Basic Access Control
Access control is used to restrict what you can see and what you can update. Basic access control is implemented using three special relations:
- /Relations/Reader - Read Permission,
- /Relations/Writer - Write Permission and
- /Relations/Owner - Owner Permission.
These relations can be added to any Rolon, but always map to either a UserAccount or a UserGroup. (User groups are used to implement advanced access control.)
By default, everyone has write permission for all three of these relations, as well as read access to all user accounts (and user groups).
Additionally, these three relations are also used as qualifiers. When, for example, the read permission is used to tag a Rolon, everyone has read access to that Rolon.
1. Read Permission
Read permission is used to provide read-only access. If the /Relations/Reader relation on a Rolon maps to your user account, then you can access the content of that Rolon.
Read permission also applies to relations. You can view a relation between two Rolons only if you have read access for both Rolons and for the relation as well.
2. Write Permission
Write permission is used to provide read/write access. If the /Relations/Writer relation on a Rolon maps to your user account, then you can update that Rolon.
Write permission also applies to relations. You can add or remove a relation between two Rolons only if you have read access for the Subject Rolon, write access for the relation and read access for the Object Rolon. However, specialized relations (e.g. permissions) may impose additional restrictions.
3. Owner Permission
Owner permission is used to provide read/write access as well as control over the permissions of a Rolon. You can add or remove the permissions on a Rolon for a user (or user group) only if you have owner permission for that Rolon.
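The rules above (read, write and owner permission; the three-part checks for viewing and for adding or removing a relation; the owner-only restriction on changing permissions; and the "qualifier" case where a permission relation tags a Rolon with no target) can be exercised in a small in-memory model. The following is an added example, not code from the page or from the system it describes. It assumes a constructed Store class, a constructed EVERYONE marker standing in for a relation used as a tag, a simple group-membership table, and that the creator of a Rolon receives owner permission; the group handling goes slightly beyond the page, which only says the relations may map to a UserGroup.

```python
from collections import defaultdict

# The three permission relations named on the page.
READER = "/Relations/Reader"
WRITER = "/Relations/Writer"
OWNER = "/Relations/Owner"
PERMISSION_RELATIONS = (READER, WRITER, OWNER)

# Constructed marker: a permission relation used as a qualifier (a tag with
# no target Rolon) grants that permission to everyone.
EVERYONE = "<everyone>"


class Store:
    """Constructed in-memory model of Rolons, relations and permissions."""

    def __init__(self):
        self.groups = defaultdict(set)   # group -> member users (assumption)
        self.triples = set()             # (subject, relation, object)
        # Default: everyone has write permission for the three permission relations.
        for rel in PERMISSION_RELATIONS:
            self.triples.add((rel, WRITER, EVERYONE))

    def add_user(self, name):
        # Default: user accounts are readable by everyone.
        self.triples.add((name, READER, EVERYONE))

    def add_group(self, name, members):
        self.groups[name] = set(members)
        self.triples.add((name, READER, EVERYONE))   # groups readable by everyone

    def create(self, rolon, owner):
        """Assumption: the creator of a new Rolon gets owner permission."""
        self.triples.add((rolon, OWNER, owner))

    # --- permission resolution -------------------------------------------

    def _targets(self, rolon, relation):
        return {o for s, r, o in self.triples if s == rolon and r == relation}

    def _granted(self, user, rolon, relation):
        targets = self._targets(rolon, relation)
        if EVERYONE in targets or user in targets:
            return True
        # A permission mapped to a UserGroup applies to every member.
        return any(user in self.groups[g] for g in targets if g in self.groups)

    def is_owner(self, user, rolon):
        return self._granted(user, rolon, OWNER)

    def can_write(self, user, rolon):            # owner implies write
        return self.is_owner(user, rolon) or self._granted(user, rolon, WRITER)

    def can_read(self, user, rolon):             # write implies read
        return self.can_write(user, rolon) or self._granted(user, rolon, READER)

    # --- relation rules from the page ------------------------------------

    def can_view_relation(self, user, subject, relation, obj):
        # Read access on both Rolons and on the relation itself.
        return (self.can_read(user, subject) and self.can_read(user, relation)
                and (obj == EVERYONE or self.can_read(user, obj)))

    def _may_change(self, user, subject, relation, obj):
        # Read on the Subject, write on the relation, read on the Object.
        if not (self.can_read(user, subject) and self.can_write(user, relation)
                and (obj == EVERYONE or self.can_read(user, obj))):
            return False
        # Specialised restriction: changing permissions requires owner permission.
        if relation in PERMISSION_RELATIONS and not self.is_owner(user, subject):
            return False
        return True

    def add_relation(self, user, subject, relation, obj):
        if not self._may_change(user, subject, relation, obj):
            return False
        self.triples.add((subject, relation, obj))
        return True

    def remove_relation(self, user, subject, relation, obj):
        if not self._may_change(user, subject, relation, obj):
            return False
        self.triples.discard((subject, relation, obj))
        return True


def demo():
    """Walk through the page's rules on constructed users and one Rolon."""
    st = Store()
    for u in ("alice", "bob", "carol"):
        st.add_user(u)
    st.add_group("/Groups/editors", ["carol"])
    st.create("/Docs/plan", owner="alice")
    r = {}
    r["bob_read_initially"] = st.can_read("bob", "/Docs/plan")               # False
    r["bob_self_grant"] = st.add_relation("bob", "/Docs/plan", WRITER, "bob")  # denied
    r["alice_grants_bob"] = st.add_relation("alice", "/Docs/plan", READER, "bob")
    r["bob_read_after"] = st.can_read("bob", "/Docs/plan")
    r["bob_write_after"] = st.can_write("bob", "/Docs/plan")
    r["bob_sees_own_grant"] = st.can_view_relation("bob", "/Docs/plan", READER, "bob")
    r["carol_via_group"] = (st.add_relation("alice", "/Docs/plan", WRITER, "/Groups/editors")
                            and st.can_write("carol", "/Docs/plan"))
    # Qualifier: tagging the Rolon with the read permission makes it readable by all.
    st.add_relation("alice", "/Docs/plan", READER, EVERYONE)
    r["anyone_after_tag"] = st.can_read("dave", "/Docs/plan")
    return r
```

Note that the owner-only restriction is what stops bob from granting himself write permission even though everyone may write the /Relations/Writer relation by default: the general three-part check passes only once he can read the Rolon, and the specialised check on permission relations then still requires owner permission on the Subject.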