Access can be granted or denied within a schema in a number of different ways.
Assigning Permissions to Groups of Users
Access permissions can be granted either to every user in the system as a whole or to one or more user groups.
Access permissions cannot be granted at the individual user level. For an individual user to be given specific permissions, that user would need to be placed in a user group alone.
If a user (or group of users) has been assigned several permissions within a schema and these permissions contradict one another, for example being both denied and granted the permission to create products, 'deny' will always take precedence over 'create' in order to safeguard the data.
Assigning Permissions to Products, Attributes & Sets
When creating a new access control entry, the permissions can be assigned at a number of levels. The permissions apply to every product within that schema and can be assigned at the level of:
Whole product: The permissions set will allow or deny the user access to all attributes within each product.
Attribute set: The permissions will be set at attribute set level, meaning that users can be granted or denied access only to sets of attributes within the products.
Attribute: The permissions will be set on a per-attribute basis, meaning that users can be granted or denied access down to a single attribute within the products.
Selecting the Permissions to Assign
There are currently nine permission options which can be assigned to user groups at product or attribute level:
Allow read, write, create & delete: Users are able to view and edit products/attributes, create new products and delete products
Allow read & write: Users are able to view and edit products/attributes
Allow read: Users are able to view products/attributes
Approve create: Any new products created will need to go through an existing approval workflow which requires another user group to approve this creation
Approve create or write: Any new products created or any products/attributes edited will need to go through an existing approval workflow which requires another user group to approve this creation or edit
Deny create: Users are denied the option to create new products
Deny create or write: Users are denied the option to create or edit products/attributes
Deny create, write, read or delete: Users are denied the option to create, delete, edit or view products/attributes
Deny delete: Users are denied the option to delete products; best used by creating a group containing the users who should not be allowed to delete products, and then assigning a separate rule to this group with this permission
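
The deny-over-allow rule and the three assignment levels described on this page, worked through as an added Python example that is not the product's own code. The entry format, the group and attribute names, the `*` marker for every user, combining all matching levels into one decision, and ranking an approval requirement above a plain allow are assumptions made for illustration.

```python
PERMISSIONS = {  # the nine options listed above -> (effect, actions covered)
    "Allow read, write, create & delete": ("allow", {"read", "write", "create", "delete"}),
    "Allow read & write": ("allow", {"read", "write"}),
    "Allow read": ("allow", {"read"}),
    "Approve create": ("approve", {"create"}),
    "Approve create or write": ("approve", {"create", "write"}),
    "Deny create": ("deny", {"create"}),
    "Deny create or write": ("deny", {"create", "write"}),
    "Deny create, write, read or delete": ("deny", {"create", "write", "read", "delete"}),
    "Deny delete": ("deny", {"delete"}),
}
RANK = {"deny": 3, "approve": 2, "allow": 1, "unset": 0}  # approve > allow is an assumption
EVERYONE = "*"  # hypothetical marker for "every user in the system"

# Constructed sample schema: attribute sets and access control entries.
ATTRIBUTE_SETS = {"pricing": {"cost", "rrp"}, "marketing": {"title", "description"}}
ENTRIES = [  # (group, level, target, permission)
    (EVERYONE, "product", None, "Allow read"),
    ("editors", "product", None, "Allow read, write, create & delete"),
    ("editors", "set", "pricing", "Approve create or write"),
    ("no-delete", "product", None, "Deny delete"),
    ("contractors", "attribute", "cost", "Deny create, write, read or delete"),
]

def applies(level, target, attribute):
    """True if an entry at this level covers the attribute being queried."""
    if level == "product":
        return True
    if level == "set":
        return attribute in ATTRIBUTE_SETS.get(target, set())
    return level == "attribute" and target == attribute

def effective(groups, attribute, entries=ENTRIES):
    """Resolve each action to deny/approve/allow/unset; the strictest matching entry wins."""
    result = {a: "unset" for a in ("read", "write", "create", "delete")}
    for group, level, target, permission in entries:
        in_scope = group == EVERYONE or group in groups
        if not in_scope or not applies(level, target, attribute):
            continue
        effect, actions = PERMISSIONS[permission]
        for action in actions:
            if RANK[effect] > RANK[result[action]]:
                result[action] = effect
    return result

if __name__ == "__main__":
    for groups in ({"editors"}, {"editors", "no-delete"}, {"editors", "contractors"}):
        print(sorted(groups), effective(groups, "cost"))
```

Running it shows how adding a user to a second group can only narrow what the first group granted, which is why a dedicated deny group works for the "Deny delete" case.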