Permissions

Permissions are the key to aPriori access control. A permission is associated with a group, and consists of:

• one or more Actions

• a Resource

• a Rule

In short, a permission specifies whether a member of the group to which it belongs is granted or denied the ability to perform an action on the specified resource, based on the specified rule.

A permission can also include Grant/Deny behavior modifiers:

• Normal Grant: Actions are allowed if the permission rule is True unless blocked by a Strong Deny permission

• Strong Grant: Actions are ALWAYS permitted if the permission rule is True

• Normal Deny: Actions are blocked if the permission rule is False unless allowed by a Normal Grant permission

• Strong Deny: Actions are blocked if the permission rule is False unless allowed by a Strong Grant permission

Actions

aPriori Access Control supports the following actions. Some are self-explanatory, but some require a little background.

• Create (available to all resource, but cannot be combined with other actions)

• Read (available for all resources except for groups and permissions; Read access is already granted by the system for every user to every group and permission to enable Access Control to work)

• Update (available for all resources)

• Delete (available for all resources)

• Cost Using (available for only VPE resources)

• Associate (available for only Permission resources)

Note that Create can be applied to all resources but cannot be combined with any other action.

The other actions may or may not be applicable to various resources but can be combined with other actions that have compatible requirements. For example, Update and Delete require that the Resource already exists, and can be combined in the same Permission. But Create requires that the target Resource does NOT already exist, and therefore cannot be combined with other actions which all require that the target Resource exists.

Similarly, you can create a Permission for Roll-ups that combines any combination of Read, Update, or Delete. But you cannot create a Roll-up permission with a Cost Using action, because Cost Using applies only to VPE resources.

Note: Read and Cost-Using are similar but have somewhat different behavior. In general. if you do not have Read permission for a VPE, you cannot see it. If you do have Read permission, you can see it and read the data in it, but you will not be able to execute a cost operation using it unless you have Cost-Using permission. There are some variations to this rule depending on context: For a user to see a VPE in a Cost Guide drop-down menu, that user must have both Read and Cost Using permission to that VPE. But in the VPE Manager, one needs only Read permission to see the VPE.

In the case of overlay VPEs, the top-level VPE is the only one that requires Cost-Using access. The underlying ("antecedent") VPEs do not require any access.

Resource

A Resource is the target on which the Action operates. As mentioned above, Resources include:

 Component (part and assemblies)

 Rollup (Roll-ups, Dynamic Roll-ups, Cost Comparisons)

 VPE

 Group

 Permission

Rules can use the attributes of a target Resource to fine-tune their behavior (see below).

Note: Group and Permission are provided for "access control of access control", which is an advanced topic. (See Access Control of Access Control)

Rule

A Rule is an expression that determines a group member's access to a target Resource. For example:

Group.attributesValue.Region == currentGroup.attributesValue.Region

If a rule evaluates to "true", then access is granted. If it evaluates to false, access is denied. However, there are grant and deny modifiers that determine how conflicting permissions are resolved.

Grant/Deny modifiers

The Grant and Deny permission modifiers give you the ability to fine-tune permissions by strengthening ("strong") access and denial results.

For example, permissions for Super Users who need exceptional access rights over access control feature will have the strong Grant modifier enabled. This means that Super Users are always granted access rights, even if another permission attempts to deny access.

Deny: Normal Deny is the default, Out-of-Box setting for "regular" user permissions and translates to "An action is blocked unless another permission explicitly allows it". In general, when you (an administrator) create a new permission, you should use Normal Deny unless a Strong Deny is required.

This is typically paired with a normal Grant setting (see below). A "normal Deny" is actually not a Deny at all–it is more of an "abstain" setting. This means that if a user is granted access by a permission, other permissions that return a normal Deny are ignored. Only a strong Deny permission will prohibit a user from an action form which they have been granted normal access. A normal Deny that abstains does not equate to granting access, it just means that the user will not be denied access if another permission grants it. This ensures that a user who belongs to multiple groups is not blocked from an action in one group because of a Deny in another group.

For example, assume that multiple groups are defined to correspond to projects. Each project has a Permission associated with it that has a component UPDATE action. The rule for each project might be something like:

component.projectName == currentGroup.attributeValues.Project

Now consider a user who is a member of several of these groups.

Without the normal Deny ("abstain") modifier, this user would not be allowed to update ("save") any scenario, because strong Deny permissions associated with the other projects would prevent it.

By setting normal Deny rather than Strong Deny on these permissions, failure of the rule is treated as if the permission did not exist in the first place. This is not a security hole, since one needs to have at least one Permission that explicitly returns True (i.e., grants access).

Grant – Strong: This modifier can force access to be granted even if there are other permissions that strongly deny access. This is intended for the Super Users group whose members may also be in other groups that have more restrictive permissions. This modifier should be used carefully and sparingly outside of the Super Users group.

The following table explains how combinations of these modifiers affect access and deny permissions:

Grant Level	Deny Level	Description
Normal	Normal	Access granted unless some other permission contains a Strong Deny. Access denied only if no other permission grants it. NOTE: This is the out-of-box default for "regular" users.
Strong	Normal	Access granted regardless of other permissions. Access denied only if no other permission grants it. NOTE: This is a superuser-level permission. Apply it with caution.
Normal	Strong	Access granted unless some other permission contains a Strong Deny. Access denied unless overridden by a Strong Grant
Strong	Strong	Access granted regardless of other permissions. Access denied unless overridden by a Strong Grant. NOTE: This is a superuser-level permission. Apply it with caution.