Permissions

SAYMON is a multi-user system. To be safe in use, it has a mechanism that allows you to give various access rights to different users. For example, administrators can have the right to create new users, set their access rights, modify objects, change a system configuration, etc. A regular user who only needs to monitor the data should have access only to their own objects.

To work with SAYMON through its API, you also may need to have special rights. For API methods, these rights are called permissions. If an API method requires you to have some permissions, they will be specified in a method’s description.

By default, new users don’t have special permissions. They can be managed by administrators through a web interface or using the corresponding API methods. Additionaly, default user permissions can be confgured in the server.user.template.permissions parameter of the server configuration.

Permissions used in the SAYMON API

All permissions used in the SAYMON API can be divided into four groups.

Objects' and links' permissions

The first group of permissions includes two called objectPermissions and linkPermissions. In simple words, they define whether you are allowed to perform operations on a particular object or link. The paragraph below contains a more detailed description of how these permissions work.

How objects' and links' permissions work under the hood

Each time you make a request to an API method that requires you to have objectPermissions or linkPermissions, SAYMON runs an algorithm that checks whether you have those permissions. Before providing a description of the algorithm, let’s introduce some terms and definitions. For simplicity, the term object is used to describe both objects and links.

All objects in SAYMON form a graph. Each object has parent and children objects accessible via links. The algorithm uses links only to parent objects to traverse the graph.
Permissions to an object might be given/forbidden for you explicitly. A list of objects to which you are explicitly given permissions is called included, to which you are explicitly forbidden — excluded.
Permissions to an object might also be given/forbidden to you implicitly. If there exists a path from an object to its ancestor to which you are explicitly given access and this path doesn’t contain excluded objects, you will have implicit access to this object. If such a path doesn’t exist, you are implicitly forbidden to work with the object.

Permission algorithm

When you make a request to an API method requiring objectPermissions or linkPermissions, the algorithm first checks whether you have explicit permissions to the object. If you have, the request will be processed. Otherwise, the algorithm checks whether you have implicit permissions to the object by traversing the object’s parents. If a path to an included ancestor is found, the request will be processed as well. If not, you will get the 403 error indicating that you don’t have the required permissions.

Entities permissions

API methods that work with both objects and links (for example, Get Entity by ID) require entityPermissions. These methods check for permissions depending on the type of entity being accessed. If the user tries to access an object with those methods, SAYMON will check if this user has objectPermissions; if the user tries to access a link – linkPermissions.

The rest of the algorithm is the same as objectPermissions or linkPermissions.

Reference permissions

The referencePermissions group contains permissions that are required to get, delete and update references. If a request requires this permission, this means that you need to have access to an object to which the reference belongs.

Manage permissions

The third group represents the so-called manage permissions. If you have the manage permissions to some item, you can create, modify, and delete this item. Examples of such permissions aremanage-objects, manage-properties, manage-documents, etc.

Here is a list of all items to which you may have the manage permissions:

objects,
properties,
documents,
links,
flows,
users,
service-properties,
classes,
event-log,
history,
configuration.

Note that manage-properties and manage-documents are subsets of manage-objects and manage-links permissions. This means that users with manage-objects or manage-links permissions are automatically given the manage-properties and manage-documents permissions for objects or links as well.

For some of the manage permissions, users may be given only a subset of them. For example, users may have only create-object permission, which allows only creating but not modifying or deleting objects.

Here is a list of all items to which users may be given a subset (create, modify, delete) of the manage permissions:

objects,
properties,
documents,
links,
flows.

One permission that’s a bit different from the mentioned ones and should be described separately is manage-documents. The permission consists of four subsets:

Subset title	What a subset allows users to do
create-documents	create a URL to a document
delete-documents	delete documents and documents' URLs
modify-documents	modify a document’s URL
upload-documents	upload documents

Subset title

What a subset allows users to do

create-documents

create a URL to a document

delete-documents

delete documents and documents' URLs

modify-documents

modify a document’s URL

upload-documents

upload documents

The table below summarizes all permissions' subsets:

Items/Permissions' subsets	manage	create	modify	delete	upload
classes	+	-	-	-	-
configuration	+	-	-	-	-
documents	+	+	+	+	+
event-log	+	-	-	-	-
flows	+	+	+	+	-
history	+	-	-	-	-
links	+	+	+	+	-
objects	+	+	+	+	-
properties	+	+	+	+	-
service-properties	+	-	-	-	-
users	+	-	-	-	-

Items/Permissions' subsets

manage

create

modify

delete

upload

classes

configuration

documents

event-log

flows

history

links

objects

properties

service-properties

users

The ` sign at the intersection of a row and a column means that a corresponding item can be given a respective permission subset. For instance, ` at the intersection of properties and delete means that properties can have the delete subset permissions. Minus at the same row and at the next column denotes that properties can’t be assigned the upload permission subset.

Other permissions

The last group includes four permissions:

Permission title	What a permission allows users to do
execute-operations	execute operations for an object or a link
read-session-log	get information about users' sessions
run-bulks	run bulk operations
upload-agent-updates	upload updates for agents

Permission title

What a permission allows users to do

execute-operations

execute operations for an object or a link

read-session-log

get information about users' sessions

run-bulks

run bulk operations

upload-agent-updates

upload updates for agents

Multiple permissions

Some methods might require you to have multiple permissions. For example, a record objectPermissions&(create-objects | manage-objects) means that a method requires you to have permission to a specific object AND create-objects OR manage-objects permission.