linkPermissions. In simple words, they define whether you are allowed to perform operations on a particular object or link. The paragraph below contains a more detailed description of how these permissions work.
linkPermissions, SAYMON runs an algorithm that checks whether you indeed have such permissions. Before providing a description of the algorithm, let's introduce some terms and definitions. For simplicity, we will use the term object to describe both objects and links.
linkPermissions, the algorithm first checks whether you have explicit permissions to the object. If you have, the request will be processed. Otherwise, the algorithm checks whether you have implicit permissions to the object by traversing the object's parents. If a path to an included ancestor is found, the request will be processed as well. If not, you will get the
403error indicating that you don't have the required permissions.
referencePermissions. They might be required only for references. If a reference requires this permissions, this means that you need to have access to an object to which the reference belongs.
manage-documents, etc. Here is a list of all items to which you may have the manage permissions:
manage-documentsare subsets of
manage-linkspermissions. This means that users with
manage-linkspermissions are automatically given the latter two permissions for objects or links as well.
create-objectpermission, which allows only creating but not modifying or deleting objects. Here is a list of all items to which users may be given a subset (create, modify, delete) of the manage permissions:
manage-documents. The permission consists of four subsets:
+sign at the intersection of a row and a column means that a corresponding item can be given a respective permission subset. For instance,
+at the intersection of properties and delete means that properties can have the delete subset permissions. Minus at the same row and at the next column denotes that properties cannot be assigned the upload permission subset.
(create-objects | manage-objects)means that a method requires you to have permission to a specific object AND