Staff / Settings / Authorization¶
How permissions work¶
Each staff user, enduser and group in Fleio may have an associated permission list, stored in the database. This permission list is created when Save permissions is first used from the Permissions tab or from the Settings/Authorization page. If no permission list exists, Fleio constructs a default permission list when needed, based on the Inherit all permissions implicitly and Grant all permissions implicitly settings.
Groups permissions¶
Group permissions do not support inheritance, since groups are top-level elements and cannot inherit permissions.
Default group permissions are generated based on the Grant all permissions implicitly setting.
- If Grant all permissions implicitly is checked, the default group permissions:
  - will have Grant new permissions implicitly checked
  - will have all permissions granted
- If Grant all permissions implicitly is unchecked, the default group permissions:
  - will have Grant new permissions implicitly unchecked
  - will have all permissions not granted
Checking and unchecking Grant all permissions implicitly affects permissions for all groups that do not have saved permissions in the database (when editing the group permissions, a message is displayed if the group has no saved permissions).
Once a group's permissions are saved, changing Grant all permissions implicitly has no further effect for that group.
Users permissions¶
Default user permissions are generated based on the Inherit all permissions implicitly and Grant all permissions implicitly settings.
- If Grant all permissions implicitly is checked, the default user permissions:
  - will have Grant new permissions implicitly checked
  - will have all permissions granted
- If Grant all permissions implicitly is unchecked, the default user permissions:
  - will have Grant new permissions implicitly unchecked
  - will have all permissions not granted
- If Inherit all permissions implicitly is checked, the default user permissions:
  - will have Inherit new permissions implicitly checked
  - will have all permissions inherited
  - this setting overrides Grant all permissions implicitly if it is set
Checking and unchecking Inherit all permissions implicitly and Grant all permissions implicitly affects permissions for all users that do not have saved permissions in the database (when editing the user permissions, a message is displayed if the user has no saved permissions).
Once a user's permissions are saved, changing Inherit all permissions implicitly and Grant all permissions implicitly has no further effect for that user.
Superuser permissions¶
A superuser will always have all permissions granted.
Role permissions¶
Default role permissions are generated based on the Inherit all permissions implicitly and Grant all permissions implicitly settings.
- If Grant all permissions implicitly is checked, the default role permissions:
  - will have Grant new permissions implicitly checked
  - will have all permissions granted
- If Grant all permissions implicitly is unchecked, the default role permissions:
  - will have Grant new permissions implicitly unchecked
  - will have all permissions not granted
- If Inherit all permissions implicitly is checked, the default role permissions:
  - will have Inherit new permissions implicitly checked
  - will have all permissions inherited
  - this setting overrides Grant all permissions implicitly if it is set
Checking and unchecking Inherit all permissions implicitly and Grant all permissions implicitly affects permissions for all roles that do not have saved permissions in the database (when editing the role permissions, a message is displayed if the role has no saved permissions).
Once a role's permissions are saved, changing Inherit all permissions implicitly and Grant all permissions implicitly has no further effect for that role.
Effective user permissions¶
The effective user permissions are the permissions that determine what a user can actually do in their user panel. These permissions are computed from the user permissions, the group permissions and, for an enduser, the role permissions as well.
Effective user permissions are computed using the steps below:
1. First we compute the group permissions. If the user is part of multiple groups, the group permissions are computed by applying OR operations on the permissions list from each group. This means that the group permission is granted if it is granted on any group the user belongs to.
2. Once we have the group permissions, we combine these with the user permissions to determine the effective user permissions using the following algorithm (user inherits from group):
- for each user permission
  - if the permission is marked as inherited, we overwrite the permission with the group permission
  - if the permission is granted or not granted on the user, we keep the permission
For staff users these are the only steps needed to compute the effective permissions.
Effective enduser permissions¶
In the case of an enduser we also have role permissions besides the user and group permissions.
An enduser must be associated with at least one client. When creating an association between an enduser and a client, at least one role must be specified. This role defines what permissions the user has for the associated client. Note that multiple roles may be specified for a client-user association.
An enduser logged into the enduser panel always manages a client; we call this the current client. To determine the effective permissions for the current client, we use the roles specified in the user-client association and combine the permissions from these roles with the effective user permissions computed at step 2 above, in the following way:
1. First we compute the role permissions. If there are multiple roles for the current client, role permissions are computed by applying OR operations on the permissions list from each role if the permission is granted or not granted. If the permission is inherited, it must be inherited on all roles or it will use the Grant new permissions implicitly value. This means that:
  - the role permission is granted if it is granted on any role the user has for the current client.
  - the role permission is inherited if it is inherited on all roles the user has for the current client.
2. Once we have the role permissions, we combine these with the user permissions to determine the effective user permissions using the following algorithm (role inherits from user):
- for each role permission
  - if the permission is marked as inherited, we overwrite the permission with the user permission
  - if the permission is granted or not granted on the role, we keep the permission
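The two-stage resolution described above (user inherits from group, then role inherits from user), written out as an added example; this is not Fleio's own code. The permission names and sample data are constructed, and two behaviours are assumptions: an inherited entry with no parent value resolves to not granted, and an entry inherited on only some roles falls back to that role's Grant new permissions implicitly flag before the OR.

```python
from enum import Enum

class P(Enum):
    GRANTED = "granted"
    NOT_GRANTED = "not granted"
    INHERITED = "inherited"

def combine_groups(groups):
    """Step 1: OR across groups (groups cannot inherit, so values are bools)."""
    names = set().union(*groups) if groups else set()
    return {n: any(g.get(n, False) for g in groups) for n in names}

def resolve(child, parent):
    """Inherited entries take the parent's value; explicit entries are kept.
    Assumption: an inherited entry with no parent value is not granted."""
    return {n: parent.get(n, False) if v is P.INHERITED else v is P.GRANTED
            for n, v in child.items()}

def effective_user(user, groups):
    """Step 2: user inherits from group. Sufficient for staff users."""
    return resolve(user, combine_groups(groups))

def combine_roles(roles):
    """roles: list of (permissions, grant_new_implicitly) for the current client."""
    combined = {}
    for name in roles[0][0]:
        values = [(perms[name], implicit) for perms, implicit in roles]
        if all(v is P.INHERITED for v, _ in values):
            combined[name] = P.INHERITED  # inherited on every role
        else:
            # Assumption: an entry inherited on only some roles uses that
            # role's "Grant new permissions implicitly" flag before the OR.
            granted = any(v is P.GRANTED or (v is P.INHERITED and implicit)
                          for v, implicit in values)
            combined[name] = P.GRANTED if granted else P.NOT_GRANTED
    return combined

def effective_enduser(user, groups, roles):
    """Role inherits from the effective user permissions."""
    return resolve(combine_roles(roles), effective_user(user, groups))

# Constructed sample data; permission names are hypothetical.
USER = {"orders.view": P.INHERITED, "orders.pay": P.GRANTED, "tickets.open": P.NOT_GRANTED}
GROUPS = [{"orders.view": False, "tickets.open": True}, {"orders.view": True}]
ROLES = [({"orders.view": P.INHERITED, "orders.pay": P.NOT_GRANTED, "tickets.open": P.INHERITED}, False),
         ({"orders.view": P.INHERITED, "orders.pay": P.NOT_GRANTED, "tickets.open": P.GRANTED}, False)]

if __name__ == "__main__":
    print(effective_user(USER, GROUPS))
    print(effective_enduser(USER, GROUPS, ROLES))
```

In the sample, the role-level grant on `tickets.open` wins over the user's own "not granted" value, and the role-level "not granted" on `orders.pay` wins over the user's grant, so explicit role values are the ones to review when auditing what an enduser can do for a client.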
On the authorization page permissions can be managed for a certain user or user group.
User permissions¶
Use this page to manage both end-user permissions and staff user permissions. Only users that have the Is staff flag are allowed to log into the staff panel, while staff users are not allowed to log into the end-user area (to avoid any confusion). Hence, the permissions apply to each user's own panel: staff user rights for the staff panel and end-user rights for the end-user panel.

In order to change permissions, search for a user or group in the autocomplete input field, then after you select one, a detailed list will be displayed.

As you can see, permissions are displayed on 2 columns on desktops and 1 column on mobile screens. Each permission category is separated by a headline.

Hovering over a permission will display a tooltip containing the description of that item. You can switch on/off a permission by clicking on the whole row.
Effective permissions¶
A user has 2 checkboxes for each permission: the first represents the value assigned in the user's own permission set, and the second, which is disabled, represents the effective permission that the user currently has for that action.
Effective permissions are calculated based on the values of permissions of the user groups that the user is part of, and his own permissions.

If the user is included in any group, a note will be displayed on top of the permissions list that tells about the effective permissions, and lists the groups that the user is part of.

Once you finish managing permissions, click the Save button from the bottom of the list.
Permissions for user groups¶
Everything works the same for user groups, except that they don’t have effective permissions, as their permissions cannot be influenced by another permissions set values.
Trying to take action without having permission¶
If a user doesn’t have the effective permissions to take a certain action, the related buttons for that action are disabled or an error dialog will be shown like in the following image:

Default permissions¶
Default permissions for every user or user group can be managed using the Grant all permissions implicitly setting; see the Advanced settings tab on the General settings page.