syst_perms


Description

Defines the available system and application permissions which can be assigned to users.

The Permission is divided into the following concepts:

  1. The Permission record itself defines a subject for which application security and control concerns exist.

  2. Each Permission is made up of standard Rights. These Rights are:

    • View - the ability to view data.

    • Maintenance - the ability to change or process existing data.

    • Administration - the ability to create or destroy data.

    • Operations - the ability to perform certain operations or processes.

  3. The Right for each Permission is assigned a Scope of applicability which can limit or extend the grant of a Right. Each Right of the Permission may define which Scopes it supports out of the following possibilities:

    • Unused - The Right does not exist in any meaningful way for the Permission.

    • Deny - The Right is not granted by the Permission grant; this is typically used in cases where other Rights may be granted, for example permitting a user to see a value (View Right), but not to Maintain or perform data Admin tasks (Maint & Admin Rights).

    • Same User - The Right grant is limited in Scope to those records which are in some way designated as belonging to the specific user exercising the Right. Ownership designation will be defined by those functions where a Permission is checked.

    • Same Group - The Right grant is limited in Scope to those records which are in some way designated as belonging to a specific group or groups and to which the user belongs in some way. Ownership designation will be defined by those functions where a Permission is checked.

    • All - The Right grant is not limited in Scope and all records which are subject to the Permission are available to the user.

Permissions are assigned to Permission Roles which are in turn granted to individual users. If a Permission is not assigned to a Permission Role, then the assumption is that the Permission Role’s users are denied all rights granted by the unassigned Permission.

Some Permissions may be dependent on the grants of other more fundamental Permissions. For example, a user may be granted only View Rights to the sales order form, but also granted Maintenance Rights to sales pricing data. In such a case the sales order Rights would dictate that the user does not have the ability to maintain sales pricing in the sales order context.

Specific details of applicability and the determination of Scope boundaries will vary by each specific scenario. Consult individual Permission documentation for specific understanding of how determinations of access are made.

Columns

Column Type Size Nulls Auto Default Children Parents Comments
id uuid 2147483647 uuid_generate_v7()
syst_perm_role_grants.perm_id syst_perm_role_grants_perm_fk C

The record’s primary key. The definitive identifier of the record in the system.

General Usage

This column is system maintained and should be considered read only in normal operations.
internal_name text 2147483647 null

A candidate key useful for programmatic references to individual records.

General Usage

This column is system maintained and should be considered read only in normal operations.
display_name text 2147483647 null

A friendly name and candidate key for the record, suitable for use in user interactions

General Usage

This column is system maintained and should be considered read only in normal operations.
perm_functional_type_id uuid 2147483647 null
syst_perm_functional_types.id syst_perms_perm_functional_type_fk R

Assigns the Permission to a specific Permission Functional Type.

General Usage

Permissions may only be granted in Permission Roles of the same Permission Functional Type.
syst_defined bool 1 false

Values of TRUE in this column indicate that the record is considered a “System Defined” record, a record which is created and primarily maintained by the system using automated processes. A value of FALSE indicates that the record is considered a “User Defined” record which is maintained by user actions in the application.

General Usage

This column is system maintained and should be considered read only in normal operations.
syst_description text 2147483647 null

A system defined description indicating the purpose and use cases of a given record. Text defined in this column is system maintained and should not be changed under normal circumstances.

General Usage

This column is system maintained and should be considered read only in normal operations.
user_description text 2147483647 null

An optional user defined description of the record and its use cases. If this value is not NULL, the value will override any syst_description defined text in application user interfaces and other presentations.
view_scope_options _text 2147483647 ARRAY['unused'::text]

If applicable, enumerates the available Scopes of viewable data offered by the permission.

General Usage

If not applicable the only option will be ‘unused’.
maint_scope_options _text 2147483647 ARRAY['unused'::text]

If applicable, enumerates the available Scopes of maintainable data offered by the permission. Maintenance in this context refers to changing existing data.

General Usage

If not applicable the only option will be ‘unused’.
admin_scope_options _text 2147483647 ARRAY['unused'::text]

If applicable, enumerates the available Scopes of data administration offered by the permission. Administration in this context refers to creating or deleting records.

General Usage

If not applicable the only option will be ‘unused’.
ops_scope_options _text 2147483647 ARRAY['unused'::text]

If applicable, enumerates the available Scopes of a given operation or processing capability offered by the permission.

General Usage

If not applicable the only option will be ‘unused’.
diag_timestamp_created timestamptz 35,6 now()

The database server date/time when the transaction which created the record started.

General Usage

This column is system maintained and should be considered read only in normal operations.
diag_role_created text 2147483647 null

The database role which created the record.

General Usage

This column is system maintained and should be considered read only in normal operations.
diag_timestamp_modified timestamptz 35,6 now()

The database server date/time when the transaction which modified the record started. This field will be the same as diag_timestamp_created for inserted records.

General Usage

This column is system maintained and should be considered read only in normal operations.
diag_wallclock_modified timestamptz 35,6 clock_timestamp()

The database server date/time at the moment the record was actually modified. For long running transactions this time may be significantly later than the value of diag_timestamp_modified.

General Usage

This column is system maintained and should be considered read only in normal operations.
diag_role_modified text 2147483647 null

The database role which modified the record.

General Usage

This column is system maintained and should be considered read only in normal operations.
diag_row_version int8 19 1

The current version of the row. The value here indicates how many actual data changes have been made to the row. If an update of the row leaves all data fields the same, disregarding the updates to the diag_* columns, the row version is not updated, nor are any updates made to the other diag_* columns other than diag_update_count.

General Usage

This column is system maintained and should be considered read only in normal operations.

Direct Usage

This column is frequently used by by application logic to resolve the “dirty write” issues which can arise from concurrent data changes. As such any administrative override of automatic system maintenance of this value should consider the ramifications on application function.
diag_update_count int8 19 0

Records the number of times the record has been updated regardless as to if the update actually changed any data. In this way needless or redundant record updates can be found. This row starts at 0 and therefore may be the same as the diag_row_version - 1.

General Usage

This column is system maintained and should be considered read only in normal operations.

Indexes

Constraint Name Type Sort Column(s)
syst_perms_pk Primary key Asc id
syst_perms_display_name_udx Must be unique Asc display_name
syst_perms_internal_name_udx Must be unique Asc internal_name

Check Constraints

Constraint Name Constraint
syst_perms_maint_scope_options_chk (((cardinality(maint_scope_options) > 0) AND (maint_scope_options <@ ARRAY['unused'::text, 'deny'::text, 'same_user'::text, 'same_group'::text, 'all'::text])))
syst_perms_admin_scope_options_chk (((cardinality(admin_scope_options) > 0) AND (admin_scope_options <@ ARRAY['unused'::text, 'deny'::text, 'same_user'::text, 'same_group'::text, 'all'::text])))
syst_perms_view_scope_options_chk (((cardinality(view_scope_options) > 0) AND (view_scope_options <@ ARRAY['unused'::text, 'deny'::text, 'same_user'::text, 'same_group'::text, 'all'::text])))
syst_perms_ops_scope_options_chk (((cardinality(ops_scope_options) > 0) AND (ops_scope_options <@ ARRAY['unused'::text, 'deny'::text, 'same_user'::text, 'same_group'::text, 'all'::text])))

Relationships

Close relationships within degrees of separation