AssetWise Director Help

Permission Logic

Permissions are controlled only by the ADMIN or by a person and/or permission group that has been assigned a named permission or associated with a specific object instance. The subsections below define each type of control for each permission grade.

Activities in AssetWise are initiated by persons. Persons may be grouped together to simplify administration. In AssetWise, persons/groups in the security context are referred to as subjects.

Grade B, C, D, and E permissions are defined as Liberal Discretionary Access Control (DAC) with Multilevel Grant and Grant-Independent Revocation.

The idea of DAC is that the owner of an object has discretionary authority over who else can access that object.

Liberal DAC allows the owner to delegate discretionary authority for granting access to an object to other users.

Multilevel Grant implies that the authority can itself be delegated. Thus Alice can authorize Bob, who can further authorize Charles, who can further authorize Dorothy, and so on indefinitely.

Grant-Independent Revocation implies that revocation is independent of the granter. Thus Bob may be granted access by Alice but have it revoked by Charles.

Grade 0

  • Permission is controlled at a 'Per Person/Group to Named Permission' level.
  • Permission to control 'Ad Hoc' features (both internal and external), i.e. Change Password and Shutdown a Service, may be identified and added.
  • If no permission is defined, it implies only ADMIN has rights.

For more information, see Implementation for Grade 0.

Grade A

  • Permission is controlled at a 'Per Person/Group to Named Permission' level.
  • If no permission is defined, it implies only ADMIN has rights.
  • Permission may be added to control 'supporting' information like Document Classes etc. The ability to add new object instances (like documents) forms part of this security category.

For more information, see Implementation for Grade A.

Grade B

Subjects initiate actions or operations on objects. (A subtle point that may be overlooked is that subjects can themselves be objects.) The subject-object relation is basic to access control in AssetWise.

Actions are permitted or denied in accord with the authorizations established on the object. Authorization is expressed in terms of access rights [permissions]. The meaning of access rights depends upon the object in question. For a Document it is View, Modify and Approve; other objects may have different access rights.

Some access rights depend on other rights. For example, for a subject to have Modify rights on an object it needs at least View rights; equally, Approve rights require Modify rights. For the list of access-right dependencies, see Access Rights Dependencies.

Ownership is concerned with controlling who can change the access permissions for the object. A subject must itself hold an access right in order to modify (grant/revoke) it.

Note: The 'Grade 0A' Security permission controls the overall access to the modification of Grade B permissions.

The following points should also be kept in mind when working with Grade B permissions:

  • ADMIN always sees every object.
  • Permissions on Grade B are limited to certain Object Types.
  • If no permission (e.g. View) is associated with an object instance it implies that permission is given to everybody.
  • An object instance gets added without any permission defined (as opposed to automatically adding the creator as the sole 'owner').
  • Modification rights are sufficient for delete.
  • The 'Grade B' Security permission is required for assigning Grade B permissions.
  • Instance 'Modify' permission is required to modify that instance.
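The following is an added worked example, not code from AssetWise or this help page. It models the Liberal DAC rules described above (multilevel grant through the Alice, Bob, Charles, Dorothy chain, and grant-independent revocation) together with the Grade B rules and the access-right dependencies just listed: ADMIN always sees every object, an instance with no entry for a right is open to everybody, Modify is sufficient for Delete, Modify needs View and Approve needs Modify, and a granter must hold both the 'Grade B' Security permission and the right being granted. The subject names, the instance `DOC-1`, the `Reviewers` group and all function names are constructed for the example; two points the page leaves unstated are labelled as assumptions in the comments (an explicit ACL entry is required to grant, and dependent rights are stripped when their prerequisite is revoked).

```python
from dataclasses import dataclass, field

ADMIN = "ADMIN"

# Access-right dependencies as stated on the page: Modify needs View,
# Approve needs Modify.  Delete is not a separate right; Modify suffices.
REQUIRES = {"View": None, "Modify": "View", "Approve": "Modify"}


class AccessDenied(Exception):
    pass


@dataclass
class Instance:
    """A Grade B object instance (e.g. a Document).
    acl maps a right to the set of subjects explicitly holding it; a right
    with no holders is open to everybody, as the page states."""
    name: str
    acl: dict = field(default_factory=dict)


@dataclass
class Security:
    # Holders of the named 'Grade B' Security permission (needed to assign
    # Grade B rights) and person -> groups membership, both constructed here.
    grade_b_security: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)

    def subjects_of(self, person):
        """A person acts as themself plus every permission group they belong to."""
        return {person} | self.groups.get(person, set())

    def has_right(self, person, inst, right):
        if person == ADMIN:
            return True                      # ADMIN always sees every object
        if right == "Delete":
            right = "Modify"                 # Modify is sufficient for delete
        holders = inst.acl.get(right, set())
        if not holders:
            return True                      # no permission defined => everybody
        return bool(self.subjects_of(person) & holders)

    def grant(self, granter, inst, right, grantee):
        self._check_can_administer(granter, inst, right)
        prereq = REQUIRES[right]
        if prereq and not self.has_right(grantee, inst, prereq):
            raise AccessDenied(f"{grantee} needs {prereq} before {right}")
        inst.acl.setdefault(right, set()).add(grantee)

    def revoke(self, revoker, inst, right, subject):
        # Grant-independent: the revoker need not be whoever granted the right.
        self._check_can_administer(revoker, inst, right)
        self._strip(inst, right, subject)

    def _strip(self, inst, right, subject):
        inst.acl.get(right, set()).discard(subject)
        # Assumption: rights that depend on the revoked one fall with it so
        # the dependency rule keeps holding (the page does not state this).
        for dependent, prereq in REQUIRES.items():
            if prereq == right and subject in inst.acl.get(dependent, set()):
                self._strip(inst, dependent, subject)

    def _check_can_administer(self, actor, inst, right):
        if actor == ADMIN:
            return
        if not (self.subjects_of(actor) & self.grade_b_security):
            raise AccessDenied(f"{actor} lacks the 'Grade B' Security permission")
        # Assumption: "has the right assigned" means an explicit ACL entry,
        # not the everybody-by-default case of an instance with no entries.
        if not (self.subjects_of(actor) & inst.acl.get(right, set())):
            raise AccessDenied(f"{actor} does not hold {right} on {inst.name}")


def scenario():
    """Run the page's delegation chain on one instance and return observations."""
    sec = Security(grade_b_security={"Alice", "Bob", "Charles"},
                   groups={"Eve": {"Reviewers"}})
    doc = Instance("DOC-1")
    out = {"open_by_default": sec.has_right("Eve", doc, "View")}
    sec.grant(ADMIN, doc, "View", "Alice")
    out["closed_after_first_grant"] = not sec.has_right("Eve", doc, "View")
    sec.grant("Alice", doc, "View", "Bob")          # multilevel grant ...
    sec.grant("Bob", doc, "View", "Charles")
    sec.grant("Charles", doc, "View", "Dorothy")
    out["dorothy_views"] = sec.has_right("Dorothy", doc, "View")
    try:                                            # no Security permission
        sec.grant("Dorothy", doc, "View", "Eve")
        out["dorothy_grants"] = True
    except AccessDenied:
        out["dorothy_grants"] = False
    try:                                            # Modify needs View
        sec.grant(ADMIN, doc, "Modify", "Eve")
        out["modify_without_view"] = True
    except AccessDenied:
        out["modify_without_view"] = False
    sec.grant(ADMIN, doc, "Modify", "Bob")
    out["bob_deletes"] = sec.has_right("Bob", doc, "Delete")
    sec.grant(ADMIN, doc, "View", "Reviewers")      # group membership counts
    out["eve_views_via_group"] = sec.has_right("Eve", doc, "View")
    sec.revoke("Charles", doc, "View", "Bob")       # Alice granted, Charles revokes
    out["bob_views_after_revoke"] = sec.has_right("Bob", doc, "View")
    out["bob_modify_after_revoke"] = "Bob" in doc.acl.get("Modify", set())
    out["admin_views"] = sec.has_right(ADMIN, doc, "View")
    for s in list(doc.acl["View"]):                 # revoke every remaining holder
        sec.revoke(ADMIN, doc, "View", s)
    out["open_after_all_revoked"] = sec.has_right("Eve", doc, "View")
    return out
```

The last step is the caveat worth remembering when administering Grade B objects: because an instance with no permission entry is visible to everybody, revoking the last explicit holder of View returns the instance to being open, rather than leaving it locked down. Reviewing which instances have no View entry at all is therefore a useful periodic check.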

For more information, see Implementation for Grades B, C, and D.

Grade C

Permissions on the object imply the same permissions on all related information. Exceptions are in the case of attributes. For more information, see Implementation for Grades B, C, and D.

Grade D

No permission is checked (as opposed to requiring Modify permission on both objects before changes can be made). For more information, see Implementation for Grades B, C, and D.

Grade E

The permission on the object group applies to all objects within it over-and-above specific Grade B, C, and D permissions. For more information, see Implementation for Grades B, C, and D.

Permission Groups

  • ADMIN or a user granted the Security permission can define permission Groups.
  • Person objects are related to permission Groups.
  • Group names must be unique.

General

  • Search results do NOT indicate when records are excluded from view.
  • In an object instance detail window, there is an indication to the user when a related object record is excluded from view.
  • The system searches across 'hidden' objects (even though it excludes them from the search results).
  • Permissions are implemented on the data (Stored Procedures) and application (API) level, which implies that both the AssetWise Web and AssetWise Director application apply the same permission 'logic'.
  • Owner project and project restricted are kept but have no bearing on permissions.
  • In order to have Attribute Level Permission, the Attribute must first be marked as 'Permission Controlled'. The list of subjects that have Attribute level access is a subset of those who have view permission on the object.