About Permissions

Security rights in Trapeze are managed using permission keys.

Each security permission key controls a screen or function for which a user can be granted or denied access. For example, a permission key may be used to specify whether a user can edit particular field information on a specific screen.

Using permission keys, you can assign security rights directly to users. Or, you can assign security rights to user groups, and then assign users to the user groups appropriate to their roles. Users inherit permissions directly from the groups to which they belong, and indirectly as members of groups that belong to other groups.

Group memberships allow users to have more than one access level for the same permission key. For example, Grant-level access could be specified for a user for a specific permission key but the user could belong to a group with Deny-level access for the same key. When situations like this occur, the access level with the highest precedence is in effect for the user.

Deny-level access can also be applied when the permission is not currently granted. This allows users to specifically be denied a permission, instead of users not being granted access because they have None-level access.

Grant-level permissions can be applied when the a Deny-level permission has been inherited, but the permission itself will not be granted. To grant the permission, the user must be removed from the group that has the deny permission or the deny permission must be removed from the group.

The general principles on defining permissions are:
  • Deny overrides Grant.

  • Grant overrides None or Override.

  • Override overrides None.

Table 1. Permission Access Levels In Order of Precedence (Highest to Lowest)
Access Level Description Appearance of Access levels in Security Screen in Client Shell Appearance of Access levels in Security Screen in Browser-Based Applications
Deny

Permission is denied a user or user group to access a feature.

In some cases, a specific user or user group can be denied permission if:
  1. The user group to which the user or user group belongs has been granted permission.
  2. The user group to which the user or user group belongs has not been granted any permission, that is, it has been given “none” access.

Shown as a red X.

The indicators for the permissions for the first case cited in the first column:

  1. The effective permission for the user is shown as “deny” in red while the effective permission for the user group still shows as “grant” in black.
  2. The effective permission for the user is shown as "deny" in red while the effective permission for the user group is shown as "none" in black.

Shown as a red X.

The indicators for the permissions for the two cases cited in the first column:

  1. The user has a red X while the user group has a green check mark beside the permission key.
  2. The user group has a red X beside the permission key.
Grant Permission is granted. The effective permission for both the user and user group is shown as "grant" in black. Both the user and user group have a green check mark.
Override Permission is only granted if the user enters a supervisor password. With this access level, the system prompts the user to enter the user name and password of someone with the Grant access level for the key. The effective permission for both the user and user group is shown as "override" in black. Not applied in some Trapeze applications.
None If no access level is specified for a permission key, permission is not granted to the specified screen or function. The effective permission for both the user and user group is shown as "none" in black.