Object permissions
There are two types of permissions – object permissions (EntitySets, relationships, and directories) and field-level permissions. Field level permissions take precedence over object permissions. The permissions are set as follows: The following chart summarizes the permissions needed in order to successfully execute a given form of data manipulation on an object where permissions are currently in place. Definitions are as follows:
- Owner refers to the user who created an object.
- Group refers to any user who shares a common group ID with the object’s owner.
- Other refers to any user who does not share a common group ID with the object’s owner.
Note: Any user with a GroupID equal to 0 is considered to be a superuser. Superusers are not governed by permissions currently in place on objects, fields, or both. Thus, an object is created by a person logged in as superuser, then permissions applied to the Group are ignored since every user in the creator’s group is a super user. It is not advisable to create objects while logged in as a superuser, in order to take full advantage of Zim’s security features. Different permissions can be assigned to objects, fields, or both for users inside the owner’s group (Group) and to users outside the objects’ owner group (Other).
| Who | EntitySet permission | Field permission | List | Change | Add | Delete |
| owner | R*** | ** | no | no | no | no |
| owner | R*** | R* | yes | no | no | no |
| owner | R*** | RU | yes | no | no | no |
| group | R*** | ** | no | no | no | no |
| group | R*** | R* | yes | no | no | no |
| group | R*** | RU | yes | no | no | no |
| other | R*** | ** | no | no | no | no |
| other | R*** | R* | yes | no | no | no |
| other | R*** | RU | yes | no | no | no |
| owner | RA** | ** | no | no | null(1) | no |
| owner | RA** | R* | yes | no | null(1) | no |
| owner | RA** | RU | yes | no | yes | no |
| group | RA** | ** | no | no | null(1) | no |
| group | RA** | R* | yes | no | null(1) | no |
| group | RA** | RU | yes | no | yes | no |
| other | RA** | ** | no | no | null(1) | no |
| other | RA** | R* | yes | no | null(1) | no |
| other | RA** | RU | yes | no | yes | no |
| owner | RAC* | ** | no | no | null(1) | no |
| owner | RAC* | R* | yes | no | null(1) | no |
| owner | RAC* | RU | yes | yes | yes | no |
| group | RAC* | ** | no | no | null(1) | no |
| group | RAC* | R* | yes | no | null(1) | no |
| group | RAC* | RU | yes | yes | yes | no |
| other | RAC* | ** | no | no | null(1) | no |
| other | RAC* | R* | yes | no | null(1) | no |
| other | RAC* | RU | yes | yes | yes | no |
| owner | RACD | ** | no | no | null(1) | yes |
| owner | RACD | R* | yes | no | null(1) | yes |
| owner | RACD | RU | Yes | yes | null(1) | yes |
| group | RACD | ** | no | no | null(1) | yes |
| group | RACD | R* | yes | no | null(1) | yes |
| group | RACD | RU | yes | yes | yes | yes |
| other | RACD | ** | no | no | null(1) | yes |
| other | RACD | R* | yes | no | null(1) | yes |
| other | RACD | RU | yes | yes | yes | yes |
where R = read, A = Add, C = Change, and D = Delete (1) Null values for all fields with no update permission