Privileges can imply other privileges, meaning that some privileges are supersets of other privileges. For example, if you have ADMIN privileges on a folder, you can CREATE objects in that folder. Likewise, if you can UPDATE a group's memberships, you can OPTIN or OPTOUT yourself to the group.
Folder privileges
- Admin
  - Entity may create groups, attributes, and subfolders in this folder, delete this folder, or assign any privilege to any entity. The entity may also rename the folder and edit its description. If a subject with Admin privilege created an object (group, folder, attribute), then the subject will automatically be an admin of the object, unless they are in an inherited admin assigned group.
- Create
  - Entity may create groups, attributes, and subfolders in this folder
- Attribute read
  - Entity may see the attribute assignments for this folder
- Attribute update
  - Entity may modify the attributes of this folder
Group privileges
- Member
  - Entity is a member of this group
- Admin
  - Entity may modify the membership of this group, delete the group, or assign privileges for the group. The entity may also rename the group and edit its description. If a subject with Admin privilege created an object (group, folder, attribute), then the subject will automatically be an admin of the object, unless they are in an inherited admin assigned group.
- Read
  - Entity may see the membership list for this group
- Update
  - Entity may modify the membership of this group
- Optin
  - Entity may elect to join this group
- Optout
  - Entity may elect to leave this group
- Attribute read
  - Entity may see the attributes for this group
- Attribute update
  - Entity may modify the attributes of this group
- View
  - Entity may see that this group exists
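
When reviewing access, the implication rule means a subject can hold a privilege without a direct grant of it. The following is an added example, not code from the project this page describes: it encodes only the two implications stated above (folder ADMIN implies CREATE; group UPDATE implies OPTIN and OPTOUT), generalizes them to a transitive closure, and uses constructed function names, subjects and object names.

```python
# Added example. IMPLIES holds only the implications this page states;
# a real deployment's full table must come from its own documentation.
IMPLIES = {
    ("folder", "ADMIN"): {"CREATE"},
    ("group", "UPDATE"): {"OPTIN", "OPTOUT"},
}


def effective(object_type, granted):
    """Expand directly granted privileges into the effective set.

    Walks the implication table transitively, so a chain A -> B -> C
    would also be resolved if the table contained one.
    """
    result = set()
    stack = [p.upper() for p in granted]
    while stack:
        priv = stack.pop()
        if priv in result:
            continue
        result.add(priv)
        stack.extend(IMPLIES.get((object_type, priv), ()))
    return result


def who_holds(grants, object_type, object_name, wanted):
    """Map each subject to the direct grants that yield `wanted` on one object.

    A value other than [wanted] means the subject holds it only by implication.
    """
    holders = {}
    for subject, otype, name, priv in grants:
        if (otype, name) != (object_type, object_name):
            continue
        if wanted in effective(otype, [priv]):
            holders.setdefault(subject, []).append(priv.upper())
    return {s: sorted(p) for s, p in holders.items()}


# Constructed sample grants: (subject, object type, object name, privilege).
SAMPLE_GRANTS = [
    ("alice", "group", "app:vpn-users", "UPDATE"),
    ("bob", "group", "app:vpn-users", "OPTIN"),
    ("carol", "group", "app:vpn-users", "READ"),
    ("dave", "folder", "app", "ADMIN"),
    ("erin", "folder", "app", "CREATE"),
]

if __name__ == "__main__":
    print(who_holds(SAMPLE_GRANTS, "group", "app:vpn-users", "OPTIN"))
    print(who_holds(SAMPLE_GRANTS, "folder", "app", "CREATE"))
```

An audit that searches only for direct OPTIN grants would miss `alice`, who can join the group through UPDATE.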