Use this resources to view and manage Things5 roles and permissions.
Roles
A role has a name, a set of permissions and optionally a "users_create_child_roles" field.
This field specifies the roles the user is allowed to assign to the new user when creating one. For example let's say the organization has 3 roles: X, Y, Z. The role X has field users_create_child_roles set to Y and Z. The user A has role X. This means that user A when creating a new user B can assign to the new user only roles Y and Z
Permission Hierarchy in Things5
How Permissions Work
In Things5, permissions follow an additive principle within the group hierarchy. This means:
-
Permission Inheritance: Permissions assigned to a parent group automatically extend to all of its child groups.
-
Additive Principle: Permissions are always cumulative. It's not possible to remove or limit permissions inherited from a parent group through more restrictive settings on a child group.
-
Prevalence of the Broadest Permission: In case of multiple roles with different permission levels, the broadest permission always prevails.
Practical Example
Consider a structure where group A is the parent of group B:
-
If a user has a role on group A that provides visibility to machines, and another role on group B that doesn't include this visibility, the user will still maintain visibility to machines for both groups.
-
When performing a query with a specific filter on group B, the system will still return all machines visible based on the permissions of group A.