
The Rights Concept

When it is first started, the CMS automatically creates the API cms/users and an administrative account in it; the name of that account (usually admin) and its password are stored in a configuration file known only to the server. This account receives the following access rights:

  • Full access to all namespaces, which above all means unrestricted (CRUD) manipulation of all APIs
  • All records in all APIs are visible, but cannot be changed or deleted
  • Full access to the API cms/users, i.e. user accounts and their rights can be maintained without restriction; only access to passwords is completely blocked

In general, the following rights can be granted:

  • namespaceAdmin is a list of namespaces to which the account has full access; * is the wildcard for all namespaces. With this right, APIs in the namespace can be displayed, created, modified, and removed. This right carries no access to records.
  • namespaceUser analogously lists the namespaces whose APIs can at least be displayed, again without any rights to records.
  • apiWrite grants full access to records in the designated API; * stands for all APIs in all namespaces, tutorial/* for all APIs in the namespace tutorial. Records can be displayed, created, modified, and removed.
  • apiRead works analogously, but exclusively for displaying records.

For each record there is an additional rule: the account that created or last modified the record may always modify or delete it. This special right does not include a read right. The same applies to an API, except that there the special right is granted only to the account that created the API.

The following screenshot shows the standard configuration for a tenant CMS_User_01, which receives full access to a namespace (here: tutorial), i.e. to all APIs of that namespace and to all records in those APIs:

Typical admin user rights for a namespace (here: tutorial)

In this case

  • the tenant CMS_User_01 has full access to the API / Collection configuration in the namespace tutorial and
  • full access to all records in all APIs / Collections of the namespace tutorial
  • (the email address is not set here and is currently not used anywhere in the CMS)

Rights can be granted on exact namespaces (tutorial-1) and APIs (tutorial-1/html). The wildcard * is also allowed, for all namespaces (*), all APIs (*), or all APIs in one namespace (tutorial-1/*). Furthermore, a right may begin with ^; it is then treated internally as a regular expression:

  • ^kunde- for all namespaces beginning with kunde-
  • ^kunde-[^/]*/[^/]+$ for all APIs in all namespaces beginning with kunde-
  • ^kunde-[^/]*/config$ for APIs with the name config in all namespaces beginning with kunde-
  • ^[^/]+/config$ for APIs with the name config in all namespaces
  • The query operators $in, $nin, $eq, $ne, and $exists are also supported on the fields _id, _cms.createdBy, and _cms.modifiedBy
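To make the rules above concrete, the following is an added example (not the CMS's own code) that evaluates the rights model described in this section: the four right lists (namespaceAdmin, namespaceUser, apiWrite, apiRead), the exact/wildcard/^regex matching of right entries, and the creator rule for records and APIs. The Account class, the parameter created_by for an API's creator, and the nested record layout {"_cms": {"createdBy": ..., "modifiedBy": ...}} are assumptions made for illustration; the page names the fields but not how they are stored. All accounts and records are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Actions as the page describes them: "display" versus create/modify/remove.
READ = "read"
WRITE = "write"


@dataclass
class Account:
    """Assumed in-memory stand-in for one entry of the cms/users API."""
    name: str
    namespaceAdmin: List[str] = field(default_factory=list)
    namespaceUser: List[str] = field(default_factory=list)
    apiWrite: List[str] = field(default_factory=list)
    apiRead: List[str] = field(default_factory=list)


def right_matches(right: str, target: str) -> bool:
    """Does one right entry cover a namespace ('tutorial') or an API ('tutorial/html')?

    '*' matches everything; 'ns/*' matches every API directly in ns;
    an entry beginning with '^' is a regular expression; anything else is exact.
    """
    if right == "*":
        return True
    if right.startswith("^"):
        return re.search(right, target) is not None
    if right.endswith("/*"):
        ns = right[:-2]
        rest = target[len(ns) + 1:]
        return target.startswith(ns + "/") and rest != "" and "/" not in rest
    return right == target


def any_matches(rights: List[str], target: str) -> bool:
    return any(right_matches(r, target) for r in rights)


def namespace_of(api: str) -> str:
    return api.split("/", 1)[0]


def may_manage_api(account: Account, api: str, action: str,
                   created_by: Optional[str] = None) -> bool:
    """Rights on an API definition (not on its records).

    namespaceAdmin: display/create/modify/remove APIs in the namespace.
    namespaceUser: display only.
    The creator of the API may additionally modify/remove it; created_by is an
    assumed parameter, the page does not name where the creator is stored.
    """
    ns = namespace_of(api)
    if any_matches(account.namespaceAdmin, ns):
        return True
    if action == READ:
        return any_matches(account.namespaceUser, ns)
    return created_by is not None and created_by == account.name


def may_access_record(account: Account, api: str, action: str, record: dict) -> bool:
    """Rights on a record inside an API.

    apiWrite: full CRUD on matching APIs; apiRead: display only.
    The account that created or last modified the record may always modify or
    delete it, but that rule grants no read right.
    """
    if any_matches(account.apiWrite, api):
        return True
    if action == READ:
        return any_matches(account.apiRead, api)
    meta = record.get("_cms", {})  # assumed layout of _cms.createdBy / _cms.modifiedBy
    return account.name in (meta.get("createdBy"), meta.get("modifiedBy"))


# Constructed sample accounts. ADMIN mirrors the rights listed for the initial account:
# all namespaces, all records visible but not writable, full access to cms/users.
ADMIN = Account("admin", namespaceAdmin=["*"], apiRead=["*"], apiWrite=["cms/users"])
CMS_USER_01 = Account("CMS_User_01", namespaceAdmin=["tutorial"], apiWrite=["tutorial/*"])
SUPPORT = Account("support", namespaceUser=["^kunde-"], apiRead=["^kunde-[^/]*/config$"])
EDITOR = Account("editor", apiRead=["tutorial/html"])

# Constructed sample record, created and last modified by "editor".
SAMPLE_RECORD = {"_id": "r1", "_cms": {"createdBy": "editor", "modifiedBy": "editor"}}
```

Two points worth checking against this model: the creator rule lets EDITOR modify SAMPLE_RECORD even in an API where it has no apiRead or apiWrite right, but never lets it read the record, exactly as the page states; and an unanchored regular expression such as ^kunde- would, if placed in apiRead instead of namespaceUser, match every API in those namespaces, which is why the page's API examples end in $.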

Assigning Passwords

On first login, each user freely chooses their own password. An administrator can only reset (delete) a password; the user then chooses a new one on their next login. Until that login takes place, the account is not protected by a password, so a reset should be communicated to the user directly and followed by a prompt login.