Permissions to any part of the system are granted in multiple layers as follows:
- Users: any user can explicitly get permissions on objects.
- User groups: any defined user group can explicitly get permissions on objects. This permission propagates to all users included in this group.
- Roles: permissions can be granted to an object's owner. Each object has an owner, who is its creator. Items and Portfolios have a manager instead of an owner. The owner can be changed, but changing it requires Admin permission, because it alters the object's security settings by transferring the permissions derived from the owner role to a different user. Granting permissions to the owner as a role gives objects' creators control over their objects without giving them additional and unwanted power.
- All: a virtual group called "All" automatically includes all users. Use it to set permissions that apply to all users, including users that do not yet exist and will be added to the system later.
Note: It is recommended to assign security settings for the All group with care.
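
The layers described above can be audited by resolving, for one user, which layer grants each permission. The following is an added example, not the product's own code; it assumes the layers are additive (the page does not say how they combine), and the class, function, and lowercase permission names are hypothetical.

```python
from dataclasses import dataclass, field

ALL = "All"      # virtual group from the page: implicitly contains every user
OWNER = "Owner"  # role principal: resolves to whoever currently owns the object

@dataclass
class SecuredObject:
    owner: str
    # Grants keyed by (layer, name); layer is "user", "group" or "role".
    grants: dict = field(default_factory=dict)

    def grant(self, layer, name, *perms):
        self.grants.setdefault((layer, name), set()).update(perms)

def effective(obj, user, groups):
    """Return {permission: [layers that grant it]} for one user.

    Assumption (not stated on the page): layers are additive, no deny rules.
    `groups` maps group name -> set of member user names.
    """
    result = {}
    for (layer, name), perms in obj.grants.items():
        if layer == "user":
            applies = name == user
        elif layer == "group":
            # "All" matches any user, including ones created after the grant.
            applies = name == ALL or user in groups.get(name, set())
        else:  # role layer: only the owner role is modelled here
            applies = name == OWNER and obj.owner == user
        if applies:
            for p in perms:
                result.setdefault(p, []).append(f"{layer}:{name}")
    return result

def change_owner(obj, actor, new_owner, groups):
    """Reassign ownership; the page says this requires Admin permission."""
    if "admin" not in effective(obj, actor, groups):
        raise PermissionError(f"{actor} lacks admin on this object")
    obj.owner = new_owner

# Constructed sample data.
groups = {"analysts": {"bob"}}
report = SecuredObject(owner="alice")
report.grant("role", OWNER, "view", "edit")
report.grant("group", "analysts", "view")
report.grant("group", ALL, "view")
report.grant("user", "carol", "admin")
```

Listing the granting layer next to each permission shows at a glance which access comes only from the All group and which access moves to another user when the owner changes.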