Policies
Policies determine who is allowed to perform specific actions. You can define your policy on three levels: for a Context, for a Container (Thread, Store, etc), and for items such as messages or files, in case of Containers that include them.
This section covers policies in the Containers' scope.
Overview
Setting a policy in the Container overwrites the policy from the Context. The property of the policy can be set to one of the following values:
- "default" - takes the default value, listed below
- "inherit" - always takes value from the Context (can only be used in Container and item policies)
- "none" - no one can perform this action
- "all" - all Context users can perform this action
- "user" - all Container users can perform this action
- "manager" - all Container managers can perform this action
- "owner" - only Container owner can perform this action
- "itemOwner" - only item owner can perform this action (can only be used in the item policy)
Leaving an empty policy in a Container or item policy results in inherit. In Context it results in default.
You can also combine the values listed above. If you want to allow item updates to be executed only by the item owner, with the additional assumption that they must be an active user of the Container, you can write itemOwner&user. But if you want to allow the Container managers to also update the item, you can write itemOwner&user,manager. In the policy entry, the & character means 'and', and the coma , means or. Operations with & are always performed first.
Default Policy Values
The Endpoint can only define policies on the level of Containers and items. Context level policies include rules connected to, for example, creating Containers – so they have to be defined using Bridge API.
The following tables list the default policy values in PrivMX:
Context
| Policy | Value |
|---|---|
| listUsers | all |
| sendCustomNotification | all |
Thread
| Policy | Value |
|---|---|
| get | user |
| listMy | all |
| listAll | none |
| create | all |
| update | manager |
| delete | manager |
| updatePolicy | manager |
| creatorHasToBeManager | yes |
| updaterCanBeRemovedFromManagers | no |
| ownerCanBeRemovedFromManagers | yes |
| canOverwriteContextPolicy | yes |
| sendCustomNotification | all |
Thread Item
| Policy | Value |
|---|---|
| get | user |
| listMy | user |
| listAll | user |
| create | user |
| update | itemOwner&user,manager |
| delete | itemOwner&user,manager |
Store
| Policy | Value |
|---|---|
| get | user |
| listMy | all |
| listAll | none |
| create | all |
| update | manager |
| delete | manager |
| updatePolicy | manager |
| creatorHasToBeManager | yes |
| updaterCanBeRemovedFromManagers | no |
| ownerCanBeRemovedFromManagers | yes |
| canOverwriteContextPolicy | yes |
| sendCustomNotification | all |
Store Item
| Policy | Value |
|---|---|
| get | user |
| listMy | user |
| listAll | user |
| create | user |
| update | itemOwner&user,manager |
| delete | itemOwner&user,manager |
Inbox
| Policy | Value |
|---|---|
| get | user |
| listMy | all |
| listAll | none |
| create | all |
| update | manager |
| delete | manager |
| updatePolicy | manager |
| creatorHasToBeManager | yes |
| updaterCanBeRemovedFromManagers | no |
| ownerCanBeRemovedFromManagers | yes |
| canOverwriteContextPolicy | yes |
| sendCustomNotification | all |
Policies Manageable by Endpoint on Container Level
Policies for Containers with Items
The following table defines access and management rules for Containers with items.
| ContainerPolicy | Type | Allowed Values | Description |
|---|---|---|---|
| item | ItemPolicy | Container's items policy | |
| get | string | default none all user manager owner | Determines who can get a Container |
| update | string | default none all user manager owner | Determines who can update a Container |
| delete | string | default none all user manager owner | Determines who can delete a Container |
| updatePolicy | string | default none all user manager owner | Determines who can update policy |
| updaterCanBeRemovedFromManagers | string | inherit yes no default | Determines whether the updater can be removed from the list of managers |
| ownerCanBeRemovedFromManagers | string | inherit yes no default | Determines whether the owner can be removed from the list of managers |
Policies for Containers without Items
The following table defines access and management rules for Containers without items.
| ContainerPolicyWithoutItem | Type | Allowed Values | Description |
|---|---|---|---|
| get | string | default none all user manager owner | Determines who can get a Container |
| update | string | default none all user manager owner | Determines who can update a Container |
| delete | string | default none all user manager owner | Determines who can update a Container |
| updatePolicy | string | default none all user manager owner | Determines who can update policy |
| updaterCanBeRemovedFromManagers | string | inherit yes no default | Determines whether the updater can be removed from the list of managers |
| ownerCanBeRemovedFromManagers | string | inherit yes no default | Determines whether the owner can be removed from the list of managers |
Policies for Items
| ItemPolicy | Type | Allowed Values | Description |
|---|---|---|---|
| get | string | user itemOwner manager owner | Determines who can get an item |
| listMy | string | user manager owner | Determines who can list elements created by themselves |
| listAll | string | user manager owner | Determines who can list all items (this policy sets the behavior of methods such as listMessages, listFiles, listEntries) |
| create | string | user manager owner | Determines who can create an item. |
| update | string | user itemOwner manager owner | Determines who can update an item |
| delete | string | user itemOwner manager owner | Determines who can delete an item |