Permissions Concepts

GaP permissions are very powerful, but newcomers (and others!) sometimes get lost in the terms and concepts. This page is intended to set out the Permissions concepts plainly. It borrows heavily from Bernard Durfee's Authorization20 PowerPoint presentation.

First pass

This page hasn't received a lot of attention and review, so it's currently a best-effort re-presentation of content from a potentially out-of-date PowerPoint. This page needs to be reviewed and updated.

Principal

Who does this permission affect? Who is being granted this permission? Typically this is a group, but it may also be an individual.

Activity

What is the activity that this permission restricts? This is "subscribe" in the context of configuring permission to subscribe to a channel. This is "add members" in the context of configuring permission to add members to a group.

Target

What is the activity affecting? This is a channel in the context of configuring permission to subscribe to a channel. This is a group in the context of configuring permission to add members to a group.

Owner

Who does this permission belong to? Is it a permission specific to a channel or does it belong to the framework itself?

Type

The "deny" type of permission allows modeling of explicit denials of particular activities on particular targets for particular users or groups. The typical usage is to deny everyone a permission by default and then use the "grant" type to grant the permission to specific groups.
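The five concepts above, modeled as one record with the "deny everyone, then grant specific groups" usage evaluated over it. This is an added example, not GaP's own code: the group names, the owner name "framework", the targets, and the resolution rule (the most specific principal with a matching record decides, and deny beats grant at the same level) are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    owner: str      # who the permission belongs to (a channel or the framework)
    principal: str  # group or individual being granted or denied
    activity: str   # e.g. "subscribe", "add members"
    target: str     # what the activity affects (a channel, a group)
    type: str       # "grant" or "deny"

# Constructed sample data: each user's principals, most specific first.
MEMBERSHIP = {
    "alice": ["alice", "Staff", "Everyone"],
    "bob":   ["bob", "Students", "Everyone"],
    "carol": ["carol", "Staff", "Everyone"],
}

# Constructed permission set following the page's typical usage:
# deny everyone by default, grant to a specific group, and one
# explicit denial for an individual inside that group.
PERMISSIONS = [
    Permission("framework", "Everyone", "subscribe", "payroll-channel", "deny"),
    Permission("framework", "Staff", "subscribe", "payroll-channel", "grant"),
    Permission("framework", "carol", "subscribe", "payroll-channel", "deny"),
    Permission("framework", "Staff", "add members", "staff-group", "grant"),
]

def is_authorized(user, owner, activity, target, permissions=PERMISSIONS):
    """Assumed rule (not taken from GaP): the most specific principal with a
    matching record decides; deny beats grant at the same level; no matching
    record at any level means the activity is not allowed."""
    for principal in MEMBERSHIP.get(user, [user]):
        types = {p.type for p in permissions
                 if (p.owner, p.principal, p.activity, p.target)
                 == (owner, principal, activity, target)}
        if "deny" in types:
            return False
        if "grant" in types:
            return True
    return False

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, is_authorized(user, "framework", "subscribe", "payroll-channel"))
```

When reviewing a real permission set, the cases worth testing are the ones shown here: a user covered only by the default deny, a user covered by a group grant, and a user with an individual denial inside a granted group.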