CentraSite 10.11 | CentraSite User’s Guide | Policy Management | Built-In Design/Change-Time Actions Reference | Set Instance and Profile Permissions
 
Set Instance and Profile Permissions
Sets instance-level permissions on an asset. You can use this action to set top-level View, Modify, or Full permissions on an entire asset and to set View or Modify permissions on individual profiles within an asset.
Note:
You use this action to set permissions on assets only. To set permissions on policies, you must use the Set Permissions action. If you want to assign asset permissions to consumers during the consumer registration process, use the Set Consumer Permission action.
Be aware that the behavior of this action varies depending on the policy's object scope.
*If you use this action in a policy that applies to multiple asset types, you can only use it to set the asset's top-level View, Modify, or Full permissions. Users do not receive View or Modify permission on the individual profiles associated with the asset. You have to assign permissions to the asset's individual profiles manually.
*If you use this action in a policy that applies to one (and only one) type of asset, you can use it to set the asset's top-level View, Modify, or Full permissions and also the View or Modify permissions on its individual profiles.
The permission settings you specify in this action will either replace or be merged with the asset's existing settings, depending on how you set the Remove Existing Permission parameter.
If you set Remove Existing Permission to true, the permission settings specified in the action completely replace the asset's current settings. That is, the asset's previous instance-level settings are completely cleared and the permissions specified by the action are set.
For example if an asset's initial permission settings are as follows:
USER A Full
USER B Full
And you specify the following permissions (with Remove Existing Permission set to true):
USER A Full
GROUP X Modify
The resulting permissions on the asset is:
USER A Full
GROUP X Modify
If you set Remove Existing Permission to false, the permission settings specified by this action are added to the asset's current settings. So, for example, if an asset has the following permission settings:
USER A Full
USER B View
And you specify the following permissions (with Remove Existing Permission set to false):
USER A Modify
USER B Full
GROUP X Modify
The resulting permissions on the asset is:
USER A Full
USER B Full
GROUP X Modify
Note:
The instance-level permissions that this action assigns to a user does not affect any role-based permissions that the user might already have. For example, if user ABC has Manage Assets permission for an organization, and that user also happens to be a member of a group to which this action assigns instance-level permissions, user ABC's Manage Assets permission will override the permission settings that this action assigns to him or her.
Event Scope
Pre-Create
Post-Create
Pre-Update
Pre-State Change
Post-State Change
OnTrigger
Object Scope
Assets
Input Parameters
User/Group Asset Permission
(Object). (Array). An array of permission settings. Each setting in the array identifies one individual user or one group and specifies the permissions for that user or group.
If you specify multiple groups in this array and a user is a member of more than one group, the user will receive the permissions of all those groups combined. For example, if you assign Modify permission to Group A and Full permissions to Group B, users that are members of both groups will get Full permission on the object.
Remove existing permission
(Boolean). Specifies whether the permission settings in the parameters User/Group Asset Permission, Propagate permissions to dependent objects and replace the existing permission settings or whether they are combined with the existing settings.
Propagate permissions to dependent objects
(Boolean). Specifies whether the access permissions defined for the asset instance is automatically propagated to all dependent objects. For example, a Service asset can refer to a WSDL which in turn can refer to one or more XML Schema assets, and when you set this parameter to yes, changes in the access permissions in the Service asset is propagated to all of these dependent assets.
Propagate profile permissions
(Boolean). Specifies whether the profile permissions defined for the asset instance will be automatically propagated to all dependent assets of the same type. The restriction concerning the asset type arises because different asset types can have different sets of profiles.
The use of this parameter is restricted to the following asset types:
*Service
*XML schema
*REST Service
*OData Service