Crust Administrator’s guide

Permission Settings

Permission settings are accessible to organization admins at /admin/permissions.

Permission

A permission is an operation on an object (e.g. a channel, a module, a record) that is explicitly allowed or denied. Permissions are assigned to roles, and roles are assigned to users, so a user's effective permissions are those of the roles they hold.

Object

An object is either one of the main Crust services (System, Messaging, CRM) or one of the data types inside those services (Role, Organization, Channel, Module, Chart, Page).

When the object is a data type, a permission can be set either on a specific instance (e.g. one particular channel) or as a general permission that applies to any instance of that type (see Inheritance rules).

Operation

An operation is a user action that is validated by the Crust permission engine. An operation together with a value (allow, deny or inherit) forms a permission, which is assigned to a role.

Inheritance rules

Each operation is first checked on the specific instance (e.g. can the user update this one channel?). If no explicit allow or deny is set there, Crust checks the general permission for the operation (e.g. can the user update any channel?). If that is not set either, Crust falls back to internal, operation-specific rules (e.g. channel owners can update their own channels, anyone can open a public channel). The check stops at the first explicit allow or deny, so these tiers override each other in that order: a general deny on channel update also blocks a channel owner, because the internal owner rule is never reached, and an allow on one specific channel takes effect even when the general permission for that operation is deny.
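The three-tier check described above, as an added example in Go (the language Crust is written in). This is illustrative code written for this guide, not the project's own permission engine: the `Engine`, `Rule` and `Fallback` types, the `service:type:id` resource format, the sample channels and roles, and the rule that a deny from one of a user's roles beats an allow from another are all assumptions of the example, not something the guide states.

```go
package main

import (
	"fmt"
	"strings"
)

// Access is the value a permission carries for one operation.
type Access int

const (
	Inherit Access = iota // nothing set at this tier; fall through
	Allow
	Deny
)

// Rule is a permission assigned to a role, either on a specific resource
// ("messaging:channel:42") or on the general form ("messaging:channel:*").
type Rule struct {
	Role, Resource, Operation string
	Access                    Access
}

// Fallback is an internal, operation-specific rule used when no permission is set.
type Fallback func(userID, resource string) bool

type Engine struct {
	rules     []Rule
	fallbacks map[string]Fallback // keyed by operation
}

// general turns "messaging:channel:42" into "messaging:channel:*".
func general(resource string) string {
	return resource[:strings.LastIndex(resource, ":")+1] + "*"
}

// lookup merges the rules of all the user's roles (a set of role names) for
// one resource and operation. The guide does not say how conflicting roles
// combine; this example assumes Deny beats Allow, and Allow beats Inherit.
func (e *Engine) lookup(roles map[string]bool, resource, op string) Access {
	result := Inherit
	for _, r := range e.rules {
		if r.Resource != resource || r.Operation != op || !roles[r.Role] {
			continue
		}
		if r.Access == Deny {
			return Deny
		}
		if r.Access == Allow {
			result = Allow
		}
	}
	return result
}

// Can applies the inheritance rules in order: the specific instance, then the
// general permission, then the operation's internal fallback. The first
// explicit decision is final, so a general Deny also blocks the fallback.
func (e *Engine) Can(userID string, roles map[string]bool, resource, op string) bool {
	for _, res := range []string{resource, general(resource)} {
		if a := e.lookup(roles, res, op); a != Inherit {
			return a == Allow
		}
	}
	if fb, ok := e.fallbacks[op]; ok {
		return fb(userID, resource)
	}
	return false // nothing set and no internal rule: deny
}

// NewExampleEngine builds an engine over constructed sample data: channel 42
// is public and owned by alice, channel 43 is private and owned by bob.
func NewExampleEngine() *Engine {
	owner := map[string]string{"messaging:channel:42": "alice", "messaging:channel:43": "bob"}
	public := map[string]bool{"messaging:channel:42": true}
	return &Engine{
		rules: []Rule{
			{"member", "messaging:channel:*", "update", Deny},      // general deny
			{"moderator", "messaging:channel:43", "update", Allow}, // specific allow
		},
		fallbacks: map[string]Fallback{
			// the internal rules the guide quotes: owners may update their
			// channels, anyone may open a public channel
			"update": func(uid, res string) bool { return owner[res] == uid },
			"read":   func(uid, res string) bool { return public[res] || owner[res] == uid },
		},
	}
}

func main() {
	e := NewExampleEngine()
	member, guest := map[string]bool{"member": true}, map[string]bool{"guest": true}
	mod := map[string]bool{"member": true, "moderator": true}
	fmt.Println(e.Can("alice", member, "messaging:channel:42", "update")) // false: general Deny beats the owner fallback
	fmt.Println(e.Can("carol", mod, "messaging:channel:43", "update"))    // true: specific Allow is checked first
	fmt.Println(e.Can("dave", guest, "messaging:channel:42", "read"))     // true: nothing set, public-channel fallback
	fmt.Println(e.Can("bob", guest, "messaging:channel:43", "update"))    // true: owner fallback
}
```

The first call is the case an administrator is most likely to get wrong: alice owns channel 42, but because her `member` role carries a general deny on `update`, the engine returns a decision at the general tier and never consults the owner rule. The second call shows the opposite direction, a specific allow on channel 43 taking effect for carol even though her other role denies updates in general. When auditing a role, read its general permissions first; they silently replace the internal defaults for every instance that has no specific permission of its own.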

List of Objects

System

System

Authentication, user role, and application management system.

List of operations:

  • grant: controls if a user can grant permissions on the system’s objects
  • role.create: controls if a user can create a new role

Role

Operations on a specific role, or on any role in the system.

List of operations:

  • read: controls if a user can access any role
  • update: controls if a user can update any role
  • delete: controls if a user can delete any role
  • members.manage: controls if a user can manage members for any role

Messaging

Messaging

  • grant: controls if a user can grant permissions within the messaging service
  • channel.public.create: controls if a user can create a public channel
  • channel.private.create: controls if a user can create a private channel
  • channel.direct.create: controls if a user can create a direct channel

Channel

  • message.send: controls if a user can send a message in any channel
  • message.embed: controls if a user can embed a message in any channel
  • message.attach: controls if a user can attach a file to any channel
  • read: controls if a user can view any channel
  • join: controls if a user can join any channel
  • leave: controls if a user can leave any channel
  • update: controls if a user can update any channel
  • members.manage: controls if a user can manage members in any channel
  • webhooks.manage: controls if a user can manage webhooks in any channel
  • message.update.own: controls if a user can update their messages in any channel
  • message.update.all: controls if a user can update any messages in any channel
  • message.reply: controls if a user can reply to messages in any channel
  • message.react: controls if a user can react to messages in any channel
  • attachments.manage: controls if a user can manage attachments in any channel

CRM

Compose

  • access: controls if a user can access the Compose service
  • grant: controls if a user can grant permissions on the Compose service

Module

  • read: controls if a user can read any module
  • update: controls if a user can update any module
  • delete: controls if a user can delete any module
  • record.create: controls if a user can create a record under any module
  • record.read: controls if a user can read a record under any module
  • record.update: controls if a user can update a record under any module
  • record.delete: controls if a user can delete a record under any module

Page

  • read: controls if a user can read any page
  • update: controls if a user can update any page
  • delete: controls if a user can delete any page

Chart

  • read: controls if a user can read any chart
  • update: controls if a user can update any chart
  • delete: controls if a user can delete any chart

Trigger

  • read: controls if a user can read any trigger
  • update: controls if a user can update any trigger
  • delete: controls if a user can delete any trigger