.. _mes-permission-tutorial:

Permission Tutorial (Legacy)
============================

There is a user, Bob, who just joined Authentise. Authentise created a user for Bob, and he was given the URI
``https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/`` upon creation. Refer to
:ref:`user-tutorial` to see how the user Bob was created. Authentise follows MES, which enforces permissions on resources.

Bob is now given the task of creating some new materials and printers and updating a few existing manufacturers and
other resources. Bob is first directed to the :ref:`mes-tutorial` to understand how to create a few of the resources
managed by the MES system. Bob goes through the tutorial and learns how to create new resources. Now he is all set.

To edit the address of the manufacturer ``https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/``,
he sends the following request:

.. sourcecode:: javascript

    PUT https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
    Content-Type: application/json

    {
        "address" : "221 B Baker St."
    }

    errors: [{
        "code" : "Unauthorized",
        "title" : "You do not have the 'manufacturer.all' permission which is required for this operation"
    }]

He is taken aback by this first error and goes to talk to his senior engineer, Will, who is an expert on permissions.

Will explains to Bob that MES enforces a few permission checks on resources. A user needs certain rights in order to
create, update or delete a resource, whereas he can view the resources in a bureau simply by belonging to it. To see
how Bob was added to the group, refer to :ref:`mes-membership-tutorial`.

Since Bob belongs to the ``authentise`` bureau, he is able to do a GET/LIST on any resource, but he doesn't have any
other rights as of now. Will also assures Bob that they will work together and give him a few rights so that he can
create, edit and delete certain resources.

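
The rule Will describes (bureau membership allows GET/LIST, writes need a ``<resource>.all`` right), as an added example that is not part of the original tutorial or Authentise's own code: a deny-by-default local model over permission records shaped like the ``holder``/``object``/``right`` entries the permissions endpoint returns. The function names, the ``holders`` set (a user URI plus any group URIs), the refusal of non-members and the constructed ``RECORDS`` are assumptions; the resource-to-scope mapping comes from the bureau and location tables in this tutorial.

```python
# Added example: local model only, no API calls. RECORDS is constructed data.
BUREAU_SCOPED = set("currency_conversion location manufacturer material post_processor_type "
                    "printer_type service_provider shipping third_party".split())
LOCATION_SCOPED = {"post_processor", "printer", "stock"}
BUREAU = "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/"
LOCATION = "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/"
BOB = "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
WILL = "https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/"
RECORDS = [  # constructed: state after Will grants Bob manufacturer.all
    {"holder": WILL, "object": BUREAU, "right": "bureau.permission.all"},
    {"holder": BOB, "object": BUREAU, "right": "manufacturer.all"},
]


def required_right(resource, method):
    """Return (scope kind, right) a request needs, or None for a read."""
    if method in ("GET", "LIST"):
        return None  # viewing needs bureau membership only
    if resource in BUREAU_SCOPED:
        return ("bureau", resource + ".all")
    if resource in LOCATION_SCOPED:
        return ("location", resource + ".all")
    raise ValueError("resource type not covered by the tutorial: " + resource)


def authorize(records, holders, is_member, resource, method, location=None):
    """Deny by default; allow a membership read or an exact matching grant."""
    if not is_member:  # assumption: non-members get nothing
        return (False, "not a member of the bureau")
    need = required_right(resource, method)
    if need is None:
        return (True, "read allowed by bureau membership")
    kind, right = need
    scope = BUREAU if kind == "bureau" else location
    for rec in records:
        if rec["holder"] in holders and (rec["object"], rec["right"]) == (scope, right):
            return (True, right)
    return (False, "You do not have the '%s' permission which is required "
                   "for this operation" % right)


def grantors(records, scope):
    """Holders of '<kind>.permission.all' on a scope: who can hand out rights."""
    return sorted(r["holder"] for r in records
                  if r["object"] == scope and r["right"].endswith(".permission.all"))


if __name__ == "__main__":  # Bob's PUT before and after Will's grant
    print([authorize(r, {BOB}, True, "manufacturer", "PUT") for r in (RECORDS[:1], RECORDS)])
```

Running ``grantors`` over a real permissions listing gives the short list of holders whose rights deserve the closest review, since they can extend access to others.
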

Let's see which rights Will holds that allow him to give rights to others.

.. sourcecode:: javascript

    GET https://users.authentise.com/permissions/?filter[namespace]=erp&filter[holder]=https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/

    {
        "resources" : [{
            "holder" : "https://users.authentise.com/users/00000000-0000-0000-0000-0000000-WILL/",
            "namespace" : "erp",
            "object" : "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/",
            "right" : "bureau.permission.all",
            "uri" : "https://users.authentise.com/permissions/5190dc45-eece-4ecf-af8e-f45dcd57e694/"
        },
        {
            "holder" : "https://users.authentise.com/groups/d3c0c9c5-8198-4ba4-86bf-4071e82a86b8/",
            "namespace" : "erp",
            "object" : "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/",
            "right" : "location.permission.all",
            "uri" : "https://users.authentise.com/permissions/5190dc45-eece-4ecf-af8e-847364738473/"
        }]
    }

So it looks like Will has ``bureau.permission.all`` rights on the authentise bureau and ``location.permission.all``
rights on the Sandy, UT location he works at. These are the permissions a user needs in order to give others
individual permissions on resources.

Now let's see how Will gives Bob rights. Will uses two specific endpoints to do so.

Permission on Bureau (Legacy)
-----------------------------

A few resources are directly affected by the rights a user has on the bureau. The resources that fall under this
category are:

.. csv-table:: Rights on Bureau
   :header: "Resource", "Right"

   "currency_conversion", 'currency_conversion.all'
   "location", 'location.all'
   "manufacturer", 'manufacturer.all'
   "material", 'material.all'
   "post_processor_type", 'post_processor_type.all'
   "printer_type", 'printer_type.all'
   "service_provider", 'service_provider.all'
   "shipping", 'shipping.all'
   "third_party", 'third_party.all'

Will gives Bob his first right on the ``bureau`` by giving him ``manufacturer.all`` rights.

.. sourcecode:: javascript

    POST https://erp.authentise.com/permission-bureau/
    Content-Type: application/json

    {
        "bureau" : "https://erp.authentise.com/bureau/00000000-0000-0000-0000-000000bureau/",
        "right" : "manufacturer.all",
        "user" : "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
    }

    LOCATION: https://erp.authentise.com/permission-bureau/MANUFACTURER-ALL-0000-0000-BOB/

Now Bob has ``manufacturer.all`` rights on the bureau he belongs to. He can create, edit and delete any manufacturer
in the bureau. Bob tries to edit the manufacturer again and gets this in return:

.. sourcecode:: javascript

    PUT https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
    Content-Type: application/json

    {
        "address" : "221 B Baker St."
    }

    STATUS CODE: 204

    GET https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/
    Content-Type: application/json

    {
        "name" : "West-1",
        "address" : "221 B Baker St.",
        "notes" : "West-1 represents a printer created.",
        "contact" : {
            "name" : "John Smith",
            "phone" : "123-123-1234"
        },
        "support" : {
            "name" : "Fred Smith",
            "phone" : "123-123-1234"
        },
        "uri" : "https://erp.authentise.com/manufacturer/00000000-0000-0000-0000-000manufacturer/"
    }

He is successful in editing the manufacturer. Awesome. Will similarly gives Bob the other rights for the resources in
the list above, so that Bob can create, edit and delete those resources.

Permission on Location (Legacy)
-------------------------------

A few resources are directly affected by the rights a user has on the location. The resources that fall under this
category are:

.. csv-table:: Rights on Location
   :header: "Resource", "Right"

   "post_processor", 'post_processor.all'
   "printer", 'printer.all'
   "stock", 'stock.all'

Will gives Bob the above rights too. One of the requests he makes, to give the rights for the printer resource, is as
follows:

.. sourcecode:: javascript

    POST https://erp.authentise.com/permission-location/
    Content-Type: application/json

    {
        "location" : "https://erp.authentise.com/location/00000000-0000-0000-0000-000000location/",
        "right" : "printer.all",
        "user" : "https://users.authentise.com/users/00000000-0000-0000-0000-00000-BOB/"
    }

    LOCATION: https://erp.authentise.com/permission-bureau/PRINTER_ALL-0000-0000-0000-0000-BOB/

With the above permissions Bob will be able to manipulate printer resources.

Since Will has some special rights, he is also able to revoke the rights he just gave to Bob. To do so he simply
performs a DELETE request as follows:

.. sourcecode:: javascript

    DELETE https://erp.authentise.com/permission-bureau/PRINTER_ALL-0000-0000-0000-0000-BOB/

    STATUS CODE: 204

Now if Bob tries to manipulate any of the ``printer`` resources, he will get the same error that he is ``