Setting Read / Write Permissions on a Model
Read and write permissions are set separately using the tabs labeled "Read" and "Write". Within each tab, you can check one or more Permission policies. The policies you choose are AND'ed together when permissions are evaluated. For example, if you choose only "By Dimension", the user must match one of the given Value Chain, Ents, Orgs or Sites. If you choose both "By Dimension" and "Custom Permission Policy", the user must match the Value Chain, Ents, Orgs or Sites and also satisfy the conditions set forth in the Java code for the given Custom Permission Policy class.
Procedure 4.2. To set permissions on a model from the Overview tab
Click the role type you want to work with, then set the permission level on the Read and Write tabs accordingly. For Dimension permissions, there are four possibilities on each tab:
Value Chain - anyone with the selected role within the Value Chain can perform the selected action (Read / Write). This prevents a user from performing operations against data that does not belong to his value chain.
Enterprise - anyone within the enterprise and value chain can perform the selected action. This restricts a user from performing actions against data that does not belong to his enterprise.
Org - anyone within the organization, enterprise, and value chain can perform the selected action. This prevents a user from performing actions against data that does not belong to his organization.
Site - anyone within the site, organization, enterprise, and value chain can perform the selected action. This prevents the user from performing actions against data that does not belong to his site.
Within Dimension permissions, the different entities are OR'd when determining access. For example, let's assume you have two Orgs: BuyingOrg and SellingOrg. If you choose "Org" permissions and check both BuyingOrg and SellingOrg, then the user's current role's Org must match either BuyingOrg or SellingOrg to have access to that model. It need not match both.
When working with models programmatically, be sure to fill in the elements required by your permission settings; otherwise, any operations on a model instance will fail.
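The evaluation rules described above (policies AND'ed together, entities within a Dimension policy OR'd, and failure when the required elements are not filled in) can be modelled in a few lines. This is an added example, not the platform's own code: the class and function names are hypothetical, the sample data is constructed, and it assumes each checked entity (BuyingOrg, SellingOrg) names an element on the model instance that holds an Org. It covers only how the checks combine, not the Value Chain / Enterprise / Org / Site hierarchy.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical types modelling the page's rules; not the platform's API.
@dataclass(frozen=True)
class Role:
    value_chain: str
    enterprise: Optional[str] = None
    org: Optional[str] = None
    site: Optional[str] = None

@dataclass(frozen=True)
class DimensionPolicy:
    level: str        # "value_chain", "enterprise", "org" or "site"
    elements: tuple   # checked model elements, e.g. ("BuyingOrg", "SellingOrg")

    def allows(self, role, record):
        mine = getattr(role, self.level)
        if mine is None:          # role carries no value for this dimension
            return False
        # OR across the checked elements; an unfilled element never matches.
        return any(record.get(e) == mine for e in self.elements)

@dataclass(frozen=True)
class CustomPolicy:
    check: Callable   # stands in for a Custom Permission Policy class

    def allows(self, role, record):
        return bool(self.check(role, record))

def is_permitted(policies, role, record):
    # AND across every policy checked on the tab.
    # Assumption: a tab with no policy checked denies (fail closed).
    return bool(policies) and all(p.allows(role, record) for p in policies)

# Constructed sample data.
ORDER = {"BuyingOrg": "AcmeRetail", "SellingOrg": "GlobexSupply", "Status": "Open"}
buyer = Role("VC1", org="AcmeRetail")
seller = Role("VC1", org="GlobexSupply")
outsider = Role("VC1", org="Initech")
by_org = DimensionPolicy("org", ("BuyingOrg", "SellingOrg"))
open_only = CustomPolicy(lambda role, rec: rec.get("Status") == "Open")

if __name__ == "__main__":
    for name, role in (("buyer", buyer), ("seller", seller), ("outsider", outsider)):
        print(name, is_permitted([by_org, open_only], role, ORDER))
```

A model instance created programmatically without BuyingOrg or SellingOrg is denied to every role under this model, which is the failure the last paragraph warns about.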