Basic Permissions and Privileges

Not all applications would require the usage of ACLs to finely tune the permission model for each of the entities in their application. At a default level, the ACLs are defined on each entity within your mitter.io application such that a basic permission model is provided in terms of access and grants to an acting user.

Throughout the document we have covered the permissibiltiy of each operation depending on the actor and this page merely collects all that information in one place. In this document .system referes to the user that is resolved when accessing the APIs using an application access key/secret.

Channel

For a channel:

  1. Creating

    1. Any authenticated user can create a channel

    2. .system can create a channel

  2. Deletion

    1. Only .system can delete a channel

  3. Adding a participant

    1. Any authenticated user add themselves to a channel

    2. .system can add any user to any channel

  4. Removing a participant

    1. Any authenticated user can remove themselves from a channel.

    2. .system can remove any participant from any channel

  5. Getting a list of participants

    1. Any participant of a channel can get a list of all participants in that channel.

    2. .system can get all participants for any channel.

  6. Getting a channel object

    1. Any participant of a channel can access the channel object.

    2. .system can get the channel object for any channel.

Message

For a message:

  1. Sending

    1. Any participant of a channel can send a message to a that channel with themselves as the sender.

    2. .system can send a message to any channel with any user as the sender.

  2. Reading

    1. Any participant of a channel can read and will receive all messages that are sent to a channel.

    2. .system can read any message on any channel, but it won't receive any messages as .system cannot assign delivery endpoints to itself.

  3. Deleting

    1. Any authenticated user can delete a message that was sent by them.

    2. .system can delete any message.

User Operations

  1. Creating

    1. Only .system can create users

  2. Authentication

    1. Only .system can get tokens issued, revoked or listed for any user, except itself.

    2. Any authenticated user can get additional tokens for themselves.

    3. Any authenticated user can revoke any token that has been issued to them.

    4. Any authenticated user an list all token ids for tokens that have been issued to them.

  3. Deletion

    1. Only .system can delete users.

  4. Metadata

    1. Any authenticated user can fetch or patch metadata for themselves.

    2. .system can fetch and patch metadata for any user, except itself.

PreviousFederated AuthenticationNextACLs and Advanced Permission Model

Last updated