Restrict permissions - advanced example

In case multiple lines of permissions are added to an object, they are applied from top to bottom. So if the last permission of a list matches any and has mode deny set, it would overrule all entries before

The following configuration removes root write permissions from the Readonly user group. If Own permission is restricted for this group, users will not be able to edit the configuration items as well:

In this example, any user is restricted and only sees an empty SKOOR Engine, when logging in the first time. Members of the Readonly group are allowed to see the users and alarm devices. Members of the SKOOR Group are allowed to change or add root items, like alarm devices or configuration Items.

No groups below /root are visible when logging in with a user of user group SKOOR or Readonly:

As super user, click Edit parameters on all the 2nd level groups to define permissions:


Open the permissions screen:


The upper half of the permission settings will adjust the access rights for the group itself. The lower part is the setting for all referring objects, which means all objects which have, in this example, root as their parent object. With the following setting, nobody except members of the SKOOR and Readonly user groups is allowed to see the group SKOOR Engine while only the SKOOR group is allowed to edit content: