Sharing & Permissions

In Syntasa, access control operates at two levels:

  • Roles (RBAC): Define access to modules and objects. This doesn't define permissions. 
  • Permissions: Define what actions a user can perform on a specific record of a object. 

Even when a user has access to an object (such as Connections or Runtimes), the actions they can perform depend on the permissions assigned to each object record.

Key Terminology

  • Object : A feature such as Connection, Runtime, App, etc.
  • Object Record: An individual instance of a component (e.g., a specific connection or runtime).

How Permissions Work at the Record Level

When a user creates an object record (for example, a connection), they can choose to keep it private or share it with others. Records can be shared with:

  • Public
  • User Groups

During sharing, a permission level (such as Viewer, Editor, or Manager) is assigned to the record. This permission defines what actions other users can perform on that specific object record.

Example Scenario

Given:

  • User A belongs to Group X
  • User B belongs to Group Y
  • User C belongs to Group Z

A connection record named Connection A exists:

  • Shared with Group X with Viewer permission
  • Shared with Group Y with Editor permission
  • Shared with Group Z with Manager permission
  • Shared with Public with Viewer Permission

Outcome:

  • User A can view the details of Connection A but cannot edit, delete, or share it.
  • User B can view and edit the details of Connection A but cannot delete, or share it.
  • User C can view, edit, share, and delete Connection A.
  • Any other user from public can view the details of Connection A but cannot edit, delete, or share it.

Even though all three users A, B and C have access to the same connection record, the actions they can perform differ based on the permissions assigned at the record level.

Available Permissions

Syntasa currently supports the following permissions:

  • Use

  • Viewer

  • Execute

  • Editor

  • Deploy

  • Manager

It is important to understand that not all permissions are applicable to every object. The availability of a permission depends on the type of object. This ensures that users only get actions that are relevant to that specific object.

Below is the mapping of permissions based on object type:

  1. Viewer - to all objects

  2. Editor- To all objects

  3. Manager - to all objects

  4. Use - UDP(User-Defined Process) only

  5. Execute - Apps only

  6. Deploy - Apps only

This ensures that users are granted appropriate and context-specific capabilities on each object record, enabling precise and controlled access management.

Permission Definitions

The meaning and capabilities of each permission type are described below (from lowest to highest level of access):

  1. Use
    • Applicable only to UDP
    • Allows the user to use the UDP within an application
    • The user cannot view or modify the UDP definition
  2. Viewer
    • Read-only access to the object record
    • The user can view the configuration
    • Cannot edit, delete, or share the object
  3. Editor
    • Allows modification of the object configuration
    • The user can update details of the object
    • Cannot delete or manage sharing/permissions
  4. Execute
    • Applicable to Apps
    • Allows the user to create jobs and run the app in both development and production workflows
    • Cannot edit, delete, or share the app
  5. Deploy
    • Applicable to Apps
    • Allows the user to deploy workflows to production
    • Includes the ability to modify app configuration required for deployment
  6. Manager
    • Highest level of permission for an object record
    • Allows full control, including: Edit, Delete, Share and manage permissions
    • For Apps, this also includes Execute and Deploy capabilities

Understanding Permission Priority with Multiple Sharing  

With Syntasa 9.1, an object record can be shared simultaneously with public as well as specific user groups, each with different permission levels.

For example, a record can be:

  • Shared with Public with Manager permission
  • Shared with User Group A with Viewer permission

In such cases, a user’s effective access depends on the combination of permissions assigned through public access and group membership. To understand how permissions are evaluated in such scenario where a user has multiple permissions, refer to user guide: Understanding Permission Priority with Multiple Sharing