A ACE user is given an access role containing access functions. The access functions define exactly which ACE functions the user is able to utilise. An overview of the Access roles window, and the full description of how to manage an access role and its access functions, are found in Basics about access roles.
An access function consists of two parts:
- The so-called operation. What the user is allowed to do.
- Modify
- Change configurations of objects.
If you are entitled to
Modify user
, you can e.g. change the surname and first name in a user accounts. - Own
- Create and delete objects, as well as modify as described above.
- View
- View objects, i.e. to see their occurrence and the configurations associated with the objects.
If you are entitled to e.g. View user, you can see a person’s surname and first name but not change the names in the user account.
- Execute
- Carry out the function that object represents. Execute is quite different from Own and Modify. The Execute operation can only be combined with object types that in themselves represent functional possibilities in ACE. See example below.
- The so-called object type. Where and what the user is allowed to Modify, Own, View and Execute.
All described in The list of all access functions.
An example...
The operation is Modify.
The object type is System global address book.
There is an access function named Modify system global address book.
A user with an access role that contains Modify system global address book can change the content of a system global address book.
However, the user cannot create or delete such an address book. This would require the more powerful operation Own. The user’s role would have to contain the Own system global address book access function.