aboutsummaryrefslogtreecommitdiff

Ownership Scoping

back to permissions /// home

When you have a get noscoped permission code (rwo, rwg, ro, rg) jaysonderulo must automatically restrict which rows you can see and modify. This is done through the pinned_to system column.

How pinned_to works

pinned_to is a by default auto managed system column that should be added to tables (unless the table opts out). When you insert a row pinned_to gets set to your user ID.

The server should use this column to filter rows based on your permission level:

Own scoping (rwo, ro)

Should add WHERE table.pinned_to = <your_user_id> to every query. You can only see and modify rows where pinned_to equals your own user ID.

Group scoping (rwg, rg)

Should add a subquery filter that checks if pinned_to belongs to any user in the same core group as you. So you can see rows created by anyone in your core group afaik but not by people in other groups.

On insert

When you insert a row: - pinned_to should be automatically set to your user ID - if you have rwa permission you can explicitly set pinned_to to someone else (like assigning a row to another user) - with any other permission code you cant override pinned_to, its always you so json derulo can strip for you <3

On update and delete

The ownership filter should be applied to the WHERE clause so: - with rwo you can only update/delete rows you own - with rwg you can only update/delete rows owned by someone in your group - with rw/rwa theres little/no restriction (unless overwritten by advanced type rules)

On select and count

Same deal. The filter should be injected so you only see rows youre allowed to see. Count only counts rows you have access to.

Tables without pinned_to

If a table has opted out of the pinned_to system column (via system_column_overrides) then ownership scoping cant work on it. So dont give ownership scoped permissions (rwo, rwg, ro, rg) to tables that dont have the pinned_to column, How the server handles such exceptions is not explecityly rules for JDE v2 so either jsonderulo hangs itself because he cant serve your request or it might just give the permission without o or the g addition. Will be spanked to be standardized in future jde revisions.

generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-02-16 04:17:32 +0000