# Ownership Scoping [back to permissions](README.md) /// [home](../README.md) When you have a get noscoped permission code (`rwo`, `rwg`, `ro`, `rg`) jaysonderulo must automatically restrict which rows you can see and modify. This is done through the `pinned_to` system column. ## How pinned_to works `pinned_to` is a by default auto managed system column that should be added to tables (unless the table opts out). When you insert a row `pinned_to` gets set to your user ID. The server should use this column to filter rows based on your permission level: ### Own scoping (rwo, ro) Should add `WHERE table.pinned_to = ` to every query. You can only see and modify rows where `pinned_to` equals your own user ID. ### Group scoping (rwg, rg) Should add a subquery filter that checks if `pinned_to` belongs to any user in the same core group as you. So you can see rows created by anyone in your core group afaik but not by people in other groups. ## On insert When you insert a row: - `pinned_to` should be automatically set to your user ID - if you have `rwa` permission you can explicitly set `pinned_to` to someone else (like assigning a row to another user) - with any other permission code you cant override `pinned_to`, its always you so json derulo can strip for you <3 ## On update and delete The ownership filter should be applied to the WHERE clause so: - with `rwo` you can only update/delete rows you own - with `rwg` you can only update/delete rows owned by someone in your group - with `rw`/`rwa` theres little/no restriction (unless overwritten by advanced type rules) ## On select and count Same deal. The filter should be injected so you only see rows youre allowed to see. Count only counts rows you have access to. ## Tables without pinned_to If a table has opted out of the `pinned_to` system column (via `system_column_overrides`) then ownership scoping cant work on it. So dont give ownership scoped permissions (`rwo`, `rwg`, `ro`, `rg`) to tables that dont have the `pinned_to` column, How the server handles such exceptions is not explecityly rules for JDE v2 so either jsonderulo hangs itself because he cant serve your request or it might just give the permission without `o` or the `g` addition. Will be spanked to be standardized in future jde revisions.