# Table Permissions

[back to permissions](README.md) /// [home](../README.md)

Every table has a permission code that controls what actions are allowed. These are set in the groups config (both core groups and toolkit groups). A compliant jsonderulo server must support all of these.

## Permission Codes

| Code | Name | Read | Write | Row Restriction |
|------|------|------|-------|----------------|
| `rwa` | read write all | yes | yes | none (can also write system columns) |
| `rw` | read write | yes | yes | none |
| `rwg` | read write group | yes | yes | only rows owned by users in your group |
| `rwo` | read write own | yes | yes | only rows you own |
| `r` | read | yes | no | none |
| `rg` | read group | yes | no | only rows owned by users in your group |
| `ro` | read own | yes | no | only rows you own |

## What the codes mean

### Full access codes

**rwa** is the admin code. It gives full read and write plus the ability to write system columns directly (like setting `pinned_to` to another user on insert). Only give this to trusted admin groups, obviously.

**rw** is standard read write. You can read and write everything, but system columns should be auto-managed by the server; you can't override them.

### Scoped write codes

**rwg** lets you read and write, but only rows where `pinned_to` belongs to a user in the same core group as you. Good for team-based access where a team can see and edit their own team's stuff.

**rwo** is the same but personal. You can only touch rows where `pinned_to` equals your own user id.

### Read only codes

**r** read everything, write nothing.

**rg** read only rows belonging to your group's users.

**ro** read only your own rows.

## Format in config

Permission rules are stored as JSON arrays of `"table:code"` strings:

```json
["*:rw", "jde_settings:r", "vfy_logs:r"]
```

`*` is the wildcard. It applies to every table that doesn't have its own explicit rule. So in the example above every table gets `rw` except `jde_settings` and `vfy_logs`, which are read only.
## Read only tables

Tables marked as `read_only` in the toolkit config should automatically have their writable codes downgraded:

| Original | Downgraded to |
|----------|--------------|
| `rwa` | `r` |
| `rw` | `r` |
| `rwg` | `rg` |
| `rwo` | `ro` |

So even if your group gives you `rw` on a read only table, you effectively only get `r`.
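
An added example, not jsonderulo's own code, that resolves a rule list to the effective code for a table (explicit rule over `*`, then the `read_only` downgrade) and checks a single row against that code. The function names, rejecting duplicate rules, and denying access when neither an explicit rule nor `*` matches are assumptions the page does not specify.

```python
# Added example, not jsonderulo code. Names, duplicate rejection and
# deny-when-unmatched are assumptions the page does not specify.
VALID_CODES = {"rwa", "rw", "rwg", "rwo", "r", "rg", "ro"}
DOWNGRADE = {"rwa": "r", "rw": "r", "rwg": "rg", "rwo": "ro"}


def parse_rules(rules):
    """Turn ["table:code", ...] into {table: code}, rejecting malformed entries."""
    parsed = {}
    for rule in rules:
        table, sep, code = rule.rpartition(":")
        if not sep or not table or code not in VALID_CODES:
            raise ValueError(f"invalid permission rule: {rule!r}")
        if table in parsed:
            raise ValueError(f"duplicate rule for table: {table!r}")
        parsed[table] = code
    return parsed


def effective_code(rules, table, read_only_tables=()):
    """Explicit rule wins over "*"; read_only tables lose their write half."""
    parsed = parse_rules(rules)
    code = parsed.get(table, parsed.get("*"))
    if code is None:
        return None  # assumption: no rule and no wildcard means no access
    if table in read_only_tables:
        code = DOWNGRADE.get(code, code)
    return code


def can_access(code, action, user_id, group_user_ids, row_owner):
    """Check one row. action is "read" or "write"; row_owner is pinned_to."""
    if code is None or action not in ("read", "write"):
        return False
    if action == "write" and not code.startswith("rw"):
        return False
    if code.endswith("g"):  # rwg / rg: owner must be in the caller's group
        return row_owner in group_user_ids
    if code.endswith("o"):  # rwo / ro: owner must be the caller
        return row_owner == user_id
    return True  # rwa / rw / r: no row restriction


def can_write_system_columns(code):
    """Only rwa may set system columns such as pinned_to directly."""
    return code == "rwa"
```

`group_user_ids` is expected to hold the ids of every user in the caller's core group, the caller included.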