.. _permissions:

Administrative Permissions for Staff users
==========================================
Permissions consist of 3 parts, delimited by a pipe (``|``). In order, these
are:

* Category of the permissions
* Object of the permission in the category
* Permission on this object

There are 4 kinds of permissions.

:view:
   The staff user can only see this object, but not change it.
:change:
   Viewing and altering the object is permitted.
:add:
   The user can add an object of this type.
:delete:
   The user is able to delete objects of this type.

.. note::
  It is **highly** recommended not to give add, delete, and change permissions
  for objects in the zonecontrol category to users. These objects can usually
  be manipulated via the zone-editor. In the administrative interface, Role
  restrictions are enforced for many of these objects regardless.


admin category
--------------
These are permissions related to the administrative web interface.

:log entry:
   Access permissions for `Log Entries <https://docs.djangoproject.com/en/2.2/ref/contrib/admin/#logentry-objects>`__
   of all actions done by users in the administrative interface.

auth category
-------------
This category relates to all authentication and authorization.

:user:
   Access permissions for :ref:`entities-users`.
:group:
   Access permissions for :ref:`entities-groups`.

Permission details
^^^^^^^^^^^^^^^^^^
Users with the ``auth | group | Can change group`` and ``auth | user | Can change user``
permissions and staff status can add users to the groups they themselves already belong
to. Groups that the staff-user is not a member of are not shown to them unless they
have the superuser permissions.

Only the super-user can:

* See or give staff status
* See or give superuser status
* Edit user permissions
* Edit group permissions

Recommended auth permissions for staff-user are::

  auth | user | Can change user
  auth | group | Can change group

authtoken category
------------------
This category is about users' API tokens.

:Token:
  Access permissions for Tokens.

zonecontrol category
--------------------
This category has all the objects that are stored inside zone control.

:auditlog:
   These permissions control the user's access to the audit logs.
   Note that audit logs are read-only, whether or not the user has "change" or
   "delete" permissions.
:role:
   Permissions for :ref:`entities-roles`.
:scheduled change:
   Access to the administrative page for scheduled changes.
:server:
   Permissions on the :ref:`entities-servers` objects.
:zone comment:
   Permissions relating to Zone Comments visible in the administrative
   interface.
:zone version:
   Permissions relating to Zone Comments visible in the administrative
   interface.
