.. _permissions:

Administrative Permissions for Staff users
==========================================

Permissions consist of 3 parts, delimited by a pipe (``|``). In order, these are:

* Category of the permissions
* Object of the permission in the category
* Permission on this object

There are 4 kinds of permissions.

:view: The staff user can only see this object, but not change it.
:change: Viewing and altering the object is permitted.
:add: The user can add an object of this type.
:delete: The user is able to delete objects of this type.

.. note::
  It is **highly** recommended to not give add, delete, and change
  permissions for objects in the zonecontrol category to users. These objects
  can usually be manipulated via the zone-editor. In the administrative
  interface, Role restrictions are enforced for many of these objects
  regardless.

admin category
--------------

These are permissions related to the administrative web interface.

:log entry: Access permissions for Log Entries of all actions done by users
  in the administrative interface.

auth category
-------------

This category relates to all authentication and authorization.

:user: Access permissions for :ref:`entities-users`.
:group: Access permissions for :ref:`entities-groups`.

Permission details
^^^^^^^^^^^^^^^^^^

Users with the ``auth | group | Can change group`` and
``auth | user | Can change user`` permissions and staff status can add users
to the groups they themselves already belong to. Groups the staff user is not
a member of are not shown to them unless they have the superuser permissions.

Only the superuser can:

* See or give staff status
* See or give superuser status
* Edit user permissions
* Edit group permissions

Recommended auth permissions for staff users are::

  auth | user | Can change user
  auth | group | Can change group

authtoken category
------------------

This category is about users' API tokens.

:Token: Access permissions for Tokens.

zonecontrol category
--------------------

This category has all the objects that are stored inside zone control.

:auditlog: These permissions control the user's access to the audit logs.
  Note that audit logs are read-only, whether or not the user has "change"
  or "delete" permissions.
:role: Permissions for :ref:`entities-roles`.
:scheduled change: Access to the administrative page for scheduled changes.
:server: Permissions on the :ref:`entities-servers` objects.
:zone comment: Permissions relating to Zone Comments visible in the
  administrative interface.
:zone version: Permissions relating to Zone Comments visible in the
  administrative interface.
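
The recommendations above (no add, change, or delete permissions in the zonecontrol category, and only the two listed auth permissions for staff users) can be checked mechanically against a staff user's assigned permissions. The following is an added example, not code from this project; the function names and the sample list are constructed for illustration, and it assumes the third part always reads ``Can <kind> <object>`` as in the two permission strings shown on this page.

```python
from typing import NamedTuple

KINDS = {"view", "change", "add", "delete"}  # the four kinds listed on this page

class Permission(NamedTuple):
    category: str
    obj: str
    kind: str

def parse_permission(text: str) -> Permission:
    """Split 'category | object | Can <kind> <object>' into its three parts."""
    parts = [p.strip() for p in text.split("|")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 3 pipe-delimited parts")
    category, obj, label = parts
    words = label.lower().split()
    # Assumption: the third part reads 'Can <kind> ...', as in the page's examples.
    if len(words) < 2 or words[0] != "can" or words[1] not in KINDS:
        raise ValueError("third part does not name view/change/add/delete")
    return Permission(category.lower(), obj.lower(), words[1])

# The two permissions this page recommends for staff users in the auth category.
RECOMMENDED_AUTH = {Permission("auth", "user", "change"),
                    Permission("auth", "group", "change")}

def audit_staff_permissions(assigned):
    """Return (permission string, reason) pairs that deviate from the page's advice."""
    findings = []
    for text in assigned:
        try:
            perm = parse_permission(text)
        except ValueError as exc:
            findings.append((text, f"unparseable: {exc}"))
            continue
        if perm.category == "zonecontrol" and perm.kind != "view":
            findings.append((text, "add/change/delete on zonecontrol not recommended"))
        elif perm.category == "auth" and perm not in RECOMMENDED_AUTH:
            findings.append((text, "outside the recommended auth permissions"))
    return findings

# Constructed sample: permissions assigned to one hypothetical staff user.
SAMPLE = ["auth | user | Can change user", "auth | group | Can change group",
          "zonecontrol | server | Can view server", "zonecontrol | role | Can delete role",
          "zonecontrol | zone comment | Can add zone comment",
          "auth | user | Can delete user", "authtoken token"]

if __name__ == "__main__":
    for text, reason in audit_staff_permissions(SAMPLE):
        print(f"{text!r}: {reason}")
```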