Access Control & Management

  1. For models/fields which have no access rules, everyone by default has access.
  2. All users are subject to access rules whose group is left blank. Users are also subject to access rules that apply to the groups to which they belong.
  3. If contradictory access rules apply to a single user, the most permissive applies.
    1. Example: If a global (group blank) access rule denies access, but a group-specific access rule grants access, then access is allowed.
    2. Example: If a global (group blank) access rule allows access, then everyone will have access; no group-specific rules can block it. (Thus, globally granting access is a bad idea. Better to just leave the target alone, in which case the default rule will apply, permitting access.)
  4. Access “rules” can be set for Groups. These make access dependent on whether the circumstances meet administrator-specified tests. Using these may hurt system speed.
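
The evaluation order in items 1 to 3, as an added example (not code from the system this page describes) with a small audit that lists deny rules a global allow makes ineffective. The `AccessRule` class, the function names and the sample models and groups are constructed for illustration. It assumes that when a model has rules but none applies to the user, access is denied, which the page does not state; the conditional rules of item 4 are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessRule:
    model: str
    group: Optional[str]  # None = group left blank (global rule)
    allow: bool

def is_allowed(user_groups, model, rules):
    """Decide access for one user on one model."""
    for_model = [r for r in rules if r.model == model]
    if not for_model:
        return True  # item 1: no access rules at all, everyone has access
    # item 2: global rules plus rules for the user's own groups
    applicable = [r for r in for_model
                  if r.group is None or r.group in user_groups]
    # item 3: the most permissive applicable rule wins.
    # Assumption (not stated on the page): rules exist for the model but
    # none applies to this user -> deny; any() of an empty list is False.
    return any(r.allow for r in applicable)

def ineffective_denies(rules):
    """Deny rules overridden by a global allow on the same model (item 3.2)."""
    open_models = {r.model for r in rules if r.group is None and r.allow}
    return [r for r in rules if not r.allow and r.model in open_models]

# Constructed sample rule set
RULES = [
    AccessRule("invoice", None, False),          # global deny
    AccessRule("invoice", "accounting", True),   # group grant wins (3.1)
    AccessRule("payroll", None, True),           # global allow
    AccessRule("payroll", "interns", False),     # cannot block it (3.2)
]

if __name__ == "__main__":
    print(is_allowed({"accounting"}, "invoice", RULES))
    print(is_allowed({"interns"}, "payroll", RULES))
    for rule in ineffective_denies(RULES):
        print("ineffective deny:", rule)
```

Running `ineffective_denies` over an exported rule set is a quick review step: every rule it returns is a restriction an administrator believes is in force but is not.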