Programmer-oriented reference for permission assignment and evaluation.

| Value | Meaning |
|---|---|
| null | No access (invisible) |
| 0 | Base access (visible, no specific permissions) |
| > 0 | Specific permission bits |

| Scope | User | Device | Enum |
|---|---|---|---|
| Instance | ✓ | ✗ | UserInstancePermissions |
| Project | ✓ | ✓ | User: UserProjectPermissions, Device: IndividualProjectPermissions |
| Object structure (OT) | ✓ | ✓ | IndividualTablePermissions |
| Object (O) | ✓ | ✓ | IndividualTablePermissions |

OT permissions combine with (not replace) project permissions. Object permissions inherit from OT and project.

| Bit | Name | Effect |
|---|---|---|
| 0 | ALL_PROJECTS_ACCESS | Equivalent of base project access for all projects |
| 1 | GROUP_ORGANIZER | Can create groups |

| Bit | Name | Effect |
|---|---|---|
| 25 | ARCHITECT | Create/edit/delete table structures; see deleted structures |
| 26 | ROLE_MODERATOR | Manage role permissions/defaults; invite users |
| 28 | ADMIN | Full project visibility including deleted/history contexts |

| Bit | Name | Effect |
|---|---|---|
| 27 | PRIVATE_OBJECTS_ENTRUSTED | Access all private objects with inherited OT permissions |

| Bit | Name | Effect |
|---|---|---|
| 4 | OBJECT_MANAGER | Add/edit/delete objects |
| 5 | DATA_ANALYST | Read and process data |
| 6 | DATA_SOURCE | Insert data, read last value |
| 7 | DATA_MANAGER | Edit/delete data, read last value |

| Bit | Name | Effect |
|---|---|---|
| 0 | OWNER | Edit and delete the role |
| 1 | USER_MODERATOR | Invite/remove users, manage their role permissions |
| 2 | DEVICE_MODERATOR | Create/add/remove devices, manage device role permissions |
| 3 | DEVICE_DESIGNER | Configure devices |

| Bit | Name | Effect |
|---|---|---|
| 0 | IS_OWNED | Device can be deleted by group |
| 1 | IS_CONFIGURED | Device can be configured by group, keys can be managed |
| 2 | IS_MODERATED | Device can be added to another group |

Device capability mask is computed from group members' role permissions:
- DEVICE_MODERATOR + DEVICE_DESIGNER → full mask
- DEVICE_MODERATOR only → remove IS_CONFIGURED
- DEVICE_DESIGNER only → remove IS_OWNED and IS_MODERATED
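
The three mask rules above, written out as an added Python example (not code from this reference or the project it documents). The class names `RolePermissions` and `DeviceCapabilities`, the function `device_capability_mask`, OR-ing the members' role bits together, and returning an empty mask when no member holds either device bit are assumptions; the bit positions come from the tables above.

```python
from enum import IntFlag
from typing import Iterable, Optional


class RolePermissions(IntFlag):      # bits 0-3 of the role permission table
    OWNER = 1 << 0
    USER_MODERATOR = 1 << 1
    DEVICE_MODERATOR = 1 << 2
    DEVICE_DESIGNER = 1 << 3


class DeviceCapabilities(IntFlag):   # bits 0-2 of the device capability table
    IS_OWNED = 1 << 0
    IS_CONFIGURED = 1 << 1
    IS_MODERATED = 1 << 2


FULL_MASK = (DeviceCapabilities.IS_OWNED
             | DeviceCapabilities.IS_CONFIGURED
             | DeviceCapabilities.IS_MODERATED)


def device_capability_mask(member_roles: Iterable[Optional[int]]) -> DeviceCapabilities:
    """Derive a group's capability mask over a device from its members' role values."""
    combined = 0
    for value in member_roles:
        if value is None:          # null = no access, contributes nothing
            continue
        if value < 0:
            raise ValueError(f"invalid role permission value: {value}")
        combined |= value          # assumption: members' bits are OR-ed together

    moderator = bool(combined & RolePermissions.DEVICE_MODERATOR)
    designer = bool(combined & RolePermissions.DEVICE_DESIGNER)

    mask = FULL_MASK
    if not designer:               # DEVICE_MODERATOR only -> remove IS_CONFIGURED
        mask &= ~DeviceCapabilities.IS_CONFIGURED
    if not moderator:              # DEVICE_DESIGNER only -> remove IS_OWNED, IS_MODERATED
        mask &= ~(DeviceCapabilities.IS_OWNED | DeviceCapabilities.IS_MODERATED)
    return mask                    # neither bit -> empty mask (assumption: fail closed)


if __name__ == "__main__":
    # Constructed sample groups: each list holds members' role permission values.
    for roles in ([0b1100], [0b0100], [0b1000], [0b0100, 0b1000], [None, 0, 0b0011]):
        print(roles, "->", repr(device_capability_mask(roles)))
```
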

| Action | ARCHITECT | ROLE_MODERATOR | OBJECT_MANAGER | DATA_ANALYST | DATA_SOURCE | DATA_MANAGER |
|---|---|---|---|---|---|---|
| View object list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View generated OT/DT | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| View OT/DT structure definition | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Create/modify structures | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Read data | ✓ | ✓ | ✗ | ✓ | ✗ | ✓ |
| Insert data | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Edit/delete data | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Create/edit objects | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ |
| Manage role permissions | ✗ | ✓ | ✗ | ✗ | ✗ | ✗ |

Effective rights = Instance → Project → OT → Object.
Rights are additive through the chain. Exception: private objects without PRIVATE_OBJECTS_ENTRUSTED use only explicit object-level grants.
See Permissions for full evaluation flow.