In order to facilitate user management, a special permissions scheme applies to the UserService (only), where permissions are inherited by child users (unless a user is assigned to a different category) as follows:
A user with only operator-read permissions (r) has read-only access to operator-level properties of their own user account (all other users are hidden).
A user with operator-write permissions (rw) has read/write access to operator-level properties of their own user account (all other users are hidden).
A user with admin-Read permissions (rR) has read-only access to all properties of all available users.
A user with admin-Write permissions (rwRW) has read/write access to all properties of all available non-super users. Moreover, they have access to the User Manager, so they can add new users and also delete selected users. In addition, the Permissions Browser view of the UserService is available.
Starting in AX-3.7 and in security patches for prior releases, changes were made such that a user cannot assign permissions to other users that they do not have themselves. For example, a “non-super user” cannot assign other users permissions on categories that they lack.
By default, operator properties of User are Email, Password, Cell Phone Number, and Facets (time format and unit conversion). If needed, from the slot sheet of User(s) you can edit config flags to change which slots are operator versus admin. For example, you might change the fullName slot to operator.
This simplified scheme is useful when you want to let each user change their own password, but not have access to other users. In this case, give all “non-super” users operator-write (rw) permissions only on the UserService. By default starting in AX-3.7, the New Station Wizard assigns the UserService to the “Admin” named category (category 2), along with the CategoryService and UserService. Remember, any user granted super user permissions has full access to all objects, and moreover can add more super users.
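The two rules above, modeled as an added example (a standalone Python sketch, not Tridium or Niagara code): `excess_grants` checks that a grantor holds every permission being assigned, and `audit_user_service` lists non-super users who hold more than operator-write (rw) on the UserService's category. The account names, the data layout and the function names are assumptions made for illustration.

```python
# Standalone model of the rules described above; not Niagara/Tridium code.
# Permission maps are {category index: permission letters}. All data is constructed.

USER_SERVICE_CATEGORY = 2   # "Admin" category assigned by the New Station Wizard (AX-3.7 default)
SELF_SERVICE = set("rw")    # operator-write: edit own operator-level slots only


def excess_grants(grantor_perms, proposed_perms, grantor_is_super=False):
    """Return {category: letters} that the grantor would assign but does not hold."""
    if grantor_is_super:
        return {}  # super users have access to all objects
    excess = {}
    for category, letters in proposed_perms.items():
        missing = set(letters) - set(grantor_perms.get(category, ""))
        if missing:
            excess[category] = "".join(sorted(missing))
    return excess


def audit_user_service(users, category=USER_SERVICE_CATEGORY):
    """List non-super users holding more than operator-write on the UserService category."""
    findings = []
    for name, info in sorted(users.items()):
        if info.get("super"):
            continue
        extra = set(info["perms"].get(category, "")) - SELF_SERVICE
        if extra:
            findings.append((name, "".join(sorted(extra))))
    return findings


# Constructed sample station accounts (hypothetical names).
USERS = {
    "admin":    {"super": True,  "perms": {}},
    "facility": {"super": False, "perms": {1: "rw", 2: "rwRW"}},
    "operator": {"super": False, "perms": {1: "r", 2: "rw"}},
    "auditor":  {"super": False, "perms": {1: "r", 2: "rR"}},
}

if __name__ == "__main__":
    # facility holds rw on category 1 and nothing on category 3
    print(excess_grants(USERS["facility"]["perms"], {1: "rwRW", 2: "rw", 3: "r"}))
    print(audit_user_service(USERS))
```

An empty result from `excess_grants` means the proposed assignment stays within what the grantor already holds; each entry from `audit_user_service` is an account that deviates from the simplified rw-only scheme and should be reviewed.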
Copyright © 2000-2014 Tridium Inc. All rights reserved.