1 of 1 people found this helpful
In general, access to objects can be restricted to either read or write capabilities by virtues of user permissions mapped via ObjectPermissions object. We haven't implement that feature in our application for reasons of our own.
We just give access to specific workspaces under the Administrator to only authorized "Admins" of that workspace.
e.g. only a few "Admins" would be given access to the User Manager workspace. Hence, only they are allowed to edit/create Groups, Roles and Permissions.
We use the query/report route to provide the list of privileges and their users, to other Business users.
For the report, do you want to include the default permissions, if any, (assigned to all users in your application)?
If there are such permissions, roles or groups, I would suggest to remove them from the query/report, to make the report smaller and yet eliminate obvious/default data.
Thank you so much for the input! Yes, it would be helpful to exclude some common permissions that all users have. Do you have a query that you could share with me? We have no trouble pulling the permissions/roles/groups that are directly granted - it's finding the stuff that is granted indirectly (e.g. a permission on a role, which is on a group, in which the user is enrolled). I was looking at the "FlattenedRoles" and "FlattenedGroups", but that doesn't seem to be what I want either. Any help would be appreciated!
I will try to send you via PM.