Rights Management

Per user data storage

Some ZetaPush services store user data: Database storage (GDA), File Storage (Local Storage), data stacks …
Each time a piece of data is stored, the storage is done for the current user : for example, if a user Foo1 stores DataBar1, the user Foo2 can’t see DataBar1. Unless user Foo1 explicitly shares data with a group containing Foo2

Per User Service Storage

How does access control work ?

Access control is always enabled : that means that there is absolutely no way for one of your users to have access to another user's data without you allowing it.
By default, data is stored separately for each user : two users issuing the same exact GDA request will manipulate different and independent data. For example, if a user Foo1 stores DataBar1, the user Foo2 can’t see DataBar1. Unless user Foo1 explicitly shares data with one of his/her groups containing Foo2
For one user to access data from another user, the owner field of the APIs must be used. The use of this field triggers access control.

There are two ways to share data amongst users :

Group based sharing

Users can share their data using a group within the Groups Management Service . Notice that rights granting is done per service verb. If you grant only read access to a GDA to a group Group1 (get verb), group Group1 cannot write data (put verb). For example, you want user Foo1 to share data with user Foo2. User Foo1 grants his group Group1 the right to read data and adds user Foo2 to his group Group1. Note that the groups are stored per user too : if two users have groups with exactly the same name, they are still different and independent.

Per User Service Storage Allow Group

the sudo keyword

When using the ZMS language, you can use the sudo keyword in your scripts to bypass the access control mechanism.