Authorization covers what happens after authentication has taken place, that is, after a user has logged in. It controls what resources a user owns and is able to manage.
A user can be part of one or more organizations. For each organization, the user may have different permissions.
When a user creates a resource, it will be owned by the organization that the user is logged into. All users with read permissions for the specific resource type, in the organization, will be able to view the resource. The same applies to write permissions. If a user has write permission to the particular resource type, they may change the resource, even if they are not the original creator.
This means that all resources for an organization are available to all users in the organization. Whether a user may view or modify a resource is decided by the permission for the resource, which can be
If a user wants to create a new VCLGroup that references a resource of type Domain, the user requires write access to VCLGroup and also read permission for Domain. The domain specified must also be owned by the organization.
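
The VCLGroup rule above as a small authorization model, added here as an example and not taken from the product's own code. The Session, Resource, create, can_access and attempt names are hypothetical, and treating read and write as independent grants is an assumption.

```python
from dataclasses import dataclass, field

class Denied(Exception):
    """Raised when an authorization check fails."""

@dataclass(frozen=True)
class Resource:
    rtype: str   # resource type, e.g. "VCLGroup" or "Domain"
    name: str
    org: str     # owning organization; the creator is not recorded

@dataclass
class Session:
    user: str
    org: str     # organization the user is logged into
    # Permissions in that organization: resource type -> {"read", "write"}
    perms: dict = field(default_factory=dict)

    def allows(self, action: str, rtype: str) -> bool:
        return action in self.perms.get(rtype, set())

def can_access(s: Session, action: str, res: Resource) -> bool:
    """View ("read") or modify ("write") an existing resource."""
    return res.org == s.org and s.allows(action, res.rtype)

def create(s: Session, rtype: str, name: str, refs=()) -> Resource:
    """Create a resource that may reference existing resources (refs)."""
    if not s.allows("write", rtype):
        raise Denied(f"{s.user}: write permission for {rtype} required")
    for ref in refs:
        if not s.allows("read", ref.rtype):
            raise Denied(f"{s.user}: read permission for {ref.rtype} required")
        if ref.org != s.org:
            raise Denied(f"{ref.rtype} {ref.name} is not owned by {s.org}")
    return Resource(rtype, name, s.org)  # owned by the logged-in organization

# Constructed sample data: organizations, users and resource names are made up.
alice = Session("alice", "acme", {"VCLGroup": {"write"}, "Domain": {"read"}})
bob = Session("bob", "acme", {"VCLGroup": {"read", "write"}})
own_domain = Resource("Domain", "www.example.com", "acme")
foreign_domain = Resource("Domain", "www.example.org", "globex")

def attempt(s, rtype, name, refs=()):
    """Return the created resource, or the denial reason as a string."""
    try:
        return create(s, rtype, name, refs)
    except Denied as e:
        return str(e)
```

Because ownership is recorded per organization rather than per creator, bob can modify a VCLGroup that alice created, while a session logged into a different organization cannot see it at all.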