# Understanding access control

## <span class="mw-headline" id="bkmrk-usages-1">Usages</span>

TS are based on a principle of building ONE application for MANY users.

Instead of building and maintaining multiple user interfaces, rules declarations restrict what a user can do

- What fields are available
- When records are available
- Whet records are available

Practically any set of rules can be built combining Field access and Data ownership.

## <span class="mw-headline" id="bkmrk-access-policies-1">Access policies</span>

The basic Access policies controls the users access to

- Which Fields are available
- Which Status can be accessed

Permission policies stack together and include

- User group
- Field group (optional)
- Status (optional)

This allows for many combination usecases such as

```
Let Managers READ all data anytime
Let Managers EDIT the pricing when Status is Draft
Let Customers READ all data when Status is Order delivered
Let Administrators EDIT anything anytime except Pricing
```

## <span class="mw-headline" id="bkmrk-data-ownership-1">Data ownership</span>

Data ownership will restrict which record in an entity the user can see.

Different access restrictions exists

- Group membership (aka Exclusive groups)
- Personal record
- Access control lists 
    - Named users
    - Named groups

Classic [Multi tenancy](https://wiki.tsnocode.com/index.php?title=Features/Multi_tenancy "Features/Multi tenancy") is built by utilizing group data ownership.

Note: Depending on the setup the server can run with single or multiple Exclusive groups.

## <span class="mw-headline" id="bkmrk-other-access-control-1">Other access controls</span>

Many other components in the platform have configuration options to make them available to a single group

- Available buttons in the UI
- Status available for selection
- Widgets displayed in dashboards