# Information Access Control
Sometimes, data access should be restricted even within an operation: some users might not be allowed to see the records of a certain area, while others might be allowed to read them without changing them. This access control is an integral part of data security, so RecordM supports it in a flexible way, such that data permissions can be fine-tuned to any operation.
# Privilege System
The access control mechanism is handled by UserM as part of user management. This section refers specifically to the permissions made available in RecordM.
# Scope
RecordM supports the scopes:
- `domains`: defines how domains can be viewed and edited.
- `definitions`: defines which permissions the user has for definitions (create, delete, etc. definitions) and whether they can `instantiate` instances of a certain definition.
- `instances`: defines whether the user can alter, create, delete, etc. instances of a specific definition.
# Action
All three scopes support the basic actions of `read`, `update` and `delete`.
- The definitions and domains scopes also support the `create` action, which allows you to create entities of those respective types. Unlike other permissions, `create` actions do not have an associated `id`.
- Definitions support the `instantiate` action, which allows users to create instances of that definition.
- Instances have the additional actions of `export` and `import`.
# Entity
Each different scope has different entities that the id in the permission refers to:
- `domains`: the id of the domain that can be affected by users with the permission
- `definitions`: the id of the definition that can be affected by users with the permission
- `instances`: the id of the definition, whose instances can be affected by users with the permission
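The scope, action and entity rules above can be modelled as a deny-by-default check. This is an added example, not RecordM or UserM code. The `Permission` tuple, the exact-match grant semantics and all names and sample ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Actions per scope, as listed on this page.
ACTIONS = {
    "domains": {"read", "update", "delete", "create"},
    "definitions": {"read", "update", "delete", "create", "instantiate"},
    "instances": {"read", "update", "delete", "export", "import"},
}

@dataclass(frozen=True)
class Permission:  # hypothetical representation of one grant
    scope: str
    action: str
    entity_id: Optional[int] = None  # domain id or definition id; None for create

    def __post_init__(self):
        if self.action not in ACTIONS.get(self.scope, ()):
            raise ValueError(f"{self.action!r} is not an action of scope {self.scope!r}")
        # create is the only action without an associated id
        if (self.action == "create") != (self.entity_id is None):
            raise ValueError("create takes no id; every other action needs one")

def is_allowed(granted, scope, action, entity_id=None):
    """Deny by default: allow only on an exact (scope, action, id) grant (assumption)."""
    try:
        wanted = Permission(scope, action, entity_id)
    except ValueError:
        return False  # malformed request, e.g. create on instances
    return wanted in granted

def can_touch_instance(granted, action, instance_id, definition_of):
    """Instance permissions carry the definition id, so resolve it first."""
    definition_id = definition_of.get(instance_id)
    if definition_id is None:
        return False  # unknown instance: deny
    return is_allowed(granted, "instances", action, definition_id)

# Constructed sample data: instance id -> definition id, and one user's grants.
DEFINITION_OF = {1001: 7, 1002: 7, 2001: 9}
GRANTED = {
    Permission("instances", "read", 7),
    Permission("instances", "export", 7),
    Permission("definitions", "instantiate", 7),
    Permission("definitions", "create"),
}
```

The point to check in a real deployment is the last entity rule: an `instances` grant is keyed by definition id, so one grant covers every instance of that definition.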