authorisation right, authorisationright, kPMAuthorisationRight — An authorisation right.


authorisation right structure { signature, rule, default rule };
signature : string, default, length 1..255
rule : string, choice
default rule : string, choice, optional


An authorisation right.

An authorisation right sets out rules for access a request or function.


signature. Unique signature of the right.

The signature maps the authorisation right to the internal request or function being authorised. Typically the signature is a combination of the lowercase object name, a period, and the lower case request name.

signature is a string. If signature is omitted, a default is created. signature must be between 1 and 255 characters long, inclusive.

rule. Rule to enforce for right.

The rule is applied when an attempt to access this right occurs.

rule is a string. rule must be one of the following two constants:

  • universal, kPMAuthorisationRightRule_Universal.
  • administrator, kPMAuthorisationRightRule_Administrator.

default rule. Default rule for right.

The rule associated with a right may be changed. Being able to identify if the right has been changed and what the original right was is useful for debugging and restoring engines to their default state.

default rule is a string. default rule is optional. default rule must be one of the following two constants:

  • universal, kPMAuthorisationRightDefaultRule_Universal.
  • administrator, kPMAuthorisationRightDefaultRule_Administrator.