Custom permissions in custom action groups

The default permissions in the primary action group are available to all applications. If a custom action group uses these default permissions, the associated actions must closely match that of the actual operation that is done by an action in the primary action group.

For example, the read permission (action bit r) must be used only by an action that requires read-only access to a protected object.

The authorization service does not know or care about the action. A custom action group can reuse an action bit from the primary action group to create an action in a custom action group for an unrelated operation. However, this situation might cause difficulty for a domain administrator who must be able to distinguish between two dissimilar uses of the same action bit.

A custom action group might use an action that is not appropriately represented by a default permission. A domain administrator can define a new action bit for a permission that can be used and be recognized by the authorization service. See Manage action groups.

• When to create custom permissions
  This example demonstrates how a domain administrator can protect a printer from unauthorized use by creating a custom action.
• Representation of custom actions and action groups
  Use a special syntax to identify custom action bits that belong to action groups other than the primary action group. The primary action group is the default action group.
• Scenario with custom actions
  The following scenarios show how to add custom actions to an ACL policy attached to a protected object.

Parent topic: Action groups and actions