Why does a user have access to an application?
In OpenStudio, a permission does not have a single origin. The system supports five independent sources, each with its own management interface. Understanding which source is responsible for a given authorization is critical for auditing, troubleshooting and governance.
The five sources, in priority order
| Source | How access is granted | Where to manage it | Can be overridden? |
|---|---|---|---|
| 1. Founder | The organization Founder automatically has full access to every permission in every application. This cannot be edited or removed. | Not applicable | No |
| 2. Manual Grant | An administrator explicitly granted this permission to a specific user, optionally with a start date, an expiry date, and a scope parameter. | Manage Permissions → application → permission | Yes — edit, revoke, or let it expire |
| 3. Permission Profile | A profile is a reusable template that bundles several permissions together. When a user is assigned the profile, they inherit all its permissions automatically. | Manage Permissions → application → Profiles tab | Yes — a Manual Grant on the same permission takes precedence over the profile value |
| 4. Permission Package | A package is a cross-application bundle designed to provision an entire role at once. Adding a user to a package writes individual app_auth rows on their behalf with source = package:N. | Administration → Permissions Workflow | Yes — a Manual Grant or a Sync operation can override the package value |
| 5. Auto-inherit Rule | A system rule automatically grants access based on a condition (e.g., "all members of group X receive permission Y"). Access is added and removed as the condition is met or lost. | Configured by OpenStudio administrators in app_perms_auto_rules | Partially — a manual grant can override the value but the auto source remains |
What happens when multiple sources apply?
If a user receives the same permission from more than one source simultaneously, the Manage Permissions active table shows all of them and marks each one:
- An ALIGNED badge means the manual value matches the template value — they are redundant but not in conflict.
- A yellow override warning means the manual value differs from the template value — the manual grant takes precedence.
- A READ ONLY badge on an auto or profile row means you cannot edit it directly from this view.
Audit tool: Use Administration → Control and Supervision of Authorizations to view the complete permission matrix for any user under your management scope, with the winning source highlighted for each permission.
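The following sketch is an added example, not OpenStudio code. It applies the priority order and badge rules described above to a set of grants for one user and one permission, so an auditor can see which source wins on a given date. The row layout, the source labels other than package:N, the OVERRIDE label, the inclusive date bounds, and the choice to compare every non-manual row against the manual value are assumptions.

```python
from datetime import date

# Priority order from the table above (lower number wins). Only "package:N"
# is a source string given on the page; the other labels are assumed.
PRIORITY = {"founder": 1, "manual": 2, "profile": 3, "package": 4, "auto": 5}
READ_ONLY = {"profile", "auto"}  # row kinds the page marks READ ONLY

def kind(source):
    return source.split(":", 1)[0]  # "package:3" -> "package"

def is_active(row, today):
    # Optional start/expiry dates; inclusive bounds are an assumption.
    start, expiry = row.get("start"), row.get("expiry")
    return (start is None or start <= today) and (expiry is None or today <= expiry)

def resolve(rows, today):
    """Return (winning_row, annotated_rows) for one user/permission pair."""
    active = sorted((r for r in rows if is_active(r, today)),
                    key=lambda r: PRIORITY[kind(r["source"])])
    if not active:
        return None, []
    winner = active[0]
    manual = next((r for r in active if kind(r["source"]) == "manual"), None)
    annotated = []
    for r in active:
        k, badges = kind(r["source"]), []
        if k in READ_ONLY:
            badges.append("READ ONLY")
        # Compare template-style rows against the manual grant, if one is active.
        if manual is not None and k not in ("manual", "founder"):
            badges.append("ALIGNED" if r["value"] == manual["value"] else "OVERRIDE")
        annotated.append({**r, "winner": r is winner, "badges": badges})
    return winner, annotated

# Constructed sample rows for one user and one permission.
SAMPLE = [
    {"source": "package:3", "value": "read"},
    {"source": "profile:12", "value": "write"},
    {"source": "manual", "value": "write", "expiry": date(2024, 6, 30)},
    {"source": "auto:5", "value": "read"},
]

if __name__ == "__main__":
    for day in (date(2024, 6, 1), date(2024, 7, 1)):
        w, rows = resolve(SAMPLE, day)
        print(day, "winner:", w["source"], [(r["source"], r["badges"]) for r in rows])
```

Running it for a date after the manual grant expires shows the effective source changing with no administrator action, which is the case an access review should look for.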