API

Role templates allow you to define allowable actions between resources and a particular actor. In Vista, this actor is representated as either a User or Userset (group of users).

Roles can also inherit permissions from other roles, allowing you to create a heirarchical structure.

Resource templates are types of resource that can be accessed. When creating Resource Templates, you must also specify the potential actions that can be taken on them (read, write, comment, push, pull, etc).

Vista allows defining fine-grain permissions to particular resource objects - these objects are recorded in the system when granting permissions to that resource.

Users represent the end user - they are allowed to perform actions on resources specified either when creating the user, or at a later time.

Users can also be assigned to Usersets, in which case they also inherit the permissions granted to the specified userset.

The API allows you to then check if that user can perform the specified action, on the specified resource.

A userset is a group that can be granted actions to specific resources - the actions and resources can be set either while creating the userset, or at a later time as well.

A userset can also be created from a Role template, in which case it is restricted to the actions and Resource type specified on the Role. These restrictions are a superset of the <action, resource> pairs specified on the role - you must specify which ones to grant.