Granted Accesses

In MQL, users can grant any or all the access privileges they have for a business object to another user or group if you have the “grant” access privilege for the object.

Apps control who has grant access by assigning or denying the grant access in the person definition and in policy definitions.

You can only grant accesses that have been assigned to you in your person definition or in a policy for an object’s current state. For example, if your person definition denies the override access privilege, you cannot grant that privilege to another user. However, you can be granted privileges that are denied in your person definition. This is the only way you can perform a task that is denied in your person definition. You could not then grant the privilege to another user.

The MQL command allows users to:

  • Grant an object to multiple users
  • Have more than one grantor for an object
  • Grant to any user (person/group/role/association)
  • Use a key to revoke access without specific grantor or grantee information

Users cannot give the grant access itself. The intent is to provide just one level of delegation. Although including grant in the list of accesses will not fail, the grantee of the grant access will not be able to grant, unless they already have grant access.

For information on how to grant access to objects, see Granting Business Object Access.