Skip to main content

Managing Permissions

ZeyOS uses a two-level permission system to control who can do what. The first level determines which apps (functions) a user can access. The second level determines which objects (data) a user can see and edit. Understanding this system is essential for setting up ZeyOS correctly.

Overview of the Permission System

LevelControlsManaged By
Function accessWhich apps a user can open and useGroup memberships
Object accessWhich individual records a user can view and editObject ownership

By default, a newly created user has no permissions and cannot access any apps until they are added to at least one group.

Function Access: Groups

Groups are the primary mechanism for granting users access to apps. An administrator creates groups and assigns specific app permissions to each group. Users who are members of a group inherit all the app permissions defined for that group.

How Groups Work

  • Each group has a set of allowed apps (functions).
  • A user who belongs to multiple groups can access the combined set of apps from all their groups.
  • You can assign users to groups either when creating/editing the group or when editing the user profile.

Creating a Group

To learn how to create and manage groups, see Group Management.

Tips

  • If every user should have access to all apps, create a single group with all app permissions and add all users to it.
  • When a user is added to a new group, they must log out and log back in for the change to take effect. Simply reloading the page is not sufficient.

Object Access: Ownership

In addition to function access, every object in ZeyOS (contacts, transactions, emails, tasks, etc.) has an owner that determines who can view and edit it.

Ownership Options

OwnerAccess
PublicAll users in the organization can view the object.
PrivateOnly the object's creator/owner can view it.
A specific groupOnly members of that group can view and edit the object.
Object owner
Object owner

How Ownership Affects Visibility

  • By default, users can see all objects marked as Public.
  • This default behavior can be changed per user: In the user profile, enable the No shared data option. This restricts the user to only see objects that belong to their group(s) or to them personally — even objects marked as "Public" will be hidden.
  • If a user has access to the app containing an object but not to the object itself, only basic information (such as the element's name) will be visible in overviews and linked references.
Sharing data setting
Sharing data setting

Private Objects

For sensitive data — such as personal activities or confidential notes — set the owner to Private. This ensures that no other user can access the object.

Private owner
Private owner

Group-Owned Objects

When you set a group as the owner, only members of that group can view and edit the object. Note that you can only select groups that you are a member of.

Combining Both Levels

The two permission levels work together:

  1. A user must first have access to the app (via group membership) to see any elements in that app.
  2. Within the app, the user can only see objects they are authorized to view (based on ownership settings).

For example, a user in the "Sales" group can open the Transactions app, but they can only see transactions that are either Public, owned by them, or owned by a group they belong to.

Further Reading