[{"data":1,"prerenderedAt":329},["ShallowReactive",2],{"guide:zh:getting-started/access-and-controls":3},{"id":4,"title":5,"body":6,"description":321,"extension":322,"meta":323,"navigation":324,"path":325,"seo":326,"stem":327,"__hash__":328},"guide_zh/zh/user/getting-started/access-and-controls.md","Who can see and change what",{"type":7,"value":8,"toc":310},"minimark",[9,12,16,31,38,49,54,72,86,92,99,118,122,133,149,153,156,162,197,204,207,214,228,232,235,262,265,268,275,298],[10,11,5],"h1",{"id":5},[13,14,15],"p",{},"This is the question we are asked most often, so it is worth stating clearly up front. Aptli's access model is deliberately simple and rests on one default principle:",[17,18,19],"callout",{},[13,20,21,25,26,30],{},[22,23,24],"strong",{},"By default, everyone can see everything, but not everyone can change everything."," The system works out of the box with visibility fully open, while ",[27,28,29],"em",{},"edit"," rights are granted by you. From there, you only narrow visibility in the specific places where you need to.",[13,32,33,34,37],{},"The controls come in ",[22,35,36],{},"two independent layers",". They stack: a user's final access to any record is whatever both layers together allow.",[39,40,45],"pre",{"className":41,"code":43,"language":44},[42],"language-text","   START: everyone can SEE everything\n              │\n              ▼\n   ┌──────────────────────────────────────────────┐\n   │ LAYER 1 — ADMIN RIGHTS                        │\n   │ \"What may this person CHANGE?\"                │\n   │ Granted per area, per action.                 │\n   │ No right → can view, but not create/edit/delete\n   └──────────────────────────────────────────────┘\n              │\n              ▼\n   ┌──────────────────────────────────────────────┐\n   │ LAYER 2 — ROLE RESTRICTIONS                   │\n   │ \"What may this person's role even SEE?\"       │\n   │ Hides matching records from the role —        │\n   │ everywhere those records would appear.        
│\n   └──────────────────────────────────────────────┘\n              │\n              ▼\n   RESULT: what this person can see and do\n","text",[46,47,43],"code",{"__ignoreMap":48},"",[50,51,53],"h2",{"id":52},"第-1-层-管理员权限可修改的内容","Layer 1: Admin rights (what can be changed)",[13,55,56,57,60,61,64,65,64,68,71],{},"Every user holds a set of ",[22,58,59],{},"admin rights",". Each right is a single switch for one action in one area, for example ",[46,62,63],{},"jobsUpdate",", ",[46,66,67],{},"sitesDelete",[46,69,70],{},"resourcesCreate",". Hold the right and you can perform the action; without it you cannot.",[13,73,74,75,64,78,81,82,85],{},"The pattern is consistent across the system: most areas have ",[22,76,77],{},"Create",[22,79,80],{},"Update"," and ",[22,83,84],{},"Delete"," rights.",[39,87,90],{"className":88,"code":89,"language":44},[42],"   Jobs        →  jobsCreate · jobsUpdate · jobsDelete\n   Sites       →  sitesCreate · sitesUpdate · sitesDelete\n   Resources   →  resourcesCreate · resourcesUpdate · resourcesDelete\n   Reports     →  reportsCreate · reportsUpdate · reportsDelete\n   ... and so on for every area\n",[46,91,89],{"__ignoreMap":48},[13,93,94,95,98],{},"With ",[22,96,97],{},"no"," rights, a user is effectively read-only: they can open and view records in the application, but cannot use the create/edit/delete controls. You grant rights to widen what each user can do.",[13,100,101,102,105,106,109,110,113,114,117],{},"A few rights are not tied to a single area; they unlock a specific capability, such as ",[22,103,104],{},"View Deleted"," (",[46,107,108],{},"viewDeleted","), ",[22,111,112],{},"Assisted Pickup"," or ",[22,115,116],{},"Audit View",". These rights work the same way: you either hold them or you do not.",[50,119,121],{"id":120},"第二层-角色限制可见内容","Layer 2: Role restrictions (what can be seen)",[13,123,124,125,128,129,132],{},"Layer 1 never leaves anything ",[27,126,127],{},"hidden","; it only governs edit rights. To remove content from view, use ",[22,130,131],{},"Roles",".",[13,134,135,137,138,141,142,145,146,148],{},[22,136,131],{}," are named groups of users, each with a set of ",[22,139,140],{},"restrictions",". Each restriction is a rule that in essence says: ",[27,143,144],{},"“Members of this role should not touch records matching this condition.”"," A restriction's main effect is to leave matching records ",[22,147,127],{},": for that role, these records do not appear anywhere.",[150,151,152],"h3",{"id":152},"The three levels",[13,154,155],{},"For any given record, a user ends up in one of the following states:",[39,157,160],{"className":158,"code":159,"language":44},[42],"   ┌────────────────────────────────┬──────┬───────┐\n   │                                │ SEE  │ EDIT  │\n   
├────────────────────────────────┼──────┼───────┤\n   │ Open                           │  ✓   │  ✓ *  │\n   │ View-only                      │  ✓   │  ✗    │\n   │ Hidden          (role-hidden)  │  ✗   │  ✗    │\n   └────────────────────────────────┴──────┴───────┘\n\n   * Editing requires the matching admin right from Layer 1.\n",[46,161,159],{"__ignoreMap":48},[163,164,165,172,189],"ul",{},[166,167,168,171],"li",{},[22,169,170],{},"open",": visible, and editable by anyone who holds the relevant admin right.",[166,173,174,177,178,181,182,185,186,188],{},[22,175,176],{},"view-only",": visible but not editable. This is simply the state of any record seen by someone who ",[22,179,180],{},"does not hold the edit right"," (Layer 1). Because visibility is the default and editing is granted, ",[27,183,184],{},"most"," people are view-only for ",[27,187,184],{}," content. This is the normal state, not a special lockdown measure.",[166,190,191,193,194,196],{},[22,192,127],{},": one of the user's ",[22,195,131],{}," hides the record, so it does not appear at all in that user's lists or on the map.",[13,198,199,200,203],{},"Because role rules attach to ",[22,201,202],{},"records matching a condition"," (not to whole pages), one role may see only a subset of jobs, sites or features, while another role sees a different subset of the same collection.",[150,205,206],{"id":206},"Applies at every level",[13,208,209,210,213],{},"Hiding records through roles is not specific to any one screen. ",[22,211,212],{},"The same view rules apply uniformly across the whole system",": lists of jobs, work orders, reports, resources, sites, inventory, map features, users, roles and so on are all filtered by the current user's role restrictions. Hide a kind of record from a role in one place and it is hidden from that role everywhere it could be viewed.",[17,215,216],{},[13,217,218,221,222,224,225,227],{},[22,219,220],{},"A note on how the two layers work together."," What is ",[27,223,127],{}," is decided by roles and applies everywhere. The right to ",[27,226,29],{}," is decided by admin rights, so the reliable way to make a group of users view-only is to revoke their edit rights. (Roles can also carry edit/create/delete rules, but treat admin rights as the real gate on editing.)",[50,229,231],{"id":230},"所有人皆可查看一切的例外情况","Exceptions to “everyone can see everything”",[13,233,234],{},"This open default has a few deliberate exceptions:",[163,236,237,250,256],{},[166,238,239,242,243,245,246,249],{},[22,240,241],{},"Deleted records are hidden"," unless someone holds the ",[22,244,104],{}," right ",[27,247,248],{},"and"," asks to show them. Soft-deleted items can still be restored, but they stay out of view.",[166,251,252,255],{},[22,253,254],{},"Personal sites belong to their owner."," An employee's personal inventory site is visible to others, but only its owner can edit it, regardless of site rights.",[166,257,258,261],{},[22,259,260],{},"Orphaned map features"," (whose parent layer has been deleted) stay hidden unless you explicitly view deleted content.",[13,263,264],{},"Everything else follows the rule: visible by default, changeable only when granted, and restricted through roles where you decide it is needed.",[50,266,267],{"id":267},"How this appears in the admin area",[13,269,270,271,274],{},"You manage both layers from the ",[22,272,273],{},"Admin"," 
menu:",[163,276,277,285,291],{},[166,278,279,284],{},[280,281,283],"a",{"href":282},"/guide/admin/","Users",": assign a user's admin rights (Layer 1) and role memberships.",[166,286,287,290],{},[280,288,131],{"href":289},"/guide/authorization/",": define roles and their restrictions (Layer 2).",[166,292,293,297],{},[280,294,296],{"href":295},"/guide/admin/granting-access/","Granting access",": add a new user and set them up.",[13,299,300,301,305,306,309],{},"For the full security architecture, see ",[280,302,304],{"href":303},"/guide/authentication/","Authentication"," (how users prove who they are) and ",[280,307,308],{"href":289},"Authorization"," (how to configure rights and roles in depth).",{"title":48,"searchDepth":311,"depth":311,"links":312},2,[313,314,319,320],{"id":52,"depth":311,"text":53},{"id":120,"depth":311,"text":121,"children":315},[316,318],{"id":152,"depth":317,"text":152},3,{"id":206,"depth":317,"text":206},{"id":230,"depth":311,"text":231},{"id":267,"depth":311,"text":267},"Aptli's access model has two layers: admin rights control what each person can change, and role restrictions control what they can see. The default is open; you restrict from there.","md",{},true,"/zh/user/getting-started/access-and-controls",{"title":5,"description":321},"zh/user/getting-started/access-and-controls","uBZQ3kbcA5uPL-_yTWqnCSxScJR0FxIFybiVPWq89K8",1781607695709]