Alexey, Thanks. I have a better understanding now and this is what I came up with. The only issue is that I can't seem to figure out how to allow a vendor to display their entire row or rows (page=row&id=x) as it doesn't seem that there is a way to apply a tag to a row. # Admin access allow {$userid_1} allow {IOurAdmins} # Vendor Access Permissions # Restrict specific pages and tabs deny {$page_config} deny {$tab_tags} deny {$tab_rackcode} or {$tab_system} deny {$page_rackspace} and {$tab_edit} deny {$page_rack} and ( {$tab_edit} or {$tab_newrack} or {$tab_tagroller} ) allow {RemoteSupportUsers} and {$tab_default} and ( {$page_index} or {$page_rackspace} ) allow {RemoteSupportUsers} and {$tab_default} and {$page_reports} or {$tab_vendor1} # Vendor1 allow {Vendor1 users} and {$tab_default} and {$page_depot} allow {Vendor1 users} and {Vendor1 managed assets} deny {Vendor1 users} # Vendor2 Support allow {Vendor2 users} and {$tab_default} and {$page_depot} allow {Vendor2 users} and {Vendor2 managed assets} deny {Vendor2 users} # Readonly user can see everything allow {$username_readonly} and {$tab_default} deny {$username_readonly} ________________________________________ From: Alexey Andriyanov [alan@xxxxxxxxxx] Sent: Thursday, August 09, 2012 2:13 PM To: racktables-users@xxxxxxxxxxxxx Cc: Sears, Paul Subject: Re: [racktables-users] Complex permissions question, help requested 09.08.2012 22:37, Sears, Paul пишет: > > allow {$userid_1} or {Admins} > deny {$page_config} > allow {RemoteSupport} and {asset} and {$tab_default} and {$page_index} > and {$page_rackspace} and {$page_depot} and {$page_rack} this rule never matches - you should separate different $page_ tags by OR, not AND. Also, you don't have the 'asset' tag. > > deny {$tab_rackcode} or {$tab_system} or ({$page_rackspace} and > {$tab_edit} ) or ({$page_rack} and {$tab_edit}) or {$tab_newrack} or > {$tab_tagroller} > > allow {$username_vendor1} and {vendor1} and {vendor1 asset} Do you have a tag named 'vendor1 asset' ? If no, this rule won't ever match. > deny {$username_vendor1} > > allow {$username_vendor2} and {vendor2} and {vendor2 asset} > deny {$username_vendor2} > > allow {$username_readonly} and {$tab_default} > deny {$username_readonly} -- Best regards, Alexey