Skedulo permissions and access control

Permission restrictions for schedulers and resources.

Object and field level permissions for Skedulo user roles

Skedulo enforces object and field level permissions for all standard and custom objects.

Standard Skedulo objects include default permission settings that can be modified using the /standalone/permissions/role endpoint.

This provides a layer of security by storing data for object and field permissions, which are enforced when accessing backend data.

Administrators can assign permissions to a role using the Skedulo Lens API.

Role permission defaults

  • Users with the Administrator role in Skedulo have full CRUD permissions on all objects and fields.
  • Schedulers have the same permissions in Skedulo and Skedulo for Salesforce for all objects provided by Skedulo. They also have full access to Accounts and Contacts.

    Because Accounts and Contacts are Skedulo for Salesforce objects, permissions for these are determined by their permission settings in Salesforce.

  • Resource permissions for all Skedulo defined objects are the same for both Skedulo and Skedulo for Salesforce.

Object level permissions

Fields inherit permissions from their object unless they have permissions explicitly defined.

This means that if "create" is false at the object level, all fields on that object will have the same "create": false permission restriction.

If a single field on the object needs to be creatable, then the entire object must also be creatable.

For example, resources have read-only permission on the Regions object, which means that all fields on Regions are also read-only for resource users:

{
  "result": {
    "Regions": {
      "read": true,
      "create": false,
      "update": false,
      "delete": false,
      "fields": {
        "Radius": {
          "read": true,
          "create": false,
          "update": false
        },
        "Timezone": {
          "read": true,
          "create": false,
          "update": false
        },
        "Name": {
          "read": true,
          "create": false,
          "update": false
        },
        "CountryCode": {
          "read": true,
          "create": false,
          "update": false
        },
        "Description": {
          "read": true,
          "create": false,
          "update": false
        },
        "GeoLongitude": {
          "read": true,
          "create": false,
          "update": false
        },
        "UID": {
          "read": true,
          "create": false,
          "update": false
        },
        "GeoLatitude": {
          "read": true,
          "create": false,
          "update": false
        },
        "GeoLocation": {
          "read": true,
          "create": false,
          "update": false
        }
      }
    }
  }
}
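
An added example (not Skedulo's own code) that applies the inheritance rule above to a response in the shape shown on this page and compares the effective permissions with an expected least-privilege baseline. The sample response, the "Notes" field, partially defined fields, and all function names are assumptions made for illustration.

```python
import json

ACTIONS = ("read", "create", "update")

# Constructed sample in the response shape shown on this page. "Radius" omits
# create/update and "Notes" sets update=true to exercise the inheritance rule.
SAMPLE = json.loads("""
{"result": {"Regions": {
  "read": true, "create": false, "update": false, "delete": false,
  "fields": {
    "Name":   {"read": true, "create": false, "update": false},
    "Radius": {"read": true},
    "Notes":  {"read": true, "create": false, "update": true}
  }}}}
""")

def effective(obj, field, action):
    """Field permission after applying the object-level ceiling.

    A field inherits the object's value when it defines none, and an
    object-level false wins over an explicit field-level true.
    """
    explicit = obj.get("fields", {}).get(field, {}).get(action)
    inherited = bool(obj.get(action, False))
    return inherited and (True if explicit is None else bool(explicit))

def audit(response, baseline):
    """Return findings as (object, field, action, issue) tuples.

    baseline maps object name -> set of actions the role is expected to hold.
    """
    findings = []
    for name, obj in response["result"].items():
        allowed = baseline.get(name, set())
        for action in ACTIONS + ("delete",):
            if obj.get(action) and action not in allowed:
                findings.append((name, None, action, "object grant exceeds baseline"))
        for field, perms in obj.get("fields", {}).items():
            for action in ACTIONS:
                if perms.get(action) and not obj.get(action, False):
                    findings.append((name, field, action, "field grant blocked by object"))
                if effective(obj, field, action) and action not in allowed:
                    findings.append((name, field, action, "effective grant exceeds baseline"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"Regions": {"read"}}):
        print(finding)
```

A "field grant blocked by object" finding marks a field-level true that cannot take effect until the object itself is granted that action, which is the case the rule above describes.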

Custom object permissions

Custom objects must be assigned role permissions if they need to be accessible by schedulers and resources.

Field permissions can be modified on custom objects in Skedulo using the Skedulo web application or remotely using the Skedulo Lens API.

Custom object permissions are defined on creation and can also be modified in the Skedulo web UI or from the Skedulo Lens API endpoint at any time.

Querying role permissions

You can fetch a list of calculated permissions for the current user by querying the /custom/permissions REST endpoint.

The following example queries permissions for the Shifts object for the current user with the administrator role (all true):

Method: GET

Endpoint: /custom/permissions?names=Shifts

This returns a JSON-encoded list of all read, create, and update field permissions for the object:

{
  "result": {
    "Shifts": {
      "read": true,
      "create": true,
      "update": true,
      "delete": true,
      "fields": {
        "Duration": {
          "read": true,
          "create": true,
          "update": true
        },
        "LocationId": {
          "read": true,
          "create": true,
          "update": true
        },
        "Start": {
          "read": true,
          "create": true,
          "update": true
        },
        "RegionId": {
          "read": true,
          "create": true,
          "update": true
        },
        "UID": {
          "read": true,
          "create": true,
          "update": true
        },
        "IsDraft": {
          "read": true,
          "create": true,
          "update": true
        },
        "End": {
          "read": true,
          "create": true,
          "update": true
        },
        "DisplayName": {
          "read": true,
          "create": true,
          "update": true
        }
      }
    }
  }
}

Role-based permissions

Setting permissions for users and objects based on their role.

Insufficient access

Insufficient access errors and overriding default permissions.