Overview
This document describes how to change permissions for documents, files, or folders in the Knowledge Base, including:
- Add permissions — Grant users access to a file or folder.
- Delete permissions — Revoke users’ access to a file or folder.
- Modify permissions — Change users’ permission role on a file or folder.
- Set permission inheritance mode — Control whether a file or folder inherits permissions from its parent node.
- Get permission inheritance mode — Query the current permission inheritance mode of a file or folder.
Core concept: All permission operations are based on the file’s dentryUuid (the unique file identifier). The operator must have permission management capability on the target file.
Permission overview
The following describes the different user types and permission roles, along with the capabilities each role grants.
Permission roles (roleId)
When changing permissions, you must specify a permission role:
| roleId | Role name | Capabilities |
|---|---|---|
| OWNER | Owner | Highest permission. Read, write, manage permissions, and assign permissions. |
| MANAGER | Manager | Read, write, and manage permissions (cannot assign permissions). |
| EDITOR | Editor | View, edit, download, and add. |
| DOWNLOADER | Viewer with download | View and download. |
| READER | View only | View only. Cannot download. |
Member types (members.type)
| type value | Description | Meaning of members.id |
|---|---|---|
| USER | User | Employee userId |
| ORG | Organization | Organization ID |
| DEPT | Department | Department ID |
| TAG | Custom tag | Tag ID |
| CONVERSATION | Chat | Conversation ID |
Implementation: Add permissions
Call the API POST /v2.0/storage/spaces/dentries/{dentryUuid}/permissions to grant specified members access to a file or folder.
For API details, see the Add permissions document. For how to call the API, see the documentation on calling Server APIs.
Required parameters
- dentryUuid (Path): The unique identifier of the target file or folder. Obtain it through the File Search API.
- unionId (Query): The operator’s unionId. Obtain it by calling the Query user details API.
- roleId (Body): The permission role to grant, for example EDITOR.
- members (Body): The list of members to authorize. For each member, specify type (member type) and id (member ID).
Implementation: Modify permissions
Call the API PUT /v2.0/storage/spaces/dentries/{dentryUuid}/permissions to change the permission role of specified members to a new role.
Important restriction when downgrading permissions: If a member’s current permission is inherited from a parent node, and the inherited role is higher than the target role you want to set, the modification will not take effect.
- Example: If a parent folder grants a user EDITOR permission, modifying the user to READER on a subfolder will fail because the inherited EDITOR permission still applies.
- Solution: First call the Set permission inheritance mode API on the file or folder, set the inheritance mode to BREAK to stop inheriting parent permissions, and then modify the permissions.
For API details, see the Modify permissions document. For how to call the API, see the documentation on calling Server APIs.
Required parameters
- dentryUuid (Path): The unique identifier of the target file or folder. Obtain it through the File Search API.
- unionId (Query): The operator’s unionId. Obtain it by calling the Query user details API.
- roleId (Body): The target permission role after modification (for example, changing from EDITOR to READER).
- members (Body): The list of members whose permissions will be modified.
Implementation: Delete permissions
Call the API POST /v2.0/storage/spaces/dentries/{dentryUuid}/permissions/remove to remove specified members’ access to a file or folder.
For API details, see the Delete permissions document. For how to call the API, see the documentation on calling Server APIs.
Required parameters
- dentryUuid (Path): The unique identifier of the target file or folder. Obtain it through the File Search API.
- unionId (Query): The operator’s unionId. Obtain it by calling the Query user details API.
- roleId (Body): The permission role to delete (must match the role the member currently holds).
- members (Body): The list of members whose permissions will be deleted.
Implementation: Set permission inheritance mode
Call the API PUT /v2.0/storage/spaces/dentries/{dentryUuid}/permissions/inheritances to control whether a file or folder inherits permissions from its parent node.
Two inheritance modes
- PASS_ON (Pass on): The current node inherits all permissions from its parent nodes. For the same member, the highest role applies. (Default mode)
- BREAK (Break): Permission inheritance is broken at the current node, and the node no longer inherits parent permissions. Use this mode when you need independent permissions on a node.
Notes
- BREAK mode cannot be applied to the OWNER or MANAGER role.
- For API details, see the Set permission inheritance mode document. For how to call the API, see the documentation on calling Server APIs.
Required parameters
- dentryUuid (Path): The unique identifier of the target file or folder. Obtain it through the File Search API.
- unionId (Query): The operator’s unionId. Obtain it by calling the Query user details API.
- inheritance (Body): The inheritance mode, either PASS_ON or BREAK.
Implementation: Get permission inheritance mode
Call the API GET /v2.0/storage/spaces/dentries/{dentryUuid}/permissions/inheritances to query the current permission inheritance mode of a file or folder.
Notes
- The API returns the inheritance field, with a value of PASS_ON (Pass on) or BREAK (Break).
- For API details, see the Get permission inheritance mode document. For how to call the API, see the documentation on calling Server APIs.
Required parameters
- dentryUuid (Path): The unique identifier of the target file or folder. Obtain it through the File Search API.
- unionId (Query): The operator’s unionId. Obtain it by calling the Query user details API.
Typical scenarios and steps
Scenario 1: Grant edit permission on a file to a user
- Call the File Search API to obtain the dentryUuid of the target file.
- Call the Query user details API to obtain the target user’s userId and the operator’s unionId.
- Call the Add permissions API with roleId = "EDITOR", members[0].type = "USER", and members[0].id = target user userId.
Scenario 2: Downgrade a user’s permission from Editor to Read-only
- Call the File Search API to obtain the dentryUuid of the target file.
- Call the Query user details API to obtain the target user’s userId.
- Call the Modify permissions API with roleId = "READER", and specify the target user in members.
Scenario 3: Remove all permissions of a user on a file
- Call the File Search API to obtain the dentryUuid of the target file.
- Call the Query user details API to obtain the target user’s userId.
- Call the Delete permissions API with roleId set to the permission role the user currently holds, and specify the target user in members.
Scenario 4: Set independent permissions for a subfolder (without inheriting from the parent folder)
- Call the File Search API to obtain the dentryUuid of the subfolder.
- Call the Set permission inheritance mode API with inheritance = "BREAK" to break permission inheritance.
- Call the Add permissions API to configure the required permission members and roles for the folder independently.
Notes
- The operator (unionId) must have permission management capability on the target file. Otherwise, an insufficient permissions error will be returned.
- When deleting permissions, roleId must match the permission role the member currently holds. Otherwise, the operation will be invalid.
- Inheritance of the OWNER and MANAGER roles cannot be broken using BREAK mode.
- The members list supports up to 30 members per call. For more members, send the request in batches.
- Currently, all permission APIs are supported only by internal apps. Third-party apps are not supported.
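The downgrade restriction under Modify permissions and the 30-member limit in the Notes, combined into one request planner. This is an added example, not code from the original documentation: it only builds request descriptions (method, path, query, body) and leaves sending them to the caller. The inherited_role argument and the strict role ranking read from the role table are assumptions.

```python
from urllib.parse import quote

# Ranking read from the page's role table, highest first (assumption: strict order).
ROLE_RANK = {"OWNER": 5, "MANAGER": 4, "EDITOR": 3, "DOWNLOADER": 2, "READER": 1}
MEMBER_TYPES = {"USER", "ORG", "DEPT", "TAG", "CONVERSATION"}
MAX_MEMBERS = 30  # per-call limit from the Notes


def _request(method, dentry_uuid, suffix, union_id, body):
    # Percent-encode the identifier so it cannot change the request path.
    path = ("/v2.0/storage/spaces/dentries/"
            f"{quote(dentry_uuid, safe='')}/permissions{suffix}")
    return {"method": method, "path": path,
            "query": {"unionId": union_id}, "json": body}


def plan_downgrade(dentry_uuid, union_id, target_role, members,
                   inheritance_mode, inherited_role=None):
    """Build the ordered requests that set `members` to `target_role`.

    inheritance_mode: `inheritance` value returned by the Get API.
    inherited_role: role the members get from a parent node, if known
    (hypothetical caller-supplied input, not an API field).
    """
    if target_role not in ROLE_RANK:
        raise ValueError(f"unknown roleId: {target_role!r}")
    if inherited_role is not None and inherited_role not in ROLE_RANK:
        raise ValueError(f"unknown inherited role: {inherited_role!r}")
    if inheritance_mode not in ("PASS_ON", "BREAK"):
        raise ValueError(f"unknown inheritance mode: {inheritance_mode!r}")
    for m in members:
        if m.get("type") not in MEMBER_TYPES or not m.get("id"):
            raise ValueError(f"invalid member: {m!r}")

    higher = (inherited_role is not None
              and ROLE_RANK[inherited_role] > ROLE_RANK[target_role])
    if higher and inherited_role in ("OWNER", "MANAGER"):
        # Per the Notes, BREAK does not break OWNER/MANAGER inheritance.
        raise ValueError("inherited OWNER/MANAGER cannot be broken with BREAK")
    plan = []
    if higher and inheritance_mode == "PASS_ON":
        plan.append(_request("PUT", dentry_uuid, "/inheritances", union_id,
                             {"inheritance": "BREAK"}))
    for i in range(0, len(members), MAX_MEMBERS):  # batches of at most 30
        plan.append(_request("PUT", dentry_uuid, "", union_id,
                             {"roleId": target_role,
                              "members": members[i:i + MAX_MEMBERS]}))
    return plan
```

Setting BREAK stops the node from inheriting any parent permissions, so members who relied on inheritance need to be re-added with the Add permissions API, as in Scenario 4.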