Customer-user capabilities can be granted on HsM as a whole, on customers, and on users. From those grants HsM calculates the effective capabilities a specific user is granted when interacting with the system in the context of a specific customer.
Grants on HsM as a whole cannot be created by users or operators of an HsM instance. They are made by the system manufacturer and enforce the license agreement between the system manufacturer and the instance operator; HsM provides no API to modify customer-user capability grants on the system.
Customer-user capability grants on customers can be managed (created and deleted) by users who have the customer permission EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS on that customer. A user can only grant a capability on a customer if the user effectively has that capability there, and can only remove a grant if the user effectively has the capability with an availability level of Available.
A customer capability grant can be defined to propagate to descendant customers via hierarchy customer relationships, reseller customer relationships and/or facility management relationships.
Note: If a user has permission EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS on a customer and there is a grant for a specific capability with availability level Available on that customer, that user can change the grant to availability level Hidden or Disabled, or delete it. Because doing so removes the capability from the user's own effective capabilities, the same user can afterwards neither set the availability level of that capability back to Available nor grant the capability again. A user who downgrades or deletes a grant they rely on therefore locks themselves out of managing that capability; only another user who still effectively has it with level Available can restore the grant.
Customer-user capabilities can be granted on users by users who have the EDIT_USERS permission. Only capabilities that are granted on the system with an availability level of Available can be granted on a user.
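The following toy model, added here as an illustration and not taken from HsM itself, walks through the rules above: grants at system, customer and user level, propagation along customer relationships, the "effectively has" check that guards grant management, the system-Available restriction on user grants, and the lock-out described in the note. Several points are assumptions the page does not spell out and are marked as such in the code: levels are ordered Disabled < Hidden < Available and the most restrictive level wins; a capability needs a grant at all three levels to be effective; an inherited grant must propagate over every relationship on the path to the descendant; and EDIT_USERS is checked on the customer in whose context the user is edited. The customers (hq, branch, partner), users (alice, bob) and capability names (booking, reporting, export) are constructed sample data.

```python
# Added example (not HsM code): a toy model of the grant rules described on this page.
from dataclasses import dataclass, field
from enum import IntEnum

EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS = "EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS"
EDIT_USERS = "EDIT_USERS"

class Level(IntEnum):  # assumption: lower value = more restrictive, so min() combines levels
    DISABLED = 0
    HIDDEN = 1
    AVAILABLE = 2

@dataclass
class Grant:
    level: Level
    propagate_via: frozenset = frozenset()  # any of "hierarchy", "reseller", "facility_management"

@dataclass
class Customer:
    name: str
    grants: dict = field(default_factory=dict)   # capability -> Grant
    parents: dict = field(default_factory=dict)  # relationship kind -> parent Customer

@dataclass
class User:
    name: str
    permissions: dict = field(default_factory=dict)  # customer name -> set of permission names
    grants: dict = field(default_factory=dict)       # capability -> Level

class Denied(Exception): pass

class HsM:
    def __init__(self, system_grants):
        self._system = dict(system_grants)  # manufacturer-set, capability -> Level; never modified here

    def _grant_for(self, customer, cap, via=None, seen=()):
        # A customer's own grant wins; otherwise inherit from an ancestor whose grant propagates
        # over every relationship on the path (`via` is the edge a descendant asks through). Assumption.
        own = customer.grants.get(cap)
        if own is not None:
            return own if via is None or via in own.propagate_via else None
        for rel, parent in customer.parents.items():
            if parent.name in seen:  # guard against cyclic relationship data
                continue
            g = self._grant_for(parent, cap, rel, seen + (customer.name,))
            if g is not None and (via is None or via in g.propagate_via):
                return g
        return None

    def effective(self, user, customer):
        # Assumption: a grant is needed at system, customer and user level; the most restrictive wins.
        result = {}
        for cap, sys_level in self._system.items():
            g, user_level = self._grant_for(customer, cap), user.grants.get(cap)
            if g is not None and user_level is not None:
                result[cap] = min(sys_level, g.level, user_level)
        return result

    def _authorize(self, actor, customer, permission, cap):
        if permission not in actor.permissions.get(customer.name, ()):
            raise Denied(f"{actor.name} lacks {permission} on {customer.name}")
        if self.effective(actor, customer).get(cap) != Level.AVAILABLE:  # Hidden/Disabled do not count
            raise Denied(f"{actor.name} does not effectively have {cap} on {customer.name}")

    def set_customer_grant(self, actor, customer, cap, level, propagate_via=()):
        # Create or modify a grant on a customer; the actor is checked before the change is applied.
        self._authorize(actor, customer, EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS, cap)
        customer.grants[cap] = Grant(level, frozenset(propagate_via))

    def set_user_grant(self, actor, customer, target, cap, level):
        # Assumption: EDIT_USERS is checked on the customer in whose context the user is edited.
        if EDIT_USERS not in actor.permissions.get(customer.name, ()):
            raise Denied(f"{actor.name} lacks {EDIT_USERS} on {customer.name}")
        if self._system.get(cap) != Level.AVAILABLE:  # only system-Available capabilities
            raise Denied(f"{cap} is not Available on the system")
        target.grants[cap] = level

def allowed(action):
    try:
        action()
        return True
    except Denied:
        return False

def demo():
    """Walk the rules with constructed data (hq -> branch by hierarchy, hq -> partner by reseller)."""
    hsm = HsM({"booking": Level.AVAILABLE, "reporting": Level.AVAILABLE, "export": Level.HIDDEN})
    hq = Customer("hq", grants={"booking": Grant(Level.AVAILABLE, frozenset({"hierarchy"})),
                                "reporting": Grant(Level.AVAILABLE, frozenset({"hierarchy", "reseller"}))})
    branch, partner = Customer("branch", parents={"hierarchy": hq}), Customer("partner", parents={"reseller": hq})
    alice = User("alice", {c.name: {EDIT_CAPABILITY_GRANTS_ON_CUSTOMERS, EDIT_USERS} for c in (hq, branch, partner)},
                 {"booking": Level.AVAILABLE, "reporting": Level.AVAILABLE, "export": Level.AVAILABLE})
    bob = User("bob")
    out = {"alice@branch": hsm.effective(alice, branch),    # booking arrives via the hierarchy edge
           "alice@partner": hsm.effective(alice, partner),  # but not via the reseller edge
           "grant_export": allowed(lambda: hsm.set_customer_grant(alice, branch, "export", Level.AVAILABLE)),
           "bob_export": allowed(lambda: hsm.set_user_grant(alice, branch, bob, "export", Level.AVAILABLE)),
           "bob_booking": allowed(lambda: hsm.set_user_grant(alice, branch, bob, "booking", Level.AVAILABLE))}
    # Lock-out from the note: alice hides hq's booking grant (branch inherits the change) and
    # can then neither restore it nor grant it again.
    out["downgrade"] = allowed(lambda: hsm.set_customer_grant(alice, hq, "booking", Level.HIDDEN, {"hierarchy"}))
    out["alice@hq_after"] = hsm.effective(alice, hq).get("booking")
    out["alice@branch_after"] = hsm.effective(alice, branch).get("booking")
    out["restore"] = allowed(lambda: hsm.set_customer_grant(alice, hq, "booking", Level.AVAILABLE, {"hierarchy"}))
    return out
```

In `demo()`, alice cannot grant export on branch because no customer grant exists for it, so it is absent from her effective capabilities even though she holds it at user level and it exists on the system; bob cannot receive export because it is only Hidden on the system; and after alice downgrades hq's booking grant to Hidden, her own effective level for booking drops to Hidden on hq and on branch, so the restore attempt is refused by the same check that allowed the downgrade. Two design points worth keeping in a real implementation: the actor's effective capabilities are evaluated before the grant is changed, and the system-level grants have no mutator at all, matching the statement that HsM exposes no API for them.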