The rights that you can grant or deny user groups are also called permissions or authorizations. In the Authorizer, the following rights are distinguished:
You can grant a user group any combination of rights up to all four. In fact, you will find All as a standard item in the Authorizer. If you want to grant the right to select and insert, for example, you will have to define these rights separately (that is, in two different records).
You can assign these rights at table level and (with the exception of the Delete right) at column level. You could, for example, grant all user groups in a department access to an Employees table, but reserve access to certain fields (such as Salary) to the Manager. You could do this by making the Manager a user in a user group all by him/herself, or by defining a condition that is based on his/her user name.
Table rights are overruled and/or enhanced by column rights. Column rights (and column conditions) are needed to further restrict rights already given at the table level.
It is possible, for example, to deny an end user the right to select data from, or insert data into, a specific column of a table.
Conceptual rules enforced by the Rules Engine are "stronger" than authorization rules. If, for example, you specify the right to insert data into one specific column of a table, but at the table level more than one column is defined as mandatory, the Rules Engine will report violation of this conceptual rule to the end user on an attempted record insertion.
If for an application/user group/table combination, a record exists with the All right, no other rights can exist for that same application/user group/table combination.