Permissions

A node defines seven independent permissions:

When XP evaluates whether a caller may perform an operation, it collects every ACL entry whose principal matches the caller — directly, transitively through group membership, through any role they hold, and through the dynamic system roles (system.everyone for anyone, system.authenticated for signed-in users).

An operation is permitted if at least one matching entry grants it.

Every node carries its own explicit ACL. There is no read-time inheritance from the parent — a change to a parent’s ACL does not automatically flow down to its descendants.

When a node is created, it receives a copy of its parent’s ACL as its starting state. This is a one-time copy, not a live link: subsequent changes to the parent do not affect the new node.

To set the same ACL on many nodes at once, use the hierarchical apply operation: the ACL is written to a target node and, optionally, to all its descendants.

The root node of every repository (000-000-000-000) carries its own ACL that governs operations performed against the repository root. It does not act as a default for descendants.

A node’s ACL is shared across every branch the node exists in. Setting or applying permissions on a node takes effect immediately on that node in every branch — there is no per-branch ACL state and no "publish permissions" step between branches.

When permissions are applied hierarchically, the set of affected descendants is determined by the node tree in the branch where the operation runs. The resulting ACL change is then written to each of those nodes across every branch they appear in.