From d0e5087b2007faee95e04e0e530df3206dc7290f Mon Sep 17 00:00:00 2001
From: Zach Fox <fox@highfidelity.io>
Date: Mon, 6 May 2019 10:19:58 -0700
Subject: [PATCH] Add permission

---
 .../resources/describe-settings.json          | 1330 +++++++++--------
 domain-server/src/DomainGatekeeper.cpp        |    2 +
 .../src/DomainServerSettingsManager.cpp       |    6 +
 libraries/networking/src/LimitedNodeList.cpp  |    5 +
 libraries/networking/src/LimitedNodeList.h    |    2 +
 libraries/networking/src/Node.h               |    1 +
 libraries/networking/src/NodePermissions.cpp  |    5 +
 libraries/networking/src/NodePermissions.h    |    3 +-
 8 files changed, 713 insertions(+), 641 deletions(-)

diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json
index 352106dcf7..fbbbec9cf2 100644
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@@ -1,5 +1,5 @@
 {
-  "version": 2.2,
+  "version": 2.3,
   "settings": [
     {
       "name": "metaverse",
@@ -221,130 +221,138 @@
           ]
         },
         {
-          "name": "standard_permissions",
-          "type": "table",
-          "label": "Domain-Wide User Permissions",
-          "help": "Indicate which types of users can have which <a data-toggle='tooltip' data-html=true title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level permissions that might otherwise apply to that user. Additionally, if more than one parameter is applicable to a given user, the permissions given to that user will be the sum of all applicable parameters. For example, let&rsquo;s say only localhost users can connect and only logged in users can lock and unlock entities. If a user is both logged in and on localhost then they will be able to both connect and lock/unlock entities.</p>'>domain-wide permissions</a>.",
-          "caption": "Standard Permissions",
-          "can_add_new_rows": false,
-          "groups": [
-            {
-              "label": "Type of User",
-              "span": 1
-            },
-            {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level permissions that might otherwise apply to that user. Additionally, if more than one parameter is applicable to a given user, the permissions given to that user will be the sum of all applicable parameters. For example, let&rsquo;s say only localhost users can connect and only logged in users can lock and unlock entities. If a user is both logged in and on localhost then they will be able to both connect and lock/unlock entities.</p>'>?</a>",
-              "span": 10
-            }
-          ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": ""
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ],
-          "non-deletable-row-key": "permissions_id",
-          "non-deletable-row-values": [ "localhost", "anonymous", "logged-in" ],
-          "default": [
-            {
-                "id_can_connect": true,
-                "id_can_rez_tmp_certified": true,
-                "permissions_id": "anonymous"
-            },
-            {
-                "id_can_connect": true,
-                "id_can_rez_tmp_certified": true,
-                "permissions_id": "friends"
-            },
-            {
-                "id_can_adjust_locks": true,
-                "id_can_connect": true,
-                "id_can_connect_past_max_capacity": true,
-                "id_can_kick": true,
-                "id_can_replace_content": true,
-                "id_can_rez": true,
-                "id_can_rez_certified": true,
-                "id_can_rez_tmp": true,
-                "id_can_rez_tmp_certified": true,
-                "id_can_write_to_asset_server": true,
-                "permissions_id": "localhost"
-            },
-            {
-                "id_can_connect": true,
-                "id_can_rez_tmp_certified": true,
-                "permissions_id": "logged-in"
-            }
-          ]
+            "name": "standard_permissions",
+            "type": "table",
+            "label": "Domain-Wide User Permissions",
+            "help": "Indicate which types of users can have which <a data-toggle='tooltip' data-html=true title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level permissions that might otherwise apply to that user. Additionally, if more than one parameter is applicable to a given user, the permissions given to that user will be the sum of all applicable parameters. For example, let&rsquo;s say only localhost users can connect and only logged in users can lock and unlock entities. If a user is both logged in and on localhost then they will be able to both connect and lock/unlock entities.</p>'>domain-wide permissions</a>.",
+            "caption": "Standard Permissions",
+            "can_add_new_rows": false,
+            "groups": [
+                {
+                    "label": "Type of User",
+                    "span": 1
+                },
+                {
+                    "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level permissions that might otherwise apply to that user. Additionally, if more than one parameter is applicable to a given user, the permissions given to that user will be the sum of all applicable parameters. For example, let&rsquo;s say only localhost users can connect and only logged in users can lock and unlock entities. If a user is both logged in and on localhost then they will be able to both connect and lock/unlock entities.</p>'>?</a>",
+                    "span": 10
+                }
+            ],
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": ""
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ],
+            "non-deletable-row-key": "permissions_id",
+            "non-deletable-row-values": [ "localhost", "anonymous", "logged-in" ],
+            "default": [
+                {
+                    "id_can_connect": true,
+                    "id_can_rez_tmp_certified": true,
+                    "permissions_id": "anonymous"
+                },
+                {
+                    "id_can_connect": true,
+                    "id_can_rez_tmp_certified": true,
+                    "permissions_id": "friends"
+                },
+                {
+                    "id_can_adjust_locks": true,
+                    "id_can_connect": true,
+                    "id_can_connect_past_max_capacity": true,
+                    "id_can_kick": true,
+                    "id_can_replace_content": true,
+                    "id_can_rez": true,
+                    "id_can_rez_certified": true,
+                    "id_can_rez_tmp": true,
+                    "id_can_rez_tmp_certified": true,
+                    "id_can_write_to_asset_server": true,
+                    "id_can_get_and_set_private_user_data": true,
+                    "permissions_id": "localhost"
+                },
+                {
+                    "id_can_connect": true,
+                    "id_can_rez_tmp_certified": true,
+                    "permissions_id": "logged-in"
+                }
+            ]
         },
         {
           "name": "group_permissions",
@@ -361,111 +369,118 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a users in specific groups can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in, as well as permissions from the previous section.  Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a users in specific groups can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in, as well as permissions from the previous section.  Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": "Group Name",
-              "readonly": true,
-              "hidden": true
-            },
-            {
-              "name": "rank_id",
-              "label": "Rank ID",
-              "readonly": true,
-              "hidden": true
-            },
-            {
-              "name": "rank_order",
-              "label": "Rank Order",
-              "readonly": true,
-              "hidden": true
-            },
-            {
-              "name": "rank_name",
-              "label": "",
-              "readonly": true
-            },
-            {
-              "name": "group_id",
-              "label": "Group ID",
-              "readonly": true,
-              "hidden": true
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": "Group Name",
+                    "readonly": true,
+                    "hidden": true
+                },
+                {
+                    "name": "rank_id",
+                    "label": "Rank ID",
+                    "readonly": true,
+                    "hidden": true
+                },
+                {
+                    "name": "rank_order",
+                    "label": "Rank Order",
+                    "readonly": true,
+                    "hidden": true
+                },
+                {
+                    "name": "rank_name",
+                    "label": "",
+                    "readonly": true
+                },
+                {
+                    "name": "group_id",
+                    "label": "Group ID",
+                    "readonly": true,
+                    "hidden": true
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "group_forbiddens",
@@ -482,108 +497,115 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a users in specific groups can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users in specific groups can replace entire content sets by wiping existing domain content.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in.  Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a users in specific groups can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users in specific groups can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in.  Group permissions are only granted if the user doesn&rsquo;t have their own row in the per-account section, below.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": "Group Name",
-              "hidden": true
-            },
-            {
-              "name": "rank_id",
-              "label": "Rank ID",
-              "hidden": true
-            },
-            {
-              "name": "rank_order",
-              "label": "Rank Order",
-              "hidden": true
-            },
-            {
-              "name": "rank_name",
-              "label": "",
-              "readonly": true
-            },
-            {
-              "name": "group_id",
-              "label": "Group ID",
-              "readonly": true,
-              "hidden": true
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": "Group Name",
+                    "hidden": true
+                },
+                {
+                    "name": "rank_id",
+                    "label": "Rank ID",
+                    "hidden": true
+                },
+                {
+                    "name": "rank_order",
+                    "label": "Rank Order",
+                    "hidden": true
+                },
+                {
+                    "name": "rank_name",
+                    "label": "",
+                    "readonly": true
+                },
+                {
+                    "name": "group_id",
+                    "label": "Group ID",
+                    "readonly": true,
+                    "hidden": true
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "permissions",
@@ -596,86 +618,93 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level or group permissions that might otherwise apply to that user.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether a user can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether a user change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether a user can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether a user can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether a user can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether a user can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether a user can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether a user can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific user will supersede any parameter-level or group permissions that might otherwise apply to that user.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": ""
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": ""
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "ip_permissions",
@@ -688,86 +717,93 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide IP Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users from specific IPs can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific IPs can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users from specific IPs can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users from specific IPs can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users from specific IPs can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users from specific IPs can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users from specific IPs can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users from specific IPs can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users from specific IPs can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific IP will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). IP address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide IP Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users from specific IPs can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific IPs can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users from specific IPs can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users from specific IPs can create new entities with a finite lifetime.</li><li><strong>Rez Temporary</strong><br />Sets whether a user can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users from specific IPs can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users from specific IPs can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users from specific IPs can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users from specific IPs can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users from specific IPs can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific IP will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). IP address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": ""
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": ""
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "mac_permissions",
@@ -780,86 +816,93 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide MAC Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users with specific MACs can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific MACs can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users with specific MACs can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users with specific MACs can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users with specific MACs can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users with specific MACs can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users with specific MACs can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users with specific MACs can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users with specific MACs can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific MAC will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). MAC address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide MAC Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users with specific MACs can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific MACs can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users with specific MACs can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users with specific MACs can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users with specific MACs can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users with specific MACs can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users with specific MACs can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users with specific MACs can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users with specific MACs can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific MAC will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). MAC address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": ""
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": ""
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "machine_fingerprint_permissions",
@@ -872,86 +915,93 @@
               "span": 1
             },
             {
-              "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide Machine Fingerprint Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users with specific Machine Fingerprints can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific Machine Fingerprints can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users with specific Machine Fingerprints can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users with specific Machine Fingerprints can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users with specific Machine Fingerprints can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users with specific Machine Fingerprints can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users with specific Machine Fingerprints can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users with specific Machine Fingerprints can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users with specific Machine Fingerprints can replace entire content sets by wiping existing domain content.</li></ul><p>Note that permissions assigned to a specific Machine Fingerprint will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). Machine Fingerprint address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
-              "span": 10
+                "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide Machine Fingerprint Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users with specific Machine Fingerprints can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users from specific Machine Fingerprints can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users with specific Machine Fingerprints can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users with specific Machine Fingerprints can create new entities with a finite lifetime.</li><li><strong>Rez Certified</strong><br />Sets whether users with specific Machine Fingerprints can create new certified entities.</li><li><strong>Rez Temporary Certified</strong><br />Sets whether users with specific Machine Fingerprints can create new certified entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users with specific Machine Fingerprints can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether users with specific Machine Fingerprints can connect even if the domain has reached or exceeded its maximum allowed agents.</li><li><strong>Replace Content</strong><br>Sets whether users with specific Machine Fingerprints can replace entire content sets by wiping existing domain content.</li><li><strong>Can Get and Set Private User Data</strong><br>Sets whether a user can get and set the Private User Data entity property</li></ul><p>Note that permissions assigned to a specific Machine Fingerprint will supersede any parameter-level permissions that might otherwise apply to that user (from groups or standard permissions above). Machine Fingerprint address permissions are overriden if the user has their own row in the users section.</p>'>?</a>",
+                "span": 10
             }
           ],
-          "columns": [
-            {
-              "name": "permissions_id",
-              "label": ""
-            },
-            {
-              "name": "id_can_connect",
-              "label": "Connect",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_adjust_locks",
-              "label": "Lock / Unlock",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez",
-              "label": "Rez",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp",
-              "label": "Rez Temporary",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_certified",
-              "label": "Rez Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_rez_tmp_certified",
-              "label": "Rez Temporary Certified",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_write_to_asset_server",
-              "label": "Write Assets",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_connect_past_max_capacity",
-              "label": "Ignore Max Capacity",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_kick",
-              "label": "Kick Users",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            },
-            {
-              "name": "id_can_replace_content",
-              "label": "Replace Content",
-              "type": "checkbox",
-              "editable": true,
-              "default": false
-            }
-          ]
+            "columns": [
+                {
+                    "name": "permissions_id",
+                    "label": ""
+                },
+                {
+                    "name": "id_can_connect",
+                    "label": "Connect",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_adjust_locks",
+                    "label": "Lock / Unlock",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez",
+                    "label": "Rez",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp",
+                    "label": "Rez Temporary",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_certified",
+                    "label": "Rez Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_rez_tmp_certified",
+                    "label": "Rez Temporary Certified",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_write_to_asset_server",
+                    "label": "Write Assets",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_connect_past_max_capacity",
+                    "label": "Ignore Max Capacity",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_kick",
+                    "label": "Kick Users",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_replace_content",
+                    "label": "Replace Content",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                },
+                {
+                    "name": "id_can_get_and_set_private_user_data",
+                    "label": "Can Get and Set Private User Data",
+                    "type": "checkbox",
+                    "editable": true,
+                    "default": false
+                }
+            ]
         },
         {
           "name": "multi_kick_logged_in",
diff --git a/domain-server/src/DomainGatekeeper.cpp b/domain-server/src/DomainGatekeeper.cpp
index 8c7beaa614..6493080987 100644
--- a/domain-server/src/DomainGatekeeper.cpp
+++ b/domain-server/src/DomainGatekeeper.cpp
@@ -282,6 +282,7 @@ void DomainGatekeeper::updateNodePermissions() {
             userPerms.permissions |= NodePermissions::Permission::canRezTemporaryCertifiedEntities;
             userPerms.permissions |= NodePermissions::Permission::canWriteToAssetServer;
             userPerms.permissions |= NodePermissions::Permission::canReplaceDomainContent;
+            userPerms.permissions |= NodePermissions::Permission::canGetAndSetPrivateUserData;
         } else {
             // at this point we don't have a sending socket for packets from this node - assume it is the active socket
             // or the public socket if we haven't activated a socket for the node yet
@@ -374,6 +375,7 @@ SharedNodePointer DomainGatekeeper::processAssignmentConnectRequest(const NodeCo
     userPerms.permissions |= NodePermissions::Permission::canRezTemporaryCertifiedEntities;
     userPerms.permissions |= NodePermissions::Permission::canWriteToAssetServer;
     userPerms.permissions |= NodePermissions::Permission::canReplaceDomainContent;
+    userPerms.permissions |= NodePermissions::Permission::canGetAndSetPrivateUserData;
     newNode->setPermissions(userPerms);
     return newNode;
 }
diff --git a/domain-server/src/DomainServerSettingsManager.cpp b/domain-server/src/DomainServerSettingsManager.cpp
index 4e833f6b77..2deb51f2e3 100644
--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@@ -441,6 +441,12 @@ void DomainServerSettingsManager::setupConfigMap(const QString& userConfigFilena
             }
         }
 
+        if (oldVersion < 2.3) {
+            unpackPermissions();
+            _standardAgentPermissions[NodePermissions::standardNameLocalhost]->set(NodePermissions::Permission::canGetAndSetPrivateUserData);
+            packPermissions();
+        }
+
 
         // write the current description version to our settings
         *versionVariant = _descriptionVersion;
diff --git a/libraries/networking/src/LimitedNodeList.cpp b/libraries/networking/src/LimitedNodeList.cpp
index 82f3459c15..34eecf5ee8 100644
--- a/libraries/networking/src/LimitedNodeList.cpp
+++ b/libraries/networking/src/LimitedNodeList.cpp
@@ -197,6 +197,11 @@ void LimitedNodeList::setPermissions(const NodePermissions& newPermissions) {
         newPermissions.can(NodePermissions::Permission::canReplaceDomainContent)) {
         emit canReplaceContentChanged(_permissions.can(NodePermissions::Permission::canReplaceDomainContent));
     }
+    if (originalPermissions.can(NodePermissions::Permission::canGetAndSetPrivateUserData) !=
+        newPermissions.can(NodePermissions::Permission::canGetAndSetPrivateUserData)) {
+        emit canGetAndSetPrivateUserDataChanged(_permissions.can(NodePermissions::Permission::canGetAndSetPrivateUserData));
+    }
+}
 }
 
 void LimitedNodeList::setSocketLocalPort(quint16 socketLocalPort) {
diff --git a/libraries/networking/src/LimitedNodeList.h b/libraries/networking/src/LimitedNodeList.h
index 8593ad4b1b..3684b50648 100644
--- a/libraries/networking/src/LimitedNodeList.h
+++ b/libraries/networking/src/LimitedNodeList.h
@@ -124,6 +124,7 @@ public:
     bool getThisNodeCanWriteAssets() const { return _permissions.can(NodePermissions::Permission::canWriteToAssetServer); }
     bool getThisNodeCanKick() const { return _permissions.can(NodePermissions::Permission::canKick); }
     bool getThisNodeCanReplaceContent() const { return _permissions.can(NodePermissions::Permission::canReplaceDomainContent); }
+    bool getThisNodeCanGetAndSetPrivateUserData() const { return _permissions.can(NodePermissions::Permission::canGetAndSetPrivateUserData); }
 
     quint16 getSocketLocalPort() const { return _nodeSocket.localPort(); }
     Q_INVOKABLE void setSocketLocalPort(quint16 socketLocalPort);
@@ -368,6 +369,7 @@ signals:
     void canWriteAssetsChanged(bool canWriteAssets);
     void canKickChanged(bool canKick);
     void canReplaceContentChanged(bool canReplaceContent);
+    void canGetAndSetPrivateUserDataChanged(bool canGetAndSetPrivateUserData);
 
 protected slots:
     void connectedForLocalSocketTest();
diff --git a/libraries/networking/src/Node.h b/libraries/networking/src/Node.h
index fe3177d785..07c599913b 100644
--- a/libraries/networking/src/Node.h
+++ b/libraries/networking/src/Node.h
@@ -83,6 +83,7 @@ public:
     bool getCanWriteToAssetServer() const { return _permissions.can(NodePermissions::Permission::canWriteToAssetServer); }
     bool getCanKick() const { return _permissions.can(NodePermissions::Permission::canKick); }
     bool getCanReplaceContent() const { return _permissions.can(NodePermissions::Permission::canReplaceDomainContent); }
+    bool getCanGetAndSetPrivateUserData() const { return _permissions.can(NodePermissions::Permission::canGetAndSetPrivateUserData); }
 
     using NodesIgnoredPair = std::pair<std::vector<QUuid>, bool>;
 
diff --git a/libraries/networking/src/NodePermissions.cpp b/libraries/networking/src/NodePermissions.cpp
index 92ebf1d01e..e0de649c05 100644
--- a/libraries/networking/src/NodePermissions.cpp
+++ b/libraries/networking/src/NodePermissions.cpp
@@ -67,6 +67,7 @@ NodePermissions::NodePermissions(QMap<QString, QVariant> perms) {
         Permission::canConnectPastMaxCapacity : Permission::none;
     permissions |= perms["id_can_kick"].toBool() ? Permission::canKick : Permission::none;
     permissions |= perms["id_can_replace_content"].toBool() ? Permission::canReplaceDomainContent : Permission::none;
+    permissions |= perms["id_can_get_and_set_private_user_data"].toBool() ? Permission::canGetAndSetPrivateUserData : Permission::none;
 }
 
 QVariant NodePermissions::toVariant(QHash<QUuid, GroupRank> groupRanks) {
@@ -94,6 +95,7 @@ QVariant NodePermissions::toVariant(QHash<QUuid, GroupRank> groupRanks) {
     values["id_can_connect_past_max_capacity"] = can(Permission::canConnectPastMaxCapacity);
     values["id_can_kick"] = can(Permission::canKick);
     values["id_can_replace_content"] = can(Permission::canReplaceDomainContent);
+    values["id_can_get_and_set_private_user_data"] = can(Permission::canGetAndSetPrivateUserData);
     return QVariant(values);
 }
 
@@ -166,6 +168,9 @@ QDebug operator<<(QDebug debug, const NodePermissions& perms) {
     if (perms.can(NodePermissions::Permission::canReplaceDomainContent)) {
         debug << " can_replace_content";
     }
+    if (perms.can(NodePermissions::Permission::canGetAndSetPrivateUserData)) {
+        debug << " get-and-set-private-user-data";
+    }
     debug.nospace() << "]";
     return debug.nospace();
 }
diff --git a/libraries/networking/src/NodePermissions.h b/libraries/networking/src/NodePermissions.h
index 1b0b9d220d..583c1b29ac 100644
--- a/libraries/networking/src/NodePermissions.h
+++ b/libraries/networking/src/NodePermissions.h
@@ -75,7 +75,8 @@ public:
         canKick = 64,
         canReplaceDomainContent = 128,
         canRezPermanentCertifiedEntities = 256,
-        canRezTemporaryCertifiedEntities = 512
+        canRezTemporaryCertifiedEntities = 512,
+        canGetAndSetPrivateUserData = 1024
     };
     Q_DECLARE_FLAGS(Permissions, Permission)
     Permissions permissions;