Note: you must not delete or rename the Default config scope!
Many object types have a 'scopeRef' attribute (usually referencing configScope) that determines the access permissions on objects of that type.
This way, instead of setting and maintaining access permissions for each individual object, you can create a limited set of configScope objects with the necessary permissions (e.g. the 'Default' one, which has full access for administrators and read-only access for everyone).
'Normal' users must not be able to change the value of scopeRef, because by doing so they could change the access permissions on the object itself. The solution is to put scopeRef in a different access class, typically 'Protected', so that read/write access on the object's 'normal' attributes can be granted without granting write access on scopeRef itself.
All of the scopeRef attributes in the schema are in the 'Protected' access class.
About scopeRef and objectUI
When an object type has a scopeRef attribute, then the objectUI used to create objects of this type must be configured so that scopeRef is initialized to the "Default" configScope object.
You can write the <init> section of the objectUI like this:
<init>
  <gn4:myObjectType>
    <gn4:scopeRef>
      <gn4:keyVal>Default</gn4:keyVal>
    </gn4:scopeRef>
  </gn4:myObjectType>
</init>
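A configuration check for the rule above, as an added example that is not part of the original documentation or the product's own tooling: it parses an objectUI definition and reports when the <init> section does not set scopeRef to "Default". The wrapper element, the namespace URI, the 'Sports' scope name and the function names are assumptions made for illustration; only the <init> shape comes from this page.

```python
import xml.etree.ElementTree as ET

# Constructed samples: wrapper element and namespace URI are placeholders,
# only the <init> shape is taken from the page.
NS = "urn:example:gn4-placeholder"
GOOD = f"""<objectUI xmlns:gn4="{NS}">
  <init>
    <gn4:myObjectType>
      <gn4:scopeRef><gn4:keyVal>Default</gn4:keyVal></gn4:scopeRef>
    </gn4:myObjectType>
  </init>
</objectUI>"""
NO_SCOPE = f"""<objectUI xmlns:gn4="{NS}">
  <init><gn4:myObjectType/></init>
</objectUI>"""
WRONG_SCOPE = GOOD.replace("Default", "Sports")  # 'Sports' is a made-up scope


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if local(c.tag) == name), None)


def check_scope_init(xml_text, object_type, expected="Default"):
    """Return a list of findings; an empty list means the init is correct."""
    root = ET.fromstring(xml_text)
    init = next((e for e in root.iter() if local(e.tag) == "init"), None)
    if init is None:
        return ["no <init> section"]
    obj = child(init, object_type)
    if obj is None:
        return [f"<init> does not initialise {object_type}"]
    scope = child(obj, "scopeRef")
    if scope is None:
        return ["scopeRef is not initialised"]
    key = child(scope, "keyVal")
    value = (key.text or "").strip() if key is not None else ""
    if value != expected:
        return [f"scopeRef is {value!r}, expected {expected!r}"]
    return []


if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("no scope", NO_SCOPE), ("wrong", WRONG_SCOPE)]:
        print(name, check_scope_init(doc, "myObjectType") or "OK")
```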