By default, no participants are authorized to create or modify agreements. When you configure agreements for your system, you must set up an agreement managers group. After you create the group, you must give the group, or individual members of the group, appropriate access control permissions for working with agreements.

There are no out-of-the-box access control policy rules defined for the AuthorizationAgreement object type. However, because the Agreement object is a descendant of WTObject, it inherits the out-of-the-box access control rules that are set for WTObject. For example, by default, context managers have Full Control (All) on agreements created in their context. Having the appropriate access control permissions, however, does not allow a context manager to modify an agreement unless he or she is a member of the agreement managers group. Only agreement managers can do more than view or subscribe to an agreement. Non-agreement managers with Read access to agreements can see the agreement information page, but the page has a limited Actions list and does not have the Authorized Objects or Authorized Participants tabs.

For more information on access control and the agreement managers group, see Setting Access Control Permissions for Agreement Managers.