Permissions Inheritance
Permissions inheritance refers to the settings of Allow, Deny or Not Set for Users, Roles and Groups.
Permissions for a particular User, Role or Group are tri-state:
- Allow: Gives the item permission to administer that area of functionality.
- Deny: Refuses the item permission to administer that area of functionality.
- Not Set: Allows the item to inherit their permissions from a Parent.
Calculating Permissions
The list of operations which can be Allowed or Denied for a User are described in:
Table 148, “Terminology: Group Permissions”
Table 150, “Terminology: Role Permissions”
Table 152, “Terminology: User Permissions”
When calculating a User’s permission for a particular operation, the following order is followed:
- Check for Explicit User Allow/Deny.
- Check For Explicit User Role(s) Deny.
- Check For Explicit User Role(s) Allow.
- Check For Explicit Group(s) Deny.
- Check For Explicit Group(s) Allow.
- Check For Explicit Group(s) Role Deny.
- Check For Explicit Group(s) Role Allow.
- Steps 4 to 7 are repeated for Parents of the Parent groups (until there are no more Parent groups) and if no explicit permissions are found, then Deny.
See “Set Permissions: Users, Groups and Roles” and see “Set Permissions: Multiple Groups with Conflicting Settings” for examples.