Access Control Lists Inheritance
Access Control List inheritance refers to the Allow, Deny and Inherited settings that control whether Users, Roles and Groups can access Data Definitions, Users, Roles and Groups.
Permissions for a particular User, Role or Group are tri-state:
- Allow: Gives the item permission to administer that area of functionality.
- Deny: Refuses the item permission to administer that area of functionality.
- Inherited: Allows the item to inherit its permissions from a Parent.
Item is a User, Group or Role
Note: Item refers to the User, Group or Role to which you want to give another User, Group or Role access.
For a User, Group or Role, the operations which can be set to Allow, Deny or Inherited are:
- Read
- Update
- Delete
- Change password (Not available for Roles)
- Set access control
These operations are described in:
- Table 154, “Terminology: Group Access Control List (ACLs)”
- Table 158, “Terminology: Role Access Control List (ACLs)”
- Table 161, “Terminology: User Access Control List (ACLs)”
1. The access settings for a User to an operation on the Item (User, Group or Role) are calculated as follows:
    i. Check for an explicit User Allow/Deny.
    ii. Check for an explicit User Role(s) Deny.
    iii. Check for an explicit User Role(s) Allow.
    iv. Check for an explicit Group(s) Deny.
    v. Check for an explicit Group(s) Allow.
    vi. Check for an explicit Group(s) Role Deny.
    vii. Check for an explicit Group(s) Role Allow.
    viii. Steps iv to vii are repeated for the Parent groups, and for their Parents in turn, until there are no more Parent groups.
2. If no explicit access permissions are found, repeat step 1 with the Roles to which the Item belongs.
3. If no explicit access permissions are found, repeat step 1 with the Groups to which the Item belongs.
4. If no explicit access permissions are found, repeat step 1 with the Parents of the Groups to which the Item belongs.
5. If no explicit permissions are found, then Deny the User access to the Item.
Item is a Data Definition
For a Data Definition, the operations which can be set to Allow, Deny or Inherited are listed in Table 17, “Terminology: Data Definition Access Control List (ACLs)”.
Note: Item here refers to the Data Definition to which you want to give a User, Group or Role access.
1. The access settings for a User to a Data Definition are calculated as follows:
    i. Check for an explicit User Allow/Deny for the operation.
    ii. Check for an explicit User Role(s) Deny for the operation.
    iii. Check for an explicit User Role(s) Allow for the operation.
    iv. Check for an explicit Group(s) Deny for the operation.
    v. Check for an explicit Group(s) Allow for the operation.
    vi. Check for an explicit Group(s) Role Deny for the operation.
    vii. Check for an explicit Group(s) Role Allow for the operation.
    viii. Steps i to vii are repeated for the Category and Parent Categories to which the Data Definition is assigned, until there are no more Parent Categories.
2. If no explicit permissions are found, then Deny the User access to the operation on the Data Definition.
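The following worked example implements the resolution order described in both procedures above (for Items that are Users, Groups or Roles, and for Data Definitions with their Category chain). It is added here for illustration and is not the product's own code: the data model (dictionaries of Groups and ACL entries, a missing ACL entry meaning Inherited), the helper names and the sample principals and ACLs are all assumptions. The evaluation order follows the page: explicit User entry, then User Roles (Deny before Allow), then Groups (Deny before Allow), then those Groups' Roles (Deny before Allow), climbing Parent groups; if the Item's own ACL is silent the same check runs against each ACL the Item inherits from; if nothing explicit is found the result is Deny.

```python
"""Tri-state ACL resolution in the order the page describes (added example)."""
from dataclasses import dataclass, field

ALLOW, DENY, INHERITED = "Allow", "Deny", "Inherited"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    parents: set = field(default_factory=set)


# An ACL is {principal_name: {operation: state}}; a missing entry means Inherited.
def explicit(acl, principal, op):
    """Return Allow/Deny if the ACL holds an explicit entry, else None."""
    state = acl.get(principal, {}).get(op, INHERITED)
    return None if state == INHERITED else state


def check_principals(acl, names, op):
    """Deny is checked before Allow across a set of principals (steps ii/iii, iv/v, vi/vii)."""
    states = {explicit(acl, n, op) for n in names} - {None}
    if DENY in states:
        return DENY
    if ALLOW in states:
        return ALLOW
    return None


def check_acl(acl, user, op, groups):
    """Step 1 (i to viii) evaluated against one ACL; None means nothing explicit."""
    decision = explicit(acl, user.name, op)            # i. explicit User Allow/Deny
    if decision:
        return decision
    decision = check_principals(acl, user.roles, op)   # ii/iii. User Roles
    if decision:
        return decision
    level, seen = set(user.groups), set()
    while level:                                       # iv-vii, then viii: climb Parent groups
        seen |= level
        decision = check_principals(acl, level, op)    # iv/v. Group Deny/Allow
        if decision:
            return decision
        group_roles = set().union(*(groups[g].roles for g in level))
        decision = check_principals(acl, group_roles, op)  # vi/vii. Group Role Deny/Allow
        if decision:
            return decision
        level = set().union(*(groups[g].parents for g in level)) - seen
    return None


def resolve(user, op, acl_chain, groups):
    """acl_chain: the Item's own ACL followed by the ACLs it inherits from
    (its Roles, Groups and Parent Groups, or for a Data Definition its
    Category and Parent Categories). Final fallback is Deny."""
    for acl in acl_chain:
        decision = check_acl(acl, user, op, groups)
        if decision:
            return decision
    return DENY


def sample_results():
    """Constructed sample data: one analyst in the 'finance' group, whose parent is 'staff'."""
    groups = {
        "finance": Group("finance", roles={"auditor"}, parents={"staff"}),
        "staff": Group("staff"),
    }
    alice = User("alice", roles={"analyst"}, groups={"finance"})
    # Data Definition ACL, then its Category ACL, then the Parent Category ACL (all constructed).
    report_acl = {"analyst": {"Read": ALLOW}, "auditor": {"Update": DENY}}
    category_acl = {"staff": {"Update": ALLOW, "Delete": ALLOW}}
    root_category_acl = {"alice": {"Delete": DENY}}
    chain = [report_acl, category_acl, root_category_acl]
    return {op: resolve(alice, op, chain, groups)
            for op in ("Read", "Update", "Delete", "Set access control")}


if __name__ == "__main__":
    for op, decision in sample_results().items():
        print(f"{op}: {decision}")
```

In the sample, Read resolves to Allow through the analyst role; Update resolves to Deny because the finance group's auditor role carries an explicit Deny on the Data Definition itself, so the Category's Allow is never consulted; Delete resolves to Allow from the staff Parent group on the Category before the Parent Category's explicit Deny for alice is reached; and Set access control, with no explicit entry anywhere in the chain, falls through to Deny. The nearer ACL always wins, which is the point to keep in mind when auditing why a principal ended up with more or less access than expected.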