Access Control Lists Inheritance
Permissions for a particular User, Role or Group are tri-state:
- Allow: Gives the item permission to administer that area of functionality.
- Deny: Refuses the item permission to administer that area of functionality.
- Inherited: Allows the item to inherit their permissions from a Parent.
Item is a User, Group or Role
Note: Item refers to the User, Group or Role to which you want to give another User, Group or Role access.
For a User, Group or Role, the operations which can be set to Allow, Deny or Inherited are:
- Read
- Update
- Delete
- Change password (Not available for Roles)
- Set access control
These operations are described in:
Table 154, “Terminology: Group Access Control List (ACLs)”
Table 158, “Terminology: Role Access Control List (ACLs)”
Table 161, “Terminology: User Access Control List (ACLs)”
1. The access settings for a User to an operation on the Item (User, Group or Role) are calculated:
   i. Check for Explicit User Allow/Deny.
   ii. Check for Explicit User Role(s) Deny.
   iii. Check for Explicit User Role(s) Allow.
   iv. Check for Explicit Group(s) Deny.
   v. Check for Explicit Group(s) Allow.
   vi. Check for Explicit Group(s) Role Deny.
   vii. Check for Explicit Group(s) Role Allow.
   viii. Steps iv to vii are repeated for Parents of the Parent groups (until there are no more Parent groups).
2. If no explicit access permissions are found, repeat step 1 with the Roles to which the item belongs.
3. If no explicit access permissions are found, repeat step 1 with the Groups to which the item belongs.
4. If no explicit access permissions are found, repeat step 1 with the Parents of the Groups to which the item belongs.
5. If no explicit permissions are found, then Deny access for the User to the item.
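The evaluation order above can be sketched as a small resolver; this is an added example, not the product's own code. The directory data, the `ACL` lookup layout, the function names and the rule that any Deny wins when a fallback step yields several targets are all assumptions made for illustration.

```python
ALLOW, DENY = "allow", "deny"

# Constructed sample directory; every name below is hypothetical.
ROLES = {"alice": {"helpdesk"}, "bob": {"auditors"}}           # member -> roles
GROUPS = {"alice": {"emea-support"}, "bob": {"contractors"}}   # member -> groups
PARENTS = {"emea-support": {"support"}}                        # group -> parent groups
# (subject, item, operation) -> explicit setting; a missing key means Inherited.
ACL = {
    ("helpdesk", "bob", "Change password"): ALLOW,
    ("support", "bob", "Change password"): DENY,
    ("support", "bob", "Read"): ALLOW,
    ("emea-support", "contractors", "Update"): ALLOW,
    ("alice", "bob", "Set access control"): DENY,
    ("helpdesk", "bob", "Set access control"): ALLOW,
}

def explicit(subjects, item, op):
    """Check Deny, then Allow, across the subjects of one level."""
    found = {ACL.get((s, item, op)) for s in subjects}
    return DENY if DENY in found else ALLOW if ALLOW in found else None

def step1(user, item, op):
    """Sub-steps i to viii: user, user roles, then groups and their roles upward."""
    hit = explicit([user], item, op) or explicit(ROLES.get(user, ()), item, op)
    level, seen = set(GROUPS.get(user, ())), set()
    while hit is None and level:
        group_roles = {r for g in level for r in ROLES.get(g, ())}
        hit = explicit(level, item, op) or explicit(group_roles, item, op)
        seen |= level  # guards against a cycle in the group hierarchy
        level = {p for g in level for p in PARENTS.get(g, ())} - seen
    return hit

def effective(user, item, op):
    """Steps 1 to 5: the item, its roles, its groups, their parents, else Deny."""
    groups = GROUPS.get(item, set())
    parents = {p for g in groups for p in PARENTS.get(g, ())}
    for targets in ([item], ROLES.get(item, ()), groups, parents):
        # Assumption: with several targets at one step, any Deny wins.
        results = {step1(user, t, op) for t in targets}
        if DENY in results:
            return DENY
        if ALLOW in results:
            return ALLOW
    return DENY  # step 5: nothing explicit anywhere

if __name__ == "__main__":
    for op in ("Read", "Update", "Delete", "Change password", "Set access control"):
        print(f"alice -> bob, {op}: {effective('alice', 'bob', op)}")
```

In the sample data, "Change password" resolves to Allow even though the parent group `support` carries a Deny, because the user's Role is checked before any Group; when reviewing an ACL, a Deny placed on a Group does not override an Allow granted through the user's own Role.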
Item is a Data Definition
For a Data Definition, the operations which can be set to Allow, Deny or Inherit can be seen in Table 17, “Terminology: Data Definition Access Control List (ACLs)”.
Note: Item refers to the User, Group or Role to which you want to give another User, Group or Role access.
1. The access settings for a User to a Data Definition are calculated:
   i. Check for Explicit User Allow/Deny for the operation.
   ii. Check for Explicit User Role(s) Deny for the operation.
   iii. Check for Explicit User Role(s) Allow for the operation.
   iv. Check for Explicit Group(s) Deny for the operation.
   v. Check for Explicit Group(s) Allow for the operation.
   vi. Check for Explicit Group(s) Role Deny for the operation.
   vii. Check for Explicit Group(s) Role Allow for the operation.
   viii. Steps i to vii are repeated for the Category and Parent Categories to which the Data Definition is assigned, until there are no more Parent Categories.
2. If no explicit permissions are found, then Deny access for the User to the operation on the Data Definition.