Rules to determine authorization across multiple security groups

One person can be a member of multiple security groups. In order to determine the net results of the accumulation of rules within these groups the following rules apply:

  1. The base rule is deny. Unless specified otherwise, a person is not allowed to view or edit anything.
  2. Deny is stronger than allow. In case of conflicting settings the deny clause overrules an allow clause.
  3. Specific policies overrule more generic policies. For example, a policy that allows viewing of all collateral for all machines is overruled by a policy that allows editing of all collateral for a specific machine.
  4. If viewing is not allowed, editing is never allowed, even if a specific policy would allow editing. (It makes no sense to be able to edit something that you cannot view.) Note, however, that the view and edit rules are distinct.

For example: 

1.   In the group "Machine-specific security" the following is defined:

      

Persons John and Harry are both members of this group. Peter is not a member of this group.

2.  Harry and Peter are also members of the group "Users." John, however, is not a member of the group "Users." Note that this distinction requires actively deselecting him from this group, because all persons are assigned to the group "Users" by default.

The security group "Users" by definition allows its members to view collateral for all machines.

3.   John, Pete, and Harry are all members of the group "Logfile and collateral uploaders".

The security group "Logfile and collateral uploaders" by definition allows its members to edit all documents for all machines. 

The resulting authorizations for John, Harry, and Pete are as follows:

  • John is not allowed to see all documents for all machines (rule 1).
  • John is allowed to view the document 10-K-W-BB-45-V3 for machine 15.01.3001005 (rule 3).
  • John is not allowed to edit any document (rule 4).
  • Harry is not allowed to see all documents for all machines (rule 2).
  • Harry is allowed to view the document 10-K-W-BB-45-V3 for machine 15.01.3001005 (rule 3).
  • Harry is not allowed to edit any document (rule 4).
  • Pete is allowed to view all documents for all machines (rule 1).
  • Pete is allowed to edit all documents for all machines (rule 1).
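As an added example (not code from the original page or the product it describes), the following Python encodes the four rules and replays the John/Harry/Pete scenario. The contents of the group "Machine-specific security" are not shown on this page; the example assumes it denies viewing of all documents for all machines and allows viewing of the one document named above, which is the minimal set of policies that reproduces the results listed. It also assumes that rule 4 checks viewing at the scope of the edit policy, so a generic edit-all policy is void when viewing all is denied.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: the policy applies to every machine / every document

@dataclass(frozen=True)
class Policy:
    action: str    # "view" or "edit"
    machine: str   # machine id or ANY
    document: str  # document id or ANY
    effect: str    # "allow" or "deny"

    def matches(self, machine, document):
        return self.machine in (ANY, machine) and self.document in (ANY, document)

    def specificity(self):
        # 0 = all machines/all documents, 2 = one document on one machine
        return (self.machine != ANY) + (self.document != ANY)

def decide(policies, action, machine, document):
    matching = [p for p in policies if p.action == action and p.matches(machine, document)]
    if not matching:
        return False                                   # rule 1: base rule is deny
    top = max(p.specificity() for p in matching)
    winners = [p for p in matching if p.specificity() == top]  # rule 3: most specific wins
    if any(p.effect == "deny" for p in winners):
        return False                                   # rule 2: deny beats allow
    if action == "edit":
        # rule 4: an edit allow only stands if viewing at the same scope is allowed
        return all(decide(policies, "view", p.machine, p.document) for p in winners)
    return True

# Assumed group contents (the page does not show the machine-specific policies).
GROUPS = {
    "Machine-specific security": [
        Policy("view", ANY, ANY, "deny"),
        Policy("view", "15.01.3001005", "10-K-W-BB-45-V3", "allow"),
    ],
    "Users": [Policy("view", ANY, ANY, "allow")],
    "Logfile and collateral uploaders": [Policy("edit", ANY, ANY, "allow")],
}
MEMBERS = {
    "John": {"Machine-specific security", "Logfile and collateral uploaders"},
    "Harry": {"Machine-specific security", "Users", "Logfile and collateral uploaders"},
    "Pete": {"Users", "Logfile and collateral uploaders"},
}

def authorized(person, action, machine, document):
    # Accumulate the policies of every group the person belongs to, then decide.
    policies = [p for group in MEMBERS.get(person, ()) for p in GROUPS[group]]
    return decide(policies, action, machine, document)
```

A person with no group membership at all falls through to the base deny, which is the check worth keeping in any test suite for such rules.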
