Interaction Between User and Group Access Authorities

You can explicitly grant or deny access authorities to a user, and also to groups to which the user belongs. Sometimes these can conflict. The following example shows what results if conflicting access authorities are assigned to the same resource when a user is a member of two groups (Group 1 and Group 2).

This example assumes that the accumulative group rights option is set (the default setting).

| Access Authority for User | Access Authority for Group 1 | Access Authority for Group 2 | Resulting Access Authority |
|---|---|---|---|
| Access denied | (Any) | (Any) | Access denied |
| Access granted | (Any) | (Any) | Access granted |
| (Not defined) | Access granted | (Not defined) | Access granted |
| (Not defined) | (Not defined) | Access granted | Access granted |
| (Not defined) | Access granted | Access granted | Access granted |
| (Not defined) | Access denied | (Any) | Access denied |
| (Not defined) | (Any) | Access denied | Access denied |

Where an entry is shown as (Not defined), this means that no entry for the user or group is defined.

Where an entry is shown as (Any), this means that the access authority does not matter, because CA ControlMinder does not check it.
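
The precedence in the table can be expressed as a small resolver. This is an added example, not CA ControlMinder code: the function names, the sample ACL and the user and group names are hypothetical. Extending the rule from two groups to any number of groups is an assumption, and the case where no entry is defined at all is left undecided because the table does not cover it.

```python
from typing import Iterable, Optional

GRANT, DENY = "granted", "denied"   # None stands for "(Not defined)"

def resolve(user: Optional[str], groups: Iterable[Optional[str]]) -> Optional[str]:
    """Resulting authority per the table (accumulative group rights set)."""
    if user is not None:
        return user                 # explicit user entry: group entries are "(Any)"
    defined = [g for g in groups if g is not None]
    if DENY in defined:
        return DENY                 # a denial in any group wins over group grants
    if GRANT in defined:
        return GRANT
    return None                     # nothing defined: not covered by the table

def shadowed_group_denials(acl: dict, memberships: dict) -> list:
    """Users whose explicit grant makes a group denial ineffective (table row 2)."""
    findings = []
    for user, groups in memberships.items():
        if acl["users"].get(user) == GRANT:
            denied = sorted(g for g in groups if acl["groups"].get(g) == DENY)
            if denied:
                findings.append((user, denied))
    return findings

# Constructed sample ACL for a single resource; all names are hypothetical.
ACL = {"users": {"alice": GRANT, "bob": DENY},
       "groups": {"ops": GRANT, "contractors": DENY}}
MEMBERSHIPS = {"alice": ["ops", "contractors"], "bob": ["ops"],
               "carol": ["ops", "contractors"], "dave": ["ops"], "erin": []}

def effective(user: str) -> Optional[str]:
    """Resolve one user of the sample ACL from the user entry and group entries."""
    groups = [ACL["groups"].get(g) for g in MEMBERSHIPS[user]]
    return resolve(ACL["users"].get(user), groups)

if __name__ == "__main__":
    for name in MEMBERSHIPS:
        print(name, effective(name))
    print("explicit grants overriding a group denial:",
          shadowed_group_denials(ACL, MEMBERSHIPS))
```

The second function is the review a practitioner would run against real ACL data: it lists users for whom a group-level denial has no effect because an explicit user grant is checked first.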