

Permission Inheritance from a Group
If an object is a member of a group, the security subsystem in CA ITCM supports dynamic inheritance of permissions from the group to the member, as follows:
- A flag marks a group for dynamic inheritance.
- The specified member permissions are inherited by all members of this group.
- If a member is added to a group, it automatically inherits the permissions of the group.
The design of group security is based on the following decisions:
- Security inheritance can be turned on or off on a group. When turned on, the group becomes a security group (the application may use a different icon for visualization).
- The group will have two permission masks, one for the group itself (just like any other secured object) and an inheritance mask.
- When a group inherits from a parent group, both masks will be changed to the inherit mask of the parent group.
- The permission mask of a member of a group or many groups is evaluated to the "union" of all the permissions from the member’s parents, and so on (the permissions are ORed together).
- The inheritance is done from parent to child, which can result in a recursive update of objects.
- There is no restriction on inheritance depth.
- In the order of precedence, object permissions take precedence over group permissions, which take precedence over class permissions.
- If an object is a member of at least one security group, the only change allowed on that object is to apply object security, because applying class security would break the model. For class security to become active, the object needs to be removed from the group, or security inheritance needs to be turned off on the group.
Note: Inheritance from a group is switched off if the security level of an object is set to object-level.
The following illustration shows the inheritance when an object is a member of a group and the group enables the inheritance of the object permissions:

Group g1.1 is a sub-group of group g1. The computers "john" and "smith" are members of the group g1.1.
Inheritance of permissions is disabled for group g1 and enabled for group g1.1. Therefore, the computers "john" and "smith" inherit their permissions from the permissions of group g1.1.
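The evaluation rules above, modeled as an added Python example (not CA ITCM code). The class names, the permission bit values, and the reading that a sub-group of a security group hands down its parent's inheritance mask are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from functools import reduce
from typing import List, Optional

# Constructed permission bits; the product's real flag values are not on the page.
VIEW, READ, WRITE, DELETE = 1, 2, 4, 8

@dataclass
class Obj:
    name: str
    class_mask: int = 0                # from class-level security
    object_mask: Optional[int] = None  # set => object-level security
    parents: List["Group"] = field(default_factory=list)

@dataclass
class Group(Obj):
    inherit: bool = False  # flag: group is a security group
    inherit_mask: int = 0  # mask handed down to members

def _union(masks):
    return reduce(lambda a, b: a | b, masks, 0)

def inherit_mask_of(group: Group) -> int:
    """Mask a group hands down: its parents' inherit masks if it inherits itself."""
    up = [inherit_mask_of(p) for p in group.parents if p.inherit]
    return _union(up) if up else group.inherit_mask

def effective_mask(obj: Obj) -> int:
    """Object-level security wins, then security groups (ORed), then class."""
    if obj.object_mask is not None:   # object level switches group inheritance off
        return obj.object_mask
    inherited = [inherit_mask_of(p) for p in obj.parents if p.inherit]
    return _union(inherited) if inherited else obj.class_mask

def build_example():
    """The g1 / g1.1 / john / smith layout from the illustration."""
    g1 = Group("g1", inherit=False, inherit_mask=WRITE | DELETE)
    g11 = Group("g1.1", inherit=True, inherit_mask=VIEW | READ, parents=[g1])
    john = Obj("john", class_mask=VIEW, parents=[g11])
    smith = Obj("smith", class_mask=VIEW, parents=[g11])
    return g1, g11, john, smith

if __name__ == "__main__":
    g1, g11, john, smith = build_example()
    print(effective_mask(john))   # inherited from g1.1 only, g1 has inheritance off
    g1.inherit = True             # g1.1 now takes g1's inherit mask, recursively
    print(effective_mask(smith))
    john.object_mask = VIEW       # object-level security overrides the groups
    print(effective_mask(john))
```

When auditing access, the union rule is the one to watch: adding an object to a second security group can only widen its effective permissions, never narrow them.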
Copyright © 2013 CA.
All rights reserved.