Purpose: To explain the permission hierarchy used when two or more permissions of the same level conflict.
Permission Hierarchy
A unique permission can be assigned to many roles and many roles can be assigned to a user. In addition, the same unique permission can be overridden at the user level. In other words, a single permission could be assigned to a user from multiple roles or at the user level.
When conflicting permissions are applied to a user, the following two rules are used to select the final effective permission:
- The assignment at the user level always takes precedence over any assignment at the role level.
- If a permission is assigned to multiple roles and subsequently those roles are assigned to a user, the permission assignment with the highest action takes precedence. The possible actions, from highest to lowest, are:
  - Granted
  - Granted with Restriction Set
  - Read-only with Restriction Set
  - Read-only
  - Blocked with Restriction Set
  - Blocked
Note: If two permissions with restriction sets of the same level (for example, two permissions set as "Blocked with Restriction Set") are applied to a single user, the two different permission sets will be combined using the above hierarchy as a guide.
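The two rules above can be modelled in a few lines to check what a user ends up with and to spot role-level blocks that never take effect. This is an added example, not code from the product: the role names, restriction set ids and function names are constructed, and because the page does not spell out how same-level restriction sets are merged, the resolver returns all of them without merging.

```python
from enum import IntEnum
from typing import NamedTuple, Optional

class Action(IntEnum):
    # Ranking taken from the page: a larger value is a higher action.
    BLOCKED = 1
    BLOCKED_WITH_RESTRICTIONS = 2
    READ_ONLY = 3
    READ_ONLY_WITH_RESTRICTIONS = 4
    GRANTED_WITH_RESTRICTIONS = 5
    GRANTED = 6

class Assignment(NamedTuple):
    source: str                            # role name, or "user" for a user-level override
    action: Action
    restriction_set: Optional[str] = None  # opaque id (constructed)

class Effective(NamedTuple):
    action: Action
    decided_by: str    # "user" or "role"
    winners: list      # assignments that determine the result
    overridden: list   # assignments that had no effect

def resolve(role_assignments, user_assignment=None):
    """Effective result for one permission and one user, or None if nothing is assigned."""
    roles = list(role_assignments)
    if user_assignment is not None:        # Rule 1: user level beats every role
        return Effective(user_assignment.action, "user", [user_assignment], roles)
    if not roles:
        return None
    top = max(a.action for a in roles)     # Rule 2: highest action among the roles
    return Effective(top, "role",
                     [a for a in roles if a.action == top],
                     [a for a in roles if a.action != top])

def shadowed_blocks(result):
    """Sources whose Blocked assignment was outranked by a higher action."""
    blocked = (Action.BLOCKED, Action.BLOCKED_WITH_RESTRICTIONS)
    if result is None or result.action in blocked:
        return []
    return [a.source for a in result.overridden if a.action in blocked]

# Constructed sample: four roles held by one user, all assigning the same permission.
ROLES = [
    Assignment("Contractor", Action.BLOCKED),
    Assignment("Analyst", Action.READ_ONLY),
    Assignment("Manager", Action.GRANTED_WITH_RESTRICTIONS, "RS-1"),
    Assignment("Auditor", Action.GRANTED_WITH_RESTRICTIONS, "RS-2"),
]
```

With these roles the Contractor block has no effect, because the highest action among the roles wins; only a user-level assignment, as in `resolve(ROLES, Assignment("user", Action.BLOCKED))`, blocks the permission regardless of the user's roles.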