Specifying permissions

To ease the administration of IBM® Content Manager OnDemand, most customers organize their users into groups, add the groups to folders and application groups, and specify permissions for the groups. You should plan your groups before you begin creating them. After you start using the system, you might find it difficult to change the organization of your groups.

Remember: These group definitions are not the same as IBM i group profiles, although the names can match if you find that easier to maintain.

When you add a user to a group, the user automatically obtains the permissions that were specified for the group. When you add a user to more than one group, the user normally obtains the permissions of all of the groups. For example, using the group properties listed in the table, a user that belongs to both groups can open the Student Bills and Student Transcripts folders.

Table 1. Group permissions

  Group       GID       Folders              Permission
  Admissions  1080100   Student Transcripts  Access
  Accounting  1080101   Student Bills        Access

Most situations involve adding a group to a folder, specifying permissions for the group, and then adding users to the group. However, there may be situations when you need to deny a group of users access to a folder. When you use groups to deny access to a folder, you must understand how Content Manager OnDemand determines folder permissions for a group (and users assigned to the group). For example, consider the group properties listed in the following table.

Table 2. Group permissions

  Group       GID       Folders              Permission
  Admissions  1080100   Student Bills        None
  Admissions  1080100   Student Transcripts  Access
  Accounting  1080101   Student Bills        Access
  Accounting  1080101   Student Transcripts  Access

A user that belongs to both groups cannot open the Student Bills folder.

When a user belongs to more than one group, Content Manager OnDemand uses the group identifier (GID) to determine the user's permissions. When two (or more) groups provide permissions for the same folder, the user obtains the permissions of the group with the lowest GID.

It is important to note that you cannot change a GID after a group has been created. You can, however, modify the value that is presented as the suggested GID when the group is created.

In the example depicted in the second table, both groups have been added to the Student Bills folder. Since the Admissions group has a smaller GID than the Accounting group, Content Manager OnDemand uses the permissions specified for the Admissions group to determine the permissions of a user that is assigned to both groups. Consequently, users assigned to both groups cannot access the Student Bills folder.

You might wonder why you would assign a user to more than one group, or why you would create a group with no access to a folder. The examples that follow might help answer these questions, and clarify the Content Manager OnDemand permission hierarchy. As you review the examples, remember the following rules:
  • By default, only an application group/folder administrator, a system administrator, or the person who created the folder can access the folder
  • You can use the *PUBLIC name to specify default permissions for all other users
  • You can specify permissions for specific groups and users:
    • All of the users that belong to a group that you add to a folder will obtain the permissions that you specify for the group
    • A user that belongs to two (or more) groups that have been added to the same folder will obtain the permissions of the group that has the lowest GID
    • The permissions that you specify for a user override all other permissions, including any default permissions (*PUBLIC) and any groups to which the user belongs and that are added to the folder
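The following is an added example, not code from the product, that models the precedence rules above (user permission, then lowest GID among the user's groups added to the folder, then *PUBLIC, then the administrator/creator default) against the data of Table 2. The user names, the "Course Catalog" folder, the administrator account and the group memberships are constructed for the illustration.

```python
from dataclasses import dataclass, field

PUBLIC = "*PUBLIC"

@dataclass
class Folder:
    creator: str
    group_perms: dict                                # group name (or *PUBLIC) -> "Access" | "None"
    user_perms: dict = field(default_factory=dict)   # user name -> permission set for that user

# GIDs from the page's Table 2; a GID cannot be changed after the group is created.
GROUPS = {"Admissions": 1080100, "Accounting": 1080101}

FOLDERS = {
    "Student Bills": Folder("odadmin", {"Admissions": "None", "Accounting": "Access"}),
    "Student Transcripts": Folder("odadmin", {"Admissions": "Access", "Accounting": "Access"}),
    "Course Catalog": Folder("odadmin", {PUBLIC: "Access"}),   # constructed: open to everyone
}

# Constructed group membership (hypothetical user names).
MEMBERSHIP = {
    "alice": {"Admissions", "Accounting"},   # both groups: Admissions (lower GID) decides
    "bob": {"Accounting"},                   # Accounting only
    "carol": {"Admissions", "Accounting"},   # both groups, but also named on the folder
    "dave": set(),                           # no groups at all
}
FOLDERS["Student Bills"].user_perms["carol"] = "Access"   # user-level permission overrides groups
ADMINS = {"odadmin"}                                      # constructed administrator account

def effective_permission(user, folder_name):
    """Resolve the permission `user` holds on a folder, highest precedence first:
    1. a permission specified for the user by name,
    2. the group with the lowest GID among the user's groups added to the folder,
    3. *PUBLIC, if it was added to the folder,
    4. default: only administrators and the folder's creator can access it.
    """
    folder = FOLDERS[folder_name]
    if user in folder.user_perms:
        return folder.user_perms[user]
    added = [g for g in MEMBERSHIP.get(user, ()) if g in folder.group_perms]
    if added:
        return folder.group_perms[min(added, key=GROUPS.__getitem__)]
    if PUBLIC in folder.group_perms:
        return folder.group_perms[PUBLIC]
    return "Access" if user in ADMINS or user == folder.creator else "None"

if __name__ == "__main__":
    for u in MEMBERSHIP:
        print(u, {f: effective_permission(u, f) for f in FOLDERS})
```

Running the script shows alice denied on Student Bills but allowed on Student Transcripts, bob allowed on Student Bills, and carol allowed there despite sharing alice's groups, which is the outcome the tables describe.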