Specifying permissions

About this task

To ease the administration of Content Manager OnDemand, most customers organize their users into groups, add the groups to folders and application groups, and specify permissions for the groups. You should plan your groups before you begin creating them. After you start using the system, you might find it difficult to change the organization of your groups.

When you add a user to a group, the user automatically obtains the permissions that were specified for the group. When you add a user to more than one group, the user normally obtains the permissions of all of the groups. For example, using the group properties listed in Table 1, a user that belongs to both groups can open the Student Bills and Student Transcripts folders.

Table 1. Group permissions
Group       GID      Folders              Permission
Admissions  1080100  Student Transcripts  Access
Accounting  1080101  Student Bills        Access

Most situations involve adding a group to a folder, specifying permissions for the group, and then adding users to the group. However, there might be situations when you need to deny a group of users access to a folder. When you use groups to deny access to a folder, you must understand how Content Manager OnDemand determines folder permissions for a group (and users assigned to the group). For example, consider the group properties listed in Table 2.

Table 2. Group permissions
Group       GID      Folders              Permission
Admissions  1080100  Student Bills        None
Admissions  1080100  Student Transcripts  Access
Accounting  1080101  Student Bills        Access
Accounting  1080101  Student Transcripts  Access

A user that belongs to both groups cannot open the Student Bills folder.

When a user belongs to more than one group, Content Manager OnDemand uses the group identifier (GID) to determine the user's permissions. When two (or more) groups provide permissions for the same folder, the user obtains the permissions of the group with the lowest GID. In the example depicted in Table 2, both groups have been added to the Student Bills folder. Since the Admissions group has a lower GID than the Accounting group, Content Manager OnDemand uses the permissions specified for the Admissions group to determine the permissions of a user that is assigned to both groups. Consequently, users assigned to both groups cannot access the Student Bills folder.

You're probably asking yourself, why would I assign a user to more than one group or why would I create a group with no access to a folder? Perhaps some examples will help answer these questions (and clarify the Content Manager OnDemand permission hierarchy). As you review the examples, please remember the following rules:
  • By default, the person that created the folder, a system administrator, and an application group/folder/cabinet administrator can access the folder
  • You can use the *PUBLIC name to specify default permissions for all other users
  • You can specify permissions for specific groups and users:
    • All of the users that belong to a group that you add to a folder will obtain the permissions that you specify for the group
    • A user that belongs to two (or more) groups that have been added to the same folder will obtain the permissions of the group that has the lowest GID
    • The permissions that you specify for a user override all other permissions, including any default permissions (*PUBLIC) and any groups to which the user belongs and that are added to the folder
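
The precedence rules above can be modeled in a few lines when you review group plans before creating them. The following is an added example, not Content Manager OnDemand code or an OnDemand API: the data structures and function names are hypothetical, the default access of folder creators and administrators is not modeled, and "no matching entry means no access" is an assumption. It resolves a user's effective folder permission and reports folders where the lowest-GID group hides a different permission from another of the user's groups, as happens in Table 2.

```python
# Added example: hypothetical data model, not an OnDemand API.
PUBLIC = "*PUBLIC"
GIDS = {"Admissions": 1080100, "Accounting": 1080101}
# Constructed sample: the folder entries from Table 2.
TABLE2 = {
    "Student Bills": {"groups": {"Admissions": "None", "Accounting": "Access"}},
    "Student Transcripts": {"groups": {"Admissions": "Access", "Accounting": "Access"}},
}

def effective_permission(acl, user, user_groups, gids):
    """Return (permission, source) for one user on one folder."""
    users = acl.get("users", {})
    groups = acl.get("groups", {})
    # A permission specified for the user overrides groups and *PUBLIC.
    if user in users:
        return users[user], f"user:{user}"
    # Among the user's groups added to the folder, the lowest GID wins.
    added = [g for g in user_groups if g in groups]
    if added:
        winner = min(added, key=lambda g: gids[g])
        return groups[winner], f"group:{winner}"
    # Otherwise fall back to the *PUBLIC default, if one was specified.
    if PUBLIC in users:
        return users[PUBLIC], PUBLIC
    return "None", "no entry"  # assumption: no matching entry means no access

def shadowed_grants(folders, user, user_groups, gids):
    """List folders where the winning group masks a different group permission."""
    findings = []
    for name, acl in folders.items():
        perm, source = effective_permission(acl, user, user_groups, gids)
        if not source.startswith("group:"):
            continue  # user-level or *PUBLIC result: no group conflict to report
        masked = sorted(g for g, p in acl["groups"].items()
                        if g in user_groups and p != perm)
        if masked:
            findings.append((name, perm, source, masked))
    return findings

if __name__ == "__main__":
    both = ["Admissions", "Accounting"]
    for folder, acl in TABLE2.items():
        print(folder, effective_permission(acl, "pat", both, GIDS))
    print(shadowed_grants(TABLE2, "pat", both, GIDS))
```

Running the check against a planned group layout shows, before any user is assigned, which multi-group memberships would silently lose or gain access because of GID ordering.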