Specifying permissions
About this task
To ease the administration of Content Manager OnDemand, most customers organize their users into groups, add the groups to folders and application groups, and specify permissions for the groups. You should plan your groups before you begin creating them. After you start using the system, you might find it difficult to change the organization of your groups.
When you add a user to a group, the user automatically obtains the permissions that were specified for the group. When you add a user to more than one group, the user normally obtains the permissions of all of the groups. For example, using the group properties listed in Table 1, a user that belongs to both groups can open the Student Bills and Student Transcripts folders.
Table 1

Group | GID | Folders | Permission |
---|---|---|---|
Admissions | 1080100 | Student Transcripts | Access |
Accounting | 1080101 | Student Bills | Access |

Table 2

Group | GID | Folders | Permission |
---|---|---|---|
Admissions | 1080100 | Student Bills | None |
Admissions | 1080100 | Student Transcripts | Access |
Accounting | 1080101 | Student Bills | Access |
Accounting | 1080101 | Student Transcripts | Access |

When a user belongs to more than one group, Content Manager OnDemand uses the group identifier (GID) to determine the user's permissions. When two (or more) groups provide permissions for the same folder, the user obtains the permissions of the group with the lowest GID. In the example depicted in Table 2, both groups have been added to the Student Bills folder. Since the Admissions group has a lower GID than the Accounting group, Content Manager OnDemand uses the permissions specified for the Admissions group to determine the permissions of a user that is assigned to both groups. Consequently, users assigned to both groups cannot access the Student Bills folder.
Why would I assign a user to more than one group, or why would I create a group with no access to a folder? Perhaps some examples will help answer these questions (and clarify the Content Manager OnDemand permission hierarchy). As you review the examples, please remember the following rules:
- By default, the person that created the folder, a system administrator, and an application group/folder/cabinet administrator can access the folder
- You can use the *PUBLIC name to specify default permissions for all other users
- You can specify permissions for specific groups and users:
  - All of the users that belong to a group that you add to a folder will obtain the permissions that you specify for the group
  - A user that belongs to two (or more) groups that have been added to the same folder will obtain the permissions of the group that has the lowest GID
  - The permissions that you specify for a user override all other permissions, including any default permissions (*PUBLIC) and any groups to which the user belongs and that are added to the folder
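
The precedence rules above, applied to the Table 2 data, as an added example (not IBM code and not a Content Manager OnDemand API). The user ID `pat`, the data layout, and the "None" result when no entry matches are assumptions; the default access of the folder creator and administrators is not modelled. `masked_groups` lists the group entries that are ignored because a lower-GID group decides, which is the case to check for when reviewing group design.

```python
# Added example: models the precedence rules stated on this page.
# Table 2 values come from the page; user ids and the "None" fallback are assumptions.
GIDS = {"Admissions": 1080100, "Accounting": 1080101}

# folder -> permission entries: groups, individual users, optional *PUBLIC default
FOLDERS = {
    "Student Bills": {
        "groups": {"Admissions": "None", "Accounting": "Access"},
        "users": {},
        "public": None,
    },
    "Student Transcripts": {
        "groups": {"Admissions": "Access", "Accounting": "Access"},
        "users": {},
        "public": None,
    },
}

def effective_permission(user, memberships, folder, gids=GIDS):
    """Return (permission, source) for one user on one folder."""
    # 1. A permission set for the user overrides groups and *PUBLIC.
    if user in folder["users"]:
        return folder["users"][user], "user"
    # 2. Among the user's groups added to the folder, the lowest GID wins.
    added = [g for g in memberships if g in folder["groups"]]
    if added:
        winner = min(added, key=lambda g: gids[g])
        return folder["groups"][winner], winner
    # 3. Otherwise the *PUBLIC default applies, if one was specified.
    if folder["public"] is not None:
        return folder["public"], "*PUBLIC"
    return "None", "no entry"  # assumption: no matching entry means no access

def masked_groups(memberships, folder, gids=GIDS):
    """Groups whose entry is ignored because a lower-GID group decides."""
    added = sorted((g for g in memberships if g in folder["groups"]),
                   key=lambda g: gids[g])
    return [g for g in added[1:]
            if folder["groups"][g] != folder["groups"][added[0]]]

if __name__ == "__main__":
    both = ["Accounting", "Admissions"]  # constructed user "pat" is in both groups
    for name, folder in FOLDERS.items():
        print(name, effective_permission("pat", both, folder),
              masked_groups(both, folder))
```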