Coordination between access control items

You need to coordinate the outcome when multiple access control items apply to the same operation or attribute, because one access control item can grant a permission that another access control item denies.

A user might belong to several groups. The user's access is the widest privilege granted to any group of which the user is a member. However, if the operation or attribute is explicitly denied to any of those groups, the user's access is disabled regardless of what the other groups are granted.

When conflict occurs between two or more access control items, the following rules apply:

  • An explicit denial (with a Deny selection) by one access control item overrides an explicit grant by other access control items.
  • An explicit grant by one access control item overrides an implied denial (with a None selection) by other access control items.

Use the Deny selection sparingly, because an explicit denial overrides all other choices and cannot be undone by a grant elsewhere. Where you only want to withhold a permission rather than forbid it, use the None selection instead: an implied denial still leaves the permission available to users who are granted it by another access control item.

For an attribute, the permission for a write operation takes precedence over the permission for a read operation. If you explicitly deny read permission but explicitly grant write permission, the user can still see the attribute on the form. As a result, denying read permission does not hide an attribute unless write permission is also withheld.

Generally, if a user is granted permission to view or modify an attribute, the user can also see the attribute in the user interface even if read permission is denied. For example, if an access control item grants permission to define an access group, a member of that access control item can also view the access group list, regardless of whether the operation to view group members is granted or denied.
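The following Python example is added here to show how the precedence rules above combine when a user belongs to several groups; it is not the product's code or data model. It assumes a simplified AccessControlItem with member groups, per-operation selections and per-attribute read/write selections, and it includes a review helper that lists every place an explicit Deny cancels a Grant, which is the check to run before adding a Deny selection. The group, operation and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Selection(Enum):
    GRANT = "Grant"   # explicit grant
    DENY = "Deny"     # explicit denial, overrides every other selection
    NONE = "None"     # implied denial, overridden by any explicit grant


@dataclass
class AccessControlItem:
    # Simplified model assumed for this example, not the product's schema.
    name: str
    members: FrozenSet[str]                                   # groups the ACI applies to
    operations: Dict[str, Selection] = field(default_factory=dict)              # op -> Selection
    attributes: Dict[Tuple[str, str], Selection] = field(default_factory=dict)  # (attr, "read"|"write") -> Selection


def combine(selections: Iterable[Selection]) -> Selection:
    """Precedence across access control items: Deny > Grant > None."""
    seen = set(selections)
    if Selection.DENY in seen:
        return Selection.DENY
    if Selection.GRANT in seen:
        return Selection.GRANT
    return Selection.NONE


def applicable(acis: List[AccessControlItem], user_groups: FrozenSet[str]) -> List[AccessControlItem]:
    """Every ACI whose member groups intersect the user's memberships applies."""
    return [a for a in acis if a.members & user_groups]


def can_perform(acis: List[AccessControlItem], user_groups: FrozenSet[str], operation: str) -> bool:
    """Widest privilege across the user's groups, unless any applicable ACI denies it."""
    return combine(a.operations.get(operation, Selection.NONE)
                   for a in applicable(acis, user_groups)) is Selection.GRANT


def attribute_access(acis: List[AccessControlItem], user_groups: FrozenSet[str], attr: str) -> Dict[str, bool]:
    """Effective read/write on one attribute. Write takes precedence over read:
    a granted write makes the attribute visible even if read is explicitly denied."""
    app = applicable(acis, user_groups)
    write = combine(a.attributes.get((attr, "write"), Selection.NONE) for a in app)
    read = combine(a.attributes.get((attr, "read"), Selection.NONE) for a in app)
    can_write = write is Selection.GRANT
    return {"read": can_write or read is Selection.GRANT, "write": can_write}


def deny_overrides(acis: List[AccessControlItem], user_groups: FrozenSet[str]) -> List[Tuple[str, str, str]]:
    """Review check: (target, denying ACI, granting ACI) for every place an explicit
    Deny cancels a Grant for this user. Run it before adding a Deny selection."""
    app = applicable(acis, user_groups)
    hits = []
    for kind in ("operations", "attributes"):
        targets = {t for a in app for t in getattr(a, kind)}
        for t in targets:
            denies = [a.name for a in app if getattr(a, kind).get(t) is Selection.DENY]
            grants = [a.name for a in app if getattr(a, kind).get(t) is Selection.GRANT]
            hits.extend((str(t), d, g) for d in denies for g in grants)
    return sorted(hits)


# Constructed sample ACIs for the example; names are illustrative only.
ACIS = [
    AccessControlItem("helpdesk-edit", frozenset({"helpdesk"}),
                      operations={"modify": Selection.GRANT},
                      attributes={("mobile", "read"): Selection.GRANT,
                                  ("mobile", "write"): Selection.GRANT,
                                  ("salary", "read"): Selection.GRANT}),
    AccessControlItem("contractor-limits", frozenset({"contractors"}),
                      operations={"modify": Selection.DENY},
                      attributes={("salary", "read"): Selection.DENY}),
    AccessControlItem("everyone-view", frozenset({"everyone"}),
                      attributes={("mobile", "read"): Selection.NONE}),
    AccessControlItem("payroll-write", frozenset({"payroll"}),
                      attributes={("salary", "read"): Selection.DENY,
                                  ("salary", "write"): Selection.GRANT}),
]

if __name__ == "__main__":
    for groups in (frozenset({"helpdesk", "everyone"}),      # grant beats implied None
                   frozenset({"helpdesk", "contractors"}),   # explicit Deny beats Grant
                   frozenset({"payroll"})):                  # granted write makes salary visible
        print(sorted(groups), "modify:", can_perform(ACIS, groups, "modify"),
              "salary:", attribute_access(ACIS, groups, "salary"),
              "deny overrides:", deny_overrides(ACIS, groups))
```

The helpdesk user who also belongs to contractors loses both the modify operation and salary read, even though helpdesk-edit grants them, because contractor-limits carries an explicit Deny; deny_overrides reports both collisions. The payroll user can see salary despite the read Deny, because the granted write takes precedence. If the restriction on contractors used the None selection instead of Deny, the helpdesk grants would win for that user.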