Scenarios: Using access control settings

The following case scenarios provide examples of how the system may respond with various settings.

Scenario 1: Using explicit settings

If a user or group is assigned multiple roles and the explicit ACL settings within these roles conflict, the most restrictive explicit setting will be used.

For example, we create a Test Performer and a Test Reviewer role for the Test object type. Each role has the Write ACL permission explicitly set to the following:

  • Test Performer has Write = Granted
  • Test Reviewer has Write = Denied

If we assign both roles (Test Performer and Test Reviewer) to a user called Tester1, Tester1 will not be able to create new Test objects even though the Test Performer role has Write = Granted. This is because the Write = Denied permission of the Test Reviewer role is more restrictive than the Write = Granted permission, and the most restrictive setting is automatically applied.

Scenario 2: Using explicit and unspecified settings

If a user or group is assigned multiple roles and one role has an explicit ACL setting but the other role has Unspecified for the same permission, the explicit setting will be used.

For example, we create an Initial Test and a Final Test role for the Test object type. The roles have the Write ACL permission set to the following:

  • Initial Test has Write = Granted
  • Final Test has Write = Unspecified

If we assign both roles (Initial Test and Final Test) to a user called Tester1, Tester1 will be able to create new Test objects even though the Final Test role has Write = Unspecified. This is because the Write = Granted permission is explicit and the explicit setting is automatically applied.

Scenario 3: Using unspecified settings

If a user or group is assigned a single role and the ACL settings within this role:

  • Use the default value Unspecified, and
  • No other access control has been explicitly set for the user or group

then access is DENIED.

For example, we create an Initial Test role for the Test object type. The role has the Write ACL permission set to the following:

  • Initial Test has Write = Unspecified

If we assign the role (Initial Test) to a user called Tester1 and Tester1 has not been granted access through any group inheritance, Tester1 will not be able to create new Test objects.
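The three scenarios above describe one resolution rule: among all roles a principal holds (directly or through group membership), an explicit Denied beats an explicit Granted, an explicit setting beats Unspecified, and a permission that is Unspecified everywhere is treated as denied. The following is an added example that models that rule in Python; it is not code from the product described on this page. The Role, Principal, resolve and is_allowed names, and the Test Performer / Test Reviewer / Initial Test / Final Test role data, are constructed here for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Set


class Setting(Enum):
    GRANTED = "Granted"
    DENIED = "Denied"
    UNSPECIFIED = "Unspecified"  # default when nothing has been set explicitly


@dataclass
class Role:
    name: str
    # permission name (e.g. "Write") -> explicit setting; a missing key is Unspecified
    acl: Dict[str, Setting] = field(default_factory=dict)

    def setting(self, permission: str) -> Setting:
        return self.acl.get(permission, Setting.UNSPECIFIED)


@dataclass
class Principal:
    """A user or group; groups may themselves be members of other groups."""
    name: str
    roles: List[Role] = field(default_factory=list)
    groups: List["Principal"] = field(default_factory=list)

    def effective_roles(self) -> List[Role]:
        """Roles assigned directly plus those inherited through group membership."""
        seen: Set[str] = set()
        found: List[Role] = []
        stack: List[Principal] = [self]
        while stack:
            p = stack.pop()
            if p.name in seen:          # guard against cyclic group membership
                continue
            seen.add(p.name)
            found.extend(p.roles)
            stack.extend(p.groups)
        return found


def resolve(roles: Iterable[Role], permission: str) -> Setting:
    """Effective setting for one permission across every role a principal holds."""
    settings = {role.setting(permission) for role in roles}
    if Setting.DENIED in settings:
        return Setting.DENIED        # scenario 1: most restrictive explicit setting wins
    if Setting.GRANTED in settings:
        return Setting.GRANTED       # scenario 2: explicit setting beats Unspecified
    return Setting.UNSPECIFIED       # scenario 3: nothing explicit anywhere


def is_allowed(principal: Principal, permission: str) -> bool:
    """Only an explicit, un-overridden Granted allows access; Unspecified is denied."""
    return resolve(principal.effective_roles(), permission) is Setting.GRANTED


# Constructed roles matching the three scenarios in the text.
test_performer = Role("Test Performer", {"Write": Setting.GRANTED})
test_reviewer = Role("Test Reviewer", {"Write": Setting.DENIED})
initial_test = Role("Initial Test", {"Write": Setting.UNSPECIFIED})
final_test = Role("Final Test", {"Write": Setting.UNSPECIFIED})


def scenario_1() -> bool:
    # Granted + Denied on the same user: Denied is more restrictive and wins.
    return is_allowed(Principal("Tester1", [test_performer, test_reviewer]), "Write")


def scenario_2() -> bool:
    # Granted + Unspecified: the explicit Granted applies.
    return is_allowed(Principal("Tester1", [test_performer, final_test]), "Write")


def scenario_3() -> bool:
    # Single role with the default Unspecified and no group inheritance: denied.
    return is_allowed(Principal("Tester1", [initial_test]), "Write")


def scenario_3_with_group_inheritance() -> bool:
    # Same user, but now a member of a group whose role grants Write explicitly.
    testers = Principal("Testers", [test_performer])
    return is_allowed(Principal("Tester1", [initial_test], groups=[testers]), "Write")


if __name__ == "__main__":
    for fn in (scenario_1, scenario_2, scenario_3, scenario_3_with_group_inheritance):
        print(f"{fn.__name__}: Write allowed = {fn()}")
```

The resolver deliberately distinguishes Unspecified from Denied in its return value even though both result in no access: an audit view that shows "denied because nothing was ever granted" versus "denied because a role explicitly denies it" points an administrator at the right role to change.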