Effective access rights define what operations are allowed on an entry.
Calculating a User's Effective Entry Access Rights
A user's effective entry access rights for a document or folder are calculated from the entry access rights that were assigned to that user, assigned to a group to which that user belongs, and/or inherited from a parent folder of the desired document or folder. The inheritance of entry access rights depends on two factors: if inheritance is allowed and scope. Any document or folder can be configured to either allow or block entry access rights inheritance. If a particular document or folder blocks inheritance, a user's effective entry access rights will never be affected by the entry access rights assigned to the folder it resides in or any other ancestor folder. If inheritance is allowed, scope determines if the entry access rights assigned to a particular user or group on a folder will be applied to the document or folder for which a user's effective entry access rights are being calculated.
In the course of calculating a user's effective entry access rights, there may be conflicting rights assignments. Conflicts are handled in two ways.
- Rights assigned to an entry directly will always take precedence over rights inherited from a parent folder.
- If a user has been both allowed and denied access to an entry, the denied status takes precedence. For instance, if a user has been allowed access to an entry by inheritance from one group and denied access to that same entry by inheritance from another group, the user will not have access to that entry. If the user has been denied access, whether directly or through inheritance, they will not be able to perform the action on the document.
The process of calculating a user's effective entry access rights starts with a document or folder. The entry access rights assigned to that user for that document or folder are combined with the entry access rights assigned to all groups to which the user belongs. When combining these entry access rights, denied rights take precedence over rights that have been allowed. This combination of the entry access rights specifically assigned to a document or folder forms a base set of effective rights for that user.
The Effective Rights tab displays the effective entry access rights for the selected entry. However, in addition to entry access rights, security tags and privileges can impact a user's access to an entry. To view the effective security for the currently connected user, taking into account entry access, tags, records management operations, and privileges, the user should open the entry's Properties dialog and select the Rights tab.
Viewing Effective Rights
The Effective Rights tab of the Entry Access dialog box displays the rights a user or group has for a document or folder. When calculating the effective rights for a user or group, inheritance from folders higher in the folder tree is taken into account, as is group membership.
You can also view detailed inheritance information for a specific right. This will display the settings that contributed to determining whether a particular right is granted or denied. For example, if the Read right is allowed for a user because it was explicitly set on the entry, the inheritance information dialog box will indicate that; if it was inherited from higher in the folder tree, the folder on which it was set will be indicated. If a right is denied, the inheritance information will indicate whether it was explicitly denied or inherited a deny (and on what folder the deny was set), or whether the right was simply never granted in the first place. If the user is a member of multiple groups, information for all groups from which they inherit the right will be displayed. In addition, if a right is granted or denied due to multiple settings (for instance, if the Read right was granted both on the entry itself and on its parent folder), all settings will be displayed.
To view the effective rights for a specific trustee
- Select the entry you want to view rights on, and either right-click or open the Tools menu, and then select Access Rights.
- Open the Effective Rights tab, and click Choose.
Tip: If you want to view the rights for the trustee you are currently logged in as, they will already be displayed by default and you can skip to step 4.
- From the Choose Trustee dialog box, select either Repository trustee or Domain account depending on the type of user you want to view effective rights for. For domain accounts, click Browse
to open the Select User or Group dialog box. - Review the rights granted to the specified user.
- To view more information about inheritance for a specific right, select View detailed inheritance information at the bottom of the dialog box and then select a right. Information as to why a particular right was granted or denied (including folder tree inheritance and group inheritance) will be displayed at the bottom of the dialog box.
To view the effective rights for a specific trustee
- Log in to the web client as a user with the Manage Entry Access privilege.
- Select the entry you want to view rights on.
- Select More Options, and then Advanced. Under Advanced, select Show Security.
- Select the Effective Rights tab.
- By default, you will see effective rights for the currently-connected user. To view effective rights for another user, remove Current Connection and add another trustee in the Add trustee option.
- Review the rights granted to the specified user.
- To view more information about inheritance for a specific right, select View detailed inheritance information at the bottom of the dialog box and then select a right. Information as to why a particular right was granted or denied (including folder tree inheritance and group inheritance) will be displayed at the bottom of the dialog box.