Scope and Inheritance

Scope and inheritance determine what part of the folder tree is affected by a specific entry access right. On the folder on which the right was directly configured, the right is considered an explicit right. Any documents or folders that fall within the scope configured when setting that explicit right have inherited the right.

Entry Access Rights Settings

Entry access rights have three possible settings:

  • Deny: The right is denied for the user.

  • Allow: The right has been allowed for the user.

  • Blank: This right does not imply any access. If a user has inherited an allow from somewhere else, and has no relevant deny settings for the right, they will be allowed to perform the action; if they have only blanks, they will be implicitly denied.

Rights Calculations

In the Folder Structure

In the folder structure, any right that has been explicitly set takes precedence over rights that have been inherited. This is true regardless of whether the right is an allow or a deny. If a deny has been inherited from a folder higher in the folder tree, but an allow is set on a folder or document lower in the folder tree, the explicit allow will take precedence over the inherited deny. The user may not be able to browse to the document in question as they were denied access higher in the tree, but they can still locate it via searches, shortcuts, or links.

In Users and Groups

In users and groups, there is no concept of an explicit or inherited right. All users and groups are considered to be on the same level, without the hierarchy implicit in the folder tree. Therefore, when it comes to configuring security for users and groups, a deny will always take precedence over an allow, and an allow will always take precedence over a blank.

List of Scopes

In addition to assigning entry access rights directly on a document or folder, you can also allow documents and folders to inherit the entry access rights assigned to a folder. To create a cohesive and consistent security policy, we recommend using inheritance wherever possible, rather than configuring security independently on individual documents.

Scope allows you to determine how far down the folder tree a particular right will be inherited. Scopes range from the very broad (This entry, subfolders, and documents) to the very narrow (This entry only), with many options in between.

Note that scopes can be combined on the same entry. If you want a user to be able to open but not modify folders, but to be able to modify the documents within the folder, you could configure the folder with the Browse and Read rights set with a scope of This folder and subfolders, and then also configure the Browse, Read and Modify Contents rights with a scope of Documents only on the same folder. This allows you to affect all subfolders and documents with just two configurations.

The following table lists the nine possible scopes and shows if the assigned entry access control rights will be applied to a particular entry when that scope is used.

Scopes for Entry Access Rights
| Scope | Applies rights to selected entry | Applies rights to subfolders in selected folder | Applies rights to documents in selected folder | Applies rights to all subsequent subfolders | Applies rights to documents in all subsequent subfolders |
| --- | --- | --- | --- | --- | --- |
| This folder, subfolders, and documents | x | x | x | x | x |
| This folder and subfolders | x | x |  | x |  |
| This folder and its immediate children | x | x | x |  |  |
| Subfolders and documents only |  | x | x | x | x |
| Subfolders only |  | x |  | x |  |
| Documents only |  |  | x |  | x |
| Immediate children only |  | x | x |  |  |
| Documents that are immediate children only |  |  | x |  |  |
| This entry only | x |  |  |  |  |
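
The following added example (not product code) models the scope table and the two precedence rules from Rights Calculations to compute one user's effective right on an entry. The data model and every name in it are assumptions. It also assumes the folder rule is applied first (explicit over inherited, with all inherited settings pooled) and the deny-over-allow rule is then applied among the user and their groups.

```python
# Added illustration; the data model and names are assumptions, not a product API.
# Scope -> (selected entry, child folders, child documents,
#           deeper subfolders, documents in deeper subfolders), per the table.
SCOPES = {
    "This folder, subfolders, and documents":     (1, 1, 1, 1, 1),
    "This folder and subfolders":                 (1, 1, 0, 1, 0),
    "This folder and its immediate children":     (1, 1, 1, 0, 0),
    "Subfolders and documents only":              (0, 1, 1, 1, 1),
    "Subfolders only":                            (0, 1, 0, 1, 0),
    "Documents only":                             (0, 0, 1, 0, 1),
    "Immediate children only":                    (0, 1, 1, 0, 0),
    "Documents that are immediate children only": (0, 0, 1, 0, 0),
    "This entry only":                            (1, 0, 0, 0, 0),
}

def scope_covers(scope, depth, is_document):
    """depth = number of levels between the configured entry and the target."""
    col = 0 if depth == 0 else (1 if depth == 1 else 3) + int(is_document)
    return bool(SCOPES[scope][col])

def effective(path, is_document, trustees, right, acl):
    """path: names from root to target; trustees: the user and their groups.
    acl: {entry path tuple: [(trustee, right, setting, scope), ...]}."""
    explicit, inherited = set(), set()
    for i in range(1, len(path) + 1):
        depth = len(path) - i
        for trustee, r, setting, scope in acl.get(tuple(path[:i]), []):
            if trustee in trustees and r == right and scope_covers(scope, depth, is_document):
                (explicit if depth == 0 else inherited).add(setting)
    # Folder structure: a setting made on the entry itself beats inherited ones.
    # Users and groups: within one tier, deny beats allow, allow beats blank.
    for tier in (explicit, inherited):
        if tier:
            return "deny" if "deny" in tier else "allow"
    return "implicit deny"  # nothing but blanks applies

# Constructed sample policy (hypothetical folders, users and groups).
ACL = {
    ("HR",): [
        ("Everyone", "Read", "deny", "This folder, subfolders, and documents"),
        ("Staff", "Read", "allow", "This folder and subfolders")],
    ("HR", "Payroll", "w2.pdf"): [("alice", "Read", "allow", "This entry only")],
}

if __name__ == "__main__":
    print(effective(["HR", "Payroll", "w2.pdf"], True, {"alice", "Everyone"}, "Read", ACL))
```

The first case is the one to audit for: alice's explicit allow on w2.pdf overrides the deny inherited from HR, so the document stays reachable through searches, shortcuts, or links even though she cannot browse to it.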