security merge

[iceacman]

For example
there are two user groups: A and B
in framework manager, we have a object X ,which A has access and B has NO access
now we have a user who is member of both groups: A and B
logically, he has no access to object X

Due to user's demands and some constraints, there is unfortunately one user like this who need to access X and there is no possibility to create another group just for him.
So, is there a way satisfay this need?

Thx

[MFGF]

Hi,

When you say group B has no access to object X, do you mean group B doesn't have "Allow" checked or do you mean group B has "Deny" checked?

If it's the former, simply add the user into the access list and check the "Allow" option for the user.

If the latter, you will need to change your strategy to use the former approach. Uncheck the "Deny" option for Group B and add the user to the list and check "Allow". Then make sure thsat Group B has no inherited access defined at higher levels within the structure.

Cheers!

MF.

[iceacman]

Thanks MF
group B is denied to object X
and we cannot uncheck the deny for group B since there are other normal users who are under group B and who shouldn't have access to object X.

obviously there is a problem of designing the serucity group in the beginning, and as now it's already in production, i'm wondering maybe there is a workground other than creating a new group, which is doable but will cost pretty much dimes.
something like when user have two groups, 'allow' will take the place of 'deny' wherever there is a  contradiction.

Hi,

When you say group B has no access to object X, do you mean group B doesn't have "Allow" checked or do you mean group B has "Deny" checked?

If it's the former, simply add the user into the access list and check the "Allow" option for the user.

If the latter, you will need to change your strategy to use the former approach. Uncheck the "Deny" option for Group B and add the user to the list and check "Allow". Then make sure thsat Group B has no inherited access defined at higher levels within the structure.

Cheers!

MF.

[MFGF]

Thanks MF
group B is denied to object X
and we cannot uncheck the deny for group B since there are other normal users who are under group B and who shouldn't have access to object X.

obviously there is a problem of designing the serucity group in the beginning, and as now it's already in production, i'm wondering maybe there is a workground other than creating a new group, which is doable but will cost pretty much dimes.
something like when user have two groups, 'allow' will take the place of 'deny' wherever there is a  contradiction.

Hi,

It's not the way it works, sorry. If you omit access by not checking the "Allow" checkbox, then it's a simple job to allow access from a different user/group etc. However, checking "Deny" is specifying an explicit deny, and it overrides "Allow" checked elsewhere.

MF.

[iceacman]

so just one question, if i uncheck 'deny' and 'allow' at the same time? will this group be granted the right to access or not?

Hi,

It's not the way it works, sorry. If you omit access by not checking the "Allow" checkbox, then it's a simple job to allow access from a different user/group etc. However, checking "Deny" is specifying an explicit deny, and it overrides "Allow" checked elsewhere.

MF.

[MFGF]

so just one question, if i uncheck 'deny' and 'allow' at the same time? will this group be granted the right to access or not?

No - not unless they are granted access elsewhere. That's my point. If you restrict access by not having "allow" checked, then you can easily allow it for another group or user - that's what I was suggesting in my first reply. If you have "deny" checked, it overrides any other "allow" options for the group or user.

Cheers!

MF.

[iceacman]

ok thanks again, looks like we have no other choice but a group^.^

No - not unless they are granted access elsewhere. That's my point. If you restrict access by not having "allow" checked, then you can easily allow it for another group or user - that's what I was suggesting in my first reply. If you have "deny" checked, it overrides any other "allow" options for the group or user.

Cheers!

MF.