Rights are set on an object for a principal to control access to the object. It's difficult for you to set the explicit value of every possible right for every principal on every object. If you have 100 rights, 1000 users, and 10,000 objects, you'll need to store billions of rights in memory and maintain each one.
Inheritance resolves this problem. With inheritance, the rights that principals have to objects in the system come from a combination of their memberships in different groups and subgroups and the rights that objects inherit from parent folders and subfolders.
The BI platform recognizes two types of inheritance: inheritance through group membership and inheritance through folders. Principals can inherit rights as the result of group membership, and subgroups can inherit rights from parent groups. Principals can also inherit rights from parent folders.
By default, principals who have rights to a folder inherit the same rights for any objects that are then published to that folder. The strategy is to set the appropriate rights for principals at the folder level first, then publish objects to that folder.
Determining Effective Rights
If a user belongs to more than one group, and a conflict exists in the rights assignments between the groups to which the user belongs, a Denied (D) right overrules a Granted (G) right, and a Granted (G) right overrules a Not Specified (NS) right.
- NS = D
- NS + G = G
- NS + D = D
- G + D = D
- NS + G + D = D
See the following video to determine effective rights scenarios involving users, groups and folders.
The following scenarios are covered in the video:
- A user is a member of a group. The user and group have different rights to the same folder.
- A user is a member of two different groups, and each group has been assigned different rights to the same folder.
- A user is a member of two different groups, and each group has rights to folders at different levels.
- A user is a member of a subgroup that is a member of a group. The parent group is Granted and the subgroup is Denied to the same folder.
- A user is a member of a subgroup that is a member of a group. The parent group is Denied while the subgroup is Granted access to the same folder.
- A user is a member of a subgroup that is a member of a group. The group and subgroup have different assigned rights to a folder and subfolder.
- A subgroup is a member of a group and the user is a member of both the group and subgroup. The group and subgroup have different rights to the same folder.
Keep these considerations in mind when you set rights on an object:
- Each access level grants some rights, denies some rights, and leaves the other rights unspecified. When a user is granted several access levels, the system aggregates the effective rights and denies any unspecified rights by default.
- When you assign several access levels to a principal on an object, the principal has the combination of each access level's rights.
- Advanced rights can be combined with access levels to customize the rights settings for a principal on an object. However, if the advanced right contradicts a right in the access level, the advanced right overrides the right in the access level.
- Rights override makes it possible for rights set on a child object to override rights that are inherited from the parent object.
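The following Python sketch is an added example, not BI platform code. It applies the precedence rules above (D overrules G, G overrules NS, NS alone is denied) and the advanced-right override to a user with two group memberships on a single folder. The right names, access-level names and group names are hypothetical, combining several access levels with the same precedence is an assumption, and subgroup and folder inheritance are not modelled.

```python
from enum import IntEnum

class State(IntEnum):
    NS = 0  # Not Specified
    G = 1   # Granted
    D = 2   # Denied

def combine(states):
    """D overrules G, and G overrules NS (the precedence rules listed above)."""
    return max(states, default=State.NS)

def principal_rights(access_levels, advanced=None):
    """Rights one principal holds on one object."""
    rights = {}
    for level in access_levels:  # several access levels are combined (assumed D > G > NS)
        for right, state in level.items():
            rights[right] = combine([rights.get(right, State.NS), state])
    # An explicitly set advanced right overrides the access-level value.
    for right, state in (advanced or {}).items():
        if state is not State.NS:
            rights[right] = state
    return rights

def effective_rights(per_principal, all_rights):
    """Combine the user's own rights with each group's; NS ends up denied."""
    return {
        right: combine(p.get(right, State.NS) for p in per_principal) is State.G
        for right in all_rights
    }

# Constructed sample data; all names are hypothetical.
RIGHTS = ("view", "edit", "delete")
VIEW_ONLY = {"view": State.G}
EDITOR = {"view": State.G, "edit": State.G}

def demo():
    user = principal_rights([VIEW_ONLY])
    sales = principal_rights([EDITOR])  # group granting edit
    contractors = principal_rights([VIEW_ONLY], advanced={"edit": State.D})
    # edit: NS + G + D = D; delete: NS everywhere, so denied
    return effective_rights([user, sales, contractors], RIGHTS)

if __name__ == "__main__":
    print(demo())
```

Running the same assignments without the `contractors` group shows how a single Denied membership removes a right that another group grants.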