2-10 CHAPTER 2: WORKING WITH SECURITY
Dominant Permission
When a user belongs to more than one group with different permissions, or is
individually defined for specific objects, which permission is used?
Rule 1. Individual permissions overrule the permissions for a group. An
individual permission overrides a group permission, even if the group permission
changes after the individual member was modified.
Rule 2. Explicit permission overrules inherited permission.
So, what happens when a user belongs to more than one group, and the
permissions of one group grant something while the other denies it?
Here is a fictitious example: Bill Gallagan belongs to the JrSales group and the
Developers group. Here are the inherited permissions for All Attachments for both
groups:
Figure 2-12 All Attachments Permissions by User Group
Delete Attachments is permitted in the Developers group and not permitted in
the JrSales group.
Here is what the permissions look like for Mr. Gallagan:
Figure 2-13 All Attachments Permissions by User
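The two rules and the Gallagan case can be modelled as a small resolver. This is an added example, not the product's own code: the `Entry` type, the `effective` function and the order in which the rules are applied (Rule 1, then Rule 2, then a denial winning any remaining conflict between groups) are assumptions made for illustration, and the data is constructed from the example in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    principal: str   # user or group name
    is_group: bool
    explicit: bool   # False means the permission is inherited
    allow: bool      # False is a negative (deny) permission

def effective(user, groups, entries):
    """Return (allowed, deciding_rule) for one permission on one object."""
    own = [e for e in entries if not e.is_group and e.principal == user]
    via_group = [e for e in entries if e.is_group and e.principal in groups]
    # Rule 1: individual permissions overrule group permissions.
    pool, rule = (own, "individual") if own else (via_group, "group")
    if not pool:
        return None, "no entry"
    # Rule 2: explicit permissions overrule inherited ones.
    explicit = [e for e in pool if e.explicit]
    if explicit:
        pool, rule = explicit, rule + "/explicit"
    else:
        rule += "/inherited"
    # Remaining conflict (two groups disagree): the negative permission wins.
    if not all(e.allow for e in pool):
        return False, rule + ": deny overrides"
    return True, rule

# Constructed data: "Delete Attachments" on All Attachments, as in the text.
GROUPS = {"JrSales", "Developers"}
INHERITED = [
    Entry("Developers", True, False, True),   # permitted
    Entry("JrSales", True, False, False),     # not permitted
]

def demo():
    base = effective("Bill Gallagan", GROUPS, INHERITED)
    explicit_group = effective("Bill Gallagan", GROUPS,
        INHERITED + [Entry("Developers", True, True, True)])
    individual = effective("Bill Gallagan", GROUPS,
        INHERITED + [Entry("Bill Gallagan", False, True, True)])
    return base, explicit_group, individual

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Returning the deciding rule alongside the result makes it easier to audit why a user ended up with or without a permission when several group memberships overlap.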
The negative permission is an overriding factor in this case. There are two ways to
adjust this: