Rules of calculating user permissions
In this section we'll review how to calculate value (inherited, allow, deny) of a certain permission for a certain user.
User can be bound to Role directly or via a group of users. Role is connected with permissions including one of the three available types of access:
- Inherited - the same as not defined. Does not influence whether an operation is permitted or forbidden.
- Allow - operation is permitted.
- Deny - operations is denied.
User can be bound to several roles, and there can be different types of access specified for the same permission in each role, i.e. the following rules should be applied when defining final type of access:
- In case there is at least one Allow type and no Deny type in the types of access, final type of Permission is Allow. In other words, this operation will be permitted.
- On all other cases final type of Permission is Deny. It means that operation will be denied.