When you select a target in the Extended Access at: target dialog box, by default the dialog box shows all the subjects in the extended ACL with access settings to the target. Included are subjects whose access is set at and inherited from a higher target through the scope This container and all descendants. (You can select Show Modified to see only the subjects with access set directly at the target.)
About this task
More than one subject that is shown at a selected target can apply to a particular user. For example, a user might be a member of two groups, both of which have access set to the target O=Renovations. The following precedence rules are applied to determine the access a user has to a target when there are multiple subjects that apply to the user at the target.
1. Access set for a subject with the scope This container only takes precedence over access set for a subject with the scope This container and all descendants, regardless of subject type. For example, the access set for the subject */Renovations and the scope This container only takes precedence over the access set for the subject Kathy Brown/Renovations and the scope This container and all descendants.
2. Among subjects with the same scope, access for a more-specific type of subject takes precedence over access for a less-specific type of subject. The order of subject specificity, from most specific to least specific, is:
b. Self
c. Group
d. A wildcard, for example */Renovations
e. -Default-
For example, the access set for Kathy Brown/Renovations with the scope This container and all descendants takes precedence over the access set for the group Admins/Renovations with the scope This container and all descendants.
Note: Even after precedence rules are applied, a user's access can never exceed the access the database ACL allows the user.
Tip: To determine a user's effective access to an extended ACL target after extended access settings and database access are evaluated, select the target in the Extended Access at: target dialog box, then click Effective Access.
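The two precedence rules above can be modeled as a small resolver, which is useful when reviewing an extended ACL on paper before checking Effective Access. This is an added example, not product code. Assumptions: precedence is resolved separately for each access setting, a named individual is ranked as the most specific subject type (taken from the Kathy Brown example), equal-rank entries that disagree are reported as a conflict because the page gives no tie-break, and the database ACL ceiling from the Note is not modeled.

```python
from dataclasses import dataclass, field

ALL = "This container and all descendants"
ONLY = "This container only"
# Rule 1: lower rank wins; "This container only" beats inherited scope.
SCOPE_RANK = {ONLY: 0, ALL: 1}
# Rule 2: lower rank wins. Ranking "name" first is an assumption based on
# the page's Kathy Brown example; the other four follow the page's list.
TYPE_RANK = {"name": 0, "self": 1, "group": 2, "wildcard": 3, "default": 4}

@dataclass
class Entry:
    subject: str
    kind: str                      # key of TYPE_RANK
    scope: str                     # key of SCOPE_RANK
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def rank(self):
        # Scope is compared first, subject specificity second.
        return (SCOPE_RANK[self.scope], TYPE_RANK[self.kind])

def resolve(entries, privilege):
    """Return (decision, winning_subject) for one access setting.

    entries must already be filtered to the subjects that apply to the user
    at the target. decision is "allow", "deny", "conflict" (equal-rank
    entries disagree), or None when no entry sets the privilege.
    """
    setting = [e for e in entries if privilege in e.allow | e.deny]
    if not setting:
        return None, None
    best = min(e.rank() for e in setting)
    winners = [e for e in setting if e.rank() == best]
    decisions = {"allow" if privilege in e.allow else "deny" for e in winners}
    if len(decisions) > 1:
        return "conflict", None
    return decisions.pop(), winners[0].subject

# Constructed sample: subjects that apply to Kathy Brown at O=Renovations.
SAMPLE = [
    Entry("Kathy Brown/Renovations", "name", ALL, {"Read", "Browse"}, {"Write"}),
    Entry("*/Renovations", "wildcard", ONLY, {"Write"}, {"Read"}),
    Entry("Admins/Renovations", "group", ALL, set(), {"Browse", "Delete"}),
]

def effective(entries, privileges=("Browse", "Create", "Delete", "Read", "Write")):
    """Map each access setting to its (decision, winning_subject) pair."""
    return {p: resolve(entries, p) for p in privileges}
```

With the sample entries, the wildcard's This container only setting decides Read and Write even though a named user entry exists, which is the case most often misread during an access review.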
Table 1. Examples of precedence rules
Scope: This container and all descendants
Allow: Read, Browse
Deny: Create, Delete, Write
Scope: This container only
Allow: Create, Delete, Write
Deny: Read, Browse
Scope: This container and all descendants.
Allow: All
Deny: All