Access privileges are integral to presenting users with their views of data. Users can view only those elements and menu options for which they have a View permission.
In general, it is efficient to define access privileges for groups, then assign users to the groups, and finally customize the access privileges for individual users, if necessary.
When determining access permissions, the server first checks to see if the element has permissions set for a user or group. Three types of permission are possible:
Positive: Grants the user permissions for an object
Null: Permissions have no effect on user access for an object
Deny: Permissions override the inheritance of a granted permission
Individual user permissions always override the privileges of the groups to which the user belongs. If a group is denied access to an object, but a user who is a group member is granted access, that user can access the object. Conversely, if the group can access an object, but a group member is denied access, that user cannot access the object. If a user holds a null permission and is a member of two or more groups with conflicting permissions, deny permissions take precedence.
Access privileges can be granted for specific elements at any level of the element hierarchy. For example, a user can have access to view a server that is connected to the network, but can be denied access to any other network components. Access control can be assigned to the, , , , , and hierarchies.
Perform the following steps to assign access privileges:
Create groups, but do not assign users to them yet.
Go through the element hierarchy and assign access privileges to different groups.
Assign users to groups.
Assign different access privileges for specific elements to individual users in groups.
By default, the privileges assigned to higher levels of a hierarchy are automatically inherited by the lower levels of the hierarchy. However, it is possible to set different permissions on a lower-level element and have those permissions flow down the hierarchy.
If there is no defined permission for a requested element, then security processing moves up the hierarchy until it locates a defined permission. In ascending the hierarchy, the first permission granting or denying permission takes precedence. However if a user is a member of two or more groups with conflicting permissions at the same level in the element hierarchy, the Deny permissions take precedence.