How permissions are derived
When a request for a remote control session is initiated, all of the groups to which the user and target belong to are determined. The following statements can be true for the groups.
- No grandparent group present: Any parent groups that are found for the user and target have user or target members only.
- Grandparent group present: Due to the group hierarchy that is created through manage group membership, any parent groups that are found also have user group, and target group members.
The next thing that is determined is, which permissions links are created between any of these groups. The permissions for the session are derived from using the following set of rules.
Rule 1: No grandparent group. There can be 2 scenarios.
- The user and target are members of a single user group and target group only.
- The policies for the session are set from the one permissions link that is defined for their parent user group and target group combination.
- User and target are also members of other user and target groups.
- The policies for the session are derived from comparing the multiple permissions links that are defined for any parent user group and target group combinations.
Rule 2: Grandparent group.
The policies for the session are derived from comparing multiple permissions links. The links that are defined for any parent user group and target group combinations, and any permissions links that are defined for any grandparent groups are all considered.
Where multiple permissions links are present within the group hierarchy, the value and priority
that is set for each enabled policy, within each link, is checked. The following rules for the
priority values, determine what is applied to the session policy.
- Priority 5 No
- If a policy in any of the relevant permissions links has this value set, the session policy is set to priority 5 No. This value overrides all other values.
- Priority 1 No
- This value is set for the session policy if there are no priority 5 values set in any existing permissions links.
- Priority 0 No
- This value is set for the session policy if there are no priority 1 or 5 values set for any of the existing permissions links.
- Priority 5 Yes
- This value is set for the session policy if there are no priority 5 No values set for any of the existing permissions links. Priority 5 Yes overrides any lower priority No.
- Priority 1 Yes
- This value is set for the session policy if there are no priority 5 values, or priority 1 No values set for any of the existing permissions links.
- Priority 0 Yes
- This value is set for the session policy if there are no higher priority values set or a priority 0 No set for any of the existing permissions links.