Adding a subject twice to a target category with different target scopes
Although not typically done, you can add one subject two times to one target category with different access settings. Add the subject to the target category and specify access for the scope This container only. Add the subject again to the same target category and specify access for the scope This container and all descendants. Using this approach, you can use one subject entry to set a subject's access to multiple target subcategories, rather than setting the subject's access separately at each subcategory.
About this task
For example, suppose you want to allow members of the group Admins/Renovations full access to documents categorized directly under O=Renovations. You also want to allow members of the group to browse and read documents categorized under OU=East and OU=West, but want to prevent them from creating, deleting, writing, and setting extended access settings for these documents. You want to deny the group access to all other documents. To accomplish this you could do the following:
- Add Admins/Renovations to the database ACL with Editor access and all privileges and administration roles.
- Add Admins/Renovations as a subject at / (root), deny all access and select the scope This container and all descendants.
- Add Admins/Renovations to O=Renovations, allow all access and select the scope This container only.
- Add Admins/Renovations to O=Renovations again, allow only Browse and Read access and deny all other access and select the scope This container and all descendants.
When you create a subject entry for the Admins/Renovations group at the organization level (O=Renovations) and specify the scope This container only, you determine the level of access the Admins group has to documents contained directly within the Renovations organization only; your action does not define access to documents in subordinate organizational containers. On the other hand, a secondary subject for the same Admins/Renovations group at the same O=Renovations organization level but with the scope This container and all descendants, determines the level of access the Admins group has to documents not only in the Renovations organization, but in the subordinate East and West organizational units (OU=East or OU=West) as well.