Precedence rules used to resolve access conflicts at a target

When you select a target in the Extended Access at: target dialog box, by default the dialog box shows all the subjects in the extended ACL with access settings to the target. Included are subjects whose access is set at and inherited from a higher target through the scope This container and all descendants. (You can select Show Modified to see only the subjects with access set directly at the target.)

About this task

More than one subject that is shown at a selected target can apply to a particular user. For example, a user might be a member of two groups, both of which have access set to the target O=Renovations. The following precedence rules are applied to determine the access a user has to a target when there are multiple subjects that apply to the user at the target.

  1. Access set for a subject with the scope This container only take precedence over access set for a subject with the scope This container and all descendants regardless of subject type. For example, the access set for the subject */Renovations and the scope This container only takes precedence over the access set for the subject Kathy Brown/Renovations and the scope This container and all descendants.
  2. Among subjects with the same scope, access for a more-specific type of subject take precedence over access for a less-specific type of subject. The order of subject specificity, from most specific to least specific, is:
    1. Individual user or server
    2. Self
    3. Group
    4. A wildcard, -- for example */Renovations
    5. -Default-

    For example, the access set for Kathy Brown/Renovations with the scope This container and all descendants takes precedence over the access set for the group Admins/Renovations with the scope This container and all descendants.

  3. When evaluating more than one group subject or more than one wildcard subject, the access settings of the subjects are combined, with Deny access taking precedence over Allow access. For example, if the group Admins/Renovations denies Write access and allows all other access, and the group Managers/Renovations denies Create access and allows all other access, users that are members of both groups are denied Write and Create access and allowed all other access.
Note: Even after precedence rules are applied, a user's access can never exceed the access the database ACL allows the user.
Tip: To determine a user's effective access to an extended ACL target after extended access settings and database access are evaluated, select the target in the Extended Access at: target dialog box, then click Effective Access.
Table 1. Examples of precedence rules
Subject 1 Subject 2 Combined access (can never exceed the access granted in the database ACL) Rule applied

Subject: */Renovations

Scope: This container and all descendants

Allow: Read, Browse

Deny: Create, Delete, Write

Subject: */Renovations

Scope: This container only

Allow: Create, Delete, Write

Deny: Read, Browse

Allow: Create, Delete, Write

Deny: Read, Browse

 Rule 1

Subject: Admins/Renovations group

Scope: This container and all descendants.

Allow: All

Subject: */Renovations

Scope: This container and all descendants

Deny: All

 Allow: All Rule 2

Subject: Admins/Renovations group

Scope: This container and all descendants

Allow: Read, Browse

Deny: Create, Delete, Write

Subject: Managers/Renovations group

Scope: This container and all descendants

Allow: Create, Delete, Write

Deny: Read, Browse

 Deny: All Rule 3