Summary of rules for ACLs, roles, and users
These are the major rules that govern the construction of ACLs and the interactions among nodes, roles, and users:
- The ACL for a system node is automatically applied to any other nodes contained within that node. In effect, creating an ACL for a container node automatically creates default ACLs for all of its content nodes, their content nodes, and so on.
- Any ACL explicitly defined for a content node always takes precedence over the default ACL inherited from higher-level container nodes. For example, if the ACL for a parent node grants a permission to a user or role, but the ACL for a child node denies that permission, the permission is denied on the child node.
- Permissions that are not explicitly defined for a node are taken from the closest ancestor node that does define them. For example, if the ACL for a node neither grants nor denies a permission, the ACL for the parent node grants it, and the ACL for the grandparent node denies it, the permission is granted: the parent is the closer ancestor.
- Permission settings for a role are automatically applied to any roles and users that belong to that role. In effect, setting the permissions for a role creates a default template for all the members of that role. For example, if Role A belongs to Role B, by default Role A has the same permission settings as Role B.
- Permission settings for a member role take precedence over the permission settings of a role to which the member role belongs. In the example above, Role A is a member of Role B, so an explicit setting for Role A overrides the setting inherited from Role B. If there are multiple levels of role membership, the closest role in the membership hierarchy takes precedence. For example, Role A belongs to Role B, which in turn belongs to Role C. If a permission is not specified for Role A but is granted for Role B, that permission is granted to users who belong to Role A, even if it is explicitly denied for Role C. Conversely, a permission that is granted for Role C but denied for Role B is also denied for Role A.
- Users who belong to multiple roles are automatically granted any permission that is granted to any of those roles, even if one or more of the other roles deny that same permission. Because a single grant outweighs any number of denials, a denial set on one role cannot be relied on to restrict a user who also belongs to a more permissive role.
- Permission settings for a user always take precedence over the permission settings for the roles to which that user belongs.
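The rules above, worked through as an added example (this is illustration code, not code from the original documentation or from the product it describes). The node, role and user names and the ACL contents are constructed for the example and mirror the parent/child/grandparent and Role A/B/C cases in the text. Two points the page leaves open are handled as labelled assumptions: node inheritance is resolved per ACL entry first and the user/role precedence rules are applied to the resulting effective ACL, and a permission that nothing defines is refused. The role walk is breadth-first, so it also covers a role that belongs to several roles at once, a generalization of the single-chain example in the text.

```python
"""Resolution of ACL permissions across node containment, role membership
and multiple-role users, following the rules listed above.

Added example, not the product's own code.  All names and ACL contents are
constructed sample data.  Assumptions the page does not state: node
inheritance is applied per ACL entry before the user/role rules, and an
undefined permission is refused (fail closed).
"""

GRANT, DENY = "grant", "deny"

# Containment tree: node -> the node that contains it (None for the root).
# Constructed sample data modelled on the page's grandparent/parent/child case.
NODE_PARENT = {"grandparent": None, "parent": "grandparent", "child": "parent"}

# ACLs: node -> principal (user or role name) -> permission -> decision.
# Anything absent is "not explicitly defined" and falls back to the rules.
ACLS = {
    "grandparent": {"role_c": {"edit": DENY, "view": GRANT}},
    "parent": {
        "role_b": {"edit": GRANT, "view": DENY},
        "role_d": {"view": GRANT},
        "alice": {"delete": GRANT},
    },
    "child": {"alice": {"delete": DENY, "edit": DENY}},
}

# Role membership: role -> roles it belongs to (Role A in Role B in Role C).
ROLE_PARENTS = {"role_a": ["role_b"], "role_b": ["role_c"], "role_c": [], "role_d": []}

# Users and the roles they belong to directly.
USER_ROLES = {"alice": ["role_a"], "bob": ["role_a", "role_d"]}


def node_chain(node):
    """Yield node, its parent, grandparent, ... up to the root."""
    while node is not None:
        yield node
        node = NODE_PARENT[node]


def effective_acl(node):
    """Rules 1 to 3: overlay the ACLs from the root down to `node`.

    A descendant's explicit entry replaces the inherited one; anything a
    descendant leaves unset is kept from the closest ancestor that set it.
    """
    merged = {}
    for n in reversed(list(node_chain(node))):  # root first, node last
        for principal, perms in ACLS.get(n, {}).items():
            merged.setdefault(principal, {}).update(perms)
    return merged


def explicit_decision(node, principal, permission):
    """Decision the effective ACL of `node` holds for one principal, or None."""
    return effective_acl(node).get(principal, {}).get(permission)


def role_decision(node, role, permission):
    """Rules 4 and 5: walk the membership hierarchy breadth-first so that the
    closest role with an explicit setting decides.  If two roles at the same
    distance disagree, grant wins (assumption; the page does not cover that
    tie).  Returns GRANT, DENY or None when no role in the chain defines it."""
    level, seen = [role], {role}
    while level:
        found = [d for d in (explicit_decision(node, r, permission) for r in level) if d]
        if found:
            return GRANT if GRANT in found else DENY
        nxt = []
        for r in level:
            for parent in ROLE_PARENTS.get(r, []):
                if parent not in seen:
                    seen.add(parent)
                    nxt.append(parent)
        level = nxt
    return None


def is_permitted(user, node, permission):
    """Rule 7: an explicit setting for the user beats every role setting.
    Rule 6: otherwise any role that grants wins, even if another role denies.
    No setting anywhere: refuse (fail closed; assumption, the page states no
    default)."""
    own = explicit_decision(node, user, permission)
    if own is not None:
        return own == GRANT
    found = [d for d in (role_decision(node, r, permission)
                         for r in USER_ROLES.get(user, [])) if d]
    return bool(found) and GRANT in found


if __name__ == "__main__":
    checks = [
        ("alice", "child", "delete"),  # rule 2: child deny beats parent grant -> False
        ("bob", "child", "edit"),      # rules 3 and 5: B grants, C denies, A silent -> True
        ("alice", "child", "view"),    # rule 5: C grants, B denies -> False
        ("bob", "child", "view"),      # rule 6: role_a denies, role_d grants -> True
        ("alice", "child", "edit"),    # rule 7: user deny beats role_b grant -> False
        ("bob", "child", "delete"),    # nothing defined anywhere -> False
    ]
    for user, node, perm in checks:
        print(f"{user:6} {perm:7} on {node:6}: {is_permitted(user, node, perm)}")
```

The `bob`/`view` case is the one worth reading twice: `role_a` inherits a denial from `role_b`, but `bob` is also in `role_d`, which grants, and under the multiple-roles rule the grant wins. If the intent is to keep `bob` out, the denial has to be placed on `bob` directly, since a user-level setting is the only thing that overrides every role.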