3Com 10031370-01 User Manual

Page 32


2-10 CHAPTER 2: WORKING WITH SECURITY

Dominant Permission
When a user belongs to more than one group with different permissions, or is individually defined for specific objects, which permission is used?

Rule 1. An individual’s permissions overrule the permissions for a group. An individual permission overrides a group permission, even if the group permission changes after the individual member was modified.

Rule 2. Explicit permission overrules inherited permission. So, what happens when a user belongs to more than one group, and the permissions of one group grant something while the other denies it?

Here is a fictitious example: Bill Gallagan belongs to the JrSales group and the Developers group. Here are the inherited permissions for All Attachments for both groups:

Figure 2-12 ‘All Attachments’ Permissions by User Group

Delete Attachments is permitted in the Developers group and not permitted in the JrSales group.

Here is what the permissions look like for Mr. Gallagan:

Figure 2-13 ‘All Attachments’ Permissions by User
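The precedence described in this section, applied to the Gallagan case for Delete Attachments, as an added Python illustration (not code from the 3Com manual or product). It assumes Rule 1 is evaluated before Rule 2 and that a user with no matching entry is denied; the names `Entry` and `effective` are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    subject: str     # user name or group name
    is_group: bool   # True for a group entry, False for an individual entry
    explicit: bool   # True = set on the object itself, False = inherited
    allow: bool      # True = permitted, False = not permitted


def effective(user, groups, entries):
    """Resolve one permission on one object; returns (allowed, deciding_level)."""
    mine = [e for e in entries if not e.is_group and e.subject == user]
    grp = [e for e in entries if e.is_group and e.subject in groups]
    # Rule 1: individual entries are consulted before group entries.
    for tier, label in ((mine, "individual"), (grp, "group")):
        # Rule 2: explicit entries are consulted before inherited ones.
        for explicit in (True, False):
            hits = [e for e in tier if e.explicit == explicit]
            if hits:
                # Conflict at the same level (one group grants, another
                # denies): the negative permission overrides.
                kind = "explicit" if explicit else "inherited"
                return all(e.allow for e in hits), f"{label}/{kind}"
    return False, "no entry"  # assumption: nothing matched means denied


# Constructed sample data mirroring the example in the text.
USER = "Bill Gallagan"
GROUPS = {"JrSales", "Developers"}
INHERITED = [
    Entry("Developers", is_group=True, explicit=False, allow=True),
    Entry("JrSales", is_group=True, explicit=False, allow=False),
]

if __name__ == "__main__":
    print(effective(USER, GROUPS, INHERITED))
    # An individual entry for the user takes precedence under Rule 1.
    personal = INHERITED + [Entry(USER, is_group=False, explicit=True, allow=True)]
    print(effective(USER, GROUPS, personal))
```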

The negative permission is an overriding factor in this case. There are two ways to adjust this:
