Determining Effective Rights

The effective rights a specific user has on an object - what the user can actually do with the object - are determined by examining ACEs in a specific order. The first ACE that matches both the user and the desired access right determines whether the user has that right on the object. An ACE matches the user if it specifies the user or any group the user is directly or indirectly a member of. An ACE matches the desired right if the right is listed in the ACE.

ACEs are examined in the following order:

  1. ACEs explicitly set on the object

  2. ACEs explicitly set on the object's parent

  3. ACEs explicitly set on the object's further ancestors, nearest ancestor first

At each object, ACEs are checked in ACL order (the order displayed for an object on the Access Control page). Order can be changed among multiple ACEs on the same object by using the up arrow and down arrow buttons next to the ACEs.

If no matching ACE is found after all levels are examined (back to the root or Global ACE), access is allowed by default (this is for back-compatibility with non-ACL mode).

Copyright © Thunderstone Software     Last updated: May 19 2023
Copyright © 2023 Thunderstone Software LLC. All rights reserved.