This document outlines the various user and permission related facts and expectations.
GlobalSearch
expectations when using GlobalSearch. Note that this information is current as of version 6.3 and greater. Older versions may have different results.
User permissions ALWAYS trump override group permissions. If a user is directly secured to a resource, only the user’s permission set is considered. It has historically be assumed or considered that user and group permissions should be blended. This may or may not be possible, but we should draw a line in the sand of either we support it, or we don’t and document it at such. The most ideal scenario is “Yes, we support it”.
Supporting combined permissions would take on a “least restrictive” model. The SUM of all permissions applied are when the user gets.
If there meaningful challenges to and additive approach to users and groups together, then we should abort and document as not possible.
If we are not going to allow it, we should not allow the user to do it. Meaning, if a user is assigned permissions to an archive, we should flag a save error if that user is a member of any groups also being secured. Likewise, we should remove the ability to secure a user to an archive that already has group permissions that include the user in questionGroup permissions are always additive. If a user is a member of multiple groups, the sum of all permissions for secured groups of which the user is a member are considered.
Multiple groups with the same, or overlapping permissions, should will not impact the experience.
It is a valid scenario for a user to be in two different groups that have identical permissions, both of which are secured to a single resource.
Test scenarios will cover discretely different permission sets for merge tests.
Specifically, testing Group1 with full permissions and Group 2 with View only permissions is not a valid test. This means you are getting Group1’s permissions, it does not necessarily mean you are getting the combine permission set.
With regard to conflicting permissions that can not be merged, conflicts are expected. This can happen with Default searches, Queue searches, and Direct searchedsearches.
If two groups have default searches and the user is a member of both groups, the first group returned should apply to these options. Groups should be inspected in the order they were added, allowing the user to control this behavior to their specific needs.
Searches and Archives are different objects with their own discrete security. As such, having permissions to an Archive does not imply permissions to any specific search.
A user individually secured to an archive with no individual permissions on a search for that Archive would inherit the permissions of any group they are a member of on that search. The converse (group permissions on Archive, individual permissions on search) would result in the user’s direct permissions applying to searches.
Default/Queue/Direct options are search level permissions and would also respect user before group paradigm.
.
Email/Print/Export
Permissions in this area are redundant.
Permissions for these elements should be flattened.
For aesthetics, one security option for “Export/Print/Email” should be available.
On upgrade, customers with any combination of the 3 permissions from a version that separately secured the 3 should have the singular option enabled (Bitwise 128?).