How Does GlobalSearch Determine Permissions for Users & Groups?
GlobalSearch uses either workgroup users or active directory users to assign permissions within its application.
Moving forward, for the remainder of this KB “Permissions” will refer to permissions within the GlobalSearch application, not in reference to Windows system security permissions or Windows GP.
Implicit vs. Explicit Permissions and Permission Inheritance
Permissions can be assigned to groups or individual users. When a group is secured, all users in that group gain the permissions of the group, implicitly. This is Permissions Inheritance or Implicit Permission. It means that users, by way of being part of a group, naturally gain the rights and privileges of that group. Upon logging into GS, a user is checked for group membership first and assigned the privileges and rights for that group on a case by case basis. If that group’s membership permissions change, so will that user. THIS MEANS THE USERS DO NOT NEED TO BE SECURED IN ANY WAY TO GLOBALSEARCH. DOING SO WILL GIVE EXPLICIT PERMISSIONS TO THAT USER. (See below)
As an example, if GroupA is secured to Archive1 with Permissions Blue, Green and Red, all members of GroupA will also have permissions Blue, Green and Red without needing to be manually added to that archive.
Individual user assignment of permissions abrogates, or overrides group permissions. That means a user’s permissions, regardless of group membership, will always take precedence. ONCE YOU ASSIGN A USER TO AN ARCHIVE, PERMISSIONS INHERITANCE FROM ANY GROUP MEMBERSHIP IS OVERRIDDEN. This means that for all intents & purposes related to GlobalSearch, securing a user that is already within a group, effectively removes that user from that group’s permissions pool on that discrete set of permissions. This is called Explicit Permissions Assignment.
As an example, GroupA is secured to Archive1 with Permissions Blue, Green, and Red. However, user JDoe in GroupA also needs to be assigned Permission Orange. That user will need to be explicitly assigned to Archive1 and given rights to Permission Orange. This will effectively remove the user from GroupA, and explicitly assign all of GroupA’s permissions to that user AND give him access to Permission Orange.
Most importantly though FUTURE PERMISSION CHANGES TO GROUP A WILL NO LONGER AFFECT JDOE since he is no longer associated with GroupA as far as GlobalSearch is concerned.
Multiple Group Membership & Conflicting Permissions
If a user is part of multiple groups secured to the same discrete permissions set, GlobalSearch will attempt to combine permissions sets to give the user the union of the two permissions sets.
We have seen issues in the past where a user's explicit permissions can cause issues if those permissions conflict with a secured group's permissions. We suggest that, when possible, avoid securing a user differently than a group that user is secured to.
If, for example, Susan is secured to GroupA, and GroupA has access to all searches, but Susan has access to only one search, there may be possible permissions conflicts. A suggestion in an instance such as this would be to secure multiple groups that Susan is a part of, rather than securing Susan and a group which she is a constituent of.