Permission Levels and Sets
- Allowed security entities
- Denied security entities
Denied permissions take precedence over allowed permissions. The connectors can reproduce the repository security model by resolving, for each document, the intersection of all permission sets from all security layers.
New Permission Levels and Sets
Starting with the CES 7.0.5388 April 2013 monthly release, a document in the unified index may be assigned permissions from more than one security layer (called Permission levels), each containing one or more Permission sets. This feature makes it easier and more transparent to reproduce repository security models. The intersection of multiple permission levels and sets is computed by a background security cache management process rather than by the connector at indexing time. Refreshing the security cache picks up changes made in repository groups without having to refresh the source.
- Permission set
  A permission set consists of a set of allowed and a set of denied security entities and can also allow anonymous access. For a security entity to be considered allowed by a permission set, it must be in the allowed set and not be in the denied set. A security entity can also be unknown to a permission set.
- Permission level
  A permission level consists of one or more permission sets. For a security entity to be considered allowed by a permission level, it must be allowed by all its permission sets and not denied by any permission set. A security entity can also be unknown to a permission level.
Tip: When you use the Index security permissions and specify additional security permissions to index source permission option, these additional permissions become a permission level (see Modifying Source Security Permissions).
- Document Permissions
  Document permissions are the intersection of one or more permission levels, each containing one or more permission sets.
  When a security model uses permissions with priority, the following algorithm determines the resolved permissions for a security entity:
  - Check the first permission level:
    - If the security entity is allowed or denied, stop and use that permission.
    - If the security entity is unknown, check the next permission level.
  - If the security entity is unknown after checking all levels, consider it denied.
- Anonymous access
  If a permission set allows anonymous access, everyone is considered allowed. Denied entities, however, can still exist and take precedence.
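The resolution rules above, carried through as an added Python example (not Coveo code): it evaluates one security entity against permission sets, levels, and both document-level modes (intersection and priority). Class and function names are hypothetical, the sample data is constructed, and treating an entity that only some sets of a level allow as unknown is an assumption the page does not spell out.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):
    ALLOWED = "allowed"
    DENIED = "denied"
    UNKNOWN = "unknown"

@dataclass(frozen=True)
class PermissionSet:
    allowed: frozenset = frozenset()
    denied: frozenset = frozenset()
    allow_anonymous: bool = False

    def check(self, entity):
        if entity in self.denied:  # denied takes precedence, even over anonymous access
            return Access.DENIED
        if self.allow_anonymous or entity in self.allowed:
            return Access.ALLOWED
        return Access.UNKNOWN

def check_level(level, entity):
    """A level is a list of permission sets: any deny wins, allow needs every set."""
    results = [s.check(entity) for s in level]
    if Access.DENIED in results:
        return Access.DENIED
    if all(r is Access.ALLOWED for r in results):
        return Access.ALLOWED
    return Access.UNKNOWN  # assumption: allowed by only some sets counts as unknown

def resolve_intersection(levels, entity):
    """Intersection mode: the entity must be allowed by every level."""
    return all(check_level(lv, entity) is Access.ALLOWED for lv in levels)

def resolve_priority(levels, entity):
    """Priority mode: first level with a definite answer wins; unknown everywhere is denied."""
    for lv in levels:
        result = check_level(lv, entity)
        if result is not Access.UNKNOWN:
            return result is Access.ALLOWED
    return False

# Constructed sample: a share-level layer followed by a file-level layer.
SHARE = [PermissionSet(allowed=frozenset({"alice", "carol"}))]
FILE = [PermissionSet(allow_anonymous=True, denied=frozenset({"alice"}))]
LEVELS = [SHARE, FILE]
```

With this sample, alice is denied under intersection but allowed under priority, because the first level gives a definite answer before the file-level deny is reached; when reviewing a priority-based model, check the order of the levels for this kind of shadowing.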
What's Next?
You can see the permission levels and sets for a document and review the associated security entities from the Index Browser (see Reviewing Document Details from the Index Browser).