Permission inheritance

This topic describes concepts critical to understanding how folder permissions are inherited.

Understanding HCL Compass permission inheritance is key to developing a robust workspace folder access-control policy.

Baseline permissions: the Everyone group

In addition to user groups, workspace folder permissions use a predefined group called Everyone, which contains every HCL Compass user. User membership is automatic and implicit. It is not possible to change the membership of the Everyone group.

The Everyone group is used to establish a baseline permission from which modifications can then be applied. For example, the default permission for the Public Queries folder for all users is Read-Only . Use the Everyone group to change default permission without creating and managing an explicit group.

Inheritance by group and subgroup

Just as permissions are defined for groups rather than for individuals, the permission inheritance model depends on a user's group and subgroup membership.

A Folder Administrator can assign different permissions to a folder for a group and its subgroup. If a user is indirectly a member of a group because they are directly a member of a subgroup, and the group and subgroup have different access to a folder (for example, Read-Write versus Read-Only), the user's access is always determined by the subgroup access.

In contrast, if a user is a direct member of multiple groups, regardless of whether the groups are subgroups of each other, and the groups have different access levels, the user's access is determined by the group with the highest level of permission precedence. Direct membership in a group has precedence over indirect membership when determining permission inheritance.

Inheritance by folder and subfolder

Users who can change permissions on a folder include any user with the Public Folder Administrator or Security Administrator privilege, or any user who is a member of a group that has been granted the Change-Permission permission on a folder.

By default, a subfolder inherits the permissions of its parent folder. A user who can change permissions can override the inherited folder permissions for their groups by assigning different permissions to a subfolder. If the permissions on a subfolder are overridden, and the subfolder has subfolders, the subfolders inherit the override permissions. The Security Administrator and Public Folder Administrator can access any folder or subfolder regardless of the permission assigned to the folder.

Effective permissions

The term effective permission relates to both a group's access to a particular folder and to an individual user's access.

Effective permission for a group on a folder

The effective permission for a group on a folder is:
  1. The explicit applied permission for the group to that folder, if there is one.
  2. If there is no explicit applied permission, evaluate each group parentage level for an applied permission. The closest group parentage level that has an applied permission determines the effective permission. If there is more than one applied permission at this group parentage level, the effective permission is the highest precedence applied permission. For purposes of determining parentage level, the Everyone group is considered the most distant parentage level.
  3. Otherwise, the effective permission is the same as the effective permission for the group on the parent folder. If there is no parent folder (for example, the Public Queries folder), the effective permission is the default (Read-Only for the Public Queries folder).

Effective permission for a user

The effective permission for a user on a folder is:
  1. The highest precedence applied permission to that folder among the groups the user is a member of, if there is one.
  2. If there is no explicit applied permission, evaluate each of the user's group parentage levels for an applied permission. The closest group parentage level that has an applied permission determines the effective permission. If there is more than one applied permission at this group parentage level, the effective permission is the highest precedence applied permission. For purposes of determining parentage level, the Everyone group is considered the most distant parentage level.
  3. Otherwise, the effective permission is the same as the effective permission for the user on the parent folder. If there is no parent folder (for example, the Public Queries folder), the effective permission is the default (Read-Only for the Public Queries folder).

Timing considerations

Updates to folder permissions for a user group or subgroup take effect in the current HCL Compass session as soon as the Folder Administrator makes the update. Within the same replica as the current session, updates take effect on all sessions started after the change is committed to the database. In other replicas, updates take effect on sessions started after the replicas have been synchronized with the replica containing the current session and the synchronization is complete.

Because there is a delay before permission changes have an effect on other sessions, users may access the database with less restrictive permissions than the administrator has set for them for a period of time after the permissions have been changed in the current session.