Workspace folder permissions and permission precedence

To determine the effective permissions for a user or group, the workspace folder permissions model defines two permission categories: folder access and setting folder permissions.

One permission from each category can be applied to a folder for a group.

Folder access permissions

Permissions are set on workspace folders, not on the workspace items within the folders. A permission together with the group to which it applies is called an access control element (ACE). The set of ACEs applied to a single folder constitutes the access control list (ACL) for the folder.

The following folder access permissions are defined:

Read-Limited

Users can see the folder itself, but can see only the contents of subfolders for which they have an explicit permission of at least Read-Only.

Read-Write

Users can read, write, and execute the entire contents of the folder. Users can also create workspace items, including subfolders, and rename, modify, and delete workspace items.

Read-Only

Users can read and execute the entire contents of the folder, but cannot modify the folder or its contents.

No-Access

Users can see the folder name, subject to a Read-Limited permission, but not its contents. If the parent folder grants Read-Write permission to a group to which the user belongs, the user can modify the folder name.

Permission precedence

Permission precedence is used to evaluate a user's or group's effective permission to access a folder and its contents. Many users belong to multiple Compass groups and subgroups, and a subgroup can inherit permissions from many groups. If membership in these groups and the rules of group permission inheritance result in the user or group being granted multiple permissions for a particular folder and its contents, the effective permission is determined by permission precedence.

Permission precedence, from lowest to highest, is as follows:
  1. No-Access
  2. Read-Only
  3. Read-Write
  4. Read-Limited

Setting folder permissions: the Change-Permission permission

Only a user with the Security Administrator or Public Folder Administrator privilege can set the Change-Permission permission on a folder. The following permission is defined to change a folder permission:

Change-Permission permission

Grants permission to change the permissions on the folder. Users in groups that are granted this permission can change the Read-Limited, Read-Write, Read-Only, and No-Access permissions on the folder or any of its subfolders for the groups of which they are members, including the Everyone group.

Attention: The Change-Permission permission is independent of folder content and visibility permissions. After it is granted, this permission is implicitly inherited by all subfolders. It is not possible to remove or override an implicitly granted Change-Permission permission from a subfolder.
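
The following sketch is an added example, not product code. It resolves a user's effective access permission on a folder using the precedence order listed above, and reports which folder an implicitly inherited Change-Permission comes from. The group names, folder paths, data layout, and the assumption that group inheritance is transitive are all hypothetical; only ACEs on the folder's own ACL are evaluated for access.

```python
# Precedence exactly as listed on this page, lowest to highest.
PRECEDENCE = ["No-Access", "Read-Only", "Read-Write", "Read-Limited"]
RANK = {name: i for i, name in enumerate(PRECEDENCE)}

# Constructed sample data: hypothetical groups and folders.
# group -> groups it inherits permissions from (assumed transitive)
GROUP_PARENTS = {"Dev-Team-A": ["Developers"], "Developers": ["Everyone"],
                 "Auditors": ["Everyone"], "Everyone": []}
# folder -> ACL, a list of (group, permission) ACEs
ACLS = {
    "/Public": [("Everyone", "Read-Limited"), ("Dev-Team-A", "Read-Write"),
                ("Developers", "Change-Permission")],
    "/Public/Reports": [("Everyone", "No-Access"), ("Auditors", "Read-Only"),
                        ("Developers", "Read-Write")],
    "/Public/Reports/Q1": [("Auditors", "Read-Only")],
}

def expand_groups(direct):
    """Return the direct groups plus every group they inherit from."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(GROUP_PARENTS.get(group, []))
    return seen

def effective_access(folder, direct_groups):
    """Highest-precedence access permission among the folder's matching ACEs.
    None means no ACE on this folder's ACL applies to the user's groups."""
    groups = expand_groups(direct_groups)
    granted = [p for g, p in ACLS.get(folder, []) if g in groups and p in RANK]
    return max(granted, key=RANK.get) if granted else None

def change_permission_source(folder, direct_groups):
    """Nearest folder (self or ancestor) whose ACL grants Change-Permission."""
    groups = expand_groups(direct_groups)
    path = folder
    while path:
        if any(g in groups and p == "Change-Permission"
               for g, p in ACLS.get(path, [])):
            return path
        path = path.rsplit("/", 1)[0]  # step up to the parent folder
    return None

if __name__ == "__main__":
    for folder in ACLS:
        print(folder, effective_access(folder, ["Dev-Team-A"]),
              change_permission_source(folder, ["Dev-Team-A"]))
```

With the ordering above, a user who matches both a Read-Write ACE and a Read-Limited ACE on the same folder resolves to Read-Limited. Running `change_permission_source` over every subfolder shows where Change-Permission is held only through an ancestor grant, which cannot be removed at the subfolder.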