How Unica Campaign evaluates permissions

When a user performs a task or tries to access an object, Unica Campaign performs the following steps.

  1. Identifies all groups and roles to which this user belongs within the global security policy.

    Users can belong to one, many, or no roles. Users belong to the Owner role if they own an object; they belong to the Folder Owner role if they own the folder in which an object resides.

    Users belong to other roles only if they have been specifically assigned to that role (either directly or because they belong to a group assigned to that role).

  2. Identifies whether the object being accessed is assigned to a custom-defined policy. If so, the system identifies all groups and roles to which the user belongs within this custom policy.
  3. Aggregates the permissions for all roles to which the user belongs, based on results from steps 1 and 2. Using this composite role, the system evaluates the permissions for the action as follows:
    1. If any roles have Denied permission for this action, then the permissions are aggregated as follows:
      1. Consider a Global Policy, one Custom Policy, and a permission DENIED for the Custom Policy role. In this case, DENIAL of any permission for a Custom Policy role takes precedence over permissions assigned to the Global Policy role.
      2. Consider a Global Policy, two or more Custom Policies, a permission DENIED for one of the Custom Policy roles, and the same permission GRANTED to the other Custom Policy role. In this case, GRANT of the permission in one Custom Policy takes precedence over DENIAL of the permission in the other Custom Policy.
    2. If no roles have Denied permission for this action, then it checks to determine whether any roles have Granted permission for this action. If so, the user is allowed to perform the action.
    3. If neither of the two preceding conditions is true, the user is denied the permission.

Example for one custom policy

Consider one custom policy under Global Policy: CustomPolicyA. CustomPolicyA has CustomPolicyARole, which has the Add/Edit Unica Campaign permission DENIED.

Consider UserA, who has CustomPolicyARole assigned. DENIAL of the Add/Edit Unica Campaign permission for CustomPolicyARole takes precedence over permissions assigned to the Global Policy Role. Hence, the Add/Edit Unica Campaign objects are not visible to UserA.

Example for two custom policies

Consider two custom policies under Global Policy: CustomPolicyA and CustomPolicyB. CustomPolicyA has CustomPolicyARole and CustomPolicyB has CustomPolicyBRole. CustomPolicyARole has the Add/Edit Unica Campaign permission GRANTED. CustomPolicyBRole has the Add/Edit Unica Campaign permission DENIED.

UserA has both CustomPolicyARole and CustomPolicyBRole assigned. GRANT of Add/Edit permission of CustomPolicyARole takes precedence over DENIAL of permission of the CustomPolicyBRole. Hence, the Add/Edit Unica Campaign objects are visible to UserA.
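
The evaluation order in step 3 and the two examples above can be modelled as a small function. This is an added illustration, not Unica Campaign code: the function name, the input shapes and the scenario data are assumptions, and denial cases the page does not spell out (a denial that comes only from a Global Policy role, or a grant and a denial inside the same custom policy) are treated here as denied.

```python
GRANTED, DENIED = "GRANTED", "DENIED"


def is_allowed(global_states, custom_states):
    """Model the evaluation order on this page for a single action.

    global_states: states from the user's Global Policy roles.
    custom_states: {custom policy name: [states from the user's roles in it]}.
    A role that neither grants nor denies contributes nothing to either input.
    """
    denying = {p for p, s in custom_states.items() if DENIED in s}
    granting = {p for p, s in custom_states.items() if GRANTED in s}

    if DENIED in global_states or denying:
        # Denial case, second sub-case: with two or more custom policies,
        # a GRANT in another custom policy takes precedence over the DENIAL.
        if denying and granting - denying:
            return True
        # Denial case, first sub-case: a custom-policy DENIAL overrides the
        # Global Policy role. Assumption: all remaining denial cases that the
        # page does not describe are denied as well.
        return False
    # No denial anywhere: any GRANT allows the action; otherwise it is denied.
    return GRANTED in global_states or bool(granting)


# Constructed inputs. The first two follow the page's examples; the Global
# Policy GRANTED state in the first one is an assumption.
SCENARIOS = {
    "one custom policy": ([GRANTED], {"CustomPolicyA": [DENIED]}),
    "two custom policies": ([], {"CustomPolicyA": [GRANTED],
                                 "CustomPolicyB": [DENIED]}),
    "grant only": ([GRANTED], {}),
    "nothing assigned": ([], {}),
}


def evaluate_all():
    """Return {scenario name: True if the action is allowed}."""
    return {name: is_allowed(g, c) for name, (g, c) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Removing CustomPolicyA from the second scenario flips its result to denied, which makes the model useful for checking how a user's role assignments across custom policies combine.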