Question

How to override group membership rights for an individual user

asked on December 14, 2021

We've just (finally) upgraded from United version 8.3.x to RIO 10.4, now using LFDS and I'm struggling with a security/permissions issue.  

I have a department-specific AD security group that is tied to a Group in LFDS that defines that department's basic access rights (basically to view documents only).

For a few specific individuals in that AD security group, I need to override those basic access rights with the ability to edit those same documents.

In the United version, I was able to define a Laserfiche User that was tied to a specific AD user that was a member of that same department's AD security group and give them different permissions.  Much of our access rights security has been based on this methodology and I'm not finding a way to replicate it within LFDS under RIO.  

The version 10 administration documentation says that security is cumulative, which doesn't seem to be correct.  It appears that the effective rights end up being whatever is the most restrictive, as nowhere in the access rights definitions have I set any "deny" rules.

Thanks in advance!

0 0

Answer

SELECTED ANSWER
replied on December 14, 2021

User rights are indeed cumulative. We often have "base" level groups that give read/browse type access, then some users will be added to a secondary group that grants "edit/delete" type access just like you described in your scenario (for example, general staff vs a senior/supervisor).

The only time more restrictive rights would take precedence is if you Deny or set a group as Read-Only (i.e., checking the read only box, not just "Allow" on view/browse) because the priority in determining rights/access goes None < Allow < Deny/Read-Only.

If you confirmed there are no Deny rights, the other thing to check is whether the "Make read-only" option is checked for your basic group.

To test all of this, I'd suggest creating a test user that is a member of your "edit" group, but not a member of your "basic" group, then check their effective rights.

2 0
replied on December 15, 2021

Jason - thanks for the mental jump-start! Sometimes that's all it takes.

It was in fact the "read-only" checkbox that was set in my basic group definition(s).  I unchecked that setting on the offending basic group(s) and now have the cumulative permissions that I had originally expected and wanted.

Much appreciated!

0 0
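
A small Python model of the evaluation order described in the selected answer (None < Allow < Deny/Read-Only), added here as an illustration; it is not Laserfiche or LFDS code. The group names, the right names, and the assumption that a read-only group blocks "edit" and "delete" are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption for this model: rights that a read-only group blocks.
WRITE_RIGHTS = {"edit", "delete"}

@dataclass
class Group:
    name: str
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    read_only: bool = False  # models the "Make read-only" checkbox

def effective_rights(groups):
    """Return {right: (granted, deciding_groups)} for a user's group memberships.

    Allows accumulate across groups, but any Deny or read-only group wins,
    following the stated precedence None < Allow < Deny/Read-Only.
    """
    rights = set().union(*(g.allow | g.deny for g in groups), WRITE_RIGHTS)
    result = {}
    for right in sorted(rights):
        blockers = [g.name for g in groups
                    if right in g.deny or (g.read_only and right in WRITE_RIGHTS)]
        granters = [g.name for g in groups if right in g.allow]
        if blockers:
            result[right] = (False, blockers)   # Deny/Read-Only beats Allow
        elif granters:
            result[right] = (True, granters)    # cumulative Allow
        else:
            result[right] = (False, [])         # None: nobody granted it
    return result

def can(groups, right):
    return effective_rights(groups).get(right, (False, []))[0]

# Constructed sample groups mirroring the thread's scenario.
basic_ro = Group("Dept-Basic", allow={"browse", "read"}, read_only=True)
basic = Group("Dept-Basic", allow={"browse", "read"})
editors = Group("Dept-Editors", allow={"browse", "read", "edit"})

if __name__ == "__main__":
    for label, membership in [("edit group only", [editors]),
                              ("basic (read-only) + edit", [basic_ro, editors]),
                              ("basic (unchecked) + edit", [basic, editors])]:
        granted, deciders = effective_rights(membership)["edit"]
        print(f"{label}: edit={'yes' if granted else 'no'} decided by {deciders}")
```

The "decided by" list names the group responsible for each outcome, which is the same question the suggested test user answers by isolating one group at a time.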
