Group Privileges and Access Rights

When users log on to a server configuration, they are identified individually by their user names and as members of the groups to which they belong. The application stores this information as an access token for each user. As users perform operations on application objects (projects, views, folders, and items), the application examines these tokens and the access rights for the objects on which the users are performing the operations. The application checks access rights in layers. The right to access an object begins with the System Policy dialog, which can be accessed from the Server Administration tool.

Unless group privileges are being ignored, they override and take precedence over rights configured elsewhere. Privileges are group properties set on the Privileges tab of the Group Properties dialog in the client. A user is granted the same privileges as those of the group to which he or she belongs. If the user belongs to two groups, and one is granted certain privileges while the other is denied the same privileges, the user is granted the privileges. The Membership tab of the My Account dialog displays the logged-on user's group membership information.

After consideration of group privileges, the application checks the access rights granted for specific objects. Settings on the Access Rights dialogs for projects, views, folders, and individual items grant or deny users or groups the ability to perform operations at those levels. It is important to remember that if access rights are granted to any user or group at a given level in an Access Rights dialog, users or groups who are not granted access rights at that level are effectively denied all rights.

Ultimately, if a user can see an object and is not stopped from performing an operation by a deny record, the user can do anything that a grant record allows, whether as an individual user or as a member of any group. The only exception has to do with privileges.
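
The following Python model is an added illustration of the layered check described above, useful for reasoning about why a user ends up with or without a right; it is not the product's own code. The record shape, the operation names, the group names, and the single shared namespace for user and group names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:  # access token: user name plus group memberships
    user: str
    groups: frozenset

@dataclass(frozen=True)
class Record:  # one Access Rights entry at a single level (assumed shape)
    principal: str          # user name or group name
    kind: str               # "grant" or "deny"
    operations: frozenset   # constructed operation names

def effective_privileges(token, group_privileges):
    """Union across groups: a privilege granted by any one group is held."""
    held = set()
    for group in token.groups:
        held |= group_privileges.get(group, set())
    return held

def check(token, operation, group_privileges, records, ignore_privileges=False):
    """Decide one operation at one level; returns (allowed, reason).

    allowed is None when the level holds no grant records: the page does not
    describe that case, so this model leaves it undecided (assumption).
    """
    if not ignore_privileges and operation in effective_privileges(token, group_privileges):
        return True, "group privilege overrides access rights"
    principals = {token.user} | token.groups
    mine = [r for r in records
            if r.principal in principals and operation in r.operations]
    if any(r.kind == "deny" for r in mine):
        return False, "deny record"
    if any(r.kind == "grant" for r in mine):
        return True, "grant record"
    if any(r.kind == "grant" for r in records):
        return False, "level has grants, but none cover this user and operation"
    return None, "no grant records at this level"

# Constructed sample data
ALICE = Token("alice", frozenset({"Developers", "Auditors"}))
PRIVS = {"Developers": {"see_item"}, "Auditors": set()}
RECORDS = [Record("Developers", "grant", frozenset({"modify_item"})),
           Record("alice", "deny", frozenset({"delete_item"})),
           Record("Auditors", "grant", frozenset({"delete_item"}))]

if __name__ == "__main__":
    for op in ("see_item", "modify_item", "delete_item"):
        print(op, check(ALICE, op, PRIVS, RECORDS))
```

With privileges ignored, the same see_item request is refused, because the level carries grant records and none of them covers that operation for the user.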