General Access Rights Rules

Keep these general rules in mind when granting access rights:

• Access rights can be overridden by the fact that a user is the object’s owner. Usually, the owner is the person who created the object.
• Access rights can be overridden by privileges given to a group that includes the user. These privileges are set per group from the Server. By default, the Administrators group has full privileges (rights to do anything and everything).
• Access rights should be set at the highest possible level.
• The client checks for access rights from the lowest level (the item level) to the highest level (the project level).
• If one grant record is created for a node, a grant record for that node should be created for every group that requires access to the project at that level. The Administrators group should have a grant record for each node, so that, if privileges are ignored, administrators can still change access rights.
• If access rights are set for any user or group for a node, all users or groups without a grant record for that node will be denied all access rights at that level for that node.
• Every view within a project has the same project-level access rights.
• When you derive a child view from an existing view, the new view has no view-level access rights. However, folders and items in the child view that existed in the parent view retain the same folder-level or item-level access rights that they had in the parent view. Changing these access rights in either the parent or the child view also changes them in the other view because you are changing the rights on the same object. If the folders or items in either the parent view or the child view branch, they can have different access rights, because they are different objects.
• Folders that are moved or shared from one view to another retain any access rights assigned to them at the folder level in the new view. However, if they branch, they lose their folder-level access rights.
• Items that are moved or shared from one view to another retain any access rights assigned to them at the item level to the new view. However, if they branch, they lose their item-level access rights.
• Avoid setting item-level access rights.
• Avoid creating deny records. But if you deny rights, follow both of these rules: a) never allow any node on an Access Rights dialog to have only deny rights records, and b) verify that deny rights records for a node precede any grant rights records for the node.