Inherited permissions
When access rights are set for a group, they apply to every process, object, or resource in that group, including all child groups and their contents. This also applies when moving groups and items to another group – all items inherit the permissions of the group they are moved to, overwriting any permissions already applied. Each time a group or item is moved and its permissions change, a message box is displayed to warn that the move will have an impact.
If a group is unrestricted, the Access Rights for child groups can be set as required. For restricted groups, the Access Rights for child groups can be viewed but not edited.
Moving groups
To move groups, the following permissions are required. They must be enabled in the user's security role permissions so that they can be applied at group level as required:
- Edit group permissions are required to move any group.
- Manage Access Rights and Edit group permissions are required to move a restricted group to a different parent or ancestor group. To move a restricted group within the same restricted ancestor, no additional permissions are required as the groups already share the same inherited permissions.
Groups can be restricted directly or indirectly:
- Directly – Permissions are determined by the access rights applied specifically to that group.
- Indirectly – Permissions are determined by the access rights applied to a parent group.
The impact of moving to and from groups with different access levels is explained in the following tables.
The group being moved does not have any permissions applied.
Move to... | Required group permissions (source) | Required group permissions (target) | Impact on source group |
---|---|---|---|
Root | N/A | N/A | Permissions are unaffected – The source group is unrestricted and has moved to the root so group permissions do not apply. |
Unrestricted | N/A | N/A | Permissions are unaffected – The source and target groups are unrestricted so group permissions do not apply. |
Restricted | N/A | Edit Group, Manage Access Rights | Increased restrictions – The source group inherits permissions of the new restricted ancestor. |
The group being moved has permissions applied directly.
Move to... | Required group permissions (source) | Required group permissions (target) | Impact on source group |
---|---|---|---|
Root | Edit Group, Manage Access Rights | N/A | Permissions are unaffected – The source group maintains its permissions. |
Unrestricted | Edit Group, Manage Access Rights | N/A | Decreased restrictions – The source group is now unrestricted as it is inheriting permissions for an unrestricted ancestor. |
Restricted | Edit Group, Manage Access Rights | Edit Group, Manage Access Rights | Modified restrictions – The source group inherits the permissions of the new ancestor group – restrictions could be increased, decreased, or unchanged, depending on the permissions of the target group. |
The group being moved does not have any permissions directly applied but inherits them from an ancestor group.
Move to... | Required group permissions (source) | Required group permissions (target) | Impact on source group |
---|---|---|---|
Root | Edit Group, Manage Access Rights | N/A | Decreased restrictions – The source group is now unrestricted as it is no longer inheriting permissions. |
Unrestricted | Edit Group, Manage Access Rights | N/A | Decreased restrictions – The source group is now unrestricted as it is inheriting permissions from an unrestricted ancestor. |
Restricted | Edit Group, Manage Access Rights | Edit Group, Manage Access Rights | Modified restrictions – The source group inherits the permissions of the new ancestor group – restrictions could be increased, decreased, or unchanged, depending on the permissions of the target group. |
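
The move rules in the three tables can be modelled as a small group tree, which is useful for checking before a reorganisation which moves would decrease restrictions. This is an added example, not product code: the `Group` class, the `anchor`, `plan_move` and `move` functions, and the sample groups and roles are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FULL = frozenset({"Edit Group", "Manage Access Rights"})

@dataclass(eq=False)
class Group:
    name: str
    parent: Optional["Group"] = None   # None: the group sits directly under the root
    acl: Optional[dict] = None         # access rights applied directly to this group

def anchor(group):
    """Group whose access rights govern `group` (itself or an ancestor); None if unrestricted."""
    while group is not None and group.acl is None:
        group = group.parent
    return group

def plan_move(src, target):
    """Group permissions needed and impact of moving `src` under `target` (None = root)."""
    s, t = anchor(src), anchor(target)
    if s is not None and s is not src and s is t:
        # Stays under the same restricted ancestor: nothing beyond Edit Group is needed.
        return {"source": frozenset({"Edit Group"}), "target": frozenset(), "impact": "unchanged"}
    if t is not None:
        impact = "increased" if s is None else "modified"
    elif s is None or (s is src and target is None):
        impact = "unaffected"          # unrestricted source, or direct rights kept at the root
    else:
        impact = "decreased"           # restriction is lost under an unrestricted parent or root
    return {"source": FULL if s is not None else frozenset(),
            "target": FULL if t is not None else frozenset(), "impact": impact}

def move(src, target):
    """Apply the move: inside any group, inherited rights overwrite directly applied ones."""
    plan = plan_move(src, target)
    src.parent = target
    if target is not None:
        src.acl = None
    return plan

# Constructed sample tree (group names and roles are illustrative).
finance = Group("Finance", acl={"Finance Team": FULL})   # directly restricted
payroll = Group("Payroll", parent=finance)               # indirectly restricted
invoices = Group("Invoices", parent=finance)             # indirectly restricted
shared = Group("Shared")                                 # unrestricted
hr = Group("HR", acl={"HR Team": FULL})                  # directly restricted
```

Because child groups are resolved through `anchor`, moving `finance` under `shared` leaves `payroll` and `invoices` unrestricted as well, which is the case worth flagging before the move is confirmed.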