Content Management and Capture

 View Only
  • 1.  Role-based access - Cascade roles

    Posted Thu April 21, 2022 05:30 AM
    Hi,

    we're implementing role-based accesses for the first time.
    In the documentation, there's no explanation about the cascade roles.

    In a role A we add another role B as member. Each role, A and B, has its own access permissions.

    How the roles A and B access permissions are handled on an object, it is a combination or exclusive ,... ?


    Thanks for help

    ------------------------------
    Yannick Martin
    ------------------------------


  • 2.  RE: Role-based access - Cascade roles

    IBM Champion
    Posted Fri April 22, 2022 05:42 AM
    Which product in which version are you referring to?

    ------------------------------
    Gerold Krommer
    ------------------------------



  • 3.  RE: Role-based access - Cascade roles

    Posted Fri April 22, 2022 06:28 AM
    Hi,

    oh sorry, this is for FileNet 5.5.x.

    Thanks

    ------------------------------
    Yannick Martin
    ------------------------------



  • 4.  RE: Role-based access - Cascade roles

    Posted Fri April 22, 2022 06:49 PM
    You can't reduce access using a role, you can only add to it. So, I believe if you add Role B to Role A, then Role B users will get all the access rights of Role A and Role B.

    ------------------------------
    RUTH Hildebrand-Lund
    ------------------------------



  • 5.  RE: Role-based access - Cascade roles

    Posted Mon April 25, 2022 06:16 AM
    The answer depends on what role permissions you assign to an object.

    In the example you gave, if you assign only a role permission for A then all of the members of A and B will be granted the access defined by the role class of A. In other words, only the membership of B is included in the membership of A, the access definitions of B play no role (pun intended).

    Conversely, if you assign only a role permission for B then A is irrelevant and the members of B get the access defined by the role class of B.

    Finally, if you assign role permissions for both A and B, the direct members of A will get the access defined by A, but the members of B will get the union of the access defined by A and B.

    ------------------------------
    Mike
    ------------------------------



  • 6.  RE: Role-based access - Cascade roles

    Posted 11 days ago
    Hi Michael,

    it seems that the first level role permissions are first applied, so the following sentence isn't right :
    "Conversely, if you assign only a role permission for B then A is irrelevant and the members of B get the access defined by the role class of B."

    For object securized by role A (without permissions), the members of role B (role B is included in role A membership) don't have any access.
    So I have added directly the role B in object security, then the members of role B have access to the object.

    If I have some time I'll make some other tests.

    Best regards


    ------------------------------
    Yannick Martin
    ------------------------------