Summary
LaserFiche uses ACLs for determining access rights to objects in the LaserFiche database. ACL stands for access control list. An access control list is a list of permissions for a specified object. Whenever an administrator uses the Assign Rights dialog box to assign group or user rights, the administrator is creating an ACL.
User access rights are assigned and inherited according to the nearest access control list (ACL). When determining a user's rights to a particular object, LaserFiche does not weigh the permissiveness of all inherited rights; only the nearest ACL is used.
User rights are assigned according to the first ACL found that contains an entry for the user or for a group the user belongs to. Where one ACL contains multiple group entries that affect the user, the user inherits the combined rights of all those group entries. If the ACL contains group entries and a user entry, the access rights of the user entry override any rights from the group entries. Users do not inherit rights from any ACL found higher in the directory structure.
Note: When you click an object and select Assign Rights from the Security menu, the users and groups in bold are entries in the Access Control List for that selected object.
Note: The information presented in this article applies to all versions of LaserFiche 6.
More Information
Take note of the following example directory structure:
Root
    Folder A
        Folder A1
        Folder A2
Using the preceding directory structure, the following is an example showing the rights inheritance behavior of LaserFiche:
Sample_User is a member of Groups 1, 2, 3, 4.
Group 1 is assigned the Browse, Read, Write, See Annotations, and See Redactions rights to Root. At this point, Sample_User has the Browse, Read, Write, See Annotations, and See Redactions rights to all the folders in the example directory structure.
Group 2 is assigned the Delete right to Folder A. Group 3 is assigned the Delete Shortcut right to Folder A. Sample_User has now been restricted to the Delete and Delete Shortcut rights for folders A, A1, and A2. However, Sample_User still has the Browse, Read, Write, See Annotations, and See Redactions rights to the Root folder.
Group 4 is assigned the Access Control right to Folder A2. Sample_User has now been restricted to the Access Control right for Folder A2. However, Sample_User still has the Delete and Delete Shortcut rights to folders A and A1. Additionally, Sample_User still has the Browse, Read, Write, See Annotations, and See Redactions rights to the Root folder.
Sample_User is assigned the Browse and Read rights to Folder A2. Now, Sample_User no longer has the Access Control right to Folder A2 and only has the Browse and Read rights. However, Sample_User still has the Delete and Delete Shortcut rights to folders A and A1. Additionally, Sample_User still has the Browse, Read, Write, See Annotations, and See Redactions rights to the Root folder.
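The walkthrough above can be replayed with a small model of the nearest-ACL rule. This is an added example, not LaserFiche code: the function names, data layout and the search order (from the object up toward Root) are assumptions drawn from the rules in the Summary. It shows that each new entry closer to the object replaces, rather than adds to, the rights the user held before.

```python
# Illustrative model of the nearest-ACL rule described in this article.
# Not LaserFiche code; all names and structures here are assumptions.

# Example directory structure from the article (child -> parent).
PARENT = {"Root": None, "Folder A": "Root",
          "Folder A1": "Folder A", "Folder A2": "Folder A"}
GROUPS = {"Sample_User": {"Group 1", "Group 2", "Group 3", "Group 4"}}
BASE = {"Browse", "Read", "Write", "See Annotations", "See Redactions"}

# The assignments from the walkthrough, in order: (folder, principal, rights).
STEPS = [
    ("Root", "Group 1", BASE),
    ("Folder A", "Group 2", {"Delete"}),
    ("Folder A", "Group 3", {"Delete Shortcut"}),
    ("Folder A2", "Group 4", {"Access Control"}),
    ("Folder A2", "Sample_User", {"Browse", "Read"}),
]

def effective_rights(user, folder, acls):
    """Walk from the folder toward Root; the first ACL that names the user
    or one of the user's groups decides the rights. Nothing above it applies."""
    groups = GROUPS.get(user, set())
    node = folder
    while node is not None:
        acl = acls.get(node, {})
        if user in acl:
            # A user entry overrides group entries in the same ACL.
            return set(acl[user])
        matched = [acl[g] for g in groups if g in acl]
        if matched:
            # Several group entries in one ACL combine.
            return set().union(*matched)
        node = PARENT[node]
    return set()

def replay(steps, user="Sample_User"):
    """Apply the assignments in order and record the user's effective
    rights on every folder after each one."""
    acls, history = {}, []
    for folder, principal, rights in steps:
        acls.setdefault(folder, {})[principal] = set(rights)
        history.append({f: effective_rights(user, f, acls) for f in PARENT})
    return history

if __name__ == "__main__":
    for step, snapshot in zip(STEPS, replay(STEPS)):
        print(f"after assigning {step[1]} on {step[0]}:")
        for folder, rights in snapshot.items():
            print(f"  {folder}: {sorted(rights)}")
```
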