Summary
When configuring folder security, you can add the same user or group multiple times to the entry access rights listing through the use of scopes. A benefit of this behavior is that it allows you to quickly configure a set of entry access rights that will only apply to a folder and another set that will only apply to its entries.
More Information
The use of scopes allows you to configure multiple sets of access rights for a particular user or group on a folder. Although these access rights are being configured on a folder, the entries that will be secured by these access rights is determined by the selected scope. This allows a user or group to have one set of rights on a folder and a different set of rights on the entries residing in that folder. This type of configuration allows you to quickly set up security without having to grant unnecessary rights on either a folder or its entries.
Example 1: The following folder structure will be used to illustrate this feature. Joe's Folder contains one folder and one document, respectively named Joe's Subfolder and Joe's Document. Using scope, you only need to set rights on Joe's Folder to control access to Joe's Subfolder and Joe's Document.
| Joe's Folder | |
| L | Joe's Subfolder |
| L | Joe's Document |
Note: In order for this example to work, Joe's Subfolder and Joe's Document must allow rights inheritance. Otherwise, those entries will only be secured by the entry access rights
directly assigned to them. Additionally, you should keep in mind that inherited rights do not override assigned rights. For more information, please refer to the following article:
1000825 INFO: Assigned Entry Access Rights are Never Overwritten.
Example 2: Another use of scopes is to configure a folder as a "drop-box" or "blind drop" or recycle bin where users are able to create documents, but will be unable to see the contents of that folder.