Pessimistic security
gddub
From the Best Practices Manual:
"a WorkSpace member is included in two WorkGroups (roles), both of which are specified in a single policy. In the policy, one of the two WorkGroups is granted delete access and the other is granted view access.
Because of the pessimistic security model, the member has only view access to objects assigned this policy because view is the more restrictive of the two access levels."
We have also noticed that when a workspace member is included in two workgroups (granted and revoked) but in different security policies (one view and one modify), the member has only view access. View access only, for any object in the workspace.
Should we expect this from Pessimistic security?
Comments
dbguy
The documentation is probably wrong. In that example, the user would have delete access. The pessimistic part plays a role in the denials. If there were a third workgroup in the same policy, the same user is its member, and the workgroup is denied view, then the user would have no access. If you are denied through some path, you will never have access, even if explicitly granted.
Now, on your example. If I understood it right: the user is a member of two workgroups. Each workgroup is used in a different policy. In one policy the workgroup is granted view, and in the other it is revoked modify. To see the behavior you described, the default access in the policy with the revoke is probably set to at least view.
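The single-policy case discussed above, evaluated under both readings (the manual's "most restrictive grant wins" and the reply's "highest grant wins unless a denial applies"), as an added example that is not part of the thread and not the product's code. The level ordering, the workgroup names, and the rule that denying a level also removes every level above it are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):  # assumed ordering of access levels
    NONE = 0
    VIEW = 1
    MODIFY = 2
    DELETE = 3


def effective_access(entries, memberships, pick_grant):
    """Resolve one policy for one member.

    entries     -- list of (workgroup, "grant" | "deny", Level)
    memberships -- set of workgroups the member belongs to
    pick_grant  -- max for the reply's reading, min for the manual's reading
    """
    mine = [(kind, lvl) for wg, kind, lvl in entries if wg in memberships]
    grants = [lvl for kind, lvl in mine if kind == "grant"]
    denies = [lvl for kind, lvl in mine if kind == "deny"]
    result = pick_grant(grants) if grants else Level.NONE
    if denies:
        # Assumption: a denial caps access just below the lowest denied level,
        # so a denied "view" leaves no access at all, whatever was granted.
        cap = Level(max(min(denies) - 1, 0))
        result = min(result, cap)
    return Level(result)


# Constructed sample policy: the manual's example (two workgroups, one policy).
MANUAL_POLICY = [
    ("editors", "grant", Level.DELETE),
    ("readers", "grant", Level.VIEW),
]
# The reply's variation: a third workgroup in the same policy is denied view.
WITH_DENIAL = MANUAL_POLICY + [("blocked", "deny", Level.VIEW)]

if __name__ == "__main__":
    member = {"editors", "readers"}
    print("reply reading :", effective_access(MANUAL_POLICY, member, max).name)
    print("manual reading:", effective_access(MANUAL_POLICY, member, min).name)
    member.add("blocked")
    print("with denial   :", effective_access(WITH_DENIAL, member, max).name)
```

Running the same memberships through both readings on a test policy is a quick way to tell which one a given installation actually follows before relying on it for restricted objects.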