In this situation, the precedence of permissions will be applied and the effective permissions would be as follows:
- User A has Approver permission on System C through the Group to System assignment.
- User A has been assigned Reviewer rights on System A, Account B1, and File C1 via Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because assignment to a Collection containing an Account or File is more specific than a collection containing just the System. User A may still Approve requests to all accounts on System C and all of C’s files with the exception of File C1.
- Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that as with above, the Group B to Collection B assignment of Request rights for User A on File C1 override the Approver rights from Group A.
- Since User A is in both Groups A and B the user has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined.
- User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment User B grants Review to Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account in a Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) to Account B1 that would have replaced the Denied assignment on System B, but only for that one account.
- User B also has Review rights on all Accounts and Files on System A and File C1 on System C.
- User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions to System A and File C1.
- User D has been granted ISA rights over Collection A. This assignment takes precedence over D’s Request permission on System A, which is through the Group B to Collection B. D still retains the Request permissions on Account B1 and File C1 from the Group assignment, however that removes D’s ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B).
Where there is more than one permission granted at the same level of the permission hierarchy those permissions are combined, as long as one of those permissions is not “Denied”. If a User is in 3 different groups (A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor) the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System.