Effective Policy

A combination of rules determines whether or not a user can access a particular tool, resource, or ability. Users who belong to multiple groups may be permitted the use of a tool in one group and denied the use of the tool in another. A folder may have no rules explicitly applied to it, but inherit the rules of its parent folder. When a user attempts to access a resource, all of the relevant security rules are evaluated, and the result of the combined rules for the user on that resource is determined. This result is the effective policy for the user on the resource.

Rules that are relevant to the given subject and resource can include:

When a user does not have the abilities that you expect, reviewing the effective policy for users can be a helpful troubleshooting step.

Order of Precedence

Conflicts between rules are resolved by the order of precedence. Listed in descending order, the order of precedence is:

In general, rules are used to permit privileges, because, by default, privileges are not permitted. Privileges not explicitly permitted (by Permit or Over Permit) are denied. By default, privileges are Not Set, which means they are not permitted. When one rule permits a privilege for a user on a resource and another denies it, the privilege is typically denied. (Session privileges are treated differently, as discussed below.) Permitted rules overturn Not Set rules, resulting in an effective policy that permits the privilege. Denied rules overturn Permitted rules (except for session privileges), resulting in an effective policy that denies the privilege. Over Permitted rules overturn Denied rules, resulting in an effective policy that permits the privilege.

No group takes precedence over another group, and user rules do not take precedence over group rules. If you want to grant an individual user a privilege that is denied to one of their groups, a rule that simply permits the privilege for the user on the selected resource is not enough: the rule that denies the privilege to the group is prioritized above the rule that permits it to the user, so the effective policy still denies the privilege. Instead, you must create a rule that Over Permits the privilege to the user, which is prioritized above the rule that denies the privilege to the group.

Over Permitted rules are typically used to address unusual situations, such as when one member of a group needs access to a resource but access is denied to that group. Over Permitted rules can also be used to ensure that a privilege is always permitted to a particular group, no matter what other rules apply. For example, a built-in rule is included that Over Permits the Full Control role to members of the Administrators group on IBFS:/ (the entire file system), with the scope of folder and children. This rule is a safeguard that prevents administrators from losing control of resources within the system if a Denied rule is applied to the EVERYONE group.

The Clear Inheritance rule removes an inherited rule for a role on a resource, changing the access on the resource to Not Set. When a user belongs to multiple roles with overlapping privileges, any privileges shared with the cleared role are evaluated to Not Set.

Session privileges enable menu bar drop-down list items, nodes on the Resources tree, and other global user capabilities, such as many of the buttons in the desktop products. Because session privileges govern access to tools that may be necessary in multiple locations, a session privilege is permitted when it is denied by one rule but permitted by another. For example, if you are able to run deferred procedures in the Sales folder but denied this ability in the Finance folder, you still need access to the Deferred Status interface so that you can see your deferred reports from the Sales folder.
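The precedence rules above (Over Permit over Deny over Permit over Not Set, the group deny versus user permit case, Clear Inheritance, Apply To scope, and the session-privilege exception) as a small Python model. This is an added illustration, not the product's own evaluation code: it assumes rules carry a privilege name directly rather than a role, that Clear Inheritance is recorded per subject and path, and that the subjects passed in are the user name plus all of the user's group names; the privilege name run_deferred and the user and folder names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):   # ordered by precedence: a higher value overturns a lower one
    NOT_SET = 0
    PERMIT = 1
    DENY = 2
    OVER_PERMIT = 3

@dataclass(frozen=True)
class Rule:
    subject: str     # user or group the rule is set for
    path: str        # resource the rule is set on, e.g. "IBFS:/WFC/Sales"
    privilege: str
    access: Access
    apply_to: str = "folder_and_children"   # or "folder" / "children"

def is_under(resource, path):   # resource is path itself or lies below it in the tree
    return resource == path or resource.startswith(path.rstrip("/") + "/")

def in_scope(rule, resource):   # does the rule's Apply To setting reach this resource?
    if rule.apply_to == "folder":
        return resource == rule.path
    if rule.apply_to == "children":
        return resource != rule.path and is_under(resource, rule.path)
    return is_under(resource, rule.path)

def effective_policy(rules, subjects, resource, privilege, session=False, cleared=()):
    """subjects: user name plus its groups; cleared: (subject, path) Clear Inheritance points."""
    found = []
    for r in rules:
        if r.subject not in subjects or r.privilege != privilege or not in_scope(r, resource):
            continue
        if any(s == r.subject and is_under(resource, p) and p != r.path and is_under(p, r.path)
               for s, p in cleared):
            continue   # inherited rule removed by Clear Inheritance at p
        found.append(r.access)
    if not found:
        return Access.NOT_SET
    if session and Access.PERMIT in found:
        found = [a for a in found if a != Access.DENY]   # a permit wins for session privileges
    return max(found)   # otherwise the highest-precedence access decides

# Constructed sample ruleset; "run_deferred" is a hypothetical privilege name.
RULES = [
    Rule("Administrators", "IBFS:/", "opViewRulesOn", Access.OVER_PERMIT),  # built-in safeguard
    Rule("EVERYONE", "IBFS:/", "opViewRulesOn", Access.DENY),
    Rule("Sales", "IBFS:/WFC/Finance", "run_deferred", Access.DENY),
    Rule("alice", "IBFS:/WFC/Finance", "run_deferred", Access.PERMIT),
    Rule("bob", "IBFS:/WFC/Finance", "run_deferred", Access.OVER_PERMIT),
]
```

With these rules, alice's plain Permit loses to her group's Deny on Finance while bob's Over Permit wins, and an administrator keeps opViewRulesOn everywhere despite the Deny on EVERYONE.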

Procedure: How to View the Effective Policy for a User on a Resource

The Effective Policy dialog box indicates why a user does or does not have a certain capability. To view the effective policy of other users, you must be permitted the following privileges:

  • View Rules on a Resource (opViewRulesOn), which enables the Rules on this Resource and Effective Policy options on the Security shortcut menu.
  • Manage Rules on Resources (opManageRulesOn), which enables the Rules option on the Security shortcut menu.

Users with only the View Rules on a Resource privilege may view the effective policy only for themselves, on particular resources. If a user does not have the appropriate privileges, the options to view or manage rules and effective policy will not appear in the shortcut menus.

  1. Right-click a resource and click Security, then Effective Policy.

    The Effective Policy dialog box appears, listing the effective policy calculated for each privilege appearing in a rule on this resource.

    If you have the appropriate privileges, you can select other users from the User drop-down list to see their effective policies.

  2. To show the effective policy for all privileges for this user on this resource, including those not applied to the resource in any rules, select Show all Privileges.
  3. To see how the effective policy for a privilege is evaluated, select the privilege in the Privileges box.

    The Effective Policy dialog box displays the policy evaluation for all the groups to which the user belongs at every level of the hierarchy above the resource, displaying the following information for each level:

    • Path Element.
    • Effective Policy. The access set on this folder by the combination of all applicable rules.
    • Subject.
    • Role.
    • Access. The access set on this folder by rules applying directly to this level of the hierarchy.
    • Apply To. Whether the policy applies to the folder for the path element only, the folder and its children, or only the children of the folder for the path element.
  4. To produce a rich text version of the information produced in the dialog box, select a privilege and click Create Report.