Calculating a user's effective rights

When a user attempts to perform an action on a Crystal Enterprise object, the APS determines the user's rights to that object. If the user possesses sufficient rights, the APS permits the user to perform the requested action.

Although the calculations performed by the APS can become quite complex, there are several ways to keep your object security model clear, consistent, and easy to maintain. For complete details on setting up a system that makes sense for your Crystal Enterprise system, see Customizing a 'top-down' inheritance model.

To calculate the user's effective rights, the APS follows a complex algorithm. This sequence of steps, and its various possible outcomes, is provided for administrators and/or system architects who prefer to know exactly how the APS calculates the rights a user has to any object. The algorithm is described here and then illustrated in a different way using pseudocode:

1. The APS checks the rights that have been directly granted or denied to the user's account. The APS immediately denies any right that is explicitly denied.

   Tip:    If an individual user's account has not been assigned any rights to the object, then group inheritance is enabled by default. As the result, you can make all your object rights settings at the group level to save administrative effort.

2. If folder inheritance is enabled for the user, the APS determines the rights that the user has to the object's parent folder. The APS determines these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The APS denies any right that is explicitly denied (even if the right had already been explicitly granted).
3. If group inheritance is enabled for the user, the APS determines the rights specified on the object for each of the groups that the user belongs to. The APS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
4. If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the APS determines the rights that the group has to the parent folder. The APS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
5. The APS completes the algorithm by denying any rights that remain "Not Specified."

As the result, when both types of inheritance are enabled, the APS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.

When you disable both types of inheritance for a user, you reduce this algorithm to two steps (1 and 5). Thus, the APS grants the user only those rights that he or she has been explicitly granted. This provides you with the least complicated way of ensuring that a user has only those rights that you have explicitly granted to him or her for a particular object.

When you disable folder inheritance for a user, you reduce this algorithm to three steps (1, 3, and 5). When you disable group inheritance for a user, you reduce this algorithm to three different steps (1, 2, and 5). In both cases, the APS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.

This pseudocode is provided as another way to illustrate and describe the algorithm that the APS follows in order to determine whether a user is authorized to perform an action on a particular object:

IF {
    (User granted right to object = True)
    OR    [
        (Inherit Parent Folder Rights = True) AND (User granted right to 
parent folder = True)
        ]
    OR        [
        (Inherit Group Rights = True) AND (Group granted right to object = 
True)
        ]
    OR  [
        (Inherit Group Rights = True) AND (Group granted right to parent 
folder = True)
    ]
}
AND    {
    (User denied right to object = False)
    AND    [
        (Inherit Parent Folder Rights = False)
        OR ((Inherit Parent Folder Rights = True) AND (User denied right to 
parent folder =  False))
        ]
    AND    [
        (Inherit Group Rights = False)
        OR ((Inherit Group Rights = True) AND (Group denied right to object 
= False))
        ]
    AND    [
        (Inherit Group Rights = False)
        OR ((Inherit Group Rights = True) AND (Group denied right to parent 
folder = False))
        ]
}
THEN        {
    User action authorized = True
}
ELSE        {
    User action authorized = False
}