ObjectPrincipal Object | Crystal Enterprise InfoStore Library
This object stores a principal's security information; that is, it gives you access to the roles, rights, and limits for specific users or groups. It also determines whether the principal can inherit rights from a group or parent folder. A principal that has been given explicit rights to an object can be retrieved from the ObjectPrincipals Collection; a principal whose rights are inherited or whose rights have not been specified is stored on the system and can be retrieved with the AnyPrincipal Property.
A role, or access mode, is a predefined set of object rights that allows you to set common object security levels quickly. Roles are designed to cover the most common sets of security rights, and can be applied to the principal with the Role Property. It is recommended that you start by using roles, and then apply more granular rights if necessary. The rights that are listed for each role are always granted to the principal, and never denied. See "Appendix A: Object Rights and Access Levels" in the Crystal Enterprise Administrator's Guide for a list of the granular rights granted for each role. When you assign a principal a role, the set of granted rights is automatically added to the principal's SecurityRights Collection.
To set a principal's limits on an object, add the principal to, or retrieve it from, the ObjectPrincipals Collection, and then use the Limits Property to specify a value for each limit. Limits that are explicitly specified or that are inherited from a parent folder or user group are stored in the SecurityLimits Collection.
To set a principal's rights on an object, add the principal to, or retrieve it from, the ObjectPrincipals Collection, and then use the Rights Property to give the principal specific rights. A right can be explicitly granted, explicitly denied, or not specified. Rights that are not specified are any available rights that have not been added to the principal's SecurityRights Collection.
A principal can inherit rights from the groups it belongs to and from the parent folder of the object that it is being granted rights to. When rights are inherited, you can still explicitly set rights on the object. For tips on using folder and group inheritance, see the Crystal Enterprise Administrator's Guide.
Tip: By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.
Crystal Decisions, Inc. http://www.crystaldecisions.com Support services: http://support.crystaldecisions.com