DIRECTORY SERVICES


Precedence rules used to resolve access conflicts at a target
When you select a target in the "Extended Access at: target" dialog box, by default the dialog box shows all the subjects in the extended ACL that have access settings for the target. This includes subjects whose access is set at a higher target and inherited by this one through the scope "This container and all descendants." (You can select "Show Modified" to see only the subjects with access set directly at the target.)

More than one subject that is shown at a selected target can apply to a particular user. For example, a user might be a member of two groups, both of which have access set to the target O=Acme. The following precedence rules are applied to determine the access a user has to a target when there are multiple subjects that apply to the user at the target.

Note Even after precedence rules are applied, a user's access can never exceed the access the database ACL allows the user.

1. Access set for a subject with the scope "This container only" takes precedence over access set for a subject with the scope "This container and all descendants," regardless of subject type. For example, the access set for the subject */Acme with the scope "This container only" takes precedence over the access set for the subject Kathy Brown/Acme with the scope "This container and all descendants."

2. Among subjects with the same scope, access for a more-specific type of subject takes precedence over access for a less-specific type of subject. The order of subject specificity, from most specific to least specific, is:


3. When evaluating more than one group subject or more than one wildcard subject, the access settings of the subjects are combined, with Deny access taking precedence over Allow access. For example, if the group Admins/Acme denies Write access and allows all other access, and the group Managers/Acme denies Create access and allows all other access, users that are members of both groups are denied Write and Create access and allowed all other access.

Tip To determine a user's effective access to an extended ACL target after extended access settings and database access are evaluated, select the target in the "Extended Access at target" dialog box, then click Effective Access.

Examples of precedence rules
Each example lists two subjects that both apply to the same user at the target, the combined access (which can never exceed the access granted in the database ACL), and the rule applied.

Example 1
Subject 1: */Acme
Scope: "This container and all descendants"
Allow: Read, Browse
Deny: Create, Delete, Write

Subject 2: */Acme
Scope: "This container only"
Allow: Create, Delete, Write
Deny: Read, Browse

Combined access: Allow: Create, Delete, Write; Deny: Read, Browse
Rule applied: Rule 1

Example 2
Subject 1: Admins/Acme group
Scope: "This container and all descendants"
Allow: All

Subject 2: */Acme
Scope: "This container and all descendants"
Deny: All

Combined access: Allow: All
Rule applied: Rule 2

Example 3
Subject 1: Admins/Acme group
Scope: "This container and all descendants"
Allow: Read, Browse
Deny: Create, Delete, Write

Subject 2: Managers/Acme group
Scope: "This container and all descendants"
Allow: Create, Delete, Write
Deny: Read, Browse

Combined access: Deny: All
Rule applied: Rule 3
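The three precedence rules and the database ACL cap, as an added worked example in Python (this is illustrative code written for this page, not part of Domino or its documentation). It evaluates the rows of the examples table for a constructed user, Kathy Brown/Acme. Two things are assumptions: the specificity ranking for rule 2 (user name, then group, then wildcard, since the page's own list is not shown here), and that when no extended subject applies only the database ACL governs. The wildcard matcher, the Subject class and the function names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

ALL_RIGHTS = frozenset({"Read", "Browse", "Create", "Delete", "Write"})

# Scope names exactly as the dialog box shows them.
CONTAINER_ONLY = "This container only"
CONTAINER_AND_DESCENDANTS = "This container and all descendants"

# Assumed specificity ranking for rule 2, most specific first
# (the page's own list is not reproduced here, so this order is an assumption).
SPECIFICITY = {"user": 0, "group": 1, "wildcard": 2}


@dataclass(frozen=True)
class Subject:
    """One entry in the extended ACL at the selected target (constructed type)."""
    name: str                               # "Kathy Brown/Acme", "Admins/Acme" or "*/Acme"
    kind: str                               # "user", "group" or "wildcard"
    scope: str                              # CONTAINER_ONLY or CONTAINER_AND_DESCENDANTS
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()


def applies_to(subject: Subject, user: str, groups: Iterable[str]) -> bool:
    """Does this subject match the user by name, group membership or wildcard?"""
    if subject.kind == "user":
        return subject.name == user
    if subject.kind == "group":
        return subject.name in set(groups)
    if subject.kind == "wildcard":
        # "*/Acme" matches any hierarchical name under /Acme (constructed matcher).
        return user.endswith(subject.name.lstrip("*"))
    raise ValueError(f"unknown subject kind: {subject.kind}")


def effective_access(subjects: List[Subject], user: str, groups: Iterable[str],
                     db_acl_rights: Iterable[str]) -> Tuple[FrozenSet[str], str]:
    """Apply rules 1-3 to the subjects that match the user, then cap by the database ACL.

    Returns (allowed rights, label of the rule that decided the outcome).
    """
    applicable = [s for s in subjects if applies_to(s, user, groups)]
    if not applicable:
        # Assumption: with no extended setting at the target, only the database ACL applies.
        return frozenset(db_acl_rights), "no extended subject applies"

    rule = "single subject"

    # Rule 1: "This container only" beats "This container and all descendants".
    local = [s for s in applicable if s.scope == CONTAINER_ONLY]
    if local and len(local) < len(applicable):
        applicable, rule = local, "Rule 1"

    # Rule 2: among subjects with the same scope, the most specific type wins.
    best = min(SPECIFICITY[s.kind] for s in applicable)
    specific = [s for s in applicable if SPECIFICITY[s.kind] == best]
    if len(specific) < len(applicable):
        applicable, rule = specific, "Rule 2"
    elif len(applicable) > 1 and rule == "single subject":
        rule = "Rule 3"

    # Rule 3: combine what remains; a Deny of a right overrides any Allow of it.
    allowed = frozenset().union(*(s.allow for s in applicable))
    denied = frozenset().union(*(s.deny for s in applicable))
    combined = allowed - denied

    # Extended access can never exceed what the database ACL grants.
    return combined & frozenset(db_acl_rights), rule


# The three rows of the examples table, as constructed data.
WILDCARD_DESC = Subject("*/Acme", "wildcard", CONTAINER_AND_DESCENDANTS,
                        allow=frozenset({"Read", "Browse"}),
                        deny=frozenset({"Create", "Delete", "Write"}))
WILDCARD_LOCAL = Subject("*/Acme", "wildcard", CONTAINER_ONLY,
                         allow=frozenset({"Create", "Delete", "Write"}),
                         deny=frozenset({"Read", "Browse"}))
ADMINS_ALL = Subject("Admins/Acme", "group", CONTAINER_AND_DESCENDANTS, allow=ALL_RIGHTS)
WILDCARD_DENY_ALL = Subject("*/Acme", "wildcard", CONTAINER_AND_DESCENDANTS, deny=ALL_RIGHTS)
ADMINS_READ = Subject("Admins/Acme", "group", CONTAINER_AND_DESCENDANTS,
                      allow=frozenset({"Read", "Browse"}),
                      deny=frozenset({"Create", "Delete", "Write"}))
MANAGERS_WRITE = Subject("Managers/Acme", "group", CONTAINER_AND_DESCENDANTS,
                         allow=frozenset({"Create", "Delete", "Write"}),
                         deny=frozenset({"Read", "Browse"}))


def table_examples():
    """Evaluate each table row for the constructed user Kathy Brown/Acme."""
    user = "Kathy Brown/Acme"
    return {
        "row1": effective_access([WILDCARD_DESC, WILDCARD_LOCAL], user, [], ALL_RIGHTS),
        "row2": effective_access([ADMINS_ALL, WILDCARD_DENY_ALL], user,
                                 ["Admins/Acme"], ALL_RIGHTS),
        "row3": effective_access([ADMINS_READ, MANAGERS_WRITE], user,
                                 ["Admins/Acme", "Managers/Acme"], ALL_RIGHTS),
    }


if __name__ == "__main__":
    for row, (rights, rule) in table_examples().items():
        print(row, sorted(rights) or "Deny: All", rule)
```

Passing a smaller database ACL (for example only Read) to effective_access shows the cap in the Note above: a Rule 2 outcome of "Allow: All" collapses to Read alone, which is what the Effective Access button in the dialog box reports after both layers are evaluated.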