Some Sweeping Generalizations

Access to resources can be inherited from group settings.

Access to resources can be explicitly assigned to a user and override inherited settings. Linking resources at lower levels for users within a subgroup means the users in the subgroup have more access than higher level users in a parent group; access does not flow up.

If there is a conflict in inherited resources, the most permissive wins. For example, if the Human Resources universe is linked at the root or Plastics Express level and then disabled at the descendant, Sales and Marketing level, Sales and Marketing will still have access to Human Resources, as it is more permissive.

Linking and unlinking resources is better than enabling and disabling resources. The inheritance is clearer and the repository tables will be smaller.

For complex column and row-level restrictions, secure data at the database level.

User definitions and command set restrictions are global. Timestamps and profiles are group-specific.

Timestamps affect response time more than other restrictions and can easily be ignored by users changing their local clock settings.

Row restrictions are per universe. Multiple restrictions from different groups that apply to the same universe will all be appended to each query.

While universe, document, and stored procedure restrictions follow a “most permissive” flow, command restrictions do not. When determining command restrictions, the most restrictive are applied. For example, if a group or user has software functionality set to Hidden anywhere, the functionality will be hidden, as it is the most restrictive setting.