Content Server Manual / Version 2110
Table Of ContentsThis section will explain in detail how the rights for a resource are computed from a set of rules. First it is defined if a rule is applicable. A rule is applicable if it is involved in the computation of rights for a certain operation. Look at the following rule table described earlier:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
Article |
X |
X |
- |
- |
- |
- | |
/F1 |
Folder |
X |
- |
- |
- |
- |
Table 3.78. Example rules for rights computation
In the following cases the first rule in the rule table is not applicable:
A user of a different group G2 which is not a subgroup of G wants to operate on a resource.
A user of group G (or a subgroup) wants to operate on a content item in a different folder F2 which is not a subfolder of F1.
A user of group G (or a subgroup) wants to operate on a content item teaser1 in folder F1 (or a subfolder). Content item teaser1 has the content type Teaser, which is not a subtype of Article.
The first rule is applicable only, if
the user is member of group G or a subgroup and
the user operates on a resource in folder F1 or a subfolder of F1 and
the content item has type Article or a subtype of Article.
It is now possible that two or more rules are applicable to a resource. Have a look at the next rule table:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G1 |
/F1 |
Article |
X |
X |
- |
- |
- |
- | |
/F1 |
Folder |
X |
- |
- |
- |
- | |||
G2 |
/F1 |
Article |
X |
- |
X |
- |
- |
- | |
G1 |
/F1/F2 |
Article |
X |
- |
- |
X |
- |
- | |
/F1/F2 |
Folder |
X |
- |
- |
- |
- | |||
G1 |
/F1 |
ShortArticle |
X |
X |
- |
- |
X |
- |
Table 3.79. Example for conflicting rules
Let's assume the following:
G2 is a subgroup of G1,
F2 is a subfolder of F1 and
the content type ShortArticle is a subtype of Article.
Users of group G2 have no EDIT rights on articles in folder F1 but DELETE rights. In subfolder F2 there are no EDIT and DELETE rights for articles but APPROVE rights. And finally there are no DELETE and APPROVE rights for content items of type ShortArticle in F1, but READ, EDIT and PUBLISH rights. There are lots of conflicting situations, for example:
A user of group G2 wants to edit or delete an article content item directly in folder F1.
A user of group G1, not G2, wants to edit, approve or delete an article content item in subfolder F2.
A user of group G1, not G2, wants to edit, approve, delete or publish a short article content item in subfolder F1.
These conflicts are resolved by the definition, that a more specific rule takes precedence over a less specific rule. A rule r1 is more specific than a rule r2 if and only if
SP1.) The group in rule r1 is a subgroup of the group in r2
SP2.) The groups are equal and the resource in rule r1 is located inside the folder of rule r2
SP3.) The groups and the resources are equal and the resource type in rule r1 is a subtype of the resource type in rule r2
Rules are not merged as can be seen from the definition. If you apply the definition, you get the following conflict resolutions for the three examples above:
G2 is a subgroup of G1. From SP1 it follows that the user in group G2 who wants to edit or delete an article content item directly in folder F1, has the rights to READ and DELETE, but not to EDIT.
F2 is located in F1. From SP2 it follows that the user in group G1 who wants to edit, approve or delete an article content item in subfolder F2, has the rights to READ and APPROVE, but not to EDIT and DELETE.
ShortArticle is a subtype of Article. From SP3 it follows that the user, who wants to edit, approve, delete or publish a short article content item in subfolder F1, has the rights to READ, EDIT and PUBLISH, but not to DELETE and APPROVE.
A rule that is preceded by another rule is said to be shaded. A rule is called effective if it is applicable and not shaded. The effective rights of a group, a resource and a resource type are the union of the rights of the effective rules. To explain this, look at the following rule table:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
Article |
X |
X |
- |
- |
- |
- | |
/F1 |
Folder |
X |
- |
- |
- |
- | |||
G |
/F2 |
Article |
X |
- |
- |
X |
- |
- | |
/F2 |
Folder |
X |
- |
- |
- |
- |
Table 3.80. Example rules to compute effective rights
If a user is member of group G then the effective rights for the two folders F1 and F2 are unified, so the user can read articles in both folders, edit articles in F1 and approve articles in F2. Of course the user cannot edit articles in F2 nor can he approve articles in F1.
The effective rights are nearly the rights of a group on a resource for a resource type. There are only three exceptions:
Navigate Through: If there are no effective rules for a Folder F1 and the group has non-empty effective rights for a resource located beneath F1 then the group has implicit READ rights for F1 and the folder type "+". This sounds more complicated than it is. Look at the simple example:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1/F2 |
Article |
X |
X |
- |
- |
- |
- | |
/F1/F2 |
+ |
X |
- |
- |
- |
- |
Table 3.81. Example rules with implicit navigate through right
The user in group G can edit the article in folder F2. There is an implicit navigate through right for folder F1. The example above is equivalent to:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
+ |
X |
- |
- |
- |
- | ||
G |
/F1/F2 |
Article |
X |
X |
- |
- |
- |
- | |
/F1/F2 |
+ |
X |
- |
- |
- |
- |
Table 3.82. Example rules with resolved navigate through right
If the effective rights are not empty, the group also has the implicit READ right for any resource and resource type:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
Article |
- |
X |
- |
- |
- |
- | |
/F1 |
+ |
X |
- |
- |
- |
- |
Table 3.83. Example rules with implicit READ right
In the example above the user in group G has implicit READ right for an article in F1. This is equivalent to:
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
Article |
X |
X |
- |
- |
- |
- | |
/F1 |
Folder |
X |
- |
- |
- |
- |
Table 3.84. Example rules with explicit READ right
If a group has no READ rights on a parent folder for folder type "+", then a child folder has no READ rights at all. The READ right can only be withdrawn explicitly by a rule with empty rights.
Group |
Resource |
Resource Type |
READ |
EDIT |
DELETE |
APPROVE |
PUBLISH |
SUPERVISE |
FOLDER |
---|---|---|---|---|---|---|---|---|---|
G |
/F1 |
Folder |
- |
- |
- |
- |
- | ||
G |
/F1/F2 |
Article |
X |
X |
- |
- |
- |
- | |
/F1/F2 |
Folder |
X |
- |
- |
- |
- |
Table 3.85. Example rules with READ right withdrawn
A user in group G does not have READ rights on folder F2 because there is no READ right for the parent folder F1. To grant READ rights, the right must be explicitly set in the first row or the first row must be removed.
The effective rights of a group on a resource for a resource type with the three exceptions above are displayed in Studio in the User Manager in the Effective Rules tab.