Summary

User membership rights overrule group membership rights and role assignment rights.

Symptoms

User permissions override group permissions. A denial at the user level is ignored when the user is also assigned to a role.

Solution

A user in a project gets permissions (view, download, change properties etc) from different sides:

  • Permissions from the user itself if the user is invited directly into the project
  • Permissions from one or multiple groups in which the user sits, if these groups are invited to the project
  • Permissions from roles in the project to which the user is assigned, either directly or via a group (if you invite a group as the role assignee, the users in that group can do what the role allows)

This raises the question of what happens when these permissions conflict. Examples of conflicts:

  • The user's permission is broader than group or role permissions (for one of the properties)
  • The user's permission is narrower than group or role permissions
  • The group permissions are different
  • The role permissions are different

WebCenter 12 behavior (and I really hope I have it right now…)

User permissions overrule group permissions, no matter whether the user is invited via a role or not.

You probably don’t (fully) understand this sentence, so I will go into more detail now…

In order to determine the permissions of the current user in a project, WebCenter will:

  1. First look for all invitations in person. This can be under your own name or via a role.
  2. If this is the case:
    1. Your permissions are the sum of your personal memberships. So if you are invited personally (without a role) and also with a role, for each permission the most permissive setting is taken.
    2. Group permissions and role-via-group permissions are NOT taken into account.
  3. If this is NOT the case (so you are only invited via a group or via a role assigned to a group, and your personal name appears nowhere in the members table):
    1. Your permission is the sum of your group memberships (via role or not).

WebCenter 12.1 behavior

(Only) personal/simple user permissions (not via a role) overrule group and role permissions

In order to determine the permissions of the current user in a project, WebCenter will:

  1. First look for an invitation in person, not via a role.
  2. If this is the case:
    1. Your permissions are just the permissions found for this person.
    2. All other permissions (via role or via group) are NOT taken into account.
  3. If this is NOT the case:
    1. Your permission is the sum of your role memberships as a user and your group memberships (via role or not).

Example 1: No Roles

  • User1 is invited personally (no role) and via a group Group1 (no role).
  • User1 has view rights only.
  • Group1 has full rights.
  • Outcome: User1 has view rights only. The group rights are denied because the user permission overrules them.
  • Typically seen as a good solution. Although somewhat unexpected at times, it draws little criticism. Note that all decisions here are taken by the project manager…
  • No difference between WCR 12 and WCR 12.1.

Example 2: User and Direct Role

  • User2 is invited personally (no role) and as MARKETING role (so the marketing role is assigned to User2, not to a group in which User2 sits).
  • User2 has view rights only.
  • MARKETING role has full rights.
  • Outcome WCR12: User2 has full rights. The user permissions are added since they are considered to be on the same level.
  • Outcome WCR12.1: User2 has view rights only. The personal user rights overrule the role rights.
    • This is criticized because the situation can build up through the following sequence of WebCenter operations:
    • The Project Manager adds User2 as a normal user with, for example, only view rights. This can be done via Add more members during project creation.
    • Via a task or another method, the user is invited in the MARKETING role with more rights.
    • A task is given to the marketing role to execute work, including uploading a document.
    • This fails for lack of rights, since the rights given to MARKETING are disregarded in favor of the direct user rights.

Example 3: Direct role and Group

  • User3 is invited via a group SOMEUSERS and personally as MARKETING role (so the marketing role is assigned to User3, not to a group in which User3 sits)
  • SOMEUSERS has view, download and edit approval rights
  • MARKETING role has view, download and edit task rights
  • Outcome WCR12: User3 has view and download rights. The rights assigned to SOMEUSERS are not granted.
    • This was criticized by customers: people assigning the marketing role to User3 don’t realize that User3 will lose rights because of it. Many anomalies are possible, such as people losing access to folders they have added documents to. Generally people don’t expect a role assignment to limit their rights.
  • Outcome WCR12.1: The rights of the group and the role will be added so User3 has view, download, edit approval and edit task rights.

Example 4: Group role and Group

  • User4 is invited via a group SOMEUSERS. User4 is also member of group MARKETEERS, which is invited in the project as MARKETING role
  • SOMEUSERS has view, download and edit approval rights
  • MARKETING role has view, download and edit task rights
  • Outcome WCR 12 and WCR12.1: The rights of the group and the role will be added so User4 has view, download, edit approval and edit task rights.
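To make the two resolution rules and the four examples concrete, here is an added Python model of the algorithm described above (WebCenter 12 versus 12.1). It is not Esko code; the right names, group membership and member-table rows are constructed to mirror Examples 1 to 4.

```python
from itertools import chain

# Constructed right names; WebCenter has more, these suffice for the examples
VIEW, DOWNLOAD, EDIT_APPROVAL, EDIT_TASK = "view", "download", "edit approval", "edit task"
FULL = {VIEW, DOWNLOAD, EDIT_APPROVAL, EDIT_TASK, "change properties"}

def resolve(user, members, groups, version):
    """Effective rights of `user` in one project (model of the rules in this article).

    members: rows (assignee, role, rights) of the project's member table; assignee is a
             user or group name, role is None for a plain (non-role) invitation.
    groups:  dict mapping group name -> set of user names.
    version: "12" or "12.1", selecting which resolution rule applies.
    """
    personal = [r for a, role, r in members if a == user and role is None]
    as_role_user = [r for a, role, r in members if a == user and role is not None]
    via_group = [r for a, role, r in members if a in groups and user in groups[a]]

    def merge(grants):  # sum of memberships: the most permissive setting wins per right
        return frozenset(chain.from_iterable(grants))

    if version == "12":
        # Any row naming the user (plain or role) counts as personal; groups are then ignored
        if personal or as_role_user:
            return merge(personal + as_role_user)
        return merge(via_group)
    if version == "12.1":
        # Only a plain personal invitation overrules; otherwise role and group rights are summed
        if personal:
            return merge(personal)
        return merge(as_role_user + via_group)
    raise ValueError(f"unknown WebCenter version {version!r}")

# Constructed group membership and member tables mirroring Examples 1-4 above
GROUPS = {"Group1": {"User1"}, "SOMEUSERS": {"User3", "User4"}, "MARKETEERS": {"User4"}}
EXAMPLES = {
    1: ("User1", [("User1", None, {VIEW}), ("Group1", None, FULL)]),
    2: ("User2", [("User2", None, {VIEW}), ("User2", "MARKETING", FULL)]),
    3: ("User3", [("SOMEUSERS", None, {VIEW, DOWNLOAD, EDIT_APPROVAL}),
                  ("User3", "MARKETING", {VIEW, DOWNLOAD, EDIT_TASK})]),
    4: ("User4", [("SOMEUSERS", None, {VIEW, DOWNLOAD, EDIT_APPROVAL}),
                  ("MARKETEERS", "MARKETING", {VIEW, DOWNLOAD, EDIT_TASK})]),
}

def effective(example, version):
    user, members = EXAMPLES[example]
    return resolve(user, members, GROUPS, version)

if __name__ == "__main__":
    for n in EXAMPLES:
        for v in ("12", "12.1"):
            print(f"Example {n}, WebCenter {v}: {sorted(effective(n, v))}")
```

Running it reproduces the outcomes listed above: Example 2 flips from full rights to view-only between 12 and 12.1, Example 3 gains the group rights in 12.1, and Examples 1 and 4 are unchanged.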

Workaround

The typical case is one where a user has too restricted rights in person and the customer hopes that group/role assignments will extend those rights. To extend the rights, you must assign them to the user in person.

Generally it is good practice not to invite users in person without a role when you plan to use roles in a project.

Future outlook

For WebCenter 12.1.1 we plan to automate the above workaround in the following way:

  • When a user who is already invited to the project in person is assigned to a role (directly or via a group), the personal rights will be extended with the role rights. (The rights will not be taken away again when the user is de-assigned from the role.)

Article information

Applies to:

  • WebCenter 12
  • WebCenter 10.2
  • WebCenter 10.1
  • WebCenter 10

Created: 22-Apr-13
Last revised: 22-Apr-13
Author: HADW