How do I set user permissions so that users can only see the objects they are allowed to access?

PD Server administrators often make one common mistake when they try to organize shared and exclusive access to different objects for different users in the same database.

They enable full access to the entire database for User1 and then use the Deny flag to exclude users from accessing specific objects within the database (see picture below):

 

mceclip0.png

mceclip1.png

 

Another cause of this error is read access to the entire database being granted to all users in the server policies (Manage -> Server policies), as you can see here:

 

mceclip2.png

 

This approach is wrong because it allows full read access by default. In this case, a restricted user (User 1) will have full read access to every new object that other users create in the root folder of the database, whether intentionally or by mistake.

Furthermore, using the Deny flag for routine rights assignment is not recommended because of its specific features. Usually, rights on the server can be assigned correctly without using the Deny flag at all.

Here is a simple example: Within a database, the users User1 and User2 should each have a private folder for exclusive access and one common folder for shared access. In this case, you should allow User1 and User2 to access the database in general, but grant them no read/modify/add/delete access:

 

mceclip4.png

mceclip5.png

 

Now, you can assign access rights to single users on specific folders within the database:

  • User 1 gets full access to the Folder for User 1 and the Shared Folder
  • User 2 gets full access to the Folder for User 2 and the Shared Folder

 

mceclip6.png

mceclip7.png

 

Of course, group objects can also be used here instead of User 1 and User 2, so that all members of these groups have access only to their own or shared folders and no access to any newly created entries or folders within the database. If new folders or entries for User 1 or User 2 are added to the same database later, the administrator can assign access rights on those folders or entries to single users or groups individually in the Entries and Folders tab. This way, you can ensure at all times that single users and groups can only see those entries and folders they have been explicitly assigned access to by the admin.
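The difference between the two layouts can be checked with a small model. This is an added example, not PD Server code: it assumes that an object without its own entry falls back to the database-level right and that Deny overrides Allow, and the folder name "New folder by User2" is constructed.

```python
# Simplified model (assumption: objects without an explicit entry fall back to
# the database-level right; Deny overrides Allow). Not PD Server's own logic.
ALLOW, DENY = "allow", "deny"

class Database:
    def __init__(self, db_level_read):
        self.db_level_read = set(db_level_read)  # users with read on whole database
        self.acl = {}                            # object -> {user: ALLOW | DENY}

    def set_right(self, obj, user, flag):
        self.acl.setdefault(obj, {})[user] = flag

    def add_object(self, obj):
        # A newly created root object starts with no explicit entries.
        self.acl.setdefault(obj, {})

    def can_read(self, user, obj):
        explicit = self.acl[obj].get(user)
        if explicit in (ALLOW, DENY):
            return explicit == ALLOW
        return user in self.db_level_read        # fallback to database level

    def visible_to(self, user):
        return sorted(o for o in self.acl if self.can_read(user, o))

def mistaken_layout():
    # Read access on the whole database, then Deny on the other user's folder.
    db = Database(db_level_read={"User1", "User2"})
    for folder in ("Folder for User 1", "Folder for User 2", "Shared Folder"):
        db.add_object(folder)
    db.set_right("Folder for User 2", "User1", DENY)
    db.set_right("Folder for User 1", "User2", DENY)
    return db

def recommended_layout():
    # No read access at database level; explicit grants per folder only.
    db = Database(db_level_read=set())
    for user, own in (("User1", "Folder for User 1"), ("User2", "Folder for User 2")):
        db.set_right(own, user, ALLOW)
        db.set_right("Shared Folder", user, ALLOW)
    return db

def new_root_object_leaks(db, new_obj="New folder by User2", restricted="User1"):
    # Another user creates an object in the root; can the restricted user read it?
    db.add_object(new_obj)
    return db.can_read(restricted, new_obj)

if __name__ == "__main__":
    print("mistaken layout leaks new object:", new_root_object_leaks(mistaken_layout()))
    print("recommended layout leaks new object:", new_root_object_leaks(recommended_layout()))
```

Both layouts show User1 the same two folders at first; only the first one exposes objects created afterwards.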

 
