PD Server administrators often make one mistake when they try to set up shared and exclusive access to different objects for different users in the same database.
They enable full access on the entire database for User1 and also use the Deny flag in order to exclude users from accessing specific objects within the database (see picture below):
Another cause of this error is that read access to the entire database is granted to all users in the Server policies (Manage -> Server policies), as you can see here:
This approach is wrong because it allows full read access by default. In this case, a restricted user (User 1) will have full read access to every new object that other users create in the root folder of the database, whether intentionally or by mistake.
Furthermore, it is not recommended to use the Deny flag for routine rights assignment because of its specific features. Usually, rights on the server can be assigned correctly without using the Deny flag at all.
Here is a simple example: within a database, the users User1 and User2 should each have a private folder for exclusive access and one common folder for shared access. In this case, you should allow User1 and User2 to access the database in general, but grant them no reading/modifying/adding/deleting access on it:
Now, you can assign access rights to single users on specific folders within the database:
- User 1 gets full access to the Folder for User 1 and the Shared Folder
- User 2 gets full access to the Folder for User 2 and the Shared Folder
Of course, group objects can also be used here instead of User 1 and User 2, so that all members of these groups have access only to their own or shared folders and no access to any newly created entries or folders within the database. If new folders or entries for User 1 or User 2 are added to the same database later, the administrator can assign access rights on those folders or entries to single users or groups individually in the Entries and Folders tab. This way, you can ensure at all times that single users and groups can only see those entries and folders they have been explicitly assigned access to by the admin.
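The difference between the two set-ups can be checked with a small model. This is an added example, not PD Server code: the `Policy` class, the helper functions and the evaluation order (Deny flag first, then a grant on the folder, then the database-wide rights) are simplifying assumptions, and "New Folder" is a constructed object standing for something another user creates later in the root folder.

```python
# Simplified model of the two set-ups; not PD Server's real evaluation logic.
# Assumed order: Deny flag on a folder, then folder grant, then database rights.
FULL = frozenset({"read", "modify", "add", "delete"})
NONE = frozenset()

class Policy:
    def __init__(self, db_rights):
        self.db_rights = db_rights   # user -> rights on the entire database
        self.grants = {}             # (user, folder) -> explicit rights
        self.denies = set()          # (user, folder) pairs with the Deny flag
    def grant(self, user, folder, rights=FULL):
        self.grants[(user, folder)] = rights
    def deny(self, user, folder):
        self.denies.add((user, folder))
    def effective(self, user, folder):
        if (user, folder) in self.denies:
            return NONE
        return self.grants.get((user, folder), self.db_rights.get(user, NONE))

def readable(policy, user, folders):
    return sorted(f for f in folders if "read" in policy.effective(user, f))

def implicit_reads(policy, user, folders):
    # Audit helper: folders readable only through the database-wide default.
    return [f for f in readable(policy, user, folders)
            if (user, f) not in policy.grants]

def deny_based():
    # Full access on the database, Deny flag on the other user's folder.
    p = Policy({"User1": FULL, "User2": FULL})
    p.deny("User1", "Folder for User 2")
    p.deny("User2", "Folder for User 1")
    return p

def grant_based():
    # No read/modify/add/delete on the database, explicit grants per folder.
    p = Policy({"User1": NONE, "User2": NONE})
    for user, own in (("User1", "Folder for User 1"), ("User2", "Folder for User 2")):
        p.grant(user, own)
        p.grant(user, "Shared Folder")
    return p

FOLDERS = ["Folder for User 1", "Folder for User 2", "Shared Folder"]
AFTER = FOLDERS + ["New Folder"]  # constructed: created later by another user

if __name__ == "__main__":
    for name, p in (("deny-based", deny_based()), ("grant-based", grant_based())):
        print(name, "User1 reads:", readable(p, "User1", AFTER))
        print(name, "without explicit grant:", implicit_reads(p, "User1", AFTER))
```

In the deny-based set-up the new folder shows up in User1's readable list without anyone granting it; in the grant-based set-up the audit helper returns an empty list, so every readable folder traces back to an explicit assignment.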