How do I set user permissions to ensure users can only see the objects they are allowed to access?


There is one common mistake PD Server administrators often make when trying to set up both shared and exclusive access to different objects for different users in the same database.

They enable full access on the entire database for User1 and also use the Deny flag in order to exclude users from accessing specific objects within the database (see picture below):

 

mceclip0.png

mceclip1.png

 

Another cause of this error is granting read access to all users on the entire database in the server policies (Manage -> Server policies), as you can see here:

 

mceclip2.png

 

This approach is wrong because it allows full read access by default. In this case, a restricted user (User1) will have full read access to all new objects that other users create in the root folder of the database, whether intentionally or by mistake.

In addition, using the Deny flag for routine rights assignment is not recommended because of its specific features. Usually, rights on the server can be assigned correctly without using the Deny flag at all.

Here is a simple example: within a database, User1 and User2 should each have a private folder for exclusive access and one common folder for shared access. In this case, you should allow User1 and User2 to access the corresponding database in general, but you should not grant read, modify, add, or delete access at that level in any case:

 

mceclip4.png

mceclip5.png

 

Now, you can assign access rights to single users on specific folders within the database:

  • User1 gets full access to the Folder for User1 and the Shared Folder
  • User2 gets full access to the Folder for User2 and the Shared Folder

 

mceclip6.png

mceclip7.png

 

Of course, group objects can also be used here instead of User1 and User2, so that all members of these groups have access only to their own or shared folders and no access to any newly created entries or folders within the database. If new folders or entries for User1 or User2 are added to the same database later, the administrator can assign access rights on those folders or entries to single users or groups individually in the Entries and Folders tab. This way, you can ensure at all times that single users and groups can only see those entries and folders to which the admin has explicitly assigned them access.
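The difference between the two setups can be checked with a small model. This is an added example, not Password Depot Server code: it assumes that a right set on a folder is inherited by everything below it and that Deny overrides Allow, and the object names and the new entry are constructed for illustration.

```python
# Simplified model (assumption): a rule on a folder is inherited by everything
# below it, and Deny overrides Allow. Not Password Depot Server's real engine.
from pathlib import PurePosixPath


def covers(rule_path, obj):
    """True if the rule is set on obj itself or on one of its parent folders."""
    r, o = PurePosixPath(rule_path), PurePosixPath(obj)
    return r == o or r in o.parents


def can_read(rules, user, obj):
    """Evaluate all rules of this user that apply to obj."""
    hits = [effect for who, path, effect in rules
            if who == user and covers(path, obj)]
    return "allow" in hits and "deny" not in hits


def visible(rules, user, objects):
    return sorted(o for o in objects if can_read(rules, user, o))


def exposed_by_root_grant(rules, user, objects):
    """Objects the user can read only because of a right set on the database root."""
    narrow = [r for r in rules if r[1] != "/"]
    return sorted(o for o in visible(rules, user, objects)
                  if not can_read(narrow, user, o))


# Setup 1 (the mistake): full access on the whole database plus a Deny exception.
ALLOW_ALL_PLUS_DENY = [("User1", "/", "allow"),
                       ("User1", "/Folder for User2", "deny")]
# Setup 2 (recommended): no rights on the database root, explicit rights per folder.
EXPLICIT_ONLY = [
    ("User1", "/Folder for User1", "allow"), ("User1", "/Shared Folder", "allow"),
    ("User2", "/Folder for User2", "allow"), ("User2", "/Shared Folder", "allow"),
]
OBJECTS = ["/Folder for User1", "/Folder for User2", "/Shared Folder"]
NEW_ENTRY = "/Entry added by User2"  # constructed: created later in the root folder

if __name__ == "__main__":
    for name, rules in [("allow all + Deny", ALLOW_ALL_PLUS_DENY),
                        ("explicit only", EXPLICIT_ONLY)]:
        everything = OBJECTS + [NEW_ENTRY]
        print(name, "-> User1 sees", visible(rules, "User1", everything))
        print("  via root grant only:", exposed_by_root_grant(rules, "User1", everything))
```

In the first setup the new root entry appears in User1's list without any administrator action; in the second it stays hidden until rights are assigned on it explicitly.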

 
