There is one common mistake PD Server administrators often make when trying to set up shared and exclusive access to different objects for different users in the same database.
They enable full access to the entire database for User1 and then use the Deny flag to exclude the user from specific objects within the database (see picture below):
Another cause of this error is granting read access to all users on the entire database in the Server policies (Manage -> Server policies), as you can see here:
This approach is wrong because it allows full read access by default. In this case, a restricted user (User1) will have full read access to all new objects that other users create in the root folder of the database, whether intentionally or by mistake.
In addition, using the Deny flag for routine rights assignment is not recommended because of its specific features. Usually, rights on the server can be assigned correctly without using the Deny flag at all.
Here is a simple example: within a database, the users User1 and User2 should each have a private folder for exclusive access and one common folder for shared access. In this case, you should allow User1 and User2 to access the corresponding database in general, but without any read/modify/add/delete rights on the database itself:
Now you can assign access rights to individual users on specific folders within the database:
- User1 gets full access to the Folder for User1 and the Shared Folder
- User2 gets full access to the Folder for User2 and the Shared Folder
Of course, group objects can also be used here instead of User1 and User2, so that all members of these groups have access only to their own or shared folders and no access to any newly created entries or folders within the database. If new folders or entries for User1 or User2 are later added to the same database, the administrator can assign access rights to individual users or groups on those folders or entries in the Entries and Folders tab. This way, you can ensure at all times that individual users and groups can only see those entries and folders they have been explicitly assigned access to by the admin.
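
The difference between the two setups can be seen in a small model. This is an added example, not Password Depot Server code: the `Policy` class, its evaluation order (explicit Deny, then explicit grant, then database-wide rights) and the object name `New entry by User2` are assumptions made for illustration.

```python
# Simplified model of per-object rights in one database. Assumption: this is
# an illustration only, not Password Depot Server's actual evaluation logic.
from dataclasses import dataclass, field

RIGHTS = frozenset({"read", "modify", "add", "delete"})

@dataclass
class Policy:
    database: dict = field(default_factory=dict)  # user -> rights on whole database
    allow: dict = field(default_factory=dict)     # (user, object) -> granted rights
    deny: dict = field(default_factory=dict)      # (user, object) -> denied rights

    def can(self, user, right, obj):
        if right in self.deny.get((user, obj), ()):
            return False                          # explicit Deny always wins
        if right in self.allow.get((user, obj), ()):
            return True                           # explicit grant on the object
        return right in self.database.get(user, ())  # database-wide fallback

    def readable(self, user, objects):
        return sorted(o for o in objects if self.can(user, "read", o))

# Constructed sample objects in the root folder of the database.
OBJECTS = ["Folder for User1", "Folder for User2", "Shared Folder"]

# Mistaken setup: full access on the database, Deny on the other user's folder.
deny_based = Policy(
    database={"User1": RIGHTS},
    deny={("User1", "Folder for User2"): RIGHTS},
)

# Recommended setup: no rights on the database, explicit grants per folder.
grant_based = Policy(
    database={"User1": frozenset(), "User2": frozenset()},
    allow={(u, f): RIGHTS
           for u in ("User1", "User2")
           for f in (f"Folder for {u}", "Shared Folder")},
)

def exposure_after_new_object(policy, user, new_obj="New entry by User2"):
    """What `user` can read once another user adds `new_obj` to the root folder."""
    return policy.readable(user, OBJECTS + [new_obj])

if __name__ == "__main__":
    print("deny-based :", exposure_after_new_object(deny_based, "User1"))
    print("grant-based:", exposure_after_new_object(grant_based, "User1"))
```

Under the Deny-based setup the new object is readable by User1 as soon as it exists, because nothing denies it; under the grant-based setup it stays invisible until the administrator assigns rights to it.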