If you want to create a complex folder structure with several nesting levels and set different group permissions, it might be useful to know how the permission priority order is implemented in the Documents module.
There are three levels of priorities in the Documents module (listed in order of increasing importance):
- Folder hierarchy: Parent folders and Subfolders
- If you do not specify certain permissions on a subfolder, the subfolder inherits the parent folder permissions.
- If some specific permissions on a subfolder are set, permissions on the subfolder have the higher priority than permissions on its parent folder.
- Profile: Everyone, Groups, User, Admin
- User permissions have the higher priority than group permissions (i.e. you can assign permissions to an individual user, no matter which permissions has a group he/she belongs to).
- There is no group hierarchy, all groups are equal (i.e. one group cannot have priority over another).
Four levels of priority (listed in order of increasing importance):
- Access rights: Full Access, Read Only, Access Denied
- Access Denied access rights have the higher priority than Read Only access rights.
- Read Only access rights have the higher priority than Full Access access rights.
- If a user belongs to several groups with different permissions on a folder, the user has access rights with the higher priority.
When a user is trying to access a shared folder, the permissions is checked in accordance with the priority order above:
- if the current folder has permissions that differ from the parent folder permissions,
- which profile-based permissions are specified on the current folder,
- which access rights has the user.
The following example illustrates the scenario when a user belongs to a group with Full Access permissions on the parent folder and Read Only permissions on the nested folder, while the user has been granted with individual Full Access permissions on the nested folder.
The following examples illustrate the scenarios when a user belongs to several groups with different permissions on a folder.
If the first group has Full Access permissions on a folder and the second group has Read Only permissions on the same folder, the user who belongs to both the groups at the same time has permissions with the higher priority (in this case, Read Only).
If a user belongs to a group that does not have access to the folder and to a group with Read Only access, Access Denied permissions have the higher priority, consequently, the user does not have access to the folder.
If you want the user to have other access type, you need to provide individual permissions to him/her.
If a folder contains several subfolders, you can change permissions on the subfolders independently from the parent folder permissions.
If one and the same user belongs to several groups with different permissions, his/her permissions on every nested folder can be different depending on the permissions specified for each of the groups.