Access privileges for users in multiple groups
A user might belong to more than one group. At the same time, access can be allowed or denied to any group. A well-defined logic applies to this situation so that you can determine if the user has access or not. The rule is: The access privileges closest to the user prevail. This concept is explained further below.
Say that User A belongs to multiple groups, shown in the following illustration. More specifically, User A and User B are both members of the All Employees Group, and another group known as the Template Group. User C, however, is not a member of the Template Group. What happens as access is denied to these groups? First, we will deny access to the All Employees group, and then the Template Group.
Before we get into that, however, let's establish a baseline by examining the following case. The following illustration is a version of the User Permissions tab that has been modified to simultaneously show the permissions for all the users and groups listed in the box. (In reality, you need to select the name in the box to see if that user or group has been allowed or denied.) In this case, All Employees, Template Group, and User A are all explicitly allowed. Although User B and User C are not shown in the box below, they are also implicitly allowed because they are members of All Employees and Template Group.
Now, let's say that you do not want everyone in the company to have access to this template. So, you deny permission to All Employees. The User Permissions tab would now appear similar to the following illustration. All the members of the Template Group are allowed access. User A is not only a member of the Template Group (implicit), but is also listed in the box explicitly. So User A is allowed access both explicitly and implicitly. User B is a member of the Template Group and has access implicitly through membership in that group, but does not have explicit access.
But remember User C who previously had access to this template? User C is only a member of All Employees, and because the All Employees Group has been denied access, User C can no longer access this template.
Finally, let's say that you deny access to the Template Group because you want them to use another template. However, you want User A to keep using this same template. User A still has access because User A is explicitly listed here, and access is therefore allowed.
Now remember User B who previously had access to this template? Because User B is a member of the Template Group, and access is denied to that Group, User B can no longer access this template. The only person who can access the template is User A.
In the case of two top-level group hierarchies, the process has an added twist. The same user could be allowed access in one and not the other. An example of this case is shown in the following illustration. The same rule applies: The access privileges closest to the user prevail. In the following illustration, User A still has access.
In the case of a "tie," the allow setting wins. In the following illustration, say you deny access to User A in the Template Group, but allow access to User A in the All Employees Group. User A will still have access.
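The walkthrough above can be checked with a small resolver. This is an added example, not the product's own code: `resolve_access`, the membership maps and the permission tables are hypothetical names with constructed data. It assumes the Template Group is nested inside All Employees for the walkthrough, that the two groups sit side by side for the tie case, and that a user with no applicable entry has no access.

```python
def resolve_access(user, member_of, acl):
    """Return True if `user` may access the template.

    member_of: principal -> groups it belongs to directly (assumed model).
    acl:       principal -> "allow" or "deny" as set on the template.
    """
    seen = {user}
    level = [user]                       # distance 0: the user's own entry
    while level:
        settings = {acl[p] for p in level if p in acl}
        if settings:
            # The closest level with an entry decides; on a tie, allow wins.
            return "allow" in settings
        parents = []
        for principal in level:
            for group in member_of.get(principal, []):
                if group not in seen:
                    seen.add(group)
                    parents.append(group)
        level = parents                  # move one step further from the user
    return False                         # assumption: no entry means no access

# Constructed data: one hierarchy, Template Group inside All Employees.
NESTED = {
    "User A": ["Template Group"],
    "User B": ["Template Group"],
    "User C": ["All Employees"],
    "Template Group": ["All Employees"],
}
# Constructed data: User A belongs directly to two separate groups.
SIDE_BY_SIDE = {"User A": ["Template Group", "All Employees"]}

BASELINE = {"All Employees": "allow", "Template Group": "allow", "User A": "allow"}
STEP1 = {"All Employees": "deny", "Template Group": "allow", "User A": "allow"}
STEP2 = {"All Employees": "deny", "Template Group": "deny", "User A": "allow"}
TIE = {"Template Group": "deny", "All Employees": "allow"}

if __name__ == "__main__":
    for label, acl in (("baseline", BASELINE), ("step 1", STEP1), ("step 2", STEP2)):
        for user in ("User A", "User B", "User C"):
            print(label, user, resolve_access(user, NESTED, acl))
    print("tie", "User A", resolve_access("User A", SIDE_BY_SIDE, TIE))
```

When auditing a real permission list, the entry to look for is an explicit allow on a single user: as in the last step of the walkthrough, it survives a deny on every group that user belongs to.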