Need to be able to assign different rights at different folder levels.

Information:

I have a thought on the current functionality of the rights framework in ZCM.
If an administrator has the following rights:

/Bundles
    Allow -> Assign Bundle right
    Deny -> all other rights

/Bundles/Security
    Allow -> all bundle rights


In this case, if we log in to ZCC as the above administrator and go to the /Bundle/Security folder, only the "Assign Bundle" functionality works; all the remaining functions (Create/Delete) do not work, even though he has all rights for that bundle folder. This means we are doing the "and" of the current and parent folder rights. If we "and" an "allow" and a "deny", the output is always "deny".


In this way I cannot address the use case of denying most of the rights on all folders and allowing all rights on one folder (the example above). I had this doubt long ago while testing the rights functionality but forgot to check with you. Now a customer has come with this use case.


I have a thought on how to address this use case without affecting others: instead of doing the "and" operation between child and parent folder rights, give precedence to the rights of the closest parent folder (whoever has rights) of that object.
If the folder hierarchy is like Bundle->F1->F2 (inside F1)->F3 (inside F2)->F4 (inside F3) and the admin has rights to the F1 and F3 folders, then objects under folders F3 and F4 get the rights configured at the F3 folder, irrespective of the rights configured at the F1 folder.

Allow to assign rights to a user in zcc and have different rights at each folder level.

Comments

  • It is a rather common concept (at least on Windows) to have "Deny" definitions override any subsequent "Allow"s. As of current, you can use "Unset" instead of "Deny" to get exactly what you're asking for. As this is a design decision and is working as expected by a vast majority of admins, I cannot see a way to change this behavior without breaking almost anything concerning user rights in ZCC.
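
The two evaluation models discussed in this thread, side by side, as an added example (a simplified model, not ZCM's code and not written by the poster or the commenter). The right names, the folder `/Bundles/Other`, and the rule that an unset right is not granted are assumptions made for illustration.

```python
from pathlib import PurePosixPath

ALLOW, DENY, UNSET = "allow", "deny", "unset"
RIGHTS = ("assign", "create", "delete")  # assumed, simplified set of bundle rights


def chain(folder):
    """Yield an absolute folder path and each ancestor, closest first."""
    p = PurePosixPath(folder)
    while str(p) not in ("/", "."):
        yield str(p)
        p = p.parent


def deny_overrides(acl, folder, right):
    """Behaviour described in the post: a Deny on any ancestor wins."""
    states = [acl.get(f, {}).get(right, UNSET) for f in chain(folder)]
    return DENY not in states and ALLOW in states


def closest_folder(acl, folder, right):
    """Proposal in the post: the nearest folder with configured rights decides."""
    for f in chain(folder):
        if f in acl:
            return acl[f].get(right, UNSET) == ALLOW
    return False


def folder_rights(evaluate, acl, folder):
    """Return the set of rights the given evaluator grants at a folder."""
    return {r for r in RIGHTS if evaluate(acl, folder, r)}


ALL_ALLOW = {r: ALLOW for r in RIGHTS}
# Constructed configuration from the post: Deny everything but Assign at /Bundles.
with_deny = {"/Bundles": {"assign": ALLOW, "create": DENY, "delete": DENY},
             "/Bundles/Security": ALL_ALLOW}
# Same intent with Unset in place of Deny, as the comment suggests.
with_unset = {"/Bundles": {"assign": ALLOW}, "/Bundles/Security": ALL_ALLOW}

if __name__ == "__main__":
    cases = (("deny-overrides + Deny", deny_overrides, with_deny),
             ("closest-folder + Deny", closest_folder, with_deny),
             ("deny-overrides + Unset", deny_overrides, with_unset))
    for name, ev, acl in cases:
        for folder in ("/Bundles/Security", "/Bundles/Other"):
            print(f"{name:24} {folder:18} {sorted(folder_rights(ev, acl, folder))}")
```

Under the closest-folder model, a Deny at `/Bundles` stops constraining any subfolder that has its own rights entry, so a review of effective rights has to look at every folder-level entry rather than only the top-level Deny.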