How are conflicting permissions handled?


#1

When a user is given multiple AdminGroups or Roles which have conflicting permissions, how are those handled? Is it handled in order of which permission is read first or last?

For example if I have a user with the C3.Group.ReadAll group but I also assign them a custom role that has this permission:

deny:ExampleType::*

Would the user be able to do a fetch on the ExampleType?


#2

I believe they are OR’d. See topic documentation at:
<your-env>/documentation/topic/tutorial-access-control


#3

"Note that these permissions are OR-ed, so that a user needs at least one but not both access paths defined in order to access an object. So even if we deny access fetching any HotDog objects through an ActionCondition like "HotDogStand:read::(meta.createdBy == 'owner')", a User will still be able to fetch HotDogs for which there is an AclPrivilege defined that finds a path from a HotDog to that User."


#4

From <your-env>/documentation/topic/access-control: Permissions within the same Role have an AND relationship and Permissions across different Roles have an OR relationship.

  • allow AND deny = deny
  • allow OR deny = allow

In the example you gave above, the user will be able to fetch ExampleType objects.
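The combination rule quoted in the last two replies (AND within a Role, OR across Roles) is easy to get wrong in practice, because a deny placed in a separate Role is silently overridden by any other Role that allows. The following is an added example, not C3 AI's implementation or documentation: a toy evaluator that models those two rules, with the permission string syntax `allow:Type::action` / `deny:Type::*` and the treatment of C3.Group.ReadAll as a Role granting `read` on every type both assumed for illustration. It reproduces the scenario from the question (fetch is allowed) and the contrasting case where the same deny sits inside the same Role as the allow (fetch is denied).

```python
"""Toy model of the quoted rule: permissions within one Role are AND-ed,
Roles are OR-ed.  Illustration only, not C3 AI's real access-control code.
The 'allow:Type::action' / 'deny:Type::*' string syntax is assumed here;
the only form taken from the thread is 'deny:ExampleType::*'.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Role:
    name: str
    permissions: list  # e.g. ["allow:*::read", "deny:ExampleType::*"]


def _parse(perm):
    # "deny:ExampleType::*" -> ("deny", "ExampleType", "*")
    effect, rest = perm.split(":", 1)
    type_pattern, action_pattern = rest.split("::", 1)
    return effect, type_pattern, action_pattern


def _matches(perm, type_name, action):
    _, type_pattern, action_pattern = _parse(perm)
    return fnmatch(type_name, type_pattern) and fnmatch(action, action_pattern)


def role_allows(role, type_name, action):
    """AND within a Role: at least one permission must match, and every
    matching permission must be an allow (allow AND deny = deny)."""
    matching = [p for p in role.permissions if _matches(p, type_name, action)]
    if not matching:
        return False
    return all(_parse(p)[0] == "allow" for p in matching)


def user_allowed(roles, type_name, action):
    """OR across Roles: a single allowing Role is enough (allow OR deny = allow)."""
    return any(role_allows(r, type_name, action) for r in roles)


def question_scenario():
    # The situation from the question: ReadAll (assumed to allow read on
    # every type) in one Role, the deny in a separate custom Role.
    read_all = Role("C3.Group.ReadAll", ["allow:*::read"])
    custom = Role("CustomDeny", ["deny:ExampleType::*"])
    return user_allowed([read_all, custom], "ExampleType", "read")  # True


def same_role_scenario():
    # Same two permissions, but inside one Role: the deny now wins.
    merged = Role("Merged", ["allow:*::read", "deny:ExampleType::*"])
    return user_allowed([merged], "ExampleType", "read")  # False


if __name__ == "__main__":
    print("deny in separate role, fetch allowed:", question_scenario())
    print("deny in same role, fetch allowed:", same_role_scenario())
```

The practical consequence is the one the replies point at: a deny only restricts access if it is placed in every Role that would otherwise grant it, so auditing a user's effective access means taking the union of what each Role grants, not looking for any deny anywhere.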