How Campaign evaluates permissions
When a user performs a task or tries to access an object, Campaign performs the following steps:
1.
Identifies all groups and roles to which this user belongs within the global security policy. A user can belong to one, many, or no roles. A user belongs to the Owner role if they own an object; they belong to the Folder Owner role if they own the folder in which an object resides. A user belongs to other roles only if they have been specifically assigned to that role (either directly or because they belong in a group assigned to that role).
2.
Identifies whether the object being accessed has been assigned to a custom-defined policy, if any exist. If so, the system then identifies all groups and roles to which the user belongs within this custom policy.
3.
Aggregates the permissions for all roles to which the user belongs, based on results from steps 1 and 2. Using this composite role, the system evaluates the permissions for the action as follows:
a.
If any roles have Denied permission for this action, then the user is not allowed to perform it.
b.
If no roles have Denied permission for this action, then it checks to determine whether any roles have Granted permission for this action. If so, the user is allowed to perform the action.
c.
If neither a nor b is true, the user is denied the permission.
Copyright IBM Corporation 2015. All Rights Reserved.