Scenario 3: Restricted access within a division
Employees within a division of your company require read access to the same set of objects (campaigns, offers, templates, and so on), but they are allowed to edit and delete only their own objects and objects in folders that they own.
Solution
Define a Read-Only role that grants only read permissions on objects. Assign all users within the division to this role. Keep the default permissions as defined for the Owner and Folder Owner roles.
*
If your company requires only a single security policy, you can use the global policy and assign all users to the Review role.
Each user is allowed to edit or delete their own objects (under the Owner role) and objects in their own folders (under the Folder Owner role), but only view objects and folders owned by others (under the Read-Only role).
The following table shows a sample subset of the object permissions for this scenario.
Object permissions for Scenario 3
Functions/Role
Folder Owner
Object Owner
Reviewer
Campaigns
permissions granted
permissions granted
permissions inherited
*
Add Campaigns
permissions granted
permissions granted
permissions blocked
*
Edit Campaigns
permissions granted
permissions granted
permissions blocked
*
Delete Campaigns
permissions granted
permissions granted
permissions blocked
*
View Campaign Summary
permissions granted
permissions granted
permissions granted
Offers
permissions granted
permissions granted
permissions inherited
*
Add Offers
permissions granted
permissions granted
permissions blocked
*
Edit Offers
permissions granted
permissions granted
permissions blocked
*
Delete Offers
permissions granted
permissions granted
permissions blocked
*
View Offer Summary
permissions granted
permissions granted
permissions granted
Copyright IBM Corporation 2015. All Rights Reserved.