Multiple NACLs on Single Object is not applying permissions to all users

Hi All, 

I have some automatic permissions being applied to a Variation object, driven by two metadata properties, Project and New Project. Each project has its own NACL and, when selected, both NACLs are automatically applied to the Variation object. On first inspection, all appears to be working.

However, only users who exist in both Projects' user groups/NACLs have permissions to read and edit the document. Any user who is unique to either project does not have permissions applied.

Our customer needs users from both Project NACLs to be applied to the object. Any tips on ensuring that users from both NACLs are included in the effective permissions would be appreciated.

  • This is how the effective permissions work when there are multiple sources for permissions. You can think of those sources as layers: the user needs to get at least read rights through every layer to be able to see the object. So in this case you'll need to redesign your permission model so that you will only have one NACL that gives access to both project teams instead of the two.

    If you are currently pushing the permissions from the Project object type, consider if you could disable these automatic permissions and then have one automatic NACL on the Variation class that covers both teams. The NACL would look something like this if you are listing the team members on the Project object metadata:

    • Project.Project manager.M-Files user
    • Project.Project team.M-Files user
    • New Project.Project manager.M-Files user
    • New Project.Project team.M-Files user

    So the same access control list would pick up users from both Project and New Project.
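The layering described in the answer above can be checked with a small model before changing a vault. This is an added example, not part of the original thread and not M-Files code or API. The project names, users, and function names are constructed, and rights are reduced to "has access or not".

```python
# Simplified model of layered permission sources; not M-Files code or API.
# All project names, users, and helper names are constructed for illustration.

PROJECTS = {  # constructed Project objects with team metadata
    "Alpha": {"Project manager": {"anna"}, "Project team": {"bob", "carol"}},
    "Beta": {"Project manager": {"dave"}, "Project team": {"carol", "erin"}},
}
VARIATION = {"Project": "Alpha", "New Project": "Beta"}  # constructed object

def resolve(entry, obj, projects):
    """Resolve an indirect entry like 'Project.Project team.M-Files user'."""
    prop, role = entry.split(".")[:2]
    return set(projects.get(obj.get(prop), {}).get(role, set()))

def nacl_users(entries, obj, projects):
    """Users granted by ONE access control list: the union of its entries."""
    users = set()
    for entry in entries:
        users |= resolve(entry, obj, projects)
    return users

def effective_users(layers, obj, projects):
    """Users who pass EVERY permission source: the intersection of layers."""
    per_layer = [nacl_users(entries, obj, projects) for entries in layers]
    return set.intersection(*per_layer) if per_layer else set()

def locked_out(layers, obj, projects):
    """Users granted by some layer but absent from the effective set."""
    granted = set().union(*(nacl_users(e, obj, projects) for e in layers))
    return granted - effective_users(layers, obj, projects)

# Current design: each project pushes its own NACL, so there are two layers.
TWO_LAYERS = [
    ["Project.Project manager.M-Files user", "Project.Project team.M-Files user"],
    ["New Project.Project manager.M-Files user",
     "New Project.Project team.M-Files user"],
]
# Redesign from the answer: one NACL on the Variation class with all four entries.
ONE_LAYER = [TWO_LAYERS[0] + TWO_LAYERS[1]]

if __name__ == "__main__":
    for name, layers in (("two layers", TWO_LAYERS), ("one layer", ONE_LAYER)):
        print(name, "effective:", sorted(effective_users(layers, VARIATION, PROJECTS)))
        print(name, "locked out:", sorted(locked_out(layers, VARIATION, PROJECTS)))
```
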
