Author Topic: Merging query restriction permissions for multiple usergroups on same app.group?  (Read 1750 times)

davidshe

  • Guest
Hi,

I have a challenge in the OD-administrator to configure permissions for users in multiple groups.
In the documentation, I already found things like: "the user normally obtains the permissions of all of the groups"
That seems valid when permissions do not overlap (like on different folders or application groups), but when permissions overlap:
"When two (or more) groups provide permissions for the same folder, the user obtains the permissions of the group with the lowest GID"

For compliance with GDPR, some documents with a DocumentType (metadata / indexfield) may or may not be seen in the results of a search action.
We use the query restriction option for usergroups in application groups to get this result.

Some users belong to different usergroups. The usergroups have different permissions on the same application group using query restrictions on the DocumentType.
So even when permissions like "view" or "add" may not differ for those groups on the same AG, permissions will differ in combination with a query restriction.
I need to let a user retrieve a selection of documents through one usergroup, and a selection of other documents through another usergroup, using another query restriction.
This concerns the same application group, in which different query restrictions apply to different usergroups to which the same user belongs.

Simplified example:

User X may retrieve DocumentType 1
User Y may retrieve DocumentType 2
User Z may retrieve DocumentType 1+2

User X in UserGroup A
User Y in UserGroup B
User Z in UserGroup A+B

1 Application Group with permissions for UserGroup A and B, having Query Restrictions on DocumentType 1 and DocumentType 2 respectively.

So is this possible: One user in multiple groups, merging the outcome of multiple Query Restrictions that return separate documents?
In other words: Can the permissions for document retrieval be merged based on Query Restriction, for users in multiple usergroups on the same application group?
Or is it still the case that the usergroup with the lowest GID determines all permissions for the application group, overruling any AG permission setting from the other usergroup?
If so, any idea how to accomplish this without creating new usergroups for users with these combined permissions?

Thanks,
Henri

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • Posts: 2231
  • CMOD Guru for hire...
You'd have to test it, but I'm not sure you can stack CMOD query restrictions through multiple group memberships. Hopefully there are few enough cases where you can create enough groups in Content Manager OnDemand to satisfy the requirements.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

davidshe

  • Guest
Unfortunately, my client (ARSGUI.EXE) has not been starting for a few weeks due to a Windows security issue, according to the event log.

I'd like to try out the combination of usergroups with different SQL, but the documentation does not give me much hope:
"If the user is a member of more than one group, the groups are checked in ascending group ID number."

But what about exit points? I just read about them.

Thanks anyway,
Henri
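
The simplified example from the first post, evaluated under the documentation rule quoted in the thread (groups checked in ascending GID, first match decides) and under the merged behaviour the question asks for. This is an added example, not part of the thread and not Content Manager OnDemand code; the group names, GID numbers and function names are hypothetical, and the first-match model is an assumption taken from the quoted sentences, not verified against a server.

```python
# Added illustration: a toy model, not Content Manager OnDemand code.
# Group names, GID numbers and both functions are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    doc_types: frozenset  # stands in for a query restriction on DocumentType

def first_match(groups, memberships):
    """Rule as quoted in the thread: the user's groups are checked in
    ascending GID and the first one with a permission on the AG decides."""
    mine = sorted((g for g in groups if g.name in memberships),
                  key=lambda g: g.gid)
    return set(mine[0].doc_types) if mine else set()

def merged(groups, memberships):
    """Behaviour the question asks for: OR of every group's restriction."""
    result = set()
    for g in groups:
        if g.name in memberships:
            result |= g.doc_types
    return result

# Constructed sample data: every group here holds a permission on the same AG.
A = Group("A", 101, frozenset({1}))
B = Group("B", 102, frozenset({2}))
C_LOW = Group("C", 100, frozenset({1, 2}))   # combined group, lowest GID
C_HIGH = Group("C", 103, frozenset({1, 2}))  # combined group, highest GID

def scenarios():
    return {
        "X in A": first_match([A, B], {"A"}),
        "Y in B": first_match([A, B], {"B"}),
        "Z in A+B, first match": first_match([A, B], {"A", "B"}),
        "Z in A+B, merged": merged([A, B], {"A", "B"}),
        "Z in A+B+C, C lowest GID": first_match([A, B, C_LOW], {"A", "B", "C"}),
        "Z in A+B+C, C highest GID": first_match([A, B, C_HIGH], {"A", "B", "C"}),
    }

if __name__ == "__main__":
    for label, types in scenarios().items():
        print(f"{label:28} -> DocumentType {sorted(types)}")
```

In this model a combined group only changes what user Z retrieves when its GID sorts before those of groups A and B, or when Z is removed from A and B, which is worth checking on a test system before relying on either arrangement for GDPR filtering.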