Understanding Business Objects Inheritance

When setting up user and group rules, it is important to understand inheritance and how inheritance works. Otherwise you may run into unexpected access rights for your groups and users.

Global to object level hierarchy
By default, groups and users will inherit rights from the highest level. The highest level starts at the Global Settings level. The second level is the folder level; and finally the lowest level is at the object level. If we set rights at the current level itself, then those rights have precedence over inheritance (except if rights have explicitly been denied) Here are a few examples of setting up a group at multiple levels

Group and User security Overlap
Use the following formulas as a guide to understand what happens when inheritance from multiple groups overlap

   

Grant + Deny + Not Specified = Deny Grant + Not Specified = Grant Grant + Deny = Deny Not Specified = Denied

For Predefined access levels, the access level with more access will take precedence.

If “Sales” has “View” access on the Marketing Folder and “Marketing” has “Schedule” access on the Marketing folder. . User rights take precedence over inherited rights User rights will always take precedence over inherited rights. “James” will have “Schedule” access on the Marketing folder. you must uncheck the box that inherits rights. For example: User “James” is part of the “Marketing” and has “Schedule” access on the Marketing folder. View access will then take precedence. To override an inherited deny. The only time an inherited right takes precedence is if an inherited right explicitly denies access. However we set “James” with “View” access on the Marketing folder.For example: If user “James” is part of Group “Sales” and “Marketing”.

Sign up to vote on this title
UsefulNot useful