Permissions inheritance by using a parent group


Assigning a parent group can simplify permissions management in cases where one group, such as a service provider (the parent group), should have access to a set of objects or data belonging to several different child groups. For example, Apex Global is the parent company that provides services through contracts with service providers (child groups).

When you define a parent group, you manage access to objects and data in the application by assigning permissions to the child group. You also configure the objects to allow permissions inheritance. As a result, members of the parent group automatically have the same access as members of the child group.

Any regular or computed group that you create can be a parent group and represents a hierarchical relationship with the child group. The parent group inherits the permissions of the child group. If each child group has a unique set of permissions and you create a parent group for these child groups, the parent group has all the permissions of all the child groups, while each child group remains restricted to its own set of permissions.

A parent group can have one or more child groups. A child group can also have child groups of its own, forming a multilevel hierarchy, but each child group can only have one parent group. In a multilevel hierarchy, assigning permission to a child group grants access to all ancestor groups, such as the parent group of a parent group.

The following image shows the hierarchical group relationships by using an example of an auto parts supplier, its dealers, and their shops:

Example

The group named Parts Supplier is a parent to the child groups Dealer A and Dealer B. Dealer A is the parent group to Shop A1 and Shop A2, and Dealer B is the parent to Shop B1. The parent group, Parts Supplier, becomes an ancestor to all the child groups in the relationship chain.

[Image: Parent group inheritance]

In this example, an auto parts supplier needs to control access to the order database, such that employees of the parts supplier can see orders from all dealers and their respective authorized repair shops, but employees of each dealer can see only their own orders or those of their subcontracted shops. Employees of each shop can see only the orders for their own shop. This is accomplished by assigning Parts Supplier as the parent group for Dealer A and Dealer B, and by assigning Dealer A or Dealer B as the parent group for each of the shop groups.

To assign a parent group, you modify the Group form entry for the child group. See Creating-and-managing-access-control-groups.

Hierarchical group relationships are used for permissions management only, and are not recognized when sending notifications by group.

Object properties that control hierarchical group access

Two object properties determine whether AR System grants access according to a parent group relationship:

  • Static permissions inheritance controls hierarchical access for all AR System object types that use permissions, such as forms, active links, and applications. Hierarchical access to fields is controlled by the permissions of the form. See Assigning-permissions-for-individual-or-multiple-objects.

If the object properties do not include permissions inheritance, any hierarchical relationship defined for any of the groups in the object permission list is ignored.
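The following added example (not AR System code and not part of the original documentation) models the Parts Supplier hierarchy to show which groups can reach an object once a child group is on its permission list, with and without permissions inheritance enabled on the object. The function names, the PARENT table, and the inheritance_enabled flag are assumptions made for illustration; a helper like this is useful when auditing who gains access through ancestor groups.

```python
# Constructed model of the page's example; not AR System code or its API.
PARENT = {  # child group -> its single parent group
    "Dealer A": "Parts Supplier",
    "Dealer B": "Parts Supplier",
    "Shop A1": "Dealer A",
    "Shop A2": "Dealer A",
    "Shop B1": "Dealer B",
}


def ancestors(group, parent=PARENT):
    """Return the chain of ancestor groups, nearest first."""
    chain, seen = [], {group}
    while group in parent:
        group = parent[group]
        if group in seen:  # guard against a misconfigured loop
            raise ValueError(f"cycle in group hierarchy at {group!r}")
        seen.add(group)
        chain.append(group)
    return chain


def effective_groups(permitted, inheritance_enabled, parent=PARENT):
    """Groups that can reach an object, given its permission list."""
    groups = set(permitted)
    if inheritance_enabled:  # hierarchy is ignored when the property is off
        for g in permitted:
            groups.update(ancestors(g, parent))
    return groups


def can_access(user_groups, permitted, inheritance_enabled, parent=PARENT):
    """True if any of the user's groups is in the effective group set."""
    allowed = effective_groups(permitted, inheritance_enabled, parent)
    return bool(set(user_groups) & allowed)


if __name__ == "__main__":
    order = ["Shop A1"]  # constructed: an order record permitted to Shop A1
    print("inheritance on: ", sorted(effective_groups(order, True)))
    print("inheritance off:", sorted(effective_groups(order, False)))
    print("Dealer B member:", can_access(["Dealer B"], order, True))
```

With inheritance enabled, a permission granted to Shop A1 also reaches Dealer A and Parts Supplier, but never the sibling Shop A2 or the unrelated Dealer B.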

 
