
Group Permissions and Project Lists

Principals accrue group permissions from their project list, a list of all the groups of which a principal or alias is a member. When a principal tries to access an object, the principal has the access rights that accrue from the logical OR of permissions granted to every group with an entry in the ACL and in which the principal is a member. Note that the principal accrues rights only from the name or alias with which the principal logged in, not both names and aliases. (See Creating and Maintaining Principals, Groups, and Organizations for more information on aliases and project lists.)

For example, suppose an ACL contains the following entries:

{user_obj crwxid-}

{group_obj crwx---}

{other_obj -r-----}

{group composers crwx---}

{user bach crwx---}

{user mozart crwx---}

{group performers --w-idt}

User cole is a member of the group composers and the group performers. Because cole accrues permissions from both groups, his access permissions are crwxidt. (The security service provides a method to prevent a group from being included in a project list, thus preventing the group's permissions from being accrued as part of the project list. See Creating and Maintaining Principals, Groups, and Organizations for more information.)
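The group accrual in the cole example, as an added Python sketch that is not part of the original documentation or of the security service itself: it parses the entries listed above and ORs the permissions of every `group` entry whose group appears in a project list. The function names and the project-list sets are assumptions made for illustration; user entries, `group_obj`, `other_obj` and any other access-check steps are deliberately left out because this section describes only group accrual.

```python
import re

PERM_ORDER = "crwxidt"  # column order used by the ACL entries on this page

# The ACL entries from the example above, copied as written.
ACL_TEXT = """
{user_obj crwxid-}
{group_obj crwx---}
{other_obj -r-----}
{group composers crwx---}
{user bach crwx---}
{user mozart crwx---}
{group performers --w-idt}
"""

# {type [key] perms}: the key is absent for the *_obj entry types.
ENTRY_RE = re.compile(r"\{(\w+)(?:\s+(\S+))?\s+([crwxidt-]{7})\}")


def parse_acl(text):
    """Return a list of (entry_type, key_or_None, set_of_permission_letters)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognized ACL entry: {line!r}")
        etype, key, perms = m.groups()
        entries.append((etype, key, set(perms) - {"-"}))
    return entries


def group_permissions(entries, project_list):
    """OR the permissions of every 'group' entry whose group is in project_list."""
    granted = set()
    for etype, key, perms in entries:
        if etype == "group" and key in project_list:
            granted |= perms
    return "".join(p if p in granted else "-" for p in PERM_ORDER)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # cole's project list as described above (constructed sample input).
    print(group_permissions(acl, {"composers", "performers"}))
    # Same principal if performers were kept out of the project list.
    print(group_permissions(acl, {"composers"}))
```

The second call models the case mentioned in the parenthetical above, where a group is prevented from being included in the project list and its permissions therefore do not accrue.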