Inheriting and overwriting permissions
Permissions for a folder are inherited by services within the folder. For example, if you allow the role Administrators access to a folder, all services within the folder will also have this role allowed. The Permissions dialog box will show the role, along with other roles that you have added, if any. Folders also inherit permissions from the server root folder.
You can remove roles that a service inherits from a folder. To do so, open the Permissions dialog box for the service, click the role, then click Remove. This will cause that role to not be permitted access to the service. Note that users may be assigned to multiple roles, so that access must be carefully considered based on role membership.
If permissions for a folder are edited, any changes to role permissions are reapplied to all services within the folder. Note that this will overwrite any changes made to those roles for individual services. If you remove a role from the permitted list for the folder, that role will no longer be permitted access to any services within the folder. Similarly, if you add a role to the folder's permissions list, it will be allowed access to all services in the folder.
Overwriting permissions in child folders and services
When setting permissions for the root folder, you may see this message when you click Save:
One or more of the roles you are changing permissions for already has a permission setting in one or more services or folders inside this folder. If you continue, the permissions settings for these roles in child services or folders will be removed. Do you want to save these changes?
This message means that you are adding or removing a role that already had explicit permissions in one or more services within the folder—or in a child folder if editing permissions of the root folder—and that the permission is different than what you are about to apply. If you proceed, all rules for that role in child folders and services will be removed, and the child folders and services will inherit permissions for that role from the folder.
This message means that at least one service or folder's permissions will be different than you explicitly set previously. For example:
- You add permissions for a role to a child folder but remove the role's access to a service within the folder. Later, you add permissions for the role to the root folder. You receive a warning, because if you continue, the service within the child folder will now allow access from the role, when previously access was not allowed.
The message also indicates that changes you make later may not have the effect you expect. For example:
- You allow the Everyone role in the root folder, then remove Everyone from permissions in a child folder EngineeringServices, allowing only a specific role, such as Engineers. Later, you remove Everyone from the root folder. You receive a warning, because if you continue, the explicit removal of permissions from the EngineeringServices folder will no longer be present. If you then readd permissions for Everyone to the root folder, then Everyone will also be allowed access to EngineeringServices. If you want to restrict access to EngineeringServices, you will need to visit that folder's permissions and remove the Everyone role.
- You add permissions for a role to the root folder but then remove that role's permissions for a child folder. You then allow the role access to a service within the child folder. Later, you remove the role's permissions from the root. You receive a warning when saving this change because it will remove the permissions explicitly granted to the role for the service within the child folder. If you then readd permissions for the role to the root folder, all folders and services will allow access by the role.
Note that you will not receive a warning when child services or folders had the same permissions as the one you are applying to a parent. For example, if you allow a role in a service and later allow the same role for the folder of the service, then the service will permit the role because of inheritance, rather than as an explicitly allowed role. You will not receive any warning when making this change. If you then remove the role's permission for the folder, the role will also no longer be allowed for the service, even though you had earlier permitted the role for the service. If you want to allow the role, you will need to add it to the service again.
If you receive this warning when editing permissions of the root folder and are not certain how the changes will affect access to services, you should click Cancel on the warning message and examine permissions of child folders and services. You may need to follow up the application of the permissions change by then reapplying rules to child folders and services to produce the desired security configuration.
If you have added or removed more than one role while editing permissions, the message may mean that multiple roles are affected. You may want to examine the permissions on child folders and services to ensure that you are not overwriting permissions you actually wanted to persist.