Question

Permissions inheritance misunderstood

Hello,



I have the following problem. Users from parent role get inherited permissions from the child role, only if the users from parent role belong to the management role.

Example:

  • Hierarchy

  • Object permissions on Contact section

  • process to give read + write access right to users from same branch (no screenshot needed): read owner's user, read user's branch role, add edit access rights for user's branch role.

After creating a record, this is the access rights setup of the record:

Users:

When I try to edit the record using rm_east, it doesn’t work, as expected, because the edit permission isn’t given to any role which belongs to the user, nor is any role of the user inherited from the ones in the record access rights list.

After adding Region East. Managers group to the rm_east user, he will be able to edit the record. Why does it happen? 

The only two rules I know about inheritance are: 

  • Child role inherits permissions of parent role 

  • Management role inherits permissions of organization role 

Region East. Managers group is inherited from Managers East and Branch A is inherited from Managers East. The previous two rules don’t give the edit permission to the user.

Also, I noticed that if I remove the Managers East role for rm_east and keep only the role Region East. Managers group, he will still have edit access rights on that record.

Why does the user get granted edit permission to the record? Is that how it is supposed to work?

 

Best regards,

Valentin


4 comments

Hello,

By default, Creatio grants maximum access permissions to the following users:

  • The system administrators with permissions to the “Add any data,” “View any data,” “Edit any data,” and “Delete any data” system operations. These settings have a higher priority than the settings specified in the [ Object permissions ] section.

  • The record author and the management role of the author, including the ability to delegate permissions to other users.

  • The record owner and the management role of the owner, including the ability to delegate permissions to other users.

Could you please send a screenshot of the change access right element setup in the Business process?

Hello,



I know that when creating a record, Creatio grants by default the roles mentioned, they are indeed added on the records, as you can see in the screenshot.



process to give read + write access right to users from same branch (no screenshot needed): read owner's user, read user's branch role, add edit access rights for user's branch role.

From what I've deduced, the rule is the following: the management role of an organizational role inherits the permissions from the child roles of that organizational role.



Is this true? Is it written anywhere in the documentation? Why does it happen?

I found the answer, on a course from Academy. It is indeed as I expected. There is no need for an answer on this thread anymore.

Users and roles | Creatio Academy | Improve your skills with Creatio Training Courses & Certification
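The behaviour discussed in this thread can be checked with a small model. This is an added example, not Creatio code and not part of any post above; it assumes Branch A is a child organizational role of Managers East, that Region East. Managers group is the management role of Managers East, and that the process granted edit rights on the record to Branch A. The names `ROLES`, `sources` and `can_edit` are hypothetical.

```python
# Constructed model of the roles named in the thread; not Creatio code.
# Each role maps to (kind, linked role): an organizational role links to its
# parent, a management role links to the organizational role it manages.
ROLES = {
    "Managers East": ("org", None),
    "Branch A": ("org", "Managers East"),
    "Region East. Managers group": ("mgmt", "Managers East"),
}

# Assumption: the business process granted edit rights to the owner's branch role.
RECORD_EDIT = {"Branch A"}


def children(role):
    """Organizational roles whose direct parent is `role`."""
    return {r for r, (kind, link) in ROLES.items() if kind == "org" and link == role}


def sources(role, deduced_rule=True):
    """Roles whose record permissions `role` receives under the thread's rules."""
    kind, link = ROLES[role]
    result = {role}
    if link is None:
        return result
    # Rule 1: a child role inherits from its parent role.
    # Rule 2: a management role inherits from its organizational role.
    result |= sources(link, deduced_rule)
    # Deduced rule: a management role also inherits from the child roles
    # of the organizational role it manages.
    if kind == "mgmt" and deduced_rule:
        result |= children(link)
    return result


def can_edit(user_roles, granted_roles, deduced_rule=True):
    """True if any of the user's roles receives permissions from a granted role."""
    granted = set(granted_roles)
    return any(sources(r, deduced_rule) & granted for r in user_roles)


if __name__ == "__main__":
    mgmt = "Region East. Managers group"
    print("Managers East only:", can_edit({"Managers East"}, RECORD_EDIT))
    print("Management role only:", can_edit({mgmt}, RECORD_EDIT))
    print("Management role, two known rules only:",
          can_edit({mgmt}, RECORD_EDIT, deduced_rule=False))
```

With only the two rules listed in the question, no combination of rm_east's roles reaches Branch A; the edit right appears only once the deduced rule is applied to the management role.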
