Permission inheritance and flow down

Permissions flow down the tree. This means that when you grant permissions to an object, all subordinate objects inherit those same permissions unless you explicitly grant permissions to objects further down the tree.

Therefore, permission inheritance works as follows:

  • Group permissions flow down the tree to all members of the group unless overridden by User or Group permission assignments further down the tree. Group permissions are additive.
  • User permissions have the highest priority. User permissions override Group permissions assigned higher in the tree, but they are added to Group permissions granted further down the tree. User permissions can be overridden only by granting different User permissions further down the tree.

NOTE

  • The Create permission implies View.
  • The Write permission implies Read.
  • The Manage Policy permission implies Read, Write, and Revoke but does not imply View. Users should be granted the View permission as well.

To see which permissions are assigned to a particular user or group, run an Entitlement Report.
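The inheritance rules and implied permissions described above can be modelled as a small resolver; this is an added example, not the product's own code or API. It assumes that a grant further down the tree replaces only the same principal's grant higher up, that a Group grant on the same object as a User grant is overridden by it, and it uses constructed object, user and group names.

```python
# Implications from the NOTE on this page; Manage Policy does not imply View.
IMPLIES = {
    "Create": {"View"},
    "Write": {"Read"},
    "Manage Policy": {"Read", "Write", "Revoke"},
}

def expand(perms):
    """Return perms plus everything they imply."""
    out = set(perms)
    for p in perms:
        out |= IMPLIES.get(p, set())
    return out

def effective(path, grants, user, groups):
    """Resolve a user's permissions on the last object in `path` (root first).

    grants maps object -> {principal: set of permissions}.
    """
    user_perms, user_depth = set(), -1
    nearest = {}  # group -> (depth, perms) of its lowest assignment on the path
    for depth, obj in enumerate(path):
        assigned = grants.get(obj, {})
        if user in assigned:      # a lower User grant replaces a higher one
            user_perms, user_depth = assigned[user], depth
        for g in groups:
            if g in assigned:     # assumption: replaces only this group's higher grant
                nearest[g] = (depth, assigned[g])
    result = set(user_perms)
    for depth, perms in nearest.values():
        if depth > user_depth:    # only Group grants below the User grant are added
            result |= perms
    return expand(result)

# Constructed sample tree and principals (hypothetical names).
ROOT, WEB, PROD = "Policy", "Policy/Web", "Policy/Web/Prod"
GRANTS = {
    ROOT: {"WebAdmins": {"View", "Read", "Write"}, "Auditors": {"View", "Read"}},
    WEB:  {"alice": {"View"}},
    PROD: {"WebAdmins": {"Manage Policy"}},
}
ALICE_GROUPS = ["WebAdmins", "Auditors"]

if __name__ == "__main__":
    for path in ([ROOT], [ROOT, WEB], [ROOT, WEB, PROD]):
        print(path[-1], sorted(effective(path, GRANTS, "alice", ALICE_GROUPS)))
    print("bob", sorted(effective([ROOT, WEB, PROD], GRANTS, "bob", ["WebAdmins"])))
```

In the sample data, the User grant on `Policy/Web` narrows alice to View even though her groups hold more at the root, and bob ends up able to manage policy on `Policy/Web/Prod` without View.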
