One domain user can belong to several groups. Permissions can either be assigned directly to the user or be inherited from the groups to which the user belongs.

The "Effective rights" column shows the result of this mechanism and is only displayed for domain users, not for groups or local users.

If both a domain user and the user group to which it belongs are entered in the user management, there may be different settings for group and user.

In such a case, the granted rights always prevail over the denied ones.

Example ibaPDA:

Example ibaHD-Server:

The figures show that the user “jdoe” has been denied the “Switch server” right. However, this user still gets the right granted because it is also a member of the “ibaPDA-users” or “ibaHD-users” group, which has this permission.

If a right has been granted, the tooltip on the mouse cursor shows the source(s) from which the right was inherited.

In this context, similar cases are also possible:

The configured domain user is a member of a group

| User    | Group   | Effective |
|---------|---------|-----------|
| Granted | Granted | Granted   |
| Granted | Denied  | Granted   |
| Denied  | Granted | Granted   |
| Denied  | Denied  | Denied    |

The configured domain user is a member of more than one group

| User    | Group 1 | Group 2 | Effective |
|---------|---------|---------|-----------|
| Granted | Granted | Granted | Granted   |
| Granted | Granted | Denied  | Granted   |
| Granted | Denied  | Granted | Granted   |
| Granted | Denied  | Denied  | Granted   |
| Denied  | Granted | Granted | Granted   |
| Denied  | Granted | Denied  | Granted   |
| Denied  | Denied  | Granted | Granted   |
| Denied  | Denied  | Denied  | Denied    |

In the case of users who are members of several groups, ibaPDA successively verifies the group-based rights in the order in which the groups appear in the list of SIDs received from the Active Directory controller (AD controller). This list is requested by ibaPDA from the AD controller whenever a domain user logs on. The group rights are combined with one another according to fixed rules. If the domain user is entered individually in the ibaPDA user management system, the user's rights are used as the basis for the additional combinations. If the user is not entered in the user management system, only the group rights are taken into account.

The order of the groups in the SID list is important for certain rights.

  1. The rights are determined as granted/denied via a Boolean "OR" function, whereby "Granted" is dominant.

  2. For the rights "Auto-close on inactivity" and "Auto-disconnect on inactivity", the lowest value is always applied. For example, if one group has a value of 10 minutes and the other group has a value of 1 minute, 1 minute is applied.

  3. The "Force display style" right is applied from the user or the first group with a preselected display style.

  4. For the rights "Load layouts from server" and "Save layouts on server", the layout directory is applied from the user or the first group for whom one of these rights is set.
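The four combination rules above can be modelled as follows. This is an added example, not iba code: the `Entry` class, the function names, the "engineering" group, the display style value and the layout directories are constructed for illustration, and only one of the two inactivity timeouts is modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

LAYOUT_RIGHTS = ("Load layouts from server", "Save layouts on server")

@dataclass
class Entry:
    """A user or group row in the user management (constructed model)."""
    name: str
    flags: dict = field(default_factory=dict)   # right -> True (granted) / False (denied)
    auto_close_min: Optional[int] = None        # "Auto-close on inactivity" in minutes
    display_style: Optional[str] = None         # "Force display style" preselection
    layout_dir: Optional[str] = None            # directory used by the layout rights

def effective_rights(user, groups_in_sid_order):
    """Combine the user's entry (if any) with the groups, in SID-list order."""
    chain = ([user] if user else []) + list(groups_in_sid_order)
    flags, sources = {}, {}
    for e in chain:
        for right, granted in e.flags.items():
            flags[right] = flags.get(right, False) or granted   # rule 1: Boolean OR
            if granted:
                sources.setdefault(right, []).append(e.name)    # what the tooltip lists
    timeouts = [e.auto_close_min for e in chain if e.auto_close_min is not None]
    layout_owner = next((e for e in chain if any(e.flags.get(r) for r in LAYOUT_RIGHTS)), None)
    return {
        "flags": flags,
        "sources": sources,
        "auto_close_min": min(timeouts) if timeouts else None,                             # rule 2
        "display_style": next((e.display_style for e in chain if e.display_style), None),  # rule 3
        "layout_dir": layout_owner.layout_dir if layout_owner else None,                   # rule 4
    }

def overridden_denials(user, groups_in_sid_order):
    """Rights denied on the user entry that a group grant still makes effective."""
    eff = effective_rights(user, groups_in_sid_order)
    return {r: eff["sources"][r] for r, g in user.flags.items() if not g and eff["flags"][r]}

# Constructed sample data: "jdoe" and "ibaPDA-users" follow the page, all values are invented.
jdoe = Entry("jdoe", {"Switch server": False}, auto_close_min=10)
groups = [
    Entry("ibaPDA-users", {"Switch server": True, "Load layouts from server": True},
          auto_close_min=1, layout_dir=r"D:\layouts\operators"),
    Entry("engineering", {"Switch server": False, "Save layouts on server": True},
          display_style="Dark", layout_dir=r"D:\layouts\engineering"),
]

if __name__ == "__main__":
    print(effective_rights(jdoe, groups))
    print(overridden_denials(jdoe, groups))
```

`overridden_denials` is the check to run when reviewing a configuration: a "Denied" on the user entry does not revoke a right that any of the user's groups grants, so a restriction only takes effect if it is also absent from every group.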

The domain user is not entered in the user management system but is a member of multiple groups

| Group 1 | Group 2 | Effective (current user) |
|---------|---------|--------------------------|
| Granted | Granted | Granted                  |
| Granted | Denied  | Granted                  |
| Denied  | Granted | Granted                  |
| Denied  | Denied  | Denied                   |