Permissions on Folders

This example eliminates the project folders and introduces the following requirements:

- Regional employees see only content for their region.
- A central group of managers sees all content.
- A central group of content creators creates all content.
The following figure depicts the folder and group structure.
[Figure: Variation 1: Folder and Group Structure]
The following table lists the protections for the first four folders:
| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect<br>LimitData | |
| DivisionA | Hide | GroupA: +RM<br>ContentCreators: +RM<br>Managers: +RM |
| RegionA1 | Hide | RegionA1: +RM, +R<br>ContentCreators: +RM, +R, +WMM<br>Managers: +RM, +R |
| RegionA2 | Hide | RegionA2: +RM, +R<br>ContentCreators: +RM, +R, +WMM<br>Managers: +RM, +R |
Notice that you are repeating many of the same explicit settings on each region, and that this will be the case throughout the DemoBranch. For greater efficiency and more centralized control, create a custom ACT (called RegionLevel) that provides the supplemental grants for your content creators (RM, R, WMM) and your managers (RM, R). Remember to protect the ACT itself as explained in step five in Baseline ACTs.
The following table lists the protections for the first four folders:
| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect<br>LimitData | |
| DivisionA | Hide | GroupA: +RM<br>ContentCreators: +RM<br>Managers: +RM |
| RegionA1 | Hide | RegionA1: +RM, +R<br>RegionLevel |
| RegionA2 | Hide | RegionA2: +RM, +R<br>RegionLevel |
If you decide to offer content at the division level and you want that content to be available to only managers, you might make these changes:
1. Create a DivisionLevel ACT with grants for Managers (RM, R) and ContentCreators (RM, R, WMM). Apply that ACT to each division folder.

   Note: This is the same pattern that you use for the RegionLevel ACT, so you could instead simply use that ACT. In this example, you choose to create a separate ACT because you anticipate that the requirements for division-level access and region-level access might diverge in the future.

2. Apply the Protect ACT on each region folder (to take away the inherited grant of WriteMetadata permission that content contributors inherit from their division-level grant of WriteMemberMetadata permission).

   Note: If you choose to not do this, members of the content creators group can delete, rename, or change permissions for the region folders.
The following table lists the protections for the first four folders:
| Folder | Protections: Baseline ACTs | Protections: Supplemental Grants |
|---|---|---|
| DemoBranch | Protect<br>LimitData | |
| DivisionA | Hide | GroupA: +RM<br>DivisionLevel |
| RegionA1 | Hide<br>Protect | RegionA1: +RM, +R<br>RegionLevel |
| RegionA2 | Hide<br>Protect | RegionA2: +RM, +R<br>RegionLevel |
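
The reason for applying Protect on each region folder can be checked mechanically against a folder plan. The following Python sketch is an added example, not SAS code and not part of the original documentation. It transcribes the folders and ACTs from this page, models only the rule stated in the Protect step (a WriteMemberMetadata grant on a parent folder reaches its child folders as WriteMetadata unless Protect is applied), and uses hypothetical function names.

```python
# Added example: plan data is transcribed from the tables on this page and the
# ACT contents from its prose. All function names are hypothetical.

# ACT name -> {group: permissions}, as described in the text.
ACTS = {
    "RegionLevel":   {"ContentCreators": {"RM", "R", "WMM"}, "Managers": {"RM", "R"}},
    "DivisionLevel": {"ContentCreators": {"RM", "R", "WMM"}, "Managers": {"RM", "R"}},
}

def folder(parent, baseline, explicit=None, acts=()):
    return {"parent": parent, "baseline": set(baseline),
            "explicit": explicit or {}, "acts": list(acts)}

def plan(region_baseline):
    """Division-level plan; region_baseline is the baseline ACT list of each region folder."""
    return {
        "DemoBranch": folder(None, ["Protect", "LimitData"]),
        "DivisionA": folder("DemoBranch", ["Hide"], {"GroupA": {"RM"}}, ["DivisionLevel"]),
        "RegionA1": folder("DivisionA", region_baseline, {"RegionA1": {"RM", "R"}}, ["RegionLevel"]),
        "RegionA2": folder("DivisionA", region_baseline, {"RegionA2": {"RM", "R"}}, ["RegionLevel"]),
    }

def wmm_grantees(f):
    """Groups granted WriteMemberMetadata on a folder, explicitly or through an ACT."""
    groups = {g for g, perms in f["explicit"].items() if "WMM" in perms}
    for act in f["acts"]:
        groups |= {g for g, perms in ACTS[act].items() if "WMM" in perms}
    return groups

def unprotected_children(p):
    """Return {folder: groups} where a parent's WMM grant reaches a folder that lacks Protect."""
    findings = {}
    for name, f in p.items():
        parent = p.get(f["parent"])
        if parent is None or "Protect" in f["baseline"]:
            continue
        groups = wmm_grantees(parent)
        if groups:
            findings[name] = sorted(groups)
    return findings

if __name__ == "__main__":
    # State after applying DivisionLevel but before applying Protect to the regions.
    print("Hide only:     ", unprotected_children(plan(["Hide"])))
    # Final state shown in the last table.
    print("Hide + Protect:", unprotected_children(plan(["Hide", "Protect"])))
```
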
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.