Permission Origins

Introduction

Permission origins identify the source of each effective permission in the metadata authorization layer. This information can be useful in troubleshooting. It answers the question: Why is this identity granted (or denied) this permission?
In the origins answer, only the controlling (winning, highest precedence) access control is shown. If there are multiple tied winning controls, they are all shown. Other, lower precedence controls are not shown in the answer.
Origins information is available on an object’s Authorization page. See View Authorization Information.

Simple Permission Origins

The following table provides simple examples of permission origins answers. In each example, we are interested in why UserA has an effective grant on FolderA. In each example, UserA is a direct member of both GroupA and GroupB. Each row in the table is for a different (independent) permissions scenario. In the table, the first column depicts the contents of the Origins window. The second column interprets the information.
Origins: Simple Examples
Origins Information
Source of UserA's Effective Grant on FolderA
grant iconuser icon UserA [Explicit]
On FolderA, an explicit grant for UserA
grant icongroup icon GroupA [Explicit]
On FolderA, an explicit grant for GroupA
grant icongroup icon GroupA [Explicit]
grant icongroup icon GroupB [Explicit]
On FolderA, explicit grants for GroupA and GroupB
Note: Two settings are shown because they are tied and they both win (UserA is a direct member of GroupA and GroupB).
grant icongroup icon GroupA [ACT: GroupARead]
On FolderA, an ACT pattern grant for GroupA (from a directly applied ACT)
grant icongroup icon SASUSERS [ACT: GenRead]
On FolderA, an ACT pattern grant for SASUSERS (from a directly applied ACT)
grant icongroup icon GroupA [ACT: GroupARead]
grant icongroup icon GroupB [ACT: GroupBRead]
On FolderA, ACT pattern grants for GroupA and GroupB (from two different directly applied ACTs)
Note: Two settings are shown because they are tied and they both win (UserA is a direct member of GroupA and GroupB).
grant icongroup icon GroupA [ACT: GroupABRead]
grant icongroup icon GroupB [ACT: GroupABRead]
On FolderA, ACT pattern grants for GroupA and GroupB (from the same directly applied ACT)
Note: Two settings are shown because they are tied and they both win (UserA is a direct member of GroupA and GroupB).
grant iconuser icon UserA is unrestricted.
UserA’s status as an unrestricted user (someone who is unrestricted is always granted all permissions)

Inherited Permission Origins

In many cases, the controlling setting is not on the current object. Instead, the controlling setting is defined on a parent object and inherited by the current object.
The following table provides examples in which the controlling setting comes from a parent object. Because the source of the effective permission is a parent object, the answer must identify which parent object has the controlling setting. For this reason, the answers in the following examples identify both a parent object (the object that has the controlling setting) and the controlling setting, itself.
In each example, we are interested in why UserA has an effective grant on FolderA. In each example, UserA is a direct member of both GroupA and GroupB. Each row in the table is for a different (independent) permissions scenario. In the table, the first column depicts the contents of the Origins window. The second column interprets the information.
Origins: Inheritance Examples
Origins Information
Source of UserA's Effective Grant on FolderA
folder icon ParentFolderA
blank spacegrant iconuser icon UserA [Explicit]
On ParentFolderA, an explicit grant for UserA
folder icon ParentFolderA
blank spacegrant icongroup icon GroupA [Explicit]
On ParentFolderA, an explicit grant for GroupA
folder icon ParentFolderA
blank spacegrant icongroup icon GroupA [Explicit]
blank spacegrant icongroup icon GroupB [Explicit]
On ParentFolderA, explicit grants for GroupA and GroupB
folder icon ParentFolderA
blank spacegrant icongroup icon GroupA [ACT: GroupARead]
On ParentFolderA, an ACT pattern grant for GroupA (from a directly applied ACT)
folder icon GreatGrandParentFolderA
blank spacegrant icongroup icon SASUSERS [ACT: GenRead]
On GreatGrandParentFolderA, an ACT pattern grant for SASUSERS (from a directly applied ACT)
folder icon ParentFolderA
blank spacegrant icongroup icon GroupA [ACT: GroupARead]
blank spacegrant icongroup icon GroupB [ACT: GroupBRead]
On ParentFolderA, ACT pattern grants for GroupA and GroupB (from two different directly applied ACTs)
folder icon GrandParentFolderA
blank spacegrant icongroup icon GroupA [ACT: GroupABRead]
blank spacegrant icongroup icon GroupB [ACT: GroupABRead]
On GrandParentFolderA, ACT pattern grants for GroupA and GroupB (from the same directly applied ACT)
Last updated: December 18, 2018