Understanding Rational® ClearQuest® permission inheritance is key to developing a robust workspace folder access-control policy.
The Everyone group is used to establish a baseline permission from which modifications can then be applied. For example, the default permission for the Public Queries folder for all users is Read-Only. Use the Everyone group to change the default permission without creating and managing an explicit group.
A Folder Administrator can assign different permissions to a folder for a group and its subgroup. If a user is indirectly a member of a group because they are directly a member of a subgroup, and the group and subgroup have different access to a folder (for example, Read-Write versus Read-Only), the user's access is always determined by the subgroup access.
In contrast, if a user is a direct member of multiple groups, regardless of whether the groups are subgroups of each other, and the groups have different access levels, the user's access is determined by the group with the highest level of permission precedence. Direct membership in a group has precedence over indirect membership when determining permission inheritance.
Users who can change permissions on a folder include any user with the Public Folder Administrator or Security Administrator privilege, or any user who is a member of a group that has been granted the Change-Permission permission on a folder.
By default, a subfolder inherits the permissions of its parent folder. A user who can change permissions can override the inherited folder permissions for their groups by assigning different permissions to a subfolder. If the permissions on a subfolder are overridden, and the subfolder has subfolders, the subfolders inherit the override permissions. The Security Administrator and Public Folder Administrator can access any folder or subfolder regardless of the permission assigned to the folder.
The term effective permission relates to both a group's access to a particular folder and to an individual user's access.
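The group and folder rules above, worked through in an added Python sketch; it is a simplified model written for illustration, not Rational ClearQuest code or its API. The users, group names and folder entries are constructed, and the No-Access name, the precedence order, and the use of Everyone as the fallback when no group entry applies are assumptions.

```python
# Added illustration: a simplified model of the rules described above.
# ASSUMPTION: precedence order, lowest to highest; "No-Access" is an assumed name.
PRECEDENCE = ["No-Access", "Read-Only", "Read-Write", "Change-Permission"]

# Constructed sample data (hypothetical groups, users and folders).
PARENT_GROUP = {"QA-Contractors": "QA"}        # subgroup -> parent group
DIRECT_GROUPS = {
    "alice": {"QA-Contractors"},               # only an indirect member of QA
    "bob": {"QA", "QA-Contractors"},           # direct member of both groups
    "carol": set(),                            # covered by Everyone only
}
FOLDER_ACL = {                                 # explicit entries only
    "Public Queries": {"Everyone": "Read-Only", "QA": "Read-Write",
                       "QA-Contractors": "Read-Only"},
    "Public Queries/Release": {"QA": "Change-Permission"},   # override for QA
    "Public Queries/Release/Hotfix": {},       # nothing explicit: inherits
}

def folder_acl(folder):
    """Merge entries from the root folder down: a subfolder inherits its
    parent's entries, and an explicit entry overrides them per group."""
    acl, parts = {}, folder.split("/")
    for depth in range(1, len(parts) + 1):
        acl.update(FOLDER_ACL.get("/".join(parts[:depth]), {}))
    return acl

def group_permission(group, acl):
    """A subgroup's own entry wins over its parent group's entry.
    ASSUMPTION: with no entry in the chain, the Everyone baseline applies."""
    while group is not None:
        if group in acl:
            return acl[group]
        group = PARENT_GROUP.get(group)
    return acl.get("Everyone", "No-Access")

def effective_permission(user, folder):
    """Highest-precedence permission across the user's direct groups."""
    acl = folder_acl(folder)
    perms = [group_permission(g, acl) for g in DIRECT_GROUPS[user]]
    perms = perms or [acl.get("Everyone", "No-Access")]
    return max(perms, key=PRECEDENCE.index)

if __name__ == "__main__":
    for user in sorted(DIRECT_GROUPS):
        for folder in FOLDER_ACL:
            print(f"{user:6} {folder:32} {effective_permission(user, folder)}")
```

Running the sketch against a planned policy makes it easy to spot cases where a direct membership in a broader group silently outranks a restrictive subgroup entry, as it does for bob here.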
Updates to folder permissions for a user group or subgroup take effect in the current Rational ClearQuest session as soon as the Folder Administrator makes the update. Within the same replica as the current session, updates take effect on all sessions started after the change is committed to the database. In other replicas, updates take effect on sessions started after the replicas have been synchronized with the replica containing the current session and the synchronization is complete.
Because there is a delay before permission changes have an effect on other sessions, users may access the database with less restrictive permissions than the administrator has set for them for a period of time after the permissions have been changed in the current session.