Gaspar,

Think of the permissions as layers. For a single user, there will be multiple layers of permissions. At each layer a permission can be Allowed, Denied, or Implicitly Denied (blank). The rules are:

- If the permission is explicitly denied at any layer, then the permission is DENIED
- If no layer explicitly denies the permission AND it is allowed in at least one layer, then it is ALLOWED
- If the permission is implicitly denied at all layers, then it is DENIED

A simple example is to determine whether "Bob" (user) can view the project center. Bob belongs to the Project Manager and the Resource Manager groups. In order to understand whether he will be able to see the project center, we must understand which layers of permission apply:

Layer 1: At the server feature level, has the administrator enabled the project center feature (allowed, denied, or implicitly denied)?
Layer 2: At the Project Manager group level, can project managers view the project center at all (allowed, denied, or implicitly denied)?
Layer 3: At the Resource Manager group level, can they view the project center at all (allowed, denied, or implicitly denied)?

If it is denied at any layer, then Bob is out of luck. If the permissions are blank at all layers, then Bob is still out of luck. If there is a mix of Allowed and blank permissions, Bob will be able to see it.

At this point, a more complex question would be "which views will be available to Bob in the project center and which projects will Bob see in these views?" This takes things one level down into understanding categories and the permissions associated with each category-group pairing. The same concept of "layers" applies, but at this point it is at the content level (project, resource, view).

Good Luck
John M.
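
The three rules from the post above, worked through for Bob's three layers. This is an added example, not part of the original post and not the product's own code; the names `Perm`, `effective_permission` and `layers_for` and the sample settings are hypothetical and constructed for illustration.

```python
from enum import Enum


class Perm(Enum):
    ALLOW = "Allowed"
    DENY = "Denied"
    BLANK = "Implicitly Denied"  # nothing set at this layer


def effective_permission(layers):
    """Resolve one permission across (layer_name, Perm) pairs.

    Returns (granted, reason) so an administrator can see which layer decided.
    """
    # Rule 1: an explicit Deny at any layer overrides everything else.
    denies = [name for name, perm in layers if perm is Perm.DENY]
    if denies:
        return False, "explicitly denied at: " + ", ".join(denies)
    # Rule 2: no Deny anywhere and at least one Allow grants the permission.
    allows = [name for name, perm in layers if perm is Perm.ALLOW]
    if allows:
        return True, "allowed at: " + ", ".join(allows)
    # Rule 3: blank at every layer is still a denial.
    return False, "implicitly denied (blank) at every layer"


def layers_for(user_groups, feature_setting, group_settings):
    """Build the layer list: server feature level, then one layer per group.

    A group with no entry for the permission counts as blank.
    """
    layers = [("server feature", feature_setting)]
    for group in user_groups:
        layers.append((group + " group", group_settings.get(group, Perm.BLANK)))
    return layers


# Constructed sample data: Bob's group memberships from the post.
BOB_GROUPS = ["Project Manager", "Resource Manager"]

if __name__ == "__main__":
    scenarios = {
        "mix of Allowed and blank": (Perm.ALLOW, {"Project Manager": Perm.ALLOW}),
        "one group denies": (Perm.ALLOW, {"Project Manager": Perm.ALLOW,
                                          "Resource Manager": Perm.DENY}),
        "blank everywhere": (Perm.BLANK, {}),
    }
    for label, (feature, groups) in scenarios.items():
        granted, reason = effective_permission(layers_for(BOB_GROUPS, feature, groups))
        print(f"{label}: {'ALLOWED' if granted else 'DENIED'} ({reason})")
```

The returned reason string names the deciding layer, which is what you need when tracing why a user in several groups lost access after one group was given an explicit Deny.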