Inheritance and Competition Among Roles
The Principle
To understand rights inheritance, it is important to know how the role's structure works.
Every YSoft SafeQ 6 installation includes the role everyone by default. This role cannot be deleted. Every YSoft SafeQ 6 user has this role automatically assigned — that is, every user is a member of the role everyone and this cannot be changed. This role is superior to all roles you create.
If you set access rights for the role everyone, these rights will be applied to all users. You can set detailed rights by defining a new role, setting its rights, and assigning it to a user. The new role inherits rights from its superior group everyone, but the settings made in the new role override its parent role settings.
If you set access rights for an individual device, these rights take priority over the settings of the entire device group.
If a user is assigned multiple roles of the same level at the same time, prohibition has priority.
Example: The user1 login is a member of the role everyone, role1, and role2. The role everyone has print access rights set for a device group named Default. For role1, the device group Default is prohibited and for role2, this group is permitted. As a result, user1 is prohibited from printing to all devices included in the Default group because the permission in the everyone role is ignored. user1 is also a member of other roles that are permitted to print to this Default device group, but the role everyone is subordinate to other roles and ignored – the only settings that matter for user1 are the settings made for role1 and role2. Printing is prohibited to the Default group for role1 and permitted for role2. Because prohibition has priority (see above), prohibition is applied.
Unlike function rights, assigning device access rights has one extra feature – the ability to assign default rights to a role. A role's default device rights will apply to all device groups that do not have rights explicitly set for the particular role. A role's default device rights settings have priority over the access right settings of a device group, both for the role everyone and for any other roles.
Example: A user is a member of the role everyone and role1. The role everyone has printing rights set for the device group devices1 and role1 has default rights set for copying. If the user accesses a device that is not part of the device group devices1, printing is permitted to a user because it is permitted to the everyone role. If a user accesses a device that is not part of the device group devices1, copying is permitted to the user because the default rights for copying have been set for their role in relation to all device groups that have not been explicitly set. This means that if a user role1 has printing rights set for the device group devices2, the default settings are ignored and printing is permitted to the user only according to role1's device rights set explicitly for the group devices2.