A database ACL includes a role called [Buyer]. My name is in the ACL with Designer access and no roles assigned. I am also a member of a group called Catalog Buyers, which is in the ACL with Author access and the [Buyer] role assigned. When I open the database in the Notes client, I cannot see design elements that are hidden when @UserRoles does not contain [Buyer]. Does this mean that when my name is in the ACL, my effective access includes only those roles assigned to me personally, and not roles assigned to any groups to which I may belong?
Subject: Name takes precedence
Yes, when a user is listed in the ACL, his effective access is defined solely by his ACL entry. Any groups to which he belongs are ignored.
Subject: RE: Name takes precedence
Individual names in the ACL always take precedence over groups.
Subject: RE: Name takes precedence
However, roles should be collective. So if you are a member of an Editor group with [Role1] and a Reader group with [Role2], you will have both roles, regardless of the fact that you are getting access via the Editor group, the higher of the 2 access levels. Not sure if this holds true when also listed individually.
Subject: RE: Name takes precedence
No, it does not. Not having a role is considered a property of the same quality as having a role, so it is the role not assigned to the person that beats the role assigned to the group.
I must admit that I wasn’t 100% sure at first either, although this really is a very basic topic.
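The resolution rule the thread arrives at, as an added example (a Python model written for this page, not Domino code or any Notes API). The user and group names other than Catalog Buyers are constructed, `shadowed_roles` is a hypothetical audit helper, and the fallback to the `-Default-` entry is included for completeness.

```python
from dataclasses import dataclass

# Access levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]

@dataclass(frozen=True)
class AclEntry:
    level: str
    roles: frozenset = frozenset()

def effective_access(user, groups, acl, default="-Default-"):
    """Return (level, roles) for `user`, who is a member of `groups`."""
    # 1. An individual entry wins outright. Group entries are not consulted,
    #    so a role granted only through a group is not part of the result.
    if user in acl:
        return acl[user].level, set(acl[user].roles)
    # 2. Groups only: highest level among them, roles are the union.
    matched = [acl[g] for g in groups if g in acl]
    if matched:
        level = max((e.level for e in matched), key=LEVELS.index)
        return level, set().union(*(e.roles for e in matched))
    # 3. Neither listed: fall back to the default entry.
    entry = acl.get(default, AclEntry("No Access"))
    return entry.level, set(entry.roles)

def shadowed_roles(user, groups, acl):
    """Roles the user's groups carry that the individual entry drops."""
    if user not in acl:
        return set()
    group_roles = set().union(*(acl[g].roles for g in groups if g in acl))
    return group_roles - set(acl[user].roles)

# Constructed ACL mirroring the two cases discussed in the thread.
SAMPLE_ACL = {
    "Pat Example/Acme": AclEntry("Designer"),                  # no roles
    "Catalog Buyers": AclEntry("Author", frozenset({"[Buyer]"})),
    "Editors": AclEntry("Editor", frozenset({"[Role1]"})),
    "Readers": AclEntry("Reader", frozenset({"[Role2]"})),
    "-Default-": AclEntry("No Access"),
}

if __name__ == "__main__":
    print(effective_access("Pat Example/Acme", ["Catalog Buyers"], SAMPLE_ACL))
    print(shadowed_roles("Pat Example/Acme", ["Catalog Buyers"], SAMPLE_ACL))
    print(effective_access("Sam Example/Acme", ["Editors", "Readers"], SAMPLE_ACL))
```

Running `shadowed_roles` over every individually listed name in an ACL flags entries where a role expected from group membership is silently missing.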