Nested groups

Two groups are nested if one of the groups contains the other group as a member.

Permissions for nested groups are treated as cumulative. The access control system treats all members of the contained group as members of the containing group.

For example, group GlobalMarketing, can contain group, BrazilMarketing. All members of BrazilMarketing would be treated as members of GlobalMarketing, inheriting the access rights granted to GlobalMarketing members.

If GlobalMarketing has view access to the File Server portlet, and BrazilMarketing has view access to the World Clock portlet, BrazilMarketing has view access to both the File Server and World Clock portlets.

For example, Jose, as a member of the GlobalMarketing group, can only access the File Server portlet, but Astrid, as a member of the BrazilMarketing group, can access both portlets.

If you do not plan to use nested groups for access control inheritance, to improve performance, in the Access Control Data Management Service, set...

accessControlDataManagement.enableNestedGroups = false

This will limit the membership lookup that Portal Access Control performs to one group level in the hierarchy. A user is granted access rights only by explicit role mappings or role mappings to the groups of which that user is a direct member.

See Setting service configuration properties.

Parent topic:

Users and groups

Related tasks

Set service configuration properties

---