+

Search Tips   |   Advanced Search

Nested groups

Two groups are nested if one of the groups contains the other group as a member. The access control system treats this as though all members of the contained group are also members of the containing group. In other words, permissions for nested groups are treated as cumulative.

One group, GlobalMarketing, could for example contain another group, USMarketing, resulting in all members of USMarketing being treated as members of GlobalMarketing. This means that members of USMarketing inherit the access rights granted to GlobalMarketing members. So, if GlobalMarketing has view access to the File Server portlet, and USMarketing has view access to the Reminder portlet, USMarketing has view access to both the File Server and Reminder portlets. For example, Joe, as a member of the GlobalMarketing group, can only access the File Server portlet, but Susan, as a member of the USMarketing group, can access both portlets.

If we do not plan to use nested groups for access control inheritance, set accessControlDataManagement.enableNestedGroups to false in the Access Control Data Management Service to improve performance. This will limit the membership lookup that Portal Access Control performs to one group level in the hierarchy. This means that a user is granted access rights only by explicit role mappings or role mappings to the groups of which that user is a direct member. See Setting service configuration properties for information.


Parent Administering

Related tasks:

Set service configuration properties