Inheriting Permissions for Users in Multiple Policies and Roles
This section describes how a user in multiple policies and roles inherits permissions for a data element.
If the mask settings, which are applied together with the permission settings, conflict across the roles of a user, then the resultant output differs.
Consider a scenario where user U1 has policy P1, which is associated with roles R1, R2, and R3 and connected with the data element DE1, with different masks (Left, Right) and output formats. The resultant output is then as shown in the following table.
Sr. No. | Role | User | Data Element | Output Format | Mask Settings | Resultant Output |
---|---|---|---|---|---|---|
1 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
2 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
 | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 | |
3 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the mask settings (Left, Right) and thus the Unprotect access is revoked with NULL as the output. |
 | R2 | U1 | DE1 | MASK | Left: 0, Right: 5 | |
4 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character ‘*’ | There is a conflict in the mask character settings and thus the Unprotect access is revoked with NULL as the output. |
 | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character ‘/’ | |
5 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the mask settings (Left, Right) and thus the Unprotect access is revoked with NULL as the output. |
 | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 | |
 | R3 | U1 | DE1 | MASK | Left: 0, Right: 5 | |
6 | R1 | U1 | DE1 | MASK | Left: 1, Right: 1 with masked mode | There is a conflict in the mask settings and thus the Unprotect access is revoked with NULL as the output. For example, if the value 12345 is masked with Left: 1, Right: 1 settings in masked mode, it results in *234*. If the value 12345 is masked with Left: 1, Right: 1 settings in clear mode, it results in 1***5. As the resultant values conflict, the Unprotect access is revoked with NULL as the output. |
 | R2 | U1 | DE1 | MASK | Left: 1, Right: 1 with clear mode | |
7 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the output formats. The resultant output is the most permissive, which is CLEAR. |
 | R2 | U1 | DE1 | CLEAR | | |
8 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the output formats due to conflicting MASK settings. However, with the CLEAR setting applicable in the order of access as per the role R3, the resultant output is the most permissive. In this case, it is CLEAR. |
 | R2 | U1 | DE2 | MASK | Left: 0, Right: 5 | |
 | R3 | U1 | DE3 | CLEAR | | |
A data element-role connection with the permission for the unprotect operation disabled results in a NULL value by default; it can be set to another no-access value, such as the Exception or Protected value.
The following table explains how no-access values work with different output formats for users in multiple roles.
Sr. No. | Role | User | Data Element | No Access Operation | Output Format | Mask Settings | Resultant Output |
---|---|---|---|---|---|---|---|
1 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | There is a conflict in the output formats. If one of the roles has access, then that output format is used. The resultant output is the most permissive, which is MASK. |
 | R2 | U1 | DE1 | NULL | | | |
2 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | |
 | R2 | U1 | DE1 | Protected | | | |
3 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | |
 | R2 | U1 | DE1 | Exception | | | |
4 | R1 | U1 | DE1 | | CLEAR | | If one of the roles has access, then that output format is used. The resultant output is the most permissive, which is CLEAR. |
 | R2 | U1 | DE1 | NULL | | | |
5 | R1 | U1 | DE1 | | CLEAR | | |
 | R2 | U1 | DE1 | Protected | | | |
6 | R1 | U1 | DE1 | | CLEAR | | |
 | R2 | U1 | DE1 | Exception | | | |
If the Unprotect access permission is not assigned to a user, then either the NULL value or a no-access value, such as the Protected or Exception value, is returned. The returned value is based on the permission settings for a role or a data element. If a user is assigned to multiple roles with different permission settings for the data element, then the following no-access permission applies on the protector.
No Access Permission 1 | No Access Permission 2 | Resultant Permission on the Protector |
---|---|---|
Protected | NULL | Protected |
Protected | EXCEPTION | Protected |
Protected | Mask | Mask |
Protected | Clear | Clear |
NULL | EXCEPTION | EXCEPTION |
NULL | Mask | Mask |
NULL | Clear | Clear |
EXCEPTION | Mask | Mask |
EXCEPTION | Clear | Clear |
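The precedence rules in the three tables above, written out as an added Python model that is not part of the original documentation or the product: it resolves the grants a user holds on one data element (most permissive output wins, conflicting MASK settings revoke Unprotect to NULL, and Protected beats EXCEPTION beats NULL among no-access values) and applies a mask in masked and clear mode. The Mask, Grant, resolve and apply_mask names are assumptions for illustration, not the product's own API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Mask:
    """Mask settings as in the tables; Left/Right are character counts (hypothetical structure)."""
    left: int
    right: int
    char: str = "*"        # mask character
    mode: str = "masked"   # "masked": Left/Right chars are masked; "clear": they stay clear

@dataclass(frozen=True)
class Grant:
    """One role's setting for a data element (hypothetical structure)."""
    role: str
    output: str            # "CLEAR", "MASK", or a no-access value: "Protected", "EXCEPTION", "NULL"
    mask: Optional[Mask] = None

# Precedence among no-access values, taken from the last table:
# Protected beats EXCEPTION, which beats NULL.
NO_ACCESS_RANK = {"NULL": 0, "EXCEPTION": 1, "Protected": 2}

def resolve(grants: list[Grant]) -> tuple[str, Optional[Mask]]:
    """Effective output for a user holding several roles on one data element."""
    if not grants:
        return ("NULL", None)                  # no connection: Unprotect disabled, NULL by default
    if any(g.output == "CLEAR" for g in grants):
        return ("CLEAR", None)                 # most permissive output format wins
    masks = {g.mask for g in grants if g.output == "MASK"}
    if len(masks) == 1:
        return ("MASK", masks.pop())           # all MASK grants agree on Left/Right/char/mode
    if len(masks) > 1:
        return ("NULL", None)                  # conflicting mask settings: Unprotect revoked
    best = max(grants, key=lambda g: NO_ACCESS_RANK[g.output])
    return (best.output, None)                 # only no-access values remain

def apply_mask(value: str, m: Mask) -> str:
    """Mask a value; shows why masked and clear mode with equal Left/Right conflict."""
    n = len(value)
    if m.mode == "masked":
        keep = lambda i: m.left <= i < n - m.right      # edges masked, middle clear
    else:
        keep = lambda i: i < m.left or i >= n - m.right  # edges clear, middle masked
    return "".join(c if keep(i) else m.char for i, c in enumerate(value))

if __name__ == "__main__":
    r1 = Grant("R1", "MASK", Mask(1, 2))
    print(resolve([r1, Grant("R2", "MASK", Mask(0, 5))]))   # ('NULL', None)
    print(apply_mask("12345", Mask(1, 1)))                   # *234*
    print(apply_mask("12345", Mask(1, 1, mode="clear")))     # 1***5
```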