Why does one group permission not override another?

I have a test user added to two groups. The LimitedAccess group has these repo server permissions for TestRepo:

The PlasticTestGroup has these repo server permissions:

The PlasticTestGroup has these specific repo permissions for TestRepoForUVC:

The LimitedAccess group does not have any special permissions for this repo.

I have a user that has been placed in both groups.

What I would have expected is that this user would then be able to see the TestRepoForUVC repo and nothing else. Instead, they are unable to see any repos.

I thought the Allow override would override ALL Deny settings. But it seems to only override permission within the same group.

If so, this is a bit of a problem, in that I’m trying to manage users that might belong to multiple groups, and some of those groups need only read access to certain repos, while others need write access to a subset of those repos (and other repos). I’m trying to avoid making a million groups (or just setting up all access per-user). This is especially a problem since by default Plastic gives users lots of permissions, so you MUST deny them permissions if you don’t want them to see every repo.

Any explanation on how Plastic is handling this and if I’m understanding correctly?

If the user belongs to two groups, and in one of the groups the user has denied permissions, the deny always prevails, even when you have explicitly allowed the permissions in the other group the user belongs to.

To support this behavior, you can neither allow nor deny the view and read permissions at the server level. Then, you can specifically allow or deny the permissions at the repository level. This way, you won’t need to overwrite permissions either.
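The deny-prevails rule from the reply above, as a simplified model (an added example, not part of the thread and not Plastic SCM's own code). The group and repo names come from the question; the permission values, the `view` key, the `SERVER` marker and the inheritance of server-level entries by every repo are assumptions.

```python
from enum import Enum

class Rule(Enum):
    ALLOW = "allow"
    DENY = "deny"

SERVER = "<server>"  # hypothetical scope marker for server-level entries

def matching_entries(acl, groups, repo, perm):
    """Collect explicit entries for perm on repo (assumes server entries are inherited)."""
    found = []
    for group in groups:
        for scope in (SERVER, repo):
            rule = acl.get((group, scope, perm))
            if rule is not None:
                found.append((group, scope, rule))
    return found

def effective(acl, groups, repo, perm):
    """A deny from any group prevails; None means no group set anything explicitly."""
    rules = {rule for _, _, rule in matching_entries(acl, groups, repo, perm)}
    if Rule.DENY in rules:
        return Rule.DENY
    return Rule.ALLOW if Rule.ALLOW in rules else None

def blocking_entries(acl, groups, repo, perm):
    """List the (group, scope) pairs whose deny causes the block, for auditing."""
    return [(g, s) for g, s, r in matching_entries(acl, groups, repo, perm)
            if r is Rule.DENY]

USER_GROUPS = ["LimitedAccess", "PlasticTestGroup"]

# Constructed values (the thread does not list the actual settings).
AS_POSTED = {
    ("LimitedAccess", SERVER, "view"): Rule.DENY,
    ("PlasticTestGroup", "TestRepoForUVC", "view"): Rule.ALLOW,
}
# Constructed values: nothing set at server level, allow at repository level.
AS_SUGGESTED = {
    ("PlasticTestGroup", "TestRepoForUVC", "view"): Rule.ALLOW,
}

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        for repo in ("TestRepoForUVC", "TestRepo"):
            print(name, repo, effective(acl, USER_GROUPS, repo, "view"),
                  blocking_entries(acl, USER_GROUPS, repo, "view"))
```

A `None` result means no group set the permission explicitly; what applies in that case is the open question raised in the next post, and the model does not resolve it.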

Can you clarify on “you can neither allow nor deny the view and read permissions at the server level”? If I do not specify the group’s permissions, isn’t it defaulting to the user’s default permissions which is Allow for everything other than AdvancedQuery?

FYI, I later created a support ticket and will be setting up a meeting with one of you to discuss this over Zoom. Feel free to hold off on replies until after. I’ll post the summary here for posterity afterwards.
