Obliterate question

Busboy · Post by **Busboy** » Wed Sep 12, 2007 6:11 am

Hi,
We have a "local" repository administrator (group right: full admin) for each repository. He would like to obliterate a file, but is unable to do so. Message saying he need admin rights. If we are using global admin account, we are able to obliterate the file. Is this a bug or is the system designed this way? We are using Vault v4.0.4.

Regards,
Kim

Beth · Post by **Beth** » Wed Sep 12, 2007 1:29 pm

I ran a quick check and I believe I got the same results. I don't believe that is what is supposed to happen, so I will log a bug to get this in front of the developers. Good catch.

Just to make sure though, please check to see that your repository Admin can perform the other repository Admin functions and let me know the result.

Busboy · Post by **Busboy** » Thu Sep 13, 2007 1:45 am

We found one more irregularity:

1) User have access rights to repository
2) Upgrade Vault server from 3.x to 4.x
3) Create new local repository group with admin rights and assign user to this group
4) User is now directly assigned with “access” rights and is also member of group with “full admin” rights
5) When user tries to login to admin tool, he does not have admin rights to repository
6) Must delete “Directly assigned” assignment to fix problem

We should have a “total” view for each user where all user rights are listed, both directly assigned rights and inherited from group(s) rights.

Beth · Post by **Beth** » Thu Sep 13, 2007 9:42 am

What you are seeing is by design. How the rights are applied are in this order:

1) Default rights
2) Group rights
3) Directly assigned individual rights

That way, if a group is denied access to an area, but one user needs access, they can be given that one change without having to completely remove them from the group.

If you go to the Users page in the Admin webpage, and click Overview, you should be able to see the rights for that user. Is there more you are wishing to see there?

Busboy · Post by **Busboy** » Fri Sep 14, 2007 12:34 am

I would like to see a view where I can distinguish rights by group membership and directly assigned rights. The admin overview page only summarize the access rights.

Beth · Post by **Beth** » Fri Sep 14, 2007 7:43 am

I will put in a feature request.

The thing to remember is that any direct access rights override group rights, so assign the group rights first and then if you need to adjust, add in direct access adjustments.