HP BB118BV - StorageWorks Data Protector Express Package User Manual page 203

However, he is prevented from having permissions to the volumes on the file or application server.
He is listed on the Permissions page of the volume and these direct permissions are used to deny him
access to the volume. In this example, he is granted Read permission by checking that box, but
denied Write permissions by clearing the appropriate box.
Thus even though this user has effective permissions to the container that contains the volume, his
effective permissions to the volume are determined only by his direct permissions to the volume.
Because he has direct permissions, Data Protector Express does not check to see if he has inherited
permissions.
4. The following example is more complex, but illustrates an important concept: that Data Protector
Express does not check for inherited permissions when there are direct permissions.
This user is a member of the Marketing group, which has five direct permissions to the Marketing
Folder: Create, Modify, Delete, Write, and Read permissions. This user also has direct permissions to
the Marketing Media Folder, but only Write permission.
This user has five effective permissions to objects contained in the Marketing Folder, but not to the
Marketing Media Folder, where he has only one (Write permission). Data Protector Express does
not look to see if this user has effective permissions to the container that contains the Marketing
Media Folder because this user has direct permissions to that object. Thus even though other
members of the Marketing group have effective permissions to the Marketing Media Folder
through inherited permissions, this user will not. This user will have only Write permissions to this
folder.
5. The following example shows how equivalencies and group membership work together to determine
effective permissions.
Suppose that User 1 is a member of the Marketing group and that he is made equivalent to User 2.
What permissions will the user have?
User 1 has permissions to all of the User/Group folders, except the Admin Folder. For example, he
has permissions to User 2's Folder because he is equivalent to User 2. (Note that this equivalency
does not give User 2 permission to User 1's Folder.) User 1 also has the same permissions to the
Machine and Tape Drive that User 2 has.
However, User 1's permissions to the Volume are different from those of User 2. User 1 has direct
permission to the Volume in three ways: as a user, as a member of the Marketing group and as a
result of his equivalency to User 2. When Data Protector Express calculates his effective permissions,
it uses these direct permissions from all three sources. In this case, will have five permissions (Create,
Modify, Delete, Write and Read).
Note that it does not matter that User 1's own direct permissions as a user do not include Create and
Modify permissions. Data Protector Express uses all three sources to determine User 1's effective
permissions to the volume. In this case, User 1's membership in the Marketing group grants him
Create and Modify permissions.
6. Given the above example, suppose we wanted to deny all permissions to the Volume. How could this
be accomplished?
To deny all permissions to the Volume, three things must happen: his equivalency to User 2 must
end; his membership in the Marketing group must end; and his direct permissions must be changed so
that is listed on the Permissions page of the Volume but no permission boxes are checked.