This document outlines various user and permission related expectations when using GlobalSearch. Note that this information is current as of version 6.3 and greater. Older versions may have different results.
User permissions ALWAYS override group permissions. If a user is directly secured to a resource, only the user’s permission set is considered.
Group permissions are always additive. If a user is a member of multiple groups, the sum of all permissions for secured groups of which the user is a member are considered.
Multiple groups with the same, or overlapping permissions, will not impact the experience.
It is a valid scenario for a user to be in two different groups that have identical permissions, both of which are secured to a single resource.
With regard to conflicting permissions that can not be merged, conflicts are expected. This can happen with Default searches, Queue searches, and Direct searches.
If two groups have default searches and the user is a member of both groups, the first group returned should apply to these options. Groups should be inspected in the order they were added, allowing the user to control this behavior to their specific needs.
For Default Searches, if a user is a member of two groups with different default searches, GlobalSearch will prompt the user at the time of Archive selection for which Search to use. We will remember the users choice and not prompt again unless an entry was removed from local storage.
Searches and Archives are different objects with their own discrete security. As such, having permissions to an Archive does not imply permissions to any specific search.
A user individually secured to an archive with no individual permissions on a search for that Archive would inherit the permissions of any group they are a member of on that search. The converse (group permissions on Archive, individual permissions on search) would result in the user’s direct permissions applying to searches.
Default/Queue/Direct options are search level permissions and would also respect user before group paradigm.