DIRECTORY SERVICES
More than one subject that is shown at a selected target can apply to a particular user. For example, a user might be a member of two groups, both of which have access set to the target O=Acme. The following precedence rules are applied to determine the access a user has to a target when there are multiple subjects that apply to the user at the target.
Note: Even after precedence rules are applied, a user's access can never exceed the access the database ACL allows the user.
1. Access set for a subject with the scope "This container only" takes precedence over access set for a subject with the scope "This container and all descendants," regardless of subject type. For example, the access set for the subject */Acme and the scope "This container only" takes precedence over the access set for the subject Kathy Brown/Acme and the scope "This container and all descendants."
2. Among subjects with the same scope, access for a more-specific type of subject takes precedence over access for a less-specific type of subject. The order of subject specificity, from most specific to least specific, is:
Tip: To determine a user's effective access to an extended ACL target after extended access settings and database access are evaluated, select the target in the "Extended Access at target" dialog box, then click Effective Access.
Examples of precedence rules
Scope: "This container and all descendants"
Allow: Read, Browse
Deny: Create, Delete, Write
Scope: "This container only"
Allow: Create, Delete, Write
Deny: Read, Browse
Scope: "This container and all descendants"
Allow: All
Deny: All
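The two precedence rules and the database ACL cap can be sketched as a small resolver. This is an added example, not Domino code: the specificity ranking (individual name, then group, then wildcard), per-right resolution, deny-on-tie, the allow/deny values and the group name Sales are assumptions made for illustration.

```python
from dataclasses import dataclass

ONLY = "This container only"
DESC = "This container and all descendants"
# Assumed ranking, most specific first; not taken from the page.
SPECIFICITY = {"user": 0, "group": 1, "wildcard": 2}

@dataclass(frozen=True)
class Entry:
    subject: str
    kind: str                      # key into SPECIFICITY
    scope: str                     # ONLY or DESC
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

def rank(e):
    # Rule 1 compares scope first; rule 2 breaks ties by subject type.
    return (0 if e.scope == ONLY else 1, SPECIFICITY[e.kind])

def effective_access(entries, db_acl_rights):
    """entries: extended ACL subjects already matched to the user at one target."""
    granted = set()
    for right in set().union(*(e.allow | e.deny for e in entries)):
        relevant = [e for e in entries if right in e.allow or right in e.deny]
        best = min(rank(e) for e in relevant)
        winners = [e for e in relevant if rank(e) == best]
        # Assumption: equally ranked subjects that disagree resolve to deny.
        if all(right in w.allow and right not in w.deny for w in winners):
            granted.add(right)
    # The database ACL is an upper bound on whatever the rules produce.
    return granted & set(db_acl_rights)

def demo_scope_rule():
    # Constructed settings for the page's */Acme vs Kathy Brown/Acme case.
    entries = [
        Entry("*/Acme", "wildcard", ONLY, frozenset({"Browse", "Read"}), frozenset({"Write"})),
        Entry("Kathy Brown/Acme", "user", DESC, frozenset({"Write", "Create"}), frozenset({"Read"})),
    ]
    return effective_access(entries, {"Browse", "Read", "Write"})

def demo_specificity_rule():
    # Same scope: the individual name outranks the (hypothetical) group Sales.
    entries = [
        Entry("Sales", "group", DESC, frozenset({"Delete", "Read"})),
        Entry("Kathy Brown/Acme", "user", DESC, frozenset(), frozenset({"Delete"})),
    ]
    return effective_access(entries, {"Read", "Delete", "Browse"})

if __name__ == "__main__":
    print(sorted(demo_scope_rule()), sorted(demo_specificity_rule()))
```

In the first case Create is granted by the rules but removed by the database ACL cap, which is the behaviour the Note describes.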