Overlapping rules
As you develop rules, you will eventually have rules that overlap. By this we mean that conditions in two or more rules target the same user or users. If rules overlap, the rule that provides access will prevail.
When two rules overlap, the following types of overlap typically occur:
- Identical
Both rules provide read access to the user. In this case read access will be provided.
- Complementary
One rule provides read and the other provides update. In this case, the user is provided with both read and update access.
You can view which user security rules apply to a resource using the audit page in the QMC.
You can also preview the effects of a rule.
Example 1:
In the example One property-value pair in conditions, we created a rule (Rule 1) that allows users belonging to the Active Directory group Finance to read the Quarterly results stream. Assume that another rule (Rule 2) gives users belonging to the Active Directory (AD) group Management read access to the Quarterly results stream.
Finally, assume that the Sales director belongs to both Active Directory groups Sales and Management.
Result | Rule 1 | Rule 2 |
---|---|---|
Allow users to | Read | Read |
On resource | Quarterly reports stream | Quarterly reports stream |
Provided that | group=Finance | group=Management |
Evaluates to | FALSE | TRUE |
Resulting access for Sales director | Provide read access | Provide read access |
Example 2:
The Finance office in the UK has published an app called UK quarterly outlook to the Quarterly reports stream. They want Finance users in the UK office to be the only users with read access to that app. For this purpose, the UK administrator creates Rule 3, which explicitly states that only users belonging to AD group Finance and UK office have read access. Assume that Rule 2 from Example 1 and the out-of-the-box Stream rule are also in place.
In this case Finance in the UK may have assumed that the Sales director would not be able to read the UK quarterly outlook app. However, this is not true since Rule 2 allows management to read the Quarterly reports stream and the Stream rule allows all users that have read access to a stream to read all apps on that stream.
Result | Rule 3 | Rule 2 | Stream rule |
---|---|---|---|
Allow users to | Read | Read | Read |
On resource | UK quarterly report published on Quarterly reports stream | Quarterly reports stream | All apps and sheets in a stream |
Provided that | group=Finance AND office=UK | group=Management | User has read access to the stream |
Evaluates to | FALSE | TRUE | TRUE |
Resulting access for Sales director | Provide read access | Provide read access | Provide read access |
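The additive evaluation in Examples 1 and 2, and the complementary case where actions from several rules are merged, can be reproduced with a small model. This is an added example in Python, not Qlik Sense code or its rule engine; the resource identifiers, the `PUBLISHED_TO` mapping, the user record and the function names are assumptions made for the sketch.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    actions: frozenset
    resource: str
    condition: Callable[[dict], bool]

# Constructed identifiers for this model; they are not QMC resource filters.
STREAM = "stream:Quarterly reports"
UK_APP = "app:UK quarterly outlook"
PUBLISHED_TO = {UK_APP: STREAM}  # app -> stream it is published to

RULES = [
    Rule("Rule 1", frozenset({"read"}), STREAM, lambda u: "Finance" in u["groups"]),
    Rule("Rule 2", frozenset({"read"}), STREAM, lambda u: "Management" in u["groups"]),
    Rule("Rule 3", frozenset({"read"}), UK_APP,
         lambda u: "Finance" in u["groups"] and u.get("office") == "UK"),
]

# Constructed user: the Sales director from the examples (office not given on the page).
SALES_DIRECTOR = {"groups": {"Sales", "Management"}}

def effective_access(user, resource, rules=RULES, stream_rule=True):
    """Return (granted actions, names of the rules that granted them).

    Rules only grant: a rule that evaluates to FALSE removes nothing,
    and the actions of every TRUE rule are merged."""
    actions, granted_by = set(), []
    for rule in rules:
        if rule.resource == resource and rule.condition(user):
            actions |= rule.actions
            granted_by.append(rule.name)
    # Stream rule: read access to a stream gives read access to its apps.
    stream = PUBLISHED_TO.get(resource)
    if stream_rule and stream is not None:
        stream_actions, _ = effective_access(user, stream, rules, stream_rule)
        if "read" in stream_actions:
            actions.add("read")
            granted_by.append("Stream rule")
    return actions, granted_by

def unintended_grants(user, resource, intended_rule, rules=RULES):
    """Rules other than intended_rule that still give this user access."""
    _, granted_by = effective_access(user, resource, rules)
    return [name for name in granted_by if name != intended_rule]

if __name__ == "__main__":
    for res in (STREAM, UK_APP):
        print(res, effective_access(SALES_DIRECTOR, res))
```

Listing the granting rules per user and resource answers the same question as the audit page in the QMC: which rules, other than the one the administrator had in mind, provide the access.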