...

Susan Bramhall is a uPortal administrator. Someone acting as the Admin user explicitly granted her (the permission is applied directly to the Principal) permission to view the detailed results from the Error Channel instead of the low-information monkey wrench.

Susan Bramhall (GRANT)

Explicitly denies

Andrew Petro has submitted too much feedback via the Feedback Channel and so he has been explicitly denied (permission applied directly to the Principal) permission to render the Feedback Channel. However, others are still below the maximum allowable feedback, and so are still allowed to subscribe.

(DENY) Andrew Petro < Developers < (GRANT) Everyone

Permission inheritance

...

Mark Boyd is a member of the Developers group which is a member of the Everyone group.

Mark Boyd < Developers < (GRANT) Everyone

No inheritance

The Developer Secrets channel is where technically minded folks discuss techy secrets kept from the non-programmers. Only Developers have permission to subscribe.
Mike Z. is not a Developer. He is not a member of any group that has a GRANT or DENY for this permission.

...

Shawn Bayern is in the group Staff which is in the group Everyone.

Shawn Bayern < Staff < Everyone

Funny cartoons are innocuous, so you've granted permission to Everyone to subscribe to them.

Shawn Bayern < Staff < GRANT Everyone

But it turns out that upper management is humorless and wants to reduce the loss of productivity to funny cartoons. So they insist on denying permission to subscribe to Staff. Non-staff are still to be allowed to consume funny cartoons.

So you DENY subscribe permission to the group Staff.

Shawn Bayern < (DENY) Staff < (GRANT) Everyone

Shawn has an ancestor group with GRANT but no path to that ancestor unblocked by a DENY.

...

Shoji is both a Developer and a Faculty member. In order to improve portal project implementation metrics, someone decided to DENY Faculty the permission to subscribe to the Portal Issues channel, so it would appear that the end users were having no problems. But Developers have been GRANTed permission to subscribe to this channel so that they can mark issues resolved.

Shoji < (GRANT) Developer

Shoji < (DENY) Faculty

Concrete IPermissionPolicy implementations

...

Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any ancestor group GRANTed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.

...

Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any "path" traversing child-parent relationships up the groups tree to a group GRANTed permission that is not blocked by a group that is DENYed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.
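
The two rule orderings above differ only in their third rule. The following added example is a small model written for this page, not uPortal's own code: it evaluates the page's scenarios under both orderings. The function names are hypothetical, and the group memberships are constructed from the examples above (Faculty's parent group is left unspecified).

```python
# Added illustration, not uPortal code: function names are hypothetical.
GRANT, DENY = "GRANT", "DENY"

# child -> direct parent groups, constructed from the page's examples
PARENTS = {
    "Shawn Bayern": ["Staff"], "Staff": ["Everyone"],
    "Mark Boyd": ["Developers"], "Andrew Petro": ["Developers"],
    "Developers": ["Everyone"],
    "Shoji": ["Developers", "Faculty"],
    "Mike Z.": [],
}

# One permission per map: principal or group -> its explicit GRANT/DENY
CARTOONS = {"Everyone": GRANT, "Staff": DENY}
FEEDBACK = {"Everyone": GRANT, "Andrew Petro": DENY}
PORTAL_ISSUES = {"Developers": GRANT, "Faculty": DENY}
SECRETS = {"Developers": GRANT}

def reachable_grant(principal, perms, deny_blocks):
    """Walk child-parent links upward looking for a GRANTed group."""
    seen, stack = set(), list(PARENTS.get(principal, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        if perms.get(group) == GRANT:
            return True
        if deny_blocks and perms.get(group) == DENY:
            continue  # do not climb through a DENYed group
        stack.extend(PARENTS.get(group, []))
    return False

def decide(principal, perms, deny_blocks):
    explicit = perms.get(principal)
    if explicit is not None:  # rules 1 and 2: an explicit entry on the Principal wins
        return explicit
    if reachable_grant(principal, perms, deny_blocks):  # rule 3
        return GRANT
    return DENY  # rule 4: deny by default

def any_ancestor_grant(principal, perms):
    """First ordering: any GRANTed ancestor group is enough."""
    return decide(principal, perms, deny_blocks=False)

def unblocked_path_grant(principal, perms):
    """Second ordering: the path to the GRANTed group must avoid DENYed groups."""
    return decide(principal, perms, deny_blocks=True)
```

Only the Shawn Bayern case separates the two orderings: the DENY on Staff is ignored by the first and blocks his only path to Everyone under the second.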