This page is qualified with "in uPortal 2" because I wanted to post some documentation about how permissions works there and I haven't had a chance to understand how this relates to The DefaultPermissionPolicy and AnyUnblockedGrantPermissionPolicy permission policies appear both in uPortal 2 (for 2.5.4, 2.6) and in the next-gen GaP workproject.
IPermissionPolicy API
How you configure your default permission policy
Default permission policy is configured in portal.properties.
Motivating examples
My apologies for so many examples, but by setting these forth once, we can then talk about the available permission policies and how they treat each case.
Explicitly granted
Susan Bramhall is a uPortal administrator. As the Admin user, someone explicitly granted her (permission directly applied to the Principal) the permission to view the detailed results from the Error Channel instead of the low-information monkey wrench.
(GRANT) Susan Bramhall < Developers < Everyone
Explicitly denies
Andrew Petro has submitted too much feedback via the Feedback Channel and so he has been explicitly denied (permission applied directly to the Principal) permission to render the Feedback Channel. However, others are still below the maximum allowable feedback, and so are still allowed to subscribe.
(DENY) Andrew Petro < Developers < (GRANT) Everyone
Permission inheritance
The uPortal News Channel is potentially of interest to everyone (everyone needs at least one portal), so the Everyone group has been granted permission to subscribe to the channel.
...
Mark Boyd < Developers < (GRANT) Everyone
No inheritance
The Developer Secrets channel is where technically minded folks discuss techy secrets kept from the non-programmers. Only Developers have permission to subscribe.
Mike Z. is not a Developer. He is not a member of any group that has a GRANT or DENY for this permission.
Mike Z. < Staff < Everyone
Path to GRANT blocked by DENY
Shawn Bayern is in the group Staff which is in the group Everyone.
...
Shawn has an ancestor group with GRANT but no path to that ancestor unblocked by a DENY.
In a GRANTed group and also in a DENYed group
Shoji is both a Developer and a Faculty member. In order to improve portal project implementation metrics, someone decided to DENY Faculty the permission to subscribe to the Portal Issues channel, so it would appear that the end users were having no problems. But Developers have been GRANTed permission to subscribe to this channel so that they can mark issues resolved.
Shoji < (GRANT) Developer
Shoji < (DENY) Faculty
Concrete IPermissionPolicy implementations
DefaultPermissionPolicy
Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any ancestor group GRANTed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.
...
Here's how this policy treats each of the examples:
Susan is GRANTed permission to view detailed Error Channel results because of her personal GRANT.
Andrew is DENYed permission to subscribe to the Feedback Channel because of his personal DENY.
Mark is GRANTed permission to subscribe to the uPortal News Channel because he has some ancestor (Everyone) to which the permission is GRANTed and he has not been personally DENYed the permission.
Mike is DENYed permission to subscribe to the Developer Secrets Channel because neither he nor any of his ancestors are GRANTed the permission.
Shawn is GRANTed permission to subscribe to the Funny Cartoons Channel because he has some ancestor to which the permission has been GRANTed (Everyone) and while he is in a subgroup that has had the permission DENYed, he has not been personally DENYed the permission.
Shoji is GRANTed permission to subscribe to th Portal Issues channel because he has some ancestor group (Developer) to which permission has been granted.
AnyUnblockedPathPermissionPolicy
Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any "path" traversing child-parent relationships up the groups tree to a group GRANTed permission that is not blocked by a group that is DENYed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.
...