bmfmancini
commented
3 years ago 
Open bmfmancini opened 3 years ago
bmfmancini
commented
3 years ago
bmfmancini
commented
3 years ago Unless I am wrong I thought the user would inherit the permissions if they were in the group So this user should not be able to see the other default tree since the group permissions are set to revoke access of the others
The workaround is to in the user level set the tree permission to deny then the user can only see the one tree I know the specific user permissions will override the group but the current state any new user would have ALLOW permissions for Graph/Tree/Template
TheWitness
commented
3 years ago Permissions are additive. So if the user has no permissions and the group does, the user gets those permissions. If the user does have permissions and the group does not, the user keeps permissions.
bmfmancini
commented
3 years ago So in practice then if you have revoke access for trees/graphs etc in the group the admin would need to make sure that the new/existing user would also need to have deny deny permissions
Just double checking i will add that to the doco
TheWitness
commented
3 years ago Yea, if you want to have a 100% denial by default, the user has to be that way first.
bmfmancini
commented
3 years ago Ok cool I'll make a note on the doco for that
On Thu., Jan. 21, 2021, 22:33 TheWitness, notifications@github.com wrote:
Yea, if you want to have a 100% denial by default, the user has to be that way first.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Cacti/cacti/issues/4078#issuecomment-765097608, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADGEXTGJB4IPL3VT7GKDBVTS3DWZ7ANCNFSM4WN2Z66Q .
Hey Guys,
More regression testing I am finding that when you create a new user and assign that user to a group that has Deny/Dey/Deny the new user will still be able to see the trees/devices/graphs that were denied