
Authorizations


Authorization Logic

Authorizations in cFolders always contain an object (such as a folder or a document), an activity, and a user. You can assign an authorization to a user either explicitly or implicitly. Implicitly means that the user receives the authorizations through the roles or user groups assigned to him or her.


The basic rules for authorizations in cFolders are as follows:

1. Authorizations are inherited through a hierarchy.

Example 1: Folder A has subordinate folder A.1. Steve Gates has write authorization for folder A. This means that he automatically has write authorization for folder A.1, too.

2. User authorizations override authorizations from user groups or roles; authorizations from user groups override authorizations from roles.

Example 2: In folder A, user Steve Gates has read authorization. In addition, user group Product Managers has write authorization. Steve Gates belongs to this user group. However, since user authorizations override authorizations derived from user groups, Steve Gates has read authorization for folder A.


When you filter by users and user groups, the system only displays explicit authorizations and not implicit authorizations. For more information, see SAP Note 788139.

3. Local object authorizations override inherited authorizations if the local and the inherited authorizations are of the same authorization type (user, user group, or role).

Example 3: Bill Ellison, an administrator for folder A.1, sets read authorization for Steve Gates in folder A.1. This restricts Steve Gates’ authorization because the local authorization (folder A.1) overrides the inherited authorization (folder A).

4. If a user has an inherited authorization of a different type from the local authorization (for example, one is an authorization from a user group and the other is a user authorization), only rule 2 applies. The local authorization cannot override the inherited authorization in this case:

Example 4: Steve Gates has read authorization for folder B and for the subfolder B1, which has inherited this authorization. User group Product Managers, which Steve Gates belongs to, also has write authorization for subfolder B1. In this case, the valid authorization for Steve Gates is read authorization because this is a user authorization. Although local object authorizations generally override inherited authorizations, user authorizations always override authorizations from user groups.


An object can also have authorizations that are defined by the status of the object. These authorizations override all other possible authorizations. For more information, see Object Authorizations per Status.

When objects are copied, the authorizations are not copied with them. The copied object inherits the authorizations from higher-level objects at the next level of the hierarchy.
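
Rules 1 to 4 can be expressed as a resolution routine that checks the authorization type first and the position in the hierarchy second. The following Python example is added here and is not SAP code; the Node class, grant(), effective_authorization() and the data model are assumptions. It leaves out status-based authorizations and copying, and it raises an error when one object carries conflicting entries of the same type for the user, a case the rules above do not cover.

```python
# Added illustration of rules 1-4; the data model and all names are assumptions,
# not SAP code. Status-based authorizations and copying are not modelled.
PRECEDENCE = ("user", "group", "role")  # rule 2: user > user group > role

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.acl = {}  # (kind, principal) -> "read" | "write"

    def grant(self, kind, principal, activity):
        self.acl[(kind, principal)] = activity
        return self

def effective_authorization(node, user, groups=(), roles=()):
    """Return (activity, kind, object name the entry is set on), or None."""
    principals = {"user": {user}, "group": set(groups), "role": set(roles)}
    for kind in PRECEDENCE:            # rules 2 and 4: type decides first
        current = node
        while current is not None:     # rule 1: inherited from higher levels
            hits = {act for (k, p), act in current.acl.items()
                    if k == kind and p in principals[kind]}
            if len(hits) > 1:          # the page gives no rule for this case
                raise ValueError(f"conflicting {kind} entries on {current.name}")
            if hits:                   # rule 3: nearest entry of this type wins
                return hits.pop(), kind, current.name
            current = current.parent
    return None

def page_examples():
    """Constructed trees reproducing Examples 1-4 for user Steve Gates."""
    who = dict(user="Steve Gates", groups=["Product Managers"])
    a = Node("A").grant("user", "Steve Gates", "write")
    ex1 = effective_authorization(Node("A.1", a), **who)
    a2 = Node("A").grant("user", "Steve Gates", "read")
    a2.grant("group", "Product Managers", "write")
    ex2 = effective_authorization(a2, **who)
    a1 = Node("A.1", a).grant("user", "Steve Gates", "read")
    ex3 = effective_authorization(a1, **who)
    b = Node("B").grant("user", "Steve Gates", "read")
    b1 = Node("B1", b).grant("group", "Product Managers", "write")
    ex4 = effective_authorization(b1, **who)
    return ex1, ex2, ex3, ex4

if __name__ == "__main__":
    for n, result in enumerate(page_examples(), start=1):
        print(f"Example {n}: {result}")
```

The third element of each result names the object on which the deciding entry is set, which helps when reviewing why a user ends up with less (or more) access than a group entry suggests.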


Using Authorizations Effectively

There are generally two approaches to using authorizations. If you want a user only to have access to one specific object, you can assign the user the appropriate authorization (read or write) and send a message.

If you want the user to see that there is a collaboration that requires his or her participation, you first have to assign authorization at collaboration level and then change the authorization for individual objects.

The method you use depends on the collaboration and the number of objects involved. If you want a user to see at least the name of the collaboration and part of the overview tree, it would be better to assign read authorization for the whole collaboration.


