Permissions with multiple user-defined roles


I grant access to our data mainly using owner policies, but I want to create a ReadAll role for certain members to get read-only access to all data.

In the global permissions matrix, all roles have deny for all actions, except for the ReadOnly role, which has some read permissions set to granted. When I look at the Roles Permissions table for my data tables, the Find and Describe actions are inherited as granted for the ReadAll role.

When I assign the ReadAll role to a user though, along with some other user-defined roles, it does not inherit the grant permissions from the ReadAll role.

Looking at this article: the grant permission should be assigned because it states that it goes down in the permissions hierarchy until it finds a grant, and only denies when no rule grants it permission.

Looking at this part of the documentation though: it seems to suggest that the logic stops when a role denies permission instead of going down in the hierarchy.

I am a bit puzzled by this. If the role has read permissions for the data table, why does a user with that role assigned not have them?

Kind regards,

P.S. My application ID is C6730F91-F429-E4C9-FF61-ED62B2B2E100

I messed around a bit, and when I explicitly set the Roles Permissions of my data tables for the ReadAll group (although I set them the same as they are inherited), the user does get access.

This works for me, but I still would like to understand how it works exactly…
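The two readings contrasted in the question (walk the roles until one grants, versus stop as soon as a role denies) can be made concrete in a small model. The following is an added illustration, not code from the original thread and not the platform's actual permission engine; the role names, table names and matrix values are constructed, and the three-layer lookup (explicit table setting, then inherited global cell, then nothing configured) is an assumption made to mirror the "inherited" cells described in the post.

```python
"""
Two candidate ways of combining the permissions of a user's roles, modelled
on the conflicting descriptions in the question. Constructed example: the
roles, tables and matrix values are made up and do not reflect any real app.
"""
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"


GRANT, DENY = Decision.GRANT, Decision.DENY

# Global permissions matrix (constructed): every role denies every action,
# except ReadAll, which is granted the read-type actions Find and Describe.
GLOBAL_MATRIX: Dict[str, Dict[str, Decision]] = {
    "ReadAll": {"Find": GRANT, "Describe": GRANT, "Create": DENY, "Update": DENY},
    "Editor":  {"Find": DENY,  "Describe": DENY,  "Create": DENY, "Update": DENY},
    "Auditor": {"Find": DENY,  "Describe": DENY,  "Create": DENY, "Update": DENY},
}

# Per-table Roles Permissions (constructed). A missing cell is inherited from
# GLOBAL_MATRIX; an explicitly set cell overrides the inherited value.
TABLE_PERMISSIONS: Dict[str, Dict[str, Dict[str, Decision]]] = {
    "Orders":   {"Editor": {"Find": GRANT, "Update": GRANT}},
    "Invoices": {},
}


def role_decision(role: str, table: str, action: str) -> Optional[Decision]:
    """Effective decision of one role for one table/action: the explicit
    table-level setting wins, otherwise the inherited global cell, otherwise
    None (nothing configured for that role)."""
    explicit = TABLE_PERMISSIONS.get(table, {}).get(role, {}).get(action)
    if explicit is not None:
        return explicit
    return GLOBAL_MATRIX.get(role, {}).get(action)


def resolve_any_grant(user_roles: List[str], table: str, action: str) -> Decision:
    """Model A (the article's reading): keep going through the user's roles
    until one of them grants; deny only when no role grants."""
    decisions = [role_decision(r, table, action) for r in user_roles]
    return GRANT if GRANT in decisions else DENY


def resolve_deny_stops(user_roles: List[str], table: str, action: str) -> Decision:
    """Model B (the documentation's reading): walk the roles in order and stop
    at the first explicit deny; grant only if no role denies and at least one
    role grants."""
    granted = False
    for r in user_roles:
        d = role_decision(r, table, action)
        if d is DENY:
            return DENY
        if d is GRANT:
            granted = True
    return GRANT if granted else DENY


def compare(user_roles: List[str], table: str, action: str) -> Dict[str, str]:
    """Side-by-side result of both models for one access check."""
    return {
        "any_grant": resolve_any_grant(user_roles, table, action).value,
        "deny_stops": resolve_deny_stops(user_roles, table, action).value,
    }


if __name__ == "__main__":
    # A user holding ReadAll plus another deny-everything role is exactly the
    # situation in the question: the two models disagree on inherited grants.
    for roles in (["ReadAll"], ["Auditor", "ReadAll"], ["Editor", "ReadAll"]):
        for table in ("Orders", "Invoices"):
            print(roles, table, "Find", compare(roles, table, "Find"))
```

Running it shows the divergence the question describes: a user with only ReadAll reads under both models, but a user holding ReadAll together with a role whose inherited cell is deny is granted under model A and denied under model B. Under model B, giving the other role an explicit table-level grant (as in the "Orders" override for Editor) is what flips the result, which is the kind of behaviour the follow-up post observed.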

Hi Jeroen,

If a custom role has a permission for a table/operation, then a user in that role would also have that permission. For example, take a look (in console) at the “Administrator” role for the “M****nSystems” table. The role has a full set of permissions (they are inherited from the global definition though). Now, take a look at the “J**iAdmin” user. The user has the Administrator role and you can see that the permissions from the role have been inherited.

Hope this helps.