Question
Areteans
NZ
Last activity: 19 Jul 2021 12:24 EDT
Access Deny rules vs Access of Role to Object rules
Hello,
I understand that access deny rules are used to deny access to a class. Hope the same functionality can also be achieved by using AROs and configuring ARO with access when which checks exactly opposite of access when used for access deny rules .
Please let me know if my understanding is correct. If yes can you advise what is the benefit of access deny rules over AROs and is there any scenario that can be achieved through access deny and not through AROs.
Any suggestions are appreciated.
Verizon
IN
@SatishKumarL5551 Hi satish,
You are absolutely right about the fact that same functionality can be achieved by using both AROs and Access deny rule. Main benefit what we get out of Access deny rule is easy maintenance and lower rule count.
Scenario: we have a supervisor access group and it has 3 roles: User, Approver and Manager and we need to restrict a particular class instance.
Solution 1:Use ARO, make sure AROs in all 3 roles should be restricted to access level 0.
Solution 2: Use Access Deny role, Wisely update any 1 access roles with access deny restrictions.
Note: Access Deny would take precedence over ARO in case both are true.
Areteans
NZ
@Ashwin Thanks for the insight Ashwin. Regarding solution 2, if one access role denies access and other access roles grant access for above scenario, wouldnt the access be granted. I hope access is granted if atleast one role grants access.
I understand that Access deny takes precedence over ARO but hope its within same role. Please let me know if otherwise.
Ford Motor Company
US
@SatishKumarL5551 You are correct, Rule Resolution sees it has access if one of them allows and another one deny's. Its "OR" not "AND".