Groups

An aPriori group is a-named container of aPriori users (or sub-groups) who share the same access requirements.

Groups have permissions, which are discussed in the next section.

Groups can have sub-groups. You can re-use the same name for different groups; uniqueness is determined by the full path of each group. For example, "/USA/Devel" and "/EU/Devel" are both recognized as valid, unique groups. Every user (even administrators) belong to at least one group: the system-defined group "All Users". (Since slashes are used to specify group paths, you cannot create a group with a slash as parts of its name.) System Administrators can also assign users to additional groups as necessary to control the permissions they have. Note that groups are the primary mechanism for modeling your organization's access requirements.

There are four system-defined groups, including one sub-group. The names in parentheses show the internal aPriori name for the group, which you may encounter in different contexts:

• All Users (all_users)

• System Admins (administrators)

• Super Users (super_user)

• VPE Admins (vpe_administrators)

These system-defined groups cannot be deleted, though the permissions associated with them can be edited. Note that all users (including members of the "System Admins" and "VPE Admins" groups) are members of the "All Users" group.

All other groups are defined by an administrator or other user who is granted group creation permission.

Groups have a default attribute ("name"), and a membership setting (None, Automated, or Manual), but can also have other custom attributes (not to be confused with User Defined Attributes).

If a user is a member of two groups, one of which allows access to a resource, and a second group that denies access to that same resource, that user will be denied access (although aPriori provides the ability to ignore or override "deny" permissions, which will be discussed later).

Note: If you make use of LDAP connections, see Notes about LDAP Connections and Access Control Groups in the System Administrator chapter.

Sub-groups

Groups can contain sub-groups, and sub-groups can also contain other sub-groups. Adding a user to a group automatically adds the user to any parent groups. Removing a user from a group automatically removes the user from all sub-groups. (Removed users are not removed from parent groups since they may belong to other sub-groups of a common parent.)

Sub-groups allow you to model access control situations where, for example, a given user is an administrative user for one project but just a "regular" user for a different project. In a case like this, the user could belong to the "Project A Admins" and "Project B Team Members" groups.

Note: There is not any real difference between creating a user-defined group at a peer level with the system-defined groups and creating it as a sub-group of All Users.

Super Users

The System Admins group has a sub-group called "Super Users", which automatically gets created (but not populated) at installation time.

Note: It is important that the administrator installing aPriori add himself or herself to the Super Users group before doing any other Access Control configuration. Once the Super Users group has at least one member, you can never accidentally delete the last member and potentially lock yourself out of the system.

As you might expect, members of the Access Control Super-Users group have powerful permissions that are not granted to other users. Specifically, they have "strongGrant" permissions for groups and permissions (described later in this chapter). In other words, they have Access Control powers over Access Control features.

Only the following Super-User characteristics can be changed, and they must be changed by a Super User:

• password (which you should change as soon as the installation is done)

• membership in the Super-Users sub-group (you can add and remove members)

Note that you cannot remove the last member of the Super Users group. If you need to remove the last user, you must first add another Super User.