Rights Hierarchy

Rights may be assigned on a user, group or site wide basis.  It is possible that a user, group and sitewide rights can all be in play, so it is important to understand which will take precedent.  The hierarchy of which rights get assigned are as follows.

For any object within the site, the more specific the assignment the more likely it is to override other rights.

Site Wide - least specific. Only gets applied if no other rights are assigned to the object.

Template Rights - Granted rights across all pages built using that template.  

Page Rights - Granted rights across just that page.  More specific than site wide and template wide.

Group Rights - Less specific.  Only get applied if a user isn't directly assigned to the object.  If multiple groups are assigned to the object and the user belongs to multiple groups then the group rights are merged.  For example Susan belongs to both the Management Group and also to the Publishers Group.  If the Management Group has no publish rights, but the Publisher Group does have publish rights, Susan WILL have publish rights.

User Rights - Most specific.  If a user is specifically assigned to an object it will override any other conflicting rights assigned to the object that relate to that user.

The diagram below may help you better understand which rights will override others.  On the far left is the most specific rights, user rights of an object.  That will always override any other rights.  Then Group rights for object, then page user, etc.  Site wide rights are only ever applied if no other rights for that user and object/page/template are found.

Object User > Object Group > Page User > Page Group > Template User > Template Group > Site

Lets look at Alice for a case example (see image below):

Alice belongs to the Media Group.  However Alice is also specifically assigned to that object.  Therefore her specific user rights are used and she cannot publish.  Even though her group can, her user rights are more specific and therefore take precedent.

Lucy, on the other hand, is not specifically assigned to the object.  Instead she is just associated to the Interns group and as such inherits the groups permissions.