In Syntasa, an object record can be shared with public, user groups, or both simultaneously. In such cases, a user may receive multiple permissions for the same record through different sources.
This article explains how Syntasa determines the effective permission for a user when multiple sharing rules apply for a user.
How Permission is Evaluated
When multiple permissions apply to a single user, Syntasa follows these 2 rules:
Group Permission Overrides Public Permission: - If a user is part of any group that has access to the record, then Group-level permissions take precedence over public permissions.
Let's try to understand it with a scenario. Consider a connection record shared as follows:
- Shared with Public → Manager permission
- Shared with User Group X → Editor permission
- User A is a member of User Group X
In this scenario, Public permission (Manager) is ignored for User A because group permissions exist for user A and Group-level permissions always take precedence over public permissions. Therefore, user A is assigned Editor permission for that specific connection record.
Highest Permission Among Groups is Applied: - If a user belongs to multiple groups with different permissions, then the highest permission level among those groups is assigned to the user. You can refer to permission hierarchy at the bottom of the page.
Let's try to understand it with a scenario. Consider a connection record shared as follows:
- Shared with Public → Manager permission
- Shared with User Group X → Editor permission
- Shared with User Group Y → Viewer permission
User A is a member of both User Groups X and Y
This means User A has both Editor and Viewer permissions because they belong to two groups with different permissions on the same connection record. Since Editor > Viewer, the effective permission for User A for that specific is: Editor
This reinforces that:
- Group permissions override public access
- Public permissions apply only when no group-level access exists for the user.
Why This Matters
This behavior ensures that you can:
- Share a record with public or groups based on your access strategy
- Grant broader access to specific users/groups while restricting others, or vice versa
- Flexibly control permissions without needing to duplicate objects
- Apply fine-grained access control using a combination of public and group sharing
Permission Hierarchy
Syntasa permissions follow a defined hierarchy based on increasing levels of access. Each higher permission includes the capabilities of the lower ones, along with additional actions.
USE < VIEWER < EXECUTE < EDITOR < DEPLOY < MANAGER