Just wondering agian...
If I look at the users Instance,OBS and Global rights are they supposed to match exactly to what I see in the Lincense portlets?
What if they don't?
Well it was me again
One of the groups had OBS rights at the top level with unit an descendants.
Removed memberships until
Project - Risk, Issue, Change Request - Create/Edit
was removed and then tested each removed one and monitored which one brought that back.
I had a spreadsheet of rights, but as the global right is
Project - Risk, Issue, Change Request - Edit - All
Project - Risk, Issue, Change Request - Edit
did not bring the OBS (or) instance rights the groups had.
Thanks nick_darlington and Kathryn_Ellis for your effort.
Can you provide a specific example?
I was looking at another system for
Project - Risk, Issue, Change Request - Edit - All or
and could not locate them in the rights of user, groups or OBS units but could locate users having them in the lincense portlets
These are the rights by user view for a specific user filtered for those particular rights.
According to that the users has Project - Risk, Issue, Change Request - View which is an instance (or OBS) right
These are the instance rights the user has
No OBS rights.
In my system I checked with queries that none of the groups where the user was a member had those right at Global, Instance or OBS level and no OBS had those rights either.
where in the rights by user portlet for a user which I random picked from the query results for the view Rights by user . There were others in the query result
Then I ran all Senthil''s queries for the rights displayed in the User's access rights and no results which matches what I see in the GUI.
Just wondering if that is related to these
For the delete/edit/view-all entries, if you navigate to an instance of a project record (for an example user where they are also having other permissions for viewing the project) and can get to the 'Access to this project' section from the drop-down, clicking on the key icon beside the user's name you're interested in may reveal those rights and how they are receiving them:
Whether the rights are global, instance, or via OBS, it should list them here. The trick will probably be identifying at least one user and project combination that you will know this will work for, because for a project where the user isn't having rights, I don't think it will show access to that instance's subobject records either. I could be mistaken about that - I use this page for this 'reverse lookup' reason of determining where a user gets their rights from sometimes, but I'm not personally familiar with all of its business rules and logic that drive the results. Worth a try perhaps if you've not already covered this option.
Just to close this the answer is "Yes, an exact match is expected"
To clarify the above
"Yes, an exact match is expected"
but that is not going to happen.
In Administration - Resources only the Global access rights display the rights that are assigned to the user directly or through a group
The OBS and Instance rights display only the rights that are assigned to the user directly, not rights coming from the membership to a group and I assume not the rights coming from being associated with and OBS unit either.
The license information rights by user on the other hand displays the instance and OBS rights coming from through group memberships.
With nick_darlington 's method you can find that out if you can locate and instance where the user has access.
If not then test with trial and error which group that is.
It is also important to read the right names literally, because there are minor differences between global and the other rights not just the - All at the end.
Retrieving data ...