When you assign multiple roles to a user, the effective security a user has is cumulative. It is a union of least restrictive privileges.
You need to work out effective security practices on a privilege-by-privilege basis. There is no tool provided that performs this analysis for you.
The None access level is not the same as Deny. This behavior is different to the behavior in AD that you might be familiar with.
For example, three security roles have the following access levels on the Update privilege for the Contact entity:
- None
- User
- Business Unit
The effective privilege is the least restrictive of these, that is, Business Unit.
In another example, three security roles have the following access levels on the Assign privilege for the Activity entity:
- User
- Business Unit
- Organization
The effective privilege is the least restrictive of these, that is, Organization.
Determining effective privileges is much easier with the layered approach previously...