Two groups are nested if one of the groups contains the other group as a member. The access control system treats this as though all members of the contained group are also members of the containing group. In other words, permissions for nested groups are treated as cumulative.
One group, GlobalMarketing, could for example contain another group, USMarketing, resulting in all members of USMarketing being treated as members of GlobalMarketing. This means that members of USMarketing inherit the access rights granted to GlobalMarketing members. So, if GlobalMarketing has view access to the File Server portlet, and USMarketing has view access to the Reminder portlet, USMarketing has view access to both the File Server and Reminder portlets. For example, Joe, as a member of the GlobalMarketing group, can only access the File Server portlet, but Susan, as a member of the USMarketing group, can access both portlets.
If you do not plan to use nested groups for access control inheritance, set accessControlDataManagement.enableNestedGroups to false in the Access Control Data Management Service to improve performance. This will limit the membership lookup that Portal Access Control performs to one group level in the hierarchy. This means that a user is granted access rights only by explicit role mappings or role mappings to the groups of which that user is a direct member. See Setting service configuration properties for information.
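The following added example (not product code) models the two lookup modes described above, using the GlobalMarketing/USMarketing scenario as constructed data, and lists the access each user would lose if lookup were limited to one group level. The function names and data structures are hypothetical, and it assumes user and group names do not collide.

```python
from collections import deque

# Constructed sample data mirroring the example in the text (not from a real portal).
# MEMBERS maps each group to its direct members; a member may be a user or a group.
MEMBERS = {
    "GlobalMarketing": {"Joe", "USMarketing"},
    "USMarketing": {"Susan"},
}
# View-role mappings: group -> portlets that group may view.
VIEW_GRANTS = {
    "GlobalMarketing": {"File Server"},
    "USMarketing": {"Reminder"},
}

def effective_groups(principal, members=MEMBERS, nested=True):
    """Return the groups whose role mappings apply to `principal`.

    nested=False models the one-level lookup: direct membership only.
    """
    direct = {g for g, m in members.items() if principal in m}
    if not nested:
        return direct
    seen, queue = set(direct), deque(direct)
    while queue:
        group = queue.popleft()
        for parent, m in members.items():
            # `seen` also stops the walk on circular nesting (A in B, B in A).
            if group in m and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def viewable(principal, nested=True, members=MEMBERS, grants=VIEW_GRANTS):
    """Union of the view grants of every group that applies to `principal`."""
    result = set()
    for group in effective_groups(principal, members, nested):
        result |= grants.get(group, set())
    return result

def access_lost_without_nesting(users, members=MEMBERS, grants=VIEW_GRANTS):
    """Per user, the portlets reachable only through nested membership."""
    lost = {}
    for user in users:
        diff = viewable(user, True, members, grants) - viewable(user, False, members, grants)
        if diff:
            lost[user] = diff
    return lost
```

Running `access_lost_without_nesting` over the user list before changing the property shows which users depend on inherited access and would need explicit role mappings.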