How Group Permissions and Password Folder Permissions Work

1. Overview

This document outlines the design of our permission system, which uses a combination of Allow List and Deny List group types to manage user access to companies within our application.

2. Core Principles

2.1 Group Types

  • Allow List: Users can only access explicitly allowed companies
  • Deny List: Users can access all companies except explicitly denied ones

2.2 Priority

  • Deny List takes precedence over Allow List
  • If a company is explicitly denied, it remains inaccessible even if allowed by another group

2.3 Cumulative Permissions

  • Permissions stack across multiple groups
  • A user's effective permissions are a combination of all their group memberships

3. Detailed Permission Logic

3.1 Allow List Groups

  • A user can see a company if ANY of their Allow List groups permit it

3.2 Deny List Groups

  • A user cannot see a company if ANY of their Deny List groups restrict it

3.3 Combining Allow and Deny Lists

  1. Collect all denied companies from Deny List groups
  2. Collect all allowed companies from Allow List groups
  3. Remove any companies from the allowed list that appear in the denied list

3.4 Default Access

  • Users in only Allow List groups: No access by default
  • Users in only Deny List groups: Full access by default (except denied companies)
  • Users in both types: No access by default (treated as Allow List)

4. Resolution Algorithm

  1. Start with the default set of accessible companies based on group types
    • If user is in both Allow List and Deny List groups, start with an empty set
    • If user is in only Deny List groups, start with all companies
    • If user is in only Allow List groups, start with no companies
  2. Remove all companies explicitly denied by any Deny List group
  3. Add all companies explicitly allowed by any Allow List group
  4. The resulting set is the user's accessible companies

5. Example Scenarios

Scenario 1: User in Mixed Group Types

User belongs to:
  1. Group A (Deny List): Denies access to companies X and Y
  2. Group B (Allow List): Allows access to companies Y and Z
  3. Group C (Deny List): Denies access to company W
Result:
  • User cannot access companies W, X, and Y (denied by Groups A and C)
  • User can access company Z (allowed by Group B)
  • User cannot access any other companies (due to Allow List default for mixed group types)

Scenario 2: User in Only Allow List Groups

User belongs to:
  1. Group D (Allow List): Allows access to companies P and Q
  2. Group E (Allow List): Allows access to companies Q and R
Result:
  • User can access companies P, Q, and R
  • User cannot access any other companies

Scenario 3: User in Only Deny List Groups

User belongs to:
  1. Group F (Deny List): Denies access to companies M and N
  2. Group G (Deny List): Denies access to companies N and O
Result:
  • User cannot access companies M, N, and O
  • User can access all other companies
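
The rules in sections 2 to 4, checked against the three scenarios above, as an added example that is not the application's own code. It subtracts the deny set last, so a company that is both allowed and denied (Y in Scenario 1) stays inaccessible, as section 2.2 requires. The `Group` type, the `ALLOW`/`DENY` labels, the company universe, and the no-access result for a user with no groups are assumptions.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"  # hypothetical labels for the two group types


@dataclass(frozen=True)
class Group:
    name: str
    kind: str             # ALLOW or DENY
    companies: frozenset  # companies the group allows or denies


def effective_companies(groups, all_companies):
    """Return the set of companies a user with these groups can access."""
    universe = frozenset(all_companies)
    allowed, denied = set(), set()
    for g in groups:
        if g.kind == ALLOW:
            allowed |= g.companies
        elif g.kind == DENY:
            denied |= g.companies
        else:
            # Fail closed on a malformed group rather than skipping it.
            raise ValueError(f"unknown group type {g.kind!r} in {g.name}")
    has_allow = any(g.kind == ALLOW for g in groups)
    has_deny = any(g.kind == DENY for g in groups)
    # 3.4: only Deny List groups -> start from everything; otherwise nothing.
    # Assumption: a user with no groups also starts from nothing.
    base = universe if (has_deny and not has_allow) else frozenset()
    # Allows outside the known company set are ignored (assumption).
    # Denies are subtracted last so a deny always beats an allow (2.2).
    return frozenset(((base | allowed) & universe) - denied)


# Constructed sample data mirroring the three scenarios on this page.
ALL = frozenset("KMNOPQRWXYZ")  # K stands for "any other company"
SCENARIO_1 = [Group("A", DENY, frozenset("XY")),
              Group("B", ALLOW, frozenset("YZ")),
              Group("C", DENY, frozenset("W"))]
SCENARIO_2 = [Group("D", ALLOW, frozenset("PQ")),
              Group("E", ALLOW, frozenset("QR"))]
SCENARIO_3 = [Group("F", DENY, frozenset("MN")),
              Group("G", DENY, frozenset("NO"))]

if __name__ == "__main__":
    for label, groups in [("1", SCENARIO_1), ("2", SCENARIO_2), ("3", SCENARIO_3)]:
        print(label, sorted(effective_companies(groups, ALL)))
```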