Effective Permissions if user is part of 2 Security Roles.

[james7342]

Question on how role base permissions work if a user is a member of more than 1.

Example: I have a user that is part of the "Registered Users" and "Test Role". The user is assigned a role expiration of 12/31/2023 in Role Registered Users and in Test Role the expiration date is set to 1/2/2023. On a page I assigned both roles with view permissions.

I was hoping a concatenation of the users permission with the expiration of the Test Role prevent the user from seeing the page. In testing though it looks like there is no concatenation. Each role permission is treated uniquely. Access is granted as long as their expiration date is not expired in any role.

[valadas]

Did you "Deny" the view permission or just "Unset" the view permission for one of the roles ?

[james7342]

No Deny on any role as I wanted them to have view access on the page unless one of their expiration date in any role has expired.

Currently I use the registered user role and set an expiration date on the user for membership in the role. When their expiration date expires their view access is removed.

I think DNN is working as designed. As it not really a security permission in the context I was hoping for. The users role membership is removed from the role at the expiration date. If they belong to another role that still has view access the can view the page.

You can see this when looking at the Roles. Example: The role contains 5 members. If user expiration date is reached the number will decrease by 1. Total role membership will become 4.

[valadas]

Yeah, pretty sure this is by design there. If in any role you have the rights and you don't have any "Deny" on any roles you are part of, then you can access the thing...

[james7342]

Yeah. In testing I think it's working as designed. Thanks for taking the time to respond.