A crystal report I find quite useful when analyzing privilliges issues.
What I have found out is that if a privilege is set by the wizard att the top level of an object and You erase all old ones it will erase all privileges records and produce ine at the "top" wilt 31 ( read, writ , execute,,,
I run a wizard för analyst to incident all privilege at the top level: This produce 1 record at the top with the value of 31.
I create another role with no privileges. Except that this one has a Read only on Note in incidents.
I create a user that has both this roles: ( Analyst, analyst2)
Because that the role Analyst 2 has a restriction AND the Analyst role has a top level of RWE ( ReadWrite Exexcute on topp level) nothing is set on the individual Note object) the sum of the isolated privilege Notes in incident will be Read only.
Running the report will reveal these "hidden" privileges and show what the actual privileges will be.
So my way is to se that the prime basic privilege is really set att each object. And erase everything on the add on privilege roles totally first ( with the wizard). And then set the individual to the enhanced privilege. Run the report to confirm the cross tabs of roles and object.
Nice to hear if there are more clever ways to take control of and document the privilege settings.
Privigies V5.rpt 1.0 MB