Applies to: VisualSVN Server 5.2 and later
Effective access permissions are the resultant access permissions that a specified user has to a specified path, based on the combined effect of all the applicable access rules set in VisualSVN Server.
It can often be difficult for an administrator to estimate the effective user permissions that the user has, without testing with that user's account. This is because there can be many applicable access rules, access rules can be set for users and for groups, users can belong to multiple groups, and groups can also be nested.
VisualSVN Server has a feature called Effective Access that makes it easier for the administrator to check whether the access rules are configured correctly and produce the intended result. This feature allows the administrator to see the effective access permissions that a user of interest has to a path of interest. Effective Access queries can be helpful for auditing purposes and for troubleshooting.
Querying effective access in VisualSVN Server Manager
When you query effective access, each query is based on two pieces of information:
- The Path that you want to check access to. This can be the path to a repository or to any folder or file in a repository.
- The User whose access to the specified Path you want to check.
To verify that access to a path is set as intended for a user:
- Open the VisualSVN Server Manager console.
- In the Repositories tree in the pane on the left, navigate to the desired item that is a repository, a folder or a file that you want to check access to. The item you choose defines the path part for your query.
- Right-click this item and select Properties | Security tab | Advanced | Effective Access tab.
- In the Effective Access tab, click Select a user.
- Search for a desired user, select this user and click OK to run the query.
- The table in the lower part of the window will display the effective access permissions that the specified user has to the specified path.
For example, in the screenshot below, the query's result shows that user
John has Read access but no Write access to the
/trunk folder. The
/trunk folder is located at
the root of the repository called MyRepository.
Reminder about unapplied permission changes
If you have made changes to access rules, but have not applied these changes yet (by clicking Apply), the Effective Access tab will remind you about these unapplied changes by displaying the following notification:
When querying the Effective Access permissions for a user, the evaluation will take into account only the existing access rules, i.e. the ones that have already been saved/applied.
How Effective Access permissions are evaluated
When you query and display Effective Access permissions to a path, they are evaluated in the same way as they will be when the user actually attempts to access this path (file or folder).
The query will evaluate the cumulative effect of all the relevant access rules.
Namely, the rules that are relevant to the path specified in the query are:
- Explicit access rules set on this specific folder or file.
- Access rules inherited from the parent folders.
Out of those rules affecting the path, the following access rules will be relevant for the user specified in the query:
- Access rules set specifically for the individual user.
- Access rules set for any groups that the user belongs to.
- Access rules set for any parent groups of the user's group.
The exact way in which the effective permissions are evaluated based on the relevant access rules is described in detail in KB33: Understanding VisualSVN Server authorization.
Limitations of effective access queries
This section lists the things that Effective Access permission queries cannot handle.
Cases where group membership is not known in advance
When using the Windows authentication mode, a query can determine most of the groups that the user belongs to. However, in this mode there are certain edge-case groups for which Effective Access queries cannot determine the user's membership in the group, and the effect of these groups (and their access rules) is not shown in the permissions displayed by the query. This occurs when the user's membership in a group is not known in advance from the user's account, but the user may be automatically and temporarily included into the group based on some varying circumstances. For example, this is the case for groups where the user's membership can only be decided at the time of the user's logon.
The groups, for which Effective Access queries cannot check the user's membership, include:
- The Special Identity Groups that specify the characteristics of the user's logon, such as the Network, Interactive, and Remote Interactive Logon groups. This does not include the Everyone group.
- Groups to which the user is assigned conditionally at logon time by means of Authentication Mechanism Assurance (AMA), based on whether or not the user logs on through a certificate-based method (for example, using a smart-card). This applies only if you have configured such AMA-based conditional assignments.
Setting access rules for these groups will cause a discrepancy between the results in the Effective Access tab and the permissions during real use.
When using the Subverison authentication mode, there are no such limitations. So, permissions displayed in the Effective Access tab will take into account all the groups that the user belongs to.
Queries only for a specified user
You cannot run queries by specifying a group, to check the group's access to a path. You must choose a specific user to run a query.