Access Control Overview
As an administrator, you must ensure that only the appropriate participants have access to objects. Decisions about access rights are expressed as access control rules. There are two types of access control rules:
Policy rules are set in domains for objects of a specific object type within a specific life cycle state and grant, deny, or absolutely deny access control permissions to those objects. These rules determine the types of interactions participants can have with objects of the specified type and life cycle state in the domain. Policy rules form an access control policy for the domain.
Ad hoc rules are set on an object and grant access control permissions to the specific object. These rules determine the types of interactions participants can have with the object.
For example, you can create a policy rule that gives the Publication group permission to modify objects of type WTDocument when they are in the Under Review state of their life cycle. Another policy rule could be created to absolutely deny the Publication group permission to delete WTDocument objects when they are in the Released state of their life cycle. Additionally, an ad hoc rule could be added to a specific instance of a WTDocument, such as a Publications Plan, that grants a select group of users who are not in the Publications group permission to modify this specific document.
Access control lists (ACLs) are derived from the access control rules. There are two types of ACLs:
policy ACLs, which apply to an object type.
ad hoc ACLs, which apply to a specific object.
The ACL is the basic mechanism for enforcing access control decisions when a user attempts to interact with an object. ACLs are created upon demand and are cached to maximize system performance.
When a user views the attributes of an object and some of those attributes reference access controlled objects, such as participants, whether the user sees the attribute value is determined by whether the user has Read permission for the referenced object. Typically, when a user does not have Read permission for a referenced object, the field shows (Secured information) instead of the attribute value. For example, assume that a user displays information about a product. On the page displayed, one of the product attribute fields is Created By and the value is the name of the user who created the product. If the user displaying the product information does not have Read permission for the user who created the product, then the name of that user does not appear. Instead of the name, the user sees (Secured information).
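The following is an added example, not part of this documentation or of the product's own code, that models the rule types described above (policy rules keyed by domain, object type and life cycle state with grant, deny or absolutely deny; ad hoc grants on a single object) and the (Secured information) masking of referenced objects. The precedence among the three effects is assumed here (absolutely deny overrides everything, an ad hoc grant overrides a policy deny, a policy deny overrides a policy grant), since the page lists the effects without stating their order; the domain names, group names and objects are constructed for the example.

```python
from dataclasses import dataclass, field

GRANT, DENY, ABS_DENY = "grant", "deny", "absolutely deny"

@dataclass(frozen=True)
class PolicyRule:          # set in a domain, keyed by type + life cycle state
    domain: str; obj_type: str; state: str
    principal: str; permission: str; effect: str

@dataclass(frozen=True)
class AdHocRule:           # set on one object; ad hoc rules only grant
    principal: str; permission: str

@dataclass
class Obj:
    name: str; domain: str; obj_type: str; state: str
    ad_hoc: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)

def has_permission(user, groups, obj, perm, policy):
    """Effective decision for one (participant, object, permission).
    Assumed precedence (the page lists the effects but not their order):
    absolutely deny overrides everything, an ad hoc grant on the object
    overrides a policy deny, and a policy deny overrides a policy grant."""
    who = {user, *groups}
    effects = {r.effect for r in policy
               if (r.domain, r.obj_type, r.state) == (obj.domain, obj.obj_type, obj.state)
               and r.principal in who and r.permission == perm}
    if ABS_DENY in effects:
        return False
    if any(a.principal in who and a.permission == perm for a in obj.ad_hoc):
        return True
    return GRANT in effects and DENY not in effects

def visible_attrs(user, groups, obj, policy, registry):
    """Attributes referencing objects the user cannot Read show a placeholder."""
    return {k: v if (v not in registry or has_permission(user, groups, registry[v], "Read", policy))
            else "(Secured information)" for k, v in obj.attrs.items()}

# Constructed sample data mirroring the page's example (names are illustrative).
POLICY = [
    PolicyRule("Docs", "WTDocument", "Under Review", "Publication", "Modify", GRANT),
    PolicyRule("Docs", "WTDocument", "Released", "Publication", "Delete", ABS_DENY),
    PolicyRule("Docs", "WTDocument", "Released", "Administrators", "Delete", GRANT),
    PolicyRule("Users", "WTUser", "Active", "Administrators", "Read", GRANT),
]
REGISTRY = {"alice": Obj("alice", "Users", "WTUser", "Active")}
PLAN = Obj("Publications Plan", "Docs", "WTDocument", "Under Review",
           ad_hoc=[AdHocRule("Reviewers", "Modify")], attrs={"Created By": "alice"})
RELEASED = Obj("Spec", "Docs", "WTDocument", "Released", attrs={"Created By": "alice"})
```

A member of both Publication and Administrators still cannot delete the Released document, because the absolutely deny rule wins over the Administrators grant.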