Basic Administration > Managing Data Security > Understanding When You Can Modify Permissions
  
Understanding When You Can Modify Permissions
A disabled checkbox on the Access table indicates that you cannot change the permission. Checkboxes can be disabled for any of the following reasons:
You have not been granted the right to change the permissions on the object. This right is granted through the Change Permissions permission.
In addition to Change Permissions, you must have the permission that you are trying to grant. For example to grant a user the permission to download a document, you must have both the Change Permissions and Download permissions on the object yourself.
The ability to grant or remove specific permissions through the Access table for single objects or for multiple objects can be limited by the following:
The security preferences that identify which permissions are hidden and which permissions can be edited. By default, these preferences are set so that you cannot change any permissions on objects residing in product and library contexts and that you are allowed to update only the following permissions from the access tables in project, organization, and site contexts:
Full Control (All)
Read
Modify
Download
Modify Content
Change Permissions
The access control policy rules that are in force. These rules are created and maintained by your administrator and cannot be changed by you. For example, if the Download permission is granted in a policy access control rule, the Download permission is disabled. If the Download permission is absolutely denied and Full Control (All) permission was not previously granted via the Edit Access Control action, both the Download and Full Control (All) permissions are disabled.
The ad hoc permissions are applied by other means, such as life cycle templates or workflow. The source types are listed in the Source column of Access Rules table on the Access Information page.
The permissions are granted to parent groups or organizations. You may not have the right to change permissions that are set for parent groups or organizations. For example, if Chris Taylor has Modify permission based on membership in a group and rules for that group, Modify permission cannot be revoked specifically for Chris Taylor; the permission can only be revoked from the group.
The permissions are restricted by an administrative lock. You cannot change any permission that is not Full Control (All) or Administrative if it is restricted by an administrative lock on the object. For example, if the Product Design Package administrative lock is applied to an object and the allowed permissions are Read, Download, and Change Permissions, then a user with Read, Download, Modify, Change Permissions, and Administrative permissions can only grant Change Permissions and Administrative permissions to a user with only Read and Download permissions, assuming that the permissions have not been disabled for any other reason. The Modify permission is disabled for the second user. If the first user grants the second user Administrative permission, the Modify permission checkbox is enabled and can also be granted, if the Modify permission has not been disabled for any other reason, because the second user is no longer restricted by the administrative lock.
The rights to view a participant. If you cannot view a participant, you cannot change any permissions associated with that participant.
The permissions are not applicable to the object.
Whether the object is shared from another context. Permissions that can be granted for all objects shared from a product or library context and for parts shared from any context are limited to Read, Download, and Change Permissions.
Whether the Full Control (All) permission is granted. The Full Control (All) permission grants all permissions currently defined and any permissions that might be defined in the future, unless an absolute deny policy rule is written. When the Full Control (All) permission is granted, then the checkboxes for the other permissions are cleared and disabled.