I have the following user groups:

- Builders
  - User1
  - User2
- Contributors
  - User1 (Note: this is a member of Builders also)
  - User2 (Note: this is a member of Builders also)
  - User3
  - User4
  - User5

and the following build definitions (Dev build definitions outnumber Prod build definitions by many times):

- Dev Builds
  - Build Definition 01
  - Build Definition 02
  - Build Definition 03
  - Build Definition 04
  - Build Definition 05
- Prod Builds
  - Build Definition 51
  - Build Definition 52

Since Dev build definitions outnumber the Prod build definitions by many times, the default at the "All Build Definition" level is to allow access to both Contributors and Builders. I want to deny Contributors access to Prod build definitions. However, if I explicitly Deny, User1 and User2, who are members of both groups, get "denied" that access. The only other options I can use are "Inherited Allow" and "Allow". How else can it be achieved? I would like to keep the default this way so that fewer build definitions require an override, unless there is no other way.

Here is a typical permission:

- All Build Definition
  - View Build Definition (picked one of the permissions as a sample)
    - Builders - Allow
    - Contributor - Allow
- One of the Prod Build Definitions
  - View Build Definition (picked one of the permissions as a sample)
    - Builders - Inherited Allow (Options are Allow, Deny, Not Set)
    - Contributor - Inherited Allow (Options are Allow, Deny, Not Set)

Here is what happens:

- Inherited Allow at Contributor - All users have access
- Deny at Contributor - User1 and User2 lose their access regardless of any permissions at the Builders group
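
The behaviour described in the question, as a simplified model (an added example, not part of the original post and not the product's own resolution code). It assumes a group's setting on a definition is inherited from "All Build Definition" unless set explicitly, and that a Deny reaching a user through any group outranks an Allow from another; the function names and ACL dictionaries are hypothetical. `overridden_allows` is the audit a permissions owner would run before applying a Deny: it lists the users whose Allow from one group would be cancelled.

```python
from enum import Enum

class Perm(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    NOT_SET = "Not Set"

# Group membership as listed in the question.
GROUPS = {
    "Builders": {"User1", "User2"},
    "Contributors": {"User1", "User2", "User3", "User4", "User5"},
}
ROOT = "All Build Definition"  # parent scope every definition inherits from

def group_setting(acls, definition, group):
    """Explicit setting on the definition, else the one inherited from ROOT."""
    for scope in (definition, ROOT):
        setting = acls.get(scope, {}).get(group, Perm.NOT_SET)
        if setting is not Perm.NOT_SET:
            return setting
    return Perm.NOT_SET

def effective(acls, definition, user):
    """Assumed rule: a Deny from any group beats an Allow from another group."""
    settings = {group_setting(acls, definition, g)
                for g, members in GROUPS.items() if user in members}
    if Perm.DENY in settings:
        return Perm.DENY
    return Perm.ALLOW if Perm.ALLOW in settings else Perm.NOT_SET

def overridden_allows(acls, definition):
    """Users who hold an Allow via one group but are denied via another."""
    hits = {}
    for user in sorted(set().union(*GROUPS.values())):
        per_group = {g: group_setting(acls, definition, g)
                     for g, members in GROUPS.items() if user in members}
        if Perm.DENY in per_group.values() and Perm.ALLOW in per_group.values():
            hits[user] = per_group
    return hits

# Constructed ACLs mirroring the two cases in the question.
DEFAULT_ACLS = {ROOT: {"Builders": Perm.ALLOW, "Contributors": Perm.ALLOW}}
DENY_ACLS = {**DEFAULT_ACLS,
             "Build Definition 51": {"Contributors": Perm.DENY}}

if __name__ == "__main__":
    conflicts = overridden_allows(DENY_ACLS, "Build Definition 51")
    for user, per_group in conflicts.items():
        print(user, {g: p.value for g, p in per_group.items()})
```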