How Privileges For Users and Groups Combine
A user's privileges are a combination of those granted directly to the user and every group that user is a member of. When the privileges granted to a user and a group are different, they combine in these ways:
-
In general, the least restrictive permission takes precedence. Exception: If both Allow and Deny lists are defined within a single user or group, the Deny list takes precedence over the Allow list.
-
If a user account lacks a permission but one of its group grants it, the privilege is extended to the user.
-
A group cannot remove permissions from a user. If a group is lacking permission but the user account grants it or another of the user's groups grants it, the privilege is extended to the user.
-
If a group is marked as the default group, all users will be granted the privileges of this group. Privileges granted by the default group cannot be removed for any user. Permissions of the default group are also extended to users who are not logged in.