
Let us understand how these privileges work with respect to roles. If a role is granted the privilege to "view project" at the company level, and not at the object level, then the user can still "view project". If the user is denied the privilege at the company level and granted the privilege at the object level, then the user cannot "view project". Similarly, if a user's privilege to "view project" is unspecified at the company level but granted at the object level, then the user will be able to "view project". Let us understand the concept of Roles and Privileges through the illustration below:

"View" Project privilege
Company level                         <unspecified><unspecified><unspecified>                 
Object Level<unspecified><unspecified><unspecified>
Result
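The three rules stated above, written out as an added example (not code from the product): it resolves one privilege across the two levels and lists object-level grants that a company-level deny makes ineffective. Assumptions: "not at the object level" is read as unspecified, an explicit object-level deny also wins, a privilege unspecified at both levels gives no access, and the `Contractor` and `Guest` roles and all sample settings are constructed.

```python
from enum import Enum


class Setting(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    UNSPECIFIED = "unspecified"


G, D, U = Setting.GRANTED, Setting.DENIED, Setting.UNSPECIFIED


def resolve(company, obj):
    """Effective result for one privilege of one role across the two levels."""
    if company is D:
        return False  # page: a company-level deny beats an object-level grant
    if obj is D:
        return False  # assumption: an explicit object-level deny also wins
    # page: a grant at either level is enough; assumption: nothing set = no access
    return company is G or obj is G


def effective(entries):
    """Map (role, privilege) to the resolved True/False result."""
    return {(e["role"], e["privilege"]): resolve(e["company"], e["object"])
            for e in entries}


def shadowed_grants(entries):
    """Object-level grants that can never take effect (company level denies)."""
    return [(e["role"], e["privilege"]) for e in entries
            if e["company"] is D and e["object"] is G]


# Constructed sample settings; "Contractor" and "Guest" are made-up role names.
SAMPLE = [
    {"role": "Staff", "privilege": "view project", "company": G, "object": U},
    {"role": "Developer", "privilege": "view project", "company": D, "object": G},
    {"role": "Contractor", "privilege": "view project", "company": U, "object": G},
    {"role": "Guest", "privilege": "view project", "company": U, "object": U},
]

if __name__ == "__main__":
    for (role, priv), allowed in effective(SAMPLE).items():
        print(f"{role:<11}{priv}: {'allowed' if allowed else 'not allowed'}")
    print("shadowed object-level grants:", shadowed_grants(SAMPLE))
```

A non-empty result from `shadowed_grants` points at settings worth reviewing: someone granted access on an object expecting it to work, while the company-level deny keeps it blocked.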

Now, let us understand this concept in the context of a user who has the following roles in a company: Mark Duncun is a staff member (since he is a user) and is also a developer. If Mark is assigned the privilege of "viewing a task", he will have the following privileges:

"View" Task privilege
Staff                                                 <unspecified><unspecified>                
Developer<unspecified><unspecified>
Result

Let's understand security with respect to departments and roles. There is a department, Sales, and Mark Duncun plays the role of Sales Manager of that department. Now, it is possible that Mark also belongs to another department, say, Accounts, where he does not play the role of a manager but is just a staff member. Therefore, the privileges that Mark gets in the Sales department are not what he gets in the Accounts department. Let's assume there is a department "Human Resource" with Joe as the head of the department. The "Human Resource" department is responsible for two different projects, with Joe as the manager of P1 and John as the manager of P2. Now, since Joe is the head of the "Human Resource" department, he has privileges which override his privileges as manager of P1. In other words, Joe has more authority over the department, but less over P1. However, even though Joe is the head of the "Human Resource" department, he still has limited privileges in P2 compared to John, who has more privileges in P2 since he is the manager.

Privileges at Department Level | View Project | Edit Project | Delete Project | View Financial | Edit Financial | Add Project
Mark (Sales Manager)<unspecified><unspecified>
Privileges at Project level | View Project | Edit Project | Delete Project | View Financial | Edit Financial | Add Project
Mark (Staff)<unspecified>
Result