Databases Reference
In-Depth Information
Figure 5-8. Access control graph
•
ALLOWED_DO_NOT_INHERIT
connects an administrator group to an organizational
unit in a way that allows administrators within that group to manage the organi‐
zational unit, but not any of its children.
Sarah
, as a member of
Group 2
, can ad‐
minister
Acme
, but not its child
Spinoff
, because
Group 2
is connected to
Acme
by
an
ALLOWED_DO_NOT_INHERIT
relationship, not an
ALLOWED_INHERIT
relationship.