Explicit permissions trump inherited permissions

We just encountered a permissions problem with spaces and multiple users we cannot solve. We have a space with two subpages in three hierarchy layers like this:

                   User X     User Y
Space A            edit      
\---subpage1       (edit-)    edit
  \---subsubpage1  (edit)

User X has edit rights on the whole space A (including all of its two subpages), but cannot edit subpage1, because only user Y has edit rights there, which thus denies User X its edit rights. We currently cannot solve this and would love some help.

Thanks in advance!

Hi @Qua8zoh6,

It looks like you figured out that one’s explicit allow results in one’s implicit deny. Another good-to-know rule is that the rights in XWiki are inherited from the root to the leaves, and in your case the edit chain for user X is interrupted by the explicit edit of user Y.
What you need to do now is to explicitly allow the Edit right to user X on subpage1, and thus you will remake the edit chain for user X.

You can read the Rights Rules to get more knowledge about the topic.
Hope it helps!

Thank you, I am aware of the principle of it, but there has to be a better workflow than this. This means triple-checking every odd permission if a new user with new permissions is being added, and this is not a viable solution in a company with lots of users.

If you know the principle, maybe you are also aware of Groups. To achieve what you need, you can have a Group A with X as a member and a Group B with both X and Y as members. Then, Group A would have Edit on Space A and Group B would have Edit on subpage1. Being a member of Group B, X will not lose Edit on subpage1.
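
The rule discussed in this thread, as an added example that is not part of any post and is not XWiki's code: a simplified Python model of "an explicit allow implicitly denies everyone else at that level", with a check that lists where a user's right held on the parent is cut off on a child page. The function names and rule layout are assumptions for illustration, and deny rules and wiki-level defaults are left out.

```python
# Simplified model of the rule described in this thread (an assumption, not XWiki's code):
# on a page, allow rules for a right implicitly deny every subject not named in them;
# a page with no rule for that right inherits the decision from its parent.
PARENT = {"Space A": None, "subpage1": "Space A", "subsubpage1": "subpage1"}

def can(user, right, page, rules, groups):
    """Walk from the page towards the root; the nearest level with a rule decides."""
    subjects = {user} | {g for g, members in groups.items() if user in members}
    while page is not None:
        allowed = rules.get(page, {}).get(right)
        if allowed:  # explicit allow here: everyone not named is denied
            return bool(subjects & allowed)
        page = PARENT[page]
    return False  # assumption of this model: no rule anywhere means no access

def interrupted(right, rules, groups, users):
    """Return (user, page) pairs where the right held on the parent is lost on the page."""
    lost = []
    for page, parent in PARENT.items():
        if parent is None:
            continue
        for user in users:
            if can(user, right, parent, rules, groups) and not can(user, right, page, rules, groups):
                lost.append((user, page))
    return lost

USERS = ["X", "Y"]
# Setup from the question: X allowed on Space A, Y allowed on subpage1.
PER_USER = {"Space A": {"edit": {"X"}}, "subpage1": {"edit": {"Y"}}}
# Setup from the last reply: rights go to groups, and X is a member of both.
GROUPS = {"Group A": {"X"}, "Group B": {"X", "Y"}}
PER_GROUP = {"Space A": {"edit": {"Group A"}}, "subpage1": {"edit": {"Group B"}}}

if __name__ == "__main__":
    print(interrupted("edit", PER_USER, {}, USERS))        # per-user rules
    print(interrupted("edit", PER_GROUP, GROUPS, USERS))   # group-based rules
```

Running the check after each rights change gives the list of broken chains directly, instead of re-reading every page's rules by hand.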