Permissions Explainability Surface

WHO

Primary Subject

User

Primary selector for effective-permission analysis. Engine resolves direct assignments plus all group-derived access.

Resolved Account

Effective Group Membership

Derived

Mechanical Engineering

Change Control Board

QMS Authors

Read-only outcome of subject resolution. This supports explainability without forcing the admin to reason about group inheritance manually.

Optional Scope Constraint

Filter

Focus on One Group Contribution

Include Templates in Assessment

Use Template permissions in results.

Include Work Flows in Assessment

Use work flow inheritance in permissions in results.

Include State Permissions in Assessment

Use work flow state permissions in permissions in results.

Administrative Permissions

Question Type

Folder Permissions

Folder Selection

State Permissions

Transition Permissions

RESULTS SET

Solved Permission Case

Why Lauren McKenna cannot delete files in Released

The trace resolved all direct and inherited contributions for Lauren McKenna in \Projects\Pump Platform\Released. Although her engineering group grants delete rights earlier in the vault path, the Change Control Board contribution is explicitly removed at the Released state, producing a final denied outcome.

Final Result: Denied

Permission Tested

Delete File

Folder permission evaluated with workflow and state inheritance included.

Object Scope

Released

\Projects\Pump Platform\Released under the Work In Process - Engineering workflow.

Primary Blocker

State Rule

Released state subtracts Delete File for Change Control Board members.

Admin Outcome

Explained

No need to inspect folder cards, users, and group assignments manually.

Permission Trace

Subject

Lauren McKenna (lmckenna) resolved with three effective groups. Mechanical Engineering, Change Control Board, QMS Authors
Folder

Mechanical Engineering grants Delete File on the parent project folder. This would allow the action if no stronger subtractive rule applied downstream.
Workflow

Workflow inheritance remains enabled for this path. The engine continues evaluating state-level permission contributions.
State

Released subtracts Delete File for Change Control Board. This state-level rule overrides the earlier folder grant and produces the final deny result.

Contributor	Scope	Effect	Reason
Mechanical Engineering	Folder	Grant	Delete File is allowed on the parent engineering folder set.
Change Control Board	Released State	Subtract	Released content is protected from deletion for controlled-change reviewers.
QMS Authors	Template	Neutral	No additional Delete File contribution was found in the active template chain.

Recommended Admin Actions

Immediate explanation Lauren cannot delete this file because the Released state removes that permission for one of her effective groups.
If deletion should be allowed Update the Released state permission matrix for Change Control Board, or move the user out of the contributing group for this scope.
If current behavior is correct No vault change is needed. The trace confirms the deny is expected and policy-driven.
Time saved The answer is visible without manually traversing user membership, folder permissions, workflow inheritance, and state rules in separate admin tools.