An explicit individual assignment serves as the absolute final authority in Catenda Hub, giving you the power to uniquely lock or downgrade a specific user's permissions. If no individual setting is configured, the system falls back to evaluating a user's inherited paths across the global project baseline, team memberships, and owner statuses.
The access with the highest weight always wins, meaning restrictive tiers like "No Access" will be elevated if any other pathway grants higher rights.
This article contains information about the following topics:
1. Understanding the Access Levels
1.1 From least to most access
Access Level | What it allows | Default for |
No access | Prevents visibility, interaction and navigation to subfolders. | ā |
Read | Minimum privilege to see and download content; no changing operations | ā |
Write | Edit and modify, e.g. rename and move files you uploaded yourself | Single user / all users / team default |
Full access | Control every aspect of the object including permission management. | Administrator and owner default |
1.2 Understanding the Access Levels by Functional Weight
While these options appear in a linear sequence within the user interface, they carry different administrative weight. No Access and Full Access act as the system's structural extremes, while Read serves as the vital minimum threshold for visibility.
Access Level | Functional weight |
No Access (The Ultimate Restriction) | acts as an absolute block that shuts down all other permissions a user might have from teams or file ownership. |
Full Access (The Ultimate Permission) | In any shared or inherited path, this tier automatically overrides and elevates all lesser privileges. |
Write (Active Collaboration) | Intentionally restricts users from destructive management capabilities or deleting files they don't own. |
Read (The Visibility Threshold) | Functions as the entry-point to the system; anything lower drops the user into total invisibility. |
2. How Permissions Interact (By Order of Precedence)
2.1 Project Administrators
Absolute Authority
Project administrators automatically receive Full Access to every section of a project. This system rule bypasses and overrides all matrices, team assignments, owner statuses, and individual restrictions.
2.2 Individual User Settings (The Absolute Overwrite Rule)
Overwrites Everything
When a specific individual user is assigned a permission tier directly, that setting becomes the absolute final authority.
It completely cancels out and replaces any permissions that user would otherwise inherit from the All Users baseline, their Team memberships, or their status as an Item Owner. If a named individual setting is configured, that tier is applied exactly as selectedāeven if it downgrades their access to No Access.
2.3 Inherited Permissions & Owner Status (Highest Access Wins)
When a user does not have an explicit individual assignment configured, Catenda Hub evaluates all remaining paths they belong to and grants the maximum tier found.
All Users Baseline
Sets the fundamental project access level for every member. A user cannot be restricted below this baseline tier unless an individual overwrite is used.
Team Settings
If a user belongs to a team (or multiple teams) with higher access than the baseline, their access escalates to match the highest team tier.
Owner Access
The creator or uploader of an item automatically defaults to Full Access to ensure data privacy. However, administrators can configure an Owner setting (e.g., restricting it to Write access to prevent file deletion). If an owner's team setting or the global baseline provides a higher tier than their owner setting, the highest level wins.
3. Quick reference Matrices
The following matrices map out final effective access levels across different user scenarios, organized in strict order of precedence starting with individual overrides to show exactly how overlapping rules resolve.
This section contains the following topics:
3.1 The Absolute Individual Override Rule
This matrix applies to any project member, including an item owner, who has an explicit individual assignment configured. Because this rule dictates absolute final access, it replaces all other variables.
Inherited Context | Individual User Setting | Final Access Applied |
Any Configuration Tier | No Access | No Access |
Any Configuration Tier | Read | Read |
Any Configuration Tier | Write | Write |
Any Configuration Tier | Full Access | Full Access |
3.2 Standard Users and Team Members
This matrix determines final access for regular project members who do not own the item and do not have an explicit individual assignment configured.
All Users Setting | Team Setting | Regular User Access | Team Member Access |
No Access | No Access | No Access | No Access |
No Access | Read | No Access | Read |
Read | No Access | Read | Read |
Read | Write | Read | Write |
Write | Read | Write | Write |
Full Access | No Access | Full Access | Full Access |
3.3 Item Owners
This matrix determines access for the creator or uploader of an item when no explicit individual assignment is present. It highlights how the global baseline or team settings elevate an owner's access via the highest-access-wins principle.
All Users Setting | Team Setting | Owner Setting | Final Item Owner Access |
No Access | No Access | Full Access | Full Access (Owner default applies) |
Write | No Access | Read | Write (Global baseline elevates owner) |
No Access | No Access | Write | Write (Owner restriction holds) |
No Access | Full Access | Write | Full Access (Team assignment elevates owner) |
Full Access | No Access | Write | Full Access (Global baseline elevates owner) |