Global and Backstop Access Controls

Astoria provides two repository-wide sets of capabilities for controlling access: Global and Backstop Access Controls.

Administrators define repository-wide access controls in these objects. The access controls defined by these objects serve as defaults for all objects in the repository.

Global Access Controls

Global Access Controls provide ultimate access control authorization for all objects in the repository. The privileges defined here cannot be suppressed by turning off inheritance. In addition, Global Access Controls apply to all repository objects, not just those in the cabinets.

Backstop Access Controls

Backstop Access Controls provide penultimate hierarchical authorization to repository cabinets and their contents. Backstop Access Controls are not available for Administrative list objects. Unlike Global Access Controls, privileges for this object can be suppressed for individual objects by disabling inheritance on the access controls for that object.

Backstop Access Controls are consulted only on the inheritance path from cabinets. A regular cabinet consults the Backstop Access Control object next, before checking the Global Access Control object. A cabinet in a release consults its respective release object next, then the objects up to the Products cabinet, then the Backstop Access Control object, before checking the Global Access Control object.
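The consultation order described above can be checked with a small model. This is an added example, not Astoria code or an Astoria API: the Node class, the kind labels and the object names are hypothetical, and it assumes that disabling inheritance on any object stops the upward walk at that object.

```python
BACKSTOP = "Backstop Access Control"
GLOBAL = "Global Access Control"

class Node:
    """Hypothetical repository object; not an Astoria class."""
    def __init__(self, name, kind, parent=None, inherit=True):
        self.name = name        # display name (constructed sample data)
        self.kind = kind        # "cabinet", "products", "release", "product",
                                # "document" or "admin_list" (labels assumed)
        self.parent = parent    # next object up the inheritance path
        self.inherit = inherit  # False = inheritance disabled on this object

def consultation_chain(obj):
    """Return the access control sources consulted for obj, nearest first."""
    chain = [obj.name]
    node = obj
    via_cabinet = False
    while node.inherit:
        if node.parent is None:
            # Backstop is consulted only on the inheritance path from cabinets,
            # so an Administrative list object never reaches it.
            via_cabinet = node.kind in ("cabinet", "products")
            break
        node = node.parent
        chain.append(node.name)
    if via_cabinet:
        chain.append(BACKSTOP)
    # Global applies to every object and cannot be suppressed.
    chain.append(GLOBAL)
    return chain

def suppressed_by_override(obj):
    """Sources that stop applying if inheritance is disabled on obj itself."""
    saved = obj.inherit
    obj.inherit = True
    full = consultation_chain(obj)
    obj.inherit = False
    cut = consultation_chain(obj)
    obj.inherit = saved
    return [source for source in full if source not in cut]

if __name__ == "__main__":
    # Constructed sample hierarchy.
    products = Node("Products", "products")
    widget = Node("Widget", "product", products)
    release = Node("Release 2.0", "release", widget)
    rel_cab = Node("Release Docs", "cabinet", release)
    manuals = Node("Manuals", "cabinet")
    draft = Node("draft.xml", "document", manuals)
    for item in (manuals, rel_cab, draft, Node("Users", "admin_list")):
        print(item.name, "->", consultation_chain(item))
    print("lost if draft.xml stops inheriting:", suppressed_by_override(draft))
```

Running suppressed_by_override over objects that carry local access controls shows which defaults an inheritance break would remove; the Global Access Control object never appears in that list.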