Both the Functional Privileges tab and the Object Association Privileges tab are divided into two grids. One grid is for privilege classes and the second is for privileges that are included in the selected privilege class.
If Allow All Functional and Object Association Privileges (for the (Default) ACD) or Allow All Object Association Privileges for this Role is selected, the role is granted all privileges in all privilege classes. To grant or deny selected privileges to a role, you must clear this option.
By selecting Allow All or Deny All for a privilege class, you select corresponding check boxes for the associated privileges.
For example, you can allow accounts in a role to secure action requests by selecting Allow All for the Associate Action Editors Privilege Class on the Object Association Privileges tab. Accounts in the role can then secure an action request with an ACL that uses the ACD.
Use the Privilege Classes grid to display associated privileges in the Privileges grid. You can also use the Privilege Classes grid to allow or deny all privileges in either a single class or all classes.
To select a row in the Privilege
Classes grid, click a row indicator cell or either an Allow
All or Deny All cell. The grid
arrow
,
indicates the class of privileges displayed.
You can also allow or deny all privileges in all privilege classes. Use Allow All and Deny All for the Privilege Classes grid or select corresponding commands from the shortcut menu. To remove all selections in the Privilege Classes grid, click or select Clear All.
Use the Privileges grid to allow or deny privileges within a privilege class. You can allow or deny a privilege by selecting the corresponding Allow or Deny check box. If both the Allow and Deny check boxes are cleared, the role is denied the privilege.
You can also allow or deny all privileges in the class. Use Allow All and Deny All for the Privileges grid or select corresponding commands from the shortcut menu. To remove all selections in the Privileges grid, click Clear All.
When a user is a member of more than one role, certain rules apply to avoid security conflicts.
Use the Functional Privileges tab on the Role Specifications dialog to assign Functional Privileges to roles in the (Default) ACD.
You can allow or deny access to Functional Privileges for any role in the (Default) Access Control Domain. Configure Functional Security with the Functional Privileges tab on the Role Specifications dialog. For more information see Assigning Privileges.
When a role is denied a Functional Privilege, any functions associated with the privilege are unavailable to the user and group accounts in the role. For example, if the privilege to invoke the Access Definition Editor privilege from the Invoke Definition Editors privilege class is denied to a role, the Access Definition option in the Definitions menu on the main window is unavailable to users in that role and, also, the Edit Access Definition button and menu option are unavailable from any request editor (for example, the Extract Request Editor).
The (Default) ACD governs Functional Privileges. Subordinate ACDs can determine Object Association Privileges only.

The following Functional Privileges, by privilege class, are available.
(Local) privileges refer to requests that are created from another object editor. For example, if a role is denied the Insert Request (Local) privilege, the role is unable to create a local Insert Request from the Restore Request Editor.
(Local) privileges refer to definitions that are created from another object editor. For example, if a role is denied the Access Definition (Local) privilege, the role is unable to create a local Access Definition from the Extract Request Editor.
This class includes the following privileges:
This class includes the following privileges:
This class includes the following privileges:
This class includes the following privileges:
This class includes the following privileges:
Use the Object Association Privileges tab to indicate the types of object for which the role has Object Association Privileges. Object Association Privileges allow the role to use roles defined in the ACD as the basis for an ACL that protects objects of the indicated type.

For more information about working with privileges and privilege classes see Assigning Privileges.