Access Realms

An object with access control directly assigned (as opposed to inherited from the parent object) is said to form an access realm. Any other objects that inherit access control from this object are members of that access realm. For example, if a gallery is explicitly set to Public, and all the photos in this gallery are set to inherit access control, then there is an access realm formed by this gallery and all the gallery photos as well as the gallery itself are members of this access realm.

Setting an object to inherit its access control from the parent object joins the object and, potentially, some or all of its children, with the access realm of the parent object. Subsequently, assigning an object explicit access control settings as opposed to inheriting removes this object from its current access realm and creates a new realm formed by this object.

Each access realm is identified by a unique numeric ID, which is made available through the RealmId member of the AccessDescriptor snapshot. Your application can compare realm identifiers returned for different objects to determine if they belong to the same realm.

Access realms play an important role when working with password-protected objects (objects which access type is set to Password, directly or by inheritance). Providing the correct password unlocks access not only to this particular object but also to all objects from the same access realm. For example, if a user enters the correct password for a password-protected gallery, access is automatically granted to all photos that inherit their access control from that gallery.