Access privilege checking for access to services is implemented in the following order:
Has the global administrator role?
Access privilege granted directly or indirectly through an assigned role; that is, either the user is directly assigned the role, or a group that the user belongs to either directly or indirectly is assigned that role?
If the response is:
Yes, then access is granted and checking stops.
No to the first question, then checking continues.
No to the second question, then access is denied.
