How permissions and roles propagate through an organization depends on where and on what types of objects they are granted. Understanding how permissions and roles propagate can help you to assign them to users appropriately.

Permission and role propagation stops at the organization boundary. Permissions granted within an organization propagate only within that organization. Permissions granted at the system level do not propagate to organizations.

Permissions (and their associated privileges) that apply to an organization are inherited by that organization's database groups and databases. Users or roles can have permissions on specific database groups, and those permissions propagate to databases within the database groups.

Roles apply only to the organization in which they are defined. If a role is defined at the system level, it applies only to the system and is not visible to organizations. If a role is defined within an organization, it applies only to that organization and is not visible to the system or to other organizations.

You can grant permissions and roles on objects within an organization, such as on a database group, on a database, or on a template. For example, granting the Start/Stop Database permission on a database group means that the user or role has the Start/Stop Database permission on all databases within that database group. If a user is granted the Start/Stop Database permission on a database group, that user can start and stop any databases within that database group. However, permissions that apply only to certain types of objects do not propagate to other objects. For example, granting the database group permission Create Database on a database is meaningless.
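The propagation rules above can be checked with a small model. This is an added example, not code from the product: the object names, the principals, and the mapping of each permission to the object type it applies to are assumptions made for illustration, and roles are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

# Object types on which each permission is meaningful (assumed mapping,
# covering only the two permissions the page names).
APPLIES_TO = {
    "Start/Stop Database": {"database"},
    "Create Database": {"database_group"},
}

@dataclass(frozen=True)
class Obj:
    name: str
    kind: str  # "system", "organization", "database_group" or "database"
    parent: Optional["Obj"] = None

def grant_scope(target):
    """Return target plus the ancestors whose grants it inherits."""
    scope, node = [], target
    while node is not None:
        scope.append(node.name)
        if node.kind == "organization":
            break  # organization boundary: system-level grants stop here
        node = node.parent
    return scope

def has_permission(grants, principal, permission, target):
    """True if principal effectively holds permission on target."""
    if target.kind not in APPLIES_TO.get(permission, ()):
        return False  # e.g. Create Database evaluated on a database
    return any((principal, permission, name) in grants
               for name in grant_scope(target))

# Constructed sample hierarchy and grants (all names are hypothetical).
system = Obj("system", "system")
org_a = Obj("org-a", "organization", system)
org_b = Obj("org-b", "organization", system)
grp_a1 = Obj("grp-a1", "database_group", org_a)
grp_a2 = Obj("grp-a2", "database_group", org_a)
db_a1 = Obj("db-a1", "database", grp_a1)
db_a2 = Obj("db-a2", "database", grp_a2)
db_b1 = Obj("db-b1", "database", Obj("grp-b1", "database_group", org_b))

GRANTS = {
    ("alice", "Start/Stop Database", "grp-a1"),  # on a database group
    ("bob", "Start/Stop Database", "system"),    # system level
    ("carol", "Create Database", "db-a1"),       # wrong object type
    ("dave", "Create Database", "org-a"),        # organization level
}
```

Running `has_permission` over every principal and object in an exported grant list gives the effective-access view to review before assigning a permission high in the hierarchy.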