In a typical instance, the account authorities are structured such that:
- admin is the account authority for themselves and for an account authority called accounts.
- The accounts account acts as the account authority for all other accounts.
An instance can have more than one account authority. This allows management of the accounts to be delegated to different groups.
Account authorities act as an intermediary between product publishers and product subscribers. If accounts under the control of one account authority require products owned by accounts under the control of another account authority, a special method is required to permit the products to be installed.
Assuming we have two account authorities, A and B, and accounts within B need access to products owned by accounts within A:
- As admin, create a user group called "Account authorities", and put A and B in it.
- Grant the account authorities user group grant rights on themselves.
Then, for each product:
- As A, create a Manifest node, and on this:
- Grant permission to the account authorties user group.
- In the manifest items, give "node-read-all-members node-link" to the product install.
- Inherit from the product install.
- As B, subscribe to the required products from A. If these involve installs, the installs can be deleted.
- Accounts within B can now subscribe to the products from accounts within A.
At the time of writing (June 2021) the above procedure throws up a bunch of errors. However, the subscriptions are created and the approach does work.