Group permissions in the Pipeline are resolved using logical connectives. These include (possibly nested) conjunctions, disjunctions, and negations of a FilePermission.

Permissions to access a file is resolved using the AND operator on the file and all its containers, all the way up to the root file system. To have read access to /root/level1/level2/file, read access must be permitted to

• /root,
• /root/level1/,
• /root/level1/level2, and
• /root/level1/level2/file

Furthermore, a group can only have permissions to a file if all its parents allows it. So if a group's place in the group tree is /root/parent1/parent2/self, then in order to have read access to a file, read access must be permitted to

• root group,
• parent1 group,
• parent2 group, and
• self

However, each group can possible have multiple parents. So it is possible that a group belongs on 2 paths of a group tree, eg

• /root/parent1/self, and
• /root/parent2/self

In this case, permissions are resolved using the OR operator. Thus a group only needs permissions through one of its paths. In our example, if parent1 disallows access to a file, but root, parent2, and self all allow it, the self has permissions.