The Client Service evaluates the permissions a specific user is granted on a specific customer (effective customer permission grants) as follows.
Let puc be the set of permissions granted to user u on customer c. Before any permission is added to this set, the service checks whether that permission is already in the set, i.e., puc contains no duplicates.
For all roles the user has on the system securable, the contained customer permissions are gathered and all these permissions are added to puc.
For each role assignment the user has on customer c, and that is not flagged as applicable to related customers only, the permissions of the assigned role are added to puc.
For all customer relation types that customer c uses for role inheritance, the relationship path is queried. The relationship path is the ordered set of customers r={p1, p2, ..., pn, c}.
For each ancestor in each of these relationship paths, all role assignments for user u of roles defined to propagate via that specific customer relationship type are gathered and all customer permissions in these roles are added to puc.
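The evaluation steps above, as an added Python sketch (not the Client Service's own code). The `Role` and `Assignment` types, the `parents` map and all sample data are constructed for illustration, and the sketch assumes each customer has at most one parent per relation type.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    customer_permissions: frozenset
    propagates_via: frozenset = frozenset()  # relation types the role propagates along

@dataclass(frozen=True)
class Assignment:
    user: str
    customer: str
    role: Role
    related_only: bool = False  # applicable to related customers only

def relationship_path(parents, rel, c):
    """Return r = [p1, ..., pn, c]; parents maps (relation type, child) -> parent."""
    path = [c]
    while (p := parents.get((rel, path[0]))) is not None:
        if p in path:  # a cyclic relation would otherwise loop forever
            raise ValueError(f"cycle in '{rel}' relation at {p}")
        path.insert(0, p)
    return path

def effective_permissions(u, c, system_roles, assignments, inherits_via, parents):
    puc = set()  # a set, so no duplicates can enter
    for role in system_roles.get(u, ()):  # roles on the system securable
        puc |= role.customer_permissions
    mine = [a for a in assignments if a.user == u]
    for a in mine:  # direct assignments on c, skipping related-only ones
        if a.customer == c and not a.related_only:
            puc |= a.role.customer_permissions
    for rel in inherits_via.get(c, ()):  # relation types c uses for inheritance
        ancestors = relationship_path(parents, rel, c)[:-1]
        for a in mine:  # only roles defined to propagate via this relation type
            if a.customer in ancestors and rel in a.role.propagates_via:
                puc |= a.role.customer_permissions
    return puc

# Constructed sample data (hypothetical customers, roles and permissions).
AUDITOR = Role("auditor", frozenset({"customer.read"}))
BILLING = Role("billing", frozenset({"invoice.read", "invoice.write"}), frozenset({"reseller"}))
ADMIN = Role("admin", frozenset({"user.manage"}))
PARENTS = {("reseller", "acme-eu"): "acme-global", ("reseller", "acme-de"): "acme-eu"}
INHERITS_VIA = {"acme-de": {"reseller"}}
SYSTEM_ROLES = {"alice": [AUDITOR]}
ASSIGNMENTS = [
    Assignment("alice", "acme-global", BILLING, related_only=True),
    Assignment("alice", "acme-eu", ADMIN),
]
```

With this data, alice's billing permissions reach acme-de through the reseller path but do not apply on acme-global itself, and the non-propagating admin role stays on acme-eu.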