User Authentication and Access Rights

As users log on to a server configuration, they are identified individually by their user names and as members of the groups to which they belong. This information is stored as an access token for each user. Based on a user’s access rights, the server configuration determines which objects a user can see and which operations that user can perform on those objects.

The caching module in the client enforces the same user access rights set. When a client receives a message from a Message Broker, it verifies whether the user is authorized to view the data in the message. If the user has the necessary access rights, the message is stored in the client cache. Otherwise, that object will not be cached.

In a StarTeam client, you can control detailed access rights for a file: the ability to see the file, see history, check-out, check-in, and so on. For example, you can give someone the "see item and its properties" right but deny the "check-out" right.

However, with the MPX Cache Agent, granting someone the "see item and its properties" right implicitly, in effect, also grants them an "MPX Cache Agent check-out" right. This is because the client can get a file's MD5, which is all that is needed to request an MPX Cache Agent check-out. For environments in which this difference in security "interpretation" matters, you should either not deploy MPX Cache Agent or deny the "see item and its properties" right to users who should not check out the corresponding files.
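
One way to find where this gap applies before deploying MPX Cache Agent is to list every user who holds the "see item and its properties" right on a file but not the "check-out" right. The following is an added example, not StarTeam code or its API: the `Ace` record, the "any deny wins" evaluation rule, and the users, groups and file paths are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

SEE = "see item and its properties"   # right names as quoted in the text above
CHECK_OUT = "check-out"

@dataclass(frozen=True)
class Ace:                 # hypothetical access-control entry, not a StarTeam type
    principal: str         # user name or group name
    right: str
    allow: bool            # False means an explicit deny

def has_right(user, groups, right, acl):
    """Assumed model: the user needs at least one matching grant and no matching deny."""
    principals = {user, *groups}
    matches = [a for a in acl if a.principal in principals and a.right == right]
    return bool(matches) and all(a.allow for a in matches)

def cache_agent_gap(users, acls):
    """Return sorted (user, path) pairs where the user can see the item but lacks check-out.

    With MPX Cache Agent deployed, these users could still obtain the file
    content, because seeing the item is enough to learn its MD5.
    """
    findings = []
    for path, acl in acls.items():
        for user, groups in users.items():
            if has_right(user, groups, SEE, acl) and not has_right(user, groups, CHECK_OUT, acl):
                findings.append((user, path))
    return sorted(findings)

# Constructed sample data: group membership per user and one ACL per file.
USERS = {"alice": ["developers"], "bob": ["reviewers"],
         "carol": ["reviewers", "developers"], "dave": []}
ACLS = {
    "src/crypto/keys.c": [
        Ace("developers", SEE, True), Ace("developers", CHECK_OUT, True),
        Ace("reviewers", SEE, True), Ace("reviewers", CHECK_OUT, False),
    ],
    "docs/readme.txt": [
        Ace("developers", SEE, True), Ace("developers", CHECK_OUT, True),
        Ace("reviewers", SEE, True), Ace("reviewers", CHECK_OUT, True),
    ],
}

if __name__ == "__main__":
    for user, path in cache_agent_gap(USERS, ACLS):
        print(f"{user}: sees {path} without check-out; deny '{SEE}' or skip Cache Agent")
```

Each reported pair is a case where the two options in the paragraph above apply: deny the "see item and its properties" right for that user, or do not deploy MPX Cache Agent.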