Hi,

I'm gonna add authorization, user and group management to my application; basically, you will be able to define a set of permissions for a concrete user or group. For example, you could specify who can use a concrete resource.

So I want to ensure that my assumptions about ACLs are right:

  • A basic rule could be "Grant", "Deny", "NoSet".
  • User permissions have priority over group permissions.
  • "Deny" statement has priority over "Grant".

For example, user "u1" belongs to group "A", and the resource "X" has this ACL: "u1:grant,A:deny". User "u1" should be able to access the resource, shouldn't it?

If a resource has no ACL set... does it mean that anyone can access it? Should I provide a default ACL?

Any document about ACL in a general way?

Cheers.

+1  A: 

User permissions have priority over group permissions.

This contradicts the third point. You should take the union of the permissions of the user and the group. There is no priority; the operation is binary: either the permission is in this set or not.

Deny denies everything: user and group permissions.

Andrey
So, when I check the user/user-group rights on a resource, as soon as there is a single "deny"... I should deny the access?
vtortola
Yes. This is how it works in Windows. http://msdn.microsoft.com/en-us/library/aa374872(VS.85).aspx
Andrey
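The evaluation rule the answer describes (take the union of the user's and the groups' entries, and a single "deny" wins over any "grant"), as an added example that is not code from the question or the answer. It assumes the compact "u1:grant,A:deny" syntax from the question, treats "NoSet" as an entry that expresses no opinion, and defaults to deny when no entry applies, since the question left the no-ACL case open.

```python
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    GRANT = "grant"
    DENY = "deny"
    NOSET = "noset"  # the question's "NoSet": present, but undecided


@dataclass(frozen=True)
class AclEntry:
    principal: str  # a user name or a group name
    effect: Effect


def parse_acl(text: str) -> list[AclEntry]:
    """Parse the question's compact form, e.g. 'u1:grant,A:deny'."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        principal, _, effect = item.partition(":")
        entries.append(AclEntry(principal.strip(), Effect(effect.strip().lower())))
    return entries


def is_allowed(acl: list[AclEntry], user: str, groups: set[str],
               default_allow: bool = False) -> bool:
    """Deny-wins check over the union of user and group entries.

    default_allow (assumption, not from the thread) decides the outcome when
    no grant or deny entry applies to the user or any of their groups.
    """
    principals = {user, *groups}
    applicable = [e for e in acl
                  if e.principal in principals and e.effect is not Effect.NOSET]
    if not applicable:
        return default_allow        # no opinion recorded: fall back to the default
    if any(e.effect is Effect.DENY for e in applicable):
        return False                # a single deny overrides every grant
    return True                     # at least one grant and no deny


if __name__ == "__main__":
    # The question's own case: u1 is granted, but its group A is denied -> denied.
    print(is_allowed(parse_acl("u1:grant,A:deny"), "u1", {"A"}))
```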