tags:

views:

42

answers:

0
+1  Q: 

ACL group structure: top down or bottom up?

I've put together an ACL permissions system into my application and I'm now wondering about how best to use it, especially in regards to user groups. In it's simplest form, there will be several "role" groups ("admins", "editors", "users", etc) and all users will belong to one of these groups.

My question is: in your experience, is it better* to structure the ARO tree to have the most permissions at the top and remove them as you go down (1) or to have the least permissions at the top and add them as you go down (2).

(1):
- Admins          allow all
  - Editors       deny create, delete
    - Users       deny update

(2):
- Users           allow read
  - Editors       allow update
    - Admins      allow create, delete

What are the pros and cons of each?

related questions

Can't copy file with appropriate permissions using FileIOPermission
GetProcessesByName() and Windows Server 2003 scheduled task
Starting a process in C# with username & password throws "Access is Denied" exception
How do you set directory permissions in NSIS?
PHP: How to check if a directory is writeable?
Sharepoint Item Level Access & performance
sudo echo "something" >> /etc/privilegedFile doesn't work... is there an alternative?
What is the best way to create a security architecture?
Hierarchical Group Permissions Theory/Resources?
Why is access denied when installing SSL cert on IIS 5?
What databases do I have permissions on
Can an iPhone App Be Run as Root?
SQLite/PHP read-only?
Multiple permission types (roles) stored in database as single decimal
SharePoint Permissions
CakePHP ACL Database Setup: ARO / ACO structure?
LINQ and Database Permissions
What's the best way to implement a SQL script that will grant select, references, insert, update, and delete permissions to a database role on all the user tables in a database?
php scripts writing to non-world-writable files
How do I detect if a function is available during JNLP execution?
Implementing permissions in PHP
Access Control Lists & Access Control Objects, good tutorial?
In Visual Studio you must be a member of Debug Users or Administrators to start debugging. What if you are but it doesn't work?
Where should I put my log file for an asp.net application?
What is the best way to handle multiple permission types?