I am pretty much confused as to when I should implement an ACL (access control list) system in my application, though I can easily manage permissions on groups simply by fetching the session group id and restricting access using the Auth component.

How is an ACL solution better than the approach I discussed above (restricting the group access based on group id)?

How come implementing an ACL solution simplifies things when it comes to managing access rights in your application?

Until now I have learned that through ACL permissions can be granted and revoked at runtime, but this functionality is also achievable without using an ACL.

I am very much confused about this. Please help me understand the concept: when to use ACL and the benefits of using ACL in your web application.

I prefer to code with CakePHP v1.3, so it would be great if the explanation is given in the context of CakePHP, but any help (language/technology independent) related to my question is greatly appreciated.

Thanks

+2  A: 

You must use ACLs (or an equivalent user permission mechanism such as literal database User and Permission tables) rather than groups if you need to control access to individual entities which vary dynamically. File systems attach ACLs to individual files since you don't want to create a separate group for each file. Database managers attach ACLs to databases, tables, views, stored procedures and whatnot for the same reason. Web servers deal with web applications in the same manner.

In a business application dealing with business entities, you may want to partition access to entities such as different sales orders, customers, products or divisions within your company, where not everybody is allowed to create/update or even read the same entities. For instance, when sales staff are in direct competition for bonuses, they don't want everybody else to see all the information on their CRM-stored prospects.

Usually, though, you want to keep your access mechanisms as coarse-grained as is humanly possible: groups are usually good enough. Fine-grained access control mechanisms have a tendency to grow complex, expensive, inaccurate and hard to use correctly. They may even decrease security, since administrative frustration encourages people to find clever workarounds...

Pontus Gagge
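To make the answer's distinction concrete, here is an added example (not code from the post, and not CakePHP's Acl component; plain Python so it runs stand-alone) that puts the group-id check the question describes next to a minimal entity-level ACL for the sales-order scenario above. The users, groups and order ownership are constructed sample data, and the `Acl` class, its precedence rule (user entries before group entries, explicit deny before allow) and the `"*"` wildcard are design choices of this example.

```python
# Constructed sample data: two sales reps and an admin, and three sales
# orders that each belong to one rep.
USER_GROUPS = {"alice": "sales", "bob": "sales", "carol": "admin"}
ORDERS = {101: "alice", 102: "alice", 103: "bob"}


def group_allows(user, action, order_id):
    """Coarse-grained check in the style of the question's Auth-component
    approach: rights depend only on the user's group, so every sales rep
    gets the same access to every order (order_id is never consulted)."""
    group = USER_GROUPS.get(user)
    if group == "admin":
        return True
    return group == "sales" and action in {"read", "update"}


class Acl:
    """Minimal entity-level ACL. Entries are keyed by (subject, object), where
    the subject is a user name or a group name and the object is an order id
    or "*" for every object. Entries can be granted and revoked at runtime."""

    def __init__(self):
        self._allow = {}  # (subject, obj) -> set of allowed actions
        self._deny = {}   # (subject, obj) -> set of denied actions

    def allow(self, subject, obj, *actions):
        self._allow.setdefault((subject, obj), set()).update(actions)

    def deny(self, subject, obj, *actions):
        self._deny.setdefault((subject, obj), set()).update(actions)

    def revoke(self, subject, obj, *actions):
        self._allow.get((subject, obj), set()).difference_update(actions)

    def check(self, user, action, obj):
        # Precedence: the user's own entries, then the user's group; for each
        # subject the specific object before the "*" wildcard; deny wins.
        for subject in (user, USER_GROUPS.get(user)):
            for key in ((subject, obj), (subject, "*")):
                if action in self._deny.get(key, ()):
                    return False
                if action in self._allow.get(key, ()):
                    return True
        return False  # default deny: nothing matched


def build_acl():
    """Each rep may read/update only their own orders; admins get everything."""
    acl = Acl()
    acl.allow("admin", "*", "read", "update", "delete")
    for order_id, owner in ORDERS.items():
        acl.allow(owner, order_id, "read", "update")
    return acl
```

With the group check, bob can read alice's order 101 because the check has no notion of which order it is; the ACL denies it without needing a group per order.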