Access Control Lists basics

Posted by vtortola on Stack Overflow See other posts from Stack Overflow or by vtortola
Published on 2010-04-15T14:04:41Z Indexed on 2010/04/15 14:13 UTC
Read the original article Hit count: 595

Filed under:

acl

|

users

|

groups

|

security

|

authorization

Hi,

I'm gonna add authorization, user and groups management to my application, basically... you will can define a set of permissions for a concrete user or group. For example, you could specify whom can use a concrete resource.

So I want to ensure that my assumptions about ACLs are right:

A basic rule could be "Grant", "Deny", "NoSet".
User permissions have priority over group permissions.
"Deny" statement has priority over "Grant".

For example, user "u1" belongs to group "A", the resource "X" has this ACL "u1:grant,A:deny" user "u1" should be able to access the resource, shouldn't it?

If a resource has no ACL set... does it means that anyone can access it? should I provide a default ACL?

Any document about ACL in a general way?

Cheers.

© Stack Overflow or respective owner

Related posts about acl

Difference between array('Acl' => array('type' => 'requester')) and array('Acl' => 'requester') in C

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm following the ACL tutorial for CakePHP 1.3 and I was wondering if there is a functional difference between declaring a behavior like this: var $actsAs = array('Acl' => 'requester'); and like this: var $actsAs = array('Acl' => array('type' => 'requester')); >>> More
Squid + Dans Guardian (simple configuration)

as seen on Server Fault - Search for 'Server Fault'
I just built a new proxy server and compiled the latest versions of squid and dansguardian. We use basic authentication to select what users are allowed outside of our network. It seems squid is working just fine and accepts my username and password and lets me out. But if i connect to dans guardian… >>> More
Squid configuration for proxy server

as seen on Server Fault - Search for 'Server Fault'
I have a server with 10 ip's that I want to give access to some friends via authentication but I'm stuck on squid's config file. Let's say I have these ip's available on my server: 212.77.23.10 212.77.1.10 68.44.82.112 And I want to allocate each one of them to a different user like so: 212.77… >>> More
Unable to get squid working for remote users

as seen on Server Fault - Search for 'Server Fault'
I am trying to setup squid 3.2.4, but I have not been able to get it working for remote users. Works fine locally. Unable to figure out what I am doing wrong... http_port 3128 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/share/ssl-cert/myCA.pem refresh_pattern… >>> More
video and file caching with squid lusca?

as seen on Super User - Search for 'Super User'
hello all i have configured squid lusca on ubuntu 11.04 version and also configured the video caching but the problem is the squid cannot configure the video more than 2 min long and the file of size upto 5.xx mbs only. here is my config please guide me how can i cache the long videos and files with… >>> More

Related posts about users

rake migration aborted: could not find table 'roles'

as seen on Stack Overflow - Search for 'Stack Overflow'
I just inherited code that I'm attempting to run the migrations for but I keep getting a rake aborted error. I've come across others that have what appears to be similar issues, but most involved Heroku and I'm trying to run this locally (to start.) I've tried troubleshooting using both PostgreSQL… >>> More
Including an embedded framework using a cross-project-reference: Header no such file or directory

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to create a Cocoa framework by using a cross-project reference in Xcode. I have 2 projects: one for the framework; one for the application that will use the framework. This framework is not intended to be stored within the system; it is an embedded framework that lives within the application… >>> More
Spork servers super slow (>3m) to start for RSpec & Cucumber BDD

as seen on Stack Overflow - Search for 'Stack Overflow'
I recently installed a fresh development setup on my laptop and now notice that my instances of spork take several minutes to start up. This is also most likely of the RSpec and Cucumber tests start up times running super slow. I ran in diagnostic mode with the -d flag and received the output below… >>> More
Sinatra and XML POST request

as seen on Stack Overflow - Search for 'Stack Overflow'
I don't know is it my mistake or no. So i have that code: <code> post '/singin/get_token' do content_type :xml puts request.body.read puts xmlRequest xmlRequest = REXML::Document.new(request.body.read) ... </code> And when i post something like that: <code> <?xml… >>> More
Exception with RubyAMF and Ruby 1.9 although code works

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm getting an exception with RubyAMF using Ruby 1.9 and Rails 2.3.5. Although code afterward executes normally I'm not very comfortable with seeing such exception in the log file. Do you know what is causing it: >>>>>>>> RubyAMF >>>>>>>>> #<RubyAMF::Actions::PrepareAction:0x0000010139ff48>… >>> More