[Tfug] Ideas for handling group based allow/deny permissions?
Choprboy
choprboy at dakotacom.net
Wed Jun 23 15:11:44 MST 2004
Hello all,
I'm currently working on writing a document management system for
storing/distributing docs/pictures/etc. between different people in a
company. Hopefully to be released GPL some day. I am developing this with a
"group" security policy so that a document xyz.txt may have read/write
permissions for groups A, C, and D and deny permission for group F. A user
wanting to look/search for that document may be part of groups B, C, and E
(the idea being that when you grow to 10,000s of documents and users, it is
far easier to track/sort permissions than listing every single user
permission for every single document).
I am currently trying to figure out how to handle the problem that occurs when
users are members of multiple groups and you allow/deny members in
overlapping groups... Has anyone done something like this before and how? I
see a couple options, but nothing really works in all cases.
For instance, consider a company HR document detailing benefits. It applies to
all full time employees, but not the commissioned sales staff, so you don't
want them to see it. You set the permissions so that it is readable by
everyone in the "employees" group, but denied to anyone in the "sales" group.
In the following users:
Alice: Marketing coordinator, member of "employees" and "marketing" (etc.)
Bob: Sales, member of "employees" and "sales"
So Alice gets to look at the document, but Bob is denied... But now think
about Bob's manager Ted:
Ted: Sales manager, member of "employees" "managers" and "sales"
Ted should be able to view the document because he is a manager, but because he
is part of the "sales" group (because he manages/reviews their work) he is
forbidden from viewing it... So what to do???
I see 2 basic ways around it:
1) Do an "allow group && deny group && allow individual && deny individual"
type security check, which gets cumbersome to remember "Ted" must be
specifically allowed every time.
2) Make lots of different groups (i.e. "sales", "commissioned-sales",
"salaried-sales", "part-time-sales", etc.) which gets very cumbersome to
manage users in all the different groups.
Neither of these approaches handles the "user doesn't understand permission
AND'ing" problem and I don't think either handles the scaling to 1000's of
users problem either. Any other suggestions?
Adrian
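
The HR-document scenario above, worked through as an added example (not code from the original post). The precedence order, the Acl class and the function names are assumptions made for illustration: user entries beat group entries, deny beats allow at the same level, and no match means deny.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    allow_groups: frozenset = frozenset()
    deny_groups: frozenset = frozenset()
    allow_users: frozenset = frozenset()
    deny_users: frozenset = frozenset()

# Constructed sample data: the three users described in the post.
MEMBERSHIP = {
    "alice": frozenset({"employees", "marketing"}),
    "bob": frozenset({"employees", "sales"}),
    "ted": frozenset({"employees", "managers", "sales"}),
}

def can_read(user, acl, membership=MEMBERSHIP):
    """Return (decision, reason) under the assumed precedence:
    user deny, user allow, group deny, group allow, default deny."""
    groups = membership.get(user, frozenset())
    if user in acl.deny_users:
        return False, "denied by user entry"
    if user in acl.allow_users:
        return True, "allowed by user entry"
    denied = groups & acl.deny_groups
    if denied:
        return False, "denied by group " + ",".join(sorted(denied))
    allowed = groups & acl.allow_groups
    if allowed:
        return True, "allowed by group " + ",".join(sorted(allowed))
    return False, "no matching entry"

def conflicted_users(acl, membership=MEMBERSHIP):
    """Users who match both an allow group and a deny group. These are the
    cases to review, because the group deny wins without any warning."""
    return sorted(u for u, g in membership.items()
                  if g & acl.allow_groups and g & acl.deny_groups)

# The document as set up in the post: readable by "employees", denied to "sales".
GROUPS_ONLY = Acl(allow_groups=frozenset({"employees"}),
                  deny_groups=frozenset({"sales"}))
# Option 1 from the post: the same ACL plus an individual allow for Ted.
WITH_TED = Acl(allow_groups=frozenset({"employees"}),
               deny_groups=frozenset({"sales"}),
               allow_users=frozenset({"ted"}))

if __name__ == "__main__":
    for label, acl in (("groups only", GROUPS_ONLY), ("with user allow", WITH_TED)):
        for user in MEMBERSHIP:
            print(label, user, can_read(user, acl))
    print("review:", conflicted_users(GROUPS_ONLY))
```

Running conflicted_users over each document's ACL lists the overlaps (here Bob and Ted) so that a per-user exception is a reviewed decision rather than something an administrator has to remember.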