[Tfug] Ideas for handling group based allow/deny permissions?

elemint at theriver.com elemint at theriver.com
Wed Jun 23 16:21:37 MST 2004 

What about something like this?

http://www.linuxsecurity.com/resource_files/host_security/trustees-quickstart.html


But I do not think it will solve the anding problem where someone is a in
one group that allows read and another that is denied.

What about having the groups without read and without write as apposed to
deny would that achive the same thing they would not have the permission
to read and write but they would not have the all powerful deny, what do
you think?




Jim


> Hello all,
>
> I'm currently working on writing a document management system for
> storing/distributing docs/pictures/etc. between different people in a
> company. Hopefully to be released GPL some day. I am developing this with
> a
> "group" security policy so that a document xyz.txt may have read/write
> permissions for groups A, C, and D and deny permission for group F. A user
> wanting to look/search for that document may be part of groups B, C, and E
> (the idea being that when you grow to 10,000s of documents and users, it
> is
> far easier to track/sort permissions then listing every single user
> permission for every single document).
>
> I am currently trying to figure out how to handle the problem that occurs
> when
> users are members of multiple groups and you allow/deny members in
> overlapping groups... Has anyone done something like this before and how?
> I
> see a couple options, but nothing really works in all cases.
>
> For instance, consider a company HR document detailing benefits. It
> applies to
> all full time employees, but not the commisioned sales staff, so you don;t
> want them to see it. You set the permissions so that it is readable by
> everyone in the "employees" group, but denied to anyone in the "sales"
> group.
> In the following users:
>
> Alice: Marketing coordinator, member of "employees" and "marketing" (etc.)
> Bob: Sales, member of "employees" and "sales"
>
> So Alice gets to look at the document, but Bob is denied... But now think
> about Bob's manager Ted:
>
> Ted: Sales manager, member of "employees" "managers" and "sales"
>
> Ted should be able view the document because he is a manager, but because
> he
> is part of the "sales" group (because he manages/reviews their work) he is
> forbidden from viewing it... So what to do???
>
> I see 2 basic ways around it:
> 1)Do an "allow group && deny group && allow individual && deny individual"
> type security check, which gets combersome to remember "Ted" must be
> specifically allowed every time.
> 2)Make lots of different groups (i.e. "sales", "commisioned-sales",
> "salaried-sales", "part-time-sales", etc.) which gets very cumbersome to
> manage users in all the different groups.
>
> Neither of these approaches handles the "user doesn't understand permision
> AND'ng" problem and I don;t think either handles the scaling to 1000's of
> users problem either. Any other suggestions?
>
> Adrian
> _______________________________________________
> tfug mailing list
> tfug at tfug.org
> https://www.tfug.org/mailman/listinfo/tfug
>

More information about the tfug mailing list