
Rich access control lists


Posted Oct 22, 2015 17:50 UTC (Thu) by nybble41 (subscriber, #55106)
In reply to: Rich access control lists by fandingo
Parent article: Rich access control lists

> What about prison inmates? What about people on no-fly lists?

Personally, I tend to think of those from the opposite (positive) point of view. The group of members of society in good standing; the group of people granted the privilege of flying. (Which should be the same as the first group, but that's a whole other discussion...)

Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.
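
The onboarding problem described in the comment above, as an added example that is not part of either comment or of the richacl code. It uses a simplified first-match ACL model (an assumption, not the richacl algorithm) with constructed group, user and resource names: both policies agree for existing users, then diverge for a new account that was never added to the blacklist group.

```python
# Added illustration; simplified first-match ACL model, not the richacl algorithm.
# All group, user and resource names are constructed.
PERMS = ("read", "write")

def permitted(acl, groups, perm):
    """First entry matching the user and permission decides; no match = deny."""
    for kind, who, p in acl:
        if p == perm and (who == "everyone" or who in groups):
            return kind == "allow"
    return False

def effective_access(policy, groups):
    """Every (resource, permission) pair the given group set can exercise."""
    return {(res, p) for res, acl in policy.items()
            for p in PERMS if permitted(acl, groups, p)}

def onboarding_gaps(policy, groups, intended):
    """Access held beyond what the administrator meant to grant."""
    return effective_access(policy, groups) - intended

# Same intent expressed two ways: contractors may only read the wiki.
ALLOW_ONLY = {
    "payroll": [("allow", "employees", "read")],
    "wiki":    [("allow", "staff", "read"), ("allow", "employees", "write")],
}
DENY_BASED = {
    "payroll": [("deny", "contractors", "read"), ("allow", "everyone", "read")],
    "wiki":    [("deny", "contractors", "write"),
                ("allow", "everyone", "read"), ("allow", "everyone", "write")],
}

EXISTING = {"alice": {"staff", "employees"}, "bob": {"staff", "contractors"}}
# New contractor account: created with "staff" only, blacklist step missed.
NEW_USER_GROUPS = {"staff"}
INTENDED = {("wiki", "read")}

if __name__ == "__main__":
    for name, groups in EXISTING.items():
        same = effective_access(ALLOW_ONLY, groups) == effective_access(DENY_BASED, groups)
        print(f"{name}: policies agree = {same}")
    for label, policy in (("allow-only", ALLOW_ONLY), ("deny-based", DENY_BASED)):
        gaps = sorted(onboarding_gaps(policy, NEW_USER_GROUPS, INTENDED))
        print(f"{label}: excess access for new account = {gaps}")
```

Running `onboarding_gaps` against every newly created account is one form the "let the software handle it" check could take.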



Rich access control lists

Posted Oct 22, 2015 18:26 UTC (Thu) by fandingo (guest, #67019)

> Personally, I tend to think of those from the opposite (positive) point of view. The group of members of society in good standing; the group of people granted the privilege of flying. (Which should be the same as the first group, but that's a whole other discussion...)

What a coincidentally self-serving stance, but it's still a tortured viewpoint that's incorrect. It simply doesn't comport with reality. The government does not maintain a list of people authorized to fly, so there's no group there. They do maintain lists for no-fly and mistakenly-no-fly people. Same thing for inmates; there's no list of free civilians, but there are lists (per jurisdiction) of those incarcerated. To get a list of free people, you need to derive that from the difference between the census and those in prison. The implementation dictates POV.

> Obviously any particular set of rules can be implemented either way. The problem mainly arises when you add new users to the system. In a pure whitelist scenario, you only have to decide what the new user *should* have access to. Anything you don't grant access to is off-limits, which is a safe default. If you build your system around DENY rules then you also have to make sure the new user gets added to the appropriate blacklists, or they'll have more access than you intended.

Meh, that's what administrative user-management tools are for. Let the software handle it.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds