Permissions Priorities?

Results 1 to 2 of 2

Thread: Permissions Priorities?

  1. #1
    Join Date
    Dec 1969

    Default Permissions Priorities?

    This may be a little OT, but I&#039;ve always had the best answers from here, and it&#039;s coding in ASP/SQL, so here goes:<BR><BR>Putting together a user/group based security model, where users are added to an Access List for access to functions. This list has an extra bit field "Allow" to specifiy whether the list explicitly allows or denies access. Users/Groups not on the list, or on the list with a 0 on Allow, are denied. Deny has priority. For example, if a user is explicitly denied access to a resource, he cannot access it even if he is a member of a group which is explicitly granted access. <BR><BR>My question is, how would you suggest doing this the other way round - i.e. in a situation where a user is explicitly granted access, but is a member of a group which is explicitly denied? Should I have user permissions taking priority over group permissions at all times, or denials taking priority over allows? I&#039;m pretty new at designing security, so I&#039;m not really sure which to go for fot the best.<BR><BR>Any comments would be appreciated!<BR><BR>Thanks<BR><BR>Tim

  2. #2
    Join Date
    Dec 1969

    Default RE: Permissions Priorities?

    As far as NTFS is concerned, I think Deny will Override Allow, and then Users override groups. (could be wrong), but whatever you will do will depend on your requirements. I would suggest allowing a user to enter, if the user has been explicitly granted permission and the group has --"deny"--!<BR>It just allows for some flexibility ito what your users can/can&#039;t do. <BR><BR>Most web based Security Systems will auto deny everyone, then explicitly allow various users access based on group / individual permissions.<BR><BR>HTH. <BR><BR>PS: Its late in the day and I may be making no sense at all ;-)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts