Re: [WEB SECURITY] ACL for application

["Mr Zebedee" <time4bed@xxxxxxxxx>]

Boing!

I would think the state of the art would be for the ACL setup to allow
only those rights that the role needs in order to perform their
duties. That *may* mean that super admins might not have some lower
level permissions if they are not required to perform that function.

Time for bed,
Zebedee

On 1/8/07, Ankur Jindal <divinepresence@xxxxxxxxx> wrote:
> Hi all
> How are application level ACL's usually implemented? Do you assume
> that the users at
> higher levels, by default, have the same rights as the users at lower
> levels (possibly even more) or does one need to explicitly specify
> what each user can do?
>
> We were preparing an ACL for a web application and were not sure if
> the super admin should be given a specific functionality or not. The
> application multiple user roles and service roles that perform data
> actions. A couple of guys believed that since super admin is the
> highest authority he can do whatever anyone else can do, and so, we
> don't need to lay out all his rights completely. We just need to
> specify what he can do that the others can't.
>
> Another thought was that we write down clearly what everyone can do
> and leave nothing to assumptions/beliefs.
>
> Apologies if this was directed to the wrong list. Suggestions/links to
> existing material are welcome.
>
> Thanks
> Ankur
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]