
Let's say I have users, groups (or "roles") and resources, and I want to manage various permissions on those resources. As far as I can see, there are two main "philosophies" when it comes to permissions.


For lack of a better word, I'll call the first one "precedence-based", and it's used, for example, by NTFS or SQL Server:

* All Resources: DENY Group G1
* All Resources: ALLOW Group G2
* Resource R1: ALLOW Group G1
* Resource R1: ALLOW User U

You have a (configurable) unordered set of permissions, and a (built-in) ordered list of precedence rules (e.g. "user permissions override group permissions", "DENY permissions override ALLOW permissions", etc.) which determine which rule applies.


The other system, which I will call "order-based", is used, for example, by iptables:

1. Resource R1: ALLOW User U
2. All Resources: DENY Group G1
3. Resource R1: ALLOW Group G1
4. All Resources: ALLOW Group G2
(5. DENY)

We have a (configurable) ordered list of rules (with an implicit final DENY or ALLOW rule). They are processed sequentially and the first matching rule applies.


I am tempted to choose the second system, because it seems (a) much simpler to understand (no complex precedence rules) and (b) more powerful (just a gut feeling).

However, the first system is widely used as well, so it surely must have some advantages. What are they?

asked Oct 12, 2018 at 12:49
  • @Downvoter: Feedback to improve my question is appreciated. Commented Oct 12, 2018 at 14:02
  • Both systems are widely used, but they are different. What are the requirements of your application? Commented Oct 12, 2018 at 14:18
  • @Ewan: The requirements of my application are: It must be possible to grant or deny users and/or groups access to specific parts of the application. For example: "User A may not access form F" or "Only Group B may access report R". Anyway, I'm also interested in general thoughts on that matter. Thus, if you can think of any special case where the first system is better suited than the second, please mention it. Commented Oct 15, 2018 at 12:26
  • This would normally be done with role-based permissions, where you don't specify any denied rules and therefore the order is unimportant. Commented Oct 15, 2018 at 12:32
  • @Ewan: But what if a customer needs more complex rules (e.g. "Group A may not access form F unless the user is also in group B")? The software will (hopefully) be sold many times and I cannot know how complex the customer's security requirements will be. I want a future-proof solution, but I also don't want to burden my software with unneeded complexity. That's why I ask for the drawbacks and advantages of both systems, so that I can make an informed decision based on the cost/benefit trade-off. Commented Oct 15, 2018 at 15:13
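
Added example, not part of the original question or its comments: a Python sketch that evaluates the question's two rule lists under both models and flags ordered rules that can never fire. The precedence order used here (user over group, specific resource over "All Resources", DENY over ALLOW) is an assumption for illustration, not the actual NTFS or SQL Server behaviour, and the helper names are hypothetical.

```python
# Added example: U, G1, G2 and R1 come from the question; the precedence
# order is an assumption, not the real NTFS or SQL Server rules.
ANY = "*"  # stands for "All Resources"

# Each rule: (resource, effect, principal kind, principal name)
PRECEDENCE_RULES = {
    (ANY, "DENY", "group", "G1"),
    (ANY, "ALLOW", "group", "G2"),
    ("R1", "ALLOW", "group", "G1"),
    ("R1", "ALLOW", "user", "U"),
}
ORDERED_RULES = [
    ("R1", "ALLOW", "user", "U"),
    (ANY, "DENY", "group", "G1"),
    ("R1", "ALLOW", "group", "G1"),
    (ANY, "ALLOW", "group", "G2"),
]

def matches(rule, user, groups, resource):
    res, _, kind, name = rule
    who = name == user if kind == "user" else name in groups
    return who and res in (ANY, resource)

def decide_ordered(rules, user, groups, resource):
    """First matching rule wins; implicit final DENY."""
    for rule in rules:
        if matches(rule, user, groups, resource):
            return rule[1]
    return "DENY"

def decide_precedence(rules, user, groups, resource):
    """Assumed order: user over group, specific over ANY, DENY over ALLOW."""
    hits = [r for r in rules if matches(r, user, groups, resource)]
    if not hits:
        return "DENY"  # nothing matched: default deny
    best = max(hits, key=lambda r: (r[2] == "user", r[0] != ANY, r[1] == "DENY"))
    return best[1]

def shadowed(rules):
    """1-based positions of ordered rules that can never fire because an
    earlier rule for the same principal already covers their resource."""
    out = []
    for j, (res, _, kind, name) in enumerate(rules):
        if any(k == kind and n == name and r in (ANY, res)
               for r, _, k, n in rules[:j]):
            out.append(j + 1)
    return out
```

With the lists exactly as written in the question, a user who is only in G1 is allowed on R1 by the precedence evaluator but denied by the ordered one, because ordered rule 2 matches before rule 3. `shadowed(ORDERED_RULES)` reports rule 3 as unreachable, which is the kind of check an order-based rule editor needs to run on every change.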
