ACL implementation

Hi,

I try to implement an ACL based security concept for a large
application. The object tree of the application can contain a lot of
different object types. It is comparable with a filesystem, but there
are not only files and directories. The user can create an object A
of type A1 which can have sub-objects of type B1, B2 (and other
types).
Some constraints can prevent the creation of objects i.e. of type B2
at any time. These constraints are created by the application logic
and
doesn't have any security reasons.

I have looked into the Windows security concept, where ACE structures
(within the ACL) define the possible sub-object types for a given
object. It is possible to grant permissions to a user/group to create
a file and/or a sub-directory as sub-objects. The object ACL knows,
which types are possible. In our application, the set of types are
also known, but not all types are possible.

The problem I have: I can set build permissions for every possible
subtype, but the set of subtypes will be changed over the time by the
constraints.

Would you implement a set of permissions (one for every object type)
which the application have to change every time the constraints will
be changed?
Or would you implement only one permission (create_sub_object allow/
deny)
and let the application decide, which type will be possible?

The first case allows me to grant create-permissions for an object
type B2 to the user independetly of the application constraints (I can
forbid such an action for a user, even if the application allows it
and
vice versa). The user will have more permission than he needs.
And I have to define the order of the object types within the security
module, which could be hard to change.

The second concept doesn't know anything about the sub-object type and
forbids/permits it at all. It will be part of the application to
decide, which type the user can create at this time, the security
module will allow all or none. So it won't be possible to forbid the
create of objects of type B2 for a specific user/group. The user will
have more permissions than he needs, too. Every application which
will use the security manager has to implement a lot of security
stuff,
it won't be encapsulated into the manager.

I'm looking for an ACL concept with dynamic constraints.

Any ideas?
Thanks for all replies.
Andre
.

Relevant Pages

  • Re: HTTP 401.3 error: Please help - Urgent.
    ... Do you get this error for all URLs, or only those involving .CFM. ... get boooted out due to HTTP 401.3: ACL error. ... I have a ADS security group of ALL USERS with read permissions and I ...
    (microsoft.public.inetserver.iis)
  • Re: Migrationn from Exch 5.5 on NT to Exch 2003 on 2003
    ... Security translation can be performed automatically for objects migrated by ... you may use subinacl to replace the ACL. ... Using the Command Line to Edit Multiple Subdirectory Permissions ... Now what i am doing is migrating from an NT ...
    (microsoft.public.windows.server.migration)
  • Re: ACL implementation
    ... I try to implement an ACL based security concept for a large ... I have looked into the Windows security concept, ... I can set build permissions for every possible ...
    (microsoft.public.security)
  • Inherited permission objects appearing in the Security tab
    ... the 'domain\userid's on the Security tab on the 'Properties' of an AD entry ... permissions to update the DL. ... What i'm looking for is a method to identify what type of security acl is ... presented and skip any ACL that has inherited permissions. ...
    (microsoft.public.scripting.vbscript)
  • RE: What server hardening are you doing these days?
    ... permissions on their data, and Microsoft encourages ISVs to minimize ... I've been able to discuss ACLs and other security issues in Windows with ... Control or DAC (which is what you're referring to by the "stupid ...
    (Focus-Microsoft)