
ACL implementation


Andre Rothe

Oct 11, 2009, 10:22:53 AM
Hi,

I am trying to implement an ACL-based security concept for a large
application. The object tree of the application can contain a lot of
different object types. It is comparable with a filesystem, but there
are not only files and directories. So the user can create an object A
of type A1 which can have sub-objects of type B1 and B2. Some
constraints can prevent the creation of objects, e.g. of type B3, at any
time. These constraints are created by the application logic and
don't have any security reasons.

I have looked into the Windows security concept, where ACE structures
(within the ACL) define the possible sub-object types for a given
object. It is possible to grant permissions to a user/group to create
a file and/or a sub-directory as sub-objects. The object ACL knows,
which types are possible.

The problem I have: I can set create permissions for every possible
subtype, but the set of subtypes will change over time because of
the constraints.

Would you implement separate permissions which the application has to
change every time the constraints change? Or would you
implement only one permission (create_sub_object allow/deny) and let
the application decide which type is possible?

The first case allows me to grant create permissions for an object
type B2 to the user independently of the application constraints (I can
forbid such an action for a user even if the application allows it).
But I have to define the order of the object types within the security
module, which could be hard to change.

The second concept doesn't know anything about the sub-object type and
forbids/permits it altogether. It will be up to the application to
decide which type the user can create at this time; the security
module will allow all or none. So it won't be possible to forbid the
creation of objects of type B2 for a specific user/group.

Any other ideas or concepts?
Thanks for all replies.
Andre
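The two designs from the post, side by side, as an added example (this is not code from the original post or from any project it mentions). It assumes a simple first-match ACL evaluation in the Windows style, where explicit deny entries are ordered before allow entries and no matching entry means deny, and it assumes that the application constraints are a mutable table of parent type to creatable sub-object types. Object types A1/B1/B2/B3, the users alice and bob, and the group editors are constructed sample data. Option 1 carries one right per sub-object type (`create:<type>`), so a type can be denied to one principal while the application constraints change independently; option 2 carries a single `create_sub_object` right and, as the post says, cannot express a per-type deny.

```python
"""Two ways to express 'create sub-object' rights in an ACL, side by side.
Constructed example: object types A1/B1/B2/B3, users alice/bob, group editors."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALLOW, DENY = "allow", "deny"
CREATE_ANY = "create_sub_object"        # option 2: one untyped create right


def create_right(subtype: str) -> str:  # option 1: one right per sub-object type
    return f"create:{subtype}"


@dataclass
class ACE:
    principal: str   # user or group the entry applies to
    kind: str        # ALLOW or DENY
    rights: Set[str]


@dataclass
class Node:
    name: str
    obj_type: str
    acl: List[ACE] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


# Application-level constraints (assumed shape): parent type -> creatable sub-types.
# The application changes this table over time; it carries no security meaning.
CONSTRAINTS: Dict[str, Set[str]] = {"A1": {"B1", "B2"}}


def canonicalize(acl: List[ACE]) -> List[ACE]:
    """Order ACEs the way Windows expects: explicit DENY before ALLOW, so a deny
    is found first when both match the same principal and right."""
    return sorted(acl, key=lambda ace: 0 if ace.kind == DENY else 1)


def acl_decision(acl: List[ACE], principals: Set[str], right: str) -> bool:
    """First matching ACE wins; no matching ACE means implicit deny."""
    for ace in canonicalize(acl):
        if ace.principal in principals and right in ace.rights:
            return ace.kind == ALLOW
    return False


def constraint_allows(parent: Node, subtype: str) -> bool:
    return subtype in CONSTRAINTS.get(parent.obj_type, set())


def can_create_typed(parent: Node, principals: Set[str], subtype: str) -> bool:
    """Option 1: the ACL holds a right per sub-object type. Both the application
    constraint and the ACL must agree, so a type can be forbidden per principal."""
    return constraint_allows(parent, subtype) and \
        acl_decision(parent.acl, principals, create_right(subtype))


def can_create_untyped(parent: Node, principals: Set[str], subtype: str) -> bool:
    """Option 2: the ACL knows only 'create_sub_object'; the type is the
    application's decision alone. A per-type deny for one user is not expressible."""
    return constraint_allows(parent, subtype) and \
        acl_decision(parent.acl, principals, CREATE_ANY)


def create_child(parent: Node, principals: Set[str], name: str, subtype: str,
                 check=can_create_typed) -> Node:
    """Create a sub-object only if the chosen check passes; otherwise refuse."""
    if not check(parent, principals, subtype):
        raise PermissionError(f"{name}: cannot create {subtype} under {parent.name}")
    child = Node(name, subtype)
    parent.children.append(child)
    return child


# Constructed sample principals and trees
GROUPS = {"alice": {"editors"}, "bob": {"editors"}}


def principals_of(user: str) -> Set[str]:
    return {user} | GROUPS.get(user, set())


def make_root_typed() -> Node:
    return Node("A", "A1", acl=[
        ACE("editors", ALLOW, {create_right("B1"), create_right("B2"), create_right("B3")}),
        ACE("alice", DENY, {create_right("B2")}),   # forbid B2 for alice only
    ])


def make_root_untyped() -> Node:
    return Node("A", "A1", acl=[ACE("editors", ALLOW, {CREATE_ANY})])


if __name__ == "__main__":
    root = make_root_typed()
    print(can_create_typed(root, principals_of("alice"), "B1"))  # True
    print(can_create_typed(root, principals_of("alice"), "B2"))  # False: explicit deny
    print(can_create_typed(root, principals_of("bob"), "B3"))    # False: constraint
    CONSTRAINTS["A1"].add("B3")                                  # application relaxes a constraint
    print(can_create_typed(root, principals_of("bob"), "B3"))    # True, ACL untouched
```

The typed variant keeps the ACL independent of the constraint table: when the application later permits B3 under A1, bob's existing `create:B3` right takes effect without any ACL rewrite, while alice's explicit deny on B2 still holds. The untyped variant grants or refuses creation as a whole, so the same per-user restriction on B2 has no place to live.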
