[WEB SECURITY] ACL for application

Ankur Jindal divinepresence at gmail.com
Mon Jan 8 23:30:08 EST 2007


Hi all
How are application-level ACLs usually implemented? Do you assume
that the users at higher levels, by default, have the same rights as
the users at lower levels (possibly even more), or does one need to
explicitly specify what each user can do?

We were preparing an ACL for a web application and were not sure if
the super admin should be given a specific functionality or not. The
application has multiple user roles and service roles that perform
data actions. A couple of guys believed that since the super admin is
the highest authority he can do whatever anyone else can do, and so we
don't need to lay out all his rights completely. We just need to
specify what he can do that the others can't.

Another thought was that we write down clearly what everyone can do
and leave nothing to assumptions/beliefs.

Apologies if this was directed to the wrong list. Suggestions/links to
existing material are welcome.

Thanks
Ankur
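The two approaches described in the question, modelled side by side as an added example (not code from the original post or from any particular framework). The roles, the actions and the "report_service" service role are constructed for illustration; the point is that the inheritance model, where the super admin "can do whatever anyone else can do", silently picks up data actions that were only ever meant for a service role, while the explicit default-deny matrix makes every grant a line someone had to write down and can be diffed against the other model during review.

```python
"""Application-level ACL: role inheritance vs. an explicit, default-deny
permission matrix.  All roles and actions below are constructed sample data."""
from typing import Dict, FrozenSet, List, Set

# Permissions each role is granted directly (assumption: constructed sample).
DIRECT: Dict[str, Set[str]] = {
    "viewer": {"read_record"},
    "editor": {"update_record"},
    "admin": {"manage_users"},
    "super_admin": {"configure_system"},
    # Service role used by automation only; it performs a bulk data action.
    "report_service": {"bulk_export"},
}

# Approach 1: hierarchy.  Each role inherits from its parents; the super admin
# is modelled as "inherits from everyone", i.e. can do whatever anyone else can.
PARENTS: Dict[str, Set[str]] = {
    "viewer": set(),
    "editor": {"viewer"},
    "admin": {"editor"},
    "report_service": set(),
    "super_admin": {"admin", "editor", "viewer", "report_service"},
}


def inherited_permissions(role: str) -> FrozenSet[str]:
    """Effective permissions under the hierarchy model: the role's own direct
    grants plus those of every ancestor, found by walking PARENTS."""
    seen: Set[str] = set()
    stack: List[str] = [role]
    perms: Set[str] = set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= DIRECT.get(current, set())
        stack.extend(PARENTS.get(current, set()))
    return frozenset(perms)


def is_allowed_hierarchy(role: str, action: str) -> bool:
    return action in inherited_permissions(role)


# Approach 2: explicit matrix.  Every (role, action) pair is written down;
# anything not listed is denied.  Note bulk_export is deliberately absent
# from super_admin because it was only ever intended for the service role.
EXPLICIT: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read_record"}),
    "editor": frozenset({"read_record", "update_record"}),
    "admin": frozenset({"read_record", "update_record", "manage_users"}),
    "super_admin": frozenset(
        {"read_record", "update_record", "manage_users", "configure_system"}
    ),
    "report_service": frozenset({"bulk_export"}),
}


def is_allowed_explicit(role: str, action: str) -> bool:
    """Default deny: an unknown role or an unlisted action is refused."""
    return action in EXPLICIT.get(role, frozenset())


def implied_but_unlisted(role: str) -> List[str]:
    """Review helper: actions the hierarchy model grants to `role` that nobody
    wrote into the explicit matrix.  A non-empty result is a grant that
    exists only by assumption and should be confirmed or removed."""
    return sorted(inherited_permissions(role) - EXPLICIT.get(role, frozenset()))


if __name__ == "__main__":
    for role in EXPLICIT:
        print(f"{role:15} hierarchy={sorted(inherited_permissions(role))}"
              f" explicit={sorted(EXPLICIT[role])}"
              f" implied_only={implied_but_unlisted(role)}")
```

Running the module prints both models per role; the only disagreement is `bulk_export` for `super_admin`, which inheritance grants and the explicit matrix does not. That is exactly the kind of grant the "write everything down" approach surfaces for a conscious decision instead of leaving it to belief, and `implied_but_unlisted` is the check a reviewer would run whenever the hierarchy or the matrix changes.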

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list