Were you referring to Hugo's post, or to the table scheme I posted?
  ----- Original Message -----
  From: Jochem van Dieten
  To: CF-Talk
  Sent: Monday, October 13, 2003 5:04 AM
  Subject: Re: ACL database design

  brob said:
  > From: Jochem van Dieten
  >> Hugo Ahlenius wrote:
  >>
  >>> I actually had in mind an unlimited parent/child relationships
  >>> in the groups. So that the super-parent would be the "Admin"
  >>> group, that all other groups are derived from, like "superusers"
  >>> inherit the rights from the admin group, but with rights X,Y & Z
  >>> revoked. And the "regular users group" is a child of the
  >>> "superusers" group, etc.
  >>
  >> You do realize this is a "fail open" model? I.e., if something goes
  >> wrong the user defaults to being Admin, instead of being nobody.
  >> Most security systems are designed as "fail close" systems.
  >
  > Can you explain please?

  In this model all users are Admin by default. Suppose you are adding a
  new user. At that moment he is Admin. Only when you place him in
  different groups he gets certain rights revoked. But what if adding
  him to a different group fails? Could be because of a program error,
  or even because the person that is setting up the new account gets a
  phone call when he is working on it and forgets to finish it.

  Security systems should be designed in such a way that by default they
  deny access, not grant it. (Fail open and fail close are actually
  terms from engineering, if you are designing a refinery or nuclear
  installation you have to specify with every single valve if it should
  open or close in case of a power or controller failure.)

  Jochem
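
An added example, not part of the thread or any poster's code: a small Python model of the interrupted account setup described above, comparing rights derived by revocation from the "Admin" group with a grant-only layout. The right names, the group tables and the `provision` helper are assumptions made for illustration.

```python
# Added illustration. Group names follow the thread; right names are constructed.
ALL_RIGHTS = {"read", "write", "delete_user", "manage_groups"}

# Revocation model: group -> (parent, rights revoked relative to the parent).
REVOKE_TREE = {
    "admin": (None, set()),
    "superusers": ("admin", {"manage_groups"}),
    "regular": ("superusers", {"write", "delete_user"}),
}

# Grant model: each group lists only the rights it adds.
GRANTS = {
    "regular": {"read"},
    "superusers": {"read", "write", "delete_user"},
    "admin": set(ALL_RIGHTS),
}

def rights_revocation(membership, user):
    """Fail open: a user with no group assignment resolves to the root group."""
    group = membership.get(user, "admin")
    rights = set(ALL_RIGHTS)
    while group is not None:          # walk up to the root, applying revocations
        parent, revoked = REVOKE_TREE[group]
        rights -= revoked
        group = parent
    return rights

def rights_grant(membership, user):
    """Fail closed: a user with no group assignment holds no rights at all."""
    rights = set()
    for group in membership.get(user, ()):
        rights |= GRANTS[group]
    return rights

def provision(membership, user, assignment, interrupted=False):
    """Account setup; `interrupted` simulates the group step never completing
    (program error, or the operator is called away). Hypothetical helper."""
    if interrupted:
        return False                  # account exists, group assignment missing
    membership[user] = assignment
    return True

if __name__ == "__main__":
    open_model, closed_model = {}, {}
    provision(open_model, "alice", "regular", interrupted=True)
    provision(closed_model, "alice", ["regular"], interrupted=True)
    print("revocation model:", sorted(rights_revocation(open_model, "alice")))
    print("grant model:     ", sorted(rights_grant(closed_model, "alice")))
```

When setup completes, both layouts give a "regular" user the same rights; they differ only in what a half-created account can do.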

