1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

ACL implementation

Discussion in 'Windows Security' started by Andre Rothe, Oct 12, 2009.

  1. Andre Rothe

    Andre Rothe Guest

    Hi,

    I try to implement an ACL based security concept for a large
    application. The object tree of the application can contain a lot of
    different object types. It is comparable with a filesystem, but there
    are not only files and directories. The user can create an object A
    of type A1 which can have sub-objects of type B1, B2 (and other
    types).
    Some constraints can prevent the creation of objects i.e. of type B2
    at any time. These constraints are created by the application logic
    and
    doesn't have any security reasons.

    I have looked into the Windows security concept, where ACE structures
    (within the ACL) define the possible sub-object types for a given
    object. It is possible to grant permissions to a user/group to create
    a file and/or a sub-directory as sub-objects. The object ACL knows,
    which types are possible. In our application, the set of types are
    also known, but not all types are possible.

    The problem I have: I can set build permissions for every possible
    subtype, but the set of subtypes will be changed over the time by the
    constraints.

    Would you implement a set of permissions (one for every object type)
    which the application have to change every time the constraints will
    be changed?
    Or would you implement only one permission (create_sub_object allow/
    deny)
    and let the application decide, which type will be possible?

    The first case allows me to grant create-permissions for an object
    type B2 to the user independetly of the application constraints (I can
    forbid such an action for a user, even if the application allows it
    and
    vice versa). The user will have more permission than he needs.
    And I have to define the order of the object types within the security
    module, which could be hard to change.

    The second concept doesn't know anything about the sub-object type and
    forbids/permits it at all. It will be part of the application to
    decide, which type the user can create at this time, the security
    module will allow all or none. So it won't be possible to forbid the
    create of objects of type B2 for a specific user/group. The user will
    have more permissions than he needs, too. Every application which
    will use the security manager has to implement a lot of security
    stuff,
    it won't be encapsulated into the manager.

    I'm looking for an ACL concept with dynamic constraints.

    Any ideas?
    Thanks for all replies.
    Andre
     
    Andre Rothe, Oct 12, 2009
    #1
  3. PA Bear [MS MVP]

    PA Bear [MS MVP] Guest

    I think you want to post here instead:
    microsoft.public.windows.server.security

    Andre Rothe wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
    > Hi,
    >
    > I try to implement an ACL based security concept for a large
    > application. The object tree of the application can contain a lot of
    > different object types. It is comparable with a filesystem, but there
    > are not only files and directories. The user can create an object A
    > of type A1 which can have sub-objects of type B1, B2 (and other
    > types).
    > Some constraints can prevent the creation of objects i.e. of type B2
    > at any time. These constraints are created by the application logic
    > and
    > doesn't have any security reasons.
    >
    > I have looked into the Windows security concept, where ACE structures
    > (within the ACL) define the possible sub-object types for a given
    > object. It is possible to grant permissions to a user/group to create
    > a file and/or a sub-directory as sub-objects. The object ACL knows,
    > which types are possible. In our application, the set of types are
    > also known, but not all types are possible.
    >
    > The problem I have: I can set build permissions for every possible
    > subtype, but the set of subtypes will be changed over the time by the
    > constraints.
    >
    > Would you implement a set of permissions (one for every object type)
    > which the application have to change every time the constraints will
    > be changed?
    > Or would you implement only one permission (create_sub_object allow/
    > deny)
    > and let the application decide, which type will be possible?
    >
    > The first case allows me to grant create-permissions for an object
    > type B2 to the user independetly of the application constraints (I can
    > forbid such an action for a user, even if the application allows it
    > and
    > vice versa). The user will have more permission than he needs.
    > And I have to define the order of the object types within the security
    > module, which could be hard to change.
    >
    > The second concept doesn't know anything about the sub-object type and
    > forbids/permits it at all. It will be part of the application to
    > decide, which type the user can create at this time, the security
    > module will allow all or none. So it won't be possible to forbid the
    > create of objects of type B2 for a specific user/group. The user will
    > have more permissions than he needs, too. Every application which
    > will use the security manager has to implement a lot of security
    > stuff,
    > it won't be encapsulated into the manager.
    >
    > I'm looking for an ACL concept with dynamic constraints.
    >
    > Any ideas?
    > Thanks for all replies.
    > Andre <!--colorc--><!--/colorc-->
     
    PA Bear [MS MVP], Oct 12, 2009
    #2

Share This Page