There is a system (windows, asp.net application, linux, whatever...), in this system many user groups exist in the system.
We have one user in two user groups A and B.
In user group A access to folder XY is allowed.
In user group B access to folder XY is denied.
How is the conflict like this resolved?
What are the recommendations/best practices to avoid this situation?
One user, two user groups, first group access allowed, second group access denied, how to resolve conflict?
351 views Asked by This is it AtThere are 3 answers
The conflict is resolved by defining (and applying) rules.
Most of the time, I only define permissions. So, as soon as the user is in one of the groups where the access is allowed, the access is allowed.
But you could define a rule stating that a ban is stronger than a permission, so that once a ban is found, then the ban is applied, even if other groups allow the access. It all depends on your rules.
If you have a mix of granting and denying permissions, I would opt for having denial weigh more than a grant. In that case the conflict in your question would lead to the user being denied access.
However, if possible, I would go for a system where you either only grant permissions or deny permissions, but not both. I would imagine that starting off with a minim set of permissions by default and granting specific permissions to users and/or groups would be easiest to understand for many users.
The Principal of Least Privilege states that the best practice is to ensure that the default state should be to deny access. The user rights system should be used to to add access rights to groups that need it. Under least privilege it should never be necessary to ever ban access.
Of course, while its very difficult to manage, sometimes being able to apply ban permissions as well is pragmatically useful. To be useful, the deny should be stronger than the allow.