Let's suppose that for a certain file the permissions look like this:
rw----r--
Does this mean that everyone except for the group members has read access to the file, or that the r which appears for others overrides the group and gives read access to the group members as well?
Is there any difference for directories?
Yes, that will grant read permission to everyone but the members of the group. It doesn't matter if it's a directory or not. ACLs would probably be better in a situation where one would like to do that.
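The class-selection rule behind this answer, as an added Python example that is not part of the original post: exactly one of owner, group or other is chosen, and only that class's bits are tested. The uids and gids are constructed sample values; superuser override and ACLs are not modelled.

```python
READ, WRITE, EXECUTE = 4, 2, 1

def parse_symbolic(mode):
    """Turn a 9-character string such as 'rw----r--' into permission bits."""
    if len(mode) != 9:
        raise ValueError("expected 9 characters, e.g. 'rw----r--'")
    bits = 0
    for i, ch in enumerate(mode):
        if ch == "rwx"[i % 3]:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return bits

def can_access(bits, want, uid, gids, file_uid, file_gid):
    """Mode-bit check: pick exactly one class, then test only its bits.

    There is no fall-through, so a group member is never evaluated against
    the 'other' bits. The same selection applies to directories, where the
    read bit governs listing the directory instead of reading file content.
    """
    if uid == file_uid:
        shift = 6          # owner class
    elif file_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return bool((bits >> shift) & want)

def demo():
    """Read access to a file with mode rw----r--, owned by uid 1000, gid 50."""
    bits = parse_symbolic("rw----r--")
    users = {                       # constructed sample identities
        "owner": (1000, {1000}),
        "group_member": (1001, {50}),
        "outsider": (1002, {100}),
    }
    return {name: can_access(bits, READ, uid, gids, 1000, 50)
            for name, (uid, gids) in users.items()}
```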
MarkLogic 9.0.8.2
We have developed an API to get and set data in MarkLogic. All data is stored in XML format within MarkLogic.
Now we want to expose this API endpoint to external users with the operations below:
READ
INSERT
UPDATE
NODE-UPDATE
EXECUTE
ADMIN
So we want to create different user credentials based on permissions, like ReadOnly and ExecuteOnly.
Which roles and permissions do we need to select to make sure they can perform what they are allowed to?
Note upfront: permissions are about document access, privileges are about function access. Execute permission specifically applies only to module access, not document access.
There are many ways to organize your security, but ground basics are usually fairly similar. I'll provide a pattern for you, that I personally consider a good practice, and may prove to be a good general starting point for further expansion.
Start with 4 roles with no properties themselves. Put 'read', 'insert', 'update', and 'node-update' in the names.
Create a fifth role with 'defaults' in the name and give it default permissions for the above four roles, where the capability matches the role name (so 'read' for the read-role, etc).
Then create higher level roles for abstract notions like reader, writer, and maintainer. Reader only inherits the read role, writer inherits reader, insert, update and defaults. Maintainer inherits writer. Deletion is a special kind of update, and not distinguishable. Node-update is a subset of update. I have not come across a use case where I wanted to allow node-update, but not a full update.
Execute permissions make no sense here, since they only apply to modules, not to documents. Execute privileges are used to allow using particular functionality (like sem:sparql, xdmp:http-get, etc). Apply them as appropriate to reader and writer roles.
Avoid applying more dangerous execute privileges like xdmp:spawn, and xdmp:eval to any of the above roles. If you come across a need for that, then create a role that you use for Amps (you can put 'amps' in the name somewhere), and make sure you use that role only for Amps, and never assign it to roles or users.
Last but not least, you often have multiple distinct datasets in the same database, and you might want to control document access to them independently. Consider looking into Compartment Security instead of creating a distinct set of roles per dataset in such cases.
HTH!
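A Python model of the role layout described in this answer, added here as an illustration and not code from the answer or from MarkLogic. The `app-` role names are hypothetical, and the model covers only role inheritance and document permissions, not execute privileges or Amps.

```python
# Hypothetical role names following the answer's naming pattern.
INHERITS = {
    "app-read": set(), "app-insert": set(), "app-update": set(),
    "app-node-update": set(), "app-defaults": set(),
    "app-reader": {"app-read"},
    "app-writer": {"app-reader", "app-insert", "app-update", "app-defaults"},
    "app-maintainer": {"app-writer"},
}

# Default permissions live only on the 'defaults' role; each capability
# is granted to the base role of the same name.
DEFAULT_PERMISSIONS = {
    "app-defaults": {
        ("app-read", "read"), ("app-insert", "insert"),
        ("app-update", "update"), ("app-node-update", "node-update"),
    },
}

def effective_roles(role):
    """Return the role plus everything it inherits, transitively."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INHERITS[current])
    return seen

def permissions_on_create(creator_role):
    """Permissions stamped on a new document: the union of the default
    permissions of every role the creator holds."""
    perms = set()
    for role in effective_roles(creator_role):
        perms |= DEFAULT_PERMISSIONS.get(role, set())
    return perms

def capabilities(role, doc_permissions):
    """Capabilities a role has on a document with the given permissions."""
    held = effective_roles(role)
    return {cap for (perm_role, cap) in doc_permissions if perm_role in held}

def demo():
    """A writer creates a document; report what each high-level role can do."""
    doc = permissions_on_create("app-writer")
    return {role: sorted(capabilities(role, doc))
            for role in ("app-reader", "app-writer", "app-maintainer")}
```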
Could anyone please tell me the best approach to resolve the user privilege set if a user is a member of multiple groups that grant non-orthogonal sets of privileges? In the world of authorization, how do we usually deal with the issue (taking the least privilege set, or taking the maximum privilege set, or somewhere in the middle, etc.)?
I'm not exactly sure of the context of your question but I'll try to answer in general. When you have a user who is part of multiple orthogonal groups you:
Use RBAC and assign the user to multiple roles. This would be giving the user the union/maximum privilege set.
Give the user multiple accounts, one per group. For example, you could have the users alex_student and alex_teacher if the student Alex also teaches.
Give the user a minimal set of privileges and allow them to temporarily change them. Something like sudo that works for non-overlapping privileges.
I want to show my users (and myself) what their privileges are and give them the ability to elevate their privilege (or get someone else to) before running the MakeSymbolicLink command.
The equivalent command line command (mklink) requires elevation of permissions.
I want to give my users lots of functional shortcuts through a thick nest of directories. The links span disks and remote file systems.
What is the programmatic (C# or C++) canonical way to dig out security settings and privilege for a particular user while logged in?
You can use WMI and tap into Win32_LogicalFileSecuritySetting or a few other tables and enumerate permissions based on UNC or local file path locations.
System.DirectoryServices namespace in C# also allows you to enumerate permissions on a given user.
So you have a few choices.
You can find a C++ implementation of what you're looking for in the following CodeProject article: Riding the Vista UAC elevator, up and down. Makes it easy to get the current elevation level, and create new processes in a different elevation level. Really nice stuff, which works in Windows 7 as well.
Everything in Symfony2 looks pretty good; however, there is one issue I can't seem to find a solution to. The issue is that Symfony2's security component is limited to 30-32 roles/permissions. One of my projects, a project management/issue tracker system, is going to need more than 32 permissions. There are a number of different components of the system that need to have their own set of permissions. Just because someone has create, read, update, or delete permissions to issues does not mean they have those permissions for projects, milestones, etc... Each component is going to need its own create, read, update, and delete permission, not to mention component-specific permissions, and there is no doubt I will reach the 30-32 roles/permission limit.
I have asked in IRC and on the mailing list with no real direction of where to go. I would prefer to be able to just add this functionality on top of the existing security component (preferably through a bundle). I am not sure how I can achieve more than 30-32 roles/permissions with Symfony2's security component.
I would really prefer not to have to develop my own security system w/ ACL.
As stated before in the question comments by gilden:
But this is exactly the use case for ACL. You can start using the built-in ACL system today! It's quite easy to modify/extend as well to best suit your needs.
For beginners, I think it's best to read these articles from Symfony2 official book in the following order:
Security - Including info about: Authentication and Authorization, Users & Roles, Access Control in Templates & Controllers
Access Control Lists (ACLs) - Including info about: Bootstrapping & configuration, Creating an ACL, an ACE, Checking Access & Cumulative Permissions
Advanced ACL Concepts - Including info about: Design Concepts, Database Table Structure, Scope, Pre- & Post-Authorization Decisions, Process for Reaching Authorization Decisions
There are also some interesting questions here at SO.com about Symfony2 ACLs.
Good luck!
I think you kind of misunderstood the ACL system: you can only create 32 kinds of role, but per domain object. This is done using bitmask operations on integers (this explains the '32' limitation, as an integer is ... well, you know the answer).
So for example the permission to delete one object would be the same - 'MASK_DELETE' - for a project, a milestone or a ticket. So if you used the ProblematicAclManagerBundle you would just have to do:
$aclManager->addPermission($ticket, $userEntity, MaskBuilder::MASK_DELETE);
or
$aclManager->addPermission($project, $userEntity, MaskBuilder::MASK_DELETE);
to give your user permission to delete $project or $ticket for instance. It also creates the ACL entry for the domain object and the entry for the user if they are not already there. What I need to know though is if you can create different mask names for a class, or every class of a bundle?
You will find a deeper explanation on ACLs here
I know this is an old post, but I just wanted to share this with anyone who has a similar answer.
The key to providing a solution is in this sentence in your question:
There are a number of different components of the system that need to have their own set of permissions.
For each of these components you could create a separate voter.
Create a class that extends AclVoter.
Override the supportsClass() method to make sure the voter will only vote for classes of the component it is meant for.
Create your own PermissionMap containing the set of permissions the component needs.
Pass the PermissionMap to the AclVoter in your services configuration.
Tag the voter as security.voter so the AccessDecisionManager will start using it.
This should get you a long way.
I also recommend going through the code of the ACL Component; there are a lot of features that unfortunately aren't documented.
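The two answers above (one mask per domain object, and one voter with its own permission map per component) can be seen together in the following Python model. It is an added example, not Symfony code and not from either post; the ASSIGN and ARCHIVE permission names and the spare bit they share are hypothetical.

```python
from dataclasses import dataclass

MASK_DELETE = 8        # same value as MaskBuilder::MASK_DELETE in Symfony
CUSTOM_BIT = 1 << 8    # hypothetical spare bit, named per component below
GRANTED, ABSTAIN, DENIED = 1, 0, -1

@dataclass(frozen=True)
class Ticket:
    id: int

@dataclass(frozen=True)
class Project:
    id: int

class Acl:
    """One integer mask per (domain object, user): the bit budget is per object."""
    def __init__(self):
        self._aces = {}

    def add_permission(self, obj, user, mask):
        if not 0 <= mask < 2 ** 32:
            raise ValueError("mask must fit in a 32-bit integer")
        key = (type(obj).__name__, obj.id, user)
        self._aces[key] = self._aces.get(key, 0) | mask

    def mask_for(self, obj, user):
        return self._aces.get((type(obj).__name__, obj.id, user), 0)

class ComponentVoter:
    """Votes only on one class, using that component's own name -> mask map."""
    def __init__(self, acl, supported_class, permission_map):
        self.acl, self.cls, self.pmap = acl, supported_class, permission_map

    def vote(self, user, obj, permission):
        if not isinstance(obj, self.cls) or permission not in self.pmap:
            return ABSTAIN
        required = self.pmap[permission]
        held = self.acl.mask_for(obj, user)
        return GRANTED if (held & required) == required else DENIED

def demo():
    acl, ticket, project = Acl(), Ticket(1), Project(1)
    tickets = ComponentVoter(acl, Ticket, {"DELETE": MASK_DELETE, "ASSIGN": CUSTOM_BIT})
    projects = ComponentVoter(acl, Project, {"DELETE": MASK_DELETE, "ARCHIVE": CUSTOM_BIT})
    acl.add_permission(ticket, "alice", MASK_DELETE | CUSTOM_BIT)  # constructed grant
    return {"ticket_delete": tickets.vote("alice", ticket, "DELETE"),
            "ticket_assign": tickets.vote("alice", ticket, "ASSIGN"),
            "project_archive": projects.vote("alice", project, "ARCHIVE"),
            "wrong_voter": tickets.vote("alice", project, "DELETE")}
```

The same bit carries a different name in each component, and a grant on the ticket gives nothing on the project, so the 32-bit budget is spent per component and per object, not once for the whole application.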
Does anyone know which WMI class is used to get information about which users or user groups have permission for a given folder?
Yes, it's possible to get and set file permissions via WMI; here's a MS Scripting Guys article with explanation and examples.
...but there are so many better/easier ways to manage security, from CACLS/XCACLS to ADSecurity.dll and more.