...
One open question is how, given the assignments on the directed inheritance graph, to decide whether the overall result of a permission query is an allow or a deny.
(Gliffy diagram not reproduced)
Algorithm summary
- Direct assignments trump inherited assignments
- A lower depth inherited assignment trumps a higher depth inherited assignment (on the directed graph of inheritance)
- Inherited ALLOW assignments (of equal depth) trump inherited NOT_ALLOW assignments
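The three rules above, implemented as an added example (not code from the original page). The graphs, names and the choice to add resource depth and action depth into one depth are assumptions made for illustration; the page does not say how the two graphs are combined.

```python
from collections import deque

# Constructed inheritance graphs (assumption, not the page's diagram): each node
# maps to its parents. A node inherits the assignments made on its ancestors.
RESOURCE_PARENTS = {"Math": ["Courses"], "English": ["Courses"],
                    "Courses": ["School"], "School": []}
ACTION_PARENTS = {"Read": ["Admin"], "Write": ["Admin"], "Admin": []}


def depths(node, parents):
    """Map node and every ancestor to its depth: 0 for the node itself (direct),
    1 for a parent, 2 for a grandparent, ... (breadth-first walk of the DAG)."""
    seen = {node: 0}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for parent in parents.get(cur, []):
            if parent not in seen:
                seen[parent] = seen[cur] + 1
                queue.append(parent)
    return seen


def decide(assignments, resource, action):
    """Resolve a permission query for one (resource, action) pair.

    assignments: iterable of (resource, action, effect) that the subject holds,
    directly or through a role; effect is "ALLOW" or "DENY" (the NOT_ALLOW case).
    Rules, in order: a direct assignment (depth 0) trumps inherited ones; a lower
    depth trumps a higher depth; at equal depth ALLOW trumps DENY. Depth here is
    resource depth plus action depth (an assumption about combining the graphs).
    Returns "ALLOW", "DENY", or None when no assignment applies at all.
    """
    r_depth = depths(resource, RESOURCE_PARENTS)
    a_depth = depths(action, ACTION_PARENTS)
    best = None  # (depth, rank): rank 0 = ALLOW, 1 = DENY; the smallest tuple wins
    for res, act, effect in assignments:
        if res not in r_depth or act not in a_depth:
            continue  # not on an ancestor of the query: irrelevant to this decision
        candidate = (r_depth[res] + a_depth[act], 0 if effect == "ALLOW" else 1)
        if best is None or candidate < best:
            best = candidate
    if best is None:
        return None
    return "ALLOW" if best[1] == 0 else "DENY"
```

With these graphs, a DENY on Courses beats an ALLOW on School for Math (lower depth), two Courses assignments of opposite effect resolve to ALLOW (tie), and an ALLOW on Courses/Read beats a DENY on Courses/Admin for Read but not for Write (the action graph breaks the resource tie).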
...
User jsmith is denied Action<Read> of Resource<English> and Resource<Math>, since there are only inherited assignments and the ones with the lower depth have priority.
Resource directed graph priority with tie
...
User jsmith is assigned Role<Admin>
Result:
User jsmith is allowed Action<Read> of Resource<Math>, since there are only inherited assignments, they have the same depth, and one of them is an ALLOW.
Resource directed graph priority with tie and different actions
...
User jsmith is assigned Role<Admin>
Result:
User jsmith is allowed Action<Read> of Resource<Math>, since there are only inherited assignments and the one with the lower depth wins (tie in resource; Action<Read>/Action<Write> is lower than Action<Admin>).
Action directed graph priority
...
User jsmith is denied Action<Read> and Action<Write> of Resource<Math>, since there are only inherited assignments and the one with the lower depth is a DENY (tie in resource; Action<Read>/Action<Write> is lower than Action<Admin>). The user cannot READ any resources.