Search Results

Search found 587 results on 24 pages for 'acl'.

Page 2/24 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • ACL permissions not behaving as expected

    - by Yarin
    I set the following ACL on my web directory: setfacl -R -d -m mask:002 /var/www and then created a file as root that I expected to be readable by the default (apache) group. -rw--w-r--+ 1 root apache 0 Dec 17 22:32 newfile.py When I run getfacl on the file, I get: # file: newfile.py # owner: root # group: apache user::rw- group::rwx #effective:-w- mask::-w- other::r-- I'm not sure how to read this- but all I know is that the webserver is throwing a permissions error because apache can't read the file. Can anyone explain what is going on here?

    Read the article

  • NFSv3 + ACL: mask is gone on clients

    - by Jorge Suárez de Lis
    I'm sharing a NFS folder among a user group. The default umask on the clients is 0700, and this is a problem because newly created files won't be readable/writable by another users. So, I'm using ACLs to force the umask 0770 on the shared folder, and this works OK on the server, but not on the clients. server # getfacl /export/proyectos getfacl: Eliminando «/» inicial en nombres de ruta absolutos # file: export/proyectos # owner: root # group: root user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:mask::rwx default:other::r-x server # getfacl /export/proyectos/innovacion getfacl: Eliminando «/» inicial en nombres de ruta absolutos # file: export/proyectos/innovacion # owner: root # group: proyecto-innovacion # flags: ss- user::rwx group::rwx mask::rwx other::--- default:user::rwx default:group::rwx default:mask::rwx default:other::--- As you see, the default (and also a specific on the second directory) mask ACLs are being applied. I mount the whole share on the client: 172.16.54.56:/export/proyectos on /proyectos type nfs (rw,noatime,rsize=131072,wsize=131072,acregmin=10,acl,nfsvers=3,addr=172.16.54.56) But the mask and default:mask ACLs are gone. client $ getfacl /proyectos/ getfacl: Eliminando «/» inicial en nombres de ruta absolutos # file: proyectos/ # owner: root # group: root user::rwx group::rwx other::r-x default:user::rwx default:group::rwx default:other::r-x client $ getfacl /proyectos/innovacion getfacl: Eliminando «/» inicial en nombres de ruta absolutos # file: proyectos/innovacion # owner: root # group: proyecto-innovacion # flags: ss- user::rwx group::rwx other::--- default:user::rwx default:group::rwx default:other::--- It lacks the default:mask and mask ACLs, the only ones that I've setted. So the proposed solution to enforce umask won't work for me. Why is happening this?

    Read the article

  • sudo or acl or setuid/setgid ?

    - by Xavier Maillard
    Hi, for a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are way to read a logfile (head/tail/cat/more, ...). I think, sudo is defeating here. I'd rather use a mix of setgid/setuid directories and add ACL here and there but I really need to know what are the best practices before starting up. Our servers have %admin, %production, %dba, %users -i.e many groups and many users. Each service (mysql, apache, ...) has its own way to install privileges but members of the %production group must be able to consult configuration file or even log files. There is still the solution to add them into the right groups (mysql...) and set the good permission. But I do not want to usermod all users, I do not want to modify standards permissions since it could change after each upgrade. On the other hand, setting acls and/or mixing setuid/setgid on directories is something I could easily do without "defacing" the standard distribution. What do you think about this ? Taking the mysql example, that would look like this: setfacl d:g:production:rx,d:other::---,g:production:rx,other::--- /var/log/mysql /etc/mysql Do you think this is good practise or should I definetely usermod -G mysql and play with standard permissions system ? Thank you

    Read the article

  • Cisco ASA 8.2 ACL For NAT

    - by javano
    Sadly I have gone back in time to ASA 8.2(5)33 which I am not so familiar with. I have configured NAT between two interfaces but traffic isn't passing becasue I can't get the ACL to work; (The full config which isn't very big is here but to keep this post tidy I have just pasted the important parts below); interface Ethernet0/0 switchport access vlan 108 ! interface Ethernet0/6 switchport access vlan 104 ! interface Ethernet0/7 switchport access vlan 105 ! interface Vlan104 description BUILDING2 nameif BUILDING2 security-level 0 ip address 10.104.0.1 255.255.255.0 ! interface Vlan105 description BUILDING1 nameif BUILDING1 security-level 0 ip address 10.105.0.1 255.255.255.0 ! interface Vlan108 description Main LAN VLAN nameif lan security-level 0 ip address 172.22.0.215 255.255.255.0 ! object-group network obj_net_Remote_Hosts network-object host 111.111.111.3 network-object host 111.111.111.65 object-group network obj_host_pc1_eth1 network-object host 10.104.0.111 object-group network obj_host_pc2_eth1 network-object host 10.104.0.112 object-group network obj_host_pc3_eth1 network-object host 10.104.0.106 object-group network obj_host_pc4_eth1 network-object host 10.104.0.107 object-group network obj_net_PCs description IPs of PCs group-object obj_host_pc1_eth1 group-object obj_host_pc2_eth1 group-object obj_host_pc3_eth1 group-object obj_host_pc4_eth1 access-list acl_NAT_pc1_91 extended permit tcp host 10.104.0.111 host 111.111.111.3 eq 8101 access-list acl_Permit_PCs extended permit tcp object-group obj_net_PCs object-group obj_net_Remote_Hosts eq 8101 ! global (BUILDING1) 11 111.111.222.91 netmask 255.255.255.255 nat (BUILDING2) 11 access-list acl_NAT_pc1_91 access-group acl_Permit_PCs in interface BUILDING2 route BUILDING1 111.111.111.3 255.255.255.255 10.105.0.2 1 route BUILDING1 111.111.111.65 255.255.255.255 10.105.0.2 1 When I try and connect from PC1 to ip 111.111.111.3 I see the following error logged on the ASA console; %ASA-2-106001: Inbound TCP connection denied from 10.104.0.111/38495 to 111.111.111.3/8101 flags SYN on interface blades What the duce!

    Read the article

  • Cisco IOS BVI ACL: Only allow established UDP

    - by George Bailey
    Related: Cisco IOS ACL: Don't permit incoming connections just because they are from port 80 I know we can use the established keyword for TCP.. but what can we do for UDP (short of replacing a Bridge or BVI with a NAT)? Answer I found out what "UDP has no connection" means. DNS uses UDP for example.. named (DNS server) is lisenting on port 53 nslookup (DNS client) starts listening on some random port and sends a packet to port 53 of the server and notes the source port in that packet. nslookup will retry 3 times if necessary. Also the packets are so small that it does not have to worry about them coming in the wrong order. If nslookup receives a response on that port that comes from the servers IP and port then it stops listening. If the server tried to send two responses (for example a response and a response to the retry) then the server would not care if either of them made it because the client has the job to retry. In fact.. unless ICMP 3/3 packet gets through the server would not know about a failure. This is different from TCP where you get connection closed or timed out errors. DNS allows for an easy retry from the client as well as small packets.. so UDP is an excellent choice because it is more efficient. In UDP you would see nslookup sends request named sends answer In TCP you would see nslookup's machine sends SYN named's machine sends SYN-ACK nslookup's machine sends ACK and the request named's machine sends the response That is much more than is necessary for a tiny DNS packet

    Read the article

  • sudo or acl or setuid/setgid?

    - by Xavier Maillard
    for a reason I do not really understand, everyone wants sudo for all and everything. At work we even have as many entries as there are way to read a logfile (head/tail/cat/more, ...). I think, sudo is defeating here. I'd rather use a mix of setgid/setuid directories and add ACL here and there but I really need to know what are the best practices before starting up. Our servers have %admin, %production, %dba, %users -i.e many groups and many users. Each service (mysql, apache, ...) has its own way to install privileges but members of the %production group must be able to consult configuration file or even log files. There is still the solution to add them into the right groups (mysql...) and set the good permission. But I do not want to usermod all users, I do not want to modify standards permissions since it could change after each upgrade. On the other hand, setting acls and/or mixing setuid/setgid on directories is something I could easily do without "defacing" the standard distribution. What do you think about this ? Taking the mysql example, that would look like this: setfacl d:g:production:rx,d:other::---,g:production:rx,other::--- /var/log/mysql /etc/mysql Do you think this is good practise or should I definetely usermod -G mysql and play with standard permissions system ? Thank you

    Read the article

  • ACL suggestions needed for a small light framework developed

    - by Sai
    Hello all, I've developed a small framework that was needed for the firm that I work. The problem is I've not made a full level framework, as developers are finding tough time to understand what is what, So I made a simple structure with app/controllers, app/models, app/views so that they can clearly separate the code and can get used to higher frameworks later. All other things like components/modules/helpers are just coded for now in a file called app_functions.php. The above framework is derived from cakePHP, not all, but just the framework uses a modified code of dispatcher of cake. The models all work with normal sqls, and views with pure html using a template engine. Now I'm trying to develop a small application over it, it cameout well, but ACL is something which many versions of it have not proved that satisfactory. Can anybody suggest a good ACL. I've checked phpGACL(too heavy), Zend_ACL likely won't be compatible, Cakephp's ACL which wont fit in the structure,as we are not using cake's SQLs, as there too many queries hitting the database for one page display.

    Read the article

  • openldap search acl

    - by Patrick
    I'm trying to write an access control for OpenLDAP to allow a user to search with a certain base dn, but only get results back from certain sub dn's. I've played with lots of different rules but cant get it to work. I'm not sure its even possible. For example: I have the user with the dn uid=testuser,ou=people,dc=example,dc=com. I want this user to be able to search with a base of dc=example,dc=com and get back entries in ou=people,dc=example,dc=com. There are lots of other sub OUs under dc=example,dc=com, but only entries in ou=people should be returned (for bonus, I'd only like certain attributes to be returned as well). Can this be done?

    Read the article

  • Windows ACL inheritance issues for FTP server and automated tools

    - by Martin Sall
    I have set up Cerberus FTP server. By default, Cerberus FTP service runs under SYSTEM ACCOUNT. Also I have some console applications which run as scheduled tasks. They are running under a dedicated "Utilities" user account which has "Log on as batch job" permissions. These console applications take uploaded FTP files, process them and then move them to some dedicated archive folder. The problem is that my console apps are throwing Security exceptions when trying to acces the uploaded files. I tried to give the Full control permissions on the ftproot folder for my "Utilities" account and I have checked that "Replace all Child object permissions with inheritable permissions from this object" checkbox, but it affects only current files. When new files are uploaded, they again are not accessible by my "Utilities" account. I tried to go another way and put Cerberus FTP service under "Utilities" account. Then I also needed to give "Utilities" account permissions on Cerberus Data folder in ProgramData. Still no luck - after this operation, Cerberus internal SOAP web service stopped working (although everything else seems to work). I need that SOAP service to be available, so running the Cerberus FTP under "Utilities" account seems to be not an option. Unless I find out, what else do I need to set up for that "Utilities" account to stop Cerberus from complaining. I guess, Cerberus is uploading files to some temporary folder and so those files get the permissions form that folder and keep the same permissions even after moved to the ftproot. What would be the right solution for this which would grant Cerberus FTP server and the "Utilities" account minimal needed permissions to access the contents of the ftproot folder?

    Read the article

  • ProCurve ACL to prevent a subnet from leaving the switch

    - by kce
    I have a single HP ProCurve 2610 in a remote location that is connected in with the rest of the network via SHDSL. There are two Layer-3 networks on this segment. ACLs are setup to deny one subnet (192.0.2.0/24) from ever being able to leave the switch by virtue of being applied to port attached to the upstream connection. The other subnet should be permitted to freely leave the switch. Both subnets are on the same VLAN. Unfortunately SFlow very clearly show broadcast traffic from 192.0.2.0/24 on the upstream connection. ProCurve ACLs are not my strong suit but I feel like I'm missing something very simple here. ip access-list extended "Filter for Camera Network" deny ip 192.0.2.0 0.0.0.255 0.0.0.0 255.255.255.255 log permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 exit interface 24 name "DSL - UPLINK" access-group "Filter for Camera Network" in exit Unless I am mistaken traffic from 192.0.2.0/24 should be dropped as it crosses the uplink port (int 24) whereas all other traffic will be permited by the following default allow rule. What exactly am I missing here? EDIT: Firstly, why do you have two subnets contained in the same VLAN? Because that's how it was configured by a previous administrator and while it makes conceptual sense that a single subnet is "mapped" to a single VLAN there's no technical constraint that I am aware of that makes this have to be the case. Instead of filtering inbound traffic on your uplink, you should be filtering outbound traffic. The HP2600 series can only filter inbound traffic on interfaces. Should I change my filter to deny any to 192.0.2.0/24?

    Read the article

  • Cisco IOS ACL: Don't permit incoming connections just because they are from port 80

    - by cjavapro
    I am going much based on my memory and I may not be correct on all of this. On a Cisco 851 (IOS) that uses a BVI or a bridge-route (the servers on the inside are configured with static and public IP addresses). I would apply two access lists (both end with deny ip any any log) on FastEthernet4 (the WAN port). There would be one for FA4 in and another for FA4 out. FA4 out would have a line like access-list 110 permit 98.76.54.0 0.0.0.255 gt 1023 any eq http I think this means from 98.76.54.* with a from port of at least 1024 can connect to any other machine with a destination port 80. So, then I have to allow the response to the HTTP connection. FA4 in would have a line like access-list 120 permit any eq http 98.76.54.0 0.0.0.255 gt 1023 Now the problem with that is that anybody on the outside can set their from port to port 80 and then connect to any inside port that is at least 1024. How do we prevent this and require the incoming data to be a response to the outgoing data.

    Read the article

  • Network Service Account not Inherited in ACL

    - by 5lovak
    I have a problem with files that are being moved into a folder that is set to replace permissions on child objects for the Network Service account. The process is that a media file is uploaded to a website, and is encoded by a piece of software. This moves the file to a folder but for some reason the files that get moved there don't inherit the Network Service account in security permissions. If I manually move a file into the folder the permission is inherited. I have used the effective permissions tool to check the Network Service account security permissions on the parent folder but this shows that there is nothing overriding it - the account has full permissions. Can try and supply more info if required, but any answers grealty appreciated!

    Read the article

  • cake's Acl problems...

    - by Gaurav
    I created an application using the method described in the "http:// book.cakephp.org/view/641/Simple-Acl-controlled-Application" but after I try to log in there is an error which says, "DbAcl::allow() - Invalid node [CORE\cake\libs\controller\components\acl.php, line 325]" I did exactly same as mentioned in the website but after loggin in I am given this error msg.. Please help me rectify this. Any help is greatly appreciated..... thanks gaurav sharma

    Read the article

  • Using ASP.NET Membership Provider with an ACL

    - by geekrutherford
    Up until recently one of my applications has used the membership provider within ASP.NET exclusively. However, it has been proposed that while the currently defined roles are beneficial, security needs to be more granular to restrict both access to certain pages and functionality present within a given page.   Unfortunately, the role based security ASP.NET gives you out of the box falls down in this area. This is not due to a lack of foresight by Microsoft, but rather it was simply not designed for implementing both role based security and any inherent ACL you may define within these roles. Mind you some would say an ACL is independent of the role to which a user belongs and is assigned to the user directly.   The application mentioned here has it's own User object (which encapsulates the membership provider user object as a property) and SQL Server table to store extended information not present in the aspnet_users table. While I could have modified the aspnet membership schema to suit the applications needs, it seemed smarter to simply create a separate table with a foreign key back to the aspnet_users table.   Since I have a separate object to store extended user information, I simply created an ACL object and expose it as a property of my user object.   This is all well and good, but it does not help in regards to the SiteMapProvider and restricting access at the page level based on the users ACL.   The straightforward answer would be to develop some code within the databound event for the menu that checks the page title and has hardcoded logic that dictates a user must have certain permissions turned on. The problem with this approach is that it's HARDCODED!!! If you need to change access to a page you'd need to do a build and go through your normal deployment process....ugh!!!   An alternative method, albeit not perfect, is to utilize the resourceKey property on the SiteMapNodes in the SiteMap file with the name of the required permission to view the page. Within the databound event for your menu you iterate the SiteMapNodes in the menus SiteMapProvider looking for a match at the page level based on title. When a match is detected, you have a switch/case on the SiteMapNodes resourceKey (the name of the ACL permission required). The case for the resourceKey ensures the users ACL permission is turned on and viola!!!   This is noteably not perfect in that it is using the resourceKey in a manner other than intended.  Since the application is not localized, using it in the manner described it not an issue.   Below is a sample SiteMap file with the resourceKey used as the ACL permission identifier:     Below is the ItemDataBound event. This application uses the Telerik Menu control:

    Read the article

  • cakePHP - ACL tutorial & SQL Error: 1104

    - by vector
    Greetings! I run into a problem/bug in production environment with SQL Error: 1104 when deploying a project secured with the ACL tutorial. The full error: SQL Error: 1104: The SELECT would examine more than MAX_JOIN_SIZE rows; check your WHERE and use SET SQL_BIG_SELECTS=1 or SET SQL_MAX_JOIN_SIZE=# if the SELECT is okay [CORE/cake/libs/model/datasources/dbo_source.php, line 666] I've build a small site, worked through the ACL tutorial from the official cake book and locally everything is spiffy. dev. setup consists of: XAMPP: myslq 5.1.33, php 5.3 cakePHP 1.2.7 prod. setup: mysql 5.0.33 php 5.2.2 One of the differences I noticed with mysql setup between local and production servers, is that SQL_BIG_SELECTS is disabled on the production server ( and I don't have privileges to change that, posted a support ticked, didn't hear anything yet) Is there anything I can do about this from my end? Thanks in advance.

    Read the article

  • Simple User Access Control with CodeIgniter framework Code (ACL) Library

    - by Hafiz Arslan Akbar
    Friends, I am new User of PHP n CodeIgniter. I just want do a simple task, user access control. there are 5 different user in a class,, I have to write a code which gives just one line output for one user. for example,, by using ACL library, just pick one out put. deal with basic level... Manager , Teacher , Student , Chairperson PHP page contain one text box and button. by using ACL library we just put one code or string in textbox and get related output... some thing like this... text box contain 1, Now Manager access Control,, text box contain 2, Now Teacher Access Control,, text box contain 3, Chairperson access control.. Plz guide step by step. Thanx in advance dear.......

    Read the article

  • Mimic NTFS "Modify" Permissions on an ext3 acl enabled filesystem in linux?

    - by bobinabottle
    I am migrating our file share from Windows Server to Samba on Linux, and the only hurdle I have at the moment is the acl's. Currently we have a number of directories that use the "Modify" permission on NTFS, so users can write to a directory, but once the file is written it cannot be modified. On Linux, I had the idea that I would set an ACL for the directory to have read/write access, but have a default ACL associated with read only access. Is this possible? I'm not quite sure how to set a default ACL that differs from the parent directory. Thanks!

    Read the article

  • Not sure about ACL permissions

    - by Darko Miletic
    I'm writing up something about ACL usage on CentOS but since I still do not have a box ready I would like to ask something. Let us assume we have a folder /var/www/test If I do this in terms of permissions: /bin/chown -R root:root /var/www/test/ /bin/chmod -R u=rwx,go= /var/www/test/ /usr/bin/setfacl -R -m u:apache:rwx /var/www/test/ Will user apache be able to change owner of folder test or of any particular file within that folder? If answer is yes shall I than use group instead of user?

    Read the article

  • Acl mechanism for JSF

    - by michael lucas
    Is there some ready-to-use ACL mechanism for JSF? I know JBoss Seam comes with something like that, but switching to JBoss Seam is not an option in my case. What I need is to easily define which pages given user is allowed to see and which actions to invoke.

    Read the article

  • PHP MySQL Zend-ACL - Find all inherited items (Children / Parents)

    - by Scoobler
    I have one MySQL DB table like the following, the resources table: id | name | type 1 | guest | user 2 | member | user 3 | moderator | user 4 | owner | user 5 | admin | user 6 | index | controller Onto the next table, the rules table: id | user_id | rule | resource_id | extras 1 | 2 | 3 | 1 | null 2 | 3 | 3 | 2 | null 3 | 4 | 3 | 3 | null 4 | 5 | 3 | 4 | null 5 | 6 | 1 | 1 | index,login,register 6 | 6 | 2 | 2 | login,register 7 | 6 | 1 | 2 | logout OK, sorry for the length, but I am trying to give a full picture of what I am trying to do. So the way it works, a role (aka user) can be granted (rule: 1) access to a controller, a role can inherit (rule: 3) access from another role or a role and be denied (rule: 2) access to a controller. (A user is a resource and a controller is a resource) Access to actions are granted / denied using the extras column. This all works, its not a problem with setting up the ACL within zend. What I am now trying to do is show the relationships; to do that I need to find the lowest level a role is granted access to a controller stopping if it has explicitly been removed. I plan on listing the roles. When I click a role, I want it to show all the controllers that role has access to. Then clicking on a controller shows the actions the role is allowed to do. So in the example above, a guest is allowed to view the index action of the index controller along with the login action. A member inherits the same access, but is then denied access to the login action and register action. A moderator inherits the rules of a member. So if I were to select the role moderator. I want to see the controller index listed. If I click on the controller, it should show the allowed actions as being action: index. (which was originally granted to the guest, but hasn't since been dissallowed) Is there any examples to doing this. I am obviously working with the Zend MVC (PHP) and MySQL. Even just a persudo code example would be a helpful starting point - this is one of the last parts of the jigsaw I am putting together. P.S. Obviously I have the ACL object - is it going to be easier to interigate that or is it better to do it my self via PHP/MySQL? The aim will be, show what a role can access which will then allow me to add or edit a role, controller and action in a GUI style (that is somewhat the easy bit) - currently I am updating the DB manually as I have been building the site.

    Read the article

  • User management, authentication and acl plugin for CakePHP?

    - by Jack
    Hi, I am pretty new to CakePHP, having been using rails for a little while. My question is, can anyone recommend a good user management, authentication and acl plugin or component for Cake? I have come across this one, but it has not been updated since 2008. If not can anyone recommend a good book/tutorial site for this kind of set up? I am more than happy to sit down and write this kind of thing myself, but would rather use a tested community plug-in. Cheers

    Read the article

  • Designing An ACL Based Permission System

    - by ryanzec
    I am trying to create a permissions system where everything is going to be stored in MySQL (or some database) and pulled using PHP for a project management system I am building.  I am right now trying to do it is an ACL kind of way.  There are a number key features I want to be able to support: 1.  Being able to assign permissions without being tied to a specific object. The reason for this is that I want to be able to selectively show/hide elements of the UI based on permissions at a point where I am not directly looking at a domain object instance.  For instance, a button to create a new project should only should only be shown to users that have the pm.project.create permission but obviously you can assign a create permission to an domain object instance (as it is already created). 2.  Not have to assign permissions for every single object. Obviously creating permissions entries for every single object (projects, tickets, comments, etc…) would become a nightmare to maintain so I want to have some level of permission inheritance. *3.  Be able to filter queries based on permissions. This would be a really nice to have but I am not sure if it is possible.  What I mean by this is say I have a page that list all projects.  I want the query that pulls all projects to incorporate the ACL so that it would not show projects that the current user does not have pm.project.read access to.  This would have to be incorporated into the main query as if it is a process that is done after that main query (which I know I could do) certain features like pagination become much more difficult. Right now this is my basic design for the tables: AclEntities id - the primary key key - the unique identifier for the domain object (usually the primary key of that object) parentId - the parent of the domain object (like the project object if this was a ticket object) aclDomainObjectId - metadata about the domain object AclDomainObjects id - primary key title - simple string to unique identify the domain object(ie. project, ticket, comment, etc…) fullyQualifiedClassName - the fully qualified class name for use in code (I am using namespaces) There would also be tables mapping AclEntities to Users and UserGroups. I also have this interface that all acl entity based object have to implement: IAclEntity getAclKey() - to the the unique key for this specific instance of the acl domain object (generally return the primary key or a concatenated string of a composite primary key) getAclTitle() - to get the unique title for the domain object (generally just returning a static string) getAclDisplayString() - get the string that represents this entity (generally one or more field on the object) getAclParentEntity() - get the parent acl entity object (or null if no parent) getAclEntity() - get the acl enitty object for this instance of the domain object (or null if one has not been created yet) hasPermission($permissionString, $user = null) - whether or not the user has the permission for this instance of the domain object static getFromAclEntityId($aclEntityId) - get a specific instance of the domain object from an acl entity id. Do any of these features I am looking for seems hard to support or are just way off base? Am I missing or not taking in account anything in my implementation? Is performance something I should keep in mind?

    Read the article

  • Good ACL implementation in Java

    - by yonconf
    Hi All. I'm implementing a web based document management system and I'd like to implement ACLs in my system. My formal requirements are hierarchal permissions (documents inherit permissions from their folders) user groups (users can dynamically create groups and associate users with groups). Such groups can have permissions on objects in the system. My code will query permission on objects in two cases: 1. Manipulating a single document 2. Listing all documents where a manipulation is possible The latter requirement seems the achilles heel for Spring Security ACLs (their method seems likely to incur multiple DB hits for each document I manage) Anyone know of another ACL implementation? Thanks!

    Read the article

  • CakePHP ACL use case(s)

    - by Jonathan
    I have got a simple web app in development, i want to establish a couple of user groups; Admin, Doctors & Patients. Each group would have their access restricted to particular controller actions rather than individual content. So for example, Doctors can view patient records (index & view actions), but cannot delete them. Usually i would create a groups model, and assign the various users to a group. And filter in the beforeFilter() method to determine if the user has access. But if ACL can do the job, why right the code, right? Thanks

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >