[Yanel-dev] Inheritance of policies when creating a new policy
Guillaume Déflache
guillaume.deflache at wyona.com
Thu Oct 15 09:35:26 CEST 2009
Michael Wechner schrieb:
> Hi
Hi!
> The default behaviour is that if no policy exists, then all rights of
> the above policies are inherited.
>
> Now if one creates a new policy with an access policy editor I would
> assume, that the inheritance flag is turned on
> (at the moment it is not), because if not, then it doesn't reflect the
> default behaviour.
It's probably historical, the customers of the first project we coded
the GUI for wanted these defaults I guess... so better not change it
without adding at least a pref to be able to get it back!
> The counter argument would be that for security reasons one wants to
> have it turned off and that one should
> have to set it explicitely.
That does make sense, also one could argue that having to propagate
inheritance by manually editing files can be cumbersome,so better make
that the default, and that the final security decisions by
administrators are better and more often made in a GUI with proper
bird-eye view, so it makes sense to be conservative there and that
someone explicitly takes action for granting more rights there.
SO IMHO it isn't broken, so don't change it! ;)
Cheers,
Guillaume
P.S. : No idea for the "WORLD" stuff, except it's a "magic" value so I
don't like it by default! ;) (But there is maybe no other way.)
More information about the Yanel-development
mailing list