[Yanel-dev] Inheritance of policies when creating a new policy
Michael Wechner
michael.wechner at wyona.com
Thu Oct 15 10:38:57 CEST 2009
Guillaume Déflache schrieb:
> Michael Wechner schrieb:
>> Hi
>
> Hi!
>
>
>> The default behaviour is that if no policy exists, then all rights of
>> the above policies are inherited.
>>
>> Now if one creates a new policy with an access policy editor I would
>> assume, that the inheritance flag is turned on
>> (at the moment it is not), because if not, then it doesn't reflect
>> the default behaviour.
>
> It's probably historical, the customers of the first project we coded
> the GUI for wanted these defaults I guess... so better not change it
> without adding at least a pref to be able to get it back!
it's now configurable and the default value is set to false, such that
is backwards compatible
Cheers
Michi
>
>
>> The counter argument would be that for security reasons one wants to
>> have it turned off and that one should
>> have to set it explicitely.
>
> That does make sense, also one could argue that having to propagate
> inheritance by manually editing files can be cumbersome,so better make
> that the default, and that the final security decisions by
> administrators are better and more often made in a GUI with proper
> bird-eye view, so it makes sense to be conservative there and that
> someone explicitly takes action for granting more rights there.
>
>
> SO IMHO it isn't broken, so don't change it! ;)
>
>
> Cheers,
> Guillaume
>
> P.S. : No idea for the "WORLD" stuff, except it's a "magic" value so I
> don't like it by default! ;) (But there is maybe no other way.)
More information about the Yanel-development
mailing list