The access-control tag has no wiki summary.
26
votes
4 answers
3k views
Dynamic Code Evaluation in Java - Clever or Sloppy?
I am trying to create a flexible ACL framework in Java for my application.
Many ACL frameworks are built on a whitelist of rules, where a rule is in the form of owner:action:resource. For example,
...
11
votes
4 answers
410 views
When should a private method take the public route to access private data?
When should a private method take the public route to access private data?
For example, if I had this immutable 'multiplier' class (a bit contrived, I know):
class Multiplier {
public:
...
6
votes
1 answer
688 views
What is the nicest (user-friendliest) way to tell a user about “Access Denied” error?
Our software implements a layer of role-based security to secure data access, in the form of access control lists. Whenever a user tries to do something that isn't allowed, the software layer will ...
5
votes
4 answers
689 views
Why do organizations limit source code access to engineers? [closed]
Most organizations restrict access to the source code to engineers, and even at places like Google, the Android source code is kept off-limits to most engineers within the company. Why?
Note: I am ...
5
votes
1 answer
1k views
Standard practices for access control (design pattern)
I'm looking at my interface design and I am struggling to decide which is the most "correct" way to implement role-based access control, given a user and a subject that the user would like to access.
...
4
votes
1 answer
1k views
Methodologies for Managing Users and Access?
This is something I'm having a hard time getting my head around. I think I might be making it more complicated than it is.
What I'm trying to do is develop a method to store users in a database with ...
4
votes
2 answers
391 views
What kind of permission is this? (Groups+Roles)
I'm starting to need an access control for roles in my app.
I don't know much of this, but I understand how vBulletin works:
I create groups, then give permissions to groups.
I think that what I ...
3
votes
1 answer
290 views
How to Implement Restricted Access to Application Features
I'm currently developing a web application that provides some 'service' to the user. The user will have to select a 'plan' according to which she/he will be allowed to perform application-specific ...
2
votes
2 answers
224 views
Coding user rights
Imagine a system which has a number of functions and a number of users. A user must have rights to a specific function. Users may belong to a group. A group may belong to a group.
So as a simple ...
2
votes
1 answer
164 views
Should I manage authentication on my own if the alternative is very low in usability and I am already managing roles?
As a small in-house dev department, we only have experience with developing applications for our intranet. We use the existing Active Directory for user account management. It contains the accounts of ...
2
votes
1 answer
267 views
Restrictive routing best practices for Google App Engine with python?
Say I have a simple structure:
app = webapp2.WSGIApplication([
(r'/', 'pages.login'),
(r'/profile', 'pages.profile'),
(r'/dashboard', 'pages.dash'),
], debug=True)
Basically all pages ...
2
votes
2 answers
244 views
Duplication of view access control logic in database queries and application component
Our web application has a complex access control system which incorporates role-based and object-level privileges.
In the business logic layer, this is implemented by a component that obtains (and ...
2
votes
1 answer
125 views
What is a good overview of options for access controls/permissions?
I'm in the process of designing the access control portion of a moderately complex application, but I feel like I'm re-discovering a lot of wheels.
Does there exist a good overview of the "access ...
2
votes
3 answers
137 views
How do I recreate this Access Control/Group/ whatever methodology in OO/MVC
I am looking at trying to rewrite an application that is mostly procedural to an MVC/OO approach in order to teach myself a deeper understanding of both.
BUT, I am having some conceptual issues with ...
1
vote
1 answer
52 views
Embedding XACML PDP?
I need to implement a flexible Access Control system for a framework used by a couple of .NET applications.
I have looked into Attribute-Based Access Control (ABAC) and XACML and this seems to ...
1
vote
1 answer
83 views
How can I simplify the following Access Control system design?
I couldn't find a better title for this...
I am trying to create an Access Control for my application and I am having serious trouble with building not an insane system, mainly for performance as ...
1
vote
1 answer
36 views
Privilege (Access/Permission) Control for Hierarchical Structured Resource
Question: Is there any standard model or industry de facto implementation for modeling and implementing Access Control in (i.e.) a Document Management System?
Note: I studied a bit the security ...
1
vote
0 answers
115 views
Using a Finite State Machine for access management?
My intranet site uses LDAP and Active Directory to authenticate users. There are 2 kinds of Users: Managers and Employees. They are differentiated by having membership in a particular AD group.
In an ...
0
votes
2 answers
524 views
Is it a good idea to const-qualify the fields of structure in C?
Consider the following program:
#include <stdlib.h>
#include <stdio.h>
typedef struct S_s {
const int _a;
} S_t;
S_t *
create_S(void) {
return calloc(sizeof(S_t), 1);
}
void
...
0
votes
2 answers
1k views
How to implement a hybrid role-based access control model?
I am writing an enterprise web-forms-frontend application for in-house use. It has Direct access control (DAC) masquerading as Role-based access control (RBAC).
For anonymization purposes, let's ...
0
votes
1 answer
115 views
Using a Proxy as an ACL
I am building an MVC application in PHP, using Zend Framework.
My model includes Domain Model and Mapper layers. I am trying to keep the domain model in pristine condition and have managed to keep ...
-1
votes
1 answer
92 views
mongoDB user management (built in or own implementation) [closed]
I started to evaluate mongoDB for a product catalogue.
Regarding user management and access control: When to use mongoDB's built-in user management and when to build one on the application layer?
...