Hi @jakarman,
If I understand your proposal correctly, then it appears at a high level to be somewhat similar to the practices discussed in David, Cecily and Angie's papers. I'm wondering if an area of difference is the use of ACEs? You don't mention ACEs in the proposal, but given you say your ACTs only grant, I am assuming an implied use of ACEs to deny permissions (to PUBLIC or SASUSERS) when you need to hide/protect folders. Is this correct? Whilst I personally prefer to use ACTs when I can, ACEs can of course also give you the outcome you need, if you are thorough. However ACEs are more difficult to find/manage (unless you have software to help). ACTs also give you the opportunity to encapsulate common patterns in a single location, so that if those patterns change in future they only need to be changed in a single location rather than multiple. Following the best practices will also make an implementation much easier for other/future workers to understand.
Regarding the last points/questions:
Now add some subfolders or go to move some things. Look at the precedence: the explicit settings have priority over the ACTs and the inherited ones.
In the new folder everything is inherited; there is no automatic copy of all ACEs.
That's right - the subfolder will not have any direct access controls (ACTs, ACEs) unless they are specifically added. However any access controls on the parent will still have an indirect effect. Without any direct access controls on the subfolder, the effective permissions on the subfolder will be the same as the parent folder (except for any potential WMM on parent > WM on child related differences).
The new folder is seeing groups, like ACTs and all stuff, as inherited; the "on the item" box has vanished. Will the security give the same results?
The presence of any groups and permissions on the parent folder will be seen as indirect on the subfolder. As mentioned on the previous point, the effective permissions on the subfolder will start out the same as the parent folder (save possible WMM > WM differences). The "on the item" box has not vanished, it is just only considered when direct access controls on the item (subfolder) cannot determine the effective permissions on their own and in that case the items on the parent are then considered. For a newly created subfolder with no additional direct access controls the parent folder will determine the outcome. This is as most people would expect I think.
Another one is this: "then the access control for the group the user is more closely a member of will win". Having conflicts in rights that are equal in distance, there will be a random effect (unpredictable, undefined outcome).
There is no random effect. When there are conflicts the outcome is determined. It might appear to be unpredictable without a full knowledge of the implementation and precedence rules. However, if you follow the flow chart David discusses above you will always get a determined outcome. A major benefit of following the best practices he described in his papers is that you don't need to keep all of this in your head to know the outcome, as those practices simplify matters greatly and you won't end up with apparently unpredictable outcomes.
Cheers
Paul
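A toy model of the precedence walk Paul describes, added here as an illustration and not code from the thread or from SAS: direct ACEs on an item decide before its ACTs, both decide before anything inherited, the identity closest to the user wins, an equal-distance conflict resolves to a deny (so the outcome is determined, not random), and a parent's WMM governs WM on its children. The numeric distance scale, the deny-on-tie rule and all folder, group and user names are my assumptions for the example.

```python
from dataclasses import dataclass, field

# Identity "distance" for precedence (constructed scale): 0 = the user itself,
# 1 = a direct group, 2 = a group reached via another group, 3 = SASUSERS,
# 4 = PUBLIC; None means the entry does not apply to this user at all.
def distance(user, identity):
    if identity == user["name"]:
        return 0
    if identity in user["direct_groups"]:
        return 1
    if identity in user["indirect_groups"]:
        return 2
    return {"SASUSERS": 3, "PUBLIC": 4}.get(identity)
@dataclass
class Folder:
    name: str
    parent: "Folder" = None
    aces: list = field(default_factory=list)  # (identity, permission, "grant"|"deny")
    acts: list = field(default_factory=list)  # each ACT is a list of such tuples
def resolve(entries, user, perm):
    """Closest identity wins; a tie at the same distance resolves to deny."""
    hits = [(distance(user, ident), kind) for ident, p, kind in entries
            if p == perm and distance(user, ident) is not None]
    if not hits:
        return None
    best = min(d for d, _ in hits)
    return "deny" if any(k == "deny" for d, k in hits if d == best) else "grant"
def effective(folder, user, perm):
    # Direct ACEs on the item decide first, then every ACT applied to it.
    for source in (folder.aces, sum(folder.acts, [])):
        verdict = resolve(source, user, perm)
        if verdict:
            return verdict
    if folder.parent is None:
        return "deny"  # nothing anywhere grants it
    # Nothing direct decided it, so the parent's settings take effect (WMM on
    # the parent is what governs WM on this child).
    return effective(folder.parent, user, "WMM" if perm == "WM" else perm)
def sample():
    """Constructed tree: root secured by one ACT, an inherited-only child,
    and a child whose direct ACEs override the inherited grant."""
    baseline = [("PUBLIC", "RM", "deny"), ("SASUSERS", "RM", "grant"),
                ("Developers", "WMM", "grant")]
    root = Folder("Root", acts=[baseline])
    projects = Folder("Projects", parent=root)  # no direct controls at all
    secret = Folder("Secret", parent=root,
                    aces=[("Developers", "RM", "deny"), ("Analysts", "RM", "grant")])
    alice = {"name": "alice", "direct_groups": {"Developers"}, "indirect_groups": {"AllStaff"}}
    bob = {"name": "bob", "direct_groups": {"Developers", "Analysts"}, "indirect_groups": set()}
    return root, projects, secret, alice, bob
```

With this tree, alice reads Projects through the root's SASUSERS grant and gets WM on it through the root's WMM grant, while bob is denied RM on Secret because his two direct groups conflict at the same distance.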