This repository was archived by the owner on Apr 13, 2022. It is now read-only.
acl-inheritance.md
7 additions & 4 deletions
@@ -17,18 +17,21 @@ There are two relevant implementations to consider: `default` and `defaultForNew
17
17
18
18
### Strategy 1) `monotonic`
19
19
20
-
In `monotonic`, ACL permissions are cumulative (inherited from the ancestors) and the permission check algorithm sums permissions from left-to-right. The path is explored from root, `/` to the end, or inany direction, as the permission is the union of all the permissions from each ACL file. The search can stop when any ACL file is which gives permission.
20
+
In `monotonic`, ACL permissions are cumulative (inherited from the ancestors) and the permission check algorithm sums permissions over the path. The path is explored in any direction, as the permission is the union of all the permissions from each ACL file. The search can stop when any ACL file is which gives permission.
21
21
22
22
#### Pro
23
+
- Not as fast as defaultForNew but can be
23
24
- Simple hierarchical permission (e.g. everything in `/shared` is shared)
24
25
- Can be fast as it only has to find one ACL file to give the permission it needs
25
-
- An invariant is that an ACL cnnnot be overruled,
26
+
-Monotonic: Once a user or any agent knows the ACL it can apply it as a rule. An ACL is a first class fact. It can be digitally signed, transported, and used to demand access at a later date, etc. Monotonicness is useful.
26
27
27
28
#### Cons
28
-
- It is slower than `default`, since all the path must be taken into consideration. @@@ No, not necessaryily,as the search stops the moment it finds success.
29
-
- It can't have private subfolders within shared folders. Given that permissions cannot be reverted (with the current WAC specification), a subfolder cannot be private in a shared folder. ((A possible solution is NOT include Windows' `DENY` or `DENY all` in the WAC specification. These entries would take precedence to the other (_allow_) permissions). This system is monotonic.
29
+
- It is slower than `defaultFor new`, but the search stops the moment it finds success.
30
+
- It can't have private subfolders within shared folders. Given that permissions cannot be reverted (with the current WAC specification), a subfolder cannot be private in a shared folder. This system is monotonic.
30
31
- User has to be aware of the permissions given to the parent folders
31
32
33
+
((A possible solution is NOT include Windows' `DENY` or `DENY all` in the WAC specification, where these entries would take precedence to the other (_allow_) permissions) That would not be monotonic.
34
+
32
35
### Strategy 2) `default`
33
36
34
37
In `defaultLocal`, ACL permissions are inherited from the most local ACL file which exists, and no others are searched.. The permission check algorithm iterates from the end of path to the beginning stopping at the first existing ACL. Note: Different permission check algorithm may be implemented to find the most significant ACL.
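Review bot: The paragraph added after the Cons list contradicts itself: it reads "A possible solution is NOT include Windows' `DENY` or `DENY all`" and then concludes "That would not be monotonic", but the conclusion only follows if deny entries that take precedence over allow entries are included. Suggest rewording it to say that including Windows-style `DENY` entries is a possible solution and that doing so would break monotonicity, and closing the parenthesis, which opens with "((" and ends with a single ")". Smaller points in the same hunk: the new Pro bullet "Not as fast as defaultForNew but can be" is cut off mid-sentence and restates the first Con, so it should be completed or dropped; the Con spells the strategy `defaultFor new` where the rest of the file uses `defaultForNew`; "-Monotonic:" has no space after the list marker and will not render as a bullet; and "The search can stop when any ACL file is which gives permission" is still missing a word (probably "found") in the rewritten sentence.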