global and component access policies

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

global and component access policies

Mark Bean
There is a global level access policy for 'access all policies' (view and
modify). These access policies apply to components (e.g. processor) as well
as the controller. Even if a user is explicitly excluded from the component
level access policy 'view/modify the policies', the user still has access
due to the global level policy.

Is this correct/desired behavior?

It seems to me the component level access policies should allow the ability
for a global level policy to be overridden for a given component(s).
Reply | Threaded
Open this post in threaded view
|

Re: global and component access policies

Matt Gilman
Mark,

You are correct that this behavior differs from the policies on the
components themselves. The behavior there always for overriding the allowed
users of an ancestor resource. The policies on the policies themselves are
inherited and not overridden. This is noted in the UI since the behavior is
different from how component policies override ancestor policies. This
choice was made since it allowed for folks to define an administrator for
all things and local/component level administrators.

Matt

On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <[hidden email]> wrote:

> There is a global level access policy for 'access all policies' (view and
> modify). These access policies apply to components (e.g. processor) as well
> as the controller. Even if a user is explicitly excluded from the component
> level access policy 'view/modify the policies', the user still has access
> due to the global level policy.
>
> Is this correct/desired behavior?
>
> It seems to me the component level access policies should allow the ability
> for a global level policy to be overridden for a given component(s).
>
Reply | Threaded
Open this post in threaded view
|

Re: global and component access policies

Mark Bean
Fair enough as long as it was a deliberate choice. In practice, it seems
the "one administrator to rule them all" will/should always have access to
all policies - even all component policies.

Thanks for the response.

-Mark

On Fri, Feb 22, 2019 at 3:46 PM Matt Gilman <[hidden email]> wrote:

> Mark,
>
> You are correct that this behavior differs from the policies on the
> components themselves. The behavior there always for overriding the allowed
> users of an ancestor resource. The policies on the policies themselves are
> inherited and not overridden. This is noted in the UI since the behavior is
> different from how component policies override ancestor policies. This
> choice was made since it allowed for folks to define an administrator for
> all things and local/component level administrators.
>
> Matt
>
> On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <[hidden email]> wrote:
>
> > There is a global level access policy for 'access all policies' (view and
> > modify). These access policies apply to components (e.g. processor) as
> well
> > as the controller. Even if a user is explicitly excluded from the
> component
> > level access policy 'view/modify the policies', the user still has access
> > due to the global level policy.
> >
> > Is this correct/desired behavior?
> >
> > It seems to me the component level access policies should allow the
> ability
> > for a global level policy to be overridden for a given component(s).
> >
>