Designing Permission Schemes
Having worked through many designs for different domain structures, we have come up with a series of rules or guidelines you can follow to structure the design process effectively. The idea is that if you design your permission schemes using these rules, you will be more likely to create a design with global scope and minimum effort.
The Five Golden Rules of Permissions Design
This list is not exhaustive. We are sure you will be able to think of others beyond these. If, however, these rules spark your creative juices and help you design more effectively, they will have done their job.
The rules are:
1. Whenever possible, assign object permissions to groups of users rather than individual users.
2. Design group permissions so that you have a minimum of duplication.
3. Manage permissions globally from the ACL window.
4. Allow inheritance: do not orphan sections of the tree.
5. Keep a log of every unusual change that you have made to the tree, especially when you have orphaned sections of it or applied special rights to certain users.
Let’s look at these rules in more detail.
Rule 1—Apply permissions to groups whenever possible
By default, you should use groups to manage your user permissions. At its simplest, this rule makes sense whenever you have more than one user for whom you wish to set certain permissions.
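The following is an added example, not code from the book: a small audit over a constructed permission tree that flags departures from Rules 1, 2, 4 and 5 (it goes beyond Rule 1 alone; Rule 3 concerns the management tool and is not modelled). The `Node` model, the group, user and permission names, and the change-log format (a set of logged paths) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One container in the tree (constructed model, not a real directory API)."""
    name: str
    inherits: bool = True                         # False = orphaned section
    aces: list = field(default_factory=list)      # (trustee, permission) set directly here
    children: list = field(default_factory=list)

def audit(root, groups, logged_paths):
    """Return (rule, path, detail) findings in tree-walk order."""
    findings = []

    def walk(node, prefix, inherited):
        path = f"{prefix}/{node.name}"
        unusual = False
        if not node.inherits:
            inherited = frozenset()               # nothing flows into an orphaned section
            findings.append(("rule4-orphaned", path, "inheritance blocked"))
            unusual = True
        for ace in node.aces:
            trustee, perm = ace
            if trustee not in groups:             # Rule 1: trustee is an individual user
                findings.append(("rule1-user-ace", path, f"{trustee}:{perm}"))
                unusual = True
            if ace in inherited:                  # Rule 2: repeats an inherited grant
                findings.append(("rule2-duplicate", path, f"{trustee}:{perm}"))
        if unusual and path not in logged_paths:  # Rule 5: unusual change never logged
            findings.append(("rule5-unlogged", path, "no change-log entry"))
        effective = inherited | frozenset(node.aces)
        for child in node.children:
            walk(child, path, effective)

    walk(root, "", frozenset())
    return findings

# Constructed sample data: two groups, one tree, one change-log entry.
GROUPS = {"HelpDesk", "HR-Admins"}
TREE = Node("corp", aces=[("HelpDesk", "reset-password")], children=[
    Node("sales", aces=[("HelpDesk", "reset-password"), ("jsmith", "full-control")]),
    Node("hr", inherits=False, aces=[("HR-Admins", "full-control")]),
    Node("it", inherits=False, aces=[("HelpDesk", "reset-password")]),
])
LOGGED = {"/corp/hr"}

if __name__ == "__main__":
    for finding in audit(TREE, GROUPS, LOGGED):
        print(*finding, sep="  ")
```

In the sample, `/corp/it` is not reported as a duplicate even though it restates the HelpDesk grant: once a section is orphaned, the grant has to be repeated there, which is the extra maintenance Rule 4 is meant to avoid.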