
One user, two user groups, first group access allowed, second group access denied, how to resolve conflict?

There is a system (Windows, an ASP.NET application, Linux, whatever...), and in this system many user groups exist.
We have one user in two user groups, A and B.
In user group A, access to folder XY is allowed.
In user group B, access to folder XY is denied.
How is a conflict like this resolved?
What are the recommendations/best practices to avoid this situation?

The conflict is resolved by defining (and applying) rules.

Most of the time, I only define permissions. So, as soon as the user is in one of the groups where the access is allowed, the access is allowed.

But you could define a rule stating that a ban is stronger than a permission, so that once a ban is found, then the ban is applied, even if other groups allow the access. It all depends on your rules.

If you have a mix of granting and denying permissions, I would opt for having denial weigh more than a grant. In that case the conflict in your question would lead to the user being denied access.

However, if possible, I would go for a system where you either only grant permissions or only deny permissions, but not both. I would imagine that starting off with a minimal set of permissions by default and granting specific permissions to users and/or groups would be easiest to understand for many users.

The Principle of Least Privilege states that the best practice is to ensure that the default state should be to deny access. The user rights system should be used to add access rights to groups that need it. Under least privilege it should never be necessary to ever ban access.

Of course, while it's very difficult to manage, sometimes being able to apply ban permissions as well is pragmatically useful. To be useful, the deny should be stronger than the allow.
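The three answers above describe the same decision in different words: a combining rule chooses what happens when one group allows and another denies, and a default-deny, grant-only policy avoids the conflict altogether. The following is an added example (not code from the question or any of the answers) that evaluates the question's exact scenario under both rules. The `Ace`/`evaluate` names, the ACL entries and the groups A and B are constructed for illustration and do not correspond to any real system's API.

```python
"""Resolving allow/deny conflicts in a group-based ACL (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: the effect a group has on a resource."""
    group: str
    resource: str
    effect: Effect


def evaluate(acl, user_groups, resource, deny_overrides=True):
    """Return True if access is granted, False otherwise.

    Collects every entry that applies to one of the user's groups for the
    resource, then combines them:
      - deny_overrides=True : any DENY beats any ALLOW (the recommendation
        in the answers: a ban is stronger than a permission).
      - deny_overrides=False: any ALLOW wins (the "user is in at least one
        allowed group" model from the first answer).
    With no applicable entry at all the result is DENY, which is the
    least-privilege default the third answer asks for.
    """
    applicable = [ace.effect for ace in acl
                  if ace.resource == resource and ace.group in user_groups]
    if not applicable:
        return False                      # default deny
    if deny_overrides:
        return Effect.DENY not in applicable
    return Effect.ALLOW in applicable


def deny_entries(acl):
    """Lint helper: list the DENY entries so a grant-only policy can be
    reviewed (an empty result means no allow/deny conflict is possible)."""
    return [ace for ace in acl if ace.effect is Effect.DENY]


# Constructed scenario from the question: one user in groups A and B,
# group A allows folder XY, group B denies folder XY.
ACL = [
    Ace("A", "XY", Effect.ALLOW),
    Ace("B", "XY", Effect.DENY),
]
USER_GROUPS = {"A", "B"}

# The same folder under a grant-only policy: drop every deny entry and rely
# on default deny for everyone who has not been granted access.
GRANT_ONLY_ACL = [ace for ace in ACL if ace.effect is Effect.ALLOW]


if __name__ == "__main__":
    print("deny overrides :", evaluate(ACL, USER_GROUPS, "XY", deny_overrides=True))
    print("allow wins     :", evaluate(ACL, USER_GROUPS, "XY", deny_overrides=False))
    print("grant-only ACL :", evaluate(GRANT_ONLY_ACL, USER_GROUPS, "XY"))
    print("group C only   :", evaluate(ACL, {"C"}, "XY"))
    print("deny entries   :", deny_entries(ACL))
```

Running it shows the two combining rules giving opposite answers for the same user (denied under deny-overrides, allowed under allow-wins), while a user in neither group is denied either way because nothing applies. The grant-only ACL reaches the conflict-free state the second and third answers recommend: `deny_entries` returns nothing, so there is no ordering question left to argue about.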
