Title: | *OLD* ALL-IN-1 (tm) Support Conference |
Notice: | Closed - See Note 4331.l to move to IOSG::ALL-IN-1 |
Moderator: | IOSG::PYE |
Created: | Thu Jan 30 1992 |
Last Modified: | Tue Jan 23 1996 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 4343 |
Total number of notes: | 18308 |
1442.0. "Drawer Access versus Default Access for New Doc's" by UTRTSC::BOSMAN (They sold you the view from a hill) Thu Sep 17 1992 10:38
Hi,
I encountered a problem with the security of advanced shared drawers in
ALL-IN-1 IOS V3.0.
This is the scenario, performed from the MANAGER's account.
1 Create an advanced shared drawer and give a user (in this example
BOSMAN) Read, Create, Delete and Control access. For this same user set
the default access for new documents to Read (only).
2 Create a document.
3 Log in to the user's account and select the document created in 2. You
can read it, as expected. When trying to edit you'll see:
You are not allowed to edit this document.
Again as expected.
4 Delete the document (remember, this user doesn't have Delete access for
new documents). The document is placed in the WASTEBASKET.
Not as expected.
5 Empty the wastebasket. You'll receive an error message:
Error deleting file <filespec.>
The entry in the cabinet is gone, but not the file!
Here are the protections on both the WPL-file and the directory it is in.
$ DIR/SECU USER1:[ALLIN1.MGR.ZUICIU5LB.DOC3]ZUIDE1TWK.WPL

Directory USER1:[ALLIN1.MGR.ZUICIU5LB.DOC3]

ZUIDE1TWK.WPL;1 [ALLIN1] (RWED,RWED,RE,)
    (IDENTIFIER=[ALLIN1],ACCESS=READ+WRITE+DELETE+CONTROL)
    (IDENTIFIER=[OFFICE,BOSMAN],ACCESS=READ)

Directory USER1:[ALLIN1.MGR.ZUICIU5LB]

DOC3.DIR;1 [ALLIN1] (RWED,RWED,,E)
    (IDENTIFIER=[ALLIN1],OPTIONS=DEFAULT,ACCESS=READ+WRITE+DELETE+CONTROL)
    (IDENTIFIER=[ALLIN1],ACCESS=READ+WRITE+DELETE+CONTROL)
    (IDENTIFIER=[OFFICE,BOSMAN],ACCESS=READ+WRITE+DELETE+CONTROL)
    (IDENTIFIER=[OFFICE,BOSMAN],OPTIONS=DEFAULT,ACCESS=READ)

Total of 1 file.
What I find remarkable are the two ACEs for [OFFICE,BOSMAN] on DOC3.DIR. In
my opinion, according to the drawer access user BOSMAN has, the
OPTION=DEFAULT should be the same as the other ACE specification.
But then again, what does the default access for new documents do? User
BOSMAN wasn't allowed to Edit, but Delete works fine (except for emptying
the wastebasket).
Can someone shed some light on this one?
Thanks in advance,
Sjaak.
T.R | Title | User | Personal Name | Date | Lines |
---|
1442.1 | Problem with processing CONTROL access | IOSG::MAURICE | Ceci n'est pas une note | Thu Sep 17 1992 12:32 | 17 |
| Hi,
I agree this is a problem. It seems to be OK if you don't give the user
CONTROL access to the drawer. But the combination of CONTROL access to
the drawer and not DELETE access to the document will give this
problem.
Please SPR it.
Thanks
Stuart
p.s. The ACLs are correct. The DEFAULT ACEs are applied to every file
(i.e. document) that gets created in the directory. The non-DEFAULT
ACEs are required because you have given the user CONTROL access, which
means that the user is allowed to change the drawer access.
|
1442.2 | Strategic case | UTRTSC::BOSMAN | They sold you the view from a hill | Thu Sep 17 1992 13:26 | 6 |
| Thanks Stuart,
Maybe it's a strategic case. You shouldn't give a user less access for
new documents than you gave him for the drawer.
Sjaak.
|
1442.3 | | SIOG::T_REDMOND | Thoughts of an Idle Mind | Thu Sep 17 1992 14:01 | 4 |
| All points to the need for careful training when introducing drawers to
users...
T
|
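
An added example, not part of the original notes and not ALL-IN-1 or VMS code: a small Python model of the ACL behaviour described in 1442.1, run over the DOC3.DIR listing from 1442.0. It derives the ACL a new document inherits from the DEFAULT ACEs and reports identifiers whose drawer access exceeds it. Assumptions: exact identifier matching, and an identifier with no matching ACE gets no access (the model ignores the UIC protection mask); all function names are hypothetical.

```python
import re

# Constructed input: the DOC3.DIR ACL as listed in note 1442.0.
DOC3_DIR_ACL = """\
(IDENTIFIER=[ALLIN1],OPTIONS=DEFAULT,ACCESS=READ+WRITE+DELETE+CONTROL)
(IDENTIFIER=[ALLIN1],ACCESS=READ+WRITE+DELETE+CONTROL)
(IDENTIFIER=[OFFICE,BOSMAN],ACCESS=READ+WRITE+DELETE+CONTROL)
(IDENTIFIER=[OFFICE,BOSMAN],OPTIONS=DEFAULT,ACCESS=READ)
"""

ACE_RE = re.compile(
    r"\(IDENTIFIER=(\[[^\]]+\])(?:,OPTIONS=([A-Z+]+))?,ACCESS=([A-Z+]+)\)")

def parse_acl(text):
    """Return (identifier, is_default, access_set) tuples in listing order."""
    aces = []
    for ident, options, access in ACE_RE.findall(text):
        is_default = "DEFAULT" in options.split("+")
        aces.append((ident, is_default, frozenset(access.split("+"))))
    return aces

def inherited_file_acl(dir_aces):
    """DEFAULT ACEs are copied onto each new file, without the DEFAULT option."""
    return [(i, False, a) for i, is_default, a in dir_aces if is_default]

def effective_access(aces, ident):
    """The first non-DEFAULT ACE for the identifier decides (simplified model)."""
    for i, is_default, access in aces:
        if i == ident and not is_default:
            return access
    return frozenset()  # assumption: no matching ACE means no access

def mismatched_identifiers(dir_aces):
    """Identifiers whose drawer access exceeds what new documents inherit."""
    file_aces = inherited_file_acl(dir_aces)
    report = {}
    for ident in dict.fromkeys(i for i, _, _ in dir_aces):
        extra = (effective_access(dir_aces, ident)
                 - effective_access(file_aces, ident))
        if extra:
            report[ident] = sorted(extra)
    return report

if __name__ == "__main__":
    for ident, extra in mismatched_identifiers(parse_acl(DOC3_DIR_ACL)).items():
        print(f"{ident}: drawer grants {'+'.join(extra)} "
              "that new documents do not inherit")
```

For the listing above, the derived file ACL matches the one shown on ZUIDE1TWK.WPL, and only [OFFICE,BOSMAN] is reported.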