Initial Lockdown

Because Access Control, when first created, defaults to allowing all rights to all users for backward compatibility, it is recommended that perms be "locked down" first and then granted only as needed. The admin user, which has the irrevocable ability to reset ACLs, should remain a "superuser" with all access, while other accounts become lesser-permission users. Lockdown should happen in this order, so that the superuser's Allow entry is already in place when the Deny entry takes effect:

  1. Allow superuser: The admin user should have an Allow entry for all rights to the top-level Global object.

  2. Deny everyone: The group Everyone should have a Deny entry for all rights to the top-level Global object.

With these perms, users other than admin, including users and profiles created in the future, will not be able to see or modify administrative settings. Perms can then be granted as needed; for example, removing the Read right from the Global Deny ACE lets them read, but not modify, any admin action or setting.
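The following is an added illustration, not Thunderstone's code: a small model of Allow/Deny entries on a single object (standing in for the top-level Global object) that walks through the two lockdown steps above and the later Read refinement. Its evaluation rules are assumptions, not taken from the page: a right is decided first by ACEs naming the user, then by ACEs naming one of the user's groups; at either level an explicit Deny beats an Allow; with no ACE at all the right is allowed (the back-compatible default). Only the Read right is named on the page; the other right names, the Acl/Ace classes and the helper functions are placeholders.

```python
# Added example, not Thunderstone's code. Models Allow/Deny ACEs on one object
# to show the effect of the lockdown order and the later Read refinement.
# Assumed semantics (not stated on the page): user-level ACEs are checked before
# group-level ACEs; at either level Deny beats Allow; no ACE means allowed.

from dataclasses import dataclass

# "Read" is from the page; the other right names are assumed placeholders.
ALL_RIGHTS = frozenset({"Read", "Write", "Create", "Delete"})
EVERYONE = "Everyone"   # group every user, admin included, belongs to


@dataclass
class Ace:
    principal: str       # user or group name
    allow: bool          # True for an Allow entry, False for a Deny entry
    rights: frozenset


class Acl:
    def __init__(self):
        self.entries = []

    def add(self, principal, allow, rights=ALL_RIGHTS):
        self.entries.append(Ace(principal, allow, frozenset(rights)))

    def remove_rights(self, principal, allow, rights):
        """Drop rights from an existing ACE, e.g. take Read out of the Global deny."""
        for ace in self.entries:
            if ace.principal == principal and ace.allow == allow:
                ace.rights = ace.rights - frozenset(rights)


def _decide(entries, right):
    """Deny beats Allow among ACEs at one level; None if no ACE mentions the right."""
    hits = [e.allow for e in entries if right in e.rights]
    if not hits:
        return None
    return all(hits)


def effective_rights(acl, user, groups=(EVERYONE,)):
    """Rights the user actually holds on the object under the assumed model."""
    granted = set()
    for right in ALL_RIGHTS:
        decision = _decide([e for e in acl.entries if e.principal == user], right)
        if decision is None:
            decision = _decide([e for e in acl.entries if e.principal in groups], right)
        if decision is None:
            decision = True   # no ACE at all: back-compatible default is allow
        if decision:
            granted.add(right)
    return frozenset(granted)


def lockdown(acl, superuser="admin"):
    """The two steps from the page, in the stated order."""
    acl.add(superuser, allow=True)      # 1. Allow superuser: all rights on Global
    acl.add(EVERYONE, allow=False)      # 2. Deny everyone: all rights on Global
    return acl


def demo():
    fresh = Acl()                                        # default: everything allowed
    before = effective_rights(fresh, "newuser")

    locked = lockdown(Acl())
    admin_after = effective_rights(locked, "admin")
    user_after = effective_rights(locked, "newuser")     # users created later, too

    # Reversed order: Deny everyone with no admin Allow yet. Under this model the
    # superuser is shut out as well, until the ACLs are reset.
    wrong = Acl()
    wrong.add(EVERYONE, allow=False)
    admin_locked_out = effective_rights(wrong, "admin")

    # Later refinement: take Read out of the Global deny ACE so other users can
    # read, but not modify, admin settings.
    locked.remove_rights(EVERYONE, allow=False, rights={"Read"})
    user_readonly = effective_rights(locked, "newuser")

    return before, admin_after, user_after, admin_locked_out, user_readonly


if __name__ == "__main__":
    labels = ["default (no ACEs)", "admin after lockdown", "user after lockdown",
              "admin if Deny came first", "user after Read removed from deny"]
    for label, rights in zip(labels, demo()):
        print(f"{label:34} {sorted(rights)}")
```

Running it shows the new user holding every right before lockdown and none after it, admin keeping all rights because its user-level Allow is checked before the Everyone Deny, and the reversed order leaving even admin with nothing until the ACLs are reset; after Read is dropped from the Deny ACE the new user holds exactly Read.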


Copyright © Thunderstone Software     Last updated: Nov 8 2024