Initial Lockdown

Since the default mode for Access Control when created is to allow all rights to all users for back-compatibility, it is recommended that perms be "locked down" first, and only granted as needed. The webinator user, having the irrevocable ability to reset ACLs, should remain a "superuser" with all access, and other accounts turned into lesser-permission users. Lockdown should happen in this order:

  1. Allow superuser: The webinator user should have an Allow entry for all rights to the top-level Global object.

  2. Deny everyone: The group Everyone should have a Deny entry for all rights to the top-level Global object.

With these perms, users other than webinator - including new users and profiles created in the future - will not be able to see or modify administrative settings. They can be granted perms as needed later, for example, the Read right could be removed from the Global deny ACE so that they can read but not modify any admin action/setting.


Copyright © Thunderstone Software     Last updated: Dec 10 2018
Copyright © 2019 Thunderstone Software LLC. All rights reserved.