
@fsuter
Created August 28, 2012 15:19
Policy file
resources:
  methods:
    (snip)
  entities:
    Cobweb_Monitoring_Domain_Model_Event:
      Cobweb_Monitoring_Events_All: 'ANY'
      Cobweb_Monitoring_Events_Group1: 'this.visibleGroup1 == TRUE'
      Cobweb_Monitoring_Events_Group2: 'this.visibleGroup2 == TRUE'
roles:
  Administrator: []
  Group1: []
  Group2: []
acls:
  Administrator:
    methods:
      (snip)
    entities:
      Cobweb_Monitoring_Events_All: GRANT
  Group1:
    methods:
      (snip)
    entities:
      Cobweb_Monitoring_Events_Group1: GRANT
I'm trying to implement access-right control to a given model (named Cobweb\Monitoring\Domain\Model\Event).
The application has 3 roles: Administrator, Group1 and Group2.
I have added two boolean fields to the model for managing access called "visibleGroup1" and "visibleGroup2".
What I aim for with the roles:
- Administrators should see all objects
- Group1 should only see objects for which "visibleGroup1" is TRUE
- same for Group2 with "visibleGroup2"
Above (or below) is my first (and apparently naive) try at a corresponding policy.
It doesn't work for any group, not even Administrators. Although they have the "ANY" access granted, the 2 other rules are considered as being denied, which is definitely not what I would consider access to "any" resource. It also fails for Group1, because it adds the condition that "visibleGroup2" must not be TRUE, which is again not what I want.
From what I understand, any resource that is not explicitly granted is denied, which is definitely not what I expected. I hoped to achieve better results with ABSTAIN, but it seems like ABSTAIN behaves the same as DENY in this case. I don't understand the rationale for this.
How can I achieve my scenario?
@kitsunet

      # NoGroup covers events flagged for neither group, so the three resources partition all events
      Cobweb_Monitoring_Events_NoGroup: 'this.visibleGroup1 == FALSE && this.visibleGroup2 == FALSE'
      Cobweb_Monitoring_Events_Group1: 'this.visibleGroup1 == TRUE'
      Cobweb_Monitoring_Events_Group2: 'this.visibleGroup2 == TRUE'

  Administrator:
    methods:
      (snip)
    entities:
      Cobweb_Monitoring_Events_NoGroup: GRANT
      Cobweb_Monitoring_Events_Group1: GRANT
      Cobweb_Monitoring_Events_Group2: GRANT
  Group1:
    methods:
      (snip)
    entities:
      Cobweb_Monitoring_Events_Group1: GRANT
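
A small simulation of the entity-resource semantics described in the question and the reply above (added example, not Flow's own code): it applies the rule the question observes, that an entity is hidden whenever it matches any resource the role is not granted, to both the naive policy and the partitioned one from the reply. The constraint evaluator and the sample events are constructed for this illustration and cover only the constraint syntax used on this page.

```python
import re

# Entity resource constraints and role ACLs from the question (naive policy)
NAIVE_RESOURCES = {
    "Cobweb_Monitoring_Events_All": "ANY",
    "Cobweb_Monitoring_Events_Group1": "this.visibleGroup1 == TRUE",
    "Cobweb_Monitoring_Events_Group2": "this.visibleGroup2 == TRUE",
}
NAIVE_ACLS = {"Administrator": {"Cobweb_Monitoring_Events_All"},
              "Group1": {"Cobweb_Monitoring_Events_Group1"},
              "Group2": {"Cobweb_Monitoring_Events_Group2"}}

# Mutually exclusive resources covering every event (the fix from the reply)
FIXED_RESOURCES = {
    "Cobweb_Monitoring_Events_NoGroup":
        "this.visibleGroup1 == FALSE && this.visibleGroup2 == FALSE",
    "Cobweb_Monitoring_Events_Group1": "this.visibleGroup1 == TRUE",
    "Cobweb_Monitoring_Events_Group2": "this.visibleGroup2 == TRUE",
}
FIXED_ACLS = {"Administrator": set(FIXED_RESOURCES),
              "Group1": {"Cobweb_Monitoring_Events_Group1"},
              "Group2": {"Cobweb_Monitoring_Events_Group2"}}

TERM = re.compile(r"this\.(\w+) == (TRUE|FALSE)")

def matches(constraint, entity):
    """Constraint subset used on this page: ANY, and 'this.<f> == TRUE|FALSE' terms joined by &&."""
    if constraint == "ANY":
        return True
    for term in constraint.split("&&"):
        m = TERM.fullmatch(term.strip())
        if m is None:
            raise ValueError("unsupported constraint: " + term)
        if entity[m.group(1)] != (m.group(2) == "TRUE"):
            return False
    return True

def visible(resources, acls, role, entity):
    """Visible only if every resource the entity matches is GRANTed to the
    role; a matching resource left at DENY/ABSTAIN hides the entity."""
    return all(name in acls[role]
               for name, c in resources.items() if matches(c, entity))

# Constructed sample events: one per combination of the two flags
EVENTS = {"both": {"visibleGroup1": True, "visibleGroup2": True},
          "g1": {"visibleGroup1": True, "visibleGroup2": False},
          "g2": {"visibleGroup1": False, "visibleGroup2": True},
          "none": {"visibleGroup1": False, "visibleGroup2": False}}

def visible_events(resources, acls, role):
    """Names of the sample events the role can see under a policy."""
    return {k for k, e in EVENTS.items() if visible(resources, acls, role, e)}
```

Under these semantics the naive policy leaves Administrator with only the unflagged events and Group1 with nothing, while the partitioned policy gives Administrator every event; an event flagged for both groups still matches the Group2 resource, so it stays hidden from Group1, which is the "must not be TRUE" effect the question describes.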
