Unable to overwrite inherited ACL roles in Policy.yaml
Roles are inherited correctly but you cannot overwrite a previously defined DENY with a GRANT. It's working fine to overwrite a GRANT with a DENY but not vice versa.
See attached PDF document for clarification.
Please note: this ticket is related to #8427 (see examples there) but describes a (new) system behaviour (bug).
Updated by Andreas Förthner almost 11 years ago
- Status changed from Accepted to Resolved
I close this issue, as the introduction of the new Everybody role and the fact that every resource is automatically added to this role with an ABSTAIN privilege should solve the issue.
Here is a short explanation of how privilege evaluation works:
The DENY privilege overrides any other privilege, regardless of the inheritance. This is done intentionally. By defining a resource it is by default denied to everyone. As soon as one of the roles (or inherited parent roles) gets a GRANT privilege and no DENY privilege, the account is allowed to access. The new ABSTAIN privilege is just ignored when evaluating the access decision, but if no other privilege is found, access is denied.
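
The evaluation rules described in the comment above, as an added example that is not part of the original ticket and not the framework's own code: a small Python model of deny-overrides evaluation with role inheritance. The role names, the resource name, the dictionary layout and the assumption that every account implicitly holds the Everybody role are constructed for illustration.

```python
from enum import Enum

class Privilege(Enum):
    GRANT = "GRANT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"

def expand_roles(roles, parents):
    """Return the given roles plus every inherited parent role (cycle-safe)."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(parents.get(role, ()))
    return seen

def is_access_granted(account_roles, resource, parents, acl):
    """Deny-overrides decision: any DENY wins, otherwise one GRANT is required."""
    # Assumption: every account implicitly holds the Everybody role.
    effective = expand_roles(set(account_roles) | {"Everybody"}, parents)
    # A role with no entry for the resource is treated like ABSTAIN (ignored).
    found = {acl.get(r, {}).get(resource, Privilege.ABSTAIN) for r in effective}
    if Privilege.DENY in found:
        return False  # DENY overrides GRANT regardless of inheritance
    return Privilege.GRANT in found  # only ABSTAIN found: default deny

# Constructed sample policy: Administrator inherits from Customer.
PARENTS = {"Administrator": ["Customer"]}
RESOURCE = "adminPanel"

# Reported situation: the parent role carries DENY, the child role tries to GRANT.
ACL_REPORTED = {
    "Everybody": {RESOURCE: Privilege.ABSTAIN},
    "Customer": {RESOURCE: Privilege.DENY},
    "Administrator": {RESOURCE: Privilege.GRANT},
}
# Resolution from the comment: the parent abstains instead of denying.
ACL_RESOLVED = {**ACL_REPORTED, "Customer": {RESOURCE: Privilege.ABSTAIN}}

if __name__ == "__main__":
    for name, acl in (("reported", ACL_REPORTED), ("resolved", ACL_RESOLVED)):
        for role in ("Customer", "Administrator"):
            print(name, role, is_access_granted([role], RESOURCE, PARENTS, acl))
```

With the reported policy the inherited DENY blocks Administrator; once the parent role abstains, Administrator is granted while Customer still falls through to the default deny.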