Forum OpenACS Q&A: permissions and Negative Overriding

Posted by k k on
Hi folks!

I am trying to figure out if negative/positive overriding (from permissions requirements doc) is working...
An example:
Having group G with 'admin' privilege on object O and a user U member-of G, I want to restrict U to have only 'read' on O... or vice versa by replacing 'admin'<->'read'.

Thanks!

Posted by Don Baccus on
I'll have to re-read the requirements doc ... ArsDigita never implemented this though it is something I've thought about. I've not done so because the extra layer would, I think, kill scalability of the permissions system.

Anyway ... no, there's no way to tell it that user U should not have the same privileges as other members of group G.  The only way to do what you describe is to assign privileges to individual users in the group rather than the group at large.  Or to create relational segments (group subsets) to further partition the group and assign permissions on that basis.
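
The following sketch, added here and not part of the original post or of OpenACS, models a grant-only permission check to show why a weaker grant to U cannot override the group's grant, and how granting to a subset of the group (as a relational segment would) gets the intended result. The privilege hierarchy, class, method and party names are assumptions made for the illustration.

```python
# Simplified model of a grant-only (additive) permission check.
# All names are illustrative assumptions; this is not OpenACS code.

# Assumed privilege hierarchy: holding the key implies every privilege listed.
IMPLIES = {"admin": {"admin", "read", "write"}, "write": {"write"}, "read": {"read"}}


class Permissions:
    def __init__(self):
        self.members = {}    # party (group or segment) -> set of member users
        self.grants = set()  # (party, object, privilege); there is no "deny" row

    def add_member(self, party, user):
        self.members.setdefault(party, set()).add(user)

    def grant(self, party, obj, privilege):
        self.grants.add((party, obj, privilege))

    def parties_of(self, user):
        # A user acts as themselves plus every group or segment they belong to.
        return {user} | {p for p, users in self.members.items() if user in users}

    def has_privilege(self, user, obj, privilege):
        # Purely additive: any matching grant on any of the user's parties wins.
        parties = self.parties_of(user)
        return any(party in parties and o == obj and privilege in IMPLIES[held]
                   for party, o, held in self.grants)


def group_wide_grant():
    # G holds admin on O; U is a member, so U is admin and nothing subtracts it.
    p = Permissions()
    for user in ("U", "V"):
        p.add_member("G", user)
    p.grant("G", "O", "admin")
    p.grant("U", "O", "read")  # an extra, weaker grant does not restrict U
    return p


def partitioned_grant():
    # Workaround: G gets only read; a subset of G ("G_admins") gets admin.
    p = Permissions()
    for user in ("U", "V"):
        p.add_member("G", user)
    p.add_member("G_admins", "V")
    p.grant("G", "O", "read")
    p.grant("G_admins", "O", "admin")
    return p
```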

Posted by Tilmann Singer on
I wonder why this could be useful except in the most exotic cases, and I think there is almost always a feasible way around it, especially rel_segs as Don mentioned. Also I can't imagine a UI that implements this and isn't intimidatingly confusing.
Posted by Jun Yamog on
Hi,

I think the design is not to have negative permissions. See this very old thread about ACS perms:

http://ccm.redhat.com/bboard-archive/acs_design/000KNw.html

I hope it's relevant.