- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 5.1 M1
- Fix Version/s: 5.1 M2
- Component/s: None

The problem is that if we refuse read on a folder for the members group, the Administrator user can't read it anymore.

So to avoid this, there are two solutions:

1. Temporary: Administrator no longer belongs to users.
2. The ACEs are all analysed, instead of stopping at the first ACE that fits, and there is a security rule at DOMAIN LEVEL that specifies the algorithm between those two:

First rule (the most common, I think):
- the user principal ACE is the strongest
- then, if only group ACEs fit, if there is one authorised the result is authorised

Second rule (when security is very high):
- the user principal ACE is the strongest
- then, if only group ACEs fit, if there is one refused the result is refused

Another technical solution would be to order the groups, but it is not functionally acceptable (I don't know all the groups when I create mine).
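
The two domain-level rules described in this ticket, next to the first-match behaviour it wants to replace, as an added Python example that is not code from the ticket or the project. The `ACE` tuple, the rule names, the sample ACL and the refusal when no ACE fits are assumptions made for illustration.

```python
from typing import NamedTuple

class ACE(NamedTuple):          # hypothetical shape, not the project's class
    principal: str              # user or group name
    permission: str
    granted: bool

GRANT_WINS = "grant-wins"       # the ticket's first rule (hypothetical name)
DENY_WINS = "deny-wins"         # the ticket's second rule (hypothetical name)

def first_match(acl, user, groups, permission):
    """Behaviour the ticket complains about: stop at the first ACE that fits."""
    for ace in acl:
        if ace.permission == permission and ace.principal in {user, *groups}:
            return ace.granted
    return False                # assumption: nothing fits means refused

def evaluate_all(acl, user, groups, permission, rule):
    """Analyse every ACE; the user's own ACE outranks any group ACE."""
    fitting = [a for a in acl if a.permission == permission]
    own = [a.granted for a in fitting if a.principal == user]
    if own:
        return own[0]           # assumption: the first user ACE decides
    by_group = [a.granted for a in fitting if a.principal in groups]
    if not by_group:
        return False            # assumption: nothing fits means refused
    if rule == GRANT_WINS:
        return any(by_group)    # one authorised group ACE authorises
    if rule == DENY_WINS:
        return all(by_group)    # one refused group ACE refuses
    raise ValueError(f"unknown rule: {rule!r}")

# Constructed sample: read refused for "members", granted for "administrators".
FOLDER_ACL = [ACE("members", "Read", False), ACE("administrators", "Read", True)]
ADMIN_GROUPS = {"members", "administrators"}
# Same ACL with a user ACE appended last, to show that order no longer matters.
ACL_WITH_USER_ACE = FOLDER_ACL + [ACE("Administrator", "Read", True)]

def demo():
    who = ("Administrator", ADMIN_GROUPS, "Read")
    return {
        "first match": first_match(FOLDER_ACL, *who),
        "all ACEs, first rule": evaluate_all(FOLDER_ACL, *who, GRANT_WINS),
        "all ACEs, second rule": evaluate_all(FOLDER_ACL, *who, DENY_WINS),
        "second rule + user ACE": evaluate_all(ACL_WITH_USER_ACE, *who, DENY_WINS),
    }

if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'authorised' if allowed else 'refused'}")
```

Under the second rule the group refusal still locks Administrator out; only a user-level ACE restores access there.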