
RE: VCAR question





>...Can a VAGENDA contain a VCAR? If so then isn't having "write" permission to
>a VAGENDA with the ability to move another VAGENDA into it the same as
>having full rights since you could create VCARS?  Or am I missing something?

A VAGENDA can contain most things, so at first glance, having the ability to
move another VAGENDA into an existing one, or create a new sub-VAGENDA,
feels like having full rights, but it might not be.

If our access control model is changed to:
1) default access is grant
2) inheritance evaluation starts at the root and you work your way down
3) evaluation stops when an explicit DENY is reached

Then you could give someone CREATE or MODIFY access on a VAGENDA
and use other VCARS to still limit what could be done in the "sub" VAGENDAs
introduced by the user.

Paul
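
The three-rule evaluation proposed in the message above, sketched as an added example that is not part of the original post and is not CAP or iCalendar syntax. The `Agenda`, `Deny` and `check` names are hypothetical, and the sketch assumes a DENY stored in a VAGENDA applies to everything beneath it.

```python
from dataclasses import dataclass, field

@dataclass
class Deny:
    """Constructed stand-in for a VCAR that carries an explicit DENY."""
    user: str    # who is denied; "*" means everyone
    action: str  # e.g. "CREATE", "MODIFY"
    kind: str    # component type acted on, e.g. "VCAR", "VEVENT"

@dataclass
class Agenda:
    """Constructed stand-in for a VAGENDA and the DENY rules stored in it."""
    name: str
    parent: "Agenda | None" = None
    denies: list = field(default_factory=list)

    def path_from_root(self):
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

def check(user, action, kind, target):
    """Return (allowed, name of the VAGENDA whose DENY stopped evaluation)."""
    for agenda in target.path_from_root():           # rule 2: root first
        for d in agenda.denies:
            if d.user in (user, "*") and (d.action, d.kind) == (action, kind):
                return False, agenda.name            # rule 3: stop at DENY
    return True, None                                # rule 1: default grant

if __name__ == "__main__":
    root = Agenda("root")
    # Owner lets bob work in "team" but explicitly denies him VCAR changes there.
    team = Agenda("team", root, [Deny("bob", "CREATE", "VCAR"),
                                 Deny("bob", "MODIFY", "VCAR")])
    sub = Agenda("bob-sub", root)                    # bob's own VAGENDA
    print(check("bob", "CREATE", "VCAR", sub))       # before the move
    sub.parent = team                                # bob moves it into "team"
    print(check("bob", "CREATE", "VCAR", sub))       # after the move
    print(check("bob", "CREATE", "VEVENT", sub))     # not denied anywhere
```

Because evaluation walks down from the root, the DENY in "team" is reached before anything stored in the moved VAGENDA, so the move cannot be used to gain the right to create VCARs there.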