I am not an infosec professional, but I'm working on a project that requires designing and implementing a permission system for a customer. The system the customer proposes is as follows:
- Users are assigned to roles such as viewer, editor, contributor, and admin to determine their capabilities.
- Users are organized in teams (not the same as roles) that mirror the organization structure. E.g.: Acme Europe, Acme France, and Acme France Finance.
- Resources have ACLs that determine which teams or users can access them.
However, this approach may cause conflicts between the ACLs and the roles a user is in: Bob may be a viewer and part of Acme France Finance, and the ACL for a resource may state that Acme France Finance has edit permissions.
To handle such conflicts, the roles will take precedence, meaning a user's role determines their capabilities, and the ACLs only allow the maximum access level for teams or users if their role permits it. So in the example above, users in Acme France Finance would have edit privileges over the resource at most, depending on their role; Bob would only have view access.
This approach seems complicated, but the customer insists on using both layers. After researching access control systems, it seems like a combination of discretionary access control (DAC) and role-based access control (RBAC). The customer wants the flexibility of DAC but with RBAC as a safety net to prevent things like read-only users from doing more.
My question is: Is it a good idea to combine DAC and RBAC in this way? What are the advantages and disadvantages, and is there a name for this pattern?
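The rule described in the question (the ACL proposes an access level, the role caps it) is small enough to write down as a single check. This is an added illustration, not code from the asker or the customer; the role-to-ceiling mapping, the `user:`/`team:` principal naming and the sample ACL are constructed for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered access levels; a higher level implies the lower ones."""
    NONE = 0
    VIEW = 1
    EDIT = 2
    ADMIN = 3


# Ceiling per role (assumed mapping; "contributor" is taken to cap at EDIT).
ROLE_CEILING = {
    "viewer": Level.VIEW,
    "editor": Level.EDIT,
    "contributor": Level.EDIT,
    "admin": Level.ADMIN,
}


def acl_grant(acl, user, teams):
    """Highest level the ACL grants to the user directly or via any of their
    teams. Principals are strings like "user:bob" or "team:Acme France".
    A resource with no matching entry yields NONE (deny by default)."""
    principals = {f"user:{user}"} | {f"team:{t}" for t in teams}
    return max((lvl for p, lvl in acl.items() if p in principals), default=Level.NONE)


def effective_level(user, role, teams, acl):
    """DAC layer proposes, RBAC layer caps: the result is the lower of the two,
    so an ACL can never lift a user above their role's ceiling, and a role can
    never grant access to a resource whose ACL does not list them."""
    return min(acl_grant(acl, user, teams), ROLE_CEILING[role])


def is_allowed(user, role, teams, acl, action):
    """True if the effective level covers the requested action."""
    return effective_level(user, role, teams, acl) >= action


# Constructed ACL matching the question: the Finance team gets edit rights,
# but Bob's role is viewer; Dave is an admin whom the ACL only lets view.
REPORT_ACL = {"team:Acme France Finance": Level.EDIT, "user:dave": Level.VIEW}

if __name__ == "__main__":
    print(effective_level("bob", "viewer", {"Acme France Finance"}, REPORT_ACL).name)    # VIEW
    print(effective_level("alice", "editor", {"Acme France Finance"}, REPORT_ACL).name)  # EDIT
    print(effective_level("carol", "editor", {"Acme Europe"}, REPORT_ACL).name)          # NONE
    print(effective_level("dave", "admin", set(), REPORT_ACL).name)                      # VIEW
```

The Dave case shows the cap works in both directions: the role bounds what an ACL can hand out, and the ACL bounds what a powerful role can reach.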