[mapguide-internals] MapGuide Security model

Bruce Dechant bruce.dechant at autodesk.com
Thu Sep 11 13:02:44 EDT 2008

Hi Kenneth,

The current MapGuide security model has not been fully realized. When it was originally done it was kept simple and is somewhat ad-hoc. There has been talk of updating the existing security model, but that has not been done yet. You bring up some of the shortcomings of the existing model that need to be addressed. This is something that should be discussed with the community and the results turned into an RFC that updates the existing MapGuide security shortcomings and frustrations.


-----Original Message-----
From: mapguide-internals-bounces at lists.osgeo.org [mailto:mapguide-internals-bounces at lists.osgeo.org] On Behalf Of Kenneth Skovhede, GEOGRAF A/S
Sent: Thursday, September 11, 2008 6:56 AM
To: MapGuide Internals Mail List
Subject: [mapguide-internals] MapGuide Security model

I have been working a little with the MapGuide Security settings, and
one thing bothers me greatly.
If I create a new folder, and grant a specific user read/write access,
the user does not get read/write access,
unless the user has read/write access to ALL folders in the path,
including the root folder.

This is both annoying, and very hard to maintain. To prevent that user
from writing into other folders,
I have to explicitly deny the user access (or grant read-only access) to
every other folder in the root, and
all folders in the newly created folder's path.

Even with this elaborate work, it is still possible for the user to
create folders and files in the root folder.
If I decide to add a new folder, and it happens to be in the path of a
folder with write access, I have
to remember to deny the user. Clearly this is going to go wrong many times.

Is this the intention, and was there a problem implementing something else?
Are there any tricks for using security settings?

A visual example of how it currently works:

Library://  <-- User A has RW, user B has RO (assigned)
    Folder1 <-- No matter what I assign here, user B can get no more than RO access
       Folder2 <-- User A has RW here and above
    Folder3 <-- I must explicitly deny write access to user A here, and to any folders on this level

What I would expect:

Library:// <-- Deny access to everyone
    Folder1 <-- Assign RW to user B, Assign RO to user A
       Folder2 <-- User B has RW here, can also assign user A RW
    Folder3 <-- Access is denied to everyone

Regards, Kenneth Skovhede, GEOGRAF A/S
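
The two folder trees above, modelled as an added example that is not part of the original thread and not MapGuide code: one function reproduces the behaviour the message describes (every folder on the path caps access), the other the behaviour the poster expects (nearest explicit assignment wins), and `writable` lists where a user can write under each. The function names, the ACL dictionaries, and the rule that a folder without an entry inherits from its parent are assumptions made for the illustration.

```python
# Added illustration of the two models discussed in the thread; not MapGuide code.
NONE, RO, RW = 0, 1, 2  # ordered permission levels

ROOT = "Library://"
FOLDERS = [ROOT, ROOT + "Folder1", ROOT + "Folder1/Folder2", ROOT + "Folder3"]

# Constructed ACLs matching the two diagrams in the message.
CURRENT_ACL = {ROOT: {"A": RW, "B": RO}, ROOT + "Folder1": {"B": RW}}
EXPECTED_ACL = {ROOT: {"A": NONE, "B": NONE}, ROOT + "Folder1": {"A": RO, "B": RW}}


def ancestors(path):
    """Yield the root, then every folder prefix down to and including path."""
    yield ROOT
    parts = [p for p in path[len(ROOT):].split("/") if p]
    for i in range(len(parts)):
        yield ROOT + "/".join(parts[: i + 1])


def effective_current(acl, user, path):
    """Described behaviour: the lowest level anywhere on the path is the result."""
    level, inherited = RW, NONE
    for folder in ancestors(path):
        # Assumption: a folder with no entry for the user inherits its parent's.
        inherited = acl.get(folder, {}).get(user, inherited)
        level = min(level, inherited)
    return level


def effective_expected(acl, user, path):
    """Expected behaviour: the closest explicit assignment on the path wins."""
    level = NONE
    for folder in ancestors(path):
        level = acl.get(folder, {}).get(user, level)
    return level


def writable(model, acl, user):
    """Audit helper: every folder where the user ends up with RW."""
    return [f for f in FOLDERS if model(acl, user, f) == RW]


if __name__ == "__main__":
    for name, model, acl in (("current", effective_current, CURRENT_ACL),
                             ("expected", effective_expected, EXPECTED_ACL)):
        for user in ("A", "B"):
            print(name, user, writable(model, acl, user))
```

Under the first model, granting user A write access to Folder2 requires RW at the root, so the audit reports every folder as writable until each sibling is explicitly restricted; under the second, the grant at Folder1 stays confined to that subtree.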
