> yes. we have unfortunatly found this the hard way. the
> difficulty is that we model the "lock 'n' key" in a silimar
> way to windows 2000 file permissions - groups AND ad-hoc
> permissions. Our users admins set it themselves and it's only
> education ("please use roles!") that prevents it being a
> real mess.
While Windows ACLs can be set per-user and per-group, any experienced
Windows administrator will advise you to use groups whenever possible.
> we don't allow "blocking" - you either have permission or you
> don't. you are never denied
It's not really too important, but it's worth noting that Windows ACLs do
work this way - that is, you can set a "deny" ACL that will override other
"allow" ACLs. I suspect that most Windows administrators try to avoid using
ACLs this way, though.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email
to [EMAIL PROTECTED] with the words 'unsubscribe cfcdev'
in the message of the email.
CFCDev is run by CFCZone (www.cfczone.org) and supported
by Mindtool, Corporation (www.mindtool.com).
An archive of the CFCDev list is available at www.mail-archive.com/[EMAIL PROTECTED]
