OK, IIUC you want to cut the inheritance at child level, not at
parent level. But what if you want to cut the inheritance only for
a certain user/group?
breaking inheritance at a certain child means that it has no policies at
all. therefore if you wanted to inherit only some permissions they would
have to be regranted on the child. eg...
/live blueGroup=view redGroup=view
|
|---- index inherits
|
|---- bluePage inherits=off
| + grant blueGroup=view
|
|---- redPage inherits=off
+ grant redGroup=view
I do see the merits of the revoke system over the inheritance off
system. Is it possible (or useful) to have both systems together?
I guess this would be possible, but the user interface might become
quite complex.
Would it be worth doing some research into how various operating systems
handle this task? Rather than reinvent the wheel we could model the
lenya access controls on how an existing proven system works, eg posix
acl, or windows xp security dialogs.
Michael R
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
