When Lawson left LAUA security, it redesigned its hierarchical security as so:
- Roles
- Classes
- Tokens (or rules)
- Classes
These all followed the theory of the greatest privilege access since v9
What does this mean?
In the simplest form, it means that if there is an ALL_ACCESS and a DENY_ACCESS rule within the same class or role, the ALL_ACCESS wins and grants access to the rule.
Real world example:
Problem: Say you wanted to grant a user access to view an AP form but noticed that the form itself shows a vendor’s number under the TAX ID field.
If the vendor does not have a vendor number, typically they use their social security number and this is added to the TAX ID field which is a field on the APVENMAST table.
If we set DENY_ACCESS on the TAX ID field within APVENMAST as shown below:
When the user loads the AP form up again, that field will appear blank or greyed out.
Let’s say this user eventually takes on newer tasks and gets a new role assigned to them to submit requisition orders and this newly assigned access inadvertently grants ALL_ACCESS to the APVENMAST table.
This new access now overrides the DENY_ACCESS set on the TAX ID field and the user can now once again see the TAX ID field and reveal sensitive information such as a vendor’s social security number.
I hope this helps when designing your security for employees.