Question

Should access rules overlap or be an addition to each other?

0

At this point it's more of curiosity in terms of best practice, as well as confirmation. Though let's enter the discusion with an open mind set: Should access rules overlap or be an addition to each other? Say I've got an entity 'Email' with attributes 'Message' and 'Status'. When I create an Email, it gets the status draft. When I send it, it gets the status 'Sent'. I can read any message, but only write them while in draft. This means I'll end up with 2 access rules: Read Message, Read Status, no constraints Read/Write Message when Status = Draft I can always read the value of status, no matter the current status. Should I declare that access in the second access rule as well that is used for declaring no write access when the status is draft? Or is it better to keep the access to 'status' empty for the second rule implying write access when status is draft? With other words: Should I write access rules as addition to each other (only select the things that are different) or should I make them overlap - having the same access rules applied across multiple rules in a hierarchical order? Curious!

asked 2025-03-06

Sander Schaeffer

1 answers

Rico Robinson · Accepted Answer · 2025-03-06

Since Access Rules are combined it would make sense to only include the extra access rights and not duplicate what already exists. On the other hand it would mean that in order to understand what access a user has in which situation you would need to mentally add them up or write it down somewhere, making it harder to understand and maintain.

Overlapping Access Rules:
- Pros:
  - Clear and explicit permissions for each rule.
  - Easier to understand and maintain as each rule is self-contained.
- Cons:
  - Potential redundancy, leading to more complex rule management.
  - Higher risk of conflicts or inconsistencies if rules are not carefully managed.
Additive Access Rules:
- Pros:
  - More concise and potentially easier to manage.
  - Reduces redundancy by only specifying differences.
- Cons:
  - Can be harder to understand as permissions are spread across multiple rules.
  - Requires careful consideration to ensure all necessary permissions are granted

The overlapping approach is generally recommended for clarity and maintainability. Each rule is self-contained, making it easier to understand and manage. In your case, explicitly stating that you can read the status in both rules ensures there is no ambiguity.

However, if you have a large number of rules and want to reduce redundancy, the Additive Approach can be effective. Just ensure that the combined effect of all rules grants the necessary permissions without conflicts.