Getting off on the Power to Control Access
Access Control List (“ACL”) is a way to control user access to a website. It manages different groups of users like administrators, managers, employees, customers, etc., where each group accesses different areas of the website. ACL comes built into many web development platforms. We are using CakePHP which has a sophisticated ACP built in, but we’ve never used it before. So, I recently looked into how ACL is implemented on CakePHP. After Googling about it for about an hour, I found a whole bunch of articles and blog posts about how “hard” it is. I then created a test project with ACL to look into the details of it. Oy. I now see what everyone is complaining about.
Personally, I have no idea why anyone needs this type of complex access control. What sort of systems are people building that actually require this level of complexity? A system for CIA?
In the past, I’ve simply added another column in a users’ table called “security_level”. I’ve never even bothered to create “groups” table, because we’ve never come across a situation where it was necessary. (I simply store the security_level value in session and check it wherever I need it.) I’m a pragmatist, so I never bother to create anything that the reality does not require. Having 3 different levels of access seems to take care of pretty much everything.
From a point of view of a pragmatist, I see a serious problem with having a complex ACL. If you need a complex ACL, it means that you must be managing a system that is used by thousands of people working within a complex organizational structure. When you have a complex ACL with thousands of users, managing the access list becomes a full time job. As the security needs change in the real life, someone has to modify the ACL to reflect the new reality. Having the ability to fine-tune the privileges of individual users means that nobody could possibly have a clear picture of what everyone is accessing unless you specifically look it up on the system. This can easily create security holes that nobody is aware of. For instance, one specific user may have access to a top-secret area of the site that nobody is aware of, until someone suspects something and looks him up on the system. (For instance, you meant to temporarily grant him access to a very specific section of the site, but you forget to revoke it later.)
In other words, complexity of a security system is itself a security risk. So, a complex security system defeats the whole point of having a security system. When you simplify the security system, it may create some inconveniences in reality, but the simplicity allows many people to intuitively understand how the security works, which makes it more secure with less room for mistakes and holes.
For instance, with my scheme of just having 3 levels, all I would need to know is what security_level you have. I would then immediately know what you can access and what you cannot. Not just me, but everyone else who has the same security_level would know what that means. Every user in this situation can act as a potential auditor who can keep an eye on other users. Once you start fine-tuning each individual, nobody would have any idea who has access to what, and who should have access to what.
Am I wrong here? What am I missing? Why is everyone going nuts trying to implement such a complex ACL? In reality, the number of websites that actually require that type of complexity would be very small, and those who require it can afford to write their own ACL (such as large government institutions or financial institutions), so what is the point of writing a reusable library? Wouldn’t it make more sense to create a reusable library that is very simple, so that 99% of websites can use it with ease?
I find that many programmers, especially those who studied computer science in college, tend to get so excited about certain abstract ideas like flexibility, scalability, re-usability, and controllability, that they ignore what the reality needs. It reminds me of hardware geeks who get really excited about building super-fast computers even though they have no use for them personally. (All they do is to run benchmark testing utilities to prove their speed.) This lack of central coherence is often absurd.
I think the power to control users is a particularly exciting area for some programmers because it involves controlling actual power (political or organizational), and because the programmers often get to be in the most powerful position (“superuser”). But, they really need to stop masturbating and start focusing on what the reality really needs.
—posted by Dyske