
Someone in the "engineering" role can apply the "source-code" tag to a file, which will grant people in the "engineering" role read-write permissions, and the "dev-ops" role read permissions. Users don't have tags associated with them, so they don't get permissions from having a tag assigned. They can't because the policy doesn't allow you to stick a bare user into the (role,tag,permission) tuple.

So when you're auditing permissions, you can check to see if the tags have the appropriate permissions, the roles have appropriate tags, and users have appropriate roles.
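The model described in the comment above, sketched as an added example that is not part of the original comment. The class and method names, the users `alice`, `bob` and `carol`, the file path, and the separate table of which role may apply which tag are all assumptions made for illustration.

```python
from collections import defaultdict

class TagPolicy:
    """Hypothetical model: access exists only as (role, tag, permission) tuples."""

    def __init__(self, roles):
        self.roles = set(roles)
        self.grants = set()                 # (role, tag, permission)
        self.taggers = set()                # (role, tag): role may apply tag (assumed table)
        self.user_roles = defaultdict(set)  # user -> roles
        self.file_tags = defaultdict(set)   # path -> tags

    def _require_role(self, role):
        # A bare user name is not a role, so it can never enter a tuple.
        if role not in self.roles:
            raise ValueError(f"{role!r} is not a role")

    def grant(self, role, tag, permission):
        self._require_role(role)
        self.grants.add((role, tag, permission))

    def allow_tagging(self, role, tag):
        self._require_role(role)
        self.taggers.add((role, tag))

    def apply_tag(self, user, path, tag):
        if not any((r, tag) in self.taggers for r in self.user_roles[user]):
            raise PermissionError(f"{user} may not apply {tag!r}")
        self.file_tags[path].add(tag)

    def allowed(self, user, path, permission):
        # Access is derived only through user -> role -> (role, tag, permission) -> file tag.
        return any((r, t, permission) in self.grants
                   for r in self.user_roles[user] for t in self.file_tags[path])

    def audit(self):
        # The review layers: tag -> role -> permissions, then user -> roles.
        by_tag = defaultdict(lambda: defaultdict(set))
        for role, tag, perm in self.grants:
            by_tag[tag][role].add(perm)
        return ({t: {r: sorted(p) for r, p in rs.items()} for t, rs in by_tag.items()},
                {u: sorted(r) for u, r in self.user_roles.items() if r})

def build_example():
    p = TagPolicy(roles={"engineering", "dev-ops"})
    for perm in ("read", "write"):
        p.grant("engineering", "source-code", perm)
    p.grant("dev-ops", "source-code", "read")
    p.allow_tagging("engineering", "source-code")
    p.user_roles["alice"].add("engineering")  # constructed users
    p.user_roles["bob"].add("dev-ops")
    p.apply_tag("alice", "src/main.c", "source-code")  # constructed path
    return p
```
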


