DENY ACLs

[Ken Cross]

While I agree that it may be a less-than-optimal set of group definitions,
we're stuck with legacy organizations (WinNT & Win2K) that have exactly
that.  It's not uncommon, either.

There's no question I'll need it -- I just wanted to make sure it hadn't
been done and that I'm not missing something important.

Thanks again for the feedback.

Ken


>
> You're correct. All groups are treated equally, and this case
> would result in those belonging to both groups getting access.
> The POSIX group's response would be that you should not have
> given GroupA access, as that group does not accurately describe
> the set of people you want to have access. Instead you should
> either have a GroupC, made of GroupA-but-not-GroupB, or
> list the individuals.
>
> You can provide the access you want, although it may take
> some work to specify it correctly.
>


To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message