Lawson Security – The Theory of Greatest Privilege Access Explained


When Lawson moved away from LAUA security, it redesigned its security as the following hierarchy:

  • Roles
    • Classes
      • Tokens (or rules)

These have all followed the theory of greatest privilege access since v9.

What does this mean?

In its simplest form, it means that if an ALL_ACCESS rule and a DENY_ACCESS rule exist within the same class or role, ALL_ACCESS wins and access is granted.

Real-world example:

Problem: Say you want to grant a user access to view an AP form, but you notice that the form itself shows a vendor’s number under the TAX ID field.

If the vendor does not have a vendor number, they typically use their social security number instead. This is entered in the TAX ID field, which is a field on the APVENMAST table.

If we set DENY_ACCESS on the TAX ID field within APVENMAST, then when the user loads the AP form again, that field will appear blank or greyed out.

Let’s say this user eventually takes on newer tasks and is assigned a new role for submitting requisition orders, and this newly assigned access inadvertently grants ALL_ACCESS to the APVENMAST table.

This new access now overrides the DENY_ACCESS set on the TAX ID field, so the user can once again see the TAX ID field, revealing sensitive information such as a vendor’s social security number.
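The scenario above can be checked before a role is assigned. The following is an added example, not Lawson code: a simplified Python model of the role, class and rule hierarchy that resolves access by greatest privilege and lists every field-level DENY_ACCESS that another rule held by the same user cancels. The role names, class names and data layout are constructed for illustration.

```python
ALL, DENY = "ALL_ACCESS", "DENY_ACCESS"

# Constructed sample data: role -> class -> [(table, field, access)].
# field None means the rule applies to the whole table.
ROLES = {
    "APInquiry": {"VendorViewClass": [("APVENMAST", "TAX ID", DENY)]},
    "Requester": {"ReqEntryClass": [("APVENMAST", None, ALL)]},
}

def matching_rules(roles, table, field):
    """Yield (role, class, access) for every rule covering table.field."""
    for role in roles:
        for cls, rules in ROLES[role].items():
            for r_table, r_field, access in rules:
                if r_table == table and r_field in (None, field):
                    yield role, cls, access

def effective_access(roles, table, field):
    """Greatest privilege: any ALL_ACCESS beats every DENY_ACCESS."""
    found = {access for _, _, access in matching_rules(roles, table, field)}
    if ALL in found:
        return ALL
    return DENY if DENY in found else None  # None: no rule matched

def overridden_denies(roles):
    """List field-level denies cancelled by a grant in the user's roles."""
    findings = []
    for role in roles:
        for cls, rules in ROLES[role].items():
            for table, field, access in rules:
                if access != DENY or field is None:
                    continue
                grants = [(r, c) for r, c, a
                          in matching_rules(roles, table, field) if a == ALL]
                if grants:
                    findings.append(((role, cls, table, field), grants))
    return findings

if __name__ == "__main__":
    # Before and after the user picks up the requisition role.
    for roles in (["APInquiry"], ["APInquiry", "Requester"]):
        print(roles, effective_access(roles, "APVENMAST", "TAX ID"))
        for deny, grants in overridden_denies(roles):
            print("  DENY", deny, "overridden by", grants)
```

Running the audit against a user's proposed role list before the assignment shows which role and class would need a narrower rule to keep the field hidden.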

 

I hope this helps when designing your security for employees.