Disallow multiple access control list entries for the same role


Currently, it is possible to have multiple access control entries for the same role in the same access control list, e.g.

ROLE_USER read=true write=false
ROLE_USER read=false write=true

While it is possible to implement strategies for resolving contradicting ACEs (e.g. depending on order of occurrence, more restrictive wins, etc.), there does not seem to be a valid use case where it would make any sense to actually allow multiple ACEs for a single role within the same ACL.

The goal of this task is to ensure that there can be at most one ACE per role so that we don't need any strategies to handle and resolve conflicts that can occur when allowing multiple ACEs per role.

  • Don't allow this in Admin UI

  • Don't allow this via External API (or implement a merge strategy, but preferably disallow)

  • Don't allow this via any other endpoint that can ingest ACLs (or implement merge strategy)

  • Detection and migration of existing ACLs containing multiple ACEs per role
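
A sketch of the detection and ingest-time rejection steps listed above, added here as an illustration and not part of the original ticket or the project's code. It assumes ACLs are available in the one-line-per-ACE notation used in the example above and that role names are compared exactly; the function names and the sample ACL are constructed for this example.

```python
from collections import defaultdict

# Constructed sample ACL in the ticket's "ROLE action=bool ..." notation.
SAMPLE_ACL = """\
ROLE_USER read=true write=false
ROLE_ADMIN read=true write=true
ROLE_USER read=false write=true
ROLE_GUEST read=true
ROLE_GUEST read=true
"""

def parse_ace(line):
    """Parse one 'ROLE action=true|false ...' line into (role, {action: bool})."""
    role, *pairs = line.split()
    perms = {}
    for pair in pairs:
        action, sep, value = pair.partition("=")
        if not sep or value not in ("true", "false"):
            raise ValueError(f"malformed permission {pair!r} for role {role}")
        perms[action] = value == "true"
    return role, perms

def find_duplicate_roles(acl_text):
    """Return {role: report} for every role that has more than one ACE."""
    by_role = defaultdict(list)
    for lineno, line in enumerate(acl_text.splitlines(), start=1):
        if line.strip():
            role, perms = parse_ace(line)  # assumption: exact role-name match
            by_role[role].append((lineno, perms))
    report = {}
    for role, aces in by_role.items():
        if len(aces) < 2:
            continue
        # An action conflicts when two ACEs for the role disagree on its value.
        values = defaultdict(set)
        for _, perms in aces:
            for action, allowed in perms.items():
                values[action].add(allowed)
        report[role] = {
            "lines": [n for n, _ in aces],
            "conflicts": sorted(a for a, v in values.items() if len(v) > 1),
        }
    return report

def validate_acl(acl_text):
    """Ingest-time check: reject any ACL with more than one ACE per role."""
    dupes = find_duplicate_roles(acl_text)
    if dupes:
        raise ValueError("multiple ACEs for role(s): " + ", ".join(sorted(dupes)))
    return True
```

Roles reported with an empty conflicts list are exact or compatible duplicates that a migration can collapse automatically; roles with conflicts need a decision before migration.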





