Managing Privileges, etc
The management of privileges and their assignment to roles, persons, etc. is the key to securing a veil-based application. It is therefore vital that privilege assignment is itself a privileged operation: if any user can grant themselves a privilege, every access control built on that privilege is worthless.
The veil demo does not provide an example of how to do this, and this section does little more than raise the issue.
IT IS VITAL THAT YOU CAREFULLY LIMIT HOW PRIVILEGES ARE MANIPULATED AND ASSIGNED!
Here are some possible rules of thumb that you may wish to apply:
- give only the most senior and trusted users the ability to assign privileges;
- allow only the DBAs to create privileges;
- allow only 1 or 2 security administrators to manage roles;
- allow privileges to be assigned only by users who hold the "assign_privileges" privilege, and roles only by users who hold the "assign_roles" privilege, and in both cases only when the assigning user themselves holds the privilege or role being assigned (so nobody can hand out more than they have);
- consider having an admin privilege for each table and only allow users to assign privileges on X if they have "admin_x" privilege;
- limit the users who have access to the role/privilege management functions, and use function-level privileges to enforce this;
- audit/log all assignments of privileges and roles;
- send email to the security administrator whenever role_privileges are manipulated and when roles granting high-level privileges are granted.
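The combined rule above (the assigner must hold "assign_privileges" and must hold the privilege being assigned) and the audit rule are easy to state but easy to get subtly wrong, so here is a worked illustration in plain PL/pgSQL. This is an added example, not code from the Veil demo or from Veil itself: the table and column names (privileges, roles, role_privileges, persons, person_roles, privilege_audit), the helper person_has_priv, the function assign_privilege_to_role and the session setting app.person_id are all assumptions chosen to mirror the demo's vocabulary, and the sample rows at the end are constructed for the demonstration.

```sql
-- Added example (not part of Veil or its demo): privilege assignment as a
-- privileged, audited operation.  All names below are assumptions.

create table privileges (
    privilege_id   integer primary key,
    privilege_name text    not null unique
);
create table roles (
    role_id   integer primary key,
    role_name text    not null unique
);
create table role_privileges (
    role_id      integer not null references roles,
    privilege_id integer not null references privileges,
    primary key (role_id, privilege_id)
);
create table persons (
    person_id   integer primary key,
    person_name text    not null
);
create table person_roles (
    person_id integer not null references persons,
    role_id   integer not null references roles,
    primary key (person_id, role_id)
);
-- Audit trail: every attempt, granted or denied, gets a row.
create table privilege_audit (
    audit_id     serial primary key,
    at           timestamptz not null default now(),
    db_user      text        not null default current_user,
    actor_id     integer,
    role_id      integer,
    privilege_id integer,
    outcome      text        not null
);

-- Does this person hold the named privilege through any of their roles?
create function person_has_priv(p_person_id integer, p_priv_name text)
returns boolean language sql stable as $$
    select exists (
        select 1
          from person_roles    pr
          join role_privileges rp on rp.role_id = pr.role_id
          join privileges      p  on p.privilege_id = rp.privilege_id
         where pr.person_id = p_person_id
           and p.privilege_name = p_priv_name);
$$;

-- The only sanctioned way to grant a privilege to a role.  The caller must
-- hold "assign_privileges" AND must hold the privilege being assigned.
-- Denials are audited and return false rather than raising: an exception
-- would roll back the audit row along with everything else.
create function assign_privilege_to_role(p_role_id integer, p_priv_id integer)
returns boolean language plpgsql security definer
set search_path = pg_catalog, public, pg_temp as $$
declare
    -- Assumption: the application identifies the connected person through a
    -- session setting.  In production bind this to the authenticated
    -- session; a value the client can set freely proves nothing.
    v_actor integer := nullif(current_setting('app.person_id', true), '')::integer;
    v_priv  text;
begin
    select privilege_name into v_priv from privileges where privilege_id = p_priv_id;

    if v_actor is null or v_priv is null
       or not person_has_priv(v_actor, 'assign_privileges')
       or not person_has_priv(v_actor, v_priv) then
        insert into privilege_audit (actor_id, role_id, privilege_id, outcome)
        values (v_actor, p_role_id, p_priv_id, 'denied');
        raise warning 'person % may not assign privilege % to role %',
              v_actor, p_priv_id, p_role_id;
        return false;
    end if;

    insert into role_privileges (role_id, privilege_id)
    values (p_role_id, p_priv_id)
    on conflict do nothing;
    insert into privilege_audit (actor_id, role_id, privilege_id, outcome)
    values (v_actor, p_role_id, p_priv_id, 'granted');
    return true;
end;
$$;

-- Close the side doors: functions are executable by PUBLIC by default, so
-- revoke that and grant execute only to the database role(s) your security
-- administrators connect as.  Never grant DML on role_privileges to
-- application roles; the function is the only write path.
revoke execute on function assign_privilege_to_role(integer, integer) from public;

-- Constructed sample data: alice is the security administrator, bob is staff.
insert into privileges values (1, 'assign_privileges'), (2, 'select_projects'), (3, 'assign_roles');
insert into roles      values (1, 'security_admin'), (2, 'staff');
insert into role_privileges values (1, 1), (1, 2), (1, 3);
insert into persons    values (1, 'alice'), (2, 'bob');
insert into person_roles values (1, 1), (2, 2);

set app.person_id = '1';
select assign_privilege_to_role(2, 2);
set app.person_id = '2';
select assign_privilege_to_role(2, 3);
select * from privilege_audit order by audit_id;
```

As alice (person 1), the first call is allowed because she holds both "assign_privileges" and "select_projects", so staff gains "select_projects" and a "granted" row is written. As bob (person 2), the second call is refused: he holds neither "assign_privileges" nor "assign_roles", so nothing changes and a "denied" row is written. The function is security definer so the calling role needs no direct access to role_privileges; the explicit search_path stops a caller from shadowing the tables it references. The per-table "admin_x" rule from the list above fits the same shape: add a check that the actor holds "admin_" || v_priv's table before the insert.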
Next: Exotic and Esoteric uses of Veil