[AccessD] Cascade-delete (was: Estimating Help)

John W. Colby jcolby at colbyconsulting.com
Sun Feb 9 12:10:00 CST 2003


Gustav,

> As a general note, it's the responsibility of a trusted user to not pass
> his/her access to an application to another user granted lower
> rights to that application and its data.

That's about like the car company saying "it's the responsibility of the
driver not to have an accident", when faced with liability for not providing
safety mechanisms.  Absolutely true, but completely irrelevant.

We as developers have an obligation to do what we can to prevent the
accidents.  To simply throw up our hands and say "you're not supposed to do
that" borders on irresponsible.  In our litigious society that is a
dangerous thing to do.  Someday, somebody is going to sue you because "you
knew it was dangerous, you knew it was going to happen, and you did nothing
to prevent it".  And they will win!  Or at least they will in the US.

John W. Colby
Colby Consulting
www.ColbyConsulting.com

-----Original Message-----
From: accessd-admin at databaseadvisors.com
[mailto:accessd-admin at databaseadvisors.com]On Behalf Of Gustav Brock
Sent: Sunday, February 09, 2003 4:41 AM
To: John W. Colby
Subject: Re: [AccessD] Cascade-delete (was: Estimating Help)


Hi John

> From that point on, I made a conscious effort to at least evaluate what
> power I was giving my users, and make a conscious effort to prevent them
> from doing things they were not authorized to do.

As a general note, it's the responsibility of a trusted user to not
pass his/her access to an application to another user granted lower
rights to that application and its data.

Applying this to your case, as a user you failed, as the developer you
were not to be blamed.

Of course, today you could let the application request the user to
(re)authorize by touching a fingerprint reader each time before a
critical task was to be performed. And so on ... ultimately the
keyboard itself should be capable of real time scanning the user's
fingerprint.

/gustav

_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com





