Comment
smartCarleen
Kilo Sage

@Willem What a great article!

 

That last one confuses me a little. Many applications are set up to inherit lower-level access to simplify user-role access and ACLs. I read your explanation, which means this won't work with RoleExplicit.

 

For example:

  • admin role contains manager role
  • manager role contains user role

 

This way

  • The user can be granted only the admin role (directly or via a group) and inherit manager and user automatically, instead of having to be granted all three.
  • Lower-level ACLs, like "can read [xyz] app table", only need to have the user role, instead of user, manager, and admin.

 

Here is an example of a user that gets the notify_view role through a few levels of inherited roles. These inherited roles are present in the sys_user_has_role table. All roles granted by a group show inherited=true, and contained roles, regardless of whether they are granted through group membership or a direct role, will also show inherited=true.

 

[Two screenshots of the sys_user_has_role records, dated 2024-04-01, not reproduced here]

 

In "OOB (Out-of-Box) Security Attributes: Non-explicit and explicit behavior explained" it says:

Security Attributes address nuanced permission needs with an explicit vs. non-explicit (inherited) evaluation of roles permissions.

This leads me to believe top-level roles granted by groups (which are inherited=true) will also be denied.

 

Have you tried to test any of the scenarios above yet?