2023-12-24
Do we actually need negative access control rules (in general)?
Every so often, someone has the great idea to simplify how access controls are specified: they make their overall policy deny access by default, and then have all of their access control rules be positive ones. My reaction to date to these systems is that they've just made my life harder, and I was all set to write an entry about it, except that as I started writing out the details I realized that I wasn't sure I had a convincing case for when negative access rules made things much less convoluted.
In general purpose firewalls, there are definitely cases where you need negative access rules in order to not make things extremely convoluted. If you want to allow all of the Internet access to ports 80 and 443 on your web server, except for a collection of IP addresses that you've determined are abusing it, you can in theory write this as a set of positive-only rules, but you will be quite annoyed at having to break up the entire IP address space into a set of subnets that amount to 'everything but these IP addresses'.
In a more restricted setting, such as a mesh-capable VPN where you're trying to write out who will have access to what, I'm now not so sure. It feels like negative entries would make some sorts of rules easier, so you could easily say things like 'everyone has full access to their own devices and system administrators have full access to everything except people's own devices', but you can solve this by enumerating what 'everything' is here for system administrators, and arguably you should do so because being explicit is better (and you might discover cases where you don't want sysadmins to have full access after all, which you wouldn't have spotted if you'd been able to sweep it under the rug). To some extent this also depends on how much the ACL system allows you to group things, which in a peculiar way is somewhat like the case of blocking IP addresses on firewalls.
Of course, I would prefer to have more power in access control rules than less, so in practice I always want both positive and negative rules and positive and negative matches. And I suspect that you can always mechanically translate a set of positive and negative rules into a set of positive-only rules, although possibly a quite verbose one. I also believe that negative rules let people more directly express what they want; every 'except' you write into a high level description of what you want is a negative rule wanting to be written.
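To make the firewall case and the 'mechanical translation' claim concrete, here is an added example (not from the original entry) that carves a constructed blocklist out of the whole IPv4 space and emits the resulting positive-only allow list; the function names and the sample addresses (documentation ranges) are my own choices, and the rule syntax printed at the end is illustrative rather than any particular firewall's.

```python
import ipaddress
from typing import Iterable, List

# Added example: mechanically turn "allow everything except these
# networks" into a default-deny list of positive CIDR rules.


def allow_all_except(excluded: Iterable[str],
                     universe: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """Return the CIDR blocks covering `universe` minus every entry in `excluded`.

    Each excluded network is carved out of whichever remaining block contains
    it; a remaining block that lies entirely inside an exclusion disappears.
    """
    remaining = [ipaddress.ip_network(universe)]
    for entry in excluded:
        bad = ipaddress.ip_network(entry, strict=False)
        kept = []
        for net in remaining:
            if net.subnet_of(bad):        # whole block is denied (also covers equality)
                continue
            if bad.subnet_of(net):        # split this block into the pieces around `bad`
                kept.extend(net.address_exclude(bad))
            else:                         # disjoint from the exclusion: keep as-is
                kept.append(net)
        remaining = kept
    # Merge any mergeable neighbours so the rule list is as short as it can be.
    return sorted(ipaddress.collapse_addresses(remaining))


def is_allowed(addr: str, rules: List[ipaddress.IPv4Network]) -> bool:
    """Default deny: an address passes only if some positive rule covers it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in rules)


# Constructed blocklist: one abusive host plus one abusive /24 (hypothetical values).
BLOCKED = ["203.0.113.7", "198.51.100.0/24"]
RULES = allow_all_except(BLOCKED)

if __name__ == "__main__":
    print(f"{len(RULES)} positive rules replace 1 allow rule + {len(BLOCKED)} deny rules")
    for net in RULES:
        print(f"  allow tcp from {net} to any port 80,443")
```

Blocking a single /32 already expands the one 'everything' rule into 32 positive ones, which is the verbosity the entry is talking about.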
(This is one of those entries that wound up going in a completely different direction than I expected when I started writing it. Possibly I will wind up finding or being told about a counterexample, too, showing that we really do need negative rules even in relatively restricted contexts.)