While reading “Rule Based Analysis of Computer Security” I stumbled upon the following phrase:
All the desired operations should be allowed, and all the undesired operations should be disallowed
Many times we focus so much on the latter part (disallowing) that users are forced to circumvent obstacles in order to share or access information and get their work done, and in doing so they end up granting more access than is actually required. Then the trouble emerges: friction between admins and users, and a growing pile of exceptions.