http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660I see what you're saying, and it can sometimes be misleading that if the developer queries for books it only returns a subset of the books. This method is most obvious to the programmer. However, I usually use transparent security with the ability to opt out for the reasons Stefan stated. http://ayende.com/4550/the-pitfalls-of-transparent-security#comment3http://ayende.com/4550/the-pitfalls-of-transparent-security#comment3Wed, 30 Jun 2010 15:31:20 GMTTransparently adding a default deny at least might be a good idea http://ayende.com/4550/the-pitfalls-of-transparent-security#comment2http://ayende.com/4550/the-pitfalls-of-transparent-security#comment2Wed, 30 Jun 2010 09:21:46 GMTSure, that' easier to handle. And I'm sure for some systems, that's the way to go. But make one critical mistake in a multi-tenant system hosting mutual competitors, and you're done. Transparent security works, you just need to be able to opt out. Sometimes you forget to opt out, this will result in an exception and will hopefully be caught during testing. If not, an unhandled security exception in production is still better than information disclosure. Another potential advantage: You might want to control who's able to opt out. http://ayende.com/4550/the-pitfalls-of-transparent-security#comment1http://ayende.com/4550/the-pitfalls-of-transparent-security#comment1Wed, 30 Jun 2010 08:51:00 GMT