
Clarification about DEFAULT group #4

Open
Deadlyelder opened this issue Jun 25, 2018 · 3 comments
Comments

@Deadlyelder

The consumer is, by default, added to the group named DEFAULT, but I do not understand the rationale behind this as it is still possible to set rules for this group.
This would constitute a gap within the system from a security point of view.

If the group is a must for management reasons (although there is still the ${username}_USERNAME for management), then maybe it's best to set it as a reserved group for which no rules can be added?

This is especially required as all the users are part of DEFAULT, so accidentally setting any allow would bypass all other deny rules.

@TK009
Collaborator

TK009 commented Jun 25, 2018

It is supposed to be used when read requests are not allowed for all paths by default, but there is some data that should be open to the public (for anonymous users). Thus, the DEFAULT group usually should have the most restricted permissions.

I understand the problem, but we need some solution for anonymous users also. The DEFAULT group makes it easier in the sense that named users don't end up with fewer permissions than anonymous users by mistake.

Do you think that the DEFAULT group should be changed to a system with a specific "anonymous" user instead? Or do you have other ideas?

@Deadlyelder
Author

Ah, ok, getting it now.

In that case I think it would be better to leave the DEFAULT as it is; that would allow registered and anonymous users to be on the same level, initially.

Having another group specific for anonymous users would be riskier as it would need administering two sets of rules, for what might be literally the same level of rules as the DEFAULT.

What is the group {username}_USERNAME for? I was under the assumption that this group was for registered users while the DEFAULT was to be for non-registered.

Thanks

@TK009
Collaborator

TK009 commented Jun 26, 2018

> What is the group {username}_USERNAME for? I was under the assumption that this group was for registered users while the DEFAULT was to be for non-registered.

It is just for convenience. It can be used to set rules for a single user without needing to create a group and add the user to that group.
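An added toy model (not the project's own code) of the group semantics described in this thread: everyone is a member of DEFAULT, named users additionally get their explicit groups and the implicit {username}_USERNAME group, and a path is readable when some group of the principal allows it and none denies it. The deny-wins evaluation, the path-prefix rule format and the sample rules are assumptions; the audit function flags the mistake the issue raises, an allow on DEFAULT overlapping a path that another group denies.

```python
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

DEFAULT = "DEFAULT"

class Rule(NamedTuple):
    group: str
    path: str    # path prefix the rule covers, e.g. "/Objects/Public" (assumed format)
    effect: str  # "allow" or "deny"

def covers(prefix: str, path: str) -> bool:
    """True when `path` equals the prefix or lies below it (segment-aware match)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def groups_for(username: Optional[str], memberships: Dict[str, Set[str]]) -> Set[str]:
    """Anonymous requests carry only DEFAULT; a named user also gets the implicit
    <username>_USERNAME group plus any explicit memberships (assumed semantics)."""
    if username is None:
        return {DEFAULT}
    return {DEFAULT, f"{username}_USERNAME", *memberships.get(username, set())}

def can_read(username: Optional[str], path: str, rules: Iterable[Rule],
             memberships: Dict[str, Set[str]]) -> bool:
    """Assumed evaluation: readable if some group of the principal allows the
    path and no group of the principal denies it (deny wins within that set)."""
    groups = groups_for(username, memberships)
    hits = [r for r in rules if r.group in groups and covers(r.path, path)]
    return any(r.effect == "allow" for r in hits) and not any(r.effect == "deny" for r in hits)

def default_allows_denied_elsewhere(rules: Iterable[Rule]) -> List[Rule]:
    """Audit check for the mistake raised in the issue: an allow on DEFAULT whose
    prefix overlaps a path another group denies. Everyone is in DEFAULT, so such a
    rule opens the path to anonymous users and to every principal outside the
    denying group, whatever that deny was meant to protect."""
    rules = list(rules)
    denied = [r.path for r in rules if r.effect == "deny" and r.group != DEFAULT]
    return [r for r in rules if r.group == DEFAULT and r.effect == "allow"
            and any(covers(r.path, d) or covers(d, r.path) for d in denied)]

# Constructed sample rule set: a sensible configuration plus one accidental allow.
SAMPLE_RULES = [
    Rule(DEFAULT, "/Objects/Public", "allow"),
    Rule("staff", "/Objects/Internal", "allow"),
    Rule("contractors", "/Objects/Internal/HR", "deny"),
    Rule(DEFAULT, "/Objects/Internal/HR", "allow"),  # the accidental allow
]
SAMPLE_MEMBERS = {"alice": {"staff"}, "bob": {"contractors"}}
```

With the accidental rule in place, an anonymous request reads the HR subtree that contractors are explicitly denied; the audit returns exactly that rule, and returns nothing once it is removed.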
