Full Access with Errors

Classification Key: Core Security, Information Disclosure


Some user interfaces offer different options based on the privilege level of the user. The designer of such an interface faces a challenge: revealing the complete interface can cause problems, because the user may not have the rights to invoke all of the functionality. The access rights might not even be known in advance. This problem generalizes to any interface you design that has multiple modes of usage, such as different access rights. How do you present available functionality that might be partially inaccessible?


Design the application so users see everything that is available to them. When a user performs an operation, check whether it is allowed. Generate an error notification if the user tries to access an unauthorized operation.
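An added example, not part of the original pattern catalogue, sketching this solution in Python: the menu is the same for every user, and the access check runs when an operation is invoked. The operation names, rights, and the User and AccessDenied types are hypothetical, and keeping the required right out of the error text is a choice made for this example.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller lacks the right an operation requires."""


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)


# Constructed sample operations: name -> (required right or None, handler).
OPERATIONS = {
    "view_catalog": (None, lambda user: "catalog shown"),
    "check_out": ("customer", lambda user: f"order placed for {user.name}"),
    "edit_prices": ("admin", lambda user: "prices updated"),
}


def menu(user):
    """Full access: every user is shown the same complete list of operations."""
    return sorted(OPERATIONS)


def invoke(user, op_name):
    """Check the right when the operation is performed, not when the menu is drawn."""
    if op_name not in OPERATIONS:
        raise AccessDenied(f"'{op_name}' is not available")
    required, handler = OPERATIONS[op_name]
    if required is not None and required not in user.rights:
        # The notification names the operation only, not the right it needs.
        raise AccessDenied(f"You are not authorized to perform '{op_name}'")
    return handler(user)


def try_invoke(user, op_name):
    """UI-facing wrapper: a denial becomes an error notification, not a crash."""
    try:
        return ("ok", invoke(user, op_name))
    except AccessDenied as exc:
        return ("error", str(exc))
```

Because the check lives in invoke(), it still applies when the rights are only known at call time, which is the case the problem statement describes.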

Known Uses

Amazon lets visitors view all the options. Authentication is required only before check-out.

Related Patterns

Limited Access, Policy Enforcement Point, Security Session


Access Control, User Interface, Authentication


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz