Role hierarchy in JSecurity


Role hierarchy in JSecurity

vasusanka
I have searched in the forum and the articles written on JSecurity but could not find any information related to this.
I am relatively new to JSecurity/Ki.

Does JSecurity support role hierarchy?
In the sense, can we create roles which inherit from one another?
Ex: A "bank employee" role may provide basic privileges.
A "bank teller" role may extend/inherit from the "bank employee" role and provide further privileges.
A "bank manager" role may extend/inherit from the "bank teller" role and have more privileges.

Any help is appreciated.

Thanks,
Vasu.

Re: Role hierarchy in JSecurity

Les Hazlewood-3
We make no requirements on your data model - you can have it be whatever you want.

A role check always gets funneled down into the Realm you use (or write yourself), i.e. a call on your realm will occur:

realm.hasRole(PrincipalCollection userPrincipals, String roleName);

Your implementation of that method does whatever it needs to do to check if the given user 'has' that role or not:  you can query a database, iterate over a collection, traverse a Role hierarchical graph, etc - whatever you want to do.

But while this is of course a valid solution, and it is up to you, I would recommend that you think about what you're trying to do with hierarchies.  Most of the time they are often unnecessarily complex and cause more confusion than necessary.

Think of a Role as just a named collection of permissions (The admin role has a collection of permissions:  'edit user', 'print to the printer', etc).
One or more Roles can be assigned to a User, in which case they 'overlap' so to speak, and you 'get' all of the permissions assigned to both roles.

Groups are more often used for what you're discussing.  Where a Role is a named collection of permissions, a Group is usually a named collection of Users.

You can obtain the hierarchy you want by assigning users to groups (which are usually naturally hierarchical), and then assigning one or more Roles to any Group in the hierarchy.

This is, at least in my experience, a very stable and flexible way of implementing complex security rules - Hierarchical Roles usually muddy the waters and are an often more confusing approximation of what I described above.

My $.02

Regards,

Les


On Thu, Jun 4, 2009 at 10:41 AM, vasusanka <[hidden email]> wrote:
--
View this message in context: http://n2.nabble.com/Role-hierarchy-in-JSecurity-tp3025112p3025112.html
Sent from the JSecurity User mailing list archive at Nabble.com.
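The group-based design Les describes above (roles as named sets of permissions, groups as named sets of users that nest, roles attached to any group in the tree, and a Realm whose hasRole walks that structure) as a worked example. This is added illustration code, not JSecurity's classes or anything from the thread: the Role, Group and GroupHierarchyRealm names, the "account:*" permission strings, and the bank-employees / tellers / managers sample data are all constructed for the example, and the realm is an in-memory stand-in for the Realm.hasRole contract rather than an implementation of the JSecurity interface.

```python
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass, field


# --- Data model (constructed for this example; not JSecurity's classes) ---

@dataclass(frozen=True)
class Role:
    """A Role is just a named collection of permissions."""
    name: str
    permissions: frozenset[str]


@dataclass
class Group:
    """A Group is a named collection of users; it may nest under a parent group."""
    name: str
    parent: str | None = None                       # parent group name, None for a root
    roles: set[str] = field(default_factory=set)    # role names granted to every member


class GroupHierarchyRealm:
    """In-memory stand-in for a Realm: answers has_role / is_permitted by walking
    the user's groups up to the root and taking the union of the roles found."""

    def __init__(self) -> None:
        self.roles: dict[str, Role] = {}
        self.groups: dict[str, Group] = {}
        self.user_roles: dict[str, set[str]] = {}    # roles assigned directly to a user
        self.user_groups: dict[str, set[str]] = {}   # groups a user is a direct member of

    def add_role(self, name: str, permissions: Iterable[str]) -> None:
        self.roles[name] = Role(name, frozenset(permissions))

    def add_group(self, name: str, parent: str | None = None, roles: Iterable[str] = ()) -> None:
        if parent is not None and parent not in self.groups:
            raise KeyError(f"unknown parent group {parent!r}")
        unknown = set(roles) - set(self.roles)
        if unknown:
            raise KeyError(f"unknown roles {sorted(unknown)}")
        self.groups[name] = Group(name, parent, set(roles))

    def add_user(self, user: str, groups: Iterable[str] = (), roles: Iterable[str] = ()) -> None:
        unknown = (set(groups) - set(self.groups)) | (set(roles) - set(self.roles))
        if unknown:
            raise KeyError(f"unknown groups/roles {sorted(unknown)}")
        self.user_groups[user] = set(groups)
        self.user_roles[user] = set(roles)

    def effective_groups(self, user: str) -> set[str]:
        """Direct groups plus every ancestor. The visited set makes the walk
        terminate even if a malformed hierarchy contains a cycle."""
        seen: set[str] = set()
        stack = list(self.user_groups.get(user, ()))
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            parent = self.groups[g].parent
            if parent is not None:
                stack.append(parent)
        return seen

    def effective_roles(self, user: str) -> set[str]:
        """Directly assigned roles unioned with the roles of all effective groups."""
        roles = set(self.user_roles.get(user, ()))
        for g in self.effective_groups(user):
            roles |= self.groups[g].roles
        return roles

    def has_role(self, user: str, role_name: str) -> bool:
        # Same question Realm.hasRole(principals, roleName) answers in JSecurity.
        return role_name in self.effective_roles(user)

    def effective_permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for r in self.effective_roles(user):
            perms |= self.roles[r].permissions
        return perms

    def is_permitted(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)


def build_bank_realm() -> GroupHierarchyRealm:
    """Constructed sample data mirroring the employee / teller / manager question."""
    realm = GroupHierarchyRealm()
    realm.add_role("employee-basic", {"account:view"})
    realm.add_role("teller", {"account:deposit", "account:withdraw"})
    realm.add_role("manager", {"account:open", "loan:approve"})
    realm.add_group("bank-employees", roles={"employee-basic"})
    realm.add_group("tellers", parent="bank-employees", roles={"teller"})
    realm.add_group("managers", parent="tellers", roles={"manager"})
    realm.add_user("alice", groups={"managers"})
    realm.add_user("bob", groups={"tellers"})
    realm.add_user("carol", groups={"bank-employees"})
    return realm


if __name__ == "__main__":
    realm = build_bank_realm()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(realm.effective_roles(user)), sorted(realm.effective_permissions(user)))
```

The point of the layout is that no role knows about any other role: "manager" inherits nothing, it is simply attached to a group that sits under the tellers group, so a member of managers ends up with the union of all three roles' permissions. Moving a role to a different group, or a user to a different group, changes effective permissions without touching any role definition, which is the flexibility Les is pointing at.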