Hi Arjan,
your roles are more like permissions, right? So what we effectively need is a 1:n mapping between groups and permissions.
Or, more precisely, an n:m mapping between roles and permissions, with optional groups?
cheers,
adam
> On 02.04.2015, at 22:54, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> Hi,
>
> On Thu, Apr 2, 2015 at 8:52 PM, David Blevins <dblevins_at_tomitribe.com> wrote:
> > And I would certainly like to tell you how I think about that:)
> >
> > Well, the default examples that are presented in the specs and tutorials are most of the time roles like „monitor“, „administrator“ and „operator“ or sth like that.
> > I find that it does not really match the reality that I work with everyday.
>
> First of all, thanks for the feedback.
>
> I have to say that though I typically use roles like "administrator" in my articles (because it's such an established practice), as an application developer I don't often use roles that way.
>
> At zeef.com for example we're using fine grained roles that control if the user is allowed to do a specific operation. Made up examples that could however be real role names in our software are: VIEW_OWN_ACCOUNT, CLOSE_OWN_ACCOUNT, VIEW_BALANCE, EDIT_BALANCE, VIEW_NEW_USERS, etc.
>
>
> Jan (Cc'ed) had similar feedback. Basically saying "roles are not useful" and "permissions are king".
>
> It depends on which semantic you attach to it.
>
> If you think "roles" are only allowed to be high level things like "administrator", then I agree they are not useful. If you think that if you want something like "VIEW_OWN_ACCOUNT" you can only call that "permission", then I agree again that permissions are king.
>
> However, Java EE does not mandate that a role is only allowed to be something like "administrator". At the end of the day, it's just a collection of attributes attached to a user that you test for. The names of those attributes as well as the semantic value your application assigns to them is yours to decide.
>
> There is often a wish though to group the finer grained roles into a more coarse grained thing. At zeef.com we use the term "group" for this (as Java EE uses too, just not in a standardized way). A group in our system is something like "administrator", "manager", "customer", etc. Every such group maps to multiple roles. And multiple groups can map to the same role.
>
> E.g.
>
> group "customer" can map to roles: VIEW_OWN_ACCOUNT, CLOSE_OWN_ACCOUNT, VIEW_BALANCE
> group "manager" can map to roles: VIEW_BALANCE, EDIT_BALANCE, VIEW_NEW_USERS
>
> I found that there's somewhat of a misconception that a "group" like "administrator" needs to have a 1:1 mapping to a name that's application specific, but has the exact same meaning. E.g. people think that "administrator" is only allowed to be mapped to "admin". But this is not the case in any of the proprietary group-to-role mapping systems in any server that I've used. It's always a many:many mapping and the semantics are again yours to decide.
>
> Kind regards,
> Arjan Tijms
>
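The many:many group-to-role mapping Arjan describes, written out as an added example (not code from the thread or from zeef.com): the group and role names are the ones given above, the users and the `isUserInRole`-style check are constructed, and groups with no mapping yield no roles at all.

```java
import java.util.*;

// Constructed example: coarse-grained groups map to fine-grained roles, many:many.
// A user's effective roles are the union of the roles of every group they belong to.
public class GroupRoleMapping {
    private final Map<String, Set<String>> groupToRoles = new HashMap<>();

    // A group maps to any number of roles; the same role may appear under several groups.
    public GroupRoleMapping map(String group, String... roles) {
        groupToRoles.computeIfAbsent(group, g -> new HashSet<>()).addAll(Arrays.asList(roles));
        return this;
    }

    // Union of the roles of all the user's groups. An unmapped group contributes nothing,
    // so a user in unknown groups only ends up with the roles explicitly granted to them.
    public Set<String> effectiveRoles(Collection<String> userGroups) {
        Set<String> roles = new TreeSet<>();
        for (String group : userGroups) {
            roles.addAll(groupToRoles.getOrDefault(group, Collections.emptySet()));
        }
        return roles;
    }

    // The check an application performs, in the spirit of the container's isUserInRole(...).
    public boolean isUserInRole(Collection<String> userGroups, String role) {
        return effectiveRoles(userGroups).contains(role);
    }

    public static void main(String[] args) {
        GroupRoleMapping mapping = new GroupRoleMapping()
            .map("customer", "VIEW_OWN_ACCOUNT", "CLOSE_OWN_ACCOUNT", "VIEW_BALANCE")
            .map("manager", "VIEW_BALANCE", "EDIT_BALANCE", "VIEW_NEW_USERS");

        // Constructed users: one plain customer, one manager who also holds a customer account.
        List<String> customerOnly = List.of("customer");
        List<String> managerAndCustomer = List.of("customer", "manager");

        System.out.println("customer roles:         " + mapping.effectiveRoles(customerOnly));
        System.out.println("manager+customer roles: " + mapping.effectiveRoles(managerAndCustomer));

        // VIEW_BALANCE is reachable through both groups; EDIT_BALANCE only through "manager".
        System.out.println("customer may EDIT_BALANCE:         " + mapping.isUserInRole(customerOnly, "EDIT_BALANCE"));
        System.out.println("manager+customer may EDIT_BALANCE: " + mapping.isUserInRole(managerAndCustomer, "EDIT_BALANCE"));
        System.out.println("unmapped group gets roles:         " + mapping.effectiveRoles(List.of("visitor")));
    }
}
```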