users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Re: Security Let's do something useful

From: David Blevins <dblevins_at_tomitribe.com>
Date: Thu, 2 Apr 2015 17:51:50 -0700

On Apr 2, 2015, at 1:54 PM, arjan tijms <arjan.tijms_at_gmail.com> wrote:

> However, Java EE does not mandate that a role is only allowed to be something like "administrator". At the end of the day, it's just a collection of attributes attached to a user that you test for. The names of those attributes as well as the semantic value your application assigns to them is yours to decide.

I've explained that same concept to numerous people and it seems there's no end in sight -- I'll be saying the same thing one-at-a-time to people till death it seems :)

As these "just strings" are in the code, treating them in a more fine-grained fashion and grouping them externally is the only really usable approach.

I've become disenchanted with "role" and wonder if we wouldn't be better served with a name that doesn't require people to be enlightened to think "outside" its implied use.

It's easy to see where people get the idea to effectively hard-code groups into their code. Here's what Wikipedia says on their RBAC page:

 - "Role = Job function or title which defines an authority level"
   http://en.wikipedia.org/wiki/Role-based_access_control

For the record I'm also quite sick of explaining away the assumptions people inject into "Stateless" EJBs. :) "Actually, they're pooled beans...."


-David
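As an added illustration of the point made in the message above (this is example code written for this page, not code from the thread, from David Blevins, or from the JSR 375 project): the role names a Java EE application checks are just strings in the code, and which users actually hold them is decided outside the code by a group-to-role mapping. The mapping file format, the `Caller` record and the helper method names below are assumptions made for the example; a real container reads this mapping from a vendor-specific deployment descriptor. It assumes Java 17 or later.

```java
import java.util.*;

/**
 * Added example (not from the thread or the JSR 375 project): role names in
 * code are "just strings"; an external group-to-role mapping decides which
 * users hold them. The mapping format and helper names are assumptions.
 */
public class RoleMappingDemo {

    /** A caller as the container sees it: a name plus the groups from the identity store. */
    record Caller(String name, Set<String> groups) {}

    /**
     * Parses an external mapping with one "role = group1, group2" entry per line
     * into role -> groups. The line format is constructed for this example.
     */
    static Map<String, Set<String>> parseMapping(String text) {
        Map<String, Set<String>> mapping = new HashMap<>();
        for (String rawLine : text.split("\n")) {
            String line = rawLine.strip();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("bad mapping line: " + line);
            String role = line.substring(0, eq).strip();
            Set<String> groups = new HashSet<>();
            for (String g : line.substring(eq + 1).split(",")) {
                if (!g.isBlank()) groups.add(g.strip());
            }
            mapping.put(role, groups);
        }
        return mapping;
    }

    /** Stand-in for isCallerInRole: true if any of the caller's groups is mapped to the role. */
    static boolean isCallerInRole(Caller caller, String role, Map<String, Set<String>> mapping) {
        Set<String> groups = mapping.getOrDefault(role, Set.of());
        for (String g : caller.groups()) {
            if (groups.contains(g)) return true;
        }
        return false;
    }

    /** The pattern the message warns against: a job title hard-coded as the role name. */
    static boolean canApproveInvoiceCoarse(Caller caller, Map<String, Set<String>> mapping) {
        return isCallerInRole(caller, "administrator", mapping);
    }

    /** Fine-grained role name describing the action; who gets it is decided in the mapping. */
    static boolean canApproveInvoiceFine(Caller caller, Map<String, Set<String>> mapping) {
        return isCallerInRole(caller, "invoice-approve", mapping);
    }

    public static void main(String[] args) {
        // Constructed mapping standing in for the container's deployment descriptor.
        String config = """
            # role = groups (constructed example)
            administrator = admins
            invoice-approve = admins, finance-managers
            invoice-view = admins, finance-managers, finance-clerks
            """;
        Map<String, Set<String>> mapping = parseMapping(config);

        Caller alice = new Caller("alice", Set.of("finance-managers"));
        Caller bob = new Caller("bob", Set.of("finance-clerks"));

        // With the coarse role, alice only passes if the deployer makes her an "administrator".
        System.out.println("alice, coarse approve check: " + canApproveInvoiceCoarse(alice, mapping));
        // With the fine-grained role, the same code lets the deployer grant approval to finance managers.
        System.out.println("alice, fine approve check:   " + canApproveInvoiceFine(alice, mapping));
        System.out.println("bob, fine approve check:     " + canApproveInvoiceFine(bob, mapping));
        System.out.println("bob, view check:             " + isCallerInRole(bob, "invoice-view", mapping));
    }
}
```

The design point is that `canApproveInvoiceFine` never has to change when the organisation decides who may approve invoices; only the mapping does. With the coarse check, granting approval to a finance manager means either editing code or handing out the "administrator" role, which is how job titles end up hard-coded as authorization decisions.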