> On 13.04.2015, at 19:33, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
>
> Hi,
>
> On Monday, April 13, 2015, Adam Bien <abien_at_adam-bien.com> wrote:
> your roles are more like permissions, right?
>
> I know what you mean, but technically it's a terminology thing again. What's the exact definition of "permission" and "role"?
The semantics are similar, but the granularity is different. Permissions are finer. Also, a role is named after a responsibility or facet, and a permission is usually named after an action.
I think the name we choose in the spec will affect the naming and "best practices" in "real world" projects.
>
> Intuitively we may say "permission is about a concrete action or operation", and "role is a facet of a person's identity", but in practice this is not well defined and different security systems (not just Java) greatly blur the lines.
>
> In Java EE, as mentioned, a role can have any semantic meaning the app gives it.
>
>
> So what we effectively need is 1:n mapping between groups and permissions.
>
> Or more precise n:m mapping between roles and permissions with optional groups?
>
> That mapping in fact is already there ;) roles already map to permissions. See http://arjan-tijms.omnifaces.org/2015/04/how-java-ee-translates-webxml.html
>
> But permissions are currently not "named", which may be part of the confusion.
I think dynamically linkable (to roles) and named permissions would be useful.
>
> There's a separate issue for standardising group to role mapping. IMHO the sometimes mandatory but non standard group to role mapping of a couple of servers is one of the bigger obstacles in the current Java EE security system.
>
> See this example for IBM's WebSphere/Liberty: http://stackoverflow.com/questions/29524920/group-to-role-mapping-in-ibm-liberty-wlp-when-using-war
>
> Kind regards,
> Arjan Tijms
>
>
> cheers,
>
> adam
>
>
>
> > On 02.04.2015, at 22:54, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> >
> > Hi,
> >
> > On Thu, Apr 2, 2015 at 8:52 PM, David Blevins <dblevins_at_tomitribe.com> wrote:
> > > And I would certainly like to tell you how I think about that:)
> > >
> > > Well, the default examples that are presented in the specs and tutorials are most of the time roles like „monitor“, „administrator“ and „operator“ or something like that.
> > > I find that it does not really match the reality that I work with everyday.
> >
> > First of all, thanks for the feedback.
> >
> > I have to say that though I typically use roles like "administrator" in my articles (because it's such an established practice), as an application developer I don't often use roles that way.
> >
> > At zeef.com for example we're using fine grained roles that control if the user is allowed to do a specific operation. Made up examples that could however be real role names in our software are: VIEW_OWN_ACCOUNT, CLOSE_OWN_ACCOUNT, VIEW_BALANCE, EDIT_BALANCE, VIEW_NEW_USERS, etc.
> >
> >
> > Jan (Cc'ed) had similar feedback. Basically saying "roles are not useful" and "permissions are king".
> >
> > It depends on which semantic you attach to it.
> >
> > If you think "roles" are only allowed to be high level things like "administrator", then I agree they are not useful. If you think that if you want something like "VIEW_OWN_ACCOUNT" you can only call that "permission", then I agree again that permissions are king.
> >
> > However, Java EE does not mandate that a role is only allowed to be something like "administrator". At the end of the day, it's just a collection of attributes attached to a user that you test for. The names of those attributes as well as the semantic value your application assigns to them is yours to decide.
> >
> > There is often a wish though to group the finer grained roles into a more coarse grained thing. At zeef.com we use the term "group" for this (as Java EE uses too, just not in a standardized way). A group in our system is something like "administrator", "manager", "customer", etc. Every such group maps to multiple roles. And multiple groups can map to the same role.
> >
> > E.g.
> >
> > group "customer" can map to roles: VIEW_OWN_ACCOUNT, CLOSE_OWN_ACCOUNT, VIEW_BALANCE
> > group "manager" can map to roles: VIEW_BALANCE, EDIT_BALANCE, VIEW_NEW_USERS
> >
> > I found that there's somewhat of a misconception that a "group" like "administrator" needs to have a 1:1 mapping to a name that's application specific, but has the exact same meaning. E.g. people think that "administrator" is only allowed to be mapped to "admin". But this is not the case in any of the proprietary group-to-role mapping systems in any server that I've used. It's always a many:many mapping and the semantics are again yours to decide.
> >
> > Kind regards,
> > Arjan Tijms
> >
> >
> >
> >
> >
>
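The following is an added example, not code from this thread or from zeef.com. It shows the pattern Arjan describes above in a Servlet 3.0+ container: the application declares fine-grained roles (VIEW_BALANCE, EDIT_BALANCE, borrowed from his made-up list) and tests only for those, while the coarse-grained groups ("customer", "manager") are mapped onto the roles many-to-many in the server's proprietary group-to-role mapping. The servlet class name, URL, group names and the GlassFish mapping file shown in the comment are assumptions for illustration.

```java
// Added example (not from the thread). Assumes a Servlet 3.0+ container
// with javax.servlet and javax.annotation.security on the classpath.
//
// The coarse-grained groups never appear in application code; they are
// mapped onto the fine-grained roles in the server's deployment descriptor.
// For GlassFish that is WEB-INF/glassfish-web.xml (illustrative content):
//
//   <security-role-mapping>
//     <role-name>VIEW_BALANCE</role-name>
//     <group-name>customer</group-name>
//     <group-name>manager</group-name>
//   </security-role-mapping>
//   <security-role-mapping>
//     <role-name>EDIT_BALANCE</role-name>
//     <group-name>manager</group-name>
//   </security-role-mapping>
//
// So a "customer" gets VIEW_BALANCE but never EDIT_BALANCE, a "manager"
// gets both, and a user in both groups gets the union. The mapping is
// many-to-many: the same role may be listed under any number of groups.

import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declare the fine-grained roles so the container (and its group-to-role
// mapping) knows they exist; this replaces <security-role> in web.xml.
@DeclareRoles({"VIEW_BALANCE", "EDIT_BALANCE"})
@WebServlet("/balance")
// Container-enforced constraint, evaluated before any doXxx() method runs:
// POST is restricted to EDIT_BALANCE, every other HTTP method to
// VIEW_BALANCE. The container translates these role names into JACC
// WebResourcePermissions, which is the "roles already map to permissions"
// point made in the thread.
@ServletSecurity(
    value = @HttpConstraint(rolesAllowed = "VIEW_BALANCE"),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST", rolesAllowed = "EDIT_BALANCE")
    })
public class BalanceServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // getRemoteUser() is non-null here: the constraint above forces
        // authentication before the request reaches this method.
        out.println("balance for " + req.getRemoteUser() + ": <redacted>");
        // Programmatic check against the same fine-grained role. The
        // container evaluates this via a WebRoleRefPermission, so it
        // honours the group-to-role mapping exactly like the annotation.
        if (req.isUserInRole("EDIT_BALANCE")) {
            out.println("POST to this URL to edit the balance");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reachable by principals holding EDIT_BALANCE; a plain
        // "customer" receives 403 from the container before this runs.
        // Defence in depth: re-check anyway, so a mis-edited constraint
        // cannot silently expose the operation.
        if (!req.isUserInRole("EDIT_BALANCE")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... apply the balance edit here ...
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Note that the code tests only role names it owns; whether "manager" also implies VIEW_BALANCE is decided purely in the server-specific mapping file, which is the portability problem Arjan points to. On WebSphere Liberty the equivalent mapping goes into an `<application-bnd>` element (`<security-role name="VIEW_BALANCE"><group name="customer"/>...</security-role>`) rather than glassfish-web.xml, so the same WAR needs a different file per server.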