User roles vs. user permissions using apache shiro -


i trying model complex permission management system using apache shiro.

english not being native tongue afraid might missing of subtleties of terms such "roles", "permissions", "rights" & "privileges".

for example lets want create system manages resources such printers located inside buildings. db holds information of printer located in building. users of system should able reset printer or print it.

its clear me users "super admins" , able reset , print printer ('printer:*:*')- guess people have "super admin role".

but if should allowed reset printers in specific building ('building:a:*') ? "building admin" (prarametric) role? or permission on specific building? how model using apache shiro?

n.b.
when tagging q added user-roles tag , says:"a user role group of users share same privileges or permissions on system. use tag questions how user roles work in particular security framework, or questions implementation of user roles in program."

would correct assume based on definition there not such role "building admin" because being admin of building not give same permissions being admin of building b? , if so, correct terminology describe "building admin"?

have considered using more 3 tokens within wildcardpermission format?

there no limit number of tokens can used, imagination in terms of ways used in application.

wildcardpermission javadoc

instead of domain:action:instance syntax commonly used in apache shiro examples , documentation, add token represent building, e.g. printer:print,reset:*:buildinga.

the downside of scheme whenever checking if action permitted on particular printer, you'd have specify location, though token representing printer instance might uniquely identify printer:

// let's role buildinga-admin has permission of "printer:*:*:buildinga"  subject.ispermitted("printer:print:epson123:buildinga"); // returns true subject.ispermitted("printer:print:epson123"); // returns false

depending on application domain, maybe structure buildinga:printer:print,reset:epson123 might more appropriate or useful.

to answer other question regarding user roles, you'd correct assume if have both buildinga-admin , buildingb-admin roles, different user roles, if permissions assigned them not same.
might conceive general user role of building admin permissions admins different buildings might have in common, avoid duplicating permissions across different building-specific admin roles.


-

Comments

Post a Comment

Popular posts from this blog

PySide and Qt Properties: Connecting signals from Python to QML -

i trying run simple pyside appliccation design made in qml. call function in qml python in separated thread. i have following qml view: import qt 4.7 rectangle { visible: true width: 100; height: 100 color: "lightgrey" text { id: datestr objectname: "datestr" x: 10 y: 10 text: "init text" font.pixelsize: 12 function updatedata(text) { datestr.text = qstr(text) console.log("you said: " + text) } } } here application: some imports.... #!/usr/bin/python import sys import time pyside import qtdeclarative, qtcore pyside.qtgui import qapplication pyside.qtdeclarative import qdeclarativeview the qthread worker.... #worker thread class worker(qtcore.qthread): updateprogress = qtcore.signal(int) def __init__(self, child): qtcore.qthread.__init__(self) self.child = child def run(self):
Read more

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

Image
when using devexpress, see error: devexpress.wpf.grid.infinitegridsizeexception unhandled message="by default, infinite grid height not allowed since grid rows rendered , hence grid work slowly. fix issue, should place grid container give finite height grid, or should manually specify grid's height or maxheight. note can avoid exception setting gridcontrol.allowinfinitegridsize static property true, in case grid run slowly." the problem dxgrid has infinite height. to fix, set height non-infinite. snoop absolutely invaluable this: if "height" xaml element infinite (i.e. 0 or nan ), can set using one of following: option 1: height="{binding path=actualheight, relativesource={relativesource mode=findancestor, ancestortype=uielement}}" option 2: verticalalignment="stretch" option 3: height="auto" hint: use verticalalignment="stretch" if child of grid <rowdefinition height=
Read more

scala - 'wrong top statement declaration' when using slick in IntelliJ -

Image
i'm porting project scala 2.9 2.10, therefore have use slick instead of scalaquery. i'm using slick 2.1.0 since supports ms access. according this tutorial , upgrade guide changed robs object class , added val robs : why error message wrong top statement declaration , how rid of it? edit: i'm new scala... according this question seems can't put val outside of methods or classes, right? code above directly in packge. right approach slick then? should move code in class or trait? according this changed val robs = tablequery[robs] to object robs extends tablequery(new robs(_)) {} . no warnings or errors anymore. :)
Read more