On 11/4/2015 10:26 AM, Stan Silvert wrote:
On 11/4/2015 9:15 AM, Bill Burke wrote:
> I've already stated the reason for composite roles:
>
> Say you have a set of applications under the Sales and Marketing
> Department: A Leads Application, Eloqua, and Salesforce. Each of the
> applications has a set of roles that are used to manage access to
> various features of each application. For example, each app might have
> an "admin" role. You would then want to organize permissions into
> categories and assign coarser grain roles to individual users. So, you
> would create a "Sales Admin" composite role that contains the "admin"
> role of each sales application. Composite roles allow you to group
> together roles into role categories that you can assign to a specific
> user or user group.
>
> User Groups are different as you want to assign a set of permissions to
> a group of users.
>
> So composite roles are used to group together roles of a set of
> applications. User Groups are used to grant a set of permissions to a
> set of users.
Maybe it's just me, but I think of user groups as just a way to group
users, and roles as a way to group permissions. Roles are assigned to
user groups. Permissions are assigned to roles.
We don't have the concept of a permission, so assigning roles to a
composite role is equivalent right now to assigning permissions to a role.
I don't see why you need anything more. In your example, each
application has an admin role that has a set of permissions for the
application. Each admin role can be assigned to a Sales Admin user
group. Sales Admin users are assigned to the Sales Admin user group.
Done.
App developers focus on designing the roles/permission model for the
applications and would deal with roles, composite roles, and clients.
User admins would focus on managing users and defining groups and
assigning permissions/roles to groups and users. Instead of dealing
with fine-grain roles/permissions for each and every application, user
admins just deal with coarse grain composite roles.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
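
The two models discussed in this thread, as an added example that is not part of the original messages and not Keycloak's code or data model. The `Realm` class, the `leads:admin`-style role names, the group name and the user `alice` are constructed for illustration.

```python
# Added illustration; a simplified model, not Keycloak's data model or API.
from dataclasses import dataclass, field


@dataclass
class Realm:
    composites: dict = field(default_factory=dict)   # role -> set of child roles
    group_roles: dict = field(default_factory=dict)  # group -> roles mapped to it
    user_roles: dict = field(default_factory=dict)   # user -> directly mapped roles
    user_groups: dict = field(default_factory=dict)  # user -> groups

    def expand(self, roles):
        """Return roles plus everything reachable through composite roles."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:          # already visited; also stops composite cycles
                continue
            seen.add(role)
            stack.extend(self.composites.get(role, ()))
        return seen

    def effective_roles(self, user):
        """Direct role mappings plus roles inherited from groups, all expanded."""
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= set(self.group_roles.get(group, ()))
        return self.expand(roles)


# Constructed role names for the three applications named in the thread.
APP_ADMINS = {"leads:admin", "eloqua:admin", "salesforce:admin"}

def composite_model():
    # App developer defines "Sales Admin" once; the user admin maps one role.
    return Realm(composites={"Sales Admin": set(APP_ADMINS)},
                 user_roles={"alice": {"Sales Admin"}})

def group_only_model():
    # No composite: the user admin maps each application's admin role to a group.
    return Realm(group_roles={"Sales Admins": set(APP_ADMINS)},
                 user_groups={"alice": {"Sales Admins"}})

def combined_model():
    # Both: the group carries only the coarse-grained composite role.
    return Realm(composites={"Sales Admin": set(APP_ADMINS)},
                 group_roles={"Sales Admins": {"Sales Admin"}},
                 user_groups={"alice": {"Sales Admins"}})
```

All three give `alice` the same application-level admin roles; they differ in who maintains the list of per-application roles, the role definition or each group mapping.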