We are designing security for a financial application using EJB security.
The users need a way to restrict access to EJB methods based on business rules.
For example, there are limits on financial transactions based on the amounts, e.g. 50K $, 100K $, and so on. If you express this with roles there need to be lots of roles, like PERMITLOAN50K, PERMITLOAN100K.
The user data would have to be stored in LDAP. It seems awkward to me to store business rules in LDAP.
In the EJB there would be lots of calls to isUserInRole(PERMITLOAN100K). If the limits are changed, the role names would have to change as well.
Or are there better ideas?
Thanks for any hints,
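One alternative to a role per amount threshold, shown here as an added example that is not part of the original post: keep the container's declarative role check for the coarse decision (who may approve loans at all) and make the amount limit ordinary data that the bean reads at call time. The class names LoanServiceBean, LimitRepository and LimitExceededException are hypothetical, and the in-memory repository is a constructed stand-in for whatever store actually holds the limits; in the EJB API itself the caller's identity comes from EJBContext.getCallerPrincipal() and the role check is EJBContext.isCallerInRole().

```java
import java.math.BigDecimal;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/** Business-rule denial. Kept distinct from the container's EJBAccessException
 *  so that audit logs can tell "wrong role" from "over limit". */
class LimitExceededException extends RuntimeException {
    LimitExceededException(String message) { super(message); }
}

/** Per-principal limits. This in-memory map is a constructed stand-in for the
 *  real store (a database table, a reloadable properties file, or an LDAP
 *  attribute). Raising a limit changes one entry, not a role name in every bean. */
class LimitRepository {
    private final Map<String, BigDecimal> limits = new ConcurrentHashMap<>();
    private final BigDecimal defaultLimit;

    LimitRepository(BigDecimal defaultLimit) { this.defaultLimit = defaultLimit; }

    void setLimit(String principalName, BigDecimal limit) { limits.put(principalName, limit); }

    BigDecimal limitFor(String principalName) {
        return limits.getOrDefault(principalName, defaultLimit);
    }
}

@Stateless
@RolesAllowed("LOAN_OFFICER")   // coarse gate enforced by the container before any method runs
public class LoanServiceBean {
    private static final Logger LOG = Logger.getLogger(LoanServiceBean.class.getName());

    @Resource
    private SessionContext ctx;   // gives access to the authenticated caller

    // Would normally be injected; constructed here (hypothetical default of 50K) so the
    // example is self-contained.
    private final LimitRepository limits = new LimitRepository(new BigDecimal("50000"));

    public void approveLoan(String accountId, BigDecimal amount) {
        // Reject malformed amounts first: a null or non-positive amount must not slip
        // past the comparison below.
        if (amount == null || amount.signum() <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }

        Principal caller = ctx.getCallerPrincipal();
        BigDecimal limit = limits.limitFor(caller.getName());

        if (amount.compareTo(limit) > 0) {
            // Audit the attempt with who, how much and against which limit before denying.
            LOG.warning("denied: " + caller.getName() + " requested " + amount
                    + " for account " + accountId + ", limit " + limit);
            throw new LimitExceededException(
                    "amount " + amount + " exceeds limit " + limit + " for " + caller.getName());
        }

        LOG.info("approved: " + caller.getName() + " approved " + amount
                + " for account " + accountId);
        // ... actual loan approval logic would follow here ...
    }

    /** Helper for callers that want to check before submitting, e.g. to grey out a button.
     *  Same rule, same data source, so UI and bean cannot drift apart. */
    public boolean isWithinLimit(BigDecimal amount) {
        if (amount == null || amount.signum() <= 0) return false;
        return amount.compareTo(limits.limitFor(ctx.getCallerPrincipal().getName())) <= 0;
    }
}
```

The split keeps the two questions separate: the container answers "may this principal call approveLoan at all" from the role, and the bean answers "may this principal move this much" from data that operations staff can change without redeploying or renaming roles. The same coarse role mapping can equally be declared in ejb-jar.xml via method-permission instead of the annotation; either way the amount rule stays out of the role model and out of LDAP.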