Security - Role mapping

General J2EE: Security - Role mapping

  1. Security - Role mapping (3 messages)

    Good morning everybody,

    I have a rather basic question regarding J2EE security, and I'd appreciate any help on the subject. When mapping users to roles, what is the common practice: to group every functionality needed for a given user under the same role, or to map the user to several roles?
    For example: a manager also has the privileges of, say, an analyst. Should the Manager role group all the privileges needed, or should the manager be mapped to both the Manager and Analyst roles?

    Cheers,
    Eduardo


  2. Security - Role mapping

    Personally, I map users to multiple roles. Otherwise, maintenance becomes a nightmare.

    Think of roles as a "permission group" that defines a set of related permissions. Super users may have access to multiple permission groups, such as someone with access to both Manager and Analyst functions.
  3. Security - Role mapping

    A typical ACL (access control list) links a resource (like a file) to a number of principals (users and groups). As the system grows, maintaining ACLs becomes tough, and Roles come in. If access to a particular file is granted to the BoardMembers role, then managing who is granted the BoardMembers role is easier and also more controllable.

    Groups are primarily intended to manage users, not access control entries. A group is ... "a group of users". If a group is created in order to manage access to a resource, then it starts to look like a role.

    The EJB specs indicate that access to a particular enterprise bean or method is granted to a role (and not a group) and thus clearly distinguishes between the two, you should too!
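The model the two replies above describe (a role is a permission group, a group is only a set of users, a principal may hold several roles, and EJB method access is granted to roles) in working form, as an added example that is not code from the thread or from any J2EE container. It is a self-contained in-memory model in plain Java SE; the permission strings stand in for the method-permission entries of ejb-jar.xml, and every bean, role, group and user name is hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the thread): roles as permission groups, users and
 * groups mapped to one or more roles, and a deny-by-default method check.
 * The equivalent declarative form in ejb-jar.xml (hypothetical bean names) is
 *   <method-permission>
 *     <role-name>Analyst</role-name>
 *     <method><ejb-name>ReportBean</ejb-name><method-name>viewReport</method-name></method>
 *   </method-permission>
 * with the user/group-to-role mapping done in the container's deployment descriptor.
 */
public class RoleMappingDemo {

    /** Role -> permissions it grants: the "permission group". */
    private final Map<String, Set<String>> rolePermissions = new HashMap<>();
    /** User -> roles mapped directly to that principal. */
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    /** Group -> member users. A group only manages users, not access entries. */
    private final Map<String, Set<String>> groupMembers = new HashMap<>();
    /** Group -> roles: the deployer's group-to-role mapping. */
    private final Map<String, Set<String>> groupRoles = new HashMap<>();

    public void grantToRole(String role, String... permissions) {
        rolePermissions.computeIfAbsent(role, r -> new LinkedHashSet<>()).addAll(Arrays.asList(permissions));
    }

    public void mapUserToRoles(String user, String... roles) {
        userRoles.computeIfAbsent(user, u -> new LinkedHashSet<>()).addAll(Arrays.asList(roles));
    }

    public void addToGroup(String group, String... users) {
        groupMembers.computeIfAbsent(group, g -> new LinkedHashSet<>()).addAll(Arrays.asList(users));
    }

    public void mapGroupToRoles(String group, String... roles) {
        groupRoles.computeIfAbsent(group, g -> new LinkedHashSet<>()).addAll(Arrays.asList(roles));
    }

    /** Every role a caller holds: direct mappings plus the roles of each group it belongs to. */
    public Set<String> rolesOf(String user) {
        Set<String> roles = new LinkedHashSet<>(userRoles.getOrDefault(user, Collections.<String>emptySet()));
        for (Map.Entry<String, Set<String>> g : groupMembers.entrySet()) {
            if (g.getValue().contains(user)) {
                roles.addAll(groupRoles.getOrDefault(g.getKey(), Collections.<String>emptySet()));
            }
        }
        return roles;
    }

    /** The programmatic check that EJBContext.isCallerInRole and HttpServletRequest.isUserInRole expose. */
    public boolean isCallerInRole(String user, String role) {
        return rolesOf(user).contains(role);
    }

    /** Deny by default: a method that no role has been granted is callable by nobody. */
    public boolean isAllowed(String user, String permission) {
        for (String role : rolesOf(user)) {
            if (rolePermissions.getOrDefault(role, Collections.<String>emptySet()).contains(permission)) {
                return true;
            }
        }
        return false;
    }

    private static void check(RoleMappingDemo acl, String user, String perm) {
        System.out.printf("%-6s %-24s %s%n", user, perm, acl.isAllowed(user, perm) ? "ALLOW" : "DENY");
    }

    public static void main(String[] args) {
        RoleMappingDemo acl = new RoleMappingDemo();
        acl.grantToRole("Analyst", "ReportBean.viewReport", "ReportBean.exportReport");
        acl.grantToRole("Manager", "BudgetBean.approve");
        acl.grantToRole("BoardMember", "MinutesBean.read");

        // The manager from the question: mapped to both roles rather than to a
        // Manager role that duplicates every Analyst permission.
        acl.mapUserToRoles("alice", "Manager", "Analyst");
        acl.mapUserToRoles("bob", "Analyst");
        // A group mapped to a role: changing membership never touches the permission side.
        acl.addToGroup("board", "carol", "dave");
        acl.mapGroupToRoles("board", "BoardMember");

        check(acl, "alice", "BudgetBean.approve");     // ALLOW via Manager
        check(acl, "alice", "ReportBean.viewReport");  // ALLOW via Analyst
        check(acl, "bob",   "BudgetBean.approve");     // DENY
        check(acl, "carol", "MinutesBean.read");       // ALLOW via group board -> BoardMember
        check(acl, "carol", "ReportBean.viewReport");  // DENY

        // Maintenance: a new analyst function is one edit to the Analyst role; every
        // principal mapped to Analyst, the manager included, picks it up unchanged.
        acl.grantToRole("Analyst", "ReportBean.schedule");
        check(acl, "alice", "ReportBean.schedule");    // ALLOW without touching alice's mapping
        check(acl, "alice", "ReportBean.delete");      // DENY: unmapped method, denied by default
    }
}
```

The last two checks are the maintenance argument in miniature: with a single fat Manager role that copied the Analyst permissions, adding ReportBean.schedule would have to be repeated for Manager (and for every other role that happened to include analyst functions), and the copies drift apart the first time someone forgets one.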
  4. Thank you very much for your input!

    Seems clear to me now that we should map users to as many different roles as needed. Maintenance-wise, it's a wise thing to do. :)

    Cheers,
    Eduardo