As of the offline discussion, we decided to go ahead with the following databases.

*PERMISSIONS*

APP_NAME VARCHAR(3) NOT NULL
PERMISSION_STRING VARCHAR(50) NOT NULL
PRIMARY KEY (APP_NAME, PERMISSION_STRING)

*ROLE_PERMISSIONS*

APP_NAME VARCHAR(3) NOT NULL
PERMISSION_STRING VARCHAR(50) NOT NULL
ROLE_ID VARCHAR(100) NOT NULL

We decided to use a composite key to uniquely identify the permissions, and to store role_id instead of the name.

This component will also have a method to check hasPermission(username, app name, permission string). That will get all the roles assigned to the given user from the IdP client OSGi service (described in mail [1]) and check for role permission mapping from the database.

Please update if I have missed any.

[1] [Architecture] Securing Product Apis and Product artifacts in Stream Processor

Regards
Suho

On Wed, Oct 18, 2017 at 2:47 PM, Tanya Madurapperuma <[email protected]> wrote:

> On Wed, Oct 18, 2017 at 2:20 PM, Lasantha Samarakoon <[email protected]>
> wrote:
>
>> Where do we maintain the resource to permission mapping? Is it at the
>> common component level or each app has to maintain its own mapping?
>>
>> Resource to permission mapping needs to be maintained at each app level.
>> Common component doesn't need to know about the resources but only roles
>> and permissions. At the app level we can implement a hasPermission() method
>> which checks whether any of the roles of the current user has respective
>> permission.
>>
> IMO we should bring that also to the common component. If not, every app
> developer will have to have their own hasPermission method.
> Instead of that I think it would be better if we can provide a common api
> for adding resource permission mapping and a common api to check
> hasPermission. WDYT?
>
> Thanks,
> Tanya
>
>> *Lasantha Samarakoon* | Software Engineer
>> WSO2, Inc.
>> #20, Palm Grove, Colombo 03, Sri Lanka
>> Mobile: +94 (71) 214 1576
>> Email: [email protected]
>> Web: www.wso2.com
>>
>> lean . enterprise . middleware
>>
>> On Wed, Oct 18, 2017 at 2:04 PM, Tanya Madurapperuma <[email protected]>
>> wrote:
>>
>>> Hi Lasantha,
>>>
>>> Where do we maintain the resource to permission mapping? Is it at the
>>> common component level or each app has to maintain its own mapping?
>>>
>>> Thanks,
>>> Tanya
>>>
>>> On Wed, Oct 18, 2017 at 1:34 PM, Lasantha Samarakoon <[email protected]>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> In the new React based dashboard component we need to implement a
>>>> permission model based on user roles to limit access to dashboard
>>>> resources. Since this can be a common requirement among all the React based
>>>> apps under Analytics we thought of introducing a common component to
>>>> serve the purpose. Therefore we are thinking of adding this component into
>>>> carbon-analytics repository.
>>>>
>>>> Implementation:
>>>>
>>>> As we discussed internally this component will expose an OSGi service
>>>> which provides all the necessary APIs. This includes the following.
>>>>
>>>> - CRUD operations on permissions (i.e. add/edit/delete/get/list
>>>> permissions)
>>>> - Grant and revoke permissions from particular roles.
>>>>
>>>> In order to persist permissions following database will be implemented.
>>>>
>>>> *PERMISSIONS*
>>>>
>>>> ID INT AUTO_INCREMENT PRIMARY KEY
>>>> APP_NAME VARCHAR(3) NOT NULL
>>>> PERMISSION_STRING VARCHAR(50) NOT NULL
>>>>
>>>> *ROLE_PERMISSIONS*
>>>>
>>>> ID INT AUTO_INCREMENT PRIMARY KEY
>>>> PERMISSION_ID INT NOT NULL
>>>> ROLE_NAME VARCHAR(100) NOT NULL
>>>>
>>>> Since we are not maintaining the roles within this database schema we
>>>> suppose to retrieve them via the SCIM API.
>>>>
>>>> Appreciate your feedback.
>>>>
>>>> Regards,
>>>>
>>>> *Lasantha Samarakoon* | Software Engineer
>>>> WSO2, Inc.
>>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>>> Mobile: +94 (71) 214 1576
>>>> Email: [email protected]
>>>> Web: www.wso2.com
>>>>
>>>> lean . enterprise . middleware
>>>>
>>>
>>> --
>>> Tanya Madurapperuma
>>>
>>> Associate Technical Lead,
>>> WSO2 Inc. : wso2.com
>>> Mobile : +94718184439
>>> Blog : http://tanyamadurapperuma.blogspot.com
>>>
>
> --
> Tanya Madurapperuma
>
> Associate Technical Lead,
> WSO2 Inc. : wso2.com
> Mobile : +94718184439
> Blog : http://tanyamadurapperuma.blogspot.com
>

--
*S. Suhothayan*
Associate Director / Architect
WSO2 Inc. http://wso2.com
lean . enterprise . middleware
cell: (+94) 779 756 757 | blog: http://suhothayan.blogspot.com/
twitter: http://twitter.com/suhothayan | linked-in: http://lk.linkedin.com/in/suhothayan
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
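The schema and hasPermission(username, app name, permission string) check agreed in the message above, sketched as an added example that is not part of the thread or of WSO2's code. It assumes SQLite in place of the product database, a dictionary (`IDP_ROLES`) standing in for the IdP client OSGi service, and a primary key and foreign key on ROLE_PERMISSIONS that the thread does not specify; the function names, app name and role IDs are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE PERMISSIONS (
    APP_NAME VARCHAR(3) NOT NULL,
    PERMISSION_STRING VARCHAR(50) NOT NULL,
    PRIMARY KEY (APP_NAME, PERMISSION_STRING)
);
-- Assumption: the thread lists only columns for ROLE_PERMISSIONS; the primary
-- key and foreign key are added here so grants cannot duplicate or dangle.
CREATE TABLE ROLE_PERMISSIONS (
    APP_NAME VARCHAR(3) NOT NULL,
    PERMISSION_STRING VARCHAR(50) NOT NULL,
    ROLE_ID VARCHAR(100) NOT NULL,
    PRIMARY KEY (APP_NAME, PERMISSION_STRING, ROLE_ID),
    FOREIGN KEY (APP_NAME, PERMISSION_STRING)
        REFERENCES PERMISSIONS (APP_NAME, PERMISSION_STRING) ON DELETE CASCADE
);
"""
# Constructed stand-in for the IdP client OSGi service: username -> role IDs.
IDP_ROLES = {"alice": ["r-001", "r-002"], "bob": ["r-003"]}

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    db.executescript(SCHEMA)
    return db

def grant(db, app, permission, role_id):
    # INSERT OR IGNORE keeps repeated grants idempotent under the composite keys.
    db.execute("INSERT OR IGNORE INTO PERMISSIONS VALUES (?, ?)", (app, permission))
    db.execute("INSERT OR IGNORE INTO ROLE_PERMISSIONS VALUES (?, ?, ?)",
               (app, permission, role_id))

def delete_permission(db, app, permission):
    # Cascades to ROLE_PERMISSIONS, so no role keeps a deleted permission.
    db.execute("DELETE FROM PERMISSIONS WHERE APP_NAME = ? AND PERMISSION_STRING = ?",
               (app, permission))

def has_permission(db, username, app, permission, roles_of=IDP_ROLES.get):
    role_ids = roles_of(username) or []
    if not role_ids:  # unknown user or user without roles: deny by default
        return False
    marks = ",".join("?" * len(role_ids))  # placeholders only; values stay bound
    row = db.execute(
        "SELECT 1 FROM ROLE_PERMISSIONS WHERE APP_NAME = ? AND PERMISSION_STRING = ?"
        f" AND ROLE_ID IN ({marks}) LIMIT 1", (app, permission, *role_ids)).fetchone()
    return row is not None
```

Because the mapping is keyed on ROLE_ID, renaming a role at the IdP does not orphan or silently transfer its grants, which is the reason the thread gives for storing the ID instead of the name.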
