On Fri, 18 Jan 2002 10:07, Paul Hammant wrote:
> Larry, Peter,
>
> I'd be much keener on 'group' than 'role' per se. A user belongs to one
> or more groups. Groups can belong to groups. Some groups can be
> mandatory and considered as roles.
> I can't remember where I first encountered this design. Nearly a decade
> on AS/400's I guess.

I think you are mixing up terminology here - at least in the Java/J2EE world. That functionality is available, it is just termed differently ;)

In Java the group is just another principal. However, a single person could have multiple principals/identities. In JAAS this is explicitly represented by the Subject object. A Subject would represent a particular user. That user may have different principals associated with them.

For instance, consider the Subject "Fred". If "Fred" logs in via SSH then he acquires the SSHPrinciple, if "Fred" goes in via the biometric scanners/detectors then he gets the GroovyBioMetricPrinciple, while if he goes in via telnet he gets the WeenyTelnetPrinciple. All these principals represent the same person/Subject. However, it would be possible to associate different sets of permissions with different principals, i.e. the GroovyBioMetricPrinciple is going to have a lot more permissions than the WeenyTelnetPrinciple.

Anyhow, if "Fred" the subject belongs to the "admin" group then that just means "Fred" has the "admin" principal added to his subject.

I guess this is a bit complex. It may be a good idea not to require a mapping between principals and Roles and make it possible to get permissions via principal or role.

Thoughts?

--
Cheers,

Pete

*------------------------------------------------------*
| "Common sense is the collection of prejudices        |
|  acquired by age 18. " -Albert Einstein              |
*------------------------------------------------------*
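
The Subject/principal model described in the message above, as an added example that is not part of the original thread or of any project's code. The principal classes (SshPrincipal, TelnetPrincipal, GroupPrincipal), the GRANTS table and the permission names are hypothetical; only java.security.Principal and javax.security.auth.Subject are real JAAS types.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class SubjectPrincipalsDemo {
    // Base for the hypothetical principal types below (names are assumptions).
    abstract static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class SshPrincipal extends Named { SshPrincipal(String n) { super(n); } }
    static final class TelnetPrincipal extends Named { TelnetPrincipal(String n) { super(n); } }
    static final class GroupPrincipal extends Named { GroupPrincipal(String n) { super(n); } }

    // Constructed sample policy: permissions are granted per principal, not per Subject.
    static final Map<String, Set<String>> GRANTS = Map.of(
        "SshPrincipal/fred", Set.of("shell", "read-logs"),
        "TelnetPrincipal/fred", Set.of("read-motd"),
        "GroupPrincipal/admin", Set.of("restart-service"));

    // Effective permissions are the union of the grants of every principal held.
    static Set<String> permissionsFor(Subject subject) {
        Set<String> result = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            String key = p.getClass().getSimpleName() + "/" + p.getName();
            result.addAll(GRANTS.getOrDefault(key, Set.of()));
        }
        return result;
    }

    // Build the Subject a login would produce: one login-path principal plus groups.
    static Subject login(Principal viaLoginPath, String... groups) {
        Subject subject = new Subject();
        subject.getPrincipals().add(viaLoginPath);
        for (String g : groups) {
            subject.getPrincipals().add(new GroupPrincipal(g));
        }
        return subject;
    }

    public static void main(String[] args) {
        Subject sshFred = login(new SshPrincipal("fred"), "admin");
        Subject telnetFred = login(new TelnetPrincipal("fred"), "admin");
        System.out.println("ssh:    " + permissionsFor(sshFred));
        System.out.println("telnet: " + permissionsFor(telnetFred));
    }
}
```

Because the group is just another principal on the Subject, its grant applies on both login paths in this sketch; restricting "admin" to the stronger login path would need a policy keyed on the combination of principals rather than on each one alone.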