> I have seen some very elaborate schemes for group permissions
> and anti-permissions with another layer of individual user
> permissions and anti-permissions on top of that, but that
> really is the wrong way to go, in my opinion. Things get
> easily confused, and it's often easy to accidentally assign a
> high-ranking individual permission to a person who is nowhere
> near authorized to have such a permission, then have that
> mistake go undiscovered for a long time.
>
> A clearly defined set of roles discovered through a rigorous
> requirements gathering process eliminates such dangers. Use
> these roles directly in ColdFusion MX's security framework,
> and you should be good to go.
Adam, I do see your point, in that when you create an object, you're really assigning various levels of roles for actions within that object. So in order to build it, you first have to level out what kind of actions will be required in the overall application as well as the object itself. Once you have that list, assign those individual roles to the appropriate methods. However, the dynamics of this can get limited.

If I understand correctly, the concept could go like this:

BankObject Roles: Transfer, Withdraw, Deposit, Balance

In order to carry out the getMyMoneyAndShowMeBalanceOnScreen() method, I'd need the "Withdraw & Balance" roles. Without one of them, I guess I'd fail?

This works on a basic server-side solution I guess, but the question that then arises for me is, what do you do about the UI-based permissions? In that, while I may have access to the Withdraw & Balance "Role" for the BankObject, I still only want the user to have access to certain data within the db, or to certain UI constraints around the BankObject's screen.

I guess what I'm trying to ask/say is that when you throw the User Interface into the equation and start locking down items within the UI, that's when the dynamic permissions kick in. To me it seems like yes, two layers are needed. The first is the basic verb actions as the minimum security requirements; that will get you access to the object in the first place. The second layer is the dynamics associated with the object itself (getting back to the question: can I carry out this report? Even though I have access to withdrawal/balance on a personal level, can I generate a report for all accounts etc.? Is that then a separate role as well: ReportOnAllAccounts?). The list could grow quite large for methods? In that data-centric roles are different to CFC-based roles?

P.S. Note that a Transfer is a combination of Withdraw & Deposit?
Regards,
Scott Barnes
Senior Web Developer
Alpha Business Systems
[EMAIL PROTECTED]
1/31 Thompson St Bowen Hills QLD 4006
Ph +61 07 3216 0999
http://www.alphabus.com.au
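The two-layer model Scott describes above (verb roles gating a method, then data-centric limits on which accounts the caller may act on, with Transfer composed of Withdraw and Deposit and ReportOnAllAccounts as its own role), as an added Python example that is not code from the thread or from ColdFusion MX: the decorator merely stands in for the roles gate a CFC method carries, and every user, role name and balance is constructed.

```python
from dataclasses import dataclass
from functools import wraps
class AccessDenied(Exception): pass   # raised by either authorization layer
@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset        # verb roles such as "Withdraw", "Balance"
    account_ids: frozenset  # accounts this user owns (data-layer scope)

def requires_roles(*needed):
    """Layer 1: verb roles the method needs at all (models the roles gate a
    ColdFusion MX CFC method carries; constructed Python, not CFML)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args):
            missing = set(needed) - user.roles
            if missing:
                raise AccessDenied(f"{user.name} lacks roles {sorted(missing)}")
            return fn(user, *args)
        return wrapper
    return deco

def assert_owns(user, account_id):
    """Layer 2: the role gets you into the object, not into others' accounts."""
    if account_id not in user.account_ids:
        raise AccessDenied(f"{user.name} may not touch account {account_id}")

@requires_roles("Withdraw", "Balance")
def withdraw_and_show_balance(user, balances, account_id, amount):
    assert_owns(user, account_id)
    balances[account_id] -= amount
    return balances[account_id]
@requires_roles("Withdraw", "Deposit")  # a Transfer is Withdraw plus Deposit
def transfer(user, balances, src, dst, amount):
    assert_owns(user, src)  # only the source must be the caller's own account
    balances[src] -= amount
    balances[dst] += amount
    return balances[src], balances[dst]

@requires_roles("ReportOnAllAccounts")  # Balance on one's own accounts is not enough
def report_all(user, balances):
    return dict(sorted(balances.items()))

def is_denied(fn, *args):
    """True when either authorization layer refuses the call."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True
```

A user holding Withdraw and Balance still cannot touch an account that is not theirs, and Balance on one's own accounts does not unlock the all-accounts report.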
