|
In-line comments J From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GroupOne Dev. There you go making a mess of things
again ;-) The
calling app does not need to know about user, actually – all it needs to
know is the user token, which it retrieves from a “login” call.
It doesn’t need to know anything about what the token relates to or what
the token is since all of the logic that actually deals with the token is
contained in the AuthenticationManager, and the only method the calling app _ever_ needs to call on the
AuthenticationManager is “loginUser”. Well the
model that I explained is greatly simplified from what we actually use
internally ;) Internally, our “rights” apply to operations
that you can perform in the system. Each actual “object” (and
by object, I mean accounts, documents, forums, etc., not the actual CFC Objects)
also maintains a separate ACL which describes which users and groups are
allowed to access it. So in our model, you first need to have the right
to perform a certain type of operation, such as retrieve an account balance, and
then you also have to have been granted access to that particular
account. In order to simplify this, we use groups (or roles, if you want
to call them that), to which users and rights can be assigned, and then these
roles can also be assigned to individual objects. It’s fairly complex
in terms of implementation, but the UI for it is actually very easy to use and
the concept of “groups” and “rights” has been extremely
easy for our end users to grasp. Our basic groups and rights data model
is attached if it helps any. Keep in mind that there are also a similar
set of tables for object-level permissions, such as account_groups and
account_users, that I have omitted from the diagram so as to make it easier to
visualize. If there
was a single definitive answer, we’d all be out of jobs ;) |
Security ERD (simplified).pdf
Description: Adobe PDF document
