Hi Stefan,

On 10/26/07, Stefan Seelmann <[EMAIL PROTECTED]> wrote:
>
> Is one role limited to aggregate permissions within an application?
>
> What about
> - roles that aggregate roles (hierarchical roles)

Oh yes we can have role hierarchies where roles are a set of permissions and a set of other roles. I even like the idea of multiple inheritance with role hierarchies, where a role can reference more than one super role. Without multiple inheritance a role could only have zero or one superior roles. Role inheritance is critical for real world use cases.

> - roles that aggregate roles and permissions of different applications
> or systems (enterprise roles)

The short answer is yes but there are some details that would need to be addressed based on the scope in which the role is defined.

Alex

> > Applications and Roles
> > ---------------------------------
> >
> > Application designers devise security permissions and roles specific to
> > applications. These roles represent a set of rights authorizing principals
> > to perform operations or access resources that must be allowed to fulfill
> > a specific coherent function within applications. These rights to access
> > resources are the permissions. The set of these permissions, needed for a
> > logical function to be conducted in the application, is a role.
> >
> > To be concise we extract the following glossary definitions:
> >
> > Permission:
> > A right required by a system or application to authorize principals to
> > perform a specific operation or access a resource in some manner.
> >
> > Role:
> > A set of permissions required by a principal to be authorized to fulfill
> > a logical function within a system or application.
> >
> > Thanks,
> > Alex
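
The role hierarchy described in the reply above (a role as a set of permissions plus a set of other roles, with more than one super role allowed), as an added example that is not part of the original email or the project's code. The `Role` class, the function names and the sample roles and permissions are assumptions made for illustration.

```python
# Added example: all names and data here are hypothetical.
from dataclasses import dataclass


class RoleCycleError(ValueError):
    """Raised when a role is, transitively, its own super role."""


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset = frozenset()  # permissions granted directly
    super_roles: frozenset = frozenset()  # names of zero or more super roles


def effective_permissions(roles, name, _path=()):
    """Return every permission `name` carries, directly or via super roles."""
    if name in _path:  # the role is already an ancestor on this path
        raise RoleCycleError(" -> ".join(_path + (name,)))
    role = roles[name]  # KeyError on a dangling super-role reference
    perms = set(role.permissions)
    for parent in sorted(role.super_roles):
        perms |= effective_permissions(roles, parent, _path + (name,))
    return frozenset(perms)


def is_authorized(roles, assigned, permission):
    """Default deny: allow only if an assigned role carries the permission."""
    return any(permission in effective_permissions(roles, r) for r in assigned)


def build(*defs):
    """Index role definitions by name."""
    return {r.name: r for r in defs}


# Constructed sample: "manager" has two super roles that share "employee",
# so the hierarchy is a diamond, which must not be reported as a cycle.
ROLES = build(
    Role("employee", frozenset({"timesheet.read"})),
    Role("auditor", frozenset({"ledger.read"}), frozenset({"employee"})),
    Role("approver", frozenset({"expense.approve"}), frozenset({"employee"})),
    Role("manager", frozenset({"team.edit"}), frozenset({"auditor", "approver"})),
)

if __name__ == "__main__":
    print(sorted(effective_permissions(ROLES, "manager")))
```

Resolving the full set at review time also makes it visible when a change to one super role silently widens every role that inherits from it.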
