Adrian, This is good timing for me as I need to implement a security scheme in which a user's ability to perform CRUD operations is dependent on their level within an organization (ie. someone is a divisional supervisor so they can only modify records within their division and its departments). Does this functionality already exist? Something similar was done for content management.
If this functionality were to be rolled into LDAP service, then I think the LDAP would need to handle a person's party group role associations. It sort of makes sense that if you want to manage a person's authentication outside of OFBiz that you would want to manage their position/role assignments in the same context since they are often related. Going back to the integrated CRUD permission scheme, I am prepared to write that if it is agreed that it is the right way to go. I would make the assumption that permissions are always determined by where a person exists in an organizational structure (but certain Security permissions would override this contextual permission granting) - which is architected by using the PartyRelationship entity and a person's role within that party group (div, dept, etc.) I would like to see PartyRelationship used to associate roles of a person with a party group because it can be time aware and it can enforce some checks by use of the PartyRelationshipType. In general, I am thinking that it would be something like a divisional supervisor needing to approve Content published by a departmental worker. The Content record would need to be tied to a department PartyGroup and the divisional supervisor is able to edit or publish the content by virtue of their hierarchical position and "ADMIN" role. In other cases, instead of a Content entity, it may be the ContactMech for an employee or a purchase order approval. In all these cases, the entity in question needs to be tied to a PartyGroup structure and the permission to perform the operation would be determined by the same method once it was. In content permission granting there was the concept of "purpose". For instance, a departmental supervisor may be able approve some content for publication if its purpose was the weekly newsletter, but not if it were for a corporate report. -Al
