+1

Instead of having users:add, users:edit, users:view and users:delete we can have all of them under users:manage scope.

But when designing the scopes it is not possible to consider all the business functionalities, so we can provide basic functionalities such as users:manage, roles:view, roles:manage. When it comes to the UI, when managing users, viewing roles is also needed. In that case we need to combine two or more scopes and create a special UI permission like 'manage_users'. Having separate UI permissions makes it easy to authorize the UI pages, as well as focusing on the real business functionality rather than depending on the BE.

On Mon, Jul 4, 2016 at 12:20 PM, Prabath Abeysekera <[email protected]> wrote:

> IMO, scopes for any application should be designed and implemented taking
> the end-to-end business functionalities into account, rather than focussing
> on different discrete pieces of small functional units such as UI, BE, etc.
> For instance, if some user is authorized to "manage users", the underlying
> scopes that make it possible for that particular user to perform the
> intended task, should be shared across the UI as well as the BE. In other
> words, the same scope that lets the user access the BE resources associated
> with managing users, can be re-used to render the associated UI elements as
> well. That way, not only does it make us avoid overly redundant scopes, which -
> if not managed properly - can be a headache, but it also helps us make things
> much more simplified.
>
> Cheers,
> Prabath
>
> On Mon, Jul 4, 2016 at 12:00 PM, Chathura Dilan <[email protected]>
> wrote:
>
>> +Dev
>>
>> For the UI
>>
>> IMO, the UI should have its own permissions, and they should be associated
>> with scopes
>>
>> Such as
>>
>> *UI Permission    scopes*
>> manage_user       users:add, users:edit, users:delete, users:view,
>>                   roles:view
>> view_user         users:view
>>
>> These UI permissions can be assigned from the permission tree to a
>> role. Once the permission is assigned to a role, the scopes associated with
>> the permission are also assigned to that role automatically.
>>
>> For that we can reduce the complexity of assigning the UI permission.
>> WDYT?
>>
>> On Mon, Jul 4, 2016 at 10:16 AM, Milan Perera <[email protected]> wrote:
>>
>>> Sure, will schedule it in the morning.
>>>
>>> On Mon, Jul 4, 2016 at 6:27 AM, Prabath Abeysekera <[email protected]>
>>> wrote:
>>>
>>>> Awesome! Shall we review this in the morn and be done with it?
>>>>
>>>> Cheers,
>>>> Prabath
>>>>
>>>> On Monday, July 4, 2016, Milan Perera <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've done the $subject and it's still in my fork [1]. Let's have a
>>>>> review on that and then I will merge.
>>>>> I've tested this implementation with the JDBC scope validator and it works
>>>>> fine.
>>>>>
>>>>> Currently I have only changed the devicemgt-api and have to make the
>>>>> necessary changes to the other APIs as well.
>>>>>
>>>>> [1]
>>>>> https://github.com/milanperera/carbon-device-mgt/commit/49623a4693dcbd35f6b5305c3e29d31254fcb4ce
>>>>>
>>>>> Regards,
>>>>>
>>>>> --
>>>>> *Milan Perera *| Software Engineer
>>>>> WSO2, Inc | lean. enterprise. middleware.
>>>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>>>> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
>>>>> Email: [email protected] | Web: www.wso2.com
>>>>> <http://lk.linkedin.com/in/milanharinduperera>
>>>>
>>>> --
>>>> Prabath Abeysekara
>>>> Technical Lead
>>>> WSO2 Inc.
>>>> Email: [email protected]
>>>> Mobile: +94774171471
>>>
>>> --
>>> *Milan Perera *| Software Engineer
>>> WSO2, Inc | lean. enterprise. middleware.
>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>> Mobile: +94 77 309 7088 | Work: +94 11 214 5345
>>> Email: [email protected] <[email protected]> | Web: www.wso2.com
>>> <http://lk.linkedin.com/in/milanharinduperera>
>>
>> --
>> Regards,
>>
>> Chatura Dilan Perera
>> *Associate Tech Lead** - WSO2 Inc.*
>> www.dilan.me
>
> --
> Prabath Abeysekara
> Technical Lead
> WSO2 Inc.
> Email: [email protected]
> Mobile: +94774171471

--
Regards,

Chatura Dilan Perera
*Associate Tech Lead** - WSO2 Inc.*
www.dilan.me
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
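
The mapping discussed in this thread, as an added example that is not part of any message or of the carbon-device-mgt code: UI permissions expand to back-end scopes once, and the same scope set then gates both API calls and page rendering. The route names, the page definition and the expansion of users:manage into the four fine-grained scopes are assumptions made for illustration.

```javascript
"use strict";

// UI permission -> back-end scopes (names taken from the thread).
const UI_PERMISSIONS = new Map([
  ["manage_users", ["users:manage", "roles:view"]],
  ["view_user", ["users:view"]],
]);

// Assumption: the coarse scope stands in for the fine-grained ones it replaces.
const IMPLIED = new Map([
  ["users:manage", ["users:add", "users:edit", "users:view", "users:delete"]],
]);

// Hypothetical back-end routes and the single scope each one requires.
const ROUTE_SCOPE = new Map([
  ["GET /users", "users:view"],
  ["POST /users", "users:add"],
  ["DELETE /users/{id}", "users:delete"],
  ["GET /roles", "roles:view"],
  ["POST /roles", "roles:manage"],
]);

// Expand the UI permissions assigned to a role into its effective scope set.
function scopesForRole(uiPermissions) {
  const scopes = new Set();
  for (const name of uiPermissions) {
    const mapped = UI_PERMISSIONS.get(name);
    // Fail closed: a typo in a role definition must not grant anything.
    if (!mapped) throw new Error(`unknown UI permission: ${name}`);
    for (const scope of mapped) {
      scopes.add(scope);
      for (const fine of IMPLIED.get(scope) || []) scopes.add(fine);
    }
  }
  return scopes;
}

// Back-end check: routes with no declared scope are denied, not allowed.
function canCall(scopes, route) {
  const required = ROUTE_SCOPE.get(route);
  return required !== undefined && scopes.has(required);
}

// UI check: render a page only if every call it makes would be authorized.
function canRender(scopes, pageRoutes) {
  return pageRoutes.every((route) => canCall(scopes, route));
}

// Hypothetical user-management page: it also lists roles, hence roles:view.
const USER_ADMIN_PAGE = ["GET /users", "POST /users", "DELETE /users/{id}", "GET /roles"];
```

Because the UI decision is derived from the same scope set the back end enforces, a page can never be shown for calls the role is not allowed to make, and hiding a page is never the only control.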
