rules externalised from the code
Hi,

We are looking at building a RBAC capability that evaluates security entitlements for users. The business rule to determine an effective role may be based on a combination of the user's attributes, e.g. job title, organisation unit, location, organisation. The rules are not going to be all that complicated, e.g.

    if ((user.jobTitle.name == "case worker") AND (user.org.name == "companyA") AND (user.location.code == "NY")) then addRole(user, securityRole)

but we don't want to have to recompile the application each time a rule changes or a rule is added or removed.

Options? e.g. DROOLS rule engine (seems a bit too heavyweight for what we want to achieve).

In our case the application is built using ISIS and already contains a domain that has all the HR context required for RBAC determinations, i.e. a full object graph containing all the input information to the RBAC rule would be available. The solution would need to fit nicely with ISIS.

Any ideas would be appreciated.

N.B. do not get confused with Shiro security for the application - that's orthogonal to the functional capability that we are wanting to build. And yes, I know we can go and buy specialized products that do this functional capability but we have good reasons for not going down that path.

Thanks in advance,
David.
Allow the user to choose a role to work within that role context.
Hi,

A question. A user may have a number of roles when using ISIS (i.e. org.apache.isis.security.UserMemento has a list of roles 1). How hard would it be to let the user choose which role they want to use for the session?

The story:

1. As an administrator of the application I am also a normal user of the application and I would like to see the reduced view of the application that a normal user would see by choosing my normal user role to be used in the session.

Any ideas/pointers would be appreciated.

Thanks,
David.
Re: rules externalised from the code
Would a JDO query be a candidate (assuming the query text can be associated with an object and loaded from a persistent source at run-time and then executed)?

Regards,
David.

From: David Tildesley davo...@yahoo.co.nz
To: users users@isis.apache.org
Sent: Wednesday, 7 August 2013 6:44 PM
Subject: rules externalised from the code

Hi,

We are looking at building a RBAC capability that evaluates security entitlements for users. The business rule to determine an effective role may be based on a combination of the user's attributes, e.g. job title, organisation unit, location, organisation. The rules are not going to be all that complicated, e.g.

    if ((user.jobTitle.name == "case worker") AND (user.org.name == "companyA") AND (user.location.code == "NY")) then addRole(user, securityRole)

but we don't want to have to recompile the application each time a rule changes or a rule is added or removed.

Options? e.g. DROOLS rule engine (seems a bit too heavyweight for what we want to achieve).

In our case the application is built using ISIS and already contains a domain that has all the HR context required for RBAC determinations, i.e. a full object graph containing all the input information to the RBAC rule would be available. The solution would need to fit nicely with ISIS.

Any ideas would be appreciated.

N.B. do not get confused with Shiro security for the application - that's orthogonal to the functional capability that we are wanting to build. And yes, I know we can go and buy specialized products that do this functional capability but we have good reasons for not going down that path.

Thanks in advance,
David.
Re: rules externalised from the code
Nice solution! On the latest snapshot it is possible by using the new executeSql(...) method in the IsisJdoSupport service.

On 07/08/2013, at 09:37, David Tildesley davo...@yahoo.co.nz wrote:

Would a JDO query be a candidate (assuming the query text can be associated with an object and loaded from a persistent source at run-time and then executed)?

Regards,
David.

From: David Tildesley davo...@yahoo.co.nz
To: users users@isis.apache.org
Sent: Wednesday, 7 August 2013 6:44 PM
Subject: rules externalised from the code

Hi,

We are looking at building a RBAC capability that evaluates security entitlements for users. The business rule to determine an effective role may be based on a combination of the user's attributes, e.g. job title, organisation unit, location, organisation. The rules are not going to be all that complicated, e.g.

    if ((user.jobTitle.name == "case worker") AND (user.org.name == "companyA") AND (user.location.code == "NY")) then addRole(user, securityRole)

but we don't want to have to recompile the application each time a rule changes or a rule is added or removed.

Options? e.g. DROOLS rule engine (seems a bit too heavyweight for what we want to achieve).

In our case the application is built using ISIS and already contains a domain that has all the HR context required for RBAC determinations, i.e. a full object graph containing all the input information to the RBAC rule would be available. The solution would need to fit nicely with ISIS.

Any ideas would be appreciated.

N.B. do not get confused with Shiro security for the application - that's orthogonal to the functional capability that we are wanting to build. And yes, I know we can go and buy specialized products that do this functional capability but we have good reasons for not going down that path.

Thanks in advance,
David.
Re: rules externalised from the code
Hi Oscar, Thanks. That's handy. We'll explore that new feature. Cheers, David.