Hi, David. We've been using Drools in our current (non-Isis) version. It can seem a bit of overengineering, but the fact is that the core is quite lightweight. If you want Guvnor (the full rules editor and repository) its a big war, but not the core.
Perhaps another option would be to implement it with scripting [1], but I'm quite sure you've considered it as well. I think the only options are to have them hard-coded, or externalized as rules or scripts. Thanks, Oscar [1] http://commons.apache.org/proper/commons-bsf/ El 07/08/2013, a las 08:44, David Tildesley <[email protected]> escribió: > Hi, > > We are looking at building a RBAC capability that evaluates security > entitlements for users. The business rule to determine an effective role may > be based on a combination of the users attributes. e.g. job title, > organisation unit, location, organisation. The rules are not going to be all > that complicated e.g. > > if ((user.jobTitle.name == "case worker")) AND (user.org.name == "companyA") > AND (user.location.code == "NY")) then > addRole(user, securityRole) > > but we don't want to have to recompile the application each time a rule > changes or a rule is added or removed. > > Options? e.g. DROOLS rule engine (seems a bit too heavy weight for what we > want to achieve). > > In our case the application is built using ISIS and already contains a domain > that has all the HR context required for RBAC determinations. i.e. a full > object graph containing all the input information to the RBAC rule would be > available.The solution would need to fit nicely with ISIS. > > > Any ideas would be appreciated. > > N.B. do not get confused with Shiro security for the application - that's > orthogonal to the functional capability that we are wanting to build.And yes, > I know we can go and buy specialized products that do this functional > capability but we have good reasons for not going down that path. > > > Thanks in advance, > David.
