Nice solution! On the latest snapshot it is possible by using the new "executeSql(...)" method in the IsisJdoSupport service.

On 07/08/2013, at 09:37, David Tildesley <davo...@yahoo.co.nz> wrote:

> Would JDO query be a candidate (assuming the query text can be associated
> with an object and loaded from a persistent source at run-time and then
> executed)?
>
> Regards,
> David.
>
> ________________________________
> From: David Tildesley <davo...@yahoo.co.nz>
> To: users <users@isis.apache.org>
> Sent: Wednesday, 7 August 2013 6:44 PM
> Subject: rules externalised from the code
>
> Hi,
>
> We are looking at building a RBAC capability that evaluates security
> entitlements for users. The business rule to determine an effective role may
> be based on a combination of the user's attributes, e.g. job title,
> organisation unit, location, organisation. The rules are not going to be all
> that complicated, e.g.
>
> if ((user.jobTitle.name == "case worker") AND (user.org.name == "companyA")
> AND (user.location.code == "NY")) then
>     addRole(user, securityRole)
>
> but we don't want to have to recompile the application each time a rule
> changes or a rule is added or removed.
>
> Options? e.g. DROOLS rule engine (seems a bit too heavyweight for what we
> want to achieve).
>
> In our case the application is built using ISIS and already contains a domain
> that has all the HR context required for RBAC determinations, i.e. a full
> object graph containing all the input information to the RBAC rule would be
> available. The solution would need to fit nicely with ISIS.
>
> Any ideas would be appreciated.
>
> N.B. do not get confused with Shiro security for the application - that's
> orthogonal to the functional capability that we are wanting to build. And yes,
> I know we can go and buy specialized products that do this functional
> capability but we have good reasons for not going down that path.
>
> Thanks in advance,
> David.
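
An added example, not part of the original thread and not Isis code: the rule quoted above kept as data and evaluated at run time, so a rule can change without recompiling and no stored text is ever executed as a query or script. The class, record and rule-line format are hypothetical, the sample rules are constructed, and Java 16+ is assumed for records.

```java
import java.util.*;
import java.util.function.Function;

public class ExternalRoleRules {
    // Hypothetical stand-in for the HR object graph mentioned in the thread.
    record User(String jobTitle, String org, String locationCode) {}

    // Allow-list: a stored rule may only refer to these attribute names.
    static final Map<String, Function<User, String>> ATTRIBUTES = Map.of(
        "jobTitle.name", User::jobTitle,
        "org.name", User::org,
        "location.code", User::locationCode);

    // A rule is plain data: the role is granted only if every condition matches (AND).
    record Rule(String role, Map<String, String> conditions) {}

    // Parses one stored line of the assumed form "role <- attr=value; attr=value".
    static Rule parse(String line) {
        String[] parts = line.split("<-", 2);
        if (parts.length != 2 || parts[0].isBlank())
            throw new IllegalArgumentException("bad rule: " + line);
        Map<String, String> conds = new LinkedHashMap<>();
        for (String c : parts[1].split(";")) {
            String[] kv = c.split("=", 2);
            // Reject malformed conditions and unknown attributes at load time.
            // An empty condition list also fails here, so no rule can match everyone.
            if (kv.length != 2 || !ATTRIBUTES.containsKey(kv[0].trim()))
                throw new IllegalArgumentException("bad condition: " + c);
            conds.put(kv[0].trim(), kv[1].trim());
        }
        return new Rule(parts[0].trim(), conds);
    }

    // Returns the roles whose conditions all hold for this user.
    static Set<String> effectiveRoles(User u, List<Rule> rules) {
        Set<String> roles = new TreeSet<>();
        for (Rule r : rules) {
            boolean all = r.conditions().entrySet().stream()
                .allMatch(e -> e.getValue().equals(ATTRIBUTES.get(e.getKey()).apply(u)));
            if (all) roles.add(r.role());
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample rules, as they might be read from a table at run time.
        List<Rule> rules = List.of(
            parse("caseWorkerNY <- jobTitle.name=case worker; org.name=companyA; location.code=NY"),
            parse("auditor <- jobTitle.name=auditor"));
        System.out.println(effectiveRoles(new User("case worker", "companyA", "NY"), rules));
        System.out.println(effectiveRoles(new User("case worker", "companyB", "NY"), rules));
    }
}
```

Because the rule store decides who receives which role, write access to it needs the same control and audit trail as the role assignments themselves.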