Thanks for your review David,
From: "David E Jones" <[email protected]>
What is a "Security Role"?
Al spoke about Security Role when you are using a permission with _ROLE_ in it.
I took this information from pages Al wrote in the
old Wiki.
In that page (the "OFBiz security" page) the stuff mentioned about the
role-limited permissions is incorrect.
What is incorrect exactly? I just put facts I found in code and in answers on
user/dev ML (from Bilgin and Adrian I guess).
The purpose of role-limited permissions is to tie a SecurityPermission to
record level security using the RoleType/PartyRole and
related entities. In OFBiz this is how record level permissions are done, i.e.
somehow the user (through their Party record) is
associated with another record in the database, and that specific relationship
must exist in order for the role-limited
permission to take effect.
I put your explanation in the role-limited permissions section. I did not
remove the examples for now. I think it helps newbies to
understand how it's used. Please let me know what's wrong.
Jacques
-David
On Dec 11, 2008, at 12:27 PM, Jacques Le Roux wrote:
Maybe we could use "Security Roles" and not "Role limited permissions" inside
Security Groups for more flexibility?
Definitions are in http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
I will use that for now because I need something to move forward
Jacques
From: "Ray" <[email protected]>
It came about from a requirement driven around roles so that was the
suggested limiter. The example would be someone with a role of "Sales
Rep" who works in house answering calls, processing paperwork might
easily deal with 200 a day whereas someone operating as "Sales
Consultant" in the field visiting clients personally might only deal
with 20 a day.
They both have security to access the same client view but the user
request was to limit them with a differing number of allowed accesses
based on their roles.
If that needs to be translated into security groups for implementation
to fit in with OFBiz practices then fine, I'm not struck to it being
roles. This was thought to be a generally useful feature others might be
interested in hence we are trying to make it compatible for the community.
Ray
David E Jones wrote:
Instead of attaching this to a Party RoleType, it would be better to
attach it to a SecurityPermission or SecurityGroup. Access to resources
like pages and such is governed by permissions in OFBiz, and roles are
used for record-level security (like which parties a user can
view/edit/etc as opposed to being able to use the view profile screen).
-David
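
The distinction drawn in this thread between plain permissions and role-limited (`_ROLE_`) permissions, as an added example that is not part of the original messages and is not OFBiz code or its API. It is a simplified in-memory model; the class, the method names, the `CLIENT_*` permission ids, the parties and the records are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified in-memory model (assumption). Entity names echo the thread;
# permission ids, party ids and records below are constructed sample data.
@dataclass
class SecurityModel:
    group_permissions: dict = field(default_factory=dict)  # group -> {permission ids}
    user_groups: dict = field(default_factory=dict)        # party -> {group ids}
    record_roles: set = field(default_factory=set)         # (party, record, role type)

    def permissions_of(self, party_id):
        perms = set()
        for group_id in self.user_groups.get(party_id, ()):
            perms |= self.group_permissions.get(group_id, set())
        return perms

    def has_permission(self, party_id, app, action):
        # Plain permission: access to the screen/resource, for any record.
        return f"{app}_{action}" in self.permissions_of(party_id)

    def has_role_permission(self, party_id, app, action, record_id, role_type):
        # Modelling choice: an unrestricted permission covers every record.
        if self.has_permission(party_id, app, action):
            return True
        # Role-limited permission: takes effect only if the party is tied
        # to this specific record in the required role.
        if f"{app}_ROLE_{action}" not in self.permissions_of(party_id):
            return False
        return (party_id, record_id, role_type) in self.record_roles


def build_sample():
    return SecurityModel(
        group_permissions={"VIEWERS": {"CLIENT_VIEW"}, "REPS": {"CLIENT_ROLE_VIEW"}},
        user_groups={"alice": {"VIEWERS"}, "bob": {"REPS"}},
        # carol holds the role on the record but has no permission at all.
        record_roles={("bob", "CLIENT-1", "SALES_REP"), ("carol", "CLIENT-1", "SALES_REP")},
    )


if __name__ == "__main__":
    m = build_sample()
    for party in ("alice", "bob", "carol"):
        for rec in ("CLIENT-1", "CLIENT-2"):
            ok = m.has_role_permission(party, "CLIENT", "VIEW", rec, "SALES_REP")
            print(f"{party} view {rec}: {'allow' if ok else 'deny'}")
```

In this model a role association without the matching permission grants nothing, and the role-limited permission without the association to the specific record grants nothing either.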