Okay, so it seems that Adrian and I have a very similar idea. The only
major difference I see is one is artifact based and the other is
process based. In the artifact based system, each artifact needs to
register itself, and somehow the framework needs to know how to
process access control for each artifact. Each artifact still has
permissions, so it will check to see if the user has specific
permission(s) for the artifact. Access control logic is still
required, and the system will need to know how to process this for
each artifact. I'm not clear yet what that would look like, but so far
it doesn't sound much different.
In the process based system, instead of registering artifacts, the
developer registers process based strings with the system (in the
designs this is handled by seed data). Logic is attached to each
process string (or parent process string when parent/child share the
same logic). Authorization is handled per process by checking to see
if the user has "permission" to perform that process. Processes are
hierarchical (it appears the domain based system is as well) where a
user with access to the higher level of the hierarchy has implied
access to all the lower levels.
The question I believe now is, which is better? I personally think in
terms of processes which is why what I proposed was all process based.
However, artifact based may be more granular, but possibly too
granular. If I understand this right, artifact based we could
potentially have different access requirements for every single form/
screen/service/entity/etc; where in a process based system the
developer would define the processes as part of the application and
these processes could be shared across common artifacts (forms can
share with screens that share with services, etc).
Does this sound like a fair assessment?
Andrew
On May 3, 2009, at 10:22 PM, Adrian Crum wrote:
Understood.
If there is any interest in the design, and we start to flesh it
out, I'm sure those scenarios could be presented and addressed.
-Adrian
--- On Sun, 5/3/09, Andrew Zeneski <andrew.zene...@hotwaxmedia.com>
wrote:
From: Andrew Zeneski <andrew.zene...@hotwaxmedia.com>
Subject: Re: Domain Based Security ( was re: Authz...)
To: dev@ofbiz.apache.org
Date: Sunday, May 3, 2009, 7:11 PM
Because no matter how we design security for the default
implementation in OFBiz there will always be some industry,
or business requirement that is not covered, there is no way
we can plan for every possible scenario. Thus, we need to
make sure there are simple ways to modify the default
behavior without having to intrude into the low level
functionality. This is one of the key issues I have been
trying to solve.
On May 3, 2009, at 7:26 PM, Adrian Crum wrote:
My followup question will be, how do I customize
the access
logic for a specific client so that I can maintain
my own
logic in a private component and avoid problems
when
updating applications?
Why would you want to do that? I can't think of a
reason why a security system would need to be changed.
