(I apologize, I sent this to Shiro Developers, not Shiro Users, I need to read more better)
Hello all,

I'm trying to simplify a complex set of rules. I'm going to use the example of schools/districts/courses/assignments... here's my swing at it:

Districts, Schools, Courses and Assignments
Administrators, Teachers and Students

Scenario #1 - I am an administrator, I can create Schools for my district, I can create Courses for my district
    "district:5:school:create"
    "district:5:school:*:course:create"

Scenario #2 - I am a teacher, I can create courses for my school
    "district:5:school:23:course:create"

Scenario #3 - I am a student, I can view my assignments
    "district:5:school:23:course:14:assignment:23:view"
    "district:5:school:23:course:14:assignment:24:view"

Scenario #4 - I am a consultant, I can view all assignments in a district regardless of school
    "district:5:school:*:course:*:assignment:*:view"

Scenario #5 - I am a principal, I can do whatever I want in my School
    "district:5:school:23"

Scenario #6 - I am a substitute, I can assign students in courses I have access to
    "district:5:school:23:course:14:assign"
    "district:5:school:23:course:15:assign"
    "district:1:school:155:course:15:assign"

Here's my problem... Technically speaking, Scenario #3 could look like this:
    "assignment:23:view"

But that conflicts with Scenario #4:
    "district:5:school:*:course:*:assignment:*:view"

Is it best to have a full chain like I am describing? Is this using Shiro improperly?

Any help would be appreciated. I don't want to go down this road and then have someone else come by it in 5 years and put it on DailyWTF :)

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Data-Permissions-Heirarchy-tp6375897p6375897.html
Sent from the Shiro User mailing list archive at Nabble.com.
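The conflict between the short and full-chain forms can be checked directly against Shiro's `WildcardPermission.implies()`. The following is an added example, not part of the original post: the class name, the role labels and the school-24 check are assumptions made for illustration, and it needs shiro-core on the classpath and Java 9+ for `List.of`.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class PermissionChainCheck {
    // Grants copied from the post's scenarios; the role keys are labels for this example only.
    static final Map<String, List<String>> GRANTS = new LinkedHashMap<>();
    static {
        GRANTS.put("administrator", List.of("district:5:school:create",
                                            "district:5:school:*:course:create"));
        GRANTS.put("teacher", List.of("district:5:school:23:course:create"));
        GRANTS.put("student", List.of("district:5:school:23:course:14:assignment:23:view",
                                      "district:5:school:23:course:14:assignment:24:view"));
        GRANTS.put("consultant", List.of("district:5:school:*:course:*:assignment:*:view"));
        GRANTS.put("principal", List.of("district:5:school:23"));
    }

    // True when any permission granted to the role implies the requested one.
    static boolean isPermitted(String role, String requested) {
        Permission wanted = new WildcardPermission(requested);
        return GRANTS.get(role).stream()
                .map(WildcardPermission::new)
                .anyMatch(granted -> granted.implies(wanted));
    }

    public static void main(String[] args) {
        String[] checks = {
            "district:5:school:23:course:14:assignment:23:view", // full chain (Scenario #3)
            "assignment:23:view",                                // short form from the post
            "district:5:school:23:course:create",                // Scenario #2
            "district:5:school:24:course:create"                 // constructed: a different school
        };
        for (String requested : checks) {
            System.out.println(requested);
            for (String role : GRANTS.keySet()) {
                System.out.printf("    %-13s %s%n", role,
                        isPermitted(role, requested) ? "permitted" : "denied");
            }
        }
    }
}
```

Matching runs part by part from the left, so the full-chain check is permitted for the student, consultant and principal, while `assignment:23:view` is denied for all of them because `district` never matches `assignment`. A grant that stops early, such as the principal's `district:5:school:23`, implies every longer permission beneath it, including actions added later.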
