Thanks, Abhishek P On Tue, Jun 13, 2017 at 2:51 PM, Abhishek P <[email protected]> wrote:
> I can think of two ways to accomplish this in an RBAC system: > 1. Your style: Associating unique role with user and adding permissions > 2. Associating unique role to each conversation , which would then be > added to each use in question. > > > > > > On Sat, Jun 10, 2017 at 2:09 AM, dfee <[email protected]> wrote: > >> I'm thinking through a Shiro implementation for a web application, but I'm >> running into a wall when it comes to translating an Allow / Deny ACEs >> system >> into an RBAC permission model (allow only). >> >> Supposed we have two database models <Discussion>, <Message (N:1 of >> Discussion)>. Discussions may be private, and if so, only members of the >> discussion should be aware the discussion exists when searching, view the >> discussion, and post messages to it. Messages, then, should be visible to >> members of the discussion (or if the discussion is public, then available >> to >> all users). >> >> This seemingly requires the following permissions: >> `discussion:create,retrieve,update,delete:{discussion_id}` >> `message:c,r,u,d:message_id` >> >> Due to allowing private conversations, it seems a wildcard strategy >> wouldn't >> work (i.e. `discussion:retrieve:*` granted to a role: `public`). But as >> the >> system scales from 1 public conversation to N public conversations, each >> user gains 2N permissions (`discussion:create,retrieve:{discussion_id}`). >> >> This leads me to believe I don't properly understand modeling as the cost >> of >> retrieving permissions for a user will climb very quickly / scale poorly. >> >> It also seems that each private conversation needs it's own role, to which >> permissions of that channel can be prescribed. >> >> Is there a more sane way to model this? Or is this the constraint of >> using a >> Shiro-type RBAC system? >> >> Thanks, >> Devin >> >> >> >> -- >> View this message in context: http://shiro-user.582556.n2.na >> bble.com/RBAC-architecture-for-web-app-tp7581644.html >> Sent from the Shiro User mailing list archive at Nabble.com. >> > >
