This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes OO, Patterns, UML and Refactoring and the fly likes design query Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Engineering » OO, Patterns, UML and Refactoring
Bookmark "design query" Watch "design query" New topic
Author

design query

satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
we are developing a general authentication and authorization application

This is supposed to cater to multiple products of our organisation

Lets say Product A , B & C

We are planning to have different roles which are common ( a master set of roles )

Depending on each applications needs - the roles can be mapped in a mapping table

We also have a set of common functions that user can perform :: ie CRUD operations

Upto this point here is the db design ::

Master table for Products ( Product A , B , C etc )
Master Table for Roles ( Admin , Manager , End user , SuperAdmin etc )
Master Table for Functions ( CRUD operations etc )

Mapping tables ::
1 >
Product_Role_mapping :: Maps the Products to the roles ( Product A might only need roles of " Admin " & " EndUser" while Product B might need roles of "Admin" , " Manager " , " SuperAdmin" )

Now here is my question ::

In addition each role can perform different functions for different products ( defined by business )

As an example ::
"Admin" in "Product A " can " Create " , " Edit " & " delete "
"Admin" in "Product B " can " Create " but NOT ALLOWED to " Edit " & " delete "

I was wondering ::
Option A :: use another database table in which we map the product , role , functions
This would indicate that for a given product , given role - these are allowed functions

Option B :: in Java code check what product it is and what role and programmatically decide if the operation is allowed or not

Personally feel Option A is good.

To what extent is such design relying on db for configuration good ?
should we externalise it from db into a config file ( xml , csv ) for the same ?

One more question regarding another requirement

For the same product ( as en example Product A - there are three roles ::
Admin , Manager & End user )

Admin can Delete Manager as well as End user
Manager can delete end user but NOT Admin
End user can perform no delete operations

The problem here being even with a db mpping table for earlier req - the issue is that for same product the same role can perform " delete" but that "delete" depends on who the logged in user is and on what type(role) of user it is performed .

So for such a situation - what would be the approach ?

Any ideas , criticism is welcome !

Thanks ,
~satish
Varun Chopra
Ranch Hand

Joined: Jul 10, 2008
Posts: 211
In my view, ProductAAdmin and ProductBAamin are different roles because their functions are different. So you should create more roles, as an example:

Admin1 (Create, Modify)
Admin2 (Create, Delete)
Admin3 (Create, Delete, Modify)

Map roles to functions, keep products separate from functions.
Map products to users (admin user or other users) and users to roles.

product>users>roles>functions

As far as using XML or CSV is concerned, I don't think there is agreement on this issue in the industry. You can use property files to define roles and functions (like ACLs) but then you will have to make sure file is re-loaded when you change things. Advantage here is that roles are closer to the application logic where they belong, database is for domain data, hence roles do not belong there. But as I said I am still waiting for a stronger argument in favor of files over db tables.


I could not get your last question, if you elaborate I can try to answer.


-Varun -
(My Blog) - Online Certifications - Webner Solutions
satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Thanks Varun for your views

earlier question ::
One more question regarding another requirement

For the same product ( as en example Product A - there are three roles ::
Admin , Manager & End user )

Admin & Manager can Delete "End user"
Manager can delete "end user" but NOT "Admin"
End user can perform no delete operations

even with a db mpping table for earlier req - the issue is that for same product the same role can perform " delete" but that "delete" depends on who the logged in user is and on what type(role) of user it is performed .

So for such a situation - what would be the approach ?



what I meant here was that even if we were to design the db table such that we assign what "role" can perform what "functions" in this case the "delete" function can be performed by both "Admin" and "Manager"

However what user type can delete which other user type is further refined

In such a case - would it be fair to place the app logic in application ::

Ex ::


Thanks ,
~satish
[ July 25, 2008: Message edited by: satish bodas ]
Varun Chopra
Ranch Hand

Joined: Jul 10, 2008
Posts: 211
However what user type can delete which other user type is further refined


Again, flatten that out into multiple functions:

<Function List>
Delete Product
Delete User
Delete ADMIN
Delete Manager

And assign all above to ADMIN role, "Delete User" and "Delete Product" to Manager role and so on.
satish bodas
Ranch Hand

Joined: Jun 19, 2008
Posts: 116
Thanks Varun
Varun Chopra
Ranch Hand

Joined: Jul 10, 2008
Posts: 211
You are welcome.
Rajah Nagur
Ranch Hand

Joined: Nov 06, 2002
Posts: 239

[ July 30, 2008: Message edited by: Rajah Nagur ]

You can't wake a person who is <b><i>pretending</i></b> to be asleep.<br />Like what <b>"it"</b> does not like - <i> Gurdjieff </i>
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: design query
 
Similar Threads
Java Job in MA
scwcd companion question
j_security_ckeck problem
J2EE & EJB roles in Ireland
cannot login in tomcat adim