The Permissions API is still a work in progress and won't be fully complete until the 2.6.0.Final release. Having said that, though, it should already be possible to use it in the way that you're describing. I have been thinking a bit about how a permission management UI should look but haven't come up with anything definitive as yet. What you have looks like a good start; however, I would "invert" what you have and make the resource something you select, and then display the assigned permissions for it. I'll try to explain further below while answering your other questions:
1) It is actually quite a challenge to list Permissions based on an identity type. We are currently working on a feature called permission inheritance chains which is planned for the 2.6.0.Final release. Basically this feature will give you the ability to declare the "flow" of privileges between the assignee (such as a group or role) and a user. For example, if user A is a member of group B, and group B is assigned role C, then any permissions assigned to role C should also apply to user A. Hope I explained it clearly, but basically you can't just assume that a permission will be assigned directly to a user, hence no user parameter in the listPermissions() methods in the PermissionManager interface. Instead, from a permission management point of view you should query by the resource that you're interested in to determine which permissions exist for that resource, hence the suggestion above to invert your UI.
2) Sorting operations are currently up to you. If you want a Map that contains the permissions for multiple resources, then that will require multiple calls to listPermissions() to populate that Map.
Hope that helps a bit!
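The inheritance chain from point 1 (user A in group B, group B assigned role C), combined with the query-by-resource approach, as an added example that is not part of the original posts and does not use PicketLink's own classes. The `Grant` record, the `INHERITS_FROM` map and all sample data are constructed for illustration.

```java
import java.util.*;

// Added illustration; these types are hypothetical stand-ins, not PicketLink classes.
public class InheritanceChainDemo {
    // One permission row, as a resource-centric query would return it.
    record Grant(String resource, String operation, String assignee) {}

    // Constructed sample data: each identity maps to the assignees it inherits from.
    static final Map<String, List<String>> INHERITS_FROM = Map.of(
        "user:A", List.of("group:B"),
        "group:B", List.of("role:C"));

    static final List<Grant> GRANTS = List.of(
        new Grant("customer:42", "read", "role:C"),
        new Grant("customer:42", "update", "user:A"),
        new Grant("customer:42", "delete", "role:admin"),
        new Grant("customer:7", "read", "group:B"));

    // Every assignee whose permissions flow to the identity, including itself.
    static Set<String> chain(String identity) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(List.of(identity));
        while (!todo.isEmpty()) {
            String current = todo.pop();
            if (seen.add(current)) { // add() is false on a repeat, so cycles terminate
                todo.addAll(INHERITS_FROM.getOrDefault(current, List.of()));
            }
        }
        return seen;
    }

    // Query by resource first, then keep the grants whose assignee is in the chain.
    // The result maps each allowed operation to the assignee that supplies it.
    static Map<String, String> effective(String resource, String identity) {
        Set<String> assignees = chain(identity);
        Map<String, String> result = new TreeMap<>();
        for (Grant g : GRANTS) {
            if (g.resource().equals(resource) && assignees.contains(g.assignee())) {
                result.putIfAbsent(g.operation(), g.assignee());
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // user:A holds one grant directly and one through group:B and role:C.
        System.out.println(effective("customer:42", "user:A"));
        // An identity with no chain and no direct grant gets nothing.
        System.out.println(effective("customer:42", "user:Z"));
    }
}
```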
Thank you Shane,
The permission inheritance makes perfect sense to me. I just implemented a page to manage users, and when an account tries to create a user, I check if the user, the user's role, or the user's group has permission to perform that action. I know that, for the majority of cases, it will be the role or the group that the identity belongs to that will have the permission to perform a given action, and not the identity type itself.
I am going to implement my permission control based on the resource now. When I get the permission object, I only have the assignee in terms of an ID. If that ID can belong to a user, role or group, does this mean that as I create my datatable, I will have to attempt to do a lookup of all three identity types to see which one matches that ID? (That is, if I want the user/role/group name of the assignee, I have to query all the users to see if any have the ID, and then the same for roles and groups.)
Your answer has helped a lot!
You should actually receive a list of IdentityPermission objects, which has a getAssignee() method that returns the IdentityType to which the permission is assigned. If you're only getting an ID and nothing else, then it's a bug.
It could most likely be a bug in our code. Could you describe your database schema in a little more detail?