5 Replies Latest reply on Mar 31, 2014 7:55 PM by shane.bryzak

    The best way to implement a permssion web control.


      Hello everyone,


      My task for this weekend is to design a web control for managing user permissions and I was wondering if someone may have already tried this before. My idea is to have a dropdown menu to select a user, and then a list of resources alongside a datatable full of booleans to mark which permissions are allowed:


      (Dropdown) User:Michael



      In a backing bean, I would have two lists and a user object:

      1) A List<User> current users

      2) A User object that is the current selected user from the dropdown box

      3) A List<Permission> for the selected user



      Upon selection of the user, I would load the table with the values of the permissions list organized by resource. When a boolean is checked or unchecked, the permission would be granted or revoked. My two main questions are:

      1) Is there a way to get a list of Permission based on an identity type?

      2) Is there a way to sort a list of permissions based on the resource? Possibly a Map<Object(Resource), ArrayList<Permission>>.


      This is my favorite feature of the project I'm helping develop, so I hope I can get this working. Any advice would be appreciated.

        • 1. Re: The best way to implement a permssion web control.

          Hi Michael,


          The Permissions API is still a work in progress and won't be fully complete until the 2.6.0.Final release.  Having said that though it should be already possible to use it in the way that you're describing.  I have been thinking a bit about how a permission management UI should look but haven't come up with anything definitive as yet, although what you have looks like a good start however I would "invert" what you have and make the resource something you select, and then display the assigned permissions for it.  I'll try to explain further below while answering your other questions:


          1) It is actually quite a challenge to list Permissions based on an identity type.  We are currently working on a feature called permission inheritance chains which is planned for the 2.6.0.Final release.  Basically this feature will give you the ability to declare the "flow" of privileges between the assignee (such as a group or role) and a user.  For example, if user A is the member of group B, and group B is assigned role C, then any permissions assigned to role C should also apply to user A.  Hope I explained it clearly, but basically you can't just assume that a permission will be assigned directly to a user, hence no user parameter in the listPermissions() methods in the PermissionManager interface.  Instead, from a permission management point of view you should query by the resource that you're interested in to determine which permissions exist for that resource, hence the suggestion above to invert your UI.


          2) Sorting operations are currently up to you, if you want a Map that contains the permissions for multiple resources then that will require multiple calls to listPermissions() to populate that Map.


          Hope that helps a bit!

          • 2. Re: The best way to implement a permssion web control.

            Thank you Shane,


            The permission inheritance makes perfect sense to me. I just implemented a page to manage users, and when an account try to create a user, I check if the user, the user's role, or the user's group has permission to perform that action. I know that, for the majority of cases, it will be the role or the group that the identity belongs to that will have the permission to perform a given action, and not the identity type itself.


            I am going to implement my permission control based on the resource now. When I get the permission object, I only have the assignee in terms of an ID. If that ID can belong to a user, role or group, does this mean that as I create my datatable, I will have to attempt to do a lookup of all three identity types to see which one matches that ID? (That is, if I want the user/role/group name of the assignee, I have to query all the users to see if any have the ID, and then the same for roles and groups.)


            Your answer has helped a lot!

            • 3. Re: The best way to implement a permssion web control.

              You should actually receive a list of IdentityPermission objects, which has a getAssignee() method that returns the IdentityType to which the permission is assigned.  If you're only getting an ID and nothing else, then it's a bug.

              • 4. Re: The best way to implement a permssion web control.

                You are right. The assignees are actually listed as their proper objects. The issue is that the account types' names are null. I'm assuming that this is because they are a custom type. I'll do some more debugging on this soon.

                Screen Shot 2014-03-31 at 10.58.02 AM.png

                • 5. Re: The best way to implement a permssion web control.

                  It could most likely be a bug in our code.  Could you describe your database schema in a little more detail?