3 Replies Latest reply on Apr 16, 2010 4:25 PM by dsteinwe

    Dynamically manage role permissions

    eyalzf

      Hi All,
      I'm pretty much a newbie to JBoss security & JAAS and I need your help with the following requirement we have in our application.

      We have a set of predefined permissions that we know at development time and can assign to EJBs. We need to be able to assign those permissions to roles in the organization through an API in the application.

      We can't use simple role based security as the most granular actors in our application are roles, so we need to assign the permissions to the roles and not directly to the users (which are eventually assigned a role - managed in the customer user store).

      As I mentioned before, the permissions are a closed set and are not configurable. The only configuration is who gets those permissions, and that ability should be given to the Admin of our application.

      We considered using a hierarchy of roles, giving each logical role a set of permission-roles and using the standard role-based EJB security. For that we are considering a custom login module to flatten the list of roles.

      Let me know what you think and if there's any best practice for such a scenario.

      Just one thing. We want to stay in the JAAS realm as much as possible and avoid using some other security framework.

      Thanks,
      Eyal
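
The role-flattening login module the question considers, written out as an added example (it is not code from this thread). It extends JBoss's UsernamePasswordLoginModule, which is what a JBoss security domain calls for password validation and for the caller's role groups; the password table, the user-to-role data and the admin-managed role-to-permission mapping are constructed in-memory stand-ins, and FlattenedRoleLoginModule, PERM_VIEW_ORDERS and PERM_APPROVE_ORDERS are hypothetical names.

```java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Custom JBoss login module that flattens the role hierarchy: the user's
 * organisational role(s) are looked up, and every permission-role the admin has
 * assigned to them is added to the "Roles" group, so plain @RolesAllowed("PERM_...")
 * on the EJBs keeps working. Hypothetical example; the three maps stand in for the
 * customer user store and the application's admin-managed mapping.
 */
public class FlattenedRoleLoginModule extends UsernamePasswordLoginModule {

    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, Set<String>> USER_ROLES = new HashMap<String, Set<String>>();
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<String, Set<String>>();

    static {
        // Constructed demo data. A real store keeps hashed passwords; JBoss's
        // hashAlgorithm/hashEncoding module options make the base class compare hashes.
        PASSWORDS.put("alice", "demo-password");
        USER_ROLES.put("alice", set("manager"));
        ROLE_PERMISSIONS.put("manager", set("PERM_VIEW_ORDERS", "PERM_APPROVE_ORDERS"));
        ROLE_PERMISSIONS.put("clerk", set("PERM_VIEW_ORDERS"));
    }

    /** Expected password for the user being authenticated; the base class does the comparison. */
    @Override
    protected String getUsersPassword() throws LoginException {
        String expected = PASSWORDS.get(getUsername());
        if (expected == null) {
            throw new FailedLoginException("unknown user");
        }
        return expected;
    }

    /** Role groups for the authenticated user; "Roles" is the group JBoss reads for EJB authorisation. */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        for (String role : flatten(USER_ROLES.get(getUsername()), ROLE_PERMISSIONS)) {
            roles.addMember(new SimplePrincipal(role));
        }
        return new Group[] { roles };
    }

    /** Union of the organisational roles and every permission-role each of them maps to. */
    static Set<String> flatten(Set<String> orgRoles, Map<String, Set<String>> rolePermissions) {
        Set<String> flat = new HashSet<String>();
        if (orgRoles == null) {
            return flat;                       // no roles: an empty "Roles" group, so every @RolesAllowed check fails
        }
        for (String role : orgRoles) {
            flat.add(role);
            Set<String> perms = rolePermissions.get(role);
            if (perms != null) {
                flat.addAll(perms);
            }
        }
        return flat;
    }

    private static Set<String> set(String... items) {
        Set<String> s = new HashSet<String>();
        for (String item : items) {
            s.add(item);
        }
        return s;
    }
}
```

The module is wired into a security domain in login-config.xml like any other JBoss login module, and the EJBs then use @RolesAllowed with the permission-role names. One property of this design worth keeping in mind: flattening happens at login, so when the admin changes the role-to-permission mapping the change reaches a user only at that user's next login, unlike a check performed on every call.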

        • 1. Re: Dynamically manage role permissions
          dsteinwe

          Do authentication with jaas. For authorisation I suggest EJB3 interceptors. In the interceptor you can check the permissions for a principal (-> context information).
          For lean code you may define your own permission annotations for the facade's methods. In the interceptor you access this metadata.

          HTH Dieter

          • 2. Re: Dynamically manage role permissions
            eyal.zfira

            "dsteinwe" wrote:
            Do authentication with jaas. For authorisation I suggest EJB3 interceptors. In the interceptor you can check the permissions for a principal (-> context information).
            For lean code you may define your own permission annotations for the facade's methods. In the interceptor you access this metadata.
            HTH Dieter


            So in this way I basically have my own role-to-permission data model which I have to inquire in the interceptors, right?

            • 3. Re: Dynamically manage role permissions
              dsteinwe

              Yes. I have implemented a database access in the interceptor to check the authorisation. If the data are small enough to load into memory you can improve the speed.
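
The interceptor approach from replies 1 to 3, as an added example that is not code posted by dsteinwe or eyal.zfira: a custom permission annotation on the facade's methods, an EJB3 @AroundInvoke interceptor that reads the annotation from the InvocationContext and checks the caller, and an in-memory role-to-permission store that the admin API replaces atomically (standing in for the database lookup reply 3 describes). Permission, RequiresPermission, PermissionStore, PermissionInterceptor and OrderFacadeBean are hypothetical names, and the sample mapping is constructed. The types are shown in one listing; in a project each top-level type goes in its own file.

```java
import java.lang.annotation.*;
import java.util.*;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;

/** The closed set of permissions known at development time (hypothetical names). */
enum Permission { VIEW_ORDERS, APPROVE_ORDERS, MANAGE_USERS }

/** Permission annotation for facade methods; the interceptor reads it at call time. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresPermission {
    Permission[] value();
}

/**
 * Role -> permission mapping edited through the admin API and held in memory so the
 * interceptor does not query the database on every call. A real store would also
 * persist the mapping; here reload() is fed a constructed map.
 */
final class PermissionStore {
    private static final PermissionStore INSTANCE = new PermissionStore();
    // Replaced as a whole on reload, so callers never observe a half-updated mapping.
    private volatile Map<String, Set<Permission>> rolePermissions = Collections.emptyMap();

    static PermissionStore get() { return INSTANCE; }

    /** Admin API entry point: install a defensive, unmodifiable copy of the new mapping. */
    void reload(Map<String, Set<Permission>> fresh) {
        Map<String, Set<Permission>> copy = new HashMap<String, Set<Permission>>();
        for (Map.Entry<String, Set<Permission>> e : fresh.entrySet()) {
            copy.put(e.getKey(), Collections.unmodifiableSet(new HashSet<Permission>(e.getValue())));
        }
        rolePermissions = Collections.unmodifiableMap(copy);
    }

    /** Roles that currently grant the permission; empty if nobody has it. */
    Set<String> rolesGranting(Permission p) {
        Set<String> roles = new HashSet<String>();
        for (Map.Entry<String, Set<Permission>> e : rolePermissions.entrySet()) {
            if (e.getValue().contains(p)) {
                roles.add(e.getKey());
            }
        }
        return roles;
    }
}

/** EJB3 interceptor: JAAS has already authenticated the caller; authorisation happens here. */
public class PermissionInterceptor {
    @Resource
    private SessionContext ctx;   // gives the caller principal and the caller's JAAS roles

    @AroundInvoke
    public Object checkPermission(InvocationContext ic) throws Exception {
        RequiresPermission required = ic.getMethod().getAnnotation(RequiresPermission.class);
        if (required == null) {
            // Deny by default: a facade method with no declared permission is a coding error, not open access.
            throw new EJBAccessException("No permission declared on " + ic.getMethod().getName());
        }
        for (Permission p : required.value()) {
            if (!callerHas(p)) {
                throw new EJBAccessException(ctx.getCallerPrincipal().getName()
                        + " lacks " + p + " for " + ic.getMethod().getName());
            }
        }
        return ic.proceed();
    }

    /** The caller has a permission if any of the caller's JAAS roles currently grants it. */
    private boolean callerHas(Permission p) {
        for (String role : PermissionStore.get().rolesGranting(p)) {
            if (ctx.isCallerInRole(role)) {
                return true;
            }
        }
        return false;
    }
}

/** A facade using the annotation; the interceptor runs before each business method. */
@Stateless
@Interceptors(PermissionInterceptor.class)
public class OrderFacadeBean {
    @RequiresPermission(Permission.VIEW_ORDERS)
    public List<String> listOrders() {
        return Arrays.asList("order-1", "order-2");   // constructed result
    }

    @RequiresPermission({ Permission.VIEW_ORDERS, Permission.APPROVE_ORDERS })
    public void approveOrder(long orderId) {
        // business logic
    }
}
```

Two points to check when wiring this in. First, isCallerInRole only sees the roles the JAAS login module placed in the caller's subject, and some EJB 3.0 containers expect those role names to be declared on the bean with @DeclareRoles, so test it on the target JBoss version. Second, because the mapping is consulted on every call rather than copied into the subject at login, an admin change takes effect immediately for users already logged in; the denial is an EJBAccessException, which the container reports to the client the same way a failed @RolesAllowed check would.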