This page discusses the authorization design for the BRMS/Guvnor.
Authentication is handled already via JAAS and Seam.
The container (through JAAS) provides authentication services, for example against LDAP.
Authorization takes this further by allowing admins to specify who can do what. Role assignment will NOT be done with LDAP groups (in most organisations, that is far too inflexible and primitive to be useful). Instead, the BRMS will have the ability to assign user accounts to roles (and the roles are assigned capabilities), i.e. this will be stored in the BRMS database.
Enforcement happens at the service layer (ServiceImplementation) using Seam, but the GUI will also need to be aware of it (using the security service API) so that visual elements aren't shown if they aren't allowed (otherwise people will try something, and get an angry error message back from the server).
Built-in roles:
admin = everything
package.admin = everything for that package, including creating snapshots for that package.
package.developer = everything for that package, NOT snapshots (can view snapshots of that package only).
package.analyst = can read all contents. Can only edit/create files of "business" type, can run tests, and edit tests.
package.testonly = can create, run, edit, and delete tests only.
package.readonly = read-only access to everything.
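
The sketch below is an added example, not Guvnor's own code: it shows one deny-by-default decision function over the built-in roles, used both to enforce at the service layer and to answer the GUI's "should I show this control?" question. All class, enum and method names, the asset kinds and the sample grants are hypothetical; it assumes the testonly role may also read tests.

```java
import java.util.List;

public class AuthzSketch {
    enum Role { ADMIN, PACKAGE_ADMIN, PACKAGE_DEVELOPER, PACKAGE_ANALYST, PACKAGE_TESTONLY, PACKAGE_READONLY }
    enum Action { READ, CREATE, EDIT, DELETE, RUN }
    enum Kind { BUSINESS, TECHNICAL, TEST, SNAPSHOT }   // hypothetical asset kinds

    // One user-to-role assignment as stored in the BRMS database (pkg is ignored for ADMIN).
    record Grant(String user, Role role, String pkg) {}

    // What a single built-in role permits, following the role list above.
    static boolean roleAllows(Role role, Action a, Kind k) {
        switch (role) {
            case ADMIN:
            case PACKAGE_ADMIN:     return true;
            case PACKAGE_DEVELOPER: return k != Kind.SNAPSHOT || a == Action.READ;
            case PACKAGE_ANALYST:
                if (a == Action.READ) return true;
                if (k == Kind.TEST) return a == Action.RUN || a == Action.EDIT;
                return k == Kind.BUSINESS && (a == Action.CREATE || a == Action.EDIT);
            case PACKAGE_TESTONLY:  return k == Kind.TEST;   // assumption: includes reading tests
            case PACKAGE_READONLY:  return a == Action.READ;
            default:                return false;
        }
    }

    // Deny by default: allowed only if some grant for this user covers the package and the action.
    static boolean isAllowed(List<Grant> grants, String user, String pkg, Action a, Kind k) {
        for (Grant g : grants) {
            boolean inScope = g.role() == Role.ADMIN || pkg.equals(g.pkg());
            if (g.user().equals(user) && inScope && roleAllows(g.role(), a, k)) return true;
        }
        return false;
    }

    // Server side: the service method refuses before doing any work.
    static void enforce(List<Grant> grants, String user, String pkg, Action a, Kind k) {
        if (!isAllowed(grants, user, pkg, a, k))
            throw new SecurityException(user + " may not " + a + " " + k + " in " + pkg);
    }

    public static void main(String[] args) {
        List<Grant> grants = List.of(                    // constructed sample data
            new Grant("alice", Role.PACKAGE_ANALYST, "loans"),
            new Grant("bob", Role.PACKAGE_DEVELOPER, "loans"));
        // GUI side: the same decision, used to hide controls rather than surface a server error.
        System.out.println("show edit button: " + isAllowed(grants, "alice", "loans", Action.EDIT, Kind.TECHNICAL));
        System.out.println("show snapshot button: " + isAllowed(grants, "bob", "loans", Action.CREATE, Kind.SNAPSHOT));
        enforce(grants, "alice", "loans", Action.EDIT, Kind.BUSINESS);   // passes silently
        enforce(grants, "alice", "claims", Action.READ, Kind.BUSINESS);  // no grant for this package: throws
    }
}
```

Hiding a control in the GUI is a usability measure only; the service-layer check is what actually protects the package, so both must call the same decision function.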
Fine-grained ACLs
This does not cover ACLs on a per-asset basis (some work was done in that regard, but it is not covered by this design).