Brainstorming: Security Configuration Patterns

> David E Jones wrote:
>> 1. artifacts responsible for their own security (especially  
>> services and screens), and security permissions are referred to  
>> directly (ie the actual permissions are configured directly in the  
>> XML tags for the artifact)
>
> If this is referring to my proposal, it's not accurate. It should be  
> more like:
>
> 1. Artifacts (any screen widget, service, or entity) are security-
> aware and exhibit default behavior based on a user's permissions.

>
> This thread is specifically for discussing possible configuration
> patterns to use in OFBiz going forward. Please keep other discussion
> in another thread, including the merits of each possibility... let's
> just brainstorm in this thread.
>
> To get things started, here are the patterns that have been discussed
> recently (in high level terms, we can get into implementation and
> specific practices later on), these are in no particular order:
>
> 1. artifacts responsible for their own security (especially services
> and screens), and security permissions are referred to directly (ie
> the actual permissions are configured directly in the XML tags for the
> artifact)
>
> 2. artifacts responsible for their own security, and no direct
> references are used and instead an indirect security control is
> referred to; this is basically the permission service model we've been
> using where a permission service is basically a security policy that
> refers to permissions, can query/filter/whatever to do record level
> security, and in customization the permission service can be
> overridden or its function changed by ECA rules without touching any
> OOTB code or configuration
>
> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
> and there is external configuration based on those permissions that
> can add other qualifying permissions and/or invoke logic to change how
> that permission is evaluated (ie override the default behavior of
> requiring the user to have that permission and either add additional
> constraints or allow alternative constraints even if the user does not
> have the original permission that triggered it all); this is recursive
> so that if an alternative permission is configured that permission may
> also have further alternative permissions; also being recursive if
> attached logic evaluates other permissions that may have alternative
> permissions and/or permission logic attached to them; as I understand
> what Andrew has implemented, this is the pattern he followed
>
> 4. artifacts are not responsible for their own security except to
> specify whether any sort of permission is required or not (ie a
> require-permission attribute, would be true by default; for example
> most ecommerce screens would have this set to false); access control
> would be configured externally so that you can configure access at the
> most granular level possible (we would go ALL the way here, including:
> screens, services, forms, form fields, menu items, tree nodes, etc,
> etc); the access control tools would have patterns and features to
> facilitate grouping of artifacts, grouping of users (ie just use the
> current SecurityGroup entity), and support for both functionality
> access and record-level access
>
> Can anyone thing of other patterns? Again, PLEASE do not comment on
> which one you like better or what you think the advantages or
> disadvantages are of each in this thread (of course, definitely think
> about such things and feel free to comment in other threads, I just
> want this to be a "hat's off" (yes, that is a reference to Six
> Thinking Hats by Edward de Bono; anyone who hasn't read that should
> give it a go!) brainstorming session.
>
> Thank You!
> -David
>
>

> Hi All:
> One pattern I worked with some time ago is called Role Based Access
> Control (RBAC). This would be similar to #4 below, where you have a
> "role" - with permissions associated with that role - defining
> authorization levels. If you are interested in exploring this further,
> I'd be happy to elaborate.
>
> Ruth
> David E Jones wrote:
>>
>> This thread is specifically for discussing possible configuration
>> patterns to use in OFBiz going forward. Please keep other discussion
>> in another thread, including the merits of each possibility... let's
>> just brainstorm in this thread.
>>
>> To get things started, here are the patterns that have been discussed
>> recently (in high level terms, we can get into implementation and
>> specific practices later on), these are in no particular order:
>>
>> 1. artifacts responsible for their own security (especially services
>> and screens), and security permissions are referred to directly (ie
>> the actual permissions are configured directly in the XML tags for the
>> artifact)
>>
>> 2. artifacts responsible for their own security, and no direct
>> references are used and instead an indirect security control is
>> referred to; this is basically the permission service model we've been
>> using where a permission service is basically a security policy that
>> refers to permissions, can query/filter/whatever to do record level
>> security, and in customization the permission service can be
>> overridden or its function changed by ECA rules without touching any
>> OOTB code or configuration
>>
>> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
>> and there is external configuration based on those permissions that
>> can add other qualifying permissions and/or invoke logic to change how
>> that permission is evaluated (ie override the default behavior of
>> requiring the user to have that permission and either add additional
>> constraints or allow alternative constraints even if the user does not
>> have the original permission that triggered it all); this is recursive
>> so that if an alternative permission is configured that permission may
>> also have further alternative permissions; also being recursive if
>> attached logic evaluates other permissions that may have alternative
>> permissions and/or permission logic attached to them; as I understand
>> what Andrew has implemented, this is the pattern he followed
>>
>> 4. artifacts are not responsible for their own security except to
>> specify whether any sort of permission is required or not (ie a
>> require-permission attribute, would be true by default; for example
>> most ecommerce screens would have this set to false); access control
>> would be configured externally so that you can configure access at the
>> most granular level possible (we would go ALL the way here, including:
>> screens, services, forms, form fields, menu items, tree nodes, etc,
>> etc); the access control tools would have patterns and features to
>> facilitate grouping of artifacts, grouping of users (ie just use the
>> current SecurityGroup entity), and support for both functionality
>> access and record-level access
>>
>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>> which one you like better or what you think the advantages or
>> disadvantages are of each in this thread (of course, definitely think
>> about such things and feel free to comment in other threads, I just
>> want this to be a "hat's off" (yes, that is a reference to Six
>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>> give it a go!) brainstorming session.
>>
>> Thank You!
>> -David
>>
>>
>
>

> Novell Netware has that, plus security groups. You can assign
> permissions to roles or groups, then assign the users to roles or groups.
>
> Another thing Netware has that might be useful - security equivalency.
> If two users require exactly the same sets of permissions, you don't
> have to assign those permissions twice. You assign permissions for one
> user, then make the second user "security equivalent" to the first.
>
> -Adrian
>
> Ruth Hoffman wrote:
>> Hi All:
>> One pattern I worked with some time ago is called Role Based Access
>> Control (RBAC). This would be similar to #4 below, where you have a
>> "role" - with permissions associated with that role - defining
>> authorization levels. If you are interested in exploring this
>> further, I'd be happy to elaborate.
>>
>> Ruth
>> David E Jones wrote:
>>>
>>> This thread is specifically for discussing possible configuration
>>> patterns to use in OFBiz going forward. Please keep other discussion
>>> in another thread, including the merits of each possibility... let's
>>> just brainstorm in this thread.
>>>
>>> To get things started, here are the patterns that have been
>>> discussed recently (in high level terms, we can get into
>>> implementation and specific practices later on), these are in no
>>> particular order:
>>>
>>> 1. artifacts responsible for their own security (especially services
>>> and screens), and security permissions are referred to directly (ie
>>> the actual permissions are configured directly in the XML tags for
>>> the artifact)
>>>
>>> 2. artifacts responsible for their own security, and no direct
>>> references are used and instead an indirect security control is
>>> referred to; this is basically the permission service model we've
>>> been using where a permission service is basically a security policy
>>> that refers to permissions, can query/filter/whatever to do record
>>> level security, and in customization the permission service can be
>>> overridden or its function changed by ECA rules without touching any
>>> OOTB code or configuration
>>>
>>> 3. a hybrid of #1 and #2 where artifacts refer directly to
>>> permissions and there is external configuration based on those
>>> permissions that can add other qualifying permissions and/or invoke
>>> logic to change how that permission is evaluated (ie override the
>>> default behavior of requiring the user to have that permission and
>>> either add additional constraints or allow alternative constraints
>>> even if the user does not have the original permission that
>>> triggered it all); this is recursive so that if an alternative
>>> permission is configured that permission may also have further
>>> alternative permissions; also being recursive if attached logic
>>> evaluates other permissions that may have alternative permissions
>>> and/or permission logic attached to them; as I understand what
>>> Andrew has implemented, this is the pattern he followed
>>>
>>> 4. artifacts are not responsible for their own security except to
>>> specify whether any sort of permission is required or not (ie a
>>> require-permission attribute, would be true by default; for example
>>> most ecommerce screens would have this set to false); access control
>>> would be configured externally so that you can configure access at
>>> the most granular level possible (we would go ALL the way here,
>>> including: screens, services, forms, form fields, menu items, tree
>>> nodes, etc, etc); the access control tools would have patterns and
>>> features to facilitate grouping of artifacts, grouping of users (ie
>>> just use the current SecurityGroup entity), and support for both
>>> functionality access and record-level access
>>>
>>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>>> which one you like better or what you think the advantages or
>>> disadvantages are of each in this thread (of course, definitely
>>> think about such things and feel free to comment in other threads, I
>>> just want this to be a "hat's off" (yes, that is a reference to Six
>>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>>> give it a go!) brainstorming session.
>>>
>>> Thank You!
>>> -David
>>>
>>>
>>
>>
>

>
> This thread is specifically for discussing possible configuration
> patterns to use in OFBiz going forward. Please keep other discussion
> in another thread, including the merits of each possibility... let's
> just brainstorm in this thread.
>
> To get things started, here are the patterns that have been discussed
> recently (in high level terms, we can get into implementation and
> specific practices later on), these are in no particular order:
>
> 1. artifacts responsible for their own security (especially services
> and screens), and security permissions are referred to directly (ie
> the actual permissions are configured directly in the XML tags for the
> artifact)
>
> 2. artifacts responsible for their own security, and no direct
> references are used and instead an indirect security control is
> referred to; this is basically the permission service model we've been
> using where a permission service is basically a security policy that
> refers to permissions, can query/filter/whatever to do record level
> security, and in customization the permission service can be
> overridden or its function changed by ECA rules without touching any
> OOTB code or configuration
>
> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
> and there is external configuration based on those permissions that
> can add other qualifying permissions and/or invoke logic to change how
> that permission is evaluated (ie override the default behavior of
> requiring the user to have that permission and either add additional
> constraints or allow alternative constraints even if the user does not
> have the original permission that triggered it all); this is recursive
> so that if an alternative permission is configured that permission may
> also have further alternative permissions; also being recursive if
> attached logic evaluates other permissions that may have alternative
> permissions and/or permission logic attached to them; as I understand
> what Andrew has implemented, this is the pattern he followed
>
> 4. artifacts are not responsible for their own security except to
> specify whether any sort of permission is required or not (ie a
> require-permission attribute, would be true by default; for example
> most ecommerce screens would have this set to false); access control
> would be configured externally so that you can configure access at the
> most granular level possible (we would go ALL the way here, including:
> screens, services, forms, form fields, menu items, tree nodes, etc,
> etc); the access control tools would have patterns and features to
> facilitate grouping of artifacts, grouping of users (ie just use the
> current SecurityGroup entity), and support for both functionality
> access and record-level access
>
> Can anyone thing of other patterns? Again, PLEASE do not comment on
> which one you like better or what you think the advantages or
> disadvantages are of each in this thread (of course, definitely think
> about such things and feel free to comment in other threads, I just
> want this to be a "hat's off" (yes, that is a reference to Six
> Thinking Hats by Edward de Bono; anyone who hasn't read that should
> give it a go!) brainstorming session.
>
> Thank You!
> -David
>
>

> In security equivalency, what would happen if the permission for first
> user are changed? Does these permission are also applied to second user?
>
> Vikas
>
> On May 5, 2009, at 8:50 PM, Adrian Crum wrote:
>
>> Novell Netware has that, plus security groups. You can assign
>> permissions to roles or groups, then assign the users to roles or groups.
>>
>> Another thing Netware has that might be useful - security equivalency.
>> If two users require exactly the same sets of permissions, you don't
>> have to assign those permissions twice. You assign permissions for one
>> user, then make the second user "security equivalent" to the first.
>>
>> -Adrian
>>
>> Ruth Hoffman wrote:
>>> Hi All:
>>> One pattern I worked with some time ago is called Role Based Access
>>> Control (RBAC). This would be similar to #4 below, where you have a
>>> "role" - with permissions associated with that role - defining
>>> authorization levels. If you are interested in exploring this
>>> further, I'd be happy to elaborate.
>>> Ruth
>>> David E Jones wrote:
>>>>
>>>> This thread is specifically for discussing possible configuration
>>>> patterns to use in OFBiz going forward. Please keep other discussion
>>>> in another thread, including the merits of each possibility... let's
>>>> just brainstorm in this thread.
>>>>
>>>> To get things started, here are the patterns that have been
>>>> discussed recently (in high level terms, we can get into
>>>> implementation and specific practices later on), these are in no
>>>> particular order:
>>>>
>>>> 1. artifacts responsible for their own security (especially services
>>>> and screens), and security permissions are referred to directly (ie
>>>> the actual permissions are configured directly in the XML tags for
>>>> the artifact)
>>>>
>>>> 2. artifacts responsible for their own security, and no direct
>>>> references are used and instead an indirect security control is
>>>> referred to; this is basically the permission service model we've
>>>> been using where a permission service is basically a security policy
>>>> that refers to permissions, can query/filter/whatever to do record
>>>> level security, and in customization the permission service can be
>>>> overridden or its function changed by ECA rules without touching any
>>>> OOTB code or configuration
>>>>
>>>> 3. a hybrid of #1 and #2 where artifacts refer directly to
>>>> permissions and there is external configuration based on those
>>>> permissions that can add other qualifying permissions and/or invoke
>>>> logic to change how that permission is evaluated (ie override the
>>>> default behavior of requiring the user to have that permission and
>>>> either add additional constraints or allow alternative constraints
>>>> even if the user does not have the original permission that
>>>> triggered it all); this is recursive so that if an alternative
>>>> permission is configured that permission may also have further
>>>> alternative permissions; also being recursive if attached logic
>>>> evaluates other permissions that may have alternative permissions
>>>> and/or permission logic attached to them; as I understand what
>>>> Andrew has implemented, this is the pattern he followed
>>>>
>>>> 4. artifacts are not responsible for their own security except to
>>>> specify whether any sort of permission is required or not (ie a
>>>> require-permission attribute, would be true by default; for example
>>>> most ecommerce screens would have this set to false); access control
>>>> would be configured externally so that you can configure access at
>>>> the most granular level possible (we would go ALL the way here,
>>>> including: screens, services, forms, form fields, menu items, tree
>>>> nodes, etc, etc); the access control tools would have patterns and
>>>> features to facilitate grouping of artifacts, grouping of users (ie
>>>> just use the current SecurityGroup entity), and support for both
>>>> functionality access and record-level access
>>>>
>>>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>>>> which one you like better or what you think the advantages or
>>>> disadvantages are of each in this thread (of course, definitely
>>>> think about such things and feel free to comment in other threads, I
>>>> just want this to be a "hat's off" (yes, that is a reference to Six
>>>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>>>> give it a go!) brainstorming session.
>>>>
>>>> Thank You!
>>>> -David
>>>>
>>>>
>

> I think an important thing missing is parentId in SecurityGroup.
> Adding that would give you heirarchy. Groups sort of are roles.  
> Group has association with Subject(UserLogin through  
> UserLoginSecurityGroup), Permission(SecurityGroupPermission),  
> Permission is tied implicitly to action and resource.. Sort of RBAC.
>
> Harmeet
>
> ----- Original Message -----
> From: "Ruth Hoffman" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
> Subject: Re: Brainstorming: Security Configuration Patterns
>
> Hi All:
> One pattern I worked with some time ago is called Role Based Access
> Control (RBAC). This would be similar to #4 below, where you have a
> "role" - with permissions associated with that role - defining
> authorization levels. If you are interested in exploring this further,
> I'd be happy to elaborate.
>
> Ruth
> David E Jones wrote:
>>
>> This thread is specifically for discussing possible configuration
>> patterns to use in OFBiz going forward. Please keep other discussion
>> in another thread, including the merits of each possibility... let's
>> just brainstorm in this thread.
>>
>> To get things started, here are the patterns that have been discussed
>> recently (in high level terms, we can get into implementation and
>> specific practices later on), these are in no particular order:
>>
>> 1. artifacts responsible for their own security (especially services
>> and screens), and security permissions are referred to directly (ie
>> the actual permissions are configured directly in the XML tags for  
>> the
>> artifact)
>>
>> 2. artifacts responsible for their own security, and no direct
>> references are used and instead an indirect security control is
>> referred to; this is basically the permission service model we've  
>> been
>> using where a permission service is basically a security policy that
>> refers to permissions, can query/filter/whatever to do record level
>> security, and in customization the permission service can be
>> overridden or its function changed by ECA rules without touching any
>> OOTB code or configuration
>>
>> 3. a hybrid of #1 and #2 where artifacts refer directly to  
>> permissions
>> and there is external configuration based on those permissions that
>> can add other qualifying permissions and/or invoke logic to change  
>> how
>> that permission is evaluated (ie override the default behavior of
>> requiring the user to have that permission and either add additional
>> constraints or allow alternative constraints even if the user does  
>> not
>> have the original permission that triggered it all); this is  
>> recursive
>> so that if an alternative permission is configured that permission  
>> may
>> also have further alternative permissions; also being recursive if
>> attached logic evaluates other permissions that may have alternative
>> permissions and/or permission logic attached to them; as I understand
>> what Andrew has implemented, this is the pattern he followed
>>
>> 4. artifacts are not responsible for their own security except to
>> specify whether any sort of permission is required or not (ie a
>> require-permission attribute, would be true by default; for example
>> most ecommerce screens would have this set to false); access control
>> would be configured externally so that you can configure access at  
>> the
>> most granular level possible (we would go ALL the way here,  
>> including:
>> screens, services, forms, form fields, menu items, tree nodes, etc,
>> etc); the access control tools would have patterns and features to
>> facilitate grouping of artifacts, grouping of users (ie just use the
>> current SecurityGroup entity), and support for both functionality
>> access and record-level access
>>
>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>> which one you like better or what you think the advantages or
>> disadvantages are of each in this thread (of course, definitely think
>> about such things and feel free to comment in other threads, I just
>> want this to be a "hat's off" (yes, that is a reference to Six
>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>> give it a go!) brainstorming session.
>>
>> Thank You!
>> -David
>>
>>
>

> I think an important thing missing is parentId in SecurityGroup.
> Adding that would give you heirarchy. Groups sort of are roles. Group has association with Subject(UserLogin through UserLoginSecurityGroup), Permission(SecurityGroupPermission), Permission is tied implicitly to action and resource.. Sort of RBAC.
>
> Harmeet
>
> ----- Original Message -----
> From: "Ruth Hoffman" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
> Subject: Re: Brainstorming: Security Configuration Patterns
>
> Hi All:
> One pattern I worked with some time ago is called Role Based Access
> Control (RBAC). This would be similar to #4 below, where you have a
> "role" - with permissions associated with that role - defining
> authorization levels. If you are interested in exploring this further,
> I'd be happy to elaborate.
>
> Ruth
> David E Jones wrote:
>  
>> This thread is specifically for discussing possible configuration
>> patterns to use in OFBiz going forward. Please keep other discussion
>> in another thread, including the merits of each possibility... let's
>> just brainstorm in this thread.
>>
>> To get things started, here are the patterns that have been discussed
>> recently (in high level terms, we can get into implementation and
>> specific practices later on), these are in no particular order:
>>
>> 1. artifacts responsible for their own security (especially services
>> and screens), and security permissions are referred to directly (ie
>> the actual permissions are configured directly in the XML tags for the
>> artifact)
>>
>> 2. artifacts responsible for their own security, and no direct
>> references are used and instead an indirect security control is
>> referred to; this is basically the permission service model we've been
>> using where a permission service is basically a security policy that
>> refers to permissions, can query/filter/whatever to do record level
>> security, and in customization the permission service can be
>> overridden or its function changed by ECA rules without touching any
>> OOTB code or configuration
>>
>> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
>> and there is external configuration based on those permissions that
>> can add other qualifying permissions and/or invoke logic to change how
>> that permission is evaluated (ie override the default behavior of
>> requiring the user to have that permission and either add additional
>> constraints or allow alternative constraints even if the user does not
>> have the original permission that triggered it all); this is recursive
>> so that if an alternative permission is configured that permission may
>> also have further alternative permissions; also being recursive if
>> attached logic evaluates other permissions that may have alternative
>> permissions and/or permission logic attached to them; as I understand
>> what Andrew has implemented, this is the pattern he followed
>>
>> 4. artifacts are not responsible for their own security except to
>> specify whether any sort of permission is required or not (ie a
>> require-permission attribute, would be true by default; for example
>> most ecommerce screens would have this set to false); access control
>> would be configured externally so that you can configure access at the
>> most granular level possible (we would go ALL the way here, including:
>> screens, services, forms, form fields, menu items, tree nodes, etc,
>> etc); the access control tools would have patterns and features to
>> facilitate grouping of artifacts, grouping of users (ie just use the
>> current SecurityGroup entity), and support for both functionality
>> access and record-level access
>>
>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>> which one you like better or what you think the advantages or
>> disadvantages are of each in this thread (of course, definitely think
>> about such things and feel free to comment in other threads, I just
>> want this to be a "hat's off" (yes, that is a reference to Six
>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>> give it a go!) brainstorming session.
>>
>> Thank You!
>> -David
>>
>>
>>    
>
>
>  

> I think an important thing missing is parentId in SecurityGroup.
> Adding that would give you heirarchy. Groups sort of are roles. Group has association with Subject(UserLogin through UserLoginSecurityGroup), Permission(SecurityGroupPermission), Permission is tied implicitly to action and resource.. Sort of RBAC.
>
> Harmeet
>
> ----- Original Message -----
> From: "Ruth Hoffman" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
> Subject: Re: Brainstorming: Security Configuration Patterns
>
> Hi All:
> One pattern I worked with some time ago is called Role Based Access
> Control (RBAC). This would be similar to #4 below, where you have a
> "role" - with permissions associated with that role - defining
> authorization levels. If you are interested in exploring this further,
> I'd be happy to elaborate.
>
> Ruth
> David E Jones wrote:
>  
>> This thread is specifically for discussing possible configuration
>> patterns to use in OFBiz going forward. Please keep other discussion
>> in another thread, including the merits of each possibility... let's
>> just brainstorm in this thread.
>>
>> To get things started, here are the patterns that have been discussed
>> recently (in high level terms, we can get into implementation and
>> specific practices later on), these are in no particular order:
>>
>> 1. artifacts responsible for their own security (especially services
>> and screens), and security permissions are referred to directly (ie
>> the actual permissions are configured directly in the XML tags for the
>> artifact)
>>
>> 2. artifacts responsible for their own security, and no direct
>> references are used and instead an indirect security control is
>> referred to; this is basically the permission service model we've been
>> using where a permission service is basically a security policy that
>> refers to permissions, can query/filter/whatever to do record level
>> security, and in customization the permission service can be
>> overridden or its function changed by ECA rules without touching any
>> OOTB code or configuration
>>
>> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
>> and there is external configuration based on those permissions that
>> can add other qualifying permissions and/or invoke logic to change how
>> that permission is evaluated (ie override the default behavior of
>> requiring the user to have that permission and either add additional
>> constraints or allow alternative constraints even if the user does not
>> have the original permission that triggered it all); this is recursive
>> so that if an alternative permission is configured that permission may
>> also have further alternative permissions; also being recursive if
>> attached logic evaluates other permissions that may have alternative
>> permissions and/or permission logic attached to them; as I understand
>> what Andrew has implemented, this is the pattern he followed
>>
>> 4. artifacts are not responsible for their own security except to
>> specify whether any sort of permission is required or not (ie a
>> require-permission attribute, would be true by default; for example
>> most ecommerce screens would have this set to false); access control
>> would be configured externally so that you can configure access at the
>> most granular level possible (we would go ALL the way here, including:
>> screens, services, forms, form fields, menu items, tree nodes, etc,
>> etc); the access control tools would have patterns and features to
>> facilitate grouping of artifacts, grouping of users (ie just use the
>> current SecurityGroup entity), and support for both functionality
>> access and record-level access
>>
>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>> which one you like better or what you think the advantages or
>> disadvantages are of each in this thread (of course, definitely think
>> about such things and feel free to comment in other threads, I just
>> want this to be a "hat's off" (yes, that is a reference to Six
>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>> give it a go!) brainstorming session.
>>
>> Thank You!
>> -David
>>
>>
>>    
>
>
>  

> To me this seemed to be intent from data model.
>
> - Group is PartyGroup that can be a collection of party through  
> PartyRelationship.
> - PartyGroup is a Party. SecurityGroup can apply to Party hence to a  
> PartyGroup
> - SecurityGroup is not a group of users, it is a role that applies  
> to a Party.
>
>
> On closer inspection that does seem to be the case.
> It seems that SecurityGroup is really a collection of user logins..  
> so not a role at all.
>
> I see your point.. inserting a SecurityRole entity between Group and  
> Permission would be more flexible. In that case SecurityGroup is  
> really a UserLoginGroup.
>
> Harmeet
>
> ----- Original Message -----
> From: "Ruth Hoffman" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, May 5, 2009 1:44:34 PM GMT -05:00 US/Canada Eastern
> Subject: Re: Brainstorming: Security Configuration Patterns
>
> Harmeet:
>
> Groups within OFBiz are similar to roles but in the RBAC model a  
> "role"
> is an entity in and of itself. A group or collection of groups (also
> defined in RBAC as unique entities) may have one or more roles applied
> to them just as a user might. I think the value of RBAC is in its
> extensibility.
>
> For example, by defining "roles" we can abstract the definition of a
> permission (the security constraint in this case) away from the
> assignment of the permission.
>
> Just my 2 cents.
> Ruth
>> I think an important thing missing is parentId in SecurityGroup.
>> Adding that would give you heirarchy. Groups sort of are roles.  
>> Group has association with Subject(UserLogin through  
>> UserLoginSecurityGroup), Permission(SecurityGroupPermission),  
>> Permission is tied implicitly to action and resource.. Sort of RBAC.
>>
>> Harmeet
>>
>> ----- Original Message -----
>> From: "Ruth Hoffman" <[hidden email]>
>> To: [hidden email]
>> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
>> Subject: Re: Brainstorming: Security Configuration Patterns
>>
>> Hi All:
>> One pattern I worked with some time ago is called Role Based Access
>> Control (RBAC). This would be similar to #4 below, where you have a
>> "role" - with permissions associated with that role - defining
>> authorization levels. If you are interested in exploring this  
>> further,
>> I'd be happy to elaborate.
>>
>> Ruth
>> David E Jones wrote:
>>
>>> This thread is specifically for discussing possible configuration
>>> patterns to use in OFBiz going forward. Please keep other discussion
>>> in another thread, including the merits of each possibility... let's
>>> just brainstorm in this thread.
>>>
>>> To get things started, here are the patterns that have been  
>>> discussed
>>> recently (in high level terms, we can get into implementation and
>>> specific practices later on), these are in no particular order:
>>>
>>> 1. artifacts responsible for their own security (especially services
>>> and screens), and security permissions are referred to directly (ie
>>> the actual permissions are configured directly in the XML tags for  
>>> the
>>> artifact)
>>>
>>> 2. artifacts responsible for their own security, and no direct
>>> references are used and instead an indirect security control is
>>> referred to; this is basically the permission service model we've  
>>> been
>>> using where a permission service is basically a security policy that
>>> refers to permissions, can query/filter/whatever to do record level
>>> security, and in customization the permission service can be
>>> overridden or its function changed by ECA rules without touching any
>>> OOTB code or configuration
>>>
>>> 3. a hybrid of #1 and #2 where artifacts refer directly to  
>>> permissions
>>> and there is external configuration based on those permissions that
>>> can add other qualifying permissions and/or invoke logic to change  
>>> how
>>> that permission is evaluated (ie override the default behavior of
>>> requiring the user to have that permission and either add additional
>>> constraints or allow alternative constraints even if the user does  
>>> not
>>> have the original permission that triggered it all); this is  
>>> recursive
>>> so that if an alternative permission is configured that permission  
>>> may
>>> also have further alternative permissions; also being recursive if
>>> attached logic evaluates other permissions that may have alternative
>>> permissions and/or permission logic attached to them; as I  
>>> understand
>>> what Andrew has implemented, this is the pattern he followed
>>>
>>> 4. artifacts are not responsible for their own security except to
>>> specify whether any sort of permission is required or not (ie a
>>> require-permission attribute, would be true by default; for example
>>> most ecommerce screens would have this set to false); access control
>>> would be configured externally so that you can configure access at  
>>> the
>>> most granular level possible (we would go ALL the way here,  
>>> including:
>>> screens, services, forms, form fields, menu items, tree nodes, etc,
>>> etc); the access control tools would have patterns and features to
>>> facilitate grouping of artifacts, grouping of users (ie just use the
>>> current SecurityGroup entity), and support for both functionality
>>> access and record-level access
>>>
>>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>>> which one you like better or what you think the advantages or
>>> disadvantages are of each in this thread (of course, definitely  
>>> think
>>> about such things and feel free to comment in other threads, I just
>>> want this to be a "hat's off" (yes, that is a reference to Six
>>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>>> give it a go!) brainstorming session.
>>>
>>> Thank You!
>>> -David
>>>
>>>
>>>
>>
>>
>>
>

> Actually, SecurityGroup is a group that links permissions
> (SecurityGroupPermission) which then get associated with UserLogins
> (UserLoginSecurityGroup). In some systems a Role is a collection of
> permissions, much like a SecurityGroup in OFBiz.
>
>
> On May 5, 2009, at 2:26 PM, Harmeet Bedi wrote:
>
> To me this seemed to be intent from data model.
>>
>> - Group is PartyGroup that can be a collection of party through
>> PartyRelationship.
>> - PartyGroup is a Party. SecurityGroup can apply to Party hence to a
>> PartyGroup
>> - SecurityGroup is not a group of users, it is a role that applies to a
>> Party.
>>
>>
>> On closer inspection that does seem to be the case.
>> It seems that SecurityGroup is really a collection of user logins.. so not
>> a role at all.
>>
>> I see your point.. inserting a SecurityRole entity between Group and
>> Permission would be more flexible. In that case SecurityGroup is really a
>> UserLoginGroup.
>>
>> Harmeet
>>
>> ----- Original Message -----
>> From: "Ruth Hoffman" <[hidden email]>
>> To: [hidden email]
>> Sent: Tuesday, May 5, 2009 1:44:34 PM GMT -05:00 US/Canada Eastern
>> Subject: Re: Brainstorming: Security Configuration Patterns
>>
>> Harmeet:
>>
>> Groups within OFBiz are similar to roles but in the RBAC model a "role"
>> is an entity in and of itself. A group or collection of groups (also
>> defined in RBAC as unique entities) may have one or more roles applied
>> to them just as a user might. I think the value of RBAC is in its
>> extensibility.
>>
>> For example, by defining "roles" we can abstract the definition of a
>> permission (the security constraint in this case) away from the
>> assignment of the permission.
>>
>> Just my 2 cents.
>> Ruth
>>
>>> I think an important thing missing is parentId in SecurityGroup.
>>> Adding that would give you heirarchy. Groups sort of are roles. Group has
>>> association with Subject(UserLogin through UserLoginSecurityGroup),
>>> Permission(SecurityGroupPermission), Permission is tied implicitly to action
>>> and resource.. Sort of RBAC.
>>>
>>> Harmeet
>>>
>>> ----- Original Message -----
>>> From: "Ruth Hoffman" <[hidden email]>
>>> To: [hidden email]
>>> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
>>> Subject: Re: Brainstorming: Security Configuration Patterns
>>>
>>> Hi All:
>>> One pattern I worked with some time ago is called Role Based Access
>>> Control (RBAC). This would be similar to #4 below, where you have a
>>> "role" - with permissions associated with that role - defining
>>> authorization levels. If you are interested in exploring this further,
>>> I'd be happy to elaborate.
>>>
>>> Ruth
>>> David E Jones wrote:
>>>
>>> This thread is specifically for discussing possible configuration
>>>> patterns to use in OFBiz going forward. Please keep other discussion
>>>> in another thread, including the merits of each possibility... let's
>>>> just brainstorm in this thread.
>>>>
>>>> To get things started, here are the patterns that have been discussed
>>>> recently (in high level terms, we can get into implementation and
>>>> specific practices later on), these are in no particular order:
>>>>
>>>> 1. artifacts responsible for their own security (especially services
>>>> and screens), and security permissions are referred to directly (ie
>>>> the actual permissions are configured directly in the XML tags for the
>>>> artifact)
>>>>
>>>> 2. artifacts responsible for their own security, and no direct
>>>> references are used and instead an indirect security control is
>>>> referred to; this is basically the permission service model we've been
>>>> using where a permission service is basically a security policy that
>>>> refers to permissions, can query/filter/whatever to do record level
>>>> security, and in customization the permission service can be
>>>> overridden or its function changed by ECA rules without touching any
>>>> OOTB code or configuration
>>>>
>>>> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
>>>> and there is external configuration based on those permissions that
>>>> can add other qualifying permissions and/or invoke logic to change how
>>>> that permission is evaluated (ie override the default behavior of
>>>> requiring the user to have that permission and either add additional
>>>> constraints or allow alternative constraints even if the user does not
>>>> have the original permission that triggered it all); this is recursive
>>>> so that if an alternative permission is configured that permission may
>>>> also have further alternative permissions; also being recursive if
>>>> attached logic evaluates other permissions that may have alternative
>>>> permissions and/or permission logic attached to them; as I understand
>>>> what Andrew has implemented, this is the pattern he followed
>>>>
>>>> 4. artifacts are not responsible for their own security except to
>>>> specify whether any sort of permission is required or not (ie a
>>>> require-permission attribute, would be true by default; for example
>>>> most ecommerce screens would have this set to false); access control
>>>> would be configured externally so that you can configure access at the
>>>> most granular level possible (we would go ALL the way here, including:
>>>> screens, services, forms, form fields, menu items, tree nodes, etc,
>>>> etc); the access control tools would have patterns and features to
>>>> facilitate grouping of artifacts, grouping of users (ie just use the
>>>> current SecurityGroup entity), and support for both functionality
>>>> access and record-level access
>>>>
>>>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>>>> which one you like better or what you think the advantages or
>>>> disadvantages are of each in this thread (of course, definitely think
>>>> about such things and feel free to comment in other threads, I just
>>>> want this to be a "hat's off" (yes, that is a reference to Six
>>>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>>>> give it a go!) brainstorming session.
>>>>
>>>> Thank You!
>>>> -David
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>

> Hi,
>
> Ideas:
>
> 1 - LDAP Secure Integration
> 2 - Implementation the Rest URL Secure ( LDAP based ).
> 3 - SOAP Header ( Service BUS Security concept ).
>
>
>
> 2009/5/5 Andrew Zeneski <[hidden email]>
>
>> Actually, SecurityGroup is a group that links permissions
>> (SecurityGroupPermission) which then get associated with UserLogins
>> (UserLoginSecurityGroup). In some systems a Role is a collection of
>> permissions, much like a SecurityGroup in OFBiz.
>>
>>
>> On May 5, 2009, at 2:26 PM, Harmeet Bedi wrote:
>>
>> To me this seemed to be intent from data model.
>>> - Group is PartyGroup that can be a collection of party through
>>> PartyRelationship.
>>> - PartyGroup is a Party. SecurityGroup can apply to Party hence to a
>>> PartyGroup
>>> - SecurityGroup is not a group of users, it is a role that applies to a
>>> Party.
>>>
>>>
>>> On closer inspection that does seem to be the case.
>>> It seems that SecurityGroup is really a collection of user logins.. so not
>>> a role at all.
>>>
>>> I see your point.. inserting a SecurityRole entity between Group and
>>> Permission would be more flexible. In that case SecurityGroup is really a
>>> UserLoginGroup.
>>>
>>> Harmeet
>>>
>>> ----- Original Message -----
>>> From: "Ruth Hoffman" <[hidden email]>
>>> To: [hidden email]
>>> Sent: Tuesday, May 5, 2009 1:44:34 PM GMT -05:00 US/Canada Eastern
>>> Subject: Re: Brainstorming: Security Configuration Patterns
>>>
>>> Harmeet:
>>>
>>> Groups within OFBiz are similar to roles but in the RBAC model a "role"
>>> is an entity in and of itself. A group or collection of groups (also
>>> defined in RBAC as unique entities) may have one or more roles applied
>>> to them just as a user might. I think the value of RBAC is in its
>>> extensibility.
>>>
>>> For example, by defining "roles" we can abstract the definition of a
>>> permission (the security constraint in this case) away from the
>>> assignment of the permission.
>>>
>>> Just my 2 cents.
>>> Ruth
>>>
>>>> I think an important thing missing is parentId in SecurityGroup.
>>>> Adding that would give you heirarchy. Groups sort of are roles. Group has
>>>> association with Subject(UserLogin through UserLoginSecurityGroup),
>>>> Permission(SecurityGroupPermission), Permission is tied implicitly to action
>>>> and resource.. Sort of RBAC.
>>>>
>>>> Harmeet
>>>>
>>>> ----- Original Message -----
>>>> From: "Ruth Hoffman" <[hidden email]>
>>>> To: [hidden email]
>>>> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
>>>> Subject: Re: Brainstorming: Security Configuration Patterns
>>>>
>>>> Hi All:
>>>> One pattern I worked with some time ago is called Role Based Access
>>>> Control (RBAC). This would be similar to #4 below, where you have a
>>>> "role" - with permissions associated with that role - defining
>>>> authorization levels. If you are interested in exploring this further,
>>>> I'd be happy to elaborate.
>>>>
>>>> Ruth
>>>> David E Jones wrote:
>>>>
>>>> This thread is specifically for discussing possible configuration
>>>>> patterns to use in OFBiz going forward. Please keep other discussion
>>>>> in another thread, including the merits of each possibility... let's
>>>>> just brainstorm in this thread.
>>>>>
>>>>> To get things started, here are the patterns that have been discussed
>>>>> recently (in high level terms, we can get into implementation and
>>>>> specific practices later on), these are in no particular order:
>>>>>
>>>>> 1. artifacts responsible for their own security (especially services
>>>>> and screens), and security permissions are referred to directly (ie
>>>>> the actual permissions are configured directly in the XML tags for the
>>>>> artifact)
>>>>>
>>>>> 2. artifacts responsible for their own security, and no direct
>>>>> references are used and instead an indirect security control is
>>>>> referred to; this is basically the permission service model we've been
>>>>> using where a permission service is basically a security policy that
>>>>> refers to permissions, can query/filter/whatever to do record level
>>>>> security, and in customization the permission service can be
>>>>> overridden or its function changed by ECA rules without touching any
>>>>> OOTB code or configuration
>>>>>
>>>>> 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
>>>>> and there is external configuration based on those permissions that
>>>>> can add other qualifying permissions and/or invoke logic to change how
>>>>> that permission is evaluated (ie override the default behavior of
>>>>> requiring the user to have that permission and either add additional
>>>>> constraints or allow alternative constraints even if the user does not
>>>>> have the original permission that triggered it all); this is recursive
>>>>> so that if an alternative permission is configured that permission may
>>>>> also have further alternative permissions; also being recursive if
>>>>> attached logic evaluates other permissions that may have alternative
>>>>> permissions and/or permission logic attached to them; as I understand
>>>>> what Andrew has implemented, this is the pattern he followed
>>>>>
>>>>> 4. artifacts are not responsible for their own security except to
>>>>> specify whether any sort of permission is required or not (ie a
>>>>> require-permission attribute, would be true by default; for example
>>>>> most ecommerce screens would have this set to false); access control
>>>>> would be configured externally so that you can configure access at the
>>>>> most granular level possible (we would go ALL the way here, including:
>>>>> screens, services, forms, form fields, menu items, tree nodes, etc,
>>>>> etc); the access control tools would have patterns and features to
>>>>> facilitate grouping of artifacts, grouping of users (ie just use the
>>>>> current SecurityGroup entity), and support for both functionality
>>>>> access and record-level access
>>>>>
>>>>> Can anyone thing of other patterns? Again, PLEASE do not comment on
>>>>> which one you like better or what you think the advantages or
>>>>> disadvantages are of each in this thread (of course, definitely think
>>>>> about such things and feel free to comment in other threads, I just
>>>>> want this to be a "hat's off" (yes, that is a reference to Six
>>>>> Thinking Hats by Edward de Bono; anyone who hasn't read that should
>>>>> give it a go!) brainstorming session.
>>>>>
>>>>> Thank You!
>>>>> -David
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>

> I think an important thing missing is parentId in SecurityGroup.
> Adding that would give you heirarchy. Groups sort of are roles. Group has association with Subject(UserLogin through UserLoginSecurityGroup), Permission(SecurityGroupPermission), Permission is tied implicitly to action and resource.. Sort of RBAC.
>
> Harmeet
>
> ----- Original Message -----
> From: "Ruth Hoffman" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, May 5, 2009 11:05:12 AM GMT -05:00 US/Canada Eastern
> Subject: Re: Brainstorming: Security Configuration Patterns
>
> Hi All:
> One pattern I worked with some time ago is called Role Based Access
> Control (RBAC). This would be similar to #4 below, where you have a
> "role" - with permissions associated with that role - defining
> authorization levels. If you are interested in exploring this further,
> I'd be happy to elaborate.
>
> Ruth
> David E Jones wrote:
> >
> > This thread is specifically for discussing possible configuration
> > patterns to use in OFBiz going forward. Please keep other discussion
> > in another thread, including the merits of each possibility... let's
> > just brainstorm in this thread.
> >
> > To get things started, here are the patterns that have been discussed
> > recently (in high level terms, we can get into implementation and
> > specific practices later on), these are in no particular order:
> >
> > 1. artifacts responsible for their own security (especially services
> > and screens), and security permissions are referred to directly (ie
> > the actual permissions are configured directly in the XML tags for the
> > artifact)
> >
> > 2. artifacts responsible for their own security, and no direct
> > references are used and instead an indirect security control is
> > referred to; this is basically the permission service model we've been
> > using where a permission service is basically a security policy that
> > refers to permissions, can query/filter/whatever to do record level
> > security, and in customization the permission service can be
> > overridden or its function changed by ECA rules without touching any
> > OOTB code or configuration
> >
> > 3. a hybrid of #1 and #2 where artifacts refer directly to permissions
> > and there is external configuration based on those permissions that
> > can add other qualifying permissions and/or invoke logic to change how
> > that permission is evaluated (ie override the default behavior of
> > requiring the user to have that permission and either add additional
> > constraints or allow alternative constraints even if the user does not
> > have the original permission that triggered it all); this is recursive
> > so that if an alternative permission is configured that permission may
> > also have further alternative permissions; also being recursive if
> > attached logic evaluates other permissions that may have alternative
> > permissions and/or permission logic attached to them; as I understand
> > what Andrew has implemented, this is the pattern he followed
> >
> > 4. artifacts are not responsible for their own security except to
> > specify whether any sort of permission is required or not (ie a
> > require-permission attribute, would be true by default; for example
> > most ecommerce screens would have this set to false); access control
> > would be configured externally so that you can configure access at the
> > most granular level possible (we would go ALL the way here, including:
> > screens, services, forms, form fields, menu items, tree nodes, etc,
> > etc); the access control tools would have patterns and features to
> > facilitate grouping of artifacts, grouping of users (ie just use the
> > current SecurityGroup entity), and support for both functionality
> > access and record-level access
> >
> > Can anyone thing of other patterns? Again, PLEASE do not comment on
> > which one you like better or what you think the advantages or
> > disadvantages are of each in this thread (of course, definitely think
> > about such things and feel free to comment in other threads, I just
> > want this to be a "hat's off" (yes, that is a reference to Six
> > Thinking Hats by Edward de Bono; anyone who hasn't read that should
> > give it a go!) brainstorming session.
> >
> > Thank You!
> > -David
> >
> >
>

> Hi Adrian,
>
> Is it desirable behavior? What if both the user need to have different  
> permission at certain point of time.
>
> Lets take a simple example of Jira. Two person contributing in OFBiz  
> have an account on jira with same and very basic permission. At this  
> moment they did not see any option to assign a task.
>
> Later on one becomes  a committer and now this person have higher  
> permissions (obviously see an option to assign a task) then the other  
> person. Does this mean second person should also be granted the same  
> permission as of the first at this moment, IMO No.
>
> This could be desirable behavior in certain cases but I am not able to  
> think of any example.
>
> Vikas
>
> On May 5, 2009, at 10:39 PM, Adrian Crum wrote:
>
> > Yes.
> >
> > -Adrian
> >
> > Vikas Mayur wrote:
> >> In security equivalency, what would happen if the permission for  
> >> first user are changed? Does these permission are also applied to  
> >> second user?
> >> Vikas
> >> On May 5, 2009, at 8:50 PM, Adrian Crum wrote:
> >>> Novell Netware has that, plus security groups. You can assign  
> >>> permissions to roles or groups, then assign the users to roles or  
> >>> groups.
> >>>
> >>> Another thing Netware has that might be useful - security  
> >>> equivalency. If two users require exactly the same sets of  
> >>> permissions, you don't have to assign those permissions twice. You  
> >>> assign permissions for one user, then make the second user  
> >>> "security equivalent" to the first.
> >>>
> >>> -Adrian
> >>>
> >>> Ruth Hoffman wrote:
> >>>> Hi All:
> >>>> One pattern I worked with some time ago is called Role Based  
> >>>> Access Control (RBAC). This would be similar to #4 below, where  
> >>>> you have a "role" - with permissions associated with that role -  
> >>>> defining authorization levels. If you are interested in exploring  
> >>>> this further, I'd be happy to elaborate.
> >>>> Ruth
> >>>> David E Jones wrote:
> >>>>>
> >>>>> This thread is specifically for discussing possible  
> >>>>> configuration patterns to use in OFBiz going forward. Please  
> >>>>> keep other discussion in another thread, including the merits of  
> >>>>> each possibility... let's just brainstorm in this thread.
> >>>>>
> >>>>> To get things started, here are the patterns that have been  
> >>>>> discussed recently (in high level terms, we can get into  
> >>>>> implementation and specific practices later on), these are in no  
> >>>>> particular order:
> >>>>>
> >>>>> 1. artifacts responsible for their own security (especially  
> >>>>> services and screens), and security permissions are referred to  
> >>>>> directly (ie the actual permissions are configured directly in  
> >>>>> the XML tags for the artifact)
> >>>>>
> >>>>> 2. artifacts responsible for their own security, and no direct  
> >>>>> references are used and instead an indirect security control is  
> >>>>> referred to; this is basically the permission service model  
> >>>>> we've been using where a permission service is basically a  
> >>>>> security policy that refers to permissions, can query/filter/
> >>>>> whatever to do record level security, and in customization the  
> >>>>> permission service can be overridden or its function changed by  
> >>>>> ECA rules without touching any OOTB code or configuration
> >>>>>
> >>>>> 3. a hybrid of #1 and #2 where artifacts refer directly to  
> >>>>> permissions and there is external configuration based on those  
> >>>>> permissions that can add other qualifying permissions and/or  
> >>>>> invoke logic to change how that permission is evaluated (ie  
> >>>>> override the default behavior of requiring the user to have that  
> >>>>> permission and either add additional constraints or allow  
> >>>>> alternative constraints even if the user does not have the  
> >>>>> original permission that triggered it all); this is recursive so  
> >>>>> that if an alternative permission is configured that permission  
> >>>>> may also have further alternative permissions; also being  
> >>>>> recursive if attached logic evaluates other permissions that may  
> >>>>> have alternative permissions and/or permission logic attached to  
> >>>>> them; as I understand what Andrew has implemented, this is the  
> >>>>> pattern he followed
> >>>>>
> >>>>> 4. artifacts are not responsible for their own security except  
> >>>>> to specify whether any sort of permission is required or not (ie  
> >>>>> a require-permission attribute, would be true by default; for  
> >>>>> example most ecommerce screens would have this set to false);  
> >>>>> access control would be configured externally so that you can  
> >>>>> configure access at the most granular level possible (we would  
> >>>>> go ALL the way here, including: screens, services, forms, form  
> >>>>> fields, menu items, tree nodes, etc, etc); the access control  
> >>>>> tools would have patterns and features to facilitate grouping of  
> >>>>> artifacts, grouping of users (ie just use the current  
> >>>>> SecurityGroup entity), and support for both functionality access  
> >>>>> and record-level access
> >>>>>
> >>>>> Can anyone thing of other patterns? Again, PLEASE do not comment  
> >>>>> on which one you like better or what you think the advantages or  
> >>>>> disadvantages are of each in this thread (of course, definitely  
> >>>>> think about such things and feel free to comment in other  
> >>>>> threads, I just want this to be a "hat's off" (yes, that is a  
> >>>>> reference to Six Thinking Hats by Edward de Bono; anyone who  
> >>>>> hasn't read that should give it a go!) brainstorming session.
> >>>>>
> >>>>> Thank You!
> >>>>> -David
> >>>>>
> >>>>>
>

>
> This thread is specifically for discussing possible configuration  
> patterns to use in OFBiz going forward. Please keep other discussion  
> in another thread, including the merits of each possibility... let's  
> just brainstorm in this thread.
>
> To get things started, here are the patterns that have been  
> discussed recently (in high level terms, we can get into  
> implementation and specific practices later on), these are in no  
> particular order:
>
> 1. artifacts responsible for their own security (especially services  
> and screens), and security permissions are referred to directly (ie  
> the actual permissions are configured directly in the XML tags for  
> the artifact)
>
> 2. artifacts responsible for their own security, and no direct  
> references are used and instead an indirect security control is  
> referred to; this is basically the permission service model we've  
> been using where a permission service is basically a security policy  
> that refers to permissions, can query/filter/whatever to do record  
> level security, and in customization the permission service can be  
> overridden or its function changed by ECA rules without touching any  
> OOTB code or configuration
>
> 3. a hybrid of #1 and #2 where artifacts refer directly to  
> permissions and there is external configuration based on those  
> permissions that can add other qualifying permissions and/or invoke  
> logic to change how that permission is evaluated (ie override the  
> default behavior of requiring the user to have that permission and  
> either add additional constraints or allow alternative constraints  
> even if the user does not have the original permission that  
> triggered it all); this is recursive so that if an alternative  
> permission is configured that permission may also have further  
> alternative permissions; also being recursive if attached logic  
> evaluates other permissions that may have alternative permissions  
> and/or permission logic attached to them; as I understand what  
> Andrew has implemented, this is the pattern he followed
>
> 4. artifacts are not responsible for their own security except to  
> specify whether any sort of permission is required or not (ie a  
> require-permission attribute, would be true by default; for example  
> most ecommerce screens would have this set to false); access control  
> would be configured externally so that you can configure access at  
> the most granular level possible (we would go ALL the way here,  
> including: screens, services, forms, form fields, menu items, tree  
> nodes, etc, etc); the access control tools would have patterns and  
> features to facilitate grouping of artifacts, grouping of users (ie  
> just use the current SecurityGroup entity), and support for both  
> functionality access and record-level access
>
> Can anyone thing of other patterns? Again, PLEASE do not comment on  
> which one you like better or what you think the advantages or  
> disadvantages are of each in this thread (of course, definitely  
> think about such things and feel free to comment in other threads, I  
> just want this to be a "hat's off" (yes, that is a reference to Six  
> Thinking Hats by Edward de Bono; anyone who hasn't read that should  
> give it a go!) brainstorming session.
>
> Thank You!
> -David
>

>
> There has been a bit of discussion in this thread (and most of it on  
> topic, so thanks for that), but in reviewing it I can't find any  
> specific alternatives to add to this list. I'd like to move on to  
> discussing the merits of these things soon and see which approach we  
> each like best (or worst!), so if there is anything anyone would  
> like to add to the list or if anyone has questions about any items  
> on this list please speak up!
>
> -David
>
>
> On May 4, 2009, at 11:53 AM, David E Jones wrote:
>
>>
>> This thread is specifically for discussing possible configuration  
>> patterns to use in OFBiz going forward. Please keep other  
>> discussion in another thread, including the merits of each  
>> possibility... let's just brainstorm in this thread.
>>
>> To get things started, here are the patterns that have been  
>> discussed recently (in high level terms, we can get into  
>> implementation and specific practices later on), these are in no  
>> particular order:
>>
>> 1. artifacts responsible for their own security (especially  
>> services and screens), and security permissions are referred to  
>> directly (ie the actual permissions are configured directly in the  
>> XML tags for the artifact)
>>
>> 2. artifacts responsible for their own security, and no direct  
>> references are used and instead an indirect security control is  
>> referred to; this is basically the permission service model we've  
>> been using where a permission service is basically a security  
>> policy that refers to permissions, can query/filter/whatever to do  
>> record level security, and in customization the permission service  
>> can be overridden or its function changed by ECA rules without  
>> touching any OOTB code or configuration
>>
>> 3. a hybrid of #1 and #2 where artifacts refer directly to  
>> permissions and there is external configuration based on those  
>> permissions that can add other qualifying permissions and/or invoke  
>> logic to change how that permission is evaluated (ie override the  
>> default behavior of requiring the user to have that permission and  
>> either add additional constraints or allow alternative constraints  
>> even if the user does not have the original permission that  
>> triggered it all); this is recursive so that if an alternative  
>> permission is configured that permission may also have further  
>> alternative permissions; also being recursive if attached logic  
>> evaluates other permissions that may have alternative permissions  
>> and/or permission logic attached to them; as I understand what  
>> Andrew has implemented, this is the pattern he followed
>>
>> 4. artifacts are not responsible for their own security except to  
>> specify whether any sort of permission is required or not (ie a  
>> require-permission attribute, would be true by default; for example  
>> most ecommerce screens would have this set to false); access  
>> control would be configured externally so that you can configure  
>> access at the most granular level possible (we would go ALL the way  
>> here, including: screens, services, forms, form fields, menu items,  
>> tree nodes, etc, etc); the access control tools would have patterns  
>> and features to facilitate grouping of artifacts, grouping of users  
>> (ie just use the current SecurityGroup entity), and support for  
>> both functionality access and record-level access
>>
>> Can anyone thing of other patterns? Again, PLEASE do not comment on  
>> which one you like better or what you think the advantages or  
>> disadvantages are of each in this thread (of course, definitely  
>> think about such things and feel free to comment in other threads,  
>> I just want this to be a "hat's off" (yes, that is a reference to  
>> Six Thinking Hats by Edward de Bono; anyone who hasn't read that  
>> should give it a go!) brainstorming session.
>>
>> Thank You!
>> -David
>>
>