Hi,
I have a few questions regarding the OFBiz security implementation. I notice that in OFBiz, security can be enforced almost everywhere.
1. In the "webapp" element under ofbiz-component.xml, I notice that it has a "base-permission" attribute, i.e. base-permission="OFBTOOLS,ACCOUNTING".
Question:
a. If this permission is related back to Security.java, which one of the methods is being called? It looks like the hasPermission method, but I am not too sure.
b. I also notice that OFBTOOLS & ACCOUNTING cannot be found in the Security_Permission table, though I can see ACCOUNTING_VIEW, ACCOUNTING_UPDATE, etc. Does it mean that I have full access to ACCOUNTING if I am given the ACCOUNTING base-permission?
c. Which class do I need to check for the base-permission implementation?
2. widget-screen.xsd has if-has-permission & if-entity-permission elements
Question:
a. Could you please give me a pointer on how these if-has-permission & if-entity-permission elements relate back to Security.java?
3. In the FTL, one can call hasEntityPermission, hasRolePermission methods of the Security class. This is very clear and I have no issue here.
I also notice that the Order Manager, Facility & Marketing modules make use of Role related tables (Order_Role, Facility_Role, Marketing_Campaign_Role) for their security permissions as well. We want to create a more general role table where a role can be associated with Modules & Functions.
I am currently doing a detailed study on whether the current OFBiz security implementations will be suitable for our own access control requirements. Eventually our access control will be based on roles. A user will be given a privilege which is associated with Functions & Modules.
I attach the E-R diagram of what we are going to implement for our access control. I would really appreciate it if someone could give some feedback or comments.
Regards,
Mathius Allo