we are developing a general authentication and authorization application
This is supposed to cater to multiple products of our organisation
Lets say Product A , B & C
We are planning to have different roles which are common ( a master set of roles )
Depending on each applications needs - the roles can be mapped in a mapping table
We also have a set of common functions that user can perform :: ie CRUD operations
Upto this point here is the db design ::
Master table for Products ( Product A , B , C etc )
Master Table for Roles ( Admin , Manager , End user , SuperAdmin etc )
Master Table for Functions ( CRUD operations etc )
Mapping tables ::
1 >
Product_Role_mapping :: Maps the Products to the roles ( Product A might only need roles of " Admin " & " EndUser" while Product B might need roles of "Admin" , " Manager " , " SuperAdmin" )
Now here is my question ::
In addition each role can perform different functions for different products ( defined by business )
As an example ::
"Admin" in "Product A " can " Create " , " Edit " & " delete "
"Admin" in "Product B " can " Create " but NOT ALLOWED to " Edit " & " delete "
I was wondering ::
Option A :: use another database table in which we map the product , role , functions
This would indicate that for a given product , given role - these are allowed functions
Option B :: in
Java code check what product it is and what role and programmatically decide if the operation is allowed or not
Personally feel Option A is good.
To what extent is such design relying on db for configuration good ?
should we externalise it from db into a config file ( xml , csv ) for the same ?
One more question regarding another requirement
For the same product ( as en example Product A - there are three roles ::
Admin , Manager & End user )
Admin can Delete Manager as well as End user
Manager can delete end user but NOT Admin
End user can perform no delete operations
The problem here being even with a db mpping table for earlier req - the issue is that for same product the same role can perform " delete" but that "delete" depends on who the logged in user is and on what type(role) of user it is performed .
So for such a situation - what would be the approach ?
Any ideas , criticism is welcome !
Thanks ,
~satish