...
We’re reimplementing much of the functionality of Spring Security’s authorization support. It may be preferable to switch over to it rather than keep extending a custom solution.
Migration
Existing roles can be expressed in the new permissions table in order to make the same kind of authorization checks. This can be done independently of allowing users to be in multiple organizations. For every administrative account in the system, we’d want to create entries based on their current roles:
| Old role | New role | For object |
|---|---|---|
| DEVELOPER | DEVELOPER | APP |
| RESEARCHER | RESEARCHER | APP |
| STUDY_DESIGNER | DEVELOPER | STUDY (one for every study sponsored by the user’s organization; every admin user must be in an organization) |
| STUDY_COORDINATOR | RESEARCHER | STUDY (one for every study sponsored by the user’s organization; every admin user must be in an organization) |
| ORG_ADMIN | ADMIN | ORGANIZATION |
| ADMIN | ADMIN | APP |
| SUPERADMIN | ADMIN | SYSTEM |
| WORKER | SUPERADMIN | SYSTEM |
During the transition we’d need to maintain both representations of roles (on accounts and in the permissions table), switch request authorization over to the permissions table, then remove the bridge code and, finally, delete the AccountRoles table.
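The role-to-permission mapping in the table above, including the per-study fan-out and the organization requirement, as an added illustrative sketch (not the project’s own migration code). The object ids used for the APP and SYSTEM scopes, the `studies_by_org` lookup and the sample accounts are assumptions constructed here.

```python
from dataclasses import dataclass

# Old role -> (new role, object type), transcribed from the migration table.
ROLE_MAP = {
    "DEVELOPER":         ("DEVELOPER",  "APP"),
    "RESEARCHER":        ("RESEARCHER", "APP"),
    "STUDY_DESIGNER":    ("DEVELOPER",  "STUDY"),
    "STUDY_COORDINATOR": ("RESEARCHER", "STUDY"),
    "ORG_ADMIN":         ("ADMIN",      "ORGANIZATION"),
    "ADMIN":             ("ADMIN",      "APP"),
    "SUPERADMIN":        ("ADMIN",      "SYSTEM"),
    "WORKER":            ("SUPERADMIN", "SYSTEM"),
}
SYSTEM_ID = "system"  # assumed singleton object id for SYSTEM-scoped rows


@dataclass(frozen=True)
class Permission:
    user_id: str
    role: str
    object_type: str
    object_id: str


def migrate_account(user_id, app_id, org_id, old_roles, studies_by_org):
    """Return the permission rows that reproduce an admin account's legacy roles.
    studies_by_org (assumed lookup) maps an org id to the studies it sponsors."""
    if not org_id:
        # The table requires every admin user to be in an organization; failing
        # loudly is safer than silently dropping STUDY/ORGANIZATION grants.
        raise ValueError(f"admin account {user_id} has no organization")
    rows = set()
    for old in old_roles:
        if old not in ROLE_MAP:
            raise ValueError(f"unmapped legacy role {old!r} on {user_id}")
        new_role, obj_type = ROLE_MAP[old]
        if obj_type == "STUDY":
            # Fan out: one row per study sponsored by the user's organization.
            for study_id in studies_by_org.get(org_id, ()):
                rows.add(Permission(user_id, new_role, "STUDY", study_id))
        elif obj_type == "ORGANIZATION":
            rows.add(Permission(user_id, new_role, "ORGANIZATION", org_id))
        elif obj_type == "APP":
            rows.add(Permission(user_id, new_role, "APP", app_id))
        else:  # SYSTEM
            rows.add(Permission(user_id, new_role, "SYSTEM", SYSTEM_ID))
    return rows


def is_authorized(rows, user_id, role, object_type, object_id):
    """The permissions-table check that replaces the legacy role check."""
    return Permission(user_id, role, object_type, object_id) in rows
```

A dual-write bridge can run `is_authorized` beside the old role check and log any disagreement before the AccountRoles table is dropped.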