...
We will introduce a flat table of Permission records that can be easily retrieved by user or by target model object:
Code Block | ||
---|---|---|
| ||
/** * As a string, <userId>[<role>]<appId:objectType:objectId> * e.g. 72f86f59-de37-4432-9839-f8b79b337256[admin]app:api */ class Permission { String guid; // synthetic key makes create/add/update APIs easier String appId; // this always has to be part of the query String userId; String role; // "admin", "developer" String objectType; // "study", "organization", "app", "system" String objectId; // "studyId", "orgId", "appId" boolean transitive; // e.g. true if permission comes from org membership // Suggested toString() descriptor (implicitly scoped to an app): // "2rkp3nU7p8fjUTDVIgjT6T is an organization:sage-bionetworks admin" } |
The service (which we’ll probably access through Spring Security, see below):
...