Versions Compared

...

Code block (Java):
public class Permission {
  String guid; // synthetic key makes create/add/update APIs easier
  String appId; // most permissions except system-wide, and usually implicit
  String userId;
  String role; // "admin", "developer"
  String objectTypepermissionType; // "study", "organization", "app", "system"
  String objectId; // "studyId", "orgId", "appId"
  
  // Suggested toString() descriptor (implicitly scoped to an app):
  // "2rkp3nU7p8fjUTDVIgjT6T ∈ {organization:sage-bionetworks admin}"
}

// Each type relates to a specific entity and its ID (indicated in the constructor)
public enum ObjectTypePermissionType {
  ASSESSMENT(ASSESSMENT),
  STUDY(STUDY),
  ORGANIZATION(ORGANIZATION),
  SPONSORED_STUDIES(ORGANIZATION),
  MEMBERS(ORGANIZATION),
  ASSESSMENTS(ORGANIZATION),
  STUDY_PI(STUDY),
  PARTICIPANTS(STUDY);
}
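Review bot: In the enum, every constant passes a constant of the same enum as its constructor argument (`ASSESSMENT(ASSESSMENT)`, `MEMBERS(ORGANIZATION)`), and no constructor or field is declared, so it does not compile as written and the entity each type maps to has no type of its own. Suggest a separate small enum for the entity kind (assessment, study, organization) plus a declared constructor and field that stores it, so the lookup from type to entity is explicit. In `Permission`, `role` is a free `String` ("admin", "developer"); an enum there would keep a misspelled role from being stored as a grant.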

...

Code block (Java):
interface PermissionsService {
  Set<Permission> getPermissionsForUser(String appId, String userId);
  Permission addPermission(Permission permission);
  void updatePermission(Permission permission);
  void removePermission(Permission permissions);
  Set<Permission> getPermissionsForObjectgetPermissionsForType(String appId, ObjectTypePermissionType type, String id);
  // this delete may cannotnot be cascaded by the database and must would then 
  // need to be done manually.
  void deletePermissions(String appId, ObjectTypePermissionType type, String id);
  
  /** Spring security will need a very focused method to check, for a 
    * given user and a given object, does the user have any of the required 
    * roles to perform the request. This method can fudge things like 
    * app-scoped permissions, too.
    */
  boolean isAuthorizedAs(AccountId accountId, ObjectTypePermissionType type, String objectId, Role... roles);
}
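Review bot: `updatePermission(Permission permission)` and `removePermission(Permission permissions)` take a whole caller-supplied `Permission`, so the object type and `objectId` that the admin check runs against can come from the request rather than from the stored record. Suggest identifying the record by `guid`, loading it, and checking the caller with `isAuthorizedAs` against the stored object before applying the change; on update, also check the target object if the submitted one differs. Minor: the `removePermission` parameter is named `permissions` but is a single `Permission`.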

...

| Method | URL | Description |
|--------|-----|-------------|
| GET | /v1/permissions/{userId} | Get all permissions for a user. |
| GET | /v1/permissions/{objectTypepermissionType}/{objectId} | Get all permissions for an object like organization, study, or app. |
| POST | /v1/permissions | Create a permission for a specific object and user. Caller must be an admin for the object. Returns the object with a GUID. |
| POST | /v1/permissions/{guid} | Update a permission (caller must be an admin for the object). |
| DELETE | /v1/permissions/{guid} | Remove a permission for an object (caller must be an admin for the object). |
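Review bot: The two GET rows do not say who may call them, while every write row states "caller must be an admin for the object". Listing all permissions for a user or for an object discloses who holds which role, so the table should state the required caller for reads as well (for example the user themselves or an admin of the object). It would also help to note how the app scope is determined, since none of the paths carries an `appId`.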

...