6.4.2. Users, groups, and roles
Users, groups, and roles are three interrelated concepts that form the basic building blocks of EJB security. We've already mentioned users, so let's start with groups. To simplify administration, users are divided into groups as shown in figure 6.4. Groups are a logical partition that lets the application identify which users should have access to different functions—for example, to administrative functions, customer service support, and so on. All users in the Administrator group can reset accounts and check account activity, whereas users in the Customer Service group can only change the status of an order. The application checks whether the user is a member of the group before performing an operation. User/group functionality in EJB security is thus analogous to groups in the Unix file system, which simplifies the management of access lists for individual resources.
Figure 6.4. Users and groups
A role is closely related to the concept of a group. A role is an application container's abstraction of a group. A mapping is typically created to associate application groups with enterprise application roles. This separation enables applications to be coded independently of their deployment environment. An application might be developed with more fine-grained access controls than are presently supported, or it might be purchased from an external vendor that obviously isn't familiar with the company's internal roles. Thus, this abstraction dissociates the application's notion of a group (the role) from the actual group names used in production. An application might have
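The group/role separation described above, as an added example that is not from the book: an EJB 3 session bean that declares the roles it uses, guards its methods declaratively with @RolesAllowed, makes one finer-grained decision programmatically with SessionContext.isCallerInRole, and a GlassFish-style vendor descriptor that maps those roles to the Administrator and Customer Service groups from the text. The role names account-admin and order-clerk, the bean name, and its in-memory state are assumptions made for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Added example, not code from the book: a stateless session bean whose methods
 * are guarded by application roles. The role names "account-admin" and
 * "order-clerk" are assumptions; the container maps them to the deployment's
 * groups ("Administrator" and "Customer Service" in the text) through the
 * vendor descriptor shown at the bottom.
 */
@Stateless
@DeclareRoles({"account-admin", "order-clerk"})  // roles this bean refers to
public class AccountServiceBean {

    @Resource
    private SessionContext ctx;  // container-injected; exposes the caller's identity

    // Constructed in-memory state so the example reads end to end; a real bean
    // would persist this through JPA entities.
    private static final Map<Long, Boolean> LOCKED_ACCOUNTS = new ConcurrentHashMap<>();
    private static final Map<Long, String> ORDER_STATUS = new ConcurrentHashMap<>();

    // Declarative check: the container rejects callers outside the account-admin
    // role with an EJBAccessException before the method body ever runs.
    @RolesAllowed("account-admin")
    public void resetAccount(long accountId) {
        LOCKED_ACCOUNTS.put(accountId, Boolean.FALSE);
    }

    @RolesAllowed("account-admin")
    public boolean isAccountLocked(long accountId) {
        return LOCKED_ACCOUNTS.getOrDefault(accountId, Boolean.FALSE);
    }

    // Customer-service staff can only change order status, as the text describes.
    @RolesAllowed("order-clerk")
    public void changeOrderStatus(long orderId, String newStatus) {
        if (!newStatus.equals("SHIPPED") && !newStatus.equals("ON_HOLD")) {
            throw new IllegalArgumentException("unsupported status: " + newStatus);
        }
        ORDER_STATUS.put(orderId, newStatus);
    }

    // Programmatic check on top of the declarative one: both roles may call this,
    // but only administrators get the account lock state included in the summary.
    @RolesAllowed({"account-admin", "order-clerk"})
    public String summarizeOrder(long orderId, long accountId) {
        String status = ORDER_STATUS.getOrDefault(orderId, "UNKNOWN");
        if (ctx.isCallerInRole("account-admin")) {
            return "order " + orderId + ": " + status
                 + " (account locked: " + isAccountLocked(accountId) + ")";
        }
        return "order " + orderId + ": " + status;
    }
}

/*
 * Role-to-group mapping, GlassFish style (META-INF/sun-ejb-jar.xml). This
 * descriptor ties the application's role names to the groups configured in the
 * server's security realm; the group names come from the text, the role names
 * are the assumptions above.
 *
 * <sun-ejb-jar>
 *   <security-role-mapping>
 *     <role-name>account-admin</role-name>
 *     <group-name>Administrator</group-name>
 *   </security-role-mapping>
 *   <security-role-mapping>
 *     <role-name>order-clerk</role-name>
 *     <group-name>Customer Service</group-name>
 *   </security-role-mapping>
 * </sun-ejb-jar>
 */
```

Two points worth noticing when reading this. First, the bean never mentions "Administrator" or "Customer Service": renaming a group in production only changes the descriptor, which is exactly the dissociation the text describes. Second, summarizeOrder calls isAccountLocked directly on this, which bypasses the container's interceptor chain and therefore its @RolesAllowed check; the explicit isCallerInRole test is what protects that path, so internal calls between guarded methods need their own check.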