Skip to end of metadata
Go to start of metadata
You are viewing an old version of this page. View the current version. Compare with Current  |   View Page History

The basic scenario for authorization is to give a user one or more roles in an application. The same user can of course ha a different set of roles in another application.

But what if the same user has different relations to the application?

Example: insurance company

  • Customer - basic privileges to see and modify own insurances
  • Employee - administration privileges
  • Board member - access to top-secret financial statistics

The naive approach is to give the person the flat list of all roles and privileges needed.

To support such a use case some information is needed to differentiate for which relation ("hat") the person is given what set of roles.

Technically this looks like this:

userId applicationId relationId/OrgId roleName roleValue
erikUserId someWebappId customer modify_own_account true
erikUserId someWebappId employee modify_all_accounts true
erikUserId someWebappId board_member financial_statistics true
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.