The basic scenario for authorization is to give a user one or more roles in an application. The same user can of course have a different set of roles in another application.

But what if the same user has different relations to the application?

Example: insurance company

* _Customer_ - basic privileges to see and modify own insurances
* _Employee_ - administration privileges
* _Board member_ - access to top-secret financial statistics

The naive approach is to give the person one flat list of all the roles and privileges needed.

To support such a use case, some additional information is needed to record under which relation ("hat") the person is given which set of roles.

Technically, this looks like this:

|| userId || applicationId || relationId/OrgId || roleName || roleValue ||
| erikUserId | someWebappId | customer | modify_own_account | true |
| erikUserId | someWebappId | employee | modify_all_accounts | true |
| erikUserId | someWebappId | board_member | financial_statistics | true |
| erikUserId | anotherWebappId | <notInUse> | admin | true |

roleValue can be true/false or contain data; how this field is used can be chosen per application. The common usage is true/false, which supports use cases for disabling access.
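The following is an added example (not code from the original page) showing how the table above can be evaluated: a relation-aware check only counts roles granted under the hat the user is currently acting in and treats a roleValue other than "true" as disabled, while the naive flattened lookup hands out every role at once. The sample rows mirror the table; the extra `approve_payouts` row and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class RoleAssignment:
    user_id: str
    application_id: str
    relation_id: str   # the "hat": customer, employee, board_member, ...
    role_name: str
    role_value: str    # "true"/"false" or application-specific data

# Constructed sample data: the rows from the table above, plus one
# constructed row where access has been disabled via roleValue.
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("erikUserId", "someWebappId", "customer", "modify_own_account", "true"),
    RoleAssignment("erikUserId", "someWebappId", "employee", "modify_all_accounts", "true"),
    RoleAssignment("erikUserId", "someWebappId", "board_member", "financial_statistics", "true"),
    RoleAssignment("erikUserId", "anotherWebappId", "<notInUse>", "admin", "true"),
    RoleAssignment("erikUserId", "someWebappId", "employee", "approve_payouts", "false"),
]

def role_value(assignments: List[RoleAssignment], user_id: str, application_id: str,
               relation_id: str, role_name: str) -> Optional[str]:
    """Return roleValue for one user acting under one relation, or None if no such row exists."""
    for a in assignments:
        if (a.user_id, a.application_id, a.relation_id, a.role_name) == \
           (user_id, application_id, relation_id, role_name):
            return a.role_value
    return None

def is_permitted(assignments: List[RoleAssignment], user_id: str, application_id: str,
                 relation_id: str, role_name: str) -> bool:
    """Relation-aware check: only roles granted under the active hat count,
    and a roleValue other than "true" (e.g. "false") means the role is disabled."""
    return role_value(assignments, user_id, application_id, relation_id, role_name) == "true"

def flattened_roles(assignments: List[RoleAssignment], user_id: str, application_id: str) -> set:
    """The naive approach: collapse all hats into one flat set of enabled roles.
    Shown for contrast; with this, a customer session also carries board_member roles."""
    return {a.role_name for a in assignments
            if a.user_id == user_id and a.application_id == application_id
            and a.role_value == "true"}

if __name__ == "__main__":
    # Acting as a customer, Erik cannot read the board's financial statistics ...
    print(is_permitted(ASSIGNMENTS, "erikUserId", "someWebappId", "customer", "financial_statistics"))
    # ... but the flattened list would grant it regardless of the current hat.
    print(sorted(flattened_roles(ASSIGNMENTS, "erikUserId", "someWebappId")))
```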