[Catalyst] Authz: How granular to make roles?

Merlyn Kline merlyn at zynet.net
Mon Jul 20 08:32:55 GMT 2009

> outside people can have read access. But these people probably
> shouldn't be able to see what I paid for each book. In the old
> system, I checked if the user had jts_access >= 7 in order to
> display this. In the new system, I don't want to create a role
> for "jts_price-paid_viewing" or whatever; on the other hand,
> merely checking the "jts_add" role isn't the actual right I'm
> looking for. Does this matter?

In my experience, what's important is to say what you mean rather than try
to infer it. So in this example, if you're letting people with the jts_add
role see your price-paid field just because the group of people that you
want to show it to happens to match the the group of people with jts_add at
the moment, or because it seems reasonable to infer that someone with
jts_add should be allowed to see your price-paid, then you're asking for
trouble later. OTOH if your app design really does say that people who are
allowed to add records should also be able to see your price-paid field then
using the role for that purpose is perfectly reasonable. You could also show
price-paid to other roles too, of course, so there doesn't have to be a
strictly one-to-one mapping there. If expressing your app design cleanly in
your roles generates lots of trivial-seeming roles then so be it - the minor
tedium of setting that up now will pay off later for sure. Gone are the days
when a byte was so precious that it was worth combining two apparently
similar roles to save one!

Any apparent relationships between roles (e.g. people who have jts_add are
the same as people who have the right to see price-paid) can be expressed in
your role management code, i.e. you can make the granting of jts_add
automatically grant the right to see price-paid. Splitting them into
separate roles later when you realise there are actually some people with
jts_add who shouldn't see your price-paid (or vice versa) then becomes
relatively simple.

In summary: very granular indeed!


More information about the Catalyst mailing list