Let’s say we started off with a more coarse-grained, “service-oriented” approach and we treated the core RBAC functional specification as a set of “use cases”.
We would have:
class RBAC {
    // Admin Functions
    public function AddUser($name) {}
    public function DeleteUser($name) {}
    public function AddRole($name) {}
    public function DeleteRole($name) {}
    public function AssignUser($user, $role) {}
    public function DeassignUser($user, $role) {}
    public function GrantPermission($object, $operation, $role) {}
    public function RevokePermission($object, $operation, $role) {}

    // System Functions
    public function CreateSession($user, $session) {}
    public function DeleteSession($user, $session) {}
    public function AddActiveRole($user, $session, $name) {}
    public function DropActiveRole($user, $session, $name) {}
    public function CheckAccess($session, $operation, $object, $result) {}

    // Review Functions
    public function AssignedUsers($role) {}
    public function AssignedRoles($user) {}

    // Advanced Review Functions
    public function RolePermissions($role, $result) {}
    public function UserPermissions($user, $result) {}
    public function SessionRoles($session, $result) {}
    public function SessionPermissions($session, $result) {}
    public function RoleOperationsOnObject($role, $object, $result) {}
    public function UserOperationsOnObject($user, $object, $result) {}
}
Obviously that is quite a “god” class, so we could break it down further into (where the classes are more like groups of related transaction scripts):
class RBACAdmin {
    // Admin Functions
    public function AddUser($name) {}
    public function DeleteUser($name) {}
    public function AddRole($name) {}
    public function DeleteRole($name) {}
    public function AssignUser($user, $role) {}
    public function DeassignUser($user, $role) {}
    public function GrantPermission($object, $operation, $role) {}
    public function RevokePermission($object, $operation, $role) {}
}

class RBACSystem {
    // System Functions
    public function CreateSession($user, $session) {}
    public function DeleteSession($user, $session) {}
    public function AddActiveRole($user, $session, $name) {}
    public function DropActiveRole($user, $session, $name) {}
    public function CheckAccess($session, $operation, $object, $result) {}
}

class RBACReview {
    // Review Functions
    public function AssignedUsers($role) {}
    public function AssignedRoles($user) {}
}

class RBACAdvancedReview {
    // Advanced Review Functions
    public function RolePermissions($role, $result) {}
    public function UserPermissions($user, $result) {}
    public function SessionRoles($session, $result) {}
    public function SessionPermissions($session, $result) {}
    public function RoleOperationsOnObject($role, $object, $result) {}
    public function UserOperationsOnObject($user, $object, $result) {}
}
Even that still seems too procedural for my taste. I know that we might want a service layer later, but what I was trying to do is come up with a Domain Model – something that encapsulates both the data and the behavior of the system, which brought me to create the set of interfaces in my previous post. Now, I can see how you would create permissions, assign those permissions to a role and then assign roles to users with that model, but it is still lacking, and that is where I was hoping others might help improve it.
Thanks,
JT
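The service-oriented sketch in the post above leaves every method body empty, so it does not show where the security-relevant decisions in Core RBAC actually live. The following is an added example, not JT's code and not part of the original post: a minimal in-memory implementation of the same use cases, written to make those decisions visible. CheckAccess decides on the roles activated in the session rather than on everything the user holds, AddActiveRole refuses roles that are not assigned to the session's owner, and DeassignUser, DeleteRole and DeleteUser propagate into live sessions so that a revocation takes effect immediately. The storage layout, the helpers ownsSession() and mustHold(), and the sample data are my assumptions; the review functions return arrays instead of filling a $result output parameter. It assumes PHP 7.4 or later (typed properties, ??=, fn()).

```php
<?php
// Added example, not JT's code: a minimal in-memory Core RBAC with the checks each
// operation has to make. Storage layout, ownsSession()/mustHold() and the sample
// data below are assumptions; review functions return arrays rather than a $result
// output parameter. Requires PHP 7.4+ (typed properties, ??=, fn()).

final class CoreRbac
{
    private array $users = [];     // user name => true
    private array $roles = [];     // role name => true
    private array $ua = [];        // user => [role => true]               (user assignment)
    private array $pa = [];        // role => ["object:operation" => true]  (permission assignment)
    private array $sessions = [];  // session id => ['user' => name, 'active' => [role => true]]

    // --- Admin functions ---
    public function AddUser(string $name): void { $this->users[$name] = true; $this->ua[$name] ??= []; }

    public function DeleteUser(string $name): void
    {
        // A deleted user must lose every live session, or the session keeps its rights.
        foreach ($this->sessions as $id => $s) { if ($s['user'] === $name) unset($this->sessions[$id]); }
        unset($this->users[$name], $this->ua[$name]);
    }

    public function AddRole(string $name): void { $this->roles[$name] = true; $this->pa[$name] ??= []; }

    public function DeleteRole(string $name): void
    {
        // Remove the role from every assignment and every active session, then drop its permissions.
        foreach ($this->ua as $u => $_) unset($this->ua[$u][$name]);
        foreach ($this->sessions as $id => $_) unset($this->sessions[$id]['active'][$name]);
        unset($this->roles[$name], $this->pa[$name]);
    }

    public function AssignUser(string $user, string $role): void
    {
        $this->mustHold(isset($this->users[$user], $this->roles[$role]), 'unknown user or role');
        $this->ua[$user][$role] = true;
    }

    public function DeassignUser(string $user, string $role): void
    {
        unset($this->ua[$user][$role]);
        // Deassignment must also deactivate the role in the user's open sessions.
        foreach ($this->sessions as $id => $s) { if ($s['user'] === $user) unset($this->sessions[$id]['active'][$role]); }
    }

    public function GrantPermission(string $object, string $operation, string $role): void
    {
        $this->mustHold(isset($this->roles[$role]), 'unknown role');
        $this->pa[$role]["$object:$operation"] = true;
    }

    public function RevokePermission(string $object, string $operation, string $role): void
    {
        unset($this->pa[$role]["$object:$operation"]);
    }

    // --- System functions ---
    public function CreateSession(string $user, string $session): void
    {
        $this->mustHold(isset($this->users[$user]), 'unknown user');
        // A fresh session has no active roles; the caller activates only what it needs.
        $this->sessions[$session] = ['user' => $user, 'active' => []];
    }

    public function DeleteSession(string $user, string $session): void
    {
        if ($this->ownsSession($user, $session)) unset($this->sessions[$session]);
    }

    public function AddActiveRole(string $user, string $session, string $role): void
    {
        $this->mustHold($this->ownsSession($user, $session), 'session does not belong to user');
        $this->mustHold(isset($this->ua[$user][$role]), 'role not assigned to user'); // no activating unassigned roles
        $this->sessions[$session]['active'][$role] = true;
    }

    public function DropActiveRole(string $user, string $session, string $role): void
    {
        if ($this->ownsSession($user, $session)) unset($this->sessions[$session]['active'][$role]);
    }

    public function CheckAccess(string $session, string $operation, string $object): bool
    {
        // Decide on the session's *active* roles, not on everything the user holds.
        foreach ($this->sessions[$session]['active'] ?? [] as $role => $_) {
            if (isset($this->pa[$role]["$object:$operation"])) return true;
        }
        return false;
    }

    // --- Review functions ---
    public function AssignedUsers(string $role): array
    {
        return array_keys(array_filter($this->ua, fn(array $roles) => isset($roles[$role])));
    }
    public function AssignedRoles(string $user): array { return array_keys($this->ua[$user] ?? []); }
    public function RolePermissions(string $role): array { return array_keys($this->pa[$role] ?? []); }
    public function UserPermissions(string $user): array
    {
        $perms = [];
        foreach ($this->AssignedRoles($user) as $role) $perms += $this->pa[$role] ?? [];
        return array_keys($perms);
    }
    public function SessionRoles(string $session): array { return array_keys($this->sessions[$session]['active'] ?? []); }

    private function ownsSession(string $user, string $session): bool
    {
        return ($this->sessions[$session]['user'] ?? null) === $user;
    }
    private function mustHold(bool $ok, string $message): void
    {
        if (!$ok) throw new InvalidArgumentException($message);
    }
}

// Constructed sample data: alice holds two roles but activates only one in her session.
$rbac = new CoreRbac();
$rbac->AddUser('alice');
$rbac->AddRole('editor');
$rbac->AddRole('admin');
$rbac->AssignUser('alice', 'editor');
$rbac->AssignUser('alice', 'admin');
$rbac->GrantPermission('article', 'write', 'editor');
$rbac->GrantPermission('account', 'delete', 'admin');
$rbac->CreateSession('alice', 'sess-1');
$rbac->AddActiveRole('alice', 'sess-1', 'editor');
var_dump($rbac->CheckAccess('sess-1', 'write', 'article'));
var_dump($rbac->CheckAccess('sess-1', 'delete', 'account'));
$rbac->DeassignUser('alice', 'editor');
var_dump($rbac->CheckAccess('sess-1', 'write', 'article'));
```

The first CheckAccess succeeds because editor is active in sess-1; the second fails even though alice holds admin, because she never activated it in that session; the third fails because DeassignUser removed editor from the live session as well as from the assignment table. That last behaviour is the one most ad hoc RBAC code gets wrong: if the session caches its role set and nothing writes back to it, a deassigned user keeps the role until they log out. Whether these belong in one "god" class or in the RBACAdmin/RBACSystem split is a design question; the invariant that admin operations must reach into session state is not.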