I know Spring Security is good for standard role and permission based authorisation. What I'm not sure is this scenario:
There are 10,000 employees managed in the system, employees organised into an org chart (a tree of who reports to who across departments). Some of these employees are users. These users are only permitted to access employees in their line of responsibility (their branch in the tree / a descendant of their employee).
So I am wondering how do modern Java EE (or other) systems manage these checks? Can Spring Security (ACL) do this and How can it be modelled?
Our old implementation (many years ago) is when a user accesses an employee we can check whether the requested employee is a descendant by recursing up the tree. But this is not the ideal solution and we want to use a new solution.
As I've been working on this subject like for a month now, I can give you my answer to this question, however there might be a better answer.
There is something as Role Hierarchy in Spring Security and if you use ROLE_A > ROLE_B then ROLE_A will have all authorizations that ROLE_B has.
So there are two options here:
1. For every user and its descendants have a pair of roles like . ROLE_USERi for the user and ROLE_USERiDESC for its descendants. You will have
ROLE_USERi > ROLE_USERiDESC
But (as I don't know your org chart) this may be insufficient because there may be a lot of these pairs! It's, somehow, suitable if your tree has two or three levels (ROLE_USER has at most one or two ascendants) because the higher the role is, the more authorities it will have.
2. In my project (which by accident is so much similar) I did the other alternative. I have some basic roles for some basic actions. And I have a "caring group" in which a carer can observe its descendants data.
Why would I do that? Because I have to have roles for some action (like edit, delete, accessing to some sensitive data and ...) and caring groups to observe.
If A is a carer of B, it can observe B's data, but A cannot do anything beyond its authorities.
BTW, It's not yet completely tested and you may come to another possible solution.
See Also: