Managing special roles
I have a web-app configured with spring security which gets users and roles from an ldap tree.
I have a dn ou=User,dc=application for users and, for role, ou=Groups,dc=application .
Every role is an entry in the second subtree and the association is made by attribute member in role entry.
Actually i have 5 different role access (ROLE_A, ROLE_B, ROLE_C, ROLE_D, ROLE_E) : every role gives grant to access to a specific url. Every role are independent.
Role subtree schema (very simple and incomplete)
Now I have to satisfy a request to insert 3 new roles (ROLE_F, ROLE_G, ROLE_H) that can be assigned following a fixed schema :
- ROLE_F can be assigned only if user is in role to ROLE_B, ROLE_D,
- ROLE_G can be assigned only if user is in role ROLE_C or ROLE_E
- ROLE_H can be assigned only if user is in role ROLE_A or ROLE_B
Which is the best pratice to manage these 3 new roles? Shall I consider them as independent and managed dependency in application or what else?