

Grouping roles

Each role is allocated to at least one group. The relations between the roles and the role groups are kept in a separate table (AR_Role_Groups). A role is allocated to a group by the administrator. To add a role to a group, we first have to check the group type (the type of the role has to be the same as the type of the group) and the group content (a role can be added only to a group that contains role definitions, not other groups). If these two requirements are met, we then have to verify that the new role can cooperate with the other roles currently defined in this group. This process is done automatically on the basis of the role constraints defined for the roles. These constraints specify which roles cannot be used at the same time in one role group. The constraints for the roles are stored in a different table (AR_Role_Constraints; see section 1.13, figure 1.8) than the constraints for the groups (AR_Group_Constraints; see section 1.13, figure 1.8).

Table 1.14: Constraints for the roles
role_cons_id role1_cons_id role2_cons_id 1


The fields role1_id and role2_id are foreign keys to the roles table (AR_Roles table). The algorithm that verifies the roles takes the current list of roles from the group to which we want to add the role. Each value from the list is paired, one by one, with the id of the new role. Each pair of values is used as a condition for the WHERE clause in the following SQL statement:

SELECT role_cons_id
FROM ar_role_constraints
WHERE (role1_cons_id='existing_role' AND role2_cons_id='new_role')
   OR (role1_cons_id='new_role' AND role2_cons_id='existing_role')

For each pair of roles one SELECT is executed. When all combinations of roles are positively verified (no results for each combination), the role can be added to the group. If there is a result for some pair, this means that there are constraints and the role cannot be added to the group. The algorithm does not stop at this point; it goes through all the combinations. All results are collected and then shown to the administrator, who gets a clear picture of which roles are in conflict with the new role.
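The verification loop described above, as an added example that is not code from the original document: it runs the SELECT once per existing role, checks both column orders, and collects every hit instead of stopping at the first. The ar_role_groups columns (group_id, role_id), the function names and the in-memory SQLite data are assumptions made for the example, and role ids are passed as bound parameters rather than quoted literals so they never become part of the SQL text.

```python
import sqlite3

# ar_role_constraints columns follow the page's SELECT statement.
# The ar_role_groups columns (group_id, role_id) are assumed for this example.
SCHEMA = """
CREATE TABLE ar_role_groups (group_id INTEGER, role_id INTEGER);
CREATE TABLE ar_role_constraints (
    role_cons_id  INTEGER PRIMARY KEY,
    role1_cons_id INTEGER,
    role2_cons_id INTEGER);
"""

PAIR_CHECK = """
SELECT role_cons_id FROM ar_role_constraints
WHERE (role1_cons_id = ? AND role2_cons_id = ?)
   OR (role1_cons_id = ? AND role2_cons_id = ?)
"""

def find_conflicts(db, group_id, new_role):
    """Return [(existing_role, role_cons_id), ...] for every constraint hit."""
    current = [r for (r,) in db.execute(
        "SELECT role_id FROM ar_role_groups WHERE group_id = ? ORDER BY role_id",
        (group_id,))]
    conflicts = []
    for existing in current:
        # One SELECT per pair; keep going after a hit so all conflicts are reported.
        rows = db.execute(PAIR_CHECK, (existing, new_role, new_role, existing))
        conflicts.extend((existing, cons_id) for (cons_id,) in rows)
    return conflicts

def add_role(db, group_id, new_role):
    """Insert the role only when no constraint matched; return the conflict list."""
    conflicts = find_conflicts(db, group_id, new_role)
    if not conflicts:
        db.execute("INSERT INTO ar_role_groups VALUES (?, ?)", (group_id, new_role))
    return conflicts

def demo_db():
    """Constructed sample data: group 1 holds roles 10, 11 and 12."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ar_role_groups VALUES (?, ?)", [(1, 10), (1, 11), (1, 12)])
    # Role 20 conflicts with 10 (stored as 10,20) and with 12 (stored as 20,12).
    db.executemany("INSERT INTO ar_role_constraints VALUES (?, ?, ?)",
                   [(1, 10, 20), (2, 20, 12), (3, 11, 30)])
    return db

if __name__ == "__main__":
    print(add_role(demo_db(), 1, 20))
```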


Marek Imialek 2006-06-22