basically, there is no way to associate a role with a group. if i wanted to display a list of roles for a project, you can't do it right now. there is no table that binds roles with groups. but the grant(User, Group, Role) requires all three. there is no TURBINE_GROUP_ROLE, so there is no way to add a role to a project. so there is no way to display a list of roles for a project. am i missing something? i asked daveb to look at it and he arrived at the same conclusion i did. the point is that roles are global so there is no and should not be an assoc between them again: roles do not belong to projects if they did you would not need a Group as parameter to grant() it would be implied example: there is role "admin" which has certain permissions (does not matter) the javadocs _say_ role _within_ a group. it says: .. assign user a role within a group... you should read: assign... within a group not role within a group well that's not what it says. no! it's a grammatical ambiguity and if roles are global then why is there a group table? "within" attaches to "assign" if there is only one. sounds like we are where we've started... in our discussion of how you thought the projects should be displayed with all the roles associated with that project: i can't do that. group is NOT a group of roles! there are no roles assoc with a project let's go back to the example, OK? we have few roles (they are global): hold on one sec. "admin", "developer", "tester", "guest" go ahead but what if you wanted an admin role for each project, why is there even a group table if all roles are global? this is really pissing me off. the docs suck! group is a project yes, i get that [ even though the names are god awful ] but you also said that permissions are global, but there is a table relating permissions with roles? role IS a group of permissions i am just trying to produce the first form that we discussed. can we do that? produce what? 
go ahead i thought we were going to present the admin with a list of projects and the roles associated with those projects and the intersection would be checkboxes. you sure there isn't a mistake in the schema and that Rafal just used the global group for everything? omit "associated with those projects" and i agree so you just show a huge list of roles that are global? right not amny though s/amny/many not so many. well, for tambora we have different groups/projects and the roles for those projects are distinct so if this thing works with only global roles then i think there's a problem. how can projects share the same set of roles. can you tell what particular roles those are? i want to see why you need that and persuade you that you do not ;-) in tambora there are two distinct systems, storage and transport and the roles within them are very different. can you elaborate more? can we go over an example of how you think it works. the last time we were discussing this with john, i got the distinct impression that roles were separated by group. we were arguing whether to use checkboxes or lists because you might have to select a project before selecting a role. ;-) ok i continue: fedor> we have few roles (they are global): "admin", "developer", "tester", "guest" ("fedor" is not a role ;-) :-) and we have a few projects: "scarab", "turbine", "velocity" and there are users: jon, geir, jason you do: grant(jon, scarab, admin); grant(jon,scarab,developer) that sucks! grant(jason, scarab, developer) why? it's normal "tester" what if in turbine you wanted "pool-connection-tester" what's the point? you create a subproject that doesn't apply to the other projects, you're stuck with totally general categories. in turbine called "pool-connection" and give that user "tester" in it Give another example where you need it but turbine is the top-level project? probably what's the diff? you are telling me that roles will never vary for each individual project? 
roles are the same but set of roles assigned to a user is individual in our last example user "ThatGuyThatTestsPoolsAndNothingElse" will have "tester" role in "connection-pool" subproject and "guest" role in project "Turbine" but the name tester will be duplicated then "tester" for turbine, and "tester" for the connection pool on the list of roles? what if you had turbine as the tool for a website management tool: you would have content managers, editors, designers. you are telling me that the roles each of these people play would be the same? no way. if they perform different _functions_ say the designer could change some ui features, the content providers (sorry not content manager) could enter articles, and the editors had approval abilities. those would be different roles but they are roles of those distinct categories!! those are different roles yes! but there would be roles associated with a designer that bear no relation to the roles of a content manager. what categories are you talking about? designer/content provider/editor you are saying those are roles? those are roles and say you have a site hosting... i think i'm one level away ... a few "web portals" or something what's the project(group) breakdown you would have? each site would probably be a project. right but one site might deal with mutual funds and one with books. and each would have "designer/content provider/editor" but roles as far as site management is concerned are the same sure, but you can't get any more specialized than that? example! say you have a mutual fund analyst role, and they can do certain things on the mutual fund site that wouldn't happen on the book site. isn't he just a content provider? yes, but that's a little general. for a huge financial portal you would probably have distinct financial type roles. for a huge literary site you might want to break up what types of content they provide. 
are we talking about a site management or yes, site management financial analysis tool you are mixing the two i think these would be two different pieces of software no. ok say we just have content provider. as the one role of someone who can add content to the site. and each would have its own set of roles go a set of roles only applies to a user, yes? jason is content provider, editor s/is/is a/ or rather : .. is a CP in project A, editor in project B --> Rafal (-fil@gw.e-point.pl) has joined #turbine hi hi hi rafal you are just on time! so what we are saying is that roles are universal across all projects? that one sentence would clear a lot up for me. yes. roles should be abstract I see you wrote a proposal for the admin app I'll read it in a minute yes, i think i have a fundamental misunderstanding that fedor just cleared up. we discussed the role/group stuff with Fedor and Jon a while ago i did not think of roles as universal, but being held within a group/project. yes, but the logs aren't kept anywhere, and i couldn't find anything useful in the mail archive, mostly because the search facility sucks. but fedor has been trying to educate me. no... roles are universal, but you assign them to a user *within* a group (project etc) yes, that has finally sunk in. that is the one sentence i was looking for "roles are universal". ok, we were talking about a portal site can we just go a little further with it? we had the roles of designer/content provider/editor sure and we had two sites, a large financial site, and a large literary site. I have working portal software running on Turbine so I know this sort of stuff great! in our system we have a content tree each of the portals would be children of the root node and do you distinguish who is actually allowed to add/edit particular types of content? 
in our system we associate a turbine group with a node (and possibly its children) then we have roles a few 'editor' roles with varying set of permissions (like edit article, add section and so on) so each group is a different site? yes. you can have a few groups for one site - for particular parts of it. a fragment of the content tree... it's clean and simple can i continue with my example, and then you point me in the right direction vis-a-vis making new groups/perms and what not? what do you think? ok. you have some abstract content tree you establish a mapping between the content tree and turbine groups for an arbitrary content node, you can give a list of one or more turbine groups that are associated with it you create a role 'content provider' and 'editor' roles define permissions 'add article' 'edit article' 'remove article' 'add section' 'remove section' 'content provider' has article related permissions, 'editor' has both article and section related. so for distinct parts of your site you have created turbine groups. ok that helps a lot too. then assign 'content provider' in 'portal A' group to 'John Doe' user, and so on. and so the 'content provider' role in group A can have a different set of permissions than the role 'content provider' in group B? the administrative application has to check what groups the 'current node' is associated with and check if the user has the permission to execute an action within any of these groups. the 'groups' abstraction that Jon forged for Scarab project proved to be really useful... no. a role has a single set of permissions. if you need a different set, you can create a different role, but ... in this portal related stuff here, the permissions should be basically the same in all parts of the portal. so should be the roles. user 'A' can be content provider for the financial site, and an editor of some part of the other site... 
how about the notion of a content provider for a financial site being different from that of a content provider for a literary site: say for a financial CP permission to change daily stock quotes, and literary CP say update top 10 list? no, these are different roles why would you like to make them one? so then 'financial content provider' and 'literary content provider'? i'm simply trying to understand the model, that's all. and each of those roles have their own perms. ok. yes i think content provider is content provider that's it if the 'content' means the same in both sites, you need one role usually the portal will have both 'articles' and 'applications' embedded in the application tree. usually applications will need different roles/permission than the articles. s/application tree/navigation tree/ thanks, rafal that helps a lot! ok ignore my postings, as i had a fundamental misunderstanding. alright :) i will adjust the proposal as i understand now how it's supposed to work. do you use a webapp for your admin, or using an LDAP client? talking about the proposal, AccessControlList is not pluggable AccessControlBuilder is not used any more (access.control setting in TR.p) we use database console right now :( ah! we don't have too many administrators in our portal so it kind of works... yup, i do that too. ok, so the access.control is a property that can be removed now? i will clean that up if that's the case. can i remove the whole access control section from the TR.props. i'm looking at the master file right now and it's not there hmmm I must have removed it earlier. ok, i'm looking at project i'm working on and it's probably not updated. so people never have to extend the AccessControlList class? no. there's no way to do this now, and I think there is no need to. that's cool. just checking. i will write an xdoc today. with the info i've gathered here and finish the proposal so i can get started on the admin app for tambora and the tdk. good. 
my friends have some ideas for the UI... I need to write them down. OneWeb (the other e-point project) has quite nice security admin app and we could steal a few bits cool, just toss them in the proposals directory and we can work on them together. sure that would be great! i have to get something working this week for tambora. I'll be back in a minute...