tags:

views:

13

answers:

0
Q: 

Role Based Authorization Guidelines

Does anybody have some pointers for designing roles for authentication in a big organization?

e.g. a user may have a roles as 'manager' within a department 'sales', but have role 'user' for accessing payroll data etc.. Should he then have roles called 'sales_manager' and 'payroll' or are there better ways of doing this?

I want to stop people creating roles like 'sales_javafrontend_user'.

I can't seem to find guidelines on the net..

related questions

Should unauthorized actions in the UI be hidden, disabled, or result in an error?
Porting JDBCRealm from tomcat to OC4J
Any frameworks on Authentication & Authorization for Windows Form Application?
How to design database for authorization and authentication
ASP.NET MVC Authorization
Custom Rails authentication / authorization
How to handle authorization when using NHibernate in .NET
How to allow authorization to an rss feed using ASP.NET MVC?
Security integration with arcPlan Enterprise
Best way to implement fine-grained authorization for a web application?
Authentication system for ASP.NET web applications?
User Access Checking for Rights on Particular Database Objects or Records
Authorizing REST Requests
Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?
How do you restrict access to a certain user using ASP.NET MVC?
Scalable/Reusable Authorization Model
Forms Authentication Error in WCF
What are the best-practices around resource list authorization?
Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?
Non-interactive authentication/authorization for XML-RPC?
WCF Service authorization patterns
Managing large user databases for single-signon.
Best way to handle user account authentication and passwords
Best practise to authorize all users for just one page in asp.net
Why do I get the error "Unable to update the password" when calling AzMan?