
ADR-008 security-roles

Status

accepted

Context

We need to restrict access to certain features of the application so users can only use and see what is meant for them.

Permission-based access would require a non-open-source component, and this product should be open source in all aspects.

Decision

We are using a role-based security model instead of a permission-based model.

Todo

  • All backend REST controller methods need the @PreAuthorize annotation for role binding
  • All frontend components that should be secured need the custom v-security directive
  • Roles for the personas have to be defined and implemented in Keycloak
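As an added illustration of the frontend item above (example code, not the project's own v-security directive), the block below sketches a Vue 3 style custom directive that reads the user's roles from a Keycloak access token and hides an element unless the user holds one of the roles named in the directive value. It assumes the Vue 3 directive hook shape (mounted/updated) and Keycloak's realm_access / resource_access claim layout; the client id, role names and the token itself are constructed for the demo. Hiding a component only tidies the UI; the backend @PreAuthorize check on each controller method remains the point where the role is actually enforced, and the frontend never sees an unverified token as authoritative.

```javascript
// Added example, not part of the ADR or the project code base.
// Minimal v-security directive for a role-based UI, driven by Keycloak roles.

// base64url <-> UTF-8 helpers (JWT segments are base64url without padding).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}
function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode a JWT payload without verifying it. The frontend only uses the claims
// to decide what to render; signature verification and role enforcement
// happen on the backend (@PreAuthorize), so nothing here is a security boundary.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Collect realm roles and client roles from Keycloak's standard claim layout.
function rolesFromClaims(claims, clientId) {
  const realm = (claims.realm_access && claims.realm_access.roles) || [];
  const clientAccess = claims.resource_access && claims.resource_access[clientId];
  const client = (clientAccess && clientAccess.roles) || [];
  return new Set([...realm, ...client]);
}

// True if the user holds at least one of the required roles.
function hasAnyRole(userRoles, required) {
  const needed = Array.isArray(required) ? required : [required];
  return needed.some((role) => userRoles.has(role));
}

// Directive factory. `getRoles` is injected so the directive can be exercised
// outside a browser; in the app it would read the current Keycloak session.
function createSecurityDirective(getRoles) {
  const apply = (el, binding) => {
    const allowed = hasAnyRole(getRoles(), binding.value);
    // Hide instead of removing so `updated` can show it again after a role refresh.
    el.style.display = allowed ? "" : "none";
    el.setAttribute("aria-hidden", String(!allowed));
    return allowed;
  };
  return { mounted: apply, updated: apply };
}

// Constructed demo token: header.payload.placeholder-signature (not a real signature).
const CLIENT_ID = "example-app"; // constructed client id
const demoToken = [
  b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({
    sub: "user-1",
    realm_access: { roles: ["viewer"] },
    resource_access: { [CLIENT_ID]: { roles: ["report-reader"] } },
  })),
  "signature-placeholder",
].join(".");

// Stand-in for a DOM element, enough for the directive hooks above.
function fakeElement() {
  return { style: {}, attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } };
}

// Walk through the directive with the constructed token and two guarded elements.
function demo() {
  const roles = rolesFromClaims(decodeJwtPayload(demoToken), CLIENT_ID);
  const vSecurity = createSecurityDirective(() => roles);
  const adminButton = fakeElement();
  const reportLink = fakeElement();
  return {
    adminShown: vSecurity.mounted(adminButton, { value: "admin" }),
    reportShown: vSecurity.mounted(reportLink, { value: ["admin", "report-reader"] }),
    adminDisplay: adminButton.style.display,
    reportHidden: reportLink.attrs["aria-hidden"],
  };
}

console.log(demo());
```

In the application the directive would be registered once (`app.directive("security", createSecurityDirective(...))`) and used as `v-security="'admin'"` or `v-security="['admin', 'report-reader']"`; every guarded element should map to a backend endpoint that carries the matching @PreAuthorize role check, since the directive alone cannot stop a request.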

Consequences

Access restrictions have to be considered for each feature. With role-based access management the authorization is less complicated than it would be with permission-based access management: the granularity is lower and therefore easier to maintain.
