Permission based Authorization vs. Role based Authorization - Best Practices - 11g
By Prakash Yamuna-Oracle on Jun 11, 2012
In previous blog posts here and here I have alluded to the support in OWSM for Permission based authorization and Role based authorization support. Recently I was having a conversation with an internal team in Oracle looking to use OWSM for their Web Services security needs and one of the topics was around - When to use permission based authorization vs. role based authorization?
As in most scenarios the answer is it depends! There are trade-offs involved in using the two approaches and you need to understand the trade-offs and you need to understand which trade-offs are better for your scenario.
Role based Authorization:
- Simple to use. Just create a new custom OWSM policy and specify the role in the policy (using EM Fusion Middleware Control).
- Inconsistent if you have multiple type of resources in an application (ex: EJBs, Web Apps, Web Services) - ex: the model for securing EJBs with roles or the model for securing Web App roles - is inconsistent.
- Since the model is inconsistent, tooling is also fairly inconsistent.
- Achieving this use-case using JDeveloper is slightly complex - since JDeveloper does not directly support creating OWSM custom policies.
Permission based Authorization:
- More complex. You need to attach both an OWSM policy and create OPSS Permission authorization policies. (Note: OWSM leverages OPSS Permission based Authorization support).
- More appropriate if you have multiple type of resources in an application (ex: EJBs, Web Apps, Web Services) and want a consistent authorization model.
- Consistent Tooling for managing authorization across different resources (ex: EM Fusion Middleware Control).
- Better Lifecycle support in terms of T2P, etc.
- Achieving this use-case using JDeveloper is slightly complex - since JDeveloper does not directly support creating/editing OPSS Permission based authorization policies.