Comment: Simplified the User Group design

...

The AM supports grouping users into User Groups, User Roles, and Policies. From the AM's perspective, all three group types are the same (they are just lists of users), but the different types of lists have meaning to the OFBiz administrator. There is no built-in significance to any group type; they are merely a convenience for the administrator, who will create Groups, Roles, and Policies appropriate for his/her organization and then assign users as members of those groups.

Groups

A user can be a member of a User Group, a User Role, or a Policy. In addition, groups can be members of each other. For example, user X can be a member of User Group Y, and User Group Y can be a member of Policy Z. Users and groups can be members of more than one group. Because memberships nest, the AM has to resolve a user's effective groups transitively, and because nothing prevents two groups from being members of each other, that resolution must tolerate cycles in the membership graph.

The AM supports assigning artifact permissions to users, User Groups, User Roles, and Policies. Assigning artifact permissions to a user or group simply means a connection is made between the user or group and a set of artifact permissions; in other words, the user or group "points to" a set of artifact permissions. A user therefore holds permissions both directly and through every group (including nested groups) of which the user is a member.

...

Authorization Manager Artifact    Properties
User                              IsUser, HasPermissions, IsMember
User Group                        HasPermissions, IsMember, HasMembers
User Role                         HasPermissions, IsMember, HasMembers
Policy                            HasPermissions, IsMember, HasMembers

The Authorization Manager must support the following operations:

  1. Create/update/delete users.
  2. Create/update/delete User Groups, User Roles, and Policies.
  3. Create/delete group memberships.
  4. Create/delete artifact permission assignments to users and groups.
  5. Return a list of permission flags and permission services for a given user/artifact pair.

Other operations could be included to support a security administration user interface.

...


The AM is itself a security-aware artifact: users must hold the appropriate permissions on the AM to perform any of the AM create/update/delete operations listed above.
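The following is an added illustration of the design above (the three group types, nested membership, permission assignment, the five required operations, and the AM guarding its own operations); it is example code written for this page, not OFBiz code, and every name in it (AM_ARTIFACT, the "Invoice" artifact, the user, group, flag and service names) is a hypothetical assumption. It shows the two points the prose implies but does not spell out: operation 5 is a union over the user and every transitively containing group, and that walk needs a visited set because groups may be members of each other.

```python
from collections import defaultdict, deque

# Hypothetical names (not from the design page): the AM is guarded as an artifact.
AM_ARTIFACT = "AuthorizationManager"
GROUP_TYPES = ("UserGroup", "UserRole", "Policy")


class AuthorizationManager:
    """In-memory model of the AM design: users, three group kinds the AM treats alike,
    nested memberships, and per-artifact permission flags and services."""

    def __init__(self):
        self.users = set()
        self.groups = {}                                       # group -> type
        self.members = defaultdict(set)                        # group -> direct members
        self.member_of = defaultdict(set)                      # principal -> groups it is in
        self.flags = defaultdict(lambda: defaultdict(set))     # principal -> artifact -> flags
        self.services = defaultdict(lambda: defaultdict(set))  # principal -> artifact -> services

    def _known(self, principal):
        return principal in self.users or principal in self.groups

    def _closure(self, principal):
        """Every group reachable by following memberships. Groups may be members
        of each other, so the visited set is what keeps a cyclic graph from looping."""
        seen, todo = set(), deque([principal])
        while todo:
            for group in self.member_of[todo.popleft()]:
                if group not in seen:
                    seen.add(group)
                    todo.append(group)
        return seen

    def _require(self, actor, flag):
        """The AM is security-aware: the actor needs the flag on the AM artifact itself."""
        if flag not in self.permissions_for(actor, AM_ARTIFACT)[0]:
            raise PermissionError(f"{actor} lacks '{flag}' on {AM_ARTIFACT}")

    def bootstrap_admin(self, user):
        """Unchecked seed: someone must hold AM permissions before any check can pass."""
        self.users.add(user)
        self.flags[user][AM_ARTIFACT] |= {"create", "update", "delete"}

    # Operations 1-4: every mutation is gated on a permission on the AM artifact.
    def create_user(self, actor, user):
        self._require(actor, "create")
        self.users.add(user)

    def create_group(self, actor, name, kind):
        self._require(actor, "create")
        if kind not in GROUP_TYPES:
            raise ValueError(f"unknown group type {kind!r}")
        self.groups[name] = kind

    def add_member(self, actor, principal, group):
        self._require(actor, "create")
        if not self._known(principal) or group not in self.groups:
            raise KeyError((principal, group))
        self.members[group].add(principal)
        self.member_of[principal].add(group)

    def remove_member(self, actor, principal, group):
        self._require(actor, "delete")
        self.members[group].discard(principal)
        self.member_of[principal].discard(group)

    def assign(self, actor, principal, artifact, flags=(), services=()):
        self._require(actor, "create")
        if not self._known(principal):
            raise KeyError(principal)
        self.flags[principal][artifact] |= set(flags)
        self.services[principal][artifact] |= set(services)

    # Operation 5: flags and services for a user/artifact pair, resolved over the
    # user's own assignments plus those of every transitively containing group.
    def permissions_for(self, user, artifact):
        principals = {user} | self._closure(user)
        flags = set().union(*(self.flags[p][artifact] for p in principals))
        services = set().union(*(self.services[p][artifact] for p in principals))
        return sorted(flags), sorted(services)


def demo():
    """Constructed sample data (hypothetical names): a nested, deliberately cyclic graph."""
    am = AuthorizationManager()
    am.bootstrap_admin("admin")
    am.create_user("admin", "alice")
    am.create_group("admin", "Accounting", "UserGroup")
    am.create_group("admin", "Clerk", "UserRole")
    am.create_group("admin", "ReadOnly", "Policy")
    am.add_member("admin", "alice", "Accounting")
    am.add_member("admin", "Accounting", "Clerk")       # group inside a role
    am.add_member("admin", "Clerk", "ReadOnly")         # role inside a policy
    am.add_member("admin", "ReadOnly", "Accounting")    # cycle: resolution must still terminate
    am.assign("admin", "alice", "Invoice", flags={"view"})
    am.assign("admin", "Clerk", "Invoice", flags={"create"}, services={"invoiceFilter"})
    am.assign("admin", "ReadOnly", "Invoice", flags={"view"})
    return am
```

In the sample, alice's permissions on "Invoice" come from her direct assignment, from Clerk (reached through Accounting) and from ReadOnly (reached through Clerk); the edge from ReadOnly back to Accounting is the cycle the visited set absorbs. Removing Accounting from Clerk cuts the whole chain, which is why membership deletion (operation 3) needs no separate recomputation step in this model. Note that the bootstrap step is the one unchecked operation; a real deployment would seed that first administrator out of band rather than expose it as an API.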

...