In a side conversation at the Orange County APLN meeting last week, we got to talking on the subject of role-based security, and I said that there should be a strict separation between permissions and roles, and between roles and users. That is, that the programmers should code their security checks only against permissions (never directly against roles or users), and, going the other way, that users should only be assigned roles (never assigned permissions directly).
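The two-way separation described above, as an added example that is not part of the original post: users carry only roles, roles carry only permissions, and the code that protects an operation asks a single question, "does this user hold permission X?", without ever naming a role or a user. The role names, permission names and sample users are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Permission(Enum):
    """The only vocabulary application code is allowed to check against."""
    READ_INVOICE = "invoice:read"
    APPROVE_INVOICE = "invoice:approve"
    MANAGE_USERS = "user:manage"


# Role -> permissions. This is the one place roles and permissions meet.
# Changing what a "manager" may do is a change here, not in the code below.
ROLE_PERMISSIONS = {
    "clerk": {Permission.READ_INVOICE},
    "manager": {Permission.READ_INVOICE, Permission.APPROVE_INVOICE},
    "admin": {Permission.MANAGE_USERS},
}


@dataclass(frozen=True)
class User:
    """A user is assigned roles only; there is no per-user permission field."""
    name: str
    roles: frozenset


class PermissionDenied(Exception):
    pass


def permissions_for(user: User) -> set:
    """Union of the permissions granted by each of the user's roles.
    A role missing from ROLE_PERMISSIONS grants nothing (fail closed)."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def has_permission(user: User, perm: Permission) -> bool:
    """The single check point: code asks about permissions, never roles or users."""
    return perm in permissions_for(user)


def require(perm: Permission):
    """Decorator that guards an operation with a permission check.
    The guarded function never learns which role supplied the permission."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if not has_permission(user, perm):
                raise PermissionDenied(f"{user.name} lacks {perm.value}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require(Permission.APPROVE_INVOICE)
def approve_invoice(user: User, invoice_id: str) -> str:
    return f"invoice {invoice_id} approved by {user.name}"


@require(Permission.MANAGE_USERS)
def disable_account(user: User, target: str) -> str:
    return f"account {target} disabled by {user.name}"


def try_operation(fn, user: User, arg: str) -> str:
    """Run a guarded operation and report the outcome instead of raising."""
    try:
        return fn(user, arg)
    except PermissionDenied as exc:
        return f"denied: {exc}"


# Constructed sample users (hypothetical names and role assignments).
ALICE = User("alice", frozenset({"manager"}))
BOB = User("bob", frozenset({"clerk"}))
CAROL = User("carol", frozenset({"admin", "clerk"}))

if __name__ == "__main__":
    print(try_operation(approve_invoice, ALICE, "INV-1"))   # allowed
    print(try_operation(approve_invoice, BOB, "INV-1"))     # denied
    print(try_operation(disable_account, CAROL, "bob"))     # allowed
    print(try_operation(disable_account, ALICE, "bob"))     # denied
```

Because `approve_invoice` checks `Permission.APPROVE_INVOICE` rather than `"manager" in user.roles`, granting approval rights to a new role, or splitting the manager role in two, is a one-line change to `ROLE_PERMISSIONS` with no edits to the guarded functions. Unknown roles contribute no permissions, so a typo in a role assignment results in denial rather than accidental access.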