UserRoles vs. ModuleRoles

1
Hello! This is a somewhat generic question – hoping to gather some opinions around the idea that every UserRole should correlate with one ModuleRole (a Mendix Best Practice).  Another teammate introduced me to the concept of Role Based Access Control (RBAC) and we’ve been playing around with this and ModuleRoles. Idea being that you would essentially look at each module, start with each entity, and then write a Module role for each one with corresponding pages and microflows.  Assign roles based permissions at the UserRole level.  EX: An application with the User Roles Manager and Employee . A Module named “Inventory Managemenet” may have the ModuleRoles InventoryReadWriteDelete, InventoryReadWrite, InventoryRead, EmployeeProfileReadWriteDelete, EmployeeProfileReadWrite, etc. These are then all correlated with their respective microflows/pages. (This is a REALLY condensed example).  There are definitely valid reasons to have tried this out – the biggest advantage seems to be flexibility/QUICK re-usability, especially when there are a lot of users that are very similar but ever so slightly different.  EX: Take the above Manager, Employee example and add Administrator, Junior Employee, Owner, Intern. Having all of the module roles lined up makes configuring a new UserRole super simple. Pop the Administrator role in and then go down the list and mark off exactly what they should have access to.  The two biggest cons so far are that the above setup has the potential to get WAY too granular and unmanageable, and it breaks Mendix’s best practices.  Again I know this is vague and I can try to give more context if anyone needs any clarifying information – really looking for opinions on why you would or wouldn't take this approach. 
asked
1 answers
0

I think the problem is that this way it is all black or white. With this method you can not have an entity where you have read rights on certain attributes and read/write rights on other attributes from that same entity. And what about XPath constraints. Like I can only read the entity if I am the owner of that object? You would end up with way to much module roles for each entity. With 20 entities in a module (and that is a small module imho) and let say 6 roles for each entity it would mean 120 module roles. That is not workable or am I missing something here?

Regards,

Ronald

 

answered