1

I've been reading the documentation and there are 5 base permissions mentioned:

READ, WRITE, CREATE, DELETE, and ADMINISTRATION

The first four are pretty obvious and I thought ADMINISTRATION meant all of the other four (in a hierarchy sort of way), but according to this other question that is not the case.

So, what does the ADMINISTRATION permission actually mean?

dosaki
  • The thread you are pointing to is about hierarchies, i.e. if someone can `WRITE` does that mean he also can `READ`. But indeed `ADMINISTRATION` doesn't mean all of the above in this case. `ADMINISTRATION` means can someone change settings for an object or transfer ownership. – M. Deinum Oct 09 '14 at 11:18
  • So `ADMINISTRATION` is used for actions typically seen in a control dashboard? – dosaki Oct 09 '14 at 13:17

1 Answer

5

They mean nothing. They're strings wrapped up in small permission objects, but in the end, they're placeholders for numbers; 1, 2, 4, 8, 16, ...

Logically you grant User with id 12347 WRITE and READ permissions for Book with id 28543867, but you're really granting permissions 1 and 2. 2 doesn't automatically imply 1 like you might think, because that only makes sense in our brains - you can't edit if you can't view what you're editing. And an ADMIN permission should imply READ, WRITE, DELETE, etc. but it doesn't, because to Spring Security it's not an admin permission, it's just 16.

These permissions are only the default set, but you can extend it, remove some you don't need, replace some with ones with different names, or ignore the whole set and redefine yours from scratch. As long as the changes you make are consistent with the API, and each permission has a unique value that's a power of 2, then you can start granting permission SLEEP_LATE(8), DRIVE_20_OVER_THE_SPEED_LIMIT_AFTER_MIDNIGHT(32), etc.

Burt Beckwith
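
The point made in the answer above, as an added example that is not part of the original answer or of Spring Security itself: an extra permission is just another power of two, and ADMINISTRATION only implies the others if you write that rule yourself. The class names `LibraryPermission`, `ARCHIVE` and `AdminImpliesAllStrategy` are hypothetical, and the sketch assumes a Spring Security version in which `DefaultPermissionGrantingStrategy` exposes the protected `isGranted(AccessControlEntry, Permission)` hook.

```java
import org.springframework.security.acls.domain.AuditLogger;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Permission;

/** Hypothetical extra permission: the next free power of two after ADMINISTRATION (16). */
class LibraryPermission extends BasePermission {

    public static final Permission ARCHIVE = new LibraryPermission(1 << 5, 'X'); // 32

    protected LibraryPermission(int mask, char code) {
        super(mask, code);
    }
}

/**
 * Hypothetical strategy: a granting ADMINISTRATION entry satisfies any requested
 * permission. Every other entry keeps the stock exact-mask comparison.
 */
class AdminImpliesAllStrategy extends DefaultPermissionGrantingStrategy {

    AdminImpliesAllStrategy(AuditLogger auditLogger) {
        super(auditLogger);
    }

    @Override
    protected boolean isGranted(AccessControlEntry ace, Permission requested) {
        // Stock behaviour: the ACE mask must equal the requested mask, so an
        // entry holding 16 (ADMINISTRATION) never matches a request for 1 (READ).
        if (super.isGranted(ace, requested)) {
            return true;
        }
        // Added rule, limited to granting entries so that a deny entry for
        // ADMINISTRATION does not silently become a deny for READ, WRITE, etc.
        return ace.isGranting()
                && ace.getPermission().getMask() == BasePermission.ADMINISTRATION.getMask();
    }
}
```

The strategy changes nothing until it replaces the default granting strategy in the ACL configuration, and from then on every existing ADMINISTRATION grant carries the wider meaning, so review those entries before switching.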