Authorizations are enforced in the user management engine (UME) using permissions, actions, and roles.
Internally in their Java code, applications define UME permissions and use them for access control. UME permissions are an implementation of Java permissions.
An action is a collection of permissions. Every application defines its own set of actions and specifies the permissions assigned to the actions either in an XML file or (more seldom) dynamically in the code. The actions appear in the user management administration console, where you can group them together into roles.
UME Roles group together actions from one or more applications. You assign roles to users in the user management administration console. By assigning roles to users, you define the users' authorizations.
The following figure illustrates the relationship between permissions, actions, and roles.
The advantage of having both actions and permissions is:
The user management administration console is an application running on the UME. The application defines permissions in the code for activities such as changing a user's profile or modifying roles. In the XML file an action Manage_Roles is defined that groups together all permissions that a user requires to administrate roles. This action includes permissions for viewing, modifying, and deleting roles.
For example, you could create a role called Role Administrator and assign the action Manage_Roles to it. Then you could assign any administrator that requires permissions to administrate roles to the Role Administrator role.
The corresponding UME interfaces are included in the packages: