Broadleaf Microservices
  • v1.0.0-latest-prod

Creating New Permissions

During development, adding new permissions is something you’d usually achieve with SQL inserts via Liquibase change logs.

Let’s assume we want to add a new permission with a permission root called PAYMENT and add it to our FULL_ACCESS role. By default, Broadleaf has a role called FULL_ACCESS with a role ID of -2.

A permission root can have several permutations, one per operation, which is why PAYMENT is called a permission root rather than a permission:

READ_PAYMENT
UPDATE_PAYMENT
CREATE_PAYMENT
DELETE_PAYMENT
ALL_PAYMENT

For most purposes only two need to be defined: READ and ALL. Granting a delete permission without an update permission, for example, rarely makes sense. Edge cases that call for the finer-grained permutations do exist, so it is worth knowing the option is available.

ALL_PAYMENT allows full access to the resource, and READ_PAYMENT provides read access.

We’ll start by inserting the permissions into the auth.BLC_USER_PERMISSION table. Each row needs its own tuple in the VALUES list, separated by commas:

INSERT INTO blc_user_permission (id, "name", last_updated) VALUES
('readPayment', 'READ_PAYMENT', '2020-06-01 15:45:44.030'),
('allPayment', 'ALL_PAYMENT', '2020-06-01 15:45:44.030');

Then, we add a scope. The scope should be the name of the permission root:

INSERT INTO blc_security_scope (id, "name", "open") VALUES
('PAYMENT_SCOPE', 'PAYMENT', 'N');

Now, we’ll grant the ALL_PAYMENT permission to the FULL_ACCESS role (role ID -2). Note that READ_PAYMENT is not assigned to any role by this step; it has no effect until some role is given it:

INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES
('-2', 'allPayment');

Finally, we’ll add the permission scope, which ties the PAYMENT permission root to the PAYMENT_SCOPE security scope created above:

INSERT INTO blc_permission_scope (id,"permission",is_permission_root,scope_id) VALUES
('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');

If this is a permission to be assigned to customer users, it may be desirable to add the permission to the existing CUSTOMER_USER scope.

In summary, the steps are:

  1. Add the new permission or permissions

  2. Add the security scope for the permission

  3. Assign the permission(s) to one or more roles

  4. Add a permission scope and tie it to the security scope
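The four steps above, collected into one Liquibase formatted-SQL changelog. This is an added example, not a change log shipped by Broadleaf; the file name, the author and changeset ids (`payments-team:payment-permission-N`) are assumptions. Each changeset is guarded by an SQL-check precondition so that re-running the changelog against a database that already contains the rows marks the changeset as ran instead of failing on a duplicate key, and each carries a rollback statement.

```sql
--liquibase formatted sql

-- Added example changelog (assumed file: db/changelog/auth/payment-permission.sql).
-- Table and column names, ids and values are the ones used on this page;
-- author and changeset ids are assumptions.

--changeset payments-team:payment-permission-1
--preconditions onFail:MARK_RAN
--precondition-sql-check expectedResult:0 SELECT COUNT(*) FROM blc_user_permission WHERE id IN ('readPayment', 'allPayment')
-- Step 1: the permissions. READ_PAYMENT and ALL_PAYMENT are the two
-- permutations of the PAYMENT root that are normally sufficient.
INSERT INTO blc_user_permission (id, "name", last_updated) VALUES
('readPayment', 'READ_PAYMENT', '2020-06-01 15:45:44.030'),
('allPayment',  'ALL_PAYMENT',  '2020-06-01 15:45:44.030');
--rollback DELETE FROM blc_user_permission WHERE id IN ('readPayment', 'allPayment');

--changeset payments-team:payment-permission-2
--preconditions onFail:MARK_RAN
--precondition-sql-check expectedResult:0 SELECT COUNT(*) FROM blc_security_scope WHERE id = 'PAYMENT_SCOPE'
-- Step 2: the security scope, named after the permission root.
INSERT INTO blc_security_scope (id, "name", "open") VALUES
('PAYMENT_SCOPE', 'PAYMENT', 'N');
--rollback DELETE FROM blc_security_scope WHERE id = 'PAYMENT_SCOPE';

--changeset payments-team:payment-permission-3
--preconditions onFail:MARK_RAN
--precondition-sql-check expectedResult:0 SELECT COUNT(*) FROM blc_role_permission_xref WHERE role_id = '-2' AND permission_id = 'allPayment'
-- Step 3: grant ALL_PAYMENT to FULL_ACCESS (role id -2). READ_PAYMENT is
-- deliberately left unassigned here; it does nothing until a role receives it.
INSERT INTO blc_role_permission_xref (role_id, permission_id) VALUES
('-2', 'allPayment');
--rollback DELETE FROM blc_role_permission_xref WHERE role_id = '-2' AND permission_id = 'allPayment';

--changeset payments-team:payment-permission-4
--preconditions onFail:MARK_RAN
--precondition-sql-check expectedResult:0 SELECT COUNT(*) FROM blc_permission_scope WHERE id = 'paymentScope'
-- Step 4: the permission scope that ties the PAYMENT root to PAYMENT_SCOPE.
-- Depends on changeset 2 having created PAYMENT_SCOPE.
INSERT INTO blc_permission_scope (id, "permission", is_permission_root, scope_id) VALUES
('paymentScope', 'PAYMENT', 'Y', 'PAYMENT_SCOPE');
--rollback DELETE FROM blc_permission_scope WHERE id = 'paymentScope';
```

Keep the changesets in this order: step 3 references the permission id inserted in step 1, and step 4 references the scope id inserted in step 2. After `liquibase update` has run, a quick check that the grant landed is `SELECT p."name" FROM blc_role_permission_xref x JOIN blc_user_permission p ON p.id = x.permission_id WHERE x.role_id = '-2'`, which should list ALL_PAYMENT among the FULL_ACCESS permissions and should not list READ_PAYMENT, since nothing above assigns it.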