Liferay Role Association with Users and Permissions Algorithm 6

A Role is basically a set of permissions. When a Role is assigned to a User, that user can do whatever the Role permits. Liferay provides a well-defined roles and permissions architecture that can be managed from the Control Panel. In this blog I want to describe how users are associated with roles, either directly or indirectly through Sites, Organizations and User Groups.

1) Regular Role - A Regular Role is created to define permissions within the portal scope. A user is associated with a Regular Role either directly or through membership of a Site, Organization or User Group to which the role is assigned.

2) Site Role - A Site Role is created to define permissions within the site scope and is assigned within a Site. If a user is a member of the Site, either directly or indirectly (as a member of an Organization or User Group that is itself a member of that Site), he has the permissions of the Site Role.

3) Organizational Role - An Organizational Role is created to define permissions within the organization scope. Organizational Roles can be assigned to organization users: if a user is a member of an Organization, he can be assigned an Organizational Role of that Organization.

Permissions Algorithm - Permissions are the actions a user is authorized to perform. Permissions are a core part of the Liferay architecture, and for each entity a large number of entries must be added to the database. Liferay 6.x introduced Advanced Permissions Algorithm 6, which reduces the database size significantly.

Permission entries are stored in the following tables.

1) ResourceAction - In Liferay, actions can be defined for the following kinds of resources:

    a) Portlet Resource

    b) Entity Resource

Resource actions are, for example, VIEW, UPDATE and DELETE. For each resource action an entry is added to the ResourceAction table, and each resource action is assigned a bitwise value (a distinct power of two). Assume the following values:

VIEW ------------ 1 (001)

UPDATE ---------- 2 (010)

DELETE ---------- 4 (100)

2) ResourcePermissions - This table contains the permissions assigned to a Role in a particular scope. The granted actions are combined with bitwise OR and stored as a single entry.

Permissions -> VIEW (001) OR UPDATE (010) OR DELETE (100) = 111

So if a role has the above three permissions, the bitwise OR yields the single value 111. This reduces the size of the database significantly, because one row replaces one row per action.

When it is necessary to check whether a particular Role has a particular permission, Algorithm 6 applies the following rule:

IF ((Role Permissions) AND (Action)) == (Action) {

     HAS PERMISSION

} ELSE {

     NO PERMISSION

}

For example, a role stored as 011 (VIEW and UPDATE) checked for DELETE (100) gives 011 AND 100 = 000, which is not equal to 100, so the role does not have the permission.
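The bitwise scheme described above, as an added example that is not Liferay's code: it models the ResourceAction values, the ResourcePermissions mask, the Algorithm 6 check (including a check for several actions at once, which the same rule handles) and the row-count saving the post mentions. Role names and grants are constructed for illustration.

```python
"""Model of Liferay Permissions Algorithm 6 as described in the post (added example,
not Liferay code). Table names mirror the post; all values here are constructed."""


def build_resource_actions(action_names):
    """ResourceAction table: each action on a resource gets a power-of-two bitwise value."""
    return {name: 1 << i for i, name in enumerate(action_names)}


def grant(resource_actions, *action_names):
    """ResourcePermissions row: the granted actions of one role in one scope,
    combined with bitwise OR into a single integer."""
    mask = 0
    for name in action_names:
        mask |= resource_actions[name]
    return mask


def has_permission(role_mask, action_mask):
    """Algorithm 6 rule: (Role Permissions AND Action) == Action.
    action_mask may also combine several actions; the test then requires all of them."""
    return (role_mask & action_mask) == action_mask


def actions_in(resource_actions, mask):
    """Decode a stored mask back into action names (useful when auditing a role)."""
    return sorted(name for name, bit in resource_actions.items() if mask & bit)


def row_counts(role_grants):
    """Rows needed for one (resource, scope): one per granted action without the
    algorithm versus one per role with it. role_grants maps role name -> mask."""
    per_action = sum(bin(mask).count("1") for mask in role_grants.values())
    return per_action, len(role_grants)


if __name__ == "__main__":
    ra = build_resource_actions(["VIEW", "UPDATE", "DELETE"])  # VIEW=1, UPDATE=2, DELETE=4
    roles = {  # constructed roles, not Liferay defaults
        "Content Reviewer": grant(ra, "VIEW", "UPDATE"),               # 011
        "Site Administrator": grant(ra, "VIEW", "UPDATE", "DELETE"),   # 111
    }
    for role, mask in roles.items():
        for action, bit in ra.items():
            print(f"{role:18} {action:6} {mask:03b} AND {bit:03b} -> {has_permission(mask, bit)}")
    print("stored rows (per-action vs algorithm 6):", row_counts(roles))
```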

3) ResourceBlockPermissions - With resource block permissions, resources that share the same set of permissions are grouped into a block, so that the identical permission rows are not duplicated per resource. To understand this concept in depth, see the separate blog post in which resource block permissions are explained in detail.

I'm not sure if your explanation of Site Role is correct. You write:
If user is member of site either directly or indirectly <...>, he has the permissions of Site Role.

As far as I know, Site Roles can still be linked to users, similar to Organisation Roles. It could also be a language thing...
Site Role is specific to the site scope, so the user should be a member of the site. "Directly" means the user is a direct member of the site. "Indirectly" means the user is a member of a User Group or Organization which is a member of the site.
Hi Sushil, is there a way to list all the permissions associated with the roles, and the roles associated with the user, sites, etc.? If you have any example handy, I would appreciate it...