I'm looking for some help with ternary associations. I've got three model objects - Users, Resources, and Permissions. Users will have a set of Permissions for a given Resource. I want the User object to have a method:



Is this possible with hibernate, without resorting to creating an intermediate ResourcePermissions object?

Depends how your tables are setup, but it should be fine.

I model a similiar ternary association between my entities Group, UseCase, and Entitlement. Group has a java.util.Map keyed by UseCase whose value is Entitlement.

I know how to map what you're describing. My case differs slightly thought - I want each User/Resource pair to map to a Set of Permissions, not a single one. Yeah, I could play bitmask games to encode a set of permissions as an integer if the complete set of permissions were known a priori, but that might not in fact be the case. What I really want is for User to have a Map of Sets of Permissions, indexed by Resource.

Does this make sense?

Maps whose Map.Entry.value is a collection are not supported.

<diatribe>
I play absolutely no "bitmask games" (although they are not necessarily always bad). A Set of Permissions for a given Resource is just a waaaay more expensive version of that type of bit-masking.
</diatribe>

Are there any plans to support maps whose values are collections? This isn't the first time I would have found that to be helpful. I have plenty of workarounds available, but maps containing collections would seem to be the most elegant model.

I'm a little curious about your diatribe too. You say you don't play bitmask games (e.g. 0x01 == ADD, 0x02 == EDIT, so 0x03 == ADD and EDIT), but then you state that modelling permission combinations as a Set of Permissions is merely a more expensive way to do it. How would you model this problem, then, where you have Users, Resources, and a set of Permissions associated with each pair, if you like neither bitmasks nor maps with sets as values?

Note, btw, that there is at least one pragmatic advantage to using sets of permissions - if you don't know ahead of time what all the permissions are.

Probably not

First, in general, it is typically not good design to assign permissions or entitlements to a particualr user. Typically, users are aggregated into groups and the association is made on the group.

You'll notice I did not say I use "resources" as the basis for my entitlements; I use "use cases". A use case bundles a resource along with some particular action on that resource ("create company", for example).

But given your setup, I would do this with bitmasking and a Hibernate UserType to perform the bit decoding/encoding. When investigating Hibernate, we modelled part of an older system which had basically the same permission setup you describe (except permissions mapped to groups). The way I modelled that was to create a Permission class which defined bean attributes for all the defined permissions in the system ("create", "update", etc). In the database, this was all kept in a single column using bitmasking where a custom UserType mapped the integer value of the column to the appropriate Permission attribute values. The Group class then had a map of permissions keyed by a resource.

I see the allure of using a collection for this, but the bitmasking approach is far more efficient in terms of DB storage and JVM memory and resource usage. The UserType centralizes dealing with the bitmasking stuff leaving other parts of the system to simply deal with a Permission instance.


Its funny how often I hear this and how often I see systems with exactly four... A bitmask based on a java long will be enough I'd be willing to bet.