This could maybe all be done using WebWork's stuff (or more specifically, the osUser project from OpenSymphony). That framework seems to be in an unstable, unreleased state. There has been an attempt to revamp it (osUser2), but it doesn't seem quite alive either.

We need a way to provide startup data (default users etc.) for the first installation of the application.

Entities we need:
- users
- groups
- roles
- permissions

A user can belong to several groups. A group can have multiple roles. A role is basically a set of permissions. Roles are only useful for administration purposes: it is easier to assign a role than many, many permissions to a user or group, while the software itself benefits from being able to distinguish between lots of fine-grained permissions.

Question: is it of any use to assign roles to a specific user? It could be handy in some cases, but from the software's point of view it would probably be more practical to have only a group->roles relation. If there is a need for this, the administrator could always create a group and have only one user be a member of that group!?

Persistence: we need database and LDAP. If we support LDAP, should *all* user data be stored in LDAP? How about groups and their roles? Roles and permissions, on the other hand, should only be stored in a place that is accessible only by code (resource files), or even in the code itself. Let's see how this OpenSymphony project works.

For the user management interface, what users need to be able to do is:
- create, edit and delete users and groups
- assign roles to groups (possibly to users, see above)
- we could go for sexy stuff like letting users "ask" for permission to belong to a certain group, with an admin user having to approve before this happens. Well, I guess we should keep that kind of possibility in mind but not implement it right away.
- users themselves need to be able to edit their own profile (email address, password, application-specific preferences) and to reset their password.
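As an added illustration (not code from these notes or from osUser), the following Python sketch models the user -> groups -> roles -> permissions relation discussed above, keeps roles and permissions in code, seeds the first-installation data, and shows the "one-member group" alternative to assigning roles directly to a user. All permission, role, group and user names are constructed examples.

```python
from dataclasses import dataclass, field

# Permissions and roles live in code, not in the user store (constructed names).
PERM_USER_CREATE = "user.create"
PERM_USER_DELETE = "user.delete"
PERM_GROUP_ASSIGN_ROLE = "group.assign_role"
PERM_PROFILE_EDIT_OWN = "profile.edit_own"

ROLES = {
    "admin": frozenset({PERM_USER_CREATE, PERM_USER_DELETE,
                        PERM_GROUP_ASSIGN_ROLE, PERM_PROFILE_EDIT_OWN}),
    "member": frozenset({PERM_PROFILE_EDIT_OWN}),
}

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)   # role names; only groups carry roles

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # group names; no roles on the user itself

class Directory:
    """In-memory stand-in for the database/LDAP user store."""
    def __init__(self):
        self.users, self.groups = {}, {}

    def add_group(self, name, *roles):
        unknown = set(roles) - set(ROLES)        # refuse roles the code does not define
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.groups[name] = Group(name, set(roles))

    def add_user(self, name, *groups):
        missing = set(groups) - set(self.groups)  # refuse membership in undefined groups
        if missing:
            raise ValueError(f"unknown groups: {sorted(missing)}")
        self.users[name] = User(name, set(groups))

    def permissions(self, username):
        """Effective permissions: union over the user's groups' roles."""
        user = self.users[username]
        return frozenset().union(*(ROLES[r] for g in user.groups
                                   for r in self.groups[g].roles))

    def has_permission(self, username, perm):
        return perm in self.permissions(username)

def bootstrap():
    """Startup data for a first installation: an admin group and one default admin."""
    d = Directory()
    d.add_group("administrators", "admin")
    d.add_group("everyone", "member")
    d.add_user("admin", "administrators", "everyone")
    return d
```

Giving a single user extra rights is done by creating a group with that user as its only member, so the access check never has to look at per-user roles.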