Re: Permission-based authorization with JAAS

Similar Messages

• Permission-based authorization with JAAS

  I need to implement an authorization model in which a user can be authorized to
  view a certain page or a part of a page based on their permissions. The trick
  is that the role definition is dynamic, and I can’t make a policy file ahead
  of time. Instead, I would like to simply retrieve the users permissions and then
  allow access (or, say, use a jsp tag to check if a certain part of the page should
  be displayed) based of whether the user has the permission required, and have
  a configuration file that defines the access policy by mapping actions to permissions.
  I am trying to figure out whether I can use JAAS (at the risk of being strangled
  by omni-present Michael Lee) and the Subject class for this, because all of the
  examples I could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement my own LoginModule
  if I need to authenticate against a database, in my case, probably via using Weblogic
  entity beans. Sun tutorial states that developers do not need to implement a
  LoginModule, but I do not understand how I can do all that without it. I am using
  Weblogic 7.0 and Struts.
  Any help will be greatly appreciated.
  Natasha

  I need to implement an authorization model in which a user can be authorized to
  view a certain page or a part of a page based on their permissions. The trick
  is that the role definition is dynamic, and I can’t make a policy file ahead
  of time. Instead, I would like to simply retrieve the users permissions and then
  allow access (or, say, use a jsp tag to check if a certain part of the page should
  be displayed) based of whether the user has the permission required, and have
  a configuration file that defines the access policy by mapping actions to permissions.
  I am trying to figure out whether I can use JAAS (at the risk of being strangled
  by omni-present Michael Lee) and the Subject class for this, because all of the
  examples I could find map actions to roles, rather than individual permissions.
  Also, I am confused as to whether or not I would have to implement my own LoginModule
  if I need to authenticate against a database, in my case, probably via using Weblogic
  entity beans. Sun tutorial states that developers do not need to implement a
  LoginModule, but I do not understand how I can do all that without it. I am using
  Weblogic 7.0 and Struts.
  Any help will be greatly appreciated.
  Natasha

• Authorization with JAAS in JSF with facelets

  hi,
  can u please hint me where i did mistake.. i clearly mention what i did and what i getting ..i did this in jsf1.2,tomcat6.x
  i did JAAS authentication in jsf with facelets.but i am unable to do the authorization with JAAS in jsf
  after getting authentication i put the subject in session. if i print the values in suject i got the following out put
  Subject:
  Principal: TypedPrincipal: hari [USER] // user name
  Principal: TypedPrincipal: admin [GROUP] // user role.
  now i want to authorization based on the role.
  for this i wrote policy file --principal.policy like this
  grant Principal com.alw.reports.jaas.TypedPrincipal "admin" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "hari" {
      permission com.alw.reports.jaas.ViewIdPermission "*";
  grant Principal com.alw.reports.jaas.TypedPrincipal "user" {
      permission com.alw.reports.jaas.ViewIdPermission "/contents.jsp";
  };and i set the path for this policy file like
                System.setProperty("java.security.policy", "policy file location" );when i run my application i am getting login page after that i gave username and passwed. it is getting authentication .. but not able to displaying next page that is /pages/welcome.xhtml but directly it is showin /pages/error.xhtml
  i am getting following error
  java.security.AccessControlException: access denied (com.alw.reports.jaas.ViewIdPermission /pages/welcome.xhtml)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at com.alw.reports.jaas.JAASHelper$1.run(JAASHelper.java:87)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Unknown Source)
       at com.alw.reports.jaas.JAASHelper.permitionToAccessViewId(JAASHelper.java:83)
       at com.alw.reports.jaas.JAASActionListener.processAction(JAASActionListener.java:65)
       at javax.faces.component.UICommand.broadcast(UICommand.java:106)
       at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
       at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
       at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
       at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
       at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
       at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Unknown Source)
  my faces-config.xml
  <navigation-rule>
            <display-name>pages/login</display-name>
            <from-view-id>/pages/login.xhtml</from-view-id>
            <navigation-case>
                 <from-outcome>loginSuccess</from-outcome>
                 <to-view-id>/pages/welcome.xhtml</to-view-id>
            </navigation-case>
       </navigation-rule>
  <navigation-case>
                 <from-outcome>errorpage</from-outcome>
                 <to-view-id>
                      /pages/error.xhtml
                 </to-view-id>
            </navigation-case>my command button in login.xhtml
                           <td align="center" colspan="2">
                                <h:commandButton value="Reset" type="reset"/>
                                <h:commandButton   action="loginSuccess"
                                     id="login" value="Login" />
                           </td>my actionlister
  package com.alw.reports.jaas;
  import javax.faces.component.UIOutput;
  import javax.faces.context.FacesContext;
  import javax.faces.event.AbortProcessingException;
  import javax.faces.event.ActionEvent;
  import javax.faces.event.ActionListener;
  import javax.security.auth.Subject;
  public class JAASActionListener implements ActionListener   {
       private ActionListener parent = null;
       public JAASActionListener(javax.faces.event.ActionListener parent) {
            System.out.println("-------------- in JAASActionListener ;");
         this.parent = parent;
       public void processAction(ActionEvent event)
         throws AbortProcessingException {
            System.out.println("-------------- in processAction ;");
         FacesContext context = FacesContext.getCurrentInstance();
         UIOutput comp = null;
         String userid = null, password = null;
         JAASHelper jaasHelper = new JAASHelper();
         // Check to see if they are on the login page.
         boolean onLoginPage = (-1 != context.getViewRoot().getViewId().lastIndexOf("login")) ? true : false;
         if (onLoginPage) {
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:username"))) {
             userid = (String) comp.getValue();
           if (null != (comp = (UIOutput)
             context.getViewRoot().findComponent("helloForm:password"))) {
             password = (String) comp.getValue();
           // If JAAS authentication failed
           if (!jaasHelper.authenticate(userid, password)) {
             context.getApplication().getNavigationHandler().handleNavigation(context, null, "login");
             return;
           else {
             // Subject must not be null, since authentication succeeded
                System.out.println("----------- setting the subjects in context in  ActionListner ");
             assert(null != jaasHelper.getSubject());
             // Put the authenticated subject in the session.
             System.out.println("---- putting the authenicated subject in the seesion ");
             context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
         parent.processAction(event);
         Subject subject=(Subject)context.getExternalContext().getSessionMap().get("JAASSubject");
        System.out.println("subject after parent process action>>>>>>>>>>>>>>>>>>>>>"+subject);
        assert(null != subject);
        if(!jaasHelper.permitionToAccessViewId(subject,context,context.getViewRoot().getViewId())){
            context.getApplication().getNavigationHandler().handleNavigation(context, null, "errorpage");
  }can u please hint me where i did mistake
  thanks in advance

  gbabu wrote:
  My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
  For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
  1> if the logged in person is admin, then we want to display admin.xhtml
  2> if the loggend is person is user , then we want to display user.xhtml
  untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

• How to set role based Authorization in JAAS

  how to set role based Authorization in JAAS
  i had user name , password and role in FileLogin
  thanks
  arun .v.

  http://dev2dev.bea.com/pub/a/2003/04/Kemp_Helton.html?page=last

• How does the SecurityManager authorize with JAAS?

  Hello,
  I'm using java 1.3 and JAAS, trying to write my own Permission for authorization. How does the SecurityManager know to authorize a method for a Subject? Does the method that I want protected have to explicitly call checkPermission()?
  The examples given are always for FilePermission. They show a program calling Subject.doAs() to perform an action as a particular Subject, and they imply that checkPermission() is called by the methods doing the file access.
  Thanks

  I think you
  a) create a specific permission class (such as a "canDoThisPermission(String targetMethod)" class)
  b) in your method check that the permission is granted by calling
  checkPermission(new CanDoThisPermission(<methname>))
  be sure your new permission class is being loaded from a trusted location (...lib/ext/... for eg.)

• User Based Authorization with ISE

  I am trying to configure ISE to limit the activitiy of individual users once they have logged in from an authorized PC into our netowrk. We basically only want them to be able to connect to specific systems. Is ISE able to do this on a per user basis?

  Yes.
  One of the things you can do via your Authorization policy is to push a downloadable ACL (dACL) to the port (for wired users). For wireless users you can apply a pre-defined Airespace ACL from the WLC to the user session. 

• Hierarchy authorization with variables of type exit

  Hi all,
  I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
  These are the steps I have followed:
  - From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
  - From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
  - From the Query designer, I have created a hierarchy node variable of processing type customer exit ZG_V_008 (are any special settings needed here?)
  - From the Query designer, I have created <b>another</b> hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
  - I have edited the EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later in case we solve this issue first
  It is my understanding that with this setup, the user exit will be called to process the value of ZG_V_008 in I_STEP = 0, however, when debugging, I don't see any calls for the function with I_STEP = 0.
  What have I done wrong?
  Thanks a lot in advance.
  Guillermo

  Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
  I have created a test user <b>without</b> a developer role to see if that could have any impact, but it's still not working.
  Any ideas?

• How to implement JAAS authorization with the weblogic 8.1 server

  i wrote a code for both the authentication as well as authorization using jaas using the config file and the policy file.
  This code works fine stand alone for the authentication as well as authorization.
  But when i runs this code inside the server (Weblogic 8.1), authorization deos not works according to my policy file. i have given the policy file path in the startWeblogicServer.cmd script. even i have tried to work with my policies in the java.policy file by giving its path in the java.security file. but this is also useless.
  Now, i have doubt that either <b>jaas authorization doesn't work with the weblogic</b>(i am using 8.1) or there is some configuration setting is missing from my side.
  Is there anybody who can help me to come out of this problem. Or tell me authorization alternative in the weblogic. I will really appreciate if anyone can help with the some example code.

  read this
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index.html
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html

• XWS-Security, JAAS and role-based authorization

  What is my best bet to try to authorize users to use certain web services? For example, let's say a user logs into a web application A, who connects to a web application B implementing Web Services and XWSS.
  A passes along the userNameToken, and B authenticates it (let's say, using JAAS). Now it needs to authorize the user to use the actual web service. Can I do this with JAAS? What is the best way to define the policies? Does it mean I have to create PrivilegedActions for every webservice? What are my other alternatives besides JAAS?
  Thanks in advance.

  Alternatively, is there a way to see which web service the client is requesting from the SecurityEnvironmentHandler (callbackHandler)?

• Permission based access

  I'm guessing this is a fairly common need, but I'm not sure what the proper
  way to implement it is.
  I need to enable our WL7 application to support users with custom
  permissions. I have already implemented a set of custom security providers
  that allow us to authenticate against our database. The next step is
  supporting "feature" or permission based access to various application
  components. I understand how to configure the security on weblogic
  resources, but that is not granular enough for me.
  In our system, each user is granted a set of features or functions that they
  have access to. This may be a global action, such as "Create a user" or it
  may be very specific such as "Change zip code". Our application logic needs
  to check these permissions (and either deny access or modify a menu or some
  other logic).
  My first pass at this was to get security working at the weblogic resource
  level. Then I wrote a utility class that will take a subject and check if
  it has the permission in our database. This works, but it's done outside of
  the JAAS security model and I'm trying to do this the "right" way. It seems
  to me that I need to setup a JAAS security policy and associate Permission
  objects for the features that I need to secure, but I don't know how to do
  this in the context of a weblogic application.
  What is the proper way to do this? Can someone give me some tips or point
  me towards some usefull documentation?
  Thanx,
  Matt

  I don't have any code that I can send you right now (it would take me too
  long to rip out my companies proprietary stuff), but here's the approach I
  took.
  I started from the sample providers that are available on dev2dev (
  http://dev2dev.bea.com/code/codedirect.jsp?highlight=codedirect ). From
  there, I just removed the providers that I didn't need. In the sample
  framework, there are a set of database classes that implement the user
  storage. In the samples, the users are stored in a properties file on the
  disk. I just replaced the code in those files with the appropriate database
  lookups in my environment.
  Couple things that took me time to work through:
  1. You must create a user that is in the Admin group for the server to start
  under. I was not successfull in separating the authentication mechanism for
  the server id and the users.
  2. You cannot use the weblogic datasources or connection pools to access
  your database. Since the server id is authenticating against your custom
  provider, the datasources and pools have not yet been created.
  3. I had trouble configuring my realm using the console. There seemed to be
  an intermittent bug that kept my realm information from being persisted into
  the security store. I exported the security realm configuration into an xml
  file, modified the xml file to exactly what I wanted, and loaded it back
  into the server. The process for doing this is available in the docs (
  http://e-docs.bea.com/wls/docs70/admin_domain/failures.html#1106023 ).
  I would love a workaround for 1 and 2, but so far I haven't found one.
  Good luck!
  Matt Galvin
  GoSolutions
  "Amit" <[email protected]> wrote in message
  news:[email protected]...
  >
  Hi Matt
  In your mail to BEA groups you have mentioned that you
  have implemented authorization/access privileges
  against your DB.
  I need to implement similar functionality where I need
  to store userid, password, role in the DB and then
  make users access Weblogic 7.0 resources based on the
  roles stored in the DB. Could you provide me some code
  or pointers that would could help me?
  Thanks and regards,
  Amit
  "Matt Galvin" <[email protected]> wrote:
  I'm guessing this is a fairly common need, but I'm not sure what the
  proper
  way to implement it is.
  I need to enable our WL7 application to support users with custom
  permissions. I have already implemented a set of custom security
  providers
  that allow us to authenticate against our database. The next step is
  supporting "feature" or permission based access to various application
  components. I understand how to configure the security on weblogic
  resources, but that is not granular enough for me.
  In our system, each user is granted a set of features or functions that
  they
  have access to. This may be a global action, such as "Create a user"
  or it
  may be very specific such as "Change zip code". Our application logic
  needs
  to check these permissions (and either deny access or modify a menu or
  some
  other logic).
  My first pass at this was to get security working at the weblogicresource
  level. Then I wrote a utility class that will take a subject and check
  if
  it has the permission in our database. This works, but it's done outside
  of
  the JAAS security model and I'm trying to do this the "right" way. It
  seems
  to me that I need to setup a JAAS security policy and associatePermission
  objects for the features that I need to secure, but I don't know how
  to do
  this in the context of a weblogic application.
  What is the proper way to do this? Can someone give me some tips or
  point
  me towards some usefull documentation?
  Thanx,
  Matt

• Row-/instance-based authorization

  Hi,
  I'm looking for ways to implement row-/instance-based authorization using Toplink 9.0.4+ and Oracle DB 9.204. The domain objects are represented by standard Java objects (POJO's) not entity-beans.
  My question: what are well-know working approaches to implement this? How did you do that in a project using Toplink and POJO's?
  I guess Label security/Virtual Private Databases would be interesting to consider. But I wonder if it's possible to use that with Toplink. Issues that I see right now:
  - how to propagate the credentials of the user to the database and still use connectionpooling?
  - can Toplink generally make use of Label Security
  Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
  I expect this can easily result in a separate query per object. Which probably results in atrocious performance.
  Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results while that is right task for the database of course.
  Your comments and advice are highly appreciated,
  Joost de Vries
  the Netherlands

  The main decision to make is whether to handle the instance level security in the application, or the database.
  As you mentioned there are many ways to handle security in the application.
  Oracle database supports VPD and OLS for row level security. The TopLink 10g 10.0.3 preview has added support for this refer to:
  http://otn.oracle.com/products/ias/toplink/preview/index.html

• BlazeDS role based authorization

  Hi,
  I'm half the way in developing a POC for using flex as the front end of our application and I'm having some security issues.
  I'm using JBoss with JAAS and I figured that using BlazeDS just uses JAAS login module to perform authentication.
  * Will it use JAAS for authorization too? Will EJB method level permission will still apply?
  * How can I use the Subject/Principals/Policies in the client side flex application to inflect some UI restrictions on unauthorized operations?
  Thanks,
  Eyal

  Hey Jiby,
  I already posted this question to the forum http://swforum.sun.com/jive/thread.jspa?threadID=44893&tstart=15 prior to opening this ticket with Sun
  Regards
  Matthew Key

• User based authorization to create Purchase Orders out of Purchase Req.?

  Hello,
  I have the following requiment for my client:
  User based authorization to create Purchase Orders out of Purchase Req.?
  I am told the same can be achieved using same standard menu path in IMG/Customizing.
  Please advise with the menu path and detials, Usefull answers will be rewarded.
  Thanks

  Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
  Using OMET trxn code Create one Function Authorixation Called pr and in General Parameters tab Select the Field Selection and in Possible reference Objects Tab Mark the With ref to Prs check box and save.
  Next, you've got to associate via SU01 
  Click Parameters, insert a new parameter id EFB to the authorization code. 
  Type in Parameters value you want e.g. XX 
  You have to assign the control for ALL the SAP buyers via thier SAP users id.
  Logoff and login again. Then try to create a Purchase Order without a reference.
  From Next time whenever you try to create with out referring PR it will not allow you to Save PO.
  Regards,
  Ashok

• How can I authenticate and authorize with Web Service on ESB ?

  Hello,
  I want to authenticate and authorize client with Web Service published
  by HTTP/SOAP BC.
  Simply if it is an Web Service as J2EE application, I will use
  Basic Authentication with JAX-RPC and Realm.
  But I think that Web Service published by HTTP/SOAP BC is not belong
  to J2EE Application. Threre is no place to describe security role mapping
  (like web.xml).
  JBI 1.0 the section "5.5.1.1.3 Normalized Message Properties" comments
  JAAS Subject is given in the NM Properties. Really in this package
  com.sun.jbi.internal.security.*
  implements JAAS autentication and authorization (at JaasAuthenticator).
  But I can't see how to configure my Service to use this.
  How can I authenticate and authorize with Web Service on ESB ?
  I referred to the resources.
  Mutual Authentication for Web Services: A Live Example
  http://developers.sun.com/prodtech/appserver/reference/techart/mutual_auth.html
  XML and Web Services Security
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security7.html
  JAAS Authentication Tutorial
  http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html
  Thanks,
  Takurou
  - environment ---------------------------------------------
  OpenESB : Project Open ESB Starter Kit
  AppServer : Sun Java Systems Application Server 9.0 PE
  OS : Windows XP
  I don't assume to use SSL (if It's necessary I will try).
  User information is stored in a LDAP Server.
  -----------------------------------------------------------

  Hello,
  I read this resource.
  SecurityDesign
  http://www.glassfishwiki.org/jbiwiki/Wiki.jsp?page=SecurityDesign
  Then I think [non-ssl and ssl/tls and so on] securing by basic authentication is ongoing feature at this time.
  But I can't see well why this page comments 'HTTP over SSL, TLS'.
  HTTP/SOAP Binding Component Overview
  http://download.java.net/general/open-esb/docs/jbi-components/httpsoap-bc.html
  Does BC support only "SSL server authentication" ?
  Doesn't BC support "SSL client authentication" by username/password ?
  Thanks,
  Takurou

• Person responsible based Authorization in Projects is not working for me

  Hi,
  Does 'Person responsible' based authorization for WBSE works for the WBS element only, or for the hierarchically sub-ordinate non-WBS objects (meaning Networks, Activities, Materials etc) as well?
  Details:
  (Authorization objects: C_PROJ_VNR and C_PRPS_VNR)
  -- User1 is assigned with role TESTROLE1. This role has the Project manager based WBS & project authorization objects, with person number 101.
  -- User2 is assigned with role TESTROLE2. This role has the Project manager based WBS & project authorization objects, with person number 102.
  Following sample project is created by a super-user:
  PROJ123 (Details: person responsible - 101)
    WBS-1 (Details: person responsible - 101)
      WBS-1/1 (Details: person responsible - 101)
        NETWORK1
        ACTIVITY11
        MATERIAL111
        MATERIAL112
      WBS-1/2 (Details: person responsible - 102)
        NETWORK2
        ACTIVITY21
        MATERIAL211
        MATERIAL212
  Now the requirement of super-user is that WBS-1/1 and its subordinate elements (Activities, Materials etc) should be editable only by User1. And similarly, WBS-1/2 and its subordinate elements should be editable by User2 only.
  My issue:
  Although WBS-1/1 is not accessible to User2, BUT User2 can edit the subordinate elements (NETWORK1, ACTIVITY11, MATERIAL111, MATERIAL112) of WBS-1/1. I do not want User2 to have edit access to subordinate elements of WBS-1/1.
  Above issue is with User1 for WBS-1/2 as well.
  Hope I am clear in explaining my issue. Can anyone please help me understand the standard authorization concept of Person responsible based roles. I suspect that I am going wrong somewhere but I am not able to identify the problem.
  I want to allow access of a part of project to one user, and another part to some other user. And I do not want to go for an ABAP option if I can do above using basis authorizations.
  (Above mentioned problem is not just with part of projects, but with a complete project as well.)
  Hope to see some quick replies. Thanks in anticipation.

  Thanks for the inputs Sreenivas.
  Are you aware of any authorization objects which can restrict access to Networks, Activities, Material components and Milestones, using 'Person responsible' or any other suitable field? I hope you got what I am looking for.
  Restricting WBSE based on 'Person responsible' without restricting sub-ordinate elements is not much useful according to me. It helps only with simple project structures (having only WBSE) and nothing much. Right?
  Thanks again