1
votes

When I look at Role Based Access Control (RBAC) I see a model where a user is a member of one or more roles and roles hold permissions that grant operations. That is, an operation (a method for example) must ensure that the subject grants the permission for that operation. The subject's roles hold these permissions.

  [subject] * <-> * [role] * <-> * [permission] * <-> * [operation]

However, when I look at the javax.annotation.security package it defines a much more simplistic model, the operation only checks the role name. This is as far as I can see not RBAC but equivalent to a group based permission check. The admin cannot assign operations to the roles but is stuck with what the developer decided. I expect that this increases the number of roles significantly and makes systems harder to maintain.

  [subject] * <-> * [role] * <-> * [operation]

Is my understanding of this correct, or am I missing something?


1 Answer

0
votes

Permission is (resource, operation), not [subject] * <-> * [role] * <-> * [permission] * <-> * [operation].

The javax.annotation.security package is old and not very flexible. You can use Casbin: https://casbin.org/
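The two models the thread contrasts, written out as an added example that is not code from the question, the answer or Casbin: a `@RolesAllowed`-style check where the operation hard-codes role names, beside an RBAC table where a permission is a (resource, action) pair that an administrator can attach to roles as data. The resource and role names (`Invoice`, `accountant`, `alice`) are constructed for illustration.

```python
from __future__ import annotations

# Model A: what javax.annotation.security's @RolesAllowed amounts to. Each
# operation carries a fixed set of role names; only a developer can change it.
ROLES_ALLOWED = {
    "Invoice.view": {"admin", "accountant"},
    "Invoice.delete": {"admin"},
}

def allowed_by_role_name(subject_roles: set[str], operation: str) -> bool:
    """Pass if the subject holds any role the developer hard-coded for the operation."""
    return bool(subject_roles & ROLES_ALLOWED.get(operation, set()))


# Model B: RBAC as the question describes it, with a permission being
# (resource, action) as the answer points out. The role -> permission mapping
# is data, so an administrator can change it without touching the operation.
class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def grant(self, role: str, resource: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, action))

    def revoke(self, role: str, resource: str, action: str) -> None:
        self.role_perms.get(role, set()).discard((resource, action))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        # The operation only asks "may this subject do (resource, action)?";
        # it never names a role, so roles remain an administrative concern.
        return any((resource, action) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo() -> dict[str, bool]:
    """Show where model A forces a new role but model B needs only a data change."""
    rbac = Rbac()
    rbac.grant("admin", "Invoice", "view")
    rbac.grant("admin", "Invoice", "delete")
    rbac.grant("accountant", "Invoice", "view")
    rbac.assign("alice", "accountant")
    before = rbac.allowed("alice", "Invoice", "delete")
    # Business change: accountants may now delete invoices. In model B the
    # administrator grants the permission to the existing role at runtime.
    rbac.grant("accountant", "Invoice", "delete")
    after = rbac.allowed("alice", "Invoice", "delete")
    # In model A the same change means editing ROLES_ALLOWED in code, or
    # inventing an extra role for "accountants who may delete" and assigning it.
    static = allowed_by_role_name({"accountant"}, "Invoice.delete")
    return {"rbac_before": before, "rbac_after": after, "roles_allowed": static}
```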