Manage special roles in ldap
I have a web-app configured with spring security which gets users and roles from an ldap tree.
I have a DN ou=User,dc=application for users and, for roles, ou=Groups,dc=application.
Every role is an entry in the second subtree, and the association is made by the member attribute in the role entry.
Actually I have 5 different access roles (ROLE_A, ROLE_B, ROLE_C, ROLE_D, ROLE_E): every role grants access to a specific URL. Every role is independent.
Role subtree schema (very simple and incomplete):
ou=Groups,dc=application
  --cn=A
  --cn=B
  --cn=C
  --cn=D
  --cn=E
Now I have to satisfy a request to insert 3 new roles (ROLE_F, ROLE_G, ROLE_H) that can be assigned following a fixed schema:
- ROLE_F can be assigned only if the user is in role ROLE_B, ROLE_D
- ROLE_G can be assigned only if the user is in role ROLE_C or ROLE_E
- ROLE_H can be assigned only if the user is in role ROLE_A or ROLE_B
Which is the best practice to manage these 3 new roles? Shall I consider them as independent and manage the dependency in the application, or what else?
Thanks
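One way to keep the new roles as ordinary group entries under ou=Groups and enforce the prerequisite rule on the application side is an audit over the group memberships. This is an added example, not code from the original question or answer: the LDIF is constructed, and the question's "ROLE_B, ROLE_D" is assumed to mean both roles are required.

```python
# Constructed sample group entries (LDIF) matching the tree in the question.
SAMPLE_LDIF = """\
dn: cn=B,ou=Groups,dc=application
cn: B
member: uid=alice,ou=User,dc=application
member: uid=bob,ou=User,dc=application

dn: cn=D,ou=Groups,dc=application
cn: D
member: uid=alice,ou=User,dc=application

dn: cn=F,ou=Groups,dc=application
cn: F
member: uid=alice,ou=User,dc=application
member: uid=bob,ou=User,dc=application
"""
# Prerequisites: role -> alternatives; each alternative is a set that must all be held.
PREREQUISITES = {
    "ROLE_F": [{"ROLE_B", "ROLE_D"}],    # assumption: "ROLE_B, ROLE_D" means both
    "ROLE_G": [{"ROLE_C"}, {"ROLE_E"}],  # either one suffices
    "ROLE_H": [{"ROLE_A"}, {"ROLE_B"}],
}

def parse_groups(ldif):
    """Return {role name: set of member DNs} from the cn=<X> group entries."""
    roles = {}
    for entry in ldif.strip().split("\n\n"):
        cn, members = None, set()
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                cn = "ROLE_" + value  # group cn=B is the application's ROLE_B
            elif attr == "member":
                members.add(value)
        if cn:
            roles[cn] = members
    return roles

def prerequisites_met(held, role):
    """True if role is independent or one of its alternatives is fully held."""
    alternatives = PREREQUISITES.get(role)
    return alternatives is None or any(alt <= held for alt in alternatives)

def find_violations(ldif):
    """Sorted (user DN, role) pairs holding a dependent role without its prerequisite."""
    users = {}
    for role, members in parse_groups(ldif).items():
        for member in members:
            users.setdefault(member, set()).add(role)
    return sorted((u, r) for u, held in users.items() for r in held
                  if not prerequisites_met(held, r))
```

In the sample data bob is in cn=F but not in cn=D, so the audit reports him; the same prerequisites_met check can gate the assignment before the member attribute is written.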
Is there any reason that the new roles might need to be managed as separate items, in that either now or maybe someday in the future e.g. the permissions granted by ROLE_F will not apply to 100% of the ROLE_B people? If so, then I would say they should be managed separately, even if you only suspect that someday they might need to be separate... after all, you might as well put in the little extra effort now to save trouble in the future.
But if all you really need to do is add new permissions (e.g. those granted by ROLE_F) to the existing groups (ROLE_B in this example), then there's no need for new roles.