public final class DelAdminMgrImpl extends Manageable implements DelAdminMgr, Serializable
Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
This class is NOT thread safe if parent instance variables (Manageable.contextId or Manageable.adminSess) are set.
Fields inherited from class Manageable: adminSess, contextId
Constructor and Description |
---|
DelAdminMgrImpl() |

Modifier and Type | Method and Description |
---|---|
OrgUnit | add(OrgUnit entity) - This command adds a new OrgUnit entity to the OrgUnit dataset. |
void | addAscendant(AdminRole childRole, AdminRole parentRole) - This command creates a new role parentRole and inserts it in the role hierarchy as an immediate ascendant of the existing role childRole. |
void | addAscendant(OrgUnit child, OrgUnit parent) - This command creates a new orgunit parent and inserts it in the orgunit hierarchy as an immediate ascendant of the existing child orgunit. |
void | addDescendant(AdminRole parentRole, AdminRole childRole) - This command creates a new role childRole and inserts it in the role hierarchy as an immediate descendant of the existing role parentRole. |
void | addDescendant(OrgUnit parent, OrgUnit child) - This command creates a new orgunit child and inserts it in the orgunit hierarchy as an immediate descendant of the existing orgunit parent. |
void | addInheritance(AdminRole parentRole, AdminRole childRole) - This command establishes a new immediate inheritance relationship parentRole <<-- childRole between the existing roles parentRole and childRole. |
void | addInheritance(OrgUnit parent, OrgUnit child) - This command establishes a new immediate inheritance relationship parent orgunit <<-- child orgunit between existing orgunits. |
Permission | addPermission(Permission perm) - This method will add an administrative permission operation to an existing permission object which resides under the ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com container in the directory information tree. |
PermObj | addPermObj(PermObj pObj) - This method will add an administrative permission object to the admin perms container in the directory. |
AdminRole | addRole(AdminRole role) - This command creates a new admin role. |
void | assignUser(UserAdminRole uAdminRole) - This command assigns a user to an admin role. |
void | deassignUser(UserAdminRole uAdminRole) - This method removes an assigned admin role from a user entity. |
OrgUnit | delete(OrgUnit entity) - This command deletes an existing OrgUnit entity from the OrgUnit dataset. |
void | deleteInheritance(AdminRole parentRole, AdminRole childRole) - This command deletes an existing immediate inheritance relationship parentRole <<-- childRole. |
void | deleteInheritance(OrgUnit parent, OrgUnit child) - This command deletes an existing immediate inheritance relationship parent <<-- child. |
void | deletePermission(Permission perm) - This method will remove an administrative permission operation entity from its permission object. |
void | deletePermObj(PermObj pObj) - This method will remove an administrative permission object from the perms container in the directory. |
void | deleteRole(AdminRole role) - This command deletes an existing admin role from the ARBAC database. |
void | grantPermission(Permission perm, AdminRole role) - This command grants an AdminRole the administrative permission to perform an operation on an object. |
void | grantPermission(Permission perm, User user) - This command grants a user the administrative permission to perform an operation on an object. |
void | revokePermission(Permission perm, AdminRole role) - This command revokes the administrative permission to perform an operation on an object from the set of permissions assigned to an AdminRole. |
void | revokePermission(Permission perm, User user) - This command revokes the administrative permission to perform an operation on an object from the set of permissions assigned to a user. |
OrgUnit | update(OrgUnit entity) - This command updates an existing OrgUnit entity in the OrgUnit dataset. |
Permission | updatePermission(Permission perm) - This method will update an administrative permission operation pre-existing in the target directory under the ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com container in the directory information tree. |
PermObj | updatePermObj(PermObj pObj) - This method will update an administrative permission object in the perms container in the directory. |
AdminRole | updateRole(AdminRole role) - This method will update an AdminRole entity in the directory. |
Methods inherited from class Manageable: assertContext, assertContext, checkAccess, getFullMethodName, setAdmin, setAdminData, setContextId, setEntitySession
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface Manageable: setAdmin, setContextId
public AdminRole addRole(AdminRole role) throws SecurityException
Role.name - contains the name of the new AdminRole being targeted for addition to LDAP
Role.description - contains any safe text
AdminRole.osPs * - multi-occurring attribute used to set associations to existing PERMS OrgUnits
AdminRole.osUs * - multi-occurring attribute used to set associations to existing USERS OrgUnits
AdminRole.beginRange - contains the name of an existing RBAC Role that represents the lowest role in the hierarchy that the administrator (whoever has this AdminRole activated) controls
AdminRole.endRange - contains the name of an existing RBAC Role that represents the highest role in the hierarchy that the administrator may control
AdminRole.beginInclusive - if 'true' the RBAC Role specified in beginRange is also controlled by the possessor of this AdminRole
AdminRole.endInclusive - if 'true' the RBAC Role specified in endRange is also controlled by the administrator
Role.beginTime - HHMM - determines begin hour adminRole may be activated into user's ARBAC session
Role.endTime - HHMM - determines end hour adminRole may be activated into user's ARBAC session
Role.beginDate - YYYYMMDD - determines date when adminRole may be activated into user's ARBAC session
Role.endDate - YYYYMMDD - indicates latest date adminRole may be activated into user's ARBAC session
Role.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
Role.endLockDate - YYYYMMDD - determines end of enforced inactive status
Role.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session
Specified by:
addRole in interface DelAdminMgr
Parameters:
role - Contains role name and description.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void deleteRole(AdminRole role) throws SecurityException
Role.name - contains the name of the AdminRole being targeted for removal
Specified by:
deleteRole in interface DelAdminMgr
Parameters:
role - Contains role name.
Throws:
SecurityException - Thrown in the event of data validation or system error.
public AdminRole updateRole(AdminRole role) throws SecurityException
Role.name - contains the name of the existing AdminRole being targeted for updating
Role.description - contains any safe text
AdminRole.osPs * - multi-occurring attribute used to set associations to existing PERMS OrgUnits
AdminRole.osUs * - multi-occurring attribute used to set associations to existing USERS OrgUnits
AdminRole.beginRange - contains the name of an existing RBAC Role that represents the lowest role in the hierarchy that the administrator (whoever has this AdminRole activated) controls
AdminRole.endRange - contains the name of an existing RBAC Role that represents the highest role in the hierarchy that the administrator may control
AdminRole.beginInclusive - if 'true' the RBAC Role specified in beginRange is also controlled by the possessor of this AdminRole
AdminRole.endInclusive - if 'true' the RBAC Role specified in endRange is also controlled by the administrator
Role.beginTime - HHMM - determines begin hour adminRole may be activated into user's ARBAC session
Role.endTime - HHMM - determines end hour adminRole may be activated into user's ARBAC session
Role.beginDate - YYYYMMDD - determines date when adminRole may be activated into user's ARBAC session
Role.endDate - YYYYMMDD - indicates latest date adminRole may be activated into user's ARBAC session
Role.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
Role.endLockDate - YYYYMMDD - determines end of enforced inactive status
Role.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session
Specified by:
updateRole in interface DelAdminMgr
Parameters:
role - Contains role name and new description.
Throws:
SecurityException - Thrown in the event of data validation or system error.
public void assignUser(UserAdminRole uAdminRole) throws SecurityException
ftUserAttrs aux object class based on:
UserRole.name - contains the name for already existing AdminRole to be assigned
UserRole.userId - contains the userId for existing User
UserRole.beginTime - HHMM - determines begin hour AdminRole may be activated into user's RBAC session
UserRole.endTime - HHMM - determines end hour AdminRole may be activated into user's RBAC session
UserRole.beginDate - YYYYMMDD - determines date when AdminRole may be activated into user's RBAC session
UserRole.endDate - YYYYMMDD - indicates latest date AdminRole may be activated into user's RBAC session
UserRole.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
UserRole.endLockDate - YYYYMMDD - determines end of enforced inactive status
UserRole.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session
Specified by:
assignUser in interface DelAdminMgr
Parameters:
uAdminRole - entity contains User.userId and Role.name and optional Constraints.
Throws:
SecurityException - in the event of data error in user or role objects or system error.
public void deassignUser(UserAdminRole uAdminRole) throws SecurityException
Deletes the Role-to-User assignment in the User data set AND the User-to-Role assignment in the Admin Role data set.
UserRole.name - contains the name for already existing AdminRole to be deassigned
UserRole.userId - contains the userId for existing User
Specified by:
deassignUser in interface DelAdminMgr
Parameters:
uAdminRole - entity contains User.userId and Role.name.
Throws:
SecurityException - in the event of data error in user or role objects or system error.
public OrgUnit add(OrgUnit entity) throws SecurityException
OrgUnit.name - contains the name of new USERS or PERMS OrgUnit to be added
OrgUnit.type - contains the type of OU: OrgUnit.Type.USER or OrgUnit.Type.PERM
OrgUnit.description - contains any safe text
Specified by:
add in interface DelAdminMgr
Parameters:
entity - contains OrgUnit name and type.
Throws:
SecurityException - in the event of data validation or system error.
public OrgUnit update(OrgUnit entity) throws SecurityException
OrgUnit.name - contains the name of existing USERS or PERMS OrgUnit to be updated
OrgUnit.type - contains the type of OU: OrgUnit.Type.USER or OrgUnit.Type.PERM
OrgUnit.description - contains any safe text
Specified by:
update in interface DelAdminMgr
Parameters:
entity - contains OrgUnit name and type.
Throws:
SecurityException - in the event of data validation or system error.
public OrgUnit delete(OrgUnit entity) throws SecurityException
OrgUnit.name - contains the name of existing USERS or PERMS OrgUnit to be removed
OrgUnit.type - contains the type of OU: OrgUnit.Type.USER or OrgUnit.Type.PERM
Specified by:
delete in interface DelAdminMgr
Parameters:
entity - contains OrgUnit name and type.
Throws:
SecurityException - in the event of data validation or system error.
public void addDescendant(OrgUnit parent, OrgUnit child) throws SecurityException
The command is valid if and only if:
This method:
parent OrgUnit.name - contains the name of existing OrgUnit to be parent
parent OrgUnit.type - contains the type of OrgUnit targeted: OrgUnit.Type.USER or OrgUnit.Type.PERM
child OrgUnit.name - contains the name of new OrgUnit to be child
child OrgUnit.description - maps to description attribute on organizationalUnit object class for new child
Specified by:
addDescendant in interface DelAdminMgr
Parameters:
parent - This entity must be present in ORGUNIT data set. Success will add rel with child.
child - This entity must not be present in ORGUNIT data set. Success will add the new entity to ORGUNIT data set.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void addAscendant(OrgUnit child, OrgUnit parent) throws SecurityException
The command is valid if and only if:
This method:
parent OrgUnit.name - contains the name of existing OrgUnit to be parent
parent OrgUnit.type - contains the type of OrgUnit targeted: OrgUnit.Type.USER or OrgUnit.Type.PERM
child OrgUnit.name - contains the name of new OrgUnit to be child
child OrgUnit.description - maps to description attribute on organizationalUnit object class for new child
Specified by:
addAscendant in interface DelAdminMgr
Parameters:
child - completion of op assigns new parent relationship with parent orgunit.
parent - completion of op assigns new child relationship with child orgunit.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void addInheritance(OrgUnit parent, OrgUnit child) throws SecurityException
The command is valid if and only if:
parent OrgUnit.name - contains the name of existing OrgUnit to be parent
parent OrgUnit.type - contains the type of OrgUnit targeted: OrgUnit.Type.USER or OrgUnit.Type.PERM
child OrgUnit.name - contains the name of existing OrgUnit to be child
Specified by:
addInheritance in interface DelAdminMgr
Parameters:
parent - completion of op deassigns child relationship with child orgunit.
child - completion of op deassigns parent relationship with parent orgunit.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void deleteInheritance(OrgUnit parent, OrgUnit child) throws SecurityException
The command is valid if and only if:
parent OrgUnit.name - contains the name of existing OrgUnit to remove as parent
parent OrgUnit.type - contains the type of OrgUnit targeted: OrgUnit.Type.USER or OrgUnit.Type.PERM
child OrgUnit.name - contains the name of existing OrgUnit to remove as child
Specified by:
deleteInheritance in interface DelAdminMgr
Parameters:
parent - completion of op removes child relationship with childRole.
child - completion of op removes parent relationship with parentRole.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void addDescendant(AdminRole parentRole, AdminRole childRole) throws SecurityException
This method:
parentRole Role.name - contains the name of existing Role to be parent
childRole Role.name - contains the name of new Role to be child
childRole Role.description - maps to description attribute on organizationalRole object class for new child
childRole Role.beginTime - HHMM - determines begin hour role may be activated into user's session for new child
childRole Role.endTime - HHMM - determines end hour role may be activated into user's session for new child
childRole Role.beginDate - YYYYMMDD - determines date when role may be activated into user's session for new child
childRole Role.endDate - YYYYMMDD - indicates latest date role may be activated into user's session for new child
childRole Role.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status for new child
childRole Role.endLockDate - YYYYMMDD - determines end of enforced inactive status for new child
childRole Role.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's session for new child
Specified by:
addDescendant in interface DelAdminMgr
Parameters:
parentRole - This entity must be present in ADMINROLES data set. Success will add role rel with childRole.
childRole - This entity must not be present in ADMINROLES data set. Success will add the new role entity to ADMINROLES data set.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void addAscendant(AdminRole childRole, AdminRole parentRole) throws SecurityException
childRole Role.name - contains the name of existing Role to be child
parentRole Role.name - contains the name of new Role to be added as parent
parentRole Role.description - maps to description attribute on organizationalRole object class for new parent
parentRole Role.beginTime - HHMM - determines begin hour role may be activated into user's session for new parent
parentRole Role.endTime - HHMM - determines end hour role may be activated into user's session for new parent
parentRole Role.beginDate - YYYYMMDD - determines date when role may be activated into user's session for new parent
parentRole Role.endDate - YYYYMMDD - indicates latest date role may be activated into user's session for new parent
parentRole Role.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status for new parent
parentRole Role.endLockDate - YYYYMMDD - determines end of enforced inactive status for new parent
parentRole Role.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's session for new parent
Specified by:
addAscendant in interface DelAdminMgr
Parameters:
childRole - completion of op assigns new parent relationship with parentRole.
parentRole - completion of op assigns new child relationship with childRole.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void addInheritance(AdminRole parentRole, AdminRole childRole) throws SecurityException
Specified by:
addInheritance in interface DelAdminMgr
Parameters:
parentRole - completion of op deassigns child relationship with childRole.
childRole - completion of op deassigns parent relationship with parentRole.
Throws:
SecurityException - thrown in the event of data validation or system error.
public void deleteInheritance(AdminRole parentRole, AdminRole childRole) throws SecurityException
Specified by:
deleteInheritance in interface DelAdminMgr
Parameters:
parentRole - completion of op removes child relationship with childRole.
childRole - completion of op removes parent relationship with parentRole.
Throws:
SecurityException - thrown in the event of data validation or system error.
public Permission addPermission(Permission perm) throws SecurityException
This method will add an administrative permission operation to an existing permission object which resides under the ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com container in the directory information tree. The perm operation entity may have AdminRole or User associations. The target Permission must not exist prior to calling. A Fortress Permission instance exists in a hierarchical, one-many relationship between its parent and itself as stored in the ldap tree: (PermObj *-> Permission).
Permission.objName - contains the name of existing object being targeted for the permission add
Permission.opName - contains the name of new permission operation being added
Permission.roles * - multi occurring attribute contains RBAC Roles that permission operation is being granted to
Permission.users * - multi occurring attribute contains Users that permission operation is being granted to
Permission.props * - multi-occurring property key and values are separated with a ':'. e.g. mykey1:myvalue1
Permission.type - any safe text
Specified by:
addPermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target along with optional other attributes.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public Permission updatePermission(Permission perm) throws SecurityException
This method will update an administrative permission operation pre-existing in the target directory under the ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com container in the directory information tree. The perm operation entity may also contain AdminRole or User associations to add or remove using this function. The perm operation must exist before making this call. Only non-null attributes will be updated.
Permission.objName - contains the name of existing object being targeted for the permission update
Permission.opName - contains the name of existing permission operation being updated
Permission.roles * - multi occurring attribute contains RBAC Roles that permission operation is being granted to
Permission.users * - multi occurring attribute contains Users that permission operation is being granted to
Permission.props * - multi-occurring property key and values are separated with a ':'. e.g. mykey1:myvalue1
Permission.type - any safe text
Specified by:
updatePermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target and any optional data to update. Null or empty attributes will be ignored.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public void deletePermission(Permission perm) throws SecurityException
Permission.objName - contains the name of existing object being targeted for the permission delete
Permission.opName - contains the name of existing permission operation being removed
Specified by:
deletePermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public PermObj addPermObj(PermObj pObj) throws SecurityException
A PermObj instance exists in a hierarchical, one-many relationship between itself and children as stored in the ldap tree: (PermObj *-> Permission).
PermObj.objName - contains the name of new object being added
PermObj.ou - contains the name of an existing PERMS OrgUnit this object is associated with
PermObj.description - any safe text
PermObj.type - contains any safe text
PermObj.props * - multi-occurring property key and values are separated with a ':'. e.g. mykey1:myvalue1
Specified by:
addPermObj in interface DelAdminMgr
Parameters:
pObj - must contain the PermObj.objName and PermObj.ou. The other attributes are optional.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public PermObj updatePermObj(PermObj pObj) throws SecurityException
A PermObj instance exists in a hierarchical, one-many relationship between itself and children as stored in the ldap tree: (PermObj *-> Permission).
PermObj.objName - contains the name of existing object being updated
PermObj.ou - contains the name of an existing PERMS OrgUnit this object is associated with
PermObj.description - any safe text
PermObj.type - contains any safe text
PermObj.props * - multi-occurring property key and values are separated with a ':'. e.g. mykey1:myvalue1
Specified by:
updatePermObj in interface DelAdminMgr
Parameters:
pObj - must contain the PermObj.objName. Only non-null attributes will be updated.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public void deletePermObj(PermObj pObj) throws SecurityException
PermObj.objName - contains the name of existing object targeted for removal
Specified by:
deletePermObj in interface DelAdminMgr
Parameters:
pObj - must contain the PermObj.objName of object targeted for removal.
Throws:
SecurityException - thrown in the event of perm object data or system error.
public void grantPermission(Permission perm, AdminRole role) throws SecurityException
Permission.objName - contains the object name
Permission.opName - contains the operation name
Role.name - contains the adminRole name
Specified by:
grantPermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target.
role - must contain Role.name.
Throws:
SecurityException - Thrown in the event of data validation or system error.
public void revokePermission(Permission perm, AdminRole role) throws SecurityException
Permission.objName - contains the object name
Permission.opName - contains the operation name
Role.name - contains the adminRole name
Specified by:
revokePermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target.
role - must contain Role.name.
Throws:
SecurityException - Thrown in the event of data validation or system error.
public void grantPermission(Permission perm, User user) throws SecurityException
Permission.objName - contains the object name
Permission.opName - contains the operation name
User.userId - contains the userId
Specified by:
grantPermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target.
user - must contain User.userId of target User entity.
Throws:
SecurityException - Thrown in the event of data validation or system error.
public void revokePermission(Permission perm, User user) throws SecurityException
Permission.objName - contains the object name
Permission.opName - contains the operation name
User.userId - contains the userId
Specified by:
revokePermission in interface DelAdminMgr
Parameters:
perm - must contain the object, Permission.objName, and operation, Permission.opName, that identifies target.
user - must contain User.userId of target User entity.
Throws:
SecurityException - Thrown in the event of data validation or system error.

Copyright © 2003-2016, The Apache Software Foundation. All Rights Reserved. Generated 20160718-1621