public class DelAccessMgrRestImpl extends AccessMgrRestImpl implements DelAccessMgr
Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
This class is thread safe.
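The following is an added example, not code from the Fortress project, showing how a caller would use the delegated-administration checks of this class: open a session, activate an ARBAC admin role into it, ask canAssign/canGrant before performing a user-role or permission-role assignment, and drop the admin role when the task is done. It assumes that DelAccessMgrFactory.createInstance() is configured through the Fortress properties to return this REST implementation, that the constructors User(String), Role(String), Permission(String, String) and UserAdminRole(String, String) and the accessor Session.getUserId() exist as used, and every user, role, object and operation name below is hypothetical.

```java
// Added example (not part of the Fortress project): gate a delegated
// user-role or permission-role assignment behind the ARBAC checks of DelAccessMgr.
// Assumptions: DelAccessMgrFactory.createInstance() returns the REST impl as
// configured in the Fortress properties; the constructors User(String),
// Role(String), Permission(String, String), UserAdminRole(String, String) and
// Session.getUserId() exist as used here; all names below are hypothetical.
import java.util.List;

import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;

public class DelegatedAssignmentGuard {

    private final DelAccessMgr delAccessMgr;

    public DelegatedAssignmentGuard(DelAccessMgr delAccessMgr) {
        this.delAccessMgr = delAccessMgr;
    }

    /**
     * Activates one admin role into an existing session. Fortress, not this
     * class, decides whether the session owner may activate it and throws
     * SecurityException otherwise, so a refused activation is never silent.
     */
    public void activateAdminRole(Session session, String adminRoleName) throws SecurityException {
        UserAdminRole adminRole = new UserAdminRole(session.getUserId(), adminRoleName);
        delAccessMgr.addActiveRole(session, adminRole);
    }

    /**
     * URA check: may the session owner assign targetRoleName to targetUserId?
     * Per the canAssign contract only userId and role name need to be set.
     */
    public boolean mayAssign(Session session, String targetUserId, String targetRoleName)
            throws SecurityException {
        return delAccessMgr.canAssign(session, new User(targetUserId), new Role(targetRoleName));
    }

    /** URA check for the revoke direction (canDeassign). */
    public boolean mayDeassign(Session session, String targetUserId, String targetRoleName)
            throws SecurityException {
        return delAccessMgr.canDeassign(session, new User(targetUserId), new Role(targetRoleName));
    }

    /**
     * PRA check: may the session owner grant permission (objName, opName) to
     * roleName? Only object name and operation name need to be set.
     */
    public boolean mayGrant(Session session, String roleName, String objName, String opName)
            throws SecurityException {
        return delAccessMgr.canGrant(session, new Role(roleName), new Permission(objName, opName));
    }

    /** Plain RBAC check on the same session, for contrast with the ARBAC checks above. */
    public boolean mayAccess(Session session, String objName, String opName) throws SecurityException {
        return delAccessMgr.checkAccess(session, new Permission(objName, opName));
    }

    /** Audit-friendly summary of the admin roles the session carries right now. */
    public String describe(Session session) throws SecurityException {
        List<UserAdminRole> active = delAccessMgr.sessionAdminRoles(session);
        return session.getUserId() + " active admin roles=" + active
                + " authorized admin roles=" + delAccessMgr.authorizedAdminRoles(session);
    }

    public static void main(String[] args) throws SecurityException {
        DelAccessMgr mgr = DelAccessMgrFactory.createInstance();
        DelegatedAssignmentGuard guard = new DelegatedAssignmentGuard(mgr);

        // Trusted session: isTrusted=true skips the password check, so this form
        // belongs only behind a path where the caller was already authenticated
        // (for example by the web container), never on an anonymous request path.
        Session session = mgr.createSession(new User("hr-delegate"), true);

        guard.activateAdminRole(session, "HR_ROLE_ADMIN");
        System.out.println(guard.describe(session));

        // Decision before action: refuse the assignment unless ARBAC allows it.
        if (guard.mayAssign(session, "new.hire", "PAYROLL_CLERK")) {
            System.out.println("ALLOW: hr-delegate may assign PAYROLL_CLERK to new.hire");
            // the assignment itself would be performed through AdminMgr here
        } else {
            System.out.println("DENY: hr-delegate may not assign PAYROLL_CLERK to new.hire");
        }

        if (!guard.mayGrant(session, "PAYROLL_CLERK", "payroll.report", "export")) {
            System.out.println("DENY: PRA for payroll.report:export is not delegated to this admin role");
        }

        // Drop the admin role as soon as the delegated task is done: least
        // privilege in time as well as in scope.
        mgr.dropActiveRole(session, new UserAdminRole(session.getUserId(), "HR_ROLE_ADMIN"));
    }
}
```

The point to notice is that the can* methods are pure decisions: they return false rather than throw when ARBAC does not delegate the operation to any active admin role, so the caller must treat a false result as a deny and must not attempt the assignment. Validation failures (a missing userId or role name) and transport errors surface as SecurityException, which is why the guard methods declare it rather than swallowing it.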
Inherited fields: adminSess, contextId

| Constructor and Description |
|---|
| DelAccessMgrRestImpl() |

| Modifier and Type | Method | Description |
|---|---|---|
| void | addActiveRole(Session session, UserAdminRole role) | This function adds an adminRole as an active role of a session whose owner is a given user. |
| Set<String> | authorizedAdminRoles(Session session) | This function returns the authorized admin roles associated with a session based on hierarchical relationships. |
| boolean | canAssign(Session session, User user, Role role) | This function will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA). |
| boolean | canDeassign(Session session, User user, Role role) | This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA). |
| boolean | canGrant(Session session, Role role, Permission perm) | This function will determine if the user contains an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA). |
| boolean | canRevoke(Session session, Role role, Permission perm) | This function will determine if the user contains an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA). |
| boolean | checkAccess(Session session, Permission perm) | Perform user RBAC authorization. |
| void | dropActiveRole(Session session, UserAdminRole role) | This function deactivates adminRole from the active adminRole set of a session owned by a given user. |
| List<UserAdminRole> | sessionAdminRoles(Session session) | This function returns the active admin roles associated with a session. |
| List<Permission> | sessionPermissions(Session session) | This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles. |
Methods inherited from interface AccessMgr: addActiveRole, authenticate, authorizedRoles, createSession, dropActiveRole, getUser, getUserId, sessionRoles

Methods inherited from class AccessMgrRestImpl: assertContext, assertContext, checkAccess, getFullMethodName, setAdmin, setAdminData, setContextId, setEntitySession

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface Manageable: setAdmin, setContextId
public boolean canAssign(Session session, User user, Role role) throws SecurityException

Specified by: canAssign in interface DelAccessMgr

Parameters:
- session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by the client after it is returned from createSession.
- user - Instantiated User entity requires only a valid userId attribute set.
- role - Instantiated Role entity requires only a valid role name attribute set.

Throws:
- SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

public boolean canDeassign(Session session, User user, Role role) throws SecurityException

Specified by: canDeassign in interface DelAccessMgr

Parameters:
- session - This object must be instantiated by calling the AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by the client after it is returned from createSession.
- user - Instantiated User entity requires only a valid userId attribute set.
- role - Instantiated Role entity requires only a valid role name attribute set.

Throws:
- SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

public boolean canGrant(Session session, Role role, Permission perm) throws SecurityException

Specified by: canGrant in interface DelAccessMgr

Parameters:
- session - This object must be instantiated by calling the AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by the client after it is returned from createSession.
- role - Instantiated Role entity requires only a valid role name attribute set.
- perm - Instantiated Permission entity requires valid object name and operation name attributes set.

Throws:
- SecurityException - In the event of a data validation error (i.e. invalid perm or role name) or system error.

public boolean canRevoke(Session session, Role role, Permission perm) throws SecurityException

Specified by: canRevoke in interface DelAccessMgr

Parameters:
- session - This object must be instantiated by calling the AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by the client after it is returned from createSession.
- role - Instantiated Role entity requires only a valid role name attribute set.
- perm - Instantiated Permission entity requires valid object name and operation name attributes set.

Throws:
- SecurityException - In the event of a data validation error (i.e. invalid perm or role name) or system error.

public boolean checkAccess(Session session, Permission perm) throws SecurityException

Specified by: checkAccess in interface AccessMgr; checkAccess in interface DelAccessMgr

Overrides: checkAccess in class AccessMgrRestImpl

Parameters:
- session - This object must be instantiated by calling the AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by the client after it is returned from createSession.
- perm - must contain the object (Permission.objName) and operation (Permission.opName) of the permission the User is trying to access.

Throws:
- SecurityException - in the event of data validation failure, security policy violation or DAO error.

public void addActiveRole(Session session, UserAdminRole role) throws SecurityException

The function is valid if and only if:

Specified by: addActiveRole in interface DelAccessMgr

Parameters:
- session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
- role - object contains the adminRole name to be activated into the session.

Throws:
- SecurityException - is thrown if the user is not allowed to activate the role or a runtime error occurs with the system.

public void dropActiveRole(Session session, UserAdminRole role) throws SecurityException

Specified by: dropActiveRole in interface DelAccessMgr

Parameters:
- session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
- role - object contains the adminRole name to be deactivated.

Throws:
- SecurityException - is thrown if the user is not allowed to deactivate the role or a runtime error occurs with the system.

public List<UserAdminRole> sessionAdminRoles(Session session) throws SecurityException

Specified by: sessionAdminRoles in interface DelAccessMgr

Parameters:
- session - object contains the user's returned ARBAC session from the createSession method.

Throws:
- SecurityException - is thrown if the session is invalid or a system error occurs.

public Set<String> authorizedAdminRoles(Session session) throws SecurityException

Specified by: authorizedAdminRoles in interface DelAccessMgr

Parameters:
- session - object contains the user's returned ARBAC session from the createSession method.

Throws:
- SecurityException - is thrown if the session is invalid or a system error occurs.

public List<Permission> sessionPermissions(Session session) throws SecurityException

Specified by: sessionPermissions in interface AccessMgr; sessionPermissions in interface DelAccessMgr

Overrides: sessionPermissions in class AccessMgrRestImpl

Parameters:
- session - This object must be instantiated by calling the AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by the client after it is returned from createSession.

Throws:
- SecurityException - is thrown if a runtime error occurs with the system.

Copyright © 2003-2016, The Apache Software Foundation. All Rights Reserved. Generated 20160718-1621