Class DSDChecker

  • All Implemented Interfaces:
    Validator

    public class DSDChecker
    extends Object
    implements Validator
    This class performs Dynamic Separation of Duty (DSD) checking on the collection of roles targeted for activation within a particular user's session. It is called from VUtil.validateConstraints(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.util.VUtil.ConstraintType, boolean) during the createSession sequence for users. If a DSD constraint violation is detected for a particular role, the validator removes that role from the collection of activation candidates and logs a warning. The check also considers hierarchical relations between roles (the RBAC spec calls these authorized roles). This validator ensures that a role targeted for activation does not violate RBAC dynamic separation of duty constraints.
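
The check described above, sketched as an added example; this is not Apache Fortress source code. The DsdSet record, the role names, the hierarchy and the activate() helper are constructed for illustration, and the sketch assumes the RBAC-standard rule that a session may not have `cardinality` or more members of a DSD set active at once.

```java
import java.util.*;

// Added illustration, not Fortress code. DsdSet, PARENTS and activate() are hypothetical names.
public class DsdSketch {
    // A DSD set: a session may not hold `cardinality` or more of `members` active at once.
    record DsdSet(String name, Set<String> members, int cardinality) {}

    // Constructed hierarchy: child role -> parent roles it inherits.
    static final Map<String, Set<String>> PARENTS = Map.of("SeniorTeller", Set.of("Teller"));

    // The role plus everything it inherits (the "authorized roles" of the RBAC spec).
    static Set<String> authorized(String role) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(List.of(role));
        while (!todo.isEmpty()) {
            String r = todo.pop();
            if (seen.add(r)) todo.addAll(PARENTS.getOrDefault(r, Set.of()));
        }
        return seen;
    }

    // Walk candidates in order; drop any role that would bring a DSD set up to its cardinality.
    static List<String> activate(List<String> candidates, List<DsdSet> sets) {
        List<String> active = new ArrayList<>();
        Set<String> activeAuthorized = new HashSet<>();
        for (String role : candidates) {
            Set<String> after = new HashSet<>(activeAuthorized);
            after.addAll(authorized(role));
            DsdSet violated = null;
            for (DsdSet s : sets) {
                long hits = after.stream().filter(s.members()::contains).count();
                if (hits >= s.cardinality()) { violated = s; break; }
            }
            if (violated != null) {
                // Mirror the documented behaviour: log a warning and skip the role.
                System.err.println("WARN DSD " + violated.name() + ": role " + role + " not activated");
            } else {
                active.add(role);
                activeAuthorized = after;
            }
        }
        return active;
    }

    public static void main(String[] args) {
        List<DsdSet> sets = List.of(new DsdSet("TellerVsAuditor", Set.of("Teller", "Auditor"), 2));
        // SeniorTeller inherits Teller, so Auditor conflicts even though Teller was never requested.
        System.out.println(activate(List.of("SeniorTeller", "Auditor", "Clerk"), sets));
    }
}
```

Because the comparison runs over authorized roles and not only the role names requested, a conflict reached through inheritance is caught the same way as a direct one.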

    Constraint targets include:

    1. User maps to 'ftCstr' attribute on 'ftUserAttrs' object class
    2. UserRole maps to 'ftRC' attribute on 'ftUserAttrs' object class
    3. Role maps to 'ftCstr' attribute on 'ftRls' object class
    4. AdminRole maps to 'ftCstr' attribute on 'ftRls' object class
    5. UserAdminRole maps to 'ftARC' attribute on 'ftRls' object class
    Author:
    Apache Directory Project