Interface DelReviewMgr

  • All Superinterfaces:
    Manageable
  • All Known Implementing Classes:
    DelReviewMgrImpl, DelReviewMgrRestImpl

    public interface DelReviewMgr
    extends Manageable
    This class prescribes the ARBAC02 DelReviewMgr interface for performing policy interrogation of provisioned Fortress ARBAC entities that reside in the LDAP directory. These APIs map directly to similarly named APIs specified by the ARBAC02 functions. The ARBAC functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations. The delegated administrative review functions perform administrative queries, while the system functions create and manage ARBAC attributes on user sessions and make delegated administrative access control decisions.

    Administrative Role Based Access Control (ARBAC)

    Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.

    This interface's implementer will NOT be thread safe if parent instance variables (Manageable.setContextId(String) or Manageable.setAdmin(org.apache.directory.fortress.core.model.Session)) are set.

    Author:
    Apache Directory Project
    • Method Detail

      • readRole

        AdminRole readRole(AdminRole role)
                    throws SecurityException
        Method reads an Admin Role entity from the admin role container in the directory.

        required parameters

        • Role.name - contains the name of the AdminRole being targeted for read
        Parameters:
        role - contains role name to be read.
        Returns:
        AdminRole entity that corresponds with role name.
        Throws:
        SecurityException - will be thrown if role not found or system error occurs.
      • findRoles

        List<AdminRole> findRoles(String searchVal)
                           throws SecurityException
        Method returns a list of AdminRole entities whose names match the search value.

        required parameters

        • Role.name - contains all or some chars in the name of AdminRole(s) targeted for search
        Parameters:
        searchVal - contains all or some of the chars corresponding to admin role entities stored in the directory.
        Returns:
        List of type AdminRole containing role entities that match the search criteria.
        Throws:
        SecurityException - in the event of system error.
      • assignedRoles

        List<UserAdminRole> assignedRoles(User user)
                                   throws SecurityException
        This function returns the set of admin roles assigned to a given user. The function is valid if and only if the user is a member of the USERS data set.

        required parameters

        • User.userId - contains the userId associated with the User object targeted for search.
        Parameters:
        user - contains userId matching user entity stored in the directory.
        Returns:
        List of type UserAdminRole containing the user admin role data.
        Throws:
        SecurityException - If user not found or system error occurs.
      • assignedUsers

        List<User> assignedUsers(AdminRole role)
                          throws SecurityException
        This method returns the data set of all users who are assigned the given admin role. It searches the User data set for the AdminRole relationship. This method does NOT search hierarchical Admin Role relationships, so users who hold the role only through a descendant admin role are not returned.

        required parameters

        • Role.name - contains the name of AdminRole targeted for search
        Parameters:
        role - contains the role name used to search the User data set.
        Returns:
        List of type User containing the users assigned data.
        Throws:
        SecurityException - If system error occurs.
      • read

        OrgUnit read(OrgUnit entity)
              throws SecurityException
        Command reads an existing OrgUnit entity from the OrgUnit dataset. The OrgUnit can be either User or Perm, selected by setting the type attribute.

        required parameters

        Parameters:
        entity - contains OrgUnit name and type.
        Returns:
        OrgUnit entity that corresponds with ou name and type.
        Throws:
        SecurityException - in the event of data validation or system error.
      • search

        List<OrgUnit> search(OrgUnit.Type type,
                             String searchVal)
                      throws SecurityException
        Command searches existing OrgUnit entities in the OrgUnit dataset. The OrgUnit can be either User or Perm, selected by the type parameter of the API.

        required parameters

        Parameters:
        type - either PERM or USER
        searchVal - contains the leading chars that map to OrgUnit.name on existing OrgUnit(s) targeted for search.
        Returns:
        List of type OrgUnit containing the OrgUnit data.
        Throws:
        SecurityException - in the event of data validation or system error.
      • rolePermissions

        List<Permission> rolePermissions(AdminRole role)
                                  throws SecurityException
        This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a given ARBAC role. The function is valid if and only if the role is a member of the ROLES data set.

        required parameters

        • Role.name - contains the name to use for the AdminRole targeted for search.
        Parameters:
        role - contains the role name (Role.name) of the AdminRole entity to which the permissions are granted.
        Returns:
        List of type Permission that contains all perms granted to a role.
        Throws:
        SecurityException - In the event system error occurs.
      • rolePermissions

        List<Permission> rolePermissions(AdminRole role,
                                         boolean noInheritance)
                                  throws SecurityException
        This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a given ARBAC role. The function is valid if and only if the role is a member of the ROLES data set.

        required parameters

        • Role.name - contains the name to use for the AdminRole targeted for search.
        Parameters:
        role - contains the role name (Role.name) of the AdminRole entity to which the permissions are granted.
        noInheritance - if true, the search will NOT include roles inherited through the admin role hierarchy; only permissions granted directly to the named role are returned.
        Returns:
        List of type Permission that contains all perms granted to a role.
        Throws:
        SecurityException - In the event system error occurs.
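As an added example that is not part of the Fortress Javadoc or the project's own code, the following entitlement review combines assignedRoles with both rolePermissions overloads: for each admin role assigned to a user it separates the permissions granted directly to the role from those that arrive only through the admin role hierarchy, which a flat listing would miss. DelReviewMgrFactory.createInstance() is assumed to return the configured DelReviewMgr implementation.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.directory.fortress.core.DelReviewMgr;
import org.apache.directory.fortress.core.DelReviewMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.AdminRole;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;

// Entitlement review of one user's delegated-admin rights (added example, not Fortress code).
public class AdminEntitlementReview {

    // "obj:op" key so permissions returned by the two overloads can be compared.
    private static String key(Permission perm) {
        return perm.getObjName() + ":" + perm.getOpName();
    }

    // One report line per admin role assigned to userId: perms granted to the role itself
    // versus perms that arrive only through parent admin roles (invisible to a flat review).
    public static List<String> review(DelReviewMgr mgr, String userId) throws SecurityException {
        List<String> report = new ArrayList<>();
        // assignedRoles needs only User.userId and throws SecurityException if the user is not found.
        for (UserAdminRole assignment : mgr.assignedRoles(new User(userId))) {
            AdminRole role = new AdminRole(assignment.getName());
            Set<String> direct = new HashSet<>();
            for (Permission p : mgr.rolePermissions(role, true)) {   // noInheritance = true
                direct.add(key(p));
            }
            Set<String> inheritedOnly = new HashSet<>();
            for (Permission p : mgr.rolePermissions(role)) {         // includes inherited roles
                if (!direct.contains(key(p))) {
                    inheritedOnly.add(key(p));
                }
            }
            report.add(role.getName() + " direct=" + direct + " inheritedOnly=" + inheritedOnly);
        }
        return report;
    }

    public static void main(String[] args) throws SecurityException {
        // Assumed: DelReviewMgrFactory.createInstance() returns the configured implementation.
        DelReviewMgr mgr = DelReviewMgrFactory.createInstance();
        review(mgr, args[0]).forEach(System.out::println);
    }
}
```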