Interface AccessMgr

  • All Superinterfaces:
    Manageable
  • All Known Implementing Classes:
    AccessMgrImpl, AccessMgrRestImpl, DelAccessMgrImpl, DelAccessMgrRestImpl

    public interface AccessMgr
    extends Manageable
    This object performs runtime access control operations on objects that are provisioned RBAC entities residing in an LDAP directory. These APIs map directly to the similarly named APIs specified by the ANSI and NIST RBAC system functions. Many of the Javadoc function descriptions found below were taken directly from ANSI INCITS 359-2004. The RBAC Functional specification describes administrative operations for the creation and maintenance of RBAC element sets and relations; administrative review functions for performing administrative queries; and system functions for creating and managing RBAC attributes on user sessions and making access control decisions.

    RBAC0 - Core

    Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add, update, delete identity data and perform identity and access control decisions during runtime operations.

    Rbac Core


    RBAC1 - General Hierarchical Roles

    Simplifies role engineering tasks using inheritance of one or more parent roles.

    Rbac Hierarchy


    RBAC2 - Static Separation of Duty (SSD) Relations

    Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which roles may be assigned to users in combination. SSD provides added granularity for authorization limits, which helps enterprises meet strict compliance regulations.

    Rbac SSD


    RBAC3 - Dynamic Separation of Duty (DSD) Relations

    Control which role combinations may be activated together within an RBAC session. DSD policies fine-tune role policies to enforce authorization dual control and two-man policy restrictions during runtime security checks.

    Rbac DSD


    This interface's implementer will NOT be thread safe if parent instance variables (Manageable.setContextId(String) or Manageable.setAdmin(org.apache.directory.fortress.core.model.Session)) are set.

    Author:
    Apache Directory Project
    • Method Detail

      • authenticate

        Session authenticate​(String userId,
                             String password)
                      throws SecurityException
        Perform user authentication only. It does not activate RBAC roles in session but will evaluate password policies.
        Parameters:
        userId - Contains the userid of the user signing on.
        password - Contains the user's password.
        Returns:
        A Session object is returned if authentication is successful. It will not contain the user's roles.
        Throws:
        SecurityException - in the event of data validation failure, security policy violation or DAO error.
      • checkAccess

        boolean checkAccess​(Session session,
                            Permission perm)
                     throws SecurityException
        Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given session is allowed or not to perform a given operation on a given object. The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The session's subject has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the subject's active roles (or the userId) are registered in the object's access control list.
        Parameters:
        perm - must contain the object, Permission.objName, and operation, Permission.opName, of permission User is trying to access.
        session - This object must be instantiated by calling the createSession(org.apache.directory.fortress.core.model.User, boolean) method before being passed into this method. No variables need to be set by the client after it is returned from createSession.
        Returns:
        True if user has access, false otherwise.
        Throws:
        SecurityException - in the event of data validation failure, security policy violation or DAO error.
      • checkAccess

        boolean checkAccess​(User user,
                            Permission perm,
                            boolean isTrusted)
                     throws SecurityException
        Combine createSession and checkAccess into a single method. This function returns a Boolean value meaning whether the User is allowed or not to perform a given operation on a given object. The function is valid if and only if the user is a valid Fortress user, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The user has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the user's active roles (or the userId) are registered in the object's access control list.
        Parameters:
        user - Contains User.userId, User.password (optional if isTrusted is 'true'), and optionally User.roles.
        perm - must contain the object, Permission.objName, and operation, Permission.opName, of permission User is trying to access.
        Returns:
        True if user has access, false otherwise.
        Throws:
        SecurityException - in the event of data validation failure, security policy violation or DAO error.
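The authenticate/createSession/checkAccess sequence above, as an added Java example that is not part of the Fortress project code. It wraps an AccessMgr obtained from AccessMgrFactory so that a session is created once and every later authorization question is answered fail-closed: any SecurityException (validation failure, policy violation, DAO error) is reported as "not permitted". It assumes a fortress.properties on the classpath pointing at a provisioned directory, that this Fortress version's User constructor takes the password as a String, and the userId and permission names are placeholders.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

/**
 * Added example (not Fortress project code): a small guard around AccessMgr.
 * One session per logon; every decision goes through checkAccess and fails closed.
 */
public class AccessGuard
{
    private final AccessMgr accessMgr;

    public AccessGuard( AccessMgr accessMgr )
    {
        this.accessMgr = accessMgr;
    }

    /**
     * Log the user on: Fortress verifies the password (isTrusted=false),
     * evaluates password policy, and activates the assigned roles into a session.
     * Assumption: this Fortress version's User(String userId, String password) constructor.
     */
    public Session login( String userId, String password ) throws SecurityException
    {
        User user = new User( userId, password );
        return accessMgr.createSession( user, false );
    }

    /**
     * Authorization decision for one (object, operation) pair.
     * A missing session or any SecurityException yields false, never true.
     */
    public boolean isPermitted( Session session, String objName, String opName )
    {
        if ( session == null )
        {
            return false;
        }
        try
        {
            return accessMgr.checkAccess( session, new Permission( objName, opName ) );
        }
        catch ( SecurityException e )
        {
            // Record e.getErrorId() / e.getMessage() server-side; do not leak to the caller.
            return false;
        }
    }

    /** Lists the (object, operation) pairs the session's active roles grant. */
    public void printSessionPermissions( Session session ) throws SecurityException
    {
        for ( Permission p : accessMgr.sessionPermissions( session ) )
        {
            System.out.println( p.getObjName() + " : " + p.getOpName() );
        }
    }

    public static void main( String[] args ) throws SecurityException
    {
        // Placeholders: userId, password and permission names are not from a real deployment.
        AccessGuard guard = new AccessGuard( AccessMgrFactory.createInstance() );
        Session session = guard.login( "demoUser4", "<password>" );

        System.out.println( "read   = " + guard.isPermitted( session, "/accounts/*", "read" ) );
        System.out.println( "update = " + guard.isPermitted( session, "/accounts/*", "update" ) );
        guard.printSessionPermissions( session );
    }
}
```

The two-argument checkAccess(Session, Permission) is preferred over the three-argument checkAccess(User, Permission, boolean) for a request handler because the password check and role activation happen once at logon rather than on every decision; the trusted variant (isTrusted=true) skips password verification entirely and so belongs only behind a component that has already authenticated the user by other means.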
      • isUserInRole

        boolean isUserInRole​(User user,
                             Role role,
                             boolean isTrusted)
                      throws SecurityException
        Combine createSession and a role check into a single method. This function returns a Boolean value meaning whether the User has a particular role. The function is valid if and only if the user is a valid Fortress user and the role is a member of the ROLES data set.
        Parameters:
        user - Contains User.userId, User.password (optional if isTrusted is 'true'), and optionally User.roles.
        role - object contains the role name, Role.name, to be checked.
        Returns:
        True if user has role, false otherwise.
        Throws:
        SecurityException - in the event of data validation failure, security policy violation or DAO error.
      • sessionPermissions

        List<Permission> sessionPermissions​(Session session)
                                     throws SecurityException
        This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - This object must be instantiated by calling the createSession(org.apache.directory.fortress.core.model.User, boolean) method before being passed into this method. No variables need to be set by the client after it is returned from createSession.
        Returns:
        List<Permission> containing permissions (op, obj) active for user's session.
        Throws:
        SecurityException - is thrown if runtime error occurs with system.
      • sessionRoles

        List<UserRole> sessionRoles​(Session session)
                             throws SecurityException
        This function returns the active roles associated with a session. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        Returns:
        List<UserRole> containing all roles active in user's session. This will NOT contain inherited roles.
        Throws:
        SecurityException - is thrown if the session is invalid or a system error occurs.
      • authorizedRoles

        Set<String> authorizedRoles​(Session session)
                             throws SecurityException
        This function returns the authorized roles associated with a session based on hierarchical relationships. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        Returns:
        Set<String> containing all roles active in user's session. This will contain inherited roles.
        Throws:
        SecurityException - is thrown if the session is invalid or a system error occurs.
      • addActiveRole

        void addActiveRole​(Session session,
                           UserRole role)
                    throws SecurityException
        This function adds a role as an active role of a session whose owner is a given user.

        The function is valid if and only if:

        • the user is a member of the USERS data set
        • the role is a member of the ROLES data set
        • the role inclusion does not violate Dynamic Separation of Duty Relationships
        • the session is a valid Fortress session
        • the user is authorized to that role
        • the session is owned by that user.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        role - object contains the role name, UserRole.name, to be activated into session.
        Throws:
        SecurityException - is thrown if user is not allowed to activate or runtime error occurs with system.
      • dropActiveRole

        void dropActiveRole​(Session session,
                            UserRole role)
                     throws SecurityException
        This function deletes a role from the active role set of a session owned by a given user. The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session, the session is owned by the user, and the role is an active role of that session.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        role - object contains the role name, UserRole.name, to be deactivated.
        Throws:
        SecurityException - is thrown if user is not allowed to deactivate or runtime error occurs with system.
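Selective role activation under the addActiveRole conditions listed above, together with the sessionRoles/authorizedRoles distinction, as an added Java example that is not Fortress project code. It starts a session with only the roles named by the caller (Fortress activates the roles set on the User object when present, otherwise all assigned roles; this behaviour is assumed from the "optional User.roles" parameter note), then attempts to activate one more role and treats the SecurityException that a DSD conflict or unassigned role produces as a refusal that leaves the session unchanged. Role names, userId and password are placeholders; the User(String, String) and UserRole(String userId, String name) constructors are assumed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/** Added example (not Fortress project code): least-privilege role activation. */
public class RoleActivation
{
    private final AccessMgr accessMgr;

    public RoleActivation( AccessMgr accessMgr )
    {
        this.accessMgr = accessMgr;
    }

    /**
     * Create a session in which only the named roles are active.
     * Assumption: roles set on the User restrict activation to that subset.
     */
    public Session createSessionWithRoles( String userId, String password, List<String> roleNames )
        throws SecurityException
    {
        User user = new User( userId, password );
        List<UserRole> requested = new ArrayList<>();
        for ( String name : roleNames )
        {
            requested.add( new UserRole( userId, name ) );
        }
        user.setRoles( requested );
        return accessMgr.createSession( user, false );
    }

    /**
     * Activate one more role later in the session. Fortress checks that the
     * role exists, that the user is assigned to it, that the session belongs to
     * the user, and that no DSD relation is violated; any failure is a
     * SecurityException and the active role set is left as it was.
     */
    public boolean tryActivate( Session session, String roleName )
    {
        try
        {
            accessMgr.addActiveRole( session, new UserRole( session.getUserId(), roleName ) );
            return true;
        }
        catch ( SecurityException e )
        {
            System.err.println( "activation of " + roleName + " refused, errorId=" + e.getErrorId() );
            return false;
        }
    }

    /** Drop a role once the task that needed it is finished. */
    public void deactivate( Session session, String roleName ) throws SecurityException
    {
        accessMgr.dropActiveRole( session, new UserRole( session.getUserId(), roleName ) );
    }

    /** sessionRoles lists directly activated roles; authorizedRoles adds the inherited ones. */
    public void printRoles( Session session ) throws SecurityException
    {
        List<UserRole> direct = accessMgr.sessionRoles( session );
        Set<String> effective = accessMgr.authorizedRoles( session );
        for ( UserRole r : direct )
        {
            System.out.println( "active   : " + r.getName() );
        }
        for ( String name : effective )
        {
            System.out.println( "effective: " + name );
        }
    }

    public static void main( String[] args ) throws SecurityException
    {
        // Placeholders: "role1" / "role2" stand for two roles in a DSD relation.
        RoleActivation ra = new RoleActivation( AccessMgrFactory.createInstance() );
        Session session = ra.createSessionWithRoles( "demoUser4", "<password>", List.of( "role1" ) );
        ra.printRoles( session );

        boolean activated = ra.tryActivate( session, "role2" );   // refused if role1/role2 conflict under DSD
        if ( activated )
        {
            ra.deactivate( session, "role2" );
        }
        ra.printRoles( session );
    }
}
```

Starting with the smallest role set and activating further roles on demand is what lets DSD do its work: a conflicting role can only be refused at activation time if the session did not start with every assigned role already active.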
      • getUserId

        String getUserId​(Session session)
                  throws SecurityException
        This function returns the userId value that is contained within the session object. The function is valid if and only if the session object contains a valid Fortress session.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        Returns:
        The userId value
        Throws:
        SecurityException - is thrown if user session not active or runtime error occurs with system.
      • getUser

        User getUser​(Session session)
              throws SecurityException
        This function returns the user object that is contained within the session object. The function is valid if and only if the session object contains a valid Fortress session.
        Parameters:
        session - object contains the user's returned RBAC session from the createSession method.
        Returns:
        The User object contained in the session.
        Sample User data contained in Session object:
        Session
        • session.getUserId() => demoUser4
        • session.getInternalUserId() => be2dd2e:12a82ba707e:-7fee
        • session.getMessage() => Fortress checkPwPolicies userId <demouser4> VALIDATION GOOD
        • session.getErrorId() => 0
        • session.getWarningId() => 11
        • session.getExpirationSeconds() => 469831
        • session.getGraceLogins() => 0
        • session.getIsAuthenticated() => true
        • session.getLastAccess() => 1283623680440
        • session.getSessionId() => -7410986f:12addeea576:-7fff
        • ------------------------------------------
        • User user = session.getUser();
          • user.getUserId() => demoUser4
          • user.getInternalId() => be2dd2e:12a82ba707e:-7fee
          • user.getCn() => JoeUser4
          • user.getDescription() => Demo Test User 4
          • user.getOu() => test
          • user.getSn() => User4
          • user.getBeginDate() => 20090101
          • user.getEndDate() => none
          • user.getBeginLockDate() => none
          • user.getEndLockDate() => none
          • user.getDayMask() => 1234567
          • user.getTimeout() => 60
          • List<UserRole> roles = session.getRoles();
            • UserRole userRole = roles.get(i);
            • userRole.getName() => role1
            • userRole.getBeginTime() => 0000
            • userRole.getEndTime() => 0000
            • userRole.getBeginDate() => none
            • userRole.getEndDate() => none
            • userRole.getBeginLockDate() => null
            • userRole.getEndLockDate() => null
            • userRole.getDayMask() => null
            • userRole.getTimeout() => 0
        Throws:
        SecurityException - is thrown if user session not active or runtime error occurs with system.