Class DelAccessMgrImpl

java.lang.Object
  org.apache.directory.fortress.core.impl.Manageable
    org.apache.directory.fortress.core.impl.AccessMgrImpl
      org.apache.directory.fortress.core.impl.DelAccessMgrImpl

- All Implemented Interfaces:
  Serializable, AccessMgr, DelAccessMgr, Manageable

public class DelAccessMgrImpl extends AccessMgrImpl implements DelAccessMgr, Serializable
This class implements the ARBAC02 DelAccessMgr interface for performing runtime delegated access control operations on objects that are provisioned as Fortress ARBAC entities residing in an LDAP directory. These APIs map directly to the similarly named functions specified by ARBAC02. The ARBAC functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations, delegated administrative review functions for performing administrative queries, and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions. This class also extends the RBAC AccessMgrImpl object, which performs runtime session creation and access control decisions on behalf of the administrative user who is logged onto the system (see the AccessMgr javadoc for more information on how RBAC works). This class provides both sets of functionality, as is necessary to fulfill runtime delegated administrative access control within RBAC provisioning systems.

Administrative Role Based Access Control (ARBAC)

Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users who reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.

This class is NOT thread safe if the parent instance variables (Manageable.contextId or Manageable.adminSess) are set.

- Author:
  Apache Directory Project
- See Also:
  Serialized Form
Field Summary

- Fields inherited from class org.apache.directory.fortress.core.impl.Manageable:
  adminSess, contextId

Constructor Summary

- DelAccessMgrImpl()

Method Summary

- void addActiveRole(Session session, UserAdminRole role)
  This function adds an adminRole as an active role of a session whose owner is a given user.
- Set<String> authorizedAdminRoles(Session session)
  This function returns the authorized admin roles associated with a session based on hierarchical relationships.
- boolean canAdd(Session session, User user)
  This function determines whether the user holds an AdminRole that is authorized to add a new User.
- boolean canAssign(Session session, User user, Role role)
  This function determines whether the user holds an AdminRole that is authorized assignment control over User-Role Assignment (URA).
- boolean canDeassign(Session session, User user, Role role)
  This function determines whether the user holds an AdminRole that is authorized revoke control over User-Role Assignment (URA).
- boolean canEdit(Session session, User user)
  This function determines whether the user holds an AdminRole that is authorized update/delete control over User.
- boolean canGrant(Session session, Role role, Permission perm)
  This function determines whether the user holds an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA).
- boolean canRevoke(Session session, Role role, Permission perm)
  This function determines whether the user holds an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA).
- boolean checkAccess(Session session, Permission perm)
  Perform user RBAC authorization.
- void dropActiveRole(Session session, UserAdminRole role)
  This function deactivates an adminRole from the active adminRole set of a session owned by a given user.
- List<UserAdminRole> sessionAdminRoles(Session session)
  This function returns the active admin roles associated with a session.
- List<Permission> sessionPermissions(Session session)
  This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles.

- Methods inherited from class org.apache.directory.fortress.core.impl.AccessMgrImpl:
  addActiveRole, authenticate, authorizedRoles, checkAccess, createSession, createSession, createSession, dropActiveRole, getUser, getUserId, isUserInRole, sessionRoles
- Methods inherited from class org.apache.directory.fortress.core.impl.Manageable:
  assertContext, assertContext, checkAccess, getFullMethodName, setAdmin, setAdminData, setContextId, setEntitySession
- Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface org.apache.directory.fortress.core.Manageable:
  setAdmin, setContextId

Method Detail
canAssign

public boolean canAssign(Session session, User user, Role role) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized assignment control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-assign URA.

- Specified by:
  canAssign in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  user - Instantiated User entity; only a valid userId attribute needs to be set.
  role - Instantiated Role entity; only a valid role name attribute needs to be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

canDeassign

public boolean canDeassign(Session session, User user, Role role) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized revoke control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-revoke URA.

- Specified by:
  canDeassign in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  user - Instantiated User entity; only a valid userId attribute needs to be set.
  role - Instantiated Role entity; only a valid role name attribute needs to be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

canGrant

public boolean canGrant(Session session, Role role, Permission perm) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-assign-p PRA.

- Specified by:
  canGrant in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  role - Instantiated Role entity; only a valid role name attribute needs to be set.
  perm - Instantiated Permission entity; valid object name and operation name attributes must be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid perm or role name) or system error.

canRevoke

public boolean canRevoke(Session session, Role role, Permission perm) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-revoke-p PRA.

- Specified by:
  canRevoke in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  role - Instantiated Role entity; only a valid role name attribute needs to be set.
  perm - Instantiated Permission entity; valid object name and operation name attributes must be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid perm or role name) or system error.

canAdd

public boolean canAdd(Session session, User user) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized to add a new User.

- Specified by:
  canAdd in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  user - Instantiated User entity; only a valid userId attribute needs to be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

canEdit

public boolean canEdit(Session session, User user) throws SecurityException

This function determines whether the user holds an AdminRole that is authorized update/delete control over User.

- Specified by:
  canEdit in interface DelAccessMgr
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  user - Instantiated User entity; only a valid userId attribute needs to be set.
- Returns:
  boolean value; true indicates access allowed.
- Throws:
  SecurityException - In the event of a data validation error (i.e. invalid userId or role name) or system error.

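The six can* checks above (canAssign, canDeassign, canGrant, canRevoke, canAdd, canEdit) are decision functions only; the caller is expected to consult them before performing the corresponding administrative change. The following is an added example, not code from this javadoc or from the Fortress project, showing that pattern: each administrative operation is gated by its ARBAC02 check and every decision is logged. It assumes DelAccessMgrFactory.createInstance() and AdminMgrFactory.createInstance(), the AdminMgr methods assignUser/deassignUser/grantPermission/revokePermission/addUser/updateUser, the User, Role, Permission and UserRole constructors, Session.getUserId(), and that the boolean on createSession selects a trusted session when true; none of these are on this page. All user, role and permission names are constructed samples.

```java
// Added example, not code from the Fortress javadoc or project: gating delegated
// administrative operations with the DelAccessMgr can* checks before acting.
// Assumptions (not on this page): DelAccessMgrFactory/AdminMgrFactory.createInstance(),
// the AdminMgr methods, the User/Role/Permission/UserRole constructors and
// Session.getUserId(). All user, role and permission names are constructed samples.
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

public class DelegatedAdminGate {
    @FunctionalInterface
    interface AdminOp { void run() throws SecurityException; }

    // Per-request instances: DelAccessMgrImpl is not thread safe once
    // contextId/adminSess are set, so nothing here is shared across threads.
    private final DelAccessMgr delAccessMgr;
    private final AdminMgr adminMgr;
    private final Session adminSession; // session of the delegated administrator

    public DelegatedAdminGate(String adminUserId, char[] adminPassword) throws SecurityException {
        delAccessMgr = DelAccessMgrFactory.createInstance();
        adminMgr = AdminMgrFactory.createInstance();
        // createSession(User, boolean): false = authenticated session, password is verified (assumed semantics).
        adminSession = delAccessMgr.createSession(new User(adminUserId, adminPassword), false);
        // Bind the administrator's session to AdminMgr so its own ARBAC checks apply as well.
        adminMgr.setAdmin(adminSession);
    }

    // Run op only when the can* decision allowed it; log every decision for audit.
    private boolean guard(boolean allowed, String check, String detail, AdminOp op)
            throws SecurityException {
        String who = adminSession.getUserId();
        if (!allowed) {
            System.out.printf("DENY  %-13s %s by %s%n", check, detail, who);
            return false;
        }
        op.run();
        System.out.printf("ALLOW %-13s %s by %s%n", check, detail, who);
        return true;
    }

    // URA: can-assign / can-revoke. Only userId and role name are needed for the check.
    public boolean assignRole(String userId, String roleName) throws SecurityException {
        return guard(delAccessMgr.canAssign(adminSession, new User(userId), new Role(roleName)),
                "can-assign", userId + " -> " + roleName,
                () -> adminMgr.assignUser(new UserRole(userId, roleName)));
    }

    public boolean deassignRole(String userId, String roleName) throws SecurityException {
        return guard(delAccessMgr.canDeassign(adminSession, new User(userId), new Role(roleName)),
                "can-revoke", userId + " -/-> " + roleName,
                () -> adminMgr.deassignUser(new UserRole(userId, roleName)));
    }

    // PRA: can-assign-p / can-revoke-p. Permission needs objName and opName set.
    public boolean grantPermission(String roleName, String objName, String opName)
            throws SecurityException {
        Role role = new Role(roleName);
        Permission perm = new Permission(objName, opName);
        return guard(delAccessMgr.canGrant(adminSession, role, perm),
                "can-assign-p", roleName + " += " + objName + "." + opName,
                () -> adminMgr.grantPermission(perm, role));
    }

    public boolean revokePermission(String roleName, String objName, String opName)
            throws SecurityException {
        Role role = new Role(roleName);
        Permission perm = new Permission(objName, opName);
        return guard(delAccessMgr.canRevoke(adminSession, role, perm),
                "can-revoke-p", roleName + " -= " + objName + "." + opName,
                () -> adminMgr.revokePermission(perm, role));
    }

    // User administration: canAdd / canEdit need only the target's userId.
    public boolean addUser(User newUser) throws SecurityException {
        return guard(delAccessMgr.canAdd(adminSession, newUser),
                "can-add-user", newUser.getUserId(),
                () -> adminMgr.addUser(newUser));
    }

    public boolean editUser(User changed) throws SecurityException {
        return guard(delAccessMgr.canEdit(adminSession, changed),
                "can-edit-user", changed.getUserId(),
                () -> adminMgr.updateUser(changed));
    }

    public static void main(String[] args) throws SecurityException {
        // Constructed sample identities; the delegated admin's password is a placeholder.
        DelegatedAdminGate gate = new DelegatedAdminGate("helpdesk1", "PLACEHOLDER".toCharArray());
        gate.assignRole("jdoe", "Customer-Support");   // allowed only if helpdesk1's admin roles cover URA for this role
        gate.grantPermission("Customer-Support", "/tickets", "read");
        gate.deassignRole("jdoe", "Customer-Support");
    }
}
```

Two design points: the gate logs denials as well as grants, because a delegated administrator repeatedly hitting DENY is the signal a reviewer wants to see; and the administrator's session is also bound to AdminMgr with setAdmin, so the provisioning call is checked by Fortress itself even if a caller bypasses the gate.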
checkAccess

public boolean checkAccess(Session session, Permission perm) throws SecurityException

Perform user RBAC authorization. This function returns a Boolean value meaning whether or not the subject of a given session is allowed to perform a given operation on a given object. The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The session's subject has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the roles or userId corresponding to the subject's active roles are registered in the object's access control list.

- Specified by:
  checkAccess in interface AccessMgr
- Specified by:
  checkAccess in interface DelAccessMgr
- Overrides:
  checkAccess in class AccessMgrImpl
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
  perm - must contain the object, Permission.objName, and operation, Permission.opName, of the permission the User is trying to access.
- Returns:
  True if the user has access, false otherwise.
- Throws:
  SecurityException - in the event of data validation failure, security policy violation or DAO error.

addActiveRole

public void addActiveRole(Session session, UserAdminRole role) throws SecurityException

This function adds an adminRole as an active role of a session whose owner is a given user. The function is valid if and only if:

- the user is a member of the USERS data set
- the role is a member of the ADMIN ROLES data set
- the session is a valid Fortress session
- the user is authorized to that admin role
- the session is owned by that user.

- Specified by:
  addActiveRole in interface DelAccessMgr
- Parameters:
  session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
  role - object contains the adminRole name to be activated into the session.
- Throws:
  SecurityException - is thrown if the user is not allowed to activate the role or a runtime error occurs with the system.

dropActiveRole

public void dropActiveRole(Session session, UserAdminRole role) throws SecurityException

This function deactivates an adminRole from the active adminRole set of a session owned by a given user. The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session, the session is owned by the user, and the adminRole is an active adminRole of that session.

- Specified by:
  dropActiveRole in interface DelAccessMgr
- Parameters:
  session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
  role - object contains the adminRole name to be deactivated.
- Throws:
  SecurityException - is thrown if the user is not allowed to deactivate the role or a runtime error occurs with the system.

sessionAdminRoles

public List<UserAdminRole> sessionAdminRoles(Session session) throws SecurityException

This function returns the active admin roles associated with a session. The function is valid if and only if the session is a valid Fortress session.

- Specified by:
  sessionAdminRoles in interface DelAccessMgr
- Parameters:
  session - object contains the user's returned ARBAC session from the createSession method.
- Returns:
  List<UserAdminRole> containing all adminRoles active in the user's session. This will NOT contain inherited roles.
- Throws:
  SecurityException - is thrown if the session is invalid or a system error occurs.

authorizedAdminRoles

public Set<String> authorizedAdminRoles(Session session) throws SecurityException

This function returns the authorized admin roles associated with a session based on hierarchical relationships. The function is valid if and only if the session is a valid Fortress session.

- Specified by:
  authorizedAdminRoles in interface DelAccessMgr
- Parameters:
  session - object contains the user's returned ARBAC session from the createSession method.
- Returns:
  Set<String> containing all adminRoles authorized in the user's session. This will contain inherited roles.
- Throws:
  SecurityException - is thrown if the session is invalid or a system error occurs.

sessionPermissions

public List<Permission> sessionPermissions(Session session) throws SecurityException

This function returns the permissions of the session, i.e., the permissions assigned to its authorized roles. The function is valid if and only if the session is a valid Fortress session.

- Specified by:
  sessionPermissions in interface AccessMgr
- Specified by:
  sessionPermissions in interface DelAccessMgr
- Overrides:
  sessionPermissions in class AccessMgrImpl
- Parameters:
  session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing it into the method. No variables need to be set by the client after it is returned from createSession.
- Returns:
  List<Permission> containing the permissions (op, obj) active for the user's session.
- Throws:
  SecurityException - is thrown if a runtime error occurs with the system.
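The session functions documented above (addActiveRole, dropActiveRole, sessionAdminRoles, authorizedAdminRoles, sessionPermissions, and checkAccess) form one lifecycle: create a session, activate an admin role for the task at hand, inspect and decide, then drop the role. The following is an added example, not code from this javadoc or from the Fortress project, walking through that lifecycle and making visible the difference the page states between sessionAdminRoles (no inherited roles) and authorizedAdminRoles (inherited roles included). It assumes DelAccessMgrFactory.createInstance(), the User, UserAdminRole and Permission constructors and getters used, and Session.getUserId(); none of these are on this page. The user, role, permission names and the password are constructed samples.

```java
// Added example, not code from the Fortress javadoc or project: activating a
// delegated admin role in a session, inspecting active vs authorized admin roles,
// making an RBAC decision with checkAccess, and dropping the role afterwards.
// Assumptions (not on this page): DelAccessMgrFactory.createInstance(), the
// User/UserAdminRole/Permission constructors and getters used below, and
// Session.getUserId(). All names and the password are constructed samples.
import java.util.List;
import java.util.Set;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;

public class AdminRoleSessionDemo {

    // Activate adminRoleName for the session's user. Per the contract above this throws
    // SecurityException if the user is not authorized for the role or does not own the session.
    static void activate(DelAccessMgr mgr, Session session, String adminRoleName)
            throws SecurityException {
        mgr.addActiveRole(session, new UserAdminRole(session.getUserId(), adminRoleName));
    }

    // Active admin roles exclude inherited ones; authorized admin roles include them.
    // The difference is what the user holds only through the admin role hierarchy.
    static void printAdminRoles(DelAccessMgr mgr, Session session) throws SecurityException {
        List<UserAdminRole> active = mgr.sessionAdminRoles(session);
        Set<String> authorized = mgr.authorizedAdminRoles(session);
        System.out.println("active admin roles (no inheritance):");
        for (UserAdminRole r : active) {
            System.out.println("  " + r.getName());
        }
        System.out.println("authorized admin roles (with inheritance): " + authorized);
    }

    // One RBAC decision, then the session's whole permission set for comparison.
    static boolean decide(DelAccessMgr mgr, Session session, String objName, String opName)
            throws SecurityException {
        boolean allowed = mgr.checkAccess(session, new Permission(objName, opName));
        System.out.printf("checkAccess(%s, %s) = %b%n", objName, opName, allowed);
        for (Permission p : mgr.sessionPermissions(session)) {
            System.out.println("  session perm: " + p.getObjName() + " " + p.getOpName());
        }
        return allowed;
    }

    public static void main(String[] args) throws SecurityException {
        DelAccessMgr mgr = DelAccessMgrFactory.createInstance();
        // Authenticated session for a constructed sample user; password is a placeholder.
        Session session = mgr.createSession(new User("helpdesk1", "PLACEHOLDER".toCharArray()), false);

        printAdminRoles(mgr, session);            // before activation
        activate(mgr, session, "HelpDeskAdmin");  // constructed admin role name
        printAdminRoles(mgr, session);            // HelpDeskAdmin is now active

        decide(mgr, session, "/tickets", "read"); // constructed object and operation names

        // Drop the admin role as soon as the administrative task is done (least privilege);
        // the session keeps its other active roles.
        mgr.dropActiveRole(session, new UserAdminRole(session.getUserId(), "HelpDeskAdmin"));
        printAdminRoles(mgr, session);
    }
}
```

Comparing the two listings printed around activate shows exactly which admin roles the call added, and comparing sessionAdminRoles with authorizedAdminRoles shows which roles arrive only via the hierarchy; a review of a delegated administrator's effective authority should look at the authorized set, not just the active one.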