Class DelAccessMgrImpl

  • All Implemented Interfaces:
    Serializable, AccessMgr, DelAccessMgr, Manageable

    public class DelAccessMgrImpl
    extends AccessMgrImpl
    implements DelAccessMgr, Serializable
    This class implements the ARBAC02 DelAccessMgr interface for performing runtime delegated access control operations on objects that are provisioned as Fortress ARBAC entities residing in an LDAP directory. These APIs map directly to the similarly named functions of the ARBAC02 specification. The ARBAC functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations, delegated administrative review functions for performing administrative queries, and system functions for creating and managing ARBAC attributes on user sessions and for making delegated administrative access control decisions. This class also extends the RBAC AccessMgrImpl class, which performs runtime session creation and access control decisions on behalf of the administrative user who is logged onto the system (see the AccessMgr javadoc for more on how RBAC works). Together these provide the functionality needed to fulfil runtime delegated administrative access control within RBAC provisioning systems.

    Administrative Role Based Access Control (ARBAC)

    Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.

    This class is NOT thread safe if parent instance variables (Manageable.contextId or Manageable.adminSess) are set.

    Author:
    Apache Directory Project
    See Also:
    Serialized Form
    • Constructor Detail

      • DelAccessMgrImpl

        public DelAccessMgrImpl()
    • Method Detail

      • canAssign

        public boolean canAssign(Session session,
                                 User user,
                                 Role role)
                          throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-assign URA.
        Specified by:
        canAssign in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canDeassign

        public boolean canDeassign(Session session,
                                   User user,
                                   Role role)
                            throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-revoke URA.
        Specified by:
        canDeassign in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canGrant

        public boolean canGrant(Session session,
                                Role role,
                                Permission perm)
                         throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-assign-p PRA.
        Specified by:
        canGrant in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        role - Instantiated Role entity requires only valid role name attribute set.
        perm - Instantiated Permission entity requires valid object name and operation name attributes set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid perm or role name) or system error.
      • canRevoke

        public boolean canRevoke(Session session,
                                 Role role,
                                 Permission perm)
                          throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
        Specified by:
        canRevoke in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        role - Instantiated Role entity requires only valid role name attribute set.
        perm - Instantiated Permission entity requires valid object name and operation name attributes set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid perm or role name) or system error.
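The four can* checks above are decision functions only: they tell a caller whether the administrator's active AdminRoles authorize a User-Role or Permission-Role change, and leave the change itself to AdminMgr. The following is an added example, not code from the Fortress project or its javadoc, of wrapping those writes behind the corresponding ARBAC02 check so that a denied request is logged and never reaches the directory. It assumes the factory classes AccessMgrFactory, DelAccessMgrFactory and AdminMgrFactory with a no-argument createInstance(), the model constructors User(String), Role(String), Permission(String, String) and UserRole(String, String), and the AdminMgr methods assignUser and grantPermission; the userId, role and permission names are constructed for the demo and must already be provisioned in the directory.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Added example (assumed helper, not part of Fortress): every delegated write is
 * preceded by the matching ARBAC02 can-assign / can-assign-p decision.
 */
public final class DelegatedAssignmentGuard {

    private final DelAccessMgr delAccessMgr;
    private final AdminMgr adminMgr;

    public DelegatedAssignmentGuard(DelAccessMgr delAccessMgr, AdminMgr adminMgr) {
        this.delAccessMgr = delAccessMgr;
        this.adminMgr = adminMgr;
    }

    /** URA: assign roleName to userId only if the admin session passes can-assign. */
    public boolean assignIfPermitted(Session adminSession, String userId, String roleName)
            throws SecurityException {
        User target = new User(userId);   // only userId needs to be set for the check
        Role role = new Role(roleName);    // only the role name needs to be set
        if (!delAccessMgr.canAssign(adminSession, target, role)) {
            // Denied: record who attempted what, and perform no directory write.
            System.out.printf("DENY can-assign URA: admin=%s user=%s role=%s%n",
                    adminSession.getUserId(), userId, roleName);
            return false;
        }
        adminMgr.assignUser(new UserRole(userId, roleName));
        return true;
    }

    /** PRA: grant objName/opName to roleName only if the admin session passes can-assign-p. */
    public boolean grantIfPermitted(Session adminSession, String objName, String opName, String roleName)
            throws SecurityException {
        Permission perm = new Permission(objName, opName); // object and operation names required
        Role role = new Role(roleName);
        if (!delAccessMgr.canGrant(adminSession, role, perm)) {
            System.out.printf("DENY can-assign-p PRA: admin=%s perm=%s.%s role=%s%n",
                    adminSession.getUserId(), objName, opName, roleName);
            return false;
        }
        adminMgr.grantPermission(perm, role);
        return true;
    }

    public static void main(String[] args) throws SecurityException {
        // Factories and no-arg createInstance() are assumed, not shown on the javadoc page.
        AccessMgr accessMgr = AccessMgrFactory.createInstance();
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance();
        AdminMgr adminMgr = AdminMgrFactory.createInstance();

        // Trusted session (no password check) for a constructed delegated administrator.
        Session adminSession = accessMgr.createSession(new User("demoAdmin"), true);
        // Attach the admin session so AdminMgr also applies its own ARBAC checks on write.
        adminMgr.setAdmin(adminSession);

        DelegatedAssignmentGuard guard = new DelegatedAssignmentGuard(delAccessMgr, adminMgr);
        boolean assigned = guard.assignIfPermitted(adminSession, "demoUser", "DemoRole");
        boolean granted = guard.grantIfPermitted(adminSession, "demoObject", "read", "DemoRole");
        System.out.printf("assigned=%b granted=%b%n", assigned, granted);
    }
}
```

The explicit pre-check is defense in depth rather than a replacement for the enforcement AdminMgr performs once an admin session is attached; its value is that a denial is observable in the application's own log before any write is attempted, which is what an auditor of a decentralized provisioning workflow will want to see.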
      • canAdd

        public boolean canAdd(Session session,
                              User user)
                       throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized to add a new User.
        Specified by:
        canAdd in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canEdit

        public boolean canEdit(Session session,
                               User user)
                        throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized update/delete control over User.
        Specified by:
        canEdit in interface DelAccessMgr
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • checkAccess

        public boolean checkAccess(Session session,
                                   Permission perm)
                            throws SecurityException
        Perform user RBAC authorization. This function returns a Boolean value indicating whether the subject of a given session is allowed to perform a given operation on a given object. The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The session's subject has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation verifies that the roles (or the userId) corresponding to the subject's active roles are registered in the object's access control list.
        Specified by:
        checkAccess in interface AccessMgr
        Specified by:
        checkAccess in interface DelAccessMgr
        Overrides:
        checkAccess in class AccessMgrImpl
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        perm - must contain the object, Permission.objName, and operation, Permission.opName, of permission User is trying to access.
        Returns:
        True if user has access, false otherwise.
        Throws:
        SecurityException - in the event of data validation failure, security policy violation or DAO error.
      • addActiveRole

        public void addActiveRole(Session session,
                                  UserAdminRole role)
                           throws SecurityException
        This function adds an adminRole as an active role of a session whose owner is a given user.

        The function is valid if and only if:

        • the user is a member of the USERS data set
        • the role is a member of the ADMIN ROLES data set
        • the session is a valid Fortress session
        • the user is authorized to that admin role
        • the session is owned by that user.

        Specified by:
        addActiveRole in interface DelAccessMgr
        Parameters:
        session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
        role - object contains the adminRole name to be activated into session.
        Throws:
        SecurityException - is thrown if user is not allowed to activate or runtime error occurs with system.
      • dropActiveRole

        public void dropActiveRole(Session session,
                                   UserAdminRole role)
                            throws SecurityException
        This function deactivates adminRole from the active adminRole set of a session owned by a given user. The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session, the session is owned by the user, and the adminRole is an active adminRole of that session.
        Specified by:
        dropActiveRole in interface DelAccessMgr
        Parameters:
        session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
        role - object contains the adminRole name to be deactivated.
        Throws:
        SecurityException - is thrown if user is not allowed to deactivate or runtime error occurs with system.
      • sessionAdminRoles

        public List<UserAdminRole> sessionAdminRoles(Session session)
                                              throws SecurityException
        This function returns the active admin roles associated with a session. The function is valid if and only if the session is a valid Fortress session.
        Specified by:
        sessionAdminRoles in interface DelAccessMgr
        Parameters:
        session - object contains the user's returned ARBAC session from the createSession method.
        Returns:
        List<UserAdminRole> containing all adminRoles active in user's session. This will NOT contain inherited roles.
        Throws:
        SecurityException - is thrown if session invalid or system error.
      • authorizedAdminRoles

        public Set<String> authorizedAdminRoles(Session session)
                                         throws SecurityException
        This function returns the authorized admin roles associated with a session based on hierarchical relationships. The function is valid if and only if the session is a valid Fortress session.
        Specified by:
        authorizedAdminRoles in interface DelAccessMgr
        Parameters:
        session - object contains the user's returned ARBAC session from the createSession method.
        Returns:
        Set<String> containing all adminRoles authorized in user's session. This will contain inherited roles.
        Throws:
        SecurityException - is thrown if session invalid or system error.
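The session functions above (addActiveRole, dropActiveRole, sessionAdminRoles, authorizedAdminRoles) together with checkAccess form the runtime side of the class: activate an admin role for the duration of a task, make a decision, and deactivate it again. The following added example, which is not code from the Fortress project or its javadoc, walks that cycle and shows the difference the page states between sessionAdminRoles (active roles, no inheritance) and authorizedAdminRoles (authorized roles, inheritance included). It assumes AccessMgrFactory and DelAccessMgrFactory with a no-argument createInstance(), the constructors User(String), UserAdminRole(String, String) and Permission(String, String), and Session.getUserId(); all names are constructed for the demo and must be provisioned in the directory beforehand.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;

/** Added example (assumed class, not part of Fortress): least-privilege admin role activation. */
public final class AdminRoleSessionDemo {

    /**
     * Returns the admin roles the session is authorized for but does not currently
     * have active, i.e. the set a task may still activate. Inherited roles appear
     * only in authorizedAdminRoles, so they show up here as well.
     */
    public static Set<String> inactiveAuthorizedAdminRoles(DelAccessMgr delAccessMgr, Session session)
            throws SecurityException {
        Set<String> remaining = new HashSet<>(delAccessMgr.authorizedAdminRoles(session));
        List<UserAdminRole> active = delAccessMgr.sessionAdminRoles(session);
        for (UserAdminRole role : active) {
            remaining.remove(role.getName());
        }
        return remaining;
    }

    /**
     * Runs one delegated decision with a role activated only for the duration of the
     * check; the finally block guarantees the role is dropped again even on error.
     */
    public static boolean decideWithTemporaryAdminRole(DelAccessMgr delAccessMgr, Session session,
            String adminRoleName, Permission perm) throws SecurityException {
        UserAdminRole role = new UserAdminRole(session.getUserId(), adminRoleName);
        delAccessMgr.addActiveRole(session, role); // throws if user is not authorized for it
        try {
            return delAccessMgr.checkAccess(session, perm);
        } finally {
            delAccessMgr.dropActiveRole(session, role);
        }
    }

    public static void main(String[] args) throws SecurityException {
        // Factories and no-arg createInstance() are assumed, not shown on the javadoc page.
        AccessMgr accessMgr = AccessMgrFactory.createInstance();
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance();

        // Trusted session for a constructed administrator; only userId is required.
        Session session = accessMgr.createSession(new User("demoAdmin"), true);

        System.out.println("active now:   " + delAccessMgr.sessionAdminRoles(session));
        System.out.println("authorized:   " + delAccessMgr.authorizedAdminRoles(session));
        System.out.println("could activate: " + inactiveAuthorizedAdminRoles(delAccessMgr, session));

        // Constructed admin role and permission names for the demo.
        Permission perm = new Permission("demoObject", "read");
        boolean allowed = decideWithTemporaryAdminRole(delAccessMgr, session, "DemoAdminRole", perm);
        System.out.println("checkAccess with DemoAdminRole active: " + allowed);

        // After the finally block the role is no longer active, so the same check
        // reflects only the roles that were active at session creation.
        System.out.println("checkAccess after drop: " + delAccessMgr.checkAccess(session, perm));
    }
}
```

Activating an admin role only around the operation that needs it keeps the active set, and therefore what checkAccess will grant, as small as possible for the lifetime of the session; the class note that the instance is not thread safe once contextId or adminSess are set is why the demo keeps one instance per caller rather than sharing it.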