Interface DelAccessMgr

  • All Superinterfaces:
    Manageable
    All Known Implementing Classes:
    DelAccessMgrImpl, DelAccessMgrRestImpl

    public interface DelAccessMgr
    extends Manageable
    This interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress ARBAC entities that reside in LDAP directory. These APIs map directly to similar named APIs specified by ARBAC02 functions. The ARBAC Functional specification describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations. Delegated administrative review functions for performing administrative queries and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.

    Administrative Role Based Access Control (ARBAC)

    Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group. Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.

    This interface's implementer will NOT be thread safe if parent instance variables (Manageable.setContextId(String) or Manageable.setAdmin(org.apache.directory.fortress.core.model.Session)) are set.

    Author:
    Apache Directory Project
    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      void addActiveRole​(Session session, UserAdminRole role)
      This function adds an adminRole as an active role of a session whose owner is a given user.
      Set<String> authorizedAdminRoles​(Session session)
      This function returns the authorized admin roles associated with a session based on hierarchical relationships.
      boolean canAdd​(Session session, User user)
      This function will determine if the user contains an AdminRole that is authorized to add a new User.
      boolean canAssign​(Session session, User user, Role role)
      This function will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA).
      boolean canDeassign​(Session session, User user, Role role)
      This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA).
      boolean canEdit​(Session session, User user)
      This function will determine if the user contains an AdminRole that is authorized update/delete control over User.
      boolean canGrant​(Session session, Role role, Permission perm)
      This function will determine if the user contains an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA).
      boolean canRevoke​(Session session, Role role, Permission perm)
      This function will determine if the user contains an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA).
      boolean checkAccess​(Session session, Permission perm)
      This function returns a Boolean value meaning whether the subject of a given session is allowed or not to perform a given operation on a given object.
      void dropActiveRole​(Session session, UserAdminRole role)
      This function deactivates adminRole from the active adminRole set of a session owned by a given user.
      List<UserAdminRole> sessionAdminRoles​(Session session)
      This function returns the active admin roles associated with a session.
      List<Permission> sessionPermissions​(Session session)
      This function returns the ARBAC (administrative) permissions of the session, i.e., the permissions assigned to its authorized admin roles.
    • Method Detail

      • canAssign

        boolean canAssign​(Session session,
                          User user,
                          Role role)
                   throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-assign URA.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canDeassign

        boolean canDeassign​(Session session,
                            User user,
                            Role role)
                     throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-revoke URA.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canGrant

        boolean canGrant​(Session session,
                         Role role,
                         Permission perm)
                  throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized assignment control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-assign-p PRA.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by client after returned from createSession.
        perm - Instantiated Permission entity requires valid object name and operation name attributes set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid perm or role name) or system error.
      • canRevoke

        boolean canRevoke​(Session session,
                          Role role,
                          Permission perm)
                   throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized revoke control over Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by client after returned from createSession.
        perm - Instantiated Permission entity requires valid object name and operation name attributes set.
        role - Instantiated Role entity requires only valid role name attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid perm or role name) or system error.
      • canAdd

        boolean canAdd​(Session session,
                       User user)
                throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized to add a new User.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • canEdit

        boolean canEdit​(Session session,
                        User user)
                 throws SecurityException
        This function will determine if the user contains an AdminRole that is authorized update/delete control over User.
        Parameters:
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) before passing into the method. No variables need to be set by client after returned from createSession.
        user - Instantiated User entity requires only valid userId attribute set.
        Returns:
        boolean value true indicates access allowed.
        Throws:
        SecurityException - In the event of data validation error (i.e. invalid userId or role name) or system error.
      • checkAccess

        boolean checkAccess​(Session session,
                            Permission perm)
                     throws SecurityException
        This function returns a Boolean value meaning whether the subject of a given session is allowed or not to perform a given operation on a given object. The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set, and the operation is a member of the OPS data set. The session's subject has the permission to perform the operation on that object if and only if that permission is assigned to (at least) one of the session's active roles. This implementation will verify the roles or userId correspond to the subject's active roles are registered in the object's access control list.
        Parameters:
        perm - object contains obj attribute which is a String and contains the name of the object user is trying to access; perm object contains operation attribute which is also a String and contains the operation name for the object.
        session - This object must be instantiated by calling AccessMgr.createSession(org.apache.directory.fortress.core.model.User, boolean) method before passing into the method. No variables need to be set by client after returned from createSession.
        Returns:
        True of user has access, false otherwise.
        Throws:
        SecurityException - is thrown if runtime error occurs with system.
      • addActiveRole

        void addActiveRole​(Session session,
                           UserAdminRole role)
                    throws SecurityException
        This function adds an adminRole as an active role of a session whose owner is a given user.

        The function is valid if and only if:

        • the user is a member of the USERS data set
        • the role is a member of the ADMIN ROLES data set
        • the session is a valid Fortress session
        • the user is authorized to that admin role
        • the session is owned by that user.

        Parameters:
        session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
        role - object contains the adminRole name to be activated into session.
        Throws:
        SecurityException - is thrown if user is not allowed to activate or runtime error occurs with system.
      • dropActiveRole

        void dropActiveRole​(Session session,
                            UserAdminRole role)
                     throws SecurityException
        This function deactivates adminRole from the active adminRole set of a session owned by a given user. The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session, the session is owned by the user, and the adminRole is an active adminRole of that session.
        Parameters:
        session - object contains the user's returned RBAC and ARBAC sessions from the createSession method.
        role - object contains the adminRole name to be deactivated.
        Throws:
        SecurityException - is thrown if user is not allowed to deactivate or runtime error occurs with system.
      • sessionAdminRoles

        List<UserAdminRole> sessionAdminRoles​(Session session)
                                       throws SecurityException
        This function returns the active admin roles associated with a session. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - object contains the user's returned ARBAC session from the createSession method.
        Returns:
        List<UserAdminRole> containing all adminRoles active in user's session. This will NOT contain inherited roles.
        Throws:
        SecurityException - is thrown if session invalid or system. error.
      • authorizedAdminRoles

        Set<String> authorizedAdminRoles​(Session session)
                                  throws SecurityException
        This function returns the authorized admin roles associated with a session based on hierarchical relationships. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - object contains the user's returned ARBAC session from the createSession method.
        Returns:
        Set<String> containing all adminRoles authorized in user's session. This will contain inherited roles.
        Throws:
        SecurityException - is thrown if session invalid or system. error.
      • sessionPermissions

        List<Permission> sessionPermissions​(Session session)
                                     throws SecurityException
        This function returns the ARBAC (administrative) permissions of the session, i.e., the permissions assigned to its authorized admin roles. The function is valid if and only if the session is a valid Fortress session.
        Parameters:
        session - object contains the user's returned ARBAC session from the createSession method.
        Returns:
        List<Permission> containing admin permissions (op, obj) active for user's session.
        Throws:
        SecurityException - in the event runtime error occurs with system.