Class Permission

  • All Implemented Interfaces:
    Serializable
    Direct Known Subclasses:
    PermAnt

    public class Permission
    extends FortEntity
    implements Serializable
    All entities (User, Role, Permission, PwPolicy, SDSet, etc.) are used to carry data between three Fortress layers, starting with the (1) Manager layer, down through the middle (2) Process layer and its processing rules, into the (3) DAO layer where persistence with the LDAP server occurs.

    Fortress Processing Layers

    1. Manager layer: AdminMgrImpl, AccessMgrImpl, ReviewMgrImpl,...
    2. Process layer: org.apache.directory.fortress.core.impl.UserP, org.apache.directory.fortress.core.impl.RoleP, org.apache.directory.fortress.core.impl.PermP,...
    3. DAO layer: org.apache.directory.fortress.core.impl.UserDAO, org.apache.directory.fortress.core.impl.RoleDAO, org.apache.directory.fortress.core.impl.PermDAO,...
    Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs. The caller must provide enough information to uniquely identify the entity target within LDAP.
    For example, this entity requires the setObjName(java.lang.String) and setOpName(java.lang.String) attributes to be set before it is passed into the AccessMgrImpl APIs. Create methods usually require more attributes than Read methods because of the constraints enforced between entities.

    Permission entity attribute usages include

    More Permission entity notes

    • The unique key to locate a Permission entity (which is required for all authZ requests) is objName and opName.
    • The Permission entity is used to target function points within computer programs needing authorization. This permission model allows a one-to-many relationship between the objects PermObj and operations Permission.

    • The object to operation pairings enable application resources to be mapped to Fortress permissions in a way that is natural for object oriented programming.
    • Permissions = Object PermObj 1-* Operations Permission
    • Permissions in Fortress may also be assigned directly to users.
    • Objects objName, Operations opName, Roles roles, Users users are not case sensitive for reads or searches.

    The application entity that requires authorization will be mapped to the PermObj entity and the application's methods or operation names will be mapped to Permission entities. For example, the application entity 'ShoppingCart' has 5 operations - 'create', 'read', 'update', 'delete' and 'checkout'. The following code will create the permissions and perform the necessary grants.

     try
     {
      // Instantiate the AdminMgr first
      AdminMgr adminMgr = AdminMgrFactory.createInstance();
    
      // Now Instantiate the Object
      PermObj shoppingCart = new PermObj("ShoppingCart", "KillerBikes.com");
    
      // Add it to the directory
      adminMgr.addPermObj(shoppingCart);
    
      // Now create the permission operations and grant to applicable roles:
      Permission create = new Permission(shoppingCart.getObjName(), "create");
      adminMgr.addPermission(create);
      adminMgr.grantPermission(create, new Role("Customer"));
    
      Permission read = new Permission(shoppingCart.getObjName(), "read");
      adminMgr.addPermission(read);
      adminMgr.grantPermission(read, new Role("Customer"));
    
      Permission update = new Permission(shoppingCart.getObjName(), "update");
      adminMgr.addPermission(update);
      adminMgr.grantPermission(update, new Role("Admin"));
    
      Permission delete = new Permission(shoppingCart.getObjName(), "delete");
      adminMgr.addPermission(delete);
      adminMgr.grantPermission(delete, new Role("Manager"));
    
      Permission checkout = new Permission(shoppingCart.getObjName(), "checkout");
      adminMgr.addPermission(checkout);
      // Grant the checkout operation (not delete) to Customer, as described in the notes below
      adminMgr.grantPermission(checkout, new Role("Customer"));
     }
     catch (SecurityException ex)
     {
      // log or throw
     }
     

    Notes on the shopping cart example

    • Users that activate the 'Manager' role into their Sessions will be allowed access to the 'ShoppingCart.delete' permission.
    • Users that activate the 'Admin' role may perform 'ShoppingCart.update'.
    • Users with the 'Customer' role may perform 'ShoppingCart.create', 'ShoppingCart.read' and 'ShoppingCart.checkout'.
    • Roles must exist in ldap before assignment here, see javadoc Role for details.
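The enforcement side of the shopping cart example, as an added illustration that is not part of the Fortress javadoc: a session is created for a user and each ShoppingCart operation is checked with the (objName, opName) key through the AccessMgr APIs named in the schema notes. Package names assume Fortress core 2.x; the user id "wshopper" is a constructed value for a directory user holding the Customer role, and the session is created in trusted mode, which assumes the caller authenticated the user elsewhere.

```java
// Added example (not part of the Fortress javadoc): enforce the ShoppingCart permissions
// at run time. Package names assume Fortress core 2.x; "wshopper" is a constructed user id
// for a user that exists in the directory and holds the Customer role.
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;

public class ShoppingCartAuthz
{
    // objName is the first half of the unique key (objName + opName) used by every authZ request.
    private static final String OBJ_NAME = "ShoppingCart";

    private final AccessMgr accessMgr;

    public ShoppingCartAuthz() throws SecurityException
    {
        this.accessMgr = AccessMgrFactory.createInstance();
    }

    /**
     * Create an RBAC session for a user. The trusted flag (true here) tells Fortress the
     * caller has already authenticated the user elsewhere, so only role activation is done;
     * pass false and a populated password to have Fortress authenticate against LDAP instead.
     */
    public Session startSession( String userId ) throws SecurityException
    {
        return accessMgr.createSession( new User( userId ), true );
    }

    /**
     * Fail-closed check: any SecurityException (unknown permission, expired session, LDAP
     * failure) is treated as a denial instead of propagating as an open door.
     */
    public boolean isAllowed( Session session, String opName )
    {
        try
        {
            // Only objName and opName are needed to target the ftOperation entry.
            return accessMgr.checkAccess( session, new Permission( OBJ_NAME, opName ) );
        }
        catch ( SecurityException ex )
        {
            System.err.println( "authZ check failed for " + OBJ_NAME + "." + opName + ": " + ex.getMessage() );
            return false;
        }
    }

    /**
     * Abstract names (objName.opName) of every permission reachable through the session's
     * activated roles; useful for logging what a session can actually do.
     */
    public List<String> grantedPermissions( Session session ) throws SecurityException
    {
        List<String> names = new ArrayList<>();
        for ( Permission perm : accessMgr.sessionPermissions( session ) )
        {
            names.add( perm.getAbstractName() );
        }
        return names;
    }

    public static void main( String[] args ) throws SecurityException
    {
        ShoppingCartAuthz authz = new ShoppingCartAuthz();
        Session session = authz.startSession( "wshopper" ); // constructed user id

        // With the grants described in the notes, a Customer-only session should get
        // create/read/checkout allowed and update/delete denied.
        for ( String op : new String[] { "create", "read", "update", "delete", "checkout" } )
        {
            System.out.println( OBJ_NAME + "." + op + " -> " + ( authz.isAllowed( session, op ) ? "ALLOW" : "DENY" ) );
        }
        System.out.println( "granted: " + authz.grantedPermissions( session ) );
    }
}
```

Treating a failed check as a denial is the important design choice: a lookup for a permission that was never created (a typo in opName, or a deployment where addPermission was skipped) must not be mistaken for an allow.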

    Permission Schema

    This Permission entity extends a single standard ldap structural object class, organizationalRole with one extension structural class, ftOperation, and two auxiliary object classes, ftProperties, ftMods. The following 3 LDAP object classes will be mapped into this entity:

    1. ftOperation STRUCTURAL Object Class is assigned roles and/or users, which grants permissions that can later be checked using either the 'checkAccess' or 'sessionPermissions' APIs, both methods residing in the 'AccessMgrImpl' class.

     ------------------------------------------
     Fortress Operation Structural Object Class
     objectclass    ( 1.3.6.1.4.1.38088.2.3
      NAME 'ftOperation'
      DESC 'Fortress Permission Operation Structural Object Class'
      SUP organizationalrole
      STRUCTURAL
      MUST (
          ftId $
          ftPermName $
          ftObjNm $
          ftOpNm
      )
      MAY (
          ftObjId $
          ftRoles $
          ftUsers $
          ftType
      )
     )
     ------------------------------------------
     
    2. ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on the target entity.
    # This aux object class can be used to store custom attributes.
    # The properties collections consist of name/value pairs and are not constrained by Fortress.
     ------------------------------------------
     AC2: Fortress Properties Auxiliary Object Class
     objectclass ( 1.3.6.1.4.1.38088.3.2
      NAME 'ftProperties'
      DESC 'Fortress Properties AUX Object Class'
      AUXILIARY
      MAY (
          ftProps
      )
     )
     ------------------------------------------
     
    3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on the target entity.
     ------------------------------------------
     Fortress Audit Modification Auxiliary Object Class
     objectclass ( 1.3.6.1.4.1.38088.3.4
      NAME 'ftMods'
      DESC 'Fortress Modifiers AUX Object Class'
      AUXILIARY
      MAY (
          ftModifier $
          ftModCode $
          ftModId
      )
     )
     ------------------------------------------
     
    Author:
    Apache Directory Project
    See Also:
    Serialized Form
    • Constructor Detail

      • Permission

        public Permission​(String objName,
                          String opName)
        This constructor is commonly used to create Permission that is a target for authorization API.
        Parameters:
        objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
        opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
      • Permission

        public Permission()
        Default constructor is used by internal Fortress classes and not intended for external use.
      • Permission

        public Permission​(String objName)
        Constructor is used for APIs that do not require opName for example ARBAC canGrant/canRevoke.
        Parameters:
        objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
      • Permission

        public Permission​(String objName,
                          String opName,
                          String objId)
        This constructor adds the objId which is used for creating Permissions that have an identity.
        Parameters:
        objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
        opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
        objId - maps to 'ftObjId' attribute in 'ftOperation' object class.
      • Permission

        public Permission​(String objName,
                          String opName,
                          boolean admin)
        This constructor adds the admin flag which is used to process as Administrative permission.
        Parameters:
        objName - maps to 'ftObjNm' attribute in 'ftOperation' object class.
        opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
        admin - attribute is used to specify the Permission is to be stored and processed in the Administrative RBAC data sets.
    • Method Detail

      • isAdmin

        public boolean isAdmin()
        Determine if this Permission is for RBAC or ARBAC processing.
        Returns:
        'true' indicates administrative permission.
      • setAdmin

        public void setAdmin​(boolean admin)
        Set will determine if this Permission is for RBAC or ARBAC processing.
        Parameters:
        admin - 'true' if this is an ARBAC (administrative) permission.
      • setInternalId

        public void setInternalId()
        This attribute is required but is set automatically by Fortress DAO class before object is persisted to ldap. This generated internal id is associated with Permission. This method is used by DAO class and is not available to outside classes. The generated attribute maps to 'ftId' in 'ftOperation' object class.
      • setInternalId

        public void setInternalId​(String internalId)
        Set the internal id that is associated with Permission. This method is used by DAO class and is generated automatically by Fortress. Attribute stored in LDAP cannot be changed by external caller. This method can be used by client for search purposes only.
        Parameters:
        internalId - maps to 'ftId' in 'ftObject' object class.
      • getInternalId

        public String getInternalId()
        Return the internal id that is associated with Permission. This attribute is generated automatically by Fortress when new PermObj is added to directory and is not known or changeable by external client.
        Returns:
        attribute maps to 'ftId' in 'ftOperation' object class.
      • getOpName

        public String getOpName()
        Get the Permission operation name. This is used to specify method name - i.e. Create, Read, Update, Delete, ...
        Returns:
        opName maps to 'ftOpNm' attribute in 'ftOperation' object class.
      • setOpName

        public void setOpName​(String opName)
        Set the Permission operation name. This is used to specify method name - i.e. Create, Read, Update, Delete, ...
        Parameters:
        opName - maps to 'ftOpNm' attribute in 'ftOperation' object class.
      • getObjName

        public String getObjName()
        Get the authorization target's object name. This is typically mapped to the class name for component that is the target for Fortress authorization check. For example 'PatientRelationshipInquire'.
        Returns:
        the name of the object which maps to 'ftObjNm' attribute in 'ftOperation' object class.
      • setObjName

        public void setObjName​(String objName)
        This attribute is required and sets the authorization target object name. This name is typically derived from the class name for component that is the target for Fortress authorization check. For example 'CustomerCheckOutPage'.
        Parameters:
        objName - The target object name
      • getAbstractName

        public String getAbstractName()
        Return the Permission's abstract name which is the value of objName concatenated with OpName, i.e. 'Patient.checkin' This value is automatically generated by the Fortress DAO class.
        Returns:
        abstractName maps to 'ftPermName' attribute in 'ftOperation' object class.
      • setAbstractName

        public void setAbstractName​(String abstractName)
        Set the Permission's abstract name which is the value of objName concatenated with OpName, i.e. 'Patient.checkin' This value is automatically generated by the Fortress DAO class and value will be ignored if set by external client.
        Parameters:
        abstractName - maps to 'ftPermName' attribute in 'ftOperation' object class.
      • getType

        public String getType()
        Get the optional type name which is an unconstrained attribute on Permission entity.
        Returns:
        type maps to 'ftType' attribute in 'ftOperation' object class.
      • setType

        public void setType​(String type)
        Set the optional type name which is an unconstrained attribute on Permission entity.
        Parameters:
        type - maps to 'ftType' attribute in 'ftOperation' object class.
      • getObjId

        public String getObjId()
        Get optional objId attribute which can be used to tag a Permission object with an identity, i.e. objName='Customer', objId='12345'. This value is not constrained by any other object.
        Returns:
        maps to 'ftObjectId' attribute in 'ftOperation' object class.
      • setObjId

        public void setObjId​(String objId)
        Set optional objId which can be used to tag a Permission object with an identity, i.e. objName='Account', objId='09876543'. This value is not constrained by any other object.
        Parameters:
        objId - maps to 'ftObjectId' attribute in 'ftOperation' object class.
      • setRole

        public void setRole​(String role)
        Add a Role name to list of Roles that are valid for this Permission. This is optional attribute.
        Parameters:
        role - maps to 'ftRoles' attribute in 'ftOperation' object class.
      • delRole

        public void delRole​(String role)
        Delete a Role name from list of Roles that are valid for this Permission.
        Parameters:
        role - maps to 'ftRoles' attribute in 'ftOperation' object class.
      • getRoles

        public Set<String> getRoles()
        Return the collection of optional Roles that have been loaded into this entity. This is stored as a multi-occurring attribute of Role names on the 'ftOperation' object class.
        Returns:
        Set containing the roles which maps to 'ftRoles' attribute in 'ftOperation' object class.
      • setRoles

        public void setRoles​(Set<String> roles)
        Set the collection of optional Roles that have been loaded into this entity. This is stored as a multi-occurring attribute of Role names on the 'ftOperation' object class.
        Parameters:
        roles - maps to 'ftRoles' attribute in 'ftOperation' object class.
      • setUser

        public void setUser​(String user)
        Add a UserId to list of Users that are valid for this Permission. This is optional attribute.
        Parameters:
        user - maps to 'ftUsers' attribute in 'ftOperation' object class.
      • getUsers

        public Set<String> getUsers()
        Return the collection of optional Users that have been loaded into this entity. This is stored as a multi-occurring attribute of ftUsers on the 'ftOperation' object class.
        Returns:
        Set containing the Users which maps to 'ftUsers' attribute in 'ftOperation' object class.
      • setUsers

        public void setUsers​(Set<String> users)
        Set the collection of optional Users that have been loaded into this entity. This is stored as a multi-occurring attribute of userIds on the 'ftOperation' object class.
        Parameters:
        users - maps to 'ftUsers' attribute in 'ftOperation' object class.
      • getDn

        public String getDn()
      • setDn

        public void setDn​(String dn)
      • getDescription

        public String getDescription()
        Return the description field on this entity. The description is often used as a human readable label for the permission.
        Returns:
        String containing the description.
      • setDescription

        public void setDescription​(String description)
        Set the optional description field on this entity. The description is used as a human readable label for the permission.
        Parameters:
        description - String contains the description.
      • getProps

        public Props getProps()
        Gets the value of the Props property. This method is used by Fortress Core and Rest and should not be called by external programs.
        Returns:
        possible object is Props
      • setProps

        public void setProps​(Props value)
        Sets the value of the Props property. This method is used by Fortress Core and Rest and should not be called by external programs.
        Parameters:
        value - allowed object is Props
      • addProperty

        public void addProperty​(String key,
                                String value)
        Add name/value pair to list of properties associated with Permission. These values are not constrained by Fortress. Properties are optional.
        Parameters:
        key - contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
        value - The property value
      • getProperty

        public String getProperty​(String key)
        Get a name/value pair attribute from list of properties associated with Permission. These values are not constrained by Fortress. Properties are optional.
        Parameters:
        key - contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
        Returns:
        value containing name/value pair that maps to 'ftProps' attribute in 'ftProperties' aux object class.
      • addProperties

        public void addProperties​(Properties props)
        Add new collection of name/value pairs to attributes associated with Permission. These values are not constrained by Fortress. Properties are optional.
        Parameters:
        props - contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
      • getProperties

        public Properties getProperties()
        Return the collection of name/value pairs to attributes associated with Permission. These values are not constrained by Fortress. Properties are optional.
        Returns:
        Properties contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
      • equals

        public boolean equals​(Object o)
        Matches the objName, opName and objId from two Permission entities.
        Overrides:
        equals in class Object
        Parameters:
        o - contains a Permission entity.
        Returns:
        boolean indicating both Permissions contain matching objName and opName attributes.
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object
      • setPaSets

        public void setPaSets​(Set<String> paSets)
      • setPaSetName

        public void setPaSetName​(String paSet)
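A review-side example, added here and not part of the Fortress javadoc, that exercises the accessors documented above: a stored Permission is read back through ReviewMgr using only its (objName, opName) key, the DAO-generated abstractName and internalId are shown, the ftRoles and ftUsers sets are compared against what the shopping cart example intended, and a free-form property is added through addProperty and persisted with AdminMgr.updatePermission. Package names assume Fortress core 2.x; the expected role set and the "owner" property are constructed values.

```java
// Added example (not part of the Fortress javadoc): read a stored Permission back, inspect
// the attributes the DAO populated, and compare its grants with the intended ones. Package
// names assume Fortress core 2.x; the expected role set and "owner" property are constructed.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.ReviewMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;

public class PermissionGrantReview
{
    /** Lower-case copy of a name set (null-safe), since role and user names are matched case-insensitively. */
    static Set<String> normalize( Set<String> names )
    {
        Set<String> out = new HashSet<>();
        if ( names != null )
        {
            for ( String n : names )
            {
                out.add( n.toLowerCase() );
            }
        }
        return out;
    }

    /**
     * Returns true when the stored ftRoles exactly match the expected roles and no user holds
     * the permission directly (ftUsers empty); anything else is printed and reported as drift.
     */
    static boolean matchesExpected( Permission stored, Set<String> expectedRoles )
    {
        boolean ok = true;
        Set<String> roles = normalize( stored.getRoles() );
        Set<String> expected = normalize( expectedRoles );
        for ( String r : roles )
        {
            if ( !expected.contains( r ) )
            {
                System.out.println( "unexpected role grant on " + stored.getAbstractName() + ": " + r );
                ok = false;
            }
        }
        for ( String r : expected )
        {
            if ( !roles.contains( r ) )
            {
                System.out.println( "missing role grant on " + stored.getAbstractName() + ": " + r );
                ok = false;
            }
        }
        // Direct user grants are legal in Fortress but sidestep role-based review, so flag them.
        for ( String u : normalize( stored.getUsers() ) )
        {
            System.out.println( "direct user grant on " + stored.getAbstractName() + ": " + u );
            ok = false;
        }
        return ok;
    }

    public static void main( String[] args ) throws SecurityException
    {
        ReviewMgr reviewMgr = ReviewMgrFactory.createInstance();
        AdminMgr adminMgr = AdminMgrFactory.createInstance();

        // The lookup key is objName + opName; the returned entity carries what the DAO stored:
        // ftId, ftPermName, ftRoles, ftUsers and any ftProps.
        Permission checkout = reviewMgr.readPermission( new Permission( "ShoppingCart", "checkout" ) );
        System.out.println( "abstract name : " + checkout.getAbstractName() ); // ftPermName
        System.out.println( "internal id   : " + checkout.getInternalId() );   // ftId, DAO-generated

        Set<String> expectedRoles = new HashSet<>( Arrays.asList( "Customer" ) ); // constructed
        System.out.println( "grants as intended: " + matchesExpected( checkout, expectedRoles ) );

        // Properties are free-form name/value pairs (ftProperties aux class); here one records
        // which team owns the function point, then the entity is written back and re-read.
        checkout.addProperty( "owner", "cart-team" );
        adminMgr.updatePermission( checkout );
        Permission reread = reviewMgr.readPermission( new Permission( "ShoppingCart", "checkout" ) );
        System.out.println( "owner property: " + reread.getProperty( "owner" ) );
    }
}
```

The comparison normalises case on both sides because, as the entity notes state, role and user names are not case sensitive for reads or searches, so a grant stored as "customer" must not be reported as drift against an expected "Customer".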