4.25 - Create a Dynamic Separation of Duty (DSD) Set

SDSet createDsdSet(SDSet dsdSet) throws SecurityException

This command creates a named Dynamic Separation of Duty (DSD) set of roles and sets the cardinality n of its subsets that cannot have common users.

The command is valid if and only if:

  • The name of the DSD set is not already in use.
  • All the roles in the DSD set are members of the ROLES data set.
  • n is a natural number greater than or equal to 2 and less than or equal to the cardinality of the DSD role set.
  • The DSD constraint for the new role set is satisfied.

This method:

  • Adds new DSD set.
  • Affects (runtime) role activations.

required parameters:

  • SDSet#name - contains the name to use for the Set to be created.
  • Type of SD Set - ‘DYNAMIC’ (automatically set via this method).

optional parameters:

  • SDSet#members - multivalued attribute contains the RBAC Role names to be added to this set.
  • SDSet#cardinality - default is 2 which is one more than max number of Roles that may be activated by a User from a particular set.
  • SDSet#description - contains any safe text.


  • SecurityException - thrown in the event of data validation or system error.


import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.SecurityException;

public static void testCreateDsdSet()
    String szLocation = ".testCreateDsdSet";
        AdminMgr adminMgr = AdminMgrFactory.createInstance();
        SDSet inDsdSet = new SDSet();
        inDsdSet.setName( "myDsdSetName" );
        inDsdSet.setDescription( "Test dynamic separation of duty set" );
        // Use existing role names:
        inDsdSet.addMember( "role3" );
        inDsdSet.addMember( "role4" );
        // Users may only only activate (into RBAC session) one of the roles in this set:
        inDsdSet.setCardinality( 2 );
        SDSet outDsdSet = am.createDsdSet( inDsdSet );
    catch (SecurityException ex)
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);