Interface IAccessService

All Superinterfaces:
IComponent, IInitializable, IMetaComponent

public interface IAccessService extends IMetaComponent
SkiLift. Copyright (c) 2000 webMethods, Inc.

The Access Service controls storage and evaluation of rights on things for each user. It maintains an Access Control List (ACL) for each thing; the list consists of Access Control Entries (ACEs).

There are two basic models, Permissive and Restrictive. The main difference is how group membership is evaluated. The model can be changed and extended; for details of how ACLs are evaluated, refer to the SDK. The model is set in the system registry, and it is recommended that this is done as soon after installation as possible.

Models are defined in IAccessModel. Default rights are defined in IAccessRight; you can define your own rights.
  • Field Details

    • MODEL_UNSET

      static final int MODEL_UNSET
      Initial state; access checks will fail until a model is set.
    • MODEL_PERMISSIVE

      static final int MODEL_PERMISSIVE
      Permissive model: group deny entries are ignored.
    • MODEL_RESTRICTIVE

      static final int MODEL_RESTRICTIVE
      Restrictive model: a group deny is evaluated over (takes precedence over) a group grant.
  • Method Details

    • setAccessModel

      void setAccessModel(int model) throws MetaException
      Set the access control model (usually permissive or restrictive).
      Parameters:
      model - IAccessRight constant
      Throws:
      MetaException - if invalid model ID
    • getAccessModel

      int getAccessModel() throws MetaException
      Get the access control model. Mainly used for verification in tests; the model should be set at startup.
      Returns:
      Access model ID
      Throws:
      MetaException - if invalid model ID
    • getAllRights

      IRightSet getAllRights()
      Returns:
      the full bitset of all rights (usually IAccessRight.ALL unless more rights have been added)
    • getAccess

      IRightSet getAccess(IThingID thingID, IThingID userID, IRightSet rightSet) throws MetaException
      Evaluates the user's rights on a thing.
      Parameters:
      thingID - thing to check
      userID - user context
      rightSet - rights to check
      Returns:
      bitset of the user's allowed rights for a given thing.
      Throws:
      MetaException - on DB error or no model set
    • getDelegatable

      IRightSet getDelegatable(IThingID thingID, IThingID userID, IRightSet rightSet) throws MetaException
      Evaluates which rights a user can delegate on this thing.
      Parameters:
      thingID - thing to check
      userID - user context
      rightSet - rights to check
      Returns:
      bitset of the user's delegatable rights for a given thing.
      Throws:
      MetaException - on DB error or no model set
    • checkAccess

      boolean checkAccess(IThingID thingID, IThingID userID, IRightSet rightSet) throws MetaException
      Check that a user is granted all of the rights in rightSet.
      Parameters:
      thingID - thing to check
      userID - user context
      rightSet - rights to check
      Returns:
      true if the user holds all of the rights in rightSet
      Throws:
      MetaException - on DB error or no model set
    • filterList

      boolean[] filterList(IThingIDList thingIDs, IThingID userID, IRightSet rightSet) throws MetaException
      Filter a list of thing IDs for a set of rights.
      Parameters:
      thingIDs - array of thingIDs, ignores 0
      userID - user context
      rightSet - bitset of rights to check
      Returns:
      boolean array corresponding to the input array; an entry is true if access is granted for all of the given rights
      Throws:
      MetaException - on DB error
    • getAccessList

      IRightSet[] getAccessList(IThingIDList thingIDs, IThingID userID) throws MetaException
      Retrieve the rights that a user has on the list of thingIDs.
      Parameters:
      thingIDs - array of thingIDs, ignores 0
      userID - user context
      Returns:
      array corresponding to the input array, holding the user's rights for each thingID
      Throws:
      MetaException - on DB error
    • setAces

      void setAces(IThingID thingID, Collection<IAce> aces, boolean fRecursive) throws MetaException
      Set the passed-in Collection of ACEs on a thing. ACEs that already exist are not affected unless the principal they apply to is the same as that of one of the passed-in ACEs.
      Parameters:
      thingID - The ID of a thing
      aces - A Collection where the members are IAces
      fRecursive - also applies the ACEs to the children of thingID if it is a container
      Throws:
      MetaException - on DB error
    • removeAces

      void removeAces(IThingID thingID, Collection<IAce> aces, boolean fRecursive) throws MetaException
      Remove the passed-in Collection of ACEs from a thing.
      Parameters:
      thingID - The ID of a thing
      aces - A Collection where the members are IAces
      fRecursive - also removes the ACEs from the children of thingID if it is a container
      Throws:
      MetaException - on DB error
    • setSecurityRealm

      void setSecurityRealm(IThingID itemID, IThingID policyObjectID, boolean fRecursive) throws MetaException
      Assigns a policy object to the given item. Once assigned, the policy object controls the right set for the item (any ACEs are ignored).
      Parameters:
      itemID - item to assign policy on
      policyObjectID - ID of the actual policy object
      fRecursive - whether to assign this object recursively
      Throws:
      MetaException
    • setSecurityRealm

      void setSecurityRealm(IThingID itemID, IThingID policyObjectID, boolean fRecursive, boolean disableOverwrite) throws MetaException
      Assigns a policy object to the given item. Once assigned, the policy object controls the right set for the item (any ACEs are ignored).
      Parameters:
      itemID - item to assign policy on
      policyObjectID - ID of the actual policy object
      fRecursive - whether to assign this object recursively
      disableOverwrite - disable overwrite of policy selections
      Throws:
      MetaException
    • removeSecurityRealm

      void removeSecurityRealm(IThingID itemID, boolean fRecursive) throws MetaException
      Unsets the policy object from the given item. Once unset, the right set is controlled by the item's ACE list again.
      Parameters:
      itemID - item to remove policy object from
      fRecursive - whether to remove it recursively
      Throws:
      MetaException
    • getSecurityRealm

      IThingID getSecurityRealm(IThingID itemID) throws MetaException
      Returns the policy ID. May return null if no policy is set on the item.
      Parameters:
      itemID - item thing ID
      Returns:
      thing ID of the policy object, or null if none is set
      Throws:
      MetaException
    • listSecurityRealmObjects

      IThingIDList listSecurityRealmObjects(IThingID securityRealmID) throws MetaException
      Returns the list of object IDs which have been assigned to this security realm. May return an empty list.
      Parameters:
      securityRealmID - thing ID of the security realm
      Returns:
      list of thing IDs assigned to the security realm (possibly empty)
      Throws:
      MetaException
    • getAcl

      HashMap<IThingID,IAce> getAcl(IThingID thingID) throws MetaException
      Get the ACL for a thing. An ACL is simply a set of access control entries (ACEs). This function is useful for looking up ACEs by principal.
      Parameters:
      thingID - The ID of a thing.
      Returns:
      HashMap where the keys are the thing IDs of principals and the values are the corresponding IAces
      Throws:
      MetaException - If thingID not found or DB error
    • getAclView

      IAcl getAclView(IThingID thingID) throws MetaException
      Get the ACL for a thing as an ordered view, sorted by group, then user, then CN. Note that this method only returns user and group principals (non-user principals have no CN, so they cannot be sorted). Useful for display purposes.
      Parameters:
      thingID - ID of object
      Returns:
      IAcl object that is ordered by group, user then by name (just name, not first/last)
      Throws:
      MetaException - If thingID not valid or DB error
    • newAce

      IAce newAce(IThingID principalID, IRightSet grantedRights, IRightSet deniedRights, IRightSet exclusiveRights)
      Create a new IAce.
      Parameters:
      principalID - user or group thingID
      grantedRights - bitset of granted rights
      deniedRights - bitset of denied rights
      exclusiveRights - bitset of exclusive rights
      Returns:
      IAce object
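An added example (not part of the webMethods SDK or of this page) showing how a caller would use this interface fail-closed: refusing to start while the model is still MODEL_UNSET, treating a MetaException from checkAccess as a denial, authorizing a whole list in one filterList call, and installing an entry with newAce/setAces. The AccessGuard class and its method names are assumptions; IThingID, IThingIDList, IRightSet, IAce and the IAccessService methods are taken from the signatures above.

```java
import java.util.Collections;

// Hypothetical wrapper around IAccessService (not part of the SDK).
public final class AccessGuard {
    private final IAccessService access;

    public AccessGuard(IAccessService access) throws MetaException {
        this.access = access;
        // MODEL_UNSET is the initial state in which every access check fails;
        // refuse to start rather than run with an unconfigured model.
        if (access.getAccessModel() == IAccessService.MODEL_UNSET) {
            throw new IllegalStateException("access model not set; configure it in the system registry");
        }
    }

    /** Returns true only if the user holds every right in rightSet on the thing. */
    public boolean isAllowed(IThingID thingID, IThingID userID, IRightSet rightSet) {
        try {
            return access.checkAccess(thingID, userID, rightSet);
        } catch (MetaException e) {
            // DB error or no model set: fail closed, never open.
            return false;
        }
    }

    /** Throws SecurityException unless the user holds every right in rightSet. */
    public void require(IThingID thingID, IThingID userID, IRightSet rightSet) {
        if (!isAllowed(thingID, userID, rightSet)) {
            throw new SecurityException("access denied for user " + userID + " on " + thingID);
        }
    }

    /** One round trip for a whole list: flags[i] is true iff all rights are granted on thingIDs[i]. */
    public boolean[] allowedFlags(IThingIDList thingIDs, IThingID userID, IRightSet rightSet)
            throws MetaException {
        return access.filterList(thingIDs, userID, rightSet);
    }

    /** Installs one ACE for a principal; existing ACEs for other principals are left untouched. */
    public void setEntry(IThingID thingID, IThingID principalID, IRightSet granted,
                         IRightSet denied, IRightSet exclusive, boolean recursive) throws MetaException {
        IAce ace = access.newAce(principalID, granted, denied, exclusive);
        access.setAces(thingID, Collections.singletonList(ace), recursive);
    }
}
```

Under the restrictive model a denied right set in an entry installed this way overrides a grant the same principal receives through a group, which is why the denied set should be reviewed with the same care as the granted one.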