IAclSecurityManager

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

SAP NetWeaver 7.30 SP01 KMC

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.sap.netweaver.bc.rf.mi.security.acl

Interface IAclSecurityManager

All Superinterfaces:: ISecurityManager

public interface IAclSecurityManager
extends ISecurityManager
extends ISecurityManager

Interface describing an access control list security sub manager, short ACL security sub manager. Each resource may have an ACL with many ACL entries. An entry describes for one principal (may be a user, group or whatever is considered an entity) a permission this principal has on the given resource. The ACL itself is just an envelope for many ACL entries.

An ACL entry may define a permission this principal has on the given resource, but it may also define a permission a principal is denied to have (so called negative ACL entry).

ACLs are propagated down from above the resource hierarchy on the fly, i.e. they are not really set on the descendants but derived when accessed. All descendants not having an own ACL inherit one from their next legator having one. Legators are ancestors responsible for the security permissions of their descendants.

ACLs and ACL entries are factored by this security sub manager and thereby assigned to a resource handle (exactly one ACL per resource handle and null to more ACL entries per ACL).

Each resource handle has to be of a certain object type known by the ACL security sub manager and each object type has special supported permissions. Only supported permissions for a given resource handle can be set, others not. This helps identifying, e.g. in GUI, which permissions are allowed to be set and worked on.

Method Summary
`void`	`addSupportedPermission(IObjectType objectType, IAclPermission permission)` Register permission as supported permission for an object type.
`void`	`assignAcl(IResourceHandle resourceHandle, IAcl acl)` Assign an existent ACL, i.e. copy and assign it to a resource handle when the resource handle has no ACL and the current user in the resource context is an owner of the source ACL.
`IAcl`	`createAcl(IResourceHandle resourceHandle)` Create a new ACL for a resource handle when the resource handle has no ACL and the current user in the resource context is an owner of the inherited ACL.
`IAclEntry`	`createAclEntry(com.sap.security.api.IPrincipal principal, IAclPermission permission, boolean negative, boolean readonly, int sortIndex)` Create a new ACL entry to grant or deny a permission to a principal.
`IAclPermission`	`createPermission(String name)` Register permission with the given name generally for this ACL security sub manager.
`IAcl`	`getAcl(IResourceHandle resourceHandle)` Get ACL of a given resource handle.
`IAcl`	`getInheritedAcl(IResourceHandle resourceHandle)` Get ACL of a given resource handle or an inherited ACL if none is defined directly for the given resource handle.
`IObjectType`	`getObjectType(IResourceHandle resourceHandle)` Get object type this ACL security sub manager interprets the given resource handle.
`IAclPermission`	`getPermission(String name)` Identify and get permission with the given name generally known to this ACL security sub manager.
`List`	`getSupportedAclPermissions(IResourceHandle resourceHandle)` Get list of permissions which are supported by this ACL security sub manager for the given resource handle, i.e. outcome depends on the object type of the given resource handle, e.g. depends whether the resource is a collection or not.
`List`	`getSupportedObjectTypes()` Get list of object types supported by this ACL security sub manager.
`boolean`	`isPermissionUsedInAcl(IAclPermission permission)` Check whether or not a permission is used in an ACL.
`boolean`	`isReadOnly()` Check whether or not this ACL security sub manager is read only and no creation or modification operations of ACLs are allowed.
`List`	`propagateAclRemove(IResourceHandle resource)` Remove the ACLs of the descendants of the resource.
`void`	`removeAcl(IAcl acl)` Remove the given ACL from its resource.
`void`	`removeAcl(IResourceHandle resourceHandle)` Remove the ACL from the given resource.
`void`	`removePermission(IAclPermission permission)` Unregister permission with the given name generally from this ACL security sub manager.
`void`	`removeSupportedPermission(IObjectType objectType, IAclPermission permission)` Unregister permission as no longer supported permission from an object type.
`boolean`	`supportsNegativeAclEntries()` Check whether or not negative ACL entries are supported by this ACL security sub manager.

Methods inherited from interface com.sap.netweaver.bc.rf.mi.security.ISecurityManager
`getSupportedPermissions, isAllowed, isAllowed, isAllowed, isAllowed`

Method Detail

getAcl

IAcl getAcl(IResourceHandle resourceHandle)
            throws AclPersistenceException,
                   ResourceException

Get ACL of a given resource handle. Inherited ACLs are not returned. Please call getInheritedAcl() for that purpose.

Parameters:: resourceHandle - resource handle
Returns:: ACL of a given resource handle
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException - when the resource handle was invalid

getInheritedAcl

IAcl getInheritedAcl(IResourceHandle resourceHandle)
                     throws AclPersistenceException,
                            ResourceException

Get ACL of a given resource handle or an inherited ACL if none is defined directly for the given resource handle. A call to this method may involve calling all legators until an ACL is found.

Parameters:: resourceHandle - resource handle
Returns:: the inherited ACL
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException - when the resource handle was invalid

createAclEntry

IAclEntry createAclEntry(com.sap.security.api.IPrincipal principal,
                         IAclPermission permission,
                         boolean negative,
                         boolean readonly,
                         int sortIndex)
                         throws AclPersistenceException,
                                UnsupportedOperationException

Create a new ACL entry to grant or deny a permission to a principal. The ACL entry must be assigned to an ACL in order to be activated.

Parameters:: principal - principal; permission - permission; negative - true if the entry denies a permission, false if it grants one; readonly - true if the entry is read only, false otherwise; sortIndex - position of the ACL entry in the ACL (important only with denials)
Returns:: ACL entry
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; UnsupportedOperationException - when a negative ACL entry is requested but not supported

createAcl

IAcl createAcl(IResourceHandle resourceHandle)
               throws AclPersistenceException,
                      AclNotAuthorizedException,
                      AclExistsException,
                      ResourceException

Create a new ACL for a resource handle when the resource handle has no ACL and the current user in the resource context is an owner of the inherited ACL. This user will become the initial owner of the newly created ACL. All ACL entries from the inherited ACL will be copied when applicable to the object type of the given resource handle; all others will be ignored.

Parameters:: resourceHandle - resource handle
Returns:: ACL
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclExistsException - when an ACL already exists for the resource handle; ResourceException - when the resource handle was invalid; AclNotAuthorizedException - Exception raised in failure situation

assignAcl

void assignAcl(IResourceHandle resourceHandle,
               IAcl acl)
               throws AclPersistenceException,
                      AclNotAuthorizedException,
                      AclExistsException,
                      ResourceException

Assign an existent ACL, i.e. copy and assign it to a resource handle when the resource handle has no ACL and the current user in the resource context is an owner of the source ACL. All users of the source ACL will become the initial owners of the newly copied and assigned ACL. All ACL entries from the source ACL will be copied when applicable to the object type and ACL security sub manager implementation of the given resource handle; all others will be ignored.

Parameters:: resourceHandle - resource handle; acl - ACL
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclExistsException - when an ACL already exists for the resource handle; ResourceException - when the resource handle was invalid; AclNotAuthorizedException - Exception raised in failure situation

removeAcl

void removeAcl(IResourceHandle resourceHandle)
               throws AclPersistenceException,
                      AclNotAuthorizedException,
                      ResourceException

Remove the ACL from the given resource.

Parameters:: resourceHandle - resource handle
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException - when the resource handle was invalid; AclNotAuthorizedException - Exception raised in failure situation

removeAcl

void removeAcl(IAcl acl)
               throws AclPersistenceException,
                      AclNotAuthorizedException,
                      ResourceException

Remove the given ACL from its resource.

Parameters:: acl - ACL
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException - when the resource handle assigned to the ACL was invalid; AclNotAuthorizedException - Exception raised in failure situation

getPermission

IAclPermission getPermission(String name)
                             throws AclPersistenceException

Identify and get permission with the given name generally known to this ACL security sub manager.

Parameters:: name - permission name
Returns:: permission with the given name
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred

createPermission

IAclPermission createPermission(String name)
                                throws AclPersistenceException,
                                       AclPermissionExistsException

Parameters:: name - permission name
Returns:: newly created permission with the given name
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclPermissionExistsException - Exception raised in failure situation

removePermission

void removePermission(IAclPermission permission)
                      throws AclPersistenceException,
                             AclPredefinedPermissionException,
                             AclPermissionUsedException

Unregister permission with the given name generally from this ACL security sub manager. It can only be unregistered if it is not predefined and not used in an ACL.

Parameters:: permission - the permission
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclPredefinedPermissionException - Exception raised in failure situation; AclPermissionUsedException - Exception raised in failure situation

getSupportedObjectTypes

List getSupportedObjectTypes()
                             throws AclPersistenceException

Get list of object types supported by this ACL security sub manager.

Returns:: list of the IObjectTypes
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred

getObjectType

IObjectType getObjectType(IResourceHandle resourceHandle)
                          throws AclPersistenceException,
                                 ResourceException

Get object type this ACL security sub manager interprets the given resource handle.

Parameters:: resourceHandle - resource handle
Returns:: IObjectType
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException - when the resource handle was invalid

getSupportedAclPermissions

List getSupportedAclPermissions(IResourceHandle resourceHandle)
                                throws ResourceException

Get list of permissions which are supported by this ACL security sub manager for the given resource handle, i.e. outcome depends on the object type of the given resource handle, e.g. depends whether the resource is a collection or not.

Parameters:: resourceHandle - resource handle
Returns:: list of supported permissions of type IAclPermission
Throws:: ResourceException - when the resource handle was invalid

addSupportedPermission

void addSupportedPermission(IObjectType objectType,
                            IAclPermission permission)
                            throws AclPersistenceException,
                                   AclPredefinedPermissionException

Parameters:: objectType - object type; permission - permission
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclPredefinedPermissionException - Exception raised in failure situation

removeSupportedPermission

void removeSupportedPermission(IObjectType objectType,
                               IAclPermission permission)
                               throws AclPersistenceException,
                                      AclPredefinedPermissionException,
                                      AclPermissionUsedException

Unregister permission as no longer supported permission from an object type. It can only be unregistered if it is not predefined and not used in an ACL.

Parameters:: objectType - object type; permission - permission
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; AclPredefinedPermissionException - Exception raised in failure situation; AclPermissionUsedException - Exception raised in failure situation

isPermissionUsedInAcl

boolean isPermissionUsedInAcl(IAclPermission permission)
                              throws AclPersistenceException

Check whether or not a permission is used in an ACL.

Parameters:: permission - permission
Returns:: true if the permission is used in an ACL
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred

supportsNegativeAclEntries

boolean supportsNegativeAclEntries()

Check whether or not negative ACL entries are supported by this ACL security sub manager.

Returns:: true if negative ACL entries are supported by this ACL security sub manager

isReadOnly

boolean isReadOnly()
                   throws AclPersistenceException

Check whether or not this ACL security sub manager is read only and no creation or modification operations of ACLs are allowed.

Returns:: true if this ACL security sub manager is read only
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred

propagateAclRemove

List propagateAclRemove(IResourceHandle resource)
                        throws AclPersistenceException,
                               ResourceException

Remove the ACLs of the descendants of the resource.

Returns:: null if all ACLs could be removed successfully otherwise a list of all resource handles for which the operation failed.
Throws:: AclPersistenceException - when a problem with the storage where the ACLs are persisted occurred; ResourceException
Since:: NetWeaver 7.1

Access Rights

This class can be accessed from:

SC	DC	Public Part	ACH
`[sap.com] KMC-CM`	`[sap.com] tc/km/frwk`	`api`	`EP-KM-CM`
`[sap.com] KMC-WPC`	`[sap.com] tc/kmc/wpc/wpcfacade`	`api`	`EP-PIN-WPC-WCM`