IResourceAclManager

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

SAP NetWeaver 7.30 SP01 KMC

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.sapportals.wcm.repository.security

Interface IResourceAclManager

All Known Subinterfaces:: IResourceAclManager4Tx, IResourceAclManagerRaw

public interface IResourceAclManager

An IResourceAclManager administers and persists Access Control Lists (ACL)
- IResourceAclManagers are used by IAclSecurityManagers
- IResourceAclManagers use IAclManagers (one to one)
- IResourceAclManagers operate on IResources
- IAclManagers operate on arbitrary objects which are identified by an unique ID
- IResourceAclManagers pass the RID of the IResources as object ID to the IAclManagers
- IResourceAclManagers pass the logged in user (from the resource context) as the 'caller' to IAclManagers
- IResourceAclManagers use the wrappers IResourceAcl (for IAcl), IResourceAclEntry (for IAclEntry) in order to hide the calls of the IAclManager (so that nobody can pass a fake 'caller')

Abbreviations
ACL: Access Control List
ACE: Access Control List Entry

Method Summary
`boolean`	`addSupportedPermission(IObjectType objectType, IAclPermission permission)` assign a permission to an object type
`boolean[]`	`areAclsUpToDate(IResourceAcl[] acls)` check whether the ACLs are up to date (compared to the database)
`boolean`	`areNegativeAclEntriesSupported()` check whether negative ACEs are supported
`boolean`	`assignForeignAcl(IResourceAcl foreignAcl, IResource resource)` assign an ACL from a foreign IResourceAclManager to a local resource - foreign ACEs which hold permissions that are not supported by the local IResourceAclManager are ignored - locally inherited ACEs are added - the owners are maintained - if the resource inherits an ACL the user must be an owner - fails, if the resource already has an ACL assigned
`IResourceAcl`	`createAcl(IResource resource)` create a new ACL for a resource - initial owner is the user in the resource context - inherited ACEs are added - if the resource inherits an ACL the user must be an owner - fails, if the resource already has an ACL assigned
`IResourceAclEntry`	`createAclEntry(com.sap.security.api.IPrincipal principal, boolean negative, IAclPermission permission, int sortIndex)` create a new ACE for an ACL to grant or deny a permission to a principal
`IResourceAclEntry`	`createAclEntry(com.sapportals.portal.security.usermanagement.IUMPrincipal principal, boolean negative, IAclPermission permission, int sortIndex)` Deprecated. As of NetWeaver 7.1, replaced by `createAclEntry(com.sap.security.api.IPrincipal,boolean,IAclPermission,int)`
`IAclPermission`	`createPermission(String name)` create a new permission (the permission can not be used until it is assigned to an object type by calling the addSupportedPermission() method)
`IResourceAcl`	`getAcl(IResource resource)` get the ACL of a specific resource
`long`	`getDBVersion()` Returns a value representing the state (timestamp or modifycounter) of all persisted acl entries.
`IResourceAcl`	`getInheritedAcl(IResource resource)` get the ACL that a resource inherits by its ancestors
`IObjectType`	`getObjectType(IResource resource)` get the object type of a resource
`IAclPermission`	`getPermission(String name)` get the IAclPermission object of the (supported) permission with a given name
`IObjectTypeList`	`getSupportedObjectTypes()` get a list of object types which are supported by the IResourceAclManager for resources
`IAclPermissionList`	`getSupportedPermissions(IResource resource)` get a list of permissions which are supported by the IResourceAclManager for a specific resource
`boolean`	`isPermissionUsedInAcl(IAclPermission permission)` check whether a permission is used in an ACL
`boolean`	`isReadOnly()` check whether the IResourceAclManager is read only (no creation or modification of ACLs is allowed)
`IResourceList`	`propagateAcl_Remove(IResource resource)` remove the ACLs of the descendants of the resource
`boolean`	`removeAcl(IResource resource)` remove the ACL of a specific resource
`boolean`	`removeAcl(IResourceAcl acl)` remove an ACL
`boolean`	`removePermission(IAclPermission permission)` remove a permission - a permission can only be removed if it is not predefined and not used in an ACL
`boolean`	`removeSupportedPermission(IObjectType objectType, IAclPermission permission)` remove the assignment of a permission to an object type - a supported permission can only be removed if it is not predefined and not used in an ACL

Method Detail

createAclEntry

IResourceAclEntry createAclEntry(com.sapportals.portal.security.usermanagement.IUMPrincipal principal,
                                 boolean negative,
                                 IAclPermission permission,
                                 int sortIndex)
                                 throws AclPersistenceException,
                                        UnsupportedOperationException,
                                        InvalidClassException

Deprecated. As of NetWeaver 7.1, replaced by createAclEntry(com.sap.security.api.IPrincipal,boolean,IAclPermission,int)

create a new ACE for an ACL to grant or deny a permission to a principal

Parameters:: principal - the principal; negative - true if the entry denies a permission, false if it grants (denials are currently unsupported); permission - the permission; sortIndex - the position of the ACE in an ACL (important only with denials)
Returns:: the newly created ACE
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; InvalidClassException - the permission was created by a foreign IResourceAclManager; UnsupportedOperationException - negative ACEs are currently not supported (request support by using the areNegativeAclEntriesSupported() method)

createAclEntry

IResourceAclEntry createAclEntry(com.sap.security.api.IPrincipal principal,
                                 boolean negative,
                                 IAclPermission permission,
                                 int sortIndex)
                                 throws AclPersistenceException,
                                        UnsupportedOperationException,
                                        InvalidClassException

create a new ACE for an ACL to grant or deny a permission to a principal

Parameters:: principal - the principal; negative - true if the entry denies a permission, false if it grants (denials are currently unsupported); permission - the permission; sortIndex - the position of the ACE in an ACL (important only with denials)
Returns:: the newly created ACE
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; InvalidClassException - the permission was created by a foreign IResourceAclManager; UnsupportedOperationException - negative ACEs are currently not supported (request support by using the areNegativeAclEntriesSupported() method)
Since:: NetWeaver 7.1

areNegativeAclEntriesSupported

boolean areNegativeAclEntriesSupported()

check whether negative ACEs are supported

Returns:: true iff negative ACEs are supported

createAcl

IResourceAcl createAcl(IResource resource)
                       throws AclPersistenceException,
                              NotAuthorizedException,
                              AclExistsException,
                              ResourceException

create a new ACL for a resource - initial owner is the user in the resource context - inherited ACEs are added - if the resource inherits an ACL the user must be an owner - fails, if the resource already has an ACL assigned

Parameters:: resource - the resource
Returns:: the newly created ACL
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; NotAuthorizedException - the user in the resource context is not an owner of an inherited ACL; AclExistsException - an ACL already exists for the resource; ResourceException - the resource URI could not be determined

assignForeignAcl

boolean assignForeignAcl(IResourceAcl foreignAcl,
                         IResource resource)
                         throws AclPersistenceException,
                                NotAuthorizedException,
                                AclExistsException,
                                ResourceException

assign an ACL from a foreign IResourceAclManager to a local resource - foreign ACEs which hold permissions that are not supported by the local IResourceAclManager are ignored - locally inherited ACEs are added - the owners are maintained - if the resource inherits an ACL the user must be an owner - fails, if the resource already has an ACL assigned

Parameters:: foreignAcl - the foreign ACL; resource - the local resource
Returns:: true iff the ACL has been assigned
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; NotAuthorizedException - the user in the resource context is not an owner of an inherited ACL; AclExistsException - an ACL already exists for the resource; ResourceException - the resource URI could not be determined

getAcl

IResourceAcl getAcl(IResource resource)
                    throws AclPersistenceException,
                           ResourceException

get the ACL of a specific resource

Parameters:: resource - the resource
Returns:: the ACL of the resource or null in case none is assigned yet
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; ResourceException - the resource URI could not be determined

getInheritedAcl

IResourceAcl getInheritedAcl(IResource resource)
                             throws AclPersistenceException,
                                    ResourceException

get the ACL that a resource inherits by its ancestors

Parameters:: resource - the resource
Returns:: the inherited ACL
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; ResourceException - the resource URI could not be determined

removeAcl

boolean removeAcl(IResource resource)
                  throws AclPersistenceException,
                         NotAuthorizedException,
                         ResourceException,
                         ResourceException

remove the ACL of a specific resource

Parameters:: resource - the resource
Returns:: true iff an ACL did exist and was removed
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; NotAuthorizedException - the user in the resource context is not an owner of the ACL; ResourceException - the resource URI could not be determined

removeAcl

boolean removeAcl(IResourceAcl acl)
                  throws AclPersistenceException,
                         NotAuthorizedException,
                         InvalidClassException,
                         ResourceException

remove an ACL

Parameters:: acl - the ACL
Returns:: true iff the ACL was removed
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; NotAuthorizedException - the caller is not an owner of the access control list; InvalidClassException - the acl was created by a foreign resource acl manager; ResourceException - Exception raised in failure situation

getSupportedObjectTypes

IObjectTypeList getSupportedObjectTypes()
                                        throws AclPersistenceException

get a list of object types which are supported by the IResourceAclManager for resources

Returns:: the object types
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred

getObjectType

IObjectType getObjectType(IResource resource)
                          throws AclPersistenceException,
                                 ResourceException

get the object type of a resource

Parameters:: resource - the resource
Returns:: the object type
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; ResourceException - the resource URI could not be determined

getSupportedPermissions

IAclPermissionList getSupportedPermissions(IResource resource)
                                           throws AclPersistenceException,
                                                  ResourceException

get a list of permissions which are supported by the IResourceAclManager for a specific resource

Parameters:: resource - the resource
Returns:: the permissions
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; ResourceException - the resource URI could not be determined

getPermission

IAclPermission getPermission(String name)
                             throws AclPersistenceException

get the IAclPermission object of the (supported) permission with a given name

Parameters:: name - the name of the permission
Returns:: the permission
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred

addSupportedPermission

boolean addSupportedPermission(IObjectType objectType,
                               IAclPermission permission)
                               throws AclPersistenceException,
                                      PredefinedPermissionException

assign a permission to an object type

Parameters:: objectType - the object type; permission - the permission
Returns:: true iff the permission was assigned successfully
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; PredefinedPermissionException - the permission is predefined and thus not allowed to be changed

removeSupportedPermission

boolean removeSupportedPermission(IObjectType objectType,
                                  IAclPermission permission)
                                  throws AclPersistenceException,
                                         PredefinedPermissionException,
                                         PermissionUsedException

remove the assignment of a permission to an object type - a supported permission can only be removed if it is not predefined and not used in an ACL

Parameters:: objectType - the object type; permission - the permission
Returns:: true iff the assignment was removed successfully
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; PredefinedPermissionException - the permission is predefined and thus not allowed to be changed; PermissionUsedException - Exception raised in failure situation

createPermission

IAclPermission createPermission(String name)
                                throws AclPersistenceException,
                                       PermissionExistsException

create a new permission (the permission can not be used until it is assigned to an object type by calling the addSupportedPermission() method)

Parameters:: name - the permission name
Returns:: the newly created permission
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; PermissionExistsException - a permission with that name exists already

removePermission

boolean removePermission(IAclPermission permission)
                         throws AclPersistenceException,
                                PredefinedPermissionException,
                                PermissionUsedException

remove a permission - a permission can only be removed if it is not predefined and not used in an ACL

Parameters:: permission - the permission
Returns:: true iff the permission was removed successfully
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred; PredefinedPermissionException - the permission is predefined and thus not allowed to be changed; PermissionUsedException - the permission is used in some acl and thus not allowed to be changed

isPermissionUsedInAcl

boolean isPermissionUsedInAcl(IAclPermission permission)
                              throws AclPersistenceException

check whether a permission is used in an ACL

Parameters:: permission - the permission
Returns:: true iff the permission is used in an ACL
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred

isReadOnly

boolean isReadOnly()
                   throws AclPersistenceException

check whether the IResourceAclManager is read only (no creation or modification of ACLs is allowed)

Returns:: true iff the IResourceAclManager is read only
Throws:: AclPersistenceException - a problem with the storage where the ACLs are persisted occurred

areAclsUpToDate

boolean[] areAclsUpToDate(IResourceAcl[] acls)
                          throws AclPersistenceException

check whether the ACLs are up to date (compared to the database)

Parameters:: acls - the ACLs to check
Returns:: a boolean array containing true for the ACLs which are up to date
Throws:: AclPersistenceException - Exception raised in failure situation

propagateAcl_Remove

IResourceList propagateAcl_Remove(IResource resource)
                                  throws AclPersistenceException,
                                         ResourceException,
                                         NoAclException,
                                         InvalidClassException,
                                         NotAuthorizedException

remove the ACLs of the descendants of the resource

Returns:: null if all acls could be removed successfully otherwise a list of all Resources which failed operation
Throws:: AclPersistenceException - Exception raised in failure situation; ResourceException - Exception raised in failure situation; NoAclException - Exception raised in failure situation; InvalidClassException - Exception raised in failure situation; NotAuthorizedException - Exception raised in failure situation

getDBVersion

long getDBVersion()

Returns a value representing the state (timestamp or modifycounter) of all persisted acl entries. If a negative number is returned this method is not supported or an error occured.

Returns:: dBVersion

Access Rights

This class can be accessed from:

SC	DC	Public Part	ACH
`[sap.com] KMC-WPC`	`[sap.com] tc/kmc/wpc/wpcfacade`	`api`	`EP-PIN-WPC-WCM`
`[sap.com] KMC-CM`	`[sap.com] tc/km/frwk`	`api`	`EP-KM-CM`