public interface PermissionCheckingService
This service is used to check for effective permission assignments. Effective permission assignments are the result of
combining actual permission assignments with permission checking rules. Actual permission assignments are
basic relations between objects (such as items, types and so on), principals and permissions, as defined by
PermissionManagementService. Permission checking rules are defined by this service; they govern how
actual permission assignments are interpreted within the principal group hierarchy and the item type hierarchy with
respect to the permission target object: item, type, attribute descriptor or global permissions. Possible outcomes of
permission checking operations are defined by the PermissionCheckValue enumeration.

PermissionManagementService allows defining permission assignments to items, types and attribute descriptors.
It also allows defining so-called global permission assignments, which do not refer to any concrete object
but just describe the relation of principal, permission and value (GRANTED or DENIED). This gives 4 possible target
objects of permission assignments (item, type, attribute, global). Permission checking rules differ depending
on the target object. The rule of thumb is that the priority of assignments is (from highest to lowest):
item/attribute, type, global. See the description of each checking algorithm for details. Some of the methods defined
here use the default principal. This service defines this principal as the current session user.
input: principal, permission
When checking global permission assignments, the permission assignment for the principal is checked first. If no assignment is found, the principal's group hierarchy is checked using the algorithm for group hierarchy inheritance.
input: principal, permission, type
When checking permission assignments to a type for a principal, the type hierarchy is taken into account. The steps are:
input: principal, permission, attribute descriptor
When checking permission assignments to an attribute descriptor for a principal, the attribute hierarchy is taken into account. The steps are:
input: principal, permission, item instance
When checking permission assignments to an item, the steps are:
The following algorithm is used to resolve permission assignment inheritance across the group hierarchy of a given principal. This algorithm only checks assignments for a single permission and a single principal given as input.
Algorithm input: a permission for which we are checking assignments and a set [P] of principals. Set [P] initially contains only one element: the given principal.
Note that principal groups are also principals, and all members of the group inherit the group's permission assignments as described below.
Definition: Direct super-group of a principal: the group the principal is a direct member of (i.e. the super-group contains the principal directly, not through some other group).
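Added example, not SAP's code: a self-contained model of the group-hierarchy resolution described above, with a caller that treats every outcome other than a grant as denial. The page's step list is missing, so the level-by-level walk (stop at the nearest level holding any assignment, report a conflict when that level holds both values) is an assumption, as are the `Outcome` enum, all names and the sample data.

```java
import java.util.*;

public class GroupHierarchyCheck {
    // Local stand-in for the check outcome; not the platform's PermissionCheckValue.
    enum Outcome { GRANTED, DENIED, CONFLICTING, NOT_DEFINED }

    // Constructed sample hierarchy: principal -> its direct super-groups.
    static final Map<String, Set<String>> DIRECT_GROUPS = Map.of(
        "alice", Set.of("editors", "contractors"),
        "editors", Set.of("employees"),
        "contractors", Set.of("employees"),
        "employees", Set.of());

    // Constructed actual assignments per permission: principal -> true (GRANTED) / false (DENIED).
    static final Map<String, Boolean> READ = Map.of("editors", true, "contractors", false);
    static final Map<String, Boolean> WRITE = Map.of("employees", true);
    static final Map<String, Boolean> REMOVE = Map.of();

    static Outcome resolve(String principal, Map<String, Boolean> assignments) {
        Set<String> level = new HashSet<>(Set.of(principal)); // the set [P]
        Set<String> seen = new HashSet<>(level);              // guards against group cycles
        while (!level.isEmpty()) {
            boolean granted = false, denied = false;
            for (String p : level) {
                Boolean v = assignments.get(p);
                if (v != null) { if (v) granted = true; else denied = true; }
            }
            if (granted && denied) return Outcome.CONFLICTING;
            if (granted) return Outcome.GRANTED;
            if (denied) return Outcome.DENIED;
            // No assignment at this level: replace [P] with all direct super-groups.
            Set<String> next = new HashSet<>();
            for (String p : level)
                for (String g : DIRECT_GROUPS.getOrDefault(p, Set.of()))
                    if (seen.add(g)) next.add(g);
            level = next;
        }
        return Outcome.NOT_DEFINED;
    }

    // Fail closed: CONFLICTING and NOT_DEFINED are handled exactly like DENIED.
    static boolean allowed(Outcome o) { return o == Outcome.GRANTED; }

    public static void main(String[] args) {
        Map<String, Map<String, Boolean>> perms = Map.of("read", READ, "write", WRITE, "remove", REMOVE);
        perms.forEach((name, a) -> { Outcome o = resolve("alice", a);
            System.out.println(name + " -> " + o + ", allowed=" + allowed(o)); });
    }
}
```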
PermissionCheckValue.CONFLICTING

| Modifier and Type | Method and Description |
|---|---|
| PermissionCheckResult | `checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, PrincipalModel principal, java.lang.String permissionName)` Checks if a principal has a permission to an attribute descriptor. |
| PermissionCheckResult | `checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, java.lang.String permissionName)` Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but uses default principal. |
| PermissionCheckResult | `checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, PrincipalModel principal, java.lang.String permissionName)` Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but allows to use String values to specify attribute descriptor. |
| PermissionCheckResult | `checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, java.lang.String permissionName)` Same as checkAttributeDescriptorPermission(String, String, PrincipalModel, String) but uses default principal. |
| PermissionCheckResult | `checkGlobalPermission(PrincipalModel principal, java.lang.String permissionName)` Checks if a principal has a given permission assigned globally. |
| PermissionCheckResult | `checkGlobalPermission(java.lang.String permissionName)` Same as checkGlobalPermission(PrincipalModel, String) but uses default principal. |
| PermissionCheckResult | `checkItemPermission(ItemModel item, PrincipalModel principal, java.lang.String permissionName)` Checks if a principal has a permission to an item. |
| PermissionCheckResult | `checkItemPermission(ItemModel item, java.lang.String permissionName)` Same as checkItemPermission(ItemModel, PrincipalModel, String) but uses default principal. |
| PermissionCheckResult | `checkTypePermission(ComposedTypeModel type, PrincipalModel principal, java.lang.String permissionName)` Checks if a principal has a permission to a type. |
| PermissionCheckResult | `checkTypePermission(ComposedTypeModel type, java.lang.String permissionName)` Same as checkTypePermission(ComposedTypeModel, PrincipalModel, String) but uses default principal. |
| PermissionCheckResult | `checkTypePermission(java.lang.String typeCode, PrincipalModel principal, java.lang.String permissionName)` |
| PermissionCheckResult | `checkTypePermission(java.lang.String typeCode, java.lang.String permissionName)` Same as checkTypePermission(String, PrincipalModel, String) but uses default principal. |

PermissionCheckResult checkItemPermission(ItemModel item, PrincipalModel principal, java.lang.String permissionName)

PermissionCheckResult checkItemPermission(ItemModel item, java.lang.String permissionName)
Same as checkItemPermission(ItemModel, PrincipalModel, String) but uses default principal.

PermissionCheckResult checkTypePermission(ComposedTypeModel type, PrincipalModel principal, java.lang.String permissionName)

PermissionCheckResult checkTypePermission(java.lang.String typeCode, PrincipalModel principal, java.lang.String permissionName)

PermissionCheckResult checkTypePermission(ComposedTypeModel type, java.lang.String permissionName)
Same as checkTypePermission(ComposedTypeModel, PrincipalModel, String) but uses default principal.

PermissionCheckResult checkTypePermission(java.lang.String typeCode, java.lang.String permissionName)
Same as checkTypePermission(String, PrincipalModel, String) but uses default principal.

PermissionCheckResult checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, PrincipalModel principal, java.lang.String permissionName)

PermissionCheckResult checkAttributeDescriptorPermission(AttributeDescriptorModel attributeDescriptor, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but uses default principal.

PermissionCheckResult checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, PrincipalModel principal, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(AttributeDescriptorModel, PrincipalModel, String) but allows to use String values to specify attribute descriptor.

PermissionCheckResult checkAttributeDescriptorPermission(java.lang.String typeCode, java.lang.String attributeQualifier, java.lang.String permissionName)
Same as checkAttributeDescriptorPermission(String, String, PrincipalModel, String) but uses default principal.

PermissionCheckResult checkGlobalPermission(PrincipalModel principal, java.lang.String permissionName)

PermissionCheckResult checkGlobalPermission(java.lang.String permissionName)
Same as checkGlobalPermission(PrincipalModel, String) but uses default principal.

Copyright © 2018 SAP SE. All Rights Reserved.