Securing Your Composite Application

Permissions

You can set permissions to control the access to particular operations on business objects and application services created in CAF.

Application Services

You can control which users and groups are allowed to execute application service operations by implementing UME permission checks. This mechanism uses standard Java permissions and allows you to implement custom logic for verifying user authorizations, as you do for standard Java Enterprise Edition (EE) applications.

More information: Protecting Access to Application Service Operations

Business Objects

To protect access to business object operations, you use access control lists (ACLs). They define the privileges (permission access rights) that particular principals have for a particular resource. The principals that you can assign to an ACL are the following:

  • users - single user accounts
  • groups - collections of users and roles
  • roles - collections of tasks, services, and information that are available for groups of users

In CAF you enable permission checks for business object operations at design time and then you configure authorization assignments using the administrative tools of the CAF runtime.

Permission Levels

  • Service level permissions

    These permissions can be defined for a business object and they are valid for all of its instances.

    The permissions can be grouped into business rules. The logical operation OR is established among business rules. For example, if a certain principal does not have permission to read an object in rule1, but has permission to read it in rule2, the principal is permitted to read the object as a result.

    For each business rule, you can define conditions (situations for which the business rule is available). The logical operation AND is established among conditions. For example, if condition1 is true, but condition2 is false, the business rule is not available as a result, so the permission is not granted.

  • Instance level permissions

    Permissions at an instance level are available only for a single instance of a particular business object.

    More information: Protecting Access to Business Object Operations

Propagated Permissions

Propagated permissions are used to reduce the complexity and maintenance effort of restricting the access rights for business objects. These permissions allow you to store access rights for only one single instance of the business object that belongs to the relationship network and to determine the permissions for the other business objects dynamically.

Propagation of permissions does not require assigning additional permissions to principals, because the permissions assigned to a parent object are inherited by its children.

Tip

The business object Student has a unidirectional association to business object Course. Permission propagation is established on this association. Everyone who has permission to access an instance of business object Student should have the same permission for the associated instance of business object Course. As a result, in addition to the information about the student, you can see information about the courses that the student is associated with. The permissions of the object Course do not depend on any characteristics of the object Course, but only on its relation with the object Student. All the maintenance of permissions is done only for object Student.
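
The following added example (a constructed model, not CAF runtime code or SAP's API) shows how the rules under Permission Levels and Propagated Permissions combine into one access decision: AND among a rule's conditions, OR among rules, and Course resolving to the permissions stored for Student. The class name, the group `teachers`, the users and the `status` and `term` attributes are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Predicate;

// Constructed model of the decision logic described on this page; not the CAF runtime API.
public class CafPermissionModel {
    // One business rule: operations granted per principal (user, group or role) plus conditions.
    record Rule(Map<String, Set<String>> grants, List<Predicate<Map<String, String>>> conditions) {
        boolean permits(Set<String> principals, String op, Map<String, String> ctx) {
            boolean available = conditions.stream().allMatch(c -> c.test(ctx)); // AND among conditions
            return available && principals.stream()
                    .anyMatch(p -> grants.getOrDefault(p, Set.of()).contains(op));
        }
    }

    final Map<String, List<Rule>> rulesByObject = new HashMap<>(); // where permissions are stored
    final Map<String, String> propagatedFrom = new HashMap<>();    // child object -> parent object

    // Follow propagation links to the object whose permissions are actually maintained.
    String owner(String object) {
        Set<String> seen = new HashSet<>(); // guards against a cyclic association
        while (propagatedFrom.containsKey(object) && seen.add(object)) {
            object = propagatedFrom.get(object);
        }
        return object;
    }

    boolean allowed(String object, Set<String> principals, String op, Map<String, String> ctx) {
        return rulesByObject.getOrDefault(owner(object), List.of()).stream()
                .anyMatch(r -> r.permits(principals, op, ctx)); // OR among business rules
    }

    public static void main(String[] args) {
        CafPermissionModel m = new CafPermissionModel();
        // Constructed sample data: rule1 has no read grant, rule2 grants read under two conditions.
        Rule rule1 = new Rule(Map.of("teachers", Set.of("write")), List.of());
        Rule rule2 = new Rule(Map.of("teachers", Set.of("read")),
                List.of(ctx -> "active".equals(ctx.get("status")),
                        ctx -> "2024".equals(ctx.get("term"))));
        m.rulesByObject.put("Student", List.of(rule1, rule2)); // maintained for Student only
        m.propagatedFrom.put("Course", "Student");

        Set<String> alice = Set.of("alice", "teachers"); // the user plus her group
        Map<String, String> ok = Map.of("status", "active", "term", "2024");
        Map<String, String> stale = Map.of("status", "active", "term", "2023");

        System.out.println(m.allowed("Student", alice, "read", ok));        // rule2 available and granting
        System.out.println(m.allowed("Student", alice, "read", stale));     // one rule2 condition fails
        System.out.println(m.allowed("Course", alice, "read", ok));         // resolved through Student
        System.out.println(m.allowed("Course", Set.of("bob"), "read", ok)); // no grant on the parent
    }
}
```

Because rules are combined with OR, adding a business rule can only widen access, and every grant on Student also applies to the associated Course, so a review of Student permissions should account for both objects.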