oracle.ifs.fdk

Interface SecurityManager

All Superinterfaces:

Remote

All Known Implementing Classes:

CoreSecurityManager, SecurityManagerImpl

public interface SecurityManager
extends Remote

The security management interface.

Method Summary

Modifier and Type	Method and Description
Item	addGrants(long id, NamedValue[] def, AttributeRequest[] attributes) Adds the specified grants to the SecurityConfiguration of the target item.
boolean	checkPermission(long target, long userOrGroup, long permission) Determines whether the given DirectoryObject has the given permission on the given target object.
Item	createRole(long target, NamedValue[] def, AttributeRequest[] attributes) Creates a new Role for use in the target domain.
void	deleteRole(long target, NamedValue[] def) Deletes a Role.
Item	findRoleByKey(String key, AttributeRequest[] attributes) Fetches a single OOTB role by its registered role key.
Item[]	getComputedGranteeList(long target, long role, AttributeRequest[] attributes) Deprecated. 10.1.3.0.0 use getComputedUserGranteeList
Item[]	getComputedGroupGranteeList(long target, long role, AttributeRequest[] attributes) Returns the set of groups that are granted the specified role on the specified SecurityConfiguration.
Item[]	getComputedUserGranteeList(long target, long role, AttributeRequest[] attributes) Returns the set of users that are granted the specified role on the specified SecurityConfiguration.
Item	getRole(long id, AttributeRequest[] attributes) Fetches a single role
Item	getRoleByName(String name, AttributeRequest[] attributes) Fetches a single role by its common name.
boolean	hasOnlyExplicitGrantedAccess(long target, long user) Returns true if the specified user has a grant on the specified public object that names the user as the grantee, and the permissions granted by this grant represent all the permissions of that user on the public object.
boolean	hasPropagatingGrants(long target, long user) Returns true if the specified user has any grants on the specified SecurityConfiguration that propagated from a parent.
Item[]	listRoles(long id, NamedValue[] options, AttributeRequest[] attributes) Returns the available security roles in the domain that apply to the given target object.
Item[]	listRolesByItemType(String itemType, NamedValue[] options, AttributeRequest[] attributes) Returns the available security roles in the domain that apply to the given target object class.
void	removeSecurityConfiguration(long id) Removes the SecurityConfiguration from the target item.
Item	setSecurityConfiguration(long id, NamedValue[] def, AttributeRequest[] attributes) Updates the SecurityConfiguration of the target item.
Item	updateRole(long target, NamedValue[] def, AttributeRequest[] attributes) Updates a Role.

Method Detail

getRole

Item getRole(long id,
             AttributeRequest[] attributes)
      throws FdkException

Fetches a single role

Parameters:

id - Id of the role.

attributes - Additional attributes to be fetched.

Throws:

FdkException - if the operation fails.

getRoleByName

Item getRoleByName(String name,
                   AttributeRequest[] attributes)
            throws FdkException

Fetches a single role by its common name.

Note that this method should not be used for pre-defined roles; use findRoleByKey instead.

Parameters:

name - Common name of the role.

attributes - Additional attributes to be fetched.

Returns:

The role matching the specified name, or null if no role exists with that name

Throws:

FdkException - if the operation fails.

findRoleByKey

Item findRoleByKey(String key,
                   AttributeRequest[] attributes)
            throws FdkException

Fetches a single OOTB role by its registered role key.

Parameters:

key - Registered role key of the role, which must match one of the ECM_ROLEKEY-prefixed strings in FdkConstants.

attributes - Additional attributes to be fetched.

Throws:

FdkException - if the operation fails.

listRoles

Item[] listRoles(long id,
                 NamedValue[] options,
                 AttributeRequest[] attributes)
          throws FdkException

Returns the available security roles in the domain that apply to the given target object.

Parameters:

id - the id of the target object

options - Options on the retrieved list. Valid options are:

• notation: {Attribute name, Attribute type}
• {Options.PRIMARY_SORT_ATTRIBUTE, String}
• {Options.PRIMARY_SORT_DIRECTION, Boolean}
• {Options.SECONDARY_SORT_ATTRIBUTE, String}
• {Options.SECONDARY_SORT_DIRECTION, Boolean}

If an attribute name is specified with no direction, ascending is the default. Attribute names must be valid attributes in Attributes.java and must return values that implement Comparable.

attributes - attributes to retrieve.

Throws:

FdkException - if the operation fails.

listRolesByItemType

Item[] listRolesByItemType(String itemType,
                           NamedValue[] options,
                           AttributeRequest[] attributes)
                    throws FdkException

Returns the available security roles in the domain that apply to the given target object class. Use this method for when no object is available (e.g., when setting the security of an object that is yet to be created).

Parameters:

itemType - ItemTypes string representing these supported types:

• ItemTypes.FOLDER
• ItemTypes.DOMAIN
• ItemTypes.CONTAINER
• ItemTypes.WORKSPACE
• ItemTypes.DOCUMENT
• ItemTypes.GROUP
• ItemTypes.FILE_PLAN
• ItemTypes.RECORD_SERIES
• ItemTypes.RECORD_CATEGORY
• ItemTypes.RECORD_FOLDER

options - Options on the retrieved list. Valid options are:

• notation: {Attribute name, Attribute type}
• {Options.PRIMARY_SORT_ATTRIBUTE, String}
• {Options.PRIMARY_SORT_DIRECTION, Boolean}
• {Options.SECONDARY_SORT_ATTRIBUTE, String}
• {Options.SECONDARY_SORT_DIRECTION, Boolean}

If an attribute name is specified with no direction, ascending the default. Attribute names must be valid attributes in Attributes.java and must return values that implement Comparable.

attributes - attributes to retrieve.

Throws:

FdkException - if the operation fails.

createRole

Item createRole(long target,
                NamedValue[] def,
                AttributeRequest[] attributes)
         throws FdkException

Creates a new Role for use in the target domain.

Parameters:

target - The ID of the target domain.

def - Attributes for the new role.

• notation: {Attribute name, Attribute type}
• {Attributes.NAME, String}
• {Attributes.DESCRIPTION, String}
• {Attributes.ACCESS_LEVEL, Long} an ACCESS_LEVEL is a bitmap of the various capabilities. The list of capabilities that can be used for creating a custom role are available from ClientUtils.getSupportedCapabilities(). You can OR these capabilities to create an ACCESS_LEVEL.

attributes - requested attributes for each item, or null.

Throws:

FdkException - if the operation fails.

deleteRole

void deleteRole(long target,
                NamedValue[] def)
         throws FdkException

Deletes a Role.

Parameters:

target - The ID of the target role.

def - Optional attributes.

Throws:

FdkException - if the operation fails.

updateRole

Item updateRole(long target,
                NamedValue[] def,
                AttributeRequest[] attributes)
         throws FdkException

Updates a Role.

Parameters:

target - The ID of the target role.

def - New attributes for the role.

• notation: {Attribute name, Attribute type}
• {Attributes.NAME, String}
• {Attributes.DESCRIPTION, String}
• {Attributes.ACCESS_LEVEL, Long} an ACCESS_LEVEL is a bitmap of the various capabilities. The list of capabilities that can be used for creating a custom role are available from ClientUtils.getSupportedCapabilities(). You can OR these capabilities to create an ACCESS_LEVEL.

attributes - the requested attributes for the item

Returns:

the updated role

Throws:

FdkException - if the operation fails.

setSecurityConfiguration

Item setSecurityConfiguration(long id,
                              NamedValue[] def,
                              AttributeRequest[] attributes)
                       throws FdkException

Updates the SecurityConfiguration of the target item. The entire configuration will replaced as a set and not added to the existing one.

Note: to execute this operation asynchronously, specify the optional RUN_ASYNC option with a value of Boolean.TRUE.

The following restrictions are enforced for Attributes.GRANT

• The same Role may not appear more than once in the same grant
• The "NONE" Role may not appear with any other Role
• The Roles specified must have applicability to the object asscociated with this grant's SC.
• If there are any admin-mode roles, the associated PO must be a Container or Domain
• If there are any admin-mode roles, the grantee must be a user or the Domain's "all admin users" group

Parameters:

id - The ID of the target object

def - Attributes for the securityconfiguration.

• notation: {Attribute name, Attribute type}
• {Options.RUN_ASYNC, Boolean}
• {Attributes.GRANTS, NamedValueSet[]}, where each row corresponds to a grant whose attributes are:
  • {Attributes.GRANTEE, Long}
  • {Attributes.ROLES, long[]}
  • {Attributes.PROPAGATING, Boolean}

attributes - requested attributes for each item, or null.

Returns:

the updated SECURITY_CONFIGURATION, or the BACKGROUND_REQUEST to track the asynchronous operation if the RUN_ASYNC option was specified.

Throws:

FdkException - if the operation fails.

addGrants

Item addGrants(long id,
               NamedValue[] def,
               AttributeRequest[] attributes)
        throws FdkException

Adds the specified grants to the SecurityConfiguration of the target item.

Note: to execute this operation asynchronously, specify the optional RUN_ASYNC option with a value of Boolean.TRUE.

Parameters:

id - The ID of the target object

def - Attributes for the securityconfiguration.

• notation: {Attribute name, Attribute type}
• {Options.RUN_ASYNC, Boolean}
• {Attributes.GRANTS, NamedValueSet[]}, where each row corresponds to a grant whose attributes are:
  • {Attributes.GRANTEE, Long}
  • {Attributes.ROLES, long[]}
  • {Attributes.PROPAGATING, Boolean}

attributes - requested attributes for each item, or null.

Returns:

the updated SECURITY_CONFIGURATION, or the BACKGROUND_REQUEST to track the asynchronous operation if the RUN_ASYNC option was specified.

Throws:

FdkException - if the operation fails.

removeSecurityConfiguration

void removeSecurityConfiguration(long id)
                          throws FdkException

Removes the SecurityConfiguration from the target item.

Parameters:

id - The ID of the target item

Throws:

FdkException - if the operation fails.

checkPermission

boolean checkPermission(long target,
                        long userOrGroup,
                        long permission)
                 throws FdkException

Determines whether the given DirectoryObject has the given permission on the given target object. Note that this will not check the capability restriction (e.g., if the object is locked), only the raw permission bit. In most cases, callers should check the capabilities; this is done by asking for Attributes.CAPABILITIES. See the Javadoc on that attribute for details.

Parameters:

target - The ID of the target PublicObject.

userOrGroup - The ID of the DirectoryObject.

permission - The long (bit value) representing the permission bit.

Throws:

FdkException - if the operation fails.

getComputedGranteeList

Item[] getComputedGranteeList(long target,
                              long role,
                              AttributeRequest[] attributes)
                       throws FdkException

Deprecated. 10.1.3.0.0 use getComputedUserGranteeList

Returns the set of users that are granted the specified role on the specified SecurityConfiguration. This includes users that are granted this role via a grant to a group of which they are a member and users granted the role via a propagating grant from a parent folder. It does not include users who are granted the permissions specified by the role without being specifically granted the role (i.e., using custom roles).

Parameters:

target - The ID of the target security configuration.

role - The ID of the role.

attributes - Attributes on the users to retrieve.

Throws:

FdkException - if the operation fails.

getComputedUserGranteeList

Item[] getComputedUserGranteeList(long target,
                                  long role,
                                  AttributeRequest[] attributes)
                           throws FdkException

Returns the set of users that are granted the specified role on the specified SecurityConfiguration. This includes users that are granted this role via a grant to a group of which they are a member and users granted the role via a propagating grant from a parent folder. It does not include users who are granted the permissions specified by the role without being specifically granted the role.

Parameters:

target - The ID of the target security configuration.

role - The ID of the role.

attributes - Attributes on the users to retrieve.

Returns:

the items that correspond to the users who have the specified role on the specified object.

Throws:

FdkException - if the operation fails.

getComputedGroupGranteeList

Item[] getComputedGroupGranteeList(long target,
                                   long role,
                                   AttributeRequest[] attributes)
                            throws FdkException

Returns the set of groups that are granted the specified role on the specified SecurityConfiguration. This includes groups that are granted this role via a grant to a group of which they are a member. It does not include groups who are granted the permissions specified by the role without being specifically granted the role.

Parameters:

target - The ID of the target security configuration.

role - The ID of the role.

attributes - Attributes on the groups to retrieve.

Returns:

the items that correspond to the groups who have the specified role on the specified object.

Throws:

FdkException - if the operation fails.

hasPropagatingGrants

boolean hasPropagatingGrants(long target,
                             long user)
                      throws FdkException

Returns true if the specified user has any grants on the specified SecurityConfiguration that propagated from a parent. Returns false if no such grants exist.

Parameters:

target - The ID of the target SecurityConfiguration.

user - The ID of the desired user.

Throws:

FdkException - if the operation fails.

hasOnlyExplicitGrantedAccess

boolean hasOnlyExplicitGrantedAccess(long target,
                                     long user)
                              throws FdkException

Returns true if the specified user has a grant on the specified public object that names the user as the grantee, and the permissions granted by this grant represent all the permissions of that user on the public object. Returns false if there exist some other grant that grants the user some permission(s) that are not granted by the explicit grant.

Parameters:

target - The ID of the target SecurityConfiguration.

user - The ID of the desired user.

Throws:

FdkException - if the operation fails.