...
```java
grouperSession = GrouperSession.startRootSession();
top = new StemSave(grouperSession).assignName("top").assignDisplayExtension("top display name").save();

// roles; seniorAdmin is set up to inherit the permissions of adminRole
adminRole = new GroupSave(grouperSession).assignName("top:admin").assignTypeOfGroup(TypeOfGroup.role).save();
seniorAdmin = new GroupSave(grouperSession).assignName("top:seniorAdmin").assignTypeOfGroup(TypeOfGroup.role).save();
seniorAdmin.getRoleInheritanceDelegate().addRoleToInheritFromThis(adminRole);
user = new GroupSave(grouperSession).assignName("top:user").assignTypeOfGroup(TypeOfGroup.role).save();

// permission definition and the resources (attribute def names) it governs
permissionDef = new AttributeDefSave(grouperSession).assignName("top:permissionDef").assignAttributeDefType(AttributeDefType.perm).assignToEffMembership(true).assignToGroup(true).save();
english = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:english").assignDisplayExtension("English").save();
math = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:math").assignDisplayExtension("Math").save();
electricalEngineering = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:electricalEngineering").assignDisplayExtension("Electrical Engineering").save();
chemicalEngineering = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:chemicalEngineering").assignDisplayExtension("Chemical Engineering").save();
artsAndSciences = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:artsAndSciences").assignDisplayExtension("Arts and Sciences").save();
engineering = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:engineering").assignDisplayExtension("Engineering").save();
all = new AttributeDefNameSave(grouperSession, permissionDef).assignName("top:all").assignDisplayExtension("All").save();

// resource inheritance graph: all -> {engineering, artsAndSciences}, artsAndSciences -> {english, math},
// engineering -> {math, electricalEngineering, chemicalEngineering}
all.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(engineering);
all.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(artsAndSciences);
artsAndSciences.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(english);
artsAndSciences.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(math);
engineering.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(math);
engineering.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(electricalEngineering);
engineering.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(chemicalEngineering);

// actions and their inheritance graph: admin -> readWrite -> {read, write}
permissionDef.getAttributeDefActionDelegate().configureActionList("read, write, readWrite, admin");
read = permissionDef.getAttributeDefActionDelegate().findAction("read", true);
write = permissionDef.getAttributeDefActionDelegate().findAction("write", true);
readWrite = permissionDef.getAttributeDefActionDelegate().findAction("readWrite", true);
admin = permissionDef.getAttributeDefActionDelegate().findAction("admin", true);
readWrite.getAttributeAssignActionSetDelegate().addToAttributeAssignActionSet(read);
readWrite.getAttributeAssignActionSetDelegate().addToAttributeAssignActionSet(write);
admin.getAttributeAssignActionSetDelegate().addToAttributeAssignActionSet(readWrite);

// the test subject
subj0 = addSubject("subj0", "person", "subj0");
subj0 = SubjectFinder.findById("subj0", true);
```
Algorithm summary
- Direct assignments trump inherited assignments
- A lower depth inherited assignment trumps a higher depth inherited assignment (on the directed graph of inheritance)
- Inherited ALLOW assignments (of equal depth) trump inherited NOT_ALLOW assignments
...
If the application supports users acting as a particular role, rather than flattening all of a user's permissions into one permission set (i.e. the ability to elevate permissions), then acting as a User, jsmith cannot Read Arts and Sciences, but acting as an Admin, jsmith can Read Arts and Sciences.
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.ALLOWED);
user.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, false);
user.addMember(subj0, false);
PermissionFinder.hasPermission(subj0, english, "read");             // overall
PermissionFinder.hasPermission(subj0, adminRole, english, "read");  // acting as Admin
PermissionFinder.hasPermission(subj0, user, english, "read");       // acting as User
```
...
Overall, jsmith is allowed Action<Read> of Resource<Arts and Sciences>: the subject is assigned directly to Senior admin, and that direct role assignment trumps the role assignments inherited from Admin.
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
seniorAdmin.getPermissionRoleDelegate().assignRolePermission("read", all, PermissionAllowed.ALLOWED);
seniorAdmin.addMember(subj0, true);
PermissionFinder.hasPermission(subj0, artsAndSciences, "read");
PermissionFinder.hasPermission(subj0, seniorAdmin, artsAndSciences, "read");
```
Role assignment vs individual assignment
...
jsmith is not allowed to Read Arts and Sciences (overall, or role specific), since an individual assignment trumps a generic role assignment.
GSH commands:
Role assignment vs individual assignment up the hierarchy
...
jsmith is allowed to Read Resource<Math> (overall, or role specific) since an individual assignment, even up the resource graph, trumps a generic role assignment. The user can read all resources.
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, false);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", artsAndSciences, subj0, PermissionAllowed.ALLOWED);
PermissionFinder.hasPermission(subj0, artsAndSciences, "read");
PermissionFinder.hasPermission(subj0, adminRole, artsAndSciences, "read");
```
Role assignment vs individual assignment up the hierarchy example 2
...
jsmith is not allowed to Read Resource<Math> (overall, or role specific) since an individual assignment, even up the resource graph, trumps a generic role assignment. The user cannot read any resources.
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.ALLOWED);
adminRole.addMember(subj0, false);
adminRole.getPermissionRoleDelegate().assignSubjectRolePermission("read", artsAndSciences, subj0, PermissionAllowed.DISALLOWED);
PermissionFinder.hasPermission(subj0, math, "read");
PermissionFinder.hasPermission(subj0, adminRole, math, "read");
```
Resource directed graph priority
...
User jsmith is denied Action<Read> of Resource<English> and Resource<Math>, since there are only inherited assignments and the assignment with the lower depth has priority.
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", all, PermissionAllowed.ALLOWED);
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, false);
PermissionFinder.hasPermission(subj0, math, "read");
PermissionFinder.hasPermission(subj0, adminRole, math, "read");
PermissionFinder.hasPermission(subj0, english, "read");
PermissionFinder.hasPermission(subj0, adminRole, english, "read");
```
Resource directed graph priority with tie
...
User jsmith is allowed Action<Read> of Resource<Math>, since there are only inherited assignments, they have the same depth, and one of them is ALLOW.
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", engineering, PermissionAllowed.ALLOWED);
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, false);
PermissionFinder.hasPermission(subj0, math, "read");
PermissionFinder.hasPermission(subj0, adminRole, math, "read");
```
Resource directed graph priority with tie and different actions
...
User jsmith is allowed Action<Read> of Resource<Math>, since there are only inherited assignments and the one with the lower depth wins: the resources tie in depth, but Action<ReadWrite> is closer to Read on the action graph than Action<Admin> is.
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("readWrite", engineering, PermissionAllowed.ALLOWED);
adminRole.getPermissionRoleDelegate().assignRolePermission("admin", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, false);
PermissionFinder.hasPermission(subj0, math, "read");
PermissionFinder.hasPermission(subj0, adminRole, math, "read");
```
Action directed graph priority
...
User jsmith is denied Action<Read> and Action<Write> of Resource<Math>, since there are only inherited assignments and the one with the lower depth wins (tie in resource depth; Read/Write is lower on the action graph than Action<Admin>).
GSH commands:
```java
adminRole.getPermissionRoleDelegate().assignRolePermission("read", all, PermissionAllowed.ALLOWED);
adminRole.getPermissionRoleDelegate().assignRolePermission("read", artsAndSciences, PermissionAllowed.DISALLOWED);
adminRole.addMember(subj0, true);
PermissionFinder.hasPermission(subj0, math, "read");
PermissionFinder.hasPermission(subj0, adminRole, math, "read");
// the action here is "write" (the configured actions are read, write, readWrite, admin); the
// page originally queried "english", which is a resource name, not an action
PermissionFinder.hasPermission(subj0, math, "write");
PermissionFinder.hasPermission(subj0, adminRole, math, "write");
```
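The three rules in the Algorithm summary, together with the individual-vs-role, direct-vs-inherited-role, resource-depth and action-depth cases worked through above, as an added stand-alone Python model that replays the page's GSH scenarios. This is example code, not Grouper's code and not the GSH API: `PermissionModel`, `has_permission`, `ranked_assignments`, `depth` and `replay_page_examples` are names chosen here; the role, resource and action graphs mirror the GSH setup at the top of the page; and the order in which the rules are compared (subject-specific assignment first, then role depth, resource depth, action depth, then ALLOW before DISALLOW) is an assumption read off the page's examples rather than Grouper's own scoring logic.

```python
# Added example, not Grouper code: a standalone model of the priority rules this page
# summarises (direct trumps inherited, lower depth trumps higher depth, ALLOW trumps
# DISALLOW on a tie) that replays the page's GSH scenarios.  ASSUMPTION: the order in
# which the rules are compared (subject-specific assignment, then role depth, resource
# depth, action depth, then ALLOW before DISALLOW) is read off the page's examples,
# not taken from Grouper's own scoring code.
from collections import deque

# parent -> children ("parent implies child"), mirroring the GSH setup on the page:
# addToAttributeDefNameSet, addToAttributeAssignActionSet, addRoleToInheritFromThis.
RESOURCES = {
    "all": ["engineering", "artsAndSciences"],
    "artsAndSciences": ["english", "math"],
    "engineering": ["math", "electricalEngineering", "chemicalEngineering"],
}
ACTIONS = {"admin": ["readWrite"], "readWrite": ["read", "write"]}
ROLES = {"seniorAdmin": ["adminRole"]}  # per the page's example, seniorAdmin members inherit adminRole's permissions
ALLOWED, DISALLOWED = True, False


def depth(graph, start, target):
    # shortest parent->child path length from start to target; None if unreachable
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, d = queue.popleft()
        if node == target:
            return d
        for child in graph.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, d + 1))
    return None


class PermissionModel:
    def __init__(self, memberships, role_perms=(), subject_perms=()):
        self.members = {}  # role -> set of subjects
        for role, subj in memberships:
            self.members.setdefault(role, set()).add(subj)
        # (role, action, resource, allowed, subject or None); a subject marks an individual assignment
        self.assignments = [(r, a, res, ok, None) for r, a, res, ok in role_perms]
        self.assignments += [(r, a, res, ok, s) for r, a, res, s, ok in subject_perms]

    def ranked_assignments(self, subject, resource, action, as_role=None):
        """All assignments reaching (subject, resource, action), best priority key first."""
        held = [r for r, subs in self.members.items() if subject in subs]
        if as_role is not None:  # "acting as" one role: only that membership counts
            held = [r for r in held if r == as_role]
        ranked = []
        for a_role, a_action, a_resource, allowed, a_subject in self.assignments:
            if a_subject is not None and a_subject != subject:
                continue
            role_ds = [d for d in (depth(ROLES, r, a_role) for r in held) if d is not None]
            res_d, act_d = depth(RESOURCES, a_resource, resource), depth(ACTIONS, a_action, action)
            if not role_ds or res_d is None or act_d is None:
                continue  # this assignment does not reach the subject, resource or action
            key = (0 if a_subject else 1, min(role_ds), res_d, act_d, 0 if allowed else 1)
            ranked.append((key, allowed))
        return sorted(ranked)

    def has_permission(self, subject, resource, action, as_role=None):
        """Lowest key decides; nothing reachable means deny."""
        ranked = self.ranked_assignments(subject, resource, action, as_role)
        return ranked[0][1] if ranked else False


def replay_page_examples():
    """Replay the page's GSH scenarios; each value is the has_permission outcome."""
    out = {}
    m = PermissionModel([("adminRole", "subj0"), ("user", "subj0")],
                        [("adminRole", "read", "artsAndSciences", ALLOWED),
                         ("user", "read", "artsAndSciences", DISALLOWED)])
    out["role_tie"] = (m.has_permission("subj0", "english", "read"),  # overall
                       m.has_permission("subj0", "english", "read", "adminRole"),
                       m.has_permission("subj0", "english", "read", "user"))
    m = PermissionModel([("seniorAdmin", "subj0")],
                        [("adminRole", "read", "artsAndSciences", DISALLOWED),
                         ("seniorAdmin", "read", "all", ALLOWED)])
    out["direct_role_beats_inherited"] = m.has_permission("subj0", "artsAndSciences", "read")
    m = PermissionModel([("adminRole", "subj0")], [("adminRole", "read", "artsAndSciences", ALLOWED)],
                        [("adminRole", "read", "artsAndSciences", "subj0", DISALLOWED)])
    out["individual_beats_role"] = m.has_permission("subj0", "math", "read")
    m = PermissionModel([("adminRole", "subj0")],
                        [("adminRole", "read", "all", ALLOWED),
                         ("adminRole", "read", "artsAndSciences", DISALLOWED)])
    out["resource_depth"] = (m.has_permission("subj0", "math", "read"),
                             m.has_permission("subj0", "math", "write"))  # nothing reaches write
    m = PermissionModel([("adminRole", "subj0")],
                        [("adminRole", "readWrite", "engineering", ALLOWED),
                         ("adminRole", "admin", "artsAndSciences", DISALLOWED)])
    out["action_depth"] = m.has_permission("subj0", "math", "read")
    return out
```

`replay_page_examples()` returns a dict whose entries correspond to the scenarios on this page: the role tie gives (allowed overall, allowed as Admin, denied as User); the direct Senior admin assignment beats the inherited Admin DISALLOW; the individual DISALLOW beats the role ALLOW even one level up the resource graph; the depth-1 DISALLOW on Arts and Sciences beats the depth-2 ALLOW on All for Math, and Write on Math is denied because no assignment reaches it; and the depth-1 ReadWrite ALLOW beats the depth-2 Admin DISALLOW. The `as_role` argument plays the part of the four-argument `PermissionFinder.hasPermission(subject, role, resource, action)` calls above. The design point worth noting for an authorization engine is the single sortable key: every precedence rule becomes one component of the tuple, so a decision can be explained by printing the winning key rather than by re-reading the rules.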