Authorization (camunda BPM - engine 7.4.0 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.camunda.bpm.engine.authorization
Interface Authorization

All Known Implementing Classes:: AuthorizationEntity

public interface Authorization

An Authorization assigns a set of Permissions to an identity to interact with a given Resource.

EXAMPLES:

User 'jonny' is authorized to start new instances of the 'invoice' process
Group 'marketing' is not authorized to cancel process instances.
Group 'marketing' is not allowed to use the tasklist application.
Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.

Identities

camunda BPM distinguished two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual User or a Group of users.

Permissions

A Permission defines the way an identity is allowed to interact with a certain resource. Examples of permissions are CREATE, READ, UPDATE, DELETE, ... See Permissions for a set of built-in permissions.

A single authorization object may assign multiple permissions to a single user and resource:

 authorization.addPermission(Permissions.READ);
 authorization.addPermission(Permissions.WRITE);
 authorization.addPermission(Permissions.DELETE);

On top of the built-in permissions, camunda BPM allows using custom permission types.

Resources

Resources are the entities the user interacts with. Examples of resources are GROUPS, USERS, process-definitions, process-instances, tasks ... See Resources for a set of built-in resource. The camunda BPM framework supports custom resources.

Authorization Type

There are three types of authorizations:

Global Authorizations (AUTH_TYPE_GLOBAL) range over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
Grant Authorizations (AUTH_TYPE_GRANT) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
Revoke Authorizations (AUTH_TYPE_REVOKE) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.

Authorization Precedence

Authorizations may range over all users, an individual user or a group of users or . They may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:

An authorization applying to an individual resource instance preceds over an authorization applying to all instances of the same resource type.
An authorization for an individual user preceds over an authorization for a group.
A Group authorization preced over a GLOBAL authorization.
A Group REVOKE authorization preced over a Group GRANT authorization.

Since:: 7.0
Author:: Daniel Meyer

Field Summary
`static String`	`ANY` The identifier used for relating to all users or all resourceIds.
`static int`	`AUTH_TYPE_GLOBAL` A Global Authorization ranges over all users and groups (userId = `ANY`) and are usually used for fixing the "base" permission for a resource.
`static int`	`AUTH_TYPE_GRANT` A Grant Authorization ranges over a users or a group and grants a set of permissions.
`static int`	`AUTH_TYPE_REVOKE` A Revoke Authorization ranges over a user or a group and revokes a set of permissions.

Method Summary
`void`	`addPermission(Permission permission)` allows granting a permission.
`int`	`getAuthorizationType()` The type og the authorization.
`String`	`getGroupId()`
`String`	`getId()`
`Permission[]`	`getPermissions(Permission[] permissions)` Allows checking whether this authorization grants / revokes a set of permissions.
`String`	`getResourceId()`
`int`	`getResourceType()`
`String`	`getUserId()`
`boolean`	`isEveryPermissionGranted()` Allows checking whether this authorization grants every single permission.
`boolean`	`isEveryPermissionRevoked()` Allows checking whether this authorization revokes every single permission.
`boolean`	`isPermissionGranted(Permission permission)` Allows checking whether this authorization grants a specific permission.
`boolean`	`isPermissionRevoked(Permission permission)` Allows checking whether this authorization revokes a specific permission.
`void`	`removePermission(Permission permission)` allows removing a permission.
`void`	`setGroupId(String groupId)` set the id of the group this authorization is created for
`void`	`setPermissions(Permission[] permissions)` Sets the permissions to the provided value.
`void`	`setResource(Resource resource)` sets the type of the resource
`void`	`setResourceId(String resourceId)` set the id of the resource
`void`	`setResourceType(int resourceTypeId)` sets the type of the resource
`void`	`setUserId(String userId)` set the id of the user this authorization is created for

Field Detail

AUTH_TYPE_GLOBAL

static final int AUTH_TYPE_GLOBAL

A Global Authorization ranges over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.

See Also:: Constant Field Values

AUTH_TYPE_GRANT

static final int AUTH_TYPE_GRANT

A Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.

See Also:: Constant Field Values

AUTH_TYPE_REVOKE

static final int AUTH_TYPE_REVOKE

A Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.

See Also:: Constant Field Values

ANY

static final String ANY

The identifier used for relating to all users or all resourceIds. Cannot be used for groups.

See Also:: Constant Field Values

Method Detail

addPermission

void addPermission(Permission permission)

allows granting a permission. Out-of-the-box constants can be found in Permissions.

removePermission

void removePermission(Permission permission)

allows removing a permission. Out-of-the-box constants can be found in Permissions.

isPermissionGranted

boolean isPermissionGranted(Permission permission)

Allows checking whether this authorization grants a specific permission.

Parameters:: perm - the permission to check for
Throws:: IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE

isPermissionRevoked

boolean isPermissionRevoked(Permission permission)

Allows checking whether this authorization revokes a specific permission.

Parameters:: perm - the permission to check for
Throws:: IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT

isEveryPermissionGranted

boolean isEveryPermissionGranted()

Allows checking whether this authorization grants every single permission.

Returns:: true if every single permission is granted otherwise false
Throws:: IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE

isEveryPermissionRevoked

boolean isEveryPermissionRevoked()

Allows checking whether this authorization revokes every single permission.

Returns:: true if every single permission is revoked otherwise false
Throws:: IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT

getPermissions

Permission[] getPermissions(Permission[] permissions)

Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used: Permissions.values() The return value of this method depends on the type of the authorization:

For AUTH_TYPE_GLOBAL: all permissions in the parameter list granted by this authorization are returned.
For AUTH_TYPE_GRANT: all permissions in the parameter list granted by this authorization are returned.
For AUTH_TYPE_REVOKE: all permissions in the parameter list revoked by this authorization are returned.

Parameters:: an - array of permissions to check for.
Returns:: Returns the set of Permissions provided by this Authorization.

setPermissions

void setPermissions(Permission[] permissions)

Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:

For AUTH_TYPE_GLOBAL: all provided permissions are granted.
For AUTH_TYPE_GRANT: all provided permissions are granted.
For AUTH_TYPE_REVOKE: all provided permissions are revoked.

Parameters:: a - set of permissions.

getId

String getId()

Returns:: the ID of the Authorization object

setResourceId

void setResourceId(String resourceId)

set the id of the resource

getResourceId

String getResourceId()

Returns:: the id of the resource

setResourceType

void setResourceType(int resourceTypeId)

sets the type of the resource

setResource

void setResource(Resource resource)