public interface RoleService
A role is a logical grouping of privileges and members. A role comprises the set of privileges required to perform actions by the users or groups assigned to it. A role is associated with and scoped to the context where it is defined. All repository context types that are configured with the membership capability are available for role management features.

A role created at a context using createRole(String, String, String, Set, Set) is considered a defined role, and therefore its metadata, privileges and members can all be modified through that instance. An existing role can also be inherited by additional role contexts that are immediate descendants of the context where it is defined. A role created using addInheritedRole(String, String, Set) is considered inherited at that context, and therefore its metadata and privileges cannot be modified there: the role is defined at a higher level and is only referenced at the lower level. The members assigned to the role at the inheriting context are the only items that can be modified. This inheritance model promotes the reuse of higher-level role definitions so that security constraints can be managed in a more global manner. A change in a higher-level role definition is automatically reflected in any lower inherited roles. The memberships of these roles are never shared; memberships within a role are always managed at the context where that role (defined or inherited) was created. To determine whether an existing role is defined or inherited, refer to RoleDescriptor.isInherited().

Members (users and groups) of a context may be assigned to the roles associated with that context, which grants them all the privileges included in the role. Once a privilege is granted within the repository hierarchy, the member holds that privilege at the context where it was granted and at all descendant contexts.
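The following walkthrough is an added example and is not SAS code or part of this Javadoc. It exercises the defined/inherited distinction and the grant-scoping rules described above against a RoleService instance supplied by the caller. It assumes the SAS types (RoleService, Role, RoleDescriptor, Principal and the exception types) are imported from their package, which this page does not name; it also assumes accessors Role.getId() and Role.setScopedPrivilegeIds(Set) exist, since the page does not list Role's own methods. The context ids, privilege ids and principals are caller-supplied inputs, with childCtx an immediate descendant of parentCtx.

```java
import java.util.Set;

// Added example, not part of the SAS Javadoc. RoleService, Role, RoleDescriptor,
// Principal and the exception types are assumed to be imported from their SAS
// package (not named on this page). Role.getId() and Role.setScopedPrivilegeIds(Set)
// are assumed accessors; the page does not document Role itself.
public final class RoleInheritanceWalkthrough {

    private RoleInheritanceWalkthrough() { }

    /**
     * Defines "report-viewer" at parentCtx (member: alice), inherits it at
     * childCtx (member: bob), and checks the scoping rules stated above.
     * readPrivilegeId and adminPrivilegeId must be existing scoped privileges;
     * alice and bob must be members of parentCtx and childCtx respectively.
     */
    public static void run(RoleService roles, String parentCtx, String childCtx,
                           String readPrivilegeId, String adminPrivilegeId,
                           Principal alice, Principal bob)
            throws RoleExistsException, RoleNotFoundException,
                   PrivilegeNotFoundException, InvalidRoleMemberException {

        // 1. Defined role: name, description, privileges and members are all editable here.
        Role defined = roles.createRole(parentCtx, "report-viewer",
                "Read-only access to reports", Set.of(readPrivilegeId), Set.of(alice));
        check(roles.roleExists(parentCtx, "report-viewer"), "defined role should exist at parent");

        // 2. Inherit it one level down. Only the member list is local to childCtx;
        //    the privilege set stays under the control of parentCtx.
        Role inherited = roles.addInheritedRole(childCtx, defined.getId(), Set.of(bob));
        RoleDescriptor view = roles.getRoleDescriptorById(inherited.getId());
        check(view.isInherited(), "role at child context should be flagged as inherited");
        check(roles.inheritedRoleExists(childCtx, defined.getId()),
              "child context should report an inherited role for the parent definition");

        // 3. A grant flows down the hierarchy, never up.
        check(roles.hasPrivilege(parentCtx, readPrivilegeId, alice), "alice granted at parent");
        check(roles.hasPrivilege(childCtx, readPrivilegeId, alice), "alice's grant reaches the child");
        check(roles.hasPrivilege(childCtx, readPrivilegeId, bob), "bob granted at child");
        check(!roles.hasPrivilege(parentCtx, readPrivilegeId, bob), "bob's grant must not reach the parent");

        // 4. Escalating privileges through the inherited copy is rejected: the
        //    privilege set belongs to the defining context, so only members may change here.
        boolean rejected = false;
        try {
            inherited.setScopedPrivilegeIds(Set.of(readPrivilegeId, adminPrivilegeId)); // assumed setter
            roles.updateRole(inherited);
        } catch (RoleUpdateException e) {
            rejected = true;
        }
        check(rejected, "changing privileges on an inherited role should throw RoleUpdateException");

        // 5. Deleting the definition cascades to every inherited copy, which
        //    also withdraws the grants that came with it.
        roles.deleteRole(defined.getId());
        check(!roles.inheritedRoleExists(childCtx, defined.getId()), "inherited copy removed by cascade");
        check(!roles.hasPrivilege(childCtx, readPrivilegeId, bob), "bob's grant gone after cascade delete");
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }
}
```

Step 4 is the security-relevant property of the model: an administrator of a child context can decide who holds a role there, but cannot widen what the role grants; that decision stays with the owner of the defining context. Step 5 shows the flip side: deleting or changing the parent definition changes effective access in every inheriting context at once, so such changes deserve the same review as a direct grant.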
Modifier and Type | Method and Description |
---|---|
Role | `addInheritedRole(String contextId, String inheritedRoleId, Set<Principal> members)` Adds an inherited role at the specified context. |
Role | `createRole(String contextId, String name, String description, Set<String> scopedPrivilegeIds, Set<Principal> members)` Creates a defined role at the specified context. |
void | `deleteRole(String roleId)` Deletes the role as well as all inherited roles created from the role. |
Set<RoleDescriptor> | `getInheritedRoleDescriptorsByRole(String roleId)` Gets all inherited roles across contexts that are associated with the specified role. |
Role | `getRoleById(String roleId)` Gets a role given its identifier. |
Role | `getRoleByName(String contextId, String name)` Gets a defined role by specifying its context and name. |
RoleDescriptor | `getRoleDescriptorById(String roleId)` Gets a role descriptor given its identifier. |
RoleDescriptor | `getRoleDescriptorByName(String contextId, String name)` Gets a defined role descriptor by specifying its context and name. |
Set<RoleDescriptor> | `getRoleDescriptorsByContext(String contextId)` Gets the lightweight representations of all roles that exist at the specified context. |
Set<RoleDescriptor> | `getRoleDescriptorsByContextAndPrincipal(String contextId, Principal member)` Gets all of the roles at the specified context that the specified principal is a member of. |
Set<RoleDescriptor> | `getRoleDescriptorsByContextAndPrivilege(String contextId, String scopedPrivilegeId)` Gets all of the roles at a given context that include the specified privilege. |
Set<Role> | `getRolesByContext(String contextId)` Gets all of the roles that exist at the specified context. |
Set<Role> | `getRolesByIds(Set<String> roleIds)` Gets the set of roles given their identifiers. |
boolean | `hasPrivilege(String contextId, String scopedPrivilegeId, Principal member)` Indicates whether the specified principal has the scoped privilege at the given context, including grants made at an ancestor context. |
boolean | `inheritedRoleExists(String contextId, String roleId)` Indicates whether an inherited role exists at the specified context for the specified parent role. |
boolean | `isPrincipalInRole(String roleId, Principal principal)` Indicates whether the principal is a member of the specified role. |
void | `removePrincipalFromRoles(String contextId, Principal member)` Removes the specified principal from all roles at the specified context. |
void | `removePrincipalsFromRoles(String contextId, Set<Principal> members)` Removes the specified principals from all roles at the specified context. |
boolean | `roleExists(String contextId, String name)` Indicates whether a defined role exists at the specified context with the specified name. |
Role | `updateRole(Role role)` Updates the name, description, privileges or members of the specified role. |
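Two operational helpers built on the methods in the table, added here as an example and not taken from SAS code. The first reports, for a sensitive scoped privilege, every role at a context that carries it and whether the privilege set is controllable there or only at the defining ancestor. The second performs a deprovisioning sweep and then verifies it, because removePrincipalFromRoles() acts on one context only while hasPrivilege() also honours grants made at ancestors. Assumptions: the SAS types are imported from their package (not named on this page); RoleDescriptor.getName() is an assumed accessor (isInherited() is documented above); the list of ancestor contexts is supplied by the caller, since this page shows no API for walking the context hierarchy.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not SAS code. RoleService, RoleDescriptor, Principal and
// PrivilegeNotFoundException are assumed imported from their SAS package (not
// named on this page). RoleDescriptor.getName() is an assumed accessor.
public final class PrivilegeAudit {

    private PrivilegeAudit() { }

    /**
     * Lists every role at contextId that carries the given scoped privilege and
     * says where its privilege set can actually be changed. For an inherited
     * role the answer is "not here": updateRole() on it throws
     * RoleUpdateException, so the finding must go to the owner of the
     * defining (ancestor) context.
     */
    public static List<String> whereIsPrivilegeGranted(RoleService roles, String contextId,
                                                       String scopedPrivilegeId)
            throws PrivilegeNotFoundException {
        List<String> findings = new ArrayList<>();
        for (RoleDescriptor rd : roles.getRoleDescriptorsByContextAndPrivilege(contextId, scopedPrivilegeId)) {
            String owner = rd.isInherited()
                    ? "inherited; privilege set controlled at the defining context"
                    : "defined at " + contextId + "; privilege set editable here";
            findings.add(rd.getName() + ": " + owner);
        }
        return findings;
    }

    /**
     * Removes a departing principal from every role at contextId and at each
     * ancestor context the caller names, then reports whether the privilege is
     * still effective at contextId. Removal at a single context is not a
     * revocation: a grant made higher up still reaches every descendant.
     */
    public static boolean revokeEverywhereAndVerify(RoleService roles, String contextId,
                                                    List<String> ancestorContextIds,
                                                    String scopedPrivilegeId, Principal member) {
        roles.removePrincipalFromRoles(contextId, member);
        for (String ancestor : ancestorContextIds) {
            roles.removePrincipalFromRoles(ancestor, member);
        }
        // true here means the principal still holds the privilege through a
        // context not covered above (or through a group membership the sweep
        // did not touch); treat it as an incomplete deprovisioning, not success.
        return roles.hasPrivilege(contextId, scopedPrivilegeId, member);
    }
}
```

The verification step matters more than the sweep: hasPrivilege() is the only call on this interface that answers the effective-access question across the hierarchy, so an offboarding job should end with it rather than assume that the per-context removals were sufficient.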
Role createRole(String contextId, String name, String description, Set<String> scopedPrivilegeIds, Set<Principal> members) throws RoleExistsException, PrivilegeNotFoundException, InvalidRoleMemberException
Creates a defined role at the specified context.
Parameters:
contextId - the context where the role definition will be created.
name - the name of the role.
description - the description of the role.
scopedPrivilegeIds - the scoped privileges to be included in the role.
members - the principals to assign to this role.
Throws:
RoleExistsException - thrown when a role already exists with this name at the specified context.
PrivilegeNotFoundException - thrown when a privilege provided is not defined or is not a scoped privilege.
InvalidRoleMemberException - thrown if a principal being added is not a member of the context.

Role addInheritedRole(String contextId, String inheritedRoleId, Set<Principal> members) throws RoleExistsException, RoleNotFoundException, InvalidRoleMemberException
Adds an inherited role at the specified context.
Parameters:
contextId - the context to assign the inherited role.
inheritedRoleId - the role identifier of the parent context role definition.
members - the principals to assign to this inherited role.
Throws:
RoleExistsException - thrown if this role is already inherited at this context.
RoleNotFoundException - thrown if the role specified does not exist or does not exist at the parent context.
InvalidRoleMemberException - thrown if a principal being added is not a member of the context.

Role updateRole(Role role) throws RoleNotFoundException, RoleExistsException, RoleUpdateException, PrivilegeNotFoundException, InvalidRoleMemberException
Updates the name, description, privileges or members of the specified role. If the role is an inherited role, only its members may be changed; if its name, description or privileges are changed, a RoleUpdateException will be thrown.
Parameters:
role - the role to update.
Throws:
RoleNotFoundException - thrown if the role specified does not exist.
RoleExistsException - thrown when a new name specified in the update request already exists for the specified context.
RoleUpdateException - thrown when the name, description or privileges are updated on an inherited role.
PrivilegeNotFoundException - thrown when a privilege provided is not defined or is not a scoped privilege.
InvalidRoleMemberException - thrown if a principal being added is not a member of the context.

void deleteRole(String roleId) throws RoleNotFoundException
Deletes the role as well as all inherited roles created from the role.
Parameters:
roleId - the identifier of the role to delete.
Throws:
RoleNotFoundException - thrown if the specified role does not exist.

boolean roleExists(String contextId, String name)
Indicates whether a defined role exists at the specified context with the specified name.
Parameters:
contextId - the context to test.
name - the name of the role to test.
Returns:
true if a role with the specified name is defined at the context, false otherwise.

boolean inheritedRoleExists(String contextId, String roleId)
Indicates whether an inherited role exists at the specified context for the specified parent role.
Parameters:
contextId - the context to search.
roleId - the identifier of the parent role to search for.
Returns:
true if an inherited role exists at the specified context, false otherwise.

Role getRoleByName(String contextId, String name) throws RoleNotFoundException
Gets a defined role by specifying its context and name.
Parameters:
contextId - the context to search.
name - the name of the role to search for.
Throws:
RoleNotFoundException - thrown if the specified role does not exist.

RoleDescriptor getRoleDescriptorByName(String contextId, String name) throws RoleNotFoundException
Gets a defined role descriptor by specifying its context and name.
Parameters:
contextId - the context to search.
name - the name of the role to search for.
Throws:
RoleNotFoundException - thrown if the specified role does not exist.

Role getRoleById(String roleId) throws RoleNotFoundException
Gets a role given its identifier.
Parameters:
roleId - the identifier of the desired role.
Throws:
RoleNotFoundException - thrown when the specified role does not exist.

RoleDescriptor getRoleDescriptorById(String roleId) throws RoleNotFoundException
Gets a role descriptor given its identifier.
Parameters:
roleId - the identifier of the desired role descriptor.
Throws:
RoleNotFoundException - thrown when the specified role does not exist.

Set<Role> getRolesByIds(Set<String> roleIds)
Gets the set of roles given their identifiers.
Parameters:
roleIds - the identifiers of the roles to search for.

Set<Role> getRolesByContext(String contextId)
Gets all of the roles that exist at the specified context.
Parameters:
contextId - the context to search.

Set<RoleDescriptor> getRoleDescriptorsByContext(String contextId)
Gets the lightweight representations of all roles that exist at the specified context.
Parameters:
contextId - the context to search.

void removePrincipalFromRoles(String contextId, Principal member)
Removes the specified principal from all roles at the specified context.
Parameters:
contextId - the context to search.
member - the principal to remove from all roles at the specified context.

void removePrincipalsFromRoles(String contextId, Set<Principal> members)
Removes the specified principals from all roles at the specified context.
Parameters:
contextId - the context to search.
members - the set of principals to remove from all roles at the specified context.

boolean isPrincipalInRole(String roleId, Principal principal)
Indicates whether the principal is a member of the specified role.
Parameters:
roleId - the role identifier to search.
principal - the principal to search for.
Returns:
true if the principal is a member of the specified role, false otherwise.

Set<RoleDescriptor> getRoleDescriptorsByContextAndPrincipal(String contextId, Principal member)
Gets all of the roles at the specified context that the specified principal is a member of.
Parameters:
contextId - the context to search.
member - the principal to search for.

Set<RoleDescriptor> getRoleDescriptorsByContextAndPrivilege(String contextId, String scopedPrivilegeId) throws PrivilegeNotFoundException
Gets all of the roles at a given context that include the specified privilege.
Parameters:
contextId - the context to search.
scopedPrivilegeId - the scoped privilege in question.
Throws:
PrivilegeNotFoundException - thrown when the privilege provided is not defined or is not a scoped privilege.

Set<RoleDescriptor> getInheritedRoleDescriptorsByRole(String roleId) throws RoleNotFoundException
Gets all inherited roles across contexts that are associated with the specified role.
Parameters:
roleId - the role identifier to search for.
Throws:
RoleNotFoundException - thrown when the specified role does not exist.

boolean hasPrivilege(String contextId, String scopedPrivilegeId, Principal member)
Indicates whether the specified principal has the scoped privilege at the given context. If the privilege specified is not a scoped privilege, PrivilegeNotFoundException will be thrown, as those are not context-based privileges. Will return true if the member has been granted the privilege at a higher context.
Parameters:
contextId - the context to search.
scopedPrivilegeId - the scoped privilege to search for.
member - the principal to check.
Returns:
true if the specified principal has the scoped privilege assigned to them at the specified context or above, false otherwise.

Copyright (c) 2020, SAS Institute Inc., Cary, NC, USA