<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.8.1
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Creation-yyyymmdd" content="20070514" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Redback &#x2013; Redback Role Management</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.6.min.js"></script>
</head>
<body class="topBarEnabled">
<a href="https://github.com/apache/archiva-redback-core">
<img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png"
alt="Fork me on GitHub">
</a>
<div id="topbar" class="navbar navbar-fixed-top ">
<div class="navbar-inner">
<div class="container"><div class="nav-collapse">
<ul class="nav">
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="../index.html" title="Introduction">Introduction</a></li>
<li><a href="../authentication.html" title="Authentication">Authentication</a></li>
<li><a href="../authorization.html" title="Authorization">Authorization</a></li>
<li><a href="../user-management.html" title="User Management">User Management</a></li>
<li><a href="../key-store.html" title="Key Stores">Key Stores</a></li>
<li><a href="../configuration.html" title="Configuration">Configuration</a></li>
<li class="dropdown-submenu">
<a href="../rbac/introduction.html" title="Role Based Access Control">Role Based Access Control</a>
<ul class="dropdown-menu">
<li><a href="../rbac/role-management.html" title="Role Management">Role Management</a></li>
</ul>
</li>
<li><a href="../integration/ldap.html" title="Ldap">Ldap</a></li>
<li><a href="../integration/rest.html" title="Rest">Rest</a></li>
<li class="dropdown-submenu">
<a href="../" title="Module Documentation">Module Documentation</a>
<ul class="dropdown-menu">
<li><a href="../core/${archivaReleaseVersion}/" title="Release 2.6">Release 2.6</a></li>
<li><a href="../core/${archivaCurrentDevVersion}/" title="Dev 3.0.0-SNAPSHOT">Dev 3.0.0-SNAPSHOT</a></li>
</ul>
</li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Development <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="../development/extending-authn.html" title="Extending Redback Authentication">Extending Redback Authentication</a></li>
<li><a href="http://archiva.apache.org/redback/core" title="Redback Core">Redback Core</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">ASF <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.apache.org/foundation/how-it-works.html" title="How Apache Works">How Apache Works</a></li>
<li><a href="http://www.apache.org/foundation/" title="Foundation">Foundation</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html" title="Sponsoring Apache">Sponsoring Apache</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a></li>
</ul>
</li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Project Documentation <b class="caret"></b></a>
<ul class="dropdown-menu">
<li class="dropdown-submenu">
<a href="../project-info.html" title="Project Information">Project Information</a>
<ul class="dropdown-menu">
<li><a href="../ci-management.html" title="CI Management">CI Management</a></li>
<li><a href="../mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li>
<li><a href="../issue-management.html" title="Issue Management">Issue Management</a></li>
<li><a href="../licenses.html" title="Licenses">Licenses</a></li>
<li><a href="../team.html" title="Team">Team</a></li>
<li><a href="../scm.html" title="Source Code Management">Source Code Management</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<form id="search-form" action="https://www.google.com/search" method="get" class="navbar-search pull-right" >
<input value="http://archiva.apache.org/redback" name="sitesearch" type="hidden"/>
<input class="search-query" name="q" id="query" type="text" />
</form>
<script type="text/javascript">asyncJs( 'https://cse.google.com/brand?form=search-form' )</script>
</div>
</div>
</div>
</div>
<div class="container">
<div id="banner">
<div class="pull-left"><a href="http://archiva.apache.org/redback" id="bannerLeft"><img src="../images/redback.jpg" alt="Redback"/></a></div>
<div class="pull-right"><a href="http://www.apache.org/" id="bannerRight"><img src="https://www.apache.org/images/asf_logo_wide_2016.png" alt="Apache Software Foundation"/></a></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class=""><a href="https://www.apache.org" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li>
<li class=""><a href="../../" title="Archiva">Archiva</a><span class="divider">/</span></li>
<li class=""><a href="../" title="Redback">Redback</a><span class="divider">/</span></li>
<li class="active ">Redback Role Management</li>
<li id="publishDate" class="pull-right">Last Published: 2019-11-29</li>
</ul>
</div>
<div id="bodyColumn" >
<div class="section">
<h2><a name="Role_Management"></a>Role Management</h2>
<p>Managing roles in an application with Redback is governed through an implementation of the Role Manager, an interface defined in the redback-rbac-role-manager artifact that encapsulates the most common role-related activities: assigning roles to users, creating and removing roles based on templates (more on this later), and simple checks for whether a role exists.</p>
<div class="section">
<h3><a name="Role_Specification"></a>Role Specification</h3>
<p>The default implementation of the role manager loads roles from a series of resources discovered on your classpath. The root of these files is looked up as:</p>
<div class="source"><pre class="prettyprint">
META-INF/redback/redback-core.xml
</pre></div>
<p>This lets you establish a basic set of resources, operations, roles and role templates that all other referencing applications can extend. Additional files are loaded from:</p>
<div class="source"><pre class="prettyprint">
META-INF/redback/redback.xml
</pre></div>
<p>Each of these files follows the same model, the one defined by the XSD that Modello generates for the role model.</p>
<div class="section">
<h4><a name="Basic_Format"></a>Basic Format</h4>
<div class="source"><pre class="prettyprint">
&lt;redback-role-model&gt;
  &lt;resources&gt;
    &lt;resource&gt;
      &lt;id&gt;cornflakes&lt;/id&gt;
      &lt;name&gt;cornflakes&lt;/name&gt;
      &lt;permanent&gt;true&lt;/permanent&gt;
      &lt;description&gt;my breakfast cereal&lt;/description&gt;
    &lt;/resource&gt;
  &lt;/resources&gt;
  &lt;operations&gt;
    &lt;operation&gt;
      &lt;id&gt;eat&lt;/id&gt;
      &lt;name&gt;Eat&lt;/name&gt;
      &lt;description&gt;eat something&lt;/description&gt;
    &lt;/operation&gt;
  &lt;/operations&gt;
  &lt;roles&gt;
    &lt;role&gt;
      &lt;id&gt;can-eat-cornflakes&lt;/id&gt;
      &lt;name&gt;Role for happy cornflake eaters&lt;/name&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;eat-cornflakes-permission&lt;/id&gt;
          &lt;operation&gt;eat&lt;/operation&gt;
          &lt;resource&gt;cornflakes&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
    &lt;/role&gt;
  &lt;/roles&gt;
  &lt;templates&gt;
    &lt;template&gt;
      &lt;id&gt;eater-template&lt;/id&gt;
      &lt;namePrefix&gt;Eater of&lt;/namePrefix&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;eat-cornflakes-permission&lt;/id&gt;
          &lt;operation&gt;eat&lt;/operation&gt;
          &lt;resource&gt;${resource}&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
    &lt;/template&gt;
  &lt;/templates&gt;
&lt;/redback-role-model&gt;
</pre></div></div>
<div class="section">
<h4><a name="Resources"></a>Resources</h4>
<p>Resources are the entities in role based access control that roles provide access to, through the binding of a resource with an operation in the form of a permission. In the example above, 'cornflakes' is the resource in play.</p></div>
<div class="section">
<h4><a name="Operations"></a>Operations</h4>
<p>Operations are conceptually actions that can be performed, somewhat akin to verbs in the English language. 'Eat' in the example above is an action that can be performed on any given resource.</p></div>
<div class="section">
<h4><a name="Roles"></a>Roles</h4>
<p>Roles are assignable entities that grant permissions to their assignees. In this example, a user that has the can-eat-cornflakes role assigned can...eat cornflakes.</p></div>
<div class="section">
<h4><a name="Permissions"></a>Permissions</h4>
<p>Permissions are the component of a role or role template that binds an operation and a resource together into a form that is useful for authorization. In this simple example the 'eat' operation is paired with the 'cornflakes' resource, which effectively allows assignees to eat their cornflakes.</p></div>
<div class="section">
<h4><a name="Templates"></a>Templates</h4>
<p>Templates address a fundamental issue in role based access control systems: resources that do not yet exist at the time the roles are specified. For example, it would be virtually impossible to specify every food you might encounter in life when the application is written. The 'eater-template' above addresses this. If you are exposed to 'tiramisu', that is created as a resource at runtime and the eater-template is then run with tiramisu as its target resource (note the ${resource} placeholder, which is substituted with the resource id). Because the resource id is supplied at runtime and becomes part of the generated role, validate it before instantiating the template.</p></div></div>
<div class="section">
<h3><a name="Role_Inheritance"></a>Role Inheritance</h3>
<p>Roles and role templates would be woefully boring and tedious to work with if there were no concept of inheritance. Inheritance is also expressed through the model above.</p>
<div class="source"><pre class="prettyprint">
META-INF/redback/redback-core.xml
&lt;redback-role-model&gt;
  &lt;resources&gt;
    &lt;resource&gt;
      &lt;id&gt;cornflakes&lt;/id&gt;
      &lt;name&gt;cornflakes&lt;/name&gt;
      &lt;permanent&gt;true&lt;/permanent&gt;
      &lt;description&gt;my breakfast cereal&lt;/description&gt;
    &lt;/resource&gt;
    &lt;resource&gt;
      &lt;id&gt;milk&lt;/id&gt;
      &lt;name&gt;milk&lt;/name&gt;
      &lt;permanent&gt;true&lt;/permanent&gt;
      &lt;description&gt;white stuff from cows&lt;/description&gt;
    &lt;/resource&gt;
  &lt;/resources&gt;
  &lt;operations&gt;
    &lt;operation&gt;
      &lt;id&gt;eat&lt;/id&gt;
      &lt;name&gt;Eat&lt;/name&gt;
      &lt;description&gt;eat something&lt;/description&gt;
    &lt;/operation&gt;
    &lt;operation&gt;
      &lt;id&gt;drink&lt;/id&gt;
      &lt;name&gt;Drink&lt;/name&gt;
      &lt;description&gt;drink something&lt;/description&gt;
    &lt;/operation&gt;
  &lt;/operations&gt;
  &lt;roles&gt;
    &lt;role&gt;
      &lt;id&gt;can-eat-cornflakes&lt;/id&gt;
      &lt;name&gt;Role for happy cornflake eaters&lt;/name&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;eat-cornflakes-permission&lt;/id&gt;
          &lt;operation&gt;eat&lt;/operation&gt;
          &lt;resource&gt;cornflakes&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
    &lt;/role&gt;
    &lt;role&gt;
      &lt;id&gt;can-drink-milk&lt;/id&gt;
      &lt;name&gt;Role for milk drinkers&lt;/name&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;drink-milk-permission&lt;/id&gt;
          &lt;operation&gt;drink&lt;/operation&gt;
          &lt;resource&gt;milk&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
    &lt;/role&gt;
    &lt;role&gt;
      &lt;id&gt;bowl-drinker&lt;/id&gt;
      &lt;name&gt;Bowl Drinker&lt;/name&gt;
      &lt;childRoles&gt;
        &lt;childRole&gt;can-eat-cornflakes&lt;/childRole&gt;
        &lt;childRole&gt;can-drink-milk&lt;/childRole&gt;
      &lt;/childRoles&gt;
    &lt;/role&gt;
  &lt;/roles&gt;
  &lt;templates&gt;
    &lt;template&gt;
      &lt;id&gt;eater-template&lt;/id&gt;
      &lt;namePrefix&gt;Eater of&lt;/namePrefix&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;eat-cornflakes-permission&lt;/id&gt;
          &lt;operation&gt;eat&lt;/operation&gt;
          &lt;resource&gt;${resource}&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
      &lt;childRoles&gt;
        &lt;childRole&gt;can-drink-milk&lt;/childRole&gt;
      &lt;/childRoles&gt;
    &lt;/template&gt;
  &lt;/templates&gt;
&lt;/redback-role-model&gt;
</pre></div>
<p>With this example we have added another resource and operation, which combine to allow a user to drink milk. We also added a new role called 'bowl-drinker' which has no permissions of its own but illustrates the childRole concept: someone with this role effectively holds both child roles, which together allow them to eat their cornflakes in the morning and then drink the milk.</p>
<p>The can-drink-milk role has also been added as a child role of the eater-template, so a user assigned a role created from that template can automatically drink milk with any meal that is created at runtime.</p>
<div class="section">
<h4><a name="Parent_Roles"></a>Parent Roles</h4>
<p>Since roles can be loaded from different redback.xml files, it is possible to reference roles in the redback-core.xml file and have them add a child relationship to your role. An example of this is in play in both Continuum and Archiva: each of these applications defines an extension of the System Administrator role that is created in the redback-xwork-integration artifact (where the redback-core.xml is). These extensions simply add:</p>
<div class="source"><pre class="prettyprint">
&lt;role&gt;
  ....
  &lt;parentRoles&gt;
    &lt;parentRole&gt;system-administrator&lt;/parentRole&gt;
  &lt;/parentRoles&gt;
&lt;/role&gt;
</pre></div>
<p>At role creation the role manager then knows to have the System Administrator role create a child role relationship with the new role, so a system administrator inherits everything the extension role grants.</p></div>
<div class="section">
<h4><a name="Child_and_Parent_Templates"></a>Child and Parent Templates</h4>
<p>Templates can also have child and parent relationships; these are all established at runtime.</p>
<p>NOTE: Roles cannot declare childTemplate or parentTemplate relationships, since roles are created at startup time. One way around this restriction is to add an aggregator role.</p></div>
<div class="section">
<h4><a name="Aggregator_Roles"></a>Aggregator Roles</h4>
<p>One very useful role pattern to keep track of is the aggregator role. An example:</p>
<div class="source"><pre class="prettyprint">
META-INF/redback/redback-core.xml
&lt;redback-role-model&gt;
  ...
  &lt;roles&gt;
    ...
    &lt;role&gt;
      &lt;id&gt;eater-aggregator&lt;/id&gt;
      &lt;name&gt;Eat Lots Role&lt;/name&gt;
    &lt;/role&gt;
  &lt;/roles&gt;
  &lt;templates&gt;
    &lt;template&gt;
      &lt;id&gt;eater-template&lt;/id&gt;
      &lt;namePrefix&gt;Eater of&lt;/namePrefix&gt;
      &lt;permissions&gt;
        &lt;permission&gt;
          &lt;id&gt;eat-cornflakes-permission&lt;/id&gt;
          &lt;operation&gt;eat&lt;/operation&gt;
          &lt;resource&gt;${resource}&lt;/resource&gt;
        &lt;/permission&gt;
      &lt;/permissions&gt;
      &lt;parentRoles&gt;
        &lt;parentRole&gt;eater-aggregator&lt;/parentRole&gt;
      &lt;/parentRoles&gt;
    &lt;/template&gt;
  &lt;/templates&gt;
&lt;/redback-role-model&gt;
</pre></div>
<p>In this example you can see that there is a role created at startup time called eater-aggregator. Initially this role has nothing in it: no permissions, no child roles, it is totally empty. You can assign this role to someone and they gain no permissions. However, as new roles are created from the eater-template, anyone that has the eater-aggregator role assigned automatically picks up the permissions of each of these new roles. Treat an aggregator role as a growing grant: its effective permission set expands every time the template is instantiated, so assign it only to users who should have access to every resource the template will ever be applied to.</p></div></div></div>
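<p>The following Python program is an added example, not code from this page or from the Redback project. It re-implements the semantics described above (permissions, childRoles, parentRoles, template instantiation with ${resource}, and the aggregator pattern) as a small resolver over a role-model document, so you can see the effective permission set of a role before and after a template is instantiated at runtime. The sample document is constructed for the example and adapted from the page's cornflakes/milk model: can-drink-milk attaches itself to bowl-drinker through parentRoles rather than a childRole entry, so both mechanisms are exercised. The generated role id of <code>&lt;template&gt;.&lt;resource&gt;</code>, the role name built from namePrefix, and the regular expression that constrains runtime resource ids are assumptions of the example, not Redback's own rules.</p>

```python
"""Added example: resolve a redback-role-model document into effective permissions.
Hypothetical re-implementation of the semantics the page describes, not Redback's
own RoleManager. Assumed: generated role ids take the form '<template>.<resource>'."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's cornflakes/milk roles, with can-drink-milk attached
# to bowl-drinker via parentRoles, plus an empty aggregator role a template names as parent.
MODEL_XML = """<redback-role-model>
 <resources><resource><id>cornflakes</id><name>cornflakes</name><permanent>true</permanent></resource>
  <resource><id>milk</id><name>milk</name><permanent>true</permanent></resource></resources>
 <operations><operation><id>eat</id><name>Eat</name></operation>
  <operation><id>drink</id><name>Drink</name></operation></operations>
 <roles>
  <role><id>can-eat-cornflakes</id><name>Cornflake eater</name><permissions><permission>
   <id>eat-cornflakes-permission</id><operation>eat</operation><resource>cornflakes</resource>
   </permission></permissions></role>
  <role><id>can-drink-milk</id><name>Milk drinker</name><permissions><permission>
   <id>drink-milk-permission</id><operation>drink</operation><resource>milk</resource>
   </permission></permissions><parentRoles><parentRole>bowl-drinker</parentRole></parentRoles></role>
  <role><id>bowl-drinker</id><name>Bowl Drinker</name>
   <childRoles><childRole>can-eat-cornflakes</childRole></childRoles></role>
  <role><id>eater-aggregator</id><name>Eat Lots Role</name></role>
 </roles>
 <templates>
  <template><id>eater-template</id><namePrefix>Eater of</namePrefix><permissions><permission>
   <id>eat-permission</id><operation>eat</operation><resource>${resource}</resource>
   </permission></permissions><childRoles><childRole>can-drink-milk</childRole></childRoles>
   <parentRoles><parentRole>eater-aggregator</parentRole></parentRoles></template>
 </templates>
</redback-role-model>"""

RESOURCE_ID = re.compile(r"^[A-Za-z0-9._-]+$")  # assumed shape of a runtime resource id


class RoleModel:
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.resources = {r.findtext("id") for r in root.findall("resources/resource")}
        self.operations = {o.findtext("id") for o in root.findall("operations/operation")}
        self.templates = {t.findtext("id"): t for t in root.findall("templates/template")}
        self.roles = {}  # id -> {"name", "perms": {(operation, resource)}, "children": {id}}
        # Two passes: a parentRole may name a role defined later in the file (or merged
        # in from another META-INF/redback file on the classpath).
        for elem in root.findall("roles/role"):
            self._register(elem, elem.findtext("id"), elem.findtext("name"))
        for elem in root.findall("roles/role"):
            self._link_parents(elem, elem.findtext("id"))

    def _register(self, elem, role_id, name, resource=None):
        if role_id in self.roles:
            raise ValueError(f"duplicate role {role_id!r}")
        perms = set()
        for p in elem.findall("permissions/permission"):
            op, res = p.findtext("operation"), p.findtext("resource")
            if resource is not None:  # template instantiation: fill in ${resource}
                res = res.replace("${resource}", resource)
            if op not in self.operations or res not in self.resources:
                raise ValueError(f"permission {p.findtext('id')!r}: unknown operation/resource")
            perms.add((op, res))
        children = {c.text for c in elem.findall("childRoles/childRole")}
        self.roles[role_id] = {"name": name, "perms": perms, "children": children}

    def _link_parents(self, elem, role_id):
        # A parentRole entry makes this role a child of the named, already existing role.
        for parent in elem.findall("parentRoles/parentRole"):
            if parent.text not in self.roles:
                raise ValueError(f"{role_id!r}: unknown parent role {parent.text!r}")
            self.roles[parent.text]["children"].add(role_id)

    def instantiate(self, template_id, resource):
        """Create the template's role for a resource that only appears at runtime."""
        if not RESOURCE_ID.match(resource or ""):
            raise ValueError(f"refusing runtime resource id {resource!r}")
        tmpl = self.templates[template_id]
        self.resources.add(resource)
        role_id = f"{template_id}.{resource}"
        self._register(tmpl, role_id, f"{tmpl.findtext('namePrefix')} {resource}", resource)
        self._link_parents(tmpl, role_id)
        return role_id

    def effective_permissions(self, role_id):
        """Own permissions plus everything reachable through childRoles (cycle-safe)."""
        seen, stack, perms = set(), [role_id], set()
        while stack:
            rid = stack.pop()
            if rid in seen:
                continue
            seen.add(rid)
            perms |= self.roles[rid]["perms"]
            stack.extend(self.roles[rid]["children"])
        return perms

    def is_authorized(self, assigned_roles, operation, resource):
        return any((operation, resource) in self.effective_permissions(r) for r in assigned_roles)


if __name__ == "__main__":
    model = RoleModel(MODEL_XML)
    print("aggregator before:", sorted(model.effective_permissions("eater-aggregator")))
    new_role = model.instantiate("eater-template", "tiramisu")
    print(new_role, sorted(model.effective_permissions(new_role)))
    print("aggregator after: ", sorted(model.effective_permissions("eater-aggregator")))
```

<p>Running it shows the aggregator role starting with an empty permission set and, after <code>instantiate("eater-template", "tiramisu")</code>, holding both the new eat permission and the inherited drink-milk permission, exactly the growing grant the aggregator pattern produces. The resolver rejects a runtime resource id that is not a plain token, a permission that references an undeclared operation or resource, and a parentRole that names a role which does not exist; the cycle guard in <code>effective_permissions</code> keeps a mistaken mutual childRole declaration from hanging authorization checks.</p>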
</div>
</div>
<hr/>
<footer>
<div class="container">
<div class="row">
<div class="row span12">Apache Redback, Redback, Apache, the Apache feather logo, and the Apache Archiva project logos are trademarks of The Apache Software Foundation.</div>
<div class="row span12">
<a href="https://archiva.apache.org/redback-site/privacy-policy.html">Privacy Policy</a>
</div>
</div>
<p id="poweredBy" class="pull-right"> <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" /></a>
</p>
</div>
</footer>
</body>
</html>