src/main/java/org/apache/directory/fortress/core/DelReviewMgr.java - directory-fortress-core - Git at Google

 /*
  *   Licensed to the Apache Software Foundation (ASF) under one
  *   or more contributor license agreements.  See the NOTICE file
  *   distributed with this work for additional information
  *   regarding copyright ownership.  The ASF licenses this file
  *   to you under the Apache License, Version 2.0 (the
  *   "License"); you may not use this file except in compliance
  *   with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing,
  *   software distributed under the License is distributed on an
  *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *   KIND, either express or implied.  See the License for the
  *   specific language governing permissions and limitations
  *   under the License.
  *
  */
 package org.apache.directory.fortress.core;


 import java.util.List;

 import org.apache.directory.fortress.core.model.AdminRole;
 import org.apache.directory.fortress.core.model.OrgUnit;
 import org.apache.directory.fortress.core.model.Permission;
 import org.apache.directory.fortress.core.model.User;
 import org.apache.directory.fortress.core.model.UserAdminRole;


 /**
  * This class prescribes the ARBAC02 DelReviewMgr interface for performing policy interrogation of provisioned Fortress
  * ARBAC entities that reside in LDAP directory.
  * These APIs map directly to similar named APIs specified by ARBAC02 functions.  The ARBAC Functional specification
  * describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations.
  * Delegated administrative review functions for performing administrative queries and system functions for creating and
  * managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
  * <h3>Administrative Role Based Access Control (ARBAC)</h3>
  * <img src="./doc-files/ARbac.png" alt="">
  * <p>
  * Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration.  ARBAC provides large enterprises
  * the capability to delegate administrative authority to users that reside outside of the security admin group.
  * Decentralizing administration helps because it provides security provisioning capability to work groups without
  * sacrificing regulations for accountability or traceability.
  * <p>
  * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)}
  * or {@link Manageable#setAdmin(org.apache.directory.fortress.core.model.Session)}) are set.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 public interface DelReviewMgr extends Manageable
 {
     /**
      * Method reads Admin Role entity from the admin role container in directory.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link AdminRole#name} - contains the name of the AdminRole being targeted for read</li>
      * </ul>
      *
      * @param role contains role name to be read.
      * @return AdminRole entity that corresponds with role name.
      * @throws SecurityException will be thrown if role not found or system error occurs.
      */
     AdminRole readRole( AdminRole role )
         throws SecurityException;


     /**
      * Method will return a list of type Admin Role.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link AdminRole#name} - contains all or some chars in the name of AdminRole(s) targeted for search</li>
      * </ul>
      *
      * @param searchVal contains the all or some of the chars corresponding to admin role entities stored in directory.
      * @return List of type AdminRole containing role entities that match the search criteria.
      * @throws SecurityException in the event of system error.
      */
     List<AdminRole> findRoles( String searchVal )
         throws SecurityException;


     /**
      * This function returns the set of admin roles assigned to a given user. The function is valid if and
      * only if the user is a member of the USERS data set.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
      * </ul>
      *
      * @param user contains userId matching user entity stored in the directory.
      * @return List of type UserAdminRole containing the user admin role data.
      * @throws SecurityException If user not found or system error occurs.
      */
     List<UserAdminRole> assignedRoles( User user )
         throws SecurityException;


     /**
      * This method returns the data set of all users who are assigned the given admin role.  This searches the User data set
      * for AdminRole relationship.  This method does NOT search for hierarchical Admin Roles relationships.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link AdminRole#name} - contains the name of AdminRole targeted for search</li>
      * </ul>
      *
      * @param role contains the role name used to search the User data set.
      * @return List of type User containing the users assigned data.
      * @throws SecurityException If system error occurs.
      */
     List<User> assignedUsers( AdminRole role )
         throws SecurityException;


     /**
      * Commands reads existing OrgUnit entity from OrgUnit dataset.  The OrgUnit can be either User or Perm and is
      * set by setting type attribute.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>
      *     {@link org.apache.directory.fortress.core.model.OrgUnit#name} - contains the name associated with the OrgUnit
      *     object targeted for search.
      *   </li>
      *   <li>
      *     {@link org.apache.directory.fortress.core.model.OrgUnit#type} - contains the type of OU:
      *     {@link org.apache.directory.fortress.core.model.OrgUnit.Type#USER} or
      *     {@link org.apache.directory.fortress.core.model.OrgUnit.Type#PERM}
      *   </li>
      * </ul>
      *
      * @param entity contains OrgUnit name and type.
      * @return OrgUnit entity that corresponds with ou name and type.
      * @throws SecurityException in the event of data validation or system error.
      */
     OrgUnit read( OrgUnit entity )
         throws SecurityException;


     /**
      * Commands searches existing OrgUnit entities from OrgUnit dataset.  The OrgUnit can be either User or Perm and is
      * set by setting type parameter on API.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>
      *     {@link org.apache.directory.fortress.core.model.OrgUnit#type} - contains the type of OU:
      *     {@link org.apache.directory.fortress.core.model.OrgUnit.Type#USER} or
      *     {@link org.apache.directory.fortress.core.model.OrgUnit.Type#PERM}
      *   </li>
      *   <li>searchVal - contains some or all of the chars associated with the OrgUnit objects targeted for search.</li>
      * </ul>
      *
      * @param type      either PERM or USER
      * @param searchVal contains the leading chars that map to {@link OrgUnit#name} on existing OrgUnit(s) targeted for search.
      * @return List of type OrgUnit containing the OrgUnit data.
      * @throws SecurityException in the event of data validation or system error.
      */
     List<OrgUnit> search( OrgUnit.Type type, String searchVal )
         throws SecurityException;

     /**
      * This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a
      * given ARBAC role. The function is valid if and only if the role is a member of the ROLES data
      * set.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link AdminRole#name} - contains the name to use for the AdminRole targeted for search.</li>
      * </ul>
      *
      * @param role contains role name, {@link AdminRole#name} of AdminRole entity Permission is granted to.
      * @return List of type Permission that contains all perms granted to a role.
      * @throws SecurityException In the event system error occurs.
      */
     List<Permission> rolePermissions( AdminRole role )
         throws SecurityException;


     /**
      * This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a
      * given ARBAC role. The function is valid if and only if the role is a member of the ROLES data
      * set.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
      *   <li>{@link AdminRole#name} - contains the name to use for the AdminRole targeted for search.</li>
      * </ul>
      *
      * @param role contains role name, {@link AdminRole#name} of AdminRole entity Permission is granted to.
      * @param noInheritance if true will NOT include inherited roles in the search.
      * @return List of type Permission that contains all perms granted to a role.
      * @throws SecurityException In the event system error occurs.
      */
     List<Permission> rolePermissions( AdminRole role, boolean noInheritance )
         throws SecurityException;
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.fortress.core;


	import java.util.List;

	import org.apache.directory.fortress.core.model.AdminRole;
	import org.apache.directory.fortress.core.model.OrgUnit;
	import org.apache.directory.fortress.core.model.Permission;
	import org.apache.directory.fortress.core.model.User;
	import org.apache.directory.fortress.core.model.UserAdminRole;


	/**
	* This class prescribes the ARBAC02 DelReviewMgr interface for performing policy interrogation of provisioned Fortress
	* ARBAC entities that reside in LDAP directory.
	* These APIs map directly to similar named APIs specified by ARBAC02 functions. The ARBAC Functional specification
	* describes delegated administrative operations for the creation and maintenance of ARBAC element sets and relations.
	* Delegated administrative review functions for performing administrative queries and system functions for creating and
	* managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
	* <h3>Administrative Role Based Access Control (ARBAC)</h3>
	* <img src="./doc-files/ARbac.png" alt="">
	* <p>
	* Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration. ARBAC provides large enterprises
	* the capability to delegate administrative authority to users that reside outside of the security admin group.
	* Decentralizing administration helps because it provides security provisioning capability to work groups without
	* sacrificing regulations for accountability or traceability.
	* <p>
	* This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)}
	* or {@link Manageable#setAdmin(org.apache.directory.fortress.core.model.Session)}) are set.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	*/
	public interface DelReviewMgr extends Manageable
	{
	/**
	* Method reads Admin Role entity from the admin role container in directory.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link AdminRole#name} - contains the name of the AdminRole being targeted for read</li>
	* </ul>
	*
	* @param role contains role name to be read.
	* @return AdminRole entity that corresponds with role name.
	* @throws SecurityException will be thrown if role not found or system error occurs.
	*/
	AdminRole readRole( AdminRole role )
	throws SecurityException;


	/**
	* Method will return a list of type Admin Role.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link AdminRole#name} - contains all or some chars in the name of AdminRole(s) targeted for search</li>
	* </ul>
	*
	* @param searchVal contains the all or some of the chars corresponding to admin role entities stored in directory.
	* @return List of type AdminRole containing role entities that match the search criteria.
	* @throws SecurityException in the event of system error.
	*/
	List<AdminRole> findRoles( String searchVal )
	throws SecurityException;


	/**
	* This function returns the set of admin roles assigned to a given user. The function is valid if and
	* only if the user is a member of the USERS data set.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
	* </ul>
	*
	* @param user contains userId matching user entity stored in the directory.
	* @return List of type UserAdminRole containing the user admin role data.
	* @throws SecurityException If user not found or system error occurs.
	*/
	List<UserAdminRole> assignedRoles( User user )
	throws SecurityException;


	/**
	* This method returns the data set of all users who are assigned the given admin role. This searches the User data set
	* for AdminRole relationship. This method does NOT search for hierarchical Admin Roles relationships.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link AdminRole#name} - contains the name of AdminRole targeted for search</li>
	* </ul>
	*
	* @param role contains the role name used to search the User data set.
	* @return List of type User containing the users assigned data.
	* @throws SecurityException If system error occurs.
	*/
	List<User> assignedUsers( AdminRole role )
	throws SecurityException;


	/**
	* Commands reads existing OrgUnit entity from OrgUnit dataset. The OrgUnit can be either User or Perm and is
	* set by setting type attribute.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>
	* {@link org.apache.directory.fortress.core.model.OrgUnit#name} - contains the name associated with the OrgUnit
	* object targeted for search.
	* </li>
	* <li>
	* {@link org.apache.directory.fortress.core.model.OrgUnit#type} - contains the type of OU:
	* {@link org.apache.directory.fortress.core.model.OrgUnit.Type#USER} or
	* {@link org.apache.directory.fortress.core.model.OrgUnit.Type#PERM}
	* </li>
	* </ul>
	*
	* @param entity contains OrgUnit name and type.
	* @return OrgUnit entity that corresponds with ou name and type.
	* @throws SecurityException in the event of data validation or system error.
	*/
	OrgUnit read( OrgUnit entity )
	throws SecurityException;


	/**
	* Commands searches existing OrgUnit entities from OrgUnit dataset. The OrgUnit can be either User or Perm and is
	* set by setting type parameter on API.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>
	* {@link org.apache.directory.fortress.core.model.OrgUnit#type} - contains the type of OU:
	* {@link org.apache.directory.fortress.core.model.OrgUnit.Type#USER} or
	* {@link org.apache.directory.fortress.core.model.OrgUnit.Type#PERM}
	* </li>
	* <li>searchVal - contains some or all of the chars associated with the OrgUnit objects targeted for search.</li>
	* </ul>
	*
	* @param type either PERM or USER
	* @param searchVal contains the leading chars that map to {@link OrgUnit#name} on existing OrgUnit(s) targeted for search.
	* @return List of type OrgUnit containing the OrgUnit data.
	* @throws SecurityException in the event of data validation or system error.
	*/
	List<OrgUnit> search( OrgUnit.Type type, String searchVal )
	throws SecurityException;

	/**
	* This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a
	* given ARBAC role. The function is valid if and only if the role is a member of the ROLES data
	* set.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link AdminRole#name} - contains the name to use for the AdminRole targeted for search.</li>
	* </ul>
	*
	* @param role contains role name, {@link AdminRole#name} of AdminRole entity Permission is granted to.
	* @return List of type Permission that contains all perms granted to a role.
	* @throws SecurityException In the event system error occurs.
	*/
	List<Permission> rolePermissions( AdminRole role )
	throws SecurityException;


	/**
	* This function returns the set of all ARBAC permissions (op, obj), granted to or inherited by a
	* given ARBAC role. The function is valid if and only if the role is a member of the ROLES data
	* set.
	* <h3></h3>
	* <h4>required parameters</h4>
	* <ul>
	* <li>{@link AdminRole#name} - contains the name to use for the AdminRole targeted for search.</li>
	* </ul>
	*
	* @param role contains role name, {@link AdminRole#name} of AdminRole entity Permission is granted to.
	* @param noInheritance if true will NOT include inherited roles in the search.
	* @return List of type Permission that contains all perms granted to a role.
	* @throws SecurityException In the event system error occurs.
	*/
	List<Permission> rolePermissions( AdminRole role, boolean noInheritance )
	throws SecurityException;
	}