Google Git
Sign in
apache / directory-fortress-core / 3414d3a8d33bef9a80f4461dba94dd98f0959e05 / . / src / main / java / org / apache / directory / fortress / core / impl / ReviewMgrImpl.java
blob: 24d452c92639a0eeeb99ee553907c0d0c35dd3f8 [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.fortress.core.impl;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.directory.fortress.annotation.AdminPermissionOperation;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.OrgUnit;
import org.apache.directory.fortress.core.model.PermObj;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.PermissionAttributeSet;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;
import org.apache.directory.fortress.core.util.Config;
import org.apache.directory.fortress.core.util.VUtil;
/**
* This class performs administrative review functions on already provisioned Fortress RBAC entities
* that reside in LDAP directory. These APIs map directly to similar named APIs specified by ANSI and NIST RBAC models.
* Many of the java doc function descriptions found below were taken directly from ANSI INCITS 359-2004.
* The RBAC Functional specification describes administrative operations for the creation
* and maintenance of RBAC element sets and relations; administrative review functions for
* performing administrative queries; and system functions for creating and managing
* RBAC attributes on user sessions and making access control decisions.
* <hr>
* <h3></h3>
* <h4>RBAC0 - Core</h4>
* Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions. API to add,
* update, delete identity data and perform identity and access control decisions during runtime operations.
* <p>
* <img src="../doc-files/RbacCore.png" alt="">
* <hr>
* <h4>RBAC1 - General Hierarchical Roles</h4>
* Simplifies role engineering tasks using inheritance of one or more parent roles.
* <p>
* <img src="../doc-files/RbacHier.png" alt="">
* <hr>
* <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
* Enforce mutual membership exclusions across role assignments. Facilitate dual control policies by restricting which
* roles may be assigned to users in combination. SSD provide added granularity for authorization limits which help
* enterprises meet strict compliance regulations.
* <p>
* <img src="../doc-files/RbacSSD.png" alt="">
* <hr>
* <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
* Control allowed role combinations to be activated within an RBAC session. DSD policies fine tune role policies that
* facilitate authorization dual control and two man policy restrictions during runtime security checks.
* <p>
* <img src="../doc-files/RbacDSD.png" alt="">
* <hr>`
* <p>
* This class is NOT thread safe if parent instance variables ({@link #contextId} or {@link #adminSess}) are set.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
public class ReviewMgrImpl extends Manageable implements ReviewMgr, Serializable
{
private static final String CLS_NM = ReviewMgrImpl.class.getName();
private UserP userP = new UserP();
private RoleP roleP = new RoleP();
private PermP permP = new PermP();
private SdP ssdP = new SdP();
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Permission readPermission(Permission permission)
throws SecurityException
{
String methodName = "readPermission";
assertContext(CLS_NM, methodName, permission, GlobalErrIds.PERM_OPERATION_NULL);
VUtil.assertNotNullOrEmpty(permission.getObjName(), GlobalErrIds.PERM_OBJECT_NM_NULL, CLS_NM + "." + methodName);
VUtil.assertNotNullOrEmpty(permission.getOpName(), GlobalErrIds.PERM_OPERATION_NM_NULL, CLS_NM + "." + methodName);
checkAccess(CLS_NM, methodName);
return permP.read(permission);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public PermObj readPermObj(PermObj permObj)
throws SecurityException
{
String methodName = "readPermObj";
assertContext( CLS_NM, methodName, permObj, GlobalErrIds.PERM_OBJECT_NULL );
VUtil.assertNotNull( permObj.getObjName(), GlobalErrIds.PERM_OBJECT_NM_NULL, CLS_NM + "." + methodName );
checkAccess(CLS_NM, methodName);
return permP.read(permObj);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public PermissionAttributeSet readPermAttributeSet( PermissionAttributeSet permAttributeSet )
throws SecurityException
{
String methodName = "readPermAttributeSet";
assertContext( CLS_NM, methodName, permAttributeSet, GlobalErrIds.PERM_ATTRIBUTE_SET_NULL );
VUtil.assertNotNull( permAttributeSet.getName(), GlobalErrIds.PERM_ATTRIBUTE_SET_NM_NULL, CLS_NM + "." + methodName );
checkAccess(CLS_NM, methodName);
return permP.read(permAttributeSet);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Permission> findPermissions(Permission permission)
throws SecurityException
{
String methodName = "findPermissions";
assertContext( CLS_NM, methodName, permission, GlobalErrIds.PERM_OPERATION_NULL );
checkAccess(CLS_NM, methodName);
return permP.search( permission );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Permission> findPermsByObj(PermObj permObj)
throws SecurityException
{
String methodName = "findPermsByObj";
assertContext( CLS_NM, methodName, permObj, GlobalErrIds.PERM_OBJECT_NULL );
VUtil.assertNotNullOrEmpty(permObj.getObjName(), GlobalErrIds.PERM_OBJECT_NM_NULL, CLS_NM + "." + methodName);
checkAccess(CLS_NM, methodName);
return permP.searchOperations( permObj );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Permission> findAnyPermissions(Permission permission)
throws SecurityException
{
String methodName = "findAnyPermissions";
assertContext( CLS_NM, methodName, permission, GlobalErrIds.PERM_OPERATION_NULL );
checkAccess(CLS_NM, methodName);
return permP.searchAny( permission );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<PermObj> findPermObjs(PermObj permObj)
throws SecurityException
{
String methodName = "findPermObjs";
assertContext(CLS_NM, methodName, permObj, GlobalErrIds.PERM_OBJECT_NULL);
checkAccess(CLS_NM, methodName);
return permP.search(permObj);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<PermObj> findPermObjs(OrgUnit ou)
throws SecurityException
{
String methodName = "findPermObjs";
assertContext(CLS_NM, methodName, ou, GlobalErrIds.ORG_NULL_PERM);
checkAccess(CLS_NM, methodName);
// pass a "false" which places no restrictions on how many records server returns.
return permP.search(ou, false);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Role readRole(Role role)
throws SecurityException
{
String methodName = "readRole";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
VUtil.assertNotNullOrEmpty( role.getName(), GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName );
checkAccess(CLS_NM, methodName);
return roleP.read( role );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Role> findRoles(String searchVal)
throws SecurityException
{
String methodName = "findRoles";
VUtil.assertNotNull( searchVal, GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName );
checkAccess( CLS_NM, methodName );
Role role = new Role(searchVal);
role.setContextId( this.contextId );
return roleP.search( role );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<String> findRoles(String searchVal, int limit)
throws SecurityException
{
String methodName = "findRoles";
VUtil.assertNotNull(searchVal, GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName);
checkAccess(CLS_NM, methodName);
Role role = new Role(searchVal);
role.setContextId(this.contextId);
return roleP.search(role, limit);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public final User readUser(User user)
throws SecurityException
{
String methodName = "readUser";
assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
VUtil.assertNotNullOrEmpty( user.getUserId(), GlobalErrIds.USER_ID_NULL, CLS_NM + "." + methodName );
checkAccess( CLS_NM, methodName );
return userP.read( user, true );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public final List<User> findUsers(User user)
throws SecurityException
{
String methodName = "findUsers";
assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
checkAccess(CLS_NM, methodName);
return userP.search( user );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<User> findUsers(OrgUnit ou)
throws SecurityException
{
String methodName = "findUsers";
assertContext(CLS_NM, methodName, ou, GlobalErrIds.ORG_NULL_USER);
checkAccess(CLS_NM, methodName);
// pass a "false" which places no restrictions on how many records server returns.
return userP.search(ou, false);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public final List<String> findUsers(User user, int limit)
throws SecurityException
{
String methodName = "findUsers";
assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
checkAccess(CLS_NM, methodName);
return userP.search(user, limit);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<String> assignedUsers(Role role, int limit)
throws SecurityException
{
String methodName = "assignedUsers";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
List<String> users = null;
// If role occupant is set on role, get it from the role object itself:
if( Config.getInstance().isRoleOccupant() )
{
Role entity = roleP.read( role );
// this one retrieves from the role itself.
users = entity.getOccupants();
if ( users != null && users.size() > limit )
{
users = users.subList( 0, limit );
}
}
// otherwise, search across the people tree for all users assigned to this role:
else
{
users = userP.getAssignedUserIds( role );
}
// No users found for this role.
// return empty list to caller:
if (users == null)
{
users = new ArrayList<>();
}
return users;
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<User> assignedUsers(Role role)
throws SecurityException
{
String methodName = "assignedUsers";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return userP.getAssignedUsers(role);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<User> assignedUsers(Role role, RoleConstraint roleConstraint)
throws SecurityException
{
String methodName = "assignedUsers";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return userP.getAssignedUsers(role, roleConstraint);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<UserRole> assignedUsers(Role role, RCType rcType, String keyName)
throws SecurityException
{
String methodName = "assignedUsers";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return userP.getAssignedUsers(role, rcType, keyName);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<UserRole> assignedRoles(User user)
throws SecurityException
{
String methodName = "assignedRoles";
assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
checkAccess(CLS_NM, methodName);
User ue = userP.read(user, true);
return ue.getRoles();
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<String> assignedRoles(String userId)
throws SecurityException
{
String methodName = "assignedRoles";
VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_NULL, CLS_NM + "." + methodName );
checkAccess(CLS_NM, methodName);
User user = new User(userId);
user.setContextId(this.contextId);
return userP.getAssignedRoles( user );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<User> authorizedUsers(Role role)
throws SecurityException
{
String methodName = "authorizedUsers";
assertContext( CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL );
checkAccess( CLS_NM, methodName );
return userP.getAuthorizedUsers( role );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> authorizedRoles(User user)
throws SecurityException
{
String methodName = "authorizedRoles";
assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
checkAccess(CLS_NM, methodName);
User ue = userP.read(user, true);
List<UserRole> roles = ue.getRoles();
Set<String> iRoles = null;
if (CollectionUtils.isNotEmpty( roles ))
{
iRoles = RoleUtil.getInstance().getInheritedRoles( roles, this.contextId );
}
return iRoles;
}
/**
* {@inheritDoc}
*/
@Override
public List<Permission> rolePermissions(Role role)
throws SecurityException
{
return rolePermissions( role, false );
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Permission> rolePermissions(Role role, boolean noInheritance )
throws SecurityException
{
String methodName = "rolePermissions";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return permP.search( role, noInheritance );
}
/**
* {@inheritDoc}
*/
@Override
public List<PermissionAttributeSet> rolePermissionAttributeSets( Role role, boolean noInhertiance )
throws SecurityException
{
Map<String, PermissionAttributeSet> permAttributeSets = new HashMap<String, PermissionAttributeSet>();
//look through all permissions in the role
List<Permission> permissions = this.rolePermissions( role, noInhertiance );
for(Permission perm : permissions)
{
if( CollectionUtils.isNotEmpty(perm.getPaSets() ))
{
for(String paSetName : perm.getPaSets())
{
if(!permAttributeSets.containsKey( paSetName ))
{
PermissionAttributeSet paSet = new PermissionAttributeSet( paSetName );
paSet.setContextId( this.contextId );
PermissionAttributeSet permAttributeSet = permP.read( paSet );
permAttributeSets.put( paSetName, permAttributeSet );
}
}
}
}
return new ArrayList<>(permAttributeSets.values());
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<Permission> userPermissions(User user)
throws SecurityException
{
String methodName = "userPermissions";
assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
checkAccess(CLS_NM, methodName);
user = readUser(user);
user.setContextId(this.contextId);
return permP.search(user);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<String> permissionRoles(Permission perm)
throws SecurityException
{
String methodName = "permissionRoles";
assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OBJECT_NULL);
checkAccess(CLS_NM, methodName);
Permission pe = permP.read(perm);
List<String> retVals;
if(pe != null && CollectionUtils.isNotEmpty( pe.getRoles() ))
{
retVals = new ArrayList<>(pe.getRoles());
}
else
{
retVals = new ArrayList<>();
}
return retVals;
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> authorizedPermissionRoles(Permission perm)
throws SecurityException
{
Set<String> authorizedRoles;
String methodName = "authorizedPermissionRoles";
assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
checkAccess(CLS_NM, methodName);
// Pull the permission from ldap:
Permission pe = permP.read(perm);
// Get all roles that this permission is authorized for:
authorizedRoles = authorizeRoles(pe.getRoles());
return authorizedRoles;
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<String> permissionUsers(Permission perm)
throws SecurityException
{
String methodName = "permissionUsers";
assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
checkAccess(CLS_NM, methodName);
Permission pe = permP.read(perm);
List<String> retVals;
if(pe != null && CollectionUtils.isNotEmpty( pe.getUsers() ))
{
retVals = new ArrayList<>(pe.getUsers());
}
else
{
retVals = new ArrayList<>();
}
return retVals;
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> authorizedPermissionUsers(Permission perm)
throws SecurityException
{
Set<String> authorizedUsers = null;
String methodName = "authorizedPermissionUsers";
assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
checkAccess(CLS_NM, methodName);
// Pull the permission from ldap:
Permission pe = permP.read(perm);
// Get all roles that this permission is authorized for:
Set<String> authorizedRoles = authorizeRoles(pe.getRoles());
if (authorizedRoles != null)
{
// Pull the set of users assigned to descendant or assigned roles from ldap:
authorizedUsers = userP.getAssignedUsers(authorizedRoles, this.contextId);
}
// Now add any users who have been directly assigned to this permission entity:
Set<String> assignedUsers = pe.getUsers();
if (assignedUsers != null)
{
// It is possible this dataset has not yet been instantiated (if perm has no assigned roles):
if (authorizedUsers == null)
{
authorizedUsers = new HashSet<>();
}
authorizedUsers.addAll(assignedUsers);
}
// The returned list includes all assigned users plus any users assigned via authorized roles.
return authorizedUsers;
}
/**
* {@inheritDoc}
*/
private Set<String> authorizeRoles(Set<String> assignedRoles)
{
Set<String> authorizedRoles = null;
if (assignedRoles != null)
{
// Get the descendant roles of all assigned roles from jgrapht hierarchical roles data set:
authorizedRoles = RoleUtil.getInstance().getDescendantRoles(assignedRoles, this.contextId);
}
return authorizedRoles;
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<SDSet> ssdRoleSets(Role role)
throws SecurityException
{
String methodName = "ssdRoleSets";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return ssdP.search(role, SDSet.SDType.STATIC);
}
/**
* {@inheritDoc}
*/
@AdminPermissionOperation
public List<SDSet> ssdSets(SDSet ssd)
throws SecurityException
{
String methodName = "ssdSets";
ssd.setType(SDSet.SDType.STATIC);
assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
checkAccess(CLS_NM, methodName);
return ssdP.search(ssd);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public SDSet ssdRoleSet(SDSet set)
throws SecurityException
{
String methodName = "ssdRoleSet";
assertContext(CLS_NM, methodName, set, GlobalErrIds.SSD_NULL);
checkAccess(CLS_NM, methodName);
set.setType(SDSet.SDType.STATIC);
return ssdP.read(set);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> ssdRoleSetRoles(SDSet ssd)
throws SecurityException
{
String methodName = "ssdRoleSetRoles";
assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
checkAccess(CLS_NM, methodName);
ssd.setType(SDSet.SDType.STATIC);
SDSet se = ssdP.read(ssd);
return se.getMembers();
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public int ssdRoleSetCardinality(SDSet ssd)
throws SecurityException
{
String methodName = "ssdRoleSetCardinality";
assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
checkAccess(CLS_NM, methodName);
SDSet se = ssdP.read(ssd);
return se.getCardinality();
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<SDSet> dsdRoleSets(Role role)
throws SecurityException
{
String methodName = "dsdRoleSets";
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
checkAccess(CLS_NM, methodName);
return ssdP.search(role, SDSet.SDType.DYNAMIC);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public SDSet dsdRoleSet(SDSet set)
throws SecurityException
{
String methodName = "dsdRoleSet";
assertContext(CLS_NM, methodName, set, GlobalErrIds.DSD_NULL);
checkAccess(CLS_NM, methodName);
set.setType(SDSet.SDType.DYNAMIC);
return ssdP.read(set);
}
/**
* {@inheritDoc}
*/
@AdminPermissionOperation
public List<SDSet> dsdSets(SDSet ssd)
throws SecurityException
{
String methodName = "dsdSets";
ssd.setType(SDSet.SDType.DYNAMIC);
assertContext(CLS_NM, methodName, ssd, GlobalErrIds.DSD_NULL);
checkAccess(CLS_NM, methodName);
return ssdP.search(ssd);
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> dsdRoleSetRoles(SDSet dsd)
throws SecurityException
{
String methodName = "dsdRoleSetRoles";
assertContext(CLS_NM, methodName, dsd, GlobalErrIds.DSD_NULL);
checkAccess(CLS_NM, methodName);
dsd.setType(SDSet.SDType.DYNAMIC);
SDSet se = ssdP.read(dsd);
return se.getMembers();
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public int dsdRoleSetCardinality(SDSet dsd)
throws SecurityException
{
String methodName = "dsdRoleSetCardinality";
assertContext(CLS_NM, methodName, dsd, GlobalErrIds.DSD_NULL);
checkAccess(CLS_NM, methodName);
SDSet se = ssdP.read(dsd);
return se.getCardinality();
}
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public List<RoleConstraint> findRoleConstraints(User user, Permission permission, RoleConstraint.RCType rcType) throws SecurityException
{
String methodName = "findRoleConstraints";
assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
assertContext(CLS_NM, methodName, permission, GlobalErrIds.PERM_NULL);
checkAccess(CLS_NM, methodName);
//find roles this permission is authorized for
Permission pe = permP.read(permission);
Set<String> authorizedRoles = authorizeRoles(pe.getRoles());
//find role constraints for the user and the permission's pa set
return userP.findRoleConstraints(authorizedRoles, user, rcType, pe.getPaSets());
}
}