Authorization (camunda BPM Javadocs 7.1.10-ee)

All Known Implementing Classes:

AuthorizationEntity
```
public interface Authorization
```
An Authorization assigns a set of Permissions to an identity to interact with a given Resource.

EXAMPLES:
- User 'jonny' is authorized to start new instances of the 'invoice' process
- Group 'marketing' is not authorized to cancel process instances.
- Group 'marketing' is not allowed to use the tasklist application.
- Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.
Identities

camunda BPM distinguished two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual User or a Group of users.

Permissions

A Permission defines the way an identity is allowed to interact with a certain resource. Examples of permissions are CREATE, READ, UPDATE, DELETE, ... See Permissions for a set of built-in permissions.

A single authorization object may assign multiple permissions to a single user and resource:
```
 authorization.addPermission(Permissions.READ);
 authorization.addPermission(Permissions.WRITE);
 authorization.addPermission(Permissions.DELETE);
 
```
On top of the built-in permissions, camunda BPM allows using custom permission types.

Resources

Resources are the entities the user interacts with. Examples of resources are GROUPS, USERS, process-definitions, process-instances, tasks ... See Resources for a set of built-in resource. The camunda BPM framework supports custom resources.

Authorization Type

There are three types of authorizations:
- Global Authorizations (AUTH_TYPE_GLOBAL) range over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
- Grant Authorizations (AUTH_TYPE_GRANT) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
- Revoke Authorizations (AUTH_TYPE_REVOKE) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
Authorization Precedence

Authorizations may range over all users, an individual user or a group of users or . They may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:
1. An authorization applying to an individual resource instance preceds over an authorization applying to all instances of the same resource type.
2. An authorization for an individual user preceds over an authorization for a group.
3. A Group authorization preced over a GLOBAL authorization.
4. A Group REVOKE authorization preced over a Group GRANT authorization.
Since:

7.0

Author:

Daniel Meyer

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ANY` The identifyer used for relating to all users or all resourceIds.
`static int`	`AUTH_TYPE_GLOBAL` A Global Authorization ranges over all users and groups (userId = `ANY`) and are usually used for fixing the "base" permission for a resource.
`static int`	`AUTH_TYPE_GRANT` A Grant Authorization ranges over a users or a group and grants a set of permissions.
`static int`	`AUTH_TYPE_REVOKE` A Revoke Authorization ranges over a user or a group and revokes a set of permissions.

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`addPermission(Permission permission)` allows granting a permission.
`int`	`getAuthorizationType()` The type og the authorization.
`String`	`getGroupId()`
`String`	`getId()`
`Permission[]`	`getPermissions(Permission[] permissions)` Allows checking whether this authorization grants / revokes a set of permissions.
`String`	`getResourceId()`
`int`	`getResourceType()`
`String`	`getUserId()`
`boolean`	`isPermissionGranted(Permission permission)` Allows checking whether this authorization grants a specific permission.
`boolean`	`isPermissionRevoked(Permission permission)` Allows checking whether this authorization revokes a specific permission.
`void`	`removePermission(Permission permission)` allows removing a permission.
`void`	`setGroupId(String groupId)` set the id of the group this authorization is created for
`void`	`setPermissions(Permission[] permissions)` Sets the permissions to the provided value.
`void`	`setResource(Resource resource)` sets the type of the resource
`void`	`setResourceId(String resourceId)` set the id of the resource
`void`	`setResourceType(int resourceTypeId)` sets the type of the resource
`void`	`setUserId(String userId)` set the id of the user this authorization is created for

- Field Detail
  - AUTH_TYPE_GLOBAL
```
static final int AUTH_TYPE_GLOBAL
```
    A Global Authorization ranges over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
    
    See Also:
    Constant Field Values
  - AUTH_TYPE_GRANT
```
static final int AUTH_TYPE_GRANT
```
    A Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
    
    See Also:
    Constant Field Values
  - AUTH_TYPE_REVOKE
```
static final int AUTH_TYPE_REVOKE
```
    A Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
    
    See Also:
    Constant Field Values
  - ANY
```
static final String ANY
```
    The identifyer used for relating to all users or all resourceIds. Cannot be used for groups.
    
    See Also:
    Constant Field Values
- Method Detail
  - addPermission
```
void addPermission(Permission permission)
```
    allows granting a permission. Out-of-the-box constants can be found in Permissions.
  - removePermission
```
void removePermission(Permission permission)
```
    allows removing a permission. Out-of-the-box constants can be found in Permissions.
  - isPermissionGranted
```
boolean isPermissionGranted(Permission permission)
```
    Allows checking whether this authorization grants a specific permission.
    
    Parameters:
    perm - the permission to check for
    
    Throws:
    
    IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE
  - isPermissionRevoked
```
boolean isPermissionRevoked(Permission permission)
```
    Allows checking whether this authorization revokes a specific permission.
    
    Parameters:
    perm - the permission to check for
    
    Throws:
    
    IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT
  - getPermissions
```
Permission[] getPermissions(Permission[] permissions)
```
    Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used: Permissions.values() The return value of this method depends on the type of the authorization:
    - For AUTH_TYPE_GLOBAL: all permissions in the parameter list granted by this authorization are returned.
    - For AUTH_TYPE_GRANT: all permissions in the parameter list granted by this authorization are returned.
    - For AUTH_TYPE_REVOKE: all permissions in the parameter list revoked by this authorization are returned.
    Parameters:
    an - array of permissions to check for.
    
    Returns:
    Returns the set of Permissions provided by this Authorization.
  - setPermissions
```
void setPermissions(Permission[] permissions)
```
    Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:
    - For AUTH_TYPE_GLOBAL: all provided permissions are granted.
    - For AUTH_TYPE_GRANT: all provided permissions are granted.
    - For AUTH_TYPE_REVOKE: all provided permissions are revoked.
    Parameters:
    a - set of permissions.
  - getId
```
String getId()
```
    Returns:
    the ID of the Authorization object
  - setResourceId
```
void setResourceId(String resourceId)
```
    set the id of the resource
  - getResourceId
```
String getResourceId()
```
    Returns:
    the id of the resource
  - setResourceType
```
void setResourceType(int resourceTypeId)
```
    sets the type of the resource
  - setResource
```
void setResource(Resource resource)
```
    sets the type of the resource
  - getResourceType
```
int getResourceType()
```
    Returns:
    the type of the resource
  - setUserId
```
void setUserId(String userId)
```
    set the id of the user this authorization is created for
  - getUserId
```
String getUserId()
```
    Returns:
    the id of the user this authorization is created for
  - setGroupId
```
void setGroupId(String groupId)
```
    set the id of the group this authorization is created for
  - getGroupId
```
String getGroupId()
```
    Returns:
    the id of the group this authorization is created for
  - getAuthorizationType
```
int getAuthorizationType()
```
    The type og the authorization. Legal values:
    Returns:
    the type of the authorization.

Interface Authorization

Identities

Permissions

Resources

Authorization Type

Authorization Precedence

Field Summary

Method Summary

Field Detail

AUTH_TYPE_GLOBAL

AUTH_TYPE_GRANT

AUTH_TYPE_REVOKE

ANY

Method Detail

addPermission

removePermission

isPermissionGranted

isPermissionRevoked

getPermissions

setPermissions

getId

setResourceId

getResourceId

setResourceType

setResource

getResourceType

setUserId

getUserId

setGroupId

getGroupId

getAuthorizationType