public interface Authorization

An Authorization assigns a set of Permissions to an identity to interact with a given Resource.
EXAMPLES:
Camunda Platform distinguishes two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual User or a Group of users.
A Permission defines the way an identity is allowed to interact with a certain resource. Examples of permissions are CREATE, READ, UPDATE, DELETE, ... See Permissions for a set of built-in permissions.
A single authorization object may assign multiple permissions to a single user and resource:
authorization.addPermission(Permissions.READ);
authorization.addPermission(Permissions.UPDATE);
authorization.addPermission(Permissions.DELETE);
On top of the built-in permissions, Camunda Platform allows using custom permission types.
Resources are the entities the user interacts with. Examples of resources are GROUPS, USERS, process-definitions, process-instances, tasks ... See Resources for a set of built-in resources. The Camunda Platform framework supports custom resources.
There are three types of authorizations:
- Global authorizations (AUTH_TYPE_GLOBAL) range over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
- Grant authorizations (AUTH_TYPE_GRANT) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
- Revoke authorizations (AUTH_TYPE_REVOKE) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group that the global authorization grants.

Authorizations may range over all users, an individual user or a group of users.
They may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:
GLOBAL authorization.
REVOKE authorization precedes over a Group GRANT authorization.

Modifier and Type | Field and Description |
---|---|
static String | ANY: The identifier used for relating to all users or all resourceIds. |
static int | AUTH_TYPE_GLOBAL: A Global Authorization ranges over all users and groups (userId = ANY) and is usually used for fixing the "base" permission for a resource. |
static int | AUTH_TYPE_GRANT: A Grant Authorization ranges over a user or a group and grants a set of permissions. |
static int | AUTH_TYPE_REVOKE: A Revoke Authorization ranges over a user or a group and revokes a set of permissions. |

Modifier and Type | Method and Description |
---|---|
void | addPermission(Permission permission): allows granting a permission. |
int | getAuthorizationType(): The type of the authorization. |
String | getGroupId() |
String | getId() |
Permission[] | getPermissions(Permission[] permissions): Allows checking whether this authorization grants / revokes a set of permissions. |
Date | getRemovalTime(): The removal time indicates the date a historic instance authorization is cleaned up. A removal time can only be assigned to a historic instance authorization. |
String | getResourceId() |
int | getResourceType() |
String | getRootProcessInstanceId(): The process instance id of the top-level (root) process instance the historic instance authorization is related to. A root process instance id is only assigned to a historic instance authorization. |
String | getUserId() |
boolean | isEveryPermissionGranted(): Allows checking whether this authorization grants every single permission. |
boolean | isEveryPermissionRevoked(): Allows checking whether this authorization revokes every single permission. |
boolean | isPermissionGranted(Permission permission): Allows checking whether this authorization grants a specific permission. |
boolean | isPermissionRevoked(Permission permission): Allows checking whether this authorization revokes a specific permission. |
void | removePermission(Permission permission): allows removing a permission. |
void | setGroupId(String groupId): set the id of the group this authorization is created for |
void | setPermissions(Permission[] permissions): Sets the permissions to the provided value. |
void | setResource(Resource resource): sets the type of the resource |
void | setResourceId(String resourceId): set the id of the resource |
void | setResourceType(int resourceTypeId): sets the type of the resource |
void | setUserId(String userId): set the id of the user this authorization is created for |
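
The three authorization types and the type-dependent permission checks documented on this page, as an added example (not part of the Camunda Javadoc). It assumes the AuthorizationService of a configured engine is passed in; the class name, method names and parameters are illustrative.

```java
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permission;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;

/** Illustrative class; names and parameters are assumptions, not part of the Camunda API. */
public class ProcessDefinitionAccess {

  /** GLOBAL: fixes the "base" permission. Every identity may READ all process definitions. */
  static Authorization baseline(AuthorizationService service) {
    Authorization auth = service.createNewAuthorization(Authorization.AUTH_TYPE_GLOBAL);
    auth.setResource(Resources.PROCESS_DEFINITION);
    auth.setResourceId(Authorization.ANY); // all instances of this resource type
    auth.addPermission(Permissions.READ);
    return service.saveAuthorization(auth);
  }

  /** GRANT: one group additionally gets UPDATE, scoped to a single resource instance. */
  static Authorization grantUpdate(AuthorizationService service, String groupId, String resourceId) {
    Authorization auth = service.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
    auth.setGroupId(groupId);
    auth.setResource(Resources.PROCESS_DEFINITION);
    auth.setResourceId(resourceId);
    auth.addPermission(Permissions.UPDATE);
    return service.saveAuthorization(auth);
  }

  /** REVOKE: one user loses the READ that the global baseline grants. */
  static Authorization revokeRead(AuthorizationService service, String userId, String resourceId) {
    Authorization auth = service.createNewAuthorization(Authorization.AUTH_TYPE_REVOKE);
    auth.setUserId(userId);
    auth.setResource(Resources.PROCESS_DEFINITION);
    auth.setResourceId(resourceId);
    // For AUTH_TYPE_REVOKE, setPermissions revokes the provided permissions.
    auth.setPermissions(new Permission[] { Permissions.READ });
    return service.saveAuthorization(auth);
  }

  /** Audit helper that asks only the question the type allows: isPermissionGranted throws
   *  IllegalStateException on REVOKE, isPermissionRevoked throws it on GRANT. */
  static String describe(Authorization auth, Permission permission) {
    if (auth.getAuthorizationType() == Authorization.AUTH_TYPE_REVOKE) {
      return auth.isPermissionRevoked(permission) ? "revokes" : "does not revoke";
    }
    return auth.isPermissionGranted(permission) ? "grants" : "does not grant";
  }
}
```

Keeping the global baseline narrow and layering grants on individual resource ids keeps each identity close to least privilege, and the helper lets an audit job walk stored authorizations without tripping the type-specific exceptions.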
static final int AUTH_TYPE_GLOBAL
A Global Authorization ranges over all users and groups (userId = ANY) and is usually used for fixing the "base" permission for a resource.
static final int AUTH_TYPE_GRANT
static final int AUTH_TYPE_REVOKE
static final String ANY
void addPermission(Permission permission)
Permissions.
void removePermission(Permission permission)
Permissions.
boolean isPermissionGranted(Permission permission)
perm - the permission to check for
IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE
boolean isPermissionRevoked(Permission permission)
perm - the permission to check for
IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT
boolean isEveryPermissionGranted()
IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE
boolean isEveryPermissionRevoked()
IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT
Permission[] getPermissions(Permission[] permissions)
Permissions.values()
The return value of this method depends on the type of the authorization:
- AUTH_TYPE_GLOBAL: all permissions in the parameter list granted by this authorization are returned.
- AUTH_TYPE_GRANT: all permissions in the parameter list granted by this authorization are returned.
- AUTH_TYPE_REVOKE: all permissions in the parameter list revoked by this authorization are returned.
an - array of permissions to check for.
Permissions provided by this Authorization.
void setPermissions(Permission[] permissions)
- AUTH_TYPE_GLOBAL: all provided permissions are granted.
- AUTH_TYPE_GRANT: all provided permissions are granted.
- AUTH_TYPE_REVOKE: all provided permissions are revoked.
a - set of permissions.
String getId()
Authorization object
void setResourceId(String resourceId)
String getResourceId()
void setResourceType(int resourceTypeId)
void setResource(Resource resource)
int getResourceType()
void setUserId(String userId)
String getUserId()
void setGroupId(String groupId)
String getGroupId()
int getAuthorizationType()
Date getRemovalTime()
Resources.HISTORIC_TASK.
null if not related to a historic instance resource
null if removal time strategy is end and the top-level instance is not finished
String getRootProcessInstanceId()
Resources.HISTORIC_TASK.
null if not related to a historic instance resource
Copyright © 2021. All rights reserved.