Interface Authorization

  • All Known Implementing Classes:
    AuthorizationEntity

    public interface Authorization

    An Authorization assigns a set of Permissions to an identity to interact with a given Resource.

    EXAMPLES:

    • User 'jonny' is authorized to start new instances of the 'invoice' process
    • Group 'marketing' is not authorized to cancel process instances.
    • Group 'marketing' is not allowed to use the tasklist application.
    • Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.

    Identities

    Camunda Platform distinguished two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual User or a Group of users.

    Permissions

    A Permission defines the way an identity is allowed to interact with a certain resource. Examples of permissions are CREATE, READ, UPDATE, DELETE, ... See Permissions for a set of built-in permissions.

    A single authorization object may assign multiple permissions to a single user and resource:

     authorization.addPermission(Permissions.READ);
     authorization.addPermission(Permissions.UPDATE);
     authorization.addPermission(Permissions.DELETE);
     

    On top of the built-in permissions, Camunda Platform allows using custom permission types.

    Resources

    Resources are the entities the user interacts with. Examples of resources are GROUPS, USERS, process-definitions, process-instances, tasks ... See Resources for a set of built-in resource. The Camunda Platform framework supports custom resources.

    Authorization Type

    There are three types of authorizations:

    • Global Authorizations (AUTH_TYPE_GLOBAL) range over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
    • Grant Authorizations (AUTH_TYPE_GRANT) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization does not grant.
    • Revoke Authorizations (AUTH_TYPE_REVOKE) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.

    Authorization Precedence

    Authorizations may range over all users, an individual user or a group of users. They may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:

    1. An authorization applying to an individual resource instance precedes an authorization applying to all instances of the same resource type.
    2. An authorization for an individual user precedes an authorization for a group.
    3. A Group authorization precedes a GLOBAL authorization.
    4. A Group REVOKE authorization precedes a Group GRANT authorization.

    Since:
    7.0
    Author:
    Daniel Meyer
    • Field Detail

      • AUTH_TYPE_GLOBAL

        static final int AUTH_TYPE_GLOBAL
        A Global Authorization ranges over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
        See Also:
        Constant Field Values
      • AUTH_TYPE_GRANT

        static final int AUTH_TYPE_GRANT
        A Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
        See Also:
        Constant Field Values
      • AUTH_TYPE_REVOKE

        static final int AUTH_TYPE_REVOKE
        A Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
        See Also:
        Constant Field Values
      • ANY

        static final String ANY
        The identifier used for relating to all users or all resourceIds. Cannot be used for groups.
        See Also:
        Constant Field Values
    • Method Detail

      • addPermission

        void addPermission​(Permission permission)
        allows granting a permission. Out-of-the-box constants can be found in Permissions.
      • removePermission

        void removePermission​(Permission permission)
        allows removing a permission. Out-of-the-box constants can be found in Permissions.
      • isEveryPermissionGranted

        boolean isEveryPermissionGranted()
        Allows checking whether this authorization grants every single permission.
        Returns:
        true if every single permission is granted otherwise false
        Throws:
        IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE
      • isEveryPermissionRevoked

        boolean isEveryPermissionRevoked()
        Allows checking whether this authorization revokes every single permission.
        Returns:
        true if every single permission is revoked otherwise false
        Throws:
        IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT
      • getPermissions

        Permission[] getPermissions​(Permission[] permissions)
        Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used: Permissions.values() The return value of this method depends on the type of the authorization:
        • For AUTH_TYPE_GLOBAL: all permissions in the parameter list granted by this authorization are returned.
        • For AUTH_TYPE_GRANT: all permissions in the parameter list granted by this authorization are returned.
        • For AUTH_TYPE_REVOKE: all permissions in the parameter list revoked by this authorization are returned.
        Parameters:
        an - array of permissions to check for.
        Returns:
        Returns the set of Permissions provided by this Authorization.
      • setPermissions

        void setPermissions​(Permission[] permissions)
        Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:
        Parameters:
        a - set of permissions.
      • setResourceId

        void setResourceId​(String resourceId)
        set the id of the resource
      • getResourceId

        String getResourceId()
        Returns:
        the id of the resource
      • setResourceType

        void setResourceType​(int resourceTypeId)
        sets the type of the resource
      • setResource

        void setResource​(Resource resource)
        sets the type of the resource
      • getResourceType

        int getResourceType()
        Returns:
        the type of the resource
      • setUserId

        void setUserId​(String userId)
        set the id of the user this authorization is created for
      • getUserId

        String getUserId()
        Returns:
        the id of the user this authorization is created for
      • setGroupId

        void setGroupId​(String groupId)
        set the id of the group this authorization is created for
      • getGroupId

        String getGroupId()
        Returns:
        the id of the group this authorization is created for
      • getRemovalTime

        Date getRemovalTime()
        The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization. An authorization belongs to a historic instance when its resource type is Resources.HISTORIC_TASK.
        Returns:
        • the date the historic instance authorization is cleaned up
        • null if not related to a historic instance resource
        • null if removal time strategy is end and the top-level instance is not finished
      • getRootProcessInstanceId

        String getRootProcessInstanceId()
        The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization. An authorization is related to a historic instance when its resource type is Resources.HISTORIC_TASK.
        Returns:
        • the process instance id of the top-level (root) process instance
        • null if not related to a historic instance resource