Package org.camunda.bpm.engine

Interface AuthorizationService

All Known Implementing Classes:

AuthorizationServiceImpl

public interface AuthorizationService

The authorization service allows managing Authorizations.

Creating an authorization

An authorization is created between a user/group and a resource. It describes the user/group's permissions to access that resource. An authorization may express different permissions, such as the permission to READ, UPDATE, DELETE the resource. (See Authorization for details).

Granting / revoking permissions

In order to grant the permission to access a certain resource, an authorization object is created:

 Authorization auth = authorizationService.createNewAuthorization();
 //... configure auth
 authorizationService.saveAuthorization(auth);
 

The authorization object can be configured either for a user or a group:

 auth.setUserId("john");
   -OR-
 auth.setGroupId("management");
 

and a resource:

 auth.setResource("processDefinition");
 auth.setResourceId("2313");
 

finally the permissions to access that resource can be assigned:

 auth.addPermission(Permissions.READ);
 

and the authorization object is saved:

 authorizationService.saveAuthorization(auth);
 

As a result, the given user or group will have permission to READ the referenced process definition.

Since:

7.0

Author:

Daniel Meyer

Method Summary

Modifier and Type	Method	Description
AuthorizationQuery	createAuthorizationQuery()	Constructs an authorization query.
Authorization	createNewAuthorization(int authorizationType)	Returns a new (transient) Authorization object.
void	deleteAuthorization(String authorizationId)	Allows deleting a persistent Authorization object.
boolean	isUserAuthorized(String userId, List<String> groupIds, Permission permission, Resource resource)	Allows performing an authorization check.
boolean	isUserAuthorized(String userId, List<String> groupIds, Permission permission, Resource resource, String resourceId)	Allows performing an authorization check.
Authorization	saveAuthorization(Authorization authorization)	Allows saving an Authorization object.

Method Detail

createNewAuthorization

Authorization createNewAuthorization(int authorizationType)

Returns a new (transient) Authorization object. The Object is not yet persistent and must be saved using the saveAuthorization(Authorization) method.

Parameters:

authorizationType - the type of the authorization. Legal values: Authorization.AUTH_TYPE_GLOBAL, Authorization.AUTH_TYPE_GRANT, Authorization.AUTH_TYPE_REVOKE

Returns:

an non-persistent Authorization object.

Throws:

AuthorizationException - if the user has no Permissions.CREATE permissions on Resources.AUTHORIZATION.

saveAuthorization

Authorization saveAuthorization(Authorization authorization)

Allows saving an Authorization object. Use this method for persisting new transient Authorization objects obtained through createNewAuthorization(int) or for updating persistent objects.

Parameters:

authorization - a Authorization object.

Returns:

the authorization object.

Throws:

ProcessEngineException - in case an internal error occurs

AuthorizationException - if the user has no Permissions.CREATE permissions (in case of persisting a transient object) or no Permissions.UPDATE permissions (in case of updating a persistent object) on Resources.AUTHORIZATION

deleteAuthorization

void deleteAuthorization(String authorizationId)

Allows deleting a persistent Authorization object.

Parameters:

authorizationId - the id of the Authorization object to delete.

Throws:

ProcessEngineException - if no such authorization exists or if an internal error occurs.

AuthorizationException - if the user has no Permissions.DELETE permissions on Resources.AUTHORIZATION.

createAuthorizationQuery

AuthorizationQuery createAuthorizationQuery()

Constructs an authorization query.

isUserAuthorized

boolean isUserAuthorized(String userId,
                         List<String> groupIds,
                         Permission permission,
                         Resource resource)

Allows performing an authorization check.

Returns true if the given user has permissions for interacting with the resource is the requested way.

This method checks for the resource type, see Authorization.ANY

Parameters:

userId - the id of the user for which the check is performed.

groupIds - a list of group ids the user is member of

permission - the permission(s) to check for.

resource - the resource for which the authorization is checked.

Throws:

BadUserRequestException - when resource is a Historic Task or Historic Process Instance and historic instance permissions are disabled.

isUserAuthorized

boolean isUserAuthorized(String userId,
                         List<String> groupIds,
                         Permission permission,
                         Resource resource,
                         String resourceId)

Allows performing an authorization check.

Returns true if the given user has permissions for interacting with the resource is the requested way.

Parameters:

userId - the id of the user for which the check is performed.

groupIds - a list of group ids the user is member of

permission - the permission(s) to check for.

resource - the resource for which the authorization is checked.

resourceId - the resource id for which the authorization check is performed.

Throws:

BadUserRequestException - when resource is a Historic Task or Historic Process Instance and historic instance permissions are disabled.