Interface Authorization
-
- All Known Implementing Classes:
AuthorizationEntity
public interface Authorization
An
Authorization
assigns a set ofPermissions
to an identity to interact with a givenResource
.EXAMPLES:
- User 'jonny' is authorized to start new instances of the 'invoice' process
- Group 'marketing' is not authorized to cancel process instances.
- Group 'marketing' is not allowed to use the tasklist application.
- Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.
Identities
Camunda Platform distinguishes two types of identities: users and groups. Authorizations can either range over all users (userId =
ANY
), an individualUser
or aGroup
of users.Permissions
A
Permission
defines the way an identity is allowed to interact with a certain resource. Examples of permissions areCREATE
,READ
,UPDATE
,DELETE
, ... SeePermissions
for a set of built-in permissions.A single authorization object may assign multiple permissions to a single user and resource:
authorization.addPermission(Permissions.READ); authorization.addPermission(Permissions.UPDATE); authorization.addPermission(Permissions.DELETE);
On top of the built-in permissions, Camunda Platform allows using custom permission types.
Resources
Resources are the entities the user interacts with. Examples of resources are
GROUPS
,USERS
, process-definitions, process-instances, tasks ... SeeResources
for a set of built-in resource. The Camunda Platform framework supports custom resources.Authorization Type
There are three types of authorizations:
- Global Authorizations (
AUTH_TYPE_GLOBAL
) range over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource. - Grant Authorizations (
AUTH_TYPE_GRANT
) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization does not grant. - Revoke Authorizations (
AUTH_TYPE_REVOKE
) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
Authorization Precedence
Authorizations may range over all users, an individual user or a group of users. They may apply to an individual resource instance or all instances of the same type (resourceId =
ANY
). The precedence is as follows:- An authorization applying to an individual resource instance precedes an authorization applying to all instances of the same resource type.
- An authorization for an individual user precedes an authorization for a group.
- A Group authorization precedes a
GLOBAL
authorization. - A Group
REVOKE
authorization precedes a GroupGRANT
authorization.
- Since:
- 7.0
- Author:
- Daniel Meyer
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
ANY
The identifier used for relating to all users or all resourceIds.static int
AUTH_TYPE_GLOBAL
A Global Authorization ranges over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource.static int
AUTH_TYPE_GRANT
A Grant Authorization ranges over a users or a group and grants a set of permissions.static int
AUTH_TYPE_REVOKE
A Revoke Authorization ranges over a user or a group and revokes a set of permissions.
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description void
addPermission(Permission permission)
allows granting a permission.int
getAuthorizationType()
The type og the authorization.java.lang.String
getGroupId()
java.lang.String
getId()
Permission[]
getPermissions(Permission[] permissions)
Allows checking whether this authorization grants / revokes a set of permissions.java.util.Date
getRemovalTime()
The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization.java.lang.String
getResourceId()
int
getResourceType()
java.lang.String
getRootProcessInstanceId()
The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization.java.lang.String
getUserId()
boolean
isEveryPermissionGranted()
Allows checking whether this authorization grants every single permission.boolean
isEveryPermissionRevoked()
Allows checking whether this authorization revokes every single permission.boolean
isPermissionGranted(Permission permission)
Allows checking whether this authorization grants a specific permission.boolean
isPermissionRevoked(Permission permission)
Allows checking whether this authorization revokes a specific permission.void
removePermission(Permission permission)
allows removing a permission.void
setGroupId(java.lang.String groupId)
set the id of the group this authorization is created forvoid
setPermissions(Permission[] permissions)
Sets the permissions to the provided value.void
setResource(Resource resource)
sets the type of the resourcevoid
setResourceId(java.lang.String resourceId)
set the id of the resourcevoid
setResourceType(int resourceTypeId)
sets the type of the resourcevoid
setUserId(java.lang.String userId)
set the id of the user this authorization is created for
-
-
-
Field Detail
-
AUTH_TYPE_GLOBAL
static final int AUTH_TYPE_GLOBAL
A Global Authorization ranges over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource.- See Also:
- Constant Field Values
-
AUTH_TYPE_GRANT
static final int AUTH_TYPE_GRANT
A Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.- See Also:
- Constant Field Values
-
AUTH_TYPE_REVOKE
static final int AUTH_TYPE_REVOKE
A Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.- See Also:
- Constant Field Values
-
ANY
static final java.lang.String ANY
The identifier used for relating to all users or all resourceIds. Cannot be used for groups.- See Also:
- Constant Field Values
-
-
Method Detail
-
addPermission
void addPermission(Permission permission)
allows granting a permission. Out-of-the-box constants can be found inPermissions
.
-
removePermission
void removePermission(Permission permission)
allows removing a permission. Out-of-the-box constants can be found inPermissions
.
-
isPermissionGranted
boolean isPermissionGranted(Permission permission)
Allows checking whether this authorization grants a specific permission.- Parameters:
perm
- the permission to check for- Throws:
java.lang.IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_REVOKE
-
isPermissionRevoked
boolean isPermissionRevoked(Permission permission)
Allows checking whether this authorization revokes a specific permission.- Parameters:
perm
- the permission to check for- Throws:
java.lang.IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_GRANT
-
isEveryPermissionGranted
boolean isEveryPermissionGranted()
Allows checking whether this authorization grants every single permission.- Returns:
- true if every single permission is granted otherwise false
- Throws:
java.lang.IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_REVOKE
-
isEveryPermissionRevoked
boolean isEveryPermissionRevoked()
Allows checking whether this authorization revokes every single permission.- Returns:
- true if every single permission is revoked otherwise false
- Throws:
java.lang.IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_GRANT
-
getPermissions
Permission[] getPermissions(Permission[] permissions)
Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used:Permissions.values()
The return value of this method depends on the type of the authorization:- For
AUTH_TYPE_GLOBAL
: all permissions in the parameter list granted by this authorization are returned. - For
AUTH_TYPE_GRANT
: all permissions in the parameter list granted by this authorization are returned. - For
AUTH_TYPE_REVOKE
: all permissions in the parameter list revoked by this authorization are returned.
- Parameters:
an
- array of permissions to check for.- Returns:
- Returns the set of
Permissions
provided by thisAuthorization
.
- For
-
setPermissions
void setPermissions(Permission[] permissions)
Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:- For
AUTH_TYPE_GLOBAL
: all provided permissions are granted. - For
AUTH_TYPE_GRANT
: all provided permissions are granted. - For
AUTH_TYPE_REVOKE
: all provided permissions are revoked.
- Parameters:
a
- set of permissions.
- For
-
getId
java.lang.String getId()
- Returns:
- the ID of the
Authorization
object
-
setResourceId
void setResourceId(java.lang.String resourceId)
set the id of the resource
-
getResourceId
java.lang.String getResourceId()
- Returns:
- the id of the resource
-
setResourceType
void setResourceType(int resourceTypeId)
sets the type of the resource
-
setResource
void setResource(Resource resource)
sets the type of the resource
-
getResourceType
int getResourceType()
- Returns:
- the type of the resource
-
setUserId
void setUserId(java.lang.String userId)
set the id of the user this authorization is created for
-
getUserId
java.lang.String getUserId()
- Returns:
- the id of the user this authorization is created for
-
setGroupId
void setGroupId(java.lang.String groupId)
set the id of the group this authorization is created for
-
getGroupId
java.lang.String getGroupId()
- Returns:
- the id of the group this authorization is created for
-
getAuthorizationType
int getAuthorizationType()
The type og the authorization. Legal values:- Returns:
- the type of the authorization.
-
getRemovalTime
java.util.Date getRemovalTime()
The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization. An authorization belongs to a historic instance when its resource type isResources.HISTORIC_TASK
.- Returns:
- the date the historic instance authorization is cleaned up
null
if not related to a historic instance resourcenull
if removal time strategy is end and the top-level instance is not finished
-
getRootProcessInstanceId
java.lang.String getRootProcessInstanceId()
The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization. An authorization is related to a historic instance when its resource type isResources.HISTORIC_TASK
.- Returns:
- the process instance id of the top-level (root) process instance
null
if not related to a historic instance resource
-
-