Interface Authorization
- All Known Implementing Classes:
AuthorizationEntity
An Authorization
assigns a set of Permissions
to an identity to interact with a given Resource
.
EXAMPLES:
- User 'jonny' is authorized to start new instances of the 'invoice' process
- Group 'marketing' is not authorized to cancel process instances.
- Group 'marketing' is not allowed to use the tasklist application.
- Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.
Identities
Camunda Platform distinguishes two types of identities: users and
groups. Authorizations can either range over all users
(userId = ANY
), an individual User
or a Group
of users.
Permissions
A Permission
defines the way an identity is allowed to interact
with a certain resource. Examples of permissions are CREATE
,
READ
, UPDATE
,
DELETE
, ... See Permissions
for a set of
built-in permissions.
A single authorization object may assign multiple permissions to a single user and resource:
authorization.addPermission(Permissions.READ); authorization.addPermission(Permissions.UPDATE); authorization.addPermission(Permissions.DELETE);
On top of the built-in permissions, Camunda Platform allows using custom permission types.
Resources
Resources are the entities the user interacts with. Examples of resources are
GROUPS
, USERS
,
process-definitions, process-instances, tasks ... See Resources
for a set
of built-in resource. The Camunda Platform framework supports custom resources.
Authorization Type
There are three types of authorizations:
- Global Authorizations (
AUTH_TYPE_GLOBAL
) range over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource. - Grant Authorizations (
AUTH_TYPE_GRANT
) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization does not grant. - Revoke Authorizations (
AUTH_TYPE_REVOKE
) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
Authorization Precedence
Authorizations may range over all users, an individual user or a group of users.
They may apply to an individual resource instance or all instances of the same type
(resourceId = ANY
). The precedence is as follows:
- An authorization applying to an individual resource instance precedes an authorization applying to all instances of the same resource type.
- An authorization for an individual user precedes an authorization for a group.
- A Group authorization precedes a
GLOBAL
authorization. - A Group
REVOKE
authorization precedes a GroupGRANT
authorization.
- Since:
- 7.0
- Author:
- Daniel Meyer
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
The identifier used for relating to all users or all resourceIds.static final int
A Global Authorization ranges over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource.static final int
A Grant Authorization ranges over a users or a group and grants a set of permissions.static final int
A Revoke Authorization ranges over a user or a group and revokes a set of permissions. -
Method Summary
Modifier and TypeMethodDescriptionvoid
addPermission
(Permission permission) allows granting a permission.int
The type og the authorization.getId()
getPermissions
(Permission[] permissions) Allows checking whether this authorization grants / revokes a set of permissions.The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization.int
The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization.boolean
Allows checking whether this authorization grants every single permission.boolean
Allows checking whether this authorization revokes every single permission.boolean
isPermissionGranted
(Permission permission) Allows checking whether this authorization grants a specific permission.boolean
isPermissionRevoked
(Permission permission) Allows checking whether this authorization revokes a specific permission.void
removePermission
(Permission permission) allows removing a permission.void
setGroupId
(String groupId) set the id of the group this authorization is created forvoid
setPermissions
(Permission[] permissions) Sets the permissions to the provided value.void
setResource
(Resource resource) sets the type of the resourcevoid
setResourceId
(String resourceId) set the id of the resourcevoid
setResourceType
(int resourceTypeId) sets the type of the resourcevoid
set the id of the user this authorization is created for
-
Field Details
-
AUTH_TYPE_GLOBAL
static final int AUTH_TYPE_GLOBALA Global Authorization ranges over all users and groups (userId =ANY
) and are usually used for fixing the "base" permission for a resource.- See Also:
-
AUTH_TYPE_GRANT
static final int AUTH_TYPE_GRANTA Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.- See Also:
-
AUTH_TYPE_REVOKE
static final int AUTH_TYPE_REVOKEA Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.- See Also:
-
ANY
The identifier used for relating to all users or all resourceIds. Cannot be used for groups.- See Also:
-
-
Method Details
-
addPermission
allows granting a permission. Out-of-the-box constants can be found inPermissions
. -
removePermission
allows removing a permission. Out-of-the-box constants can be found inPermissions
. -
isPermissionGranted
Allows checking whether this authorization grants a specific permission.- Parameters:
perm
- the permission to check for- Throws:
IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_REVOKE
-
isPermissionRevoked
Allows checking whether this authorization revokes a specific permission.- Parameters:
perm
- the permission to check for- Throws:
IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_GRANT
-
isEveryPermissionGranted
boolean isEveryPermissionGranted()Allows checking whether this authorization grants every single permission.- Returns:
- true if every single permission is granted otherwise false
- Throws:
IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_REVOKE
-
isEveryPermissionRevoked
boolean isEveryPermissionRevoked()Allows checking whether this authorization revokes every single permission.- Returns:
- true if every single permission is revoked otherwise false
- Throws:
IllegalStateException
- if thisAuthorization
is of typeAUTH_TYPE_GRANT
-
getPermissions
Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used:Permissions.values()
The return value of this method depends on the type of the authorization:- For
AUTH_TYPE_GLOBAL
: all permissions in the parameter list granted by this authorization are returned. - For
AUTH_TYPE_GRANT
: all permissions in the parameter list granted by this authorization are returned. - For
AUTH_TYPE_REVOKE
: all permissions in the parameter list revoked by this authorization are returned.
- Parameters:
an
- array of permissions to check for.- Returns:
- Returns the set of
Permissions
provided by thisAuthorization
.
- For
-
setPermissions
Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:- For
AUTH_TYPE_GLOBAL
: all provided permissions are granted. - For
AUTH_TYPE_GRANT
: all provided permissions are granted. - For
AUTH_TYPE_REVOKE
: all provided permissions are revoked.
- Parameters:
a
- set of permissions.
- For
-
getId
String getId()- Returns:
- the ID of the
Authorization
object
-
setResourceId
set the id of the resource -
getResourceId
String getResourceId()- Returns:
- the id of the resource
-
setResourceType
void setResourceType(int resourceTypeId) sets the type of the resource -
setResource
sets the type of the resource -
getResourceType
int getResourceType()- Returns:
- the type of the resource
-
setUserId
set the id of the user this authorization is created for -
getUserId
String getUserId()- Returns:
- the id of the user this authorization is created for
-
setGroupId
set the id of the group this authorization is created for -
getGroupId
String getGroupId()- Returns:
- the id of the group this authorization is created for
-
getAuthorizationType
int getAuthorizationType()The type og the authorization. Legal values:- Returns:
- the type of the authorization.
-
getRemovalTime
Date getRemovalTime()The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization. An authorization belongs to a historic instance when its resource type isResources.HISTORIC_TASK
.- Returns:
- the date the historic instance authorization is cleaned up
null
if not related to a historic instance resourcenull
if removal time strategy is end and the top-level instance is not finished
-
getRootProcessInstanceId
String getRootProcessInstanceId()The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization. An authorization is related to a historic instance when its resource type isResources.HISTORIC_TASK
.- Returns:
- the process instance id of the top-level (root) process instance
null
if not related to a historic instance resource
-