Class DefaultAuthorizationProvider
- All Implemented Interfaces:
ResourceAuthorizationProvider
Provides the default authorizations for Camunda Platform.
- Author:
- Daniel Meyer
-
Constructor Summary
-
Method Summary
protected void addPermissions(AuthorizationEntity authorization, Permission... permissions)
protected boolean areIdsEqual(String firstId, String secondId)
protected AuthorizationEntity createAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
protected AuthorizationEntity createGrantAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
protected AuthorizationEntity createOrUpdateAuthorization(Task task, String userId, String groupId, Resource resource, boolean isHistoric, Permission... permissions)
protected AuthorizationEntity[] createOrUpdateAuthorizations(Task task, String groupId, String userId)
    Fetches the existing runtime (TASK) and history (HISTORIC_TASK) grant authorizations of the user or group for the task and creates or updates them with READ, the configured UPDATE or TASK_WORK permission and, if enabled, READ_VARIABLE; the steps are listed under Method Details.
protected AuthorizationEntity[] createOrUpdateAuthorizationsByGroupId(Task task, String groupId)
protected AuthorizationEntity[] createOrUpdateAuthorizationsByUserId(Task task, String userId)
public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task, String groupId, String type)
    Invoked whenever a group identity link of a task has been deleted.
public AuthorizationEntity[] deleteTaskUserIdentityLink(Task task, String userId, String type)
    Invoked whenever a user identity link of a task has been deleted.
protected HistoryEvent findHistoricProcessInstance(String rootProcessInstanceId)
protected AuthorizationManager getAuthorizationManager()
protected Permission getDefaultUserPermissionForTask()
protected AuthorizationEntity getGrantAuthorization(String taskId, String userId, String groupId, Resource resource)
protected AuthorizationEntity getGrantAuthorizationByGroupId(String groupId, Resource resource, String resourceId)
protected AuthorizationEntity getGrantAuthorizationByUserId(String userId, Resource resource, String resourceId)
protected Permission[] getHistoricPermissions(boolean enforceSpecificVariablePermission)
protected String getHistoryRemovalTimeStrategy()
protected String getRootProcessInstanceId(Task task)
protected Permission[] getRuntimePermissions(boolean enforceSpecificVariablePermission)
public AuthorizationEntity[] groupMembershipCreated(String groupId, String userId)
    Invoked whenever a user is added to a group.
protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, String userId, String groupId, Resource resource, String resourceId)
protected boolean isEnforceSpecificVariablePermission()
protected boolean isHistoricInstancePermissionsEnabled()
protected boolean isHistoryRemovalTimeStrategyStart()
public AuthorizationEntity[] newDecisionDefinition(DecisionDefinition decisionDefinition)
    Invoked whenever a new decision definition is created.
public AuthorizationEntity[] newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)
    Invoked whenever a new decision requirements definition is created.
public AuthorizationEntity[] newDeployment(Deployment deployment)
    Invoked whenever a new deployment is created.
public AuthorizationEntity[] newFilter(Filter filter)
    Invoked whenever a new filter is created.
public AuthorizationEntity[] newGroup(Group group)
    Invoked whenever a new group is created.
public AuthorizationEntity[] newProcessDefinition(ProcessDefinition processDefinition)
    Invoked whenever a new process definition is created.
public AuthorizationEntity[] newProcessInstance(ProcessInstance processInstance)
    Invoked whenever a new process instance is started.
public AuthorizationEntity[] newTask(Task task)
    Invoked whenever a new task is created.
public AuthorizationEntity[] newTaskAssignee(Task task, String oldAssignee, String newAssignee)
    Invoked whenever a user has been assigned to a task.
public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, String groupId, String type)
    Invoked whenever a new group identity link has been added to a task.
public AuthorizationEntity[] newTaskOwner(Task task, String oldOwner, String newOwner)
    Invoked whenever a user has been set as the owner of a task.
public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String userId, String type)
    Invoked whenever a new user identity link has been added to a task.
public AuthorizationEntity[] newTenant(Tenant tenant)
    Invoked whenever a new tenant is created.
public AuthorizationEntity[] newUser(User user)
    Invoked whenever a new user is created.
protected void provideRemovalTime(AuthorizationEntity authorization, Task task)
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group)
    Invoked whenever a group is added to a tenant.
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, User user)
    Invoked whenever a user is added to a tenant.
protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, String userId, String groupId, Resource resource, String resourceId)
    Searches the cache for an authorization with the same rights; if one exists, the given authorization receives its permissions and the old one is removed from the cache.
-
Constructor Details
-
DefaultAuthorizationProvider
public DefaultAuthorizationProvider()
-
-
Method Details
-
newUser
public AuthorizationEntity[] newUser(User user)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new user is created
- Specified by:
newUser in interface ResourceAuthorizationProvider
- Parameters:
user - a newly created user
- Returns:
a list of authorizations to be automatically added when a new user is created.
-
newGroup
public AuthorizationEntity[] newGroup(Group group)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new group is created
- Specified by:
newGroup in interface ResourceAuthorizationProvider
- Parameters:
group - a newly created Group
- Returns:
a list of authorizations to be automatically added when a new Group is created.
-
newTenant
public AuthorizationEntity[] newTenant(Tenant tenant)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new tenant is created
- Specified by:
newTenant in interface ResourceAuthorizationProvider
- Parameters:
tenant - a newly created Tenant
- Returns:
a list of authorizations to be automatically added when a new Tenant is created.
-
groupMembershipCreated
public AuthorizationEntity[] groupMembershipCreated(String groupId, String userId)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a user is added to a group
- Specified by:
groupMembershipCreated in interface ResourceAuthorizationProvider
- Parameters:
groupId - the id of the group to which the user is added
userId - the id of the user who is added to the group
- Returns:
a list of authorizations to be automatically added when the group membership is created.
-
tenantMembershipCreated
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, User user)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a user is added to a tenant.
- Specified by:
tenantMembershipCreated in interface ResourceAuthorizationProvider
- Parameters:
tenant - the tenant to which the user is added
user - the user who is added to the tenant
- Returns:
a list of authorizations to be automatically added when a new membership is created.
-
tenantMembershipCreated
public AuthorizationEntity[] tenantMembershipCreated(Tenant tenant, Group group)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a group is added to a tenant.
- Specified by:
tenantMembershipCreated in interface ResourceAuthorizationProvider
- Parameters:
tenant - the tenant to which the group is added
group - the group that is added to the tenant
- Returns:
a list of authorizations to be automatically added when a new membership is created.
-
newFilter
public AuthorizationEntity[] newFilter(Filter filter)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new filter is created
- Specified by:
newFilter in interface ResourceAuthorizationProvider
- Parameters:
filter - the newly created filter
- Returns:
a list of authorizations to be automatically added when a new Filter is created.
-
newDeployment
public AuthorizationEntity[] newDeployment(Deployment deployment)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new deployment is created
- Specified by:
newDeployment in interface ResourceAuthorizationProvider
- Parameters:
deployment - the newly created deployment
- Returns:
a list of authorizations to be automatically added when a new Deployment is created.
-
newProcessDefinition
public AuthorizationEntity[] newProcessDefinition(ProcessDefinition processDefinition)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new process definition is created
- Specified by:
newProcessDefinition in interface ResourceAuthorizationProvider
- Parameters:
processDefinition - the newly created process definition
- Returns:
a list of authorizations to be automatically added when a new ProcessDefinition is created.
-
newProcessInstance
public AuthorizationEntity[] newProcessInstance(ProcessInstance processInstance)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new process instance is started
- Specified by:
newProcessInstance in interface ResourceAuthorizationProvider
- Parameters:
processInstance - the newly started process instance
- Returns:
a list of authorizations to be automatically added when a new ProcessInstance is started.
-
newTask
public AuthorizationEntity[] newTask(Task task)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new task is created
- Specified by:
newTask in interface ResourceAuthorizationProvider
- Parameters:
task - the newly created task
- Returns:
a list of authorizations to be automatically added when a new Task is created.
-
newTaskAssignee
public AuthorizationEntity[] newTaskAssignee(Task task, String oldAssignee, String newAssignee)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a user has been assigned to a task.
- Specified by:
newTaskAssignee in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which the assignee has been changed
oldAssignee - the old assignee of the task
newAssignee - the new assignee of the task
- Returns:
a list of authorizations to be automatically added when the assignee of a task changes.
-
newTaskOwner
public AuthorizationEntity[] newTaskOwner(Task task, String oldOwner, String newOwner)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a user has been set as the owner of a task.
- Specified by:
newTaskOwner in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which the owner has been changed
oldOwner - the old owner of the task
newOwner - the new owner of the task
- Returns:
a list of authorizations to be automatically added when the owner of a task changes.
-
newTaskUserIdentityLink
public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String userId, String type)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new user identity link has been added to a task.
- Specified by:
newTaskUserIdentityLink in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which a new identity link has been added
userId - the user for which the identity link has been created
type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)
- Returns:
a list of authorizations to be automatically added when a new user identity link has been added.
-
newTaskGroupIdentityLink
public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, String groupId, String type)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new group identity link has been added to a task.
- Specified by:
newTaskGroupIdentityLink in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which a new identity link has been added
groupId - the group for which the identity link has been created
type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)
- Returns:
a list of authorizations to be automatically added when a new group identity link has been added.
-
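A candidate-group identity link goes through the same create-or-update path as an assignee (createOrUpdateAuthorizationsByGroupId), so every member of the linked group is automatically granted READ plus the configured UPDATE or TASK_WORK permission on the task. Linking a group that contains the whole user base therefore hands the task to everyone. The following subclass is an added example, not code from the Camunda project: for group ids assumed to represent the whole user base (the ids everyone and all-employees are assumptions) it narrows the automatic grant to READ, reusing the protected createOrUpdateAuthorization helper so an existing grant for the same group and task is extended rather than duplicated, and it logs every automatically generated grant so the auto-grants can be reviewed. The class name, the configure() method and the log format are likewise the example's own choices.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.cfg.auth.DefaultAuthorizationProvider;
import org.camunda.bpm.engine.impl.persistence.entity.AuthorizationEntity;
import org.camunda.bpm.engine.task.Task;

/**
 * Example subclass (not part of Camunda): broad candidate groups only receive READ on a task,
 * and every automatically created grant is written to the log for later review.
 */
public class NarrowedCandidateGroupAuthorizationProvider extends DefaultAuthorizationProvider {

  // Assumed ids of groups that effectively contain every user; adapt to your identity store.
  private static final Set<String> BROAD_GROUPS =
      new HashSet<>(Arrays.asList("everyone", "all-employees"));

  @Override
  public AuthorizationEntity[] newTaskGroupIdentityLink(Task task, String groupId, String type) {
    if (BROAD_GROUPS.contains(groupId)) {
      // Same fetch-or-create path the default implementation uses for its runtime grant,
      // but with READ only: members still see the task in their lists and must be assigned
      // individually (which goes through newTaskAssignee) before they can work on it.
      AuthorizationEntity readOnly = createOrUpdateAuthorization(
          task, null, groupId, Resources.TASK, false, Permissions.READ);
      return logGrants("group link " + type, new AuthorizationEntity[] { readOnly });
    }
    return logGrants("group link " + type, super.newTaskGroupIdentityLink(task, groupId, type));
  }

  @Override
  public AuthorizationEntity[] newTaskUserIdentityLink(Task task, String userId, String type) {
    return logGrants("user link " + type, super.newTaskUserIdentityLink(task, userId, type));
  }

  @Override
  public AuthorizationEntity[] newTaskAssignee(Task task, String oldAssignee, String newAssignee) {
    return logGrants("assignee", super.newTaskAssignee(task, oldAssignee, newAssignee));
  }

  /** Pass-through that records who received an automatic grant on which resource. */
  private static AuthorizationEntity[] logGrants(String trigger, AuthorizationEntity[] grants) {
    if (grants != null) {
      for (AuthorizationEntity grant : grants) {
        System.out.printf("auto-grant via %s: user=%s group=%s resourceType=%s resourceId=%s%n",
            trigger, grant.getUserId(), grant.getGroupId(),
            grant.getResourceType(), grant.getResourceId());
      }
    }
    return grants;
  }

  /**
   * Wires the provider into an engine configuration. In camunda.cfg.xml the equivalent is a
   * <property name="resourceAuthorizationProvider"> element holding a <bean> of this class.
   */
  public static ProcessEngineConfigurationImpl configure() {
    ProcessEngineConfigurationImpl config = (ProcessEngineConfigurationImpl)
        ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
    config.setAuthorizationEnabled(true);
    config.setResourceAuthorizationProvider(new NarrowedCandidateGroupAuthorizationProvider());
    return config;
  }
}
```

Note that the override only changes what is granted when the link is created; deleteTaskGroupIdentityLink is left to the default implementation, and the history grant on HISTORIC_TASK is deliberately not created for the broad groups either.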
deleteTaskUserIdentityLink
public AuthorizationEntity[] deleteTaskUserIdentityLink(Task task, String userId, String type)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a user identity link of a task has been deleted.
- Specified by:
deleteTaskUserIdentityLink in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which the identity link has been deleted
userId - the user for which the identity link has been deleted
type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)
- Returns:
a list of authorizations to be automatically deleted when a user identity link has been deleted.
-
deleteTaskGroupIdentityLink
public AuthorizationEntity[] deleteTaskGroupIdentityLink(Task task, String groupId, String type)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a group identity link of a task has been deleted.
- Specified by:
deleteTaskGroupIdentityLink in interface ResourceAuthorizationProvider
- Parameters:
task - the task on which the identity link has been deleted
groupId - the group for which the identity link has been deleted
type - the type of the identity link (e.g. IdentityLinkType.CANDIDATE)
- Returns:
a list of authorizations to be automatically deleted when a group identity link has been deleted.
-
newDecisionDefinition
public AuthorizationEntity[] newDecisionDefinition(DecisionDefinition decisionDefinition)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new decision definition is created.
- Specified by:
newDecisionDefinition in interface ResourceAuthorizationProvider
- Parameters:
decisionDefinition - the newly created decision definition
- Returns:
a list of authorizations to be automatically added when a new DecisionDefinition is created.
-
newDecisionRequirementsDefinition
public AuthorizationEntity[] newDecisionRequirementsDefinition(DecisionRequirementsDefinition decisionRequirementsDefinition)
Description copied from interface: ResourceAuthorizationProvider
Invoked whenever a new decision requirements definition is created.
- Specified by:
newDecisionRequirementsDefinition in interface ResourceAuthorizationProvider
- Parameters:
decisionRequirementsDefinition - the newly created decision requirements definition
- Returns:
a list of authorizations to be automatically added when a new DecisionRequirementsDefinition is created.
-
createOrUpdateAuthorizationsByGroupId
protected AuthorizationEntity[] createOrUpdateAuthorizationsByGroupId(Task task, String groupId)
-
createOrUpdateAuthorizationsByUserId
protected AuthorizationEntity[] createOrUpdateAuthorizationsByUserId(Task task, String userId)
-
createOrUpdateAuthorizations
protected AuthorizationEntity[] createOrUpdateAuthorizations(Task task, String groupId, String userId)
(1) Fetch the existing runtime and history authorizations of the user or group for the task.
(2) Update them:
(2a) if no authorization was fetched, create a new runtime authorization on TASK with READ, the configured user permission (UPDATE or TASK_WORK) and, if enforceSpecificVariablePermission is enabled, READ_VARIABLE; and create a new history authorization with READ on HISTORIC_TASK.
(2b) if an authorization was fetched, add READ, the configured user permission (UPDATE or TASK_WORK) and, if enabled, READ_VARIABLE to it, and add READ on HISTORIC_TASK to the history authorization.
The history authorization is only created or updated when historic instance permissions are enabled (see isHistoricInstancePermissionsEnabled()). Whether UPDATE or TASK_WORK is granted is configurable in camunda.cfg.xml (property defaultUserPermissionNameForTask); by default UPDATE is granted.
-
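The grants this method produces are easiest to see by assigning a task and reading them back. The program below is an added example, not code from the Camunda project or its Javadoc: it boots an in-memory engine with authorization enabled, switches the configurable task permission from the shipped default UPDATE to the narrower TASK_WORK, turns on the variable-specific and historic-instance permission flags, assigns a standalone task and then queries the runtime and history grants that newTaskAssignee created through createOrUpdateAuthorizations. The user id alice, the class name and the printed labels are the example's own choices; the setters used correspond to the camunda.cfg.xml properties authorizationEnabled, defaultUserPermissionNameForTask, enforceSpecificVariablePermission and enableHistoricInstancePermissions.

```java
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngineConfiguration;
import org.camunda.bpm.engine.TaskService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.HistoricTaskPermissions;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resource;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.authorization.TaskPermissions;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.task.Task;

/** Example only: shows the grants DefaultAuthorizationProvider creates when a task is assigned. */
public class DefaultTaskGrantsDemo {

  public static void main(String[] args) {
    ProcessEngineConfigurationImpl config = (ProcessEngineConfigurationImpl)
        ProcessEngineConfiguration.createStandaloneInMemProcessEngineConfiguration();
    config.setAuthorizationEnabled(true);
    // "UPDATE" is the shipped default. TASK_WORK is narrower: in Camunda's permission model
    // UPDATE on a task implies both TASK_WORK and TASK_ASSIGN, so an assignee granted UPDATE
    // can also re-assign the task to someone else.
    config.setDefaultUserPermissionNameForTask("TASK_WORK");
    config.setEnforceSpecificVariablePermission(true);   // adds READ_VARIABLE to the runtime grant
    config.setEnableHistoricInstancePermissions(true);   // enables the HISTORIC_TASK grant

    ProcessEngine engine = config.buildProcessEngine();
    try {
      TaskService taskService = engine.getTaskService();
      AuthorizationService authorizationService = engine.getAuthorizationService();

      // No user is authenticated here, so the engine skips authorization checks for these
      // calls, but the provider callbacks still run because authorization is enabled.
      Task task = taskService.newTask();
      taskService.saveTask(task);
      taskService.setAssignee(task.getId(), "alice");   // triggers newTaskAssignee(...)

      Authorization runtime = grantFor(authorizationService, "alice", Resources.TASK, task.getId());
      Authorization history = grantFor(authorizationService, "alice", Resources.HISTORIC_TASK, task.getId());

      System.out.println("TASK          READ:          " + runtime.isPermissionGranted(Permissions.READ));
      System.out.println("TASK          TASK_WORK:     " + runtime.isPermissionGranted(Permissions.TASK_WORK));
      System.out.println("TASK          UPDATE:        " + runtime.isPermissionGranted(Permissions.UPDATE));
      System.out.println("TASK          READ_VARIABLE: " + runtime.isPermissionGranted(TaskPermissions.READ_VARIABLE));
      System.out.println("HISTORIC_TASK READ:          " + history.isPermissionGranted(HistoricTaskPermissions.READ));
    } finally {
      engine.close();
    }
  }

  /** Fetches the single GRANT authorization of a user on one resource instance, or null. */
  static Authorization grantFor(AuthorizationService authorizationService, String userId,
                                Resource resource, String resourceId) {
    return authorizationService.createAuthorizationQuery()
        .authorizationType(Authorization.AUTH_TYPE_GRANT)
        .userIdIn(userId)
        .resourceType(resource)
        .resourceId(resourceId)
        .singleResult();
  }
}
```

Running it once with "TASK_WORK" and once with the default "UPDATE" shows the difference the defaultUserPermissionNameForTask property makes to the runtime grant, while the READ bits and the HISTORIC_TASK grant stay the same; dropping setEnableHistoricInstancePermissions(true) makes the history query return null, since the provider then creates no HISTORIC_TASK authorization at all.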
createOrUpdateAuthorization
protected AuthorizationEntity createOrUpdateAuthorization(Task task, String userId, String groupId, Resource resource, boolean isHistoric, Permission... permissions)
-
provideRemovalTime
protected void provideRemovalTime(AuthorizationEntity authorization, Task task)
-
getRootProcessInstanceId
protected String getRootProcessInstanceId(Task task)
-
isHistoryRemovalTimeStrategyStart
protected boolean isHistoryRemovalTimeStrategyStart()
-
getHistoryRemovalTimeStrategy
protected String getHistoryRemovalTimeStrategy()
-
findHistoricProcessInstance
protected HistoryEvent findHistoricProcessInstance(String rootProcessInstanceId)
-
getHistoricPermissions
protected Permission[] getHistoricPermissions(boolean enforceSpecificVariablePermission)
-
getRuntimePermissions
protected Permission[] getRuntimePermissions(boolean enforceSpecificVariablePermission)
-
isHistoricInstancePermissionsEnabled
protected boolean isHistoricInstancePermissionsEnabled()
-
getAuthorizationManager
protected AuthorizationManager getAuthorizationManager()
-
getGrantAuthorization
protected AuthorizationEntity getGrantAuthorization(String taskId, String userId, String groupId, Resource resource)
-
getGrantAuthorizationByUserId
protected AuthorizationEntity getGrantAuthorizationByUserId(String userId, Resource resource, String resourceId)
-
getGrantAuthorizationByGroupId
protected AuthorizationEntity getGrantAuthorizationByGroupId(String groupId, Resource resource, String resourceId)
-
createAuthorization
protected AuthorizationEntity createAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
-
addPermissions
protected void addPermissions(AuthorizationEntity authorization, Permission... permissions)
-
createGrantAuthorization
protected AuthorizationEntity createGrantAuthorization(String userId, String groupId, Resource resource, String resourceId, Permission... permissions)
-
getDefaultUserPermissionForTask
protected Permission getDefaultUserPermissionForTask()
-
isEnforceSpecificVariablePermission
protected boolean isEnforceSpecificVariablePermission()
-
updateAuthorizationBasedOnCacheEntries
protected void updateAuthorizationBasedOnCacheEntries(AuthorizationEntity authorization, String userId, String groupId, Resource resource, String resourceId)
Searches the cache for an authorization with the same rights. If one exists, the given authorization is updated with its permissions and the old one is removed from the cache.
-
hasEntitySameAuthorizationRights
protected boolean hasEntitySameAuthorizationRights(AuthorizationEntity authEntity, String userId, String groupId, Resource resource, String resourceId)
-
areIdsEqual
protected boolean areIdsEqual(String firstId, String secondId)
-