Package org.camunda.bpm.engine.authorization

Interface Authorization

All Known Implementing Classes:
AuthorizationEntity
public interface Authorization

An Authorization assigns a set of Permissions to an identity to interact with a given Resource.

EXAMPLES:

  • User 'jonny' is authorized to start new instances of the 'invoice' process
  • Group 'marketing' is not authorized to cancel process instances.
  • Group 'marketing' is not allowed to use the tasklist application.
  • Nobody is allowed to edit process variables in the cockpit application, except the distinct user 'admin'.

Identities

Camunda Platform distinguishes two types of identities: users and groups. Authorizations can either range over all users (userId = ANY), an individual User or a Group of users.

Permissions

A Permission defines the way an identity is allowed to interact with a certain resource. Examples of permissions are CREATE, READ, UPDATE, DELETE, ... See Permissions for a set of built-in permissions.

A single authorization object may assign multiple permissions to a single user and resource:

 authorization.addPermission(Permissions.READ);
 authorization.addPermission(Permissions.UPDATE);
 authorization.addPermission(Permissions.DELETE);

On top of the built-in permissions, Camunda Platform allows using custom permission types.

Resources

Resources are the entities the user interacts with. Examples of resources are GROUPS, USERS, process-definitions, process-instances, tasks ... See Resources for a set of built-in resource. The Camunda Platform framework supports custom resources.

Authorization Type

There are three types of authorizations:

  • Global Authorizations (AUTH_TYPE_GLOBAL) range over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
  • Grant Authorizations (AUTH_TYPE_GRANT) range over users and groups and grant a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization does not grant.
  • Revoke Authorizations (AUTH_TYPE_REVOKE) range over users and groups and revoke a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.

Authorization Precedence

Authorizations may range over all users, an individual user or a group of users. They may apply to an individual resource instance or all instances of the same type (resourceId = ANY). The precedence is as follows:

  1. An authorization applying to an individual resource instance precedes an authorization applying to all instances of the same resource type.
  2. An authorization for an individual user precedes an authorization for a group.
  3. A Group authorization precedes a GLOBAL authorization.
  4. A Group REVOKE authorization precedes a Group GRANT authorization.

Since:
7.0
Author:
Daniel Meyer

  • Field Details

    • AUTH_TYPE_GLOBAL

      static final int AUTH_TYPE_GLOBAL
      A Global Authorization ranges over all users and groups (userId = ANY) and are usually used for fixing the "base" permission for a resource.
      See Also:

    • AUTH_TYPE_GRANT

      static final int AUTH_TYPE_GRANT
      A Grant Authorization ranges over a users or a group and grants a set of permissions. Grant authorizations are commonly used for adding permissions to a user or group that the global authorization revokes.
      See Also:

    • AUTH_TYPE_REVOKE

      static final int AUTH_TYPE_REVOKE
      A Revoke Authorization ranges over a user or a group and revokes a set of permissions. Revoke authorizations are commonly used for revoking permissions to a user or group the the global authorization grants.
      See Also:

    • ANY

      static final String ANY
      The identifier used for relating to all users or all resourceIds. Cannot be used for groups.
      See Also:

  • Method Details

    • addPermission

      void addPermission(Permission permission)
      allows granting a permission. Out-of-the-box constants can be found in Permissions.

    • removePermission

      void removePermission(Permission permission)
      allows removing a permission. Out-of-the-box constants can be found in Permissions.

    • isPermissionGranted

      boolean isPermissionGranted(Permission permission)
      Allows checking whether this authorization grants a specific permission.
      Parameters:
      perm - the permission to check for
      Throws:
      IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE

    • isPermissionRevoked

      boolean isPermissionRevoked(Permission permission)
      Allows checking whether this authorization revokes a specific permission.
      Parameters:
      perm - the permission to check for
      Throws:
      IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT

    • isEveryPermissionGranted

      boolean isEveryPermissionGranted()
      Allows checking whether this authorization grants every single permission.
      Returns:
      true if every single permission is granted otherwise false
      Throws:
      IllegalStateException - if this Authorization is of type AUTH_TYPE_REVOKE

    • isEveryPermissionRevoked

      boolean isEveryPermissionRevoked()
      Allows checking whether this authorization revokes every single permission.
      Returns:
      true if every single permission is revoked otherwise false
      Throws:
      IllegalStateException - if this Authorization is of type AUTH_TYPE_GRANT

    • getPermissions

      Permission[] getPermissions(Permission[] permissions)
      Allows checking whether this authorization grants / revokes a set of permissions. Usually the set of built-in permissions is used: Permissions.values() The return value of this method depends on the type of the authorization:
      • For AUTH_TYPE_GLOBAL: all permissions in the parameter list granted by this authorization are returned.
      • For AUTH_TYPE_GRANT: all permissions in the parameter list granted by this authorization are returned.
      • For AUTH_TYPE_REVOKE: all permissions in the parameter list revoked by this authorization are returned.
      Parameters:
      an - array of permissions to check for.
      Returns:
      Returns the set of Permissions provided by this Authorization.

    • setPermissions

      void setPermissions(Permission[] permissions)
      Sets the permissions to the provided value. Replaces all permissions. The effect of this method depends on the type of this authorization:
      Parameters:
      a - set of permissions.

    • getId

      String getId()
      Returns:
      the ID of the Authorization object

    • setResourceId

      void setResourceId(String resourceId)
      set the id of the resource

    • getResourceId

      String getResourceId()
      Returns:
      the id of the resource

    • setResourceType

      void setResourceType(int resourceTypeId)
      sets the type of the resource

    • setResource

      void setResource(Resource resource)
      sets the type of the resource

    • getResourceType

      int getResourceType()
      Returns:
      the type of the resource

    • setUserId

      void setUserId(String userId)
      set the id of the user this authorization is created for

    • getUserId

      String getUserId()
      Returns:
      the id of the user this authorization is created for

    • setGroupId

      void setGroupId(String groupId)
      set the id of the group this authorization is created for

    • getGroupId

      String getGroupId()
      Returns:
      the id of the group this authorization is created for

    • getAuthorizationType

      int getAuthorizationType()
      The type og the authorization. Legal values:
      Returns:
      the type of the authorization.

    • getRemovalTime

      Date getRemovalTime()
      The removal time indicates the date a historic instance authorization is cleaned up A removal time can only be assigned to a historic instance authorization. An authorization belongs to a historic instance when its resource type is Resources.HISTORIC_TASK.
      Returns:
      • the date the historic instance authorization is cleaned up
      • null if not related to a historic instance resource
      • null if removal time strategy is end and the top-level instance is not finished

    • getRootProcessInstanceId

      String getRootProcessInstanceId()
      The process instance id of the top-level (root) process instance the historic instance authorization is related to A root process instance id is only assigned to a historic instance authorization. An authorization is related to a historic instance when its resource type is Resources.HISTORIC_TASK.
      Returns:
      • the process instance id of the top-level (root) process instance
      • null if not related to a historic instance resource