com.acciente.oacc

Interface AccessControlContext

All Known Implementing Classes:

SQLAccessControlContext

public interface AccessControlContext

The interface with which to define and control access to OACC resources.

An instance of this session is used to both define the OACC resources and the security privileges to them, as well as to query the security system in order to implement access control to these resources.

Definitions:

"session"

An instance of this interface that has been authenticated, that is, security credentials have been associated with this session

"authenticated resource"

The resource that authenticated this session, that is, the resource that logged into this session with a call to one of the authenticate methods

"session resource"

The resource whose security credentials are associated with this session. This is the same as the authenticated resource, unless another resource is being impersonated.

Unless a session is authenticated, all attempts to call any methods other than authenticate, unauthenticate, unimpersonate or a special case of createResource, will fail with a NotAuthenticatedException.

In general, all methods should throw the following unchecked exceptions as described below:

NullPointerException - if a null object reference is passed in any method parameter (in general, all parameters are required)

IllegalArgumentException - if a method parameter is empty or blank, or if a set or sequence of arguments contains null or duplicate elements

Unchecked exceptions explicitly thrown for other reasons are described at the method-level.

Field Summary

Fields

Modifier and Type	Field and Description
static String	SYSTEM_DOMAIN
static String	SYSTEM_RESOURCE_CLASS

Method Summary

Methods

Modifier and Type	Method and Description
void	assertDomainCreatePermissions(Resource accessorResource, DomainCreatePermission domainCreatePermission, DomainCreatePermission... domainCreatePermissions) Checks if the specified accessor resource has the specified domain create permissions.
void	assertDomainCreatePermissions(Resource accessorResource, Set<DomainCreatePermission> domainCreatePermissions) Checks if the specified accessor resource has the specified domain create permissions.
void	assertDomainPermissions(Resource accessorResource, String domainName, DomainPermission domainPermission, DomainPermission... domainPermissions) Checks if the specified accessor resource has the specified domain permissions on the specified domain.
void	assertDomainPermissions(Resource accessorResource, String domainName, Set<DomainPermission> domainPermissions) Checks if the specified accessor resource has the specified domain permissions on the specified domain.
void	assertGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain.
void	assertGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain.
void	assertPostCreateDomainPermissions(Resource accessorResource, DomainPermission domainPermission, DomainPermission... domainPermissions) Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain.
void	assertPostCreateDomainPermissions(Resource accessorResource, Set<DomainPermission> domainPermissions) Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain.
void	assertPostCreateResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object.
void	assertPostCreateResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object.
void	assertResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourceCreatePermission resourceCreatePermission, ResourceCreatePermission... resourceCreatePermissions) Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain.
void	assertResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourceCreatePermission> resourceCreatePermissions) Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain.
void	assertResourcePermissions(Resource accessorResource, Resource accessedResource, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource.
void	assertResourcePermissions(Resource accessorResource, Resource accessedResource, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource.
void	authenticate(Credentials credentials) Authenticates this security session using only security credentials.
void	authenticate(Resource resource) Authenticates this security session against an AuthenticationProvider without specifying authentication credentials, if that AuthenticationProvider supports such an operation.
void	authenticate(Resource resource, Credentials credentials) Authenticates this security session.
void	createDomain(String domainName) Creates a new domain (at the root level of the domain hierarchy).
void	createDomain(String domainName, String parentDomainName) Creates a new domain under the specified parent domain.
Resource	createResource(String resourceClassName, String domainName) Creates a new resource of the specified resource class within the specified domain.
Resource	createResource(String resourceClassName, String domainName, Credentials credentials) Creates a new authenticatable resource of the specified resource class within the specified domain.
Resource	createResource(String resourceClassName, String domainName, String externalId) Creates a new resource of the specified resource class within the specified domain, with the specified external id.
Resource	createResource(String resourceClassName, String domainName, String externalId, Credentials credentials) Creates a new authenticatable resource of the specified resource class within the specified domain, with the specified external id.
void	createResourceClass(String resourceClassName, boolean authenticatable, boolean unauthenticatedCreateAllowed) Creates a new resource class.
void	createResourcePermission(String resourceClassName, String permissionName) Creates a new resource permission that may be applied to objects of the specified resource class.
boolean	deleteDomain(String domainName) Deletes the specified domain (and any nested child domains).
boolean	deleteResource(Resource obsoleteResource) Deletes the specified resource.
Set<Resource>	getAccessorResourcesByResourcePermissions(Resource accessedResource, String resourceClassName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Returns a set of resources that have the specified permissions to the specified accessed resource.
Set<Resource>	getAccessorResourcesByResourcePermissions(Resource accessedResource, String resourceClassName, Set<ResourcePermission> resourcePermissions) Returns a set of resources that have the specified permissions to the specified accessed resource.
Resource	getAuthenticatedResource() Returns the resource that is currently authenticated in this session.
Set<DomainCreatePermission>	getDomainCreatePermissions(Resource accessorResource) Gets all direct domain create permissions the specified accessor resource has.
Set<String>	getDomainDescendants(String domainName) Returns the domains which are descendants of the specified domain.
String	getDomainNameByResource(Resource resource) Returns the domain to which the specified resource belongs.
Set<DomainPermission>	getDomainPermissions(Resource accessorResource, String domainName) Gets all domain permissions the accessor resource has directly to the specified domain.
Map<String,Set<DomainPermission>>	getDomainPermissionsMap(Resource accessorResource) Gets all domain permissions the accessor resource has directly to any domain, mapped by domain name.
Set<DomainCreatePermission>	getEffectiveDomainCreatePermissions(Resource accessorResource) Gets all effective domain create permissions the specified accessor resource has, both directly and inherited (from other resources).
Set<DomainPermission>	getEffectiveDomainPermissions(Resource accessorResource, String domainName) Gets all effective domain permissions the accessor resource has to the specified domain.
Map<String,Set<DomainPermission>>	getEffectiveDomainPermissionsMap(Resource accessorResource) Gets all effective domain permissions the accessor resource has to any domain, mapped by domain name.
Set<ResourcePermission>	getEffectiveGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName) Gets the effective global resource permissions the specified accessor resource has to the resources of the specified resource class in the specified domain.
Map<String,Map<String,Set<ResourcePermission>>>	getEffectiveGlobalResourcePermissionsMap(Resource accessorResource) Gets all effective global resource permissions the specified accessor resource has to the resources of the any resource class in any domain, mapped by domain name and resource class name.
Set<ResourceCreatePermission>	getEffectiveResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName) Gets all effective resource create permissions the accessor resource has to the specified resource class in the specified domain (which effectively define the resource permissions the accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain).
Map<String,Map<String,Set<ResourceCreatePermission>>>	getEffectiveResourceCreatePermissionsMap(Resource accessorResource) Gets all effective resource create permissions the accessor resource has to any resource class in any domain, mapped by domain name and resource class name.
Set<ResourcePermission>	getEffectiveResourcePermissions(Resource accessorResource, Resource accessedResource) Gets the effective resource permissions that the specified accessor resource has to the specified accessed resource.
Set<ResourcePermission>	getGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName) Gets the global resource permissions the specified accessor resource has directly to the resources of the specified resource class in the specified domain.
Map<String,Map<String,Set<ResourcePermission>>>	getGlobalResourcePermissionsMap(Resource accessorResource) Gets all global resource permissions the specified accessor resource has directly to any resources of any resource class in any domain, mapped by domain name and resource class name.
ResourceClassInfo	getResourceClassInfo(String resourceClassName) Returns information about the specified resource class.
ResourceClassInfo	getResourceClassInfoByResource(Resource resource) Returns information about the resource class to which the specified resource belongs.
List<String>	getResourceClassNames() Returns the list of names of all resource classes defined in the system
Set<ResourceCreatePermission>	getResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName) Gets all direct resource create permissions the accessor resource has to the specified resource class in the specified domain (which define a subset of the resource permissions the accessor resource would receive directly, if it created a resource of the specified resource class in the specified domain).
Map<String,Map<String,Set<ResourceCreatePermission>>>	getResourceCreatePermissionsMap(Resource accessorResource) Gets all direct resource create permissions the accessor resource has to any resource class in any domain, mapped by domain name and resource class name.
List<String>	getResourcePermissionNames(String resourceClassName) Returns the list of all resource permission names defined for the specified resource class name, including the applicable system permissions as well as any custom permissions
Set<ResourcePermission>	getResourcePermissions(Resource accessorResource, Resource accessedResource) Gets the resource permissions that the specified accessor resource has directly to the specified accessed resource.
Set<Resource>	getResourcesByResourcePermissions(Resource accessorResource, String resourceClassName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, regardless of domain.
Set<Resource>	getResourcesByResourcePermissions(Resource accessorResource, String resourceClassName, Set<ResourcePermission> resourcePermissions) Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, regardless of domain.
Set<Resource>	getResourcesByResourcePermissionsAndDomain(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, within the specified domain or within any descendant domains.
Set<Resource>	getResourcesByResourcePermissionsAndDomain(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, within the specified domain or within any descendant domains.
Resource	getSessionResource() Returns the session resource, that is, the resource whose security credentials are associated with this session.
void	grantDomainCreatePermissions(Resource accessorResource, DomainCreatePermission domainCreatePermission, DomainCreatePermission... domainCreatePermissions) Adds to the set of domain permissions the specified accessor resource will receive if it created a domain.
void	grantDomainCreatePermissions(Resource accessorResource, Set<DomainCreatePermission> domainCreatePermissions) Adds to the set of domain permissions the specified accessor resource will receive if it created a domain.
void	grantDomainPermissions(Resource accessorResource, String domainName, DomainPermission domainPermission, DomainPermission... domainPermissions) Adds to the direct domain permissions the specified accessor resource has on the specified domain.
void	grantDomainPermissions(Resource accessorResource, String domainName, Set<DomainPermission> domainPermissions) Adds to the direct domain permissions the specified accessor resource has on the specified domain.
void	grantGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Adds the global resource permissions a resource has on any resource of the specified resource class in the specified domain.
void	grantGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Adds the global resource permissions a resource has on any resource of the specified resource class in the specified domain.
void	grantResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourceCreatePermission resourceCreatePermission, ResourceCreatePermission... resourceCreatePermissions) Adds to the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.
void	grantResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourceCreatePermission> resourceCreatePermissions) Adds to the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.
void	grantResourcePermissions(Resource accessorResource, Resource accessedResource, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Adds the specified resource permissions to the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.
void	grantResourcePermissions(Resource accessorResource, Resource accessedResource, Set<ResourcePermission> resourcePermissions) Adds the specified resource permissions to the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.
boolean	hasDomainCreatePermissions(Resource accessorResource, DomainCreatePermission domainCreatePermission, DomainCreatePermission... domainCreatePermissions) Checks if the specified accessor resource has the specified domain create permissions.
boolean	hasDomainCreatePermissions(Resource accessorResource, Set<DomainCreatePermission> domainCreatePermissions) Checks if the specified accessor resource has the specified domain create permissions.
boolean	hasDomainPermissions(Resource accessorResource, String domainName, DomainPermission domainPermission, DomainPermission... domainPermissions) Checks if the specified accessor resource has the specified domain permissions on the specified domain.
boolean	hasDomainPermissions(Resource accessorResource, String domainName, Set<DomainPermission> domainPermissions) Checks if the specified accessor resource has the specified domain permissions on the specified domain.
boolean	hasGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain.
boolean	hasGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain.
boolean	hasPostCreateDomainPermissions(Resource accessorResource, DomainPermission domainPermission, DomainPermission... domainPermissions) Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain.
boolean	hasPostCreateDomainPermissions(Resource accessorResource, Set<DomainPermission> domainPermissions) Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain.
boolean	hasPostCreateResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object.
boolean	hasPostCreateResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object.
boolean	hasResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourceCreatePermission resourceCreatePermission, ResourceCreatePermission... resourceCreatePermissions) Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain.
boolean	hasResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourceCreatePermission> resourceCreatePermissions) Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain.
boolean	hasResourcePermissions(Resource accessorResource, Resource accessedResource, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource.
boolean	hasResourcePermissions(Resource accessorResource, Resource accessedResource, Set<ResourcePermission> resourcePermissions) Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource.
void	impersonate(Resource resource) Switches the security credentials of this session to those of the specified resource.
void	revokeDomainCreatePermissions(Resource accessorResource, DomainCreatePermission domainCreatePermission, DomainCreatePermission... domainCreatePermissions) Revokes the specified direct domain permissions from set the specified accessor resource will receive if it created a domain.
void	revokeDomainCreatePermissions(Resource accessorResource, Set<DomainCreatePermission> domainCreatePermissions) Revokes the specified direct domain permissions from set the specified accessor resource will receive if it created a domain.
void	revokeDomainPermissions(Resource accessorResource, String domainName, DomainPermission domainPermission, DomainPermission... domainPermissions) Revokes the direct domain permissions from set the specified accessor resource has on the specified domain.
void	revokeDomainPermissions(Resource accessorResource, String domainName, Set<DomainPermission> domainPermissions) Revokes the direct domain permissions from set the specified accessor resource has on the specified domain.
void	revokeGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Revokes the global resource permissions a resource has on any resource of the specified resource class in the specified domain.
void	revokeGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Revokes the global resource permissions a resource has on any resource of the specified resource class in the specified domain.
void	revokeResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, ResourceCreatePermission resourceCreatePermission, ResourceCreatePermission... resourceCreatePermissions) Revokes the specified permissions from the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.
void	revokeResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourceCreatePermission> resourceCreatePermissions) Revokes the specified permissions from the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.
void	revokeResourcePermissions(Resource accessorResource, Resource accessedResource, ResourcePermission resourcePermission, ResourcePermission... resourcePermissions) Revokes the specified resource permissions from the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.
void	revokeResourcePermissions(Resource accessorResource, Resource accessedResource, Set<ResourcePermission> resourcePermissions) Revokes the specified resource permissions from the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.
void	setCredentials(Resource resource, Credentials newCredentials) Sets the authentication credentials of the specified authenticatable resource (= a resource of a resource class that has been defined with the isAuthenticatable flag set to true).
void	setDomainCreatePermissions(Resource accessorResource, Set<DomainCreatePermission> domainCreatePermissions) Sets the domain permissions the specified accessor resource will receive if it created a domain.
void	setDomainPermissions(Resource accessorResource, String domainName, Set<DomainPermission> domainPermissions) Sets the direct domain permissions the specified accessor resource has on the specified domain.
Resource	setExternalId(Resource resource, String externalId) Sets the external id of the specified resource as an alternative resource identifier, if none was previously set.
void	setGlobalResourcePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourcePermission> resourcePermissions) Sets the global resource permissions a resource has on any resource of the specified resource class in the specified domain.
void	setResourceCreatePermissions(Resource accessorResource, String resourceClassName, String domainName, Set<ResourceCreatePermission> resourceCreatePermissions) Sets the resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.
void	setResourcePermissions(Resource accessorResource, Resource accessedResource, Set<ResourcePermission> resourcePermissions) Sets the specified resource permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.
void	unauthenticate() Logs out of this session, to be specific, disassociates any security credentials from this session.
void	unimpersonate() Unimpersonates the currently impersonated resource.

Field Detail

SYSTEM_DOMAIN

static final String SYSTEM_DOMAIN

See Also:

Constant Field Values

SYSTEM_RESOURCE_CLASS

static final String SYSTEM_RESOURCE_CLASS

See Also:

Constant Field Values

Method Detail

authenticate

void authenticate(Resource resource,
                Credentials credentials)

Authenticates this security session.

The security credentials for this session will be those of the specified and authenticated resource.

Note: Unless a session is authenticated, all attempts to call any other methods (except authenticate) will fail.

Parameters:

resource - the resource to be authenticated

credentials - the credentials to authenticate the resource

Throws:

IllegalArgumentException - if the resource does not exist or is not of an authenticatable resource class

AuthenticationException - if authentication fails

authenticate

void authenticate(Credentials credentials)

Authenticates this security session using only security credentials.

This authentication method requires a custom authentication provider and is not supported by the built-in authentication provider. It is intended for use where the resource identification is embedded in the credentials, such as in authentication protocols using encrypted authentication tokens. When using this method the custom authentication provider must return the resource to OACC from the custom authentication provider implementation.

Note: Unless a session is authenticated, all attempts to call any other methods (except authenticate) will fail.

Parameters:

credentials - the credentials to authenticate the session

Throws:

IllegalArgumentException - if the resource does not exist or is not of an authenticatable resource class

AuthenticationException - if authentication fails

authenticate

void authenticate(Resource resource)

Authenticates this security session against an AuthenticationProvider without specifying authentication credentials, if that AuthenticationProvider supports such an operation.

The security credentials for this session will be those of the specified and authenticated resource.

Note: Unless a session is authenticated, all attempts to call any other methods (except authenticate) will fail.

Parameters:

resource - the resource to be authenticated

Throws:

IllegalArgumentException - if the resource does not exist or is not of an authenticatable resource class

unauthenticate

void unauthenticate()

Logs out of this session, to be specific, disassociates any security credentials from this session.

If no resource is currently authenticated, this call has no effect.

getAuthenticatedResource

Resource getAuthenticatedResource()

Returns the resource that is currently authenticated in this session.

Returns:

a resource

Throws:

NotAuthenticatedException - if no resource is authenticated

impersonate

void impersonate(Resource resource)

Switches the security credentials of this session to those of the specified resource.

The currently authenticated resource has to have IMPERSONATE permissions to the specified resource.

Note that this method is idempotent and will use the authorization credentials of the originally authenticated resource, and not those of any currently impersonated resource.

Parameters:

resource - the resource to be impersonated

Throws:

IllegalArgumentException - if the resource does not exist, or if the resource is not of an authenticatable resource class

NotAuthorizedException - if the authenticated resource does not have permission to impersonate the specified resource

unimpersonate

void unimpersonate()

Unimpersonates the currently impersonated resource.

Restores the session to the credentials of the authenticated resource.

If no resource is currently being impersonated, this call has no effect.

getSessionResource

Resource getSessionResource()

Returns the session resource, that is, the resource whose security credentials are associated with this session.

The session resource is the same as the authenticated resource, unless another resource is being impersonated.

Returns:

a resource

Throws:

NotAuthenticatedException - if no resource is authenticated

setCredentials

void setCredentials(Resource resource,
                  Credentials newCredentials)

Sets the authentication credentials of the specified authenticatable resource (= a resource of a resource class that has been defined with the isAuthenticatable flag set to true).

One of the following has to be true for this method to succeed:

• the specified resource has to either be the currently authenticated resource or
• the currently authenticated resource has to have SUPER-USER permission on the domain that contains the specified resource or
• the currently authenticated resource has to have RESET-CREDENTIALS permission on the specified resource.

Note that this method uses the permissions granted to the originally authenticated resource - and not those of any currently impersonated resource - to check the items listed above. This method will actually throw an exception if called while impersonating another resource, in order to prevent any way of setting another resource's credentials without having the explicit RESET-CREDENTIALS or SUPER-USER permissions.

Parameters:

resource - the resource for which the credentials should be updated. The resource for which the credentials are to be changed must be the current auth resource, or the current auth resource must have SUPER-USER permissions to the domain containing the resource whose credentials are to be changed or must have RESET-CREDENTIALS permissions to the resource whose credentials are to be changed, otherwise an exception is thrown.

newCredentials - the new credentials for the resource

Throws:

IllegalArgumentException - if the resource does not exist, or if the resource is not of an authenticatable resource class

IllegalStateException - if called while impersonating another resource

InvalidCredentialsException - if newCredentials is invalid

NotAuthorizedException - if the authenticated resource does not have permission to reset the credentials of the specified resource

assertDomainPermissions

void assertDomainPermissions(Resource accessorResource,
                           String domainName,
                           Set<DomainPermission> domainPermissions)

Checks if the specified accessor resource has the specified domain permissions on the specified domain. This method takes into account any direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

domainName - the domain for which the permission should be checked

domainPermissions - the permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified domain permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertDomainPermissions

void assertDomainPermissions(Resource accessorResource,
                           String domainName,
                           DomainPermission domainPermission,
                           DomainPermission... domainPermissions)

Checks if the specified accessor resource has the specified domain permissions on the specified domain. This method takes into account any direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

domainName - the domain for which the permission should be checked

domainPermission - the permission to be checked

domainPermissions - the other (optional) permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified domain permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasDomainPermissions

boolean hasDomainPermissions(Resource accessorResource,
                           String domainName,
                           Set<DomainPermission> domainPermissions)

Checks if the specified accessor resource has the specified domain permissions on the specified domain. This method takes into account any direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

domainName - the domain for which the permission should be checked

domainPermissions - the permissions to be checked

Returns:

true if the accessor resource has the specified domain permissions, false otherwise or if the accessor resource does not exist

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasDomainPermissions

boolean hasDomainPermissions(Resource accessorResource,
                           String domainName,
                           DomainPermission domainPermission,
                           DomainPermission... domainPermissions)

Checks if the specified accessor resource has the specified domain permissions on the specified domain. This method takes into account any direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

domainName - the domain for which the permission should be checked

domainPermission - the permission to be checked

domainPermissions - the other (optional) permissions to be checked

Returns:

true if the accessor resource has the specified domain permissions, false otherwise or if the accessor resource does not exist

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertDomainCreatePermissions

void assertDomainCreatePermissions(Resource accessorResource,
                                 Set<DomainCreatePermission> domainCreatePermissions)

Checks if the specified accessor resource has the specified domain create permissions. This method takes into account any direct and inherited domain create permissions.

Parameters:

accessorResource - the resource on which access is being checked

domainCreatePermissions - the domain create permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the accessor resource does not have the specified domain create permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertDomainCreatePermissions

void assertDomainCreatePermissions(Resource accessorResource,
                                 DomainCreatePermission domainCreatePermission,
                                 DomainCreatePermission... domainCreatePermissions)

Checks if the specified accessor resource has the specified domain create permissions. This method takes into account any direct and inherited domain create permissions.

Parameters:

accessorResource - the resource on which access is being checked

domainCreatePermission - the domain create permission to be checked

domainCreatePermissions - the other (optional) domain create permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the accessor resource does not have the specified domain create permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasDomainCreatePermissions

boolean hasDomainCreatePermissions(Resource accessorResource,
                                 Set<DomainCreatePermission> domainCreatePermissions)

Checks if the specified accessor resource has the specified domain create permissions. This method takes into account any direct and inherited domain create permissions.

Parameters:

accessorResource - the resource on which access is being checked

domainCreatePermissions - the domain create permissions to be checked

Returns:

true if the accessor resource has the specified domain create permissions, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasDomainCreatePermissions

boolean hasDomainCreatePermissions(Resource accessorResource,
                                 DomainCreatePermission domainCreatePermission,
                                 DomainCreatePermission... domainCreatePermissions)

Checks if the specified accessor resource has the specified domain create permissions. This method takes into account any direct and inherited domain create permissions.

Parameters:

accessorResource - the resource on which access is being checked

domainCreatePermission - the domain create permission to be checked

domainCreatePermissions - the other (optional) domain create permissions to be checked

Returns:

true if the accessor resource has the specified domain create permissions, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertPostCreateDomainPermissions

void assertPostCreateDomainPermissions(Resource accessorResource,
                                     Set<DomainPermission> domainPermissions)

Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain. The method takes into account any direct and inherited domain create permissions the accessor might have, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

domainPermissions - the permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the accessor resource would not receive the specified permissions after creating a domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertPostCreateDomainPermissions

void assertPostCreateDomainPermissions(Resource accessorResource,
                                     DomainPermission domainPermission,
                                     DomainPermission... domainPermissions)

Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain. The method takes into account any direct and inherited domain create permissions the accessor might have, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

domainPermission - the permission to be checked

domainPermissions - the other (optional) permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the accessor resource would not receive the specified permissions after creating a domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasPostCreateDomainPermissions

boolean hasPostCreateDomainPermissions(Resource accessorResource,
                                     Set<DomainPermission> domainPermissions)

Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain. The method takes into account any direct and inherited domain create permissions the accessor might have, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

domainPermissions - the permissions to be checked

Returns:

true if the accessor resource would receive the specified permissions after creating a domain

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasPostCreateDomainPermissions

boolean hasPostCreateDomainPermissions(Resource accessorResource,
                                     DomainPermission domainPermission,
                                     DomainPermission... domainPermissions)

Checks if the specified accessor resource would receive the specified domain permissions, if the accessor were to create a domain. The method takes into account any direct and inherited domain create permissions the accessor might have, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

domainPermission - the permission to be checked

domainPermissions - the other (optional) permissions to be checked

Returns:

true if the accessor resource would receive the specified permissions after creating a domain

Throws:

IllegalArgumentException - if the accessorResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertGlobalResourcePermissions

void assertGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain. This method takes into account any global permissions that the accessor resource may have, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermissions - the permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified global permissions, or if the accessor resource does not exist, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertGlobalResourcePermissions

void assertGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourcePermission resourcePermission,
                                   ResourcePermission... resourcePermissions)

Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain. This method takes into account any global permissions that the accessor resource may have, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified global permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasGlobalResourcePermissions

boolean hasGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain. This method takes into account any global permissions that the accessor resource may have, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermissions - the permissions to be checked

Returns:

true if the accessor resource has the specified global permissions, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasGlobalResourcePermissions

boolean hasGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourcePermission resourcePermission,
                                   ResourcePermission... resourcePermissions)

Checks if the specified accessor resource has the specified global resource permissions on the specified resource class in the specified domain. This method takes into account any global permissions that the accessor resource may have, as well as any super-user privileges.

Parameters:

accessorResource - the resource on which access is being checked

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Returns:

true if the accessor resource has the specified global permissions, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertResourcePermissions

void assertResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource. This method takes into account direct, inherited and global permissions of accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

accessedResource - the resource on which access is being requested

resourcePermissions - the permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource or the accessedResource does not exist, or if any resourcePermission is invalid for the resource class of accessedResource

NotAuthorizedException - if the accessor resource does not have the specified permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertResourcePermissions

void assertResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             ResourcePermission resourcePermission,
                             ResourcePermission... resourcePermissions)

Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource. This method takes into account direct, inherited and global permissions of accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

accessedResource - the resource on which access is being requested

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource or the accessedResource does not exist, or if any resourcePermission is invalid for the resource class of accessedResource

NotAuthorizedException - if the accessor resource does not have the specified permissions, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasResourcePermissions

boolean hasResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource. This method takes into account direct, inherited and global permissions of accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

accessedResource - the resource on which access is being requested

resourcePermissions - the permissions to be checked

Returns:

true if the accessor resource has the specified permissions

Throws:

IllegalArgumentException - if the accessorResource or the accessedResource does not exist, or if any resourcePermission is invalid for the resource class of accessedResource

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasResourcePermissions

boolean hasResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             ResourcePermission resourcePermission,
                             ResourcePermission... resourcePermissions)

Checks if the specified accessor resource has the specified resource permissions to the specified accessed resource. This method takes into account direct, inherited and global permissions of accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

accessedResource - the resource on which access is being requested

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Returns:

true if the accessor resource has the specified permissions

Throws:

IllegalArgumentException - if the accessorResource or the accessedResource does not exist, or if any resourcePermission is invalid for the resource class of accessedResource

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertResourceCreatePermissions

void assertResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourceCreatePermission> resourceCreatePermissions)

Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain. The method takes into account any any direct and inherited resource create permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourceCreatePermissions - the create permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourceCreatePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified resource create permissions for the specified class in the specified domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertResourceCreatePermissions

void assertResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourceCreatePermission resourceCreatePermission,
                                   ResourceCreatePermission... resourceCreatePermissions)

Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain. The method takes into account any any direct and inherited resource create permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourceCreatePermission - the create permission to be checked

resourceCreatePermissions - the other (optional) create permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourceCreatePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the accessor resource does not have the specified resource create permissions for the specified class in the specified domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasResourceCreatePermissions

boolean hasResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourceCreatePermission> resourceCreatePermissions)

Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain. The method takes into account any any direct and inherited resource create permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourceCreatePermissions - the create permissions to be checked

Returns:

true if the accessor resource has the specified resource create permissions for the specified resource class in the specified domain, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourceCreatePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasResourceCreatePermissions

boolean hasResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourceCreatePermission resourceCreatePermission,
                                   ResourceCreatePermission... resourceCreatePermissions)

Checks if the specified accessor resource has the specified create permissions on an object of the specified class in the specified domain. The method takes into account any any direct and inherited resource create permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourceCreatePermission - the create permission to be checked

resourceCreatePermissions - the other (optional) create permissions to be checked

Returns:

true if the accessor resource has the specified resource create permissions for the specified resource class in the specified domain, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourceCreatePermission is invalid for the resource class, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertPostCreateResourcePermissions

void assertPostCreateResourcePermissions(Resource accessorResource,
                                       String resourceClassName,
                                       String domainName,
                                       Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object. The method takes into account any resource create permissions and global resource permissions of the specified accessor resource.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermissions - the permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the resource class

NotAuthorizedException - if the accessor resource would not receive the specified permissions after creating a resource of the specified class in the specified domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

assertPostCreateResourcePermissions

void assertPostCreateResourcePermissions(Resource accessorResource,
                                       String resourceClassName,
                                       String domainName,
                                       ResourcePermission resourcePermission,
                                       ResourcePermission... resourcePermissions)

Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object. The method takes into account any resource create permissions and global resource permissions of the specified accessor resource, as well as any super-user privileges, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the resource class

NotAuthorizedException - if the accessor resource would not receive the specified permissions after creating a resource of the specified class in the specified domain, or if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasPostCreateResourcePermissions

boolean hasPostCreateResourcePermissions(Resource accessorResource,
                                       String resourceClassName,
                                       String domainName,
                                       Set<ResourcePermission> resourcePermissions)

Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object. The method takes into account any resource create permissions and global resource permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermissions - the permissions to be checked

Returns:

true if the accessor resource would receive the specified permissions after creating a resource of the specified class in the specified domain, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

hasPostCreateResourcePermissions

boolean hasPostCreateResourcePermissions(Resource accessorResource,
                                       String resourceClassName,
                                       String domainName,
                                       ResourcePermission resourcePermission,
                                       ResourcePermission... resourcePermissions)

Checks if the specified accessor resource would receive the specified permissions on an object of the specified class in the specified domain, if it were to create such an object. The method takes into account any resource create permissions and global resource permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource requesting the access

resourceClassName - a string resource class name

domainName - the domain in which the permissions should be checked

resourcePermission - the permission to be checked

resourcePermissions - the other (optional) permissions to be checked

Returns:

true if the accessor resource would receive the specified permissions after creating a resource of the specified class in the specified domain, false otherwise

Throws:

IllegalArgumentException - if the accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getResourcesByResourcePermissions

Set<Resource> getResourcesByResourcePermissions(Resource accessorResource,
                                              String resourceClassName,
                                              Set<ResourcePermission> resourcePermissions)

Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, regardless of domain.

The method takes into account direct, inherited and global permissions, as well as resources that are reachable as a result of SUPER-USER permissions.

Parameters:

accessorResource - the resource relative to which the set of accessible resources is computed

resourceClassName - a string resource class name

resourcePermissions - the permissions to check

Returns:

a set of resources

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getResourcesByResourcePermissions

Set<Resource> getResourcesByResourcePermissions(Resource accessorResource,
                                              String resourceClassName,
                                              ResourcePermission resourcePermission,
                                              ResourcePermission... resourcePermissions)

Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, regardless of domain.

The method takes into account direct, inherited and global permissions, as well as resources that are reachable as a result of SUPER-USER permissions.

Parameters:

accessorResource - the resource relative to which the set of accessible resources is computed

resourceClassName - a string resource class name

resourcePermission - the permission to check

resourcePermissions - the other (optional) permissions to check

Returns:

a set of resources

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getResourcesByResourcePermissionsAndDomain

Set<Resource> getResourcesByResourcePermissionsAndDomain(Resource accessorResource,
                                                       String resourceClassName,
                                                       String domainName,
                                                       Set<ResourcePermission> resourcePermissions)

Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, within the specified domain or within any descendant domains.

The method takes into account direct, inherited and global permissions, as well as resources that are reachable as a result of SUPER-USER permissions.

Parameters:

accessorResource - the resource relative to which the set of accessible resources is computed

resourceClassName - a string resource class name

domainName - a domain name

resourcePermissions - the permissions to check

Returns:

a set of resources

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getResourcesByResourcePermissionsAndDomain

Set<Resource> getResourcesByResourcePermissionsAndDomain(Resource accessorResource,
                                                       String resourceClassName,
                                                       String domainName,
                                                       ResourcePermission resourcePermission,
                                                       ResourcePermission... resourcePermissions)

Returns a set of resources (of the specified resource class) on which the specified accessor resource has the specified permissions, within the specified domain or within any descendant domains.

The method takes into account direct, inherited and global permissions, as well as resources that are reachable as a result of SUPER-USER permissions.

Parameters:

accessorResource - the resource relative to which the set of accessible resources is computed

resourceClassName - a string resource class name

domainName - a domain name

resourcePermission - the permission to check

resourcePermissions - the other (optional) permissions to check

Returns:

a set of resources

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getAccessorResourcesByResourcePermissions

Set<Resource> getAccessorResourcesByResourcePermissions(Resource accessedResource,
                                                      String resourceClassName,
                                                      Set<ResourcePermission> resourcePermissions)

Returns a set of resources that have the specified permissions to the specified accessed resource.

This method works in the reverse direction of the getResourcesByResourcePermissions(com.acciente.oacc.Resource, java.lang.String, java.util.Set<com.acciente.oacc.ResourcePermission>) method, but unlike getResourcesByResourcePermissions it only takes into account direct permissions. In other words, this method ignores accessors that can reach the specified accessed resource via inherited permissions, global permissions and SUPER-USER privileges.

Parameters:

accessedResource - the resource relative to which accessor resources are sought

resourceClassName - a string resource class name

resourcePermissions - the permissions to check

Returns:

a set of accessor resources to the accessedResource

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessed resource and the session resource does not have query authorization on the accessed resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getAccessorResourcesByResourcePermissions

Set<Resource> getAccessorResourcesByResourcePermissions(Resource accessedResource,
                                                      String resourceClassName,
                                                      ResourcePermission resourcePermission,
                                                      ResourcePermission... resourcePermissions)

Returns a set of resources that have the specified permissions to the specified accessed resource.

This method works in the reverse direction of the getResourcesByResourcePermissions(com.acciente.oacc.Resource, java.lang.String, java.util.Set<com.acciente.oacc.ResourcePermission>) method, but unlike getResourcesByResourcePermissions it only takes into account direct permissions. In other words, this method ignores accessors that can reach the specified accessed resource via inherited permissions, global permissions and SUPER-USER privileges.

Parameters:

accessedResource - the resource relative to which accessor resources are sought

resourceClassName - a string resource class name

resourcePermission - the permission to check

resourcePermissions - the other (optional) permissions to check

Returns:

a set of accessor resources to the accessedResource

Throws:

IllegalArgumentException - if accessorResource does not exist, or if no resource class of resourceClassName exists, or if any resourcePermission is invalid for the specified resource class

NotAuthorizedException - if the session resource is not the accessed resource and the session resource does not have query authorization on the accessed resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getDomainNameByResource

String getDomainNameByResource(Resource resource)

Returns the domain to which the specified resource belongs.

Parameters:

resource - the resource for which to retrieve the domain name

Returns:

a string domain name

Throws:

IllegalArgumentException - if resource does not exists

getDomainDescendants

Set<String> getDomainDescendants(String domainName)

Returns the domains which are descendants of the specified domain. The returned set includes the specified domain (unless the specified domain does not exist); in other words, a domain is considered its own descendant

Note that this returns not just the names of direct first-level descendant domains, but the names of all descendant domains, regardless of level

Parameters:

domainName - a domain name for which to retrieve the descendants

Returns:

a set of unique string domain names, including the domain queried about, or an empty set if the specified domain does not exist

getResourceClassInfo

ResourceClassInfo getResourceClassInfo(String resourceClassName)

Returns information about the specified resource class.

Parameters:

resourceClassName - a string resource class name about which to retrieve information

Returns:

a ResourceClassInfo object containing information about the resource class

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists

getResourceClassInfoByResource

ResourceClassInfo getResourceClassInfoByResource(Resource resource)

Returns information about the resource class to which the specified resource belongs.

Parameters:

resource - a resource about whose resource class to retrieve information

Returns:

returns a ResourceClassInfo object containing information about the resource class of the specified resource

Throws:

IllegalArgumentException - if the specified resource reference does not exist

getResourceClassNames

List<String> getResourceClassNames()

Returns the list of names of all resource classes defined in the system

Returns:

a list of string resource class names

getResourcePermissionNames

List<String> getResourcePermissionNames(String resourceClassName)

Returns the list of all resource permission names defined for the specified resource class name, including the applicable system permissions as well as any custom permissions

Parameters:

resourceClassName - the resource class name for which the permissions should be retrieved

Returns:

a list of string permission names

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists

createResourceClass

void createResourceClass(String resourceClassName,
                       boolean authenticatable,
                       boolean unauthenticatedCreateAllowed)

Creates a new resource class.

Note that creating a resource is only allowed when this session is authenticated with the system-resource (resourceId=0)

Parameters:

resourceClassName - a string resource class name

authenticatable - indicates if resources of this resource class are authenticatable. Typically only resource classes that represent users will be marked as authenticatable.

unauthenticatedCreateAllowed - if true, a resource of this resource class may be created from an unauthenticated session, otherwise the session must be authenticated to create resources of this class.

Throws:

IllegalArgumentException - if a resource class of resourceClassName already exists

NotAuthorizedException - if the authenticated resource is not the system resource

createResourcePermission

void createResourcePermission(String resourceClassName,
                            String permissionName)

Creates a new resource permission that may be applied to objects of the specified resource class.

Note that creating a resource permission is only allowed when this session is authenticated with the system-resource (resourceId=0) and that the new permissionName may not start with an asterisk ('*')

Parameters:

resourceClassName - a string resource class name

permissionName - the string representing the name of this permission. Samples of typical permission names: READ, WRITE, UPDATE, VIEW, POST, EDIT, etc.

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists, or if a resource permission of permissionName already exists, or if the permissionName is prefixed with an asterisk ('*')

NotAuthorizedException - if the authenticated resource is not the system resource

createDomain

void createDomain(String domainName)

Creates a new domain (at the root level of the domain hierarchy).

Parameters:

domainName - a string domain name

Throws:

IllegalArgumentException - if a domain of domainName already exists

NotAuthorizedException - if the session resource is not authorized to create domains

createDomain

void createDomain(String domainName,
                String parentDomainName)

Creates a new domain under the specified parent domain.

Parameters:

domainName - a string domain name

parentDomainName - the domain name of the parent domain

Throws:

IllegalArgumentException - if no domain of parentDomain exists, or if a domain of domainName already exists

NotAuthorizedException - if the session resource is not authorized to create child domains under the specified parent domain

deleteDomain

boolean deleteDomain(String domainName)

Deletes the specified domain (and any nested child domains).

Note this method performs a cascading delete of any permissions any resource has as an accessor resource to this domain or to a resource class-domain tuple, before the specified domain is itself deleted.

Parameters:

domainName - a string domain name

Returns:

true if the domain was deleted as a result of this call, false if the specified domain did not exist

Throws:

IllegalArgumentException - if the specified domain contains any resources

NotAuthorizedException - if the session resource is not authorized to delete the specified domain

createResource

Resource createResource(String resourceClassName,
                      String domainName)

Creates a new resource of the specified resource class within the specified domain.

Note that a custom AuthenticationProvider implementation is required to support creation of an authenticatable resource without providing explicit credentials

Parameters:

resourceClassName - a string resource class name

domainName - a string domain name

Returns:

the resource reference of the newly created resource

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not authorized to create a new resource of the specified resource class in the specified domain

OaccException - if creating the new resource would introduce a cycle between the session resource and new resource via permission inheritance

createResource

Resource createResource(String resourceClassName,
                      String domainName,
                      Credentials credentials)

Creates a new authenticatable resource of the specified resource class within the specified domain.

Parameters:

resourceClassName - a string resource class name

domainName - a string domain name

credentials - the credentials to authenticate the new resource

Returns:

the resource reference of the newly created resource

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists, or if resource class is not authenticatable, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not authorized to create a new resource of the specified resource class in the specified domain

OaccException - if creating the new resource would introduce a cycle between the session resource and new resource via permission inheritance

createResource

Resource createResource(String resourceClassName,
                      String domainName,
                      String externalId)

Creates a new resource of the specified resource class within the specified domain, with the specified external id.

Note that a custom AuthenticationProvider implementation is required to support creation of an authenticatable resource without providing explicit credentials

Parameters:

resourceClassName - a string resource class name

domainName - a string domain name

externalId - a unique string identifier for the new resource

Returns:

the resource reference of the newly created resource

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists, or if no domain of domainName exists, or if a resource with externalId already exists

NotAuthorizedException - if the session resource is not authorized to create a new resource of the specified resource class in the specified domain

OaccException - if creating the new resource would introduce a cycle between the session resource and new resource via permission inheritance

createResource

Resource createResource(String resourceClassName,
                      String domainName,
                      String externalId,
                      Credentials credentials)

Creates a new authenticatable resource of the specified resource class within the specified domain, with the specified external id.

Parameters:

resourceClassName - a string resource class name

domainName - a string domain name

externalId - a unique string identifier for the new resource

credentials - the credentials to authenticate the new resource

Returns:

the resource reference of the newly created resource

Throws:

IllegalArgumentException - if no resource class of resourceClassName exists, or if resource class is not authenticatable, or if no domain of domainName exists, or if a resource with externalId already exists

NotAuthorizedException - if the session resource is not authorized to create a new resource of the specified resource class in the specified domain

OaccException - if creating the new resource would introduce a cycle between the session resource and new resource via permission inheritance

setExternalId

Resource setExternalId(Resource resource,
                     String externalId)

Sets the external id of the specified resource as an alternative resource identifier, if none was previously set.

The externalId has to be globally unique, i.e. it has to be unique across all resource classes and domains.

Parameters:

resource - the resource for which to set the alternative identifier

externalId - a globally unique string identifier for the resource

Returns:

the fully resolved resource reference of the updated resource, i.e. with both resourceId and externalId

Throws:

NotAuthorizedException - if the session resource is not authorized to set the specified resource's externalId by having the *CREATE system permission

IllegalArgumentException - if another resource with externalId already exists, or if the specified resource has previously been associated with another externalId

deleteResource

boolean deleteResource(Resource obsoleteResource)

Deletes the specified resource.

Note this method performs a cascading delete of any permissions the obsolete resource has as an accessor resource OR as an accessed resource, before the specified resource is itself deleted.

Parameters:

obsoleteResource - the resource to be deleted

Returns:

true if the resource was deleted as a result of this call, false if the specified resource did not exist

Throws:

NotAuthorizedException - if the session resource is not authorized to delete the specified obsolete resource

setDomainCreatePermissions

void setDomainCreatePermissions(Resource accessorResource,
                              Set<DomainCreatePermission> domainCreatePermissions)

Sets the domain permissions the specified accessor resource will receive if it created a domain.

Note that the system-defined CREATE permission needs to be included in the specified set of domain create permissions, unless all permissions should be revoked.

Also note that this method replaces any direct domain create permissions previously granted, but does not affect any domain create permissions the specified accessor resource receives via inheritance.

Parameters:

accessorResource - the resource to which the privilege should be granted

domainCreatePermissions - the permissions to be granted to the specified domain

Throws:

IllegalArgumentException - if domainCreatePermissions does not contain the *CREATE permission, or if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not authorized to set domain create permissions on the specified accessor resource

grantDomainCreatePermissions

void grantDomainCreatePermissions(Resource accessorResource,
                                Set<DomainCreatePermission> domainCreatePermissions)

Adds to the set of domain permissions the specified accessor resource will receive if it created a domain.

Note that the system-defined CREATE permission needs to be included in the specified set of domain create permissions, unless the accessor has already been directly granted that privilege beforehand.

This method does not replace any domain create permissions previously granted, but can only add to the set, or upgrade an existing permission's granting rights. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setDomainCreatePermissions(com.acciente.oacc.Resource, java.util.Set<com.acciente.oacc.DomainCreatePermission>) to specify all direct create permissions.

If the accessor resource already has privileges that exceed the requested permission, the requested grant has no effect on the existing permission. If the accessor resource has an existing permission that is incompatible with the requested permission - a request for an ungrantable create permission with grantable post-create "(perm /G)" when accessor already has grantable create permission with ungrantable post-create "(perm) /G", or vice versa - this method will throw an IllegalArgumentException.

Parameters:

accessorResource - the resource to which the privilege should be granted

domainCreatePermissions - the permissions to be granted to the specified domain

Throws:

IllegalArgumentException - if domainCreatePermissions does not contain the *CREATE permission when the accessor resource does not have direct *CREATE permission already, or if accessorResource reference does not exist, or if domainCreatePermissions is empty, or if domainCreatePermissions contains multiple instances of the same system or post-create permission that only differ in the 'withGrant' attribute, or if a requested domain create permission is incompatible with an already existing permission as described above

NotAuthorizedException - if the session resource is not authorized to set domain create permissions on the specified accessor resource

grantDomainCreatePermissions

void grantDomainCreatePermissions(Resource accessorResource,
                                DomainCreatePermission domainCreatePermission,
                                DomainCreatePermission... domainCreatePermissions)

Adds to the set of domain permissions the specified accessor resource will receive if it created a domain.

Note that the system-defined CREATE permission needs to be included in the specified set of domain create permissions, unless the accessor has already been directly granted that privilege beforehand.

This method does not replace any domain create permissions previously granted, but can only add to the set, or upgrade an existing permission's granting rights. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setDomainCreatePermissions(com.acciente.oacc.Resource, java.util.Set<com.acciente.oacc.DomainCreatePermission>) to specify all direct create permissions.

If the accessor resource already has privileges that exceed the requested permission, the requested grant has no effect on the existing permission. If the accessor resource has an existing permission that is incompatible with the requested permission - a request for an ungrantable create permission with grantable post-create "(perm /G)" when accessor already has grantable create permission with ungrantable post-create "(perm) /G", or vice versa - this method will throw an IllegalArgumentException.

Parameters:

accessorResource - the resource to which the privilege should be granted

domainCreatePermission - the permission to be granted to the specified domain

domainCreatePermissions - the other (optional) permissions to be granted to the specified domain

Throws:

IllegalArgumentException - if domainCreatePermissions does not contain the *CREATE permission when the accessor resource does not have direct *CREATE permission already, or if accessorResource reference does not exist, or if domainCreatePermissions contains multiple instances of the same system or post-create permission that only differ in the 'withGrant' attribute, or if a requested domain create permission is incompatible with an already existing permission as described above

NotAuthorizedException - if the session resource is not authorized to set domain create permissions on the specified accessor resource

revokeDomainCreatePermissions

void revokeDomainCreatePermissions(Resource accessorResource,
                                 Set<DomainCreatePermission> domainCreatePermissions)

Revokes the specified direct domain permissions from set the specified accessor resource will receive if it created a domain.

This call does not change inherited domain create permissions the specified accessor resource currently is privileged to. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has for the permission currently!

Also note that after revoking the specified permissions, the remaining set of direct permissions must still contain the *CREATE system permission. Attempting to revoke a proper subset of the current direct permissions that includes the *CREATE permission will result in an IllegalArgumentException.

This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

domainCreatePermissions - the create permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if domainCreatePermissions is empty, or if domainCreatePermissions contains multiple instances of the same system or post-create permission that only differ in the 'withGrant' attribute, or if domainCreatePermissions contains *CREATE system permission and is a proper subset of the currently granted direct domain create permissions

NotAuthorizedException - if the session resource is not authorized to grant (in this case revoke) domain create permissions on the specified accessor resource

revokeDomainCreatePermissions

void revokeDomainCreatePermissions(Resource accessorResource,
                                 DomainCreatePermission domainCreatePermission,
                                 DomainCreatePermission... domainCreatePermissions)

Revokes the specified direct domain permissions from set the specified accessor resource will receive if it created a domain.

This call does not change inherited domain create permissions the specified accessor resource currently is privileged to. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has for the permission currently!

Also note that after revoking the specified permissions, the remaining set of direct permissions must still contain the *CREATE system permission. Attempting to revoke a proper subset of the current direct permissions that includes the *CREATE permission will result in an IllegalArgumentException.

This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

domainCreatePermission - the create permission to be revoked

domainCreatePermissions - the other (optional) create permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if domainCreatePermissions contains multiple instances of the same system or post-create permission that only differ in the 'withGrant' attribute, or if domainCreatePermissions contains *CREATE system permission and is a proper subset of the currently granted direct domain create permissions

NotAuthorizedException - if the session resource is not authorized to grant (in this case revoke) domain create permissions on the specified accessor resource

getDomainCreatePermissions

Set<DomainCreatePermission> getDomainCreatePermissions(Resource accessorResource)

Gets all direct domain create permissions the specified accessor resource has.

This method only takes into account direct domain create permissions and does not return the domain create permissions the specified accessor resource inherits from another resource.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

a set of direct domain create permission the accessor resource has

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveDomainCreatePermissions

Set<DomainCreatePermission> getEffectiveDomainCreatePermissions(Resource accessorResource)

Gets all effective domain create permissions the specified accessor resource has, both directly and inherited (from other resources).

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

a set of effective domain create permission the accessor resource has

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

setDomainPermissions

void setDomainPermissions(Resource accessorResource,
                        String domainName,
                        Set<DomainPermission> domainPermissions)

Sets the direct domain permissions the specified accessor resource has on the specified domain.

Note that this method overwrites any direct domain permissions to the specified domain that the accessor has, including permissions granted by other resources.

This call does not change inherited domain permissions the specified accessor resource has on the specified domain, or any domain permissions already granted on ancestors of the domain.

Parameters:

accessorResource - the resource to which the privilege should be granted

domainName - a string domain name

domainPermissions - the permissions to be granted on the specified domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not authorized to set domain permissions on the specified domain

grantDomainPermissions

void grantDomainPermissions(Resource accessorResource,
                          String domainName,
                          Set<DomainPermission> domainPermissions)

Adds to the direct domain permissions the specified accessor resource has on the specified domain.

This call does not change inherited domain permissions the specified accessor resource has on the specified domain, or any domain permissions already granted on ancestors of the domain. This method does not replace any domain permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setDomainPermissions(com.acciente.oacc.Resource, java.lang.String, java.util.Set<com.acciente.oacc.DomainPermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

domainName - a string domain name

domainPermissions - the permissions to be granted on the specified domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists, or if domainPermissions is empty, or if domainPermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to set domain permissions on the specified domain

grantDomainPermissions

void grantDomainPermissions(Resource accessorResource,
                          String domainName,
                          DomainPermission domainPermission,
                          DomainPermission... domainPermissions)

Adds to the direct domain permissions the specified accessor resource has on the specified domain.

This call does not change inherited domain permissions the specified accessor resource has on the specified domain, or any domain permissions already granted on ancestors of the domain. This method does not replace any domain permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setDomainPermissions(com.acciente.oacc.Resource, java.lang.String, java.util.Set<com.acciente.oacc.DomainPermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

domainName - a string domain name

domainPermission - the permission to be granted on the specified domain

domainPermissions - the other (optional) permissions to be granted on the specified domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists, or if domainPermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to set domain permissions on the specified domain

revokeDomainPermissions

void revokeDomainPermissions(Resource accessorResource,
                           String domainName,
                           Set<DomainPermission> domainPermissions)

Revokes the direct domain permissions from set the specified accessor resource has on the specified domain.

This call does not change inherited domain permissions the specified accessor resource has on the specified domain, or any domain permissions already granted on ancestors of the domain. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has on the accessed resource! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

domainName - a string domain name

domainPermissions - the permission to be revoked on the specified domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists, or if domainPermissions is empty, or if domainPermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) domain permissions on the specified domain

revokeDomainPermissions

void revokeDomainPermissions(Resource accessorResource,
                           String domainName,
                           DomainPermission domainPermission,
                           DomainPermission... domainPermissions)

Revokes the direct domain permissions from set the specified accessor resource has on the specified domain.

This call does not change inherited domain permissions the specified accessor resource has on the specified domain, or any domain permissions already granted on ancestors of the domain. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has on the accessed resource! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

domainName - a string domain name

domainPermission - the permission to be revoked on the specified domain

domainPermissions - the other (optional) permissions to be revoked on the specified domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists, or if domainPermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) domain permissions on the specified domain

getDomainPermissions

Set<DomainPermission> getDomainPermissions(Resource accessorResource,
                                         String domainName)

Gets all domain permissions the accessor resource has directly to the specified domain.

This method only takes into account direct domain permissions, but not any inherited domain permissions and not any domain permissions the accessor may have to ancestors of the specified domain.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

domainName - a string domain name

Returns:

the set of all direct domain permission the accessor resource has to the domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getDomainPermissionsMap

Map<String,Set<DomainPermission>> getDomainPermissionsMap(Resource accessorResource)

Gets all domain permissions the accessor resource has directly to any domain, mapped by domain name.

This method only takes into account direct domain permissions, but not any inherited domain permissions and not any domain permissions the accessor may have to ancestors of each domain. The result is returned as a map keyed by the domain name, where each value is the set of direct permissions for the domain name of the key.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

the sets of direct domain permission the accessor resource has to any domain, mapped by domain name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveDomainPermissions

Set<DomainPermission> getEffectiveDomainPermissions(Resource accessorResource,
                                                  String domainName)

Gets all effective domain permissions the accessor resource has to the specified domain.

This method takes into account direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges. In other words, this method will return the domain permissions the specified accessor resource has to the specified domain as a result of the permissions the accessor has on any ancestor (parent, or grandparent, etc.) of that domain.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

domainName - a string domain name

Returns:

the set of all effective domain permission the accessor resource has to the domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveDomainPermissionsMap

Map<String,Set<DomainPermission>> getEffectiveDomainPermissionsMap(Resource accessorResource)

Gets all effective domain permissions the accessor resource has to any domain, mapped by domain name.

This method takes into account direct domain permissions, inherited domain permissions and any domain permissions the accessor may have to ancestors of each domain, as well as any super-user privileges. The result is returned as a map keyed by the domain name, where each value is the set of permissions for the domain name of the key.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

the sets of effective domain permission the accessor resource has to any domain, mapped by domain name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

setResourceCreatePermissions

void setResourceCreatePermissions(Resource accessorResource,
                                String resourceClassName,
                                String domainName,
                                Set<ResourceCreatePermission> resourceCreatePermissions)

Sets the resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.

Note that the system-defined CREATE permission must be included in the specified set of resource create permissions, unless all permissions should be revoked.

Including the CREATE permission allows the accessor resource to create resources of the specified resource class and domain. But if the CREATE permission is the only one specified, then the accessor would not receive any direct permissions on the newly created resource. This is appropriate, for example, if the accessor would already obtain privileges to the newly created resource via global resource permissions, or if indeed the accessor should not receive any direct access to the newly created resource.

Also note that this method replaces any direct resource create permissions previously granted, but does not affect any resource create permissions the specified accessor resource receives via inheritance or from the specified domain's ancestors.

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

resourceCreatePermissions - a set of resource create permissions to be granted

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no domain of domainName exists, or if no resource class of resourceClassName exists, or if resourceCreatePermissions does not contain *CREATE permission, or if resourceCreatePermissions contains post-create permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourceCreatePermissions contains multiple instances of the same post-create permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to set resource create permissions on the specified accessor resource

grantResourceCreatePermissions

void grantResourceCreatePermissions(Resource accessorResource,
                                  String resourceClassName,
                                  String domainName,
                                  Set<ResourceCreatePermission> resourceCreatePermissions)

Adds to the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.

Note that the system-defined CREATE permission must be included in the specified set of resource create permissions, unless the accessor has already been directly granted that privilege beforehand.

Granting the CREATE permission allows the accessor resource to create resources of the specified resource class and domain. But if the CREATE permission is the only directly granted one, then the accessor would not receive any direct permissions on the newly created resource. This is appropriate, for example, if the accessor would already obtain privileges to the newly created resource via global resource permissions, or if indeed the accessor should not receive any direct access to the newly created resource.

This method does not replace any resource create permissions previously granted, but can only add to the set, or upgrade an existing permission's granting rights. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setResourceCreatePermissions(com.acciente.oacc.Resource, java.lang.String, java.lang.String, java.util.Set<com.acciente.oacc.ResourceCreatePermission>) to specify all direct create permissions

If the accessor resource already has privileges that exceed the requested permission, the requested grant has no effect on the existing permission. If the accessor resource has an existing permission that is incompatible with the requested permission - a request for an ungrantable create permission with grantable post-create "(perm /G)" when accessor already has grantable create permission with ungrantable post-create "(perm) /G", or vice versa - this method will throw an IllegalArgumentException.

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

resourceCreatePermissions - the resource create permissions to be granted

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no domain of domainName exists, or if no resource class of resourceClassName exists, or if resourceCreatePermissions is empty, or if resourceCreatePermissions does not contain *CREATE permission when the accessor resource does not have direct *CREATE permission already, or if resourceCreatePermissions contains post-create permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourceCreatePermissions contains multiple instances of the same post-create permission that only differ in the 'withGrant' attribute, or if a requested resource create permission is incompatible with an already existing permission as described above

NotAuthorizedException - if the session resource is not authorized to set resource create permissions on the specified accessor resource

grantResourceCreatePermissions

void grantResourceCreatePermissions(Resource accessorResource,
                                  String resourceClassName,
                                  String domainName,
                                  ResourceCreatePermission resourceCreatePermission,
                                  ResourceCreatePermission... resourceCreatePermissions)

Adds to the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.

Note that the system-defined CREATE permission must be included in the specified set of resource create permissions, unless the accessor has already been directly granted that privilege beforehand.

Granting the CREATE permission allows the accessor resource to create resources of the specified resource class and domain. But if the CREATE permission is the only directly granted one, then the accessor would not receive any direct permissions on the newly created resource. This is appropriate, for example, if the accessor would already obtain privileges to the newly created resource via global resource permissions, or if indeed the accessor should not receive any direct access to the newly created resource.

This method does not replace any resource create permissions previously granted, but can only add to the set, or upgrade an existing permission's granting rights. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setResourceCreatePermissions(com.acciente.oacc.Resource, java.lang.String, java.lang.String, java.util.Set<com.acciente.oacc.ResourceCreatePermission>) to specify all direct create permissions

If the accessor resource already has privileges that exceed the requested permission, the requested grant has no effect on the existing permission. If the accessor resource has an existing permission that is incompatible with the requested permission - a request for an ungrantable create permission with grantable post-create "(perm /G)" when accessor already has grantable create permission with ungrantable post-create "(perm) /G", or vice versa - this method will throw an IllegalArgumentException.

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

resourceCreatePermission - the resource create permission to be granted

resourceCreatePermissions - the other (optional) resource create permissions to be granted

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no domain of domainName exists, or if no resource class of resourceClassName exists, or if resourceCreatePermissions does not contain *CREATE permission when the accessor resource does not have direct *CREATE permission already, or if resourceCreatePermissions contains post-create permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourceCreatePermissions contains multiple instances of the same post-create permission that only differ in the 'withGrant' attribute, or if a requested resource create permission is incompatible with an already existing permission as described above

NotAuthorizedException - if the session resource is not authorized to set resource create permissions on the specified accessor resource

revokeResourceCreatePermissions

void revokeResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourceCreatePermission> resourceCreatePermissions)

Revokes the specified permissions from the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.

This call does not change inherited resource create permissions the specified accessor resource currently is privileged to. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has for the permission currently!

Also note that after revoking the specified permissions, the remaining set of direct permissions must still contain the *CREATE system permission. Attempting to revoke a proper subset of the current direct permissions that includes the *CREATE permission will result in an IllegalArgumentException.

This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

resourceCreatePermissions - the resource create permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no domain of domainName exists, or if no resource class of resourceClassName exists, or if resourceCreatePermissions is empty, or if resourceCreatePermissions contains *CREATE system permission and is a proper subset of the currently granted direct resource create permissions, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourceCreatePermissions contains multiple instances of the same post-create permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) resource create permissions on the specified accessor resource

revokeResourceCreatePermissions

void revokeResourceCreatePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourceCreatePermission resourceCreatePermission,
                                   ResourceCreatePermission... resourceCreatePermissions)

Revokes the specified permissions from the set of resource permissions the specified accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain.

This call does not change inherited resource create permissions the specified accessor resource currently is privileged to. Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has for the permission currently!

Also note that after revoking the specified permissions, the remaining set of direct permissions must still contain the *CREATE system permission. Attempting to revoke a proper subset of the current direct permissions that includes the *CREATE permission will result in an IllegalArgumentException.

This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

resourceCreatePermission - the resource create permission to be revoked

resourceCreatePermissions - the other (optional) resource create permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no domain of domainName exists, or if no resource class of resourceClassName exists, or if resourceCreatePermissions contains *CREATE system permission and is a proper subset of the currently granted direct resource create permissions, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourceCreatePermissions contains multiple instances of the same post-create permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) resource create permissions on the specified accessor resource

getResourceCreatePermissions

Set<ResourceCreatePermission> getResourceCreatePermissions(Resource accessorResource,
                                                         String resourceClassName,
                                                         String domainName)

Gets all direct resource create permissions the accessor resource has to the specified resource class in the specified domain (which define a subset of the resource permissions the accessor resource would receive directly, if it created a resource of the specified resource class in the specified domain).

This method only takes into account direct resource create permissions, but not inherited resource create permissions and not any resource create permissions the accessor may have to ancestors of the specified domain.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

Returns:

a set of direct resource create permissions

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveResourceCreatePermissions

Set<ResourceCreatePermission> getEffectiveResourceCreatePermissions(Resource accessorResource,
                                                                  String resourceClassName,
                                                                  String domainName)

Gets all effective resource create permissions the accessor resource has to the specified resource class in the specified domain (which effectively define the resource permissions the accessor resource will receive directly, if it created a resource of the specified resource class in the specified domain).

This method takes into account direct resource create permissions, inherited resource create permissions and any resource create permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

resourceClassName - a string resource class name

domainName - a string representing a valid domain name

Returns:

a set of effective resource create permissions

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getResourceCreatePermissionsMap

Map<String,Map<String,Set<ResourceCreatePermission>>> getResourceCreatePermissionsMap(Resource accessorResource)

Gets all direct resource create permissions the accessor resource has to any resource class in any domain, mapped by domain name and resource class name.

Direct resource create permissions make up a subset of the resource permissions the accessor resource will receive directly, if it created a resource of a resource class in a domain.

This method only takes into account direct resource create permissions, but not inherited resource create permissions and not any resource create permissions the accessor may have to ancestors of each domain.

The result is returned as a map keyed by the domain name, where each value is another map keyed by resource class name, in which each value is the set of direct resource create permissions for the resource class and domain name of the respective keys.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

a map of maps of direct resource create permissions, keyed by domain name and resource class name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveResourceCreatePermissionsMap

Map<String,Map<String,Set<ResourceCreatePermission>>> getEffectiveResourceCreatePermissionsMap(Resource accessorResource)

Gets all effective resource create permissions the accessor resource has to any resource class in any domain, mapped by domain name and resource class name.

Resource create permissions effectively define the resource permissions the accessor resource will receive directly, if it created a resource of a resource class in a domain.

This method takes into account direct resource create permissions, inherited resource create permissions and any resource create permissions the accessor may have to ancestors of each domain, as well as any super-user privileges.

The result is returned as a map keyed by the domain name, where each value is another map keyed by resource class name, in which each value is the set of resource create permissions for the resource class and domain name of the respective keys.

Parameters:

accessorResource - the accessor resource relative which permissions should be returned

Returns:

a map of maps of effective resource create permissions, keyed by domain name and resource class name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

setResourcePermissions

void setResourcePermissions(Resource accessorResource,
                          Resource accessedResource,
                          Set<ResourcePermission> resourcePermissions)

Sets the specified resource permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.

This method replaces any direct resource permissions previously granted, but does not affect any resource permissions the specified accessor resource receives via inheritance.

Parameters:

accessorResource - the resource to which the privilege should be granted

accessedResource - the resource on which the privilege is granted

resourcePermissions - a set of resource permissions to be granted

Throws:

IllegalArgumentException - if accessorResource or accessedResource reference does not exist, or if resourcePermissions contains permissions invalid for resource class of the accessedResource(incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant the specified permissions or revoke the current permissions on the specified accessed resource

OaccException - if granting the specified permissions would introduce a cycle between accessor and accessed resource via permission inheritance

grantResourcePermissions

void grantResourcePermissions(Resource accessorResource,
                            Resource accessedResource,
                            Set<ResourcePermission> resourcePermissions)

Adds the specified resource permissions to the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.

This method does not replace any direct resource permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setResourcePermissions(com.acciente.oacc.Resource, com.acciente.oacc.Resource, java.util.Set<com.acciente.oacc.ResourcePermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

accessedResource - the resource on which the privilege is granted

resourcePermissions - the resource permission to be granted

Throws:

IllegalArgumentException - if accessorResource or accessedResource reference does not exist, or if resourcePermissions is empty, or if resourcePermissions contains permissions invalid for resource class of the accessedResource(incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant the specified permissions on the specified accessed resource

OaccException - if granting the specified permissions would introduce a cycle between accessor and accessed resource via permission inheritance

grantResourcePermissions

void grantResourcePermissions(Resource accessorResource,
                            Resource accessedResource,
                            ResourcePermission resourcePermission,
                            ResourcePermission... resourcePermissions)

Adds the specified resource permissions to the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.

This method does not replace any direct resource permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setResourcePermissions(com.acciente.oacc.Resource, com.acciente.oacc.Resource, java.util.Set<com.acciente.oacc.ResourcePermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

accessedResource - the resource on which the privilege is granted

resourcePermission - the resource permission to be granted

resourcePermissions - the other (optional) resource permissions to be granted

Throws:

IllegalArgumentException - if accessorResource or accessedResource reference does not exist, or if resourcePermissions contains permissions invalid for resource class of the accessedResource(incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant the specified permissions on the specified accessed resource

OaccException - if granting the specified permissions would introduce a cycle between accessor and accessed resource via permission inheritance

revokeResourcePermissions

void revokeResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             Set<ResourcePermission> resourcePermissions)

Revokes the specified resource permissions from the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.

Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has on the accessed resource! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

accessedResource - the resource on which the privilege was originally granted

resourcePermissions - the resource permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource or accessedResource reference does not exist, or if resourcePermissions is empty, or if resourcePermissions contains permissions invalid for resource class of the accessedResource(incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) the specified permissions on the specified accessed resource

revokeResourcePermissions

void revokeResourcePermissions(Resource accessorResource,
                             Resource accessedResource,
                             ResourcePermission resourcePermission,
                             ResourcePermission... resourcePermissions)

Revokes the specified resource permissions from the set of permissions that the specified accessor resource has to the specified accessed resource directly, that is not via inheritance or globally.

Note that this method revokes the specified permission regardless of any specified granting right and regardless of the granting right the accessor has on the accessed resource! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

accessedResource - the resource on which the privilege was originally granted

resourcePermission - the resource permission to be revoked

resourcePermissions - the other (optional) resource permissions to be revoked

Throws:

IllegalArgumentException - if accessorResource or accessedResource reference does not exist, or if resourcePermissions contains permissions invalid for resource class of the accessedResource(incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) the specified permissions on the specified accessed resource

getResourcePermissions

Set<ResourcePermission> getResourcePermissions(Resource accessorResource,
                                             Resource accessedResource)

Gets the resource permissions that the specified accessor resource has directly to the specified accessed resource.

This method only takes into account direct permissions, but not inherited and not global permissions of the specified accessor resource.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

accessedResource - the resource on which the privileges were granted

Returns:

a set of direct resource permissions

Throws:

IllegalArgumentException - if accessorResource or accessedResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveResourcePermissions

Set<ResourcePermission> getEffectiveResourcePermissions(Resource accessorResource,
                                                      Resource accessedResource)

Gets the effective resource permissions that the specified accessor resource has to the specified accessed resource.

This method takes into account direct, inherited and global permissions of the specified accessor resource, as well as any super-user privileges.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

accessedResource - the resource on which the privileges were granted

Returns:

a set of effective resource permissions

Throws:

IllegalArgumentException - if accessorResource or accessedResource does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

setGlobalResourcePermissions

void setGlobalResourcePermissions(Resource accessorResource,
                                String resourceClassName,
                                String domainName,
                                Set<ResourcePermission> resourcePermissions)

Sets the global resource permissions a resource has on any resource of the specified resource class in the specified domain.

Global resource permissions are resource permissions that are defined on a resource class for a given domain and thus apply to any and all resources of that resource class and domain. They are not associated directly with every individual resource of that resource class and domain!

Note that the system-defined CREATE resource permission can NOT be set as a global resource permission, because it would be nonsensical. Currently the system-defined INHERIT resource permission may also not be set as a global resource permission.

This method replaces any direct global resource permissions previously granted, but does not affect any global resource permissions the specified accessor resource receives via inheritance or from the specified domain's ancestors.

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string domain name

resourcePermissions - the set of resource permissions to be granted globally to the specified resource class and domain

Throws:

IllegalArgumentException - if accessorResource reference is invalid, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if resourcePermissions contains INHERIT permission, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to set global resource permissions for the specified accessor resource

grantGlobalResourcePermissions

void grantGlobalResourcePermissions(Resource accessorResource,
                                  String resourceClassName,
                                  String domainName,
                                  Set<ResourcePermission> resourcePermissions)

Adds the global resource permissions a resource has on any resource of the specified resource class in the specified domain.

Global resource permissions are resource permissions that are defined on a resource class for a given domain and thus apply to any and all resources of that resource class and domain. They are not associated directly with every individual resource of that resource class and domain!

Note that the system-defined CREATE resource permission can NOT be set as a global resource permission, because it would be nonsensical. Currently the system-defined INHERIT resource permission may also not be set as a global resource permission.

This method does not replace any global resource permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setGlobalResourcePermissions(com.acciente.oacc.Resource, java.lang.String, java.lang.String, java.util.Set<com.acciente.oacc.ResourcePermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string domain name

resourcePermissions - the resource permission to be granted globally to the specified resource class and domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if resourcePermissions is empty, or if resourcePermissions contains INHERIT permission, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant the specified permissions on the specified resource class and domain

grantGlobalResourcePermissions

void grantGlobalResourcePermissions(Resource accessorResource,
                                  String resourceClassName,
                                  String domainName,
                                  ResourcePermission resourcePermission,
                                  ResourcePermission... resourcePermissions)

Adds the global resource permissions a resource has on any resource of the specified resource class in the specified domain.

Global resource permissions are resource permissions that are defined on a resource class for a given domain and thus apply to any and all resources of that resource class and domain. They are not associated directly with every individual resource of that resource class and domain!

Note that the system-defined CREATE resource permission can NOT be set as a global resource permission, because it would be nonsensical. Currently the system-defined INHERIT resource permission may also not be set as a global resource permission.

This method does not replace any global resource permissions previously granted, but can only add to the set. Furthermore, removing the 'withGrant' option from an existing permission is not possible with this method alone - revoke the permission first, then re-grant without the 'withGrant' option, or use setGlobalResourcePermissions(com.acciente.oacc.Resource, java.lang.String, java.lang.String, java.util.Set<com.acciente.oacc.ResourcePermission>) to specify all direct permissions

Parameters:

accessorResource - the resource to which the privilege should be granted

resourceClassName - a string resource class name

domainName - a string domain name

resourcePermission - the resource permission to be granted globally to the specified resource class and domain

resourcePermissions - the other (optional) resource permissions to be granted globally

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if resourcePermissions contains INHERIT permission, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant the specified permissions on the specified resource class and domain

revokeGlobalResourcePermissions

void revokeGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   Set<ResourcePermission> resourcePermissions)

Revokes the global resource permissions a resource has on any resource of the specified resource class in the specified domain.

Note that this method revokes the specified permission(s) regardless of any specified granting right and regardless of the granting right the accessor currently has on the specified global permission! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

resourceClassName - a string resource class name

domainName - a string domain name

resourcePermissions - the resource permissions to be revoked globally from the specified resource class and domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if resourcePermissions is empty, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) the specified permissions on the specified resource class and domain

revokeGlobalResourcePermissions

void revokeGlobalResourcePermissions(Resource accessorResource,
                                   String resourceClassName,
                                   String domainName,
                                   ResourcePermission resourcePermission,
                                   ResourcePermission... resourcePermissions)

Revokes the global resource permissions a resource has on any resource of the specified resource class in the specified domain.

Note that this method revokes the specified permission(s) regardless of any specified granting right and regardless of the granting right the accessor currently has on the specified global permission! This method is idempotent, that is, when a specified permission is no longer granted, repeated calls to this method will have no effect.

Parameters:

accessorResource - the resource from which the privilege should be revoked

resourceClassName - a string resource class name

domainName - a string domain name

resourcePermission - the resource permission to be revoked globally from the specified resource class and domain

resourcePermissions - the other (optional) resource permissions to be revoked globally

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists, or if resourcePermissions contains permissions invalid for the specified resource class (incl. RESET-CREDENTIALS or IMPERSONATE for unauthenticatable resource classes), or if resourcePermissions contains multiple instances of the same permission that only differ in the 'withGrant' attribute

NotAuthorizedException - if the session resource is not authorized to grant (or in this case revoke) the specified permissions on the specified resource class and domain

getGlobalResourcePermissions

Set<ResourcePermission> getGlobalResourcePermissions(Resource accessorResource,
                                                   String resourceClassName,
                                                   String domainName)

Gets the global resource permissions the specified accessor resource has directly to the resources of the specified resource class in the specified domain.

This method only takes into account direct global resource permissions, but not inherited global resource permissions and not any global resource permissions the accessor may have to ancestors of the specified domain.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

resourceClassName - a string resource class name

domainName - a string domain name

Returns:

a set of direct global resource permissions the accessor resource has to resources in the specified resource class and domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveGlobalResourcePermissions

Set<ResourcePermission> getEffectiveGlobalResourcePermissions(Resource accessorResource,
                                                            String resourceClassName,
                                                            String domainName)

Gets the effective global resource permissions the specified accessor resource has to the resources of the specified resource class in the specified domain.

This method takes into account direct global resource permissions, inherited global resource permissions and any global resource permissions the accessor may have to ancestors of the specified domain, as well as any super-user privileges.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

resourceClassName - a string resource class name

domainName - a string domain name

Returns:

a set of effective global resource permissions the accessor resource has to resources in the specified resource class and domain

Throws:

IllegalArgumentException - if accessorResource reference does not exist, or if no resource class of resourceClassName exists, or if no domain of domainName exists

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getGlobalResourcePermissionsMap

Map<String,Map<String,Set<ResourcePermission>>> getGlobalResourcePermissionsMap(Resource accessorResource)

Gets all global resource permissions the specified accessor resource has directly to any resources of any resource class in any domain, mapped by domain name and resource class name.

This method only takes into account direct global resource permissions, but not inherited global resource permissions and not any global resource permissions the accessor may have to ancestors of each domain.

The result is returned as a map keyed by the domain name, where each value is another map keyed by resource class name, in which each value is the set of global resource permissions for the resource class and domain name of the respective keys.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

Returns:

a map of maps of all direct global resource permissions the accessor resource has, keyed by domain name and resource class name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)

getEffectiveGlobalResourcePermissionsMap

Map<String,Map<String,Set<ResourcePermission>>> getEffectiveGlobalResourcePermissionsMap(Resource accessorResource)

Gets all effective global resource permissions the specified accessor resource has to the resources of the any resource class in any domain, mapped by domain name and resource class name.

This method takes into account direct global resource permissions, inherited global resource permissions and any global resource permissions the accessor may have to ancestors of each domain, as well as any super-user privileges.

The result is returned as a map keyed by the domain name, where each value is another map keyed by resource class name, in which each value is the set of global resource permissions for the resource class and domain name of the respective keys.

Parameters:

accessorResource - the resource relative to which the permissions should be returned

Returns:

a map of maps of all effective global resource permissions the accessor resource has, keyed by domain name and resource class name

Throws:

IllegalArgumentException - if accessorResource reference does not exist

NotAuthorizedException - if the session resource is not the accessor resource and the session resource does not have query authorization on the accessor resource (explicitly via QUERY or implicitly via IMPERSONATE permissions)