Internal Authorization Service
The Internal Authorization Service is used for making internal evaluations, such as assertions against predefined roles and permissions. Predefined roles include administrators and service users who require specific capabilities, such as creating certain types of objects in certain locations.
This service includes utilities for switching permission assignments, and asserting CRUD operations (the affects) against Group, Data, and Role types (the participations) for Users, Accounts, Persons, and Roles (the participants).
The Internal Authorization Service is fairly straightforward to use. Most methods are strongly typed and can be used to check specific access.
The following is an example of how the service is used.
- Given some UserType userA,
- And, given some DirectoryGroupType directoryA,
- Check to see if userA can view directoryA: boolean canView = AuthorizationService.canViewGroup(userA, directoryA);
Within the service, the logic pattern used by canViewGroup is consistent across most of the predefined CRUD operation checks:
- Does userA own directoryA?
- Is directoryA a DATA or BUCKET group and is userA a data administrator in directoryA's organization?
- Is directoryA an ACCOUNT group and is userA an account administrator in directoryA's organization?
- Is the user in the GroupReaderRole in directoryA's organization?
- Is the user Effectively Authorized with the ViewGroup permission for directoryA in directoryA's organization? The ViewGroup permission may have been directly assigned to userA on directoryA, or userA may be in a role directly or indirectly affected by the ViewGroup permission for directoryA.
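The decision chain above, worked through as an added example; this is not the project's own code, and the type names (User, Group, RoleMembership and so on), the role names DataAdministrator and AccountAdministrator, and the way nested roles are stored are all assumptions made here to keep the example self-contained. Each check is evaluated in the order the text lists them, and the last one walks role nesting so that a grant to a containing role reaches the users of its member roles.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

// Assumed stand-ins for the service's model types (not the real UserType/DirectoryGroupType).
enum GroupKind { DATA, BUCKET, ACCOUNT, OTHER }
enum Permission { VIEW_GROUP }

record User(String name) {}
record Group(String name, GroupKind kind, String org, String owner) {}
// A role assignment is scoped to an organization ("in directoryA's organization").
record RoleMembership(String user, String role, String org) {}
// memberRole is contained in containingRole; grants to the containing role reach it indirectly.
record RoleNesting(String memberRole, String containingRole, String org) {}
// Permission grants against a group, either directly to a user or to a role.
record UserGrant(String user, Permission permission, String group) {}
record RoleGrant(String role, Permission permission, String group) {}

class GroupViewAuthorizer {
    // Assumed names for the predefined roles the text refers to.
    static final String DATA_ADMIN = "DataAdministrator";
    static final String ACCOUNT_ADMIN = "AccountAdministrator";
    static final String GROUP_READER = "GroupReaderRole";

    private final Set<RoleMembership> memberships;
    private final Set<RoleNesting> nestings;
    private final Set<UserGrant> userGrants;
    private final Set<RoleGrant> roleGrants;

    GroupViewAuthorizer(Set<RoleMembership> memberships, Set<RoleNesting> nestings,
                        Set<UserGrant> userGrants, Set<RoleGrant> roleGrants) {
        this.memberships = memberships;
        this.nestings = nestings;
        this.userGrants = userGrants;
        this.roleGrants = roleGrants;
    }

    boolean canViewGroup(User user, Group group) {
        // 1. Ownership short-circuits every other check.
        if (group.owner().equals(user.name())) return true;
        // 2. Data administrators of the organization may view DATA and BUCKET groups.
        if ((group.kind() == GroupKind.DATA || group.kind() == GroupKind.BUCKET)
                && hasRole(user, DATA_ADMIN, group.org())) return true;
        // 3. Account administrators of the organization may view ACCOUNT groups.
        if (group.kind() == GroupKind.ACCOUNT && hasRole(user, ACCOUNT_ADMIN, group.org())) return true;
        // 4. Members of the organization's GroupReaderRole may view any group in it.
        if (hasRole(user, GROUP_READER, group.org())) return true;
        // 5. Effective authorization: a direct ViewGroup grant, or a grant to any role the
        //    user holds directly or through nesting.
        return isEffectivelyAuthorized(user, Permission.VIEW_GROUP, group);
    }

    private boolean hasRole(User user, String role, String org) {
        return memberships.contains(new RoleMembership(user.name(), role, org));
    }

    private boolean isEffectivelyAuthorized(User user, Permission perm, Group group) {
        if (userGrants.contains(new UserGrant(user.name(), perm, group.name()))) return true;
        for (String role : effectiveRoles(user, group.org())) {
            if (roleGrants.contains(new RoleGrant(role, perm, group.name()))) return true;
        }
        return false;
    }

    // Roles held directly plus every role reachable by following member -> containing edges in this org.
    private Set<String> effectiveRoles(User user, String org) {
        Set<String> seen = new HashSet<>();
        Deque<String> work = new ArrayDeque<>();
        for (RoleMembership m : memberships) {
            if (m.user().equals(user.name()) && m.org().equals(org)) work.add(m.role());
        }
        while (!work.isEmpty()) {
            String role = work.pop();
            if (!seen.add(role)) continue; // already expanded; also guards against nesting cycles
            for (RoleNesting n : nestings) {
                if (n.memberRole().equals(role) && n.org().equals(org)) work.add(n.containingRole());
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample data: one DATA group in orgA and a handful of users.
        Group directoryA = new Group("directoryA", GroupKind.DATA, "orgA", "owner");
        GroupViewAuthorizer auth = new GroupViewAuthorizer(
            Set.of(new RoleMembership("dataAdmin", DATA_ADMIN, "orgA"),
                   new RoleMembership("acctAdmin", ACCOUNT_ADMIN, "orgA"),
                   new RoleMembership("reader", GROUP_READER, "orgA"),
                   new RoleMembership("userA", "Analysts", "orgA")),
            Set.of(new RoleNesting("Analysts", "Reviewers", "orgA")),
            Set.of(new UserGrant("userB", Permission.VIEW_GROUP, "directoryA")),
            Set.of(new RoleGrant("Reviewers", Permission.VIEW_GROUP, "directoryA")));

        for (String name : new String[] {"owner", "dataAdmin", "acctAdmin", "reader", "userA", "userB", "stranger"}) {
            System.out.println(name + " canViewGroup(directoryA) = " + auth.canViewGroup(new User(name), directoryA));
        }
        // Expected: owner, dataAdmin, reader, userA (via Analysts -> Reviewers) and userB are
        // authorized; acctAdmin is not (DATA group, not ACCOUNT) and stranger is not.
    }
}
```

The role walk in effectiveRoles is what makes the "directly or indirectly" part of the last check hold: userA is never granted ViewGroup and is not in Reviewers, yet the grant to Reviewers reaches userA because Analysts is nested in Reviewers within the same organization. The visited set also stops a mis-configured nesting cycle from looping forever.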
Except in some holdover cases, the Internal Authorization Service should not be querying for participations (refer to the Account Manager Participation Access Control page).
The following example demonstrates how the Internal Authorization Service can be used to assert whether a particular role is able to view a specified data entity.
DataType data = ...;
BaseRoleType role = ...;
boolean canView = AuthorizationService.canViewData(role, data);