Package cz.metacentrum.perun.core.api

Class RoleManagementRules

java.lang.Object
cz.metacentrum.perun.core.api.RoleManagementRules
public class RoleManagementRules extends Object
RoleManagementRules represents a set of rules which is used to determine principal's access rights for managing and reading a role. Moreover, it contains allowed combinations of object and entity to/from which will be the role un/assigned and related roles which can also read attribute value if the role can. Each object and entity also contains a mapping to the specific column in the authz table, so the database query can be created and executed more generally.

roleName is role's unique identification which is used in the configuration file perun-roles.yml primaryObject serves to determine with which object is the role primarily connected. Other objects are just complementary. privilegedRolesToManage serves to determine which roles (in relation to which objects) a user/group has to have, to have rights to set/unset the role to other users/groups. It is a list of maps where each map entry consists from a role name as a key and a role object as a value. Relation between each map in the list is logical OR and relation between each entry in the map is logical AND. Example list - (Map1, Map2...) Example map - key: VOADMIN ; value: Vo key: GROUPADMIN ; value: Group privilegedRolesToRead is same as the privilegedRolesToManage, but its purpose is to determine which roles have rights to read the roleName. entitiesToManage is a map of entities which can be set to the role. Key is a entity name and value is mapping to the database. Example entry: key: User; value: user_id assignedObjects is a map of objects which can be assigned with the role. Key is a object name and value is mapping to the database. Example entry: key: Resource; value: resource_id assignmentCheck is a list of maps defining which of the assigned objects should be checked for being critical (requiring MFA) when setting the role. Example entry: key: MFA; value: Resource invalid input: '<'- If resource is critical, MFA is required Example entry: {} invalid input: '<'- No MFA is required to set this role Example entry: Key: MFA; value: invalid input: '<'- No value means MFA is always required to set this role associatedReadRoles is a list of related roles which are authorized to read attribute value if the main role is authorized. Example list for groupadmin role - value: [GROUPOBSERVER] assignableToAttributes is a flag that determines whether the role can appear in attribute policies. skipMFA is a flag that whether the role should skip MFA check. mfaCriticalRole is a flag marking roles always requiring MFA from users having that role displayName is a more user-friendly name receiveNotifications contains names of objects for which the role should get notifications Example value: Vo ; meaning: will receive notifications when vo application is created/failed

  • Constructor Details

  • Method Details

    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object

    • getAssignedObjects

      public Map<String,String> getAssignedObjects()

    • setAssignedObjects

      public void setAssignedObjects(Map<String,String> assignedObjects)

    • getAssignmentCheck

      public List<Map<String,String>> getAssignmentCheck()

    • setAssignmentCheck

      public void setAssignmentCheck(List<Map<String,String>> assignmentCheck)

    • getAssociatedReadRoles

      public List<String> getAssociatedReadRoles()

    • setAssociatedReadRoles

      public void setAssociatedReadRoles(List<String> associatedReadRoles)

    • getDisplayName

      public String getDisplayName()

    • setDisplayName

      public void setDisplayName(String displayName)

    • getEntitiesToManage

      public Map<String,String> getEntitiesToManage()

    • setEntitiesToManage

      public void setEntitiesToManage(Map<String,String> entitiesToManage)

    • getPrimaryObject

      public String getPrimaryObject()

    • setPrimaryObject

      public void setPrimaryObject(String primaryObject)

    • getPrivilegedRolesToManage

      public List<Map<String,String>> getPrivilegedRolesToManage()

    • setPrivilegedRolesToManage

      public void setPrivilegedRolesToManage(List<Map<String,String>> privilegedRolesToManage)

    • getPrivilegedRolesToRead

      public List<Map<String,String>> getPrivilegedRolesToRead()

    • setPrivilegedRolesToRead

      public void setPrivilegedRolesToRead(List<Map<String,String>> privilegedRolesToRead)

    • getReceiveNotifications

      public List<String> getReceiveNotifications()

    • setReceiveNotifications

      public void setReceiveNotifications(List<String> receiveNotifications)

    • getRoleName

      public String getRoleName()

    • setRoleName

      public void setRoleName(String roleName)

    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object

    • isAssignableToAttributes

      public boolean isAssignableToAttributes()

    • setAssignableToAttributes

      public void setAssignableToAttributes(boolean assignableToAttributes)

    • isMfaCriticalRole

      public boolean isMfaCriticalRole()

    • setMfaCriticalRole

      public void setMfaCriticalRole(boolean mfaCriticalRole)

    • setSkipMFA

      public void setSkipMFA(boolean skipMFA)

    • getSkipMFA

      public boolean getSkipMFA()

    • toString

      public String toString()
      Overrides:
      toString in class Object