Permissions Data Structures
Introduction
A permission is an assignment, to a subject, of an action on a resource. For example, the subject is John Smith, the action is READ, and the resource is org1234.
Permission objects
    PermissionResource {
        uri id
        string uuid
        string displayName
        string description
    }

    PermissionResourceLookup {
        uri id
        string uuid
    }

    PermissionAssignment {
        PermissionResourceLookup permissionResourceLookup
        String action
        Subject subject
    }
...
Renaming Considerations
When a permission resource is renamed, future retrievals by the old name (id) may result in an indication that the permission resource has moved, together with the id of the new name. To access a new permission resource that has since been created at the old name, the request must be qualified so that it is not resolved as the moved resource.
...
    boolean hasPermission(PermissionResourceLookup permissionResourceLookup, Subject subject, String action, enum immediacy=any)

Input
- permissionResourceLookup: PermissionResourceLookup object
- subject: Subject object
- action: Action qualifier (XXX: the set of actions is still to be specified)
- immediacy: Constraint on the search for the subject as an immediate, nonimmediate, or any type of assignment (XXX: still to be specified)
...
    SubjectList getMembers(PermissionResourceLookup permissionResourceLookup, String action, enum immediacy=any)

Input
- permissionResourceLookup: PermissionResourceLookup object
- action: Action qualifier
- immediacy: Constraint on the search for subjects as immediate, nonimmediate, or any type of assignment
...
    boolean assignPermission(PermissionResourceLookup permissionResourceLookup, String action, Subject subject, bool addOnly=false)

Input
- permissionResourceLookup: PermissionResourceLookup object
- action: qualifies the assignment
- subject: Subject object
- addOnly: If true, assignPermission() fails if the subject is already assigned that action on the permission resource.
...
    boolean unassignPermission(PermissionResourceLookup permissionResourceLookup, String action, Subject subject, bool removeOnly=false)

Input
- permissionResourceLookup: PermissionResourceLookup object
- action: qualifies the assignment
- subject: Subject object
- removeOnly: If true, unassignPermission() fails if the subject is not currently assigned that action on the permission resource.
...
Example call, checking whether subject 12345678 holds READ on the named permission resource through any type of assignment:

    hasPermission("permission:edu:permission:fifer:groupPrivileges:groups:some:group", "12345678", "READ", "any")

There would be some specified actions and what they mean, e.g.:
- VIEW: can see that the permission resource exists
- READ: can see permission assignments (implies VIEW)
- UPDATE: can assign/unassign the permissions (implies VIEW)
- ADMIN: can rename / delete / edit the permission resource (implies READ, VIEW, and UPDATE)
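The following in-memory model is an added example, not Fifer or Grouper project code. It ties together the Renaming Considerations above and the hasPermission / getMembers / assignPermission / unassignPermission signatures with the action implications just listed: a rename keeps the stable uuid, an unqualified lookup by the old name raises the "moved" indication carrying the new id, and the addOnly / removeOnly flags make the assign and unassign calls fail instead of silently succeeding. Everything not on the page is an assumption for illustration: the PermissionStore and MovedError names, that a uuid in the lookup is what makes a request "qualified", and that a nonimmediate assignment means one held through a group (modelled as a Subject with a non-empty members set, one level deep).

```python
from dataclasses import dataclass, field
import uuid as uuidlib

# Action implication from the page: READ->VIEW, UPDATE->VIEW, ADMIN->READ,VIEW,UPDATE
IMPLIES = {"VIEW": set(), "READ": {"VIEW"}, "UPDATE": {"VIEW"},
           "ADMIN": {"READ", "VIEW", "UPDATE"}}

def expand(action):
    """`action` plus everything it implies, transitively."""
    return {action}.union(*(expand(a) for a in IMPLIES.get(action, ())))

def granting(action):
    """Actions whose assignment confers `action` (the reverse of expand)."""
    return {a for a in IMPLIES if action in expand(a)}

@dataclass
class PermissionResource:
    id: str               # name-based id (uri); changes on rename
    uuid: str             # stable identifier; survives rename
    displayName: str = ""
    description: str = ""

@dataclass
class PermissionResourceLookup:
    id: str = None        # unqualified lookup by name
    uuid: str = None      # qualified lookup (assumption: the uuid is the qualifier)

@dataclass
class Subject:
    id: str
    members: set = field(default_factory=set)  # assumption: non-empty => a group

class MovedError(Exception):
    """The 'has moved' indication for a renamed id; args[0] is the new id."""

class PermissionStore:
    def __init__(self, subjects=()):
        self.subjects = {s.id: s for s in subjects}
        self.by_uuid, self.by_id, self.moved = {}, {}, {}
        self.assignments = set()  # (resource uuid, action, subject id)

    def create(self, id, displayName="", description=""):
        res = PermissionResource(id, str(uuidlib.uuid4()), displayName, description)
        self.by_uuid[res.uuid] = self.by_id[id] = res
        return res

    def rename(self, uuid, new_id):
        res = self.by_uuid[uuid]
        self.moved[res.id] = new_id          # the old name now points at the new one
        del self.by_id[res.id]
        res.id = new_id
        self.by_id[new_id] = res

    def lookup(self, lk):
        """uuid wins; an unqualified old name gets the moved indication even once a
        new resource exists at that name, so reaching that one needs a qualified request."""
        if lk.uuid is not None:
            return self.by_uuid[lk.uuid]
        if lk.id in self.moved:
            raise MovedError(self.moved[lk.id])
        return self.by_id[lk.id]

    def _groups_of(self, subject_id):
        """Ids of groups whose members include subject_id (assumption: one level deep)."""
        return {g.id for g in self.subjects.values() if subject_id in g.members}

    def _holders(self, res, action):
        """Subject ids directly assigned any action that confers `action`."""
        return {s for (u, a, s) in self.assignments
                if u == res.uuid and a in granting(action)}

    def getMembers(self, lk, action, immediacy="any"):
        direct = self._holders(self.lookup(lk), action)
        via_group = {s for s in self.subjects if self._groups_of(s) & direct}
        return sorted({"immediate": direct, "nonimmediate": via_group,
                       "any": direct | via_group}[immediacy])

    def hasPermission(self, lk, subject, action, immediacy="any"):
        return subject.id in self.getMembers(lk, action, immediacy)

    def assignPermission(self, lk, action, subject, addOnly=False):
        key = (self.lookup(lk).uuid, action, subject.id)
        if addOnly and key in self.assignments:
            return False                     # already assigned: addOnly makes this fail
        self.assignments.add(key)
        return True

    def unassignPermission(self, lk, action, subject, removeOnly=False):
        key = (self.lookup(lk).uuid, action, subject.id)
        if removeOnly and key not in self.assignments:
            return False                     # not assigned: removeOnly makes this fail
        self.assignments.discard(key)
        return True
```

Assignments are keyed by the resource uuid rather than its name, which is what makes them survive a rename; a caller that cached the old name gets MovedError on its next request and has to re-resolve, while a caller holding the uuid continues unaffected. hasPermission answers through getMembers so that both calls agree on what "immediate", "nonimmediate" and "any" mean.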