Page Comparison

Permissions Data Structures

Introduction

A permission is an assignment to a subject of a resource and action. e.g. the subject is John Smith, the action is READ, and the resource is org1234.

Permission objects

Code Block

PermissionPermissionResource {
  uri    id
  string uuid
  string displayName
  string description
}

PermissionLookupPermissionResourceLookup {
  uri    id
  string uuid
}

PermissionAssignment {
 PermissionLookup PermissionResourceLookup permissionLookuppermissionResourceLookup
  String action
  Subject subject
}

...

Renaming Considerations

When a permission resource is renamed, future retrievals of the old name (id) may result in an indication that the permission resource has moved and the id of the new name. To access a new group at the old name, the request must be qualified.

...

Code Block
boolean hasPermission(PermissionLookupPermissionResourceLookup permissionLookuppermissionResourceLookup, Subject subject, String action, enum immediacy=any)

Input

permissionLookuppermissionResourceLookup: PermissionLookup PermissionResourceLookup object
subject: Subject objectpermissionLookup
action: PermissionLookup objectXXX ?
immediacy: Constraint on search for subject as an immediate, nonimmediate, or any type of assignment XXX?

Output

true if subject is an immediate or nonimmediate member (as specified) of group has the specified permission, false otherwise

Availability

...

Code Block
SubjectList getMembers(PermissionLookupPermissionResourceLookup permissionpermissionResourceLookup, String action, enum immediacy=any)

Input

permissionLookuppermissionResourceLookup: PermissionLookup PermissionResourceLookup object
action: Action qualifier
immediacy: Constraint on search for subject as an immediate, nonimmediate, or any member of group

...

subject: Subject object
action: (optional) qualifies the permission
immediacy: Constraint on search for subject as an immediate, nonimmediate, or any member of the relevant groups

Output

List of Group objects

Availability

Mandatory.

getPermissionsForSubject()

Code Block
PermissionAssignmentList getGroupsForPermission(Subject subject, String action, enum privilege)

Input

subject: Subject object
action: Action to qualify the assignment (optional)
privilege: Type of privilege to be checked for (privileges TBD)

Output

List of Group objects for which subject has privilegePermission Assignments

Availability

Mandatory.

assignPermission()

Code Block
boolean assignPermission(PermissionLookupPermissionResourceLookup permissionLookuppermissionResourceLookup, String action, Subject subject, bool addOnly=false)

Input

permissionLookuppermissionResourceLookup: PermissionLookup PermissionResourceLookup object
action: qualifies the assignment
subject: Subject object
addOnly: If true, addMember() fails if subject is already a member of groupID.

Output

true if assignment is successfully added or if addOnly is false and subject is already assigned to permissionID and action, false otherwise.

Availability

Optional. Data store may be read-only.

...

Code Block
boolean unassignPermission(PermissionLookupPermissionResourceLookup permissionLookuppermissionResourceLookup, String action, Subject subject, bool addOnly=false)

Input

permissionLookuppermissionResourceLookup: PermissionLookup PermissionResourceLookup object
action: qualifies the assignment
subject: Subject object
removeOnly: If true, addMemberunassignPermission() fails if subject is already not assigned to of permissionID for that action.

Output

true if assignment is successfully removed or if addOnly is false and subject is already assigned to permissionID and action, false otherwise.

Availability

Optional. Data store may be read-only.

Example of using permissions API for Group privileges

Part of the namespace would be reserved for fifer. e.g. to see if someone can see the membership of a group:

hasPermission("permission:edu:permission:fifer:groupPrivileges:groups:some:group", "12345678", "READ", "any")

There would be some specified actions and what they mean, e.g. READ means can see permission assignments (and implies VIEW), VIEW means can see the permission exists, ADMIN means can rename / delete / edit the privilege (and implies READ, VIEW, and UPDATE), UPDATE means can assign/unassign the permissions (and implies VIEW)

Versions Compared

Old Version 3

New Version Current

Key

Permissions Data Structures

Introduction

Permission objects

Renaming Considerations

Input

Output

Availability

Input

Output

Availability

getPermissionsForSubject()

Input

Output

Availability

assignPermission()

Input

Output

Availability

Input

Output

Availability

Example of using permissions API for Group privileges