Class AuthzResolver
-
Field Summary
-
Method Summary
Modifier and Type / Method / Description

static boolean authorizedExternal(PerunSession sess, String policyDefinition, List<PerunBean> objects)
    Checks if the principal is authorized.
static boolean authorizedInternal(PerunSession sess, String policyDefinition)
    Checks if the principal is authorized.
static boolean authorizedInternal(PerunSession sess, String policyDefinition, PerunBean... objects)
    Checks if the principal is authorized.
static boolean authorizedInternal(PerunSession sess, String policyDefinition, List<PerunBean> objects)
    Checks if the principal is authorized.
static boolean authorizedToManageRole(PerunSession sess, PerunBean complementaryObject, String role)
    Check whether the principal is authorized to manage the role on the object.
static boolean authorizedToReadRole(PerunSession sess, PerunBean complementaryObject, String role)
    Check whether the principal is authorized to read the role on the object.
static List<Group> getAdminGroups(PerunSession sess, PerunBean complementaryObject, String role)
    Get all authorizedGroups for complementary object and role.
static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins)
    Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.
static List<PerunPolicy> getAllPolicies()
    Return all loaded perun policies.
static List<RoleManagementRules> getAllRolesManagementRules()
    Return all loaded roles management rules.
getComplementaryObjectsForRole(PerunSession sess, String role)
    Returns all complementary objects for defined role.
static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
    Returns complementary objects for defined role filtered by particular class, e.g. Vo, Group, ...
static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<String> getGroupRoleNames(PerunSession sess, Group group)
    Get all group role names.
static AuthzRoles getGroupRoles(PerunSession sess, int groupId)
    Get all roles for a given group.
static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static User getLoggedUser(PerunSession sess)
    Returns user which is associated with credentials used to log-in to Perun.
static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static PerunPrincipal getPerunPrincipal(PerunSession sess)
    Returns PerunPrincipal object associated with current session.
getPrincipalRoleNames(PerunSession sess)
    Get all principal role names.
static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes)
    Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
static Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, int userId)
    Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type.
static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, int userId)
    Returns user's roles resulting from being a VALID member of authorized groups.
static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static List<String> getUserRoleNames(PerunSession sess, User user)
    Get all user role names.
static AuthzRoles getUserRoles(PerunSession sess, int userId, boolean getAuthorizedGroupBasedRoles)
    Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups.
static List<Vo> getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles)
    Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles.
static boolean hasOneOfTheRolesForObject(PerunSession sess, PerunBean complementaryObject, Set<String> allowedRoles)
    This method verifies if the current principal has one of the given roles for the given object.
static boolean hasRole(PerunPrincipal perunPrincipal, String role)
    Returns true if the perunPrincipal has requested role.
static boolean isAuthorized(PerunSession sess, String role)
    Deprecated.
static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, PerunBean bean)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)
    Deprecated.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility, boolean checkMfa)
    Checks if the principal is authorized to do some action of facility attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, boolean checkMfa)
    Checks if the principal is authorized to do some action of group attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource, boolean checkMfa)
    Checks if the principal is authorized to do some action of group-resource attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host, boolean checkMfa)
    Checks if the principal is authorized to do some action of host attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, boolean checkMfa)
    Checks if the principal is authorized to do some action of member attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group, boolean checkMfa)
    Checks if the principal is authorized to do some action of member-group attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource, boolean checkMfa)
    Checks if the principal is authorized to do some action of resource-member attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, PerunBean bean, boolean checkMfa)
    Checks if the principal is authorized to do some action of PerunBean attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource, boolean checkMfa)
    Checks if the principal is authorized to do some action of resource attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues, boolean checkMfa)
    Checks if the principal is authorized to do some action of ues attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, boolean checkMfa)
    Checks if the principal is authorized to do some action of user attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility, boolean checkMfa)
    Checks if the principal is authorized to do some action of user-facility attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo, boolean checkMfa)
    Checks if the principal is authorized to do some action of vo attribute.
static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key, boolean checkMfa)
    Checks if the principal is authorized to do some action of entityless attribute.
static boolean isFacilityAdmin(PerunSession sess)
    Returns true if the perun principal inside the perun session is facility admin.
static boolean isGroupAdmin(PerunSession sess)
    Returns true if the perun principal inside the perun session is group admin.
isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities)
    Checks the facilities and returns those in which group is the last admin.
isGroupLastAdminInVos(PerunSession sess, Group group, List<Vo> vos)
    Checks the vos and returns those in which group is the last admin.
static boolean isPerunAdmin(PerunSession sess)
    Returns true if the perun principal inside the perun session is perun admin.
isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities)
    Checks the facilities and returns those in which user is the last admin.
isUserLastAdminInVos(PerunSession sess, User user, List<Vo> vos)
    Checks the vos and returns those in which user is the last admin.
static boolean isVoAdmin(PerunSession sess)
    Returns true if the perun principal inside the perun session is vo admin.
static void
    Load perun roles and policies from the configuration file perun-roles.yml.
static void refreshAuthz(PerunSession sess)
    Removes all existing roles for the perunPrincipal and calls init again.
static boolean roleExists(String role)
    Check if the given role exists in the database.
static boolean selfAuthorizedForApplication(PerunSession sess, Application app)
    Check if the principal is the owner of the application.
static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role)
    Set role for authorizedGroup and one complementary object.
static void setRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects)
    Set role for authorizedGroup and all complementary objects.
static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role)
    Set role for user and one complementary object.
static void
    Set role for user and all complementary objects.
static void setRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role)
    Set role for authorizedGroups and one complementary object.
static void
    Set role for given users and one complementary object.
static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins)
    Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role)
    Unset role for group and one complementary object.
static void unsetRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects)
    Unset role for group and all complementary objects.
static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role)
    Unset role for user and one complementary object.
static void
    Unset role for user and all complementary objects.
static void unsetRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role)
    Set role for authorizedGroups and one complementary object.
static void
    Set role for given users and one complementary object.
-
Field Details
-
MFA_CRITICAL_ATTR
- See Also:
-
-
Method Details
-
authorizedExternal
public static boolean authorizedExternal(PerunSession sess, String policyDefinition, List<PerunBean> objects) throws PolicyNotExistsException
Checks if the principal is authorized. This method should be accessed through external components.
- Parameters:
sess - PerunSession which contains the principal.
policyDefinition - definition of the policy which contains the authorization rules.
objects - list of PerunBeans on which the authorization will be performed (e.g. groups, Vos, etc...)
- Returns:
true if the principal has particular rights, false otherwise.
- Throws:
PolicyNotExistsException - when the given policyDefinition does not exist in the PerunPoliciesContainer.
MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
-
authorizedInternal
public static boolean authorizedInternal(PerunSession sess, String policyDefinition, List<PerunBean> objects)
Checks if the principal is authorized. This method should be used in the internal code.
- Parameters:
sess - PerunSession which contains the principal.
policyDefinition - definition of the policy which contains the authorization rules.
objects - list of PerunBeans on which the authorization will be performed (e.g. groups, Vos, etc...)
- Returns:
true if the principal has particular rights, false otherwise.
- Throws:
MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
-
authorizedInternal
Checks if the principal is authorized. Used when there are no PerunBeans needed for authorization. This method should be used in the internal code.
- Parameters:
sess - PerunSession which contains the principal.
policyDefinition - definition of the policy which contains the authorization rules.
- Returns:
true if the principal has particular rights, false otherwise.
- Throws:
MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
-
authorizedInternal
public static boolean authorizedInternal(PerunSession sess, String policyDefinition, PerunBean... objects)
Checks if the principal is authorized. This method should be used in the internal code.
- Parameters:
sess - PerunSession which contains the principal.
policyDefinition - definition of the policy which contains the authorization rules.
objects - an array of PerunBeans on which the authorization will be performed (e.g. groups, Vos, etc...)
- Returns:
true if the principal has particular rights, false otherwise.
- Throws:
MfaPrivilegeException - when the principal isn't authenticated with MFA but the policy definition requires it
-
authorizedToManageRole
public static boolean authorizedToManageRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
Check whether the principal is authorized to manage the role on the object.
- Parameters:
sess - principal's perun session
complementaryObject - bound with the role
role - which will be managed
- Returns:
- Throws:
RoleManagementRulesNotExistsException - when the role does not have the management rules.
-
authorizedToReadRole
public static boolean authorizedToReadRole(PerunSession sess, PerunBean complementaryObject, String role) throws RoleManagementRulesNotExistsException
Check whether the principal is authorized to read the role on the object.
- Parameters:
sess - principal's perun session
complementaryObject - bound with the role
role - which will be read
- Returns:
- Throws:
RoleManagementRulesNotExistsException - when the role does not have the management rules.
-
getAdminGroups
public static List<Group> getAdminGroups(PerunSession sess, PerunBean complementaryObject, String role) throws PrivilegeException, RoleCannotBeManagedException
Get all authorizedGroups for complementary object and role.
- Parameters:
sess - perun session
complementaryObject - for which we will get administrator groups
role - expected role to filter authorizedGroups by
- Returns:
list of authorizedGroups for complementary object and role
- Throws:
PrivilegeException
RoleCannotBeManagedException
-
getAdmins
public static List<User> getAdmins(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws PrivilegeException, RoleCannotBeManagedException
Get all valid user administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role.
If onlyDirectAdmins is true, return only direct users of the complementary object for role.
- Parameters:
sess - perun session
complementaryObject - for which we will get administrator
role - expected role to filter managers by
onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
- Returns:
list of user administrators for complementary object and role.
- Throws:
PrivilegeException
RoleCannotBeManagedException
-
getAllPolicies
Return all loaded perun policies.
- Returns:
all loaded policies
-
getAllRolesManagementRules
Return all loaded roles management rules.
- Returns:
all roles management rules
-
getComplementaryObjectsForRole
Returns all complementary objects for defined role.
- Parameters:
sess - perun session
role - to get object for
- Returns:
list of complementary objects
-
getComplementaryObjectsForRole
public static List<PerunBean> getComplementaryObjectsForRole(PerunSession sess, String role, Class perunBeanClass)
Returns complementary objects for defined role filtered by particular class, e.g. Vo, Group, ...
- Parameters:
sess - perun session
role - to get object for
perunBeanClass - particular class ( Vo | Group | ... )
- Returns:
list of complementary objects
-
getFacilitiesWhereUserIsInRoles
public static List<Facility> getFacilitiesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all Facilities where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then Facilities are retrieved for the given principal.
- Parameters:
sess - Perun session
user - for whom Facilities are retrieved
roles - for which Facilities are retrieved
- Returns:
List of Facilities
- Throws:
PrivilegeException - when the principal is not authorized.
-
getGroupRoleNames
public static List<String> getGroupRoleNames(PerunSession sess, Group group) throws GroupNotExistsException, PrivilegeException
Get all group role names.
- Parameters:
sess - perun session
group - Group
- Returns:
list of strings which represent roles.
- Throws:
InternalErrorException
GroupNotExistsException
PrivilegeException
-
getGroupRoles
public static AuthzRoles getGroupRoles(PerunSession sess, int groupId) throws GroupNotExistsException, PrivilegeException
Get all roles for a given group.
- Parameters:
sess - perun session
groupId - id of a group
- Returns:
AuthzRoles object which contains all roles with perunbeans
- Throws:
InternalErrorException
GroupNotExistsException
PrivilegeException
-
getGroupsWhereUserIsInRoles
public static List<Group> getGroupsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all Groups where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then Groups are retrieved for the given principal.
Method does not return subgroups of the fetched groups.
- Parameters:
sess - Perun session
user - for whom Groups are retrieved
roles - for which Groups are retrieved
- Returns:
List of Groups
- Throws:
PrivilegeException - when the principal is not authorized.
-
getLoggedUser
Returns user which is associated with credentials used to log-in to Perun.
- Parameters:
sess - perun session
- Returns:
currently logged user
-
getMembersWhereUserIsInRoles
public static List<Member> getMembersWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all Members where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then Members are retrieved for the given principal.
- Parameters:
sess - Perun session
user - for whom Members are retrieved
roles - for which Members are retrieved
- Returns:
List of Members
- Throws:
PrivilegeException - when the principal is not authorized.
-
getPerunPrincipal
Returns PerunPrincipal object associated with current session. It contains necessary information, including user identification, authorization and metadata. Each call of this method refreshes the session including authorization data.
- Parameters:
sess - perun session
- Returns:
perunPrincipal object
- Throws:
InternalErrorException - if the PerunSession is not valid.
-
getPrincipalRoleNames
Get all principal role names.
- Parameters:
sess - perun session
- Returns:
list of strings which represent roles.
-
getResourcesWhereUserIsInRoles
public static List<Resource> getResourcesWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all Resources where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then Resources are retrieved for the given principal.
- Parameters:
sess - Perun session
user - for whom Resources are retrieved
roles - for which Resources are retrieved
- Returns:
List of Resources
- Throws:
PrivilegeException - when the principal is not authorized.
-
getRichAdmins
public static List<RichUser> getRichAdmins(PerunSession sess, PerunBean complementaryObject, List<String> specificAttributes, String role, boolean onlyDirectAdmins, boolean allUserAttributes) throws PrivilegeException, RoleCannotBeManagedException
Get all valid richUser administrators (for group-based rights, status must be VALID for both Vo and group) for complementary object and role with specified attributes.
If onlyDirectAdmins is true, return only direct users of the complementary object for role with specific attributes. If allUserAttributes is true, the list of specific attributes is ignored and all attributes are returned in the richUser objects.
- Parameters:
sess - perun session
complementaryObject - for which we will get administrator
specificAttributes - list of specified attributes which are needed in object richUser
role - expected role to filter managers by
onlyDirectAdmins - if true, get only direct user administrators (if false, get both direct and indirect)
allUserAttributes - if true, get all possible user attributes and ignore list of specificAttributes (if false, get only specific attributes)
- Returns:
list of richUser administrators for complementary object and role with specified attributes.
- Throws:
PrivilegeException
RoleCannotBeManagedException
-
someAdminExists
public static boolean someAdminExists(PerunSession sess, PerunBean complementaryObject, String role, boolean onlyDirectAdmins) throws PrivilegeException, RoleCannotBeManagedException
Check if some valid user with specific role exists for given complementary object (for group-based rights, status must be VALID for both Vo and group).
- Parameters:
sess - perun session
complementaryObject - for which we will find administrator
role - expected role to filter managers by
onlyDirectAdmins - if true, search only direct user admins (if false, search both direct and indirect)
- Returns:
true, if some user with required role exists, false otherwise.
- Throws:
PrivilegeException
RoleCannotBeManagedException
-
getRoleComplementaryObjectsWithAuthorizedGroups
public static Map<String, Map<String, Map<Integer, List<Group>>>> getRoleComplementaryObjectsWithAuthorizedGroups(PerunSession sess, int userId) throws UserNotExistsException, PrivilegeException
Returns map of role name and map of corresponding role complementary objects (perun beans) distinguished by type, together with list of authorized groups where user is member: Map<RoleName, Map<BeanName, Map<BeanID, List<Group>>>>
- Parameters:
sess - perun session
userId - id of a user
- Returns:
Map<String, Map<String, Map<Integer, List<Group>>>> roles with map of complementary objects with associated authorized groups
- Throws:
UserNotExistsException
PrivilegeException
-
getRolesObtainedFromAuthorizedGroupMemberships
public static AuthzRoles getRolesObtainedFromAuthorizedGroupMemberships(PerunSession sess, int userId) throws UserNotExistsException, PrivilegeException
Returns user's roles resulting from being a VALID member of authorized groups.
- Parameters:
sess - perun session
userId - id of a user
- Returns:
AuthzRoles object which contains roles with perunbeans
- Throws:
InternalErrorException
UserNotExistsException
PrivilegeException
-
getSecurityTeamsWhereUserIsInRoles
public static List<SecurityTeam> getSecurityTeamsWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all SecurityTeams where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then SecurityTeams are retrieved for the given principal.
- Parameters:
sess - Perun session
user - for whom SecurityTeams are retrieved
roles - for which SecurityTeams are retrieved
- Returns:
List of SecurityTeams
- Throws:
PrivilegeException - when the principal is not authorized.
-
getUserRoleNames
public static List<String> getUserRoleNames(PerunSession sess, User user) throws UserNotExistsException, PrivilegeException
Get all user role names. Does not include membership and sponsorship role.
- Parameters:
sess - perun session
user - User
- Returns:
list of strings which represent roles.
- Throws:
UserNotExistsException
PrivilegeException
-
getUserRoles
public static AuthzRoles getUserRoles(PerunSession sess, int userId, boolean getAuthorizedGroupBasedRoles) throws UserNotExistsException, PrivilegeException
Returns user's direct roles, can also include roles resulting from being a VALID member of authorized groups. Returns also sponsorship and membership roles.
- Parameters:
sess - perun session
userId - id of a user
getAuthorizedGroupBasedRoles - include roles based on membership in authorized groups
- Returns:
AuthzRoles object which contains all roles with perunbeans
- Throws:
InternalErrorException
UserNotExistsException
PrivilegeException
-
getVosWhereUserIsInRoles
public static List<Vo> getVosWhereUserIsInRoles(PerunSession sess, User user, List<String> roles) throws PrivilegeException
Get all Vos where the given user has set one of the given roles or the given user is a member of an authorized group with such roles. If user parameter is null then Vos are retrieved for the given principal.
- Parameters:
sess - Perun session
user - for whom Vos are retrieved
roles - for which Vos are retrieved
- Returns:
List of Vos
- Throws:
PrivilegeException - when the principal is not authorized.
-
hasOneOfTheRolesForObject
public static boolean hasOneOfTheRolesForObject(PerunSession sess, PerunBean complementaryObject, Set<String> allowedRoles)
This method verifies if the current principal has one of the given roles for the given object.
- Parameters:
sess - session
complementaryObject - complementary object
allowedRoles - set of roles which are tested
- Returns:
true, if the principal is authorized, false otherwise
- Throws:
InternalErrorException - internal error
-
hasRole
Returns true if the perunPrincipal has requested role.
- Parameters:
perunPrincipal - acting person for whom the role is checked
role - role to be checked
-
isAuthorized
Deprecated. Checks if the principal is authorized.
- Parameters:
sess - perun session
role - required role
- Returns:
true if the principal is authorized, false otherwise
- Throws:
InternalErrorException - if something goes wrong
-
isAuthorized
@Deprecated public static boolean isAuthorized(PerunSession sess, String role, PerunBean complementaryObject)
Deprecated. Checks if the principal is authorized.
- Parameters:
sess - perunSession
role - required role
complementaryObject - object which specifies particular action of the role (e.g. group)
- Returns:
true if the principal is authorized, false otherwise
- Throws:
InternalErrorException - if something goes wrong
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group, Resource resource)
Deprecated. Checks if the principal is authorized to do some action of group-resource attribute.
- Parameters:
sess - perun session
actionType - type of action on attribute (ex.: write, read, etc...)
attrDef - attribute which the principal wants to work with
group - primary Bean of Attribute (can't be null)
resource - secondary Bean of Attribute (can't be null)
- Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Resource resource)
Deprecated. Checks if the principal is authorized to do some action of resource-member attribute.
- Parameters:
sess - perun session
actionType - type of action on attribute (ex.: write, read, etc...)
attrDef - attribute which the principal wants to work with
resource - primary Bean of Attribute (can't be null)
member - secondary Bean of Attribute (can't be null)
- Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user, Facility facility)
Deprecated. Checks if the principal is authorized to do some action of user-facility attribute.
- Parameters:
sess - perun session
actionType - type of action on attribute (ex.: write, read, etc...)
attrDef - attribute which the principal wants to work with
user - primary Bean of Attribute (can't be null)
facility - secondary Bean of Attribute (can't be null)
- Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member, Group group)
Deprecated. Checks if the principal is authorized to do some action of member-group attribute.
- Parameters:
sess - perun session
actionType - type of action on attribute (ex.: write, read, etc...)
attrDef - attribute which the principal wants to work with
member - primary Bean of Attribute (can't be null)
group - secondary Bean of Attribute (can't be null)
- Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, PerunBean bean)
Deprecated.
Checks if the principal is authorized to perform an action on a PerunBean attribute.
Parameters:
sess - session
actionType - action type
attrDef - attr def
bean - bean
Returns:
true if the principal is authorized for the attribute and action
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Vo vo)
Deprecated.
Checks if the principal is authorized to perform an action on a vo attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
vo - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, User user)
Deprecated.
Checks if the principal is authorized to perform an action on a user attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
user - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Member member)
Deprecated.
Checks if the principal is authorized to perform an action on a member attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
member - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Group group)
Deprecated.
Checks if the principal is authorized to perform an action on a group attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
group - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Resource resource)
Deprecated.
Checks if the principal is authorized to perform an action on a resource attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
resource - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Facility facility)
Deprecated.
Checks if the principal is authorized to perform an action on a facility attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
facility - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, Host host)
Deprecated.
Checks if the principal is authorized to perform an action on a host attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
host - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, UserExtSource ues)
Deprecated.
Checks if the principal is authorized to perform an action on a ues attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
ues - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
@Deprecated public static boolean isAuthorizedForAttribute(PerunSession sess, ActionType actionType, AttributeDefinition attrDef, String key)
Deprecated.
Checks if the principal is authorized to perform an action on an entityless attribute.
Parameters:
sess - perun session
actionType - type of action on attribute (e.g. write, read, etc.)
attrDef - attribute the principal wants to work with
key - primary Bean of Attribute (can't be null)
Returns:
true if principal is authorized, false if not
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, Resource resource, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a group-resource attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
group - primary Bean of Attribute (can't be null)
resource - secondary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Resource resource, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a resource-member attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
resource - primary Bean of Attribute (can't be null)
member - secondary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, Facility facility, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a user-facility attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
user - primary Bean of Attribute (can't be null)
facility - secondary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, Group group, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a member-group attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
member - primary Bean of Attribute (can't be null)
group - secondary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, PerunBean bean, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a PerunBean attribute.
Parameters:
sess - session
actionType - action type
attrDef - attr def
bean - bean
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if the principal is authorized for the attribute and action
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Vo vo, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a vo attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
vo - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, User user, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a user attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
user - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Member member, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a member attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
member - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Group group, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a group attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
group - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Resource resource, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a resource attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
resource - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Facility facility, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a facility attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
facility - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, Host host, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a host attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
host - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, UserExtSource ues, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on a ues attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
ues - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
isAuthorizedForAttribute
public static boolean isAuthorizedForAttribute(PerunSession sess, AttributeAction actionType, AttributeDefinition attrDef, String key, boolean checkMfa) throws InternalErrorException
Checks if the principal is authorized to perform an action on an entityless attribute.
Parameters:
sess - perun session
actionType - type of action on attribute
attrDef - attribute the principal wants to work with
key - primary Bean of Attribute (can't be null)
checkMfa - if true, also checks MFA rules and throws an exception if they are unmet
Returns:
true if principal is authorized, false if not
Throws:
MfaPrivilegeException - thrown when checkMfa is true and MFA rules are unmet
InternalErrorException
-
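The checkMfa overloads above have three outcomes a caller has to keep apart: true, false, and an MfaPrivilegeException when MFA rules are unmet. The class below is an added example, not code from the Perun project; AttributeAccessGate and its Decision enum are hypothetical, and the cz.metacentrum.perun.core.api package paths and the AttributeAction.WRITE constant are assumptions that do not appear on this page.

```java
// Added example, not Perun project code.
// Assumptions (not shown on this page): the package paths in the imports
// and the AttributeAction.WRITE enum constant.
import cz.metacentrum.perun.core.api.AttributeAction;
import cz.metacentrum.perun.core.api.AttributeDefinition;
import cz.metacentrum.perun.core.api.AuthzResolver;
import cz.metacentrum.perun.core.api.PerunBean;
import cz.metacentrum.perun.core.api.PerunSession;
import cz.metacentrum.perun.core.api.exceptions.InternalErrorException;
import cz.metacentrum.perun.core.api.exceptions.MfaPrivilegeException;

/** Hypothetical helper that maps the documented outcomes onto one explicit decision. */
public final class AttributeAccessGate {

  /** Outcomes of a check made with checkMfa set to true. */
  public enum Decision { ALLOW, DENY, MFA_REQUIRED }

  private AttributeAccessGate() {
  }

  /**
   * Calls the PerunBean overload with checkMfa = true and never turns an
   * exceptional path into ALLOW.
   */
  public static Decision decide(PerunSession sess, AttributeAction action,
                                AttributeDefinition attrDef, PerunBean bean)
      throws InternalErrorException {
    // Missing input is never treated as permission.
    if (sess == null || action == null || attrDef == null || bean == null) {
      return Decision.DENY;
    }
    try {
      boolean authorized =
          AuthzResolver.isAuthorizedForAttribute(sess, action, attrDef, bean, true);
      return authorized ? Decision.ALLOW : Decision.DENY;
    } catch (MfaPrivilegeException e) {
      // Documented as thrown when checkMfa is true and MFA rules are unmet.
      // Kept apart from DENY so the caller can tell a refusal from unmet MFA
      // rules; it is still not permission.
      return Decision.MFA_REQUIRED;
    }
    // InternalErrorException is left to propagate: no Decision is returned,
    // so a backend failure cannot be read as ALLOW.
  }

  /** Guard for a write path: only an explicit ALLOW lets the write proceed. */
  public static boolean mayWrite(PerunSession sess, AttributeDefinition attrDef,
                                 PerunBean bean) throws InternalErrorException {
    return decide(sess, AttributeAction.WRITE, attrDef, bean) == Decision.ALLOW;
  }
}
```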
isFacilityAdmin
Returns true if the perun principal inside the perun session is facility admin.
Parameters:
sess - perun session
Returns:
true if the perun principal is facility admin.
-
isGroupAdmin
Returns true if the perun principal inside the perun session is group admin.
Parameters:
sess - perun session
Returns:
true if the perun principal is group admin.
-
isGroupLastAdminInFacilities
public static List<Facility> isGroupLastAdminInFacilities(PerunSession sess, Group group, List<Facility> facilities) throws PrivilegeException
Checks the facilities and returns those in which the group is the last admin.
Parameters:
sess - sess
group - group
facilities - facilities to check
Returns:
facilities in which the group is last admin
Throws:
PrivilegeException
-
isGroupLastAdminInVos
public static List<Vo> isGroupLastAdminInVos(PerunSession sess, Group group, List<Vo> vos) throws PrivilegeException
Checks the vos and returns those in which the group is the last admin.
Parameters:
sess - sess
group - group
vos - vos to check
Returns:
vos in which the group is last admin
Throws:
PrivilegeException
-
isPerunAdmin
Returns true if the perun principal inside the perun session is perun admin.
Parameters:
sess - perun session
Returns:
true if the perun principal is perun admin.
-
isUserLastAdminInFacilities
public static List<Facility> isUserLastAdminInFacilities(PerunSession sess, User user, List<Facility> facilities) throws PrivilegeException
Checks the facilities and returns those in which the user is the last admin.
Parameters:
sess - sess
user - user
facilities - facilities to check
Returns:
facilities in which the user is last admin
Throws:
PrivilegeException
-
isUserLastAdminInVos
public static List<Vo> isUserLastAdminInVos(PerunSession sess, User user, List<Vo> vos) throws PrivilegeException
Checks the vos and returns those in which the user is the last admin.
Parameters:
sess - sess
user - user
vos - vos to check
Returns:
vos in which the user is last admin
Throws:
PrivilegeException
-
isVoAdmin
Returns true if the perun principal inside the perun session is vo admin.
Parameters:
sess - perun session
Returns:
true if the perun principal is vo admin
-
loadAuthorizationComponents
Load perun roles and policies from the configuration file perun-roles.yml. Roles are loaded to the database and policies are loaded to the PerunPoliciesContainer.
Throws:
PrivilegeException - when the principal is not authorized.
-
refreshAuthz
Removes all existing roles for the perunPrincipal and calls init again.
Parameters:
sess - perun session
-
roleExists
Check if the given role exists in the database. Check is case-insensitive.
Parameters:
role - which will be checked
Returns:
true if role exists, false otherwise.
-
selfAuthorizedForApplication
Check if the principal is the owner of the application.
Parameters:
sess - PerunSession which contains the principal.
app - application which principal wants to access
Returns:
true if the principal has particular rights, false otherwise.
-
setRole
public static void setRole(PerunSession sess, User user, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, UserNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for user and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.
Parameters:
sess - perun session
user - the user for setting role
role - role of user in a session
complementaryObjects - objects for which role will be set
Throws:
PrivilegeException
UserNotExistsException
AlreadyAdminException
RoleCannotBeManagedException
RoleCannotBeSetException
-
setRole
public static void setRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws PrivilegeException, UserNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for user and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
user - the user for setting role
role - role of user in a session
complementaryObject - object for which role will be set
Throws:
PrivilegeException
UserNotExistsException
AlreadyAdminException
RoleCannotBeManagedException
RoleCannotBeSetException
-
setRole
public static void setRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for authorizedGroup and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.
Parameters:
sess - perun session
authorizedGroup - the group for setting role
role - role of user in a session
complementaryObjects - objects for which role will be set
Throws:
PrivilegeException
GroupNotExistsException
AlreadyAdminException
RoleCannotBeManagedException
RoleCannotBeSetException
-
setRole
public static void setRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for authorizedGroup and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
authorizedGroup - the group for setting role
role - role of user in a session
complementaryObject - object for which role will be set
Throws:
PrivilegeException
GroupNotExistsException
AlreadyAdminException
RoleCannotBeManagedException
RoleCannotBeSetException
-
setRole
public static void setRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for authorizedGroups and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
authorizedGroups - the groups for setting role
complementaryObject - object for which the role will be set
role - desired role
Throws:
GroupNotExistsException - if any of the groups don't exist
PrivilegeException - insufficient permissions
AlreadyAdminException - if any of the given users is already admin
RoleCannotBeManagedException - if it is not possible to manage given role
RoleCannotBeSetException - if role can not be set for given user
InternalErrorException - internal error
-
setRole
public static void setRole(PerunSession sess, List<User> users, String role, PerunBean complementaryObject) throws UserNotExistsException, PrivilegeException, AlreadyAdminException, RoleCannotBeManagedException, RoleCannotBeSetException
Set role for given users and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
users - users for which the given role is set
role - desired role
complementaryObject - object for which the role is set
Throws:
UserNotExistsException - if any of the given users is not found
PrivilegeException - insufficient permissions
AlreadyAdminException - if any of the given users is already admin
RoleCannotBeManagedException - if it is not possible to manage given role
RoleCannotBeSetException - if role can not be set for given user
InternalErrorException - internal error
-
unsetRole
public static void unsetRole(PerunSession sess, List<Group> authorizedGroups, PerunBean complementaryObject, String role) throws GroupNotExistsException, PrivilegeException, GroupNotAdminException, RoleCannotBeManagedException
Unset role for authorizedGroups and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
authorizedGroups - the groups for unsetting role
complementaryObject - object for which the role will be unset
role - desired role
Throws:
GroupNotExistsException - if any of the groups don't exist
PrivilegeException - insufficient permissions
GroupNotAdminException - if any of the given groups is not admin
InternalErrorException - internal error
RoleCannotBeManagedException
-
unsetRole
public static void unsetRole(PerunSession sess, Group authorizedGroup, PerunBean complementaryObject, String role) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
Unset role for group and one complementary object. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
authorizedGroup - the group for unsetting role
role - role of user in a session
complementaryObject - object for which role will be unset
Throws:
PrivilegeException
GroupNotExistsException
GroupNotAdminException
RoleCannotBeManagedException
-
unsetRole
public static void unsetRole(PerunSession sess, List<User> users, String role, PerunBean complementaryObject) throws UserNotExistsException, PrivilegeException, UserNotAdminException, RoleCannotBeManagedException
Unset role for given users and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
users - users for which the given role is unset
role - desired role
complementaryObject - object for which the role is unset
Throws:
UserNotExistsException - if any of the given users is not found
PrivilegeException - insufficient permissions
UserNotAdminException - if any of the given users is not admin
InternalErrorException - internal error
RoleCannotBeManagedException
-
unsetRole
public static void unsetRole(PerunSession sess, User user, PerunBean complementaryObject, String role) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
Unset role for user and one complementary object. If complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary object.
Parameters:
sess - perun session
user - the user for unsetting role
role - role of user in a session
complementaryObject - object for which role will be unset
Throws:
PrivilegeException
UserNotExistsException
UserNotAdminException
RoleCannotBeManagedException
-
unsetRole
public static void unsetRole(PerunSession sess, User user, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, UserNotExistsException, UserNotAdminException, RoleCannotBeManagedException
Unset role for user and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.
Parameters:
sess - perun session
user - the user for unsetting role
role - role of user in a session
complementaryObjects - objects for which role will be unset
Throws:
PrivilegeException
UserNotExistsException
UserNotAdminException
RoleCannotBeManagedException
-
unsetRole
public static void unsetRole(PerunSession sess, Group authorizedGroup, String role, List<PerunBean> complementaryObjects) throws PrivilegeException, GroupNotExistsException, GroupNotAdminException, RoleCannotBeManagedException
Unset role for group and all complementary objects. If some complementary object is wrong for the role, throw an exception. For role "PERUNADMIN" ignore complementary objects.
Parameters:
sess - perun session
authorizedGroup - the group for unsetting role
role - role of user in a session
complementaryObjects - objects for which role will be unset
Throws:
PrivilegeException
GroupNotExistsException
GroupNotAdminException
RoleCannotBeManagedException
-