> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
> <[email protected]> wrote:
>
> didn't know that there are administrator level functions in API. I
> couldn't find this information in documentation.
>

Right now the best source for documentation on what the APIs do is the javadoc:

https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/package-summary.html

Check out the APIs on accessmgr (rbac policy enforcement), adminmgr (rbac policy provisioning), reviewmgr (rbac policy review), and delaccessMgr (arbac policy enforcement), deladminmgr (arbac policy provisioning), delreviewmgr (arbac policy review).

Think of delegated administration as rbac for rbac. It is used solely for the purposes of controlling administrative access to the fortress apis.

> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
> <[email protected]> wrote:
>
> So, if I got it right, there are functions in the REST API that only
> administrators can invoke (receive a valid answer). My particular use case
> can be solved using these functions. There is an administrator level
> function "userPerms" that gives the same output as rbacPerms. A
> fortress-rest-super-user (user Alice) using a request to "userPerms" can
> check permissions for the user Bob. To do this, a fortress-rest-super-user
> should get his own session object first. Then he creates a FortRequest
> with his session, user entity for Bob, context, and sends it to
> "userPerms". Is it how it works?

You don’t have to use the administrator’s session to invoke the APIs. If it is passed, the service will ensure the admin has the permission to invoke the service. If it is not passed, that particular (arbac) check will be skipped. But the short answer is ‘yes’, you may interrogate the user’s permissions using the review mgr apis.

> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
> <[email protected]> wrote:
>
> Is userAuthzed an administrator level function that gives the same
> information as rbacAuthZ?

Keep in mind that userPerms and rbacPerms are not equivalent. userPerms returns ALL permissions that a user has according to their role assignments.
rbacPerms returns all permissions that a user has according to their role activations. So rbacPerms will be a subset of userPerms.

Shawn
[email protected]
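
The assignment/activation distinction and the optional admin-session check described in the reply above, as a toy model in Python. This is an added example, not Fortress code and not part of the original message; the role names, permission tuples, the `ADMIN_PERMS` lookup and the functions `create_session`, `user_perms` and `rbac_perms` are constructed for illustration, and role hierarchies are not modelled.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> set of (object, operation) permissions.
ROLE_PERMS = {
    "teller": {("account", "read"), ("account", "deposit")},
    "auditor": {("ledger", "read")},
}
# user -> roles assigned by policy provisioning (constructed).
ASSIGNED = {"bob": {"teller", "auditor"}}
# Simplified ARBAC side: admin user -> administrative permissions held (constructed).
ADMIN_PERMS = {"alice": {("reviewmgr", "userPerms")}}


@dataclass
class Session:
    user: str
    active_roles: set = field(default_factory=set)


def create_session(user, activate):
    """Activate the requested roles, but only those actually assigned to the user."""
    return Session(user, set(activate) & ASSIGNED.get(user, set()))


def _perms_for(roles):
    """Union of the permissions granted by each role in `roles`."""
    return set().union(*(ROLE_PERMS[r] for r in roles))


def user_perms(user, admin_session=None):
    """Review-style query: everything the user's ASSIGNED roles grant."""
    # The administrative check runs only when an admin session is passed;
    # when the caller omits it, the check is skipped, as the reply describes.
    if admin_session is not None:
        held = ADMIN_PERMS.get(admin_session.user, set())
        if ("reviewmgr", "userPerms") not in held:
            raise PermissionError(f"{admin_session.user} may not call userPerms")
    return _perms_for(ASSIGNED.get(user, set()))


def rbac_perms(session):
    """Enforcement-style query: only what the session's ACTIVATED roles grant."""
    return _perms_for(session.active_roles)
```

With Bob assigned both roles but a session that activates only `teller`, `rbac_perms` omits the `ledger` permission that `user_perms` still reports.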
