Great, thank you! Now I have a clear picture and everything seems logical.

/Oleksandr

On 3/5/2015 17:45, "Shawn McKinney" <[email protected]> wrote:

>
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> didn’t know that there are administrator level functions in API. I
>> couldn’t find this information in documentation.
>>
>
>Right now the best source for documentation on what the APIs do is the
>javadoc:
>
>https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/package-summary.html
>
>Check out the APIs on accessmgr (rbac policy enforcement), adminmgr (rbac
>policy provisioning), reviewmgr (rbac policy review), and delaccessMgr
>(arbac policy enforcement), deladminmgr (arbac policy provisioning),
>delreviewmgr (arbac policy review).
>
>Think of delegated administration as rbac for rbac. It is used solely
>for the purposes of controlling administrative access to the fortress
>apis.
>
>>
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> So, if I got it right, there are functions in the REST API that only
>> administrators can invoke (receive a valid answer). My particular use
>> case can be solved using these functions. There is an administrator level
>> function “userPerms” that gives the same output as rbacPerms. A
>> fortress-rest-super-user (user Alice) using a request to “userPerms” can
>> check permissions for the user Bob. To do this, a
>> fortress-rest-super-user should get his own session object first. Then
>> he creates a FortRequest with his session, user entity for Bob, context,
>> and sends it to “userPerms”. Is it how it works?
>
>You don’t have to use the administrator’s session to invoke the APIs. If
>it is passed, the service will ensure the admin has the permission to
>invoke the service. If it is not passed that particular (arbac) check
>will be skipped.
>
>But the short answer is ‘yes’, you may interrogate the user’s permissions
>using the review mgr apis.
>
>>
>> On May 3, 2015, at 9:53 AM, Oleksandr Bodriagov (Polystar)
>> <[email protected]> wrote:
>>
>> Is userAuthzed an administrator level function that gives the same
>> information as rbacAuthZ?
>
>Keep in mind that userPerms and rbacPerms are not equivalent. userPerms
>returns ALL permissions that a user has according to their role
>assignments. rbacPerms returns all permissions that user has according
>to their role activations. So rbacPerms will be a subset of userPerms.
>
>Shawn
>[email protected]
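The following is an added illustration, not part of the original thread and not Fortress code: a small Python model of the two points in the quoted reply, namely that the review-style query works from role assignments while the session-style query works from role activations, and that the delegated-administration (ARBAC) check runs only when an admin session is supplied. The names `ROLE_PERMS`, `ASSIGNED`, `ADMIN_PERMS`, `Session`, `user_perms` and `rbac_perms`, and the sample policy, are all constructed for this sketch.

```python
# Constructed sample policy: role -> set of (object, operation) permissions.
ROLE_PERMS = {
    "teller": {("account", "read"), ("account", "deposit")},
    "auditor": {("ledger", "read")},
}
# Constructed role assignments (what an administrator provisioned).
ASSIGNED = {"bob": {"teller", "auditor"}, "alice": {"rest-super-user"}}
# Constructed administrative permissions: admin role -> services it may call.
ADMIN_PERMS = {"rest-super-user": {"userPerms"}}


class Session:
    """A session carries only the roles the user chose to activate."""

    def __init__(self, user, activate):
        denied = set(activate) - ASSIGNED.get(user, set())
        if denied:  # activation is limited to assigned roles
            raise PermissionError(f"{user} is not assigned {sorted(denied)}")
        self.user, self.active = user, set(activate)


def _perms(roles):
    # Union of the permissions granted by each role in `roles`.
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))


def rbac_perms(session):
    """Session view: permissions from ACTIVATED roles only."""
    return _perms(session.active)


def user_perms(target, admin_session=None):
    """Review view: permissions from ALL ASSIGNED roles of `target`.

    The ARBAC check runs only when an admin session is supplied.
    """
    if admin_session is not None:
        allowed = set().union(
            *(ADMIN_PERMS.get(r, set()) for r in admin_session.active))
        if "userPerms" not in allowed:
            raise PermissionError(f"{admin_session.user} may not call userPerms")
    return _perms(ASSIGNED.get(target, set()))


if __name__ == "__main__":
    bob = Session("bob", ["teller"])            # auditor left inactive
    alice = Session("alice", ["rest-super-user"])
    print("rbac_perms:", sorted(rbac_perms(bob)))
    print("user_perms:", sorted(user_perms("bob", alice)))
```

In this model, calling `user_perms("bob")` with no admin session returns the same set as the call made with Alice's session, because no ARBAC decision is evaluated on that path.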
