Chris,

Yes, it can be done, but it requires a little work on your end. There are three steps to the solution:

1. Implement the org.apache.directory.fortress.core.util.timeValidator interface. The existing temporal evaluators all reside inside the same package. You may use one of those as an example.

2. Register the new component with fortress. That is done by dropping a new property in the fortress.properties file. For example, here are the temporal validator settings:

    # these properties will enable temporal constraint checks on role activations:
    temporal.validator.0=org.apache.directory.fortress.core.util.time.Date
    temporal.validator.1=org.apache.directory.fortress.core.util.time.LockDate
    temporal.validator.2=org.apache.directory.fortress.core.util.time.Timeout
    temporal.validator.3=org.apache.directory.fortress.core.util.time.ClockTime
    temporal.validator.4=org.apache.directory.fortress.core.util.time.Day

3. Your new validator impl class will need to be made available to the fortress runtime classpath.

*** Your use case requires a new validator, e.g.:

    temporal.validator.5=edu.psu.financial.Account

That would be called during the lifecycle of any AccessMgr method - during the role constraint checks.

Depending on your requirements, you may need to store new data attributes in ldap to support the new validator. The easiest way to do this would be to make it a property. If it needs to be part of the fortress constraint data storage, i.e. needs to be stored within the ftRC attribute, it would require work done to the core API to support.

Shawn

> On Aug 24, 2015, at 9:42 AM, Chris Pike <[email protected]> wrote:
>
> The Fortress Commander UI and Java API provide mechanisms to set and retrieve
> temporal constraints on a role. Is there any way to add additional arbitrary
> constraints that are not time related? For example, a bank teller can only
> work with a certain set of accounts.
>
> Thanks,
>
> ~Chris Pike
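The three steps from the reply, as an added sketch that is not part of the original thread and is not Fortress code. The `ConstraintValidator` interface, the return codes and the `account.requested` / `accounts.<role>` property keys are hypothetical stand-ins; the real interface and its method signature must be taken from the Fortress source.

```java
import java.util.*;

// Added sketch. ConstraintValidator is a hypothetical stand-in, NOT the Fortress
// interface; take the real method signature from the Fortress source.
public class AccountValidatorSketch {
    interface ConstraintValidator {
        int validate(Map<String, String> sessionProps, String role); // 0 = pass
    }
    static final int OK = 0, NO_ACCOUNT = 1, ACCOUNT_NOT_ALLOWED = 2; // constructed codes

    // Step 1: the non-temporal check. Fails closed when data is missing.
    public static class Account implements ConstraintValidator {
        public int validate(Map<String, String> props, String role) {
            String requested = props.get("account.requested");
            if (requested == null || requested.trim().isEmpty()) return NO_ACCOUNT;
            String allowed = props.get("accounts." + role);
            if (allowed == null) return ACCOUNT_NOT_ALLOWED;
            for (String a : allowed.split(",")) {
                if (a.trim().equals(requested.trim())) return OK;
            }
            return ACCOUNT_NOT_ALLOWED;
        }
    }

    // Steps 2 and 3: read the indexed properties, load each class from the classpath.
    static List<ConstraintValidator> load(Properties cfg) throws ReflectiveOperationException {
        List<ConstraintValidator> out = new ArrayList<>();
        String name;
        for (int i = 0; (name = cfg.getProperty("temporal.validator." + i)) != null; i++) {
            out.add((ConstraintValidator) Class.forName(name).getDeclaredConstructor().newInstance());
        }
        return out;
    }

    // In this sketch, activation passes only if every registered validator returns OK.
    static int check(List<ConstraintValidator> vs, Map<String, String> props, String role) {
        for (ConstraintValidator v : vs) {
            int rc = v.validate(props, role);
            if (rc != OK) return rc;
        }
        return OK;
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties(); // constructed config; index 0 for the sketch
        cfg.setProperty("temporal.validator.0", Account.class.getName());
        Map<String, String> props = new HashMap<>(); // constructed sample data
        props.put("accounts.Teller", "1001, 1002");
        props.put("account.requested", "1002");
        System.out.println(check(load(cfg), props, "Teller"));
        props.put("account.requested", "2001");
        System.out.println(check(load(cfg), props, "Teller"));
    }
}
```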
