> On Feb 8, 2016, at 10:01 AM, Chris Pike <[email protected]> wrote:
>
> Is there any documentation or code examples on how to use the session with
> the API? I've been experimenting with ARBAC roles, for example, assigning a
> user to a role:
>
> adminManager.assignUser(new UserRole("testUser", "testRole"));
>
> I have an ARBAC role set up to allow this, but the only way I can activate the
> ARBAC roles is to use the access manager to create a session and assign it
> to the adminManager before making the assignUser call above.
>
> Session session = accessManager_.createSession(new User("userInArbacRole"), true);
> adminManager.setAdmin(session);
>
> Is this the expected behaviour? Creating the admin manager with a session
> doesn't seem to have any effect:
>
> Session session = new Session(new User("userInArbacRole"));
> session.setAdminSession(session);
> adminManager = AdminMgrFactory.createInstance(session);
Code examples are lacking. There are two types of enforcement with ARBAC:

1. Use the DelAccessMgr APIs canAssign / Deassign and canGrant / Revoke.
2. Enforce method-level authorization on the AdminMgr and ReviewMgr APIs.

The first type of enforcement requires the client to explicitly call those APIs inside their program. The second type of enforcement requires the caller to set the administrator's session, which will then make the check implicitly during invocation of the fortress API.

Let's explore the second type a bit more...

The use case is that fortress will automatically ensure the caller has the permission to call a particular AdminMgr API, e.g. addRole, addPerm, addUser, etc.

You will need a reference to the administrator's fortress session. For example:

Session myAdminSession = AccessMgr.createSession( new User(…), isTrusted );

Next you will set this session into the particular manager where the enforcement takes place:

AdminMgr aMgr = AdminMgrFactory.createInstance(…);
aMgr.setAdminSession( myAdminSession );

Once accomplished, the manager impl will call checkAccess on behalf of the session for whatever method is called. This is a method-level checkAccess, with no org checks applied.

Shawn
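The two enforcement types from the reply above, side by side, as an added example that is not code from the thread or from the Fortress project. It assumes the current Fortress package layout (org.apache.directory.fortress.core and .model), that the Manageable method is named setAdmin as in Chris's snippet, and that the user and role names are constructed placeholders that already exist in the directory.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

public class ArbacEnforcementDemo {

    // Constructed identifiers for illustration; they must exist in your Fortress directory.
    static final String ADMIN_USER = "userInArbacRole";
    static final String TARGET_USER = "testUser";
    static final String TARGET_ROLE = "testRole";

    public static void main(String[] args) throws SecurityException {
        // The administrator's own session carries the activated ARBAC roles. isTrusted=true
        // skips the password check, so it must only be used from an already-authenticated context.
        AccessMgr accessMgr = AccessMgrFactory.createInstance();
        Session adminSession = accessMgr.createSession(new User(ADMIN_USER), true);

        // Enforcement type 1: explicit check. The caller asks DelAccessMgr whether this admin
        // may assign TARGET_USER to TARGET_ROLE and decides itself what to do with a denial.
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance();
        boolean allowed = delAccessMgr.canAssign(adminSession, new User(TARGET_USER), new Role(TARGET_ROLE));
        System.out.println("canAssign -> " + allowed);

        // Enforcement type 2: implicit, method-level check. Once the admin session is set on the
        // manager, every AdminMgr call is preceded by checkAccess for that session. A Session built
        // by hand (new Session(new User(...))) never activates ARBAC roles, so it enforces nothing.
        AdminMgr adminMgr = AdminMgrFactory.createInstance();
        adminMgr.setAdmin(adminSession);
        try {
            adminMgr.assignUser(new UserRole(TARGET_USER, TARGET_ROLE));
            System.out.println("assignUser succeeded");
        } catch (SecurityException e) {
            // Denied: the session lacks the admin permission for assignUser, or the ARBAC role is inactive.
            System.out.println("assignUser denied: " + e.getMessage());
        }
    }
}
```

The explicit canAssign result and the implicit outcome of assignUser should agree for the same session; a mismatch usually means the session passed to setAdmin is not the one that was created through AccessMgr.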
