-
Notifications
You must be signed in to change notification settings - Fork 22
Admin Operations
joshua-roberts edited this page Aug 27, 2024
·
6 revisions
- Operations modify the policy state. For example, creating nodes or assignments.
- Each operation has a set of operands and a subset of those operands are
node operands. Node operands denote which operands of an operation are intended to be nodes in the graph. The operands are the only ones accessible to obligation event patterns. - Each operation implements a
canExecutemethod which throws anUnauthorizedExceptionif the given user does not have privileges to execute the operation.
| Name | Operands | Node Operands | Class |
|---|---|---|---|
| assign | ascendant descendants |
ascendant decendants |
AssignOp |
| associate | ua target arset |
ua target |
AssociateOp |
| create_object_attribute | name descendants |
descendants | CreateObjectAttributeOp |
| create_object | name descendants |
descendants | CreateObjectOp |
| create_policy_class | name descendants |
descendants | CreatePolicyClassOp |
| create_user_attribute | name descendants |
descendants | CreateUserAttributeOp |
| create_user | name descendants |
descendants | CreateUserOp |
| deassign | ascendant descendants |
descendants | DeassignOp |
| delete_object_attribute | name type decsendants |
name descendants |
DeleteObjectAttributeOp |
| delete_object | name type decsendants |
name descendants |
DeleteObjectOp |
| delete_policy_class | name type decsendants |
name descendants |
DeletePolicyClassOp |
| delete_user_attribute | name type decsendants |
name descendants |
DeleteUserAttributeOp |
| delete_user | name type decsendants |
name descendants |
DeleteUserOp |
| dissociate | ua target |
ua target |
DissociateOp |
| set_node_properties | name properties |
name | SetNodePrtopertiesOp |
| Name | Operands | Node Operands | Class |
|---|---|---|---|
| create_prohibition | name subject arset intersection containers |
CreateProhibitionOp | |
| delete_prohibition | name subject arset intersection containers |
DeleteProhibitionOp |
| Name | Operands | Node Operands | Class |
|---|---|---|---|
| create_obligation | author name rules |
CreateObligationOp | |
| delete_obligation | author name rules |
DeleteObligationOp | |
| Name | Operands | Node Operands | Class |
|---|---|---|---|
| create_admin_operation | operation | CreateAdminOperationOp | |
| delete_admin_operation | name | DeleteAdminOperationOp | |
| set_resource_operations | operations | SetResourceOperationsOp |
| Name | Operands | Node Operands | Class |
|---|---|---|---|
| create_admin_routine | routine | CreateRoutineOp | |
| delete_admin_routine | name | DeleteRoutineOp |
Custom admin operations can be added to the policy using the OperationsModification interface or with PML.
// create an oepration called "test" with a single operand that is also a node operand
Operation<?> testOp = new Operation<>("test", List.of("a"), Lsit.of("a")) {
@Override
public void canExecute(PAP pap, UserContext userCtx, Map<String, Object> operands) throws PMException {
// need the "assign" access right on the operand "a"
PrivilegeChecker.check(pap, userCtx, (String) operands.get("a"), ASSIGN);
}
@Override
public Object execute(PAP pap, Map<String, Object> operands) throws PMException {
// create two objects in the operand "a"
String a = (String)operands.get("a");
pap.modify().graph().createObject("o1", List.of(a));
pap.modify().graph().createObject("o2", List.of(a));
}
};
pap.modify().operations().createAdminOperation(testOp);
String pml = """
operation test(nodeop string a) {
check "assign" on a
} {
create o "o1" in [a]
create o "o2" in [a]
}
""";
pap.executePML(new UserContext("u1"), pml);In the above examples, the operand a is a node operands and will be available for pattern matching in obligations.