Security

This page describes the FunctionalItemPermission and how it could be used to specify the access to Functional Items and their members.

Overview

FunctionalItemPermission represents the access to FunctionalItem instances and their functionality. It is used for defining:

• access to a FunctionalItem member – i.e. read a property value or event, write a new property value or operation execution.
• FunctionalItem lifecycle – i.e. register a new instance or get an existing from the registry.

Examples for using in permissions.perm file:

• to have all FunctionalItemPermission

  com.prosyst.mbs.services.fim.FunctionalItemPermission "*" ""

• for reading all properties values and receiving all property changed events

  com.prosyst.mbs.services.fim.FunctionalItemPermission "(access=READ) ""

• for GroupAdmin#getParentGroups(String) operation execution

  com.prosyst.mbs.services.fim.FunctionalItemPermission "(&(access=EXEC)(member=getParentGroups)(uid=fim:group:admin)) ""

• for all operations of items with object class defined in com.prosyst.mbs.services.fim.groups package and subpackages

  com.prosyst.mbs.services.fim.FunctionalItemPermission "(&(access=EXEC)(objectClass=com.prosyst.mbs.services.fim.groups.*))) ""

• for items registration with any object class that is not defined in com.prosyst.mbs.services.fim.groups package and subpackages

  com.prosyst.mbs.services.fim.FunctionalItemPermission "(&(lifecycle=REGISTER)(!(objectClass=com.prosyst.mbs.services.fim.groups.*))) ""

Changing permissions runtime:

• to allow a bundle to get all FunctionalItems from the registry

  PermissionInfo itemGetPerm = new PermissionInfo(FunctionalItemPermission.class.getName(), '('
          + FunctionalItemPermission.LIFECYCLE_TYPE_KEY
          + '=' + FunctionalItemPermission.LIFECYCLE_TYPE_VALUE_GET + ')', null);

• to allow a bundle to execute any item operation with name "remove"

  PermissionInfo removePerm = new PermissionInfo(FunctionalItemPermission.class.getName(), "(&("
          + FunctionalItemPermission.ACCESS_TYPE_KEY + '=' + FunctionalItemPermission.ACCESS_TYPE_VALUE_EXEC + ")("
          + MEMBER_KEY + "=remove))", null);  

Examples on how to check the caller permissions in FunctionalItem property getters, setters and operations:

If you are extending AbstractFunctionalItem, there are more protected methods that can be used instead of the code examples listed down.

@Property
  @Description("Switch state.")
  String PROPERTY_STATE = "state";
  ...
  SecurityManager sm = System.getSecurityManager();

• Read property value – property getter method execution

  if (sm != null) {
      sm.checkPermission(new FunctionalItemPermission(this, STATE_PROPERTY, FunctionalItemPermission.ACCESS_TYPE_VALUE_READ));
    }

• Write property value – property setter method execution

  if (sm != null) {
      sm.checkPermission(new FunctionalItemPermission(this, STATE_PROPERTY, FunctionalItemPermission.ACCESS_TYPE_VALUE_WRITE));
    }

• Execute operation

  if (sm != null) {
      sm.checkPermission(new FunctionalItemPermission(this, "toggle", FunctionalItemPermission.ACCESS_TYPE_VALUE_EXEC));
    }

FIM packages permissions:

In addition to the configured FunctionalItemPermissions be sure that import PackagePermissions for FIM packages are allowed only for the required FIM API packages.