HDM supports several types of security permissions that you can use to restrict certain bundles from using some (or all) of the devices and zones.

Setting Permissions to Bundles

To set HDM security permission to a certain bundle:

• Start the OSGi framework with enabled security.
• Use the Permission Admin Service to set permissions to the bundles in your Runtime.

The following example grants a GET permission for all of the devices registered in HDM to a bundle with symbolic name com.prosyst.mbs.demo.hdm.app.

    //Retrieve the Permission Admin Service.

    ServiceReference permref = context.getServiceReference(

            org.osgi.service.permissionadmin.PermissionAdmin.class.getName());

    PermissionAdmin permAdmin = (PermissionAdmin) context.getService(permref);

        //Retrieve the bundle that we want to set permissions to:

    Bundle hdmAppDemo = null;

    Bundle[] installedbundles=context.getBundles();

    for (int i = 0; i < installedbundles.length; i++) {

        if(installedbundles[i].getSymbolicName().equals("com.prosyst.mbs.demo.hdm.app")){

            hdmAppDemo=installedbundles[i];

        }

    }

        //Construct the permission object

    PermissionInfo[] devicePermissions = new PermissionInfo[1];

    devicePermissions[0] = new PermissionInfo("com.prosyst.mbs.services.hdm.HomeDevicePermission",

            "[uid1]", HomeDevicePermission.GET );

        //Set it to the bundle

    permAdmin.setPermissions(hdmAppDemo.getLocation(),devicePermissions);

A condition related to the Home Device Manager is triggered only in case the application that created it has a HomeDevicePermission to access the device. You can use the hdm.security.accadmin.enable system property to turn on/off triggering conditions based on the Access Control Context of the specific application.

Administrative Permissions

They include permissions for adding and removing devices and zones.

Administrative permissions do not support any actions. The name and action arguments of the object constructors are required but ignored.

Devices

The permission for adding and removing devices manually and for performing a search for devices is represented by a com.prosyst.mbs.services.hdm.HomeDeviceAdminPermission object.

Zones

The permission for creating and removing zones is represented by a com.prosyst.mbs.services.hdm.zones.HomeZoneAdminPermission object.

Usage Permission

They include permissions for using devices and zones.

Devices

The permission for using devices is represented by a com.prosyst.mbs.services.hdm.HomeDevicePermission object. The constructor expects two arguments - a device identifier and an identifier for the actions which are allowed by the permission:

Device Identifier

The first argument identifies the devices to which the permission allows access.

To give access only to certain devices:

Pass a comma-separated list of the UIDs of the devices enclosed by square brackets. For example:

[device.uid.1,device.uid.2,device.uid.3]

You can also use the wildcard character, for example a permission created with the string

[device.uid*]

gives access to all devices with UID that begins with device.uid.

To give access only to certain types of devices:

Pass an LDAP filter which matches one or several device properties with predefined values. A permission created with the string

"(" + HomeDevice.DEVICE_CLASSES + "=" + BinarySwitch.class.getName() + ")"

gives access to all Binary Switches.

To give access to all devices:

Pass null.

Supported Actions

The second argument identifies the operations that the permission gives access to. Its value can be one of the constants of the HomeDevicePermission class:

• HomeDevicePermission.GET - The bundle can only retrieve Home Devices and Device Classes Objects, as well as the values of their properties, but cannot change them.
• HomeDevicePermission.DCO_OPERATION - The bundle can get Home Devices and Device Classes Objects, as well as the values of their properties and can execute Device Class Object operations.
• HomeDevicePermission.DEVICE - The bundle can get Home Devices and Device Classes Objects, as well as the values of their properties, but can only change the values of the Home Device properties.
• HomeDevicePermission.DCO_SET - The bundle can get Home Devices and Device Classes Objects, as well as the values of their properties, and can change the values of both types of properties - of Home Devices and of Device Class Objects.
• HomeDevicePermission.ALL - Full permission is granted. The bundle can get Home Devices and Device Classes Objects, as well as the values of their properties, can execute Device Class Object operations and can change the values of both types of properties - of Home Devices and of Device Class Objects.

Zones

The permission for using zones is represented by a com.prosyst.mbs.services.hdm.zones.HomeZonePermission object. The constructor expects two arguments - a zone identifier and an identifier for the actions which are allowed by the permission:

Zone Identifier

The first argument identifies the zones to which the permission allows access.

To give access only to certain zones:

Pass a comma-separated list of the UIDs of the zones enclosed by square brackets. For example:

[zone.uid.1,zone.uid.2,zone.uid.3]

You can also use the wildcard character, for example a permission created with the string

[zone.uid*]

gives access to all zones with UID that begins with zone.uid.

To give access only to certain types of zones:

Pass an LDAP filter which matches one or several zone properties with predefined values. A permission created with the string "(" + HomeZone.TYPE + "=floor)" gives access to all zones with type equal to floor.

To give access to all zones:

Pass null.

Supported Actions

The second argument identifies the operations that the permission gives access to. Its value can be one of the constants of the HomeZonePermission class:

• HomeZonePermission.GET The bundle can only retrieve zones and their properties but cannot actually change them.
• HomeZonePermission.ALL The bundle will be able to change the properties of zones and also execute operations

HDM Security Events

The Home Device Manger can generate com.prosyst.mbs.services.eventadmin.SecurityEvents with specific device and zone permissions. This feature is controlled by the hdm.security.permission.enable system property. It is disabled by default. See Subscribing to Device Events and Subscribing to Zone Events for more information about the events generated by the Home Device Manager. For further information about SecurityEvents, refer to the OSGi Framework documentation.