Package oracle.iam.identity.rolemgmt.api
Interface RoleManager
public interface RoleManager
The
RoleManager API exposes the methods to manage Roles.
The Role VO can be prepared for Create Role APIs as follows -
Use it with following APIs
create(Role)
createRequest(Role)
Role role = new Role();
To populate Catalog into the Role
Catalog catalogAttributes = new Catalog();
catalogAttributes.setCertifiable(true);
role.setAttribute(RoleManagerConstants.CATALOG_ATTRIBUTES, catalogAttributes);
To add one or more parent roles
List<String> roleParents = new ArrayList<String>();
roleParents.add(roleParentKey1);
roleParents.add(roleParentKey2);
role.setAttribute(RoleManagerConstants.ROLE_PARENTS, roleParents);
To add static user memberships
listOfMembers = new ArrayList<RoleGrant>();
RoleGrant member = new RoleGrant(null, userKey);
Calendar c = Calendar.getInstance();
c.add(Calendar.DAY_OF_MONTH, 15);
Date startDate1 = c.getTime();
c.add(Calendar.DAY_OF_MONTH, 25);
Date endDate1 = c.getTime();
member.setAttribute(RoleManagerConstants.ROLE_GRANT_START_DATE, startDate1);
member.setAttribute(RoleManagerConstants.ROLE_GRANT_END_DATE, endDate1);
listOfMembers.add(member);
role.setAttribute(RoleManagerConstants.ROLE_MEMBERSHIPS, listOfMembers);
start/end date can be null. Any future start date will result in a pending grant
which will happen when the start date arrives.
To add access policies for the role
List<String> accessPolicies = new ArrayList<String>();
accessPolicies.add(accessPolicyKey1);
accessPolicies.add(accessPolicyKey2);
role.setAttribute(RoleManagerConstants.ACCESS_POLICIES, accessPolicies);
To add organizations, you must create EntityPublication objects
List<EntityPublication> entityPubs = new ArrayList<EntityPublication>();
entityPubs.add(new EntityPublication(null, PolicyConstants.Resources.ROLE, Long.valueOf(orgKey1), true)) ;
entityPubs.add(new EntityPublication(null, PolicyConstants.Resources.ROLE, Long.valueOf(orgKey2), true)) ;
role.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, entityPubs);
For role create, the roleKey will be null in EntityPublication.
During role modify, the role key must be passed.
To pass a user membership rule
SearchRule searchRule = new SearchRule(UserManagerConstants.AttributeName.LASTNAME.getId(), "saini", SearchRule.Operator.EQUAL);
role.setAttribute(RoleManagerConstants.ROLE_USER_MEMBERSHIP_RULE.getId(), userMembershipRule);
The Role VO can be prepared for Modify Role APIs similarly to Create Role,
except for the following differences -
Use it with following APIs
modify(Role)
modify(Set, Role)
modify(String, Object, Role)
modifyRequest(Role)
modifyRequest(Set, Role)
modifyRequest(String, Object, Role)
To modify catalog details
CatalogService catalogService = getService(CatalogService.class);
Catalog catalogAttributes = catalogService.getCatalogItemDetails(null, roleKey, OIMType.Role, null);
// Modify the catalog VO as required
catalogAttributes.setApproverUser("5");
catalogAttributes.setCertifiable(true);
attributes.put(RoleManagerConstants.CATALOG_ATTRIBUTES, catalogAttributes);
To update the organizations published to
//To delete existing publication, it must first be fetched
oracle.iam.platformservice.api.EntityPublicationService entityPubService = getService(oracle.iam.platformservice.api.EntityPublicationService.class);
List<EntityPublication> entityPubsAssigned = entityPubService.listEntityPublications(PolicyConstants.Resources.ROLE, roleKey, null);
Map<String, List<EntityPublication>> entityPubsMap = new HashMap<String, List<EntityPublication>>();
List<EntityPublication> entityPubsAddList = new ArrayList<EntityPublication> ();
List<EntityPublication> entityPubsUpdateList = new ArrayList<EntityPublication> ();
List<EntityPublication> entityPubsDeleteList = new ArrayList<EntityPublication> ();
entityPubsAddList.add(new EntityPublication(roleKey, PolicyConstants.Resources.ROLE, Long.valueOf(orgKey3), true));
entityPubsUpdateList.add(entityPubsAssigned.get(2));
entityPubsDeleteList.add(entityPubsAssigned.get(0));
entityPubsMap.put("ADD", entityPubsAddList);
entityPubsMap.put("UPDATE", entityPubsUpdateList);
entityPubsMap.put("DELETE", entityPubsDeleteList);
attributes.put(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO,entityPubsMap);
UPDATE and DELETE must have entity publications fetched from backend with publicationID populated
To update parent roles. You can add Parents roles & remove existing parent roles .
Map<String, List<String>> roleParentsUpdate = new HashMap<String, List<String>> ();
List<String> deleteRoleParents = new ArrayList<String>();
deleteRoleParents.add(role1);
deleteRoleParents.add(role2);
List<String> addRoleParents = new ArrayList<String>();
addRoleParents.add(role3);
roleParentsUpdate.put(RoleManagerConstants.ADD, addRoleParents);
roleParentsUpdate.put(RoleManagerConstants.DELETE, deleteRoleParents);
role.setAttribute(RoleManagerConstants.ROLE_PARENTS, roleParentsUpdate);
To update static user memberships
addListOfMembers = new ArrayList<RoleGrant>();
updateListOfMembers = new ArrayList<RoleGrant>();
deleteListOfMembers = new ArrayList<RoleGrant>();
RoleGrant member = new RoleGrant(null, userKey);
Calendar c = Calendar.getInstance();
c.add(Calendar.DAY_OF_MONTH, 15);
Date startDate1 = c.getTime();
c.add(Calendar.DAY_OF_MONTH, 25);
Date endDate1 = c.getTime();
member.setAttribute(RoleManagerConstants.ROLE_GRANT_START_DATE, startDate1);
member.setAttribute(RoleManagerConstants.ROLE_GRANT_END_DATE, endDate1);
addListOfMembers.add(member);
Similarly prepare the updateListOfMembers and deleteListOfMembers.
RoleGrant member = new RoleGrant(null, userKey);
updateListOfMembers.add(member);
RoleGrant member = new RoleGrant(null, userKey);
deleteListOfMembers.add(member);
Map<String, List<RoleGrant>> userMemberships = new HashMap<String, List<RoleGrant>>();
userMemberships.put(RoleManagerConstants.ADD, addListOfMembers);
userMemberships.put(RoleManagerConstants.UPDATE, updateListOfMembers);
userMemberships.put(RoleManagerConstants.DELETE, deleteListOfMembers);
role.setAttribute(RoleManagerConstants.ROLE_MEMBERSHIPS, userMemberships);
start/end date can be null. Any future start date will result in a pending grant
which will happen when the start date arrives.
To update the access policies for the role
Map<String, List<String>> accessPoliciesMap = new HashMap<String, List<String>>();
List<String> accessPoliciesAddList = new ArrayList<String>();
List<String> accessPoliciesDeleteList = new ArrayList<String>();
accessPoliciesAddList.add(accessPolicy3);
accessPoliciesDeleteList.add(accessPolicy2);
accessPoliciesMap.put("ADD", accessPoliciesAddList);
accessPoliciesMap.put("DELETE", accessPoliciesDeleteList);
attributes.put(RoleManagerConstants.ACCESS_POLICIES, accessPoliciesMap);
To get all the details of the role, use the following APIs
getDetails(String, Object, Set)
getDetails(String, Set)
getDirectRoleParents(String, Set, Map)
getRoleParents(String, boolean)
- Author:
- gclerici
-
Method Summary
Modifier and TypeMethodDescriptionaddRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue) Add a direct relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.addRoleRelationship(String roleParentKey, String roleChildKey) Add a direct relationship between two roles.This method creates a role.createRequest(Role role) This method raises a request to create the role in the back end data store Please note Role Name and Role Display Name will be trimmed for leading and trailing spacesDelete the role.This method deletes a role based on the search criteriaattributeName=attributeValue.Bulk delete operation.deleteRequest(String roleKey) Raises a request to delete the role.deleteRequest(String attributeName, Object attributeValue) This method raises a request to delete a role based on the search criteriaattributeName=attributeValue.deleteRequest(Set<String> roleKeys) Raises a request to delete all the specified roles.getDetails(String attributeName, Object attributeValue, Set<String> retAttrs) This method return the role details for a role based on the search criteriaattributeName=attributeValue.getDetails(String roleKey, Set<String> retAttrs) Returns the profile details of the specified role.getDetails(String roleKey, Set<String> retAttrs, OperationContext opContext) Returns the profile details of the specified role.Retrieve the roles direct children of the given role.getDirectRoleMembers(String roleKey) getDirectRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) intgetDirectRoleMembersCount(String roleKey) The API returns total direct role members count.Retrieve the roles who are the direct parents of the given role.getDirectRoleParents(String roleChildKey, Set<String> retAttrs, Map<String, Object> configParams, OperationContext opContext) Retrieve the roles who are the direct parents of the given role.getDynamicRoleMembers(String roleKey) Retrieve all the dynamic users members of the given role.Retrieve all the dynamic users members of the given role.getDynamicRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Retrieve all the dynamic users members of the given role.Retrieve the pending role grants of the given role.getPendingRoleUserRelationshipAttributes(String roleKey, String userKey, Set<String> retAttrs) Lookup the attributes of a pending role grant.Retrieve the pending role grants of the given user.getPendingUserGrantsWithSearchCriteria(String userKey, Set<String> retAttrs, Map<String, Object> configParams, SearchCriteria searchCriteria) Retrieve the pending role grants of the given user.getRoleChildren(String roleParentKey, boolean directAndIndirect) Retrieve the roles children of the given role.longAPI to return the Role Count depending on the search criteria.getRoleGrantDetails(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Set<String> retAttrs) Lookup the attributes of a role grant, where the role is identified uniquely by the search criteriaroleAttributeName=roleAttributeValueand the user is uniquely identified by the search criteriauserAttributeName=userAttributeValue.getRoleGrantDetails(String roleKey, String userKey, Set<String> retAttrs) Lookup the attributes of a role grant, associated betweenroleKeyanduserKey.getRoleGrantDetails(String roleKey, String userKey, Set<String> retAttrs, OperationContext opContext) Lookup the attributes of a role grant, associated betweenroleKeyanduserKey.getRoleIndirectMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Retrieve the indirect members (users) of the given role matching the specifiedSearchCriteria.getRoleMembers(String roleKey, boolean directAndIndirect) Retrieve all the users members of the given role.getRoleMembers(String roleKey, boolean directAndIndirect, long userBatchSize) Retrieve all the users members of the given role.getRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect) Retrieve the users members of the given role matching the specifiedSearchCriteria.getRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect, OperationContext opContext) Retrieve the users members of the given role matching the specifiedSearchCriteria.getRoleParents(String roleChildKey, boolean directAndIndirect) Retrieve the roles who are the parents of the given role.getRoleRelationshipDetails(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue, Set<String> retAttrs) Lookup the attributes of a role relationship, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.getRoleRelationshipDetails(String roleParentKey, String roleChildKey, Set<String> retAttrs) Lookup the attributes of a role relationship.getSimilarRoles(Role role) Finds similar roles based on entitlements.getStaticRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Retrieve all the static user members of the specified role.getUnassignedRoleMembers(String roleKey) Retrieve all the users that are not direct members of the given role.getUnassignedRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Retrieve all the users that are not direct members of the given role matching the specifiedSearchCriteria.getUnassignedUserMemberships(String userKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Retrieve all the roles that are not direct memberships of the given user matching the specifiedSearchCriteria.getUserMembershipRule(String roleKey) Returns the user membership rule for the specified RolegetUserMemberships(String userKey, boolean directAndIndirect) Retrieve all the roles that the user is a member of.getUserMemberships(String userKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect) Retrieve the roles of the given user matching the specifiedSearchCriteria.getUserRoleGrants(String userKey, SearchCriteria criteria, Map<String, Object> configParams, boolean directAndIndirect, Set<String> roleGrantRetAttrs, Set<String> roleRetAttrs, Set<String> userRetAttrs) Retrieve the role grants of the given user matching the specifiedSearchCriteria.grantRole(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) Grant the role(s) are identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user(s) identified by the search criteriauserAttributeName=userAttributeValue.grantRole(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> relationshipAttrs) Grant the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.Grant the role identified by roleKey to the specified user/s.Grant the role identified byroleKeyto the specified user(s).Deprecated.Grant the role identified by roleKey to the specified user/s.grantRole(String roleKey, Set<String> userKeys, Map<String, Object> relationshipAttrs, boolean evaluatePolicies) Grant the role identified by roleKey to the specified user/s.grantRoleDirect(String roleKey, List<String> userKeys, List<Map<String, Serializable>> relationshipAttrsList, boolean evaluatePolicies) Grant the role identified by roleKey to the specified user/s.grantRoleRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) Raises a request to grant the role(s) are identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user(s) identified by the search criteriauserAttributeName=userAttributeValue.grantRoleRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> relationshipAttrs) Raises a request to grant the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.grantRoleRequest(String roleKey, List<String> userKeys, List<Map<String, Serializable>> relationshipAttrs) Raises a request to grant the role identified by roleKey to the specified user/s.grantRoleRequest(String roleKey, Set<String> userKeys) Raises a request to grant the role identified byroleKeyto the specified user/s.Raises a request to grant the role identified by roleKey to the specified user/s.grantRoles(String userKey, Set<String> roleKeys) Grant the roles identified byroleKeysto the user identified byuserKey.Grant the roles identified by roleKeys to the specified user.grantRolesRequest(String userKey, Set<String> roleKeys) Raises a request to grant the roles identified byroleKeysto the user identified byuserKey.Raises a request to grant the roles identified by roleKeys to the specified user.booleanisPendingRoleGrant(String roleKey, String userKey) Return true if the user has the role granted in pending state.booleanisRoleDynamicallyGranted(String roleKey, String userKey) Return true if the user has the role dynamically granted.booleanisRoleGranted(String roleKey, String userKey, boolean directAndIndirect) Return true if the user has the role granted.booleanisRoleParent(String parentRoleKey, String roleChildKey, boolean directAndIndirect) Return true if the role has the given parent.This method modifies the role details for a role based on the search criteriaattributeName=attributeValue.Modifies roles in bulk.This method updates the existing role with the values specified.previewDynamicUserMembership(String roleKey, SearchRule userMembershipRule, Set<String> retAttrs, Map<String, Object> configParams) Preview the user membership rulepreviewDynamicUserSQLMembership(String roleKey, String userMembershipRuleSQL, Set<String> retAttrs, Map<String, Object> configParams) Preview the user membership for the sql ruleremoveRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue) Remove a direct relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.removeRoleRelationship(String roleParentKey, String roleChildKey) Remove a direct relationship between two roles.revokeRoleGrant(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) Revoke the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValuefor the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.revokeRoleGrant(String roleKey, Set<String> userKeys) Revoke the role identified byroleKeyto the specified user(s).revokeRoleGrant(String roleKey, Set<String> userKeys, boolean evaluatePolicies) Deprecated.revokeRoleGrantDirect(String roleKey, Set<String> userKeys, boolean evaluatePolicies) Revoke the role identified byroleKeyto the specified user(s).revokeRoleGrantRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) Raises a request to revoke the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValuefor the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.revokeRoleGrantRequest(String roleKey, Set<String> userKeys) Raises a request to revoke the role identified byroleKeyto the specified user(s).revokeRoleGrants(String userKey, Set<String> roleKeys) Revoke the roles identified byroleKeysto the user identified byuserKey.revokeRoleGrantsRequest(String userKey, Set<String> roleKeys) Raises a request to revoke the roles identified byroleKeysto the user identified byuserKey.Searches for roles matching the specifiedSearchCriteria.searchRoleHistory(String roleKey, RoleManagerConstants.RoleHistoryType type, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) Search the role history for specific audit events/types of audit events.setPendingRoleUserRelationshipAttributes(String roleKey, String userKey, Map<String, Object> relationshipAttrs) Update the attributes of a pending role grant.setPendingRoleUserRelationshipAttributesRequest(String roleKey, String userKey, Map<String, Object> relationshipAttrs) Submits a request to update the attributes of a pending role grant.setUserMembershipRule(String roleKey, SearchRule userMembershipRule) Sets the user membership rule on the specified RolesetUserMembershipRule(String roleKey, SearchRule userMembershipRule, boolean evaluateMembershipLater) Sets the user membership rule on the specified Role and membership is evaluated later if evaluateMembershipLater is passed as TRUEsetUserSQLMembershipRule(String roleKey, String userSQLMembershipRule) Sets the user SQL membership rule on the specified RolesetUserSQLMembershipRule(String roleKey, String userSQLMembershipRule, boolean evaluateMembershipLater) Sets the user SQL membership rule on the specified Role and membership is evaluated later if evaluateMembershipLater is passed as TRUEvoidThis method updates UDF entry in Role.xml in MDS repository.updateRoleGrant(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> args) Update a role grant, where the role is identified uniquely by the search criteriaroleAttributeName=roleAttributeValueand the user is uniquely identified by the search criteriauserAttributeName=userAttributeValue.Update a role grant.updateRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue, Map<String, Object> args) Update a relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.Update a relationship between two roles.
-
Method Details
-
create
RoleManagerResult create(Role role) throws ValidationFailedException, AccessDeniedException, RoleAlreadyExistsException, RoleCreateException This method creates a role.- Parameters:
role- The attributes and values for this role. The id field of theroleshould benull, please seeRole(java.util.HashMap)In addition to the setter methods, the following parameters can be passed:List
which has the access policy keys
role.setAttribute(RoleManagerConstants.ACCESS_POLICIES, accessPolicies)
Listto which the role needs to be published to
role.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, entityPubs);
List<HashMap<String, Serializable>> which has the user memberships
role.setAttribute(RoleManagerConstants.ROLE_MEMBERSHIPS, roleGrants);
Listwhich has the role parents
role.setAttribute(RoleManagerConstants.ROLE_PARENTS, roleParents);
catalogAttributes is a oracle.iam.catalog.vo.Catalog object
role.setAttribute(RoleManagerConstants.CATALOG_ATTRIBUTES, catalogAttributes);
userMembershipRule is a oracle.iam.platform.entitymgr.vo.SearchRule
role.setAttribute( RoleManagerConstants.RoleAttributeName.USER_MEMBERSHIP_RULE.getId(), userMembershipRule);
Detailed example in the javadoc at class level Please note Role Name and Role Display Name will be trimmed for leading and trailing spaces- Returns:
- RoleManagerResult containing the entity id of the role created in the backend datastore. If Audit mode is enabled it will contain the Request ID.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleAlreadyExistsException- if the role already exists.RoleCreateException- if the orchestration fails for the create operation.
-
createRequest
String createRequest(Role role) throws ValidationFailedException, AccessDeniedException, RoleAlreadyExistsException, RoleCreateException This method raises a request to create the role in the back end data store Please note Role Name and Role Display Name will be trimmed for leading and trailing spaces- Parameters:
role- The attributes and values for this role. The id field of theroleshould benull, please seeRole(java.util.HashMap)- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleAlreadyExistsException- if the role already exists.RoleCreateException- if the request creation fails for the create role operation.
-
modify
RoleManagerResult modify(Role role) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException This method updates the existing role with the values specified.- Parameters:
role- The attributes and values to update the role with. A nonnullvalue is must for the roleroleto identify the entity to be modified, Please seeRole(java.lang.String, java.util.HashMap). In addition to the setter methods, the following parameters can be passed:Map<String, List
> accessPoliciesMap which contains the access policies to add and remove.
role.setAttribute(RoleManagerConstants.ACCESS_POLICIES, accessPoliciesMap)
Map<String, List> entityPubs of publications which needs to be added/updated/removed
role.setAttribute(RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO, entityPubs);
Map<String, List> roleGrants which has user memberships to be added/updated/removed.
role.setAttribute(RoleManagerConstants.ROLE_MEMBERSHIPS, roleGrants);
Map<String, List> roleParents which has the role parents to be added/removed.
role.setAttribute(RoleManagerConstants.ROLE_PARENTS, roleParents);
catalogAttributes is a oracle.iam.catalog.vo.Catalog object
role.setAttribute(RoleManagerConstants.CATALOG_ATTRIBUTES, catalogAttributes);
userMembershipRule is a oracle.iam.platform.entitymgr.vo.SearchRule
role.setAttribute( RoleManagerConstants.RoleAttributeName.USER_MEMBERSHIP_RULE.getId(), userMembershipRule);
Please note Role Name and Role Display Name will be trimmed for leading and trailing spaces Detailed example in the javadoc at class level- Returns:
- RoleManagerResult containing the entity id of the role updated in the backend datastore. If Audit mode is enabled it will contain the Request ID.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.
-
modify
RoleManagerResult modify(String attributeName, Object attributeValue, Role role) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException, SearchKeyNotUniqueException, RoleLookupException This method modifies the role details for a role based on the search criteriaattributeName=attributeValue. Please note Role Name and Role Display Name will be trimmed for leading and trailing spaces- Parameters:
attributeName- The attribute name for the search criteriaattributeValue- The attribute value for the search criteriarole- The attributes and values to update the role with. The id field of theroleshould benull, please seeRole(java.util.HashMap).- Returns:
- RoleManagerResult containing the entity id of the role updated in backend datastore. If Audit mode is enabled it will contain the Request ID.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given search criteria is not found.SearchKeyNotUniqueException- if there is more than one role of the search criteriaRoleLookupException- if there is an exception while doing the search.
-
delete
RoleManagerResult delete(String attributeName, Object attributeValue) throws SearchKeyNotUniqueException, ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException, RoleLookupException This method deletes a role based on the search criteriaattributeName=attributeValue.- Parameters:
attributeName- The attribute name for the search criteriaattributeValue- The attribute value for the search criteria- Returns:
- RoleManagerResult containing the entity id of the role deleted in the backend datastore. If Audit mode is enabled it will contain the Request ID.
- Throws:
SearchKeyNotUniqueException- if there is more than one role of the search criteriaValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the orchestration fails for delete operation.NoSuchRoleException- if the role with given search criteria is not found.RoleLookupException- if there is an exception while doing the search.
-
deleteRequest
String deleteRequest(String attributeName, Object attributeValue) throws SearchKeyNotUniqueException, ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException This method raises a request to delete a role based on the search criteriaattributeName=attributeValue.- Parameters:
attributeName- The attribute name for the search criteriaattributeValue- The attribute value for the search criteria- Returns:
- The id of the request.
- Throws:
SearchKeyNotUniqueException- if there is more than one role of the search criteriaValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the request creation fails for delete role operation.NoSuchRoleException- if the role with given search criteria is not found.RoleLookupException- if there is an exception while doing the search.
-
modify
RoleManagerResult modify(Set<String> roleKeys, Role role) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException Modifies roles in bulk. The profile of all roles whose key is inroleKeysset are updated with value of all bulk modifiable attribute specified in the map. Please note Role Name and Role Display Name will be trimmed for leading and trailing spaces- Parameters:
roleKeys- The keys of the roles whose profiles are to be updated.role- The common set of attributes and values to update the roles with. The id field of theroleshould benull, please seeRole(java.util.HashMap).- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.
-
delete
RoleManagerResult delete(String roleKey) throws ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException Delete the role. This is a hard delete operation and will remove the role from the data store.- Parameters:
roleKey- The key of the role to be deleted.- Returns:
- RoleManagerResult containing the entity id of the role deleted in the backend datastore. If Audit mode is enabled it contains Request ID.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the orchestration fails for delete operation.NoSuchRoleException- if the role with given key is not found.
-
deleteRequest
String deleteRequest(String roleKey) throws ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException Raises a request to delete the role.- Parameters:
roleKey- The key of the role to be deleted.- Returns:
- The id of the rerequest.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the request creation fails for delete role operation.NoSuchRoleException- if the role with given key is not found.
-
delete
RoleManagerResult delete(Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException Bulk delete operation. It will delete all the specified roles.- Parameters:
roleKeys- The keys of the roles to be deleted.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the orchestration fails for delete operation.NoSuchRoleException- if the role with given key is not found.
-
deleteRequest
String deleteRequest(Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleDeleteException, NoSuchRoleException Raises a request to delete all the specified roles.- Parameters:
roleKeys- The keys of the roles to be deleted.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleDeleteException- if the request creation fails for delete role operation.NoSuchRoleException- if the role with given key is not found.
-
getDetails
Role getDetails(String roleKey, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleException, RoleLookupException Returns the profile details of the specified role.- Parameters:
roleKey- The key of the role who's details are required.retAttrs- The set of attributes which are to be returned for each role. In addition to standard role attributes, the following can be passed RoleManagerConstants.ACCESS_POLICIES RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO RoleManagerConstants.CATALOG_ATTRIBUTES RoleManagerConstants.ROLE_USER_MEMBERSHIP_RULE- Returns:
- If the role exists then an 'Role' object containing all the
retAttrsof the role are returned otherwiseNoSuchRoleExceptionexception is thrown. - Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleLookupException- if there is an exception while doing the search.NoSuchRoleException- if the role with given key is not found.
-
getDetails
Role getDetails(String roleKey, Set<String> retAttrs, OperationContext opContext) throws AccessDeniedException, NoSuchRoleException, RoleLookupException Returns the profile details of the specified role.- Parameters:
roleKey- The key of the role who's details are required.retAttrs- The set of attributes which are to be returned for each role. In addition to standard role attributes, the following can be passed RoleManagerConstants.ACCESS_POLICIES RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO RoleManagerConstants.CATALOG_ATTRIBUTES RoleManagerConstants.ROLE_USER_MEMBERSHIP_RULEopContext- Context of a request.- Returns:
- If the role exists then an 'Role' object containing all the
retAttrsof the role are returned otherwiseNoSuchRoleExceptionexception is thrown. - Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleLookupException- if there is an exception while doing the search.NoSuchRoleException- if the role with given key is not found.
-
getSimilarRoles
List<RoleConsolidation> getSimilarRoles(Role role) throws RoleManagerException, AccessDeniedException Finds similar roles based on entitlements. Only roles with 50% or higher match are considered. Only the top 3 matches are returned. For each matched role, its role memberships are also compared to determine the percentage of common users.Note that since this API can be used during create and modify, the
rolewill not exist during create operation. Hence, it is expected it to be populated with the access policies for both create and modify scenario. Role key need not be available. However, for modify operation, if therolevo doesn't have ALL its access policies and members populated, then the role key must be populated so the API can fetch the data. Role Name must be passed for modify, to filter out the passed role from the result.- Parameters:
role- The role for whome similar roles are required- Returns:
- The list of top 3 matched similar role. List may contain more matches if multiple roles match with same percentage. List may have less than 3 matches if roles do not match the 50% cut-off. The Relationship has the following attributes: ROLE_KEY is the key of the matching role ROLE_NAME is the name of the matching role ENTITLEMENT_MATCH which is the percentage match for entitlements MEMBERSHIP_MATCH which gives the percentage of common members between the two roles
- Throws:
ValidationFailedExceptionAccessDeniedExceptionRoleManagerException
-
search
List<Role> search(SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleSearchExceptionSearches for roles matching the specifiedSearchCriteria.- Parameters:
criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
Role Nameby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of roles which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleSearchException- if there is an exception while doing the search
-
getDetails
Role getDetails(String attributeName, Object attributeValue, Set<String> retAttrs) throws SearchKeyNotUniqueException, AccessDeniedException, NoSuchRoleException, RoleLookupException This method return the role details for a role based on the search criteriaattributeName=attributeValue.- Parameters:
attributeName- - The attribute name for the search criteriaattributeValue- - The attribute value for the search criteriaretAttrs- - The attributes to be returned for the role. In addition to standard role attributes, the following can be passed RoleManagerConstants.ACCESS_POLICIES RoleManagerConstants.ORGANIZATIONS_PUBLISHED_TO RoleManagerConstants.CATALOG_ATTRIBUTES RoleManagerConstants.ROLE_USER_MEMBERSHIP_RULE- Returns:
- - The role that matches the search criteria
- Throws:
SearchKeyNotUniqueException- if there is more than one role of the search criteriaAccessDeniedException- if the logged-in user does not have the required authorization.RoleSearchException- if there is an exception while doing the searchNoSuchRoleException- if the role with given search criteria is not foundRoleLookupException- if there is an exception while doing the search.
-
grantRole
RoleManagerResult grantRole(String roleKey, Set<String> userKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantException Grant the role identified byroleKeyto the specified user(s).- Parameters:
roleKey- The id of the role to be granted.userKeys- The id(s) of the user to whom to grant the role.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRoleRequest
String grantRoleRequest(String roleKey, Set<String> userKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantException Raises a request to grant the role identified byroleKeyto the specified user/s.- Parameters:
roleKey- The id of the role to be granted.userKeys- The id(s) of the user to whom to grant the role.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If request creation fails.
-
grantRole
@Deprecated RoleManagerResult grantRole(String roleKey, Set<String> userKeys, boolean evaluatePolicies) throws ValidationFailedException, AccessDeniedException, RoleGrantException Deprecated.Grant the role identified byroleKeyto the specified user(s).- Parameters:
roleKey- The id of the role to be granted.userKeys- The id(s) of the user to whom to grant the role.evaluatePolicies- Boolean to indicate whether to evaluate policies or not when user is granted to the role- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
revokeRoleGrant
RoleManagerResult revokeRoleGrant(String roleKey, Set<String> userKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Revoke the role identified byroleKeyto the specified user(s).- Parameters:
roleKey- The id of the role to be revoked.userKeys- The id(s) of the user to whom to revoke the role.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If operation fails.
-
revokeRoleGrantDirect
RoleManagerResult revokeRoleGrantDirect(String roleKey, Set<String> userKeys, boolean evaluatePolicies) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Revoke the role identified byroleKeyto the specified user(s).- Parameters:
roleKey- The id of the role to be revoked.userKeys- The id(s) of the user to whom to revoke the role.evaluatePolicies- Boolean to indicate whether to evaluate policies or not when user is revoked from the roleisRequest- Boolean to indicate whether flow is request based- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If operation fails.
-
revokeRoleGrantRequest
String revokeRoleGrantRequest(String roleKey, Set<String> userKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Raises a request to revoke the role identified byroleKeyto the specified user(s).- Parameters:
roleKey- The id of the role to be revoked.userKeys- The id(s) of the user to whom to revoke the role.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If request creation fails.
-
revokeRoleGrant
@Deprecated RoleManagerResult revokeRoleGrant(String roleKey, Set<String> userKeys, boolean evaluatePolicies) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Deprecated.Revoke the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The id of the role to be revoked.userKeys- The id(s) of the user to whom to revoke the role.evaluatePolicies- Boolean to indicate whether to evaluate policies or not when user is revoked from the role- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If operation fails.
-
getRoleGrantDetails
Relationship getRoleGrantDetails(String roleKey, String userKey, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleGrantException, RoleGrantLookupException Lookup the attributes of a role grant, associated betweenroleKeyanduserKey.- Parameters:
roleKey- The id of the role whose grant we are looking up.userKey- The id of the user whose grant we are looking up.retAttrs- The attributes to lookup.- Returns:
- Relationship containing the attributes of the role grant.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantLookupException- If operation fails.NoSuchRoleGrantException- If the grant doesn't exist
-
getRoleGrantDetails
Relationship getRoleGrantDetails(String roleKey, String userKey, Set<String> retAttrs, OperationContext opContext) throws AccessDeniedException, NoSuchRoleGrantException, RoleGrantLookupException Lookup the attributes of a role grant, associated betweenroleKeyanduserKey.- Parameters:
roleKey- The id of the role whose grant we are looking up.userKey- The id of the user whose grant we are looking up.retAttrs- The attributes to lookup.opContext- Context of a request.- Returns:
- Relationship containing the attributes of the role grant.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantLookupException- If operation fails.NoSuchRoleGrantException- If the grant doesn't exist
-
grantRoles
RoleManagerResult grantRoles(String userKey, Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantException Grant the roles identified byroleKeysto the user identified byuserKey.- Parameters:
userKey- The key of the user to whom to grant the roles.roleKeys- The keys of roles to be granted.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRolesRequest
String grantRolesRequest(String userKey, Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantException Raises a request to grant the roles identified byroleKeysto the user identified byuserKey.- Parameters:
userKey- The key of the user to whom to grant the roles.roleKeys- The keys of roles to be granted.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If request creation fails.
-
revokeRoleGrants
RoleManagerResult revokeRoleGrants(String userKey, Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Revoke the roles identified byroleKeysto the user identified byuserKey.- Parameters:
userKey- The key of the user to whom to revoke the roles.roleKeys- The keys of the roles to be revoked.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If operation fails.
-
revokeRoleGrantsRequest
String revokeRoleGrantsRequest(String userKey, Set<String> roleKeys) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException Raises a request to revoke the roles identified byroleKeysto the user identified byuserKey.- Parameters:
userKey- The key of the user to whom to revoke the roles.roleKeys- The keys of the roles to be revoked.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If request creation fails.
-
updateRoleGrant
RoleManagerResult updateRoleGrant(String roleKey, String userKey, Map<String, Object> args) throws ValidationFailedException, AccessDeniedException, RoleGrantUpdateException, NoSuchRoleGrantExceptionUpdate a role grant.- Parameters:
roleKey- The key of the role whose grant we are updating.userKey- The key of the user whose grant we are updating.args- The attributes and values to update the role grant with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantUpdateException- If operation fails.NoSuchRoleGrantException- If the role grant doesn't exist
-
getRoleMembers
List<User> getRoleMembers(String roleKey, boolean directAndIndirect) throws AccessDeniedException, RoleMemberException Retrieve all the users members of the given role. It returns both static as well as dynamic role members. Note that this API only checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
roleKey- The key of the role whose members we are looking up.directAndIndirect- The flag used to lookup the role members either directly or indirectly. If the directAndIndirect is false, returns only direct assigned members to role. If the directAndIndirect is true, returns both direct and indirect assigned members of given role.- Returns:
- the list of users that are members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getRoleMembers
List<User> getRoleMembers(String roleKey, boolean directAndIndirect, long userBatchSize) throws AccessDeniedException, RoleMemberException Retrieve all the users members of the given role. It returns both static as well as dynamic role members. Note that this API only checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
roleKey- The key of the role whose members we are looking up.directAndIndirect- The flag used to lookup the role members either directly or indirectly. If the directAndIndirect is false, returns only direct assigned members to role. If the directAndIndirect is true, returns both direct and indirect assigned members of given role.userBatchSize- It is the number of users to be processed in chunks to address the huge number of users. User can define this paramter while running the task- Returns:
- the list of users that are members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDynamicRoleMembers
Retrieve all the dynamic users members of the given role. Dynamic users members are based on the user membership rule- Parameters:
roleKey- The key of the role whose members we are looking up.- Returns:
- the list of users that are dynamic members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDynamicRoleMembers
List<User> getDynamicRoleMembers(String roleKey, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve all the dynamic users members of the given role. Dynamic users members are based on the user membership rule- Parameters:
roleKey- The key of the role whose members we are looking up.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that are dynamic members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDynamicRoleMembers
List<User> getDynamicRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve all the dynamic users members of the given role. Dynamic users members are based on the user membership rule- Parameters:
roleKey- The key of the role whose members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN,retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that are dynamic members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getStaticRoleMembers
List<User> getStaticRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve all the static user members of the specified role.- Parameters:
roleKey- The key of the role whose members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN,retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that are static members of the specified role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDirectRoleMembers
-
getDirectRoleMembers
List<User> getDirectRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberException -
getRoleMembers
List<User> getRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect) throws AccessDeniedException, RoleMemberExceptionRetrieve the users members of the given role matching the specifiedSearchCriteria. This method returns both static as well as dynamic members.- Parameters:
roleKey- The key of the role whose members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
directAndIndirect- if the directAndIndirect is false returns only direct assigned members to role which are matched with search criteria.if the directAndIndirect is true returns both direct and indirect assigned members of given role which are matched with search criteria.- Returns:
- the list of users that are members of the given role which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getRoleMembers
List<User> getRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect, OperationContext opContext) throws AccessDeniedException, RoleMemberExceptionRetrieve the users members of the given role matching the specifiedSearchCriteria. This method returns both static as well as dynamic members.- Parameters:
roleKey- The key of the role whose members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
directAndIndirect- if the directAndIndirect is false returns only direct assigned members to role which are matched with search criteria.if the directAndIndirect is true returns both direct and indirect assigned members of given role which are matched with search criteria.opContext- Context of a request.- Returns:
- the list of users that are members of the given role which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getPendingUserGrants
List<RoleGrant> getPendingUserGrants(String userKey, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve the pending role grants of the given user. This method returns static grants with future start date.- Parameters:
userKey- The key of the user whose pending role grants we are looking up.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of future role grants
List<RoleGrant>which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user. - Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getPendingUserGrantsWithSearchCriteria
List<RoleGrant> getPendingUserGrantsWithSearchCriteria(String userKey, Set<String> retAttrs, Map<String, Object> configParams, SearchCriteria searchCriteria) throws AccessDeniedException, RoleMemberExceptionRetrieve the pending role grants of the given user. This method returns static grants with future start date.- Parameters:
userKey- The key of the user whose pending role grants we are looking up.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
searchCriteria- passes the sreahc criteria- Returns:
- the list of future role grants
List<RoleGrant>which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user. - Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getPendingRoleGrants
List<RoleGrant> getPendingRoleGrants(String roleKey, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve the pending role grants of the given role. This method returns static grants with future start date.- Parameters:
roleKey- The key of the role whose pending members we are looking up.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of future role grants
List<RoleGrant>which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user. - Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getRoleIndirectMembers
List<User> getRoleIndirectMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve the indirect members (users) of the given role matching the specifiedSearchCriteria.- Parameters:
roleKey- The key of the role whose indirect members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that are indirect members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getUnassignedRoleMembers
List<User> getUnassignedRoleMembers(String roleKey) throws AccessDeniedException, RoleMemberException Retrieve all the users that are not direct members of the given role. Note that this API only checks for direct memberships.- Parameters:
roleKey- The key of the role whose not direct members we are looking up.- Returns:
- the list of users that are not members of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getUnassignedRoleMembers
List<User> getUnassignedRoleMembers(String roleKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve all the users that are not direct members of the given role matching the specifiedSearchCriteria.- Parameters:
roleKey- The key of the role whose not direct members we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each user.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that are not direct members of the given role which matched the search criteria. This list is filtered based on the attribute and entity permissions of the logged-in user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
isRoleGranted
boolean isRoleGranted(String roleKey, String userKey, boolean directAndIndirect) throws AccessDeniedException, UserMembershipException Return true if the user has the role granted. This method works for both static as well as dynamic members. Note that this API only checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
roleKey- The key of the role whose memberships we are looking up.userKey- The key of the user whose memberships we are looking up.directAndIndirect- if true, checks for both direct and indirect memberships. if false, checks for only direct memberships.- Returns:
- true if the user had the role granted.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
isRoleDynamicallyGranted
boolean isRoleDynamicallyGranted(String roleKey, String userKey) throws AccessDeniedException, UserMembershipException Return true if the user has the role dynamically granted. Dynamic role grants are based on the user membership rule- Parameters:
roleKey- The key of the role whose memberships we are looking up.userKey- The key of the user whose memberships we are looking up.- Returns:
- true if the user had the role dynamically granted.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
getUserMemberships
List<Role> getUserMemberships(String userKey, boolean directAndIndirect) throws AccessDeniedException, UserMembershipException Retrieve all the roles that the user is a member of. This method works for both static as well as dynamically granted roles. Note that this API checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
userKey- The key of the user whose memberships we are looking up.directAndIndirect- The flag used to lookup the user memberships either directly or indirectly. If true, checks for both direct and indirect memberships. If false, checks for only direct memberships.- Returns:
- the list of roles that are granted to the given user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
getUserMemberships
List<Role> getUserMemberships(String userKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams, boolean directAndIndirect) throws AccessDeniedException, UserMembershipExceptionRetrieve the roles of the given user matching the specifiedSearchCriteria. This method works for both static as well as dynamically granted roles. Note that this API only checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
userKey- The key of the user whose memberships we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
directAndIndirect- The flag used to lookup the user memberships either directly or indirectly. If true, checks for both direct and indirect memberships. If false, checks for only direct memberships.- Returns:
- the list of roles that are granted to the given user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
getUserRoleGrants
List<RoleGrant> getUserRoleGrants(String userKey, SearchCriteria criteria, Map<String, Object> configParams, boolean directAndIndirect, Set<String> roleGrantRetAttrs, Set<String> roleRetAttrs, Set<String> userRetAttrs) throws AccessDeniedException, UserMembershipException, NoSuchRoleGrantException, RoleGrantLookupException, NoSuchUserException, UserLookupExceptionRetrieve the role grants of the given user matching the specifiedSearchCriteria. This method works for both static as well as dynamically granted roles. Note that this API only checks for direct and indirect memberships based on the directAndIndirect flag.- Parameters:
userKey- The key of the user whose memberships we are looking up. Required.criteria- The search criteria based on which roles will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.configParams- Parameters to further configure the search operation. These parameters apply to the role entities. If configParams argument is null, defaults are all rows, in ascending order by role key. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
Role Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
directAndIndirect- The flag used to lookup the user memberships either directly or indirectly. If true, checks for direct and indirect memberships. If false, only direct memberships are returned.roleGrantRetAttrs- The set of attributes which are to be returned for each role grant. If null, all attributes are returned.roleRetAttrs- The set of attributes which are to be returned for each role. If null, the role object is not returned.userRetAttrs- The set of attributes which are to be returned for each user. If null, the user object is not returned.- Returns:
- The list of role-user relationships.
- Throws:
AccessDeniedException- If the logged-in user does not have the required authorization.UserMembershipException- If operation fails.RoleGrantLookupException- If role grant lookup fails.NoSuchRoleGrantException- If the grant doesn't existNoSuchUserException- If the user does not exist.UserLookupException- If the user lookup operation fails.
-
getUnassignedUserMemberships
List<Role> getUnassignedUserMemberships(String userKey, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, UserMembershipExceptionRetrieve all the roles that are not direct memberships of the given user matching the specifiedSearchCriteria.- Parameters:
userKey- The key of the user whose not direct memberships we are looking up.criteria- The search criteria based on which entries will be retrieved from the backend. The SearchCriteria Operators supported are AND, OR, NOT, GREATER_THAN, GREATER_EQUAL, LESS_THAN, LESS_EQUAL, EQUAL, NOT_EQUAL and CONTAINS.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
User Keyby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of roles that are not directly granted to the given user.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
addRoleRelationship
RoleManagerResult addRoleRelationship(String roleParentKey, String roleChildKey) throws ValidationFailedException, AccessDeniedException, RoleRelationshipException Add a direct relationship between two roles.- Parameters:
roleParentKey- The key of the parent role in the relationship that we are creating.roleChildKey- The key of the child role in the relationship that we are creating.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipException- If operation fails.
-
removeRoleRelationship
RoleManagerResult removeRoleRelationship(String roleParentKey, String roleChildKey) throws ValidationFailedException, AccessDeniedException, RoleRelationshipRemoveException Remove a direct relationship between two roles.- Parameters:
roleParentKey- The key of the parent role in the relationship that we are deleting.roleChildKey- The key of the child role in the relationship that we are deleting.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipRemoveException- If operation fails.
-
getRoleRelationshipDetails
Relationship getRoleRelationshipDetails(String roleParentKey, String roleChildKey, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleRelationshipException, RoleRelationshipLookupException Lookup the attributes of a role relationship.- Parameters:
roleParentKey- The key of the parent role in the relationship we are looking up.roleChildKey- The key of the child role in the relationship we are looking up.retAttrs- The attributes to lookup.- Returns:
- Relationship containing the attributes of the role relationship.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipLookupException- If operation fails.NoSuchRoleRelationshipException- If the role relationship doesn't exist
-
updateRoleRelationship
RoleManagerResult updateRoleRelationship(String roleKey, String roleChildKey, Map<String, Object> args) throws ValidationFailedException, AccessDeniedException, RoleRelationshipUpdateException, NoSuchRoleRelationshipExceptionUpdate a relationship between two roles.- Parameters:
roleKey- The key of the parent role in the relationship that we are updating.roleChildKey- The key of the child role in the relationship that we are updating.args- The attributes and values to update the role relationship with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipUpdateException- If operation fails.NoSuchRoleRelationshipException- If the relationship doesn't exist
-
getRoleChildren
List<Role> getRoleChildren(String roleParentKey, boolean directAndIndirect) throws AccessDeniedException, RoleMemberException Retrieve the roles children of the given role. Note that this API only checks for direct and indirect relationships based on the directAndIndirect flag.- Parameters:
roleParentKey- The key of the role whose relationships are looking up.directAndIndirect- The flag used to lookup the role relationships either directly or indirectly. If true, returns all the children, including both direct and indirect. If false, returns only direct children.- Returns:
- the list of roles that are children of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDirectRoleChildren
List<Role> getDirectRoleChildren(String roleParentKey, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve the roles direct children of the given role.- Parameters:
roleParentKey- The key of the role whose children are looking up.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are two configuration parameters. STARTROW, and ENDROW The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.- Returns:
- the list of roles that are direct children of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
isRoleParent
boolean isRoleParent(String parentRoleKey, String roleChildKey, boolean directAndIndirect) throws AccessDeniedException, RoleMemberException Return true if the role has the given parent. Note that this API only checks for for direct and indirect relationships based on the directAndIndirect flag.- Parameters:
parentRoleKey- The key of the role whose relationship we are looking up.directAndIndirect- if true, checks for direct and indirect relationships. If false, checks for only direct relationships.roleChildKey- The key of the role whose relationship we are looking up.- Returns:
- true if the role has the given parent.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getRoleParents
List<Role> getRoleParents(String roleChildKey, boolean directAndIndirect) throws AccessDeniedException, RoleMemberException Retrieve the roles who are the parents of the given role. Note that this API checks for direct and indirect relationship based on directAndIndirect- Parameters:
roleChildKey- The key of the role whose parent we are looking up.directAndIndirect- When set to false, will only return direct parents. When set to true, will return direct and indirect parents.- Returns:
- the list of roles who are the parents of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDirectRoleParents
List<Role> getDirectRoleParents(String roleChildKey, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleMemberExceptionRetrieve the roles who are the direct parents of the given role.- Parameters:
roleChildKey- the key of the role whose parents are looking up.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are two configuration parameters. STARTROW, and ENDROW The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.- Returns:
- the list of roles who are the direct parents of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
getDirectRoleParents
List<Role> getDirectRoleParents(String roleChildKey, Set<String> retAttrs, Map<String, Object> configParams, OperationContext opContext) throws AccessDeniedException, RoleMemberExceptionRetrieve the roles who are the direct parents of the given role.- Parameters:
roleChildKey- the key of the role whose parents are looking up.retAttrs- The set of attributes which are to be returned for each role.configParams- Parameters to further configure the search operation. There are two configuration parameters. STARTROW, and ENDROW The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.opContext- Context of a request.- Returns:
- the list of roles who are the direct parents of the given role.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
updateEntityDefinition
void updateEntityDefinition()This method updates UDF entry in Role.xml in MDS repository. An assumption is that any UDF in Role.xml will only be added or modified through Design console. This API is being invoked from Design console. tcfrmUDFManager. This will be called when user has made any modification in UDF of Roles only. -
grantRole
RoleManagerResult grantRole(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) throws ValidationFailedException, AccessDeniedException, RoleGrantException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserException Grant the role(s) are identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user(s) identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required. authorization.RoleGrantException- If operation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
grantRoleRequest
String grantRoleRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) throws ValidationFailedException, AccessDeniedException, RoleGrantException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserException Raises a request to grant the role(s) are identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user(s) identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.- Returns:
- The id of the reuest.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required. authorization.RoleGrantException- If request creation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
getRoleGrantDetails
Relationship getRoleGrantDetails(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleGrantException, RoleGrantLookupException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserException Lookup the attributes of a role grant, where the role is identified uniquely by the search criteriaroleAttributeName=roleAttributeValueand the user is uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.retAttrs- The attributes to lookup.- Returns:
- Relationship containing the attributes of the role grant.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantLookupException- If operation fails.NoSuchRoleGrantException- If the grant doesn't exist.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
updateRoleGrant
RoleManagerResult updateRoleGrant(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> args) throws ValidationFailedException, AccessDeniedException, RoleGrantUpdateException, NoSuchRoleGrantException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserExceptionUpdate a role grant, where the role is identified uniquely by the search criteriaroleAttributeName=roleAttributeValueand the user is uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.args- The attributes and values to update the role grant with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantUpdateException- If operation fails.NoSuchRoleGrantException- If the role grant doesn't exist.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
revokeRoleGrant
RoleManagerResult revokeRoleGrant(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserException Revoke the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValuefor the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If operation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
revokeRoleGrantRequest
String revokeRoleGrantRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue) throws ValidationFailedException, AccessDeniedException, RoleGrantRevokeException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserException Raises a request to revoke the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValuefor the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantRevokeException- If request creation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
getRoleRelationshipDetails
Relationship getRoleRelationshipDetails(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleRelationshipException, RoleRelationshipLookupException, SearchKeyNotUniqueException, NoSuchRoleException Lookup the attributes of a role relationship, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.- Parameters:
parentAttrName- The parent role attribute name for the search criteria.parentAttrValue- The parent role attribute value for the search criteria.childAttrName- The child role attribute name for the search criteria.childAttrValue- The child role attribute value for the search criteria.retAttrs- The attributes to lookup.- Returns:
- Relationship containing the attributes of the role relationship.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipLookupException- If operation fails.NoSuchRoleRelationshipException- If the role relationship doesn't exist.SearchKeyNotUniqueException- if there is more than one roles for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.
-
addRoleRelationship
RoleManagerResult addRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue) throws ValidationFailedException, AccessDeniedException, RoleRelationshipException, SearchKeyNotUniqueException, NoSuchRoleException Add a direct relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.- Parameters:
parentAttrName- The parent role attribute name for the search criteria.parentAttrValue- The parent role attribute value for the search criteria.childAttrName- The child role attribute name for the search criteria.childAttrValue- The child role attribute value for the search criteria.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipException- If operation fails.SearchKeyNotUniqueException- if there is more than one roles for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.
-
removeRoleRelationship
RoleManagerResult removeRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue) throws ValidationFailedException, AccessDeniedException, RoleRelationshipRemoveException, SearchKeyNotUniqueException, NoSuchRoleException Remove a direct relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.- Parameters:
parentAttrName- The parent role attribute name for the search criteria.parentAttrValue- The parent role attribute value for the search criteria.childAttrName- The child role attribute name for the search criteria.childAttrValue- The child role attribute value for the search criteria.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipRemoveException- If operation fails.SearchKeyNotUniqueException- if there is more than one roles for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.
-
updateRoleRelationship
RoleManagerResult updateRoleRelationship(String parentAttrName, Object parentAttrValue, String childAttrName, Object childAttrValue, Map<String, Object> args) throws ValidationFailedException, AccessDeniedException, RoleRelationshipUpdateException, NoSuchRoleRelationshipException, SearchKeyNotUniqueException, NoSuchRoleExceptionUpdate a relationship between two roles, where the parent role is uniquely identified by the search criteriaparentAttrName=parentAttrValueand the child role is uniquely identified by the search criteriachildAttrName=childAttrValue.- Parameters:
parentAttrName- The parent role attribute name for the search criteria.parentAttrValue- The parent role attribute value for the search criteria.childAttrName- The child role attribute name for the search criteria.childAttrValue- The child role attribute value for the search criteria.args- The attributes and values to update the role relationship with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleRelationshipUpdateException- If operation fails.NoSuchRoleRelationshipException- If the relationship doesn't exist.SearchKeyNotUniqueException- if there is more than one roles for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.
-
getUserMembershipRule
SearchRule getUserMembershipRule(String roleKey) throws AccessDeniedException, NoSuchRoleException, RoleLookupException Returns the user membership rule for the specified Role- Parameters:
roleKey- The id of the role whose details are required.- Returns:
- SearchRule contains the user membershp rule for this role
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.RoleLookupException- if there is an exception while doing the search.NoSuchRoleException- if the role with given key is not found.- Since:
- 11gps2
-
setUserMembershipRule
RoleManagerResult setUserMembershipRule(String roleKey, SearchRule userMembershipRule) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException Sets the user membership rule on the specified Role- Parameters:
roleKey- The key of the role who's details are required.userMembershipRule- User membership rule to set for this role- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.- Since:
- 11gps2
-
setUserMembershipRule
RoleManagerResult setUserMembershipRule(String roleKey, SearchRule userMembershipRule, boolean evaluateMembershipLater) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException Sets the user membership rule on the specified Role and membership is evaluated later if evaluateMembershipLater is passed as TRUE- Parameters:
roleKey- The key of the role who's details are required.userMembershipRule- User membership rule to set for this roleevaluateMembershipLater- if TRUE Membership is evaluated later. FALSE it is evaluated immediately in post process handler.- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.
-
previewDynamicUserMembership
List<User> previewDynamicUserMembership(String roleKey, SearchRule userMembershipRule, Set<String> retAttrs, Map<String, Object> configParams) throws ValidationFailedException, AccessDeniedException, RoleMemberExceptionPreview the user membership rule- Parameters:
roleKey- the key of the role for which we want to preview the membersuserMembershipRule- User membership rule to previewretAttrs- The attributes to lookup.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
Display Nameby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that match the membership rule
- Throws:
ValidationFailedException- if the rule is syntactically incorrect.AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.- Since:
- 11gps2
-
setUserSQLMembershipRule
RoleManagerResult setUserSQLMembershipRule(String roleKey, String userSQLMembershipRule) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException Sets the user SQL membership rule on the specified Role- Parameters:
roleKey- The key of the role who's details are required.userSQLMembershipRule- User SQL membership rule to set for this role- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.
-
setUserSQLMembershipRule
RoleManagerResult setUserSQLMembershipRule(String roleKey, String userSQLMembershipRule, boolean evaluateMembershipLater) throws ValidationFailedException, AccessDeniedException, RoleModifyException, NoSuchRoleException Sets the user SQL membership rule on the specified Role and membership is evaluated later if evaluateMembershipLater is passed as TRUE- Parameters:
roleKey- The key of the role who's details are required.userSQLMembershipRule- User SQL membership rule to set for this roleevaluateMembershipLater- if TRUE Membership is evaluated later. FALSE it is evaluated immediately in post process handler.- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleModifyException- if the orchestration fails for modify operation.NoSuchRoleException- if the role with given key is not found.
-
previewDynamicUserSQLMembership
List<User> previewDynamicUserSQLMembership(String roleKey, String userMembershipRuleSQL, Set<String> retAttrs, Map<String, Object> configParams) throws ValidationFailedException, AccessDeniedException, RoleMemberExceptionPreview the user membership for the sql rule- Parameters:
roleKey- the key of the role for which we want to preview the membersuserMembershipRuleSQL- User membership rule to previewretAttrs- The attributes to lookup.configParams- Parameters to further configure the search operation. There are four configuration parameters. STARTROW, ENDROW, SORTEDBY and SORTORDER.The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.
The SORTEDBY search configuration parameter indicates the attribute on which search result is to be sorted. This parameter is optional and is set to
Display Nameby default.The SORTORDER search configuration parameter indicates the order of sorting. There are two possible values for this parameter. To sort the result in ascending order use SortOrder.ASCENDING and to sort the result in descending order use SortOrder.DESCENDING. This parameter is optional and is set to SortOrder.ASCENDING by default.
- Returns:
- the list of users that match the membership rule
- Throws:
ValidationFailedException- if the rule is syntactically incorrect.AccessDeniedException- if the logged-in user does not have the required authorization.RoleMemberException- If operation fails.
-
grantRole
RoleManagerResult grantRole(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserExceptionGrant the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required. authorization.RoleGrantException- If operation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
grantRole
RoleManagerResult grantRole(String roleKey, Set<String> userKeys, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionGrant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRole
RoleManagerResult grantRole(String roleKey, List<String> userKeys, List<Map<String, Serializable>> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionGrant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrsList- List of map - one for each user. Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRole
RoleManagerResult grantRole(String roleKey, Set<String> userKeys, Map<String, Object> relationshipAttrs, boolean evaluatePolicies) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionGrant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.evaluatePolicies- Boolean to indicate whether to evaluate policies or not when user is granted to the role- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRoleDirect
RoleManagerResult grantRoleDirect(String roleKey, List<String> userKeys, List<Map<String, Serializable>> relationshipAttrsList, boolean evaluatePolicies) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionGrant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.evaluatePolicies- Boolean to indicate whether to evaluate policies or not when user is granted to the roleisRequest- Boolean to indicate whether flow is request based- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRoleRequest
String grantRoleRequest(String roleAttributeName, Object roleAttributeValue, String userAttributeName, Object userAttributeValue, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantException, SearchKeyNotUniqueException, NoSuchRoleException, NoSuchUserExceptionRaises a request to grant the role uniquely identified by the search criteriaroleAttributeName=roleAttributeValueto the specified user uniquely identified by the search criteriauserAttributeName=userAttributeValue.- Parameters:
roleAttributeName- The role attribute name for the search criteria.roleAttributeValue- The role attribute value for the search criteria.userAttributeName- The user attribute name for the search criteria.userAttributeValue- The user attribute value for the search criteria.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- The id of the reuest.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required. authorization.RoleGrantException- If request creation fails.SearchKeyNotUniqueException- if there is more than one roles or users for the given search criteria.NoSuchRoleException- if the role with given search criteria is not found.NoSuchUserException- if the user with given search criteria is not found.
-
grantRoleRequest
String grantRoleRequest(String roleKey, Set<String> userKeys, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionRaises a request to grant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If request creation fails.
-
grantRoleRequest
String grantRoleRequest(String roleKey, List<String> userKeys, List<Map<String, Serializable>> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionRaises a request to grant the role identified by roleKey to the specified user/s.- Parameters:
roleKey- The key of the role to be granted.userKeys- The keys of the user to whom to grant the role.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone. The list is assumed to contain one map entry for each user in userKeys. If the map entries do not match the number of users, then dates will be assumed null for them.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If request creation fails.
-
grantRoles
RoleManagerResult grantRoles(String userKey, Set<String> roleKeys, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionGrant the roles identified by roleKeys to the specified user.- Parameters:
userKey- The key of the user to whom to grant the roles.roleKeys- The keys of roles to be granted.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- RoleManagerResult containing the set of success and failure results. Each failure result has a reason for failure associated with it.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If operation fails.
-
grantRolesRequest
String grantRolesRequest(String userKey, Set<String> roleKeys, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantExceptionRaises a request to grant the roles identified by roleKeys to the specified user.- Parameters:
userKey- The key of the user to whom to grant the roles.roleKeys- The keys of roles to be granted.relationshipAttrs- Map containing following keys:startDate- Date on which Role should be auto-granted to User. Ifnullrole is granted immediately.endDate- Date on which Role should be auto-revoked from User. ifnullrole is never revoked. The dates are assumed to be in server timezone.- Returns:
- The id of the request.
- Throws:
ValidationFailedException- if the validation fails during the request creation.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantException- If request creation fails.
-
getPendingRoleUserRelationshipAttributes
Relationship getPendingRoleUserRelationshipAttributes(String roleKey, String userKey, Set<String> retAttrs) throws AccessDeniedException, NoSuchRoleGrantException, RoleGrantLookupException Lookup the attributes of a pending role grant.- Parameters:
roleKey- The key of the role whose grant we are looking up.userKey- The key of the user whose grant we are looking up.retAttrs- The attributes to lookup.- Returns:
- Relationship containing the attributes of the role grant.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantLookupException- If operation fails.NoSuchRoleGrantException- If the grant doesn't exist
-
setPendingRoleUserRelationshipAttributes
RoleManagerResult setPendingRoleUserRelationshipAttributes(String roleKey, String userKey, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantUpdateException, NoSuchRoleGrantExceptionUpdate the attributes of a pending role grant.- Parameters:
roleKey- The key of the role whose grant we are updating.userKey- The key of the user whose grant we are updating.relationshipAttrs- The attributes and values to update the pending role grant relationship with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantUpdateException- If operation fails.NoSuchRoleGrantException- If the role grant doesn't exist
-
setPendingRoleUserRelationshipAttributesRequest
String setPendingRoleUserRelationshipAttributesRequest(String roleKey, String userKey, Map<String, Object> relationshipAttrs) throws ValidationFailedException, AccessDeniedException, RoleGrantException, NoSuchRoleGrantExceptionSubmits a request to update the attributes of a pending role grant.- Parameters:
roleKey- The key of the role whose grant we are updating.userKey- The key of the user whose grant we are updating.relationshipAttrs- The attributes and values to update the pending role grant relationship with.- Returns:
- RoleManagerResult containing the status of the operation.
- Throws:
ValidationFailedException- if the validation during the orchestration process fails.AccessDeniedException- if the logged-in user does not have the required authorization.RoleGrantUpdateException- If operation fails.NoSuchRoleGrantException- If the role grant doesn't existRoleGrantException
-
isPendingRoleGrant
boolean isPendingRoleGrant(String roleKey, String userKey) throws AccessDeniedException, UserMembershipException Return true if the user has the role granted in pending state.- Parameters:
roleKey- The key of the role whose memberships we are looking up.userKey- The key of the user whose memberships we are looking up.- Returns:
- true if the user does not have the role granted and the grant is in pending state waiting for the startDate.
- Throws:
AccessDeniedException- if the logged-in user does not have the required authorization.UserMembershipException- If operation fails.
-
searchRoleHistory
List<AuditEvent> searchRoleHistory(String roleKey, RoleManagerConstants.RoleHistoryType type, SearchCriteria criteria, Set<String> retAttrs, Map<String, Object> configParams) throws AccessDeniedException, RoleManagerExceptionSearch the role history for specific audit events/types of audit events.- Parameters:
roleKey- Role keytype- Type of History to be fetchedcriteria- The criteria can be used to filter the type of history you wantretAttrs- List of attribute the search should return.configParams- Parameters to further configure the search operation. There are two configuration parameters. STARTROW, and ENDROW The STARTROW and ENDROW search configuration parameters indicates which subset of the complete search result is to be fetched.- Returns:
- list of
AuditEventsmatching the search criteria. - Throws:
AccessDeniedExceptionRoleManagerException
-
getRoleCount
API to return the Role Count depending on the search criteria. This API should be used when a requirement of role count for a particular criteria is required without calling search and getting all the role result to just get a count.- Parameters:
sc- - SearchCriteria for which the total role count is expected- Returns:
- Count of roles depending on criteria passed.
-
getDirectRoleMembersCount
The API returns total direct role members count.
-