directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: [Bulk] RBAC Constraints
Date Mon, 24 Aug 2015 15:14:46 GMT
Chris,

Yes it can be done but it requires a little work on your end.  There are three steps to the
solution:

1. Implement the org.apache.directory.fortress.core.util.time.Validator interface.  The existing
temporal evaluators all reside inside the same package. You may use one of those as an example.

2. Register the new component with fortress.  That is done by dropping a new property in the
fortress.properties file.  For example here are the temporal validator settings:

# these properties will enable temporal constraint checks on role activations:
temporal.validator.0=org.apache.directory.fortress.core.util.time.Date
temporal.validator.1=org.apache.directory.fortress.core.util.time.LockDate
temporal.validator.2=org.apache.directory.fortress.core.util.time.Timeout
temporal.validator.3=org.apache.directory.fortress.core.util.time.ClockTime
temporal.validator.4=org.apache.directory.fortress.core.util.time.Day

3. Your new validator impl class will need to be made available to the fortress runtime classpath.

***

Your use case requires a new validator, e.g.:

temporal.validator.5=edu.psu.financial.Account

That would be called during the lifecycle of any AccessMgr method - during the role constraint
checks.

Depending on your requirements, you may need to store new data attributes in ldap to support
the new validator.  The easiest way to do this would be to make it a property.  If it needs to
be part of the fortress constraint data storage, i.e. needs to be stored within the ftRC attribute,
it would require work done to the core API to support.

Shawn

> On Aug 24, 2015, at 9:42 AM, Chris Pike <clp207@psu.edu> wrote:
> 
> The Fortress Commander UI and Java API provide mechanisms to set and retrieve temporal
> constraints on a role. Is there any way to add additional arbitrary constraints that are not
> time related? For example, a bank teller can only work with a certain set of accounts.
> 
> Thanks,
> 
> ~Chris Pike

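The three steps Shawn lists above, worked through as an added example that is not code from the Fortress project or from either poster: an edu.psu.financial.Account validator that only lets a role activate when the teller's assigned account set covers it. Assumptions: the import packages and the validate() signature are those of a current Fortress release (both changed between releases, so adjust to yours); the teller's permitted account sets are stored as the user property "accountSets"; the role-to-account-set mapping is constructed inline instead of being read from ldap.

```java
package edu.psu.financial;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.directory.fortress.core.model.Constraint;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.util.time.Time;
import org.apache.directory.fortress.core.util.time.Validator;

// Registered via fortress.properties as temporal.validator.5=edu.psu.financial.Account
// and placed on the fortress runtime classpath (steps 2 and 3 of the reply).
public class Account implements Validator
{
    // Assumed, application-specific failure code; 0 means the constraint passed.
    public static final int ACTV_FAILED_ACCOUNT = 9001;

    // Assumed user property key holding a comma-separated list of account sets.
    private static final String PROP_ACCOUNT_SETS = "accountSets";

    // Constructed sample mapping: the account set each teller role operates on.
    private static final Map<String, String> ROLE_ACCOUNT_SET = new HashMap<>();
    static
    {
        ROLE_ACCOUNT_SET.put( "teller_retail", "retail" );
        ROLE_ACCOUNT_SET.put( "teller_commercial", "commercial" );
    }

    // Called by the fortress runtime for every role constraint on AccessMgr methods.
    @Override
    public int validate( Session session, Constraint constraint, Time time )
    {
        String required = ROLE_ACCOUNT_SET.get( constraint.getName() );
        if ( required == null )
        {
            return 0; // role carries no account constraint, nothing to enforce
        }
        String assigned = session.getUser().getProperty( PROP_ACCOUNT_SETS );
        Set<String> allowed = ( assigned == null )
            ? new HashSet<>()
            : new HashSet<>( Arrays.asList( assigned.split( "," ) ) );
        // Fail closed: a teller with no assigned sets activates no account-bound role.
        return allowed.contains( required ) ? 0 : ACTV_FAILED_ACCOUNT;
    }
}
```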
