def find_roles(role):
"""
Method will return a list of type Role matching all or part of Role name, Role.name.
required parameters:
role.name - maps to existing role. May be partial name with wildcard on end - *.
"""
utils.validate_role(role)
return roledao.search(role)
def read_role(role):
"""
Method reads Role entity from the role container in directory.
required parameters:
role.name - maps to existing role
"""
utils.validate_role(role)
return roledao.read(role)
def role_perms(role):
"""
This function returns the set of all permissions (op, obj), granted to or inherited by a given role. The function is valid if and only if the role is a member of the ROLES data set.
required parameters:
role.name - maps to existing role
"""
utils.validate_role(role)
return permdao.search_on_roles([role.name])
def assigned_users(role):
"""
This function returns the set of users assigned to a given role. The function is valid if and only if the role is a member of the ROLES data set.
required parameters:
role.name - maps to existing role
"""
utils.validate_role(role)
return roledao.get_members(role)
def delete_role(role):
"""
This command deletes an existing role from the RBAC database. The command is valid if and only if the role to be deleted is a member of the ROLES data set.
This command will also deassign role from all users.
required parameters:
role.name - maps to INetOrgPerson uid
"""
utils.validate_role(role)
return roledao.delete(role)
def revoke(perm, role):
"""
This command revokes the permission to perform an operation on an object from the set of permissions assigned to a role.
The command is implemented by setting the access control list of the object involved.
The command is valid if and only if the pair (operation, object) represents a permission, the role is a member of the ROLES data set, and the permission is assigned to that role.
required parameters:
perm.obj_name - existing perm obj.
perm.obj_name - existing perm op.
role.name - existing role.
optional parameters:
perm.obj_id - object identifier
"""
utils.validate_role(role)
utils.validate_perm(perm)
return permdao.revoke(perm, role)
def grant(perm, role):
"""
This method will add permission operation to an existing permission object which resides under ou=Permissions,ou=RBAC,dc=yourHostName,dc=com container in directory information tree.
The perm operation entity may have Role or User associations. The target Permission must not exist prior to calling.
A Fortress Permission instance exists in a hierarchical, one-many relationship between its parent and itself as stored in ldap tree: (PermObj*->Permission).
required parameters:
perm.obj_name - existing perm obj.
perm.obj_name - existing perm op.
role.name - existing role.
optional parameters:
perm.obj_id - object identifier
"""
utils.validate_role(role)
utils.validate_perm(perm)
return permdao.grant(perm, role)
def deassign(user, role):
"""
This command deletes the assignment of the User from the Role entities.
The command is valid if and only if the user is a member of the USERS data set, the role is a member of the ROLES data set,
and the user is assigned to the role. Any sessions that currently have this role activated will not be effected.
Successful completion includes:
User entity in USER data set has role assignment removed.
Role entity in ROLE data set has userId removed as role occupant.
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
entity = roledao.read(role)
userdao.deassign(user, entity.constraint)
roledao.remove_member(entity, user.uid)
def assign(user, role):
"""
This command assigns a user to a role.
The command is valid if and only if:
The user is a member of the USERS data set
The role is a member of the ROLES data set
The user is not already assigned to the role
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
entity = roledao.read(role)
userdao.assign(user, entity.constraint)
roledao.add_member(entity, user.uid)
def update_role(role):
"""
Method will update a Role entity in the directory. The role must exist in role container prior to this call.
required parameters:
role.name - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
role.props - multi-occurring name:value pairs
role.description
role.constraint.beginDate - YYYYMMDD - determines date when role may be activated.
role.constraint.endDate - YYMMDD - indicates latest date role may be activated.
role.constraint.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
role.constraint.endLockDate - YYMMDD - determines end of enforced inactive status.
role.constraint.beginTime - HHMM - determines begin hour role may be activated in user's session.
role.constraint.endTime - HHMM - determines end hour role may be activated in user's session.*
role.constraint.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
"""
utils.validate_role(role)
return roledao.create(role)
def add_role(role):
"""
This command creates a new role. The command is valid if and only if the new role is not already a member of the ROLES data set.
The ROLES data set is updated. Initially, no user or permission is assigned to the new role.
required parameters:
role.name - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
role.props - multi-occurring name:value pairs
role.description
role.constraint.beginDate - YYYYMMDD - determines date when role may be activated.
role.constraint.endDate - YYMMDD - indicates latest date role may be activated.
role.constraint.beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
role.constraint.endLockDate - YYMMDD - determines end of enforced inactive status.
role.constraint.beginTime - HHMM - determines begin hour role may be activated in user's session.
role.constraint.endTime - HHMM - determines end hour role may be activated in user's session.*
role.constraint.dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
"""
utils.validate_role(role)
return roledao.create(role)
