def read_user(user):
    """Return the User entity in the people container that matches ``user``.

    Required parameters:
        user.uid - maps to INetOrgPerson uid

    Returns:
        The entity produced by ``userdao.read`` for this uid.

    Raises:
        Whatever ``utils.validate_user`` raises for a malformed argument, and
        whatever ``userdao.read`` raises when no entry matches (the DAO is not
        visible here, so the exact type cannot be stated).
    """
    # Shape check first so a malformed argument never reaches the directory.
    utils.validate_user(user)
    entity = userdao.read(user)
    return entity
def user_perms(user):
    """Return the permissions ``user`` obtains through all assigned roles.

    The result is derived from the role names stored on the user entry: every
    entry of ``usr.roles`` is handed to ``permdao.search_on_roles`` with no
    session or temporal filtering applied in this function, so the result is
    the user's *assignable* permission set rather than what is active in a
    given session. NOTE(review): whether the DAO applies any constraint
    filtering is not visible here - confirm before using this for enforcement.

    Valid only if the user is a member of the USERS data set.

    Required parameters:
        user.uid - maps to INetOrgPerson uid
    """
    utils.validate_user(user)
    stored = userdao.read(user)
    role_names = stored.roles
    return permdao.search_on_roles(role_names)
def assigned_roles(user):
    """Return the role assignment records (with constraints) stored on ``user``.

    Valid only if the user is a member of the USERS data set. This returns the
    entry's ``role_constraints`` attribute - assignment records - as opposed to
    the bare ``roles`` name list that ``user_perms`` consumes.

    Required parameters:
        user.uid - maps to existing user
    """
    utils.validate_user(user)
    return userdao.read(user).role_constraints
def delete_user(user):
    """Hard-delete an existing user from the RBAC directory.

    Valid only if the user is a member of the USERS data set; the USERS and UA
    data sets and the ``assigned_users`` function are updated. All directory
    data associated with the user is removed - there is no soft-delete or
    recovery path, so callers should gate this behind an administrative
    privilege and audit it. The entry must exist beforehand, otherwise an
    exception is thrown.

    NOTE(review): only ``userdao.delete`` is invoked here. Whether the user's
    occupant entries on role objects (the ones ``deassign`` removes through
    ``roledao.remove_member``) are cleaned up inside the DAO is not visible
    from this module - confirm, or stale occupants may linger on roles.

    Required parameters:
        user.uid - maps to INetOrgPerson uid
    """
    utils.validate_user(user)
    outcome = userdao.delete(user)
    return outcome
def find_users(user):
    """Return a list of User entities whose uid matches all or part of ``user.uid``.

    Required parameters:
        user.uid - maps to existing user; may be partial with a trailing
                   wildcard (``*``).

    Optional parameters:
        user.ou - maps to attribute assignment; may also be partial with a
                  trailing wildcard (``*``).

    NOTE(review): the wildcard value is passed straight to ``userdao.search``,
    so the directory filter is built inside the DAO. If ``uid`` or ``ou`` can
    originate from untrusted input, verify that the DAO escapes LDAP filter
    metacharacters (RFC 4515) instead of interpolating the raw string - that
    cannot be confirmed from this module.
    """
    utils.validate_user(user)
    matches = userdao.search(user)
    return matches
def deassign(user, role):
    """Remove the assignment of ``user`` from ``role``.

    Valid only if the user is a member of the USERS data set, the role is a
    member of the ROLES data set, and the user is currently assigned to the
    role. Sessions that already have this role activated are not affected.

    On success the User entry in the USER data set has the role assignment
    removed and the Role entry in the ROLE data set has the userId removed as
    a role occupant.

    Required parameters:
        user.uid - existing user.
        role.name - existing role.

    NOTE(review): the two writes below are sequential, not transactional. If
    ``roledao.remove_member`` fails after ``userdao.deassign`` has succeeded,
    the user entry and the role's occupant list disagree until the call is
    repeated. The user's existence is not verified here beyond
    ``validate_user``; presumably ``userdao.deassign`` raises for an unknown
    uid - confirm.
    """
    utils.validate_user(user)
    utils.validate_role(role)
    # The role is read first because its constraint is what is stored (and
    # therefore removed) on the user side of the assignment.
    role_entity = roledao.read(role)
    userdao.deassign(user, role_entity.constraint)
    roledao.remove_member(role_entity, user.uid)
def assign(user, role):
    """Assign ``user`` to ``role``.

    Valid only if the user is a member of the USERS data set, the role is a
    member of the ROLES data set, and the user is not already assigned to the
    role.

    Required parameters:
        user.uid - existing user.
        role.name - existing role.

    NOTE(review): like ``deassign``, this performs two sequential writes with
    no transaction around them; a failure in ``roledao.add_member`` after
    ``userdao.assign`` succeeded leaves the user carrying a role constraint
    that the role's occupant list does not reflect. Whether the "not already
    assigned" precondition is enforced by the DAO is not visible here.
    """
    utils.validate_user(user)
    utils.validate_role(role)
    # Read the role first: the constraint it carries is what gets written on
    # the user entry.
    role_entity = roledao.read(role)
    userdao.assign(user, role_entity.constraint)
    roledao.add_member(role_entity, user.uid)
def add_user(user):
    """Create a new RBAC user.

    Valid only if the new user is not already a member of the USERS data set;
    the USER data set is updated. The new user owns no session at creation.

    Required parameters:
        user.uid - maps to INetOrgPerson uid

    Optional parameters:
        Temporal constraints, associated with the ftUserAttrs aux object class:
            user.role_constraints.beginDate - YYYYMMDD - earliest date the role
                may be activated.
            user.role_constraints.endDate - latest date the role may be
                activated. (The original note gives YYMMDD here while the begin
                fields use YYYYMMDD - confirm the format the DAO expects.)
            user.role_constraints.beginLockDate - YYYYMMDD - start of enforced
                inactive status.
            user.role_constraints.endLockDate - end of enforced inactive
                status. (Same YYMMDD/YYYYMMDD caveat as endDate.)
            user.role_constraints.beginTime - HHMM - first hour the role may be
                activated in the user's session.
            user.role_constraints.<end time> - HHMM - last hour the role may be
                activated in the user's session. (The attribute name was
                missing from the original note; presumably endTime - confirm.)
            user.role_constraints.<day mask> - 1234567, 1 = Sunday, 2 = Monday,
                etc. - days of the week the role may be activated. (Attribute
                name missing from the original note - confirm.)
        user.props - multi-occurring name:value pairs
        user.pw_policy - slapd pwpolicy
        Standard iNetOrgPerson attributes (RFC 2798,
        https://tools.ietf.org/html/rfc2798): user.ou, user.cn, user.sn,
        user.dn, user.description, user.display_name, user.employee_type,
        user.title, user.phones, user.mobiles, user.emails,
        user.department_number, user.l, user.physical_delivery_office_name,
        user.postal_code, user.room_number

    NOTE(review): no temporal value is range- or format-checked in this
    function; any validation beyond ``utils.validate_user`` must happen in the
    DAO or the directory schema - confirm.
    """
    utils.validate_user(user)
    created = userdao.create(user)
    return created
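def update_user(user):
    """Update an existing User entity in the directory.

    The entry must exist prior to this call. The accepted attributes mirror
    ``add_user``:

    Required parameters:
        user.uid - maps to INetOrgPerson uid

    Optional parameters:
        Temporal constraints, associated with the ftUserAttrs aux object class:
            user.role_constraints.beginDate - YYYYMMDD - earliest date the role
                may be activated.
            user.role_constraints.endDate - latest date the role may be
                activated. (The original note gives YYMMDD while the begin
                fields use YYYYMMDD - confirm the format the DAO expects.)
            user.role_constraints.beginLockDate - YYYYMMDD - start of enforced
                inactive status.
            user.role_constraints.endLockDate - end of enforced inactive
                status. (Same YYMMDD/YYYYMMDD caveat as endDate.)
            user.role_constraints.beginTime - HHMM - first hour the role may be
                activated in the user's session.
            user.role_constraints.<end time> - HHMM - last hour the role may be
                activated in the user's session. (Attribute name missing from
                the original note; presumably endTime - confirm.)
            user.role_constraints.<day mask> - 1234567, 1 = Sunday, 2 = Monday,
                etc. - days of the week the role may be activated. (Attribute
                name missing from the original note - confirm.)
        user.props - multi-occurring name:value pairs
        user.pw_policy - slapd pwpolicy
        Standard iNetOrgPerson attributes (RFC 2798,
        https://tools.ietf.org/html/rfc2798): user.ou, user.cn, user.sn,
        user.dn, user.description, user.display_name, user.employee_type,
        user.title, user.phones, user.mobiles, user.emails,
        user.department_number, user.l, user.physical_delivery_office_name,
        user.postal_code, user.room_number

    NOTE(review): the original body called ``userdao.create(user)`` - the very
    same call ``add_user`` makes - which contradicts this docstring and would
    attempt to add, rather than modify, an entry that already exists. It now
    calls ``userdao.update``; the DAO is not visible from this module, so
    confirm that is its update entry point.
    """
    utils.validate_user(user)
    return userdao.update(user)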