Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:45:06 UTC

[47/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/CfgException.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/CfgException.java b/src/main/java/org/apache/directory/fortress/core/CfgException.java
new file mode 100755
index 0000000..3f45dc3
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/CfgException.java
@@ -0,0 +1,53 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+
+/**
+ * This exception extends {@link SecurityException} and is thrown when Fortress cannot find correct cfg for a particular entity.
+ * See the {@link GlobalErrIds} javadoc for list of error ids.
+ *
+ * @author Shawn McKinney
+ */
+public class CfgException extends SecurityException
+{
+
+    /**
+     * Create an exception with an error code that maps to {@link GlobalErrIds} and message text.
+     * @param  errorId see {@link GlobalErrIds} for list of valid error codes that can be set.  Valid values between 0 & 100_000.
+     * @param msg contains textual information including method of origin and description of the root cause.
+     */
+    public CfgException(int errorId, String msg)
+    {
+        super(errorId, msg);
+    }
+
+    /**
+     * Create exception with error id, message and related exception.
+     * @param  errorId see {@link GlobalErrIds} for list of valid error codes that can be set.  Valid values between 0 & 100_000.
+     * @param msg contains textual information including method of origin and description of the root cause.
+     * @param previousException contains reference to related exception which usually is system related, i.e. ldap.
+     */
+    public CfgException(int errorId, String msg, Exception previousException)
+    {
+        super(errorId, msg, previousException);
+    }
+}
+
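Review bot: The javadoc on both constructors (L47, L57) states that `errorId` is valid "between 0 & 100_000", but nothing in this file checks the range; the calls simply forward to `super(errorId, msg)` and `super(errorId, msg, previousException)`, and `SecurityException`'s constructors are outside the hunk, so whether the range is enforced anywhere cannot be confirmed from here. Either the base class validates and the subclass javadoc should say so, or the wording should be softened to `@param errorId error code taken from {@link GlobalErrIds}; not validated here.` so readers do not assume a guard that may not exist. The same sentence appears in CreateException.java (L183, L193) in this commit and would want the same treatment.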

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/CfgRuntimeException.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/CfgRuntimeException.java b/src/main/java/org/apache/directory/fortress/core/CfgRuntimeException.java
new file mode 100755
index 0000000..117d413
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/CfgRuntimeException.java
@@ -0,0 +1,66 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+/**
+ * This exception extends {@link BaseRuntimeException} and is thrown when Fortress config startup failed.
+ * This is critical runtime exception and means system is inoperable due to a cfg error.
+ * See the {@link GlobalErrIds} javadoc for list of error ids.
+ *
+ * @author Shawn McKinney
+ */
+public class CfgRuntimeException extends BaseRuntimeException
+{
+    private int subsystem;
+    private Exception exception;
+    private Object moreInfo;
+
+    /**
+     * Create exception with error id, message and related exception.
+     * @param errorId contains error code that is contained within {@link GlobalErrIds}
+     * @param newMsgText contains text related to the exception.
+     * @param newException contains related exception.
+     */
+    public CfgRuntimeException(int errorId, String newMsgText, Exception newException)
+    {
+        super(errorId, newMsgText, newException);
+        this.exception = newException;
+    }
+
+    /**
+     * Create exception with error id and message.
+     * @param errorId contains error code that is contained within {@link GlobalErrIds}
+     * @param newMsgText contains text related to the exception.
+     */
+    public CfgRuntimeException(int errorId, String newMsgText)
+    {
+        super(errorId, newMsgText);
+    }
+
+    /**
+     * Get the exception object.
+     *
+     * @return reference to Exception.
+     */
+    public Exception getException()
+    {
+        return exception;
+    }
+}
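Review bot: The private fields `subsystem` (L106) and `moreInfo` (L108) are declared but never assigned or read anywhere in this file, which is the complete class, so they are dead state and should be removed. The `exception` field (L107) is only set by the three-argument constructor (L119), so `getException()` (L137-L140) returns null for instances built via the two-argument constructor at L127 even though the same cause is already passed to `super` at L118; if `BaseRuntimeException` chains it as the standard cause (its body is outside the hunk, so this is an inference), the field can go too and the accessor can become `return (Exception) getCause();` or simply document that it mirrors `getCause()`. At minimum the accessor javadoc should say `@return the exception passed to the three-argument constructor, or null when none was supplied.`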

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/CreateException.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/CreateException.java b/src/main/java/org/apache/directory/fortress/core/CreateException.java
new file mode 100755
index 0000000..3a8cadf
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/CreateException.java
@@ -0,0 +1,52 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+
+/**
+ * This exception extends {@link SecurityException} and is thrown when DAO cannot create entity.
+ * See the {@link GlobalErrIds} javadoc for list of error ids.
+ *
+ * @author Shawn McKinney
+ */
+public class CreateException extends SecurityException
+{
+    /**
+     * Create an exception with an error code that maps to {@link GlobalErrIds} and message text.
+     * @param  errorId see {@link GlobalErrIds} for list of valid error codes that can be set.  Valid values between 0 & 100_000.
+     * @param msg contains textual information including method of origin and description of the root cause.
+     */
+    public CreateException(int errorId, String msg)
+    {
+        super(errorId, msg);
+    }
+
+    /**
+     * Create exception with error id, message and related exception.
+     * @param  errorId see {@link GlobalErrIds} for list of valid error codes that can be set.  Valid values between 0 & 100_000.
+     * @param msg contains textual information including method of origin and description of the root cause.
+     * @param previousException contains reference to related exception which usually is system related, i.e. ldap.
+     */
+    public CreateException(int errorId, String msg, Exception previousException)
+    {
+        super(errorId, msg, previousException);
+    }
+}
+

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java b/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
new file mode 100755
index 0000000..66910ba
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
@@ -0,0 +1,192 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.rbac.UserAdminRole;
+import org.apache.directory.fortress.core.rbac.Permission;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+
+import java.util.List;
+import java.util.Set;
+
+
+/**
+ * This interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress ARBAC entities
+ * that reside in LDAP directory.
+ * These APIs map directly to similar named APIs specified by ARBAC02 functions.  The ARBAC Functional specification describes delegated administrative
+ * operations for the creation and maintenance of ARBAC element sets and relations.  Delegated administrative review functions for performing administrative queries
+ * and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
+ * <h3>Administrative Role Based Access Control (ARBAC)</h3>
+ * <img src="./doc-files/ARbac.png">
+ * <p/>
+ * Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration.  ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group.
+ * Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
+ * <p/>
+ * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)} or {@link Manageable#setAdmin(org.apache.directory.fortress.core.rbac.Session)}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public interface DelAccessMgr extends Manageable
+{
+    /**
+     * This function will determine if the user contains an AdminRole that is authorized assignment control over
+     * User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-assign URA.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgr#createSession(org.apache.directory.fortress.core.rbac.User, boolean)} before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException
+     *          In the event of data validation error (i.e. invalid userId or role name) or system error.
+     */
+    public boolean canAssign(Session session, User user, Role role)
+        throws SecurityException;
+
+    /**
+     * This function will determine if the user contains an AdminRole that is authorized revoke control over
+     * User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-revoke URA.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException
+     *          In the event of data validation error (i.e. invalid userId or role name) or system error.
+     */
+    public boolean canDeassign(Session session, User user, Role role)
+        throws SecurityException;
+
+    /**
+     * This function will determine if the user contains an AdminRole that is authorized assignment control over
+     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-assign-p PRA.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException
+     *          In the event of data validation error (i.e. invalid perm or role name) or system error.
+     */
+    public boolean canGrant(Session session, Role role, Permission perm)
+        throws SecurityException;
+
+    /**
+     * This function will determine if the user contains an AdminRole that is authorized revoke control over
+     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
+     */
+    public boolean canRevoke(Session session, Role role, Permission perm)
+        throws SecurityException;
+
+    /**
+     * This function returns a Boolean value meaning whether the subject of a given session is
+     * allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     *
+     * @param perm    object contains obj attribute which is a String and contains the name of the object user is trying to access;
+     *                perm object contains operation attribute which is also a String and contains the operation name for the object.
+     * @param session This object must be instantiated by calling {@link AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @return True of user has access, false otherwise.
+     * @throws SecurityException
+     *          is thrown if runtime error occurs with system.
+     */
+    public boolean checkAccess(Session session, Permission perm)
+        throws SecurityException;
+
+
+    /**
+     * This function adds an adminRole as an active role of a session whose owner is a given user.
+     * <p>
+     * The function is valid if and only if:
+     * <ul>
+     * <li> the user is a member of the USERS data set
+     * <li> the role is a member of the ADMIN ROLES data set
+     * <li> the session is a valid Fortress session
+     * <li> the user is authorized to that admin role
+     * <li> the session is owned by that user.
+     * </ul>
+     * </p>
+     *
+     * @param session object contains the user's returned RBAC and ARBAC sessions from the createSession method.
+     * @param role    object contains the adminRole name to be activated into session.
+     * @throws SecurityException
+     *          is thrown if user is not allowed to activate or runtime error occurs with system.
+     */
+    public void addActiveRole(Session session, UserAdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This function deactivates adminRole from the active adminRole set of a session owned by a given user.
+     * The function is valid if and only if the user is a member of the USERS data set, the
+     * session object contains a valid Fortress session, the session is owned by the user,
+     * and the adminRole is an active adminRole of that session.
+     *
+     * @param session object contains the user's returned RBAC and ARBAC sessions from the createSession method.
+     * @param role    object contains the adminRole name to be deactivated.
+     * @throws SecurityException is thrown if user is not allowed to deactivate or runtime error occurs with system.
+     */
+    public void dropActiveRole(Session session, UserAdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This function returns the active admin roles associated with a session. The function is valid if
+     * and only if the session is a valid Fortress session.
+     *
+     * @param session object contains the user's returned ARBAC session from the createSession method.
+     * @return List<UserAdminRole> containing all adminRoles active in user's session.  This will NOT contain inherited roles.
+     * @throws SecurityException
+     *          is thrown if session invalid or system. error.
+     */
+    public List<UserAdminRole> sessionAdminRoles(Session session)
+        throws SecurityException;
+
+
+    /**
+     * This function returns the authorized admin roles associated with a session based on hierarchical relationships. The function is valid if
+     * and only if the session is a valid Fortress session.
+     *
+     * @param session object contains the user's returned ARBAC session from the createSession method.
+     * @return Set<String> containing all adminRoles authorized in user's session.  This will contain inherited roles.
+     * @throws SecurityException is thrown if session invalid or system. error.
+     */
+    public Set<String> authorizedAdminRoles(Session session)
+        throws SecurityException;
+
+    /**
+     * This function returns the ARBAC (administrative) permissions of the session, i.e., the permissions assigned
+     * to its authorized admin roles. The function is valid if and only if the session is a valid Fortress session.
+     *
+     * @param session object contains the user's returned ARBAC session from the createSession method.
+     * @return List<Permission> containing admin permissions (op, obj) active for user's session.
+     * @throws SecurityException in the event runtime error occurs with system.
+     */
+    public List<Permission> sessionPermissions(Session session)
+        throws SecurityException;
+}
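Review bot: The javadoc for `canDeassign`, `canGrant` and `canRevoke` (L279, L292, L305) has the second `@param` tag fused onto the end of the `session` line (`...returned from createSession.     * @param user ...`), so javadoc will treat the `user`/`perm` description as part of the `session` description and report the real parameter as undocumented; each should be split back onto its own `* @param` line, and for `canGrant`/`canRevoke` listed in signature order (`role` before `perm`). The `@return` tags at L374, L387 and L398 use bare `<` and `>` (`List<UserAdminRole>`, `Set<String>`, `List<Permission>`), which is invalid HTML in javadoc and renders as broken markup; wrap them as `{@code List<UserAdminRole>}` etc. The `public` modifier on every interface method is redundant and can be dropped, though this is only style.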

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelAccessMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelAccessMgrFactory.java b/src/main/java/org/apache/directory/fortress/core/DelAccessMgrFactory.java
new file mode 100755
index 0000000..e355a67
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelAccessMgrFactory.java
@@ -0,0 +1,114 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.rbac.ClassUtil;
+import org.apache.directory.fortress.core.rbac.DelAccessMgrImpl;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rest.DelAccessMgrRestImpl;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+/**
+ * Creates an instance of the DelAccessMgr object.
+ * <p/>
+ * The default implementation class is specified as {@link DelAccessMgrImpl} but can be overridden by
+ * adding the {@link GlobalIds#DELEGATED_ACCESS_IMPLEMENTATION} config property.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public class DelAccessMgrFactory
+{
+    private static String accessClassName = Config.getProperty(GlobalIds.DELEGATED_ACCESS_IMPLEMENTATION);
+    private static final String CLS_NM = DelAccessMgrFactory.class.getName();
+
+    /**
+     * Create and return a reference to {@link DelAccessMgr} object using HOME context.
+     *
+     * @return instance of {@link DelAccessMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAccessMgr createInstance()
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME );
+    }
+
+
+    /**
+     * Create and return a reference to {@link DelAccessMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return instance of {@link DelAccessMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAccessMgr createInstance(String contextId)
+        throws SecurityException
+    {
+        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
+        if (!VUtil.isNotNullOrEmpty(accessClassName))
+        {
+            if(GlobalIds.IS_REST)
+            {
+                accessClassName = DelAccessMgrRestImpl.class.getName();
+            }
+            else
+            {
+                accessClassName = DelAccessMgrImpl.class.getName();
+            }
+        }
+
+        DelAccessMgr accessMgr = (DelAccessMgr) ClassUtil.createInstance(accessClassName);
+        accessMgr.setContextId(contextId);
+        return accessMgr;
+    }
+
+
+    /**
+     * Create and return a reference to {@link DelAccessMgr} object using HOME context.
+     *
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelAccessMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAccessMgr createInstance(Session adminSess)
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME, adminSess );
+    }
+
+
+    /**
+     * Create and return a reference to {@link DelAccessMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelAccessMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAccessMgr createInstance(String contextId, Session adminSess)
+        throws SecurityException
+    {
+        DelAccessMgr accessMgr = createInstance(contextId);
+        accessMgr.setAdmin(adminSess);
+        return accessMgr;
+    }
+}
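Review bot: The cast at L491, `(DelAccessMgr) ClassUtil.createInstance(accessClassName)`, means a configured class that loads but does not implement `DelAccessMgr` surfaces as an unchecked `ClassCastException`, while the method's javadoc (L473) promises a `SecurityException` on instantiation failure; an `instanceof` check that throws a `SecurityException` with the appropriate `GlobalErrIds` code would keep the documented contract (what `ClassUtil.createInstance` itself throws is outside the hunk). Because the implementation class comes straight from the `GlobalIds.DELEGATED_ACCESS_IMPLEMENTATION` property (L452), whoever can edit that configuration controls which class performs delegated access-control checks; that is a deliberate extension point, but it deserves a class-level comment such as `// The implementation class is read from configuration; the config source must be trusted as much as the code it selects.` The static `accessClassName` is also written lazily at L483/L487 without synchronization; the assignment is idempotent so the race is benign, but a `// benign race: both branches assign the same constant` comment would save the next reader from wondering.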

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelAdminMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelAdminMgr.java b/src/main/java/org/apache/directory/fortress/core/DelAdminMgr.java
new file mode 100755
index 0000000..c236479
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelAdminMgr.java
@@ -0,0 +1,697 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.rbac.AdminRole;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+import org.apache.directory.fortress.core.rbac.UserAdminRole;
+import org.apache.directory.fortress.core.rbac.PermObj;
+import org.apache.directory.fortress.core.rbac.Permission;
+import org.apache.directory.fortress.core.rbac.User;
+
+/**
+ * This class prescribes the ARBAC02 DelAdminMgr interface for performing policy administration of Fortress ARBAC entities
+ * that reside in LDAP directory.
+ * These APIs map directly to similar named APIs specified by ARBAC02 functions.  The ARBAC Functional specification describes delegated administrative
+ * operations for the creation and maintenance of ARBAC element sets and relations.  Delegated administrative review functions for performing administrative queries
+ * and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
+ * <p/>
+ * <h3>Administrative Role Based Access Control (ARBAC)</h3>
+ * <img src="./doc-files/ARbac.png">
+ * <p/>
+ * Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration.  ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group.
+ * Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
+ * <p/>
+ * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)} or {@link Manageable#setAdmin(org.apache.directory.fortress.core.rbac.Session)}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public interface DelAdminMgr extends Manageable
+{
+    /**
+     * This command creates a new admin role. The command is valid if and only if the new admin role is not
+     * already a member of the ADMIN ROLES data set. The ADMIN ROLES data set is updated.
+     * Initially, no user or permission is assigned to the new role.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains the name of the new AdminRole being targeted for addition to LDAP</li>
+     * </ul>
+     * <p/>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#description} - contains any safe text</li>
+     * <li>{@link AdminRole#osPs} * - multi-occurring attribute used to set associations to existing PERMS OrgUnits</li>
+     * <li>{@link AdminRole#osUs} * - multi-occurring attribute used to set associations to existing USERS OrgUnits</li>
+     * <li>{@link AdminRole#beginRange} - contains the name of an existing RBAC Role that represents the lowest role in hierarchy that administrator (whoever has this AdminRole activated) controls</li>
+     * <li>{@link AdminRole#endRange} - contains the name of an existing RBAC Role that represents that highest role in hierarchy that administrator may control</li>
+     * <li>{@link AdminRole#beginInclusive} - if 'true' the RBAC Role specified in beginRange is also controlled by the posessor of this AdminRole</li>
+     * <li>{@link AdminRole#endInclusive} - if 'true' the RBAC Role specified in endRange is also controlled by the administratrator</li>
+     * <li>{@link AdminRole#beginTime} - HHMM - determines begin hour adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#endTime} - HHMM - determines end hour adminRole may be activated into user's ARBAC session.</li>
+     * <li>{@link AdminRole#beginDate} - YYYYMMDD - determines date when adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#endDate} - YYYYMMDD - indicates latest date adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#beginLockDate} - YYYYMMDD - determines beginning of enforced inactive status</li>
+     * <li>{@link AdminRole#endLockDate} - YYYYMMDD - determines end of enforced inactive status</li>
+     * <li>{@link AdminRole#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session</li>
+     * </ul>
+     *
+     * @param role Contains role name and description.
+     * @return AdminRole contains reference to entity added.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public AdminRole addRole(AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This command deletes an existing admin role from the ARBAC database. The command is valid
+     * if and only if the role to be deleted is a member of the ADMIN ROLES data set.  This command will
+     * also deassign role from all users.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains the name of the new AdminRole being targeted for removal</li>
+     * </ul>
+     * <p/>
+     *
+     * @param role Contains role name.
+     * @throws SecurityException
+     *          Thrown in the event of data validation or system error.
+     */
+    public void deleteRole(AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * Method will update an AdminRole entity in the directory.  The role must exist in directory prior to this call.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains the name of the new AdminRole being targeted for updating</li>
+     * </ul>
+     * <p/>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#description} - contains any safe text</li>
+     * <li>{@link AdminRole#osPs} * - multi-occurring attribute used to set associations to existing PERMS OrgUnits</li>
+     * <li>{@link AdminRole#osUs} * - multi-occurring attribute used to set associations to existing USERS OrgUnits</li>
+     * <li>{@link AdminRole#beginRange} - contains the name of an existing RBAC Role that represents the lowest role in hierarchy that administrator (whoever has this AdminRole activated) controls</li>
+     * <li>{@link AdminRole#endRange} - contains the name of an existing RBAC Role that represents that highest role in hierarchy that administrator may control</li>
+     * <li>{@link AdminRole#beginInclusive} - if 'true' the RBAC Role specified in beginRange is also controlled by the posessor of this AdminRole</li>
+     * <li>{@link AdminRole#endInclusive} - if 'true' the RBAC Role specified in endRange is also controlled by the administratrator</li>
+     * <li>{@link AdminRole#beginTime} - HHMM - determines begin hour adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#endTime} - HHMM - determines end hour adminRole may be activated into user's ARBAC session.</li>
+     * <li>{@link AdminRole#beginDate} - YYYYMMDD - determines date when adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#endDate} - YYYYMMDD - indicates latest date adminRole may be activated into user's ARBAC session</li>
+     * <li>{@link AdminRole#beginLockDate} - YYYYMMDD - determines beginning of enforced inactive status</li>
+     * <li>{@link AdminRole#endLockDate} - YYYYMMDD - determines end of enforced inactive status</li>
+     * <li>{@link AdminRole#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session</li>
+     * </ul>
+     *
+     * @param role Contains role name and new description.
+     * @return AdminRole contains reference to entity operated on.
+     * @throws SecurityException
+     *          Thrown in the event of data validation or system error.
+     */
+    public AdminRole updateRole(AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This command assigns a user to an admin role.
+     * Successful completion of this op, the following occurs:
+     * </p>
+     * <ul>
+     * <li> User entity (resides in people container) has role assignment added to aux object class attached to actual user record.
+     * <li> AdminRole entity (resides in admin role container) has userId added as role occupant.
+     * <li> (optional) Temporal constraints may be associated with <code>ftUserAttrs</code> aux object class based on:
+     * <ul>
+     * <li> timeout - number in seconds of session inactivity time allowed.
+     * <li> beginDate - YYYYMMDD - determines date when role may be activated.
+     * <li> endDate - YYMMDD - indicates latest date role may be activated.
+     * <li> beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
+     * <li> endLockDate - YYMMDD - determines end of enforced inactive status.
+     * <li> beginTime - HHMM - determines begin hour role may be activated in user's session.
+     * <li> endTime - HHMM - determines end hour role may be activated in user's session.*
+     * <li> dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
+     * </ul>
+     * </ul>
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link UserAdminRole#name} - contains the name for already existing AdminRole to be assigned</li>
+     * <li>{@link UserAdminRole#userId} - contains the userId for existing User</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link UserAdminRole#beginTime} - HHMM - determines begin hour AdminRole may be activated into user's RBAC session</li>
+     * <li>{@link UserAdminRole#endTime} - HHMM - determines end hour AdminRole may be activated into user's RBAC session.</li>
+     * <li>{@link UserAdminRole#beginDate} - YYYYMMDD - determines date when AdminRole may be activated into user's RBAC session</li>
+     * <li>{@link UserAdminRole#endDate} - YYYYMMDD - indicates latest date AdminRole may be activated into user's RBAC session</li>
+     * <li>{@link UserAdminRole#beginLockDate} - YYYYMMDD - determines beginning of enforced inactive status</li>
+     * <li>{@link UserAdminRole#endLockDate} - YYYYMMDD - determines end of enforced inactive status</li>
+     * <li>{@link UserAdminRole#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's ARBAC session</li>
+     * </ul>
+     *
+     * @param uAdminRole entity contains {@link org.apache.directory.fortress.core.rbac.User#userId} and {@link org.apache.directory.fortress.core.rbac.AdminRole#name} and optional {@code Constraints}..
+     * @throws SecurityException
+     *          in the event data error in user or role objects or system error.
+     */
+    public void assignUser(UserAdminRole uAdminRole)
+        throws SecurityException;
+
+
+    /**
+     * This method removes assigned admin role from user entity.  Both user and admin role entities must exist and have role relationship
+     * before calling this method.
+     * Successful completion:
+     * del Role to User assignment in User data set
+     * AND
+     * User to Role assignment in Admin Role data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole#name} - contains the name for already existing AdminRole to be deassigned</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.UserAdminRole#userId} - contains the userId for existing User</li>
+     * </ul>
+     *
+     * @param uAdminRole entity contains {@link org.apache.directory.fortress.core.rbac.User#userId} and {@link org.apache.directory.fortress.core.rbac.AdminRole#name}.
+     * @throws SecurityException - in the event data error in user or role objects or system error.
+     */
+    public void deassignUser(UserAdminRole uAdminRole)
+        throws SecurityException;
+
+    /**
+     * Commands adds a new OrgUnit entity to OrgUnit dataset.  The OrgUnit can be either User or Perm and is
+     * set by setting type attribute.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of new USERS or PERMS OrgUnit to be added</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OU:  {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#description} - contains any safe text</li>
+     * </ul>
+     *
+     * @param entity contains OrgUnit name and type.
+     * @return OrgUnit contains reference to entity added.
+     * @throws SecurityException
+     *          in the event of data validation or system error.
+     */
+    public OrgUnit add(OrgUnit entity)
+        throws SecurityException;
+
+    /**
+     * Commands updates existing OrgUnit entity to OrgUnit dataset.  The OrgUnit can be either User or Perm and is
+     * set by setting type attribute.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of new USERS or PERMS OrgUnit to be updated</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OU:  {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#description} - contains any safe text</li>
+     * </ul>
+     *
+     * @param entity contains OrgUnit name and type.
+     * @return OrgUnit contains reference to entity operated on.
+     * @throws SecurityException
+     *          in the event of data validation or system error.
+     */
+    public OrgUnit update(OrgUnit entity)
+        throws SecurityException;
+
+    /**
+     * Commands deletes existing OrgUnit entity to OrgUnit dataset.  The OrgUnit can be either User or Perm and is
+     * set by setting type attribute.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of new USERS or PERMS OrgUnit to be removed</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OU:  {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * </ul>
+     *
+     * @param entity contains OrgUnit name and type.
+     * @return OrgUnit contains reference to entity operated on.
+     * @throws SecurityException
+     *          in the event of data validation or system error.
+     */
+    public OrgUnit delete(OrgUnit entity)
+        throws SecurityException;
+
+
+    /**
+     * This command creates a new orgunit child, and inserts it in the orgunit hierarchy as an immediate descendant of
+     * the existing orgunit parent.
+     * <p>
+     * The command is valid if and only if:
+     * <ul>
+     * <li> The child orgunit is not a member of the ORGUNITS data set.
+     * <li> The parent orgunit is a member of the ORGUNITS data set.
+     * </ul>
+     * </p>
+     * <p> This method:
+     * <ul>
+     * <li> Adds new orgunit.
+     * <li> Assigns orgunit relationship between new child and pre-existing parent.
+     * </ul>
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to be parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OrgUnit targeted: {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of new OrgUnit to be child</li>
+     * </ul>
+     * <h4>optional parameters child</h4>
+     * <ul>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.OrgUnit#description} - maps to description attribute on organizationalUnit object class for new child</li>
+     * </ul>
+     *
+     * @param parent This entity must be present in ORGUNIT data set.  Success will add rel with child.
+     * @param child  This entity must not be present in ORGUNIT data set.  Success will add the new entity to ORGUNIT data set.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void addDescendant(OrgUnit parent, OrgUnit child)
+        throws SecurityException;
+
+
+    /**
+     * This command creates a new orgunit parent, and inserts it in the orgunit hierarchy as an immediate ascendant of
+     * the existing child orgunit.
+     * <p>
+     * The command is valid if and only if:
+     * <ul>
+     * <li> The parent is not a member of the ORGUNITS data set.
+     * <li> The child is a member of the ORGUNITS data set.
+     * </ul>
+     * </p>
+     * <p> This method:
+     * <ul>
+     * <li> Adds new orgunit.
+     * <li> Assigns orgunit relationship between new parent and pre-existing child.
+     * </ul>
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>child - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to be parent</li>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OrgUnit targeted: {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of new OrgUnit to be child</li>
+     * </ul>
+     * <h4>optional parameters child</h4>
+     * <ul>
+     * <li>parent - {@link OrgUnit#description} - maps to description attribute on organizationalUnit object class for new child</li>
+     * </ul>
+     *
+     * @param parent completion of op assigns new child relationship with child orgunit.
+     * @param child  completion of op assigns new parent relationship with parent orgunit.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void addAscendant(OrgUnit child, OrgUnit parent)
+        throws SecurityException;
+
+
+    /**
+     * This command establishes a new immediate inheritance relationship with parent orgunit <<-- child orgunit
+     * <p/>
+     * The command is valid if and only if:
+     * <ul>
+     * <li> The parent and child are members of the ORGUNITS data set.
+     * <li> The parent is not an immediate ascendant of child.
+     * <li> The child does not properly inherit parent (in order to avoid cycle creation).
+     * </ul>
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to be parent</li>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OrgUnit targeted: {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * <li>child - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to be child</li>
+     * </ul>
+     *
+     * @param parent completion of op deassigns child relationship with child orgunit.
+     * @param child  completion of op deassigns parent relationship with parent orgunit.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void addInheritance(OrgUnit parent, OrgUnit child)
+        throws SecurityException;
+
+
+    /**
+     * This command deletes an existing immediate inheritance relationship parent <<-- child.
+     * <p/>
+     * The command is valid if and only if:
+     * <ul>
+     * <li> The orgunits parent and child are members of the ORGUNITS data set.
+     * <li> The parent is an immediate ascendant of child.
+     * <li> The new inheritance relation is computed as the reflexive-transitive closure of the immediate inheritance
+     * relation resulted after deleting the relationship parent <<-- child.
+     * </ul>
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to remove as parent</li>
+     * <li>parent - {@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OrgUnit targeted: {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * <li>child - {@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name of existing OrgUnit to remove as child</li>
+     * </ul>
+     *
+     * @param parent completion of op removes child relationship with childRole.
+     * @param child  completion of op removes parent relationship with parentRole.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void deleteInheritance(OrgUnit parent, OrgUnit child)
+        throws SecurityException;
+
+
+    /**
+     * This command creates a new role childRole, and inserts it in the role hierarchy as an immediate descendant of
+     * the existing role parentRole. The command is valid if and only if childRole is not a member of the ADMINROLES data set,
+     * and parentRole is a member of the ADMINROLES data set.
+     * <p/>
+     * This method:
+     * 1 - Adds new role.
+     * 2 - Assigns role relationship between new childRole and pre-existing parentRole.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing Role to be parent</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of new Role to be child</li>
+     * </ul>
+     * <h4>optional parameters childRole</h4>
+     * <ul>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#description} - maps to description attribute on organizationalRole object class for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginTime} - HHMM - determines begin hour role may be activated into user's session for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endTime} - HHMM - determines end hour role may be activated into user's session for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginDate} - YYYYMMDD - determines date when role may be activated into user's session for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endDate} - YYYYMMDD - indicates latest date role may be activated into user's session for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginLockDate} - YYYYMMDD - determines beginning of enforced inactive status for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endLockDate} - YYYYMMDD - determines end of enforced inactive status for new child</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's session for new child</li>
+     * </ul>
+     *
+     * @param parentRole This entity must be present in ADMINROLES data set.  Success will add role rel with childRole.
+     * @param childRole  This entity must not be present in ADMINROLES data set.  Success will add the new role entity to ADMINROLES data set.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void addDescendant(AdminRole parentRole, AdminRole childRole)
+        throws SecurityException;
+
+    /**
+     * This command creates a new role parentRole, and inserts it in the role hierarchy as an immediate ascendant of
+     * the existing role childRole. The command is valid if and only if parentRole is not a member of the ADMINROLES data set,
+     * and childRole is a member of the ADMINROLES data set.
+     * This method:
+     * 1 - Adds new role.
+     * 2 - Assigns role relationship between new parentRole and pre-existing childRole.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing Role to be child</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of new Role to be added as parent</li>
+     * </ul>
+     * <h4>optional parameters parentRole</h4>
+     * <ul>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#description} - maps to description attribute on organizationalRole object class for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginTime} - HHMM - determines begin hour role may be activated into user's session for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endTime} - HHMM - determines end hour role may be activated into user's session for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginDate} - YYYYMMDD - determines date when role may be activated into user's session for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endDate} - YYYYMMDD - indicates latest date role may be activated into user's session for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#beginLockDate} - YYYYMMDD - determines beginning of enforced inactive status for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#endLockDate} - YYYYMMDD - determines end of enforced inactive status for new parent</li>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#dayMask} - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day role may be activated into user's session for new parent</li>
+     * </ul>
+     *
+     * @param parentRole completion of op assigns new child relationship with childRole.
+     * @param childRole  completion of op assigns new parent relationship with parentRole.
+     * @throws SecurityException thrown in the event of data validation or system error.
+     */
+    public void addAscendant(AdminRole childRole, AdminRole parentRole)
+        throws SecurityException;
+
+    /**
+     * This command establishes a new immediate inheritance relationship parentRole <<-- childRole between existing
+     * roles parentRole, childRole. The command is valid if and only if parentRole and childRole are members of the ADMINROLES data
+     * set, parentRole is not an immediate ascendant of childRole, and childRole does not properly inherit parentRole (in order to
+     * avoid cycle creation).
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing AdminRole to be parent</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing AdminRole to be child</li>
+     * </ul>
+     *
+     * @param parentRole completion of op deassigns child relationship with childRole.
+     * @param childRole  completion of op deassigns parent relationship with parentRole.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void addInheritance(AdminRole parentRole, AdminRole childRole)
+        throws SecurityException;
+
+    /**
+     * This command deletes an existing immediate inheritance relationship parentRole <<-- childRole. The command is
+     * valid if and only if the roles parentRole and childRole are members of the ADMINROLES data set, and parentRole is an
+     * immediate ascendant of childRole. The new inheritance relation is computed as the reflexive-transitive
+     * closure of the immediate inheritance relation resulted after deleting the relationship parentRole <<-- childRole.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>parentRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing AdminRole to remove as parent</li>
+     * <li>childRole - {@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the name of existing AdminRole to remove as child</li>
+     * </ul>
+     *
+     * @param parentRole completion of op removes child relationship with childRole.
+     * @param childRole  completion of op removes parent relationship with parentRole.
+     * @throws SecurityException
+     *          thrown in the event of data validation or system error.
+     */
+    public void deleteInheritance(AdminRole parentRole, AdminRole childRole)
+        throws SecurityException;
+
+
+    /**
+     * This method will add an administrative permission operation to an existing permission object which resides under {@code ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com} container in directory information tree.
+     * The perm operation entity may have {@link org.apache.directory.fortress.core.rbac.AdminRole} or {@link org.apache.directory.fortress.core.rbac.User} associations.  The target {@link org.apache.directory.fortress.core.rbac.Permission} must not exist prior to calling.
+     * A Fortress Permission instance exists in a hierarchical, one-many relationship between its parent and itself as stored in ldap tree: ({@link org.apache.directory.fortress.core.rbac.PermObj}*->{@link org.apache.directory.fortress.core.rbac.Permission}).
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the name of existing object being targeted for the permission add</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the name of new permission operation being added</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link Permission#roles} * - multi occurring attribute contains RBAC Roles that permission operation is being granted to</li>
+     * <li>{@link Permission#users} * - multi occurring attribute contains Users that permission operation is being granted to</li>
+     * <li>{@link Permission#props} * - multi-occurring property key and values are separated with a ':'.  e.g. mykey1:myvalue1</li>
+     * <li>{@link Permission#type} - any safe text</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link Permission#opName}, that identifies target along with optional other attributes..
+     * @return copy of Permission entity.
+     * @throws SecurityException - thrown in the event of perm object data or system error.
+     */
+    public Permission addPermission(Permission perm)
+        throws SecurityException;
+
+
+    /**
+     * This method will update administrative permission operation pre-existing in target directory under {@code ou=AdminPerms,ou=ARBAC,dc=yourHostName,dc=com} container in directory information tree.
+     * The perm operation entity may also contain {@link org.apache.directory.fortress.core.rbac.AdminRole} or {@link org.apache.directory.fortress.core.rbac.User} associations to add or remove using this function.
+     * The perm operation must exist before making this call.  Only non-null attributes will be updated.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the name of existing object being targeted for the permission update</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the name of existing permission operation being updated</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#roles} * - multi occurring attribute contains RBAC Roles that permission operation is being granted to</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#users} * - multi occurring attribute contains Users that permission operation is being granted to</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#props} * - multi-occurring property key and values are separated with a ':'.  e.g. mykey1:myvalue1</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#type} - any safe text</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, that identifies target and any optional data to update.  Null or empty attributes will be ignored.
+     * @return copy of Permission entity.
+     * @throws SecurityException
+     *          - thrown in the event of perm object data or system error.
+     */
+    public Permission updatePermission(Permission perm)
+        throws SecurityException;
+
+
+    /**
+     * This method will remove administrative permission operation entity from permission object. A Fortress permission is (object->operation).
+     * The perm operation must exist before making this call.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the name of existing object being targeted for the permission delete</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the name of existing permission operation being removed</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, that identifies target.
+     * @throws SecurityException
+     *          - thrown in the event of perm object data or system error.
+     */
+    public void deletePermission(Permission perm)
+        throws SecurityException;
+
+
+    /**
+     * This method will add administrative permission object to admin perms container in directory. The perm object must not exist before making this call.
+     * A {@link org.apache.directory.fortress.core.rbac.PermObj} instance exists in a hierarchical, one-many relationship between itself and children as stored in ldap tree: ({@link org.apache.directory.fortress.core.rbac.PermObj}*->{@link org.apache.directory.fortress.core.rbac.Permission}).
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#objName} - contains the name of new object being added</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#ou} - contains the name of an existing PERMS OrgUnit this object is associated with</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#description} - any safe text</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#type} - contains any safe text</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#props} * - multi-occurring property key and values are separated with a ':'.  e.g. mykey1:myvalue1</li>
+     * </ul>
+     *
+     * @param pObj must contain the {@link org.apache.directory.fortress.core.rbac.PermObj#objName} and {@link org.apache.directory.fortress.core.rbac.PermObj#ou}.  The other attributes are optional.
+     * @return copy of PermObj entity.
+     * @throws SecurityException - thrown in the event of perm object data or system error.
+     */
+    public PermObj addPermObj(PermObj pObj)
+        throws SecurityException;
+
+
+    /**
+     * This method will update administrative permission object in perms container in directory.  The perm object must exist before making this call.
+     * A {@link org.apache.directory.fortress.core.rbac.PermObj} instance exists in a hierarchical, one-many relationship between itself and children as stored in ldap tree: ({@link org.apache.directory.fortress.core.rbac.PermObj}*->{@link org.apache.directory.fortress.core.rbac.Permission}).
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#objName} - contains the name of existing object being updated</li>
+     * </ul>
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#ou} - contains the name of an existing PERMS OrgUnit this object is associated with</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#description} - any safe text</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#type} - contains any safe text</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#props} * - multi-occurring property key and values are separated with a ':'.  e.g. mykey1:myvalue1</li>
+     * </ul>
+     *
+     * @param pObj must contain the {@link org.apache.directory.fortress.core.rbac.PermObj#objName}. Only non-null attributes will be updated.
+     * @return copy of newly updated PermObj entity.
+     * @throws SecurityException
+     *          - thrown in the event of perm object data or system error.
+     */
+    public PermObj updatePermObj(PermObj pObj)
+        throws SecurityException;
+
+
+    /**
+     * This method will remove administrative permission object from perms container in directory.  This method will also remove
+     * in associated permission objects that are attached to this object.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#objName} - contains the name of existing object targeted for removal</li>
+     * </ul>
+     *
+     * @param pObj must contain the {@link org.apache.directory.fortress.core.rbac.PermObj#objName} of object targeted for removal.
+     * @throws SecurityException - thrown in the event of perm object data or system error.
+     */
+    public void deletePermObj(PermObj pObj)
+        throws SecurityException;
+
+
+    /**
+     * This command grants an AdminRole the administrative permission to perform an operation on an object to a role.
+     * The command is implemented by granting administrative permission by setting the access control list of
+     * the object involved.
+     * The command is valid if and only if the pair (operation, object) represents a permission,
+     * and the adminRole is a member of the ADMIN_ROLES data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the object name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the operation name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the adminRole name</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, that identifies target.
+     * @param role must contains {@link org.apache.directory.fortress.core.rbac.AdminRole#name}.
+     * @throws SecurityException
+     *          Thrown in the event of data validation or system error.
+     */
+    public void grantPermission(Permission perm, AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This command revokes the administrative permission to perform an operation on an object from the set
+     * of permissions assigned to an AdminRole. The command is implemented by setting the access control
+     * list of the object involved.
+     * The command is valid if and only if the pair (operation, object) represents a permission,
+     * the role is a member of the ADMIN_ROLES data set, and the permission is assigned to that AdminRole.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the object name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the operation name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole#name} - contains the adminRole name</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, that identifies target.
+     * @param role must contains {@link org.apache.directory.fortress.core.rbac.AdminRole#name}.
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    public void revokePermission(Permission perm, AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * This command grants a user the administrative permission to perform an operation on an object to a user.
+     * The command is implemented by granting administrative permission by setting the access control list of
+     * the object involved.
+     * The command is valid if and only if the pair (operation, object) represents an administrative permission,
+     * and the user is a member of the USERS data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the object name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the operation name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.User#userId} - contains the userId</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, that identifies target.
+     * @param user must contain {@link org.apache.directory.fortress.core.rbac.User#userId} of target User entity.
+     * @throws SecurityException
+     *          Thrown in the event of data validation or system error.
+     */
+    public void grantPermission(Permission perm, User user)
+        throws SecurityException;
+
+
+    /**
+     * This command revokes the administrative permission to perform an operation on an object from the set
+     * of permissions assigned to a user. The command is implemented by setting the access control
+     * list of the object involved.
+     * The command is valid if and only if the pair (operation, object) represents an administrative permission,
+     * the user is a member of the USERS data set, and the permission is assigned to that user.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the object name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the operation name</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.User#userId} - contains the userId</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, that identifies target.
+     * @param user must contain {@link org.apache.directory.fortress.core.rbac.User#userId} of target User entity.
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    public void revokePermission(Permission perm, User user)
+        throws SecurityException;
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelAdminMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelAdminMgrFactory.java b/src/main/java/org/apache/directory/fortress/core/DelAdminMgrFactory.java
new file mode 100755
index 0000000..649cc47
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelAdminMgrFactory.java
@@ -0,0 +1,112 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.rbac.ClassUtil;
+import org.apache.directory.fortress.core.rbac.DelAdminMgrImpl;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rest.DelAdminMgrRestImpl;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+/**
+ * Creates an instance of the DelAdminMgr object.
+ * <p/>
+ * The default implementation class is specified as {@link DelAdminMgrImpl} but can be overridden by
+ * adding the {@link GlobalIds#DELEGATED_ADMIN_IMPLEMENTATION} config property.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public class DelAdminMgrFactory
+{
+    private static String dAdminClassName = Config.getProperty(GlobalIds.DELEGATED_ADMIN_IMPLEMENTATION);
+    private static final String CLS_NM = DelAdminMgrFactory.class.getName();
+
+    /**
+     * Create and return a reference to {@link DelAdminMgr} object using HOME context.
+     *
+     * @return instance of {@link DelAdminMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAdminMgr createInstance()
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME );
+    }
+
+    /**
+     * Create and return a reference to {@link DelAdminMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return instance of {@link DelAdminMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAdminMgr createInstance(String contextId)
+        throws SecurityException
+    {
+        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
+        if (!VUtil.isNotNullOrEmpty(dAdminClassName))
+        {
+            if(GlobalIds.IS_REST)
+            {
+                dAdminClassName = DelAdminMgrRestImpl.class.getName();
+            }
+            else
+            {
+                dAdminClassName = DelAdminMgrImpl.class.getName();
+            }
+        }
+
+        DelAdminMgr delAdminMgr = (DelAdminMgr) ClassUtil.createInstance(dAdminClassName);
+        delAdminMgr.setContextId(contextId);
+        return delAdminMgr;
+    }
+
+    /**
+     * Create and return a reference to {@link DelAdminMgr} object using HOME context.
+     *
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelAdminMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAdminMgr createInstance(Session adminSess)
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME, adminSess );
+    }
+
+    /**
+     * Create and return a reference to {@link DelAdminMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelAdminMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelAdminMgr createInstance(String contextId, Session adminSess)
+        throws SecurityException
+    {
+        DelAdminMgr delAdminMgr = createInstance(contextId);
+        delAdminMgr.setAdmin(adminSess);
+        return delAdminMgr;
+    }
+}
+
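Review bot: `dAdminClassName` is a mutable `private static String` that `createInstance(String)` overwrites on first use with no synchronization, so two threads making the first call race on that write; the value written is the same on both paths, so the race is benign, but the class then carries non-final static state whose value depends on call order rather than on configuration alone, and nothing stops other code in the class from assigning it later. Resolving the fallback once in a static initializer and keeping the field `private static final` removes both the race and the mutable state; the only visible difference is that `GlobalIds.IS_REST` is read at class-initialization time instead of on the first call, which should be harmless if it is a constant (I cannot confirm that from this hunk). Because the resolved name is handed to `ClassUtil.createInstance` reflectively and cast to `DelAdminMgr`, a one-line comment on the field noting that the `DELEGATED_ADMIN_IMPLEMENTATION` property is trusted deployment configuration would help the next reader. `DelReviewMgrFactory.java` below has the identical pattern with `dReviewClassName` and the same fix applies there.
```java
    private static final String CLS_NM = DelAdminMgrFactory.class.getName();
    // Resolved once at class init; the property names the class instantiated reflectively
    // below, so it is trusted deployment configuration, not user input.
    private static final String D_ADMIN_CLASS_NAME = resolveClassName();

    private static String resolveClassName()
    {
        String configured = Config.getProperty( GlobalIds.DELEGATED_ADMIN_IMPLEMENTATION );
        if ( VUtil.isNotNullOrEmpty( configured ) )
        {
            return configured;
        }
        return GlobalIds.IS_REST ? DelAdminMgrRestImpl.class.getName() : DelAdminMgrImpl.class.getName();
    }

    // … unchanged: createInstance() …

    public static DelAdminMgr createInstance(String contextId)
        throws SecurityException
    {
        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
        DelAdminMgr delAdminMgr = (DelAdminMgr) ClassUtil.createInstance(D_ADMIN_CLASS_NAME);
        delAdminMgr.setContextId(contextId);
        return delAdminMgr;
    }

    // … unchanged: createInstance(Session), createInstance(String, Session) …
```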

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelReviewMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelReviewMgr.java b/src/main/java/org/apache/directory/fortress/core/DelReviewMgr.java
new file mode 100755
index 0000000..153917f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelReviewMgr.java
@@ -0,0 +1,146 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.rbac.AdminRole;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+import org.apache.directory.fortress.core.rbac.UserAdminRole;
+import org.apache.directory.fortress.core.rbac.User;
+
+import java.util.List;
+
+/**
+ * This class prescribes the ARBAC02 DelReviewMgr interface for performing policy interrogation of provisioned Fortress ARBAC entities
+ * that reside in LDAP directory.
+ * These APIs map directly to similar named APIs specified by ARBAC02 functions.  The ARBAC Functional specification describes delegated administrative
+ * operations for the creation and maintenance of ARBAC element sets and relations.  Delegated administrative review functions for performing administrative queries
+ * and system functions for creating and managing ARBAC attributes on user sessions and making delegated administrative access control decisions.
+ * <h3>Administrative Role Based Access Control (ARBAC)</h3>
+ * <img src="./doc-files/ARbac.png">
+ * <p/>
+ * Fortress fully supports the Oh/Sandhu/Zhang ARBAC02 model for delegated administration.  ARBAC provides large enterprises the capability to delegate administrative authority to users that reside outside of the security admin group.
+ * Decentralizing administration helps because it provides security provisioning capability to work groups without sacrificing regulations for accountability or traceability.
+ * <p/>
+ * This interface's implementer will NOT be thread safe if parent instance variables ({@link Manageable#setContextId(String)} or {@link Manageable#setAdmin(org.apache.directory.fortress.core.rbac.Session)}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public interface DelReviewMgr extends Manageable
+{
+    /**
+     * Method reads Admin Role entity from the admin role container in directory.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains the name of the AdminRole being targeted for read</li>
+     * </ul>
+     *
+     * @param role contains role name to be read.
+     * @return AdminRole entity that corresponds with role name.
+     * @throws SecurityException
+     *          will be thrown if role not found or system error occurs.
+     */
+    public AdminRole readRole(AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * Method will return a list of type Admin Role.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains all or some chars in the name of AdminRole(s) targeted for search</li>
+     * </ul>
+     *
+     * @param searchVal contains the all or some of the chars corresponding to admin role entities stored in directory.
+     * @return List of type AdminRole containing role entities that match the search criteria.
+     * @throws SecurityException
+     *          in the event of system error.
+     */
+    public List<AdminRole> findRoles(String searchVal)
+        throws SecurityException;
+
+
+    /**
+     * This function returns the set of admin roles assigned to a given user. The function is valid if and
+     * only if the user is a member of the USERS data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
+     * </ul>
+     *
+     * @param user contains userId matching user entity stored in the directory.
+     * @return List of type UserAdminRole containing the user admin role data.
+     * @throws SecurityException
+     *          If user not found or system error occurs.
+     */
+    public List<UserAdminRole> assignedRoles(User user)
+        throws SecurityException;
+
+    /**
+     * This method returns the data set of all users who are assigned the given admin role.  This searches the User data set for
+     * AdminRole relationship.  This method does NOT search for hierarchical Admin Roles relationships.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link AdminRole#name} - contains the name of AdminRole targeted for search</li>
+     * </ul>
+     *
+     * @param role contains the role name used to search the User data set.
+     * @return List of type User containing the users assigned data.
+     * @throws SecurityException
+     *          If system error occurs.
+     */
+    public List<User> assignedUsers(AdminRole role)
+        throws SecurityException;
+
+
+    /**
+     * Commands reads existing OrgUnit entity from OrgUnit dataset.  The OrgUnit can be either User or Perm and is
+     * set by setting type attribute.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains the name associated with the OrgUnit object targeted for search.</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OU:  {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * </ul>
+     *
+     * @param entity contains OrgUnit name and type.
+     * @return OrgUnit entity that corresponds with ou name and type.
+     * @throws SecurityException in the event of data validation or system error.
+     */
+    public OrgUnit read(OrgUnit entity)
+        throws SecurityException;
+
+    /**
+     * Commands searches existing OrgUnit entities from OrgUnit dataset.  The OrgUnit can be either User or Perm and is
+     * set by setting type parameter on API.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#type} - contains the type of OU:  {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} or {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM}</li>
+     * <li>searchVal - contains some or all of the chars associated with the OrgUnit objects targeted for search.</li>
+     * </ul>
+     *
+     * @param type      either PERM or USER
+     * @param searchVal contains the leading chars that map to {@link OrgUnit#name} on existing OrgUnit(s) targeted for search.
+     * @return List of type OrgUnit containing the OrgUnit data.
+     * @throws SecurityException
+     *
+     */
+    public List<OrgUnit> search(OrgUnit.Type type, String searchVal)
+        throws SecurityException;
+}
+
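Review bot: The `@throws SecurityException` tag on `search(OrgUnit.Type, String)` has an empty description, unlike every other method in this interface; write `@throws SecurityException in the event of data validation or system error.` so the failure cases read consistently with `read(OrgUnit)` directly above it. The same method's `@param searchVal` says "leading chars" while the required-parameters list above it says "some or all of the chars"; the two should agree, since a caller building an admin-review query needs to know whether the match is prefix or substring, and the interface alone does not say which is implemented. None of the `List`-returning methods (`findRoles`, `assignedRoles`, `assignedUsers`, `search`) state whether a query with no matches returns an empty list or throws; one sentence in each `@return` settling that would spare every implementer and caller a defensive null check.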

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/DelReviewMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/DelReviewMgrFactory.java b/src/main/java/org/apache/directory/fortress/core/DelReviewMgrFactory.java
new file mode 100755
index 0000000..b751a90
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/DelReviewMgrFactory.java
@@ -0,0 +1,112 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core;
+
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.rbac.ClassUtil;
+import org.apache.directory.fortress.core.rbac.DelReviewMgrImpl;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rest.DelReviewMgrRestImpl;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+/**
+ * Creates an instance of the DelReviewMgr object.
+ * <p/>
+ * The default implementation class is specified as {@link DelReviewMgrImpl} but can be overridden by
+ * adding the {@link GlobalIds#DELEGATED_REVIEW_IMPLEMENTATION} config property.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public class DelReviewMgrFactory
+{
+    private static String dReviewClassName = Config.getProperty(GlobalIds.DELEGATED_REVIEW_IMPLEMENTATION);
+    private static final String CLS_NM = DelReviewMgrFactory.class.getName();
+
+    /**
+     * Create and return a reference to {@link DelReviewMgr} object using HOME context.
+     *
+     * @return instance of {@link DelReviewMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelReviewMgr createInstance()
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME );
+    }
+
+    /**
+     * Create and return a reference to {@link DelReviewMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return instance of {@link DelReviewMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelReviewMgr createInstance(String contextId)
+        throws SecurityException
+    {
+        VUtil.assertNotNull(contextId, GlobalErrIds.CONTEXT_NULL, CLS_NM + ".createInstance");
+        if (!VUtil.isNotNullOrEmpty(dReviewClassName))
+        {
+            if(GlobalIds.IS_REST)
+            {
+                dReviewClassName = DelReviewMgrRestImpl.class.getName();
+            }
+            else
+            {
+                dReviewClassName = DelReviewMgrImpl.class.getName();
+            }
+        }
+
+        DelReviewMgr delReviewMgr = (DelReviewMgr) ClassUtil.createInstance(dReviewClassName);
+        delReviewMgr.setContextId(contextId);
+        return delReviewMgr;
+    }
+
+    /**
+     * Create and return a reference to {@link DelReviewMgr} object using HOME context.
+     *
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelReviewMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelReviewMgr createInstance(Session adminSess)
+        throws SecurityException
+    {
+        return createInstance( GlobalIds.HOME, adminSess );
+    }
+
+    /**
+     * Create and return a reference to {@link DelReviewMgr} object.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @param adminSess contains a valid Fortress A/RBAC Session object.
+     * @return instance of {@link DelReviewMgr}.
+     * @throws SecurityException in the event of failure during instantiation.
+     */
+    public static DelReviewMgr createInstance(String contextId, Session adminSess)
+        throws SecurityException
+    {
+        DelReviewMgr delReviewMgr = createInstance(contextId);
+        delReviewMgr.setAdmin(adminSess);
+        return delReviewMgr;
+    }
+}
+