Release 9.0.1.1.0
Part Number A90093-02
 Contents |
 Index |
| Oracle Internet File System Developer Reference Release 9.0.1.1.0 Part Number A90093-02 |
|
This chapter discusses how to secure information in Oracle 9iFS. It covers the following topics:
A fundamental requirement for any content management application is to secure how information is accessed. Oracle 9iFS provides a robust set of interfaces that give you fine-grained control over how information is secured in your application, and that allow you to define broader levels of security that make it easier for end users to manage access to information.
Security in Oracle 9iFS is managed at two levels:
When a user tries to access information stored in an Oracle 9iFS, Oracle 9iFS first determines if that user has access to the repository. Oracle 9iFS maintains a directory of all users who can access the repository. Before allowing a user to access the repository, Oracle 9iFS authenticates the user's credentials. Once authenticated, the user can browse, search, and manipulate information in the repository, within the constraints of the object-level security defined on the information.
Oracle 9iFS also controls how each user can work in the repository. Oracle 9iFS maintains a profile of the user's preferences, such as the user's distinguished name, home folder, content quota and default ACLs. You can extend profiles to include other preferences that are specific to your application.
Oracle 9iFS makes it easier to manage users' access to information by allowing you to define and create user groups. Groups organize sets of users who have something in common. Groups can include other groups, allowing you to create inclusive hierarchies of users. You can extend Oracle 9iFS to define a custom type of group that possesses attributes and behaviors pertinent to groups of that type. Once you've defined and created user groups, you can assign access permissions and content quotas to several users at once by assigning them to a group.
Oracle 9iFS allows you to control how users can access each object in the repository. You can control access to objects in three ways:
Access permissions on PublicObjects are managed with AccessControlLists (ACLs). Whenever a user tries to access a PublicObject, Oracle 9iFS first checks the associated AccessControlList to verify that the user has been granted the appropriate permissions.
An AccessControlList is a list of users and groups who have been granted or revoked access permissions to the PublicObject. Each time a user or group is granted or revoked access permissions, an entry is added to the AccessControlList. Oracle 9iFS resolves a user's effective access to a PublicObject by aggregating the AccessControlEntries in the order that they were created in the AccessControlList. Each AccessControlList is defined independently in Oracle 9iFS and applied to one or more PublicObjects, allowing you to centrally manage common security levels for PublicObjects.
Any user can create an AccessControlList. When an AccessControlList is created, the user can determine who else can apply the AccessControlList to PublicObjects and manage the AccessControlList entries. In this way, users can create personal AccessControlLists that they use to manage access to their information, or share AccessControlLists to manage access to information that they collaborate on with other users. Administrators can also create a special type of AccessControlList, a SystemAccessControlList, to define system-wide security levels that can be applied by any Oracle 9iFS user to information in the repository.
While AccessControlLists can be used to grant and revoke standard permissions defined by Oracle 9iFS, including Discover, GetContent, SetAttribute, SetContent, and Delete, Oracle 9iFS allows you to define custom permissions. You can define extended permissions to manage access to custom application behavior. You can also define broader levels of access by grouping permissions to make it easier for users manage security on PublicObjects.
As discussed in Chapter 5, "Extending Content Types and Attributes", every content type is defined by a ClassObject. You can control which users and groups can create and search for instances of a content type by defining a ClassAccessControlList for the ClassObject.
Users are implicitly granted full access to information in the repository by virtue of being an owner of an object or a system administrator. When a user is designated as the owner of an object in Oracle 9iFS, the user is granted all access permissions to that object. When a user is designated as an administrator, the user is granted all access permissions to all information in the repository. The access permissions are granted implicitly by Oracle 9iFS in that they are not applied by the object's AccessControlList, but supersede it.
This section describes how Oracle 9iFS uses directories to access to the repository. It covers the following topics:
Oracle 9iFS maintains a directory of all users who can access the repository. The directory stores information about the user, such as the user's distinguished name, whether the user is an administrator, how the user is authenticated, and how the user prefers to work in the repository. In addition, the Oracle 9iFS directory manages groups that can be used to organize users hierarchically, classify users, and assign access privileges held in common by several users.
Before allowing a user to access the repository, Oracle 9iFS authenticates the user's credentials. First, the user is identified in the directory by a distinguished name. Second, the user's password is verified against a credential manager. Each user account is associated with a credential manager that is used to authenticate the user's password. This release of Oracle 9iFS provides a built-in credential manager that is used to authenticate all users. Future releases of Oracle 9iFS will support external credential managers.
Each user account in Oracle 9iFS is associated with one or more profiles that store the user's preferences for working with the repository. Oracle 9iFS defines a set of standard preferences that are stored in a primary user profile. The standard preferences include the user's home folder (i.e., the user's personal work area), content quota (i.e., the amount of storage space allocated for the user), and default ACLs (i.e., the AccessControlLists that will be applied by default to objects the user creates).
Oracle 9iFS allows you to store custom preferences for users by creating extended user profiles. For example, you might store preferences that personalize the user's view of the repository in a custom Web application.
Oracle 9iFS allows you to organize users hierarchically into groups. Groups represent sets of users who have something in common. For example, you can create groups for the various roles that users may have (e.g. Manager, Developer, Writer). You can also create groups to represent different companies divisions or projects (e.g., Marketing, Sales, Development). Groups can include other groups, allowing you to create inclusive hierarchies of users. For example, the Oracle group could contain the Server Technologies group, which could contain Oracle 9iFS, Oracle Text, and Oracle interMedia groups.
Groups make it easier to enforce security on information for a set of users. You can grant groups access permissions on objects in the repository. For example, you can grant all managers read access to documents in the repository by creating an AccessControList that designates the Manager group as the Grantee of an AccessControlEntry. This allows you to quickly define the access permissions for all users in that group once, instead of on a user by user basis. As users are added to and removed from the group, the access permissions will be dynamically granted to the current members of the group.
Oracle 9iFS allows you to define custom group types that possess extra attributes and behavior. For example, you could create an Organization group type that possesses the attributes VicePresident and MissionStatement. You can define the group types hierarchically so that group types inherit attributes and behaviors. For example, you might create a group type, Company, with the attributes Address and MainPhoneNumber, and then a subgroup type, Partner, that inherits these attributes and adds the attribute ContractNumber.
Oracle 9iFS provides a set of classes for managing users and groups. The classes DirectoryUser and DirectoryGroup, which descend from PublicObject, serve as the primary interfaces for representing users and groups who work with information in Oracle 9iFS. These classes are supported by a few SystemObject classes that are used to represent each user's preferences for working in the repository, and how users are related to groups. Figure 15-1 illustrates the structure of directory information in Oracle 9iFS.
Every Oracle 9iFS user is represented by an instance of the DirectoryUser class. DirectoryUser possesses attributes and methods for managing the user, including assigning the user administrative privileges, uniquely naming the user, and specifying the credential manager that is used to authenticate the user.s
Table 15-1 lists the most commonly used attributes and methods on DirectoryUser.
Every DirectoryUser possess a profile of preferences for how the user works with the repository, such as the user's home folder and content quota. Oracle 9iFS uses three classes to manage user preferences:
Table 15-2 lists the most commonly used attributes and methods on PrimaryUserProfile.
Table 15-3 lists the most commonly used attributes and methods on ExtendedUserProfile.
Table 15-4 lists the most commonly used attributes and methods on ContentQuota.
Groups are represented in Oracle 9iFS by two content types, DirectoryGroup and GroupMemberRelationship. DirectoryGroup descends from PublicObject and, therefore, acts as the primary interface for managing group membership. GroupMemberRelationship, which descends from SystemObject, represents the relationship between a user and a group. An instance of GroupMemberRelationship is created to represent each user's or group's membership.
You can extend DirectoryGroup to classify groups and to add extra attributes and behaviors that are special for those types of groups. For example, you can create a Organization group that extends DirectoryGroup to include the attributes VicePresident and MissionStatement. You can also extend GroupMemberRelationship to manage extra metadata about each user's membership in the Organization group, like TeamRole.
Table 15-5 lists the most commonly used attributes and methods on DirectoryGroup.
Table 15-6 lists the most commonly used attributes and methods on GroupMemberRelationship.
|
|
The LeftObject attribute references the DirectoryGroup. |
|
getRightObject() |
The RightObject attribute references a user or group who belongs to the DirectoryGroup. |
Oracle 9iFS provides three methods for creating, modifying and deleting DirectoryUsers with PrimaryUserProfiles:
You can use XML files to create and modify DirectoryUsers and PrimaryUserProfiles. When the XML file is imported into Oracle 9iFS, the IfsSimpleXmlParser automatically uses it to create or modify a DirectoryUser instance. The IfsSimpleXmlParser supports a special XML schema, SimpleUser, that makes it easy to create DirectoryUsers. Rather than creating an XML file that includes two elements whose schemas correspond to the DirectoryUser and PrimaryUserProfile classes, the SimpleUser schema allows you to specify DirectoryUser attributes and PrimaryUserProfile attributes in the same element. However to update DirectoryUsers and PrimaryUserProfiles with XML, the schema of the XML file must correspond to the DirectoryUser class or PrimaryUserProfile class according to the syntax rules outlined in Chapter 10, "XML and the Oracle Internet File System".
Example 15-1 and Example 15-2 illustrate how to create and modify DirectoryUsers and PrimaryUserProfiles with XML.
You can use the Oracle 9iFS Java API to programmatically create, modify, and delete DirectoryUsers and PrimaryUserProfiles. The oracle.ifs.adk.user package in the Oracle 9iFS Java API includes a special helper class, UserManager, that provides an easy way to create and delete a DirectoryUser along with a PrimaryUserProfile. Once created, you can modify the DirectoryUser and PrimaryUserProfiles by working directly with the methods defined on their classes.
Example 15-4, Example 15-5, and Example 15-6 illustrate how to create, modify and delete DirectoryUsers and PrimaryUserProfiles with the Java API.
Oracle 9iFS clients provides a graphical user interface for creating DirectoryUsers and PrimaryUserProfiles.
<?xml version = '1.0' standalone = 'yes'?> <SIMPLEUSER> <USERNAME>gking</USERNAME> <PASSWORD>ifs</PASSWORD> <DISTINGUISHEDNAMESUFFIX>.ambiguity.com</DISTINGUISHEDNAMESUFFIX> <ADMINENABLED>true</ADMINENABLED> <HOMEFOLDERROOT>/home</HOMEFOLDERROOT> <EMAILADDRESSSUFFIX>@ambiguity.com</EMAILADDRESSSUFFIX> </SIMPLEUSER>
<?xml version = '1.0' standalone = 'yes'?> <DIRECTORYUSER> <UPDATE RefType = "Name">gking</UPDATE> <DISTINGUISHEDNAME>gking.clarity.com</DISTINGUISHEDNAME> </DIRECTORYUSER>
<?xml version = '1.0' standalone = 'yes'?> <PRIMARYUSERPROFILE> <UPDATE RefType = "Name">gking Primary Profile</UPDATE> <HOMEFOLDER RefType = "Path">/home/system</HOMEFOLDER> </PRIMARYUSERPROFILE>
session.setAdministrationMode(true);
// Creating an user using all the default options; UserManager usermanager = new UserManager(session);
Hashtable userOptions = new Hashtable(); userOptions.put(UserManager.ADMIN_ENABLED, new Boolean(true)); userOptions.put(UserManager.EMAIL_ADDRESS, "gking@oracle.com");
DirectoryUser dUser = usermanager.createUser("gkings", "ifs", userOptions);
Collection duColl = session.getDirectoryUserCollection(); DirectoryUser dUser = (DirectoryUser) duColl.getItems("gking");
session.setAdministrationMode(true);
PrimaryUserProfile pup = dUser.getPrimaryUserProfile(); Collection aclColl = session.getSystemAccessControlListCollection(); AccessControlList defaultAcl = (AccessControlList) aclColl.getItems("PUBLIC"); pup.putDefaultAcl("DOCUMENT", defaultAcl); pup.putDefaultAcl("FOLDER", defaultAcl);
session.setAdministrationMode(true);
Collection duColl = session.getDirectoryUserCollection(); DirectoryUser dUser = (DirectoryUser) duColl.getItems("gking");
String distinguishedName = dUser.getDistinguishedName();
UserManager manager = new UserManager(session);
Hashtable options = new Hashtable();
options.put(UserManager.DISTINGUISHED_NAME, AttributeValue.newAttributeValue(distinguishedName));
options.put(UserManager.FREE_HOME_FOLDER, AttributeValue.newAttributeValue(true));
options.put(UserManager.FREE_CREDENTIAL_MANAGER_USER, AttributeValue.newAttributeValue(true));
options.put(UserManager.CHANGE_OWNER, AttributeValue.newAttributeValue(true)); options.put(UserManager.NEW_OWNER_USER_NAME, AttributeValue.newAttributeValue("system"));
manager.deleteUser(distinguishedName, options);
Defining ExtendedUserProfile classes entails the same steps required for defining any custom class. You create a set of SchemaObject instances to represent the ExtendedUserProfile class. You can modify and delete the ExtendedUserProfile by editing or deleting its SchemaObjects. These development tasks can be done with the Java API, XML files, or the Oracle 9iFS Manager.
Example 15-7 illustrates how to create and modify ExtendedUserProfile classes with XML. It is not possible to delete classes with XML.
Example 15-8 and Example 15-12 illustrate how to define, modify, and delete ExtendedUserProfile classes with Java.
To create a new ExtendedUserProfile class, you subclass the ExtendedUserProfile class provided out-of-the-box with Oracle 9iFS. Your extended class would possess attributes to hold the custom user preferences. For example, you could create a class, CatalogUserProfile, that extends ExtendedUserProfile and includes the extended attributes DefaultLayout and DefaultRole.
To define the ExtendedUserProfile class, follow these steps:
See Chapter 17, "Customizing Content Type Behavior" to learn how to create custom Java classes.
NOTE:
<?xml version="1.0" standalone="yes"?> <CLASSOBJECT> <NAME>CatalogUserProfile</NAME> <SUPERCLASS RefType = "Name">ExtendedUserProfile</SUPERCLASS> <DESCRIPTION>User preferences for the Product Catalog.</DESCRIPTION> <ATTRIBUTES> <ATTRIBUTE> <NAME>DefaultLayout</NAME> <DATATYPE>String</DATATYPE> </ATTRIBUTE> <ATTRIBUTE> <NAME>DefaultRole</NAME> <DATATYPE>String</DATATYPE> </ATTRIBUTE> </ATTRIBUTES> </CLASSOBJECT>
|
NOTE: For a description of each element in an XML file used to create ExtendedUserProfile classes, consult tChapter 5, "Extending Content Types and Attributes". |
session.setAdministrationMode(true);
ClassObjectDefinition codef = new ClassObjectDefinition(session); codef.setAttributeByUpperCaseName(ClassObject.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("CatalogUserProfile"));
ClassObject superClass = session.getClassObjectByName("EXTENDEDUSERPROFILE"); codef.setSuperclass(superClass);
AttributeDefinition attdef1 = new AttributeDefinition(session); attdef1.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("DefaultLayout")); attdef1.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_STRING)); codef.addAttributeDefinition(attdef1); AttributeDefinition attdef2 = new AttributeDefinition(session); attdef2.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("DefaultRole")); attdef2.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_STRING)); codef.addAttributeDefinition(attdef2);
ClassObject eupCo = (ClassObject) session.createSchemaObject(codef);
You can add, remove, and update attributes on an ExtendedUserProfile class after it has been created.
session.setAdministrationMode(true);
ClassObject co = session.getClassObjectByName("CATALOGUSERPROFILE");
AttributeDefinition attdef1 = new AttributeDefinition(session); attdef1.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("DefaultWorkArea")); attdef1.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue( Attribute.ATTRIBUTEDATATYPE_PUBLICOBJECT)); co.addAttribute(attdef1);
Attribute att2 = catco.getAttributeFromLabel("DEFAULTROLE"); co.removeAttribute(att2);
Attribute att3 = co.getAttributeFromLabel("DEFAULTWORKAREA"); Collection cdColl = session.getClassDomainCollection(); ClassDomain cd = (ClassDomain) cdColl.getItems("Folder..."); att3.setClassDomain(cd);
session.setAdministrationMode(true);
ClassObject co = session.getClassObjectByName("CATALOGUSERPROFILE");
co.free();
Once you've defined an ExtendedUserProfile class, you can apply the ExtendedUserProfiles to DirectoryUsers. To apply an ExtendedUserProfile, you create an instance of the ExtendedUserProfile class that references the DirectoryUser and holds the user's preferences in extended attributes. ExtendedUserProfile instances can also specify which application uses the profile in the Application attribute inherited from the ExtendedUserProfile class. ExtendedUserProfile instances can subsequently be modified and deleted in the same manner as any other object in Oracle 9iFS. These development tasks can be done with the Java API, XML files or the Oracle 9iFS Manager.
Example 15-11 illustrates how to create an ExtendedUserProfile instance with XML. It is not possible to delete instances with XML.
Example 15-12 and Example 15-13 illustrate how to create and delete an ExtendedUserProfile instance with Java.
<?xml version="1.0" standalone="yes"?> <CATALOGUSERPROFILE> <DIRECTORYUSER RefType = "Name">gking</DIRECTORYUSER> <APPLICATION>ProductCatalog</APPLICATION> <DEFAULTLAYOUT>TreeView</DEFAULTLAYOUT> <DEFAULTROLE>Consumer</DEFAULTROLE> </CATALOGUSERPROFILE>
Collection duColl = session.getDirectoryUserCollection(); DirectoryUser dUser = (DirectoryUser) duColl.getItems("gking");
UserProfileDefinition eupDef = new UserProfileDefinition(session);
ClassObject co = session.getClassObjectByName("CATALOGUSERPROFILE"); eupDef.setClassObject(co);
eupDef.setAttributeByUpperCaseName(ExtendedUserProfile.DIRECTORYUSER_ATTRIBUTE, AttributeValue.newAttributeValue(dUser)); eupDef.setAttributeByUpperCaseName(ExtendedUserProfile.APPLICATION_ATTRIBUTE, AttributeValue.newAttributeValue( "ProductCatalog")); eupDef.setAttributeByUpperCaseName("DEFAULTLAYOUT", AttributeValue.newAttributeValue("TreeView")); eupDef.setAttributeByUpperCaseName("DEFAULTROLE", AttributeValue.newAttributeValue("Consumer"));
ExtendedUserProfile eup = (ExtendedUserProfile) session.createPublicObject(eupDef);
Selector s = new Selector(session); s.setSearchClassname("CATALOGUSERPROFILE"); LibraryObject[] eups = s.getItems(); ExtendedUserProfile eup;
int i; int count = (eups == null) ? 0 : eups.length; for (i = 0; i < count; i++) { eup = (ExtendedUserProfile) eups[i]; eup.free(); }
Oracle 9iFS provides three methods for creating, modifying and deleting DirectoryGroups:
<?xml version = '1.0' standalone = 'yes'?> <DIRECTORYGROUP> <NAME>Managers</NAME> <MEMBERS> <REF reftype='name'>msmith</REF> <REF reftype='name'>rjones</REF> <REF reftype='name'>tturner</REF> </MEMBERS> </DIRECTORYGROUP>
<?xml version = '1.0' standalone = 'yes'?> <DIRECTORYGROUP> <UPDATE RefType = "Name">Managers</UPDATE> <MEMBERS> <REF RefType = 'Name'>csapo</REF> </MEMBERS> </DIRECTORYGROUP>
DirectoryGroupDefinition dgDef = new DirectoryGroupDefinition(session);
dgDef.setAttributeByUpperCaseName("NAME", AttributeValue.newAttributeValue( "Managers"));
DirectoryGroup dg = (DirectoryGroup) session.createPublicObject(dgDef);
DirectoryUser du; LibraryObject[] dus; Selector s = new Selector(session); s.setSearchClassname("DIRECTORYUSER"); s.setSearchSelection("NAME IN ('msmith', 'tturner', 'rjones')"); dus = s.getItems(); int icount = (dus == null) ? 0 : dus.length; for (i = 0; i < icount; i++) { du = (DirectoryUser) du[i];
dg.addMember(du); }
/* * The following example moves DirectoryUsers * from one group to another. */
DirectoryGroup dg1 = ... DirectoryGroup dg2 = ...
DirectoryObject[] dus = dg1.getDirectMembers();
dg2.addMembers(dus);
dg1.removeMembers(dus);
DirectoryGroup dg = ...
dg.free();
|
NOTE: Deleting a DirectoryGroup does not automatically delete the DirectoryUsers in that group. To learn how to delete DirectoryUsers, see "Creating, Modifying, and Deleting DirectoryUsers and PrimaryUserProfiles". |
Defining custom group classes entails the same steps required for defining any custom class. You can create custom group classes with the Java API, XML files, or the Oracle 9iFS Manager.
Example 15-19 illustrates how to create and modify ExtendedUserProfile classes with XML. It is not possible to delete classes with XML.
Example 15-20 and Example 15-21 illustrate how to define, modify, and delete ExtendedUserProfile classes with Java.
To create a custom group class, you subclass the DirectoryGroup class to add custom attributes and behaviors for that type of group. For example, you could create a class, Organization, that extends DirectoryGroup and includes the extended attributes VicePresident and MissionStatement.
To define the custom group class, follow these steps:
See Chapter 17, "Customizing Content Type Behavior" to learn how to create custom Java classes.
NOTE:
<?xml version="1.0" standalone="yes"?> <CLASSOBJECT> <NAME>Organization</NAME> <SUPERCLASS RefType = "Name">DirectoryGroup</SUPERCLASS> <DESCRIPTION>Custom group class to manage organizations.</DESCRIPTION> <ATTRIBUTES> <ATTRIBUTE> <NAME>VicePresident</NAME> <DATATYPE>DirectoryObject</DATATYPE> </ATTRIBUTE> <ATTRIBUTE> <NAME>MissionStatement</NAME> <DATATYPE>String</DATATYPE> </ATTRIBUTE> </ATTRIBUTES> </CLASSOBJECT>
|
NOTE: For a description of each element in an XML file used to create group classes, see Chapter 5, "Extending Content Types and Attributes". |
session.setAdministrationMode(true);
ClassObjectDefinition codef = new ClassObjectDefinition(session); codef.setAttributeByUpperCaseName(ClassObject.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Organization"));
ClassObject catco = session.getClassObjectByName("DIRECTORYGROUP"); codef.setSuperclass(catco);
AttributeDefinition attdef1 = new AttributeDefinition(session); attdef1.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("VicePresident")); attdef1.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_ DIRECTORYOBJECT)); codef.addAttributeDefinition(attdef1); AttributeDefinition attdef2 = new AttributeDefinition(session); attdef2.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("MissionStatement")); attdef2.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_STRING)); codef.addAttributeDefinition(attdef2);
ClassObject groupCo = (ClassObject) session.createSchemaObject(codef);
You can add, remove, and update attributes on a group class after it has been created.
session.setAdministrationMode(true);
ClassObject co = session.getClassObjectByName("ORGANIZATION");
AttributeDefinition attdef1 = new AttributeDefinition(session); attdef1.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("OrganizationWorkArea")); attdef1.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue( Attribute.ATTRIBUTEDATATYPE_PUBLICOBJECT)); co.addAttribute(attdef1);
Attribute att2 = co.getAttributeFromLabel("MISSIONSTATEMENT"); co.removeAttribute(att2);
Attribute att3 = co.getAttributeFromLabel("ORGANIZATIONWORKAREA"); Collection cdColl = session.getClassDomainCollection(); ClassDomain cd = (ClassDomain) cdColl.getItems("Folder..."); att3.setClassDomain(cd);
session.setAdministrationMode(true);
ClassObject groupCo = session.getClassObjectByName("ORGANIZATION");
groupCo.free();
Once you've defined a custom group class, you can create groups of that class and manage their membership. When creating and managing custom groups, you use many of the same XML tags and Java methods that you would to create DirectoryGroups. However when working with custom group instances, you must identify the class of the group.
Example 15-23 and Example 15-24 illustrate how to create and modify instances of a custom group class with XML. It is not possible to delete instances with XML.
Example 15-25, Example 15-26, and Example 15-27 illustrate how to create, modify and delete an custom group instances with Java.
<?xml version = '1.0' standalone = 'yes'?> <ORGANIZATION> <NAME>Development</NAME> <VICEPRESIDENT RefType = "Name">ztolls</VICEPRESIDENT> <MISSIONSTATEMENT>To develop the company products.</MISSIONSTATEMENT> <MEMBERS> <REF RefType ="Name">czacks</REF> <REF RefType = "Name">mwallen</REF> <REF RefType = "Name">ztolls</REF> </MEMBERS> </ORGANIZATION>
<?xml version = '1.0' standalone = 'yes'?> <ORGANIZATION> <UPDATE RefType = "Name">Development</UPDATE> <VICEPRESIDENT RefType = "Name">lrichards</VICEPRESIDENT> <MEMBERS> <REF RefType = "Name">lrichards</REF> </MEMBERS> </ORGANIZATION>
DirectoryGroupDefinition dgDef = new DirectoryGroupDefinition(session);
ClassObject co = session.getClassObjectByName("ORGANIZATION"); dgDef.setClassObject(co);
dgDef.setAttributeByUpperCaseName(DirectoryGroup.NAME_ATTRIBUTE, AttributeValue.newAttributeValue( "Managers")); Collection dus = session.getDirectoryUserCollection(); DirectoryUser du = (DirectoryUser) dus.getItems("tturner") dgDef.setAttributeByUpperCaseName("VICEPRESIDENT", AttributeValue.newAttributeValue(du)); dgDef.setAttributeByUpperCaseName("MISSIONSTATEMENT", AttributeValue.newAttributeValue( "To develop the company products."));
DirectoryGroup dg = (DirectoryGroup) session.createPublicObject(dgDef);
Collection groupDus = session.getDirectoryUserCollection(); int i; int icount = groupDus.getItemCount(); for (i = 0; i < icount; i++) { du = (DirectoryUser) groupDus.getItems(i);
dg.addMember(du); }
/* * The following example adds a DirectoryUser to a custom group. */
Selector s = new Selector(session); s.setSearchClassname("ORGANIZATION"); s.setSearchSelection("NAME = 'Development'");
DirectoryGroup dg = (DirectoryGroup) s.getItems(0);
DirectoryUser du = session.getDirectoryUser(); dg.addMembers(du);
/* * The following example deletes all instances of a custom group. */
Selector s = new Selector(session); s.setSearchClassname("ORGANIZATION"); LibraryObject[] dgs = s.getItems();
DirectoryGroup dg; int i; int icount = (dgs == null) ? 0 : dgs.length; for (i = 0; i < icount; i++) { dg = (DirectoryGroup) dgs[i];
dg.free(); }
|
NOTE: Deleting a custom group instances does not automatically delete the DirectoryUsers in that group. See "Creating, Modifying, and Deleting DirectoryUsers and PrimaryUserProfiles" to learn how to delete DirectoryUsers. |
When a user tries to access information in the repository, Oracle 9iFS first authenticates the user's credentials. Users are authenticated in the following steps:
Example 15-28 illustrates how an application can authenticate a user using a CleartextCredentials. Chapter 4, "Creating an Oracle Internet File System Document" discusses more fully other aspects of working with LibraryServices and LibrarySessions that are beyond the scope of this section.
NOTE:
//Connect to Oracle 9iFS. LibraryService service = LibraryService.startService("IfsDefault", "ifssys"); ConnectOptions cop = new ConnectOptions(); CleartextCredential cred = new CleartextCredential("system", "manager"); LibrarySession session = service.connect(cred, cop);
This section describes how Oracle 9iFS uses AccessControlLists to manage access to PublicObjects. It covers the following topics:
Access to every PublicObject is managed by an AccessControlList. An AccessControlList is a list of users and groups who have been granted or revoked access permissions to the PublicObject. Each time a user or group is granted or revoked access permissions, a new entry is created in the AccessControlList. The entry records the Grantee (i.e., the user or group), the AccessLevel (i.e., a set of permissions), and whether the permissions are being granted or revoked.
If the Grantee is a group, then the entry applies to all users belonging to that group or any of its subgroups. If multiple AccessControlEntries apply to a user, Oracle 9iFS resolves the user's effective access permissions by aggregating the entries in the order that they were created in the AccessControlList. For example, if a user was granted Discover and GetContent in the first entry, then granted SetAttribute and SetContent in a second, and then revoked SetContent in a third, Oracle 9iFS would resolved the effective access permissions to Discover, GetContent and SetAttribute.
AccessControlLists exist independently in the repository, and can be assigned to one or more PublicObjects. An AccessControlList is assigned to a PublicObject by referencing the AccessControlList in the PublicObject's ACL attribute.
Each AccessControlList possesses an attribute, Shared, that indicates if the AccessControlList is private to one PublicObject or shared between multiple PublicObjects. Sharing AccessControlLists makes it easy to control access to many PublicObjects that have similar security constraints. For example, you might create an AccessControlList to control access to all PublicObjects pertaining to a particular project. You can define who can read the project documents, who has been designated as a content contributor in the project, and who manages the folders in the project work area. Subsequently, you can share the AccessControlList across all project documents and folders. This allows you to maintain project security once in a single AccessControlList, instead of separately for each document and folder.
Administrators can create a special type of AccessControlList, a SystemAccessControlList, that defines access permissions that can be applied by any Oracle 9iFS user to information in the repository. Oracle 9iFS is installed with four SystemAccessControlLists: Private, Protected, Published, and Public.
Oracle 9iFS is installed pre-configured with a standard set of permissions that can be granted or revoked in an AccessControlList, including Discover, GetContent, SetAttribute, SetContent, Delete, and many others. Oracle 9iFS also allows you to define custom access permissions, that is ExtendedPermissions, and use them to control if users can perform tasks implemented by custom application code. For example, you can define an custom permission for the ability to digitally sign a document to support an application for managing legal contracts.
The permissions defined out-of-the-box with Oracle 9iFS give you fine grained control over how information is accessed. Oracle 9iFS also allows you to define broader permission levels by grouping access permissions into PermissionBundles. For example, you might group the Discover, Add Item, and Remove Item permissions together into a ModifyFolderPermissionBundle to more easily grant users the ability to modify folders.
Each AccessControlList is represented by an instance of the AccessControlList class. Each entry that grants or revokes access permissions to a user or group is represented by an instance of the AccessControlEntry class. Each AccessControlEntry possesses an attribute, ACL, that references the AccessControlList to which it belongs. The AccessControlEntry also possesses attributes for recording which permissions were granted or revoked to which user or group. An AccessControlEntry can reference an AccessLevel, one or more ExtendedPermissions, and PermissionBundles. AccessLevels represent a set of standard permissions defined by Oracle 9iFS. ExtendedPermissions represent custom permissions that you have defined. PermissionBundles represent higher levels of access comprised of a group of permissions.
Figure 15-2 illustrates the structure of an AccessControlList.
The AccessControlList class serves as the primary interface for granting and revoking permissions to users and groups in the list. Table 15-7 lists the most commonly used attributes and methods on AccessControlList.
The AccessControlEntry class possesses attributes and methods for defining each entry in the AccessControlList: the grantee, the permissions, and whether the permissions are being granted or revoked. The relationship between the AccessControlList and the AccessControlEntry is maintained by two attributes on the AccessControlEntry: ACL and SortSequence. The ACL attribute references the AccessControlList to which the AccessControlEntry belongs. The SortSequence attribute determines the AccessControlEntries relative position to other AccessControlEntries in the AccessControlList. The AccessControlEntries SortSequence is used to determine the precedence of the permissions that they grant or revoke.
Table 15-8 lists the most commonly used attributes and methods on AccessControlEntry.
Oracle 9iFS uses the AccessLevel class to represent a set of standard permissions that have been granted or revoked in an AccessControlEntry. The AccessLevel class possesses constants to represent each standard permission defined by Oracle 9iFS. Table 15-9 lists the standard permissions that are pertinent to PublicObjects.
Table 15-10 lists the most commonly used methods on AccessLevel.
Oracle 9iFS allows you to define custom permissions as instances of the ExtendedPermissions class. For example, you can define an custom permission for the ability to digitally sign a document to support an application for managing legal contracts. To define the custom permission, you would create an instance of the ExtendedPermission class that is uniquely named (e.g., Sign) to identify the custom permission. Subsequently, you can grant and revoke the ExtendedPermission in an AccessControlEntry by constructing an AccessLevel to hold the ExtendedPermissions.
The AccessLevel class in the Java API provides a set of methods for working with ExtendedPermissions. Table 15-11 lists the methods on AccessLevel that are used to work with ExtendedPermissions.
After an ExtendedPermission has been applied to an AccessControlList, you can build custom applications that use the ExtendedPermission to control how users can work with PublicObjects. Your application would implement an override to check if a user has been granted the ExtendedPermission on a PublicObject, and then allow or disallow the user to perform operations based on its findings.
Table 15-12 lists the methods on S_PublicObject that are used to work with ExtendedPermissions.
AccessLevel provides an extensive list of permissions that give you fine control over how information is accessed. However, you may want to define security levels that make it easier for users to apply broader access permissions on PublicObjects.
Oracle 9iFS allows you to define broader security levels as instances of the class PermissionBundle, that are stored persistently in Oracle 9iFS. For example, you might group the Discover, Add Item, and Remove Item permissions together into a ModifyFolderPermissionBundle to more easily grant users the ability to modify folders.
Table 15-13 lists the most commonly used attributes and methods of PermissionBundle.
|
|
Determines the AccessLevels in the PermissionBundle. |
Oracle 9iFS provides three methods for creating, modifying and deleting AccessControlLists:
This section discusses how to define AccessControlLists with XML and Java. For instructions on defining AccessControlLists in the Oracle 9iFS clients, consult the Oracle 9iFS Online Help facility for each client.
You can use XML files to define AccessControlLists in Oracle 9iFS. When the XML file is imported into Oracle 9iFS, the IfsSimpleXmlParser automatically uses it to create or modify a AccessControlList and the AccessControlEntry instances. Oracle 9iFS does not support deleting AccessControlLists using XML.
Example 15-29 and Example 15-30 illustrate how to create and modify AccessControlLists with XML.
<?xml version = '1.0' standalone = 'yes'?> <ACCESSCONTROLLIST> <NAME>ContentManagementProjectACL</NAME> <DESCRIPTION> ACL used to manage access to all information pertaining to the Content Management project. </DESCRIPTION> <OWNER RefType = "Name">guest</OWNER> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryUser" RefType="Name"> guest </GRANTEE> <ACCESSLEVEL> <DISCOVER> true </DISCOVER> <GETCONTENT> true </GETCONTENT> <SETATTRIBUTE> true </SETATTRIBUTE> <SETCONTENT> true </SETCONTENT> <DELETE> true </DELETE> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </ACCESSCONTROLLIST>
<?xml version = '1.0' standalone = 'yes'?> <ACCESSCONTROLLIST> <UPDATE RefType = "Name">ContentManagementProjectACL</UPDATE> <OWNER RefType = 'Name'>system</OWNER> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName='DirectoryUser' RefType="Name"> guest </GRANTEE> <ACCESSLEVEL> <SETATTRIBUTE> true </SETATTRIBUTE> <SETCONTENT> true </SETCONTENT> <DELETE> true </DELETE> </ACCESSLEVEL> <GRANTED>false</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </ACCESSCONTROLLIST>
Each element in the XML configuration file is used to specify the value for the attributes of the AccessControlList and AccessControlEntry instances.
|
NOTE: For a detailed description of the syntax rules for XML configuration files, consult Chapter 10, "XML and the Oracle Internet File System". |
Example 15-14 lists each of the XML elements in a AccessControlList configuration file. The table specifies the Java class and attribute in the Oracle 9iFS Java API that corresponds to the element, how the element is used, and any valid XML attributes for the element
.
The Oracle 9iFS Java API provides a more robust interface for manipulating each component of an AccessControlList. Example 15-31, Example 15-32, and Example 15-33 illustrate how to create, modify, and delete AccessControlLists with the Java API.
DirectoryGroup du = ...
AccessControlListDefinition aclDef = new AccessControlListDefinition(session);
aclDef.setAttributeByUpperCaseName("NAME", AttributeValue.newAttributeValue( "ContentManagementProjectACL")); aclDef.setShared(TRUE);
AccessControlList acl = (AccessControlList) session.createPublicObject(aclDef);
AccessControlEntryDefinition aceDef1 = new AccessControlEntryDefinition(session); aceDef1.setGrantee(du); String[] levels = {"Discover", "GetContent", "SetAttribute", "SetContent", "Delete"}; AccessLevel al1 = new AccessLevel(levels); aceDef1.setDistinctAccessLevel(al1); acl.grantAccess(aceDef1);
AccessControlEntryDefinition aceDef2 = new AccessControlEntryDefinition(session); aceDef2.setGrantee(du); AccessLevel al2 = new AccessLevel(AccessLevel.ACCESSLEVEL_DELETE); aceDef2.setDistinctAccessLevel(al2); acl.revokeAccess(aceDef2);
AccessControlList acl = ... DirectoryUser du = ...
AccessControlEntryDefinition aceDef = new AccessControlEntryDefinition(session); aceDef.setGrantee(du); aceDef.setGranted(true); AccessLevel al = new AccessLevel(); al.enableAllStandardPermissions(); aceDef.setDistinctAccessLevel(al);
AccessControlEntry firstAce = acl.getAccessControlEntrys(0); aceDef.setInsertBeforeAccessControlEntry(firstAce);
acl.addAccessControlEntry(aceDef);
AccessControlList acl = ...
acl.free();
An AccessControlList must be applied to every PublicObject created in Oracle 9iFS. An AccessControlList can be applied in three ways:
This section illustrates how use XML and Java to apply an AccessControlList to a PublicObject.
This section illustrates how to apply an AccessControlList to a PublicObject by explicitly setting the ACL attribute. Example 15-34,Example 15-35, and Example 15-36 illustrate how to use XML to set the ACL attribute. Example 15-37 and Example 15-38 illustrate how to use Java to set the ACL attribute.
<?xml version="1.0" standalone="yes"?> <FOLDER> <NAME>My Work-in-Progress</NAME> <DESCRIPTION> ACL used to manage access to all information pertaining to the Content Management project. </DESCRIPTION> <ACL> <NAME>MyCMWorkInProgressACL</NAME> <ACL RefType = "Name">Private</ACL> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName='DirectoryGroup' RefType="Name"> CMProjectGroup </GRANTEE> <ACCESSLEVEL> <DISCOVER> true </DISCOVER> <GETCONTENT> true </GETCONTENT> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </ACL> </FOLDER>
|
NOTE: Example 15-34 sets the AccessControlList's ACL attribute to the Private SystemAccessControlList so that other users will not be able to use the new AccessControlList. |
<?xml version="1.0" standalone="yes"?> <FOLDER> <NAME>Content Management Research</NAME> <ACL RefType = "Name"> ContentManagementProjectACL </ACL> <FOLDERPATH>.</FOLDERPATH> </FOLDER>
<?xml version="1.0" standalone="yes"?> <FOLDER> <UPDATE RefType = "Name">Content Management Research</UPDATE> <ACL RefType = "Name"> Public </ACL> <FOLDERPATH>.</FOLDERPATH> </FOLDER>
Collection aclColl = session.getSystemAccessControlListCollection(); AccessControlList acl = (AccessControlList) aclColl.getItems("Protected");
FolderDefinition fd = new FolderDefinition(session); fd.setAttributeByUpperCaseName(Folder.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Collateral")); fd.setAttributeByUpperCaseName(Folder.ACL_ATTRIBUTE, AttributeValue.newAttributeValue(acl));
Folder f = (Folder) session.createPublicObject(fd);
/** This example illustrates how to recursively * apply an ACL to multiple PublicObjects. */
session.setAdministrationMode(true);
PublicObject parentFolder, item; FolderPathResolver fpr = new FolderPathResolver(session); fpr.setRootFolder(); parentFolder = fpr.findPublicObjectByPath("/public");
AccessControlList acl = parentFolder.getAcl();
PublicObject[] folderItems = parentFolder.getItems(); for (int i = 0 ; i < parentFolder.getItemCount(); i++ ) {
item = ( PublicObject ) folderItems[i]; if( item instanceof Folder ) { item.setAcl( acl ); } }
If the ACL attribute is not explicitly set when a PublicObject is created, Oracle 9iFS will automatically set the ACL to reference the user's default AccessControlList for that class of object. The default AccessControlList is identified in the user's PrimaryUserProfile. The PrimaryUserProfile possesses two attributes that hold the user's default AccessControlLists:
Both attributes reference a PropertyBundle that consist of a list of Properties, which are name/value pairs. The Name of each Property specifies the class of object to which the AccessControlList applies (e.g., DOCUMENT, FOLDER). The Property's value references the AccessControlList that should be applied by default for instances of that class.
To learn how to specify a default AccessControlList for a user, see the "Profiling Users"section. Example 15-5 illustrates how to add an AccessControlList to the DefaultACLs PropertyBundle in a user's PrimaryUserProfile with Java.
|
NOTE: To learn more about how to work with PropertyBundles, see Chapter 6, "Applying Arbitrary Metadata and Behavior". |
Oracle 9iFS provides an alternative method for controlling access to PublicObjects. Instead of applying an AccessControlList directly to the PublicObject by setting the ACL attribute, you can apply another PublicObject's AccessControlList by setting the SecuringPublicObject attribute.
Every PublicObject includes an attribute, SecuringPublicObject, that can be optionally used to specify another PublicObject that is used to secure this PublicObject. When the SecuringPublicObject attribute references another PublicObject, Oracle 9iFS will use that PublicObject's AccessControlList instead.
Proxy security is particularly useful when working with versioned PublicObjects. For example, you can set the SecuringPublicObject for all versions of a document to reference the document's Family. This enables you to maintain security for all versions of the document in one place, rather than separately on each version.
DocumentDefinition dd = new DocumentDefinition(session); dd.setAttribute(Document.NAME_ATTRIBUTE, AttributeValue.newAttributeValue(docname)); Collection formatColl = session.getFormatCollection(); Format fmt = (Format) formatColl.getItems("Text"); dd.setFormat(fmt); dd.setContent("A new versioned document."); Folder hf = session.getUser().getPrimaryUserProfile().getHomeFolder(); dd.setAddToFolderOption(hf);
VersionDescriptionDefinition vdd = new VersionDescriptionDefinition(session); vdd.setAttribute(VersionDescription.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Versioning1 VersionDescription")); vdd.setAttribute("VERSIONLABEL", AttributeValue.newAttributeValue("Version 1.0")); vdd.setPublicObjectDefinition(dd);
VersionDescription vd = (VersionDescription)session.createPublicObject(vdd);
Family f = vd.getFamily(); VersionSeries vs = vd.getVersionSeries(); Document d = (Document) vd.getResolvedPublicObject();
d.setSecuringPublicObject(f); vd.setSecuringPublicObject(f); vs.setSecuringPublicObject(f);
Any end user can create an AccessControlList. When a user creates an AccessControlList, Oracle 9iFS automatically designates the user as the owner of that AccessControlList.
As the owner, the user can control how the AccessControlList can be accessed by other users. The owner can specify who can discover the AccessControlList and apply it to their PublicObjects. The owner can also specify who can modify the AccessControlList to grant or revoke permissions. The owner of the AccessControlList determines who can discover and modify it by setting the AccessControlList's ACL attribute, just like any other PublicObject. For example, to prevent other users from discovering the AccessControlList and using it to manage access to their PublicObjects, the owner can set the AccessControlList's ACL attribute to reference the Private SystemAccessControlList. In another case, the owner can share the responsibility of maintaining an AccessControlList by applying an AccessControlList that grants other users the Grant permission. The Grant permission is used to determine who can add new AccessControlEntries to an AccessControlList.
<?xml version = '1.0' standalone = 'yes'?> <OBJECTLIST>
<ACCESSCONTROLLIST> <NAME>CMProjectACLAdministration</NAME> <DESCRIPTION>ACL used to allow the Content Managmeent project members to use the AccessControlList, and project leads to manage AccessControlLists.</DESCRIPTION> <OWNER RefType = "Name">tturner</OWNER> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryGroup" RefType="Name"> CMProjectGroup </GRANTEE> <ACCESSLEVEL> <DISCOVER> true </DISCOVER> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryGroup" RefType="Name"> CMProjectLeads </GRANTEE> <ACCESSLEVEL> <GRANT> true </GRANT> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </ACCESSCONTROLLIST>
<ACCESSCONTROLLIST> <NAME>ContentManagementProjectACL</NAME> <DESCRIPTION> ACL used to manage access to all information pertaining to the Content Management project. </DESCRIPTION> <OWNER RefType = "Name">tturner</OWNER> <ACL RefType = "Name">CMProjectACLAdministration</ACL> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryGroup" RefType="Name"> CMProjectGroup </GRANTEE> <ACCESSLEVEL> <DISCOVER> true </DISCOVER> <GETCONTENT> true </GETCONTENT> <SETCONTENT> true </SETCONTENT> <DELETE> true </DELETE> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </ACCESSCONTROLLIST> </OBJECTLIST>
You can control which users and groups can create and search for specific classes of information with ClassAccessControlLists.
This section discusses the following:
ClassAccessControlList is a subclass of AccessControlList that is only applied to ClassObjects. Since ClassAccessControlList extends AccessControlList, it possesses all of the attributes and behaviors described in "How AccessControlLists Work" and "AccessControlList Structure". In addition, ClassAccessControlLists possess the attribute, UniqueName, that is used to uniquely identify the ClassAccessControlList by a string. Oracle 9iFS also maintains a collection of ClassAccessControlLists that make it easy to retrieve them from a LibrarySession without having to search the repository.
A ClassAccessControlList is applied to a ClassObject by referencing the ClassAccessControlList in the ClassACL attribute on the ClassObject. ClassAccessControlLists apply two special permissions to ClassObjects: Create and SelectorAccess. These permissions are represented by constants on the AccessLevel class in the Oracle 9iFS Java API.
Table 15-15 lists the AccessLevel constants and their usage
ClassAccessControlLists are created in the same manner as AccessControlLists. The key differences are that:
Example 15-41 and Example 15-42 illustrate how to create a ClassAccessControlList with XML and Java.
<?xml version = '1.0' standalone = 'yes'?> <CLASSACCESSCONTROLLIST> <NAME>ProductCatalogClassACL</NAME> <DESCRIPTION> ClassACL used to manage access any custom classes created for the ProductCatalog application. </DESCRIPTION> <ACEs> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryGroup" RefType="Name"> CMProjectGroup </GRANTEE> <ACCESSLEVEL> <SELECTORACCESS> true </SELECTORACCESS> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> <ACCESSCONTROLENTRY> <GRANTEE ClassName="DirectoryGroup" RefType="Name"> CMProjectLeads </GRANTEE> <ACCESSLEVEL> <CREATE> true </CREATE> </ACCESSLEVEL> <GRANTED>true</GRANTED> </ACCESSCONTROLENTRY> </ACEs> </CLASSACCESSCONTROLLIST>
DirectoryGroup CMGroup = ... DirectoryGroup CMLeads = ...
session.setAdministrationMode(true);
ClassAccessControlListDefinition aclDef = new ClassAccessControlListDefinition(session);
aclDef.setAttributeByUpperCaseName("NAME", AttributeValue.newAttributeValue( "ProductCatalogClassACL")); aclDef.setShared(TRUE);
ClassAccessControlList classAcl = (ClassAccessControlList) session.createPublicObject(aclDef);
AccessControlEntryDefinition aceDef1 = new AccessControlEntryDefinition(session); aceDef1.setGrantee(dg1); AccessLevel al1 = new AccessLevel(AccessLevel.ACCESSLEVEL_SELECTORACCESS); aceDef1.setDistinctAccessLevel(al1); acl.grantAccess(aceDef1);
AccessControlEntryDefinition aceDef2 = new AccessControlEntryDefinition(session); aceDef2.setGrantee(dg2); AccessLevel al2 = new AccessLevel(AccessLevel.ACCESSLEVEL_CREATE); aceDef2.setDistinctAccessLevel(al2); acl.grantAccess(aceDef2);
You can apply ClassAccessControlLists to ClassObjects by referencing the ClassAccessControlList in the ClassObject' ClassACL attribute.
Example 15-43 illustrates how to apply an existing ClassAccessControlList to a new ClassObject.
|
NOTE: For more information about creating ClassObjects, see Chapter 5, "Extending Content Types and Attributes". |
<?xml version="1.0" standalone="yes"?> <CLASSOBJECT> <NAME>Image</NAME> <SUPERCLASS RefType = "Name">Document</SUPERCLASS> <CLASSACL RefType = "Name">ProductCatalogClassACL</CLASSACL> <ATTRIBUTES> <ATTRIBUTE> <NAME>Width</NAME> <DATATYPE>Integer</DATATYPE> </ATTRIBUTE> <ATTRIBUTE> <NAME>Height</NAME> <DATATYPE>Integer</DATATYPE> </ATTRIBUTE> </ATTRIBUTES> </CLASSOBJECT>
session.setAdministrationMode(true);
ClassObjectDefinition codef = new ClassObjectDefinition(session); codef.setAttributeByUpperCaseName(ClassObject.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("IMAGE")); codef.setAttributeByUpperCaseName(ClassObject.DESCRIPTION_ATTRIBUTE, AttributeValue.newAttributeValue("Image files")); ClassObject superClass = session.getClassObjectByName("DOCUMENT"); codef.setSuperclass(superClass); AttributeDefinition adef1 = new AttributeDefinition(session); adef1.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Height")); adef1.setAttributeByUpperCaseName(Attribute.DESCRIPTION_ATTRIBUTE, AttributeValue.newAttributeValue("Image Height")); adef1.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_INTEGER)); adef1.setAttributeByUpperCaseName(Attribute.REQUIRED_ATTRIBUTE, AttributeValue.newAttributeValue(false)); codef.addAttributeDefinition(adef1); AttributeDefinition adef2 = new AttributeDefinition(session); adef2.setAttributeByUpperCaseName(Attribute.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Width")); adef2.setAttributeByUpperCaseName(Attribute.DESCRIPTION_ATTRIBUTE, AttributeValue.newAttributeValue("Image Width")); adef2.setAttributeByUpperCaseName(Attribute.DATATYPE_ATTRIBUTE, AttributeValue.newAttributeValue(Attribute.ATTRIBUTEDATATYPE_INTEGER)); adef2.setAttributeByUpperCaseName(Attribute.REQUIRED_ATTRIBUTE, AttributeValue.newAttributeValue(false)); codef.addAttributeDefinition(adef2);
Collection classAclColl = session.getClassAccessControlListCollection(); ClassAccessControlList classACL = (ClassAccessControlList) classAclColl.getItems("PRODUCTCATALOGCLASSACL"); codef.setAttributeByUpperCaseName(ClassObject.CLASSACL_ATTRIBUTE, AttributeValue.newAttributeValue(classACL));
ClassObject classObj = (ClassObject) session.createSchemaObject(codef);
Oracle 9iFS implicitly grants full access to information in two cases:
System Administrators are implicitly granted full access to all information in the repository. Any user can be given administration privileges by setting the AdminEnabled attribute on the DirectoryUser object that represents that user. Subsequently, that user can obtain full access to all information in the repository by enabling Administration Mode in their session with Oracle 9iFS.
Example 15-45 and Example 15-46 illustrate how to give a user administration privileges with XML and Java.
Example 15-45 illustrates how a client application enables Administration Mode for the user's session with Oracle 9iFS.
<?xml version = '1.0' standalone = 'yes'?> <SIMPLEUSER> <USERNAME>gking</USERNAME> <PASSWORD>ifs</PASSWORD> <DISTINGUISHEDNAMESUFFIX>.ambiguity.com</DISTINGUISHEDNAMESUFFIX> <ADMINENABLED>true</ADMINENABLED> <HOMEFOLDERROOT>/home</HOMEFOLDERROOT> <EMAILADDRESSSUFFIX>@ambiguity.com</EMAILADDRESSSUFFIX> </SIMPLEUSER>
session.setAdministrationMode(true);
// Creating an user using all the default options; UserManager usermanager = new UserManager(session);
Hashtable userOptions = new Hashtable(); userOptions.put(UserManager.ADMIN_ENABLED, new Boolean(true));
DirectoryUser dUser = usermanager.createUser("Gary.King", "ifs", userOptions);
LibrarySession session = ....
session.setAdministrationMode(true);
Every object in Oracle 9iFS is owned by a user who has full access to that object. The user is given ownership of the object by referencing the user in the object's Owner attribute. When an object is created in the repository, Oracle 9iFS automatically sets the Owner attribute to the user who created the object. The Owner attribute can be modified to reference a different user at any time.
<?xml verssion="1.0" standalone="yes"?> <FOLDER> <NAME>My Work-in-Progress</NAME> <OWNER RefType = "Name">tturner</OWNER> </FOLDER>
<?xml verssion="1.0" standalone="yes"?> <FOLDER> <UPDATE RefType = "Name">My Work-in-Progress</UPDATE> <OWNER RefType = "Name">gking</OWNER> </FOLDER>
FolderDefinition fd = new FolderDefinition(session); fd.setAttributeByUpperCaseName(Folder.NAME_ATTRIBUTE, AttributeValue.newAttributeValue("Collateral"));
Collection duColl = session.getDirectoryUserCollection(); DirectoryUser du = (DirectoryUser) duColl.getItems("tturner"); fd.setAttributeByUpperCaseName(Folder.OWNER_ATTRIBUTE, AttributeValue.newAttributeValue(du));
Folder f = (Folder) session.createPublicObject(fd);
Folder f = ....
Collection duColl = session.getDirectoryUserCollection(); DirectoryUser du = (DirectoryUser) duColl.getItems("gking"); f.setOwner(du);
Oracle 9iFS comes with a two sets of sample code files which you can use to get started working with the Java API.
Oracle 9iFS is installed with runnable sample code files for the examples in this chapter. The sample code files are located in the <ORACLE_HOME>/9ifs/samplecode/oracle/ifs/examples/devdoc/security directory. These sample code files are useful for testing the chapter's examples. However, they must be run in the appropriate sequence and may cause naming conflicts if run more than once.
Table 15-16 lists the sample code files and their corresponding examples.
To run the Java sample code files, follow these steps:
> cd $ORACLE_HOME/9ifs/samplecode/oracle/ifs/examples/devdoc/security > javac CreateUser.java
> java oracle.ifs.examples.documentation.security.CreateUser.java newuser=lrichards admin=false emailAddress=lrichards@ambiguity.com acl=Public Running with arguments : user = system password = manager service = IfsDefault schemapassword = ifssys newuser = lrichards -----------Results---------- New User Created : lrichards DistinguishedName = lrichards AdminEnabled = false
To run the XML configuration files, follow these steps:
In addition to the example sample code files, Oracle 9iFS is installed with more advanced sample code that helps you get started working with the Java API. The API sample code is located in the <ORACLE_HOME>/9ifs/samplecode/api directory. This API sample code is easier to work with than the Documentation sample code files because you can run the samples over and over without naming conflicts.
Table 15-17 lists the API sample code that is relevant to this chapter.
|
 Copyright © 2001 Oracle Corporation. All Rights Reserved. |
|
