/* * $Header: /home/wistrand/cvs/knopflerfish.org/osgi/bundles/useradmin/src/org/osgi/service/useradmin/Group.java,v 1.1.1.1 2004/03/05 20:35:16 wistrand Exp $ * * Copyright (c) The Open Services Gateway Initiative (2001). * All Rights Reserved. * * Implementation of certain elements of the Open Services Gateway Initiative * (OSGI) Specification may be subject to third party intellectual property * rights, including without limitation, patent rights (such a third party may * or may not be a member of OSGi). OSGi is not responsible and shall not be * held responsible in any manner for identifying or failing to identify any or * all such third party intellectual property rights. * * This document and the information contained herein are provided on an "AS * IS" basis and OSGI DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING * BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL * NOT INFRINGE ANY RIGHTS AND ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR * FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL OSGI BE LIABLE FOR ANY * LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OF DATA, INTERRUPTION OF * BUSINESS, OR FOR DIRECT, INDIRECT, SPECIAL OR EXEMPLARY, INCIDENTIAL, * PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND IN CONNECTION WITH THIS * DOCUMENT OR THE INFORMATION CONTAINED HEREIN, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH LOSS OR DAMAGE. * * All Company, brand and product names may be trademarks that are the sole * property of their respective owners. All rights reserved. */ package org.osgi.service.useradmin; /** * A named grouping of roles (Role objects). *

* Whether or not a given Authorization context implies a Group object * depends on the members of that Group object. *

* A Group object can have two kinds of members: basic and * required. * A Group object is implied by an Authorization context if all of * its required members are implied * and at least one of its basic members is implied. *

* A Group object must contain at least one basic member in order * to be implied. In other words, a Group object without any basic member * roles is never implied by any Authorization context. *

* A User object always implies itself. *

* No loop detection is performed when adding members to Group objects, which * means that it is possible to create circular implications. Loop * detection is instead done when roles are checked. The semantics is that * if a role depends on itself (i.e., there is an implication loop), the * role is not implied. *

* The rule that a Group object must have at least one basic member to be implied * is motivated by the following example: * 

 * group foo
 *   required members: marketing
 *   basic members: alice, bob
 *
* Privileged operations that require membership in "foo" can be performed * only by "alice" and "bob", who are in marketing. *

* If "alice" and "bob" ever transfer to a different department, anybody in * marketing will be able to assume the "foo" role, which certainly must be * prevented. * Requiring that "foo" (or any Group object for that matter) must have at least * one basic member accomplishes that. *

* However, this would make it impossible for a Group object to be implied by just * its required members. An example where this implication might be useful * is the following declaration: "Any citizen who is an adult is allowed to * vote." * An intuitive configuration of "voter" would be: * * 

 * group voter
 *   required members: citizen, adult
 *      basic members:
 *
* * However, according to the above rule, the "voter" role could never be * assumed by anybody, since it lacks any basic members. * In order to address this issue a predefined role named * "user.anyone" can be specified, which is always implied. * The desired implication of the "voter" group can then be achieved by * specifying "user.anyone" as its basic member, as follows: * * 
 * group voter
 *   required members: citizen, adult
 *      basic members: user.anyone
 *
* * @version $Revision: 1.1.1.1 $ * @author Open Services Gateway Initiative */ public interface Group extends User { /** * Adds the specified Role object as a basic member to this Group object. * * @param role The role to add as a basic member. * * @return true if the given role could be added as a basic * member, * and false if this Group object already contains a Role object whose name * matches that of the specified role. * * @throws SecurityException If a security manager exists and the caller * does not have the UserAdminPermission with name admin. */ public boolean addMember(Role role); /** * Adds the specified Role object as a required member to this Group object. * * @param role The Role object to add as a required member. * * @return true if the given Role object could be added as a required * member, and false if this Group object already contains a Role object * whose name matches that of the specified role. * * @throws SecurityException If a security manager exists and the caller * does not have the UserAdminPermission with name admin. */ public boolean addRequiredMember(Role role); /** * Removes the specified Role object from this Group object. * * @param role The Role object to remove from this Group object. * * @return true if the Role object could be removed, * otherwise false. * * @throws SecurityException If a security manager exists and the caller * does not have the UserAdminPermission with name admin. */ public boolean removeMember(Role role); /** * Gets the basic members of this Group object. * * @return The basic members of this Group object, or null if this * Group object does not contain any basic members. */ public Role[] getMembers(); /** * Gets the required members of this Group object. * * @return The required members of this Group object, or null if this * Group object does not contain any required members. */ public Role[] getRequiredMembers(); }