Interface | Description |
---|---|
Authorization | An Authorization is a mapping among an actor, a Function and a Qualifier. |
AuthorizationAdminSession | This session creates, updates, and deletes Authorizations. |
AuthorizationCondition | An authorization condition interface. |
AuthorizationForm | This is the form for creating and updating Authorizations. |
AuthorizationList | Like all OsidLists, AuthorizationList provides a means for accessing Authorization elements sequentially either one at a time or many at a time. |
AuthorizationLookupSession | This session defines methods to search and retrieve Authorization mappings. |
AuthorizationManager | The authorization manager provides access to authorization sessions and provides interoperability tests for various aspects of this service. |
AuthorizationNotificationSession | This session defines methods to receive asynchronous notifications on adds/changes to Authorizations. |
AuthorizationProfile | The AuthorizationProfile describes the interoperability among authorization services. |
AuthorizationProxyManager | The authorization proxy manager provides the same authorization sessions and interoperability tests as AuthorizationManager, but its session methods take a Proxy through which the caller's context is passed from a server environment. |
AuthorizationQuery | The query for authorizations. |
AuthorizationQueryInspector | The query inspector for examining authorization queries. |
AuthorizationQuerySession | This session provides methods for searching Authorization objects. |
AuthorizationReceiver | The authorization receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Authorizations. |
AuthorizationSearch | AuthorizationSearch defines the interface for specifying authorization search options. |
AuthorizationSearchOrder | An interface for specifying the ordering of search results. |
AuthorizationSearchResults | This interface provides a means to capture results of a search. |
AuthorizationSearchSession | This session provides methods for searching Authorization objects. |
AuthorizationSession | This is the basic session for verifying authorizations. |
AuthorizationSmartVaultSession | This session manages queries and sequencing to create "smart" dynamic catalogs. |
AuthorizationVaultAssignmentSession | This session provides methods to re-assign Authorizations to Vaults. |
AuthorizationVaultSession | This session provides methods to retrieve Authorization to Vault mappings. |
Function | A Function represents an action, the "do what" component of an authorization (eg: create purchase order). |
FunctionAdminSession | This session creates, updates, and deletes Functions. |
FunctionForm | This is the form for creating and updating Functions. |
FunctionList | Like all OsidLists, FunctionList provides a means for accessing Function elements sequentially either one at a time or many at a time. |
FunctionLookupSession | This session provides methods for retrieving Function objects. |
FunctionNotificationSession | This session defines methods to receive asynchronous notifications on adds/changes to Function objects. |
FunctionQuery | This is the query for searching functions. |
FunctionQueryInspector | This is the query inspector for examining function queries. |
FunctionQuerySession | This session provides methods for searching Function objects. |
FunctionReceiver | The function receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Functions. |
FunctionSearch | FunctionSearch defines the interface for specifying function search options. |
FunctionSearchOrder | An interface for specifying the ordering of search results. |
FunctionSearchResults | This interface provides a means to capture results of a search. |
FunctionSearchSession | This session provides methods for searching Function objects. |
FunctionSmartVaultSession | This session manages queries and sequencing to create "smart" dynamic catalogs. |
FunctionVaultAssignmentSession | This session provides methods to re-assign Functions to Vaults. |
FunctionVaultSession | This session provides methods to retrieve Function to Vault mappings. |
Qualifier | A Qualifier represents the object or context within a Function, the "to what" component of an authorization (eg: on account 1967). |
QualifierAdminSession | This session creates, updates, and deletes Qualifiers. |
QualifierForm | This is the form for creating and updating Qualifiers. |
QualifierHierarchyDesignSession | This session defines methods for managing a hierarchy of Qualifier objects. |
QualifierHierarchySession | This session defines methods for traversing a hierarchy of Qualifier objects. |
QualifierList | Like all OsidLists, QualifierList provides a means for accessing Qualifier elements sequentially either one at a time or many at a time. |
QualifierLookupSession | This session defines methods for retrieving qualifiers. |
QualifierNode | This interface is a container for a partial hierarchy retrieval. |
QualifierNodeList | Like all OsidLists, QualifierNodeList provides a means for accessing QualifierNode elements sequentially either one at a time or many at a time. |
QualifierNotificationSession | This session defines methods to receive notifications on adds/changes to Qualifier objects in this Vault. |
QualifierQuery | This is the query for searching qualifiers. |
QualifierQueryInspector | This is the query inspector for examining qualifier queries. |
QualifierQuerySession | This session provides methods for searching among Qualifier objects. |
QualifierReceiver | The qualifier receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Qualifier objects. |
QualifierSearch | QualifierSearch defines the interface for specifying qualifier search options. |
QualifierSearchOrder | An interface for specifying the ordering of search results. |
QualifierSearchResults | This interface provides a means to capture results of a search. |
QualifierSearchSession | This session provides methods for searching among Qualifier objects. |
QualifierSmartVaultSession | This session manages queries and sequencing to create "smart" dynamic catalogs. |
QualifierVaultAssignmentSession | This session provides methods to re-assign Qualifiers to Vaults. |
QualifierVaultSession | This session provides methods to retrieve Qualifier to Vault mappings. |
Vault | A vault defines a collection of authorizations, functions and qualifiers. |
VaultAdminSession | This session creates, updates, and deletes Vaults. |
VaultForm | This is the form for creating and updating vaults. |
VaultHierarchyDesignSession | This session defines methods for managing a hierarchy of Vault objects. |
VaultHierarchySession | This session defines methods for traversing a hierarchy of Vault objects. |
VaultList | Like all OsidLists, VaultList provides a means for accessing Vault elements sequentially either one at a time or many at a time. |
VaultLookupSession | This session provides methods for retrieving Vault objects. |
VaultNode | This interface is a container for a partial hierarchy retrieval. |
VaultNodeList | Like all OsidLists, VaultNodeList provides a means for accessing VaultNode elements sequentially either one at a time or many at a time. |
VaultNotificationSession | This session defines methods to receive notifications on adds/changes to Vault objects. |
VaultQuery | This is the query for searching vaults. |
VaultQueryInspector | This is the query inspector for examining vault queries. |
VaultQuerySession | This session provides methods for searching among Vault objects. |
VaultReceiver | The vault receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Vault objects. |
VaultSearch | The interface for governing vault searches. |
VaultSearchOrder | An interface for specifying the ordering of search results. |
VaultSearchResults | This interface provides a means to capture results of a search. |
VaultSearchSession | This session provides methods for searching among Vault objects. |
The Open Service Interface Definitions for the org.osid.authorization service.
The Authorization OSID manages and queries authorizations. An Authorization is an OsidRelationship that defines who can do what to what. The grammar of an authorization includes the subject or actor (who), the action or verb (do what), and the object or context (to what). All three of these components must exist in an authorization for it to have any explicit meaning. An Authorization is a mapping among these three components.

- Agent: the actor (eg: tom@coppeto.org)
- Function: the action (eg: create purchase order)
- Qualifier: the object or context within a Function (eg: on account 1967)

This tuple in essence defines a role. "Instructor" is not a role and is not suitable for making an authorization decision. "Instructs Physics 101", both the function and qualifier, defines the complete role (within the context of a particular college) that can be used for an authorization decision.
The basic service of the Authorization OSID is to provide a means for asking whether a given Agent is authorized to perform a Function with a Qualifier, in other words, whether such a mapping exists. The Agent will generally be obtained from an Authentication service, while the Function and Qualifier are generally known to the consuming application (a server process needing to protect some resource).

```java
// Authenticate the caller; the resulting Authentication carries the Agent Id.
Authentication auth = authNValidationSession.authenticate(creds);

// Ask the Authorization OSID whether that Agent may perform functionId on qualifierId.
AuthorizationSession session = authZManager.getAuthorizationSession();
boolean authorized = session.isAuthorized(auth.getAgentId(), functionId, qualifierId);
if (!authorized) {
    // Fail closed: no mapping means no access.
}
```
The rest of the Authorization OSID is concerned with managing authorizations. Authorizations can be explicit or implicit. Explicit authorizations are managed directly, while implicit authorizations are derived from Resources and from the Function and Qualifier hierarchies. Examples of implicit authorizations:

- A Resource may be used in lieu of an Agent as the actor, so a Person, Group or Organization may be used to specify an authorization. In this case, the explicit authorization is the one containing the Resource, and an implicit authorization exists for each Agent belonging to that Resource.
- Qualifiers only exist as Hierarchy Nodes, since the Authorization OSID does not manage the objects used as qualifiers but may manage directly, or have access to, a Hierarchy service to obtain the identity of and relationships among these objects. An explicit authorization for a given Qualifier creates an implicit authorization for every child of that Qualifier.
The Authorization OSID manages Functions directly through its own sessions and exposes actors via the Resource OSID. Qualifiers are only exposed through the Hierarchy service, as the Authorization service has nothing to say about the objects the Qualifiers represent.
Authorizations, Functions and Qualifiers may be organized into one or many Vaults. This serves to categorize authorization data for the purpose of browsing or auditing. Vaults are hierarchical, where each node includes all the authorization data of its children. A single root node will make available all known authorizations and is a reasonable choice for a default Vault for a consumer that is not federation-aware. A federated authorization scheme is one in which Vaults are available for selection; because a node only includes the data of its descendants, a consumer that selects a sub-Vault will not see authorizations held in sibling or ancestor Vaults.
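The decision rules described above (the Agent/Function/Qualifier tuple, implicit authorizations derived from Resource membership and the Qualifier hierarchy, and Vault federation) are small enough to model end to end. The following is an added example and not part of the OSID specification or any OSID implementation: it models the semantics in plain Python rather than calling the org.osid.authorization interfaces, and the vault names, agent ids, resource ids and qualifier ids are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Authorization:
    """An explicit authorization: who (actor) may do what (function) to what (qualifier).

    The actor is an Agent id or, for grants that imply authorizations for many
    agents, a Resource id (person, group, organization). All three parts are
    required: a function alone ("instructor") is not a role.
    """
    actor: str
    function: str
    qualifier: str


class Vault:
    """A catalog of explicit authorizations. A Vault node includes all the
    authorization data of its child Vaults, so a single root sees everything."""

    def __init__(self, name: str, children: Iterable["Vault"] = ()) -> None:
        self.name = name
        self.children = list(children)
        self.explicit: Set[Authorization] = set()

    def grant(self, actor: str, function: str, qualifier: str) -> Authorization:
        auth = Authorization(actor, function, qualifier)
        self.explicit.add(auth)
        return auth

    def revoke(self, auth: Authorization) -> None:
        self.explicit.discard(auth)

    def federated_explicit(self) -> Set[Authorization]:
        """This node's explicit authorizations plus those of every descendant Vault."""
        found = set(self.explicit)
        for child in self.children:
            found |= child.federated_explicit()
        return found


class AuthorizationService:
    """Answers isAuthorized(agent, function, qualifier) over a Vault, deriving implicit
    authorizations from Resource membership and from the Qualifier hierarchy."""

    def __init__(self, resource_members: Dict[str, Set[str]], qualifier_parent: Dict[str, str]) -> None:
        self.resource_members = resource_members  # resource id -> member ids (agents or resources)
        self.qualifier_parent = qualifier_parent  # qualifier id -> parent qualifier id

    def actors_for(self, agent_id: str) -> Set[str]:
        """The agent plus every Resource that (transitively) contains it."""
        actors = {agent_id}
        changed = True
        while changed:  # iterate to a fixpoint so nested groups/organizations are included
            changed = False
            for resource, members in self.resource_members.items():
                if resource not in actors and members & actors:
                    actors.add(resource)
                    changed = True
        return actors

    def qualifiers_for(self, qualifier_id: str) -> Set[str]:
        """The qualifier plus every ancestor: an explicit grant on an ancestor is an
        implicit grant on each descendant. A visited set guards against a cyclic hierarchy."""
        seen: Set[str] = set()
        node: Optional[str] = qualifier_id
        while node is not None and node not in seen:
            seen.add(node)
            node = self.qualifier_parent.get(node)
        return seen

    def find_grant(self, vault: Vault, agent_id: str, function_id: str,
                   qualifier_id: str) -> Optional[Authorization]:
        """Return the explicit Authorization that justifies the decision (useful for
        auditing), or None when no explicit or implicit mapping exists."""
        explicit = vault.federated_explicit()
        for actor in self.actors_for(agent_id):
            for qualifier in self.qualifiers_for(qualifier_id):
                candidate = Authorization(actor, function_id, qualifier)
                if candidate in explicit:
                    return candidate
        return None

    def is_authorized(self, vault: Vault, agent_id: str, function_id: str, qualifier_id: str) -> bool:
        return self.find_grant(vault, agent_id, function_id, qualifier_id) is not None


# Constructed sample data (hypothetical; not from the OSID specification).
SCIENCE = Vault("science")
ROOT = Vault("root", children=[SCIENCE])
SCIENCE.grant("group:physics-faculty", "instruct", "physics-dept")  # explicit grant to a Resource
ROOT.grant("alice@example.edu", "instruct", "physics-101")          # explicit grant to an Agent

SERVICE = AuthorizationService(
    resource_members={
        "org:school-of-science": {"group:physics-faculty"},
        "group:physics-faculty": {"tom@coppeto.org"},
    },
    qualifier_parent={"physics-101": "physics-dept", "physics-dept": "school-of-science"},
)

if __name__ == "__main__":
    # tom is authorized implicitly: via group membership and via the physics-dept ancestor.
    print(SERVICE.find_grant(ROOT, "tom@coppeto.org", "instruct", "physics-101"))
```

Two properties of the model are worth checking against an implementation: the decision only ever matches on the full tuple, so a function with no qualifier match is denied, and federation flows upward only, so a grant held in the parent vault is invisible to a consumer that has selected the child vault.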
Certain consumers may wish to be notified of changes within the service. Authorization supports notifications via AuthorizationNotificationSession, FunctionNotificationSession and VaultNotificationSession.

```java
// Consumer-supplied receiver: the service calls back into it as Authorizations change.
AuthorizationReceiver receiver = new AuthorizationReceiver() {
    public void newAuthorization(Authorization a) { System.out.println("authorization created"); }
    public void deletedAuthorization(Authorization a) { System.out.println("authorization removed"); }
};

// Notification support is optional, so consult the profile before requesting the session.
if (manager.supportsAuthorizationNotification()) {
    AuthorizationNotificationSession ans = manager.getAuthorizationNotificationSession(receiver);
    ans.registerForNewAuthorizations();      // without this, newAuthorization() is never invoked
    ans.registerForDeletedAuthorizations();
}
```
The Authorization OSID includes an Authorization Rules OSID for
managing the effectiveness of Authorizations.
Copyright © 2002-2004, 2007-2008 Massachusetts Institute of Technology.
Copyright © 2009-2010 Ingenescus. All Rights Reserved.
This Work is being provided by the copyright holder(s) subject to the following license. By obtaining, using and/or copying this Work, you agree that you have read, understand, and will comply with the following terms and conditions.
Permission to use, copy and distribute unmodified versions of this Work, for any purpose, without fee or royalty is hereby granted, provided that you include the above copyright notices and the terms of this license on ALL copies of the Work or portions thereof.
You may modify or create Derivatives of this Work only for your internal purposes. You shall not distribute or transfer any such Derivative of this Work to any location or to any third party. For the purposes of this license, "Derivative" shall mean any derivative of the Work as defined in the United States Copyright Act of 1976, such as a translation or modification.
This Work and the information contained herein is provided on an "AS IS" basis WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS IN THE WORK.
The export of software employing encryption technology may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting this Work.