Package org.osid.authorization

package org.osid.authorization

The Open Service Interface Definitions for the org.osid.authorization service.

The Authorization OSID manages and queries authorizations.

Authorizations

An Authorization is an OsidRelationship that defines who can do what to what. The grammar of an authorization incluides the subject or the actor (who), the action or verb (do what), and the object or context (to what). All three of these components must exist in an authorization for it to have any explicit meaning. An Authorization is a mapping among these three components.

• Agent : the actor (eg: tom@coppeto.org)
• Function : the action (eg: create purchase order)
• Qualifier : the object or context within a Function (eg: on account 1967)

This tuple in essence defines a role. "Instructor" is not a role and is not suitable for making an authorization decision. "Instructs Physics 101", both the function and qualifier, defines the complete role (within the context of a particular college) that can be used for an authorization decision.

The basic service of the Authorization OSID is to provide a means for asking whether a given Agent is authorized to perform a Function with a Qualifier , in other words, if such a mapping exists. The Agent will generally be obtained from an Authentication service and the Function and Qualifier generally known to the consuming application (a server process needing to protect some resource).

Example

Authentication auth = authNValidationSession.authenticate(creds);

AuthorizationSession session = authZManager.getAuthorizationSession();
boolean authorized = session.isAuthorized(auth.getAgentId(), functionId, qualifierId);        
 

The rest of the Authorization OSID is concerned with managing authorizations.

Explicit/Implicit Authorizations

Authorizations can be explcit or implcit. Explicit authorizations are managed while implcit authorizations are derived from Resources , Function and Qualifier hierrachies. Examples of implcit authorizations:

• The Authorization OSID can accept a Resource in lieu of an Agent as the actor so a Person, Group or Organization may be used to specify an authorization. In this case, the explicit authorization is the one containing the Resource and an implicit authorization exists for each Agent .
• Qualifiers only exist as Hierarchy Nodes since the Authorization OSID does not manage the objects used as qualifiers but may manage directly, or have access to, a Hierarchy service to obtain the identity and relationship among these objects. An explicit authorization for a given Qualifier creates an implcit authorization for every child of that Qualifier .

The Authorization OSID manages Functions directly through its owned defined sessions and exposes actors via the Resource OSID. Qualifiers are only exposed through the Hierarchy service as the Authorization service doesn't have anything to say about the objects represented by the Qualifiers .

Vault Cataloging

Authorizations, Functions and Qualifiers may be organized into one or many Vaults . This serves to categorize authorizatiion data for the purpose of browsing or auditing. Vaults are hierarchical where each node includes all the authorization data of its children. A single root node will make available all known authorizations and is a reasonable choice for a default Vault for a non-federated aware consumer. A federated authorization scheme is one in which Vaults are available for selection.

Notifications

Certain consumers may wish to be notified of changes within the service. Authorization supports notifications via AuthorizatioNotificationSession , FunctionNotificationSession and VaultNotificationSession .

if (manager.supportsAuthorizationNotification()) {
    AuthorizationNotificationSession ans = manager.getAuthorizationNotificationSession(receiver);
    ans.registerForDeletedAuthorizations();
}

AuthorizationReceiver receiver {
    newAuthorization(Authorization a) {print("authorization created");}
    deletedAuthorization(Authorization a) {print("authorization removed");}
}        
 

Sub Packages

The Authorization OSID includes an Authorization Rules OSID for managing the effectiveness of Authorizations .

Copyright © 2002-2004, 2007-2008 Massachusetts Institute of Technology.

Copyright © 2009-2010 Ingenescus. All Rights Reserved.

This Work is being provided by the copyright holder(s) subject to the following license. By obtaining, using and/or copying this Work, you agree that you have read, understand, and will comply with the following terms and conditions.

Permission to use, copy and distribute unmodified versions of this Work, for any purpose, without fee or royalty is hereby granted, provided that you include the above copyright notices and the terms of this license on ALL copies of the Work or portions thereof.

You may modify or create Derivatives of this Work only for your internal purposes. You shall not distribute or transfer any such Derivative of this Work to any location or to any third party. For the purposes of this license, "Derivative" shall mean any derivative of the Work as defined in the United States Copyright Act of 1976, such as a translation or modification.

This Work and the information contained herein is provided on an "AS IS" basis WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS IN THE WORK.

The export of software employing encryption technology may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting this Work.

Related Packages

Package	Description
org.osid	The Open Service Interface Definitions for the org.osid service.
org.osid.authorization.batch	The Open Service Interface Definitions for the org.osid.authorization.batch service.
org.osid.authorization.records
org.osid.authorization.rules	The Open Service Interface Definitions for the org.osid.authorization.rules service.

Interfaces

Class	Description
Authorization	An Authorization is a mapping among an actor, a Function and a Qualifier .
AuthorizationAdminSession	This session creates, updates, and deletes Authorizations .
AuthorizationCondition	An authorization condition.
AuthorizationForm	This is the form for creating and updating Authorizations .
AuthorizationList	Like all OsidLists , AuthorizationList provides a means for accessing Authorization elements sequentially either one at a time or many at a time.
AuthorizationLookupSession	This session defines methods to search and retrieve Authorization mappings.
AuthorizationManager	The authorization manager provides access to authorization sessions and provides interoperability tests for various aspects of this service.
AuthorizationNotificationSession	This session defines methods to receive asynchronous notifications on adds/changes to Authorizations .
AuthorizationProfile	The AuthorizationProfile describes the interoperability among authorization services.
AuthorizationProxyManager	The authorization manager provides access to authorization sessions and provides interoperability tests for various aspects of this service.
AuthorizationQuery	The query for authorizations.
AuthorizationQueryInspector	The query inspector for examining authorization queries.
AuthorizationQuerySession	This session provides methods for searching Authorization objects.
AuthorizationReceiver	The authorization receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Authorizations .
AuthorizationSearch	AuthorizationSearch defines the interface for specifying authorization search options.
AuthorizationSearchOrder	An interface for specifying the ordering of search results.
AuthorizationSearchResults	This interface provides a means to capture results of a search.
AuthorizationSearchSession	This session provides methods for searching Authorization objects.
AuthorizationSession	This is the basic session for verifying authorizations.
AuthorizationSmartVaultSession	This session manages queries and sequencing to create "smart" dynamic catalogs.
AuthorizationVaultAssignmentSession	This session provides methods to re-assign Authorizations to Vault .
AuthorizationVaultSession	This session provides methods to retrieve Authorization to Vault mappings.
Function	A Function represents an authenticatable identity.
FunctionAdminSession	This session creates, updates, and deletes Functions .
FunctionForm	This is the form for creating and updating Functions .
FunctionList	Like all OsidLists , FunctionList provides a means for accessing Function elements sequentially either one at a time or many at a time.
FunctionLookupSession	This session provides methods for retrieving Function objects.
FunctionNotificationSession	This session defines methods to receive asynchronous notifications on adds/changes to Function objects.
FunctionQuery	This is the query for searching functions.
FunctionQueryInspector	This is the query inspector for examining function queries.
FunctionQuerySession	This session provides methods for searching Function objects.
FunctionReceiver	The function receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Functions .
FunctionSearch	FunctionSearch defines the interface for specifying function search options.
FunctionSearchOrder	An interface for specifying the ordering of search results.
FunctionSearchResults	This interface provides a means to capture results of a search.
FunctionSearchSession	This session provides methods for searching Function objects.
FunctionSmartVaultSession	This session manages queries and sequencing to create "smart" dynamic catalogs.
FunctionVaultAssignmentSession	This session provides methods to re-assign Functions to Vaults .
FunctionVaultSession	This session provides methods to retrieve Function to Vault mappings.
Qualifier	A Qualifier represents an authenticatable identity.
QualifierAdminSession	This session creates, updates, and deletes Qualifiers .
QualifierForm	This is the form for creating and updating Qualifiers .
QualifierHierarchyDesignSession	This session defines methods for managing a hierarchy of Qualifier objects.
QualifierHierarchySession	This session defines methods for traversing a hierarchy of Qualifier objects.
QualifierList	Like all OsidLists , QualifierList provides a means for accessing Qualifier elements sequentially either one at a time or many at a time.
QualifierLookupSession	This session defines methods for retrieving qualifiers.
QualifierNode	This interface is a container for a partial hierarchy retrieval.
QualifierNodeList	Like all OsidLists , QualifierNodeList provides a means for accessing QualifierNode elements sequentially either one at a time or many at a time.
QualifierNotificationSession	This session defines methods to receive notifications on adds/changes to Qualifier objects in this Vault .
QualifierQuery	This is the query for searching qualifiers.
QualifierQueryInspector	This is the query inspector for examining qualifiers queries.
QualifierQuerySession	This session provides methods for searching among Qualifier objects.
QualifierReceiver	The qualifier receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Qualifier objects.
QualifierSearch	QualifierSearch defines the interface for specifying qualifier search options.
QualifierSearchOrder	An interface for specifying the ordering of search results.
QualifierSearchResults	This interface provides a means to capture results of a search.
QualifierSearchSession	This session provides methods for searching among Qualifier objects.
QualifierSmartVaultSession	This session manages queries and sequencing to create "smart" dynamic catalogs.
QualifierVaultAssignmentSession	This session provides methods to re-assign Qualifiers to Vaults .
QualifierVaultSession	This session provides methods to retrieve Qualifier to Vault mappings.
Vault	A vault defines a collection of authorizations and functions.
VaultAdminSession	This session creates, updates, and deletes Vaults .
VaultForm	This is the form for creating and updating vaults.
VaultHierarchyDesignSession	This session defines methods for managing a hierarchy of Vault objects.
VaultHierarchySession	This session defines methods for traversing a hierarchy of Vault objects.
VaultList	Like all OsidLists , VaultList provides a means for accessing Vault elements sequentially either one at a time or many at a time.
VaultLookupSession	This session provides methods for retrieving Vault objects.
VaultNode	This interface is a container for a partial hierarchy retrieval.
VaultNodeList	Like all OsidLists , VaultNodeList provides a means for accessing VaultNode elements sequentially either one at a time or many at a time.
VaultNotificationSession	This session defines methods to receive notifications on adds/changes to Vault objects.
VaultQuery	This is the query for searching vaults.
VaultQueryInspector	This is the query inspector for examining vault queries.
VaultQuerySession	This session provides methods for searching among Vault objects.
VaultReceiver	The vault receiver is the consumer supplied interface for receiving notifications pertaining to new, updated or deleted Vault objects.
VaultSearch	The interface for governing vault searches.
VaultSearchOrder	An interface for specifying the ordering of search results.
VaultSearchResults	This interface provides a means to capture results of a search.
VaultSearchSession	This session provides methods for searching among Vault objects.