Permissions: Principles Locate
Permissions in BEA AquaLogic Service Registry were developed so that administrators might exercise control over users. Permissions:
Provide a simple mechanism for the management of users' rights in BEA AquaLogic Service Registry.
Allow the administrator to manage or make available different parts of the registry to different users.
Help BEA AquaLogic Service Registry better reflect the real world where there are many roles with different responsibilities.
This chapter describes permissions in detail with some examples and a description of permission configuration.
Permission is defined as the right to perform an action on some interface. Put another way: permission is the ability to process some method on some interface. Permissions are very different from the other mechanism for rights in BEA AquaLogic Service Registry, the Access Control List.
Access Control enables the user to control access to the basic UDDI data structures (businessEntity, businessService, bindingTemplate, and tModel). Access Control on BEA AquaLogic Service Registry is provided by the Access Control List (ACL). The ACL is based on permissions given to a user or group. In the context of ACL, this means that a given user can access only that information in BEA AquaLogic Service Registry made available to the user by the registry administrator or other users. For more information about the Access Control List, see the Access Control chapter in the User's guide.
Access Control Lists limit the visibility of entities and so restrict the access to data in BEA AquaLogic Service Registry. Permissions on the other hand restrict access to interfaces. The ACLs restrain users by the restricting the visibility of UDDI structures. Permissions limit users through the visibility of interfaces.
Permissions Definitions Locate
There are two basic kinds of permission:
The first, consisting of ApiUserPermission and ApiManagerPermission, is used to restrict access for some users on some interfaces.
The second, ConfigurationManagerPermission, is used to restrict the ability to change configurations in BEA AquaLogic Service Registry.
- ApiUserPermission
ApiUserPermission consists of the interface's name and method from the given interface. This permission provides the user common access to the specified method on the given API. ApiUserPermission enables the user to call methods on an interface as a common user. Users usually must have this permission to perform any call.
- ApiManagerPermission
ApiManagerPermission also consists of the names of an interface and of a method. This permission allows the user to call a determined method on the given API. It is very similar to ApiUserPermission. The only difference is in the user's significance. If a user has ApiManagerPermission, that user is considered to be a privileged user. There are many API calls where the result depends on user's importance.
- ConfigurationManagerPermission
ConfigurationManagerPermission consists of configuration files and a method's name. The name of the method is either get or set. The ConfigurationManagerPermission combined with the get method allows user to read (get) data from the configuration file. On the other hand, the ConfigurationManagerPermission combined with the set method enables the user to write to the configuration.
BEA AquaLogic Service Registry Permission Rules Locate
The following permissions' rules are always valid:
Permission is the ability to process a method on an API.
Permission contains the type of permission (ApiUserPermission, ApiManagerPermission, ConfigurationManagerPermission), the name (interface's or config's name) and an action (method's name).
You are allowed to use the asterisk wildcard (*) to substitute all names - names of interfaces, configurations, or actions.
There is no hierarchy in permissions. The ability to set permission for users is also a permission (for some methods on PermissionApi).
The BEA AquaLogic Service Registry administrator has all permissions for all methods on all APIs.
Permissions are always positive. This means that permissions say what is possible or allowed. Permissions allow user to perform an action (some method on some API). Any action that is not expressly permitted is denied.
Permissions can be set for an individual user or for a group of members. Each user is member of the group system#everyone, therefore every user has the default permissions associated with this group.
For more information, see Data Access Control: Principles
Setting Permissions Locate
This section describes the configuration of permissions. The setting of permissions is written from the administrator's point of view.
There are three basic ways to set permissions for a user:
By performing methods on PermissionApi. A user can call these methods only if that user has the appropriate permissions.
By calling methods via SOAP or via the Registry Console.
By changing permissions directly in the configuration file.
The PermissionApi contains several methods for managing permissions. These methods are described below:
- get_permission
Used for obtaining all of a user's permissions. A user possessing the ApiManagerPermission can obtain permissions of other users. A user with only ApiUserPermission, can only discover his or her own permissions.
Note that users who have neither ApiUserPermission nor ApiManagerPermission for a method on PermissionApi, cannot call this method.
- set_permission
Provides users the ability to set permissions for other users. It is necessary to possess ApiManagerPermission for this call.
- get_permissionDetail
Similar to get_permission, this method can be called for more than one user at a time.
get_permission takes a principal as the input parameter. On the other hand, get_permissionDetail takes an array of principals as the input parameter. If you want to find out the permissions of three users, you can call get_permission three times or you can call get_permissionDetail once.
- who_hasPermission
Enables a user to find out who owns a given permission.
![[Important]](../images/important.gif) | Important |
|---|---|
It is not recommended to change permissions directly in the configuration file. However, if the administrator wants to change default permissions for new users (meaning changing permissions for the group system#everyone), there is no other possibility. Before making any changes to these permissions, we strongly recommend making a reserve copy of the configuration. The permissions for special users or groups are stored in the file permission_list.xml. | |
Permissions and User Roles Locate
Many systems use user roles in addition to permissions. A user role is usually a set of permissions; it can be predefined in the system or be user-defined. In BEA AquaLogic Service Registry, the user roles mechanism is implemented by groups. The administrator is allowed to set permissions not only for individual users but also for groups. Instead of restricting the relationship to users and roles, it is possible to create groups, set permissions for them and then add users into these groups. This "group" mechanism in BEA AquaLogic Service Registry is nearly the same as user role mechanism and it is used instead of user roles. For more information, see Group Management.
ApiManagerPermission Reference Locate
ApiManagerPermission allow user to use operation in a privileged mode. The following tables explain what does it mean for certain APIs and operations.
Table 2. Account API (org.systinet.uddi.account.AccountApi)
| operation (action) | Description |
|---|---|
| find_userAccount | Not used. |
| get_userAccount | Allows to get foreign account. |
| save_userAccount | Allows to save/update any account. Allows to set up non default limits. Allows to skip mail confirmation (if it is required). |
| delete_userAccount | Allows to delete any account. |
| enable_userAccount | Not used. |
Table 3. Admin Utils API (org.systinet.uddi.admin.AdministrationUtilsApi)
| operation (action) | Description |
|---|---|
| deleteTModel | Allows to call the deleteTModel operation. (ApiUserPermission is not sufficient to call the operation.) |
| replaceKey | Allows to call the replaceKey operation. (ApiUserPermission is not sufficient to call the operation.) |
| cleanSubscriptionHistory | Allows to call the cleanSubscriptionHistory operation. (ApiUserPermission is not sufficient to call the operation.) |
| resetDiscoveryURLs | Allows to call the resetDiscoveryURLs operation. (ApiUserPermission is not sufficient to call the operation.) |
| transform_keyedReferences | Allows to call the transform_keyedReferences operation. (ApiUserPermission is not sufficient to call the operation.) |
| rebuild_cache | Allows to call the rebuild_cache operation. (ApiUserPermission is not sufficient to call the operation.) |
| replaceURL | Allows to call the replaceURL operation. (ApiUserPermission is not sufficient to call the operation.) |
Table 4. Category API (org.systinet.uddi.client.category.v3.CategoryApi)
| operation (action) | Description |
|---|---|
| set_category | Allows to call the set_category operation. (ApiUserPermission is not sufficient to call the operation.) |
| add_category | Allows to call the add_category operation. (ApiUserPermission is not sufficient to call the operation.) |
| move_category | Allows to call the move_category operation. (ApiUserPermission is not sufficient to call the operation.) |
| delete_category | Allows to call the delete_category operation. (ApiUserPermission is not sufficient to call the operation.) |
| find_category | Not used. |
| get_category | Not used. |
| get_rootCategory | Not used. |
| get_rootPath | Not used. |
Table 5. Custody API (org.systinet.uddi.client.custody.v3.UDDI_CustodyTransfer_PortType)
| operation (action) | Description |
|---|---|
| get_transferToken | Allows to call the get_transferToken operation on foreign entities. |
| discard_transferToken | Allows to call the discard_transferToken operation on foreign tokens. |
Table 6. Group API (org.systinet.uddi.group.GroupApi)
| operation (action) | Description |
|---|---|
| find_group | Allows to find foreign private groups. |
| get_group | Allows to get foreign private groups. |
| save_group | Allows to save/update foreign groups. |
| delete_group | Allows to delete foreign groups. |
| where_amI | Not used. |
| find_user | Not used. |
| add_user | Not used. |
| remove_user | Not used. |
Table 7. Inquiry V1 API (org.systinet.uddi.client.v1.InquireSoap)
| operation (action) | Description |
|---|---|
| find_binding | Allows to find all bindingTemplates despite ACL rights. |
| find_business | Allows to find all businessEntities despite ACL rights. |
| find_services | Allows to find all services despite ACL rights. |
| find_tModel | Allows to find all tModels despite ACL rights. |
| get_bindingDetail | Allows to get any bindingTemplate despite ACL rights. |
| get_businessDetail | Allows to get any businessEntity despite ACL rights. |
| get_businessDetailExt | Not used. |
| get_serviceDetail | Allows to get any businessService despite ACL rights. |
| get_tModelDetail | Allows to get any tModel despite ACL rights. |
Table 8. Inquiry V2 API (org.systinet.uddi.client.v2.Inquire)
| operation (action) | Description |
|---|---|
| find_binding | Allows to find all bindingTemplates despite ACL rights. |
| find_business | Allows to find all businessEntities despite ACL rights. |
| find_relatedBusinesses | Allows to find all related businessEntities despite ACL rights. |
| find_services | Allows to find all services despite ACL rights. |
| find_tModel | Allows to find all tModels despite ACL rights. |
| get_bindingDetail | Allows to get any bindingTemplate despite ACL rights. |
| get_businessDetail | Allows to get any businessEntity despite ACL rights. |
| get_businessDetailExt | Not used. |
| get_serviceDetail | Allows to get any businessService despite ACL rights. |
| get_tModelDetail | Allows to get any tModel despite ACL rights. |
Table 9. Inquiry V3 API (org.systinet.uddi.client.v3.UDDI_Inquiry_PortType)
| operation (action) | Description |
|---|---|
| find_binding | Allows to find all bindingTemplates despite ACL rights. |
| find_business | Allows to find all businessEntities despite ACL rights. |
| find_relatedBusinesses | Allows to find all related businessEntities despite ACL rights. |
| find_services | Allows to find all services despite ACL rights. |
| find_tModel | Allows to find all tModels despite ACL rights. |
| get_bindingDetail | Allows to get any bindingTemplate despite ACL rights. |
| get_businessDetail | Allows to get any businessEntity despite ACL rights. |
| get_operationalInfo | Not used. |
| get_serviceDetail | Allows to get any businessService despite ACL rights. |
| get_tModelDetail | Allows to get any tModel despite ACL rights. |
Table 10. Permission API (org.systinet.uddi.permission.PermissionApi)
| operation (action) | Description |
|---|---|
| get_permission | Allows to call the get_permission operation on foreign accounts and groups. |
| set_permission | Allows to call the set_permission operation. (ApiUserPermission is not sufficient to call the operation.) |
| who_hasPermission | Allows to call the who_hasPermission operation. (ApiUserPermission is not sufficient to call the operation.) |
| find_principal | Allows to call the find_principal operation. (ApiUserPermission is not sufficient to call the operation.) |
Table 11. Publishing V1 API (org.systinet.uddi.client.v1.PublishSoap)
| operation (action) | Description |
|---|---|
| delete_binding | Allows deletion of any bindingTemplate despite ACL rights. |
| delete_business | Allows deletion of any businessEntity despite ACL rights |
| delete_service | Allows deletion of any businessService despite ACL rights |
| delete_tModel | Allows deletion of any tModel despite ACL rights |
| save_binding | * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking. |
| save_business | * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking. |
| save_service | * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking. |
| save_tModel | * Allows to update any tModel despite ACL rights. * Skips tModels limit checking. |
| get_authToken | Not used. |
| discard_authToken | Not used. |
| get_registeredInfo | Not used. |
| validate_categorization | Not used. |
Table 12. Publishing V2 API (org.systinet.uddi.client.v2.Publish)
| operation (action) | Description |
|---|---|
| delete_binding | Allows deletion of any bindingTemplate despite ACL rights. |
| delete_business | Allows deletion of any businessEntity despite ACL rights |
| delete_service | Allows deletion of any businessService despite ACL rights |
| delete_tModel | Allows deletion of any tModel despite ACL rights |
| save_binding | * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking. |
| save_business | * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking. |
| save_service | * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking. |
| save_tModel | * Allows to update any tModel despite ACL rights. * Skips tModels limit checking. |
| add_publisherAssertions | Skips assertions limit checking in add_publisherAssertions operation. |
| set_publisherAssertions | Skips assertions limit checking in set_publisherAssertions operation. |
| delete_publisherAssertions | Not used. |
| get_publisherAssertions | Not used. |
| get_assertionStatusReport | Not used. |
| get_authToken | Not used. |
| discard_authToken | Not used. |
| get_registeredInfo | Not used. |
Table 13. Publishing V3 API (org.systinet.uddi.client.v3.UDDI_Publication_PortType)
| operation (action) | Description |
|---|---|
| delete_binding | Allows deletion of any bindingTemplate despite ACL rights. |
| delete_business | Allows deletion of any businessEntity despite ACL rights |
| delete_service | Allows deletion of any businessService despite ACL rights |
| delete_tModel | Allows deletion of any tModel despite ACL rights |
| save_binding | * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking. |
| save_business | * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking. |
| save_service | * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking. |
| save_tModel | * Allows to update any tModel despite ACL rights. * Skips tModels limit checking. |
| add_publisherAssertions | Skips assertions limit checking in add_publisherAssertions operation. |
| set_publisherAssertions | Skips assertions limit checking in set_publisherAssertions operation. |
| delete_publisherAssertions | Not used. |
| get_publisherAssertions | Not used. |
| get_assertionStatusReport | Not used. |
| get_registeredInfo | Not used. |
Table 14. Replication V3 API (org.systinet.uddi.replication.v3.ReplicationApi)
| operation (action) | Description |
|---|---|
| replicate | Allows to call the replicate operation. (ApiUserPermission is not sufficient to call the operation.) |
Table 15. Statistics API (org.systinet.uddi.statistics.StatisticsApi)
| operation (action) | Description |
|---|---|
| get_accessStatistics | Allows to call the get_accessStatistics operation. (ApiUserPermission is not sufficient to call the operation.) |
| reset_accessStatistics | Allows to call the reset_accessStatistics operation. (ApiUserPermission is not sufficient to call the operation.) |
| get_structureStatistics | Allows to call the get_structureStatistics operation. (ApiUserPermission is not sufficient to call the operation.) |
Table 16. Subscription V3 API (org.systinet.uddi.client.subscription.v3.UDDI_Subscription_PortType)
| operation (action) | Description |
|---|---|
| delete_subscription | Allows to delete any subscription despite the caller is not a subscription owner. |
| save_subscription | * Allows to update any subscription despite the caller is not a subscription owner. * Skips subscription limit checking. |
| get_subscriptionResults | Allows to get result of any subscription despite the caller is not a subscription owner. |
| get_subscriptions | Allows to get any subscription despite the caller is not a subscription owner. |
Table 17. Taxonomy API (com.systinet.uddi.taxonomy.v3.TaxonomyApi)
| operation (action) | Description |
|---|---|
| get_taxonomy | Allows to obtain all categories in the taxonomy. |
| find_taxonomy | Not used. |
| save_taxonomy | Allows to call the save_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.) |
| delete_taxonomy | Allows to call the delete_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.) |
| download_taxonomy | Allows to call the download_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.) |
| upload_taxonomy | Allows to call the upload_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.) |