Authorization permission checks
The table in this section describes administrative operations and corresponding authorization permissions.
- No ACLs are added on delegation protected objects under /Management/Groups without taking advantage of delegated user and group management.
- All delegation protected objects under /Management/Groups inherit the same ACL that /Management/Groups uses.
You do not have to verify whether each group has protected objects that are associated with it. Verifying /Management/Groups is sufficient.
adminidas the account that is requesting administration operation.
| Administrative operations | Permission | Verification of permissions |
|---|---|---|
RgyRegistry.createUser({groups}) |
“N” | If no group exists, check permission on /Management/Users. Otherwise, check permission on /Management/Groups. |
RgyUser.importNativeUser({group}) |
“N” | If the specified group {group} does not exist check the permission on /Management/Users. Otherwise, check the permission on /Management/Groups. |
RgyUser.attributeAdd()
RgyUser.attributeDelete()
|
“m” | Check permission on /Management/Groups if not permitted. If the user does not have group membership, deny access and check permission on /Management/Groups. |
RgyUser.attributeAdd() RgyUser.attributeDelete()
|
“m” | If the {userid} is the same as {adminid} deny access. Otherwise, check permission on /Management/Users. If {userid} has no group membership, deny access. Otherwise, check permission on /Management/Groups. |
RgyUser.setPassword() for user {userid} |
“W” | If the {userid} is the same as {adminid} permit access. Otherwise, check permissions on /Management/Users. If {userid} has no group membership, deny access. Otherwise, check permission on /Management/Groups. |
RgyRegistry.deleteUser({userid}) |
“d” | If the {userid} is the same as {adminid} deny access. Otherwise, check permissions on /Management/Users. If {userid} has no group membership, deny access. otherwise, check permission on /Management/Groups. |
RgyUser.listGroups() RgyUser.listNativeGroups() |
The permission check that is performed for RgyRegistry.getUser() was sufficient. Permit access. |
|
RgyRegistry.getUser({userid}) |
“v” | If the {userid} is the same as {adminid} permit access. Otherwise, check permission on /Management/Users. If {userid} does not belong to a group, deny permission. Otherwise, check permission on /Management/Users. |
RgyRegistry.getNativeUser({dn}) |
“v” | Map the distinguished name {dn} to the group {groupid}. If mapping does not exists, permit. If a mapping exists, then check permission on /Management/Users. If {userid} does not have any group, check permission on the /Management/Users. |
RgyUser.getAttributeValues() RgyUser.getOneAttributeValue() for all non-policy attributes. |
The permission check done for RgyRegistry.getUser() was sufficient. Permit access. |
|
RgyRegistry.listUsers() RgyRegistry.listNativeUsers() |
There are delegation effects on the operation results in the follow-up table. | |
RgyRegistry.createGroup() |
“N” | Check permission on /Management/Groups. |
RgyRegistry.deleteGroup() |
“d” | Check permission on /Management/Groups. |
RgyGroup.importNativeGroup() |
“N” | Check permission on /Management/Groups. |
RgyRegistry.listGroups() RgyRegistry.listNativeGroups() |
Permit (there are delegation effects on the operation results in the follow-up table). | |
RgyGroup.addMembers() |
“A” | Check permission on /Management/Groups. |
group modify {groupid} description |
“m” | Check permission on /Management/Groups. |
RgyGroup.removeMembers() |
“A” | Check permission on /Management/Groups. |
RgyRegistry.getGroup() |
“v” | Check permission on /Management/Groups. |
RgyRegistry.getNativeGroup({dn}) |
“v” | Map the distinguished name {dn} to the group {groupid}. If no mapping exists, permit. Otherwise, check permission on /Management/Groups. |
|
|
“v” | Check permission on /Management/Groups. |
|
|
This differs from the permission check performed by the regular Verify Identity Access API. The regular Verify Identity Access API checks for the permission IVACTION_VIEW “v” on /Management/Policy. This API does not perform any additional permission checks. It completes permission check when fetching the user using |
|
|
|
“m” | Check permission on /Management/Groups. |
When you use the Registry Direct Java API, you must fetch the user before you modify the user. Assign view permission (v) and modify permission (m ) for the administrator to modify either a user or a group.