Package com.evolveum.midpoint.security.enforcer.api

Interface ItemSecurityConstraints

All Superinterfaces:
DebugDumpable
public interface ItemSecurityConstraints extends DebugDumpable
Compiled security constraints for a given prism value (usually containerable) and operation, at the granularity of individual contained items. Basically, it can answer questions whether the operation is allowed for given item (with children) or all item paths. Contained in ObjectSecurityConstraints. However, the latter contains information about multiple operations and phases. This one does not.
Author:
semancik

  • Method Details

    • findAllItemsDecision

      @Nullable @Nullable AuthorizationDecisionType findAllItemsDecision()
      Returns the explicit allow-deny decision (if present) that is common to all paths in the value. - `DENY` means that the access to all items in the value is explicitly _denied_. - `ALLOW` means that the access to all items in the value is explicitly _allowed_. (But beware, some of the items inside may still be explicitly denied, which then takes precedence over being allowed.) - `null` means that neither of the above is the case.

    • findItemDecision

      @Nullable @Nullable AuthorizationDecisionType findItemDecision(@NotNull @NotNull ItemPath nameOnlyItemPath)
      Returns the explicit allow-deny decision (if present) for the particular item and all its sub-items. - `DENY` means that the access to this item and all its sub-items is explicitly _denied_. - `ALLOW` means that the access to this item and all its sub-items is explicitly _allowed_. (But beware, some of the sub-items may still be explicitly denied, which then takes precedence over being allowed.) - `null` means that the access to this item is neither explicitly denied nor allowed. For structured items this means that individual children may still be denied or allowed.