com.tivoli.mts
Class PDPermission

java.lang.Object
  java.security.Permission
      com.ibm.IBMPermission
          com.tivoli.mts.PDPermission

All Implemented Interfaces:

java.io.Serializable, java.security.Guard

public class PDPermission
extends com.ibm.IBMPermission

This class represents an authorization permission for accessing a resource object in the protected domain defined by Policy Director.

PDPermission allows usage of Policy Director as the authorization backend for normal Java 2 permission checks. In PD 3.7, ivacld offers an SSL-based access mode for remote ACL checking. Permission check is done by implies() method which sets up an SSL-based connection to a remote ivacld server for the authorization check.

Permissions are created with resource name and actions. They are immutable once they are created.

The actions must correspond to one of the operations for which a Policy Director permission has been defined. The actions strings use this format: [action group name]action list. Action group name is optional. Action list consists of action names which are one character in length. Examples of valid actions strings are: "[primary]rwc" "rw" "[java]rc[primary]rwx". The following is a list of action names defined and used in Policy Director.

• A add
• B bypasstod operation
• C connect
• D chdir
• G surrogate
• I integrity
• K kill
• L login
• N create
• P privacy
• R rename
• T traverse operation
• U utime
• W password
• X alias
• a attach operation
• b browse operation
• c control operation
• d deletion
• f forward
• g delegation
• l list directory
• m modification
• o chown
• p chmod
• r read operation
• s server admintration
• v azn_operation_view
• w write
• x execution

The requested resource to query for must correspond to a resource that has been defined as a protected object within Policy Director's protected object namespace. NOTE: As of IBM Tivoli Access Manager for e-business v5.1, this entire class is deprecated. Equivalent function is in the com.tivoli.pd.jazn.PDPermission class.

See Also:

PDPermission, Serialized Form

Constructor Summary

PDPermission(java.lang.String rname, java.lang.String actions)
Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this constructor is replaced by the equivalent constructor in the PDPermission class.

Method Summary

boolean	equals(java.lang.Object obj) Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
java.lang.String	getActions() Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
PDMessages	getPDMessages() Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
int	hashCode() Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
boolean	implies(PDPrincipal princ) Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
boolean	implies(PDPrincipal princ, PDAttrs inputList, PDAttrs outputList) Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.
boolean	implies(java.security.Permission p) Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Methods inherited from class java.security.Permission

checkGuard, getName, newPermissionCollection, toString

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

PDPermission

public PDPermission(java.lang.String rname,
                    java.lang.String actions)

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this constructor is replaced by the equivalent constructor in the PDPermission class.

Creates a new PDPermission object with the specified actions and resource.

Action names can only be one character in length. Policy Director 3.6 supported the following actions:

• a attach
• B bypasstod
• b browse
• c control
• T traverse
• g delegation
• v view
• m modify
• d delete
• s server administration
• I integrity
• P privacy
• r read
• x execute
• l list_directory
• C connect
• f forward
• A add

Policy Director 3.7 adds some more extended operations:

• w write
• N create
• o chown
• p chmod
• D chdir
• R rename
• U utime
• K kill
• X alias
• L login
• G surrogate
• W password

Administrators may add additional action groups and additional permissions.

Parameters:

rname - name of the target resource object.

actions - name of the requested operations. The actions can be concatenated together to form complex operation strings. The format is "[""]"< action-name>.. "[""]".... Example action strings for the AznAPI would be: "[primary]rwc" "rw" "[java]rc[primary]rwx". "primary" is the default action group if an action group name is not specified.

Method Detail

implies

public boolean implies(java.security.Permission p)

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Checks to see if Policy Director grants the specified permission.

More specifically, this method returns true if:

• p is an instanceof PDPermission,

• p's actions are a proper subset of this object's action map, and

• p is a permission granted by pdacld to the PDPrincipal in the current Subject

Specified by:

implies in class com.ibm.IBMPermission

Parameters:

p - the permission to check.

Returns:

true if the specified permission is granted by Policy Director,false if not.

implies

public boolean implies(PDPrincipal princ)

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Checks if Policy Director grants the specified permissions to the PDPrincipal.

More specifically, this method returns true if:

• princ is nonnull

• this PDPermission's actions are a proper subset of this object's action map, and

• the specified actions are allowed by ivacld for the specified principal

Parameters:

princ - the PDPrincipal whose permissions will be checked.

Returns:

true if the specified permission is implied by this object, false if not.

implies

public boolean implies(PDPrincipal princ,
                       PDAttrs inputList,
                       PDAttrs outputList)

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Checks if Policy Director grants the specified permissions to the PDPrincipal.

More specifically, this method returns true if:

• princ is nonnull

• this PDPermission's actions are a proper subset of this object's action map, and

• the specified actions are allowed by Policy Director for the specified principal

Parameters:

princ - the PDPrincipal whose permissions will be checked.

inputList - the input attribute list passed to server.

outputList - the output attribute list received from server.

Returns:

true if the specified permission is implied by this object, false if not.

equals

public boolean equals(java.lang.Object obj)

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Checks two PDPermission objects for equality. Checks that obj is a PDPermission, and has the same name and actions as this object.

Specified by:

equals in class com.ibm.IBMPermission

Parameters:

obj - the object we are testing for equality with this object.

Returns:

true if obj is a PDPermission, and has the same name and actions as this PDPermission object.

getActions

public java.lang.String getActions()

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Returns the canonical string representation of the actions.

Specified by:

getActions in class java.security.Permission

Returns:

the canonical string representation of the actions.

hashCode

public int hashCode()

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Returns the hash code value for this object.

Specified by:

hashCode in class com.ibm.IBMPermission

Returns:

a hash code value for this object.

getPDMessages

public PDMessages getPDMessages()

Deprecated. As of IBM Tivoli Access Manager for e-business v5.1, this method is replaced by the equivalent method in the PDPermission class.

Converts any error codes received on the last implies() call into a PDMessages object and returns it. If no error codes were returned, null is returned.

Returns:

a PDMessages object describing errors on the last implies() call, or null.