Consider, for instance, the following security policy:
Consider also a user belonging to both admin and manager roles.
What does the following call return?

```java
boolean result = authzManager.authorize(perspective1, user);
```
This is a conflicting scenario which requires understanding how the permission resolution mechanism works.

The AuthorizationManager interface provides different voting strategies. A voting strategy is a very simple algorithm that, given a partial list of results, chooses a winner. There are 4 available strategies:

| Strategy | Description |
|---|---|
| AFFIRMATIVE | It is the most lenient strategy. Only a single positive vote is required |
| CONSENSUS | It is based on general agreement. It requires a majority of positive votes |
| UNANIMOUS | It is the least lenient strategy. It requires 100% of positive votes |
| PRIORITY | It is based on role/group priorities. The highest priority result wins |
The voting strategy can be passed as a parameter to any of the methods provided by the AuthorizationManager. For example:

```java
boolean result = authzManager.authorize(perspective1, user, VotingStrategy.AFFIRMATIVE);
```
Given the example at the beginning of this section, the answer to the question varies depending on the strategy chosen:
| Strategy | Result |
|---|---|
| PRIORITY | (Role priority, see below) |
When no voting strategy is passed as a parameter, the system's default voting strategy is used, which can be read or changed as follows:

```java
@Inject
PermissionManager permissionManager;

// getDefaultVotingStrategy() returns a VotingStrategy value, not an int
VotingStrategy defaultStrategy = permissionManager.getDefaultVotingStrategy();
permissionManager.setDefaultVotingStrategy(VotingStrategy.AFFIRMATIVE);
```

Notice that the system is configured by default to use VotingStrategy.PRIORITY.
The PRIORITY based strategy is a bit special since it requires setting a priority level for each role within the security policy. If no priority is defined then the value 0 is taken. Given that, the answer to the question at the beginning of this section would be true, since the two roles have priority=0; in that case the first role (admin) is taken, which means result=true.
Now consider the following changes to the policy:

```properties
role.admin.priority=1
role.manager.priority=2
role.admin.permission.perspective.read=true
role.manager.permission.perspective.read=false
```
In this case the result would be false since the manager role has higher priority.
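The following stand-alone program, added here as an illustration and not part of the Uberfire code base, models the four voting strategies from the table above and replays the two PRIORITY cases of this section (equal priorities with the first role winning, then manager outranking admin). The class and method names (`VotingDemo`, `Vote`, `resolve`, `votesFor`) are hypothetical, the policy map is constructed from the properties shown above, and the handling of a CONSENSUS tie as a denial is an assumption, not documented behaviour:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical model of the voting strategies; not Uberfire's AuthorizationManager implementation.
public class VotingDemo {

    enum VotingStrategy { AFFIRMATIVE, CONSENSUS, UNANIMOUS, PRIORITY }

    /** One role's vote on a permission: its priority and its result (null = no policy entry, abstains). */
    static final class Vote {
        final String role;
        final int priority;
        final Boolean granted;
        Vote(String role, int priority, Boolean granted) {
            this.role = role;
            this.priority = priority;
            this.granted = granted;
        }
    }

    /** Resolves the votes (in policy order) to a single boolean under the given strategy. */
    static boolean resolve(List<Vote> votes, VotingStrategy strategy) {
        int positives = 0;
        int negatives = 0;
        Vote winner = null;
        for (Vote v : votes) {
            if (v.granted == null) continue;               // abstaining role is ignored
            if (v.granted) positives++; else negatives++;
            // PRIORITY: strictly higher priority replaces the winner, so on a tie the first role is kept
            if (winner == null || v.priority > winner.priority) winner = v;
        }
        switch (strategy) {
            case AFFIRMATIVE: return positives > 0;                    // a single grant is enough
            case CONSENSUS:   return positives > negatives;            // strict majority; a tie denies (assumption)
            case UNANIMOUS:   return positives > 0 && negatives == 0;  // every voting role must grant
            case PRIORITY:    return winner != null && winner.granted;
            default: throw new IllegalArgumentException("unknown strategy " + strategy);
        }
    }

    /** Builds the votes for a user's roles; a role without a priority entry defaults to 0, as the text states. */
    static List<Vote> votesFor(Map<String, Integer> priorities, Map<String, Boolean> perspectiveRead,
                               List<String> userRoles) {
        List<Vote> votes = new ArrayList<>();
        for (String role : userRoles) {
            int prio = priorities.getOrDefault(role, 0);
            votes.add(new Vote(role, prio, perspectiveRead.get(role)));
        }
        return votes;
    }

    public static void main(String[] args) {
        // Constructed policy: admin may read the perspective, manager may not.
        Map<String, Boolean> perspectiveRead = new LinkedHashMap<>();
        perspectiveRead.put("admin", true);
        perspectiveRead.put("manager", false);
        List<String> user = Arrays.asList("admin", "manager");   // user belongs to both roles

        // Case 1: no priorities defined, so both default to 0 and the first role (admin) wins under PRIORITY.
        List<Vote> votes = votesFor(new LinkedHashMap<>(), perspectiveRead, user);
        for (VotingStrategy s : VotingStrategy.values()) {
            System.out.println(s + " -> " + resolve(votes, s));
        }

        // Case 2: role.admin.priority=1, role.manager.priority=2, so manager outranks admin and PRIORITY denies.
        Map<String, Integer> priorities = new LinkedHashMap<>();
        priorities.put("admin", 1);
        priorities.put("manager", 2);
        System.out.println("PRIORITY (manager=2) -> "
                + resolve(votesFor(priorities, perspectiveRead, user), VotingStrategy.PRIORITY));
    }
}
```

Running the program shows why the choice of strategy matters for a user with conflicting roles: the same two votes resolve to a grant under AFFIRMATIVE and a denial under UNANIMOUS, while PRIORITY flips from true to false as soon as the manager role is given a higher priority than admin.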