Permission Resolution
Consider, for instance, the following security policy:
role.admin.permission.perspective.read=true
role.manager.permission.perspective.read=false
Consider also a user belonging to both admin and manager roles.
What does the following call return?
boolean result = authzManager.authorize(perspective1, user);
This is a conflictive scenario wich requires to understand how the permission resolution mechanism works.
Voting strategy
The AuthorizationManager interface provides different voting strategies. A voting strategy is a very simple algorithm that given a partial list of results chooses a winner. There exists 4 available strategies:
| Strategy | Description |
|---|---|
| AFFIRMATIVE | It is the most lenient strategy. Only a single positive vote is required |
| CONSENSUS | It is based on general agreement. It requires a majority of positive votes |
| UNANIMOUS | It is the least lenient strategy. It requires a 100% of positive votes |
| PRIORITY | It is based on role/group priorities. The highest priority result wins |
The voting strategy can be passed as a parameter to any of the methods provided by the AuthorizationManager. For example:
boolean result = authzManager.authorize(perspective1, user, VotingStrategy.AFFIRMATIVE);
Given the example at the beginning of this section, the answer to the question varies depending on the strategy chosen:
| Strategy | Result |
|---|---|
| AFFIRMATIVE | true |
| CONSENSUS | false |
| UNANIMOUS | false |
| PRIORITY | (Role priority, see below) |
When no voting strategy is passed as a parameter then the system's default voting strategy is used, which can be read or changed as follows:
@Inject
PermissionManager permissionManager;
int defaultStrategy = permissionManager.getDefaultVotingStrategy();
permissionManager.setDefaultVotingStrategy(VotingStrategy.AFFIRMATIVE);
Notice, the system is configured by default to use the VotingStrategy.PRIORITY
Role priority
The PRIORITY based strategy is a bit special since it requires to
set a priority level for each role within the security policy. If no priority is defined then the value 0 is taken.
Given so, the answer to the question at the initial of this section would be true since the two roles have priority=0, in such case the first role (admin) is taken, which means result=true.
Now consider the following changes to the policy:
role.admin.priority=1
role.manager.priority=2
role.admin.permission.perspective.read=true
role.manager.permission.perspective.read=false
In this case the result would be false since the manager role has higher priority.