Package org.keycloak.services.resources.admin.permissions

Interface UserPermissionEvaluator

public interface UserPermissionEvaluator

Version:

$Revision: 1 $

Author:

Bill Burke

Method Summary

Modifier and Type	Method	Description
boolean	canImpersonate()	Returns true if the caller has the ImpersonationConstants.IMPERSONATION_ROLE.
boolean	canImpersonate(UserModel user, ClientModel requester)	Returns true if the caller has the ImpersonationConstants.IMPERSONATION_ROLE.
boolean	canManage()	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManage(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManageGroupMembership(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canMapRoles(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canQuery()	Returns true if the caller has at least one of AdminRoles.QUERY_USERS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canView()	Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canView(UserModel user)	Returns true if the caller has at least one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
Map<String,Boolean>	getAccess(UserModel user)	Returns Map with information what access the caller for the provided user has.
void	grantIfNoPermission(boolean grantIfNoPermission)
boolean	isImpersonatable(UserModel user, ClientModel requester)	Deprecated.
void	requireImpersonate(UserModel user)	Throws ForbiddenException if canImpersonate(UserModel, ClientModel) returns false.
void	requireManage()	Throws ForbiddenException if canManage() returns false.
void	requireManage(UserModel user)	Throws ForbiddenException if canManage(UserModel) returns false.
void	requireManageGroupMembership(UserModel user)	Throws ForbiddenException if canManageGroupMembership(UserModel) returns false.
void	requireMapRoles(UserModel user)	Throws ForbiddenException if canMapRoles(UserModel) returns false.
void	requireQuery()	Throws ForbiddenException if canQuery() returns false.
void	requireView()	Throws ForbiddenException if canView() returns false.
void	requireView(UserModel user)	Throws ForbiddenException if canView(UserModel) returns false.

Method Details

requireManage

void requireManage()

Throws ForbiddenException if canManage() returns false.

requireManage

void requireManage(UserModel user)

Throws ForbiddenException if canManage(UserModel) returns false.

canManage

boolean canManage()

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE users.

canManage

boolean canManage(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the user.

Or if it has a permission to AdminPermissionsSchema.MANAGE_MEMBERS of the group chain the user is associated with.

requireQuery

void requireQuery()

Throws ForbiddenException if canQuery() returns false.

canQuery

boolean canQuery()

Returns true if the caller has at least one of AdminRoles.QUERY_USERS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE users.

requireView

void requireView()

Throws ForbiddenException if canView() returns false.

requireView

void requireView(UserModel user)

Throws ForbiddenException if canView(UserModel) returns false.

canView

boolean canView()

Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE users.

canView

boolean canView(UserModel user)

Returns true if the caller has at least one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW or AdminPermissionsSchema.MANAGE the user.

Or if it has a permission to AdminPermissionsSchema.VIEW_MEMBERS of the group chain the user is associated with.

requireImpersonate

void requireImpersonate(UserModel user)

Throws ForbiddenException if canImpersonate(UserModel, ClientModel) returns false.

canImpersonate

boolean canImpersonate()

Returns true if the caller has the ImpersonationConstants.IMPERSONATION_ROLE.

Or if it has a permission to AdminPermissionsSchema.IMPERSONATE users.

canImpersonate

boolean canImpersonate(UserModel user,
 ClientModel requester)

Returns true if the caller has the ImpersonationConstants.IMPERSONATION_ROLE.

NOTE: If requester is provided, it's clientId is added to evaluation context.

Or if it has a permission to AdminPermissionsSchema.IMPERSONATE the user.

getAccess

Map<String,Boolean> getAccess(UserModel user)

Returns Map with information what access the caller for the provided user has.

requireMapRoles

void requireMapRoles(UserModel user)

Throws ForbiddenException if canMapRoles(UserModel) returns false.

canMapRoles

boolean canMapRoles(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the user or AdminPermissionsSchema.MAP_ROLES of the user.

Or if it has a permission to AdminPermissionsSchema.MANAGE_MEMBERS of the group chain the user is associated with.

requireManageGroupMembership

void requireManageGroupMembership(UserModel user)

Throws ForbiddenException if canManageGroupMembership(UserModel) returns false.

canManageGroupMembership

boolean canManageGroupMembership(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the user or AdminPermissionsSchema.MANAGE_GROUP_MEMBERSHIP of the user.

Or if it has a permission to AdminPermissionsSchema.MANAGE_MEMBERS of the group chain the user is associated with.

isImpersonatable

@Deprecated
boolean isImpersonatable(UserModel user,
 ClientModel requester)

Deprecated.

grantIfNoPermission

void grantIfNoPermission(boolean grantIfNoPermission)