Programming Guides › Programming Guide for Java › Managed Objects › Access to Objects in the Data Store › Attribute and Permission Requests › Permission Request Rules

Permission Request Rules

CA Identity Manager calculates the access permission for a particular attribute based upon information in the current task context and information stored on the server, namely, upon the attribute’s permissions for all roles that contain the current task and that involve the current administrator and operation.

If a permission request specified in AttributeRightsCollection differs from the calculated permission for a given attribute, the following rules apply:

• If a permission request is more restrictive than the calculated permission, the requested permission applies to the attribute. For example, if you pass in a READONLY request for a READWRITE attribute, the READONLY permission is used.

  The requested permission applies over the calculated permission only in the current instance of the managed object.

• If a permission request is less restrictive than the calculated permission, the calculated permission is used.