CA Identity Manager
Java SDK r12.5 SP 8

 

com.netegrity.llsdk6.imsapi.provider
Interface SecurityProvider


public interface SecurityProvider

Provides security information for the current Identity Manager environment, such as the operations that an administrator can perform in the environment, and the objects that are in an administrator's scope.

An object that is "in scope" is an object that can be managed.

This and all Identity Manager providers are retrieved through ProviderAccessor.

Since:
Identity Manager 8.1

Method Summary
 OrgScopeConstraint buildOrgScopeConstraint(TSContext ctx, ObjectType type)
          Retrieves all the scope rules associated with the specified object type for the administrator and task in the current task context.
 boolean canAdminAssignRole(TSContext tsCtx, java.util.Vector roles)
          Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakePrimaryObjectMemberOfRoles().
 boolean canAdminExecuteTask(User admin, java.lang.String taskTag)
          This call verifies that the administrator has some role that allows him/her to perform the task specified by task tag.
 boolean canAdminExecuteTask(User admin, Task task)
          Verifies whether the specified administrator is assigned to a role that allows him to perform the specified task.
 boolean canAdminExecuteTaskOnObject(TSContext tsCtx, ManagedObject obj)
          Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminExecuteTaskOnObjects(), which passes a Vector of objects.
 boolean canAdminExecuteTaskOnObjects(TSContext tsCtx, java.util.Vector objs)
          Determines if the specified objects are in scope for the current administrator in the current task.
 java.util.Vector canAdminExecuteTaskOnObjectsDetailed(TSContext tsCtx, java.util.Vector objs)
          Determines if the specified objects are in scope for the current administrator in the current task.
 boolean canAdminExecuteTaskOnObjectsEx(TSContext tsCtx, java.util.Vector objs)
          Determines if the specified objects can be used as subjects for the current administrator in the current task.
 boolean canAdminGrantAdmin(TSContext tsCtx, java.util.Vector users)
          Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakeUsersRoleAdministrators().
 boolean canAdminMakePrimaryObjectAdministratorOfRoles(TSContext tsCtx, java.util.Vector roles)
          Determines whether the subject of the task is an assignable object, and if so, whether the object can be assigned or removed as administrator for the specified roles.
 boolean canAdminMakePrimaryObjectMemberOfRoles(TSContext tsCtx, java.util.Vector roles)
          Determines whether the subject of the task is an assignable object, and if so, whether the object can be assigned or removed as a member of the specified roles.
 boolean canAdminMakeRoleMembers(TSContext tsCtx, java.util.Vector Users)
          Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakeUsersRoleMembers().
 boolean canAdminMakeUsersRoleAdministrators(TSContext tsCtx, java.util.Vector users)
          Determines if the current administrator can assign the specified users as administrators for the current role.
 boolean canAdminMakeUsersRoleAdministrators(TSContext tsCtx, java.util.Vector users, java.util.Vector allowed, java.util.Vector rejected)
          Determines if the current administrator can assign the specified users as administrators for the current role.
 boolean canAdminMakeUsersRoleMembers(TSContext tsCtx, java.util.Vector Users)
          Determines if the current administrator can assign the specified users to roles.
 boolean canAdminMakeUsersRoleMembers(TSContext tsCtx, java.util.Vector Users, java.util.Vector allowed, java.util.Vector rejected)
          Determines if the current administrator can assign the specified users to roles.
 boolean canAdminManageRoleAdministration(TSContext ctx)
          Determines whether the current administrator can assign and remove administrators for the current role.
 boolean canAdminManageRoleMembership(TSContext ctx)
          Determines whether the current administrator can add and remove members of the current role.
 boolean canEntityPerformAccessTask(AssignableObject user, AccessTask task)
          Determines if the specified AssignableObject (typically a user) is allowed to perform the specified access task.
 boolean canEntityPerformAdminTask(AssignableObject user, AdminTask task)
          Determines if the specified AssignableObject (typically a user) is allowed to perform the specified administrative task.
 boolean canUserAdministerGroup(User user, Group group)
          Determines if the user is allowed to administer the specified group.
 boolean canUserAdministerGroup(User user, Group group, GroupAdministratorType adminType)
          Determines if the user is allowed to administer the specified group.
 boolean canUserAdministerGroups(User user, java.util.Vector groups)
          Determines if the user is allowed to administer the specified groups.
 boolean canUserAdministerGroups(User user, java.util.Vector groups, GroupAdministratorType adminType)
          Determines if the user is allowed to administer the specified groups.
 java.util.Vector filterUsersAdminCanMakeRoleAdministrators(TSContext tsCtx, java.util.Vector users)
          Retrieves the role administrators that the current administrator can manage.
 java.util.Vector filterUsersAdminCanMakeRoleMembers(TSContext tsCtx, java.util.Vector users)
          Retrieves the role members that the current administrator can manage.
 java.util.Vector findAdministratorsAdminCanManage(TSContext tsCtx, UserFilter search, OrgScopeConstraint orgs, AttributeRightsCollection attrs)
          Retrieves the administrators of the current role that the current administrator can manage.
 java.util.Vector findAdminTasksAdminCanExecuteOnObject(User admin, ManagedObject obj)
          Determines the set of admin tasks the admin has for which the specified object is in scope.
 java.util.Vector findApplicableScopeRules(TSContext tsCtx, ObjectType o, ScopePurpose purpose)
          Return a vector of ScopeRules objects that apply to the current user and task, for a given object type and purpose.
 java.util.Map findApplicableScopeRules(TSContext tsCtx, java.util.Set objectTypes, ScopePurpose purpose)
          Return a map of ScopeRules objects that apply to the current user and task, for a given object type set and purpose.
 java.util.Vector findGroupAdministratorsInScope(TSContext tsCtx, AttributeRightsCollection attribs)
          Retrieves the users who are in scope for the current admin task, and who are also administrators of the current group.
 java.util.Vector findGroupMembersInScope(TSContext tsCtx, ObjectType type, AttributeRightsCollection attribs)
          Retrieves the members who are in scope for the current admin task, and who are also members of the current group.
 java.util.Vector findGroupsAdminCanManageInScope(TSContext tsCtx, GroupFilter filter, Organization searchTop, OrgScopeConstraint orgs, SearchDepthType searchDepth, AttributeRightsCollection attribs)
          Retrieves the groups in scope, matching an attribute filter and an organization scoping constraint, for the current admin/task that also exist within the specified organizational hierarchy, for which the current admin from the context is a group administrator.
 java.util.Vector findManagedObjectsInScope(TSContext tsCtx, ObjectType o, ScopePurpose purpose, GenericAttributeFilter additionalFilter, AttributeRightsCollection attrs)
          Find all the objects of type o that are in scope for the current admin and task, which also meet the specified additional filter.
 java.util.Vector findMembersAdminCanManage(TSContext tsCtx, UserFilter search, OrgScopeConstraint orgs, AttributeRightsCollection attrs)
          Retrieves the members of the current role that the current administrator can manage.
 java.util.Vector findUsersAdminCanMakeGroupMemberOrAdmin(TSContext ctx, UserFilter filt, OrgScopeConstraint orgs, AttributeRightsCollection atts)
          Retrieves the users that the current administrator can make members or administrators of the current groups.
 java.util.Vector findUsersAdminCanMakeRoleAdministrators(TSContext tsCtx, UserFilter search, OrgScopeConstraint orgs, AttributeRightsCollection attrs)
          Retrieves the users that the current administrator can assign to the current role as role administrators.
 java.util.Vector findUsersAdminCanMakeRoleMembers(TSContext tsCtx, UserFilter search, OrgScopeConstraint orgs, AttributeRightsCollection attrs)
          Retrieves the users that the current administrator can assign to the current role.
 java.util.Vector getGroupsAdminCanManageInScope(TSContext tsCtx, Organization searchTop, SearchDepthType searchDepth, AttributeRightsCollection attribs)
          Retrieves the groups in scope for the current admin/task that also exist within the specified organizational hierarchy, for which the current admin from the context is a group administrator.
 java.util.Vector getGroupsUserCanAdminister(User admin, Organization searchTop, SearchDepthType searchDepth, java.util.Enumeration attribs)
          Retrieves the groups that exist within the specified organizational hierarchy for which the administrator is a group administrator.
 java.util.Vector getGroupsUserCanAdminister(User admin, Organization searchTop, SearchDepthType searchDepth, java.util.Enumeration attribs, GroupReturnType groupReturnType)
          Retrieves the groups that exist within the specified organizational hierarchy for which the administrator is a group administrator.
 

Method Detail

canEntityPerformAdminTask

boolean canEntityPerformAdminTask(AssignableObject user,
                                  AdminTask task)
                                  throws SmApiException

Determines if the specified AssignableObject (typically a user) is allowed to perform the specified administrative task.

This call verifies that the administrator is assigned to a role that allows him to perform the specified task. The call is typically made when the task session is created and there is no task subject yet.

Parameters:
user - The object performing the task.
task - The admin task to perform.
Returns:
The result of the request.
Throws:
SmApiException

canEntityPerformAccessTask

boolean canEntityPerformAccessTask(AssignableObject user,
                                   AccessTask task)
                                   throws SmApiException

Determines if the specified AssignableObject (typically a user) is allowed to perform the specified access task.

This call verifies that the administrator is assigned to a role that allows him to perform the specified task.

Parameters:
user - The object performing the task.
task - The access task to perform.
Returns:
The result of the request.
Throws:
SmApiException

canUserAdministerGroup

boolean canUserAdministerGroup(User user,
                               Group group)
                               throws SmApiException

Determines if the user is allowed to administer the specified group.

Parameters:
user - The user performing the task.
group - The group in question.
Returns:
The result of the request.
Throws:
SmApiException

canUserAdministerGroup

boolean canUserAdministerGroup(User user,
                               Group group,
                               GroupAdministratorType adminType)
                               throws SmApiException

Determines if the user is allowed to administer the specified group.

Parameters:
user - The user performing the task.
group - The group in question.
adminType - The type of the groups; can be NONE or ALL for nested groups.
Returns:
The result of the request.
Throws:
SmApiException

canUserAdministerGroups

boolean canUserAdministerGroups(User user,
                                java.util.Vector groups)
                                throws SmApiException

Determines if the user is allowed to administer the specified groups.

Parameters:
user - The user performing the task.
groups - A Vector of Group objects.
Returns:
true if the user can administer all specified groups, else false.
Throws:
SmApiException

canUserAdministerGroups

boolean canUserAdministerGroups(User user,
                                java.util.Vector groups,
                                GroupAdministratorType adminType)
                                throws SmApiException

Determines if the user is allowed to administer the specified groups.

Parameters:
user - The user performing the task.
groups - A Vector of Group objects.
adminType - The type of the groups; can be NONE or ALL for nested groups.
Returns:
true if the user can administer all specified groups, else false.
Throws:
SmApiException

findUsersAdminCanMakeGroupMemberOrAdmin

java.util.Vector findUsersAdminCanMakeGroupMemberOrAdmin(TSContext ctx,
                                                         UserFilter filt,
                                                         OrgScopeConstraint orgs,
                                                         AttributeRightsCollection atts)
                                                         throws SmApiException
Retrieves the users that the current administrator can make members or administrators of the current groups. The users, administrator, and groups are all within the current task context.

Parameters:
ctx - Task context containing administrators and groups.
filt - User attribute filter for the search. If no filter is specified, all users matching the other criteria will be returned.
orgs - Organization scope to search. If no constraint is specified, the search will occur within all organizations in the task context.
atts - A collection of AttributeRight objects, each containing an attribute name and a permission request. The returned user objects contain these attributes and permissions.
Returns:
A Vector of User objects containing the attributes specified in atts and the associated permissions.
Throws:
SmApiException

getGroupsUserCanAdminister

java.util.Vector getGroupsUserCanAdminister(User admin,
                                            Organization searchTop,
                                            SearchDepthType searchDepth,
                                            java.util.Enumeration attribs)
                                            throws SmApiException

Retrieves the groups that exist within the specified organizational hierarchy for which the administrator is a group administrator.

Parameters:
admin - The administrator in question.
searchTop - The organization where the search begins.
searchDepth - The lowest organization in the branch to search.
attribs - An Enumeration of Strings containing names of the attributes to include in the retrieved objects. If you pass an empty Enumeration, no attributes are included. If you pass null, all attributes are included.
Returns:
A Vector of Group objects for which the user is an administrator.
Throws:
SmApiException

getGroupsUserCanAdminister

java.util.Vector getGroupsUserCanAdminister(User admin,
                                            Organization searchTop,
                                            SearchDepthType searchDepth,
                                            java.util.Enumeration attribs,
                                            GroupReturnType groupReturnType)
                                            throws SmApiException

Retrieves the groups that exist within the specified organizational hierarchy for which the administrator is a group administrator.

Parameters:
admin - The administrator in question.
searchTop - The organization where the search begins.
searchDepth - The lowest organization in the branch to search.
attribs - An Enumeration of Strings containing names of the attributes to include in the retrieved objects. If you pass an empty Enumeration, no attributes are included. If you pass null, all attributes are included.
Returns:
A Vector of groups for which the user is an administrator.
Throws:
SmApiException

getGroupsAdminCanManageInScope

java.util.Vector getGroupsAdminCanManageInScope(TSContext tsCtx,
                                                Organization searchTop,
                                                SearchDepthType searchDepth,
                                                AttributeRightsCollection attribs)
                                                throws SmApiException

Retrieves the groups in scope for the current admin/task that also exist within the specified organizational hierarchy, for which the current admin from the context is a group administrator.

Parameters:
tsCtx - A context with admin and task filled in.
searchTop - The organization where the search begins.
searchDepth - The lowest organization in the branch to search.
attribs - Specifies attributes and permission requests to include in returned groups.
Returns:
A Vector of Group objects that are in scope and for which the user is an administrator.
Throws:
SmApiException

findGroupMembersInScope

java.util.Vector findGroupMembersInScope(TSContext tsCtx,
                                         ObjectType type,
                                         AttributeRightsCollection attribs)
                                         throws SmApiException

Retrieves the members who are in scope for the current admin task, and who are also members of the current group. The current group is the subject of the current admin task.

Parameters:
tsCtx - The current task context. The subject of the task must be the group in question.
attribs - The attributes and permission requests to include in the retrieved managed objects.
Returns:
The managed objects that are in scope for the current admin task and that are members of the current group.
Throws:
SmApiException

findGroupAdministratorsInScope

java.util.Vector findGroupAdministratorsInScope(TSContext tsCtx,
                                                AttributeRightsCollection attribs)
                                                throws SmApiException

Retrieves the users who are in scope for the current admin task, and who are also administrators of the current group. The current group is the subject of the current admin task.

Parameters:
tsCtx - The current task context. The subject of the task must be the group in question.
attribs - The attributes and permission requests to include in the retrieved user objects.
Returns:
The user objects that are in scope for the current admin task and that are administrators of the current group.
Throws:
SmApiException

canAdminExecuteTask

boolean canAdminExecuteTask(User admin,
                            Task task)
                            throws SmApiException

Verifies whether the specified administrator is assigned to a role that allows him to perform the specified task.

This method is typically called when the task session is created and there is no task subject yet.

Parameters:
admin - The administrator performing the task.
task - The task to perform.
Returns:
The result of the request.
Throws:
SmApiException

canAdminExecuteTask

boolean canAdminExecuteTask(User admin,
                            java.lang.String taskTag)
                            throws SmApiException
This call verifies that the administrator has some role that allows him/her to perform the task specified by task tag.

Parameters:
user -
taskTag -
Returns:
Throws:
SmApiException

canAdminExecuteTaskOnObject

boolean canAdminExecuteTaskOnObject(TSContext tsCtx,
                                    ManagedObject obj)
                                    throws SmApiException
Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminExecuteTaskOnObjects(), which passes a Vector of objects.

Determines if the specified object is in scope for the current administrator in the current task.

Parameters:
tsCtx - The current task context.
obj - The object in question.
Returns:
The result of the request.
Throws:
SmApiException

canAdminExecuteTaskOnObjects

boolean canAdminExecuteTaskOnObjects(TSContext tsCtx,
                                     java.util.Vector objs)
                                     throws SmApiException

Determines if the specified objects are in scope for the current administrator in the current task.

Parameters:
tsCtx - The current task context.
objs - The managed objects in question.
Returns:
The result of the request.
Throws:
SmApiException

canAdminExecuteTaskOnObjectsDetailed

java.util.Vector canAdminExecuteTaskOnObjectsDetailed(TSContext tsCtx,
                                                      java.util.Vector objs)
                                                      throws SmApiException

Determines if the specified objects are in scope for the current administrator in the current task.

Parameters:
tsCtx - The current task context.
objs - The managed objects in question.
Returns:
The result of the request.
Throws:
SmApiException

canAdminMakePrimaryObjectMemberOfRoles

boolean canAdminMakePrimaryObjectMemberOfRoles(TSContext tsCtx,
                                               java.util.Vector roles)
                                               throws SmApiException

Determines whether the subject of the task is an assignable object, and if so, whether the object can be assigned or removed as a member of the specified roles.

Parameters:
tsCtx - The current task context.
roles - The roles in question.
Returns:
true if both conditions apply.
Throws:
SmApiException

canAdminMakePrimaryObjectAdministratorOfRoles

boolean canAdminMakePrimaryObjectAdministratorOfRoles(TSContext tsCtx,
                                                      java.util.Vector roles)
                                                      throws SmApiException

Determines whether the subject of the task is an assignable object, and if so, whether the object can be assigned or removed as administrator for the specified roles.

Parameters:
tsCtx - The current task context.
roles - The roles in question.
Returns:
true if both conditions apply.
Throws:
SmApiException

canAdminAssignRole

boolean canAdminAssignRole(TSContext tsCtx,
                           java.util.Vector roles)
                           throws SmApiException
Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakePrimaryObjectMemberOfRoles().

Determines if the current administrator can make the subject of the task a member of the specified roles.

This method does not check whether the user can be managed.

This method validates role membership assignments. The administrator has added the user as a member of one or more roles. This call must confirm that the administrator can add the user to each of these roles.

Parameters:
tsCtx - The current task context.
roles - The roles in question.
Returns:
true if the administrator can make the subject a member of the specified roles.
Throws:
SmApiException

canAdminGrantAdmin

boolean canAdminGrantAdmin(TSContext tsCtx,
                           java.util.Vector users)
                           throws SmApiException
Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakeUsersRoleAdministrators().

Determines if the current administrator can make the subject of the task an administrator for the specified roles.

This method does not check whether the user can be managed.

This method validates role administration assignments. The administrator has added the user as a role administrator for one or more roles. This call must confirm that the administrator can add the user as an administrator for each of these roles.

Parameters:
tsCtx - The current task context.
users - The roles in question.
Returns:
true if the administrator can assign the subject as an administrator for the specified roles.
Throws:
SmApiException

canAdminMakeUsersRoleAdministrators

boolean canAdminMakeUsersRoleAdministrators(TSContext tsCtx,
                                            java.util.Vector users)
                                            throws SmApiException

Determines if the current administrator can assign the specified users as administrators for the current role. The subject of the current task must be a role.

This method does not check whether the role can be managed.

This method validates role administration assignments. The administrator has added the users as role administrator for the current role. This call must confirm that the administrator can add each user as an administrator for the role.

Parameters:
tsCtx - The current task context.
users - The users in question.
Returns:
true if the administrator can assign the users as administrators for the current role.
Throws:
SmApiException

canAdminMakeUsersRoleAdministrators

boolean canAdminMakeUsersRoleAdministrators(TSContext tsCtx,
                                            java.util.Vector users,
                                            java.util.Vector allowed,
                                            java.util.Vector rejected)
                                            throws SmApiException

Determines if the current administrator can assign the specified users as administrators for the current role. The subject of the current task must be a role.

This method does not check whether the role can be managed.

This method validates role administration assignments. The administrator has added the users as role administrator for the current role. This call must confirm that the administrator can add each user as an administrator for the role.

Parameters:
tsCtx - The current task context.
users - The users in question.
allowed - The users that the admin can manage/assign as role admins.
rejected - The users that the admin can't manage/assign as role admins.
Returns:
true if the administrator can assign the users as administrators for the current role.
Throws:
SmApiException
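
A fail-closed wrapper around the four-argument canAdminMakeUsersRoleAdministrators described above, as an added example that is not part of the CA SDK or of this reference page. The nested SmApiException, TSContext and SecurityProvider types are local stand-ins that mirror only the signatures shown on this page; RoleAdminGate, Decision and check are hypothetical names, and treating allowed and rejected as vectors filled in by the call is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Vector;

/** Added example, not CA SDK code: fail-closed gate for role-administrator assignment. */
public class RoleAdminGate {

    // Local stand-ins mirroring only the signatures shown on this page, so the
    // file compiles without the SDK jars. Real code uses the SDK's own types.
    static class SmApiException extends Exception {
        SmApiException(String msg) { super(msg); }
    }
    interface TSContext { }
    @SuppressWarnings("rawtypes")
    interface SecurityProvider {
        // Throws clause assumed; the method summary on this page does not show one.
        boolean canAdminManageRoleAdministration(TSContext ctx) throws SmApiException;
        boolean canAdminMakeUsersRoleAdministrators(TSContext tsCtx, Vector users,
                Vector allowed, Vector rejected) throws SmApiException;
    }

    /** Result of the gate: nothing should be assigned unless permitted is true. */
    static final class Decision {
        final boolean permitted;
        final List<Object> allowed;
        final List<Object> rejected;
        final String reason;
        Decision(boolean permitted, List<Object> allowed, List<Object> rejected, String reason) {
            this.permitted = permitted;
            this.allowed = allowed;
            this.rejected = rejected;
            this.reason = reason;
        }
        @Override public String toString() {
            return "permitted=" + permitted + " allowed=" + allowed
                    + " rejected=" + rejected + " reason=" + reason;
        }
    }

    @SuppressWarnings({"rawtypes", "unchecked"})
    static Decision check(SecurityProvider sp, TSContext ctx, List<?> candidates) {
        List<Object> all = new ArrayList<Object>(candidates);
        if (all.isEmpty()) {
            return new Decision(false, new ArrayList<Object>(), all, "no candidates supplied");
        }
        Vector allowed = new Vector();
        Vector rejected = new Vector();
        boolean ok;
        try {
            // The per-user call "does not check whether the role can be managed",
            // so this example checks the role first (a pairing chosen here).
            if (!sp.canAdminManageRoleAdministration(ctx)) {
                return new Decision(false, new ArrayList<Object>(), all,
                        "role administration not permitted");
            }
            ok = sp.canAdminMakeUsersRoleAdministrators(ctx, new Vector(all), allowed, rejected);
        } catch (SmApiException e) {
            // Fail closed: an error from the provider is a denial, never a pass.
            return new Decision(false, new ArrayList<Object>(), all,
                    "provider error: " + e.getMessage());
        }
        // Assumption: the provider fills `allowed` and `rejected`. Do not rely on the
        // boolean alone; any candidate not explicitly allowed counts as rejected.
        List<Object> granted = new ArrayList<Object>();
        List<Object> denied = new ArrayList<Object>();
        for (Object u : all) {
            if (allowed.contains(u) && !rejected.contains(u)) granted.add(u); else denied.add(u);
        }
        boolean permitted = ok && denied.isEmpty();
        return new Decision(permitted, granted, denied,
                permitted ? "all candidates in scope" : "one or more candidates out of scope");
    }

    public static void main(String[] args) {
        // Constructed fake provider: only names starting with "hr-" are in scope.
        SecurityProvider fake = new SecurityProvider() {
            public boolean canAdminManageRoleAdministration(TSContext ctx) { return true; }
            @SuppressWarnings({"rawtypes", "unchecked"})
            public boolean canAdminMakeUsersRoleAdministrators(TSContext c, Vector users,
                    Vector allowed, Vector rejected) {
                for (Object u : users) {
                    if (u.toString().startsWith("hr-")) allowed.add(u); else rejected.add(u);
                }
                return rejected.isEmpty();
            }
        };
        TSContext ctx = new TSContext() { };
        System.out.println(check(fake, ctx, Arrays.asList("hr-alice", "hr-bob")));
        System.out.println(check(fake, ctx, Arrays.asList("hr-alice", "fin-carol")));
    }
}
```

The rejected list in the returned Decision is the natural input for an audit record of attempted out-of-scope assignments.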

canAdminMakeRoleMembers

boolean canAdminMakeRoleMembers(TSContext tsCtx,
                                java.util.Vector Users)
                                throws SmApiException
Deprecated. Deprecated in IdentityMinder 6.0. Use canAdminMakeUsersRoleMembers().

Determines if the current administrator can assign the specified users to roles.

Parameters:
tsCtx - The current task context.
Users - The users in question.
Returns:
true if the administrator can assign the specified users to roles.
Throws:
SmApiException

canAdminMakeUsersRoleMembers

boolean canAdminMakeUsersRoleMembers(TSContext tsCtx,
                                     java.util.Vector Users)
                                     throws SmApiException

Determines if the current administrator can assign the specified users to roles.

Parameters:
tsCtx - The current task context.
Users - The users in question.
Returns:
true if the administrator can assign the specified users to roles.
Throws:
SmApiException

canAdminMakeUsersRoleMembers

boolean canAdminMakeUsersRoleMembers(TSContext tsCtx,
                                     java.util.Vector Users,
                                     java.util.Vector allowed,
                                     java.util.Vector rejected)
                                     throws SmApiException

Determines if the current administrator can assign the specified users to roles.

Parameters:
tsCtx - The current task context.
Users - The users in question.
allowed - The users that the admin can manage as role members.
rejected - The users that the admin can't manage as role members.
Returns:
true if the administrator can assign the specified users to roles.
Throws:
SmApiException

filterUsersAdminCanMakeRoleMembers

java.util.Vector filterUsersAdminCanMakeRoleMembers(TSContext tsCtx,
                                                    java.util.Vector users)
                                                    throws SmApiException
Retrieves the role members that the current administrator can manage. The users, administrator, and role are all within the current task context.

Parameters:
tsCtx - The current task context.
users - The users in question.
Returns:
A Vector of role members that the administrator can manage.
Throws:
SmApiException

filterUsersAdminCanMakeRoleAdministrators

java.util.Vector filterUsersAdminCanMakeRoleAdministrators(TSContext tsCtx,
                                                           java.util.Vector users)
                                                           throws SmApiException
Retrieves the role administrators that the current administrator can manage. The users, administrator, and role are all within the current task context.

Parameters:
tsCtx - The current task context.
users - The users in question.
Returns:
A Vector of role administrators that the administrator can manage.
Throws:
SmApiException

findUsersAdminCanMakeRoleMembers

java.util.Vector findUsersAdminCanMakeRoleMembers(TSContext tsCtx,
                                                  UserFilter search,
                                                  OrgScopeConstraint orgs,
                                                  AttributeRightsCollection attrs)
                                                  throws SmApiException
Retrieves the users that the current administrator can assign to the current role. The users, administrator, and role are all within the current task context.

Parameters:
tsCtx - Task context containing the role and administrators.
search - User attribute filter for the search. If no filter is specified, all users matching the other criteria will be returned.
orgs - Organization scope to search. If no constraint is specified, the search will occur within all organizations in the task context.
attrs - A collection of AttributeRight objects, each containing an attribute name and a permission request. The returned user objects contain these attributes and permissions.
Returns:
A Vector of User objects containing the attributes specified in attrs and the associated permissions.
Throws:
SmApiException

findUsersAdminCanMakeRoleAdministrators

java.util.Vector findUsersAdminCanMakeRoleAdministrators(TSContext tsCtx,
                                                         UserFilter search,
                                                         OrgScopeConstraint orgs,
                                                         AttributeRightsCollection attrs)
                                                         throws SmApiException
Retrieves the users that the current administrator can assign to the current role as role administrators. The users, administrator, and role are all within the current task context.

Parameters:
tsCtx - Task context containing the role and administrators.
search - User attribute filter for the search. If no filter is specified, all users matching the other criteria will be returned.
orgs - Organization scope to search. If no constraint is specified, the search will occur within all organizations in the task context.
attrs - A collection of AttributeRight objects, each containing an attribute name and a permission request. The returned user objects contain these attributes and permissions.
Returns:
A Vector of User objects containing the attributes specified in attrs and the associated permissions.
Throws:
SmApiException

findMembersAdminCanManage

java.util.Vector findMembersAdminCanManage(TSContext tsCtx,
                                           UserFilter search,
                                           OrgScopeConstraint orgs,
                                           AttributeRightsCollection attrs)
                                           throws SmApiException
Retrieves the members of the current role that the current administrator can manage. The users, administrator, and role are all within the current task context.

Parameters:
tsCtx - Task context containing the role and administrators.
search - User attribute filter for the search. If no filter is specified, all users matching the other criteria will be returned.
orgs - Organization scope to search. If no constraint is specified, the search will occur within all organizations in the task context.
attrs - A collection of AttributeRight objects, each containing an attribute name and a permission request. The returned user objects contain these attributes and permissions.
Returns:
a Vector of User objects containing the attributes specified in attrs and the associated permissions.
Throws:
SmApiException

findAdministratorsAdminCanManage

java.util.Vector findAdministratorsAdminCanManage(TSContext tsCtx,
                                                  UserFilter search,
                                                  OrgScopeConstraint orgs,
                                                  AttributeRightsCollection attrs)
                                                  throws SmApiException
Retrieves the administrators of the current role that the current administrator can manage. The administrators and role are all within the current task context.

Parameters:
tsCtx - Task context containing the role and administrators.
search - User attribute filter for the search. If no filter is specified, all users matching the other criteria will be returned.
orgs - Organization scope to search. If no constraint is specified, the search will occur within all organizations in the task context.
attrs - A collection of AttributeRight objects, each containing an attribute name and a permission request. The returned user objects contain these attributes and permissions.
Returns:
a Vector of User objects containing the attributes specified in attrs and the associated permissions.
Throws:
SmApiException

findGroupsAdminCanManageInScope

java.util.Vector findGroupsAdminCanManageInScope(TSContext tsCtx,
                                                 GroupFilter filter,
                                                 Organization searchTop,
                                                 OrgScopeConstraint orgs,
                                                 SearchDepthType searchDepth,
                                                 AttributeRightsCollection attribs)
                                                 throws SmApiException

Retrieves the groups that are in scope for the current administrator and task, that match the specified attribute filter and organization scope constraint, that exist within the specified organizational hierarchy, and for which the current administrator from the context is a group administrator.

Parameters:
tsCtx - A context with admin and task filled in.
filter - Attribute filter for search. If no filter is specified, all groups in the orgs specified will be returned.
searchTop - The organization where the search begins.
orgs - Org constraint for the search. If no constraint is specified, the search will be within all orgs.
searchDepth - The lowest organization in the branch to search.
attribs - Specifies the attributes to include in the returned groups.
Returns:
A Vector of groups for which the user is an administrator, that are in scope.
Throws:
SmApiException

buildOrgScopeConstraint

OrgScopeConstraint buildOrgScopeConstraint(TSContext ctx,
                                           ObjectType type)
                                           throws SmApiException

Retrieves all the scope rules associated with the specified object type for the administrator and task in the current task context.

This method constructs an OrgScopeConstraint object that represents the full set of organizations to which the scope rules give access.

If any of the rules has no organization scope constraint (that is, if any of the rules is unrestricted by organization), the resulting OrgScopeConstraint object represents all the organizations in the hierarchy.

Parameters:
ctx - The current task context. The subject of the task must be a role.
type - The type of object constrained by the scope rules.
Returns:
An object containing the scope rules for the specified object type.
Throws:
SmApiException

canAdminManageRoleMembership

boolean canAdminManageRoleMembership(TSContext ctx)
                                     throws SmApiException

Determines whether the current administrator can add and remove members of the current role. The current role is the role that is the subject of the current task.

Parameters:
ctx - The current task context. The subject of the task must be a role.
Returns:
true if the administrator can manage membership for the subject role in the current task. This method returns false if the role's configuration is not set to allow members to be added or removed.
Throws:
SmApiException

canAdminManageRoleAdministration

boolean canAdminManageRoleAdministration(TSContext ctx)
                                         throws SmApiException

Determines whether the current administrator can assign and remove administrators for the current role. The current role is the role that is the subject of the current task.

Parameters:
ctx - The current task context. The subject of the task must be a role.
Returns:
true if the administrator can manage administrators for the subject role in the current task. This method returns false if the role's configuration is not set to allow administrators to be assigned or removed.
Throws:
SmApiException

findAdminTasksAdminCanExecuteOnObject

java.util.Vector findAdminTasksAdminCanExecuteOnObject(User admin,
                                                       ManagedObject obj)
                                                       throws SmApiException

Determines the set of admin tasks that the admin has and for which the specified object is in scope.

Parameters:
admin - The User at the console.
obj - The object in question.
Returns:
a Vector of AdminTask objects. The Vector may be empty if no Tasks match.
Throws:
SmApiException

canAdminExecuteTaskOnObjectsEx

boolean canAdminExecuteTaskOnObjectsEx(TSContext tsCtx,
                                       java.util.Vector objs)
                                       throws SmApiException

Determines if the specified objects can be used as subjects for the current administrator in the current task. The answer is based on the scope security type of the task, and the appropriate security checks on the admin and subject. If any one item in objs fails the check, the result is false.

Parameters:
tsCtx - The current task context.
objs - The managed objects in question.
Returns:
The result of the request.
Throws:
SmApiException
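
Because canAdminExecuteTaskOnObjectsEx returns a single boolean for the whole Vector, a caller usually wants a guard that fails closed and can name the subjects that caused a denial. The following is an added example, not code from the SDK: ScopeCheck is a local stand-in that mirrors only the documented signature (in real code it is SecurityProvider with a TSContext and SmApiException), and the guard policy, class names, and sample data are assumptions.

```java
import java.util.Vector;

public class ScopeGuardExample {
    // Hypothetical stand-in mirroring only the signature documented above; in real
    // code this is SecurityProvider, tsCtx is a TSContext, and it throws SmApiException.
    interface ScopeCheck {
        boolean canAdminExecuteTaskOnObjectsEx(Object tsCtx, Vector<Object> objs) throws Exception;
    }

    /** Fail closed: an error or an empty subject list counts as "not authorized" (guard policy). */
    static boolean allowed(ScopeCheck sp, Object tsCtx, Vector<Object> objs) {
        if (objs == null || objs.isEmpty()) return false;
        try {
            return sp.canAdminExecuteTaskOnObjectsEx(tsCtx, objs);
        } catch (Exception e) {
            return false; // never treat a failed check as permission
        }
    }

    /** The batch call yields one boolean, so re-check one object at a time to name the failures. */
    static Vector<Object> rejected(ScopeCheck sp, Object tsCtx, Vector<Object> objs) {
        Vector<Object> out = new Vector<>();
        for (Object o : objs) {
            Vector<Object> single = new Vector<>();
            single.add(o);
            if (!allowed(sp, tsCtx, single)) out.add(o);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed test double: only subjects whose name starts with "emea-" are in scope.
        ScopeCheck fake = (ctx, objs) -> {
            for (Object o : objs) if (!o.toString().startsWith("emea-")) return false;
            return true;
        };
        // Constructed sample subjects; one of them is outside the administrator's scope.
        Vector<Object> subjects = new Vector<>();
        subjects.add("emea-alice");
        subjects.add("apac-bob");
        subjects.add("emea-carol");
        // One out-of-scope subject denies the whole batch.
        System.out.println("batch allowed: " + allowed(fake, "ctx", subjects));
        // Per-object re-check identifies which subject to drop or escalate.
        System.out.println("rejected: " + rejected(fake, "ctx", subjects));
    }
}
```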

findManagedObjectsInScope

java.util.Vector findManagedObjectsInScope(TSContext tsCtx,
                                           ObjectType o,
                                           ScopePurpose purpose,
                                           GenericAttributeFilter additionalFilter,
                                           AttributeRightsCollection attrs)
                                           throws SmApiException
Find all the objects of type o that are in scope for the current admin and task, which also meet the specified additional filter. Note that the object type of the specified additional filter must match o. Objects will be returned with attributes filled according to the specified attribute rights collection.

Parameters:
tsCtx - The current task context, used to determine the current admin and task, as well as providing info required by some scope constraints. Must not be null.
o - The ObjectType that we are searching for. Must not be null.
purpose - An additional parameter used to distinguish between scope rules used for different purposes.
additionalFilter - A ScopeRule (of the same object type as o) that is used as an additional filter. May be null.
attrs - An attribute rights collection used to populate attributes of returned objects. May be null.
Returns:
A Vector of objects of type o
Throws:
SmApiException

findApplicableScopeRules

java.util.Vector findApplicableScopeRules(TSContext tsCtx,
                                          ObjectType o,
                                          ScopePurpose purpose)
                                          throws SmApiException
Returns a Vector of ScopeRule objects that apply to the current user and task, for a given object type and purpose.

Parameters:
tsCtx - The current task session context
o - An object type to filter scope rules
purpose - A ScopePurpose to filter scope rules
Returns:
A Vector of ScopeRule objects
Throws:
SmApiException

findApplicableScopeRules

java.util.Map findApplicableScopeRules(TSContext tsCtx,
                                       java.util.Set objectTypes,
                                       ScopePurpose purpose)
                                       throws SmApiException
Returns a Map of ScopeRule objects that apply to the current user and task, for a given object type set and purpose.

Parameters:
tsCtx - The current task session context
objectTypes - object type set for which to retrieve scope rules
purpose - A ScopePurpose to filter scope rules
Returns:
Map of ObjectType to Vector of ScopeRule objects
Throws:
com.netegrity.sdk.apiutil.SmApiException
SmApiException

06/13/2011

© 2011 CA Technologies, Inc. All rights reserved.