Class RolePermissionsV2
java.lang.Object
org.keycloak.services.resources.admin.permissions.RolePermissionsV2
- All Implemented Interfaces:
RolePermissionEvaluator, RolePermissionManagement
-
Field Summary
Fields (Modifier and Type, Field, Description)
- protected final AuthorizationProvider
- protected final PolicyStore
- protected final RealmModel
- protected final ResourceStore
- protected final org.keycloak.services.resources.admin.permissions.MgmtPermissions
- protected final KeycloakSession
Fields inherited from interface org.keycloak.services.resources.admin.permissions.RolePermissionManagement
MAP_ROLE_CLIENT_SCOPE_SCOPE, MAP_ROLE_COMPOSITE_SCOPE, MAP_ROLE_SCOPE
-
Method Summary
Modifier and Type, Method, Description
- boolean canList(RoleContainerModel container)
- boolean canManage(RoleContainerModel container): If the role is a realm role, it returns true if RealmPermissionEvaluator.canManageRealm() returns true.
- boolean: If the role is a realm role, it returns true if RealmPermissionEvaluator.canManageRealm() returns true.
- boolean canManageDefault(RoleModel role)
- boolean canMapClientScope(RoleModel role): Returns true if ClientPermissions.canManageClientsDefault() returns true.
- boolean canMapComposite(RoleModel role): Returns true if RolePermissions.canManageDefault(RoleModel) and RolePermissions.checkAdminRoles(RoleModel) returns true.
- boolean canMapRole(RoleModel role): Is admin allowed to map this role?
- boolean canView(RoleContainerModel container): If the role is a realm role, it returns true if RealmPermissionEvaluator.canViewRealm() returns true.
- boolean: If the role is a realm role, it returns true if RealmPermissionEvaluator.canViewRealm() returns true.
- getPermissions(RoleModel role)
- getRoleIdsByScope(String scope): Returns the IDs of the roles that the current user can perform based on scope.
- boolean
- manageUsersPolicy(ResourceServer server)
- mapRolePermission(RoleModel role)
- void requireList(RoleContainerModel container): Throws ForbiddenException if RolePermissionEvaluator.canList(RoleContainerModel) returns false.
- void requireManage(RoleContainerModel container): Throws ForbiddenException if RolePermissionEvaluator.canManage(RoleContainerModel) returns false.
- void requireManage(RoleModel role): Throws ForbiddenException if RolePermissionEvaluator.canManage(RoleModel) returns false.
- void: Throws ForbiddenException if RolePermissionEvaluator.canMapClientScope(RoleModel) returns false.
- void requireMapComposite(RoleModel role): Throws ForbiddenException if RolePermissionEvaluator.canMapComposite(RoleModel) returns false.
- void requireMapRole(RoleModel role): Throws ForbiddenException if RolePermissionEvaluator.canMapRole(RoleModel) returns false.
- void requireView(RoleContainerModel container): Throws ForbiddenException if RolePermissionEvaluator.canView(RoleContainerModel) returns false.
- void requireView(RoleModel role): Throws ForbiddenException if RolePermissionEvaluator.canView(RoleModel) returns false.
- resourceServer(RoleModel role)
- rolePolicy(ResourceServer server, RoleModel role)
- void setPermissionsEnabled(RoleModel role, boolean enable)
- viewUsersPolicy(ResourceServer server)
-
Field Details
-
session
-
realm
-
authz
-
root
protected final org.keycloak.services.resources.admin.permissions.MgmtPermissions root
-
resourceStore
-
policyStore
-
-
Method Details
-
canMapClientScope
Description copied from interface: RolePermissionEvaluator
Returns true if ClientPermissions.canManageClientsDefault() returns true. Or if the role is a client role and ClientPermissionEvaluator.canMapClientScopeRoles(ClientModel) returns true. Or if the caller has permission to RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE. For V2 only: Also if the caller has a permission to RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE all roles.
- Specified by:
canMapClientScope in interface RolePermissionEvaluator
-
canMapComposite
Description copied from interface: RolePermissionEvaluator
Returns true if RolePermissions.canManageDefault(RoleModel) and RolePermissions.checkAdminRoles(RoleModel) returns true. Or if the role is a client role and ClientPermissionEvaluator.canMapCompositeRoles(ClientModel) returns true. Or if the caller has permission to RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE and RolePermissions.checkAdminRoles(RoleModel) returns true. For V2 only: Also if the caller has a permission to RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE all roles.
- Specified by:
canMapComposite in interface RolePermissionEvaluator
-
canMapRole
Is admin allowed to map this role?
- Specified by:
canMapRole in interface RolePermissionEvaluator
-
getRoleIdsByScope
Description copied from interface: RolePermissionEvaluator
Returns the IDs of the roles that the current user can perform based on scope.
- Specified by:
getRoleIdsByScope in interface RolePermissionEvaluator
- Returns:
- Stream of IDs of roles with scope permission.
-
isPermissionsEnabled
- Specified by:
isPermissionsEnabled in interface RolePermissionManagement
-
setPermissionsEnabled
- Specified by:
setPermissionsEnabled in interface RolePermissionManagement
-
getPermissions
- Specified by:
getPermissions in interface RolePermissionManagement
-
mapRolePermission
- Specified by:
mapRolePermission in interface RolePermissionManagement
-
mapCompositePermission
- Specified by:
mapCompositePermission in interface RolePermissionManagement
-
mapClientScopePermission
- Specified by:
mapClientScopePermission in interface RolePermissionManagement
-
resource
- Specified by:
resource in interface RolePermissionManagement
-
resourceServer
- Specified by:
resourceServer in interface RolePermissionManagement
-
manageUsersPolicy
- Specified by:
manageUsersPolicy in interface RolePermissionManagement
-
viewUsersPolicy
- Specified by:
viewUsersPolicy in interface RolePermissionManagement
-
rolePolicy
- Specified by:
rolePolicy in interface RolePermissionManagement
-
requireMapRole
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canMapRole(RoleModel) returns false.
- Specified by:
requireMapRole in interface RolePermissionEvaluator
-
canList
Description copied from interface: RolePermissionEvaluator
Returns true if RolePermissionEvaluator.canView(RoleContainerModel) returns true. Or if the role is a realm role, then it returns true if RealmPermissionEvaluator.canViewRealm() returns true or if the caller has at least one of the AdminRoles.QUERY_USERS, AdminRoles.QUERY_USERS, AdminRoles.QUERY_CLIENTS, AdminRoles.QUERY_REALMS, AdminRoles.QUERY_GROUPS roles.
- Specified by:
canList in interface RolePermissionEvaluator
-
requireList
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canList(RoleContainerModel) returns false.
- Specified by:
requireList in interface RolePermissionEvaluator
-
canManage
Description copied from interface: RolePermissionEvaluator
If the role is a realm role, it returns true if RealmPermissionEvaluator.canManageRealm() returns true. If the role is a client role, it returns true if ClientPermissionEvaluator.canConfigure(ClientModel) returns true.
- Specified by:
canManage in interface RolePermissionEvaluator
-
requireManage
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canManage(RoleContainerModel) returns false.
- Specified by:
requireManage in interface RolePermissionEvaluator
-
canView
Description copied from interface: RolePermissionEvaluator
If the role is a realm role, it returns true if RealmPermissionEvaluator.canViewRealm() returns true. If the role is a client role, it returns true if ClientPermissionEvaluator.canView(ClientModel) returns true.
- Specified by:
canView in interface RolePermissionEvaluator
-
requireView
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canView(RoleContainerModel) returns false.
- Specified by:
requireView in interface RolePermissionEvaluator
-
requireMapComposite
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canMapComposite(RoleModel) returns false.
- Specified by:
requireMapComposite in interface RolePermissionEvaluator
-
requireMapClientScope
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canMapClientScope(RoleModel) returns false.
- Specified by:
requireMapClientScope in interface RolePermissionEvaluator
-
canManage
Description copied from interface: RolePermissionEvaluator
If the role is a realm role, it returns true if RealmPermissionEvaluator.canManageRealm() returns true. If the role is a client role, it returns true if ClientPermissionEvaluator.canConfigure(ClientModel) returns true.
- Specified by:
canManage in interface RolePermissionEvaluator
-
canManageDefault
-
requireManage
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canManage(RoleModel) returns false.
- Specified by:
requireManage in interface RolePermissionEvaluator
-
canView
Description copied from interface: RolePermissionEvaluator
If the role is a realm role, it returns true if RealmPermissionEvaluator.canViewRealm() returns true. If the role is a client role, it returns true if ClientPermissionEvaluator.canView(ClientModel) returns true.
- Specified by:
canView in interface RolePermissionEvaluator
-
requireView
Description copied from interface: RolePermissionEvaluator
Throws ForbiddenException if RolePermissionEvaluator.canView(RoleModel) returns false.
- Specified by:
requireView in interface RolePermissionEvaluator
-