Package org.keycloak.services.resources.admin.fgap

Interface UserPermissionEvaluator

public interface UserPermissionEvaluator

Version:

$Revision: 1 $

Author:

Bill Burke

Method Summary

Modifier and Type	Method	Description
boolean	canImpersonate()	Returns true if the caller has the ImpersonationConstants#IMPERSONATION_ROLE.
boolean	canImpersonate(UserModel user, ClientModel requester)	Returns true if the caller has the ImpersonationConstants#IMPERSONATION_ROLE.
boolean	canManage()	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManage(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canManageGroupMembership(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canMapRoles(UserModel user)	Returns true if the caller has AdminRoles.MANAGE_USERS role.
boolean	canQuery()	Returns true if the caller has at least one of AdminRoles.QUERY_USERS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
default boolean	canResetPassword(UserModel user)	Returns true if the caller has permission to AdminPermissionsSchema.RESET_PASSWORD for the given user.
boolean	canView()	Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
boolean	canView(UserModel user)	Returns true if the caller has at least one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.
Map<String,Boolean>	getAccess(UserModel user)	Returns Map with information what access the caller for the provided user has.
Map<String,Boolean>	getAccessForListing(UserModel user)	Returns Map with information what access the caller for the provided user has when listing users.
void	grantIfNoPermission(boolean grantIfNoPermission)	Deprecated.
boolean	isImpersonatable(UserModel user, ClientModel requester)	Deprecated.
void	requireImpersonate(UserModel user)	Throws ForbiddenException if canImpersonate(UserModel, ClientModel) returns false.
void	requireManage()	Throws ForbiddenException if canManage() returns false.
void	requireManage(UserModel user)	Throws ForbiddenException if canManage(UserModel) returns false.
void	requireManageGroupMembership(UserModel user)	Throws ForbiddenException if canManageGroupMembership(UserModel) returns false.
void	requireMapRoles(UserModel user)	Throws ForbiddenException if canMapRoles(UserModel) returns false.
void	requireQuery()	Throws ForbiddenException if canQuery() returns false.
default void	requireResetPassword(UserModel user)	Throws ForbiddenException if canResetPassword(UserModel) returns false.
void	requireView()	Throws ForbiddenException if canView() returns false.
void	requireView(UserModel user)	Throws ForbiddenException if canView(UserModel) returns false.

Method Details

requireManage

void requireManage()

Throws ForbiddenException if canManage() returns false.

requireManage

void requireManage(UserModel user)

Throws ForbiddenException if canManage(UserModel) returns false.

canManage

boolean canManage()

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE users.

canManage

boolean canManage(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE the user.

Or if it has a permission to AdminPermissionsSchema.MANAGE_MEMBERS of the group chain the user is associated with.

requireResetPassword

default void requireResetPassword(UserModel user)

Throws ForbiddenException if canResetPassword(UserModel) returns false.

canResetPassword

default boolean canResetPassword(UserModel user)

Returns true if the caller has permission to AdminPermissionsSchema.RESET_PASSWORD for the given user. Default implementation falls back to canManage(UserModel) for backward compatibility.

requireQuery

void requireQuery()

Throws ForbiddenException if canQuery() returns false.

canQuery

boolean canQuery()

Returns true if the caller has at least one of AdminRoles.QUERY_USERS, AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW users.

requireView

void requireView()

Throws ForbiddenException if canView() returns false.

requireView

void requireView(UserModel user)

Throws ForbiddenException if canView(UserModel) returns false.

canView

boolean canView()

Returns true if the caller has one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW users.

canView

boolean canView(UserModel user)

Returns true if the caller has at least one of AdminRoles.MANAGE_USERS or AdminRoles.VIEW_USERS roles.

Or if it has a permission to AdminPermissionsSchema.VIEW the user.

Or if it has a permission to AdminPermissionsSchema.VIEW_MEMBERS of the group chain the user is associated with.

requireImpersonate

void requireImpersonate(UserModel user)

Throws ForbiddenException if canImpersonate(UserModel, ClientModel) returns false.

canImpersonate

boolean canImpersonate()

Returns true if the caller has the ImpersonationConstants#IMPERSONATION_ROLE.

Or if it has a permission to AdminPermissionsSchema.IMPERSONATE users.

canImpersonate

boolean canImpersonate(UserModel user,
 ClientModel requester)

Returns true if the caller has the ImpersonationConstants#IMPERSONATION_ROLE.

NOTE: If requester is provided, it's clientId is added to evaluation context.

Or if it has a permission to AdminPermissionsSchema.IMPERSONATE the user.

getAccess

Map<String,Boolean> getAccess(UserModel user)

Returns Map with information what access the caller for the provided user has.

getAccessForListing

Map<String,Boolean> getAccessForListing(UserModel user)

Returns Map with information what access the caller for the provided user has when listing users.

requireMapRoles

void requireMapRoles(UserModel user)

Throws ForbiddenException if canMapRoles(UserModel) returns false.

canMapRoles

boolean canMapRoles(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MAP_ROLES of the user.

requireManageGroupMembership

void requireManageGroupMembership(UserModel user)

Throws ForbiddenException if canManageGroupMembership(UserModel) returns false.

canManageGroupMembership

boolean canManageGroupMembership(UserModel user)

Returns true if the caller has AdminRoles.MANAGE_USERS role.

Or if it has a permission to AdminPermissionsSchema.MANAGE_GROUP_MEMBERSHIP of the user.

isImpersonatable

@Deprecated
boolean isImpersonatable(UserModel user,
 ClientModel requester)

Deprecated.

grantIfNoPermission

@Deprecated
void grantIfNoPermission(boolean grantIfNoPermission)

Deprecated.