CEPM Java Developer Guide
PEP API Reference Guide



The Policy Enforcement Point (PEP) provides the methods for determining whether a user is entitled to access a given resource/action. These methods provide the following services:

Determining the access to a given resource/action for a particular user by passing subject, resource, or action

Determining the access to a given resource/action for a particular user by passing subject, resource, action, attributeMap (when the custom attributes are passed), RoleBundles, and Contexts

Getting a list of permissible resources for a given user

Getting a list of permissible actions for a given resource

Getting a list of roles for a given resource

Following are the commonly used methods supported by PEP:

Method isUserAccessAllowed

This method is used to check whether the user is authorized to access the specified resource. This method supports caching. The following parameters need to be passed within this method:

username: Name of the user for whom accessibility to the specified resource needs to be checked.

resource: Fully qualified name of the resource on which the specified user accessibility needs to be checked.

action: Name of action on which the specified user accessibility needs to be checked. In case of no specific action, any must be passed as the default action name.

This returns a boolean: true if the user is permitted to access the specified resource, otherwise false.

Method isUserAccessAllowed

This method is used to determine whether the user is authorized to access the specified resource with custom attributes on the basis of the RoleBundles passed in the request in a given context. This method does not support caching. The following parameters need to be passed within this method:

username: Name of the user for which access to the specified resource is being determined.

resource: Name of the resource to which access is being determined for the specified user.

action: Name of the action that the specified user is performing on the resource.

attMap: Name of the different user attributes.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a Boolean indicating whether the user has access to the resource.


Note: When the PEP sends a request that includes a context along with other parameters, the PDP searches for the policy under that particular context level. If no policy is found under the specified context, the PDP searches its parent level. If the parent level has a policy on the resource, the PDP sends the decision accordingly. If not, the PDP extends the search one more level above the current level. In this way, the search can continue until it reaches the global level, and the appropriate decision is communicated.
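The fallback search described in the Note above, as an added Java model (not CEPM code and not part of the original guide). The context names, the parent map and the in-memory policy store are constructed for illustration; only the resource name and the action "any" are taken from the guide's sample.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Added illustration of the context fallback search; not CEPM code. */
public class ContextFallbackDemo {

    enum Decision { PERMIT, DENY }

    static final String GLOBAL = "Global Context";   // constructed name for the top level

    // Constructed hierarchy: child context -> parent context (Global has no parent).
    private final Map<String, String> parentOf = new HashMap<>();
    // Constructed policy store: context -> ("resource|action" -> decision).
    private final Map<String, Map<String, Decision>> policies = new HashMap<>();

    void addContext(String context, String parent) {
        parentOf.put(context, parent);
    }

    void addPolicy(String context, String resource, String action, Decision decision) {
        policies.computeIfAbsent(context, k -> new HashMap<>())
                .put(resource + "|" + action, decision);
    }

    /**
     * Starts at the requested context (Global when none is given) and walks up
     * one level at a time; the first level that holds a policy decides.
     * Empty means no level up to Global had a policy for the resource/action.
     */
    Optional<Decision> resolve(String context, String resource, String action) {
        String current = (context == null) ? GLOBAL : context;
        Set<String> visited = new HashSet<>();   // stops a mis-built hierarchy from looping
        while (current != null && visited.add(current)) {
            Decision d = policies
                    .getOrDefault(current, Collections.<String, Decision>emptyMap())
                    .get(resource + "|" + action);
            if (d != null) {
                return Optional.of(d);
            }
            current = parentOf.get(current);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        ContextFallbackDemo pdp = new ContextFallbackDemo();
        pdp.addContext("Global Context:EMEA", GLOBAL);
        pdp.addContext("Global Context:EMEA:London", "Global Context:EMEA");
        pdp.addContext("Global Context:APAC", GLOBAL);

        String reports = "Prime group:Prime portal:View Reports";
        pdp.addPolicy(GLOBAL, reports, "any", Decision.PERMIT);
        pdp.addPolicy("Global Context:EMEA", reports, "any", Decision.DENY);

        // London has no policy of its own, so the nearest ancestor (EMEA) decides.
        System.out.println(pdp.resolve("Global Context:EMEA:London", reports, "any"));
        // APAC has none either; its parent is Global, so the Global policy is inherited.
        System.out.println(pdp.resolve("Global Context:APAC", reports, "any"));
        // No context in the request: evaluation starts at Global.
        System.out.println(pdp.resolve(null, reports, "any"));
        // No policy at any level: the caller decides; this demo assumes deny as the default.
        System.out.println(pdp.resolve("Global Context:APAC",
                "Prime group:Prime portal:Admin", "any").orElse(Decision.DENY));
    }
}
```

In this model a policy placed at the Global level applies to every child context that has no policy of its own, which is worth checking when reviewing where a broad permit is defined.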


Method isUserAccessAllowed

This method is used to determine whether the user, who has "dynamic separation of duties" (DSoD) with another user, is authorized to access the specified resource without cache and with TTL Cache on the basis of the RoleBundles passed in the request in a given context. This method does not support caching. The following parameters need to be passed within this method:

fromUser: Name of the user whose role has a DSoD role with another user (toUser) with a different role.

toUser: Name of the user to whom the DSoD role is assigned.

resource: Name of the resource to which access is being determined for the specified user.

action: Name of the action that the specified user is performing on the resource.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a Boolean indicating whether the user has access to the resource.

Method isUserAccessAllowed

This method is used to check whether the user is authorized to access the given array of resources and actions. This method supports caching. If caching is enabled, this method will cache all relevant data of the resources, including the permissions, attributes and data of its child hierarchy. The following parameters need to be passed within this method:

subject: Name of the user for whom accessibility to the specified resources needs to be checked.

resources[]: Array of resource names (fully qualified names) on which the specified user accessibility needs to be checked.

actions[]: Array of action names on which the specified user accessibility needs to be checked.

attMap: The custom attributes need to be passed as a HashMap in java.util.Map. This can include Xpath and MessageAttributes.

This returns a Boolean indicating whether the user has access to the specified resources and actions.

Method isUserAccessAllowed

This method is used to determine whether the user has access to a set of resources with their corresponding actions on the basis of the RoleBundles passed in the request in a given context. This method supports caching. The following parameters need to be passed within this method:

subject: Name of the user for which access to the specified resource is being determined.

resources[]: Names of the resources to which access is being determined for the specified user.

actions[]: Names of the actions that the specified user is performing on the resource.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a Boolean indicating whether the user has access to the resource.

Method getPermissibleResourcesForUser

This method gives the list of permissible resources for a user on the basis of the RoleBundles passed in the request. This method supports caching. The following parameters need to be passed within this method:

subject: Name of the user for which access to the specified resource is being determined.

resource: Name of the parent resource, the subresources of which are returned if they are accessible to the specified subject.

map: The custom attributes need to be passed as a HashMap in java.util.Map. This can include Xpath and MessageAttributes.

roleBundles[]: Name of the roleBundles under which this permitted resources need to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a list of permissible resources available for specified user.

Method getPermissibleResourcesForRoles

This method gives the list of permissible resources for roles on the basis of the RoleBundles passed in the request in a given context. This method supports caching. The following parameters need to be passed within this method:

roles: Names of the roles for which the available resources are being determined.

resource: Name of the parent resource, the subresources of which are returned if they are accessible to the specified role.

map: The custom attributes need to be passed as a HashMap in java.util.Map. This can include Xpath and MessageAttributes.

roleBundles[]: Name of the roleBundles under which the permissible resources for the given roles is retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a list of permissible resources available for specified roles.

Method getPermissibleResourcesForGroups

This method gives the list of permissible resources for groups on the basis of the RoleBundles passed in the request in a given context. This method supports caching. The following parameters need to be passed within this method:

groups: Fully Qualified Names (FQN) of the groups for which the list of permissible resources is sought.

resource: Fully qualified name of the resource of which the permitted subresources for the specified groups need to be retrieved.

map: The custom attributes need to be passed as a HashMap in java.util.Map. This can include Xpath and MessageAttributes.

roleBundles[]: Name of the roleBundles under which the permissible resources for the given roles is retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a list of permissible resources available for specified groups.

Method getPermissibleActionsByResource

This method gives the list of permissible actions by resource on the basis of the RoleBundles passed in the request. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed within this method:

subject: Name of the user for whom the list of permissible actions is sought.

resource: Fully qualified name of the resource of which the permitted actions for the specified user is retrieved.

roleBundles[]: Name of the roleBundles under which the permissible actions for the given user is retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a list of permissible actions by the specified resource accessible by the subject.

Method getPermissibleActionsByResource

This method gives the list of permissible actions by resource on the basis of the RoleBundles passed in the request in a given context. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed within this method:

subject: Name of the user for whom the list of permissible actions is sought.

resource: Fully qualified name of the resource of which the permitted actions for the specified user is retrieved.

map: The custom attributes need to be passed as a HashMap in java.util.Map. This can include Xpath and MessageAttributes.

roleBundles[]: Name of the roleBundles under which the permissible actions for the given user is retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a list of permissible actions by the specified resource accessible by the subject.

Method isRoleAccessAllowed

This method is used to determine whether the user is authorized to access the specified resource with custom attributes on the basis of the RoleBundles passed in the request. The following parameters need to be passed in this method:

roleNames[]: Fully Qualified Names of the roles for which accessibility to the specified resource needs to be checked.

resource: Fully qualified name of the resource on which accessibility for the specified roles need to be checked.

action: Name of action on which accessibility for the specified roles need to be checked. In case of no specific action, any must be passed as the default action name.

map: The environment attributes need to be passed as a HashMap. This can include Xpath and MessageAttributes.

RoleBundles[]: Name of the roleBundles under which the role accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

level: Integer that refers to the number of resource level up to which the search shall be extended.

This returns a XacmlResponse regarding the decision and obligation about the policy created for the specified role. If there is no response from the PDP, you get null.

Sample code:
      // Method signature
      isRoleAccessAllowed(java.lang.String[] roleNames, java.lang.String resource,
                          java.lang.String action, java.util.Map envMap,
                          java.lang.String[] roleBundles, java.lang.String context,
                          int level)

      // Example call. Requires java.util.HashMap and java.util.Map;
      // mgr is the PEP object on which the method is called.
      String[] roleBundles = new String[1];
      roleBundles[0] = "Default";            // no specific roleBundle
      String[] roles = new String[2];
      roles[0] = "Prime group:Prime portal:Internal Dev:Internal Dev Tokyo";
      roles[1] = "Prime group:Prime portal:Internal Dev:Internal Dev NY";
      Map map = new HashMap();               // environment attributes
      map.put("sum", "10");
      mgr.isRoleAccessAllowed(roles, "Prime group:Prime portal:View Reports", "any",
                              map, roleBundles, "Global Context:Global Context", -1);

Method isGroupAccessAllowed

This method is used to check whether the given roles are authorized to access the specified resource. This method does not support caching. The following parameters need to be passed in this method:

groupNames: Fully Qualified Names of the groups for which accessibility to the specified resource needs to be checked.

resource: Fully qualified name of the resource on which accessibility for the specified groups need to be checked.

action: Name of action on which accessibility for the specified groups need to be checked. In case of no specific action, any must be passed as the default action name.

attMap: The environment attributes need to be passed as a HashMap. This can include Xpath, MessageAttributes etc.

roleBundles[]: Name of the roleBundles under which the group accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

level: Integer that refers to the number of resource level up to which the search shall be extended.

This returns a net.securent.kernel.XacmlResponse object from which you can get the decision, obligations and attributes. If there is no response from the PDP, you will get null.

Method isUserInRoleAccessAllowed

This method is used to determine whether the user is authorized to access the specified resource with custom attributes under the given RoleBundles and Context. The following parameters need to be passed in this method:

subject: Name of the user for whom accessibility to the specified resource needs to be checked with respect to the roles the User is mapped.

rolenames: Fully qualified names of the roles associated with the specified user must be passed.

resource: Fully qualified name of the resource need to be passed to check whether the user with given roles has an access with respect to the role names passed.

action: Name of action on which accessibility for the specified groups need to be checked. In case of no specific action, any must be passed as the default action name.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a XacmlResponse regarding the decision and obligations related to the specified subject. If any of the roles is not mapped to the specified user or has a deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get null.

Method isUserInGroupAccessAllowed

This method is used to check whether the user is authorized to access the specified resource with respect to a given set of groups under given RoleBundles and context. It will consider all groups passed in the input array of roles. If any one group has Deny policy on the specified resource, then the user will not be allowed to access the resource. This method does not support caching. The following parameters need to be passed in this method:

subject: Name of the user for whom accessibility to the specified resource needs to be checked.

groupnames: Fully qualified names of the user groups with respect to which the user accessibility to the specified resource is checked.

resource: Fully qualified name of the resource on which accessibility for the specified user needs to be checked.

action: Name of action on which accessibility for the specified groups need to be checked. In case of no specific action, any must be passed as the default action name.

roleBundles[]: Name of the roleBundles under which the group accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a net.securent.kernel.XacmlResponse object from which you can get the decision, obligations and environmental attributes. If any of the groups is not mapped to the specified user or has a deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get null.
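The Deny rule and the null return described for isUserInGroupAccessAllowed, as an added Java model (not CEPM code and not part of the original guide). StubResponse is a hypothetical stand-in for XacmlResponse, whose accessors this guide does not list; the user, the group names and the policies are constructed, and treating null, an exception or an empty group array as Deny is an assumption of this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

/** Added illustration; StubResponse stands in for XacmlResponse. */
public class GroupDecisionDemo {

    enum Decision { PERMIT, DENY }

    /** Hypothetical stand-in for the response object; carries only a decision. */
    static final class StubResponse {
        final Decision decision;
        StubResponse(Decision decision) { this.decision = decision; }
    }

    // Constructed sample data: user -> groups, and group -> policy on one resource.
    static final Map<String, Set<String>> USER_GROUPS = new HashMap<>();
    static final Map<String, Decision> GROUP_POLICY = new HashMap<>();
    static {
        USER_GROUPS.put("alice", new HashSet<>(
                Arrays.asList("Prime group:Traders", "Prime group:Auditors")));
        GROUP_POLICY.put("Prime group:Traders", Decision.PERMIT);
        GROUP_POLICY.put("Prime group:Auditors", Decision.DENY);
        GROUP_POLICY.put("Prime group:Admins", Decision.PERMIT);
    }

    /**
     * Models the documented rule: every group passed in is considered, and a group
     * that is not mapped to the user, or that has a Deny policy, yields Deny.
     * An empty or null array is denied here (assumption of this example).
     */
    static StubResponse decide(String user, String[] groupNames) {
        if (groupNames == null || groupNames.length == 0) {
            return new StubResponse(Decision.DENY);
        }
        Set<String> mapped = USER_GROUPS.getOrDefault(user, new HashSet<String>());
        for (String group : groupNames) {
            if (!mapped.contains(group) || GROUP_POLICY.get(group) != Decision.PERMIT) {
                return new StubResponse(Decision.DENY);
            }
        }
        return new StubResponse(Decision.PERMIT);
    }

    /** PEP-side guard: a null response or a failed call is treated as Deny. */
    static boolean isPermitted(Supplier<StubResponse> pdpCall) {
        try {
            StubResponse response = pdpCall.get();
            return response != null && response.decision == Decision.PERMIT;
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Only a group with a Permit policy is passed.
        System.out.println(isPermitted(
                () -> decide("alice", new String[] {"Prime group:Traders"})));
        // One of the passed groups has a Deny policy.
        System.out.println(isPermitted(
                () -> decide("alice", new String[] {"Prime group:Traders", "Prime group:Auditors"})));
        // A passed group is not mapped to the user.
        System.out.println(isPermitted(
                () -> decide("alice", new String[] {"Prime group:Admins"})));
        // No response from the PDP.
        System.out.println(isPermitted(() -> null));
    }
}
```

Because only the groups passed in the array are considered, the result in this model depends on the caller supplying the user's complete group list from a trusted source rather than from request input.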

Method getRolesAllowedForResource

This method is used to get the list of permissible roles by resource on the basis of the RoleBundles passed in the request. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

resource: Fully qualified name of the resource for which the permissible roles need to be checked.

roleBundles[]: Name of the roleBundles under which the roles for the specified resource is being retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

map: The environment attributes need to be passed as a HashMap. This can include Xpath, MessageAttributes etc.

This returns an array of permitted Roles for the specified resource. The list of roles shall include only Static Roles and not Dynamic Roles entitled with the specified resource.

Method getGroupsAllowedForResource

This method retrieves the list of permissible groups for a given resource under specified roleBundles. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

resource: Name of the resource to which access is being determined for the specified user.

roleBundles[]: Name of the roleBundles under which the groups for the specified resource is being retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

map: The environment attributes need to be passed as a HashMap. This can include Xpath, MessageAttributes etc.

This returns an array of permitted groups for the specified resource.

Method getUsersAllowedForResource

This method retrieves the list of permissible users for a given resource under specified roleBundles. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

resource: Fully qualified name of the resource for which the permissible roles need to be checked.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, 'Default' must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

map: The environment attributes need to be passed as a HashMap. This can include Xpath, MessageAttributes etc.

This returns an array of permitted users for the specified resource.

Method getDecisionForUsers

This method is used to check whether the given users are authorized to access any specified resource under given roleBundles and context. This method supports caching. If caching is enabled, all relevant data of the specified resource including the permissions, attributes and data of its child resources will be cached. The following parameters need to be passed in this method:

subjects: Names of the users for whom accessibility to the specified resource need to be checked.

resource: Fully qualified name of the resource on which accessibility for the specified user needs to be checked.

action: Name of action on which accessibility for the specified groups need to be checked. In case of no specific action, any must be passed as the default action name.

roleBundles[]: Name of the roleBundles under which the decision is sought. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a UserContext Object from where you may get decision and obligation for the specified user.

Method getDecisions

This method is used to get decision on the requested resource by a XacmlResponse on the basis of the RoleBundles passed in the request in a given context. It returns the decisions of the requested resource as well as its subresources in a Xacml format. The following parameters need to be passed in this method:

subject: Name of the user for which access to the specified resource is being determined.

resource: Name of the resource to which access is being determined for the specified user.

action: Name of the action that the specified user is performing on the resource.

envMap: Different user attributes, for example, obligations, enumerations and other environmental variables.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

level: Integer that refers to the number of resource level up to which the search shall be extended.

This returns a XacmlResponse regarding the decision and obligation about the policy created for the specified Group. If there is no response from the PDP, you will get null.

Method getDecisionsByResourceType

This method is used to get decisions (both permit and deny) for all resources of a given application based on specified ResourceType. Only those resources which are created using the specified resourceType will be taken into consideration. This method works only for Oracle and does not support MSSQL or DB2. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

subject: Name of the user for whom decisions on the given resource is sought.

resourceTypeName: Fully qualified name of the resourceType on the basis of which the decision is being given.

applicationName: Fully qualified name of the application for which decision is being given.

This returns a XacmlResponse containing the obligations and attributes of resources which are created using the specified resourcetype.

Method getDecisionsByResourceType

This method is used to get the decisions of all resources with a given action and created under a given application using a given resourceType. Only those resources which are created using the specified resourceType will be taken into consideration. This method works only for Oracle and does not support MSSQL or DB2. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

subject: Name of the user for whom decisions on the given resource is sought.

roleNames: Fully qualified name of the roles based on which the decision is being given.

resourceTypeName: Fully qualified name of the resourceType on the basis of which the decision is being given.

applicationName: Fully qualified name of the application for which decision is being given.

This returns XacmlResponse containing the obligation and resourceAttributes of all resources created under the specified application using the specified resourceType and are having the specified action.

Method getDecisionsByResourceType

This method is used to get the decisions of all resources with a given action and created under a given application using a given resourceType. Only those resources which are created using the specified resourceType will be taken into consideration. This method works only for Oracle and does not support MSSQL or DB2. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

subject: Name of the user for whom decisions on the given resource is sought.

resourceTypeName: Fully qualified name of the resourceType on the basis of which the decision is being given.

applicationName: Fully qualified name of the application for which decision is being given.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns XacmlResponse containing the obligation and resourceAttributes of all resources created under the specified application using the specified resourceType and are having the specified action.

Method getDecisionsByResourceType

This method is used to get the decisions of all resources with a given action and created under a given application using a given resourceType. Only those resources which are created using the specified resourceType will be taken into consideration. This method works only for Oracle and does not support MSSQL or DB2. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

subject: Name of the user for whom decisions on the given resource is sought.

resourceTypeName: Fully qualified name of the resourceType on the basis of which the decision is being given.

applicationName: Fully qualified name of the application for which decision is being given.

action: Name of action for which decision is being given. In case of no specific action, any must be passed as the default action name.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns XacmlResponse containing the obligation and resourceAttributes of all resources created under the specified application using the specified resourceType and are having the specified action.

Method getDecisionsByResourceTypeForAnyAction

This method is used to get decisions (both permit and deny) of all resources created using the given resourceType notwithstanding the actions they are having. This method takes all actions of the resources having the specified resourceType. This method works only for Oracle and does not support MSSQL or DB2. This method supports caching.


Note: Caching will not work for this method when you set "decisionCacheOnly=true" in the PEP and PDP config files.


The following parameters need to be passed in this method:

subject: Name of the user for whom decisions on the given resource is sought.

resourceTypeName: Fully qualified name of the resourceType on the basis of which the decision is being given.

applicationName: Fully qualified name of the application for which decision is being given.

This returns a XacmlResponse containing the obligations and attributes of the resources which are created using the specified resourcetype on the basis of the permission given for its action.

Method getRoles

This method is used to get all roles assigned to a user on the specified application. The following parameters need to be passed in this method:

subject: Name of the user for which access to the specified resource is being determined.

applicationName: Name of the application.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

envMap: Different key values, for example, xpath etc.

This returns an array of roles (both Static and Dynamic Roles) assigned to the specified user under the given application.

Method getUsersForGroup

This method is used to get all users mapped with a given dynamic group. The following parameters need to be passed in this method:

groupFQN: Fully qualified name of the dynamic group for which you need to get the users mapped to it.

This returns an array of users directly mapped with the specified dynamic group. This also returns the users mapped to its immediate parent group (which is a static group) only if the rule configured on the specified dynamic group is satisfied.

Method getUsersForRole

This method is used to get all users mapped with a given dynamic role. The following parameters need to be passed in this method:

roleFQN: Fully qualified name of the dynamic role for which you need to get all the users mapped to it.

This returns an array of users directly mapped with the specified dynamic role. This also returns the users mapped to its immediate parent role (which is a static role) only if the rule configured on the specified dynamic role is satisfied.

Method getDecisionforResources

This method is the same as getDecisions(username,resourceName,action,envMap,level), but it gives the decisions for multiple resources with actions. The following parameters need to be passed in this method:

subject: Name of the user for which decision is sought.

resourceNames[]: Fully qualified name of the resources. You can pass multiple resources at a time.

action[]: Name of the actions to be passed in the request.

envMap: Different attributes, for example, obligations, enumerations and other environmental variables.

level: Integer that refers to the level of the resource up to which the PDP will extend its decision.

This returns a XacmlResponse containing the obligations and attributes of multiple resources with actions as specified in the request.

Method getDecisionsWithRoles

This method is used to give the user's decisions for resources and actions, and it also returns the roleNames for the corresponding resource and its obligations. This method does not support caching. The following parameters need to be passed in this method:

subject: Name of the user for which decision is sought.

resource: Fully qualified name of the resource

action: Name of the action to be passed in the request. If there is no specific action, you can pass 'Any'.

envMap: Different attributes, for example, obligations, enumerations and other environmental variables.

level: Integer that refers to the level of the resource up to which the PDP will extend its decision.

This returns a XacmlResponse containing the obligations and attributes of multiple resources along with roles created under that resource and the specified user is mapped to those roles. The PDP returns both static and dynamic roles.

Method getGroups

This method is used to get all groups assigned to a user on the specified application. The following parameters need to be passed in this method:

subject: Name of the user

applicationName: Fully qualified name of the application

envMap: Different attributes, for example, obligations, enumerations and other environmental variables.

roleBundles[]: Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context: Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns the groupName FQN to which the user belongs with respect to the applicationName after group condition evaluation.