CEPM Dotnet Developers Guide V 3.3.1.0
PEP API Reference Guide

Table Of Contents

PEP API Reference Guide

Method IsUserAccessAllowed (12 overloads)

Method GetPermissibleResourcesForUser (3 overloads)

Method GetPermissibleResourcesForRoles (3 overloads)

Method GetPermissibleResourcesForGroups (3 overloads)

Method GetPermissibleActionsByResource (3 overloads)

Method IsRoleAccessAllowed (4 overloads)

Method IsGroupAccessAllowed (4 overloads)

Method IsUserInRoleAccessAllowed (3 overloads)

Method IsUserInGroupAccessAllowed (3 overloads)

Method GetRolesAllowedForResource (2 overloads)

Method GetGroupsAllowedForResource (2 overloads)

Method GetUsersAllowedForResource (2 overloads)

Method GetDecisionForUsers (3 overloads)

Method GetDecisions (7 overloads)

Method GetDecisionsByResourceType (2 overloads)

Method GetDecisionsByResourceTypeForAnyAction

Method GetRoles

Method GetUsersForGroup

Method GetUsersForRole

Method GetDecisionforResources

Method GetDecisionsWithRoles

Method GetGroups

PEP API Reference Guide


The Policy Enforcement Point (PEP) interface provides the methods for determining whether a user is entitled to access a specific resource or action. Requests to verify access are sent to the Policy Decision Point (PDP). This interface also provides utility methods that return a list of permissible resources for a specific user and a list of permissible actions for a specified resource.

This interface provides the following services:

Determining the access to a specified resource or action for a specific user by passing the subject, resource and action.

Determining the access to a specified resource or action for a specific user by passing the subject, resource, action, attributeMap (when custom attributes are used), RoleBundles and Context.

Obtaining a list of permissible resources for a specific user

Obtaining a list of permissible actions for a specific resource

Obtaining a list of roles for a specified resource

The PEP interface provides the methods described in this appendix.

Method IsUserAccessAllowed

This method checks whether the user is authorized to access the specified resource. This method supports caching. It takes the following parameters:

username—Name of the user whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified user's access needs to be checked.

action—Name of the action for which the specified user's access needs to be checked. If no specific action is given, any must be used as the default action name.

This returns a Boolean value: True if the user is permitted, else False.

Method IsUserAccessAllowed

This method checks whether a user who conflicts with another user (that is, the two users are mapped to two different roles that are DSoD with each other) is authorized to access the specified resource. This method does not support caching. It takes the following parameters:

fromUser—Name of the user whose access to the specified resource needs to be checked.

toUser—Name of the user to whom the DSoD role is assigned.

resource—Fully qualified name of the resource for which the specified user's access needs to be checked.

action—Name of the action for which the specified user's access needs to be checked. If no specific action is given, any must be used as the default action name.

This returns a Boolean value: True if the user is permitted to access the specified resource, else False.

Example:

Consider two users, Mary and Tom, who are mapped to TestRole1 and TestRole2 respectively. If the PEP sends the following request:

mgr.IsUserAccessAllowed("Mary","Tom","Prime group:Prime portal:Send Trades", "any")

and Mary has a conflict of interest with Tom (that is, Mary's role has DSoD with Tom's role), this method returns False; otherwise it returns True.

Method IsUserAccessAllowed

This method checks whether the user is authorized to access the specified resource, with custom attributes. This method supports caching. It takes the following parameters:

username—Name of the user whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified user's access needs to be checked.

action—Name of the action for which the specified user's access needs to be checked. If no specific action is given, any must be used as the default action name.

attMap—The custom attributes, passed as a Hashtable. This can include XPath and MessageAttributes.

If the user has permission to access the resource, this method returns True, else False. The decision is given after evaluating the PIP rule against the specified attribute mapping.

Method IsUserAccessAllowed

This method determines whether the user is authorized to access the specified resource, based on the RoleBundles passed in the request. It takes the following parameters:

username—Name of the user whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified user's access needs to be checked.

action—Name of the action for which the specified user's access needs to be checked. If no specific action is given, any must be used as the default action name.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a Boolean value specifying whether the user has access to the resource.
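Added example, not code from this guide or from CEPM: a fail-closed wrapper for the IsUserAccessAllowed overloads described above (user name, resource, action and, optionally, role bundles). IPepManager, PepGuard and the in-memory FakePepManager are assumptions made for illustration; the guide shows the PEP manager only as mgr and does not name its type, and the permit table is constructed here. The wrapper applies the two defaults the guide requires (any for the action, Default for the role bundle) and returns Deny for malformed input or for any error raised by the PDP call.

```csharp
using System;
using System.Collections.Generic;

// Assumed stand-in for the CEPM PEP manager type (the guide only shows it as "mgr");
// it declares just the two IsUserAccessAllowed overloads this example uses.
public interface IPepManager
{
    bool IsUserAccessAllowed(string username, string resource, string action);
    bool IsUserAccessAllowed(string username, string resource, string action, string[] roleBundles);
}

public sealed class PepGuard
{
    private readonly IPepManager _pep;

    public PepGuard(IPepManager pep)
    {
        _pep = pep ?? throw new ArgumentNullException(nameof(pep));
    }

    // Applies the defaults the guide requires (action "any", role bundle "Default")
    // and turns every failure into Deny: a malformed request is refused before the
    // PDP is asked, and an exception from the PDP call is logged and denied rather
    // than propagated, so the enforcement point can never fall open.
    public bool Check(string username, string resource, string action = null, string[] roleBundles = null)
    {
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(resource))
            return false;

        string effectiveAction = string.IsNullOrWhiteSpace(action) ? "any" : action;
        string[] bundles = (roleBundles == null || roleBundles.Length == 0)
            ? new[] { "Default" }
            : roleBundles;

        try
        {
            return _pep.IsUserAccessAllowed(username, resource, effectiveAction, bundles);
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine($"PEP call failed for {username} on {resource}/{effectiveAction}: {ex.Message}");
            return false;
        }
    }
}

// Constructed in-memory PDP so the guard can be exercised offline; the permit table
// and the "Broken" resource that simulates an unreachable PDP are invented here.
public sealed class FakePepManager : IPepManager
{
    private static readonly HashSet<string> Permits = new HashSet<string>(StringComparer.Ordinal)
    {
        "Mary|Prime group:Prime portal:Send Trades|any|Default",
        "Mary|Prime group:Prime portal:Send Trades|view|Default",
    };

    public bool IsUserAccessAllowed(string username, string resource, string action)
        => IsUserAccessAllowed(username, resource, action, new[] { "Default" });

    public bool IsUserAccessAllowed(string username, string resource, string action, string[] roleBundles)
    {
        if (resource.Contains("Broken"))
            throw new InvalidOperationException("PDP unreachable");
        foreach (string bundle in roleBundles)
            if (Permits.Contains($"{username}|{resource}|{action}|{bundle}"))
                return true;
        return false;
    }
}

public static class PepGuardDemo
{
    public static void Main()
    {
        var guard = new PepGuard(new FakePepManager());
        // Action omitted: the guard sends "any", which the fake PDP permits for Mary.
        Console.WriteLine(guard.Check("Mary", "Prime group:Prime portal:Send Trades"));
        // Action with no matching policy: denied by the PDP.
        Console.WriteLine(guard.Check("Mary", "Prime group:Prime portal:Send Trades", "delete"));
        // PDP error: caught and denied, not propagated to the caller.
        Console.WriteLine(guard.Check("Mary", "Prime group:Broken", "view"));
        // Malformed request: refused without asking the PDP.
        Console.WriteLine(guard.Check("", "Prime group:Prime portal:Send Trades"));
    }
}
```

Nothing in the wrapper ever decides Permit on its own; it only narrows what reaches the PDP and maps every non-answer to Deny. Build it as an ordinary console project; PepGuard is the only part you would keep when wiring in the real PEP manager.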

Method IsUserAccessAllowed

This method determines whether a user who has a DSoD conflict with another user is authorized to access the specified resource, without the cache and with the TTL cache, based on the RoleBundles passed in the request. It takes the following parameters:

fromUser—Name of the user whose role is DSoD with the role of another user.

toUser—Name of the user to whom the DSoD role is assigned.

resource—Fully qualified name of the resource to which access is being determined for the specified user.

action—Name of the action that the specified user is performing on the resource.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a Boolean value specifying whether the user has access to the resource.

Method IsUserAccessAllowed

This method determines whether the user is authorized to access the specified resource, with custom attributes, based on the RoleBundles passed in the request. It takes the following parameters:

username—Name of the user whose access to the specified resource is being determined.

resource—Fully qualified name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

attMap—Hashtable of the custom user attributes to evaluate.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a Boolean value specifying whether the user has access to the resource.

Method IsUserAccessAllowed

This method determines whether the user is authorized to access the specified resource, with custom attributes, based on the RoleBundles passed in the request for the specified context. It takes the following parameters:

username—Name of the user whose access to the specified resource is being checked.

resource—Fully qualified name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

attMap—Hashtable of the custom user attributes to evaluate.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a Boolean value specifying whether the user has access to the resource.


Note When the PEP sends a request that includes a context along with the other parameters, the PDP searches for the policy under the specified context level. If a policy is found there, that decision is returned; otherwise the PDP extends the search one level above the current level, and so on, until it reaches the Global level. The decision from the first level that has a matching policy is the one communicated to the PEP.
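Added illustration of the note above, not part of the guide: a small resolver that walks a constructed context tree the way the note describes, returning the first policy found on the way up to Global. The context names, the tree shape, the policy table and the Decision enum are all assumptions made for this example; CEPM's actual context model is not documented here. The last case in the demo shows the caveat that matters for enforcement: a misspelled context is not rejected, it is evaluated at Global, so a PEP should validate context names before sending them.

```csharp
using System;
using System.Collections.Generic;

// Constructed model: contexts form a tree rooted at "Global"; children are named with
// their parent as a prefix purely for readability. None of this is CEPM's real schema.
public enum Decision { Permit, Deny, NotApplicable }

public sealed class ContextResolver
{
    private readonly IReadOnlyDictionary<string, string> _parentOf;   // context -> parent, null at Global
    private readonly IReadOnlyDictionary<string, Decision> _policies; // "context|resource|action" -> decision

    public ContextResolver(IReadOnlyDictionary<string, string> parentOf,
                           IReadOnlyDictionary<string, Decision> policies)
    {
        _parentOf = parentOf ?? throw new ArgumentNullException(nameof(parentOf));
        _policies = policies ?? throw new ArgumentNullException(nameof(policies));
    }

    // Starts at the requested context and climbs one level at a time until a policy
    // matches or Global has been checked. Returns the decision together with the
    // level that supplied it, so the caller can see where a Permit came from.
    public (Decision decision, string level) Resolve(string context, string resource, string action)
    {
        // Empty or unknown context: the PDP default is Global. An unknown name is
        // therefore not an error but a silent widening of scope.
        string level = string.IsNullOrEmpty(context) || !_parentOf.ContainsKey(context) ? "Global" : context;
        var visited = new HashSet<string>(StringComparer.Ordinal);

        while (level != null && visited.Add(level))          // visited guards against a cyclic tree
        {
            if (_policies.TryGetValue($"{level}|{resource}|{action}", out Decision found))
                return (found, level);
            _parentOf.TryGetValue(level, out level);         // becomes null once Global has been checked
        }
        return (Decision.NotApplicable, "Global");           // no policy at any level: the PEP must deny
    }

    public bool IsKnownContext(string context) => context != null && _parentOf.ContainsKey(context);
}

public static class ContextDemo
{
    public static void Main()
    {
        var parentOf = new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["Global"] = null,
            ["Global:EMEA"] = "Global",
            ["Global:EMEA:London"] = "Global:EMEA",
            ["Global:APAC"] = "Global",
        };
        const string res = "Prime group:Prime portal:Send Trades";
        var policies = new Dictionary<string, Decision>(StringComparer.Ordinal)
        {
            [$"Global|{res}|any"] = Decision.Permit,       // broad permit at the top
            [$"Global:EMEA|{res}|any"] = Decision.Deny,    // regional override
        };
        var resolver = new ContextResolver(parentOf, policies);

        // London has no policy of its own: the walk stops at EMEA's Deny, never reaching Global's Permit.
        var london = resolver.Resolve("Global:EMEA:London", res, "any");
        Console.WriteLine($"London -> {london.decision} (from {london.level})");

        // APAC has no override: the walk reaches Global and returns its Permit.
        var apac = resolver.Resolve("Global:APAC", res, "any");
        Console.WriteLine($"APAC -> {apac.decision} (from {apac.level})");

        // A mistyped context is not rejected by the PDP; it silently resolves at Global.
        string requested = "Global:EMEA:Londn";
        if (!resolver.IsKnownContext(requested))
            Console.WriteLine($"refusing request: unknown context '{requested}' would be evaluated at Global");
    }
}
```

The point to take from the walk is that a Deny placed at an intermediate level shields everything beneath it, while a level with no policy at all inherits whatever its ancestors say; both behaviours are by design, but only the second one is easy to trigger by accident with a wrong context name.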


Method IsUserAccessAllowed

This method determines whether the user is authorized to access the specified resource, based on the RoleBundles passed in the request, in a given context. It takes the following parameters:

username—Name of the user whose access to the specified resource is being checked.

resource—Fully qualified name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a Boolean value specifying whether the user has access to the resource.

Method IsUserAccessAllowed

This method determines whether a user who has a dynamic separation of duties (DSoD) conflict with another user is authorized to access the specified resource, without the cache and with the TTL cache, based on the RoleBundles passed in the request for the specified context. It takes the following parameters:

fromUser—Name of the user whose role is DSoD with the role of another user.

toUser—Name of the user to whom the DSoD role is assigned.

resource—Fully qualified name of the resource to which access is being determined for the specified user.

action—Name of the action that the specified user is performing on the resource.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a Boolean value specifying whether the user has access to the resource.

Method IsUserAccessAllowed

This method checks whether the user is authorized to access the specified array of resources and actions. This method supports caching. If caching is enabled, this method caches all relevant data for the resources, including their permissions, attributes and child hierarchy. It takes the following parameters:

subject—Name of the user whose access to the specified resources needs to be checked.

resources[]—Array of fully qualified resource names for which the specified user's access needs to be checked.

actions[]—Array of action names for which the specified user's access needs to be checked.

This returns a Boolean value specifying whether the user has access to the specified resources and actions.

Method IsUserAccessAllowed

This method determines whether the user has access to a set of resources with their corresponding actions, based on the RoleBundles passed in the request. It takes the following parameters:

subject—Name of the user whose access to the specified resources needs to be checked.

resources[]—Array of fully qualified resource names for which the specified user's access needs to be checked.

actions[]—Array of action names for which the specified user's access needs to be checked.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a Boolean value specifying whether the user has access to the resources.

Method IsUserAccessAllowed

This method determines whether the user has access to a set of resources with their corresponding actions, based on the RoleBundles passed in the request for the specified context. It takes the following parameters:

subject—Name of the user whose access to the specified resources is being checked.

resources[]—Array of fully qualified names of the resources to which access is being checked for the specified user.

actions[]—Array of names of the actions that the specified user is performing on the resources.

roleBundles[]—Names of the roleBundles under which the user's access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a Boolean value specifying whether the user has access to the resources.

Method GetPermissibleResourcesForUser

This method retrieves the list of permissible subresources of a specified resource for a user. This method does not support caching. It takes the following parameters:

subject—Name of the user for whom the list of permissible resources is retrieved.

resource—Fully qualified name of the resource whose permitted subresources for the specified user need to be retrieved.

This returns an array of the permissible resources available to the specified user.

Method GetPermissibleResourcesForUser

This method returns the list of permissible resources for a user, based on the RoleBundles passed in the request. It takes the following parameters:

subject—Name of the user for whom the list of permissible resources is retrieved.

resource—Fully qualified name of the parent resource. The subresources under it that the specified subject is permitted to access are returned.

roleBundles[]—Names of the roleBundles under which the permitted resources need to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a list of the permissible resources available to the specified user.

Method GetPermissibleResourcesForUser

This method returns the list of permissible resources for a user, based on the RoleBundles passed in the request, in a given context. It takes the following parameters:

subject—Name of the user for whom the list of permissible resources is retrieved.

resource—Fully qualified name of the parent resource. The subresources under it that the specified subject is permitted to access are returned.

roleBundles[]—Names of the roleBundles under which the permitted resources need to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a list of the permissible resources available to the specified user.

Method GetPermissibleResourcesForRoles

This method retrieves the list of permissible subresources of a specified resource for the specified roles. This method does not support caching. It takes the following parameters:

roles—Fully Qualified Names (FQN) of the roles for which the list of permissible resources is retrieved.

resource—Fully qualified name of the resource whose permitted subresources for the specified roles need to be retrieved.

This returns an array of the permissible resources for the specified roles.

Method GetPermissibleResourcesForRoles

This method returns the list of permissible resources for roles, based on the RoleBundles passed in the request. It takes the following parameters:

roles—Fully Qualified Names (FQN) of the roles for which the available resources are retrieved.

resource—Fully qualified name of the parent resource. The subresources under it that the specified roles are permitted to access are returned.

roleBundles[]—Names of the roleBundles under which the permitted resources need to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a list of the permissible resources available to the specified roles.

Method GetPermissibleResourcesForRoles

This method returns the list of permissible resources for roles, based on the RoleBundles passed in the request, in a given context. It takes the following parameters:

roles—Fully Qualified Names (FQN) of the roles for which the available resources are retrieved.

resource—Fully qualified name of the parent resource. The subresources under it that the specified roles are permitted to access are returned.

roleBundles[]—Names of the roleBundles under which the permitted resources need to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a list of the permissible resources available to the specified roles.

Method GetPermissibleResourcesForGroups

This method retrieves the list of permissible subresources of a specified resource for the given group(s). This method does not support caching. It takes the following parameters:

groups—Fully Qualified Names (FQN) of the groups for which the list of permissible resources is retrieved.

resource—Fully qualified name of the resource whose permitted subresources for the specified groups need to be retrieved.

This returns an array of the permissible resources for the given groups.

Method GetPermissibleResourcesForGroups

This method returns the list of permissible resources for groups, based on the RoleBundles passed in the request. It takes the following parameters:

groups—Fully Qualified Names (FQN) of the groups for which the list of permissible resources is retrieved.

resource—Fully qualified name of the resource whose permitted subresources for the specified groups need to be retrieved.

roleBundles[]—Names of the roleBundles under which the permissible resources for the given groups are retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a list of the permissible resources available to the specified groups.

Method GetPermissibleResourcesForGroups

This method returns the list of permissible resources for groups, based on the RoleBundles passed in the request for the specified context. It takes the following parameters:

groups—Fully Qualified Names (FQN) of the groups for which the list of permissible resources is retrieved.

resource—Fully qualified name of the resource whose permitted subresources for the specified groups need to be retrieved.

roleBundles[]—Names of the roleBundles under which the permissible resources for the given groups are retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a list of the permissible resources available to the specified groups.

Method GetPermissibleActionsByResource

This method retrieves the list of permissible actions on a specified resource for a user. This method does not support caching. It takes the following parameters:

subject—Name of the user for whom the list of permissible actions is retrieved.

resource—Fully qualified name of the resource whose permitted actions for the specified user need to be retrieved.

This returns an array of the permissible actions on the specified resource.

Method GetPermissibleActionsByResource

This method returns the list of permissible actions on a resource, based on the RoleBundles passed in the request. It takes the following parameters:

subject—Name of the user for whom the list of permissible actions is retrieved.

resource—Fully qualified name of the resource whose permitted actions for the specified user need to be retrieved.

roleBundles[]—Names of the roleBundles under which the permissible actions for the subject are retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a list of the permissible actions on the specified resource for the subject.

Method GetPermissibleActionsByResource

This method returns the list of permissible actions on a resource, based on the RoleBundles passed in the request, in a given context. It takes the following parameters:

subject—Name of the user for whom the list of permissible actions is retrieved.

resource—Fully qualified name of the resource whose permitted actions for the specified user need to be retrieved.

roleBundles[]—Names of the roleBundles under which the permissible actions for the subject are retrieved. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a list of the permissible actions on the specified resource for the subject.

Method IsRoleAccessAllowed

This method checks whether the given roles are authorized to access the specified resource. This method does not support caching. It takes the following parameters:

roleNames[]—Fully Qualified Names of the roles whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified roles' access needs to be checked.

action—Name of the action for which the specified roles' access needs to be checked. If no specific action is given, any must be used as the default action name.

This returns a XacmlResponse object (net.cepm.kernel.XacmlResponse) from which you can get the decision, obligations and attributes. If there is no response from the PDP, the return value is null.

Method IsRoleAccessAllowed

This method checks whether the given roles are authorized to access the specified resource, with custom attributes. This method does not support caching. It takes the following parameters:

roleNames[]—Fully Qualified Names of the roles whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified roles' access needs to be checked.

action—Name of the action for which the specified roles' access needs to be checked. If no specific action is given, any must be used as the default action name.

attMap—The environment attributes, passed as a Hashtable. This can include XPath and MessageAttributes.

This returns a XacmlResponse object (net.cepm.kernel.XacmlResponse) from which you can get the decision, obligations and attributes. If there is no response from the PDP, the return value is null.

Method IsRoleAccessAllowed

This method determines whether the given roles are authorized to access the specified resource, based on the RoleBundles passed in the request. It takes the following parameters:

roleNames[]—Fully Qualified Names of the roles whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified roles' access needs to be checked.

action—Name of the action for which the specified roles' access needs to be checked. If no specific action is given, any must be used as the default action name.

roleBundles[]—Names of the roleBundles under which the roles' access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a XacmlResponse carrying the decision and obligations from the policy created for the specified roles. If there is no response from the PDP, the return value is null.

Method IsRoleAccessAllowed

This method determines whether the given roles are authorized to access the specified resource, based on the RoleBundles passed in the request, in a given context. It takes the following parameters:

roleNames[]—Fully Qualified Names of the roles whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified roles' access needs to be checked.

action—Name of the action being performed on the resource. If no specific action is given, any must be used as the default action name.

roleBundles[]—Names of the roleBundles under which the roles' access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a XacmlResponse carrying the decision and obligations from the policy created for the specified roles. If there is no response from the PDP, the return value is null.

Method IsGroupAccessAllowed

This method checks whether the given groups are authorized to access the specified resource. This method does not support caching. It takes the following parameters:

groupNames—Fully Qualified Names of the groups whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified groups' access needs to be checked.

action—Name of the action for which the specified groups' access needs to be checked. If no specific action is given, any must be used as the default action name.

This returns a XacmlResponse object (net.cepm.kernel.XacmlResponse) from which you can get the decision, obligations and attributes. If there is no response from the PDP, the return value is null.

Method IsGroupAccessAllowed

This method checks whether the given groups are authorized to access the specified resource, with custom attributes. This method does not support caching. It takes the following parameters:

groupNames—Fully Qualified Names of the groups whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified groups' access needs to be checked.

action—Name of the action for which the specified groups' access needs to be checked. If no specific action is given, any must be used as the default action name.

attMap—The environment attributes, passed as a Hashtable. This can include XPath, MessageAttributes and so on.

This returns a XacmlResponse object (net.cepm.kernel.XacmlResponse) from which you can obtain the decision, obligations and attributes. If there is no response from the PDP, the return value is null.

Method IsGroupAccessAllowed

This method determines whether the given groups are authorized to access the specified resource, based on the RoleBundles passed in the request. It takes the following parameters:

groupNames—Fully Qualified Names of the groups whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified groups' access needs to be checked.

action—Name of the action for which the specified groups' access needs to be checked. If no specific action is given, any must be used as the default action name.

roleBundles[]—Names of the roleBundles under which the groups' access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

This returns a XacmlResponse carrying the decision and obligations from the policy created for the specified groups. If there is no response from the PDP, the return value is null.

Method IsGroupAccessAllowed

This method determines whether the given groups are authorized to access the specified resource, based on the RoleBundles passed in the request for the specified context. It takes the following parameters:

groupNames—Fully Qualified Names of the groups whose access to the specified resource needs to be checked.

resource—Fully qualified name of the resource for which the specified groups' access needs to be checked.

action—Name of the action for which the specified groups' access needs to be checked. If no specific action is given, any must be used as the default action name.

roleBundles[]—Names of the roleBundles under which the groups' access needs to be checked. If there is no roleBundle, Default must be passed as the rolebundle name.

context—Name of the context level to be used for the request. If no context is given in the request, the PDP uses the Global context by default.

This returns a XacmlResponse carrying the decision and obligations from the policy created for the specified groups. If there is no response from the PDP, the return value is null.

Method IsUserInRoleAccessAllowed

This method checks whether the user is authorized to access the specified resource for the specified set of roles. It accepts all roles passed in the input array. If any one role has a Deny policy on the specified resource, the user is not allowed to access the resource. This method does not support caching. It takes the following parameters:

subject—Name of the user whose access to the specified resource needs to be checked with respect to the roles the user is mapped to.

rolenames—Fully qualified names of the roles associated with the specified user.

resource—Fully qualified name of the resource for which the user's access, with respect to the given roles, needs to be checked.

action—Name of the action for which the user's access needs to be checked. If no specific action is given, any must be used as the default action name.

This returns a XacmlResponse object (net.cepm.kernel.XacmlResponse) from which you can get the decision, obligations and attributes. If any of the roles is not mapped to the specified user or has a Deny policy on the specified resource, the decision is Deny. If there is no response from the PDP, the return value is null.

Method IsUserInRoleAccessAllowed

This method is used to check whether the user is authorized to access the specified resource with respect to a given set of roles. It accepts all roles passed in the input array. If any one role has a Deny policy for the specified resource, the user will not be allowed to access the resource. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for whom accessibility to the specified resource needs to be checked with respect to the roles mapped to the user.

rolenames—Fully qualified names of the roles associated with the specified user.

resource—Fully qualified name of the resource for which access by the user with the given roles is checked.

action—Name of the action for which accessibility needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns a XacmlResponse with the decision and obligations for the specified subject. If any of the roles is not mapped to the specified user or has a Deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get a null value.

Method IsUserInRoleAccessAllowed

This method is used to determine whether the user is authorized to access the specified resource with custom attributes under the given RoleBundles and Context. The following parameters need to be implemented in this method:

subject—Name of the user for whom accessibility to the specified resource needs to be checked with respect to the roles mapped to the user.

rolenames—Fully qualified names of the roles associated with the specified user.

resource—Fully qualified name of the resource for which access by the user with the given roles is checked.

action—Name of the action for which accessibility needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

context—Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a XacmlResponse regarding decision and obligations related to the specified subject. If no role is mapped to the specified user or has a deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get null.

Method IsUserInGroupAccessAllowed

This method is used to check whether the user is authorized to access the specified resource with respect to a given set of groups. It considers all groups passed in the input array of groups. If any one group has a Deny policy on the specified resource, the user will not be allowed to access the resource. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for whom accessibility to the specified resource needs to be checked.

groupnames—Fully qualified names of the user groups with respect to which the user accessibility to the specified resource is checked.

resource—Fully qualified name of the resource on which accessibility for the specified user needs to be checked.

action—Name of the action for which accessibility of the specified groups needs to be checked. In case of no specific action, any must be implemented as the default action name.

This returns a {@link net.cepm.kernel.XacmlResponse} object from which you can get the decision, obligations and environmental attributes. If any of the groups is not mapped to the specified user or has a Deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get a null value.

Method IsUserInGroupAccessAllowed

This method is used to check whether the user is authorized to access the specified resource with respect to a given set of groups under the given RoleBundles. It considers all groups passed in the input array of groups. If any one group has a Deny policy on the specified resource, the user will not be allowed to access the resource. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for whom accessibility to the specified resource needs to be checked.

groupnames—Fully qualified names of the user groups with respect to which the user accessibility to the specified resource is checked.

resource—Fully qualified name of the resource for which accessibility for the specified user needs to be checked.

action—Name of the action for which accessibility of the specified groups needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the group accessibility needs to be checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns a {@link net.cepm.kernel.XacmlResponse} object from which you can get the decision, obligations and environmental attributes. If any of the groups is not mapped to the specified user or has a Deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get a null value.

Method IsUserInGroupAccessAllowed

This method is used to check whether the user is authorized to access the specified resource with respect to a given set of groups under the given RoleBundles and context. It considers all groups passed in the input array of groups. If any one group has a Deny policy on the specified resource, the user will not be allowed to access the resource. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for whom accessibility to the specified resource needs to be checked.

groupnames—Fully qualified names of the user groups with respect to which the user accessibility to the specified resource is checked.

resource—Fully qualified name of the resource on which accessibility for the specified user needs to be checked.

action—Name of the action for which accessibility of the specified groups needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the group accessibility needs to be checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

context—Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a {@link net.cepm.kernel.XacmlResponse} object from which you can get the decision, obligations and environmental attributes. If any of the groups is not mapped to the specified user or has a Deny policy on the specified resource, the decision will be given as Deny. If there is no response from the PDP, you will get a null value.
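
The IsUserInRoleAccessAllowed and IsUserInGroupAccessAllowed overloads above share two properties a PEP must handle carefully: a single Deny on any supplied role or group denies the whole request, and a PDP that does not answer yields null rather than a decision. The following C# is an added example written for this guide, not code from CEPM itself; the real .NET signatures and the member names of XacmlResponse are not shown on this page, so the IPepClient interface and XacmlResponseStub are assumptions that mirror the parameter lists documented above. It applies the documented defaults (any, Default, Global) and treats null, any non-Permit decision, and any obligation the PEP cannot fulfil as Deny, so an unreachable PDP never grants access.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for net.cepm.kernel.XacmlResponse. The real class's member names are
// not shown on this page, so Decision/Obligations are an ASSUMPTION made for this example.
public sealed class XacmlResponseStub
{
    public string Decision { get; }                   // assumed values: "Permit" or "Deny"
    public IReadOnlyList<string> Obligations { get; }

    public XacmlResponseStub(string decision, params string[] obligations)
    {
        Decision = decision;
        Obligations = obligations;
    }
}

// ASSUMED .NET shape of the two PEP calls, mirroring the parameter lists documented above.
public interface IPepClient
{
    XacmlResponseStub IsUserInRoleAccessAllowed(string subject, string[] rolenames, string resource,
                                                string action, string[] roleBundles, string context);
    XacmlResponseStub IsUserInGroupAccessAllowed(string subject, string[] groupnames, string resource,
                                                 string action, string[] roleBundles, string context);
}

public sealed class FailClosedAuthorizer
{
    public const string AnyAction = "any";                           // documented default action name
    public static readonly string[] DefaultBundles = { "Default" };  // documented default roleBundle
    public const string GlobalContext = "Global";                    // assumed spelling of the Global context

    private readonly IPepClient _pep;
    private readonly Func<string, bool> _fulfilObligation;

    public FailClosedAuthorizer(IPepClient pep, Func<string, bool> fulfilObligation)
    {
        _pep = pep ?? throw new ArgumentNullException(nameof(pep));
        _fulfilObligation = fulfilObligation ?? throw new ArgumentNullException(nameof(fulfilObligation));
    }

    public bool IsAllowedWithRoles(string subject, string[] roles, string resource,
                                   string action = AnyAction, string[] roleBundles = null,
                                   string context = GlobalContext)
    {
        var response = _pep.IsUserInRoleAccessAllowed(
            subject, roles, resource, action, roleBundles ?? DefaultBundles, context);
        return Permits(response);
    }

    public bool IsAllowedWithGroups(string subject, string[] groups, string resource,
                                    string action = AnyAction, string[] roleBundles = null,
                                    string context = GlobalContext)
    {
        var response = _pep.IsUserInGroupAccessAllowed(
            subject, groups, resource, action, roleBundles ?? DefaultBundles, context);
        return Permits(response);
    }

    // Access is granted only on an explicit Permit whose obligations can all be honoured.
    private bool Permits(XacmlResponseStub response)
    {
        if (response == null) return false;   // no answer from the PDP: fail closed, never open
        if (!string.Equals(response.Decision, "Permit", StringComparison.Ordinal)) return false;
        foreach (var obligation in response.Obligations)
        {
            if (!_fulfilObligation(obligation)) return false;  // an obligation the PEP cannot meet means no access
        }
        return true;
    }
}

// Constructed in-memory PEP so the example runs offline: it permits one known request and
// answers null for everything else, which is how an unreachable PDP surfaces per the guide.
public sealed class FakePepClient : IPepClient
{
    public XacmlResponseStub IsUserInRoleAccessAllowed(string subject, string[] rolenames, string resource,
                                                       string action, string[] roleBundles, string context)
    {
        bool hasAuditorRole = Array.IndexOf(rolenames, "App/Auditor") >= 0;
        if (subject == "alice" && resource == "App/Reports/Q3" && hasAuditorRole)
            return new XacmlResponseStub("Permit", "log-access");
        return null;
    }

    public XacmlResponseStub IsUserInGroupAccessAllowed(string subject, string[] groupnames, string resource,
                                                        string action, string[] roleBundles, string context)
        => null;
}

public static class Program
{
    public static void Main()
    {
        var authz = new FailClosedAuthorizer(new FakePepClient(), obligation => obligation == "log-access");
        Console.WriteLine(authz.IsAllowedWithRoles("alice", new[] { "App/Auditor" }, "App/Reports/Q3", "read"));
        Console.WriteLine(authz.IsAllowedWithRoles("bob", new[] { "App/Auditor" }, "App/Reports/Q3", "read"));
    }
}
```

The obligation callback is the piece most often left out of a PEP: the PDP returns obligations alongside Permit, and if the enforcement point silently ignores one it cannot carry out (audit logging, for example), the access is effectively granted under conditions the policy author never approved. Because these overloads do not cache, every call is a PDP round trip; wrap them in a timeout and let the timeout path return false as well.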

Method GetRolesAllowedForResource

This method retrieves the list of permissible roles for a given resource. This method does not support caching. The following parameter needs to be implemented in this method:

resource—Fully qualified name of the resource for which the list of permissible roles is checked.

This returns an array of permitted Roles for the specified resource. The list of roles shall include only Static Roles and not Dynamic Roles entitled with the specified resource.

Method GetRolesAllowedForResource

This method is used to get the list of permissible roles by resource on the basis of the RoleBundles implemented in the request. The following parameters need to be implemented in this method:

resource—Fully qualified name of the resource for which the permissible roles need to be checked.

roleBundles[]—Name of the roleBundles under which the roles for the specified resource are being retrieved. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns an array of permitted Roles for the specified resource. The list of roles shall include only Static Roles and not Dynamic Roles entitled with the specified resource.

Method GetGroupsAllowedForResource

This method retrieves the list of permissible groups for a given resource. This method does not support caching. The following parameter needs to be implemented in this method:

resource—Fully qualified name of the resource for which the list of permissible groups is checked.

This returns an array of permitted groups for the specified resource.

Method GetGroupsAllowedForResource

This method retrieves the list of permissible groups for a given resource under the specified roleBundles. This method does not support caching. The following parameters need to be implemented in this method:

resource—Fully qualified name of the resource for which the permissible groups are retrieved.

roleBundles[]—Name of the roleBundles under which the groups for the specified resource are being retrieved. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns an array of permitted groups for the specified resource.

Method GetUsersAllowedForResource

This method retrieves the list of permissible users for a given resource. This method does not support caching. The following parameter needs to be implemented in this method:

resource—Fully qualified name of the resource for which the permissible users need to be checked.

This returns an array of users who are permitted to the specified resource.

Method GetUsersAllowedForResource

This method retrieves the list of permissible users for a given resource under the specified roleBundles. This method does not support caching. The following parameters need to be implemented in this method:

resource—Fully qualified name of the resource for which the permissible users need to be checked.

roleBundles[]—Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns an array of permitted users for the specified resource.
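
GetRolesAllowedForResource, GetGroupsAllowedForResource and GetUsersAllowedForResource together answer the question an access review asks: who can currently reach this resource? The C# below is an added example for this guide, not CEPM code; the IPepEntitlementLookup interface and its string[] return type are assumptions mirroring the parameter lists above. It pulls the three lists for one resource, prefixes each principal by kind, and reports drift from an approved baseline. Because the role list only contains static roles (as the guide states), dynamic-role entitlements are not covered by this check.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// ASSUMED .NET shape of the three lookups documented above; the return type is assumed to be string[].
public interface IPepEntitlementLookup
{
    string[] GetUsersAllowedForResource(string resource, string[] roleBundles);
    string[] GetGroupsAllowedForResource(string resource, string[] roleBundles);
    string[] GetRolesAllowedForResource(string resource, string[] roleBundles);
}

public sealed class EntitlementDrift
{
    public List<string> Unexpected { get; } = new List<string>();  // permitted by the PDP but not approved
    public List<string> Missing { get; } = new List<string>();     // approved but no longer permitted
    public bool IsClean => Unexpected.Count == 0 && Missing.Count == 0;
}

public static class EntitlementReview
{
    private static readonly string[] DefaultBundles = { "Default" };  // documented default roleBundle

    // Compares who the PDP currently permits on a resource against an approved baseline.
    // Principals are prefixed by kind so a user, group and role with the same name cannot collide.
    public static EntitlementDrift Review(IPepEntitlementLookup pep, string resource,
                                          ISet<string> approvedBaseline, string[] roleBundles = null)
    {
        var bundles = roleBundles ?? DefaultBundles;
        var current = new HashSet<string>(StringComparer.Ordinal);
        AddAll(current, "user:", pep.GetUsersAllowedForResource(resource, bundles));
        AddAll(current, "group:", pep.GetGroupsAllowedForResource(resource, bundles));
        // Only static roles come back from this call (see the guide); dynamic roles need a per-user review.
        AddAll(current, "role:", pep.GetRolesAllowedForResource(resource, bundles));

        var drift = new EntitlementDrift();
        drift.Unexpected.AddRange(current.Where(p => !approvedBaseline.Contains(p)).OrderBy(p => p, StringComparer.Ordinal));
        drift.Missing.AddRange(approvedBaseline.Where(p => !current.Contains(p)).OrderBy(p => p, StringComparer.Ordinal));
        return drift;
    }

    private static void AddAll(ISet<string> target, string prefix, string[] names)
    {
        foreach (var name in names ?? Array.Empty<string>())  // a null array is treated as "nobody"
            target.Add(prefix + name);
    }
}

// Constructed in-memory PEP so the example runs offline.
public sealed class FakeEntitlementLookup : IPepEntitlementLookup
{
    public string[] GetUsersAllowedForResource(string resource, string[] roleBundles)
        => resource == "App/Reports/Q3" ? new[] { "alice", "bob" } : Array.Empty<string>();
    public string[] GetGroupsAllowedForResource(string resource, string[] roleBundles)
        => resource == "App/Reports/Q3" ? new[] { "App/Finance" } : Array.Empty<string>();
    public string[] GetRolesAllowedForResource(string resource, string[] roleBundles)
        => resource == "App/Reports/Q3" ? new[] { "App/Auditor" } : Array.Empty<string>();
}

public static class Program
{
    public static void Main()
    {
        // Constructed baseline: what the resource owner approved at the last review.
        var approved = new HashSet<string> { "user:alice", "group:App/Finance", "role:App/Auditor" };
        var drift = EntitlementReview.Review(new FakeEntitlementLookup(), "App/Reports/Q3", approved);
        foreach (var p in drift.Unexpected) Console.WriteLine("UNEXPECTED " + p);
        foreach (var p in drift.Missing) Console.WriteLine("MISSING " + p);
        if (drift.IsClean) Console.WriteLine("no drift");
    }
}
```

Run on a schedule, the Unexpected list is the signal worth alerting on: a principal the PDP permits that nobody approved. Since none of these three methods cache, keep the review off the request path and point it at one resource at a time.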

Method GetDecisionForUsers

This method is used to check whether the given users are authorized to access any specified resource. This method supports caching. If caching is enabled, all relevant data of the specified resource including the permissions, attributes and data of its child resources will be cached. The following parameters need to be implemented in this method:

subjects—Names of the users for whom accessibility to the specified resource needs to be checked.

resource—Fully qualified name of the resource on which accessibility for the specified users needs to be checked.

action—Name of the action for which accessibility of the specified users needs to be checked. In case of no specific action, any must be implemented as the default action name.

This returns a {@link net.cepm.pdp.user.UserContext} object from which you can get the decision and obligations for each individual user.

Method GetDecisionForUsers

This method is used to check whether the given users are authorized to access any specified resource under given roleBundles. This method supports caching. If caching is enabled, all relevant data of the specified resource including the permissions, attributes and data of its child resources will be cached. The following parameters need to be implemented in this method:

subjects—Names of the users for whom accessibility to the specified resource needs to be checked.

resource—Fully qualified name of the resource on which accessibility for the specified users needs to be checked.

action—Name of the action for which accessibility of the specified users needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the decision is checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

This returns a UserContext object from which you can get the decision and obligations for each specified user.

Method GetDecisionForUsers

This method is used to check whether the given users are authorized to access any specified resource under given roleBundles and context. This method supports caching. If caching is enabled, all relevant data of the specified resource including the permissions, attributes and data of its child resources will be cached. The following parameters need to be implemented in this method:

subjects—Names of the users for whom accessibility to the specified resource needs to be checked.

resource—Fully qualified name of the resource on which accessibility for the specified users needs to be checked.

action—Name of the action for which accessibility of the specified users needs to be checked. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the decision is checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

context—Name of the context level to be selected while sending the request. If no context is mentioned in the request, the PDP considers the Global context by default.

This returns a UserContext object from which you can get the decision and obligations for each specified user.

Method GetDecisions

This method is used to obtain all decisions of the resource and its child resources when caching is disabled. This method supports caching. When caching is enabled, this method will cache all relevant data of the resource, including the permissions and attributes, but not the data of its child hierarchy. The following parameters need to be implemented in this method:

userName—Name of the user for whom decisions on the given resource are checked.

resource—Fully qualified name of the resource for which decision is being given.

action—Name of action for which decision is being given. In case of no specific action, any must be implemented as the default action name.

This returns a XacmlResponse which contains the decision (both allow and deny), obligations and dependent attributes of the given resource and its child resources.

Method GetDecisions

This method is used to obtain all decisions of the resource and its child resources under the given roleBundles when caching is disabled. This method supports caching. When caching is enabled, this method will cache all relevant data of the resource, including the permissions and attributes, but not the data of its child hierarchy. The following parameters need to be implemented in this method:

userName—Name of the user for whom decisions on the given resource are checked.

resource—Fully qualified name of the resource for which decision is being given.

action—Name of action for which decision is being given. In case of no specific action, any must be implemented as the default action name.

roleBundles[]—Name of the roleBundles under which the decision is checked. If there is no roleBundle, Default must be used as the rolebundle name.

This returns a XacmlResponse containing the decision, obligations, and dependent attributes.

Method GetDecisions

This method is used to get all decisions of the resource and its child resources under the given roleBundles and context when caching is disabled. This method supports caching. When caching is enabled, this method will cache all relevant data of the resource, including the permissions and attributes, but not the data of its child hierarchy. The following parameters need to be implemented in this method:

userName—Name of the user for whom decisions on the given resource are checked.

resource—Fully qualified name of the resource for which decision is being given.

action—Name of action for which decision is being given. If the specific action is not specified, any must be used as the default action name.

roleBundles[]—Name of the roleBundles under which the decision is checked. If there is no roleBundle, Default must be implemented as the rolebundle name.

context—Name of the context level that must be selected when sending the request. If the context is not mentioned in the request, the PDP considers the Global context by default.

This returns a XacmlResponse containing the decision, obligations, and dependent attributes.

Method GetDecisions

This method is used to obtain the decision for the requested resource as an XacmlResponse. It returns the decisions for the requested resource and its subresources in XACML format. The following parameters need to be implemented in this method:

userName—Name of the user for which access to the specified resource is being determined.

resource—Name of the resource to which access is being determined for the specified user.

action—Name of the action that the specified user is performing on the resource.

level—Integer that refers to the number of resource levels up to which the search shall be extended.

This returns a XacmlResponse containing the decision, obligations, and dependent attributes up to the specified level of resources.

Method GetDecisions

This method is used to obtain a decision for the requested resource as an XacmlResponse. It returns the decisions of the requested resource and its subresources in XACML format. The following parameters need to be implemented in this method:

subject—Name of the user for which access to the specified resource is being checked.

resource—Name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

envMap—Different user attributes, such as obligations, enumerations, and other environmental variables.

This returns an XacmlResponse for the decision and obligation on the policy evaluated for the specified subject. If there is no response from the PDP, you will get a null value.

Method GetDecisions

This method is used to obtain a decision for the requested resource as an XacmlResponse, based on the RoleBundles implemented in the request. It returns the decisions for the requested resource as well as its child resources in XACML format. The following parameters need to be implemented in this method:

subject—Name of the user for which access to the specified resource is being checked.

resource—Name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

envMap—Different user attributes, such as obligations, enumerations, and other environmental variables.

roleBundles[]—Names of the RoleBundles implemented in the request.

This returns a XacmlResponse for the decision and obligation on the policy evaluated for the specified subject. If there is no response from the PDP, you will get a null value.

Method GetDecisions

This method is used to get the decision on the requested resource as a XacmlResponse, based on the RoleBundles implemented in the request in a given context. It returns the decisions of the requested resource as well as its subresources in XACML format. The following parameters need to be implemented in this method:

subject—Name of the user for which access to the specified resource is being checked.

resource—Name of the resource to which access is being checked for the specified user.

action—Name of the action that the specified user is performing on the resource.

envMap—Different user attributes, such as obligations, enumerations, and other environmental variables.

roleBundles[]—Names of the RoleBundles implemented in the request.

context—Name of the context level to be selected while sending the request. If the context is not specified in the request, the PDP considers the Global context by default.

This returns an XacmlResponse for the decision and obligation on the policy evaluated for the specified subject. If there is no response from the PDP, you will get a null value.
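
The GetDecisions overloads above return decisions for a resource and its subresources in one response, bounded by level and shaped by envMap. The C# below is an added example for this guide, not CEPM code; the IPepDecisionClient interface follows the GetDecisions(username, resourceName, action, envMap, level) form this guide names under GetDecisionforResources, while envMap's type and the per-resource layout of the response (DecisionTreeStub) are assumptions, since the real XacmlResponse members are not shown on this page. The point it demonstrates is how a PEP should consume a hierarchical response: look up each child by exact FQN and refuse to infer a decision for any resource the response does not name, including ones that fall beyond the requested level.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the XacmlResponse that GetDecisions returns. The guide says it carries the
// decisions of the requested resource and its subresources; this stub keys them by resource FQN.
// The real class's members are not shown on this page, so this shape is an ASSUMPTION.
public sealed class DecisionTreeStub
{
    public IReadOnlyDictionary<string, string> DecisionByResource { get; }
    public DecisionTreeStub(IReadOnlyDictionary<string, string> decisions) => DecisionByResource = decisions;
}

// ASSUMED .NET shape of GetDecisions(userName, resourceName, action, envMap, level), the overload the
// guide names under GetDecisionforResources; envMap is assumed to be a string-to-string map.
public interface IPepDecisionClient
{
    DecisionTreeStub GetDecisions(string userName, string resourceName, string action,
                                  IDictionary<string, string> envMap, int level);
}

public sealed class SubtreeAuthorizer
{
    private readonly IPepDecisionClient _pep;
    public SubtreeAuthorizer(IPepDecisionClient pep) => _pep = pep ?? throw new ArgumentNullException(nameof(pep));

    // One PDP round trip for a resource subtree, then exact-match lookups for each child.
    public DecisionTreeStub Fetch(string userName, string rootResource, string action,
                                  IDictionary<string, string> envMap, int level)
        => _pep.GetDecisions(userName, rootResource, action, envMap, level);

    // A child resource is allowed only if the response carries an explicit Permit for that exact FQN.
    // A resource absent from the response (for instance, deeper than `level`) is NOT inferred from its
    // parent's decision; the caller must issue a fresh request for it instead.
    public static bool IsPermitted(DecisionTreeStub tree, string resourceFqn)
    {
        if (tree == null) return false;  // no response from the PDP: fail closed
        return tree.DecisionByResource.TryGetValue(resourceFqn, out var decision)
               && string.Equals(decision, "Permit", StringComparison.Ordinal);
    }
}

// Constructed in-memory PEP so the example runs offline. Its reading of `level` (number of levels
// below the requested resource) is an assumption made for the example.
public sealed class FakeDecisionClient : IPepDecisionClient
{
    private static readonly Dictionary<string, string> Policy = new Dictionary<string, string>
    {
        ["App/Reports"] = "Permit",
        ["App/Reports/Q3"] = "Permit",
        ["App/Reports/Q3/Salaries"] = "Deny",
        ["App/Reports/Q3/Summary"] = "Permit",
    };

    public DecisionTreeStub GetDecisions(string userName, string resourceName, string action,
                                         IDictionary<string, string> envMap, int level)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        int rootDepth = resourceName.Split('/').Length;
        foreach (var kv in Policy)
        {
            bool inSubtree = kv.Key == resourceName || kv.Key.StartsWith(resourceName + "/", StringComparison.Ordinal);
            int depthBelowRoot = kv.Key.Split('/').Length - rootDepth;
            if (inSubtree && depthBelowRoot <= level) result[kv.Key] = kv.Value;
        }
        return new DecisionTreeStub(result);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed environment attributes; the key names are illustrative, not CEPM-defined.
        var envMap = new Dictionary<string, string> { ["client.ip"] = "10.0.0.7", ["request.time"] = "2024-01-15T09:30:00Z" };
        var authz = new SubtreeAuthorizer(new FakeDecisionClient());
        var tree = authz.Fetch("alice", "App/Reports", "read", envMap, 1);   // root plus one level of children

        Console.WriteLine(SubtreeAuthorizer.IsPermitted(tree, "App/Reports/Q3"));          // named in the response
        Console.WriteLine(SubtreeAuthorizer.IsPermitted(tree, "App/Reports/Q3/Summary"));  // beyond level 1, so not inferred
    }
}
```

The second lookup is the interesting one: the parent App/Reports/Q3 is permitted, but a PEP that let a child inherit that answer would also let App/Reports/Q3/Salaries through, which the policy denies. Keep level as small as the page you are rendering needs, and treat anything outside the returned set as "ask again", never as "allowed".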

Method GetDecisionsByResourceType

This method is used to get decisions (both permit and deny) for all resources of a specific application based on the specified ResourceType. Only resources created using the specified resourceType are accepted. This method supports only Oracle and does not support MSSQL or DB2. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for which decisions on the given resource is checked.

resourceTypeName—Fully qualified name of the resourceType based on which the decision is given.

applicationName—Fully qualified name of the application for which the decision is given.

This returns an XacmlResponse containing the obligations and attributes of resources which are created using the specified resourcetype.

Method GetDecisionsByResourceType

This method is used to get the decisions of all resources with a given action and created under a given application using a given resourceType. Only those resources which are created using the specified resourceType will be accepted. This method supports only Oracle and does not support MSSQL or DB2. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for which decisions on the specified resource are checked.

resourceTypeName—Fully qualified name of the resourceType based on which the decision is given.

applicationName—Fully qualified name of the application for which the decision is given.

action—Name of the action for which the decision is given. If the specific action is not specified, any must be implemented as the default action name.

This returns an XacmlResponse containing the obligation and resourceAttributes of all resources created for the specified application which were created using the resourceType and have the specified action.

Method GetDecisionsByResourceTypeForAnyAction

This method is used to get decisions (both permit and deny) of all resources created using the given resourceType, regardless of the actions they have. This method takes all actions of the resources having the specified resourceType. This method supports only Oracle and does not support MSSQL or DB2. This method does not support caching. The following parameters need to be implemented in this method:

subject—Name of the user for which decisions on the specified resource is checked.

resourceTypeName—Fully qualified name of the resourceType based on which the decision is given.

applicationName—Fully qualified name of the application for which decision is given.

This returns an XacmlResponse containing the obligations and attributes of the resources created using the specified resourceType, based on the permission given for each of their actions.

Method GetRoles

This method is used to get all roles assigned to a user on the specified application. The following parameters need to be implemented in this method:

subject—Name of the user for which access to the specified resource is being verified.

applicationName—Name of the application.

roleBundles[]—Name of the roleBundles under which the user accessibility needs to be checked. If there is no roleBundle, Default must be used as the rolebundle name.

context—Name of the context level that must be selected when sending the request. If the context is not mentioned in the request, the PDP considers the Global context by default.

envMap—Different key values, such as xpath etc.

This returns an array of roles (both Static and Dynamic Roles) assigned to the specified user for the specific application.

Method GetUsersForGroup

This method is used to get all users mapped with a specific dynamic group. The following parameters need to be implemented in this method:

groupFQN—Fully qualified name of the dynamic group whose mapped users are to be retrieved.

This returns an array of users directly mapped with the specified dynamic group. This also returns the users mapped to its immediate parent group (which is a static group) only if the rule configured on the specified dynamic group is satisfied.

Method GetUsersForRole

This method is used to get all users mapped with a specific dynamic role. The following parameters need to be implemented in this method:

roleFQN—Fully qualified name of the dynamic role whose mapped users are to be retrieved.

This returns an array of users directly mapped with the specified dynamic role. This also returns the users mapped to its immediate parent role (which is a static role) only if the rule configured on the specified dynamic role is satisfied.

Method GetDecisionforResources

This method is the same as getDecisions(username, resourceName, action, envMap, level) but it gives the decisions for multiple resources with actions. The following parameters need to be implemented in this method:

subject—Name of the user for which the decision is checked.

resourceNames—Fully qualified names of the resources. Multiple resources can be passed at a time.

action—Name of the action to be implemented in the request. If the specific action is not specified you can use Any.

envMap—Different attributes such as, obligations, enumerations, and other environmental variables.

level—An integer which refers to the level of the resource up to which the PDP will extend its decision.

This returns an XacmlResponse containing the obligations and attributes of multiple resources with actions as specified in the request.

Method GetDecisionsWithRoles

This method is the same as GetDecisions(username, resourceName, action, envMap, level) but it gives the decisions for multiple resources with actions. The following parameters need to be implemented in this method:

subject—Name of the user for which decision is checked.

resource—Fully qualified name of the resource

action—Name of the action to be implemented in the request. If the specific action is not specified you can use Any.

envMap—Different attributes, for example, obligations, enumerations, and other environmental variables.

level—An integer which refers to the level of the resource up to which the PDP will extend its decision.

This returns an XacmlResponse containing the obligations and attributes of multiple resources, along with the roles created under those resources to which the specified user is mapped. The PDP returns both static and dynamic roles.

Method GetGroups

This method is similar to the GetDecisions(username, resourceName, action, envMap, level) method but it gives the decisions for multiple resources with actions. The following parameters need to be implemented in this method:

subject—Name of the user.

applicationName—Fully qualified name of the application.

action—Name of the action to be implemented in the request. If the specific action is not specified you can use Any.

envMap—Different attributes, for example, obligations, enumerations, and other environmental variables.

level—An integer which refers to the level of the resource up to which the PDP will extend its decision.

This returns the FQN of the group(s) to which the user belongs within the specified applicationName, after the group conditions have been evaluated.