I want to check (from within a program) whether a certain MWS role (configured in MWS via user management) is allowed to see a certain page (specified by its alias). I.e. I’d need a function like this:
While at it, I’d also be very interested in how to check whether a role (or some other principal) is allowed to see instances of a certain process model.
Here is a snippet that demonstrates how to check access in MWS:
// Imports: the classes below come from the MWS portal API (com.webMethods.portal.*).
// The original snippet omitted them; the package names are taken from the MWS Javadoc
// and should be verified against the MWS release in use.
import java.util.Collection;
import com.webMethods.portal.PortalException;
import com.webMethods.portal.bizPolicy.ContextFactory;
import com.webMethods.portal.bizPolicy.IBizPolicyManager;
import com.webMethods.portal.bizPolicy.IBizPolicyNames;
import com.webMethods.portal.bizPolicy.IContext;
import com.webMethods.portal.bizPolicy.biz.access.IAccessPolicy;
import com.webMethods.portal.system.IComponentNames;
import com.webMethods.portal.system.IURI;
import com.webMethods.portal.system.PortalSystem;
// IThingID, IAccessRight, PrincipalModel and PrincipalModelFactory are MWS API classes as well;
// take their packages from the Javadoc of your release.

/**
 * Check access test driver
 */
public void checkAccessTest() throws PortalException {
    // "Administrator" is the role name, "folder.system" the alias of the page to check
    boolean granted = checkAccessToPage("Administrator", "folder.system");
    System.out.println("Administrator can read folder.system: " + granted);
}

/**
 * Check the access on a page/thing for a specific principal.
 * Returns true if the principal holds the READ right on the page.
 */
public boolean checkAccessToPage(String principalID, String pageAlias) throws PortalException {
    // get the various managers we'll need
    IContext context = ContextFactory.acquireContext(true);
    IBizPolicyManager bizPolicyManager =
        (IBizPolicyManager) PortalSystem.getComponentProvider(IComponentNames.BIZPOLICY);
    IAccessPolicy accessPolicy = (IAccessPolicy) bizPolicyManager.getComponent(IBizPolicyNames.ACCESS);
    // get the thingID of the page/thing to check (the alias is resolved to a URI)
    IThingID pageThingID = (IThingID) PortalSystem.getPortalSystem().acquireURI(pageAlias);
    // resolve the user/role to a principal URI
    PrincipalModel principalModel =
        (PrincipalModel) PrincipalModelFactory.createPrincipalModelFromID(principalID);
    IURI principalURI = principalModel.getPrincipalURI();
    // get the principal's effective access to the page; the access policy already takes
    // role membership, security realms and the page's ACL into account
    Collection<Integer> rightsSet = accessPolicy.getAccessEx(context, pageThingID, principalURI);
    // check if the READ right is granted
    return rightsSet.contains(IAccessRight.READ_RIGHT);
}
Thank you for this code fragment! Interestingly, it uses other classes than the code from the sample (IAclManager etc.), but (hopefully) does the same.
Is there a description (official or unofficial, maybe from some internal SAG forums) of the MWS security model and how it’s covered by the API?
As for the processes: I understand that the process models are not stored in MWS. But are the access rights also stored there (i.e. not in MWS)? If they are stored at the same location as the models, then it should be the PRT or the Process Monitor, right? Should I dig there?
What confuses me is the fact that these rights are configured from the MWS UI: you first have a list of all roles, then you can select a role and choose process models that the role is allowed to see. Hence I conclude that the process models are also entities for the MWS. I tried to get it from the links (URLs) the roles point to, but they don’t tell me much.
I’d be grateful if you could talk to some guys from the appropriate team.
The AccessPolicy API is a better approach, as it is the API used internally to determine access to an item. It encompasses several security levels, including role membership and security realms as well as simple ACLs.
I have another little question. Should the code you provided also work directly in IS (I think all the needed Java libraries could be made accessible there if they are not already)? Or is it only for running within the MWS server?
It’s very simple. We have some test cases, implemented as IS services, that verify our system setup/deployment. One of the things we’d like to check is whether some roles have access to certain pages in MWS.
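An added example (not code from this thread or from Software AG) of what such a deployment test can look like once the checkAccessToPage method posted above is available: it evaluates a whole table of expectations in one pass and reports every mismatch. The point of the table is that it also lists pages a role must not see, since a deployment that grants too much is the case a security check is there to catch. The PageAccessChecker interface, the PageAccessExpectation class, the role names, page aliases and the expectations themselves are all assumptions made up for the example; whether the MWS classes can be loaded inside IS is the open question above, so the checker is plain Java that can be called from either side.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.webMethods.portal.PortalException;

/** Adapter for the thread's checkAccessToPage(principalID, pageAlias) method (hypothetical name). */
interface PageAccessChecker {
    boolean canRead(String principalID, String pageAlias) throws PortalException;
}

/** One row of the expectation table: should this role be able to read this page? (hypothetical) */
final class PageAccessExpectation {
    final String role;
    final String pageAlias;
    final boolean shouldRead;

    PageAccessExpectation(String role, String pageAlias, boolean shouldRead) {
        this.role = role;
        this.pageAlias = pageAlias;
        this.shouldRead = shouldRead;
    }
}

public class PageAccessDeploymentCheck {

    // Constructed test data: roles and aliases are placeholders, not real deployment values.
    static final List<PageAccessExpectation> EXPECTATIONS = Arrays.asList(
        new PageAccessExpectation("Administrator", "folder.system", true),
        new PageAccessExpectation("My Users", "folder.system", false), // must be denied
        new PageAccessExpectation("My Users", "folder.public", true)
    );

    /**
     * Evaluates every expectation against the live MWS and returns a list of violations;
     * an empty list means the deployment matches the expected access matrix.
     * Both directions are reported: a role that cannot see a page it needs, and a role
     * that can see a page it must not. A check that fails with an exception (unknown role,
     * unknown alias, MWS not reachable) is reported as a violation too, never skipped,
     * so a broken test cannot silently pass.
     */
    public List<String> findViolations(PageAccessChecker checker,
                                       List<PageAccessExpectation> expectations) {
        List<String> violations = new ArrayList<String>();
        for (PageAccessExpectation e : expectations) {
            boolean actual;
            try {
                actual = checker.canRead(e.role, e.pageAlias);
            } catch (PortalException ex) {
                violations.add(e.role + " / " + e.pageAlias + ": check failed: " + ex.getMessage());
                continue;
            }
            if (actual != e.shouldRead) {
                violations.add(e.role + (actual ? " CAN" : " CANNOT") + " read " + e.pageAlias
                        + " but " + (e.shouldRead ? "should" : "must not"));
            }
        }
        return violations;
    }

    /**
     * Usage from the class that holds the thread's checkAccessToPage method:
     *
     *   List<String> problems = new PageAccessDeploymentCheck()
     *       .findViolations(this::checkAccessToPage, PageAccessDeploymentCheck.EXPECTATIONS);
     *   if (!problems.isEmpty()) { fail the IS test service and log each entry }
     */
}
```

Keeping the expectation table as data rather than as a sequence of individual calls makes the access matrix reviewable on its own, and the negative rows are the ones worth keeping under version control: a later change to a role's ACL that widens access shows up as a failed test instead of going unnoticed.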
May I ask you to provide a code snippet that would check whether the specified MWS role is subscribed to notification mails for/from the task with the specified task type id? I.e. for the method
Two things, because this is a topic near and dear to my heart:
Will those internal MWS APIs change without warning?
I’ve struggled in the past to find a way to get a list of roles that can access a task. This would be an amazing building block in the quest for one universal inbox (I want to use it to constrain the Delegate button, which currently allows delegation to the CEO if the user wishes). Any thoughts?