[Gliffy diagram: Authorization Model]


Again, the mappings for the Authorization check are:

  • Agent: the authenticated entity
  • Function: "can create Hold", "can update Hold", "can delete Hold"
  • Qualifier: Issue for create, Hold for update and delete

The Qualifier as an Organization

The service architect has seen Qualifier hierarchies based on organizations. She attempts to map these two kinds of Qualifiers and jots down some pseudo-code in an Authorization OSID Adapter:

Code Block
boolean isAuthorized(org.osid.id.Id agentId, org.osid.id.Id functionId, org.osid.id.Id qualifierId) {
    org.osid.id.Id issueId;

    // Resolve the Qualifier to an Issue: the Issue itself for create, the Hold's
    // parent Issue for update. Any other Function is delegated to the underlying provider.
    if (functionId.equals(CREATEHOLD_FUNCTION_ID)) {
        issueId = qualifierId;
    } else if (functionId.equals(UPDATEHOLD_FUNCTION_ID)) {
        org.osid.hold.Hold hold = holdLookupSession.getHold(qualifierId);
        issueId = hold.getIssueId();
    } else {
        return (underlyingAuthorizationProvider.isAuthorized(agentId, functionId, qualifierId));
    }

    // Map the Agent to a Person and read the organizational rules off the Issue record.
    org.osid.id.Id resourceId = resourceAgentSession.getResourceIdByAgent(agentId);
    org.osid.hold.Issue issue = issueLookupSession.getIssue(issueId);
    OrganizationIssueRecord record = (OrganizationIssueRecord) issue.getIssueRecord(ORGANIZATION_ISSUE_RECORD_TYPE);
    org.osid.id.IdList organizationIds;

    if (functionId.equals(CREATEHOLD_FUNCTION_ID)) {
        organizationIds = record.getHoldCreatorOrganizationIds();
    } else {
        organizationIds = record.getHoldUpdaterOrganizationIds();
    }

    // Authorized if the Person holds an Appointment to any Position in any of those Organizations.
    try {
        while (organizationIds.hasNext()) {
            org.osid.id.Id orgId = organizationIds.getNextId();
            try (org.osid.personnel.PositionList positions = positionLookupSession.getPositionsForOrganization(orgId)) {
                while (positions.hasNext()) {
                    org.osid.personnel.Position position = positions.getNextPosition();
                    try (org.osid.personnel.AppointmentList appointments = appointmentLookupSession.getAppointmentsForPersonAndPosition(resourceId, position.getId())) {
                        if (appointments.hasNext()) {
                            return (true);
                        }
                    }
                }
            }
        }

        return (false);
    } finally {
        organizationIds.close();
    }
}

What has been accomplished is to bury both the organizational affiliations and the mappings from Issues and Holds to Organizations inside the adapter. It is certainly encapsulated, but that is all this solution has going for it. It is hairy, has many service dependencies, and is probably slow. It also deals with only one aspect of authorization: to audit who has access to what, this logic would have to be replicated in a form that can also return implicit authorizations.
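To make that critique concrete, here is an added, stand-alone Python model of the same Organization-based check; it is not OSID code, and the ids, sample data and the `implicit_authorizations` helper are constructed for illustration. The forward check mirrors the adapter above, while the audit question ("who may do this?") has to retrace every link of the Issue, Organization, Position, Appointment chain in the opposite direction.

```python
from collections.abc import Callable

# Function ids from the mapping above.
CREATE_HOLD, UPDATE_HOLD, DELETE_HOLD = "can create Hold", "can update Hold", "can delete Hold"

# Constructed sample data standing in for the Hold, Issue, Personnel and Resource
# services the adapter consults (all ids are hypothetical).
HOLD_ISSUE = {"hold-1": "issue-A"}                                  # Hold -> its Issue
ISSUE_ORGS = {"issue-A": {CREATE_HOLD: {"org-registrar"},           # Issue record rules
                          UPDATE_HOLD: {"org-registrar", "org-deans"}}}
ORG_POSITIONS = {"org-registrar": {"pos-clerk"}, "org-deans": {"pos-dean"}}
APPOINTMENTS = {("alice", "pos-clerk"), ("bob", "pos-dean")}        # (person, position)
AGENT_PERSON = {"agent-alice": "alice", "agent-bob": "bob", "agent-carol": "carol"}


def issue_for(function: str, qualifier: str) -> str:
    """Create is qualified by an Issue; update is qualified by a Hold."""
    return qualifier if function == CREATE_HOLD else HOLD_ISSUE[qualifier]


def org_ids_for(function: str, qualifier: str) -> set[str]:
    """Organizations whose members may perform `function` on the resolved Issue."""
    return ISSUE_ORGS[issue_for(function, qualifier)].get(function, set())


def is_authorized(agent: str, function: str, qualifier: str,
                  underlying: Callable[[str, str, str], bool] = lambda a, f, q: False) -> bool:
    """Forward check, mirroring the adapter: anything but create/update is delegated."""
    if function not in (CREATE_HOLD, UPDATE_HOLD):
        return underlying(agent, function, qualifier)
    person = AGENT_PERSON[agent]
    return any((person, pos) in APPOINTMENTS
               for org in org_ids_for(function, qualifier)
               for pos in ORG_POSITIONS[org])


def implicit_authorizations(function: str, qualifier: str) -> set[str]:
    """Audit query: the same chain walked in reverse, which the adapter cannot
    answer because it only ever evaluates one Agent at a time."""
    positions = {pos for org in org_ids_for(function, qualifier) for pos in ORG_POSITIONS[org]}
    persons = {person for person, pos in APPOINTMENTS if pos in positions}
    return {agent for agent, person in AGENT_PERSON.items() if person in persons}
```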

The Authorization Two-Step