...
Overview
This page describes algorithms that are used to assign capabilities to a user and role, capability sets to a user, and role.
Capability Relation Management
Capability assignment to a role
safeCreate flag is used only internally, for outside requests a user must always assign a set of new capability ids, if not - an update operation allows the creation and delete capabilities in a single request
...
| Expand |
|---|
| title | Role-Capability assignment PlantUML |
|---|
|
| Code Block |
|---|
@startuml
!theme mono
!pragma useVerticalIf on
skinparam conditionStyle inside
skinparam defaultTextAlignment center
skinparam defaultFontSize 12
<style>
activityDiagram {
activity {
MaximumWidth 600
backgroundColor #f0f0f0
LineColor DimGrey
}
diamond {
HorizontalAlignment center
}
group {
LineColor LightGrey
FontSize 10
}
}
</style>
group RoleCapabilityServiceImpl {
:get role by id;<<input>>
:get ""roleCapabilities"" by ""roleId"";<<task>>
:extract existing ""capabilityIds"" from ""roleCapabilities"";<<task>>
if (not ""safeCreate"" AND ""capabilityIds"" not empty)) then (yes)
:throw EntityExistsException;<<output>>
end
else (no)
:store difference between new and existing "capabilityIds" sets;<<input>>
end if
group assignCapabilities {
:store assigned capabilities through capability sets as ""assignedCapabilityIds"";<<input>>
:store union of ""assignedCapabilityIds"" and ""assignedIds"" as ""assignedCapabilityIds"";<<task>>
group #LightSteelBlue CapabilityEndpointService.getByCapabilityIds {
:get difference with ""newCapabilityIds"" and """assignedIds"" as ""changedIdentifiers"";<<input>>
:get changed capability endpoints by querying capabilities by ""changedIdentifiers""
and extracting distinct list of assigned endpoints and store it as ""changedCapabilityEndpoints"";<<task>>
:get assigned capability endpoints by querying capabilities by ""assignedIds""
and extracting distinct list of assigned endpoints and store it as ""assignedCapabilityEndpoints"";<<task>>
:return subtraction ""assignedCapabilityEndpoints"" from ""changedCapabilityEndpoints"";<<output>>
}
:rolePermissionsService.createPermissions for ""roleId"" and ""endpoints"";<<task>>
group #LightSteelBlue CapabilityEndpointService.getByCapabilityIds {
if (""endpoints"" are empty) then (yes)
:do nothing;<<output>>
else (no)
:get role by ""roleId"";<<input>>
:generate policy name for ""role"";<<input>>
:getOrCreate role policy by name
//Policy name template:// ""Policy for role: {{roleId}}"";<<task>>
:create permissions in Keycloak with role policy, list of endpoint and using permissionNameGenerator
//Permission name template:// ""{{httpMethod}} access for role '{{roleId}}' to '{{path}}'"";
end if
}
:generate RoleCapabilityEntity for ""newIds"" and store them as ""entities"";<<task>>
:upsert entities to table ""role_capability"" in database;<<output>>
:convert ""RoleCapabilityEntity"" to ""RoleCapability"" and return them as ""PageResult"";<<output>>
}
}
@enduml |
|
...
Capability assignment to a user
safeCreate flag is used only internally, for outside requests a user must always assign a set of new capability ids, if not - an update operation allows the creation and delete capabilities in a single request
...
| Expand |
|---|
| title | User-Capability assignment PlantUML |
|---|
|
| Code Block |
|---|
@startuml
!theme mono
!pragma useVerticalIf on
skinparam conditionStyle inside
skinparam defaultTextAlignment center
skinparam defaultFontSize 12
<style>
activityDiagram {
activity {
MaximumWidth 600
backgroundColor #f0f0f0
LineColor DimGrey
}
diamond {
HorizontalAlignment center
}
group {
LineColor LightGrey
FontSize 10
}
}
</style>
group UserCapabilityServiceImpl {
:get keycloak user by Folio user id;<<input>>
:create keycloakUser If not exists by calling ""mod-users-keycloak"" API;<<task>>
:extract existing ""capabilityIds"" from ""userCapabilities"";<<task>>
if (not ""safeCreate"" AND ""capabilityIds"" not empty)) then (yes)
:throw EntityExistsException;<<output>>
end
else (no)
:store difference between new and existing "capabilityIds" sets;<<input>>
end if
group assignCapabilities {
:store assigned capabilities through capability sets as ""assignedCapabilityIds"";<<input>>
:store union of ""assignedCapabilityIds"" and ""assignedIds"" as ""assignedCapabilityIds"";<<task>>
group #PaleGreen CapabilityEndpointService.getByCapabilityIds {
:get difference with ""newCapabilityIds"" and """assignedIds"" as ""changedIdentifiers"";<<input>>
:get changed capability endpoints by querying capabilities by ""changedIdentifiers""
and extracting distinct list of assigned endpoints and store it as ""changedCapabilityEndpoints"";<<task>>
:get assigned capability endpoints by querying capabilities by ""assignedIds""
and extracting distinct list of assigned endpoints and store it as ""assignedCapabilityEndpoints"";<<task>>
:return subtraction ""assignedCapabilityEndpoints"" from ""changedCapabilityEndpoints"";<<output>>
}
:userPermissionsService.createPermissions for ""userId"" and ""endpoints"";<<task>>
group #PaleGreen CapabilityEndpointService.getByCapabilityIds {
if (""endpoints"" are empty) then (yes)
:do nothing;<<output>>
else (no)
:get keycloak user by Folio ""userId"";<<input>>
:generate policy name for ""user"";<<input>>
:getOrCreate user policy by name
//Policy name template:// ""Policy for user: {{userId}}"";<<task>>
:create permissions in Keycloak with user policy, list of endpoint and using permissionNameGenerator
//Permission name template:// ""{{httpMethod}} access for user '{{userId}}' to '{{path}}'"";
end if
}
:generate UserCapabilityEntity for ""newIds"" and store them as ""entities"";<<task>>
:upsert entities to table ""user_capability"" in database;<<output>>
:convert ""UserCapabilityEntity"" to ""UserCapability"" and return them as ""PageResult"";<<output>>
}
}
@enduml |
|
Link management between Capability sets and Roles
...
Capability set assignment to a role
Capability set assignment to a user