Authorization Open Service Interface Definitions authorization version 3.0.0

The Authorization OSID manages and queries authorizations.

Authorizations

An Authorization is an OsidRelationship that defines who can do what to what. The grammar of an authorization incluides the subject or the actor (who), the action or verb (do what), and the object or context (to what). All three of these components must exist in an authorization for it to have any explicit meaning. An Authorization is a mapping among these three components.

• Agent: the actor (eg: tom@coppeto.org)
• Function: the action (eg: create purchase order)
• Qualifier: the object or context within a Function (eg: on account 1967)

This tuple in essence defines a role. “Instructor” is not a role and is not suitable for making an authorization decision. “Instructs Physics 101”, both the function and qualifier, defines the complete role (within the context of a particular college) that can be used for an authorization decision.

The basic service of the Authorization OSID is to provide a means for asking whether a given Agent is authorized to perform a Function with a Qualifier, in other words, if such a mapping exists. The Agent will generally be obtained from an Authentication service and the Function and Qualifier generally known to the consuming application (a server process needing to protect some resource).

Example

Authentication auth = authNValidationSession.authenticate(creds);

AuthorizationSession session = authZManager.getAuthorizationSession(); boolean authorized = session.isAuthorized(auth.getAgentId(), functionId, qualifierId);

The rest of the Authorization OSID is concerned with managing authorizations.

Explicit/Implicit Authorizations

Authorizations can be explcit or implcit. Explicit authorizations are managed while implcit authorizations are derived from Resources, Function and Qualifier hierrachies. Examples of implcit authorizations:

• The Authorization OSID can accept a Resource in lieu of an Agent as the actor so a Person, Group or Organization may be used to specify an authorization. In this case, the explicit authorization is the one containing the Resource and an implicit authorization exists for each Agent.
• Qualifiers only exist as Hierarchy Nodes since the Authorization OSID does not manage the objects used as qualifiers but may manage directly, or have access to, a Hierarchy service to obtain the identity and relationship among these objects. An explicit authorization for a given Qualifier creates an implcit authorization for every child of that Qualifier.

The Authorization OSID manages Functions directly through its owned defined sessions and exposes actors via the Resource OSID. Qualifiers are only exposed through the Hierarchy service as the Authorization service doesn’t have anything to say about the objects represented by the Qualifiers.

Vault Cataloging

Authorizations, Functions and Qualifiers may be organized into one or many Vaults. This serves to categorize authorizatiion data for the purpose of browsing or auditing. Vaults are hierarchical where each node includes all the authorization data of its children. A single root node will make available all known authorizations and is a reasonable choice for a default Vault for a non-federated aware consumer. A federated authorization scheme is one in which Vaults are available for selection.

Notifications

Certain consumers may wish to be notified of changes within the service. Authorization supports notifications via AuthorizatioNotificationSession, FunctionNotificationSession and VaultNotificationSession.

if (manager.supportsAuthorizationNotification()) {

AuthorizationNotificationSession ans = manager.getAuthorizationNotificationSession(receiver); ans.registerForDeletedAuthorizations();

}

AuthorizationReceiver receiver {

newAuthorization(Authorization a) {print(“authorization created”);} deletedAuthorization(Authorization a) {print(“authorization removed”);}

}

Sub Packages

The Authorization OSID includes an Authorization Rules OSID for managing the effectiveness of Authorizations.

Service Managers

Authorization Profile

class dlkit.services.authorization.AuthorizationProfile

Bases: dlkit.osid.managers.OsidProfile

The AuthorizationProfile describes the interoperability among authorization services.

supports_authorization()

Tests for the availability of an authorization service which is the basic service for checking authorizations.

Returns:true if authorization is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_authorization_lookup()

Tests if an authorization lookup service is supported.

An authorization lookup service defines methods to access authorizations.

Returns:true if authorization lookup is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_authorization_query()

Tests if an authorization query service is supported.

Returns:true if authorization query is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_authorization_admin()

Tests if an authorization administrative service is supported.

Returns:true if authorization admin is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_vault_lookup()

Tests if a vault lookup service is supported.

A vault lookup service defines methods to access authorization vaults.

Returns:true if function lookup is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_vault_query()

Tests if a vault query service is supported.

Returns:true if vault query is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

supports_vault_admin()

Tests if a vault administrative service is supported.

Returns:true if vault admin is supported, false otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

authorization_record_types

Gets the supported Authorization record types.

Returns:a list containing the supported authorization record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

authorization_search_record_types

Gets the supported Authorization search record types.

Returns:a list containing the supported authorization search record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

function_record_types

Gets the supported Function record types.

Returns:a list containing the supported Function record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

function_search_record_types

Gets the supported Function search record types.

Returns:a list containing the supported Function search record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

qualifier_record_types

Gets the supported Qualifier record types.

Returns:a list containing the supported Qualifier record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

qualifier_search_record_types

Gets the supported Qualifier search record types.

Returns:a list containing the supported Qualifier search record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

vault_record_types

Gets the supported Vault record types.

Returns:a list containing the supported Vault record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

vault_search_record_types

Gets the supported vault search record types.

Returns:a list containing the supported Vault search record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

authorization_condition_record_types

Gets the supported AuthorizationCondition record types.

Returns:a list containing the supported AuthorizationCondition record types Return type:osid.type.TypeList

compliance: mandatory – This method must be implemented.

Authorization Manager

class dlkit.services.authorization.AuthorizationManager(proxy=None)

Bases: dlkit.osid.managers.OsidManager, dlkit.osid.sessions.OsidSession, dlkit.services.authorization.AuthorizationProfile

The authorization manager provides access to authorization sessions and provides interoperability tests for various aspects of this service.

The sessions included in this manager are:

• AuthorizationSession: a session to performs authorization checks
• AuthorizationLookupSession: a session to look up Authorizations
• AuthorizationQuerySession: a session to query Authorizations
• AuthorizationSearchSession: a session to search Authorizations
• AuthorizationAdminSession: a session to create, modify and delete Authorizations
• AuthorizationNotificationSession: a session to receive messages pertaining to Authorization changes
• AuthorizationVaultSession: a session to look up authorization to vault mappings
• AuthorizationVaultAssignmentSession: a session to manage authorization to vault mappings
• AuthorizationSmartVaultSession: a session to manage smart authorization vaults
• FunctionLookupSession: a session to look up Functions
• FunctionQuerySession: a session to query Functions
• FunctionSearchSession: a session to search Functions
• FunctionAdminSession: a session to create, modify and delete Functions
• FunctionNotificationSession: a session to receive messages pertaining to Function changes
• FunctionVaultSession: a session for looking up function and vault mappings
• FunctionVaultAssignmentSession: a session for managing function and vault mappings
• FunctionSmartVaultSession: a session to manage dynamic function vaults
• QualifierLookupSession: a session to look up Qualifiers
• QualifierQuerySession: a session to query Qualifiers
• QualifierSearchSession: a session to search Qualifiers
• QualifierAdminSession: a session to create, modify and delete Qualifiers
• QualifierNotificationSession: a session to receive messages pertaining to Qualifier changes
• QualifierHierarchySession: a session for traversing qualifier hierarchies
• QualifierHierarchyDesignSession: a session for managing qualifier hierarchies
• QualifierVaultSession: a session for looking up qualifier and vault mappings
• QualifierVaultAssignmentSession: a session for managing qualifier and vault mappings
• QualifierSmartVaultSession: a session to manage dynamic qualifier vaults
• VaultLookupSession: a session to lookup vaults
• VaultQuerySession: a session to query Vaults
• VaultSearchSession : a session to search vaults
• VaultAdminSession : a session to create, modify and delete vaults
• VaultNotificationSession : a session to receive messages pertaining to Vault changes
• VaultHierarchySession : a session to traverse the Vault hierarchy
• VaultHierarchyDesignSession : a session to manage the Vault hierarchy

authorization_batch_manager

Gets an AuthorizationBatchManager.

Returns:an AuthorizationBatchManager Return type:osid.authorization.batch.AuthorizationBatchManager Raise:OperationFailed – unable to complete request Raise:Unimplemented – supports_authorization_batch() is false

compliance: optional – This method must be implemented if ``supports_authorization_batch()`` is true.

authorization_rules_manager

Gets an AuthorizationRulesManager.

Returns:an AuthorizationRulesManager Return type:osid.authorization.rules.AuthorizationRulesManager Raise:OperationFailed – unable to complete request Raise:Unimplemented – supports_authorization_rules() is false

compliance: optional – This method must be implemented if ``supports_authorization_rules()`` is true.

Vault Lookup Methods

AuthorizationManager.can_lookup_vaults()

Tests if this user can perform Vault lookups.

A return of true does not guarantee successful authorization. A return of false indicates that it is known all methods in this session will result in a PermissionDenied. This is intended as a hint to an application that may opt not to offer lookup operations to unauthorized users.

Returns:false if lookup methods are not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.use_comparative_vault_view()

The returns from the lookup methods may omit or translate elements based on this session, such as authorization, and not result in an error.

This view is used when greater interoperability is desired at the expense of precision.

compliance: mandatory – This method is must be implemented.

AuthorizationManager.use_plenary_vault_view()

A complete view of the Vault returns is desired.

Methods will return what is requested or result in an error. This view is used when greater precision is desired at the expense of interoperability.

compliance: mandatory – This method is must be implemented.

AuthorizationManager.get_vault(vault_id)

Gets the Vault specified by its Id.

In plenary mode, the exact Id is found or a NotFound results. Otherwise, the returned Vault may have a different Id than requested, such as the case where a duplicate Id was assigned to a Vault and retained for compatibility.

Parameters:vault_id (osid.id.Id) – Id of the Vault Returns:the vault Return type:osid.authorization.Vault Raise:NotFound – vault_id not found Raise:NullArgument – vault_id is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method is must be implemented.

AuthorizationManager.get_vaults_by_ids(vault_ids)

Gets a VaultList corresponding to the given IdList.

In plenary mode, the returned list contains all of the vaults specified in the Id list, in the order of the list, including duplicates, or an error results if an Id in the supplied list is not found or inaccessible. Otherwise, inaccessible Vault objects may be omitted from the list and may present the elements in any order including returning a unique set.

Parameters:vault_ids (osid.id.IdList) – the list of Ids to retrieve Returns:the returned Vault list Return type:osid.authorization.VaultList Raise:NotFound – an Id was not found Raise:NullArgument – vault_ids is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vaults_by_genus_type(vault_genus_type)

Gets a VaultList corresponding to the given vault genus Type which does not include vaults of types derived from the specified Type.

In plenary mode, the returned list contains all known vaults or an error results. Otherwise, the returned list may contain only those vaults that are accessible through this session.

Parameters:vault_genus_type (osid.type.Type) – a vault genus type Returns:the returned Vault list Return type:osid.authorization.VaultList Raise:NullArgument – vault_genus_type is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vaults_by_parent_genus_type(vault_genus_type)

Gets a VaultList corresponding to the given vault genus Type and include any additional vaults with genus types derived from the specified Type.

In plenary mode, the returned list contains all known vaults or an error results. Otherwise, the returned list may contain only those vaults that are accessible through this session.

Parameters:vault_genus_type (osid.type.Type) – a vault genus type Returns:the returned Vault list Return type:osid.authorization.VaultList Raise:NullArgument – vault_genus_type is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vaults_by_record_type(vault_record_type)

Gets a VaultList containing the given vault record Type.

In plenary mode, the returned list contains all known vaults or an error results. Otherwise, the returned list may contain only those vaults that are accessible through this session.

Parameters:vault_record_type (osid.type.Type) – a vault record type Returns:the returned Vault list Return type:osid.authorization.VaultList Raise:NullArgument – vault_record_type is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vaults_by_provider(resource_id)

Gets a VaultList from the given provider ````.

In plenary mode, the returned list contains all known vaults or an error results. Otherwise, the returned list may contain only those vaults that are accessible through this session.

Parameters:resource_id (osid.id.Id) – a resource Id Returns:the returned Vault list Return type:osid.authorization.VaultList Raise:NullArgument – resource_id is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.vaults

Gets all Vaults.

In plenary mode, the returned list contains all known vaults or an error results. Otherwise, the returned list may contain only those vaults that are accessible through this session.

Returns:a VaultList Return type:osid.authorization.VaultList Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

Vault Query Methods

AuthorizationManager.can_search_vaults()

Tests if this user can perform Vault searches.

A return of true does not guarantee successful authorization. A return of false indicates that it is known all methods in this session will result in a PermissionDenied. This is intended as a hint to an application that may opt not to offer search operations to unauthorized users.

Returns:false if search methods are not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.vault_query

Gets a vault query.

Returns:a vault query Return type:osid.authorization.VaultQuery

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vaults_by_query(vault_query)

Gets a list of Vault objects matching the given search.

Parameters:vault_query (osid.authorization.VaultQuery) – the vault query Returns:the returned VaultList Return type:osid.authorization.VaultList Raise:NullArgument – vault_query is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure Raise:Unsupported – vault_query is not of this service

compliance: mandatory – This method must be implemented.

Vault Admin Methods

AuthorizationManager.can_create_vaults()

Tests if this user can create Vaults.

A return of true does not guarantee successful authorization. A return of false indicates that it is known creating a Vault will result in a PermissionDenied. This is intended as a hint to an application that may not wish to offer create operations to unauthorized users.

Returns:false if Vault creation is not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.can_create_vault_with_record_types(vault_record_types)

Tests if this user can create a single Vault using the desired record types.

While AuthorizationManager.getVaultRecordTypes() can be used to examine which records are supported, this method tests which record(s) are required for creating a specific Vault. Providing an empty array tests if a Vault can be created with no records.

Parameters:vault_record_types (osid.type.Type[]) – array of vault record types Returns:true if Vault creation using the specified Types is supported, false otherwise Return type:boolean Raise:NullArgument – vault_record_types is null

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vault_form_for_create(vault_record_types)

Gets the vault form for creating new vaults.

A new form should be requested for each create transaction.

Parameters:vault_record_types (osid.type.Type[]) – array of vault record types Returns:the vault form Return type:osid.authorization.VaultForm Raise:NullArgument – vault_record_types is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure Raise:Unsupported – unable to get form qith requested record types

compliance: mandatory – This method must be implemented.

AuthorizationManager.create_vault(vault_form)

Creates a new Vault.

Parameters:vault_form (osid.authorization.VaultForm) – the form for this Vault Returns:the new Vault Return type:osid.authorization.Vault Raise:IllegalState – vault_form already used in a create transaction Raise:InvalidArgument – one or more of the form elements is invalid Raise:NullArgument – vault_form is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure Raise:Unsupported – vault_form did not originate from get_vault_form_for_create()

compliance: mandatory – This method must be implemented.

AuthorizationManager.can_update_vaults()

Tests if this user can update Vaults.

A return of true does not guarantee successful authorization. A return of false indicates that it is known updating a Vault will result in a PermissionDenied. This is intended as a hint to an application that may not wish to offer update operations to unauthorized users.

Returns:false if Vault modification is not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.get_vault_form_for_update(vault_id)

Gets the vault form for updating an existing vault.

A new vault form should be requested for each update transaction.

Parameters:vault_id (osid.id.Id) – the Id of the Vault Returns:the vault form Return type:osid.authorization.VaultForm Raise:NotFound – vault_id is not found Raise:NullArgument – vault_id is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.update_vault(vault_form)

Updates an existing vault.

Parameters:vault_form (osid.authorization.VaultForm) – the form containing the elements to be updated Raise:IllegalState – vault_form already used in an update transaction Raise:InvalidArgument – the form contains an invalid value Raise:NullArgument – vault_form is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure Raise:Unsupported – vault_form did not originate from get_vault_form_for_update()

compliance: mandatory – This method must be implemented.

AuthorizationManager.can_delete_vaults()

Tests if this user can delete vaults.

A return of true does not guarantee successful authorization. A return of false indicates that it is known deleting a Vault will result in a PermissionDenied. This is intended as a hint to an application that may not wish to offer delete operations to unauthorized users.

Returns:false if Vault deletion is not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.delete_vault(vault_id)

Deletes a Vault.

Parameters:vault_id (osid.id.Id) – the Id of the Vault to remove Raise:NotFound – vault_id not found Raise:NullArgument – vault_id is null Raise:OperationFailed – unable to complete request Raise:PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.

AuthorizationManager.can_manage_vault_aliases()

Tests if this user can manage Id aliases for Vaults.

A return of true does not guarantee successful authorization. A return of false indicates that it is known changing an alias will result in a PermissionDenied. This is intended as a hint to an application that may opt not to offer alias operations to an unauthorized user.

Returns:false if Vault aliasing is not authorized, true otherwise Return type:boolean

compliance: mandatory – This method must be implemented.

AuthorizationManager.alias_vault(vault_id, alias_id)

Adds an Id to a Vault for the purpose of creating compatibility.

The primary Id of the Vault is determined by the provider. The new Id performs as an alias to the primary Id. If the alias is a pointer to another vault it is reassigned to the given vault Id.

Parameters:

• vault_id (osid.id.Id) – the Id of a Vault
• alias_id (osid.id.Id) – the alias Id

Raise:

AlreadyExists – alias_id is already assigned

Raise:

NotFound – vault_id not found

Raise:

NullArgument – vault_id or alias_id is null

Raise:

OperationFailed – unable to complete request

Raise:

PermissionDenied – authorization failure

compliance: mandatory – This method must be implemented.