Permissions: Principles  Locate

Permissions in Oracle Service Registry were developed so that administrators might exercise control over users. Permissions:

This chapter describes permissions in detail with some examples and a description of permission configuration.

Permission is defined as the right to perform an action on some interface. Put another way: permission is the ability to process some method on some interface. Permissions are very different from the other mechanism for rights in Oracle Service Registry, the Access Control List.

Access Control enables the user to control access to the basic UDDI data structures (businessEntity, businessService, bindingTemplate, and tModel). Access Control on Oracle Service Registry is provided by the Access Control List (ACL). The ACL is based on permissions given to a user or group. In the context of ACL, this means that a given user can access only that information in Oracle Service Registry made available to the user by the registry administrator or other users. For more information about the Access Control List, see the Access Control chapter in the User's guide.

Access Control Lists limit the visibility of entities and so restrict the access to data in Oracle Service Registry. Permissions on the other hand restrict access to interfaces. The ACLs restrain users by the restricting the visibility of UDDI structures. Permissions limit users through the visibility of interfaces.

Permissions Definitions  Locate

There are two basic kinds of permission:

ApiUserPermission

ApiUserPermission consists of the interface's name and method from the given interface. This permission provides the user common access to the specified method on the given API. ApiUserPermission enables the user to call methods on an interface as a common user. Users usually must have this permission to perform any call.

ApiManagerPermission

ApiManagerPermission also consists of the names of an interface and of a method. This permission allows the user to call a determined method on the given API. It is very similar to ApiUserPermission. The only difference is in the user's significance. If a user has ApiManagerPermission, that user is considered to be a privileged user. There are many API calls where the result depends on user's importance.

ConfigurationManagerPermission

ConfigurationManagerPermission consists of configuration files and a method's name. The name of the method is either get or set. The ConfigurationManagerPermission combined with the get method allows user to read (get) data from the configuration file. On the other hand, the ConfigurationManagerPermission combined with the set method enables the user to write to the configuration.

Oracle Service Registry Permission Rules  Locate

The following permissions' rules are always valid:

  • Permission is the ability to process a method on an API.

  • Permission contains the type of permission (ApiUserPermission, ApiManagerPermission, ConfigurationManagerPermission), the name (interface's or config's name) and an action (method's name).

    You are allowed to use the asterisk wildcard (*) to substitute all names - names of interfaces, configurations, or actions.

  • There is no hierarchy in permissions. The ability to set permission for users is also a permission (for some methods on PermissionApi).

  • The Oracle Service Registry administrator has all permissions for all methods on all APIs.

  • Permissions are always positive. This means that permissions say what is possible or allowed. Permissions allow user to perform an action (some method on some API). Any action that is not expressly permitted is denied.

  • Permissions can be set for an individual user or for a group of members. Each user is member of the group system#everyone, therefore every user has the default permissions associated with this group.

For more information, see Data Access Control: Principles

Setting Permissions  Locate

This section describes the configuration of permissions. The setting of permissions is written from the administrator's point of view.

There are three basic ways to set permissions for a user:

  • By performing methods on PermissionApi. A user can call these methods only if that user has the appropriate permissions.

  • By calling methods via SOAP or via the Registry Control.

  • By changing permissions directly in the configuration file.

The PermissionApi contains several methods for managing permissions. These methods are described below:

get_permission

Used for obtaining all of a user's permissions. A user possessing the ApiManagerPermission can obtain permissions of other users. A user with only ApiUserPermission, can only discover his or her own permissions.

Note that users who have neither ApiUserPermission nor ApiManagerPermission for a method on PermissionApi, cannot call this method.

set_permission

Provides users the ability to set permissions for other users. It is necessary to possess ApiManagerPermission for this call.

get_permissionDetail

Similar to get_permission, this method can be called for more than one user at a time.

get_permission takes a principal as the input parameter. On the other hand, get_permissionDetail takes an array of principals as the input parameter. If you want to find out the permissions of three users, you can call get_permission three times or you can call get_permissionDetail once.

who_hasPermission

Enables a user to find out who owns a given permission.

[Important]Important

It is not recommended to change permissions directly in the configuration file. However, if the administrator wants to change default permissions for new users (meaning changing permissions for the group system#everyone), there is no other possibility. Before making any changes to these permissions, we strongly recommend making a reserve copy of the configuration. The permissions for special users or groups are stored in the file permission_list.xml.

Permissions and User Roles  Locate

Many systems use user roles in addition to permissions. A user role is usually a set of permissions; it can be predefined in the system or be user-defined. In Oracle Service Registry, the user roles mechanism is implemented by groups. The administrator is allowed to set permissions not only for individual users but also for groups. Instead of restricting the relationship to users and roles, it is possible to create groups, set permissions for them and then add users into these groups. This "group" mechanism in Oracle Service Registry is nearly the same as user role mechanism and it is used instead of user roles. For more information, see Group Management.

ApiManagerPermission Reference  Locate

ApiManagerPermission allow user to use operation in a privileged mode. The following tables explain what does it mean for certain APIs and operations.

Table 4. Account API (org.systinet.uddi.account.AccountApi)

operation (action)Description
find_userAccountNot used.
get_userAccountAllows to get foreign account.
save_userAccountAllows to save/update any account. Allows to set up non default limits. Allows to skip mail confirmation (if it is required).
delete_userAccountAllows to delete any account.
enable_userAccountNot used.

Table 5. Admin Utils API (org.systinet.uddi.admin.AdministrationUtilsApi)

operation (action)Description
deleteTModelAllows to call the deleteTModel operation. (ApiUserPermission is not sufficient to call the operation.)
replaceKeyAllows to call the replaceKey operation. (ApiUserPermission is not sufficient to call the operation.)
cleanSubscriptionHistoryAllows to call the cleanSubscriptionHistory operation. (ApiUserPermission is not sufficient to call the operation.)
resetDiscoveryURLsAllows to call the resetDiscoveryURLs operation. (ApiUserPermission is not sufficient to call the operation.)
transform_keyedReferencesAllows to call the transform_keyedReferences operation. (ApiUserPermission is not sufficient to call the operation.)
rebuild_cacheAllows to call the rebuild_cache operation. (ApiUserPermission is not sufficient to call the operation.)
replaceURLAllows to call the replaceURL operation. (ApiUserPermission is not sufficient to call the operation.)

Table 6. Category API (org.systinet.uddi.client.category.v3.CategoryApi)

operation (action)Description
set_categoryAllows to call the set_category operation. (ApiUserPermission is not sufficient to call the operation.)
add_categoryAllows to call the add_category operation. (ApiUserPermission is not sufficient to call the operation.)
move_categoryAllows to call the move_category operation. (ApiUserPermission is not sufficient to call the operation.)
delete_categoryAllows to call the delete_category operation. (ApiUserPermission is not sufficient to call the operation.)
find_categoryNot used.
get_categoryNot used.
get_rootCategoryNot used.
get_rootPathNot used.

Table 7. Custody API (org.systinet.uddi.client.custody.v3.UDDI_CustodyTransfer_PortType)

operation (action)Description
get_transferTokenAllows to call the get_transferToken operation on foreign entities.
discard_transferTokenAllows to call the discard_transferToken operation on foreign tokens.

Table 8. Group API (org.systinet.uddi.group.GroupApi)

operation (action)Description
find_groupAllows to find foreign private groups.
get_groupAllows to get foreign private groups.
save_groupAllows to save/update foreign groups.
delete_groupAllows to delete foreign groups.
where_amINot used.
find_userNot used.
add_userNot used.
remove_userNot used.

Table 9. Inquiry V1 API (org.systinet.uddi.client.v1.InquireSoap)

operation (action)Description
find_bindingAllows to find all bindingTemplates despite ACL rights.
find_businessAllows to find all businessEntities despite ACL rights.
find_servicesAllows to find all services despite ACL rights.
find_tModelAllows to find all tModels despite ACL rights.
get_bindingDetailAllows to get any bindingTemplate despite ACL rights.
get_businessDetailAllows to get any businessEntity despite ACL rights.
get_businessDetailExtNot used.
get_serviceDetailAllows to get any businessService despite ACL rights.
get_tModelDetailAllows to get any tModel despite ACL rights.

Table 10. Inquiry V2 API (org.systinet.uddi.client.v2.Inquire)

operation (action)Description
find_bindingAllows to find all bindingTemplates despite ACL rights.
find_businessAllows to find all businessEntities despite ACL rights.
find_relatedBusinessesAllows to find all related businessEntities despite ACL rights.
find_servicesAllows to find all services despite ACL rights.
find_tModelAllows to find all tModels despite ACL rights.
get_bindingDetailAllows to get any bindingTemplate despite ACL rights.
get_businessDetailAllows to get any businessEntity despite ACL rights.
get_businessDetailExtNot used.
get_serviceDetailAllows to get any businessService despite ACL rights.
get_tModelDetailAllows to get any tModel despite ACL rights.

Table 11. Inquiry V3 API (org.systinet.uddi.client.v3.UDDI_Inquiry_PortType)

operation (action)Description
find_bindingAllows to find all bindingTemplates despite ACL rights.
find_businessAllows to find all businessEntities despite ACL rights.
find_relatedBusinessesAllows to find all related businessEntities despite ACL rights.
find_servicesAllows to find all services despite ACL rights.
find_tModelAllows to find all tModels despite ACL rights.
get_bindingDetailAllows to get any bindingTemplate despite ACL rights.
get_businessDetailAllows to get any businessEntity despite ACL rights.
get_operationalInfoNot used.
get_serviceDetailAllows to get any businessService despite ACL rights.
get_tModelDetailAllows to get any tModel despite ACL rights.

Table 12. Permission API (org.systinet.uddi.permission.PermissionApi)

operation (action)Description
get_permissionAllows to call the get_permission operation on foreign accounts and groups.
set_permissionAllows to call the set_permission operation. (ApiUserPermission is not sufficient to call the operation.)
who_hasPermissionAllows to call the who_hasPermission operation. (ApiUserPermission is not sufficient to call the operation.)
find_principalAllows to call the find_principal operation. (ApiUserPermission is not sufficient to call the operation.)

Table 13. Publishing V1 API (org.systinet.uddi.client.v1.PublishSoap)

operation (action)Description
delete_bindingAllows deletion of any bindingTemplate despite ACL rights.
delete_businessAllows deletion of any businessEntity despite ACL rights
delete_serviceAllows deletion of any businessService despite ACL rights
delete_tModelAllows deletion of any tModel despite ACL rights
save_binding * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking.
save_business * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking.
save_service * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking.
save_tModel * Allows to update any tModel despite ACL rights. * Skips tModels limit checking.
get_authToken Not used.
discard_authToken Not used.
get_registeredInfo Not used.
validate_categorization Not used.

Table 14. Publishing V2 API (org.systinet.uddi.client.v2.Publish)

operation (action)Description
delete_bindingAllows deletion of any bindingTemplate despite ACL rights.
delete_businessAllows deletion of any businessEntity despite ACL rights
delete_serviceAllows deletion of any businessService despite ACL rights
delete_tModelAllows deletion of any tModel despite ACL rights
save_binding * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking.
save_business * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking.
save_service * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking.
save_tModel * Allows to update any tModel despite ACL rights. * Skips tModels limit checking.
add_publisherAssertions Skips assertions limit checking in add_publisherAssertions operation.
set_publisherAssertions Skips assertions limit checking in set_publisherAssertions operation.
delete_publisherAssertions Not used.
get_publisherAssertions Not used.
get_assertionStatusReport Not used.
get_authToken Not used.
discard_authToken Not used.
get_registeredInfo Not used.

Table 15. Publishing V3 API (org.systinet.uddi.client.v3.UDDI_Publication_PortType)

operation (action)Description
delete_bindingAllows deletion of any bindingTemplate despite ACL rights.
delete_businessAllows deletion of any businessEntity despite ACL rights
delete_serviceAllows deletion of any businessService despite ACL rights
delete_tModelAllows deletion of any tModel despite ACL rights
save_binding * Allows to update any bindingTemplate or create new bindingTemplate in any businessService despite ACL rights. * Skips bindings limit checking.
save_business * Allows to update any businessEntity despite ACL rights. * Skips businesses limit checking.
save_service * Allows to update any businessService or create new businessService in any businessEntity despite ACL rights. * Skips services limit checking.
save_tModel * Allows to update any tModel despite ACL rights. * Skips tModels limit checking.
add_publisherAssertions Skips assertions limit checking in add_publisherAssertions operation.
set_publisherAssertions Skips assertions limit checking in set_publisherAssertions operation.
delete_publisherAssertions Not used.
get_publisherAssertions Not used.
get_assertionStatusReport Not used.
get_registeredInfo Not used.

Table 16. Replication V3 API (org.systinet.uddi.replication.v3.ReplicationApi)

operation (action)Description
replicateAllows to call the replicate operation. (ApiUserPermission is not sufficient to call the operation.)

Table 17. Statistics API (org.systinet.uddi.statistics.StatisticsApi)

operation (action)Description
get_accessStatisticsAllows to call the get_accessStatistics operation. (ApiUserPermission is not sufficient to call the operation.)
reset_accessStatisticsAllows to call the reset_accessStatistics operation. (ApiUserPermission is not sufficient to call the operation.)
get_structureStatisticsAllows to call the get_structureStatistics operation. (ApiUserPermission is not sufficient to call the operation.)

Table 18. Subscription V3 API (org.systinet.uddi.client.subscription.v3.UDDI_Subscription_PortType)

operation (action)Description
delete_subscriptionAllows to delete any subscription despite the caller is not a subscription owner.
save_subscription * Allows to update any subscription despite the caller is not a subscription owner. * Skips subscription limit checking.
get_subscriptionResultsAllows to get result of any subscription despite the caller is not a subscription owner.
get_subscriptionsAllows to get any subscription despite the caller is not a subscription owner.

Table 19. Taxonomy API (com.systinet.uddi.taxonomy.v3.TaxonomyApi)

operation (action)Description
get_taxonomyAllows to obtain all categories in the taxonomy.
find_taxonomyNot used.
save_taxonomyAllows to call the save_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.)
delete_taxonomyAllows to call the delete_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.)
download_taxonomyAllows to call the download_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.)
upload_taxonomyAllows to call the upload_taxonomy operation. (ApiUserPermission is not sufficient to call the operation.)