AbstractDmnBasedPermissionHelper (Flowable Work 3.10.0)

java.lang.Object
- com.flowable.platform.service.permission.AbstractDmnBasedPermissionHelper<T>

Type Parameters:

T - the type of the scoped object this permission helper is implemented for (e.g. a conversation, a user or a case, etc)

Direct Known Subclasses:

UserPermissionServiceImpl
```
public abstract class AbstractDmnBasedPermissionHelper<T>
extends Object
```
An abstract based class for DMN based permission helpers where the evaluation of permissions is based on the execution of DMN models. There are two possible ways to implement such a helper: based on a default and detailed DMN permission model or simply based on one only. If based on two models, implement getDecisionKeyDefaultPermissions() and return the DMN key of the default permission model, otherwise return null instead. The idea of the default model is around execution speed where the commonly used use cases should already be covered by executing the default model and the details should only be needed for deeper testing or not so common use cases.

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`NONE_VALUE`
`static String`	`OUTPUT_KEY_ERROR_MESSAGE`
`static String`	`OUTPUT_KEY_ERROR_MESSAGE_CODE`
`static String`	`OUTPUT_KEY_GROUP_NEEDED`
`static String`	`OUTPUT_KEY_PERMISSION`

Constructor Summary

Constructors
Constructor and Description

AbstractDmnBasedPermissionHelper()

Constructors
Constructor and Description
`AbstractDmnBasedPermissionHelper()`

Method Summary

All Methods Instance Methods Abstract Methods Concrete Methods
Modifier and Type	Method and Description
`protected abstract Map<String,Object>`	`createRuleInputForDefaultModel(String userId, AuthorizedAction action, T scopedObject, Map<String,Object> detailedRuleInput, CommandContext commandContext)` If `getDecisionKeyDefaultPermissions()` returns a non-null value, this method must be implemented in order to create the rule input data for evaluating the default permission model.
`protected PermissionEvaluationResult`	`evaluateDefaultPermissionOutput(String userId, Collection<String> userGroupKeys, String userTenantId, String tenantId, AuthorizedAction action, T scopedObject, Map<String,Object> detailedRuleInput, CommandContext commandContext)` Evaluates the basic permissions for a given action within the scoped object for a specific user based on the default permission DMN model.
`protected PermissionEvaluationResult`	`evaluatePermissionRuleOutput(String userId, Collection<String> userGroupKeys, String userTenantId, Map<String,Object> outputValues, CommandContext commandContext)` Further evaluates the permission output as retrieved from executing the DMN model.
`protected Optional<String>`	`evaluatePermissionsAndProcessResult(String userId, Collection<String> userGroupKeys, String userTenantId, String tenantId, AuthorizedAction action, T scopedObject, Map<String,Object> ruleInput, String decisionModelKey, String globalErrorMessageCode, CommandContext commandContext)` Evaluates default permissions first using the default DMN rule model and depending on the outcome, evaluates the detail DMN rule model according the provided action and decision key and finally processes the outcome accordingly resulting in an optional error message, if permissions have been denied.
`protected Map<String,Object>`	`executeAndLogPermissionModel(CommandContext commandContext, String decisionModelKey, String tenantId, Map<String,Object> ruleInput)` Executes a DMN model based on the given input and decision model key with optional logging and returns the output as a single result.
`protected abstract String`	`getDecisionKeyDefaultPermissions()` If the permission helper is based on a default and detail DMN permission rule mechanism, this method must return the DMN key of the default permission rule model to execute.
`protected List<String>`	`getEmptyListOnNullValue(List<String> list)`
`protected List<PlatformGroup>`	`getGroups(String userId, CommandContext commandContext)`
`protected abstract String`	`getTenantId(T scopedObject)`
`protected boolean`	`isGroupMember(String userId, Collection<String> memberGroups, String identityType, List<IdentityLinkEntity> identityLinks)`
`protected boolean`	`isUserMemberOfGroup(List<PlatformGroup> groups, String groupKey)`
`protected boolean`	`isUserType(String userId, String identityType, List<IdentityLinkEntity> identityLinks)`
`protected Optional<String>`	`processErrorMessage(String tenantId, PermissionEvaluationResult evaluationResult, String globalErrorMessageCode, Map<String,Object> ruleInput)` Processes and returns the error code according the available error message or error message code within the given evaluation result.
`protected String`	`renderErrorMessage(String tenantId, String errorCode, Map<String,Object> payload)` Creates a permission error message based on the provided error code and payload.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- NONE_VALUE
```
public static final String NONE_VALUE
```
  See Also:
  
  Constant Field Values
- OUTPUT_KEY_PERMISSION
```
public static final String OUTPUT_KEY_PERMISSION
```
  See Also:
  
  Constant Field Values
- OUTPUT_KEY_GROUP_NEEDED
```
public static final String OUTPUT_KEY_GROUP_NEEDED
```
  See Also:
  
  Constant Field Values
- OUTPUT_KEY_ERROR_MESSAGE
```
public static final String OUTPUT_KEY_ERROR_MESSAGE
```
  See Also:
  
  Constant Field Values
- OUTPUT_KEY_ERROR_MESSAGE_CODE
```
public static final String OUTPUT_KEY_ERROR_MESSAGE_CODE
```
  See Also:
  
  Constant Field Values

Constructor Detail
- AbstractDmnBasedPermissionHelper
```
public AbstractDmnBasedPermissionHelper()
```

Method Detail

evaluatePermissionsAndProcessResult

protected Optional<String> evaluatePermissionsAndProcessResult(String userId,
                                                               Collection<String> userGroupKeys,
                                                               String userTenantId,
                                                               String tenantId,
                                                               AuthorizedAction action,
                                                               T scopedObject,
                                                               Map<String,Object> ruleInput,
                                                               String decisionModelKey,
                                                               String globalErrorMessageCode,
                                                               CommandContext commandContext)

Evaluates default permissions first using the default DMN rule model and depending on the outcome, evaluates the detail DMN rule model according the provided action and decision key and finally processes the outcome accordingly resulting in an optional error message, if permissions have been denied.

Parameters:: userId - the id of the user to test for permissions; userGroupKeys - the group keys of the user to check the permissions for; userTenantId - the tenant id of the user to check the permissions for; tenantId - the id of the tenant that will be used for lookup of the dmn definition; action - the action to be tested; scopedObject - the scoped object in which context the permissions should be checked; ruleInput - the map containing the necessary input values for executing the detailed DMN rule model; decisionModelKey - the key of the detailed DMN decision model; globalErrorMessageCode - the error message code to be used for error message rendering, if permissions are denied but no detailed error message was provided; commandContext - the command context to execute commands or request additional services and information
Returns:: the optional error message if permissions are denied, for granted access, an Optional.empty is returned

processErrorMessage
```
protected Optional<String> processErrorMessage(String tenantId,
                                               PermissionEvaluationResult evaluationResult,
                                               String globalErrorMessageCode,
                                               Map<String,Object> ruleInput)
```
Processes and returns the error code according the available error message or error message code within the given evaluation result. If none is provided, the general error message will be returned instead.

Parameters:

evaluationResult - the result from the DMN permission model evaluation

globalErrorMessageCode - the global error message code to be used if not a specific one is provided

ruleInput - the map with the input values to the DMN model

Returns:

the error message

evaluateDefaultPermissionOutput

protected PermissionEvaluationResult evaluateDefaultPermissionOutput(String userId,
                                                                     Collection<String> userGroupKeys,
                                                                     String userTenantId,
                                                                     String tenantId,
                                                                     AuthorizedAction action,
                                                                     T scopedObject,
                                                                     Map<String,Object> detailedRuleInput,
                                                                     CommandContext commandContext)

Evaluates the basic permissions for a given action within the scoped object for a specific user based on the default permission DMN model. The output might directly grant or deny access to the action or there is the need to test the action with the particular detailed DMN model for that action.

Parameters:: userId - the id of the user to test for action permission; userGroupKeys - the group keys of the user to check the permissions for; userTenantId - the tenant id of the user to check the permissions for; action - the action to test privileges; scopedObject - the optional scoped object for which the action should be checked; commandContext - the command context used for execution or access to further services

createRuleInputForDefaultModel
```
protected abstract Map<String,Object> createRuleInputForDefaultModel(String userId,
                                                                     AuthorizedAction action,
                                                                     T scopedObject,
                                                                     Map<String,Object> detailedRuleInput,
                                                                     CommandContext commandContext)
```
If getDecisionKeyDefaultPermissions() returns a non-null value, this method must be implemented in order to create the rule input data for evaluating the default permission model. The easiest way is by just returning the same rule input as being used for the detailed rule model, but in some cases, the rule input data is different for the default DMN model.

Parameters:

userId - the id of the user to test for action permissions

action - the action to test privileges

scopedObject - the optional scoped object for which the action should be checked

detailedRuleInput - the rule input as provided and used for the detailed rule model execution

commandContext - the command context used for execution or access to further services

Returns:

the rule input data used for executing the default DMN permission model

getDecisionKeyDefaultPermissions
```
protected abstract String getDecisionKeyDefaultPermissions()
```
If the permission helper is based on a default and detail DMN permission rule mechanism, this method must return the DMN key of the default permission rule model to execute.

Returns:

the optional key of the default DMN permission model, null, if none needed

executeAndLogPermissionModel

protected Map<String,Object> executeAndLogPermissionModel(CommandContext commandContext,
                                                          String decisionModelKey,
                                                          String tenantId,
                                                          Map<String,Object> ruleInput)

Executes a DMN model based on the given input and decision model key with optional logging and returns the output as a single result.

Parameters:: commandContext - the command context used to execute the DMN model; decisionModelKey - the key of the DMN model to be executed; tenantId - the id of the tenant used to lookup the dmn definition; ruleInput - the input values used for executing the DMN model
Returns:: the single output result

evaluatePermissionRuleOutput

protected PermissionEvaluationResult evaluatePermissionRuleOutput(String userId,
                                                                  Collection<String> userGroupKeys,
                                                                  String userTenantId,
                                                                  Map<String,Object> outputValues,
                                                                  CommandContext commandContext)

Further evaluates the permission output as retrieved from executing the DMN model. Depending on the output permission, it further checks whether the user is a member of a certain required group and returns the evaluated permission accordingly.

Parameters:: userId - the id of the user to check the permissions for; userGroupKeys - the group keys of the user to check the permissions for; userTenantId - the tenant id of the user to check the permissions for; outputValues - the output values as being retrieved by executing the DMN model; commandContext - the command context for retrieving further values
Returns:: the final evaluated permission

renderErrorMessage
```
protected String renderErrorMessage(String tenantId,
                                    String errorCode,
                                    Map<String,Object> payload)
```
Creates a permission error message based on the provided error code and payload. The payload must at least contain the necessary parameters as being defined within the TemplateVariationModel. This one uses english as the default language.

Parameters:

tenantId - the if of the tenant that should be used when preparing the message

errorCode - the error code to choose the template variation for

payload - the optional payload containing the necessary parameters (if any needed by the template)

Returns:

the rendered permission error message

getEmptyListOnNullValue

protected List<String> getEmptyListOnNullValue(List<String> list)

isUserMemberOfGroup

protected boolean isUserMemberOfGroup(List<PlatformGroup> groups,
                                      String groupKey)

getGroups

protected List<PlatformGroup> getGroups(String userId,
                                        CommandContext commandContext)

isUserType

protected boolean isUserType(String userId,
                             String identityType,
                             List<IdentityLinkEntity> identityLinks)

isGroupMember

protected boolean isGroupMember(String userId,
                                Collection<String> memberGroups,
                                String identityType,
                                List<IdentityLinkEntity> identityLinks)

getTenantId

protected abstract String getTenantId(T scopedObject)

Class AbstractDmnBasedPermissionHelper<T>

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

NONE_VALUE

OUTPUT_KEY_PERMISSION

OUTPUT_KEY_GROUP_NEEDED

OUTPUT_KEY_ERROR_MESSAGE

OUTPUT_KEY_ERROR_MESSAGE_CODE

Constructor Detail

AbstractDmnBasedPermissionHelper