Kuali Rice Development / KULRICE-5339

Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM

    Details

    • Type: Task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0.0-b6, 2.0
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Similar issues:
      KULRICE-14090 Make improvements to KIM integration performance
      KULRICE-11725 Finish KIM RoleDao conversion for JPA
      KULRICE-4494 Integrate Document Search security with KIM
      KULRICE-2121 Fix and finish Ignored KIM tests
      KULRICE-9157 DataDictionaryTypeServiceHelper should check for a null control
      KULRICE-7185 Optimization of KIM Permission Checks
      KULRICE-3946 Check KIM relationships for lazy loading
      KULRICE-4667 Evaluate remote KIM services: analysis & decision
      KULRICE-6053 Add documentation on "Integrating KIM with other IDM services" to the KIM technical docs
      KULRICE-5046 Add support for KIM authorization checks to WorkflowFunctions in eDocLite
    • Rice Module:
      KRAD
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required

      Description

      AttributeSecurity needs to check against KIM to determine whether the security should be applied for the user (mask, partial mask, hidden, readOnly). This needs to integrate with the authorizer.

      Here are some tips for finishing the authorization integration:

      See BusinessObjectAuthorizationServiceImpl#getMaintenanceDocumentRestrictions and other methods

      ----------------------

      Create ViewAuthorizationService

      Create method #invokeAuthorizerPresentationController in ViewAuthorizationService

      1) Invoke Presentation controller to get set of conditionally hidden property names, readonly property names, required property names,
      readonly group ids, and hidden group ids

      2) Invoke Authorizer to get set of security readonly group ids and hidden group ids, then iterate over each and evaluate the KIM permission. If permission
      fails add the group id to the corresponding set found in step 1

      3) Apply restrictions to view

      Assume the restricted property name is on the object path of the fields binding info, or if blank the view's default object binding path, unless
      the property name starts with UifConstants.NO_BIND_ADJUST_PREFIX

      Property name can contain a collection name and then a field, in which case the restriction should apply to all fields in the collection with that name

      Note only set the corresponding property on the AttributeField if the restriction is enabled, not otherwise (this is so any expression will remain and
      still evaluate)

      if read only restriction - field.setReadOnly(true)
      if hidden restriction - field.setRender(false)
      if mask restriction - field.setReadOnly(true) and field.setMasked(true)
      if partial mask restriction - field.setReadOnly(true) and field.setPartialMasked(true)
      if group hidden - get all attribute fields for group and set field.setRender(false)
      if group read only - get all attribute fields for group and set field.setReadOnly(true)

      1. Also, move contents from ViewHelperServiceImpl#invokeAuthorizerPresentationController to new method and move call in performApplyModel
        to after the call to performComponentApplyModel

      Create method #checkFieldAttributeSecurity in ViewAuthorizationService

      1) Check following

      • if attributeSecurity.isMask() : check field unmask authorization (use dictionaryObjectEntry as data object and dictionaryAttributeName as attribute name)
      • if attributeSecurity.isPartialMask() : check field partial unmask authorization
      • if attributeSecurity.isHide() : check field view authorization
      • if attributeSecurity.isReadonly() : check field modify authorization

      Note: Use the dictionaryObjectEntry for the data object and the dictionaryAttributeName as the attribute name. If not set, use the object given by the view's default
      binding path and the property name of the attribute field

      Checks should go through the corresponding authorizer

      Note special handling needs to be done for collection fields (calling to get additional details)

      1. Invoke in performComponentApplyModel after runComponentModifiers call

      --------------------

      Note the presentation/authorizer classes we are working with in krad are located in uif/authorization. The KNS versions are located in document.authorization, bo.authorization, and some other packages.

      Needs more analysis. In particular for other presentation/authorizer methods and button permissions.

      Document well and apply formatting
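
The field-level check described in the ticket, as an added example that is not part of the original issue and not Kuali Rice code. `Field`, `AttributeSecurity`, `Check`, `FieldAuthorizer` and the permission data are simplified, hypothetical stand-ins; only the flag names and setter semantics come from the description above.

```java
import java.util.*;

// Added sketch (Java 16+). Field, AttributeSecurity, Check and FieldAuthorizer are
// simplified, hypothetical stand-ins, not the KRAD/KIM classes named in the ticket.
public class AttributeSecurityDemo {
    enum Check { UNMASK, PARTIAL_UNMASK, VIEW, MODIFY }
    record AttributeSecurity(boolean mask, boolean partialMask, boolean hide, boolean readOnly) {}
    interface FieldAuthorizer { boolean isAuthorized(Check c, String objectEntry, String attr, String principalId); }

    static class Field {
        String propertyName, dictionaryObjectEntry, dictionaryAttributeName;
        boolean readOnly, masked, partialMasked, render = true;
        Field(String propertyName) { this.propertyName = propertyName; }
    }

    static void checkFieldAttributeSecurity(Field f, AttributeSecurity sec, String defaultObject,
                                            FieldAuthorizer auth, String principalId) {
        if (sec == null) return;
        // Dictionary names win; otherwise fall back to the view's default object and the property name.
        String obj = f.dictionaryObjectEntry != null ? f.dictionaryObjectEntry : defaultObject;
        String attr = f.dictionaryAttributeName != null ? f.dictionaryAttributeName : f.propertyName;
        // Flags are only ever moved to the restrictive value; a passing check leaves the
        // field untouched so any expression configured on it still evaluates.
        if (sec.hide() && !auth.isAuthorized(Check.VIEW, obj, attr, principalId)) f.render = false;
        if (sec.mask() && !auth.isAuthorized(Check.UNMASK, obj, attr, principalId)) { f.readOnly = true; f.masked = true; }
        if (sec.partialMask() && !auth.isAuthorized(Check.PARTIAL_UNMASK, obj, attr, principalId)) { f.readOnly = true; f.partialMasked = true; }
        if (sec.readOnly() && !auth.isAuthorized(Check.MODIFY, obj, attr, principalId)) f.readOnly = true;
    }

    public static void main(String[] args) {
        // Constructed permission data: principal -> checks granted on Vendor.taxId.
        Map<String, Set<Check>> grants = Map.of(
            "auditor", EnumSet.of(Check.VIEW, Check.UNMASK),
            "clerk", EnumSet.of(Check.VIEW));
        // Unknown principals get the empty set, so every configured restriction applies.
        FieldAuthorizer auth = (c, obj, attr, p) ->
            "Vendor".equals(obj) && "taxId".equals(attr) && grants.getOrDefault(p, Set.of()).contains(c);
        AttributeSecurity sec = new AttributeSecurity(true, false, true, true);
        for (String p : List.of("auditor", "clerk", "guest")) {
            Field f = new Field("taxId");
            checkFieldAttributeSecurity(f, sec, "Vendor", auth, p);
            System.out.printf("%-8s render=%b readOnly=%b masked=%b%n", p, f.render, f.readOnly, f.masked);
        }
    }
}
```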

          Activity

          Venkat PremChandran (Inactive) made changes -
          Field Original Value New Value
          Link This issue relates to KULRICE-5183 [ KULRICE-5183 ]
          Jerry Neal (Inactive) made changes -
          Summary AttributeSecurity needs to check against KIM Finish integration with presentation controller/authorizer/AttributeSecurity checking KIM
          Assignee Jerry Neal [ jkneal ] Venkat PremChandran [ vpremcha ]
          Affects Version/s 2.0 [ 14190 ]
          Scott Gibson (Inactive) made changes -
          Fix Version/s 2.0.0-m7 [ 16314 ]
          Fix Version/s 2.0 [ 14190 ]
          Scott Gibson (Inactive) made changes -
          Start Date
          Fix Date 2011-08-08 [ set to sprint end date ]
          Scott Gibson (Inactive) made changes -
          Start Date
          Fix Date 2011-09-06 [ set to sprint end date ]
          Jessica Coltrin (Inactive) made changes -
          Fix Version/s 2.0.0-m8 [ 16326 ]
          Fix Version/s 2.0.0-m7 [ 16314 ]
          Jessica Coltrin (Inactive) made changes -
          Start Date
          Fix Date 2011-09-06 2011-09-05 [ set to sprint end date ]
          Venkat PremChandran (Inactive) made changes -
          Assignee Venkat PremChandran [ vpremcha ] Jerry Neal [ jkneal ]
          Scott Gibson (Inactive) made changes -
          Fix Version/s 2.0.0-m9 [ 16327 ]
          Fix Version/s 2.0.0-m8 [ 16326 ]
          Scott Gibson (Inactive) made changes -
          Start Date
          Fix Date 2011-09-05 2011-10-10 [ set to sprint end date ]
          Jerry Neal (Inactive) made changes -
          Priority Major [ 3 ] Blocker [ 1 ]
          Jessica Coltrin (Inactive) made changes -
          Rice Lead sgibson
          Jessica Coltrin (Inactive) made changes -
          Fix Version/s 2.0.0-b1 [ 16315 ]
          Fix Version/s 2.0.0-m9 [ 16327 ]
          Jessica Coltrin (Inactive) made changes -
          Start Date
          Fix Date 2011-10-10 2011-11-07 [ set to sprint end date ]
          Jessica Coltrin (Inactive) made changes -
          Fix Version/s 2.0.0-b2 [ 16371 ]
          Fix Version/s 2.0.0-b1 [ 16315 ]
          Jessica Coltrin (Inactive) made changes -
          Start Date
          Fix Date 2011-11-07 2011-11-21 [ set to sprint end date ]
          Eric Westfall made changes -
          Fix Version/s 2.0.0-b2 [ 16371 ]
          Jerry Neal (Inactive) made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          Jessica Coltrin (Inactive) made changes -
          Fix Version/s 2.0.0-b3 [ 16375 ]
          Jessica Coltrin (Inactive) made changes -
          Start Date
          Fix Date 2011-11-21 2011-12-05 [ set to sprint end date ]
          Jessica Coltrin (Inactive) made changes -
          Fix Version/s 2.0.0-b4 [ 16376 ]
          Fix Version/s 2.0.0-b3 [ 16375 ]
          Jessica Coltrin (Inactive) made changes -
          Start Date
          Fix Date 2011-12-05 2011-12-19 [ set to sprint end date ]
          Scott Gibson (Inactive) made changes -
          Fix Version/s 2.0.0-b5 [ 16377 ]
          Fix Version/s 2.0.0-b4 [ 16376 ]
          Scott Gibson (Inactive) made changes -
          Start Date
          Fix Date 2011-12-19 2012-01-09 [ set to sprint end date ]
          Jerry Neal (Inactive) made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          Jessica Coltrin (Inactive) made changes -
          Priority Blocker [ 1 ] Critical [ 2 ]
          Jerry Neal (Inactive) made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          Jessica Coltrin (Inactive) made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Shem Patterson (Inactive) made changes -
          Workflow custom [ 98926 ] Copy of custom for rice [ 212840 ]
          Shem Patterson (Inactive) made changes -
          Workflow Copy of custom for rice [ 212840 ] custom [ 222588 ]
          Shem Patterson (Inactive) made changes -
          Workflow custom [ 222588 ] Rice Workflow [ 232336 ]

            People

            • Assignee:
              Jerry Neal (Inactive)
              Reporter:
              Jerry Neal (Inactive)