2 Replies Latest reply on Nov 7, 2013 4:30 PM by Pedro Igor

    How to check privileges of user in a group

    Amrullah Amrullah Newbie

      Hi,

       

      I am new to Picketlink. I would like to create a group called 'staff' and then assigned it with 'create-article' privilege. Afterwards 'john' user are added to 'staff' group. But when I log in as 'john', I don't have 'create-article' privilege?

       

      This is what I did:

      1. create 'staff' group:

          Group staff = new Group("staff");

          identityManager.add(staff);

       

      2. create 'create-article' role

          Role roleCreateArticle = new Role("create-article");

          identityManager.add(roleCreateArticle);

       

      3. Assign 'create-article' to 'staff'

          BasicModel.grantRole(relationshipManager, staff, roleCreateArticle);

       

      4. Create 'john' user

          User john = new User("john");

          john.setEmail("john@panemu.com");

          john.setFirstName("john");

          john.setLastName("Syadzili");

          identityManager.add(john);

          identityManager.updateCredential(john, new Password("john"));

       

      5. Add 'john' to 'staff' group

         BasicModel.addToGroup(relationshipManager, john, staff);

       

      6. Check 'john' privelege after login

          Role role = getRole(this.identityManager, 'create-article');

          boolean result = hasRole(this.relationshipManager, this.identity.getAccount(), role);

       

      Why the result is false?

       

      Thank you

        • 1. Re: How to check privileges of user in a group
          Pedro Igor Master

          Hi,

           

              The BasicModel provides a tiny abstraction on top of PicketLink IDM API. It provides some basic validations and more meaningful methods to work with the basic model we provide (User, Role, Group, Grant, etc). See our docs for more details on this:

           

                      PicketLink Reference Documentation

           

              This validation in specific (that a role is granted to an user if it was granted to a group he belongs) is something that is not provided OOTB by the the BasicModel class. But you can always provide your own implementations with your own business logic.

           

              Please note that PL is not only the BasicModel, you can always provide your own identity model (and map it to any of the available identity stores) to better fit your requirements.

           

          Regards.

          • 2. Re: How to check privileges of user in a group
            Pedro Igor Master

            Hi Amrullah,

             

                After some internal discussion around this topic, we decided to provide this validation OOTB. You can check the JIRA here:

             

                    https://issues.jboss.org/browse/PLINK-322

             

                If you have any addition consideration, please fell free to add a comment to the issue above.

             

            Thanks.     

            1 of 1 people found this helpful