|Authorization (ISecurity Interface)|
|Calling the Server Interface|
The ISecurity interface is called by connecting to the SAS Metadata Server and obtaining a handle to the ISecurity server interface.
A SAS Java Metadata Interface client accesses the ISecurity server interface by importing the appropriate packages, instantiating an object factory, and connecting to the SAS Metadata Server with a handle to the interface that is appropriate for the task that it wants to perform.
The ISecurity server interface is provided in the sas.oma.omi.jar file in the SAS 9.2 Platform VJR. A Java client accesses the ISecurity server interface by importing the appropriate com.sas.meta.SASOMI packages.
The ISecurity interface versions are designed so that existing SAS clients can continue to work unchanged.
To use SAS 9.1 methods, import com.sas.meta.SASOMI.ISecurity and com.sas.meta.SASOMI.ISecurityPackage.
To use SAS 9.2 methods, import com.sas.meta.SASOMI.ISecurity_1_1 and com.sas.meta.SASOMI.ISecurity_1_1Package.
The SAS 9.2 Java Metadata Interface provides the MdFactory interface to instantiate an object factory for the SAS Metadata Server and the MdOMRConnection interface for connecting to the SAS Metadata Server. Use the MdOMRConnection interface's makeISecurityConnection method to connect to the server with the ISecurity server interface.
|Identifying Resources to ISecurity Methods|
Many ISecurity methods have a resource parameter. A resource is a metadata object that represents the entity on which authorization or another action is requested.
A resource is identified by a URN in one of two forms:
OMSOBJ indicates that the request is to the SAS namespace of the SAS Metadata Model. The SAS namespace contains metadata types that describe application elements. MetadataType is one of the SAS namespace metadata types. For a list of supported metadata types, see the SAS Metadata Model documentation. ObjectId is the requested object's 17-character metadata object identifier. The first eight characters of the object identifier are a repository identifier; the remaining eight characters are the unique object instance identifier.
REPOSID indicates that the request is to the REPOS namespace of the SAS Metadata Model. The REPOS namespace contains metadata types that describe a repository. The first eight characters of a repository ID are the SAS Repository Manager identifier A0000001, which is the same for all repositories. Therefore, you need to specify only a repository's unique 8-character object instance identifier in _reposID.
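A validator for the resource identifiers described above, added here as an example; it is not SAS code and makes no SAS API calls. It assumes the two URN forms are written `OMSOBJ:MetadataType/ObjectId` and `REPOSID:_reposID`, that identifiers are alphanumeric with a period between the two 8-character halves, and the class name `ResourceUrn` is hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: checks ISecurity resource identifiers before they are sent to the server. */
public final class ResourceUrn {
    // Assumed URN shapes: OMSOBJ:MetadataType/ObjectId and REPOSID:_reposID.
    // ObjectId = 8-char repository id + '.' + 8-char instance id (17 characters in total).
    private static final Pattern OMSOBJ = Pattern.compile(
        "OMSOBJ:\\s*([A-Za-z][A-Za-z0-9_]*)/([A-Za-z0-9]{8})\\.([A-Za-z0-9]{8})");
    private static final Pattern REPOSID = Pattern.compile("REPOSID:\\s*([A-Za-z0-9]{8})");
    // Repository Manager identifier shared by all repositories (from the text above).
    private static final String REPOSITORY_MANAGER_ID = "A0000001";

    public final String namespace;    // "SAS" or "REPOS"
    public final String metadataType; // null for REPOSID URNs
    public final String repositoryId; // 8 characters
    public final String instanceId;   // 8 characters; null for REPOSID URNs

    private ResourceUrn(String ns, String type, String repo, String instance) {
        namespace = ns; metadataType = type; repositoryId = repo; instanceId = instance;
    }

    /** Parses a resource URN, rejecting anything that is not exactly one of the two forms. */
    public static ResourceUrn parse(String urn) {
        if (urn == null) throw new IllegalArgumentException("resource URN is null");
        Matcher m = OMSOBJ.matcher(urn.trim());
        if (m.matches()) return new ResourceUrn("SAS", m.group(1), m.group(2), m.group(3));
        m = REPOSID.matcher(urn.trim());
        if (m.matches()) return new ResourceUrn("REPOS", null, m.group(1), null);
        throw new IllegalArgumentException("not an OMSOBJ or REPOSID resource URN");
    }

    /** Repository ID with the Repository Manager prefix (assumes the same '.' separator). */
    public String fullRepositoryId() { return REPOSITORY_MANAGER_ID + "." + repositoryId; }

    public static void main(String[] args) {
        // Constructed sample identifiers, not taken from a real repository.
        String[] samples = { "OMSOBJ:Person/A5DRX6L4.AB000001", "REPOSID:A5DRX6L4",
                             "OMSOBJ:Person/A5DRX6L4.AB000001 extra", "OMSOBJ:Person/SHORT.1" };
        for (String s : samples) {
            try {
                ResourceUrn r = parse(s);
                System.out.println("accepted " + r.namespace + " repo=" + r.fullRepositoryId());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + ": " + e.getMessage());
            }
        }
    }
}
```

Rejecting malformed identifiers on the client keeps unexpected strings out of authorization requests and makes a mistyped object ID fail early instead of returning an authorization result for the wrong resource.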
The SAS Metadata Server supports user identities of metadata type Person, IdentityGroup, and in SAS 9.2, Role.
Most ISecurity methods accept a credential handle or use the user ID of the calling user to identify the identity for which to return an authorization or information. A credential handle is a token representing an identity's authorizations on the SAS Metadata Server. A handle is obtained with the GetCredentials method.
The following methods support additional ways to specify the identity for which to process a request:
The GetApplicationActionsAuthorizations method supports submission of the string ROLE_rolename to specify a Role. For more information, see GetApplicationActionsAuthorizations.
The GetIdentity method supports submission of the string LOGINID: userid to identify a Person or IdentityGroup. For more information, see GetIdentity.
The GetInfo method supports the submission of an identity resource identifier in the form IdentityType: Name, where IdentityType can be Person, IdentityGroup, or Role. For more information, see GetInfo.
Methods that create and manage internal user accounts use a different convention to identify a user. Internal user accounts are supported only for identities of metadata type Person. These accounts rely on the Person object's Name= value to identify the account. Therefore, methods that create and operate on internal user accounts require you to identify the internal user by name. For more information, see SetInternalPassword, SetInternalLoginUserOptions, GetInternalLoginUserInfo, and DeleteInternalLogin.
|Understanding the ISecurity 1.0 Interface|
The ISecurity 1.0 interface includes the following authorization methods:
Returns a handle to a provider-specific credential.
Frees the handle returned by GetCredentials.
Gets authorization information for a resource, depending on the type of authorization requested.
Gets identity metadata for the specified user.
Determines whether an authenticated user is authorized to access a resource with a specific permission.
|Understanding the ISecurity 1.1 Interface|
The ISecurity 1.1 interface contains three categories of methods:
ISecurity 1.0 authorization methods that were updated for the SAS 9.2 environment
Internal authentication methods
Generalized authorization methods
The SAS 9.2 methods support internal SAS Metadata Server authentication when new internal user accounts are used, in addition to the traditional external authentication.
In order of use, the internal authentication methods are the following:
Returns the active server-level internal authentication policies.
Creates an InternalLogin object for the specified user.
Customizes internal authentication policies for the specified user.
Gets availability information and internal authentication settings for the specified user.
Deletes the InternalLogin object that is associated with the specified user.
In alphabetical order, the generalized authorization methods are the following:
Returns authorizations for ApplicationActions in a SoftwareComponent object.
Gets authorizations for a specified set of objects and permissions.
Retrieves identity information, depending on the value in the INFOTYPE parameter, including the origin of a specified identity's privileges, the value of active enterprise policies, and so on.
Retrieves the logins for the connected user for the specified authentication domain in order of identity precedence.
Returns the TRUE value when the user specified in CREDHANDLE is in a role.
For more information, see the documentation for the individual methods.