Previous Page | Next Page

Authorization (ISecurity Interface)

Using the ISecurity Server Interface

Calling the Server Interface

The ISecurity interface is called by connecting to the SAS Metadata Server and obtaining a handle to the ISecurity server interface.

A SAS Java Metadata Interface client accesses the ISecurity server interface by importing the appropriate packages, instantiating an object factory, and connecting to the SAS Metadata Server with a handle to the interface that is appropriate for the task that it wants to perform.

The ISecurity server interface is provided in the sas.oma.omi.jar file in the SAS 9.2 Platform VJR. A Java client accesses the ISecurity server interface by importing the appropriate com.sas.meta.SASOMI packages.

The ISecurity interface versions are designed so that existing SAS clients can continue to work unchanged.

The SAS 9.2 Java Metadata Interface provides the MdFactory interface to instantiate an object factory for the SAS Metadata Server and the MdOMRConnection interface for connecting to the SAS Metadata Server. Use the MdOMRConnection interface's makeISecurityConnection method to connect to the server with the ISecurity server interface.

Identifying Resources to ISecurity Methods

Many ISecurity methods have a resource parameter. A resource is a metadata object that represents the entity on which authorization or another action is requested.

A resource is identified by a URN in one of two forms: 

OMSOBJ:MetadataType/ObjectId 

REPOSID:_reposID

OMSOBJ indicates that the request is to the SAS namespace of the SAS Metadata Model. The SAS namespace contains metadata types that describe application elements. MetadataType is one of the SAS namespace metadata types. For a list of supported metadata types, see the SAS Metadata Model documentation. ObjectId is the requested object's 17-character metadata object identifier. The first eight characters of the object identifier are a repository identifier; the remaining eight characters are the unique object instance identifier.

REPOSID indicates the request is to the REPOS namespace of the SAS Metadata Model. The REPOS namespaces contains metadata types that describe a repository. The first eight characters of a repository ID are the SAS Repository Manager identifier A0000001, which is the same for all repositories. Therefore, you need specify only a repository's unique 8-character object instance identifier in _reposID.

Identifying Users

The SAS Metadata Server supports user identities of metadata type Person, IdentityGroup, and in SAS 9.2, Role.

Most ISecurity methods accept a credential handle or use the user ID of the calling user to identify the identity for which to return an authorization or information. A credential handle is a token representing an identity's authorizations on the SAS Metadata Server . A handle is obtained with the GetCredentials method.

The following methods support additional ways to specify the identity for which to process a request:

Methods that create and manage internal user accounts use a different convention to identify a user. Internal user accounts are supported only for identities of metadata type Person. These accounts rely on the Person object's Name= value to identify the account. Therefore, methods that create and operate on internal user accounts require you to identify the internal user by name. For more information, see SetInternalPassword, SetInternalLoginUserOptions, GetInternalLoginUserInfo, and DeleteInternalLogin.

Understanding the ISecurity 1.0 Interface

The ISecurity 1.0 interface includes the following authorization methods:

GetCredentials

Returns a handle to a provider-specific credential.

FreeCredentials

Frees the handle returned by GetCredentials.

GetAuthorizations

Gets authorization information for a resource, depending on the type of authorization requested.

GetIdentity

Gets identity metadata for the specified user.

IsAuthorized

Determines whether an authenticated user is authorized to access a resource with a specific permission.

Understanding the ISecurity 1.1 Interface

The ISecurity 1.1 interface contains three categories of methods:

The SAS 9.2 methods support internal SAS Metadata Server authentication when new internal user accounts are used, in addition to the traditional external authentication.

In order of use, the internal authentication methods are the following:

GetInternalLoginSitePolicies

Returns the active server-level internal authentication policies.

SetInternalPassword

Creates an InternalLogin object for the specified user.

SetInternalLoginUserOptions

Customizes internal authentication policies for the specified user.

GetInternalLoginUserInfo

Gets availability information and internal authentication settings for the specified user.

DeleteInternalLogin

Deletes the InternalLogin object that is associated with the specified user.

In alphabetical order, the generalized authorization methods are the following:

GetApplicationActionsAuthorizations

Returns authorizations for ApplicationActions in a SoftwareComponent object.

GetAuthorizationsforObjects

Gets authorizations for a specified set of objects and permissions.

GetInfo

Retrieves identity information, depending on the value in the INFOTYPE parameter, including the origin of a specified identity's privileges, the value of active enterprise policies, and so on.

GetLoginsforAuthDomain

Retrieves the logins for the connected user for the specified authentication domain in order of identity precedence.

IsInRole

Returns the TRUE value when the user specified in CREDHANDLE is in a role.

For more information, see the documentation for the individual methods.

Previous Page | Next Page | Top of Page

Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.