Interface AccessPolicy<T>

Type Parameters:
T - type of the items the policy applies to
All Known Subinterfaces:
NamedAccessPolicy<T>

public interface AccessPolicy<T>
Access policy that controls access to individual instances based on identity. Determines whether a given identity (usually representing a user) can access a given instance at various levels.
  • Method Details

    • canCreateInstance

      boolean canCreateInstance(IdentityProvider identityProvider)
      Determines if the given identity is allowed to create new instances of the item this policy is attached to, e.g. creating new process instances
      Parameters:
      identityProvider - provider that delivers identity information such as name, roles
      Returns:
      true if given identity is allowed to create a new instance
    • canReadInstance

      boolean canReadInstance(IdentityProvider identityProvider, T instance)
      Determines if given identity is allowed to read (view) given instance
      Parameters:
      identityProvider - provider that delivers identity information such as name, roles
      instance - actual instance to apply access policy to
      Returns:
      true if given identity is allowed to read instance
    • canUpdateInstance

      boolean canUpdateInstance(IdentityProvider identityProvider, T instance)
      Determines if given identity is allowed to update given instance
      Parameters:
      identityProvider - provider that delivers identity information such as name, roles
      instance - actual instance to apply access policy to
      Returns:
      true if given identity is allowed to update given instance
    • canDeleteInstance

      boolean canDeleteInstance(IdentityProvider identityProvider, T instance)
      Determines if given identity is allowed to delete given instance
      Parameters:
      identityProvider - provider that delivers identity information such as name, roles
      instance - actual instance to apply access policy to
      Returns:
      true if given identity is allowed to delete given instance
    • canSignalInstance

      boolean canSignalInstance(IdentityProvider identityProvider, T instance)
      Determines if given identity is allowed to signal given instance
      Parameters:
      identityProvider - provider that delivers identity information such as name, roles
      instance - actual instance to apply access policy to
      Returns:
      true if given identity is allowed to signal given instance
    • visibleTo

      Set<String> visibleTo(ProcessInstance<?> instance)
      Returns the currently available users and groups that have read access to the given instance. If there are no restrictions, this method returns null.
      Parameters:
      instance - actual instance to apply access policy to
      Returns:
      set of users and groups that can access the given instance
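
Added example (not part of the library or its documentation): a deny-by-default owner-or-admin policy implementing the six methods above. The three interfaces at the top are stand-ins so the file compiles on its own; the accessor names getName(), getRoles() and owner(), and the "admin" role, are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Set;

// Stand-in types so the example compiles alone. The real IdentityProvider, ProcessInstance
// and AccessPolicy come from the library; getName, getRoles and owner are assumed names.
interface IdentityProvider { String getName(); Set<String> getRoles(); }
interface ProcessInstance<M> { String owner(); }
interface AccessPolicy<T> {
    boolean canCreateInstance(IdentityProvider identityProvider);
    boolean canReadInstance(IdentityProvider identityProvider, T instance);
    boolean canUpdateInstance(IdentityProvider identityProvider, T instance);
    boolean canDeleteInstance(IdentityProvider identityProvider, T instance);
    boolean canSignalInstance(IdentityProvider identityProvider, T instance);
    Set<String> visibleTo(ProcessInstance<?> instance);
}

/** Owner-or-admin policy: every check fails closed on a missing identity or instance. */
class OwnerOrAdminPolicy implements AccessPolicy<ProcessInstance<?>> {
    private static final String ADMIN_ROLE = "admin"; // constructed role name

    private static boolean known(IdentityProvider id) {
        return id != null && id.getName() != null && !id.getName().isBlank();
    }
    private static boolean isAdmin(IdentityProvider id) {
        return known(id) && id.getRoles() != null && id.getRoles().contains(ADMIN_ROLE);
    }
    private static boolean ownerOrAdmin(IdentityProvider id, ProcessInstance<?> pi) {
        if (pi == null) return false;
        return isAdmin(id) || (known(id) && id.getName().equals(pi.owner()));
    }

    public boolean canCreateInstance(IdentityProvider id) { return known(id); }
    public boolean canReadInstance(IdentityProvider id, ProcessInstance<?> pi) { return ownerOrAdmin(id, pi); }
    public boolean canUpdateInstance(IdentityProvider id, ProcessInstance<?> pi) { return ownerOrAdmin(id, pi); }
    public boolean canDeleteInstance(IdentityProvider id, ProcessInstance<?> pi) { return pi != null && isAdmin(id); }
    public boolean canSignalInstance(IdentityProvider id, ProcessInstance<?> pi) { return ownerOrAdmin(id, pi); }

    // null from visibleTo means "no restrictions", so a restrictive policy must never
    // return it by accident; this one always returns a concrete set matching canReadInstance.
    public Set<String> visibleTo(ProcessInstance<?> pi) {
        Set<String> readers = new HashSet<>();
        readers.add(ADMIN_ROLE);
        if (pi != null && pi.owner() != null) readers.add(pi.owner());
        return readers;
    }
}
```

Callers of visibleTo should branch explicitly on null before filtering, since treating null like an empty set (or the reverse) flips the meaning between "everyone" and "no one".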