org.keycloak.services.resources.admin.permissions.UserPermissions の継承関係図

org.keycloak.services.resources.admin.permissions.UserPermissions 連携図

クラス
interface	EvaluateGroup

公開メンバ関数
	UserPermissions (KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissions root)

Map< String, String >	getPermissions ()

boolean	isPermissionsEnabled ()

void	setPermissionsEnabled (boolean enable)

boolean	canManageDefault ()

Resource	resource ()

Policy	managePermission ()

Policy	viewPermission ()

Policy	manageGroupMembershipPermission ()

Policy	mapRolesPermission ()

Policy	adminImpersonatingPermission ()

Policy	userImpersonatedPermission ()

boolean	canManage ()

void	requireManage ()

boolean	canManage (UserModel user)

void	requireManage (UserModel user)

boolean	canViewDefault ()

boolean	canQuery ()

void	requireQuery ()

boolean	canQuery (UserModel user)

void	requireQuery (UserModel user)

boolean	canView ()

boolean	canView (UserModel user)

void	requireView (UserModel user)

void	requireView ()

boolean	canClientImpersonate (ClientModel client, UserModel user)

boolean	canImpersonate (UserModel user)

boolean	isImpersonatable (UserModel user)

boolean	canImpersonate ()

void	requireImpersonate (UserModel user)

Map< String, Boolean >	getAccess (UserModel user)

boolean	canMapRoles (UserModel user)

void	requireMapRoles (UserModel user)

boolean	canManageGroupMembership (UserModel user)

void	requireManageGroupMembership (UserModel user)

静的公開変数類
static final String	MAP_ROLES_SCOPE ="map-roles"

static final String	IMPERSONATE_SCOPE ="impersonate"

static final String	USER_IMPERSONATED_SCOPE ="user-impersonated"

static final String	MANAGE_GROUP_MEMBERSHIP_SCOPE ="manage-group-membership"

static final String	MAP_ROLES_PERMISSION_USERS = "map-roles.permission.users"

static final String	ADMIN_IMPERSONATING_PERMISSION = "admin-impersonating.permission.users"

static final String	USER_IMPERSONATED_PERMISSION = "user-impersonated.permission.users"

static final String	MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS = "manage-group-membership.permission.users"

static final String	MANAGE_PERMISSION_USERS = "manage.permission.users"

static final String	VIEW_PERMISSION_USERS = "view.permission.users"

static final String	USERS_RESOURCE = "Users"

限定公開メンバ関数
boolean	canImpersonate (EvaluationContext context)

限定公開変数類
final KeycloakSession	session

final RealmModel	realm

final AuthorizationProvider	authz

final MgmtPermissions	root

非公開メンバ関数
void	initialize ()

void	deletePermissionSetup ()

boolean	evaluateGroups (UserModel user, EvaluateGroup eval)

boolean	evaluateHierarchy (UserModel user, EvaluateGroup eval)

boolean	evaluateHierarchy (EvaluateGroup eval, GroupModel group, Set< GroupModel > visited)

boolean	canManageByGroup (UserModel user)

boolean	canViewByGroup (UserModel user)

boolean	hasViewPermission ()

静的非公開変数類
static final Logger	logger = Logger.getLogger(UserPermissions.class)

詳解

Manages default policies for all users.

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ UserPermissions()

org.keycloak.services.resources.admin.permissions.UserPermissions.UserPermissions	(	KeycloakSession	session,
		RealmModel	realm,
		AuthorizationProvider	authz,
		MgmtPermissions	root
	)

inline

                                                                                                                          {
         this.session = session;
         this.realm = realm;
         this.authz = authz;
         this.root = root;
     }

関数詳解

◆ adminImpersonatingPermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.adminImpersonatingPermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                  {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(ADMIN_IMPERSONATING_PERMISSION, server.getId());
     }

◆ canClientImpersonate()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canClientImpersonate	(	ClientModel	client,
		UserModel	user
	)

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                                             {
         ClientModelIdentity identity = new ClientModelIdentity(session, client);
         EvaluationContext context = new DefaultEvaluationContext(identity, session) {
             @Override
             public Map<String, Collection<String>> getBaseAttributes() {
                 Map<String, Collection<String>> attributes = super.getBaseAttributes();
                 attributes.put("kc.client.id", Arrays.asList(client.getClientId()));
                 return attributes;
             }
 
         };
         return canImpersonate(context) && isImpersonatable(user);
 
     }

◆ canImpersonate() [1/3]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canImpersonate ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                   {
         if (!canImpersonate()) {
             return false;
         }
 
         return isImpersonatable(user);
     }

◆ canImpersonate() [2/3]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canImpersonate ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                     {
         if (root.hasOneAdminRole(ImpersonationConstants.IMPERSONATION_ROLE)) return true;
 
         Identity identity = root.identity;
 
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         EvaluationContext context = new DefaultEvaluationContext(identity, session);
         return canImpersonate(context);
     }

◆ canImpersonate() [3/3]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canImpersonate ( EvaluationContext context )

inlineprotected

                                                                 {
 
         ResourceServer server = root.realmResourceServer();
         if (server == null) return false;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(ADMIN_IMPERSONATING_PERMISSION, server.getId());
         if (policy == null) {
             return false;
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return false;
         }
 
         Scope scope = root.realmScope(IMPERSONATE_SCOPE);
         return root.evaluatePermission(resource, scope, server, context);
     }

◆ canManage() [1/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canManage ( )

inline

Is admin allowed to manage all users? In Authz terms, does the admin have the "manage" scope for the Users Authz resource?

This method will follow the old default behavior (does the admin have the manage-users role) if any of these conditions are met.:

The admin is from the master realm managing a different realm
If the Authz objects are not set up correctly for the Users resource in Authz
The "manage" permission for the Users resource has an empty associatedPolicy list.

Otherwise, it will use the Authz policy engine to resolve this answer.

戻り値

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                {
         if (canManageDefault()) return true;
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         ResourceServer server = root.realmResourceServer();
         if (server == null) return false;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
         if (policy == null) {
             return false;
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return false;
         }
 
         Scope scope = root.realmManageScope();
         return root.evaluatePermission(resource, scope, server);
 
     }

◆ canManage() [2/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canManage ( UserModel user )

inline

Does current admin have manage permissions for this particular user?

引数

user

戻り値

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                              {
         return canManage() || canManageByGroup(user);
     }

◆ canManageByGroup()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canManageByGroup ( UserModel user )

inlineprivate

                                                      {
         /* no inheritance
         return evaluateGroups(user,
                 (group) -> root.groups().canViewMembers(group)
         );
         */
 
         /* inheritance
         */
         return evaluateHierarchy(user, (group) -> root.groups().canManageMembers(group));
 
     }

◆ canManageDefault()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canManageDefault ( )

inline

                                       {
         return root.hasOneAdminRole(AdminRoles.MANAGE_USERS);
     }

◆ canManageGroupMembership()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canManageGroupMembership ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                             {
         if (canManage(user)) return true;
 
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         ResourceServer server = root.realmResourceServer();
         if (server == null) return false;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, server.getId());
         if (policy == null) {
             return false;
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return false;
         }
 
         Scope scope = root.realmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);
         return root.evaluatePermission(resource, scope, server);
 
     }

◆ canMapRoles()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canMapRoles ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                {
         if (canManage(user)) return true;
 
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         ResourceServer server = root.realmResourceServer();
         if (server == null) return false;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MAP_ROLES_PERMISSION_USERS, server.getId());
         if (policy == null) {
             return false;
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return false;
         }
 
         Scope scope = root.realmScope(MAP_ROLES_SCOPE);
         return root.evaluatePermission(resource, scope, server);
 
     }

◆ canQuery() [1/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canQuery ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                               {
         return canView() || root.hasOneAdminRole(AdminRoles.QUERY_USERS);
     }

◆ canQuery() [2/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canQuery ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                             {
         return canView(user);
     }

◆ canView() [1/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canView ( )

inline

Is admin allowed to view all users? In Authz terms, does the admin have the "view" scope for the Users Authz resource?

This method will follow the old default behavior (does the admin have the view-users role) if any of these conditions are met.:

The admin is from the master realm managing a different realm
If the Authz objects are not set up correctly for the Users resource in Authz
The "view" permission for the Users resource has an empty associatedPolicy list.

Otherwise, it will use the Authz policy engine to resolve this answer.

戻り値

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                              {
         if (canViewDefault()) return true;
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         return hasViewPermission() || canManage();
     }

◆ canView() [2/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canView ( UserModel user )

inline

Does current admin have view permissions for this particular user?

Evaluates in this order. If any true, return true:

canViewUsers
canManageUsers

引数

user

戻り値

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                            {
         return canView() || canViewByGroup(user);
     }

◆ canViewByGroup()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canViewByGroup ( UserModel user )

inlineprivate

                                                    {
         /* no inheritance
         return evaluateGroups(user,
                 (group) -> root.groups().canViewMembers(group)
         );
         */
 
         /* inheritance
         */
         return evaluateHierarchy(user, (group) -> root.groups().canViewMembers(group));
     }

◆ canViewDefault()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.canViewDefault ( )

inline

                                     {
         return root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS);
     }

◆ deletePermissionSetup()

void org.keycloak.services.resources.admin.permissions.UserPermissions.deletePermissionSetup ( )

inlineprivate

                                          {
         ResourceServer server = root.realmResourceServer();
         if (server == null) return;
         Policy policy = managePermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = viewPermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = mapRolesPermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = manageGroupMembershipPermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = adminImpersonatingPermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = userImpersonatedPermission();
         if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (usersResource != null) {
             authz.getStoreFactory().getResourceStore().delete(usersResource.getId());
         }
     }

◆ evaluateGroups()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.evaluateGroups	(	UserModel	user,
		EvaluateGroup	eval
	)

inlineprivate

                                                                        {
         for (GroupModel group : user.getGroups()) {
             if (eval.evaluate(group)) return true;
         }
         return false;
     }

◆ evaluateHierarchy() [1/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.evaluateHierarchy	(	UserModel	user,
		EvaluateGroup	eval
	)

inlineprivate

                                                                           {
         Set<GroupModel> visited = new HashSet<>();
         for (GroupModel group : user.getGroups()) {
             if (evaluateHierarchy(eval, group, visited)) return true;
         }
         return false;
     }

◆ evaluateHierarchy() [2/2]

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.evaluateHierarchy	(	EvaluateGroup	eval,
		GroupModel	group,
		Set< GroupModel >	visited
	)

inlineprivate

                                                                                                      {
         if (visited.contains(group)) return false;
         if (eval.evaluate(group)) {
             return true;
         }
         visited.add(group);
         if (group.getParent() == null) return false;
         return evaluateHierarchy(eval, group.getParent(), visited);
     }

◆ getAccess()

Map<String, Boolean> org.keycloak.services.resources.admin.permissions.UserPermissions.getAccess ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                           {
         Map<String, Boolean> map = new HashMap<>();
         map.put("view", canView(user));
         map.put("manage", canManage(user));
         map.put("mapRoles", canMapRoles(user));
         map.put("manageGroupMembership", canManageGroupMembership(user));
         map.put("impersonate", canImpersonate(user));
         return map;
     }

◆ getPermissions()

Map<String, String> org.keycloak.services.resources.admin.permissions.UserPermissions.getPermissions ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                 {
         initialize();
         Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
         scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
         scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
         scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
         scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
         scopes.put(USER_IMPERSONATED_SCOPE, userImpersonatedPermission().getId());
         return scopes;
     }

◆ hasViewPermission()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.hasViewPermission ( )

inlineprivate

                                         {
         ResourceServer server = root.realmResourceServer();
         if (server == null) return canViewDefault();
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return canViewDefault();
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(VIEW_PERMISSION_USERS, server.getId());
         if (policy == null) {
             return canViewDefault();
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return canViewDefault();
         }
 
         Scope scope = root.realmViewScope();
         return root.evaluatePermission(resource, scope, server);
     }

◆ initialize()

void org.keycloak.services.resources.admin.permissions.UserPermissions.initialize ( )

inlineprivate

                               {
         root.initializeRealmResourceServer();
         root.initializeRealmDefaultScopes();
         ResourceServer server = root.realmResourceServer();
         Scope manageScope = root.realmManageScope();
         Scope viewScope = root.realmViewScope();
         Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
         Scope impersonateScope = root.initializeRealmScope(IMPERSONATE_SCOPE);
         Scope userImpersonatedScope = root.initializeRealmScope(USER_IMPERSONATED_SCOPE);
         Scope manageGroupMembershipScope = root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);
 
         Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (usersResource == null) {
             usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getId());
             Set<Scope> scopeset = new HashSet<>();
             scopeset.add(manageScope);
             scopeset.add(viewScope);
             scopeset.add(mapRolesScope);
             scopeset.add(impersonateScope);
             scopeset.add(manageGroupMembershipScope);
             scopeset.add(userImpersonatedScope);
             usersResource.updateScopes(scopeset);
         }
         Policy managePermission = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
         if (managePermission == null) {
             Helper.addEmptyScopePermission(authz, server, MANAGE_PERMISSION_USERS, usersResource, manageScope);
         }
         Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(VIEW_PERMISSION_USERS, server.getId());
         if (viewPermission == null) {
             Helper.addEmptyScopePermission(authz, server, VIEW_PERMISSION_USERS, usersResource, viewScope);
         }
         Policy mapRolesPermission = authz.getStoreFactory().getPolicyStore().findByName(MAP_ROLES_PERMISSION_USERS, server.getId());
         if (mapRolesPermission == null) {
             Helper.addEmptyScopePermission(authz, server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope);
         }
         Policy membershipPermission = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, server.getId());
         if (membershipPermission == null) {
             Helper.addEmptyScopePermission(authz, server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope);
         }
         Policy impersonatePermission = authz.getStoreFactory().getPolicyStore().findByName(ADMIN_IMPERSONATING_PERMISSION, server.getId());
         if (impersonatePermission == null) {
             Helper.addEmptyScopePermission(authz, server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope);
         }
         impersonatePermission = authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId());
         if (impersonatePermission == null) {
             Helper.addEmptyScopePermission(authz, server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope);
         }
     }

◆ isImpersonatable()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.isImpersonatable ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                     {
         Identity userIdentity = new UserModelIdentity(root.realm, user);
 
         ResourceServer server = root.realmResourceServer();
         if (server == null) return true;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return true;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId());
         if (policy == null) {
             return true;
         }
 
         Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
         // if no policies attached to permission then just do default behavior
         if (associatedPolicies == null || associatedPolicies.isEmpty()) {
             return true;
         }
 
         Scope scope = root.realmScope(USER_IMPERSONATED_SCOPE);
         return root.evaluatePermission(resource, scope, server, userIdentity);
     }

◆ isPermissionsEnabled()

boolean org.keycloak.services.resources.admin.permissions.UserPermissions.isPermissionsEnabled ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                           {
         ResourceServer server = root.realmResourceServer();
         if (server == null) return false;
 
         Resource resource =  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
         if (resource == null) return false;
 
         Policy policy = managePermission();
 
         return policy != null;
     }

◆ manageGroupMembershipPermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.manageGroupMembershipPermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                     {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, server.getId());
     }

◆ managePermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.managePermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                      {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
     }

◆ mapRolesPermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.mapRolesPermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                        {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(MAP_ROLES_PERMISSION_USERS, server.getId());
     }

◆ requireImpersonate()

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireImpersonate ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                    {
         if (!canImpersonate(user)) {
             throw new ForbiddenException();
         }
     }

◆ requireManage() [1/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireManage ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                 {
         if (!canManage()) {
             throw new ForbiddenException();
         }
     }

◆ requireManage() [2/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireManage ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                               {
         if (!canManage(user)) {
             throw new ForbiddenException();
         }
     }

◆ requireManageGroupMembership()

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireManageGroupMembership ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                              {
         if (!canManageGroupMembership(user)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireMapRoles()

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireMapRoles ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                                 {
         if (!canMapRoles(user)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireQuery() [1/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireQuery ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                {
         if (!canQuery()) {
             throw new ForbiddenException();
         }
     }

◆ requireQuery() [2/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireQuery ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                              {
         if (!canQuery(user)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireView() [1/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireView ( UserModel user )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                                             {
         if (!canView(user)) {
             throw new ForbiddenException();
         }
     }

◆ requireView() [2/2]

void org.keycloak.services.resources.admin.permissions.UserPermissions.requireView ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionEvaluatorを実装しています。

                               {
         if (!(canView())) {
             throw new ForbiddenException();
         }
     }

◆ resource()

Resource org.keycloak.services.resources.admin.permissions.UserPermissions.resource ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                {
         ResourceServer server = root.realmResourceServer();
         if (server == null) return null;
 
         return  authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
     }

◆ setPermissionsEnabled()

void org.keycloak.services.resources.admin.permissions.UserPermissions.setPermissionsEnabled ( boolean enable )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                       {
         if (enable) {
             initialize();
         } else {
             deletePermissionSetup();
         }
     }

◆ userImpersonatedPermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.userImpersonatedPermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                                {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId());
     }

◆ viewPermission()

Policy org.keycloak.services.resources.admin.permissions.UserPermissions.viewPermission ( )

inline

org.keycloak.services.resources.admin.permissions.UserPermissionManagementを実装しています。

                                    {
         ResourceServer server = root.realmResourceServer();
         return authz.getStoreFactory().getPolicyStore().findByName(VIEW_PERMISSION_USERS, server.getId());
     }

static

◆ VIEW_PERMISSION_USERS

final String org.keycloak.services.resources.admin.permissions.UserPermissions.VIEW_PERMISSION_USERS = "view.permission.users"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java

クラス

公開メンバ関数

静的公開変数類

限定公開メンバ関数

限定公開変数類

非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ UserPermissions()

関数詳解

◆ adminImpersonatingPermission()

◆ canClientImpersonate()

◆ canImpersonate() [1/3]

◆ canImpersonate() [2/3]

◆ canImpersonate() [3/3]

◆ canManage() [1/2]

◆ canManage() [2/2]

◆ canManageByGroup()

◆ canManageDefault()

◆ canManageGroupMembership()

◆ canMapRoles()

◆ canQuery() [1/2]

◆ canQuery() [2/2]

◆ canView() [1/2]

◆ canView() [2/2]

◆ canViewByGroup()

◆ canViewDefault()

◆ deletePermissionSetup()

◆ evaluateGroups()

◆ evaluateHierarchy() [1/2]

◆ evaluateHierarchy() [2/2]

◆ getAccess()

◆ getPermissions()

◆ hasViewPermission()

◆ initialize()

◆ isImpersonatable()

◆ isPermissionsEnabled()

◆ manageGroupMembershipPermission()

◆ managePermission()

◆ mapRolesPermission()

◆ requireImpersonate()

◆ requireManage() [1/2]

◆ requireManage() [2/2]

◆ requireManageGroupMembership()

◆ requireMapRoles()

◆ requireQuery() [1/2]

◆ requireQuery() [2/2]

◆ requireView() [1/2]

◆ requireView() [2/2]

◆ resource()

◆ setPermissionsEnabled()

◆ userImpersonatedPermission()

◆ viewPermission()

メンバ詳解

◆ ADMIN_IMPERSONATING_PERMISSION

◆ authz

◆ IMPERSONATE_SCOPE

◆ logger

◆ MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS

◆ MANAGE_GROUP_MEMBERSHIP_SCOPE

◆ MANAGE_PERMISSION_USERS

◆ MAP_ROLES_PERMISSION_USERS

◆ MAP_ROLES_SCOPE

◆ realm

◆ root

◆ session

◆ USER_IMPERSONATED_PERMISSION

◆ USER_IMPERSONATED_SCOPE

◆ USERS_RESOURCE

◆ VIEW_PERMISSION_USERS