Authorization

This section describes the API authorization configuration.

The API authorization cannot fully emulate the authorization performed by the Policy Server (pdmgrd). The group and user delegation cannot be emulated and the API assumes the functionality is not being used.

We can configure the Registry Direct Java™ API to not support delegated user and group administration. By default, the API does not support ACLs placed on child objects of /Management/Groups. Unlike the Security Verify Access Java API, the Registry Direct Java API does not create and delete protected objects under /Management/Groups. But the registry API affects authorization operations.

No ACLs are placed on child objects of /Management/Groups.

• Authorization permission checks
  The table in this section describes administrative operations and corresponding authorization permissions.
• Residual effects of delegated administration on admin results
  If operations are permitted, additional permissions can be verified by the API to determine if a different subset of result must be returned. The permission check in this case does not permit or deny the whole operation. It affects only the result set returned, instead.

Parent topic: Registry Direct Java API