Interface GlobalAccessControlPolicyCfgClient

All Superinterfaces:
ConfigurationClient

public interface GlobalAccessControlPolicyCfgClient extends ConfigurationClient
A client-side interface for reading and modifying Global Access Control Policy settings.

Provides coarse-grained access control for all operations, regardless of whether they are destined for local or proxy backends. Global access control policies are applied in addition to ACIs and privileges.

  • Method Details

    • definition

      Get the configuration definition associated with this Global Access Control Policy.
      Specified by:
      definition in interface ConfigurationClient
      Returns:
      Returns the configuration definition associated with this Global Access Control Policy.
    • getAllowedAttribute

      SortedSet<ValueOrExpression<String>> getAllowedAttribute()
      Gets the "allowed-attribute" property.

      Allows clients to read or write the specified attributes, along with their sub-types.

      Attributes that are subtypes of listed attributes are implicitly included. In addition, the list of attributes may include the wild-card '*', which represents all user attributes, or the wild-card '+', which represents all operational attributes, or the name of an object class prefixed with '@' to include all attributes defined by the object class.

      Default value is undefined

      Returns:
      Returns the values of the "allowed-attribute" property.
    • setAllowedAttribute

      void setAllowedAttribute(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "allowed-attribute" property.

      Allows clients to read or write the specified attributes, along with their sub-types.

      Attributes that are subtypes of listed attributes are implicitly included. In addition, the list of attributes may include the wild-card '*', which represents all user attributes, or the wild-card '+', which represents all operational attributes, or the name of an object class prefixed with '@' to include all attributes defined by the object class.

      Parameters:
      values - The values of the "allowed-attribute" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getAllowedAttributeException

      SortedSet<ValueOrExpression<String>> getAllowedAttributeException()
      Gets the "allowed-attribute-exception" property.

      Specifies zero or more attributes which, together with their sub-types, should not be included in the list of allowed attributes.

      This property is typically used when the list of attributes specified by the allowed-attribute property is too broad. It is especially useful when creating policies which grant access to all user attributes (*) except certain sensitive attributes, such as userPassword.

      Default value is undefined

      Returns:
      Returns the values of the "allowed-attribute-exception" property.
    • setAllowedAttributeException

      void setAllowedAttributeException(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "allowed-attribute-exception" property.

      Specifies zero or more attributes which, together with their sub-types, should not be included in the list of allowed attributes.

      This property is typically used when the list of attributes specified by the allowed-attribute property is too broad. It is especially useful when creating policies which grant access to all user attributes (*) except certain sensitive attributes, such as userPassword.

      Parameters:
      values - The values of the "allowed-attribute-exception" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
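The following is an added example, not the implementation behind this interface: a small model of how the "allowed-attribute" values ('*', '+', '@objectclass', plain names with their sub-types) and the "allowed-attribute-exception" values resolve to a concrete set of attributes. The schema tables (SUPERTYPE, USER_ATTRS, OPERATIONAL, OBJECT_CLASSES) are constructed for illustration, and attribute names are compared exactly as given.

```python
from typing import Dict, Iterable, Set

# Constructed schema fragment for the example (not a real server schema):
# SUPERTYPE maps an attribute to its parent type, OPERATIONAL lists operational
# attributes, OBJECT_CLASSES maps a class to the attributes it defines.
SUPERTYPE: Dict[str, str] = {"cn": "name", "sn": "name", "givenName": "name"}
USER_ATTRS: Set[str] = {"cn", "sn", "givenName", "name", "mail", "userPassword", "uid"}
OPERATIONAL: Set[str] = {"createTimestamp", "modifyTimestamp", "entryUUID"}
OBJECT_CLASSES: Dict[str, Set[str]] = {
    "person": {"cn", "sn", "userPassword"},
    "inetOrgPerson": {"mail", "uid"},
}


def _with_subtypes(attr: str) -> Set[str]:
    """The attribute plus every attribute whose supertype chain reaches it."""
    result = {attr}
    for candidate in USER_ATTRS | OPERATIONAL:
        current = candidate
        while current in SUPERTYPE:
            current = SUPERTYPE[current]
            if current == attr:
                result.add(candidate)
                break
    return result


def _expand_allowed(values: Iterable[str]) -> Set[str]:
    """Expand '*' (user attrs), '+' (operational attrs), '@class' and names."""
    attrs: Set[str] = set()
    for value in values:
        if value == "*":
            attrs |= USER_ATTRS
        elif value == "+":
            attrs |= OPERATIONAL
        elif value.startswith("@"):
            attrs |= OBJECT_CLASSES.get(value[1:], set())
        else:
            attrs |= _with_subtypes(value)
    return attrs


def effective_allowed(allowed: Iterable[str], exceptions: Iterable[str] = ()) -> Set[str]:
    """Allowed attributes minus each exception together with its sub-types.

    This is the "all user attributes except userPassword" pattern the property
    documentation describes: allowed=['*'], exceptions=['userPassword'].
    """
    excluded: Set[str] = set()
    for exception in exceptions:
        excluded |= _with_subtypes(exception)
    return _expand_allowed(allowed) - excluded
```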
    • getAllowedControl

      SortedSet<ValueOrExpression<String>> getAllowedControl()
      Gets the "allowed-control" property.

      Allows clients to use the specified LDAP controls.

      Default value is undefined

      Returns:
      Returns the values of the "allowed-control" property.
    • setAllowedControl

      void setAllowedControl(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "allowed-control" property.

      Allows clients to use the specified LDAP controls.

      Parameters:
      values - The values of the "allowed-control" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getAllowedExtendedOperation

      SortedSet<ValueOrExpression<String>> getAllowedExtendedOperation()
      Gets the "allowed-extended-operation" property.

      Allows clients to use the specified LDAP extended operations.

      Default value is undefined

      Returns:
      Returns the values of the "allowed-extended-operation" property.
    • setAllowedExtendedOperation

      void setAllowedExtendedOperation(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "allowed-extended-operation" property.

      Allows clients to use the specified LDAP extended operations.

      Parameters:
      values - The values of the "allowed-extended-operation" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • isAuthenticationRequired

      ValueOrExpression<Boolean> isAuthenticationRequired()
      Gets the "authentication-required" property.

      Restricts the scope of the policy so that it only applies to authenticated users.

      Default value: false

      Returns:
      Returns the value of the "authentication-required" property.
    • setAuthenticationRequired

      void setAuthenticationRequired(ValueOrExpression<Boolean> value) throws PropertyException
      Sets the "authentication-required" property.

      Restricts the scope of the policy so that it only applies to authenticated users.

      Parameters:
      value - The value of the "authentication-required" property.
      Throws:
      PropertyException - If the new value is invalid.
    • getConnectionClientAddressEqualTo

      SortedSet<ValueOrExpression<AddressMask>> getConnectionClientAddressEqualTo()
      Gets the "connection-client-address-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match at least one of the specified client host names or address masks.

      Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

      Default value is undefined

      Returns:
      Returns the values of the "connection-client-address-equal-to" property.
    • setConnectionClientAddressEqualTo

      void setConnectionClientAddressEqualTo(Collection<ValueOrExpression<AddressMask>> values) throws PropertyException
      Sets the "connection-client-address-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match at least one of the specified client host names or address masks.

      Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

      Parameters:
      values - The values of the "connection-client-address-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getConnectionClientAddressNotEqualTo

      SortedSet<ValueOrExpression<AddressMask>> getConnectionClientAddressNotEqualTo()
      Gets the "connection-client-address-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match none of the specified client host names or address masks.

      Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

      Default value is undefined

      Returns:
      Returns the values of the "connection-client-address-not-equal-to" property.
    • setConnectionClientAddressNotEqualTo

      void setConnectionClientAddressNotEqualTo(Collection<ValueOrExpression<AddressMask>> values) throws PropertyException
      Sets the "connection-client-address-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match none of the specified client host names or address masks.

      Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a sub-network with sub-network mask.

      Parameters:
      values - The values of the "connection-client-address-not-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getConnectionMinimumSsf

      ValueOrExpression<Integer> getConnectionMinimumSsf()
      Gets the "connection-minimum-ssf" property.

      Restricts the scope of the policy so that it only applies to connections having the specified minimum security strength factor.

      The security strength factor (ssf) pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have a cipher strength of at least 256 bits, specify a value of 256.

      Default value: 0

      Returns:
      Returns the value of the "connection-minimum-ssf" property.
    • setConnectionMinimumSsf

      void setConnectionMinimumSsf(ValueOrExpression<Integer> value) throws PropertyException
      Sets the "connection-minimum-ssf" property.

      Restricts the scope of the policy so that it only applies to connections having the specified minimum security strength factor.

      The security strength factor (ssf) pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have a cipher strength of at least 256 bits, specify a value of 256.

      Parameters:
      value - The value of the "connection-minimum-ssf" property.
      Throws:
      PropertyException - If the new value is invalid.
    • getConnectionPortEqualTo

      SortedSet<ValueOrExpression<Integer>> getConnectionPortEqualTo()
      Gets the "connection-port-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections to any of the specified ports, for example 1389.

      Default value is undefined

      Returns:
      Returns the values of the "connection-port-equal-to" property.
    • setConnectionPortEqualTo

      void setConnectionPortEqualTo(Collection<ValueOrExpression<Integer>> values) throws PropertyException
      Sets the "connection-port-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections to any of the specified ports, for example 1389.

      Parameters:
      values - The values of the "connection-port-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getConnectionProtocolEqualTo

      SortedSet<ValueOrExpression<String>> getConnectionProtocolEqualTo()
      Gets the "connection-protocol-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match any of the specified protocols.

      Default value is undefined

      Returns:
      Returns the values of the "connection-protocol-equal-to" property.
    • setConnectionProtocolEqualTo

      void setConnectionProtocolEqualTo(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "connection-protocol-equal-to" property.

      Restricts the scope of the policy so that it only applies to connections which match any of the specified protocols.

      Parameters:
      values - The values of the "connection-protocol-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getPermission

      Gets the "permission" property.

      Specifies the type of access allowed by this policy.

      Returns:
      Returns the values of the "permission" property.
    • setPermission

      Sets the "permission" property.

      Specifies the type of access allowed by this policy.

      Parameters:
      values - The values of the "permission" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getRequestTargetDnEqualTo

      SortedSet<ValueOrExpression<String>> getRequestTargetDnEqualTo()
      Gets the "request-target-dn-equal-to" property.

      Restricts the scope of the policy so that it only applies to requests which target entries matching at least one of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Default value is undefined

      Returns:
      Returns the values of the "request-target-dn-equal-to" property.
    • setRequestTargetDnEqualTo

      void setRequestTargetDnEqualTo(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "request-target-dn-equal-to" property.

      Restricts the scope of the policy so that it only applies to requests which target entries matching at least one of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Parameters:
      values - The values of the "request-target-dn-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • isRequestTargetDnEqualToUserDn

      ValueOrExpression<Boolean> isRequestTargetDnEqualToUserDn()
      Gets the "request-target-dn-equal-to-user-dn" property.

      Restricts the scope of the policy so that it only applies to requests sent by authenticated users where the request's target DN is the same as the DN of the authorized user.

      Default value: false

      Returns:
      Returns the value of the "request-target-dn-equal-to-user-dn" property.
    • setRequestTargetDnEqualToUserDn

      void setRequestTargetDnEqualToUserDn(ValueOrExpression<Boolean> value) throws PropertyException
      Sets the "request-target-dn-equal-to-user-dn" property.

      Restricts the scope of the policy so that it only applies to requests sent by authenticated users where the request's target DN is the same as the DN of the authorized user.

      Parameters:
      value - The value of the "request-target-dn-equal-to-user-dn" property.
      Throws:
      PropertyException - If the new value is invalid.
    • getRequestTargetDnNotEqualTo

      SortedSet<ValueOrExpression<String>> getRequestTargetDnNotEqualTo()
      Gets the "request-target-dn-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to requests which target entries matching none of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Default value is undefined

      Returns:
      Returns the values of the "request-target-dn-not-equal-to" property.
    • setRequestTargetDnNotEqualTo

      void setRequestTargetDnNotEqualTo(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "request-target-dn-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to requests which target entries matching none of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Parameters:
      values - The values of the "request-target-dn-not-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getUserDnEqualTo

      SortedSet<ValueOrExpression<String>> getUserDnEqualTo()
      Gets the "user-dn-equal-to" property.

      Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches at least one of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Default value is undefined

      Returns:
      Returns the values of the "user-dn-equal-to" property.
    • setUserDnEqualTo

      void setUserDnEqualTo(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "user-dn-equal-to" property.

      Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches at least one of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Parameters:
      values - The values of the "user-dn-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
    • getUserDnNotEqualTo

      SortedSet<ValueOrExpression<String>> getUserDnNotEqualTo()
      Gets the "user-dn-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches none of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Default value is undefined

      Returns:
      Returns the values of the "user-dn-not-equal-to" property.
    • setUserDnNotEqualTo

      void setUserDnNotEqualTo(Collection<ValueOrExpression<String>> values) throws PropertyException
      Sets the "user-dn-not-equal-to" property.

      Restricts the scope of the policy so that it only applies to authenticated users whose authorization DN matches none of the specified DN patterns.

      Valid DN filters are strings composed of zero or more wildcards and RDN components. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

      Parameters:
      values - The values of the "user-dn-not-equal-to" property.
      Throws:
      PropertyException - If one or more of the new values are invalid.
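The following is an added example, not the implementation behind this interface: a model of the DN filter semantics shared by the "request-target-dn-equal-to", "request-target-dn-not-equal-to", "user-dn-equal-to" and "user-dn-not-equal-to" properties ('**' for one or more RDN components, '*' for a whole RDN, a whole type, or a value substring), plus the scope check that an equal-to list needs at least one match and a not-equal-to list needs none. It assumes DNs contain no escaped commas and that an empty (undefined) list imposes no restriction.

```python
import re
from typing import List, Sequence


def _split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN components (assumes no escaped commas)."""
    return [part.strip() for part in dn.split(",") if part.strip()]


def _rdn_matches(pattern: str, rdn: str) -> bool:
    """Match one RDN against one pattern component.

    '*' alone matches any whole RDN; in 'type=value' the type may be '*'
    (as in '*=admin') and the value may contain '*' as a substring wildcard
    (as in 'uid=bj*'). Types compare case-insensitively, as LDAP names do.
    """
    if pattern == "*":
        return True
    if "=" not in pattern or "=" not in rdn:
        return False
    p_type, p_value = (s.strip() for s in pattern.split("=", 1))
    r_type, r_value = (s.strip() for s in rdn.split("=", 1))
    if p_type != "*" and p_type.lower() != r_type.lower():
        return False
    value_re = ".*".join(re.escape(piece) for piece in p_value.split("*"))
    return re.fullmatch(value_re, r_value, flags=re.IGNORECASE) is not None


def _match(pats: Sequence[str], rdns: Sequence[str]) -> bool:
    if not pats:
        return not rdns
    head, rest = pats[0], pats[1:]
    if head == "**":
        # Consume one or more RDN components, then match the remaining pattern.
        return any(_match(rest, rdns[k:]) for k in range(1, len(rdns) + 1))
    return bool(rdns) and _rdn_matches(head, rdns[0]) and _match(rest, rdns[1:])


def dn_matches(pattern: str, dn: str) -> bool:
    """True if the DN matches the DN filter pattern."""
    return _match(_split_rdns(pattern), _split_rdns(dn))


def policy_in_scope(dn: str, equal_to: Sequence[str] = (), not_equal_to: Sequence[str] = ()) -> bool:
    """Scope check: equal_to needs at least one match, not_equal_to needs none.

    Assumption: an undefined (empty) property imposes no restriction.
    """
    if equal_to and not any(dn_matches(p, dn) for p in equal_to):
        return False
    return not any(dn_matches(p, dn) for p in not_equal_to)
```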