Former Member

UME authorization on object level


I understand the concept of roles / actions / permissions in the UME, but this only means you have a permission or you don't have a permission.

What if (and that's the common case in my mind) I need object level permissions, like I have a hierarchy of application objects and the user only should have access to a branch of the object tree?

Is the application developer supposed to implement this solely himself or does UME support such scenarios when it comes to "how do I setup those permissions?" and "where are those permissions stored?" or in other words: Do I have to create a configuration UI in the application and store the permission data in our own database tables with saving the user id?




3 Answers

  • Best Answer
    Former Member
    Posted on Nov 17, 2004 at 12:53 PM


    Take a look at* -- it contains necessary APIs backed with corresponding implementation for managing ACLs and verifying instance-based permissions.

    Sure, this is only basic ACL stuff; the following tasks should be carried out by the developer:

    1. Invoking permission checks in business methods.

    2. Applying security to search-like operations (finders, relation traversal) on business objects (i.e. the search result does not contain objects for which the user does not have at least "read" permission).

    3. UI for maintaining own permissions hierarchy & manipulating ACL entries.

    All this stuff (and much more) is already implemented within the CAF framework; search the corresponding SDN section(s).



    P.S. I'm not sure exactly, but it seems that the "roles/actions/permissions" model and the ACL model are completely disconnected. For example, permissions from the first model have nothing to do with permissions defined in the ACL manager. The only thing they have in common is that both work against the same UME principals. It seems that both were designed by separate architects who have no way to contact each other << END_OF_RANT

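Tasks 1 and 2 from the answer above (permission checks in business methods, and filtering finder results), sketched for the branch-of-a-tree case the question asks about. This is an added example, not code from the thread or from SAP: `Node`, `Right`, `grant`, `isAllowed`, `rename` and `find` are hypothetical names, it uses plain Java 16+ collections rather than the UME ACL API, and the sample tree is constructed.

```java
import java.util.*;
import java.util.stream.Collectors;
/** Added illustration with hypothetical classes; this is not the UME or CAF API. */
public class BranchAclDemo {
    record Node(String id, Node parent) {}   // business object; parent == null marks the root
    enum Right { READ, WRITE }

    // ACL entries: node id -> principal id -> rights granted on that node and its subtree.
    static final Map<String, Map<String, Set<Right>>> ACL = new HashMap<>();

    static void grant(Node n, String principal, Right... rights) {
        ACL.computeIfAbsent(n.id(), k -> new HashMap<>())
           .computeIfAbsent(principal, k -> EnumSet.noneOf(Right.class))
           .addAll(Arrays.asList(rights));
    }

    // Walk up towards the root: a grant on any ancestor covers the whole branch below it.
    static boolean isAllowed(String principal, Node n, Right right) {
        for (Node cur = n; cur != null; cur = cur.parent()) {
            Set<Right> granted = ACL.getOrDefault(cur.id(), Map.of()).get(principal);
            if (granted != null && granted.contains(right)) return true;
        }
        return false; // default deny when no entry is found on the path to the root
    }

    // Task 1: the business method checks the permission before touching the object.
    static void rename(String principal, Node n, String newName) {
        if (!isAllowed(principal, n, Right.WRITE))
            throw new SecurityException(principal + " may not modify " + n.id());
        System.out.println(n.id() + " renamed to " + newName);
    }

    // Task 2: a finder returns only the objects the caller may at least read.
    static List<Node> find(String principal, Collection<Node> candidates) {
        return candidates.stream()
                .filter(n -> isAllowed(principal, n, Right.READ))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Node root = new Node("root", null);   // constructed sample tree
        Node sales = new Node("sales", root), hr = new Node("hr", root);
        Node order = new Node("sales/order-1", sales), file = new Node("hr/file-7", hr);
        grant(sales, "alice", Right.READ, Right.WRITE);  // alice gets the sales branch only
        System.out.println(find("alice", List.of(root, sales, hr, order, file)));
        rename("alice", order, "order-1a");
        try { rename("alice", file, "x"); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The grant sits on one node and is resolved by walking up the tree, so moving a user to another branch means changing one ACL entry rather than one per object.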

  •
    Former Member
    Posted on Nov 18, 2004 at 02:54 PM

    Hi Bruno

    To give object level permissions,

    0. Include the security API in your Java build path.

    1. You need to create a permission class which extends NamePermission for each object. Ex: Button B1. Have a permission class for Button B1 in any of the packages.

    2. Create the UI elements and set the visibility property to a context attribute so that you can set the property at run time.

    3. Get the user information in your view as follows:

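    IWDClientUser user = null;
    try {
        // look up the user of the current Web Dynpro session
        user = WDClientUser.getCurrentUser();
    } catch (WDUMException e) {
        // handle the failed user lookup here
    }
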

    4. Now check whether the user has a permission as follows:

    if (user.hasPermission(new ButtonB1("But1View"))) {
        // set the visibility context attribute from step 2 here
    }


    5. Now create an XML file with the permission as follows:

    <!-- $Id: //shared_tc/ $ -->
    <DESCRIPTION LOCALE="en" VALUE="Access Management Engine"/>
    <!-- Business Service Actions -->
    <ACTION NAME="But1_Admin">
        <DESCRIPTION LOCALE="en" VALUE="Button 1 Permission" />
        <PERMISSION CLASS="temp.authorization.perm.ButtonB1"
                    NAME="But1View" VALUE="*" />
    </ACTION>

    6. Deploy the XML File in the Visual administrator in services/Configuration Adapter/cluser-data/server/persistent/

    7. Restart the J2EE engine

    8. Log on to the UME engine and try creating a role. There you can see the action you created in the XML file.

    Assign the action to the role and assign the role to the user.

    9. Now only those users to whom the role you created is assigned will be able to see the button.




  •
    Former Member
    Posted on Dec 11, 2004 at 01:58 PM

    Hi Bruno,

    I was just looking for the same topic - did you by now find out whether UME provides such a feature or not?



