
[[req_perms]]
APPENDIX - permission requirements
----------------------------------

This appendix lists all permissions and other rules that are required to invoke UVOS functions.
The "Required permissions" column lists the names of the permissions needed, in the
scope of the group involved, to invoke the given function. If no group is involved,
or if further restrictions apply, an explanation is given in the
"Other authorization rules" column. The label [Self Access] means that the function
operates on an identity and, if that identity is the caller's own identity,
the selfAccess authorization policy designator applies.

[width="100%",cols="<m,<,<,<",frame="topbot",options="header"]
|===========================================================
|Function            |Short description     |Required permissions       |Other authorization rules
4+^e|Query functions
|isMember(Identity who, Group group, boolean effective) | Checks if the given identity is a member of the given group.| read | [Self Access] 
|getAllGroups(Identity who, boolean implied)|Gets all groups the given identity is a member of.|read|[Self Access] Global permission is needed.
|areEquivalent(Identity i1,Identity i2)|Checks if two identities represent the same entity.|identityCtl|[Self Access] Global permission is needed.
|getAttributes(Element owner, String attribute, boolean effective,boolean includeScoped, boolean includeImplied)|Retrieves attributes for the given element (i.e. an identity, a group, or an identity in a group scope).|read|[Self Access] Without global read permission, attributes valid in groups where the caller has no read permission are filtered out.
|getAllEquivalents(Identity who)|Retrieves all identities equivalent to the one given as a parameter.|identityCtl|[Self Access] Global permission is needed.
|getGroupContent(Group group)|Retrieves the group contents.|read|Everybody can get the root's ('/') contents.
|getAllIdentities()|Retrieves all identities stored in the database.|read|Global permission is needed.
4+^d|_Query history functions_

These offer the same features as the normal query functions but for a point in the past (the time
is given as an additional argument). The fullRead permission in the global scope is always required;
getAllEquivalents and areEquivalent additionally require identityCtl.
4+^e|Management functions
|addGroup(Group parent, String name)|Adds a new group.|write |
|removeGroup(Group toRemove, boolean recursive)|Removes the given group.|write|Write permission is required for the removed group, all its subgroups and its parent group.
|copyGroup(Group toCopy, Group newParent, String newName,boolean deleteOriginal)|Copies or moves the given group into the content of a different group.|write|Write permission is required for the copied group, all its subgroups, and both its old and its new parent group.
|addIdentity(Identity toAdd)|Adds a new identity.|identityCtl OR write|Required permission must be valid globally.
|addIdentity(Identity toAdd, Identity equivalentIdentity)|Adds a new identity which represents the same entity as the one given as a parameter.|see ->|Requires either global write permission, or (global identityCtl permission + write permission in every group equivalentIdentity is a member of + global permissions the same as or better than those of equivalentIdentity).
|removeIdentity(Identity toRemove)|Deletes an identity.|see ->|Requires either global write permission, or (global identityCtl permission + write permission in every group toRemove is a member of + global permissions the same as or better than those of toRemove). The last condition prevents a caller from deleting an identity more privileged than itself.
|setAttribute(Element whom, Attribute toAdd, boolean update)|Adds a new attribute.|write|For global attributes global permission is needed.
|removeAttribute(Element whom, String toRemove)|Removes the attribute.|write|For global attributes global permission is needed.
|addToGroup(Identity toAdd, Group group)|Adds the given identity to a group.|write|
|removeFromGroup(Identity toRemove, Group group)|Removes the given identity from the given group.|write|
|setIdentityLabel(Identity toChange, String label)|Changes the label of the identity.|see ->|Requires either global write permission, or (global identityCtl permission + write permission in every group toChange is a member of + global permissions the same as or better than those of toChange).
|getAttributeTypes()|Returns a list of all types of attributes.|-|
|getIdentityTypes()|Returns a list of all types of identities.|-|
|updateAttributeTypes(List<AttributeType> toUpdate,boolean clear)|Updates a list of attribute types.|write|No permission is required to add a new attribute type; global write is required otherwise.
|disableAttribute(Element whose, String toDisable, String valueToDisable)|Temporarily disables the given value of the given attribute.|fullRead|[Self Access]
|enableAttribute(Element whose, String toEnable, String valueToEnable)|Re-enables a previously disabled value of the given attribute.|fullRead|[Self Access]
|getDisabledAttributes(Element whose)|Returns a list of attributes with disabled values.|fullRead|[Self Access]
|purgeHistoricalData(Date deleteFrom)|Permanently deletes all service data that is older than deleteFrom (exclusive).|write|Write must be valid globally.
4+^e|Applications Management
|updateApplicationForm (VOApplicationForm applicationDef,boolean update)|Adds or updates an application form definition.|write|Write must be valid for the group which is set in applicationDef.
|getApplications(Integer formId, String status)|Lists all applications for the selected form and/or with the selected status. Either filtering argument may be null, which removes that constraint.|fullRead|Requires the permission in the group which is the application form's base. When listing the applications of all forms, global fullRead is required.
|submitApplication(VOApplication application)|Adds a new application.|-|
|processApplication(int id, ApplicationActions action, String notes, boolean sendConfirmation, VOApplication application)|Processes an application. This operation only marks the application accordingly; it does not add a new identity (client software must do that separately).|write|Write must be valid for the group which is set in the application's form definition.
|csrProcessedNotification(String csr, boolean accepted, String certificate, boolean sendNotification)|Used to signal the server that the application with the given CSR should be updated, as the contained CSR was processed by a CA.|-|
4+^e|Authorization related functions
|modifyPermissions(Group group, PermissionDesignator designator,Permissions permissions)|Modifies permissions of the group.|write|
|checkPermissions(Group group, Identity whose)|Retrieves a set of permissions for the given identity in the group.|read|[Self Access]
|checkMyPermissions(Group group)|Retrieves a set of permissions for the  method caller  identity  in the given group.|read|[Self Access]
|getGroupAuthZ(Group group, boolean effective)|Retrieves a specification of the authZ settings of the given group.|write|
|modifyAuthenticationData(Identity id, Object newToken)|Changes authentication token of the given identity.|write|[Self Access] In self access mode no write permission is needed, otherwise global write is required.
|============================================================
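
The compound rules for removeIdentity, setIdentityLabel and modifyAuthenticationData are the ones most easily misread, so the following Python model spells them out. It is an added illustration, not UVOS code, and it does not call the UVOS API: the Directory class, its grants and membership tables, the convention that the root group '/' stands for the global scope, and the sample identities (superadmin, ops, alice) are all assumptions constructed for the example. A grant is treated as valid only in the group it is made in (no inheritance is modelled) and root membership is not counted among an identity's groups.

```python
"""Model of the UVOS removeIdentity / setIdentityLabel / modifyAuthenticationData
rules.  Added illustration; it is not UVOS code and does not call the UVOS API.
Assumptions: permissions are recorded per (identity, group) with '/' as the global
scope, a grant is valid only in the group it is made in (no inheritance modelled),
and root membership is not listed among an identity's groups."""

from dataclasses import dataclass, field

GLOBAL = "/"            # assumed: the root group stands for the global scope


@dataclass
class Directory:
    # (identity, group) -> set of permission names granted in that scope
    grants: dict = field(default_factory=dict)
    # identity -> set of (non-root) groups it is a member of
    membership: dict = field(default_factory=dict)

    def perms(self, identity, group=GLOBAL):
        return self.grants.get((identity, group), set())

    def has(self, identity, perm, group=GLOBAL):
        return perm in self.perms(identity, group)

    def groups_of(self, identity):
        return self.membership.get(identity, set())

    def can_manage_identity(self, caller, target):
        """removeIdentity and setIdentityLabel share one rule: global write, or
        (global identityCtl AND write in every group `target` belongs to AND the
        caller's global permissions are the same as or better than the target's)."""
        if self.has(caller, "write"):
            return True
        if not self.has(caller, "identityCtl"):
            return False
        if not all(self.has(caller, "write", g) for g in self.groups_of(target)):
            return False
        # the privilege ceiling: a caller may not act on an identity that holds
        # any global permission the caller itself lacks
        return self.perms(target) <= self.perms(caller)

    def can_modify_auth_data(self, caller, target):
        """modifyAuthenticationData: self access needs no permission, otherwise
        global write is required."""
        return caller == target or self.has(caller, "write")


def sample_directory():
    """Constructed sample data (not taken from any real deployment)."""
    d = Directory()
    d.membership = {"alice": {"/staff"}, "ops": {"/staff"}, "superadmin": set()}
    d.grants = {
        ("superadmin", GLOBAL): {"read", "write", "identityCtl", "fullRead"},
        ("ops", GLOBAL): {"read", "identityCtl"},   # may manage identities, no global write
        ("ops", "/staff"): {"read", "write"},
        ("alice", GLOBAL): {"read"},
    }
    return d


if __name__ == "__main__":
    d = sample_directory()
    for caller, target in [("ops", "alice"), ("ops", "superadmin"),
                           ("superadmin", "ops"), ("alice", "ops")]:
        print(f"{caller} may remove/relabel {target}: "
              f"{d.can_manage_identity(caller, target)}")
    print("alice may change her own token:", d.can_modify_auth_data("alice", "alice"))
    print("alice may change ops' token:", d.can_modify_auth_data("alice", "ops"))
```

The last condition in can_manage_identity is the security-relevant one: an identity holding only global identityCtl plus write in the relevant groups can manage ordinary members, but it cannot delete or relabel an identity that holds a global permission it lacks itself, so identityCtl cannot be turned into a path for removing an administrator.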
