directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [22/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.
Date Wed, 22 Oct 2014 15:44:41 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/ReviewMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/ReviewMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/rbac/ReviewMgrImpl.java
new file mode 100755
index 0000000..43314aa
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/ReviewMgrImpl.java
@@ -0,0 +1,937 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.ReviewMgr;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * This class performs administrative review functions on already provisioned Fortress RBAC entities
+ * that reside in LDAP directory.  These APIs map directly to similar named APIs specified by ANSI and NIST RBAC models.
+ * Many of the java doc function descriptions found below were taken directly from ANSI INCITS 359-2004.
+ * The RBAC Functional specification describes administrative operations for the creation
+ * and maintenance of RBAC element sets and relations; administrative review functions for
+ * performing administrative queries; and system functions for creating and managing
+ * RBAC attributes on user sessions and making access control decisions.
+ * <p/>
+ * <hr>
+ * <h4>RBAC0 - Core</h4>
+ * Many-to-many relationship between Users, Roles and Permissions. Selective role activation into sessions.  API to add, update, delete identity data and perform identity and access control decisions during runtime operations.
+ * <p/>
+ * <img src="../doc-files/RbacCore.png">
+ * <hr>
+ * <h4>RBAC1 - General Hierarchical Roles</h4>
+ * Simplifies role engineering tasks using inheritance of one or more parent roles.
+ * <p/>
+ * <img src="../doc-files/RbacHier.png">
+ * <hr>
+ * <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
+ * Enforce mutual membership exclusions across role assignments.  Facilitate dual control policies by restricting which roles may be assigned to users in combination.  SSD provide added granularity for authorization limits which help enterprises meet strict compliance regulations.
+ * <p/>
+ * <img src="../doc-files/RbacSSD.png">
+ * <hr>
+ * <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
+ * Control allowed role combinations to be activated within an RBAC session.  DSD policies fine tune role policies that facilitate authorization dual control and two man policy restrictions during runtime security checks.
+ * <p/>
+ * <img src="../doc-files/RbacDSD.png">
+ * <hr>
+ * <p/>
+ * This class is NOT thread safe if parent instance variables ({@link #contextId} or {@link #adminSess}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public class ReviewMgrImpl extends Manageable implements ReviewMgr
+{
+    private static final String CLS_NM = ReviewMgrImpl.class.getName();
+    private static final UserP userP = new UserP();
+    private static final RoleP roleP = new RoleP();
+    private static final PermP permP = new PermP();
+    private static final SdP ssdP = new SdP();
+
+    // package private constructor ensures outside classes cannot use:
+    ReviewMgrImpl()
+    {}
+
+    /**
+     * This method returns a matching permission entity to caller.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#objName} - contains the name of existing object being targeted</li>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Permission#opName} - contains the name of existing permission operation</li>
+     * </ul>
+     *
+     * @param permission must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, and optionally object id of targeted permission entity.
+     * @return Permission entity that is loaded with data.
+     * @throws SecurityException if permission not found or system error occurs.
+     */
+    @Override
+    public Permission readPermission(Permission permission)
+        throws SecurityException
+    {
+        String methodName = "readPermission";
+        assertContext(CLS_NM, methodName, permission, GlobalErrIds.PERM_OPERATION_NULL);
+        VUtil.assertNotNullOrEmpty(permission.getObjName(), GlobalErrIds.PERM_OBJECT_NM_NULL, CLS_NM + "." + methodName);
+        VUtil.assertNotNullOrEmpty(permission.getOpName(), GlobalErrIds.PERM_OPERATION_NM_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        return permP.read(permission);
+    }
+
+    /**
+     * Method reads permission object from perm container in directory.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.PermObj#objName} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param permObj entity contains the {@link org.apache.directory.fortress.core.rbac.PermObj#objName} of target record.
+     * @return PermObj loaded with perm object data.
+     * @throws SecurityException is thrown if object not found or system error.
+     */
+    @Override
+    public PermObj readPermObj(PermObj permObj)
+        throws SecurityException
+    {
+        String methodName = "readPermObj";
+        assertContext(CLS_NM, methodName, permObj, GlobalErrIds.PERM_OBJECT_NULL);
+        VUtil.assertNotNull(permObj.getObjName(), GlobalErrIds.PERM_OBJECT_NM_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        return permP.read(permObj);
+    }
+
+    /**
+     * Method returns a list of type Permission that match the perm object search string.
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link Permission#objName} - contains one or more characters of existing object being targeted</li>
+     * <li>{@link Permission#opName} - contains one or more characters of existing permission operation</li>
+     * </ul>
+     *
+     * @param permission contains object and operation name search strings.  Each contains 1 or more leading chars that correspond to object or op name.
+     * @return List of type Permission.  Fortress permissions are object->operation mappings.  The permissions may contain
+     *         assigned user, role or group entities as well.
+     * @throws SecurityException thrown in the event of system error.
+     */
+    @Override
+    public List<Permission> findPermissions(Permission permission)
+        throws SecurityException
+    {
+        String methodName = "findPermissions";
+        assertContext(CLS_NM, methodName, permission, GlobalErrIds.PERM_OPERATION_NULL);
+        checkAccess(CLS_NM, methodName);
+        return permP.search(permission);
+    }
+
+    /**
+     * Method returns a list of type PermObj that match the perm object search string.
+     * <h4>optional parameters</h4>
+     * <ul>
+     * <li>{@link PermObj#objName} - contains one or more characters of existing object being targeted</li>
+     * </ul>
+     *
+     * @param permObj contains object name search string.  The search val contains 1 or more leading chars that correspond to object name.
+     * @return List of type PermObj.  Fortress permissions are object->operation mappings.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          thrown in the event of system error.
+     */
+    @Override
+    public List<PermObj> findPermObjs(PermObj permObj)
+        throws SecurityException
+    {
+        String methodName = "findPermObjs";
+        assertContext(CLS_NM, methodName, permObj, GlobalErrIds.PERM_OBJECT_NULL);
+        checkAccess(CLS_NM, methodName);
+        return permP.search(permObj);
+    }
+
+    /**
+     * Method returns a list of type Permission that match the perm object search string.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.OrgUnit#name} - contains one or more characters of org unit associated with existing object being targeted</li>
+     * </ul>
+     *
+     * @param ou contains org unit name {@link org.apache.directory.fortress.core.rbac.OrgUnit#name}.  The search val contains the full name of matching ou in OS-P data set.
+     * @return List of type PermObj.  Fortress permissions are object->operation mappings.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          thrown in the event of system error.
+     */
+    @Override
+    public List<PermObj> findPermObjs(OrgUnit ou)
+        throws SecurityException
+    {
+        String methodName = "findPermObjs";
+        assertContext(CLS_NM, methodName, ou, GlobalErrIds.ORG_NULL_PERM);
+        checkAccess(CLS_NM, methodName);
+        // pass a "false" which places no restrictions on how many records server returns.
+        return permP.search(ou, false);
+    }
+
+    /**
+     * Method reads Role entity from the role container in directory.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.Role#name} - contains the name to use for the Role to read.</li>
+     * </ul>
+     *
+     * @param role contains role name, {@link org.apache.directory.fortress.core.rbac.Role#name}, to be read.
+     * @return Role entity that corresponds with role name.
+     * @throws SecurityException will be thrown if role not found or system error occurs.
+     */
+    @Override
+    public Role readRole(Role role)
+        throws SecurityException
+    {
+        String methodName = "readRole";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        VUtil.assertNotNullOrEmpty(role.getName(), GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        return roleP.read(role);
+    }
+
+    /**
+     * Method will return a list of type Role matching all or part of Role name, {@link Role#name}.
+     *
+     * @param searchVal contains all or some of the chars corresponding to role entities stored in directory.
+     * @return List of type Role containing role entities that match the search criteria.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of system error.
+     */
+    @Override
+    public List<Role> findRoles(String searchVal)
+        throws SecurityException
+    {
+        String methodName = "findRoles";
+        VUtil.assertNotNull(searchVal, GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        Role role = new Role(searchVal);
+        role.setContextId(this.contextId);
+        return roleP.search(role);
+    }
+
+    /**
+     * Method returns a list of roles of type String.  This method can be limited by integer value that indicates max
+     * number of records that may be contained in the result set.  This number can further limit global default but can
+     * not increase the max.  This method is called by the Websphere Realm impl.
+     *
+     * @param searchVal contains all or some leading chars that correspond to roles stored in the role container in the directory.
+     * @param limit     integer value specifies the max records that may be returned in the result set.
+     * @return List of type String containing names of the role entities that match the inbound search criteria.
+     * @throws SecurityException in the event of system error.
+     */
+    @Override
+    public List<String> findRoles(String searchVal, int limit)
+        throws SecurityException
+    {
+        String methodName = "findRoles";
+        VUtil.assertNotNull(searchVal, GlobalErrIds.ROLE_NM_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        Role role = new Role(searchVal);
+        role.setContextId(this.contextId);
+        return roleP.search(role, limit);
+    }
+
+    /**
+     * Method returns matching User entity that is contained within the people container in the directory.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.User#userId} - contains the userId associated with the User object targeted for read.</li>
+     * </ul>
+     *
+     * @param user entity contains a value {@link org.apache.directory.fortress.core.rbac.User#userId} that matches record in the directory.  userId is globally unique in
+     *             people container.
+     * @return entity containing matching user data.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          if record not found or system error occurs.
+     */
+    @Override
+    public final User readUser(User user)
+        throws SecurityException
+    {
+        String methodName = "readUser";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        VUtil.assertNotNullOrEmpty(user.getUserId(), GlobalErrIds.USER_ID_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        return userP.read(user, true);
+    }
+
+    /**
+     * Return a list of type User of all users in the people container that match all or part of the {@link User#userId} field passed in User entity.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains all or some leading chars that match userId(s) stored in the directory.</li>
+     * </ul>
+     *
+     * @param user contains all or some leading chars that match userIds stored in the directory.
+     * @return List of type User.
+     * @throws SecurityException In the event of system error.
+     */
+    @Override
+    public final List<User> findUsers(User user)
+        throws SecurityException
+    {
+        String methodName = "findUsers";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        checkAccess(CLS_NM, methodName);
+        return userP.search(user);
+    }
+
+    /**
+     * Return a list of type User of all users in the people container that match the name field passed in OrgUnit entity.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link OrgUnit#name} - contains one or more characters of org unit associated with existing object(s) being targeted</li>
+     * </ul>
+     *
+     * @param ou contains name of User OU, {@link OrgUnit#name} that match ou attribute associated with User entity in the directory.
+     * @return List of type User.
+     * @throws SecurityException In the event of system error.
+     */
+    @Override
+    public List<User> findUsers(OrgUnit ou)
+        throws SecurityException
+    {
+        String methodName = "findUsers";
+        assertContext(CLS_NM, methodName, ou, GlobalErrIds.ORG_NULL_USER);
+        checkAccess(CLS_NM, methodName);
+        // pass a "false" which places no restrictions on how many records server returns.
+        return userP.search(ou, false);
+    }
+
+    /**
+     * Return a list of type String of all users in the people container that match the userId field passed in User entity.
+     * This method is used by the Websphere realm component.  The max number of returned users may be set by the integer limit arg.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains the userId associated with the User object targeted for read.</li>
+     * <li>limit - max number of objects to return.</li>
+     * </ul>
+     *
+     * @param user  contains all or some leading chars that correspond to users stored in the directory.
+     * @param limit integer value sets the max returned records.
+     * @return List of type String containing matching userIds.
+     * @throws SecurityException in the event of system error.
+     */
+    @Override
+    public final List<String> findUsers(User user, int limit)
+        throws SecurityException
+    {
+        String methodName = "findUsers";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        checkAccess(CLS_NM, methodName);
+        return userP.search(user, limit);
+    }
+
+    /**
+     * This function returns the set of users assigned to a given role. The function is valid if and
+     * only if the role is a member of the ROLES data set.
+     * The max number of users returned is constrained by limit argument.
+     * This method is used by the Websphere realm component.  This method does NOT use hierarchical rbac.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * <li>limit - max number of objects to return.</li>
+     * </ul>
+     *
+     * @param role  Contains {@link Role#name} of Role entity assigned to user.
+     * @param limit integer value sets the max returned records.
+     * @return List of type String containing userIds assigned to a particular role.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of data validation or system error.
+     */
+    @Override
+    public List<String> assignedUsers(Role role, int limit)
+        throws SecurityException
+    {
+        String methodName = "assignedUsers";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        Role entity = roleP.read(role);
+        // this one retrieves from the role itself.
+        List<String> users = entity.getOccupants();
+        if (users != null && users.size() > limit)
+        {
+            users = users.subList(0, limit);
+        }
+        // No users found for this role.
+        // return empty list to caller:
+        else if (users == null)
+        {
+            users = new ArrayList<>();
+        }
+        return users;
+        // this one does a search across all users:
+        //return userP.getAuthorizedUsers(role, limit);
+    }
+
+    /**
+     * This method returns the data set of all users who are assigned the given role.  This searches the User data set for
+     * Role relationship.  This method does NOT search for hierarchical RBAC Roles relationships.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * </ul>
+     *
+     * @param role contains the role name, {@link Role#name} used to search the User data set.
+     * @return List of type User containing the users assigned data.
+     * @throws SecurityException If system error occurs.
+     */
+    @Override
+    public List<User> assignedUsers(Role role)
+        throws SecurityException
+    {
+        String methodName = "assignedUsers";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        return userP.getAssignedUsers(role);
+    }
+
+    /**
+     * This function returns the set of roles assigned to a given user. The function is valid if and
+     * only if the user is a member of the USERS data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
+     * </ul>
+     *
+     * @param user contains {@link User#userId} matching User entity targeted in the directory.
+     * @return List of type UserRole containing the Roles assigned to User.
+     * @throws SecurityException If user not found or system error occurs.
+     */
+    @Override
+    public List<UserRole> assignedRoles(User user)
+        throws SecurityException
+    {
+        String methodName = "assignedRoles";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        checkAccess(CLS_NM, methodName);
+        User ue = userP.read(user, true);
+        return ue.getRoles();
+    }
+
+    /**
+     * This function returns the set of roles assigned to a given user. The function is valid if and
+     * only if the user is a member of the USERS data set.
+     *
+     * @param userId matches userId stored in the directory.
+     * @return List of type String containing the role names of all roles assigned to user.
+     * @throws SecurityException If user not found or system error occurs.
+     */
+    @Override
+    public List<String> assignedRoles(String userId)
+        throws SecurityException
+    {
+        String methodName = "assignedRoles";
+        VUtil.assertNotNullOrEmpty(userId, GlobalErrIds.USER_NULL, CLS_NM + "." + methodName);
+        checkAccess(CLS_NM, methodName);
+        User user = new User(userId);
+        user.setContextId(this.contextId);
+        return userP.getAssignedRoles(user);
+    }
+
+    /**
+     * This function returns the set of users authorized to a given role, i.e., the users that are assigned to a role that
+     * inherits the given role. The function is valid if and only if the given role is a member of the ROLES data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * </ul>
+     *
+     * @param role Contains role name, {@link Role#name} of Role entity assigned to User.
+     * @return List of type User containing all user's that having matching role assignment.
+     * @throws SecurityException In the event the role is not present in directory or system error occurs.
+     */
+    @Override
+    public List<User> authorizedUsers(Role role)
+        throws SecurityException
+    {
+        String methodName = "authorizedUsers";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        return userP.getAuthorizedUsers(role);
+    }
+
+    /**
+     * This function returns the set of roles authorized for a given user. The function is valid if
+     * and only if the user is a member of the USERS data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
+     * </ul>
+     *
+     * @param user contains the {@link User#userId} matching User entity stored in the directory.
+     * @return Set of type String containing the roles assigned and roles inherited.
+     * @throws SecurityException If user not found or system error occurs.
+     */
+    @Override
+    public Set<String> authorizedRoles(User user)
+        throws SecurityException
+    {
+        String methodName = "authorizedRoles";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        checkAccess(CLS_NM, methodName);
+        User ue = userP.read(user, true);
+        List<UserRole> roles = ue.getRoles();
+        Set<String> iRoles = null;
+        if (VUtil.isNotNullOrEmpty(roles))
+        {
+            iRoles = RoleUtil.getInheritedRoles( roles, this.contextId );
+        }
+        return iRoles;
+    }
+
+    /**
+     * This function returns the set of all permissions (op, obj), granted to or inherited by a
+     * given role. The function is valid if and only if the role is a member of the ROLES data
+     * set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * </ul>
+     *
+     * @param role contains role name, {@link Role#name} of Role entity Permission is granted to.
+     * @return List of type Permission that contains all perms granted to a role.
+     * @throws SecurityException In the event system error occurs.
+     */
+    @Override
+    public List<Permission> rolePermissions(Role role)
+        throws SecurityException
+    {
+        String methodName = "rolePermissions";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        return permP.search(role);
+    }
+
+    /**
+     * This function returns the set of permissions a given user gets through his/her authorized
+     * roles. The function is valid if and only if the user is a member of the USERS data set.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link User#userId} - contains the userId associated with the User object targeted for search.</li>
+     * </ul>
+     *
+     * @param user contains the {@link User#userId} of User targeted for search.
+     * @return List of type Permission containing matching permission entities.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *
+     */
+    @Override
+    public List<Permission> userPermissions(User user)
+        throws SecurityException
+    {
+        String methodName = "userPermissions";
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        checkAccess(CLS_NM, methodName);
+        user = readUser(user);
+        user.setContextId(this.contextId);
+        return permP.search(user);
+    }
+
+    /**
+     * Return a list of type String of all roles that have granted a particular permission.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Permission#objName} - contains the name of existing object being targeted</li>
+     * <li>{@link Permission#opName} - contains the name of existing permission operation</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, and optionally object id of targeted permission entity.
+     * @return List of type string containing the role names that have the matching perm granted.
+     * @throws SecurityException in the event permission not found or system error occurs.
+     */
+    @Override
+    public List<String> permissionRoles(Permission perm)
+        throws SecurityException
+    {
+        String methodName = "permissionRoles";
+        assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OBJECT_NULL);
+        checkAccess(CLS_NM, methodName);
+        Permission pe = permP.read(perm);
+        List<String> retVals;
+        if(pe != null && VUtil.isNotNullOrEmpty(pe.getRoles()))
+        {
+            retVals = new ArrayList<>(pe.getRoles());
+        }
+        else
+        {
+            retVals =  new ArrayList<>();
+        }
+        return retVals;
+    }
+
+    /**
+     * Return all role names that have been authorized for a given permission.  This will process role hierarchies to determine set of all Roles who have access to a given permission.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Permission#objName} - contains the name of existing object being targeted</li>
+     * <li>{@link Permission#opName} - contains the name of existing permission operation</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, and optionally object id of targeted permission entity.
+     * @return Set of type String containing all roles names that have been granted a particular permission.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of validation or system error.
+     */
+    @Override
+    public Set<String> authorizedPermissionRoles(Permission perm)
+        throws SecurityException
+    {
+        Set<String> authorizedRoles;
+        String methodName = "authorizedPermissionRoles";
+        assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
+        checkAccess(CLS_NM, methodName);
+        // Pull the permission from ldap:
+        Permission pe = permP.read(perm);
+
+        // Get all roles that this permission is authorized for:
+        authorizedRoles = authorizeRoles(pe.getRoles());
+        return authorizedRoles;
+    }
+
+    /**
+     * Return all userIds that have been granted (directly) a particular permission.  This will not consider assigned or authorized Roles.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Permission#objName} - contains the name of existing object being targeted</li>
+     * <li>{@link Permission#opName} - contains the name of existing permission operation</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, and optionally object id of targeted permission entity.
+     * @return List of type String containing all userIds that have been granted a particular permission.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of validation or system error.
+     */
+    @Override
+    public List<String> permissionUsers(Permission perm)
+        throws SecurityException
+    {
+        String methodName = "permissionUsers";
+        assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
+        checkAccess(CLS_NM, methodName);
+        Permission pe = permP.read(perm);
+        List<String> retVals;
+        if(pe != null && VUtil.isNotNullOrEmpty(pe.getUsers()))
+        {
+            retVals = new ArrayList<>(pe.getUsers());
+        }
+        else
+        {
+            retVals =  new ArrayList<>();
+        }
+        return retVals;
+    }
+
+    /**
+     * Return all userIds that have been authorized for a given permission.  This will process role hierarchies to determine set of all Users who have access to a given permission.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Permission#objName} - contains the name of existing object being targeted</li>
+     * <li>{@link Permission#opName} - contains the name of existing permission operation</li>
+     * </ul>
+     *
+     * @param perm must contain the object, {@link Permission#objName}, and operation, {@link Permission#opName}, and optionally object id of targeted permission entity.
+     * @return Set of type String containing all userIds that have been granted a particular permission.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of validation or system error.
+     */
+    @Override
+    public Set<String> authorizedPermissionUsers(Permission perm)
+        throws SecurityException
+    {
+        Set<String> authorizedUsers = null;
+        String methodName = "authorizedPermissionUsers";
+        assertContext(CLS_NM, methodName, perm, GlobalErrIds.PERM_OPERATION_NULL);
+        checkAccess(CLS_NM, methodName);
+        // Pull the permission from ldap:
+        Permission pe = permP.read(perm);
+
+        // Get all roles that this permission is authorized for:
+        Set<String> authorizedRoles = authorizeRoles(pe.getRoles());
+        if (authorizedRoles != null)
+        {
+            // Pull the set of users assigned to descendant or assigned roles from ldap:
+            authorizedUsers = userP.getAssignedUsers(authorizedRoles, this.contextId);
+        }
+        // Now add any users who have been directly assigned to this permission entity:
+        Set<String> assignedUsers = pe.getUsers();
+        if (assignedUsers != null)
+        {
+            // It is possible this dataset has not yet been instantiated (if perm has no assigned roles):
+            if (authorizedUsers == null)
+            {
+                authorizedUsers = new HashSet<>();
+            }
+            authorizedUsers.addAll(assignedUsers);
+        }
+        // The returned list includes all assigned users plus any users assigned via authorized roles.
+        return authorizedUsers;
+    }
+
+    /**
+     * @param assignedRoles
+     * @return Set contains both assigned and descendant role names
+     * @throws SecurityException
+     */
+    private Set<String> authorizeRoles(Set<String> assignedRoles)
+    {
+        Set<String> authorizedRoles = null;
+        if (assignedRoles != null)
+        {
+            // Get the descendant roles of all assigned roles from jgrapht hierarchical roles data set:
+            authorizedRoles = RoleUtil.getDescendantRoles(assignedRoles, this.contextId);
+        }
+        return authorizedRoles;
+    }
+
+    /**
+     * This function returns the list of all SSD role sets that have a particular Role as member or Role's
+     * parent as a member.  If the Role parameter is left blank, function will return all SSD role sets.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * </ul>
+     *
+     * @param role Will contain the role name, {@link Role#name}, for targeted SSD set or null to return all
+     * @return List containing all matching SSD's.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of data or system error.
+     */
+    @Override
+    public List<SDSet> ssdRoleSets(Role role)
+        throws SecurityException
+    {
+        String methodName = "ssdRoleSets";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        return ssdP.search(role, SDSet.SDType.STATIC);
+    }
+
+    /**
+     * This function returns the list of SSDs that match a given ssd name value.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param ssd contains the name for the SSD set targeted, {@link SDSet#name}.
+     * @return List containing all SSDSets that match a given SSDSet name.
+     * @throws SecurityException in the event of data or system error.
+     */
+    public List<SDSet> ssdSets(SDSet ssd)
+        throws SecurityException
+    {
+        String methodName = "ssdSets";
+        ssd.setType(SDSet.SDType.STATIC);
+        assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        return ssdP.search(ssd);
+    }
+
+    /**
+     * This function returns the SSD data set that matches a particular set name.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param set Will contain the name for existing SSD data set
+     * @return SDSet containing all attributes from matching SSD name.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of data or system error.
+     */
+    @Override
+    public SDSet ssdRoleSet(SDSet set)
+        throws SecurityException
+    {
+        String methodName = "ssdRoleSet";
+        assertContext(CLS_NM, methodName, set, GlobalErrIds.SSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        set.setType(SDSet.SDType.STATIC);
+        return ssdP.read(set);
+    }
+
+    /**
+     * This function returns the set of roles of a SSD role set. The function is valid if and only if the
+     * role set exists.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param ssd contains the name for the SSD set targeted.
+     * @return Map containing all Roles that are members of SSD data set.
+     * @throws SecurityException in the event of data or system error.
+     */
+    @Override
+    public Set<String> ssdRoleSetRoles(SDSet ssd)
+        throws SecurityException
+    {
+        String methodName = "ssdRoleSetRoles";
+        assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        ssd.setType(SDSet.SDType.STATIC);
+        SDSet se = ssdP.read(ssd);
+        return se.getMembers();
+    }
+
+    /**
+     * This function returns the cardinality associated with a SSD role set. The function is valid if and only if the
+     * role set exists.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param ssd contains the name of the SSD set targeted, {@link SDSet#name}.
+     * @return int value containing cardinality of SSD set.
+     * @throws SecurityException in the event of data or system error.
+     */
+    @Override
+    public int ssdRoleSetCardinality(SDSet ssd)
+        throws SecurityException
+    {
+        String methodName = "ssdRoleSetCardinality";
+        assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        SDSet se = ssdP.read(ssd);
+        return se.getCardinality();
+    }
+
+    /**
+     * This function returns the list of all dSD role sets that have a particular Role as member or Role's
+     * parent as a member.  If the Role parameter is left blank, function will return all dSD role sets.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link Role#name} - contains the name to use for the Role targeted for search.</li>
+     * </ul>
+     *
+     * @param role Will contain the role name, {@link Role#name}, for targeted dSD set or null to return all
+     * @return List containing all matching dSD's.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of data or system error.
+     */
+    @Override
+    public List<SDSet> dsdRoleSets(Role role)
+        throws SecurityException
+    {
+        String methodName = "dsdRoleSets";
+        assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+        checkAccess(CLS_NM, methodName);
+        return ssdP.search(role, SDSet.SDType.DYNAMIC);
+    }
+
+    /**
+     * This function returns the DSD data set that matches a particular set name.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param set Will contain the name for existing DSD data set, {@link SDSet#name}.
+     * @return SDSet containing all attributes from matching DSD name.
+     * @throws org.apache.directory.fortress.core.SecurityException
+     *          in the event of data or system error.
+     */
+    @Override
+    public SDSet dsdRoleSet(SDSet set)
+        throws SecurityException
+    {
+        String methodName = "dsdRoleSet";
+        assertContext(CLS_NM, methodName, set, GlobalErrIds.DSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        set.setType(SDSet.SDType.DYNAMIC);
+        return ssdP.read(set);
+    }
+
+    /**
+     * This function returns the list of DSDs that match a given dsd name value.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param ssd contains the name for the SSD set targeted, {@link SDSet#name}.
+     * @return List containing all DSDSets that match a given DSDSet name.
+     * @throws SecurityException in the event of data or system error.
+     */
+    public List<SDSet> dsdSets(SDSet ssd)
+        throws SecurityException
+    {
+        String methodName = "dsdSets";
+        ssd.setType(SDSet.SDType.DYNAMIC);
+        assertContext(CLS_NM, methodName, ssd, GlobalErrIds.DSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        return ssdP.search(ssd);
+    }
+
+    /**
+     * This function returns the set of roles of a DSD role set. The function is valid if and only if the
+     * role set exists.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param dsd contains the name for the DSD set targeted, {@link SDSet#name}.
+     * @return List containing all Roles that are members of DSD data set.
+     * @throws SecurityException in the event of data or system error.
+     */
+    @Override
+    public Set<String> dsdRoleSetRoles(SDSet dsd)
+        throws SecurityException
+    {
+        String methodName = "dsdRoleSetRoles";
+        assertContext(CLS_NM, methodName, dsd, GlobalErrIds.DSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        dsd.setType(SDSet.SDType.DYNAMIC);
+        SDSet se = ssdP.read(dsd);
+        return se.getMembers();
+    }
+
+    /**
+     * This function returns the cardinality associated with a DSD role set. The function is valid if and only if the
+     * role set exists.
+     * <h4>required parameters</h4>
+     * <ul>
+     * <li>{@link SDSet#name} - contains the name of existing object being targeted</li>
+     * </ul>
+     *
+     * @param dsd contains the name of the DSD set targeted, {@link SDSet#name}.
+     * @return int value containing cardinality of DSD set.
+     * @throws SecurityException in the event of data or system error.
+     */
+    @Override
+    public int dsdRoleSetCardinality(SDSet dsd)
+        throws SecurityException
+    {
+        String methodName = "dsdRoleSetCardinality";
+        assertContext(CLS_NM, methodName, dsd, GlobalErrIds.DSD_NULL);
+        checkAccess(CLS_NM, methodName);
+        SDSet se = ssdP.read(dsd);
+        return se.getCardinality();
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Role.java b/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
new file mode 100755
index 0000000..0d9c20a
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
@@ -0,0 +1,798 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlSeeAlso;
+import javax.xml.bind.annotation.XmlTransient;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
+import org.apache.directory.fortress.core.rbac.dao.UserDAO;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.directory.fortress.core.util.time.Constraint;
+
+
+/**
+ * All entities ({@link User}, {@link Role}, {@link Permission},
+ * {@link PwPolicy} {@link SDSet} etc...) are used to carry data between three Fortress
+ * layers.starting with the (1) Manager layer down thru middle (2) Process layer and it's processing rules into
+ * (3) DAO layer where persistence with the OpenLDAP server occurs.
+ * <h4>Fortress Processing Layers</h4>
+ * <ol>
+ * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
+ * <li>Process layer:  {@link UserP}, {@link RoleP}, {@link PermP},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * </ol>
+ * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
+ * provide enough information to uniquely identity the entity target within ldap.<br />
+ * For example, this entity requires {@link #setName} attribute set before passing into {@link AdminMgrImpl} APIs.
+ * Create methods sometimes require more attributes (than Read) due to constraints enforced between entities although only {@link Role#setName} is required for {@link Role}.
+ * <p/>
+ * <h4>Role entity attribute usages include</h4>
+ * <ul>
+ * <li>{@link #setName} attribute must be set before calling {@link AdminMgrImpl#addRole(Role)}, {@link AdminMgrImpl#updateRole(Role)} or  {@link AdminMgrImpl#deleteRole(Role)}
+ * <li>{@link org.apache.directory.fortress.core.util.time.Constraint} may be set <b>before</b> calling method {@link AdminMgrImpl#addRole(Role)}.
+ * <li>{@link org.apache.directory.fortress.core.util.time.Constraint} will be <b>returned</b> to caller on methods like {@link ReviewMgrImpl#readRole(Role)} or {@link ReviewMgrImpl#findRoles(String)} iff persisted to entity prior to call.
+ * </ul>
+ * <p/>
+ * This entity is used to store the RBAC Role assignments that comprise the many-to-many relationships between {@link User}s and {@link Permission}s.
+ * <br />The unique key to locate a Role entity (which is subsequently assigned both to Users and Permissions) is 'Role.name'.<br />
+ * <p/>
+ * There is a many-to-many relationship between User's, RBAC Roles and Permissions.
+ * <h3>{@link User}*<->*{@link Role}*<->*{@link Permission}</h3>
+ * <p/>
+ * <img src="../doc-files/RbacCore.png">
+ * <p/>
+ * Example to create new RBAC Role:
+ * <pre>
+ * try
+ * {
+ *  // Instantiate the AdminMgr first
+ *  AdminMgr adminMgr = AdminMgrFactory.createInstance();
+ *
+ *  Role myRole = new Role("MyRoleName");
+ *  myRole.setDescription("This is a test role");
+ *  adminMgr.addRole(myRole);
+ * }
+ * catch (SecurityException ex)
+ * {
+ *  // log or throw
+ * }</pre>
+ * The above code will persist to LDAP a Role object that can be used as a target for User-Role assignments and Role-Permission grants.
+ * <p/>
+ * <h4>Role Schema</h4>
+ * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
+ * <p/>
+ * 1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.5.6.8 NAME 'organizationalRole'
+ *  DESC 'RFC2256: an organizational role'
+ *  SUP top STRUCTURAL
+ *  MUST cn
+ *  MAY (
+ *      x121Address $ registeredAddress $ destinationIndicator $
+ *      preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ *      telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ *      seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+ *      postOfficeBox $ postalCode $ postalAddress $
+ *      physicalDeliveryOfficeName $ ou $ st $ l $ description
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 2. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Roles Structural Object Class
+ * objectclass	( 1.3.6.1.4.1.38088.2.1
+ *  NAME 'ftRls'
+ *  DESC 'Fortress Role Structural Object Class'
+ *  SUP organizationalrole
+ *  STRUCTURAL
+ *  MUST (
+ *      ftId $
+ *      ftRoleName
+ *  )
+ *  MAY (
+ *      description $
+ *      ftCstr $
+ *      ftParents
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.<br />
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <pre>
+ * ------------------------------------------
+ * AC2: Fortress Properties Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.2
+ *  NAME 'ftProperties'
+ *  DESC 'Fortress Properties AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftProps
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ *  NAME 'ftMods'
+ *  DESC 'Fortress Modifiers AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftModifier $
+ *      ftModCode $
+ *      ftModId
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortRole")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "role", propOrder =
+    {
+        "name",
+        "id",
+        "description",
+        "parents",
+        "children",
+        "beginDate",
+        "beginLockDate",
+        "beginTime",
+        "dayMask",
+        "endDate",
+        "endLockDate",
+        "endTime",
+        "timeout",
+        "rawData"
+})
+@XmlSeeAlso(
+    {
+        AdminRole.class
+})
+public class Role extends FortEntity
+implements Constraint, Graphable, java.io.Serializable
+{
+private String id; // this maps to ftId
+private String name; // this is ftRoleName
+private String description; // this is description
+@XmlTransient
+private String dn; // this attribute is automatically saved to each ldap record.
+@XmlTransient
+private List<String> occupants;
+private Set<String> parents;
+private Set<String> children;
+private String beginTime; // this attribute is ftCstr
+private String endTime; // this attribute is ftCstr
+private String beginDate; // this attribute is ftCstr
+private String endDate; // this attribute is ftCstr
+private String beginLockDate;// this attribute is ftCstr
+private String endLockDate; // this attribute is ftCstr
+private String dayMask; // this attribute is ftCstr
+private int timeout; // this attribute is ftCstr
+
+
+/**
+ * Default constructor is used by internal Fortress classes.
+ */
+public Role()
+{
+}
+
+
+/**
+ * Construct a Role entity with a given name.
+ *
+ * @param name maps to 'cn' attribute on 'organizationalrole' object class.
+ */
+public Role( String name )
+{
+    this.name = name;
+}
+
+
+/**
+ * Construct an RBAC Role with a given temporal constraint.
+ *
+ * @param con maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+public Role( Constraint con )
+{
+    CUtil.copy( con, this );
+}
+
+
+/**
+ * Required on DAO classes convert Temporal attributes stored on entity to raw data object format needed for ldap.  For internal use only.
+ *
+ * @return String that maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+public String getRawData()
+{
+    return rawData;
+}
+
+
+/**
+ * Required on DAO classes convert Temporal from raw ldap data to entity attributes.  For internal use only.
+ *
+ * @param rawData maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+public void setRawData( String rawData )
+{
+    this.rawData = rawData;
+}
+
+private String rawData;
+
+
+/**
+ * Gets the name required attribute of the Role object
+ *
+ * @return attribute maps to 'cn' attribute on 'organizationalrole' object class.
+ */
+public String getName()
+{
+    return name;
+}
+
+
+/**
+ * Sets the required name attribute on the Role object
+ *
+ */
+public void setName( String name )
+{
+    this.name = name;
+}
+
+
+/**
+ * Set the occupant attribute with the contents of the User dn.
+ * @param occupant maps to 'roleOccupant' attribute on 'organizationalrole' object class.
+ */
+public void setOccupant( String occupant )
+{
+    if ( this.occupants == null )
+    {
+        this.occupants = new ArrayList<>();
+    }
+    this.occupants.add( occupant );
+}
+
+
+/**
+ * Return list of occupants for a particular Role entity.
+ * @return List of type String containing User dn that maps to 'roleOccupant' attribute on 'organizationalrole' object class.
+ */
+public List<String> getOccupants()
+{
+    return occupants;
+}
+
+
+/**
+ * Set a list of occupants for a particular Role entity.
+ * @param occupants contains a List of type String which maps to 'roleOccupant' attribute on 'organizationalrole' object class.
+ */
+public void setOccupants( List<String> occupants )
+{
+    this.occupants = occupants;
+}
+
+
+/**
+ * Returns optional description that is associated with Role.  This attribute is validated but not constrained by Fortress.
+ *
+ * @return value that is mapped to 'description' in 'organizationalrole' object class.
+ */
+public String getDescription()
+{
+    return this.description;
+}
+
+
+/**
+ * Sets the optional description that is associated with Role.  This attribute is validated but not constrained by Fortress.
+ *
+ * @param description that is mapped to same name in 'organizationalrole' object class.
+ */
+public void setDescription( String description )
+{
+    this.description = description;
+}
+
+
+/**
+ * Return the internal id that is associated with Role.  This attribute is generated automatically
+ * by Fortress when new Role is added to directory and is not known or changeable by external client.
+ *
+ * @return attribute maps to 'ftId' in 'ftRls' object class.
+ */
+public String getId()
+{
+    return id;
+}
+
+
+/**
+ * Generate an internal Id that is associated with Role.  This method is used by DAO class and
+ * is not available to outside classes.   The generated attribute maps to 'ftId' in 'ftRls' object class.
+ */
+public void setId()
+{
+    // generate a unique id that will be used as the rDn for this entry:
+    UUID uuid = UUID.randomUUID();
+    this.id = uuid.toString();
+}
+
+
+/**
+ * Set the internal Id that is associated with Role.  This method is used by DAO class and
+ * is generated automatically by Fortress.  Attribute stored in LDAP cannot be changed by external caller.
+ * This method can be used by client for search purposes only.
+ *
+ * @param id maps to 'ftId' in 'ftRls' object class.
+ */
+public void setId( String id )
+{
+    this.id = id;
+}
+
+
+/**
+ * temporal boolean flag is used by internal Fortress components.
+ *
+ * @return boolean indicating if temporal constraints are placed on Role.
+ */
+@Override
+public boolean isTemporalSet()
+{
+    return ( beginTime != null || endTime != null || beginDate != null || endDate != null || beginLockDate != null
+        || endLockDate != null || dayMask != null );
+}
+
+
+/**
+ * Contains the begin time of day Role is allowed to be activated in session.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getBeginTime()
+{
+    return this.beginTime;
+}
+
+
+/**
+ * Set the begin time of day Role is allowed to be activated in session.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param beginTime maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setBeginTime( String beginTime )
+{
+    this.beginTime = beginTime;
+}
+
+
+/**
+ * Contains the end time of day Role is allowed to be activated in session.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getEndTime()
+{
+    return this.endTime;
+}
+
+
+/**
+ * Set the end time of day Role is allowed to be activated in session.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param endTime maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setEndTime( String endTime )
+{
+    this.endTime = endTime;
+}
+
+
+/**
+ * Contains the begin date when Role is allowed to be activated in session.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getBeginDate()
+{
+    return this.beginDate;
+}
+
+
+/**
+ * Set the beginDate when Role is allowed to be activated in session.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param beginDate maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setBeginDate( String beginDate )
+{
+    this.beginDate = beginDate;
+}
+
+
+/**
+ * Contains the end date when Role is allowed to be activated in session.  The format is - YYYYMMDD, i.e. 20101231 (December 31, 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getEndDate()
+{
+    return this.endDate;
+}
+
+
+/**
+ * Set the end date when Role is not allowed to be activated in session.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param endDate maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setEndDate( String endDate )
+{
+    this.endDate = endDate;
+}
+
+
+/**
+ * Contains the begin lock date when Role is temporarily not allowed to be activated in session.  The format is - YYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getBeginLockDate()
+{
+    return this.beginLockDate;
+}
+
+
+/**
+ * Set the begin lock date when Role is temporarily not allowed to be activated in session.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param beginLockDate maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setBeginLockDate( String beginLockDate )
+{
+    this.beginLockDate = beginLockDate;
+}
+
+
+/**
+ * Contains the end lock date when Role is allowed to be activated in session once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getEndLockDate()
+{
+    return this.endLockDate;
+}
+
+
+/**
+ * Set the end lock date when Role is allowed to be activated in session once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param endLockDate maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setEndLockDate( String endLockDate )
+{
+    this.endLockDate = endLockDate;
+}
+
+
+/**
+ * Get the daymask that indicates what days of week Role is allowed to be activated in session.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return attribute maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public String getDayMask()
+{
+    return this.dayMask;
+}
+
+
+/**
+ * Set the daymask that specifies what days of week Role is allowed to be activated in session.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param dayMask maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setDayMask( String dayMask )
+{
+    this.dayMask = dayMask;
+}
+
+
+/**
+ * Return the integer timeout that contains total time (in seconds) that Role may remain inactive in User's session before it is deactivated.
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @return int maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public Integer getTimeout()
+{
+    return this.timeout;
+}
+
+
+/**
+ * Set the integer timeout that contains max time (in seconds) that Role may remain inactive in User's session before it is deactivated.
+ * This attribute is optional but if set will be validated for reasonableness.
+ *
+ * @param timeout maps to 'ftCstr' attribute in 'ftRls' object class.
+ */
+@Override
+public void setTimeout( Integer timeout )
+{
+    this.timeout = timeout;
+}
+
+
+/**
+ * Get the names of roles that are parents (direct ascendants) of this role.
+ * @return Set of parent role names assigned to this role.
+ */
+@Override
+public Set<String> getParents()
+{
+    if ( this.parents == null )
+    {
+        this.parents = new HashSet<>();
+    }
+    return parents;
+}
+
+
+/**
+ * Set the names of roles names that are parents (direct ascendants) of this role.
+ * @param parents contains the Set of parent role names assigned to this role.
+ */
+@Override
+public void setParents( Set<String> parents )
+{
+    this.parents = parents;
+}
+
+
+/**
+ * Set the occupant attribute with the contents of the User dn.
+ * @param parent maps to 'ftParents' attribute on 'ftRls' object class.
+ */
+@Override
+public void setParent( String parent )
+{
+    if ( this.parents == null )
+    {
+        this.parents = new HashSet<>();
+    }
+    this.parents.add( parent );
+}
+
+
+/**
+ * Set the occupant attribute with the contents of the User dn.
+ * @param parent maps to 'ftParents' attribute on 'ftRls' object class.
+ */
+@Override
+public void delParent( String parent )
+{
+    if ( this.parents != null )
+    {
+        this.parents.remove( parent );
+    }
+}
+
+
+/**
+ * Return the Set of child role names (direct descendants) of this role.
+ * @return Set of child role names assigned to this role.
+ */
+public Set<String> getChildren()
+{
+    return children;
+}
+
+
+/**
+ * Set the Set of child role names (direct descendants) of this role
+ * @param children contains the Set of child role names assigned to this role.
+ */
+public void setChildren( Set<String> children )
+{
+    this.children = children;
+}
+
+
+/**
+ * Matches the name from two Role entities.
+ *
+ * @param thatObj contains a Role entity.
+ * @return boolean indicating both objects contain matching Role names.
+ */
+public boolean equals( Object thatObj )
+{
+    if ( this == thatObj )
+    {
+        return true;
+    }
+
+    if ( name == null )
+    {
+        return false;
+    }
+
+    if ( !( thatObj instanceof Role ) )
+    {
+        return false;
+    }
+
+    Role thatRole = ( Role ) thatObj;
+
+    if ( thatRole.getName() == null )
+    {
+        return false;
+    }
+
+    return thatRole.getName().equalsIgnoreCase( name );
+}
+
+
+/**
+ * @see Object#toString()
+ */
+public String toString()
+{
+    StringBuilder sb = new StringBuilder();
+
+    sb.append( "Role[" );
+
+    // The name
+    sb.append( name ).append( ", " );
+
+    if ( ( description != null ) && ( description.length() > 0 ) )
+    {
+        sb.append( description ).append( ", " );
+    }
+
+    // the date
+    sb.append( "date : <" ).append( beginDate ).append( ", " ).append( endDate ).append( ">, " );
+
+    // The time
+    sb.append( "time : <" ).append( beginTime ).append( ", " ).append( endTime ).append( ">, " );
+
+    // The lock date
+    sb.append( "lock date : <" ).append( beginLockDate ).append( ", " ).append( endLockDate ).append( ">, " );
+
+    // The timeout
+    sb.append( "timeout : " ).append( timeout ).append( ", " );
+
+    // The day mask
+    sb.append( "daymask : " ).append( dayMask );
+
+    // The parents if any
+    if ( ( parents != null ) && ( parents.size() > 0 ) )
+    {
+        sb.append( ", parents : {" );
+
+        boolean isFirst = true;
+
+        for ( String parent : parents )
+        {
+            if ( isFirst )
+            {
+                isFirst = false;
+            }
+            else
+            {
+                sb.append( '|' );
+            }
+
+            sb.append( parent );
+        }
+
+        sb.append( '}' );
+    }
+
+    // The children if any
+    if ( ( children != null ) && ( children.size() > 0 ) )
+    {
+        sb.append( ", children : {" );
+
+        boolean isFirst = true;
+
+        for ( String child : children )
+        {
+            if ( isFirst )
+            {
+                isFirst = false;
+            }
+            else
+            {
+                sb.append( '|' );
+            }
+
+            sb.append( child );
+        }
+
+        sb.append( '}' );
+    }
+
+    sb.append( ']' );
+
+    return sb.toString();
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java b/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
new file mode 100755
index 0000000..56e4a13
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
@@ -0,0 +1,307 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ValidationException;
+import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
+import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * Process module for the Role entity.  This class performs data validations and error mapping.  It is typically called
+ * by internal Fortress manager classes ({@link AdminMgrImpl}, {@link AccessMgrImpl},
+ * {@link ReviewMgrImpl}, ...) and not intended for external non-Fortress clients.  This class will accept,
+ * {@link org.apache.directory.fortress.core.rbac.Role}, validate its contents and forward on to it's corresponding DAO class {@link RoleDAO}.
+ * <p>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
+ * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
+ *  or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link org.apache.directory.fortress.core.GlobalErrIds}.
+ * <p>
+ * This class is thread safe.
+ * </p>
+
+ *
+ * @author Kevin McKinney
+ */
+public final class RoleP
+{
+    private static RoleDAO rDao = DaoFactory.createRoleDAO();
+
+    /**
+     * Package private
+     */
+    RoleP()
+    {
+    }
+
+
+    /**
+     * Return a fully populated Role entity for a given RBAC role name.  If matching record not found a
+     * SecurityException will be thrown.
+     *
+     * @param role contains full role name for RBAC role in directory.
+     * @return Role entity containing all attributes associated with Role in directory.
+     * @throws SecurityException in the event Role not found or DAO search error.
+     */
+    final Role read( Role role ) throws SecurityException
+    {
+        return rDao.getRole( role );
+    }
+
+
+    /**
+     * Takes a search string that contains full or partial RBAC Role name in directory.
+     *
+     * @param role contains full or partial RBAC role name.
+     * @return List of type Role containing fully populated matching RBAC Role entities.  If no records found this will be empty.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Role> search( Role role ) throws SecurityException
+    {
+        return rDao.findRoles( role );
+    }
+
+
+    /**
+     * Takes a search string that contains full or partial RBAC Role name in directory.
+     * This search is used by RealmMgr for Websphere.
+     *
+     * @param role contains full or partial RBAC role name.
+     * @param limit     specify the max number of records to return in result set.
+     * @return List of type String containing RBAC Role name of all matching User entities.  If no records found this will be empty.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<String> search( Role role, int limit ) throws SecurityException
+    {
+        return rDao.findRoles( role, limit );
+    }
+
+
+    /**
+     * Return all Roles that have a parent assignment.  This used for hierarchical processing.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return List of type Role containing {@link Role#name} and {@link Role#parents} populated.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Graphable> getAllDescendants( String contextId ) throws SecurityException
+    {
+        return rDao.getAllDescendants( contextId );
+    }
+
+
+    /**
+     * Adds a new Role entity to directory.  The Role entity input object will be validated to ensure that:
+     * role name is present, and reasonability checks on all of the other populated values.
+     *
+     * @param entity Role entity contains data targeted for insertion.
+     * @return Role entity copy of input + additional attributes (internalId) that were added by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Role add( Role entity ) throws SecurityException
+    {
+        validate( entity );
+        return rDao.create( entity );
+    }
+
+
+    /**
+     * Updates existing Role entity in directory.  For example the Role description and temporal constraints
+     * updated.
+     *
+     * @param entity Role entity contains data targeted for updating.
+     * @return Role entity contains fully populated updated entity.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Role update( Role entity ) throws SecurityException
+    {
+        validate( entity );
+        return rDao.update( entity );
+    }
+
+
+    /**
+     * Removes parent role assignments from Role entity in directory.
+     * updated.
+     *
+     * @param entity Role entity contains data targeted for updating.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final void deleteParent( Role entity ) throws SecurityException
+    {
+        validate( entity );
+        rDao.deleteParent( entity );
+    }
+
+
+    /**
+     * Method will add the "roleOccupant" attribute on OpenLDAP entry which represents an RBAC Role assignment in Fortress.
+     *
+     * @param entity contains the role name targeted.
+     * @param userDn String contains the dn for the user entry that is being assigned the RBAC Role.
+     * @return Role containing copy of input data.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Role assign( Role entity, String userDn ) throws SecurityException
+    {
+        return rDao.assign( entity, userDn );
+    }
+
+
+    /**
+     * Method will remove the "roleOccupant" attribute on OpenLDAP entry which represents an RBAC Role assignment in Fortress.
+     *
+     * @param entity contains the role name targeted.
+     * @param userDn String contains the dn for the user entry that is being assigned the RBAC Role.
+     * @return Role containing copy of input data.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Role deassign( Role entity, String userDn ) throws SecurityException
+    {
+        entity = rDao.deassign( entity, userDn );
+        return entity;
+    }
+
+
+    /**
+     * Add the User dn occupant attribute to the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
+     * when the User is being added.
+     *
+     * @param uRoles contains a collection of UserRole being targeted for assignment.
+     * @param userDn contains the userId targeted for addition.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final void addOccupant( List<UserRole> uRoles, String userDn, String contextId ) throws SecurityException
+    {
+        if ( VUtil.isNotNullOrEmpty( uRoles ) )
+        {
+            for ( UserRole uRole : uRoles )
+            {
+                Role role = new Role( uRole.getName() );
+                role.setContextId( contextId );
+                assign( role, userDn );
+            }
+        }
+    }
+
+
+    /**
+     * Remove the User dn occupant attribute from the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
+     * when the User is being deleted.
+     *
+     * @param userDn contains the userId targeted for attribute removal.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final void removeOccupant( String userDn, String contextId ) throws SecurityException
+    {
+        List<String> list;
+        try
+        {
+            list = rDao.findAssignedRoles( userDn, contextId );
+            for ( String roleNm : list )
+            {
+                Role role = new Role( roleNm );
+                role.setContextId( contextId );
+                deassign( role, userDn );
+            }
+        }
+        catch ( FinderException fe )
+        {
+            String error = "removeOccupant userDn [" + userDn + "] caught FinderException=" + fe;
+            throw new SecurityException( GlobalErrIds.ROLE_REMOVE_OCCUPANT_FAILED, error, fe );
+        }
+    }
+
+
+    /**
+     * This method performs a "hard" delete.  It completely the RBAC Role node from the ldap directory.
+     * RBAC Role entity must exist in directory prior to making this call else exception will be thrown.
+     *
+     * @param entity Contains the name of the RBAC Role targeted for deletion.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    void delete( Role entity ) throws SecurityException
+    {
+        rDao.remove( entity );
+    }
+
+
+    /**
+     * Method will perform simple validations to ensure the integrity of the RBAC Role entity targeted for insertion
+     * or updating in directory.  For example the Role temporal constraints will be validated.  Data reasonability
+     * checks will be performed on all non-null attributes.
+     *
+     * @param entity contains data targeted for insertion or update.
+     * @throws org.apache.directory.fortress.core.ValidationException in the event of data validation error or Org validation.
+     */
+    private void validate( Role entity )
+        throws ValidationException
+    {
+        VUtil.safeText( entity.getName(), GlobalIds.ROLE_LEN );
+        if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+        {
+            VUtil.description( entity.getDescription() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getTimeout() ) )
+        {
+            VUtil.timeout( entity.getTimeout() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getBeginTime() ) )
+        {
+            VUtil.beginTime( entity.getBeginTime() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getEndTime() ) )
+        {
+            VUtil.endTime( entity.getEndTime() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getBeginDate() ) )
+        {
+            VUtil.beginDate( entity.getBeginDate() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getEndDate() ) )
+        {
+            VUtil.endDate( entity.getEndDate() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getDayMask() ) )
+        {
+            VUtil.dayMask( entity.getDayMask() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getBeginLockDate() ) )
+        {
+            VUtil.beginDate( entity.getBeginDate() );
+        }
+        if ( VUtil.isNotNullOrEmpty( entity.getEndLockDate() ) )
+        {
+            VUtil.endDate( entity.getEndLockDate() );
+        }
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/RolePerm.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/RolePerm.java b/src/main/java/org/apache/directory/fortress/core/rbac/RolePerm.java
new file mode 100755
index 0000000..ecb7de3
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/RolePerm.java
@@ -0,0 +1,63 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This entity is used by en masse to communicate {@link org.apache.directory.fortress.core.rbac.Role}, {@link Permission} and {@link org.apache.directory.fortress.core.rbac.Session} information to the server for access control decisions.
+ * <p/>
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortRolePerm")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "rolePerm", propOrder = {
+    "role",
+    "perm"
+})
+public class RolePerm extends FortEntity
+    implements java.io.Serializable
+{
+    private Role role;
+    private Permission perm;
+
+    public Role getRole()
+    {
+        return role;
+    }
+
+    public void setRole(Role role)
+    {
+        this.role = role;
+    }
+
+    public Permission getPerm()
+    {
+        return perm;
+    }
+
+    public void setPerm(Permission perm)
+    {
+        this.perm = perm;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/RoleRelationship.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/RoleRelationship.java b/src/main/java/org/apache/directory/fortress/core/rbac/RoleRelationship.java
new file mode 100755
index 0000000..626beb2
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/RoleRelationship.java
@@ -0,0 +1,63 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This entity is used by en masse to communicate parent and child {@link org.apache.directory.fortress.core.rbac.Role} information to the server.
+ * <p/>
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortRoleRelationship")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "roleRelationship", propOrder = {
+    "child",
+    "parent"
+})
+public class RoleRelationship extends FortEntity
+    implements java.io.Serializable
+{
+    private Role parent;
+    private Role child;
+
+    public Role getParent()
+    {
+        return parent;
+    }
+
+    public void setParent(Role parent)
+    {
+        this.parent = parent;
+    }
+
+    public Role getChild()
+    {
+        return child;
+    }
+
+    public void setChild(Role child)
+    {
+        this.child = child;
+    }
+}


Mime
View raw message