directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [12/19] directory-fortress-core git commit: FC-109 - break core package cycles
Date Mon, 01 Jun 2015 23:02:17 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/User.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/User.java b/src/main/java/org/apache/directory/fortress/core/model/User.java
new file mode 100755
index 0000000..c672c1f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/User.java
@@ -0,0 +1,1685 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Properties;
+import java.util.UUID;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.directory.fortress.core.util.time.Constraint;
+
+
+/**
+ * All entities ({@link User}, {@link org.apache.directory.fortress.core.model.Role}, {@link org.apache.directory.fortress.core.model.Permission},
+ * {@link org.apache.directory.fortress.core.model.PwPolicy} {@link org.apache.directory.fortress.core.model.SDSet} etc...) are used to carry data between three Fortress
+ * layers.starting with the (1) Manager layer down thru middle (2) Process layer and it's processing rules into
+ * (3) DAO layer where persistence with the OpenLDAP server occurs.
+ * <p/>
+ * <h4>Fortress Processing Layers</h4>
+ * <ol>
+ * <li>Manager layer:  {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl}, {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl}, {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl},...</li>
+ * <li>Process layer:  {@link org.apache.directory.fortress.core.rbac.UserP}, {@link org.apache.directory.fortress.core.rbac.RoleP}, {@link org.apache.directory.fortress.core.rbac.PermP},...</li>
+ * <li>DAO layer: {@link org.apache.directory.fortress.core.rbac.UserDAO}, {@link org.apache.directory.fortress.core.rbac.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
+ * </ol>
+ * Fortress clients must first instantiate the data entity before invoking one of the Manager APIs.  The caller must first
+ * provide enough information to uniquely identity target record for the particular ldap operation performed.<br />
+ * For example the User entity requires the {@link User#setUserId} attribute to be set before calling a Manager API.
+ * The unique key to locate a User entity in the Fortress DIT is simply the userId field.<br />
+ * Other ldap operations on User may require additional attributes to be set.
+ * <p/>
+ * <h4>User entity attribute usages include</h4>
+ * <ul>
+ * <li>{@link #setPassword(char[])} must be set before calling {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#authenticate} and {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#createSession(User, boolean)} (unless trusted).
+ * <li>{@link #setOu} is required before calling {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl#addUser(User)} to add a new user to ldap.
+ * <li>{@link #setRoles} will be set for {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#createSession(User, boolean)} when selective RBAC Role activation is required.
+ * <li>{@link #setAdminRoles} will be set for {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#createSession(User, boolean)} when selective Administrative Role activation is required.
+ * <li>{@link #setPwPolicy} may be set for {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl#updateUser(User)} to assign User to a policy {@link org.apache.directory.fortress.core.model.PwPolicy}.
+ * <li>{@link #password} is the only case sensitive attribute on this entity.
+ * </ul>
+ * <p/>
+ * Example to create new Fortress User:
+ * <pre>
+ * try
+ * {
+ *  // Instantiate the AdminMgr first
+ *  AdminMgr adminMgr = AdminMgrFactory.createInstance();
+ *
+ *  User myUser = new User("myUserId", "myPassword".toCharArray(), myRoleName", "myOU");
+ *  adminMgr.addUser(myUser);
+ * }
+ * catch (SecurityException ex)
+ * {
+ *  // log or throw
+ * }</pre>
+ * The above code will persist to LDAP a User object that has a userId of "myUserId", a password of "myPassword", a role assignment to "myRoleName", and assigned to organzational unit named "myOU".
+ * This User can be used as a target for subsequent User-Role assignments, User-Permission grants, authentication, authorization and more.
+ *
+ * This entity aggregates one standard LDAP structural object class, {@code inetOrgPerson} see <a href="http://www.ietf.org/rfc/rfc2798.txt">RFC 2798</a>,
+ * along with three auxiliary object extensions supplied by Fortress:  {@code ftUserAttrs}, {@code ftProperties}, {@code ftMods}.
+ * The combination of the standard and custom object classes form a single entry within the directory and is represented in this entity class.
+ *
+ * <h4>Fortress User Schema</h4>
+ *
+ * 1. InetOrgPerson Structural Object Class. <br />
+ * <code># The inetOrgPerson represents people who are associated with an</code><br />
+ * <code># organization in some way.  It is a structural class and is derived</code><br />
+ * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.16.840.1.113730.3.2.2
+ *  NAME 'inetOrgPerson'
+ *  DESC 'RFC2798: Internet Organizational Person'
+ *  SUP organizationalPerson
+ *  STRUCTURAL
+ *  MAY (
+ *      audio $ businessCategory $ carLicense $ departmentNumber $
+ *      displayName $ employeeNumber $ employeeType $ givenName $
+ *      homePhone $ homePostalAddress $ initials $ jpegPhoto $
+ *      labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $
+ *      roomNumber $ secretary $ uid $ userCertificate $
+ *      x500uniqueIdentifier $ preferredLanguage $
+ *      userSMIMECertificate $ userPKCS12
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ *
+ * 2. organizationalPerson Structural Object Class.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.5.6.7
+ *  NAME 'organizationalPerson'
+ *  DESC 'RFC2256: an organizational person'
+ *  SUP person
+ *  STRUCTURAL
+ *  MAY (
+ *      title $ x121Address $ registeredAddress $ destinationIndicator $
+ *      preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ *      telephoneNumber $ internationaliSDNNumber $
+ *      facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
+ *      postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ *
+ * 3. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.<br />
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <pre>
+ * ------------------------------------------
+ * AC2: Fortress Properties Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.2
+ *  NAME 'ftProperties'
+ *  DESC 'Fortress Properties AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftProps
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ *
+ * 4. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress User Attributes Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.1
+ *  NAME 'ftUserAttrs'
+ *  DESC 'Fortress User Attribute AUX Object Class'
+ *  AUXILIARY
+ *  MUST (
+ *      ftId
+ *  )
+ *  MAY (
+ *      ftRC $
+ *      ftRA $
+ *      ftARC $
+ *      ftARA $
+ *      ftCstr $
+ *      ftSystem
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ *
+ * 5. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ *  NAME 'ftMods'
+ *  DESC 'Fortress Modifiers AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftModifier $
+ *      ftModCode $
+ *      ftModId
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+
+@XmlRootElement(name = "fortUser")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "user", propOrder =
+    {
+        "userId",
+        "description",
+        "name",
+        "internalId",
+        "ou",
+        "pwPolicy",
+        "sn",
+        "cn",
+        "dn",
+        "displayName",
+        "employeeType",
+        "title",
+        "address",
+        "phones",
+        "mobiles",
+        "emails",
+        "props",
+        "locked",
+        "reset",
+        "system",
+        "beginTime",
+        "endTime",
+        "beginDate",
+        "endDate",
+        "beginLockDate",
+        "endLockDate",
+        "dayMask",
+        "timeout",
+        "roles",
+        "adminRoles",
+        "password",
+        "newPassword",
+        "uidNumber",
+        "gidNumber",
+        "homeDirectory",
+        "loginShell",
+        "gecos"
+    /*        "jpegPhoto"*/
+})
+public class User extends FortEntity implements Constraint, Serializable
+{
+    /**
+     * The serialVersionUID needed for Serializable classes
+     */
+    private static final long serialVersionUID = 1L;
+
+    private String userId;
+    @XmlElement(nillable = true)
+    private char[] password;
+    @XmlElement(nillable = true)
+    private char[] newPassword;
+    private String internalId;
+    @XmlElement(nillable = true)
+    private List<UserRole> roles;
+    @XmlElement(nillable = true)
+    private List<UserAdminRole> adminRoles;
+    private String pwPolicy;
+    private String cn;
+    private String sn;
+    private String dn;
+    private String ou;
+    private String displayName;
+    private String description;
+    private String beginTime;
+    private String endTime;
+    private String beginDate;
+    private String endDate;
+    private String beginLockDate;
+    private String endLockDate;
+    private String dayMask;
+    private String name;
+    private String employeeType;
+    private String title;
+    private int timeout;
+    private boolean reset;
+    private boolean locked;
+    private Boolean system;
+    @XmlElement(nillable = true)
+    private Props props = new Props();
+    @XmlElement(nillable = true)
+    private Address address;
+    @XmlElement(nillable = true)
+    private List<String> phones;
+    @XmlElement(nillable = true)
+    private List<String> mobiles;
+    @XmlElement(nillable = true)
+    private List<String> emails;
+    @XmlTransient
+    private byte[] jpegPhoto;
+
+    // RFC2307bis:
+    /*
+    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+    MAY ( userPassword $ loginShell $ gecos $ description ) )
+     */
+    private String uidNumber;
+    private String gidNumber;
+    private String homeDirectory;
+    private String loginShell;
+    private String gecos;
+
+
+    public String getUidNumber()
+    {
+        return uidNumber;
+    }
+
+
+    public void setUidNumber( String uidNumber )
+    {
+        this.uidNumber = uidNumber;
+    }
+
+
+    public String getGidNumber()
+    {
+        return gidNumber;
+    }
+
+
+    public void setGidNumber( String gidNumber )
+    {
+        this.gidNumber = gidNumber;
+    }
+
+
+    public String getHomeDirectory()
+    {
+        return homeDirectory;
+    }
+
+
+    public void setHomeDirectory( String homeDirectory )
+    {
+        this.homeDirectory = homeDirectory;
+    }
+
+
+    public String getLoginShell()
+    {
+        return loginShell;
+    }
+
+
+    public void setLoginShell( String loginShell )
+    {
+        this.loginShell = loginShell;
+    }
+
+
+    public String getGecos()
+    {
+        return gecos;
+    }
+
+
+    public void setGecos( String gecos )
+    {
+        this.gecos = gecos;
+    }
+
+
+    /**
+     * Default constructor not intended for external use and is typically used by internal Fortress classes.
+     * User entity constructed in this manner cannot be used by other until additional attributes (i.e. userId) are set.
+     */
+    public User()
+    {
+    }
+
+
+    /**
+     * Construct User given userId.   Once loaded this entity can be passed to AccessMgr.createSession iff trusted == 'true'..
+     *
+     * @param userId String validated using simple length test and optional regular expression, i.e. safe text.
+     */
+    public User( String userId )
+    {
+        this.userId = userId;
+    }
+
+
+    /**
+     * Construct User given userId and password.  Once loaded this entity can be passed to AccessMgr.createSession.
+     *
+     * @param userId   String validated using simple length test and optional regular expression, i.e. safe text.
+     * @param password validated using simple length test and OpenLDAP password policies.
+     */
+    public User( String userId, char[] password )
+    {
+        this.userId = userId;
+
+        if ( password != null )
+        {
+            this.password = password.clone();
+        }
+    }
+
+
+    /**
+     * Construct User given userId and password.  Once loaded this entity can be passed to AccessMgr.createSession.
+     *
+     * @param userId   String validated using simple length test and optional regular expression, i.e. safe text.
+     * @param password validated using simple length test and OpenLDAP password policies.
+     * @param roleName contains role that caller is requesting activation.
+     */
+    public User( String userId, char[] password, String roleName )
+    {
+        this.userId = userId;
+
+        if ( password != null )
+        {
+            this.password = password.clone();
+        }
+
+        setRole( new UserRole( roleName ) );
+    }
+
+
+    /**
+     * Construct User given userId and password.  Once loaded this entity can be passed to AccessMgr.createSession.
+     *
+     * @param userId   String validated using simple length test and optional regular expression, i.e. safe text.
+     * @param password validated using simple length test and OpenLDAP password policies.
+     * @param roleNames contains array of roleNames that caller is requesting activation.
+     */
+    public User( String userId, char[] password, String[] roleNames )
+    {
+        this.userId = userId;
+
+        if ( password != null )
+        {
+            this.password = password.clone();
+        }
+
+        if ( roleNames != null )
+        {
+            for ( String name : roleNames )
+            {
+                setRole( new UserRole( name ) );
+            }
+        }
+    }
+
+
+    /**
+     * Construct User given userId and password.  Once loaded this entity can be passed to AccessMgr.createSession.
+     *
+     * @param userId   String validated using simple length test and optional regular expression, i.e. safe text.
+     * @param password validated using simple length test and OpenLDAP password policies.
+     * @param roleName contains role that caller is requesting activation (see {@link org.apache.directory.fortress.core.AccessMgr#createSession(User, boolean)}) or assignment (see {@link org.apache.directory.fortress.core.AdminMgr#addUser(User)}).
+     * @param ou org unit name that caller is requesting assigned to newly created User (see {@link org.apache.directory.fortress.core.AdminMgr#addUser(User)}).
+     */
+    public User( String userId, char[] password, String roleName, String ou )
+    {
+        this.userId = userId;
+
+        if ( password != null )
+        {
+            this.password = password.clone();
+        }
+
+        setRole( new UserRole( roleName ) );
+        this.ou = ou;
+    }
+
+
+    /**
+     * Used to retrieve User's valid userId attribute.  The Fortress userId maps to 'uid' for InetOrgPerson object class.
+     *
+     * @return String containing the userId.
+     */
+    @Override
+    public String toString()
+    {
+        return "User{" +
+            "userId='" + userId + '\'' +
+            ", internalId='" + internalId + '\'' +
+            ", roles=" + roles +
+            ", adminRoles=" + adminRoles +
+            ", pwPolicy='" + pwPolicy + '\'' +
+            ", cn='" + cn + '\'' +
+            ", sn='" + sn + '\'' +
+            ", dn='" + dn + '\'' +
+            ", ou='" + ou + '\'' +
+            ", description='" + description + '\'' +
+            ", beginTime='" + beginTime + '\'' +
+            ", endTime='" + endTime + '\'' +
+            ", beginDate='" + beginDate + '\'' +
+            ", endDate='" + endDate + '\'' +
+            ", beginLockDate='" + beginLockDate + '\'' +
+            ", endLockDate='" + endLockDate + '\'' +
+            ", dayMask='" + dayMask + '\'' +
+            ", name='" + name + '\'' +
+            ", employeeType='" + employeeType + '\'' +
+            ", title='" + title + '\'' +
+            ", timeout=" + timeout +
+            ", reset=" + reset +
+            ", locked=" + locked +
+            ", system=" + system +
+            ", props=" + props +
+            ", address=" + address +
+            ", phones=" + phones +
+            ", mobiles=" + mobiles +
+            ", emails=" + emails +
+            '}';
+    }
+
+
+    /**
+     * Required by Constraint Interface but not needed for user entity. Not intended for external use.
+     *
+     * @return String containing constraint data ready for ldap.
+     * @throws UnsupportedOperationException
+     */
+    public String getRawData()
+    {
+        throw new UnsupportedOperationException( "not allowed for user" );
+    }
+
+
+    /**
+     * This is used internally by Fortress for Constraint operations.
+     *
+     * @return String contains name attribute used internally for constraint checking.
+     */
+    public String getName()
+    {
+        return name;
+    }
+
+
+    /**
+     * This is used internally by Fortress for Constraint operations.  Values set here by external caller will be ignored.
+     *
+     * @param name contains attribute used internally for constraint checking.
+     */
+    public void setName( String name )
+    {
+        this.name = name;
+    }
+
+
+    /**
+     * Used to identify the employer to employee relationship.  Typical values used will be "Contractor", "Employee", "Intern", "Temp",
+     * "External", and "Unknown" but any value may be used.
+     *
+     * @return  attribute maps to 'employeeType' attribute in 'inetOrgPerson' object class.
+     */
+    public String getEmployeeType()
+    {
+        return employeeType;
+    }
+
+
+    /**
+     * Used to identify the employer to employee relationship.  Typical values used will be "Contractor", "Employee", "Intern", "Temp",
+     * "External", and "Unknown" but any value may be used.
+     *
+     * @param employeeType maps to 'employeeType' attribute in 'inetOrgPerson' object class.
+     */
+    public void setEmployeeType( String employeeType )
+    {
+        this.employeeType = employeeType;
+    }
+
+
+    /**
+     * The honorific prefix(es) of the User, or "Title" in most Western languages (e.g.  Ms. given the full name Ms.
+     * Barbara Jane Jensen, III.).
+     *
+     * @return maps to 'title' attribute in 'inetOrgPerson' objectclass.
+     */
+    public String getTitle()
+    {
+        return title;
+    }
+
+
+    /**
+     * The honorific prefix(es) of the User, or "Title" in most Western languages (e.g.  Ms. given the full name Ms.
+     * Barbara Jane Jensen, III.).
+     *
+     * @param title maps to 'title' attribute in 'inetOrgPerson' objectclass.
+     */
+    public void setTitle( String title )
+    {
+        this.title = title;
+    }
+
+
+    /**
+     * Return the name of the OpenLDAP password policy that is set for this user.  This attribute may be null.
+     * The attribute maps to 'pwdPolicySubentry' attribute from pwpolicy ldap object class.
+     *
+     * @return name maps to name of OpenLDAP policy in effect for User.
+     */
+    public String getPwPolicy()
+    {
+        return pwPolicy;
+    }
+
+
+    /**
+     * Sets the OpenLDAP password policy name to enable for User.  This attribute is optional but if set, will be validated to ensure
+     * contains actual OpenLDAP password policy name.
+     *
+     * @param pwPolicy parameter must contain valid OpenLDAP policy name.
+     */
+    public void setPwPolicy( String pwPolicy )
+    {
+        this.pwPolicy = pwPolicy;
+    }
+
+
+    /**
+     * Return a list of User's RBAC Roles.
+     *
+     * @return List containing User's RBAC roles.  This list may be empty if User not assigned RBAC.
+     */
+    public List<UserRole> getRoles()
+    {
+        // do not return a null List to caller:
+        if ( roles == null )
+        {
+            roles = new ArrayList<>();
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * Add a list of RBAC Roles to this entity be considered for later processing:
+     * AccessMgr (user-role activation) or AdminMgr (user-role assignment).
+     *
+     * @param roles List of type UserRole that contains at minimum UserId and Role name.
+     */
+    public void setRoles( List<UserRole> roles )
+    {
+        this.roles = roles;
+    }
+
+
+    /**
+     * Add a single user-role object to the list of UserRoles for User.
+     *
+     * @param role UserRole contains {@link UserRole#name} to target for activation into {@link org.apache.directory.fortress.core.model.Session}.
+     */
+    public void setRole( UserRole role )
+    {
+        if ( roles == null )
+        {
+            roles = new ArrayList<>();
+        }
+
+        roles.add( role );
+    }
+
+
+    /**
+     * Add a single user-role object to the list of UserRoles for User.
+     *
+     * @param roleName contains role name to target for activation into {@link org.apache.directory.fortress.core.model.Session}.
+     */
+    public void setRole( String roleName )
+    {
+        if ( roles == null )
+        {
+            roles = new ArrayList<>();
+        }
+
+        roles.add( new UserRole( roleName ) );
+    }
+
+
+    /**
+     * Removes a user-role object from the list of UserRoles.
+     *
+     * @param role UserRole must contain userId and role name.
+     */
+    public void delRole( UserRole role )
+    {
+        if ( roles != null )
+        {
+            roles.remove( role );
+        }
+    }
+
+
+    /**
+     * Return a list of User's Admin Roles.
+     *
+     * @return List containing User's Admin roles.  This list may be empty if User not assigned Administrative role.
+     */
+    public List<UserAdminRole> getAdminRoles()
+    {
+        // do not return a null List to caller:
+        if ( adminRoles == null )
+        {
+            adminRoles = new ArrayList<>();
+        }
+
+        return adminRoles;
+    }
+
+
+    /**
+     * Add a single user-adminRole object to the list of UserAdminRoles for User.
+     *
+     * @param roles UserAdminRole contains at least userId and admin role name (activation) and additional constraints (assignment)
+     */
+    public void setAdminRoles( List<UserAdminRole> roles )
+    {
+        this.adminRoles = roles;
+    }
+
+
+    /**
+     * Add a single user-adminRole object to the list of UserAdminRoles for User.
+     *
+     * @param role UserAdminRole contains at least userId and adminRole name (activation) and additional constraints (assignment)
+     */
+    public void setAdminRole( UserAdminRole role )
+    {
+        if ( adminRoles == null )
+        {
+            adminRoles = new ArrayList<>();
+        }
+
+        adminRoles.add( role );
+    }
+
+
+    /**
+     * Add a single user-adminRole object to the list of UserAdminRoles for User.
+     *
+     * @param roleName contrains adminRole name.
+     */
+    public void setAdminRole( String roleName )
+    {
+        if ( adminRoles == null )
+        {
+            adminRoles = new ArrayList<>();
+        }
+
+        adminRoles.add( new UserAdminRole( userId, roleName ) );
+    }
+
+
+    /**
+     * Removes a user-adminRole object from the list of UserAdminRoles.
+     *
+     * @param adminRole UserAdminRole must contain userId and adminRole name.
+     */
+    public void delAdminRole( UserAdminRole adminRole )
+    {
+        if ( adminRoles != null )
+        {
+            adminRoles.remove( adminRole );
+        }
+    }
+
+
+    /**
+     * Return the userId that is associated with User.  UserId is required attribute and must be set on add, update, delete, createSession, authenticate, etc..
+     *
+     * @return attribute maps to 'uid' in 'inetOrgPerson' object class.
+     */
+    public String getUserId()
+    {
+        return userId;
+    }
+
+
+    /**
+     * Set the userId that is associated with User.  UserId is required attribute and must be set on add, update, delete, createSession, authenticate, etc..
+     *
+     * @param userId maps to 'uid' attribute in 'inNetOrgPerson' object class.
+     */
+    public void setUserId( String userId )
+    {
+        this.userId = userId;
+    }
+
+
+    /**
+     * Return the internal userId that is associated with User.  This attribute is generated automatically
+     * by Fortress when new User is added to directory and is not known or changeable by external client.
+     *
+     * @return attribute maps to 'ftId' in 'ftUserAttrs' object class.
+     */
+    public String getInternalId()
+    {
+        return internalId;
+    }
+
+
+    /**
+     * Set the internal userId that is associated with User.  This method is used by DAO class and
+     * is generated automatically by Fortress.  Attribute stored in LDAP cannot be changed by external caller.
+     * This method can be used by client for search purposes only.
+     *
+     * @param internalId maps to 'ftId' in 'ftUserAttrs' object class.
+     */
+    public void setInternalId( String internalId )
+    {
+        this.internalId = internalId;
+    }
+
+
+    /**
+     * Generate an internal userId that is associated with User.  This method is used by DAO class and
+     * is not available to outside classes.   The generated attribute maps to 'ftId' in 'ftUserAttrs' object class.
+     */
+    public void setInternalId()
+    {
+        UUID uuid = UUID.randomUUID();
+        internalId = uuid.toString();
+    }
+
+
+    /**
+     * Returns optional description that is associated with User.  This attribute is validated but not constrained by Fortress.
+     *
+     * @return value that is mapped to 'description' in 'inetOrgPerson' object class.
+     */
+    public String getDescription()
+    {
+        return description;
+    }
+
+
+    /**
+     * Sets the optional description that is associated with User.  This attribute is validated but not constrained by Fortress.
+     *
+     * @param description that is mapped to same name in 'inetOrgPerson' object class.
+     */
+    public void setDescription( String description )
+    {
+        this.description = description;
+    }
+
+
+    /**
+     * Return the optional password attribute for User.  Note this will only return values that were set by client
+     * as the Fortress User DAO class does not return the value of stored password to caller.
+     *
+     * @return attribute containing User password.
+     */
+    public char[] getPassword()
+    {
+        if ( password != null )
+        {
+            char[] copy = new char[password.length];
+            System.arraycopy( password, 0, copy, 0, password.length );
+
+            return copy;
+        }
+        else
+        {
+            return null;
+        }
+    }
+
+
+    /**
+     * Set the optional password attribute associated for a User.  Note, this value is required before User will pass Fortress
+     * authentication in {@link org.apache.directory.fortress.core.rbac.AccessMgrImpl#createSession(User, boolean)}.
+     * Even though password is char[] format here it will be stored on the ldap server (using server-side controls) in configurable and standard hashed formats.
+     *
+     * @param password maps to 'userPassword' attribute in 'inetOrgPerson' object class.
+     */
+    public void setPassword( char[] password )
+    {
+        if ( password != null )
+        {
+            // Copy the password
+            this.password = new char[password.length];
+            System.arraycopy( password, 0, this.password, 0, password.length );
+        }
+        else
+        {
+            this.password = null;
+        }
+    }
+
+
+    public char[] getNewPassword()
+    {
+        if ( newPassword != null )
+        {
+            char[] copy = new char[newPassword.length];
+            System.arraycopy( newPassword, 0, copy, 0, newPassword.length );
+
+            return copy;
+        }
+        else
+        {
+            return null;
+        }
+    }
+
+
+    public void setNewPassword( char[] newPassword )
+    {
+        if ( newPassword != null )
+        {
+            // Copy the newPassword
+            this.newPassword = new char[newPassword.length];
+            System.arraycopy( newPassword, 0, this.newPassword, 0, newPassword.length );
+        }
+        else
+        {
+            this.newPassword = null;
+        }
+    }
+
+
+    /**
+     * Returns common name associated with User.  This attribute is validated but not constrained by Fortress.
+     * cn is not required but if not supplied by caller on create, will default to same value as {@link #userId} attribute.
+     *
+     * @return value that is mapped to 'cn' in 'inetOrgPerson' object class.
+     */
+    public String getCn()
+    {
+        return cn;
+    }
+
+
+    /**
+     * Set the common name associated with User.  This attribute is validated but not constrained by Fortress.
+     * cn is not required but if not supplied by caller on create, will default to same value as {@link #userId} attribute.
+     *
+     * @param cn mapped to same name in 'inetOrgPerson' object class.
+     */
+    public void setCn( String cn )
+    {
+        this.cn = cn;
+    }
+
+
+    /**
+     * Returns surname associated with User.  This attribute is validated but not constrained by Fortress.
+     * sn is not required but if not supplied by caller on create, will default to same value as {@link #userId} attribute.
+     *
+     * @return value that is mapped to 'sn' in 'inetOrgPerson' object class.
+     */
+    public String getSn()
+    {
+        return sn;
+    }
+
+
+    /**
+     * Set the surname associated with User.  This attribute is validated but not constrained by Fortress.
+     * sn is not required but if not supplied by caller on create, will default to same value as {@link #userId} attribute.
+     *
+     * @param sn mapped to same name in 'inetOrgPerson' object class.
+     */
+    public void setSn( String sn )
+    {
+        this.sn = sn;
+    }
+
+
+    /**
+     * Returns distinguished name associated with User.  This attribute is generated by DAO and is not allowed for outside classes to modify.
+     * This attribute is for internal user only and need not be processed by external clients.
+     *
+     * @return value that is mapped to 'dn' in 'inetOrgPerson' object class.
+     */
+    public String getDn()
+    {
+        return dn;
+    }
+
+
+    /**
+     * Set distinguished name associated with User.  This attribute is used by DAO and is not allowed for outside classes.
+     * This attribute cannot be set by external callers.
+     *
+     * @param dn that is mapped to same name in 'inetOrgPerson' object class.
+     */
+    public void setDn( String dn )
+    {
+        this.dn = dn;
+    }
+
+
+    /**
+     * Returns orgUnit name for User.  This attribute is validated and constrained by Fortress and must contain name of existing User OU.
+     * This attribute is required on {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl#addUser(User)} but not on {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl#readUser(User)}.
+     *
+     * @return value that is mapped to 'ou' in 'inetOrgPerson' object class.
+     */
+    public String getOu()
+    {
+        return ou;
+    }
+
+
+    /**
+     * Set the orgUnit name associated with User.  This attribute is validated and constrained by Fortress and must contain name of existing User OU.
+     * This attribute is required on {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl#addUser(User)} but not on {@link org.apache.directory.fortress.core.rbac.ReviewMgrImpl#readUser(User)}.
+     *
+     * @param ou mapped to same name in 'inetOrgPerson' object class.
+     */
+    public void setOu( String ou )
+    {
+        this.ou = ou;
+    }
+
+
+    /**
+     * Optional attribute maps to 'displayName' attribute on inetOrgPerson object class.
+     *
+     * @return value that is mapped to 'displayName' in 'inetOrgPerson' object class.
+     */
+    public String getDisplayName()
+    {
+        return displayName;
+    }
+
+
+    /**
+     * Optional attribute maps to 'displayName' attribute on inetOrgPerson object class.
+     *
+     * @param displayName maps to attribute of same name in 'inetOrgPerson' object class.
+     */
+    public void setDisplayName( String displayName )
+    {
+        this.displayName = displayName;
+    }
+
+
+    /**
+     * temporal boolean flag is used by internal Fortress components.
+     *
+     * @return boolean indicating if temporal constraints are placed on user.
+     */
+    @Override
+    public boolean isTemporalSet()
+    {
+        //return (beginTime != null && endTime != null && beginDate != null && endDate != null && beginLockDate != null && endLockDate != null && dayMask != null);
+        return ( beginTime != null || endTime != null || beginDate != null || endDate != null || beginLockDate != null
+            || endLockDate != null || dayMask != null );
+    }
+
+
+    /**
+     * Contains the begin time of day user is allowed to signon to system.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getBeginTime()
+    {
+        return beginTime;
+    }
+
+
+    /**
+     * Set the begin time of day user is allowed to signon to system.  The format is military time - HHMM, i.e. 0800 (8:00 am) or 1700 (5:00 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginTime maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setBeginTime( String beginTime )
+    {
+        this.beginTime = beginTime;
+    }
+
+
+    /**
+     * Contains the end time of day user is allowed to occupy system.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getEndTime()
+    {
+        return endTime;
+    }
+
+
+    /**
+     * Set the end time of day user is allowed to signon to system.  The format is military time - HHMM, i.e. 0000 (12:00 am) or 2359 (11:59 p.m.).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endTime maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setEndTime( String endTime )
+    {
+        this.endTime = endTime;
+    }
+
+
+    /**
+     * Contains the begin date when user is allowed to signon to system.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getBeginDate()
+    {
+        return beginDate;
+    }
+
+
+    /**
+     * Set the beginDate when user is allowed to signon to system.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginDate maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setBeginDate( String beginDate )
+    {
+        this.beginDate = beginDate;
+    }
+
+
+    /**
+     * Contains the end date when user is allowed to signon to system.  The format is - YYYYMMDD, i.e. 20101231 (December 31, 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getEndDate()
+    {
+        return endDate;
+    }
+
+
+    /**
+     * Set the end date when user is not allowed to signon to system.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endDate maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setEndDate( String endDate )
+    {
+        this.endDate = endDate;
+    }
+
+
+    /**
+     * Contains the begin lock date when user is temporarily not allowed to signon to system.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getBeginLockDate()
+    {
+        return beginLockDate;
+    }
+
+
+    /**
+     * Set the begin lock date when user is temporarily not allowed to signon to system.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param beginLockDate maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setBeginLockDate( String beginLockDate )
+    {
+        this.beginLockDate = beginLockDate;
+    }
+
+
+    /**
+     * Contains the end lock date when user is allowed to signon to system once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getEndLockDate()
+    {
+        return endLockDate;
+    }
+
+
+    /**
+     * Set the end lock date when user is allowed to signon to system once again.  The format is - YYYYMMDD, i.e. 20100101 (January 1. 2010).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param endLockDate maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setEndLockDate( String endLockDate )
+    {
+        this.endLockDate = endLockDate;
+    }
+
+
+    /**
+     * Get the daymask that indicates what days of week user is allowed to signon to system.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public String getDayMask()
+    {
+        return dayMask;
+    }
+
+
+    /**
+     * Set the daymask that specifies what days of week user is allowed to signon to system.  The format is 1234567, i.e. 23456 (Monday, Tuesday, Wednesday, Thursday, Friday).
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param dayMask maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setDayMask( String dayMask )
+    {
+        this.dayMask = dayMask;
+    }
+
+
+    /**
+     * Return the integer timeout that contains total time (in seconds) that User's session may remain inactive.
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @return attribute maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public Integer getTimeout()
+    {
+        return timeout;
+    }
+
+
+    /**
+     * Set the integer timeout that contains max time (in seconds) that User's session may remain inactive.
+     * This attribute is optional but if set will be validated for reasonableness.
+     *
+     * @param timeout maps to 'ftCstr' attribute in 'ftUserAttrs' object class.
+     */
+    @Override
+    public void setTimeout( Integer timeout )
+    {
+        this.timeout = timeout;
+    }
+
+
+    /**
+     * If set to true User's password has been reset by administrator.
+     * This attribute will be ignored if set by external callers.
+     *
+     * @return boolean value maps to 'pwdResetTime' in OpenLDAP's pwpolicy object class.
+     */
+    public boolean isReset()
+    {
+        return reset;
+    }
+
+
+    /**
+     * If set to true User's password has been reset by administrator.
+     * This attribute will be ignored if set by external callers.
+     *
+     * @param reset contains boolean value which maps to 'pwdResetTime' in OpenLDAP's pwpolicy object class.
+     */
+    public void setReset( boolean reset )
+    {
+        this.reset = reset;
+    }
+
+
+    /**
+     * If set to true User's password has been locked by administrator or directory itself due to password policy violations.
+     * This attribute will be ignored if set by external callers.
+     *
+     * @return boolean value maps to 'pwdLockedTime' in OpenLDAP's pwpolicy object class.
+     */
+    public boolean isLocked()
+    {
+        return locked;
+    }
+
+
+    /**
+     * If set to true User's password has been locked by administrator or directory itself due to password policy violations.
+     * This attribute will be ignored if set by external callers.
+     *
+     * @param locked contains boolean value which maps to 'pwdResetTime' in OpenLDAP's pwpolicy object class.
+     */
+    public void setLocked( boolean locked )
+    {
+        this.locked = locked;
+    }
+
+
+    /**
+     * Gets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+     *
+     * @return
+     *     possible object is
+     *     {@link Props }
+     *
+     */
+    public Props getProps()
+    {
+        return props;
+    }
+
+
+    /**
+     * Sets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+     *
+     * @param value
+     *     allowed object is
+     *     {@link Props }
+     *
+     */
+    public void setProps( Props value )
+    {
+        this.props = value;
+    }
+
+
+    /**
+     * Add name/value pair to list of properties associated with User.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key   contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @param value
+     */
+    public void addProperty( String key, String value )
+    {
+        Props.Entry entry = new Props.Entry();
+        entry.setKey( key );
+        entry.setValue( value );
+        props.getEntry().add( entry );
+    }
+
+
+    /**
+     * Get a name/value pair attribute from list of properties associated with User.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @return value containing name/value pair that maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public String getProperty( String key )
+    {
+        List<Props.Entry> props = this.props.getEntry();
+        Props.Entry keyObj = new Props.Entry();
+        keyObj.setKey( key );
+
+        String value = null;
+        int indx = props.indexOf( keyObj );
+
+        if ( indx != -1 )
+        {
+            Props.Entry entry = props.get( props.indexOf( keyObj ) );
+            value = entry.getValue();
+        }
+
+        return value;
+    }
+
+
+    /**
+     * Add new collection of name/value pairs to attributes associated with User.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param props contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public void addProperties( Properties props )
+    {
+        if ( props != null )
+        {
+            for ( Enumeration<?> e = props.propertyNames(); e.hasMoreElements(); )
+            {
+                // This LDAP attr is stored as a name-value pair separated by a ':'.
+                String key = ( String ) e.nextElement();
+                String val = props.getProperty( key );
+                addProperty( key, val );
+            }
+        }
+    }
+
+
+    /**
+     * Return the collection of name/value pairs to attributes associated with User.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @return Properties contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public Properties getProperties()
+    {
+        Properties properties = null;
+        List<Props.Entry> props = this.props.getEntry();
+
+        if ( props.size() > 0 )
+        {
+            properties = new Properties();
+
+            for ( Props.Entry entry : props )
+            {
+                String key = entry.getKey();
+                String val = entry.getValue();
+                properties.setProperty( key, val );
+            }
+        }
+
+        return properties;
+    }
+
+
+    /**
+     * Get address data from entity that was persisted in directory as attributes defined by RFC 2798's LDAP inetOrgPerson Object Class:
+     *
+     * <ul>
+     * <li>  ------------------------------------------
+     * <li> <code>postalAddress</code>
+     * <li> <code>st</code>
+     * <li> <code>postalCode</code>
+     * <li> <code>postOfficeBox</code>
+     * <li>  ------------------------------------------
+     * </ul>
+     *
+     * @return {@link Address}
+     */
+    public Address getAddress()
+    {
+        if ( address == null )
+        {
+            address = new Address();
+        }
+
+        return address;
+    }
+
+
+    /**
+     * Set address data onto entity that stored in directory as attributes defined by RFC 2798's LDAP inetOrgPerson Object Class:
+     *
+     * <ul>
+     * <li>  ------------------------------------------
+     * <li> <code>postalAddress</code>
+     * <li> <code>st</code>
+     * <li> <code>postalCode</code>
+     * <li> <code>postOfficeBox</code>
+     * <li>  ------------------------------------------
+     * </ul>
+     *
+     * @param address
+     */
+    public void setAddress( Address address )
+    {
+        this.address = address;
+    }
+
+
+    /**
+     * Retrieve multi-occurring {@code telephoneNumber} associated with {@code organizationalPerson} object class.
+     *
+     * @return List of type String that contains zero or more phone numbers associated with the user.
+     */
+    public List<String> getPhones()
+    {
+        if ( phones == null )
+        {
+            phones = new ArrayList<>();
+        }
+
+        return phones;
+    }
+
+
+    /**
+     * Set multi-occurring {@code telephoneNumber} number to associated with {@code organizationalPerson} object class.
+     *
+     * @param phones contains an ArrayList of type String with zero or more phone numbers associated with the user.
+     */
+    public void setPhones( List<String> phones )
+    {
+        this.phones = phones;
+    }
+
+
+    /**
+     * Set phone number to stored in rfc822Mailbox format and associated with {@code inetOrgPerson} object class.
+     *
+     * @param phone contains String bound to {@code telephoneNumber} attribute on {@code organizationalPerson} object class.
+     */
+    public void setPhone( String phone )
+    {
+        if ( phones == null )
+        {
+            phones = new ArrayList<>();
+        }
+
+        phones.add( phone );
+    }
+
+
+    /**
+     * Retrieve multi-occurring {@code mobile} associated with {@code inetOrgPerson} object class.
+     *
+     * @return List of type String that contains zero or more mobile phone numbers associated with the user.
+     */
+    public List<String> getMobiles()
+    {
+        if ( mobiles == null )
+        {
+            mobiles = new ArrayList<>();
+        }
+
+        return mobiles;
+    }
+
+
+    /**
+     * Set multi-occurring {@code mobile} associated with {@code inetOrgPerson} object class.
+     *
+     * @param mobiles contains an ArrayList of type String with zero or more mobile phone numbers associated with the user.
+     */
+    public void setMobiles( List<String> mobiles )
+    {
+        this.mobiles = mobiles;
+    }
+
+
+    /**
+     * Set a single {@code mobile} associated with {@code inetOrgPerson} object class.
+     *
+     * @param mobile contains a String containing mobile phone numbers associated with the user.
+     */
+    public void setMobile( String mobile )
+    {
+        if ( mobiles == null )
+        {
+            mobiles = new ArrayList<>();
+        }
+
+        mobiles.add( mobile );
+    }
+
+
+    /**
+     * Retrieve multi-occurring email address stored in rfc822Mailbox format associated with {@code inetOrgPerson} object class.
+     *
+     * @return List of type String that contains zero or more email addresses associated with the user.
+     */
+    public List<String> getEmails()
+    {
+        if ( emails == null )
+        {
+            emails = new ArrayList<>();
+        }
+
+        return emails;
+    }
+
+
+    /**
+     * Set multi-occurring email address to stored in rfc822Mailbox format and associated with {@code inetOrgPerson} object class.
+     *
+     * @param emails contains an ArrayList of type String with zero or more email addresses associated with the user.
+     */
+    public void setEmails( List<String> emails )
+    {
+        this.emails = emails;
+    }
+
+
+    /**
+     * Set a single email address in rfc822Mailbox format to be assoicated with {@code inetOrgPerson} object class.
+     *
+     * @param email contains a String to be stored as email address on user.
+     */
+    public void setEmail( String email )
+    {
+        if ( emails == null )
+        {
+            emails = new ArrayList<>();
+        }
+
+        emails.add( email );
+    }
+
+
+    public Boolean isSystem()
+    {
+        return system;
+    }
+
+
+    public void setSystem( Boolean system )
+    {
+        this.system = system;
+    }
+
+
+    /**
+     * Get one image of a person using the JPEG File Interchange Format [JFIF].
+     * ( 0.9.2342.19200300.100.1.60
+     * NAME 'jpegPhoto'
+     * DESC 'a JPEG image'
+     * SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
+     *
+     * return byte array containing the jpeg image.
+     */
+    public byte[] getJpegPhoto()
+    {
+        return jpegPhoto;
+    }
+
+
+    /**
+     * Set one image of a person using the JPEG File Interchange Format [JFIF].
+     * ( 0.9.2342.19200300.100.1.60
+     * NAME 'jpegPhoto'
+     * DESC 'a JPEG image'
+     * SYNTAX 1.3.6.1.4.1.1466.115.121.1.28 )
+     *
+     * @param jpegPhoto contains the jpeg image stored as byte array.
+     */
+    public void setJpegPhoto( byte[] jpegPhoto )
+    {
+        if ( jpegPhoto != null )
+        {
+            this.jpegPhoto = jpegPhoto.clone();
+        }
+    }
+
+
+    /**
+     * Override hashcode so User compare operations work in case insensitive manner in collection classes.
+     *
+     * @return int
+     */
+    public int hashCode()
+    {
+        return userId.toUpperCase().hashCode();
+    }
+
+
+    /**
+     * Matches the userId from two User entities.
+     *
+     * @param thatObj contains a User entity.
+     * @return boolean indicating both objects contain matching userIds.
+     */
+    public boolean equals( Object thatObj )
+    {
+        if ( this == thatObj )
+        {
+            return true;
+        }
+
+        if ( userId == null )
+        {
+            return false;
+        }
+
+        if ( !( thatObj instanceof User ) )
+        {
+            return false;
+        }
+
+        User thatUser = ( User ) thatObj;
+
+        if ( thatUser.getUserId() == null )
+        {
+            return false;
+        }
+
+        return thatUser.getUserId().equalsIgnoreCase( userId );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java b/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java
new file mode 100755
index 0000000..0b96822
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/UserAdminRole.java
@@ -0,0 +1,663 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import java.util.Set;
+import java.util.TreeSet;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.rbac.Administrator;
+import org.apache.directory.fortress.core.rbac.RoleUtil;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.directory.fortress.core.util.time.Constraint;
+
+
+/**
+ * The UserAdminRole entity extends the UserRole and is used to store ARBAC User to AdminRole assignment along with temporal and
+ * ARBAC contraint values.
+ * The contents of the UserAdminRole entity will be stored on the User entity in the 'ftARA' (AdminRole name) and 'ftARC' (Temporal and ARBAC Constraints) attributes on the 'ftUserAttrs' object class.
+ * The UserAdminRole entity carries elements of {@link org.apache.directory.fortress.core.util.time.Constraint}.  Any attributes of Constraint not set within this entity
+ * will use same attribute from the {@link AdminRole} entity.  Thus the UserAdminRole can override Constraint attributes from it's corresponding AdminRole if required by caller.
+ * <p/>
+ * <h4>UserAdminRole Schema</h4>
+ * ftUserAttrs is used to store RBAC and ARBAC Role role assignments and other security attributes on User entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress User Attributes Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.1
+ *  NAME 'ftUserAttrs'
+ *  DESC 'Fortress User Attribute AUX Object Class'
+ *  AUXILIARY
+ *  MUST (
+ *      ftId
+ *  )
+ *  MAY (
+ *      ftRC $
+ *      ftRA $
+ *      ftARC $
+ *      ftARA $
+ *      ftCstr $
+ *      ftSystem
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+/*
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "userAdminRole", propOrder = {
+    "beginInclusive",
+    "beginRange",
+    "endInclusive",
+    "endRange",
+    "osP",
+    "osU",
+    "roleRangeRaw"
+})
+*/
+@XmlRootElement(name = "fortUserAdminRole")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "userAdminRole", propOrder =
+    {
+        "osPs",
+        "osUs",
+        "beginInclusive",
+        "beginRange",
+        "endInclusive",
+        "endRange",
+        "parents"
+})
+public class UserAdminRole extends UserRole implements Administrator
+{
+    /** Default serialVersionUID */
+    private static final long serialVersionUID = 1L;
+    @XmlElement(nillable = true)
+    private Set<String> osPs;
+    @XmlElement(nillable = true)
+    private Set<String> osUs;
+    private String beginRange;
+    private String endRange;
+    private boolean beginInclusive;
+    private boolean endInclusive;
+    @XmlElement(nillable = true)
+    private Set<String> parents;
+
+    // Used for formatting raw data:
+    private static final String P = "P";
+    private static final String U = "U";
+    private static final String R = "R";
+    private static final String LEFT_PAREN = "(";
+    private static final String RIGHT_PAREN = ")";
+    private static final String LEFT_BRACKET = "[";
+    private static final String RIGHT_BRACKET = "]";
+
+
+    /**
+     * Default constructor is used by internal Fortress classes.
+     */
+    public UserAdminRole()
+    {
+    }
+
+
+    /**
+     * Construct a UserRole entity given the required attributes 'userId' and 'role' name.
+     *
+     * @param userId maps to the 'uid' attribute on the 'inetOrgPerson' object class.
+     * @param name   maps to the 'ftARA' attribute on the 'ftUserAttrs' object class.
+     */
+    public UserAdminRole( String userId, String name )
+    {
+        this.userId = userId;
+        this.name = name;
+    }
+
+
+    /**
+     * Construct an ARBAC Role with required attribute 'userId' and optional temporal constraint.
+     *
+     * @param userId maps to the 'uid' attribute on the 'inetOrgPerson' object class.
+     * @param con    maps to 'ftARC' attribute in 'ftUserAttrs' object class.
+     */
+    public UserAdminRole( String userId, Constraint con )
+    {
+        this.userId = userId;
+        CUtil.copy( con, this );
+    }
+
+
+    /**
+     * This method loads UserAdminRole entity temporal and ARBAC constraint instance variables with data that was retrieved from the
+     * 'ftARC' attribute on the 'ftUserAttrs' object class.  This is the raw format that Fortress uses to condense the temporal and ARBAC data into
+     * a compact String for efficient storage and retrieval and is not intended to be called by external programs.
+     *
+     * @param szRawData contains a raw formatted String that maps to 'ftARC' attribute on 'ftUserAttrs' object class
+     * @param contextId contains the tenant id.
+     * @param parentUtil provides method to getParents.
+     */
+    public void load( String szRawData, String contextId, ParentUtil parentUtil )
+    {
+        if ( ( szRawData != null ) && ( szRawData.length() > 0 ) )
+        {
+            String[] tokens = StringUtils.splitPreserveAllTokens( szRawData, GlobalIds.DELIMITER );
+            for ( int i = 0; i < tokens.length; i++ )
+            {
+                if ( VUtil.isNotNullOrEmpty( tokens[i] ) )
+                {
+                    switch ( i )
+                    {
+                        case 0:
+                            name = tokens[i];
+                            parents = parentUtil.getParentsCB( name.toUpperCase(), contextId );
+                            break;
+
+                        case 1:
+                            this.setTimeout( Integer.parseInt( tokens[i] ) );
+                            break;
+
+                        case 2:
+                            this.setBeginTime( tokens[i] );
+                            break;
+
+                        case 3:
+                            this.setEndTime( tokens[i] );
+                            break;
+
+                        case 4:
+                            this.setBeginDate( tokens[i] );
+                            break;
+
+                        case 5:
+                            this.setEndDate( tokens[i] );
+                            break;
+
+                        case 6:
+                            this.setBeginLockDate( tokens[i] );
+                            break;
+
+                        case 7:
+                            this.setEndLockDate( tokens[i] );
+                            break;
+
+                        case 8:
+                            this.setDayMask( tokens[i] );
+                            break;
+
+                        default:
+                            String szValue = tokens[i];
+                            int indx = szValue.indexOf( P + GlobalIds.PROP_SEP );
+                            if ( indx >= 0 )
+                            {
+                                String szOsP = szValue.substring( indx + 2 );
+                                this.setOsP( szOsP );
+                            }
+                            indx = szValue.indexOf( U + GlobalIds.PROP_SEP );
+                            if ( indx >= 0 )
+                            {
+                                String szOsU = szValue.substring( indx + 2 );
+                                this.setOsU( szOsU );
+                            }
+                            indx = szValue.indexOf( R + GlobalIds.PROP_SEP );
+                            if ( indx >= 0 )
+                            {
+                                String szRangeRaw = szValue.substring( indx + 2 );
+                                this.setRoleRangeRaw( szRangeRaw );
+                            }
+                            break;
+                    }
+                }
+            }
+        }
+    }
+
+
+    /**
+     * This method creates raw data format that represents UserAdminRole temporal and ARBAC constraints using instance variables inside entity.
+     * The raw data is eventually stored in the 'ftARC' attribute on the 'ftUserAttrs' object class.
+     * This is the raw format that Fortress uses to condense the temporal and ARBAC data into a compact String for efficient storage and retrieval
+     * and is not intended to be called by external programs.
+     *
+     * @return String contains a raw formatted String that maps to 'ftARC' attribute on 'ftUserAttrs' object class
+     */
+    @Override
+    public String getRawData()
+    {
+        String szRole;
+        StringBuilder sb = new StringBuilder();
+        sb.append( name );
+        sb.append( GlobalIds.DELIMITER );
+        sb.append( this.getTimeout() );
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getBeginTime() != null )
+        {
+            sb.append( this.getBeginTime() );
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getEndTime() != null )
+        {
+            sb.append( this.getEndTime() );
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getBeginDate() != null )
+        {
+            sb.append( this.getBeginDate() );
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getEndDate() != null )
+        {
+            sb.append( this.getEndDate() );
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getBeginLockDate() != null )
+        {
+            sb.append( this.getBeginLockDate() );
+
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getEndLockDate() != null )
+        {
+            sb.append( this.getEndLockDate() );
+        }
+
+        sb.append( GlobalIds.DELIMITER );
+
+        if ( this.getDayMask() != null )
+        {
+            sb.append( this.getDayMask() );
+        }
+
+        if ( this.getOsU() != null )
+        {
+            for ( String org : this.getOsU() )
+            {
+                sb.append( GlobalIds.DELIMITER );
+                sb.append( U );
+                sb.append( GlobalIds.PROP_SEP );
+                sb.append( org );
+            }
+        }
+
+        if ( this.getOsP() != null )
+        {
+            for ( String org : this.getOsP() )
+            {
+                sb.append( GlobalIds.DELIMITER );
+                sb.append( P );
+                sb.append( GlobalIds.PROP_SEP );
+                sb.append( org );
+            }
+        }
+        if ( VUtil.isNotNullOrEmpty( this.getRoleRangeRaw() ) )
+        {
+            sb.append( GlobalIds.DELIMITER );
+            sb.append( R );
+            sb.append( GlobalIds.PROP_SEP );
+            sb.append( this.getRoleRangeRaw() );
+        }
+
+        szRole = sb.toString();
+        return szRole;
+    }
+
+
+    /**
+     * This method loads UserAdminRole entity Role range ARBAC constraint instance variables with data that was retrieved from the
+     * 'ftARC' attribute on the 'ftUserAttrs' object class.  This is the raw format that Fortress uses to condense the ARBAC data into
+     * a compact String for efficient storage and retrieval and is not intended to be called by external programs.
+     *
+     * @param szRaw contains a raw formatted String that maps to 'ftARC' attribute on 'ftUserAttrs' object class
+     */
+    @Override
+    public void setRoleRangeRaw( String szRaw )
+    {
+        if ( VUtil.isNotNullOrEmpty( szRaw ) )
+        {
+            int bindx = szRaw.indexOf( LEFT_PAREN );
+            if ( bindx > -1 )
+            {
+                this.setBeginInclusive( false );
+            }
+            else
+            {
+                bindx = szRaw.indexOf( LEFT_BRACKET );
+                this.setBeginInclusive( true );
+            }
+            int eindx = szRaw.indexOf( RIGHT_PAREN );
+            if ( eindx > -1 )
+            {
+                this.setEndInclusive( false );
+            }
+            else
+            {
+                eindx = szRaw.indexOf( RIGHT_BRACKET );
+                this.setEndInclusive( true );
+            }
+            int cindx = szRaw.indexOf( GlobalIds.PROP_SEP );
+            if ( cindx > -1 )
+            {
+                String szBeginRange = szRaw.substring( bindx + 1, cindx );
+                String szEndRange = szRaw.substring( cindx + 1, eindx );
+                this.setBeginRange( szBeginRange );
+                this.setEndRange( szEndRange );
+            }
+        }
+    }
+
+
+    /**
+     * This method retrieves UserAdminRole instance variables and formats into raw data for ARBAC constraint storage for the
+     * 'ftARC' attribute on the 'ftUserAttrs' object class.  This is the raw format that Fortress uses to condense the ARBAC data into
+     * a compact String for efficient storage and retrieval and is not intended to be called by external programs.
+     *
+     * @return String contains a raw formatted String that maps to 'ftARC' attribute on 'ftUserAttrs' object class
+     */
+    @Override
+    public String getRoleRangeRaw()
+    {
+        String szRaw = "";
+        if ( this.beginRange != null )
+        {
+            if ( this.isBeginInclusive() )
+                szRaw += LEFT_BRACKET;
+            else
+                szRaw += LEFT_PAREN;
+            szRaw += this.getBeginRange();
+            szRaw += GlobalIds.PROP_SEP;
+            szRaw += this.getEndRange();
+            if ( this.isEndInclusive() )
+                szRaw += RIGHT_BRACKET;
+            else
+                szRaw += RIGHT_PAREN;
+        }
+        return szRaw;
+    }
+
+
+    /**
+     * Get a collection of optional Perm OU attributes that were stored on the AdminRole entity.
+     *
+     * @return List of type String containing Perm OU.  This maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public Set<String> getOsP()
+    {
+        return osPs;
+    }
+
+
+    /**
+     * Set a collection of optional Perm OU attributes to be stored on the AdminRole entity.
+     *
+     * @param osPs is a List of type String containing Perm OU.  This maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setOsP( Set<String> osPs )
+    {
+        this.osPs = osPs;
+    }
+
+
+    /**
+     * Set a Perm OU attribute to be stored on the AdminRole entity.
+     *
+     * @param osP is a Perm OU that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setOsP( String osP )
+    {
+        if ( this.osPs == null )
+        {
+            // create Set with case insensitive comparator:
+            osPs = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        }
+        osPs.add( osP );
+    }
+
+
+    /**
+     * Get a collection of optional User OU attributes that were stored on the AdminRole entity.
+     *
+     * @return List of type String containing User OU.  This maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public Set<String> getOsU()
+    {
+        return osUs;
+    }
+
+
+    /**
+     * Set a collection of optional User OU attributes to be stored on the AdminRole entity.
+     *
+     * @param osUs is a List of type String containing User OU.  This maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setOsU( Set<String> osUs )
+    {
+        this.osUs = osUs;
+    }
+
+
+    /**
+     * Set a User OU attribute to be stored on the AdminRole entity.
+     *
+     * @param osU is a User OU that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setOsU( String osU )
+    {
+        if ( this.osUs == null )
+        {
+            // create Set with case insensitive comparator:
+            osUs = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        }
+        osUs.add( osU );
+    }
+
+
+    /**
+     * Return the begin Role range attribute for AdminRole entity.
+     *
+     * @return String that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public String getBeginRange()
+    {
+        return beginRange;
+    }
+
+
+    /**
+     * Set the begin Role range attribute for AdminRole entity.
+     *
+     * @param beginRange maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setBeginRange( String beginRange )
+    {
+        this.beginRange = beginRange;
+    }
+
+
+    /**
+     * Return the end Role range attribute for AdminRole entity.
+     *
+     * @return String that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public String getEndRange()
+    {
+        return endRange;
+    }
+
+
+    /**
+     * Set the end Role range attribute for AdminRole entity.
+     *
+     * @param endRange maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setEndRange( String endRange )
+    {
+        this.endRange = endRange;
+    }
+
+
+    /**
+     * Set the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+     *
+     * @return String that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public boolean isBeginInclusive()
+    {
+        return beginInclusive;
+    }
+
+
+    /**
+     * Get the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+     *
+     * @param beginInclusive maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setBeginInclusive( boolean beginInclusive )
+    {
+        this.beginInclusive = beginInclusive;
+    }
+
+
+    /**
+     * Set the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+     *
+     * @return String that maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public boolean isEndInclusive()
+    {
+        return endInclusive;
+    }
+
+
+    /**
+     * Get the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+     *
+     * @param endInclusive maps to 'ftARC' attribute on 'ftUserAttrs' aux object class.
+     */
+    @Override
+    public void setEndInclusive( boolean endInclusive )
+    {
+        this.endInclusive = endInclusive;
+    }
+
+
+    /**
+     * Get the names of admin roles that are parents (direct ascendants) of this admin role.
+     * @return Set of parent admin role names assigned to this admin role.
+     */
+    @Override
+    public Set<String> getParents()
+    {
+        return parents;
+    }
+
+
+    /**
+     * Set the names of parent admin roles.
+     * @param parents Set of admin role names.
+     */
+    @Override
+    public void setParents( Set<String> parents )
+    {
+        this.parents = parents;
+    }
+
+
+    /**
+     * Matches the userId and admin role name from two UserAdminRole entities.
+     *
+     * @param thatObj contains a UserAdminRole entity.
+     * @return boolean indicating both objects contain matching userId and Admin Role names.
+     */
+    public boolean equals( Object thatObj )
+    {
+        if ( this == thatObj )
+        {
+            return true;
+        }
+
+        if ( this.getName() == null )
+        {
+            return false;
+        }
+
+        if ( !( thatObj instanceof UserAdminRole ) )
+        {
+            return false;
+        }
+
+        UserAdminRole thatRole = ( UserAdminRole ) thatObj;
+
+        if ( thatRole.getName() == null )
+        {
+            return false;
+        }
+
+        return ( ( thatRole.getName().equalsIgnoreCase( this.getName() ) ) && ( thatRole.getUserId()
+            .equalsIgnoreCase( this.getUserId() ) ) );
+    }
+
+
+    @Override
+    public int hashCode()
+    {
+        int result = osPs != null ? osPs.hashCode() : 0;
+        result = 31 * result + ( osUs != null ? osUs.hashCode() : 0 );
+        result = 31 * result + ( beginRange != null ? beginRange.hashCode() : 0 );
+        result = 31 * result + ( endRange != null ? endRange.hashCode() : 0 );
+        result = 31 * result + ( beginInclusive ? 1 : 0 );
+        result = 31 * result + ( endInclusive ? 1 : 0 );
+        result = 31 * result + ( parents != null ? parents.hashCode() : 0 );
+        return result;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0c46e4de/src/main/java/org/apache/directory/fortress/core/model/UserAudit.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/UserAudit.java b/src/main/java/org/apache/directory/fortress/core/model/UserAudit.java
new file mode 100755
index 0000000..26646e4
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/model/UserAudit.java
@@ -0,0 +1,312 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.model;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+import java.util.Date;
+
+
+/**
+ * This entity is used to pass search criteria into the {@link org.apache.directory.fortress.core.AuditMgr} APIs, down through the
+ * {@link org.apache.directory.fortress.core.rbac.AuditP} process layer and finally into the {@link org.apache.directory.fortress.core.rbac.AuditDAO} data access layer.  Once the data has been
+ * retrieved from the directory it will be passed back to the caller using one of audit output entities.
+ * <p/>
+ * All audit data is returned to user using one of the following:
+ * <ul>
+ * <li> Authorization events: {@link org.apache.directory.fortress.core.model.AuthZ}
+ * <li> Authentication events: {@link org.apache.directory.fortress.core.model.Bind}
+ * <li> Modification events: {@link org.apache.directory.fortress.core.model.Mod}
+ * </ul>
+ * <p/>
+ * <p/>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@XmlRootElement(name = "fortUserAudit")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "userAudit", propOrder =
+    {
+        "name",
+        "description",
+        "failedOnly",
+        "objName",
+        "objId",
+        "opName",
+        "userId",
+        "internalUserId",
+        "beginDate",
+        "endDate",
+        "dn",
+        "admin"
+})
+public class UserAudit extends FortEntity implements java.io.Serializable
+{
+    /** Default serialVersionUID */
+    private static final long serialVersionUID = 1L;
+    private String name;
+    private String description;
+    private boolean failedOnly;
+    private String objName;
+    private String objId;
+    private String opName;
+    private String userId;
+    private String internalUserId;
+    @XmlElement(nillable = true)
+    private Date beginDate;
+    @XmlElement(nillable = true)
+    private Date endDate;
+    private String dn;
+    private boolean admin = false;
+
+
+    /**
+     * Get the optional objName attribute which limits set by {@link org.apache.directory.fortress.core.model.Permission#objName}.
+     * For modification search, this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.  For authorization search, it will map to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQDN}.
+     * The object name is derived from another class name which represents targets for Fortress authorizations. For example {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl} or 'CustomerCheckOutPage'.
+     *
+     * @return the name of the object which maps to 'reqDn' for 'auditSearch' target, or 'reqMod' for 'auditMod' search.
+     */
+    public String getObjName()
+    {
+        return objName;
+    }
+
+
+    /**
+     * Set the optional objName attribute which limits set by {@link org.apache.directory.fortress.core.model.Permission#objName}.
+     * For modification search, this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.  For authorization search, it will map to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQDN}.
+     * The object name is derived from another class name which represents targets for Fortress authorizations. For example {@link org.apache.directory.fortress.core.rbac.AdminMgrImpl} or 'CustomerCheckOutPage'.
+     *
+     * @param objName maps to 'reqDn' for 'auditSearch' target, or 'reqMod' for 'auditMod' search.
+     */
+    public void setObjName( String objName )
+    {
+        this.objName = objName;
+    }
+
+
+    /**
+     * The failedOnly flag will limit result set to include only authN or authZ events that have failed.
+     * <p/>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchInvalidUsers(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQENTRIES} == 0)
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchAuthZs(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQENTRIES} == 0)
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchBinds(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQRESULT} >= 1)
+     * </ul>
+     *
+     * @return boolean if true will limit search to failed events.
+     */
+    public boolean isFailedOnly()
+    {
+        return failedOnly;
+    }
+
+
+    /**
+     * The failedOnly flag will limit result set to include only authN or authZ events that have failed.
+     * <p/>
+     * <ul>
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchInvalidUsers(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQENTRIES} == 0)
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchAuthZs(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQENTRIES} == 0)
+     * <li>{@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchBinds(UserAudit)} maps to ({@link org.apache.directory.fortress.core.rbac.AuditDAO#REQRESULT} >= 1)
+     * </ul>
+     *
+     * @param failedOnly if boolean true search will limit to failed only.
+     */
+    public void setFailedOnly( boolean failedOnly )
+    {
+        this.failedOnly = failedOnly;
+    }
+
+
+    /**
+     * Get the optional opName attribute which limits {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchAdminMods(UserAudit)} by {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.
+     * The operation name is derived from a method name of a class which represents targets for Fortress authorizations. For example 'read', 'search' or 'add'.
+     *
+     * @return value that maps to 'reqMod' on 'auditMod' object class.
+     */
+    public String getOpName()
+    {
+        return opName;
+    }
+
+
+    /**
+     * Set the optional opName attribute which limits {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchAdminMods(UserAudit)} by {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.
+     * The operation name is derived from a method name of a class which represents targets for Fortress authorizations. For example 'read', 'search' or 'add'.
+     *
+     * @param opName attribute maps to 'reqMod' on 'auditMod' object class.
+     */
+    public void setOpName( String opName )
+    {
+        this.opName = opName;
+    }
+
+
+    /**
+     * Get the optional userId attribute which limits set by {@link org.apache.directory.fortress.core.model.User#userId}.
+     * For authentication searchs, this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQDN}.  For authorization search, it will map to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQUAUTHZID}.
+     * The userId for this search represents the end user.
+     *
+     * @return the userId which maps to 'reqDn' for authentications or 'reqAuthzID' for authorization events.
+     */
+    public String getUserId()
+    {
+        return userId;
+    }
+
+
+    /**
+     * Set the optional userId attribute which limits set by {@link org.apache.directory.fortress.core.model.User#userId}.
+     * For authentication searchs, this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQDN}.  For authorization search, it will map to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQUAUTHZID}.
+     * The userId for this search represents the end user.
+     *
+     * @param userId maps to 'reqDn' for authentications or 'reqAuthzID' for authorization events.
+     */
+    public void setUserId( String userId )
+    {
+        this.userId = userId;
+    }
+
+
+    /**
+     * Get the optional internalUserId attribute which limits set by {@link org.apache.directory.fortress.core.model.User#internalId}.
+     * For {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchUserSessions(UserAudit)} this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.
+     * The internalUserId for this search represents the end user but is stored as its internal id.
+     *
+     * @return the internalUserId which maps to 'reqMod' for 'auditModify' object class searches.
+     */
+    public String getInternalUserId()
+    {
+        return internalUserId;
+    }
+
+
+    /**
+     * Set the optional internalUserId attribute which limits set by {@link org.apache.directory.fortress.core.model.User#internalId}.
+     * For {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchUserSessions(UserAudit)} this attr maps to {@link org.apache.directory.fortress.core.rbac.AuditDAO#REQMOD}.
+     * The internalUserId for this search represents the end user but is stored as its internal id.
+     *
+     * @param internalUserId maps to 'reqMod' for 'auditModify' object class searches.
+     */
+    public void setInternalUserId( String internalUserId )
+    {
+        this.internalUserId = internalUserId;
+    }
+
+
+    /**
+     * Get the Date for search to begin.  The earlier the date, the more records will be returned.
+     * This attribute is mapped to 'reqStart' on slapd audit records which provides the start
+     * time of the operation which is also the rDn for the node.
+     *
+     * @return attribute that maps to 'reqStart' in audit object classes.
+     */
+    public Date getBeginDate()
+    {
+        return beginDate;
+    }
+
+
+    /**
+     * Set the Date for search to begin.  The earlier the date, the more records will be returned.
+     * This attribute is mapped to 'reqStart' on slapd audit records which provides the start
+     * time of the operation which is also the rDn for the node.
+     *
+     * @param beginDate attribute that maps to 'reqStart' in audit object classes.
+     */
+    public void setBeginDate( Date beginDate )
+    {
+        this.beginDate = beginDate;
+    }
+
+
+    /**
+     *
+     */
+    public Date getEndDate()
+    {
+        return endDate;
+    }
+
+
+    /**
+     *
+     * @param endDate
+     */
+    public void setEndDate( Date endDate )
+    {
+        this.endDate = endDate;
+    }
+
+
+    /**
+     * Get the optional dn attribute can be used to constraint {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchUserSessions(UserAudit)}.
+     * The dn for this search may represent any target entry in DIT that has been recently modified or deleted.
+     *
+     * @return the dn which maps to 'reqDn' for 'auditModify' object class searches.
+     */
+    public String getDn()
+    {
+        return dn;
+    }
+
+
+    /**
+     * Set the optional dn attribute can be used to constraint {@link org.apache.directory.fortress.core.rbac.AuditMgrImpl#searchUserSessions(UserAudit)}.
+     * The dn for this search may represent any target entry in DIT that has been recently modified or deleted.
+     *
+     * @param dn maps to 'reqDn' for 'auditModify' object class searches.
+     */
+    public void setDn( String dn )
+    {
+        this.dn = dn;
+    }
+
+
+    public String getObjId()
+    {
+        return objId;
+    }
+
+
+    public void setObjId( String objId )
+    {
+        this.objId = objId;
+    }
+
+
+    public boolean isAdmin()
+    {
+        return admin;
+    }
+
+
+    public void setAdmin( boolean admin )
+    {
+        this.admin = admin;
+    }
+}
\ No newline at end of file


Mime
View raw message