Suppose you want to have a role as an occupant of another role. For example, suppose there is a role called bireporting
and you wish for all the occupants of the ceo
role to also be occupants of the bireporting
role. One way to accomplish this would be to manually add all of the occupants of ceo
as occupants of the bireporting
role. Unfortunately, this solution does not reuse existing roles. Instead, you should be able to add the ceo
role as an occupant just as you would add a user as an occupant. Why would you need to do this? Because your Pentaho security configuration can simply reference the bireporting
role instead of a multitude of occupant roles.
The instructions below describe how to implement nested roles or groups by describing the nesting structure (the child to parent mapping) outside of the LDAP directory. Why would you want to describe the nesting (i.e. what role is an occupant of what other role) outside of the LDAP directory? Because it is potentially prohibitive to repeatedly query the directory to recursively find all parents of a given child role. So for performance reasons, the nesting is described outside of the LDAP directory.
Note: For 2.x, you need to use the two classes (
NestedLdapAuthoritiesPopulator
andExtraRoles
) in a JAR attached to this page. Also note that for 2.x, the package names forNestedLdapAuthoritiesPopulator
andExtraRoles
differ from the package names shown here. For 3.x, the classes are included in the distribution.
Describing the Nesting
Notice the populator
is no longer DefaultLdapAuthoritiesPopulator
. Instead, we've defined NestedLdapAuthoritiesPopulator
which subclasses DefaultLdapAuthoritiesPopulator
and adds a mapping for extra roles. In the extraRolesMapping
, the keys are child roles and the values are parent roles.
<bean id="populator" class="org.pentaho.platform.plugin.services.security.userrole.ldap.NestedLdapAuthoritiesPopulator"> <!-- omitted --> <property name="extraRolesMapping"> <map> <entry key="ceo" value="bireporting" /> <entry key="cto" value="bireporting" /> </map> </property> </bean>
All Authorities Search
If the roles that serve as "parents" to nested roles cannot be returned by a traditional all authorities search, you'll need to add the parents to the list returned by your existing all authorities search using a transformer. The ExtraRoles
transformer handles this.
<bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch"> <!-- omitted --> <constructor-arg index="2"> <bean class="org.apache.commons.collections.functors.ChainedTransformer"> <constructor-arg index="0"> <list> <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList"> <!-- omitted --> </bean> <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.ExtraRoles"> <property name="extraRoles"> <set> <value>bireporting</value> </set> </property> </bean> <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.StringToGrantedAuthority"> <!-- omitted --> </bean> </list> </constructor-arg> </bean> </constructor-arg> </bean>