KIM provides 3 main service APIs with which client applications should interact. These are:
org.kuali.rice.kim.api.role.RoleManagementService
org.kuali.rice.kim.service.PersonService
These services act as client-side facades to the underlying KIM services and provide important features such as caching. It is always recommended that applications invoke these services instead of the individual services that they façade in order to take advantage of these additional features.
In the next few sections we will look in-depth at these services. However, for more details, please see the javadocs for these services and the services they delegate to.
All KIM clients should retrieve service instances using the KIM service locator class KimApiServiceLocator. This class contains static methods to retrieve the appropriate Spring bean for the service. An example of retrieving the IdentityService service is:
IdentityService idmSvc = KimApiServiceLocator.getIdentityService();
You would use a similar mechanism for retrieving references to the other KIM services.
The IdentityManagementService is the service the client applications will interact with most frequently. This service delegates operations to these underlying KIM services:
IdentityService
IdentityUpdateService
GroupService
GroupUpdateService
PermissionService
PermissionUpdateService
ResponsibilityService
ResponsibilityUpdateService
AuthenticationService
The IdentityManagementService aggregates the service methods from all it’s underlying services into a single service contract which client applications interact with.
Additionally, it also provides caching on top of these services to help increase the performance of service calls for the client application. To this end, the identity IdentityManagementService is actually deployed and resides within the client application and is not generally called over a remote interface (such as a web service).
To retrieve the principal ID for a user, use the getPrincipalByPrincipalName method:
KimPrincipalInfo info = idmSvc.getPrincipalByPrincipalName(principalName);
Note that KIM, by default, stores principal names in lower case; the PRNCPL_NM column of KRIM_PRNCPL_T must store values in lower case. If your institution’s existing identity systems do not handle lowercase principal names, then there are three points to override that setting:
org.kuali.rice.kim.service.impl.IdentityServiceImpl method getPrincipalByPrincipalName lowercases the principal name sent in; depending on how principals were integrated into the system it may not need to. Note that IdentityServiceImpl method getPrincipalByPrincipalNameAndPassword does not lowercase the principal name automatically.
org.kuali.rice.kim.lookup.PersonLookableHelperServiceImpl method getSearchResults also automatically lowercases any principal name sent in; that behavior may also need to be changed
Finally, the file {Rice home}/impl/src/main/resources/org/kuali/rice/kim/bo/datadictionary/KimBaseBeans.xml hold the data dictionary attribute templates for principal name as KimBaseBeans-principalName. The forceUppercase attribute is set to false by default, but perhaps should be overridden to true, to force uppercase principal names.
Once these three points have been overridden, you’ll be able to use uppercase principal names.
To retrieve the default information for an entity, use one of the getEntityDefaultInfo methods:
KimEntityDefaultInfo infoByEntityId = idmSvc.getEntityDefaultInfo(entityId); KimEntityDefaultInfo infoByPrincipalId = idmSvc.getEntityDefaultInfoByPrincipalId(principalId);
To retrieve information about a type or status code, use the getter for that type.
Types in KIM are:
Address type
Affiliation type
Citizenship status
Email type
Employment status
Employment type
Entity name type
Entity type
External identifier type
Phone type
For instance, to retrieve information on an address type code:
AddressTypeInfo info = idmSvc.getAddressType(code);
To retrieve a list of all groups in which a particular user is a member, use the getGroupsForPrincipal method:
List<GroupInfo> groups = idmSvc.getGroupsForPrincipal(principalId);
To determine if a user is a member of a particular group, use the isMemberOfGroup method:
if (idmSvc.isMemberOfGroup(principalId, groupId)) {
// Do something special
}To get a list of all members of a group, use the getMemberPrincipalIds method:
List<String> members = idmSvc.getMemberPrincipalIds(groupId);
To retrieve information about a group, use the getGroupInfo or getGroupInfoByName methods, depending on whether you know the group’s ID or name:
GroupInfo info = idmSvc.getGroupInfo(groupId); GroupInfo info = idmSvc.getGroupInfoByName(groupName);
To determine if a user has been granted a permission, without considering role qualifications, use the hasPermission method:
if (idmSvc.hasPermission(principalId, namespaceCode, permissionName,
permissionDetails)) {
// Do the action
}
To determine if a user has been granted a permission, use the isAuthorized method:
if (idmSvc.isAuthorized(principalId, namespaceCode, permissionName,
permissionDetails, qualification)) {
// Do the action
}
To retrieve a list of principals granted a permission (including any delegates), use the getPermissionAssignees method:
List<PermissionAssigneeInfo> people = idmSvc.getPermissionAssignees(namespaceCode, permissionName, permissionDetails, qualification);
To retrieve a list of permissions granted to a principal, use the getAuthorizedPermissions method:
List<KimPermissionInfo> perms = idmSvc.getAuthorizedPermissions(principalId, namespaceCode, permissionName, permissionDetails, qualification);
To determine if a user has a responsibility, use the hasResponsibility method:
if (idmSvc.hasResponsibility(principalId, namespaceCode, responsibilityName, qualification, permissionDetails)) {
// Do the action
}
To retrieve a list of roles associated with a responsibility, use the getRoleIdsForResponsibility method:
List<String> roleIds = idmSvc.getRoleIdsForResponsibility(responsibility, qualification);
The AuthenticationService and related methods on the IdentityManagementService are somewhat different than the other services. The AuthenticationService is not typically deployed remotely (unlike the IdentityService, GroupService, etc.).
Instead, the role of this service is simply to extract the authenticated user’s principal name from the HttpServletRequest and inform the client-side development framework (typically, the KNS) about this information. KIM itself does not implement full authentication services, but rather relies on other implementations (such as CAS or Shibboleth) to provide this functionality.
The client application can then establish a local session to store the information about the principal that authenticated. This will typically be used in subsequent calls to the KIM services, such as making authorization checks for the principal.
The reference implementation of the AuthenticationService simply extracts the REMOTE_USER parameter from the request and presents that as the principal name. This is often sufficient for many authentication providers that are available. However, if necessary this reference implementation can be overridden.
There is only a single method on the IdentityManagementService related to authentication.
String principalName = idmSvc.getAuthenticatedPrincipalName(request);
In KIM, Roles are used as a way to associate principals, groups and other roles with permissions and responsibilities. It is therefore not a common or recommended practice to query for whether or not a principal is a member of a Role for the purposes of logic in a client application. It is recommended to use permissions and the isAuthorized check to perform this sort of logic.
However, in some cases, querying for this information may be desirable. Or, in even more common cases, one may want to use an API to add or remove members from a Role. These kinds of operations are the responsibility of the RoleManagementService. Like the IdentityManagementService, this service is a façade which provides caching and delegates to underlying services. Specifically, it delegates to:
RoleService
RoleUpdateService
To determine if a role is assigned to a principal, use the principalHasRole method:
if (rmSvc.principalHasRole(principalId, roleIds, qualifications)) {
// Do something
}To retrieve information on a role, use the getRole or getRoleByName method:
KimRoleInfo info = rmSvc.getRole(roleId); KimRoleInfo info = rmSvc.getRoleByName(namespaceCode, roleName);
To retrieve the list of principal IDs assigned to a role, use the getRoleMemberPrincipalIds method:
Collection<String> principals = rmSvc.getRoleMemberPrincipalIds(namespaceCode, roleName, qualifications);
To assign a principal to a role, use the assignPrincipalToRole method:
rmSvc.assignPrincipalToRole(principalId, namespaceCode, roleName, qualifications);
To remove a principal from a role, use the removePrincipalFromRole method:
rmSvc.removePrincipalFromRole(principalId, namespaceCode, roleName, qualifications);
The PersonService is used to aggregate Entity and Principal data into a data structure called a Person. A person is essentially a flattened collection of the various attributes on an entity (name, address, principal id, principal name, etc). This is intended to allow client applications to more easily interact with the data in the underlying KIM data model for entities and principals.
To retrieve information on a person by principal ID, use the getPerson method:
Person person = perSvc.getPerson(principalId);
To retrieve information on a person by principal name, use the getPersonByPrincipalName method:
Person person = perSvc.getPersonByPrincipalName(principalName);
In order to search for people by a given set of criteria you can use the findPeople method:
List<? extends Person> people = perSvc.getPersonByPrincipalName(criteria);
In this case, criteria is a java.util.Map<String, String> which contains key-value pairs. The key is the name of the Person property to search on, while the value is the value to search for.