Services

KIM provides 3 main service APIs with which client applications should interact. These are:

These services act as client-side facades to the underlying KIM services and provide important features such as caching. It is always recommended that applications invoke these services instead of the individual services that they façade in order to take advantage of these additional features.

In the next few sections we will look in-depth at these services. However, for more details, please see the javadocs for these services and the services they delegate to.

Using the Services

All KIM clients should retrieve service instances using the KIM service locator class KimApiServiceLocator. This class contains static methods to retrieve the appropriate Spring bean for the service. An example of retrieving the IdentityService service is:

IdentityService idmSvc = KimApiServiceLocator.getIdentityService();

You would use a similar mechanism for retrieving references to the other KIM services.

IdentityManagementService

The IdentityManagementService is the service the client applications will interact with most frequently. This service delegates operations to these underlying KIM services:

  • IdentityService

  • IdentityUpdateService

  • GroupService

  • GroupUpdateService

  • PermissionService

  • PermissionUpdateService

  • ResponsibilityService

  • ResponsibilityUpdateService

  • AuthenticationService

The IdentityManagementService aggregates the service methods from all it’s underlying services into a single service contract which client applications interact with.

Additionally, it also provides caching on top of these services to help increase the performance of service calls for the client application. To this end, the identity IdentityManagementService is actually deployed and resides within the client application and is not generally called over a remote interface (such as a web service).

Retrieving Principal Information

To retrieve the principal ID for a user, use the getPrincipalByPrincipalName method:

KimPrincipalInfo info = idmSvc.getPrincipalByPrincipalName(principalName);

Note that KIM, by default, stores principal names in lower case; the PRNCPL_NM column of KRIM_PRNCPL_T must store values in lower case. If your institution’s existing identity systems do not handle lowercase principal names, then there are three points to override that setting:

  1. org.kuali.rice.kim.service.impl.IdentityServiceImpl method getPrincipalByPrincipalName lowercases the principal name sent in; depending on how principals were integrated into the system it may not need to. Note that IdentityServiceImpl method getPrincipalByPrincipalNameAndPassword does not lowercase the principal name automatically.

  2. org.kuali.rice.kim.lookup.PersonLookableHelperServiceImpl method getSearchResults also automatically lowercases any principal name sent in; that behavior may also need to be changed

  3. Finally, the file {Rice home}/impl/src/main/resources/org/kuali/rice/kim/bo/datadictionary/KimBaseBeans.xml hold the data dictionary attribute templates for principal name as KimBaseBeans-principalName. The forceUppercase attribute is set to false by default, but perhaps should be overridden to true, to force uppercase principal names.

Once these three points have been overridden, you’ll be able to use uppercase principal names.

Retrieving Entity Default Information

To retrieve the default information for an entity, use one of the getEntityDefaultInfo methods:

KimEntityDefaultInfo infoByEntityId = idmSvc.getEntityDefaultInfo(entityId);

KimEntityDefaultInfo infoByPrincipalId = idmSvc.getEntityDefaultInfoByPrincipalId(principalId);

Retrieving Reference Information

To retrieve information about a type or status code, use the getter for that type.

Types in KIM are:

  • Address type

  • Affiliation type

  • Citizenship status

  • Email type

  • Employment status

  • Employment type

  • Entity name type

  • Entity type

  • External identifier type

  • Phone type

For instance, to retrieve information on an address type code:

AddressTypeInfo info = idmSvc.getAddressType(code);

Retrieving Group Membership Information

To retrieve a list of all groups in which a particular user is a member, use the getGroupsForPrincipal method:

List<GroupInfo> groups = idmSvc.getGroupsForPrincipal(principalId);

To determine if a user is a member of a particular group, use the isMemberOfGroup method:

if (idmSvc.isMemberOfGroup(principalId, groupId)) {
    // Do something special
}

To get a list of all members of a group, use the getMemberPrincipalIds method:

List<String> members = idmSvc.getMemberPrincipalIds(groupId);

Retrieving Group Information

To retrieve information about a group, use the getGroupInfo or getGroupInfoByName methods, depending on whether you know the group’s ID or name:

GroupInfo info = idmSvc.getGroupInfo(groupId);
GroupInfo info = idmSvc.getGroupInfoByName(groupName);

Checking Permission

To determine if a user has been granted a permission, without considering role qualifications, use the hasPermission method:

if (idmSvc.hasPermission(principalId, namespaceCode, permissionName,
 permissionDetails)) {
    // Do the action
}

To determine if a user has been granted a permission, use the isAuthorized method:

if (idmSvc.isAuthorized(principalId, namespaceCode, permissionName,
 permissionDetails, qualification)) {
    // Do the action
}

Retrieving Permission Information

To retrieve a list of principals granted a permission (including any delegates), use the getPermissionAssignees method:

List<PermissionAssigneeInfo> people = idmSvc.getPermissionAssignees(namespaceCode,
 permissionName, permissionDetails, qualification);

To retrieve a list of permissions granted to a principal, use the getAuthorizedPermissions method:

List<KimPermissionInfo> perms = idmSvc.getAuthorizedPermissions(principalId,
 namespaceCode, permissionName, permissionDetails, qualification);

Checking Responsibility

To determine if a user has a responsibility, use the hasResponsibility method:

if (idmSvc.hasResponsibility(principalId, namespaceCode, responsibilityName, qualification, permissionDetails)) {
    // Do the action

}

Retrieving Responsibility Information

To retrieve a list of roles associated with a responsibility, use the getRoleIdsForResponsibility method:

List<String> roleIds = idmSvc.getRoleIdsForResponsibility(responsibility, qualification);

Checking Authentication

The AuthenticationService and related methods on the IdentityManagementService are somewhat different than the other services. The AuthenticationService is not typically deployed remotely (unlike the IdentityService, GroupService, etc.).

Instead, the role of this service is simply to extract the authenticated user’s principal name from the HttpServletRequest and inform the client-side development framework (typically, the KNS) about this information. KIM itself does not implement full authentication services, but rather relies on other implementations (such as CAS or Shibboleth) to provide this functionality.

The client application can then establish a local session to store the information about the principal that authenticated. This will typically be used in subsequent calls to the KIM services, such as making authorization checks for the principal.

The reference implementation of the AuthenticationService simply extracts the REMOTE_USER parameter from the request and presents that as the principal name. This is often sufficient for many authentication providers that are available. However, if necessary this reference implementation can be overridden.

There is only a single method on the IdentityManagementService related to authentication.

String principalName = idmSvc.getAuthenticatedPrincipalName(request);

RoleManagementService

In KIM, Roles are used as a way to associate principals, groups and other roles with permissions and responsibilities. It is therefore not a common or recommended practice to query for whether or not a principal is a member of a Role for the purposes of logic in a client application. It is recommended to use permissions and the isAuthorized check to perform this sort of logic.

However, in some cases, querying for this information may be desirable. Or, in even more common cases, one may want to use an API to add or remove members from a Role. These kinds of operations are the responsibility of the RoleManagementService. Like the IdentityManagementService, this service is a façade which provides caching and delegates to underlying services. Specifically, it delegates to:

  • RoleService

Checking Role Assignment

To determine if a role is assigned to a principal, use the principalHasRole method:

if (rmSvc.principalHasRole(principalId, roleIds, qualifications)) {
    // Do something
}

Retrieving Role Information

To retrieve information on a role, use the getRole or getRoleByName method:

KimRoleInfo info = rmSvc.getRole(roleId);
KimRoleInfo info = rmSvc.getRoleByName(namespaceCode, roleName);             

To retrieve the list of principal IDs assigned to a role, use the getRoleMemberPrincipalIds method:

Collection<String> principals = rmSvc.getRoleMemberPrincipalIds(namespaceCode, roleName, qualifications);

Updating Role Membership

To assign a principal to a role, use the assignPrincipalToRole method:

rmSvc.assignPrincipalToRole(principalId, namespaceCode, roleName, qualifications);

To remove a principal from a role, use the removePrincipalFromRole method:

rmSvc.removePrincipalFromRole(principalId, namespaceCode, roleName, qualifications);

Person Service

The PersonService is used to aggregate Entity and Principal data into a data structure called a Person. A person is essentially a flattened collection of the various attributes on an entity (name, address, principal id, principal name, etc). This is intended to allow client applications to more easily interact with the data in the underlying KIM data model for entities and principals.

Retrieving Personal Information

To retrieve information on a person by principal ID, use the getPerson method:

Person person = perSvc.getPerson(principalId);

To retrieve information on a person by principal name, use the getPersonByPrincipalName method:

Person person = perSvc.getPersonByPrincipalName(principalName);

In order to search for people by a given set of criteria you can use the findPeople method:

List<? extends Person> people = perSvc.getPersonByPrincipalName(criteria);

In this case, criteria is a java.util.Map<String, String> which contains key-value pairs. The key is the name of the Person property to search on, while the value is the value to search for.