Interface OrganizationMembershipPolicy

All Known Implementing Classes:
BaseOrganizationMembershipPolicy, DummyOrganizationMembershipPolicy

public interface OrganizationMembershipPolicy
Provides the Organization Membership Policy interface, allowing customization of user membership regarding organizations and organization roles.

Organization Membership Policies define the organizations a user is allowed to be a member of, the organizations the user must be a member of, the organization roles the user is allowed to be assigned, and the organization roles the user must be assigned.

An implementation may include any number of rules and actions to enforce those rules. The implementation may include rules and actions like the following:

  • If a user is a member of the organization he will automatically be a member of all its child organizations.
  • Only the members of the parent organization can become a member of this organization.
  • If a user doesn't have the custom attribute A, he cannot be assigned to organization B.
  • If the user is added to organization A, he will automatically be added to organization B.
  • The user must have the Administrator Role in order to be added to organization "Admin Organization".
  • All users with the custom attribute A will automatically have the organization role B.
  • All the users with organization role A cannot have organization role B (incompatible roles).

Liferay's core services invoke checkMembership(long[], long[], long[]) to detect policy violations before adding the users to and removing the users from the organizations. On passing the check, the service proceeds with the changes and propagates appropriate related actions in the portal by invoking propagateMembership(long[], long[], long[]). On failing the check, the service foregoes making the changes. For example, Liferay executes this logic when adding and updating organizations, adding and removing users with respect to organizations, and adding and removing organization roles with respect to users.

Liferay's UI calls the "is*" methods, such as isMembershipAllowed(long, long), to determine appropriate options to display to the user. For example, the UI calls isMembershipAllowed(long, long) to decide whether to enable the checkbox for adding the user to the organization.

Liferay's core services call isMembershipProtected(PermissionChecker, long, long) and isRoleProtected(PermissionChecker, long, long, long) to protect user organization memberships and organization role assignments, appropriately.

Author:
Roberto Díaz, Sergio González
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    checkMembership(long[] userIds, long[] addOrganizationIds, long[] removeOrganizationIds)
    Checks if the users can be added to and removed from the respective organizations.
    void
    checkRoles(List<UserGroupRole> addUserGroupRoles, List<UserGroupRole> removeUserGroupRoles)
    Checks if the organization roles can be added to or removed from their users.
    boolean
    isMembershipAllowed(long userId, long organizationId)
    Returns true if the user can be added to the organization.
    boolean
    isMembershipProtected(PermissionChecker permissionChecker, long userId, long organizationId)
    Returns true if the policy prevents the user from being removed from the organization by the user associated with the permission checker.
    boolean
    isMembershipRequired(long userId, long organizationId)
    Returns true if organization membership for the user is mandatory.
    boolean
    isRoleAllowed(long userId, long organizationId, long roleId)
    Returns true if the role can be added to the user on the organization.
    boolean
    isRoleProtected(PermissionChecker permissionChecker, long userId, long organizationId, long roleId)
    Returns true if the policy prevents the user from being removed from the role by the user associated with the permission checker.
    boolean
    isRoleRequired(long userId, long organizationId, long roleId)
    Returns true if the role is mandatory for the user on the organization.
    void
    propagateMembership(long[] userIds, long[] addOrganizationIds, long[] removeOrganizationIds)
    Performs membership policy related actions after the users are added to and removed from the respective organizations.
    void
    propagateRoles(List<UserGroupRole> addUserGroupRoles, List<UserGroupRole> removeUserGroupRoles)
    Performs membership policy related actions after the respective organization roles are added to and removed from the affected users.
    void
    Checks the integrity of the membership policy of each of the portal's organizations and performs operations necessary for the compliance of each organization and organization role.
    void
    verifyPolicy(Organization organization)
    Checks the integrity of the membership policy of the organization and performs operations necessary for the organization's compliance.
    void
    verifyPolicy(Organization organization, Organization oldOrganization, List<AssetCategory> oldAssetCategories, List<AssetTag> oldAssetTags, Map<String,Serializable> oldExpandoAttributes)
    Checks the integrity of the membership policy of the organization, with respect to the organization's new attribute values, categories, tags, and expando attributes, and performs operations necessary for the compliance of the organization and its organization roles.
    void
    Checks the integrity of the membership policy of the organization role and performs operations necessary for the role's compliance.
    void
    verifyPolicy(Role role, Role oldRole, Map<String,Serializable> oldExpandoAttributes)
    Checks the integrity of the membership policy of the organization role, with respect to its expando attributes, and performs operations necessary for the role's compliance.
  • Method Details

    • checkMembership

      void checkMembership(long[] userIds, long[] addOrganizationIds, long[] removeOrganizationIds) throws PortalException
      Checks if the users can be added to and removed from the respective organizations.

      Liferay's core services call this method before adding the users to and removing the users from the respective organizations. If this method throws an exception, the service foregoes making the changes.

      Parameters:
      userIds - the primary keys of the users to be added and removed from the organizations
      addOrganizationIds - the primary keys of the organizations to which the users are to be added (optionally null)
      removeOrganizationIds - the primary keys of the organizations from which the users are to be removed (optionally null)
      Throws:
      PortalException
    • checkRoles

      void checkRoles(List<UserGroupRole> addUserGroupRoles, List<UserGroupRole> removeUserGroupRoles) throws PortalException
      Checks if the organization roles can be added to or removed from their users.

      Liferay's core services call this method before adding the users to and removing the users from the respective organization roles. If this method throws an exception, the service foregoes making the changes.

      Parameters:
      addUserGroupRoles - the user group roles to be added
      removeUserGroupRoles - the user group roles to be removed
      Throws:
      PortalException
    • isMembershipAllowed

      boolean isMembershipAllowed(long userId, long organizationId) throws PortalException
      Returns true if the user can be added to the organization. Liferay's UI calls this method.
      Parameters:
      userId - the primary key of the user
      organizationId - the primary key of the organization
      Returns:
      true if the user can be added to the organization; false otherwise
      Throws:
      PortalException
    • isMembershipProtected

      boolean isMembershipProtected(PermissionChecker permissionChecker, long userId, long organizationId) throws PortalException
      Returns true if the policy prevents the user from being removed from the organization by the user associated with the permission checker.
      Parameters:
      permissionChecker - the permission checker referencing a user
      userId - the primary key of the user to check for protection
      organizationId - the primary key of the organization
      Returns:
      true if the policy prevents the user from being removed from the organization by the user associated with the permission checker; false otherwise
      Throws:
      PortalException
    • isMembershipRequired

      boolean isMembershipRequired(long userId, long organizationId) throws PortalException
      Returns true if organization membership for the user is mandatory. Liferay's UI, for example, calls this method in deciding whether to enable the checkbox for removing the user from the organization.
      Parameters:
      userId - the primary key of the user
      organizationId - the primary key of the organization
      Returns:
      true if organization membership for the user is mandatory; false otherwise
      Throws:
      PortalException
    • isRoleAllowed

      boolean isRoleAllowed(long userId, long organizationId, long roleId) throws PortalException
      Returns true if the role can be added to the user on the organization. Liferay's UI calls this method.
      Parameters:
      userId - the primary key of the user
      organizationId - the primary key of the organization
      roleId - the primary key of the role
      Returns:
      true if the role can be added to the user on the organization; false otherwise
      Throws:
      PortalException
    • isRoleProtected

      boolean isRoleProtected(PermissionChecker permissionChecker, long userId, long organizationId, long roleId) throws PortalException
      Returns true if the policy prevents the user from being removed from the role by the user associated with the permission checker.
      Parameters:
      permissionChecker - the permission checker referencing a user
      userId - the primary key of the user to check for protection
      organizationId - the primary key of the organization
      roleId - the primary key of the role
      Returns:
      true if the policy prevents the user from being removed from the role by the user associated with the permission checker; false otherwise
      Throws:
      PortalException
    • isRoleRequired

      boolean isRoleRequired(long userId, long organizationId, long roleId) throws PortalException
      Returns true if the role is mandatory for the user on the organization. Liferay's UI calls this method.
      Parameters:
      userId - the primary key of the user
      organizationId - the primary key of the organization
      roleId - the primary key of the role
      Returns:
      true if the role is mandatory for the user on the organization; false otherwise
      Throws:
      PortalException
    • propagateMembership

      void propagateMembership(long[] userIds, long[] addOrganizationIds, long[] removeOrganizationIds) throws PortalException
      Performs membership policy related actions after the users are added to and removed from the respective organizations. Liferay's core services call this method after adding and removing the users to and from the respective organizations.

      The actions must ensure the integrity of each organization's membership policy. For example, some actions for implementations to consider performing are:

      • Adding the users to the child organizations of each organization to which the users were added.
      • Removing the users from the child organizations of each organization from which the users were removed.
      Parameters:
      userIds - the primary key of the users to be added or removed
      addOrganizationIds - the primary keys of the organizations to which the users were added (optionally null)
      removeOrganizationIds - the primary keys of the organizations from which the users were removed (optionally null)
      Throws:
      PortalException
    • propagateRoles

      void propagateRoles(List<UserGroupRole> addUserGroupRoles, List<UserGroupRole> removeUserGroupRoles) throws PortalException
      Performs membership policy related actions after the respective organization roles are added to and removed from the affected users. Liferay's core services call this method after the roles are added to and removed from the users.

      The actions must ensure the membership policy of each organization role. For example, some actions for implementations to consider performing are:

      • If the role A is added to a user, role B should be added too.
      • If the role A is removed from a user, role B should be removed too.
      Parameters:
      addUserGroupRoles - the user group roles added
      removeUserGroupRoles - the user group roles removed
      Throws:
      PortalException
    • verifyPolicy

      void verifyPolicy() throws PortalException
      Checks the integrity of the membership policy of each of the portal's organizations and performs operations necessary for the compliance of each organization and organization role. This method can be triggered manually from the Control Panel. If the membership.policy.auto.verify portal property is true this method is triggered when starting Liferay and every time a membership policy hook is deployed.
      Throws:
      PortalException
    • verifyPolicy

      void verifyPolicy(Organization organization) throws PortalException
      Checks the integrity of the membership policy of the organization and performs operations necessary for the organization's compliance.
      Parameters:
      organization - the organization to verify
      Throws:
      PortalException
    • verifyPolicy

      void verifyPolicy(Organization organization, Organization oldOrganization, List<AssetCategory> oldAssetCategories, List<AssetTag> oldAssetTags, Map<String,Serializable> oldExpandoAttributes) throws PortalException
      Checks the integrity of the membership policy of the organization, with respect to the organization's new attribute values, categories, tags, and expando attributes, and performs operations necessary for the compliance of the organization and its organization roles. Liferay calls this method when adding and updating organizations.

      The actions must ensure the integrity of the organization's membership policy based on what has changed in the organization's attribute values, categories, tags, and expando attributes.

      For example, if the membership policy is that organizations with the "admnistrator" tag should only allow administrators as users, then this method could enforce that policy using the following logic:

      • If the old tags include the "administrator" tag and the new tags include it too, then no action needs to be performed regarding the policy. Note, the new tags can be obtained by calling assetTagLocalService.getTags(Group.class.getName(), group.getGroupId());.
      • If the old tags include the "administrator" tag and the new tags don't include it, then no action needs to be performed regarding the policy, as non-administrator users need not be removed.
      • However, if the old tags don't include the "administrator" tag, but the new tags include it, any organization user that does not have the Administrator role must be removed from the organization.
      Parameters:
      organization - the added or updated organization to verify
      oldOrganization - the old organization
      oldAssetCategories - the old categories
      oldAssetTags - the old tags
      oldExpandoAttributes - the old expando attributes
      Throws:
      PortalException
    • verifyPolicy

      void verifyPolicy(Role role) throws PortalException
      Checks the integrity of the membership policy of the organization role and performs operations necessary for the role's compliance.
      Parameters:
      role - the role to verify
      Throws:
      PortalException
    • verifyPolicy

      void verifyPolicy(Role role, Role oldRole, Map<String,Serializable> oldExpandoAttributes) throws PortalException
      Checks the integrity of the membership policy of the organization role, with respect to its expando attributes, and performs operations necessary for the role's compliance. Liferay calls this method when adding and updating organization roles.
      Parameters:
      role - the added or updated role to verify
      oldRole - the old role
      oldExpandoAttributes - the old expando attributes
      Throws:
      PortalException