🔍 Code Extractor

class UnifiedRolePermission

Maturity: 53

A data class representing a collection of allowed and excluded resource actions with optional conditions for permission enforcement in a unified role-based access control system.

File: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/rolemanagement/unified_role_permission.py
Lines: 5 - 27
Complexity: simple

Purpose

This class models permissions for role-based access control by defining which resource actions (like create, update, delete, reset password) are allowed or excluded on a resource, along with optional conditions that must be met for the permission to be effective. It inherits from ClientValue, making it suitable for serialization and transmission in client-server communications, particularly in Microsoft Graph API or similar permission management systems.

Source Code

from office365.runtime.client_value import ClientValue
from office365.runtime.types.collections import StringCollection


class UnifiedRolePermission(ClientValue):
    """
    Represents a collection of allowed resource actions and the conditions that must be met for the action to be
    allowed. Resource actions are tasks that can be performed on a resource. For example, an application resource may
    support create, update, delete, and reset password actions.
    """

    def __init__(
        self,
        allowed_resource_actions=None,
        condition=None,
        excluded_resource_actions=None,
    ):
        """
        :param list[str] allowed_resource_actions: Set of tasks that can be performed on a resource. Required.
        :param str condition: Optional constraints that must be met for the permission to be effective.
            Not supported for custom roles.
        :param list[str] excluded_resource_actions: Set of tasks that may not be performed on a resource.
            Not yet supported.
        """
        self.allowedResourceActions = StringCollection(allowed_resource_actions)
        self.condition = condition
        self.excludedResourceActions = StringCollection(excluded_resource_actions)

Parameters

Name: bases
Type: ClientValue
Default: -
Kind: base class

Parameter Details

allowed_resource_actions: A list of strings representing tasks that can be performed on a resource. This is a required field that defines the permitted actions (e.g., ['create', 'update', 'delete']). The list is converted to a StringCollection internally.

condition: An optional string containing constraints that must be met for the permission to be effective. This field is not supported for custom roles. Can be None if no conditions are required.

excluded_resource_actions: A list of strings representing tasks that may not be performed on a resource. This feature is not yet supported in the current implementation. The list is converted to a StringCollection internally.

Return Value

Instantiation returns a UnifiedRolePermission object with three attributes: allowedResourceActions (StringCollection), condition (str or None), and excludedResourceActions (StringCollection). The object represents a complete permission configuration for role-based access control.

Class Interface

Methods

__init__(self, allowed_resource_actions=None, condition=None, excluded_resource_actions=None)

Purpose: Initializes a new UnifiedRolePermission instance with allowed actions, optional conditions, and excluded actions

Parameters:

  • allowed_resource_actions: List of strings representing permitted resource actions (e.g., create, update, delete)
  • condition: Optional string containing constraints for permission effectiveness (not supported for custom roles)
  • excluded_resource_actions: List of strings representing prohibited resource actions (not yet supported)

Returns: None (constructor)

Attributes

allowedResourceActions (StringCollection, instance): Collection of resource action strings that are permitted. Converted from the input list to a StringCollection for consistent handling.

condition (str or None, instance): Optional constraint string that must be met for the permission to be effective. Not supported for custom roles.

excludedResourceActions (StringCollection, instance): Collection of resource action strings that are explicitly prohibited. Feature not yet supported in the current implementation.

Dependencies

  • office365

Required Imports

from office365.runtime.client_value import ClientValue
from office365.runtime.types.collections import StringCollection

Usage Example

from office365.runtime.client_value import ClientValue
from office365.runtime.types.collections import StringCollection

# Minimal re-declaration of the class so the snippet is self-contained;
# it matches the installed office365 implementation shown above.
class UnifiedRolePermission(ClientValue):
    def __init__(self, allowed_resource_actions=None, condition=None, excluded_resource_actions=None):
        self.allowedResourceActions = StringCollection(allowed_resource_actions)
        self.condition = condition
        self.excludedResourceActions = StringCollection(excluded_resource_actions)

# Create a permission with allowed actions
permission = UnifiedRolePermission(
    allowed_resource_actions=['microsoft.directory/applications/create', 'microsoft.directory/applications/update'],
    condition='@Resource.AppId eq "12345678-1234-1234-1234-123456789012"',
    excluded_resource_actions=['microsoft.directory/applications/delete']
)

# Access the attributes
print(permission.allowedResourceActions)  # StringCollection of allowed actions
print(permission.condition)  # Condition string
print(permission.excludedResourceActions)  # StringCollection of excluded actions

# Create a simple permission without conditions
simple_permission = UnifiedRolePermission(
    allowed_resource_actions=['read', 'write']
)

print(simple_permission.condition)  # None

Best Practices

  • Always provide at least one allowed_resource_action when creating a permission, as this is the primary purpose of the class
  • The condition parameter is not supported for custom roles, so avoid using it in custom role scenarios
  • The excluded_resource_actions feature is not yet supported, so this parameter may not have any effect in current implementations
  • This class is designed to be serialized and transmitted to/from APIs, so ensure all values are JSON-serializable
  • Use fully qualified action names (e.g., 'microsoft.directory/applications/create') for consistency with Microsoft Graph API conventions
  • The class inherits from ClientValue, which likely provides serialization methods, so use those methods when transmitting the object
  • Create new instances rather than modifying existing ones to maintain immutability patterns common in permission systems
  • Validate that allowed_resource_actions contains valid action strings for your specific resource type before instantiation
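The validation and least-privilege checks recommended above can be done before the object is built. The following is an added example, not code from the office365 library or from this page: a small linter that takes the same three values the constructor receives and reports fully qualified action names that do not follow the `microsoft.directory/applications/create` shape, actions listed as both allowed and excluded, a non-empty excluded list (not yet supported, so it restricts nothing), and a condition on a custom role (not supported). The regular expression, the function name and the `custom_role` flag are assumptions made for this example.

```python
import re
from typing import Iterable, List, Optional

# Constructed pattern for fully qualified action names such as
# "microsoft.directory/applications/create": a dotted namespace followed by
# one or more "/"-separated segments. This is an assumption for the example,
# not a rule taken from the office365 library.
ACTION_RE = re.compile(r"^[a-z][a-z0-9]*\.[a-z][a-z0-9]*(?:/[A-Za-z0-9]+)+$")


def lint_permission(
    allowed: Optional[Iterable[str]],
    excluded: Optional[Iterable[str]] = None,
    condition: Optional[str] = None,
    custom_role: bool = True,
) -> List[str]:
    """Return review findings for one permission block; an empty list means clean.

    The arguments mirror UnifiedRolePermission's constructor parameters so the
    same values can be checked first and then passed on unchanged.
    """
    findings: List[str] = []
    allowed = list(allowed or [])
    excluded = list(excluded or [])

    # A permission exists to grant actions; an empty allow list is a mistake.
    if not allowed:
        findings.append("allowed_resource_actions is empty; the permission grants nothing")

    # Every action should be fully qualified and listed only once.
    for label, actions in (("allowed", allowed), ("excluded", excluded)):
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(f"{label} action {action!r} is not fully qualified")
        for dup in sorted({a for a in actions if actions.count(a) > 1}):
            findings.append(f"{label} action {dup!r} listed more than once")

    # An action that is both allowed and excluded signals a confused intent.
    for action in sorted(set(allowed) & set(excluded)):
        findings.append(f"action {action!r} is both allowed and excluded")

    # Exclusions are documented as not yet supported: they will not narrow anything.
    if excluded:
        findings.append("excluded_resource_actions is set but not yet supported; it restricts nothing")

    # Conditions are documented as not supported for custom roles.
    if condition and custom_role:
        findings.append("condition is set but conditions are not supported for custom roles")

    return findings


if __name__ == "__main__":
    # Constructed values taken from the usage example on this page.
    for finding in lint_permission(
        allowed=["microsoft.directory/applications/create", "microsoft.directory/applications/update"],
        excluded=["microsoft.directory/applications/delete"],
        condition='@Resource.AppId eq "12345678-1234-1234-1234-123456789012"',
        custom_role=True,
    ):
        print("finding:", finding)
```

Run the linter on the inputs first and construct the UnifiedRolePermission only when the returned list is empty (or contains only findings you have consciously accepted); the short names `read` and `write` from the simple example above are reported because they are not fully qualified.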

Similar Components

AI-powered semantic similarity - components with related functionality:

  • class UnifiedRoleAssignment 67.2% similar

    Represents a role assignment in Microsoft Graph API that grants access to resources by associating a role definition with a principal (user or group) at a specific scope.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/rolemanagement/unified_role_assignment.py
  • class UnifiedRoleDefinition 65.9% similar

    Represents an Azure Active Directory (Azure AD) role definition, which is a collection of permissions listing operations that can be performed and resources against which they can be performed.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/rolemanagement/unified_role_definition.py
  • class AppRole 60.6% similar

    Represents an application role in Microsoft Graph API that can be assigned to users, groups, or other applications to define permissions and access control.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/applications/roles/role.py
  • class UserRoleAssignment 59.9% similar

    A data class representing the assignment of a role to a user in SharePoint, inheriting from ClientValue for serialization support.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/sharepoint/sharing/user_role_assignment.py
  • class Role 59.8% similar

    An enumeration class representing abstract roles for SharePoint sharing permissions on securable objects in document libraries.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/sharepoint/sharing/role.py