MssubMcp (mssub_mcp v0.1.0)
API for the Master Control Program Subsystem.
The Master Control Program Subsystem provides global services such as tenant and Application Instance management, global user authentication, global system configuration services, and a global enumeration service.
Summary
Instance Manager Runtime
Starts all Applications and each Application's child Instances.
Starts the requested Application and its child Instances.
Starts an Instance and places it under the appropriate Application's supervisor.
Stops all Applications, Application Supervisors, and their child Instances.
Shuts down the Supervisor process of the requested Application and all of its child processes, including Instances.
Stops an Instance.
Instance Applications
Creates a new Application record.
Creates Application Context records for the identified Application.
Deletes an Application Context record from the system
Returns a populated Msdata.SystApplications struct for the requested record.
Retrieves the Application Context record ID for the record matching provided Internal Name argument.
Returns the Application record ID for the requested Application Internal Name; raises on error.
Returns a list of Application Context records.
Updates an existing Application record using the provided parameters as new values.
Updates an existing Application Context record.
Instance Types
Creates a new Instance Type record via the MscmpSystEnums service.
Creates an Instance Type/Application association.
Deletes an Instance Type from the MscmpSystEnums service.
Disassociates the Instance Type/Application support relationship.
Returns the Instance Type record for the given Internal Name; raises on error.
Returns the Instance Type record which is configured as the system default Instance Type.
Updates an existing Instance Type record via the MscmpSystEnums service.
Updates Instance Type Context default values which are applied to new Instance Contexts.
Owners
Creates a new Owner record.
Retrieves an Owner record by its internal name.
Retrieves the Owner record ID by Owner internal name.
Returns the Owner State Enumeration record for the given Internal Name argument.
Returns the Owner State Enumeration record which is configured as being default.
Tests to see if a specific Owner, or any Owner, record exists in the database.
Removes an Owner record from the system.
Updates an Owner record.
Instances
Creates a new Instance record.
Returns a Keyword List of the default values for each Instance State's functional type.
Returns the SystInstances record identified by its internal name.
Retrieves the Datastore Options based on the Instance database record and the provided Startup Options.
Returns the ID of the Instance record as identified by its internal name.
Retrieves the Instance State Enumeration record identified by the provided Internal Name.
Returns the Instance State Enumeration record which is configured as being default.
Initializes an uninitialized Instance.
Purges an eligible Instance from the system.
Sets the Instance State of an Instance.
Authentication Enums
Returns the Credential Type record for the given Internal Name; raises on error.
Returns the Credential Type Enumeration record which is configured as being default.
Returns the Identity Type record for the given Internal Name; raises on error.
Returns the Identity Type Enumeration record which is configured as being default.
Access Accounts
Tests to see if a specific Access Account, or any Access Account, record exists in the database.
Create a new Access Account.
Retrieves a fully populated Access Account record as found by internal name.
Looks up an Access Account record ID by its internal name.
Returns the Access Account State record for the given Internal Name; raises on error.
Returns the Access Account State Enumeration record which is configured as being default.
Purges the requested Access Account if the Access Account State is of a purge eligible functional type.
Updates the maintainable fields of a given Access Account record.
Access Account/Instance Assocs.
Accepts the invitation made to an Access Account to access an Instance.
Accepts the invitation made to an Access Account to access an Instance, referencing the record by its composite key values.
Declines an unaccepted/unexpired invitation made to an Access Account to access an Instance.
Declines an unaccepted/unexpired invitation made to an Access Account to access an Instance, referencing the record by its composite key values.
Invites or re-invites an Access Account to establish access rights to a specific Instance.
Revokes the access or invitation to access an Instance from the given Access Account.
Revokes the access or invitation to access an Instance from the given Access Account/Credential Type combination, referencing the record by its composite key values.
Password Rules
Adds a new password to the Disallowed Passwords list.
Creates Owner Password Rules for the requested Owner.
Removes a password from the disallowed passwords list.
Deletes an Owner Password Rules record from the system.
Tests if the Disallowed Password List has any entries or not.
Retrieves the Password Rules to apply for a requested Access Account as identified by its record ID.
Retrieves the Password Rules to apply for a requested Access Account as identified by its record ID, raising on error.
Converts a Global or Owner Password Rule struct into the generic map based Password Rule required by some functions.
Retrieves the currently active Global Password Rules.
Retrieves the currently active Global Password Rules, raising on error.
Retrieves the currently active Owner Password Rules for the requested Owner.
Retrieves the currently active Owner Password Rules for the requested Owner, raising on error.
Bulk loads a list of passwords into the Disallowed Passwords database table.
Indicates whether the requested password is disallowed.
Indicates whether the requested password is disallowed, raising on error.
Tests a candidate password against the effective Password Rules for a given Access Account.
Updates the Global Password Rules with new values.
Updates the Global Password Rules with new values using a caller provided data source record.
Updates the Owner Password Rules with new values.
Compares a "Test" set of Password Rules against a "Standard" set of Password Rules and reports on which of the "Test" Rules are considered less stringent than the "Standard" Rules.
Compares a "Test" set of Password Rules against a "Standard" set of Password Rules and reports on which of the "Test" Rules are considered less stringent than the "Standard" Rules, raising on error.
Network Rules
Adds a host IP address to the global disallowed hosts list.
Creates a new Global Network Rule using the provided parameters.
Creates a new Instance Network Rule using the provided parameters.
Creates a new Owner Network Rule using the provided parameters.
Deletes a host IP address from the Disallowed Hosts list based on either a
Msdata.SystDisallowedHosts record or the ID of such a
record.
Deletes a host IP address from the Disallowed Hosts list as looked up by the host IP address.
Deletes an existing Global Network Rule record as referenced by the record ID.
Deletes an existing Instance Network Rule record as referenced by the record ID.
Deletes an existing Owner Network Rule record as referenced by the record ID.
Returns the Network Rule which should be applied for the given Host IP Address.
Returns the Network Rule which should be applied for the given Host IP Address, raising on error.
Retrieves a Disallowed Host record from the database as identified by its host address.
Retrieves a Disallowed Host record from the database as identified by its host address, raising on error.
Retrieves a Disallowed Host record by the record ID.
Retrieves a Disallowed Host record by the record ID, raising on error.
Retrieves a Global Network Rule record based on its record ID.
Retrieves a Global Network Rule record based on its record ID, raising on error.
Retrieves a Instance Network Rule record based on its record ID.
Retrieves a Instance Network Rule record based on its record ID, raising on error.
Retrieves a Owner Network Rule record based on its record ID.
Retrieves a Owner Network Rule record based on its record ID, raising on error.
Indicates whether the provided host IP address is to be denied access to the system.
Indicates whether the provided host IP address is to be denied access to the system, raising on error.
Updates an existing Global Network Rule with new values.
Updates an existing Instance Network Rule with new values.
Updates an existing Owner Network Rule with new values.
Account Code
Creates a new Account Code for an Access Account or resets the Account Code if is already exists.
Retrieves the Account Code Identity record defined for the requested Access Account if one exists.
Identifies an Access Account by its Account Code identifier.
Revokes a previously create Account Code Identity from an Access Account, deleting it from the system.
Authenticator Management
Indicates if an Access Account's Password Credential is recoverable or not.
Creates an API Token Authenticator for the requested Access Account.
Creates an Email/Password Authenticator for an Access Account.
Requests the creation of a Validation Token Authenticator for the specified Identity.
Requests to start a Password Credential recovery process for the specified Access Account.
Allows for an existing password to be changed to a new password.
Revokes the request API Token Authenticator by deleting it from the system.
Revokes the Recovery Token Authenticator for a previously initiated Password Credential recovery.
Revokes a Validation Authenticator ("Validator") issued for the requested Identity.
Updates the External Name value of an existing API Token Identity.
Authentication
Identities and authenticates an Access Account using an API Token Authenticator.
Identifies and authenticates an Access Account on the basis of a starting Authentication State value constructed for Email/Password authentication.
Identities and authenticates an Access Account using an Email/Password Authenticator.
Confirms an Access Account's password Recovery Token Authenticator.
Confirms a specific Access Account Identity record as being valid for use.
Session Management
Creates a new session returning the session name for future reference.
Deletes the named Session record from the database.
Generates a random Session Name using the current formulation for automatic session name generation.
Retrieves the Session Data for the named Session and resets the Session Expiration.
Purges the database of previously expired Session records.
Refreshes the Session expiration date/time of the identified record.
Replaces the Session Data of the named Session record with the Session Data provided.
MCP Processing
Bootstraps the initial setup of either the MCP Application Platform or a new tenant.
Processes the given function in the context of the MCP services & Datastore.
Establishes MCP Subsystem process references in the calling process's process dictionary.
Unsets the MCP Subsystem service references from the process's Process Dictionary.
Functions
Retrieves the Permission Role record ID as found by its functional type name and Internal Name.
Retrieves the value of the given type for the requested setting.
Retrieves all values associated with the requested setting.
Retrieves all values for all settings.
Sets the value of any one setting type for the named setting.
Sets one or more of the available setting types for the named setting.
Instance Manager Runtime
start_all_applications(startup_options, opts \\ [])
@spec start_all_applications(map(), Keyword.t()) :: :ok | {:error, MscmpSystError.t()}
Starts all Applications and each Application's child Instances.
This function calls the start_application/3 function for each Application
configured in the system. See the documentation for start_application/3
for more information about this function and the available parameters.
start_application(application, startup_options, opts \\ [])
@spec start_application( MscmpSystInstance.Types.application_id() | Msdata.SystApplications.t(), map(), Keyword.t() ) :: :ok | {:error, MscmpSystError.t()}
Starts the requested Application and its child Instances.
For the requested Application, start a DynamicSupervisor under which to supervise all of the services related to that Application including its child Instances.
Once the Application supervisor is started any child Instances which are in a start-eligible status are started under the Application supervisor. The Instance startup process starts each Instance asynchronously and concurrently. The instance startup process will also upgrade each Instance Datastore to the current version of the application, if required. As such, you should be prepared for Application startup to be long running.
Parameters
application- either the record ID or theMsdata.SystApplicationsstruct representing the Application to start.startup_options- a map of values containing the Startup Options obtained from theMscmpSystOptionscomponent.opts- a Keyword List of optional values used during the initialization process. The available options include:max_concurrency- the maximum number of Instances to start concurrently. This defaults to the greater of 1 or one quarter of the value returned bySystem.schedulers_online/0floored.other available options are passed to
start_instance/3. See the documentation forstart_instance/3for the options it is able to accept.
start_instance(instance, startup_options, opts \\ [])
@spec start_instance( MscmpSystInstance.Types.instance_id() | Msdata.SystInstances.t(), map(), Keyword.t() ) :: :ok | {:error, MscmpSystError.t()}
Starts an Instance and places it under the appropriate Application's supervisor.
An Instance is essentially a tenant environment running a specific Application. Each environment's runtime characteristics are independent of other environments configured to run in the same system.
To be started the Instance must be in an Instance State of either functional
type instance_states_initialized or instance_states_active. Trying to
start an Instance in other Instance States will result in an error.
Note that we assume that the Application supervisor is already started and is ready to start child processes.
Parameters
instance- either the record ID or theMsdata.SystInstancesstruct of the Instance to start.startup_options- a map of values containing the Startup Options obtained from theMscmpSystOptionscomponent.opts- a Keyword List of optional values used during the initialization process. The available options include:migrating_state_id- the record ID of the Instance State to use while the starting Instance is being updated to the most current database definition of the application. If not provided the currently configured default Instance State for functional typeinstance_states_migratingwill be used.active_state_id- the record ID of the Instance State to use indicating that the Instance is ready to accept user workloads. If not provided the currently configured default Instance State for functional typeinstance_states_activewill be used.failure_state_id- the record ID of the Instance State to use indicating that the Instance startup process has failed and that the Instance is in an inconsistent state. If not provided the currently configured default Instance State for functional typeinstance_states_failurewill be used.migration_bindings- this a Keyword List containing values that will be substituted into the migration SQL files used to update a Datastore to the current version of the Application. Usually, there is no need to provide this option as the most common migration bindings are automatically generated from Instance record data.
stop_all_applications(opts \\ [])
@spec stop_all_applications(Keyword.t()) :: :ok | {:error, MscmpSystError.t()}
Stops all Applications, Application Supervisors, and their child Instances.
This function will call stop_application/2 for each Application configured
in the system. For more information about the available options and behaviors
of Application shutdown, please see the documentation for
stop_application/2.
stop_application(application, opts \\ [])
@spec stop_application( MscmpSystInstance.Types.application_id() | Msdata.SystApplications.t(), Keyword.t() ) :: :ok | {:error, MscmpSystError.t()}
Shuts down the Supervisor process of the requested Application and all of its child processes, including Instances.
Parameters
application- either the record ID or theMsdata.SystApplicationsstruct representing the Application to stop.opts- a Keyword List of optional values used during the initialization process. The available options include:supervisor_shutdown_timeout- a timeout value used to allow processes supervised by the Application supervisor to shut down cleanly. By default, this value is set to 60,000ms.Other options available are defined by and passed to the
stop_instance/2function for Instance shutdown. See thestop_instance/2for full information of the available options.
stop_instance(instance, opts \\ [])
@spec stop_instance( MscmpSystInstance.Types.instance_id() | Msdata.SystInstances.t(), Keyword.t() ) :: :ok | {:error, MscmpSystError.t()}
Stops an Instance.
Stopping an Instance shuts down its supervisor and any monitored processes.
Parameters
instance- either the record ID or theMsdata.SystInstancesstruct of the Instance to stop.opts- a Keyword List of optional values used during the initialization process. The available options include:supervisor_shutdown_timeout- a timeout value used to allow processes supervised by the Instance supervisor to shut down cleanly. By default, this value is set to 60,000ms.db_shutdown_timeout- a timeout value used to limit the time allowed for a clean shutdown of the database connections used for operating Datastore. See the documentation forMscmpSystDb.stop_datastore/2for more information.
Instance Applications
create_application(application_params)
@spec create_application(MscmpSystInstance.Types.application_params()) :: {:ok, Msdata.SystApplications.t()} | {:error, MscmpSystError.t()}
Creates a new Application record.
Application Subsystems need means by which they can make the MscmpSystInstance
component aware of their existence and this function provides the means by
which to do that.
Note
Note that this function is meant to expose Application record management to the relevant Application Subsystem programs and is not intended for regular management activities by end users.
Parameters
application_params- the parameters with which the new Application record should be created. The following attribute values are available:internal_name- a predetermined unique identifier for the Application record for use in programmatic contexts. This attribute is required and must be unique in the system.display_name- a unique, friendly name identifying the Application and for use in user interfaces. This attribute is required and must be unique in the system.syst_description- a user facing description of the Application including any special usage requirements or preconditions. This attribute is required.
Examples
Creating a new Application record.
iex> new_app_params = %{
...> internal_name: "ex_app1",
...> display_name: "Example App 1",
...> syst_description: "An example application"
...> }
iex> {:ok, %Msdata.SystApplications{}} =
...> MssubMcp.create_application(new_app_params)create_application_context(application_context_params)
@spec create_application_context(MscmpSystInstance.Types.application_context_params()) :: {:ok, Msdata.SystApplicationContexts.t()} | {:error, MscmpSystError.t()}
Creates Application Context records for the identified Application.
Application Contexts describe the Datastore Contexts each Instance is expected
to support to allow an Application to access its data. Application Subsystems
use this function to create the any required Application Context records not
already registered in the MscmpSystInstance data. Application Contexts are
used in the creation of Msdata.SystInstanceContexts records and provide a
number of default values for the Instance Context records.
Note
Note that this function is meant to expose Application record management to the relevant Application Subsystem programs and is not intended for regular management activities by end users.
Parameters
application_context_params- a map defining the attributes which will be used to create the new Application Context record. The attributes are:internal_name- a predetermined unique identifier for the Application Context record for use in programmatic contexts. This attribute is required and must be unique in the system.display_name- a unique, friendly name identifying the Application Context and for use in user interfaces. This attribute is required and must be unique in the system.application_id- a reference to the ID value of the parent Application record. A valid value for this attribute is required unless theapplication_nameattribute is set with the Internal Name of an existing Application record. If both this attribute and theapplication_nameattributes are set, theattribute_namevalue will be used to resolve the parent Application.application_name- a reference to the Internal Name value of an existing Application record. This value is used to look-up theapplication_idand so if this attribute is provided with a valid value, theapplication_idattribute may be omitted. The value of this attribute takes precedence over any value set explicitly in theapplication_idattribute. Ifapplication_idis omitted, then this attribute is required.description- a description of the Application Context's role in the application and database. This becomes a comment in the database attached to the database role created for the context.start_context- a required boolean value which establishes the default value of derived Instance Context (Msdata.SystInstanceContexts)start_contextsettings. When true, an Instance Context record derived from this Application Context will be, by default, started as active database connections when the parent Instance is started. False indicates that by default Instance startup will not establish database connections for the context. This value muse be setfalsefor any Application Context defining a Datastore Owner Context or any other Context where thelogin_contextis setfalse.login_context- a required boolean value which indicates if a derived Instance Context is used to create database connections. If true, a derived Instance Context record will provide login information to establish a database connection on Instance start so long as itsstart_contextvalue is alsotrue. If this attribute is setfalsethe derived Instance Context record will not define a Context capable of logging into the database.database_owner_context- a required boolean value which, when true, is designates an Application Context record as establishing the default values for Instance Datastore/database owners. If true, thestart_contextandlogin_contextattributes must be set false as owner contexts are not used for database connectivity not may be started during the Instance start process.
Examples
Create an database owner Application Context record.
iex> new_context_params = %{
...> internal_name: "ex_app2_owner",
...> display_name: "Example App 2 Owner",
...> application_name: "ex_app2",
...> description: "Database role owning objects for 'ex_app2'.",
...> start_context: false,
...> login_context: false,
...> database_owner_context: true
...> }
iex> {:ok, %Msdata.SystApplicationContexts{}} =
...> MssubMcp.create_application_context(new_context_params)delete_application_context(application_context_id)
@spec delete_application_context(MscmpSystInstance.Types.application_context_id()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Deletes an Application Context record from the system
Application Subsystems may use this function to remove an obsolete Application Context record from the system.
Note
Note that this function is meant to expose Application record management to the relevant Application Subsystem programs and is not intended for regular management activities by end users.
Warning!
While this function will remove an Application Context record from the system and prevent any new Instances of the Application from including the deleted Context, existing Instance Contexts based on the Application Context are not currently cleaned up by this function. Any clean-up of existing Instance Context data and of associated database roles and verification of extended clean-up activities is therefore the responsibility of the caller.
On successful delete of the record, a success tuple is returned to the caller
({:ok, :deleted}). If the requested record is not found in the database,
the returned value is {:ok, :not_found}. Any other outcome is returned via
an error tuple.
Parameters
application_context_id- the record ID of the Application Context record to delete. This value is required.
Examples
Deleting an existing Application Context.
iex> record_id = MssubMcp.get_application_context_id_by_name("ex_app2_delctx")
iex> MssubMcp.delete_application_context(record_id)
{:ok, :deleted}Attempting to delete a non-existent record.
iex> record_id = "00000000-0000-0000-0000-000000000000"
iex> MssubMcp.delete_application_context(record_id)
{:ok, :not_found}get_application(application, opts \\ [])
@spec get_application( MscmpSystInstance.Types.application_id() | MscmpSystInstance.Types.application_name(), Keyword.t() ) :: Msdata.SystApplications.t() | nil
Returns a populated Msdata.SystApplications struct for the requested record.
Parameters
application- either the record ID of the desired Application record or its Internal Name. This parameter is required.opts- allows optional parameters to be provided which govern the behavior of this function. The options are provided via a Keyword List. The available options are:include_contexts- a boolean value indicating whether or not to also retrieve the fully populated list of:application_contextsassociated with the requested Application. Contexts are returned as a standard association ofMsdata.SystApplicationContextsstructs. The default value of this option isfalse.
get_application_context_id_by_name(application_context_name)
@spec get_application_context_id_by_name( MscmpSystInstance.Types.application_context_name() ) :: MscmpSystInstance.Types.application_context_id() | nil
Retrieves the Application Context record ID for the record matching provided Internal Name argument.
When the requested Application Context record can not be found this function
returns nil. All errors raise an exception.
Parameters
application_context_name- the Internal Name value of the Application Context record to search for.
Examples
Finding an existing Application Context.
iex> id = MssubMcp.get_application_context_id_by_name("ex_app2_idctx")
iex> is_binary(id)
trueSearching for a non-existent Application Context.
iex> MssubMcp.get_application_context_id_by_name("nonexistent_context")
nilget_application_id_by_name(application_name)
@spec get_application_id_by_name(MscmpSystInstance.Types.application_name()) :: MscmpSystInstance.Types.application_id() | nil
Returns the Application record ID for the requested Application Internal Name; raises on error.
On successful execution the record ID of the requested Application is
returned. If the requested Application Internal Name is not found nil is
returned.
Parameters
applicaton_name- the internal name of the desired Application record.
Examples
Finding an application returns its ID value.
iex> application_id = MssubMcp.get_application_id_by_name("app1")
iex> is_binary(application_id)
true Asking for a non-existent application returns nil.
iex> MssubMcp.get_application_id_by_name("nonexistent_application")
nillist_application_contexts(application_id \\ nil)
@spec list_application_contexts(MscmpSystInstance.Types.application_id() | nil) :: {:ok, [Msdata.SystApplicationContexts.t()]} | {:error, MscmpSystError.t()}
Returns a list of Application Context records.
Parameters
application_id- an optional reference to a specific application for which to return Application Context records. By default this value isnilwhich results in all Application Context records for all Applications being returned.
update_application(application, application_params)
@spec update_application( MscmpSystInstance.Types.application_id() | Msdata.SystApplications.t(), MscmpSystInstance.Types.application_params() ) :: {:ok, Msdata.SystApplications.t()} | {:error, MscmpSystError.t()}
Updates an existing Application record using the provided parameters as new values.
Allows an Application Subsystem program to update its representative Application record as required.
Note
Note that this function is meant to expose Application record management to the relevant Application Subsystem programs and is not intended for regular management activities by end users.
Parameters
application- either a fully populatedMsdata.SystApplicationsstruct representing the current state of the Application record or the ID of the Application record to update. This argument is required.application_params- a map containing the attributes with updated values for the Application record update operation. The attributes which may be updated are:display_name- a unique, friendly name identifying the Application and for use in user interfaces. This value may not be setnilif it is included.syst_description- a user facing description of the Application including any special usage requirements or preconditions. This attribute may not be setnilif it is included.
Examples
Creating a new Application record.
iex> target_app_id = MssubMcp.get_application_id_by_name("ex_app2")
iex> update_app_params = %{
...> display_name: "Example App #2",
...> syst_description: "An updated example application."
...> }
iex> {:ok, %Msdata.SystApplications{display_name: "Example App #2"}} =
...> MssubMcp.update_application(target_app_id, update_app_params)update_application_context(application_context, application_context_params)
@spec update_application_context( MscmpSystInstance.Types.application_context_id() | Msdata.SystApplicationContexts.t(), MscmpSystInstance.Types.application_context_params() ) :: {:ok, Msdata.SystApplicationContexts.t()} | {:error, MscmpSystError.t()}
Updates an existing Application Context record.
Allows an Application Subsystem to update its Application Context entries as permitted.
Note
Note that this function is meant to expose Application record management to the relevant Application Subsystem programs and is not intended for regular management activities by end users.
Parameters
application_context- this required parameter may either be the Application Context record ID or the fully populatedMsdata.SystApplicationContextsstruct to update.application_context_params- a map of attributes which are to be updated with the new values of those attributes. The available attributes for updates are:display_name- a unique, friendly name identifying the Application Context and for use in user interfaces. This attribute is required and must be unique in the system.description- a description of the Application Context's role in the application and database. This becomes a comment in the database attached to the database role created for the context.start_context- a required boolean value which establishes the default value of derived Instance Context (Msdata.SystInstanceContexts)start_contextsettings. When true, an Instance Context record derived from this Application Context will be, by default, started as active database connections when the parent Instance is started. False indicates that by default Instance startup will not establish database connections for the context. This value muse be setfalsefor any Application Context defining a Datastore Owner Context or any other Context where thelogin_contextis setfalse.
Examples
Updating an existing Application Context record
iex> app_context_id =
...> MssubMcp.get_application_context_id_by_name("ex_app2_updctx")
iex> update_params = %{
...> display_name: "Updated Ex. App 2 Context",
...> description: "A now updated description",
...> start_context: false
...> }
iex> {:ok,
...> %Msdata.SystApplicationContexts{
...> display_name: "Updated Ex. App 2 Context",
...> description: "A now updated description",
...> start_context: false
...> }} =
...> MssubMcp.update_application_context(app_context_id, update_params)Instance Types
create_instance_type(instance_type_params)
@spec create_instance_type(MscmpSystInstance.Types.instance_type_params()) :: {:ok, Msdata.SystEnumItems.t()} | {:error, MscmpSystError.t()}
Creates a new Instance Type record via the MscmpSystEnums service.
Parameters
instance_type_params- the parameters to use when creating the new Instance Type. The attributesinternal_name,display_name,external_name,user_description, anduser_optionsfields are required for Instance Type creation.
create_instance_type_application(instance_type_id, application_id)
@spec create_instance_type_application( MscmpSystInstance.Types.instance_type_id(), MscmpSystInstance.Types.application_id() ) :: {:ok, Msdata.SystInstanceTypeApplications.t()} | {:error, MscmpSystError.t()}
Creates an Instance Type/Application association.
Associating an Instance Type with an Application expresses that the Instance Type can support Instances of the given application.
Parameters
instance_type_id- the ID value of the Instance Type which will support Application Instances.application_id- the ID value which identifies the Application to be supported.
delete_instance_type(instance_type_name)
@spec delete_instance_type(MscmpSystInstance.Types.instance_type_name()) :: :ok | {:error, MscmpSystError.t()}
Deletes an Instance Type from the MscmpSystEnums service.
Note that an attempt to delete an in-use Instance Type will result in a constraint error.
Parameters
instance_type_name- the internal name of an Instance Type to delete from the system.
delete_instance_type_application(instance_type_application)
@spec delete_instance_type_application( MscmpSystInstance.Types.instance_type_application_id() | Msdata.SystInstanceTypeApplications.t() ) :: :ok | {:error, MscmpSystError.t()}
Disassociates the Instance Type/Application support relationship.
Note that this will only prevent the creation of new Instances of the Instance Type for the Application. Existing Instances that were created when the relationship was valid will continue to exist.
Parameters
instance_type_application- This value can be either the ID value of the Instance Type Application record or aMsdata.SystInstanceTypeApplicationsstruct with at least theidfield defined.
get_instance_type_by_name(instance_type_name)
@spec get_instance_type_by_name(MscmpSystInstance.Types.instance_type_name()) :: Msdata.SystEnumItems.t() | nil
Returns the Instance Type record for the given Internal Name; raises on error.
On successful execution either the requested Instance Type Enumeration record
is returned or nil if the record does not exist.
Parameters
instance_type_name- the Internal Name of the desire Instance Type record to return.
Examples
Finding a Instance Type record by Internal Name.
iex> %Msdata.SystEnumItems{} =
...> MssubMcp.get_instance_type_by_name("instance_types_big")Looking for a non-existent record.
iex> MssubMcp.get_instance_type_by_name("nonexistent_type")
nilget_instance_type_default()
@spec get_instance_type_default() :: Msdata.SystEnumItems.t()
Returns the Instance Type record which is configured as the system default Instance Type.
If no system default has not been defined nil is returned.
Examples
iex> %Msdata.SystEnumItems{} = MssubMcp.get_instance_type_default()update_instance_type(instance_type_name, instance_type_params \\ %{})
@spec update_instance_type( MscmpSystInstance.Types.instance_type_name(), MscmpSystInstance.Types.instance_type_params() | %{} ) :: {:ok, Msdata.SystEnumItems.t()} | {:error, MscmpSystError.t()}
Updates an existing Instance Type record via the MscmpSystEnums service.
Parameters
instance_type_name- the internal name of the Instance Type to target for updating.instance_type_params- the parameters to use when creating the new Instance Type. All attributes in the parameter map are optional in updating contexts.
update_instance_type_context(instance_type_context, instance_type_context_params \\ %{})
@spec update_instance_type_context( MscmpSystInstance.Types.instance_type_context_id() | Msdata.SystInstanceTypeContexts.t(), MscmpSystInstance.Types.instance_type_context_params() | %{} ) :: {:ok, Msdata.SystInstanceTypeContexts.t()} | {:error, MscmpSystError.t()}
Updates Instance Type Context default values which are applied to new Instance Contexts.
Parameters
instance_type_context- this value may either be the record ID of the target Instance Type Context record or a copy of the currentMsdata.SystInstanceTypeContextsstruct representing the target record.instance_type_context_params- a map containing those attributes to be updated with their new values.instance_type_id- the ID value of the owning Instance Type record. This value is required unless theinstance_type_nameattribute is provided.instance_type_name- the internal name value of the owning Instance Type record. This value required unless theinstance_type_idvalue is provided instead.application_context_id- the record ID value of the Application Context with which this record is associated. This value is required unless theapplication_context_namevalue is provided instead.application_context_name- the internal name value of the Application Context with which this record is associated. This value is required unless theapplication_context_idvalue is provided instead.default_db_pool_size- the default size of the database connection pool to use for Instances Contexts created for Instances of this Instance Type. This field defaults to 0 on Instance Type Context creation.
Owners
create_owner(owner_params)
@spec create_owner(MscmpSystInstance.Types.owner_params()) :: {:ok, Msdata.SystOwners.t()} | {:error, MscmpSystError.t()}
Creates a new Owner record.
Parameters
owner_params- a map of Owner record attributes to use when creating a new record.internal_name- a predetermined unique identifier for the Owner record for use in programmatic contexts. This attribute is required and must be unique in the system.display_name- a unique, friendly name identifying the owner and for use in user interfaces. This attribute is required and must be unique in the system.owner_state_id- the Owner State value with which to create the new Owner record. If not provided in the function call, this attribute will be defaulted to the configured Owner State default value for the enumeration.
get_owner_by_name(owner_name)
@spec get_owner_by_name(MscmpSystInstance.Types.owner_name()) :: {:ok, Msdata.SystOwners.t()} | {:error, MscmpSystError.t()}
Retrieves an Owner record by its internal name.
This retrieval operation will also populate the associated records of Owner State and the Owner State Functional Type.
Examples
iex> {:ok, %Msdata.SystOwners{internal_name: "owner1"}} = ...> MssubMcp.get_owner_by_name("owner1")
get_owner_id_by_name(owner_name)
@spec get_owner_id_by_name(MscmpSystInstance.Types.owner_name()) :: {:ok, MscmpSystInstance.Types.owner_id()} | {:error, MscmpSystError.t()}
Retrieves the Owner record ID by Owner internal name.
Examples
iex> {:ok, owner_id} = MssubMcp.get_owner_id_by_name("owner1") iex> is_binary(owner_id) true
get_owner_state_by_name(owner_state_name)
@spec get_owner_state_by_name(MscmpSystInstance.Types.owner_state_name()) :: Msdata.SystEnumItems.t() | nil
Returns the Owner State Enumeration record for the given Internal Name argument.
If the requested Internal Name does not match an existing Owner State
Enumeration record nil is returned.
Parameters
owner_state_name- the internal name of the Owner State to retrieve.
Examples
Retrieving an Owner State Enumeration record.
iex> %Msdata.SystEnumItems{internal_name: "owner_states_sysdef_active"} =
...> MssubMcp.get_owner_state_by_name("owner_states_sysdef_active")Trying to retrieve a non-existent Owner State.
iex> MssubMcp.get_owner_state_by_name("nonexistent_state")
nilget_owner_state_default(functional_type \\ nil)
@spec get_owner_state_default( MscmpSystInstance.Types.owner_state_functional_types() | nil ) :: Msdata.SystEnumItems.t()
Returns the Owner State Enumeration record which is configured as being default.
If no Owner State record is configured as default, then nil is returned.
Parameters
functional_type- an optional parameter which, if provided and notnil, will return the default Owner State record configured for the requested functional type rather than the system default Owner State. The default for this parameter is to treat the parameter as not provided (nil).
Examples
Requesting the system default Owner State.
iex> %Msdata.SystEnumItems{internal_name: "owner_states_sysdef_active"} =
...> MssubMcp.get_owner_state_default()Requesting the default Owner State for a specific functional type.
iex> %Msdata.SystEnumItems{internal_name: "owner_states_sysdef_inactive"} =
...> MssubMcp.get_owner_state_default(:owner_states_inactive)owner_exists?(opts \\ [])
@spec owner_exists?(Keyword.t()) :: boolean() | {:error, MscmpSystError.t()}
Tests to see if a specific Owner, or any Owner, record exists in the database.
The functions provides an optional test on either an Owner record's Internal Name or record ID value. If no selectivity option is made, the test checks if any Owner records exist in the database at all.
If the Owner record(s) is found, the function returns true; other false. Errors produce a result tuple.
Parameters
opts- an optional Keyword List of optional parameters which can influence the result of calling the function. The available options are:owner_id- tests if a specific Owner record exists as referenced by its record ID value.owner_name- tests if a specific Owner record exists as referenced by its Internal Name.
Examples
Check if any Owner record exists.
iex> MssubMcp.owner_exists?()
trueCheck if a specific Owner record exists.
iex> MssubMcp.owner_exists?(owner_name: "owner1")
trueIf a non-existent Owner is requested, the function indicates the record was not found.
iex> MssubMcp.owner_exists?(owner_name: "nonexistent_owner")
falsepurge_owner(owner)
@spec purge_owner(MscmpSystInstance.Types.owner_id() | Msdata.SystOwners.t()) :: :ok | {:error, MscmpSystError.t()}
Removes an Owner record from the system.
Note that only Owner records in an Owner State of functional type
owner_states_purge_eligible may be purged from the system.
Parameters
owner- either the record ID of an Owner record to delete or theMsdata.SystOwnersstruct representing the Owner to purge.
update_owner(owner, update_params)
@spec update_owner( MscmpSystInstance.Types.owner_id() | Msdata.SystOwners.t(), MscmpSystInstance.Types.owner_params() ) :: {:ok, Msdata.SystOwners.t()} | {:error, MscmpSystError.t()}
Updates an Owner record.
Parameters
owner- This value must either by the record ID of an existing Owner record or theMsdata.SystOwnersstruct representing an existing owner.update_params- a map of Owner record attributes to be updated. For update operations only those attributes to be updates must be provided.internal_name- a predetermined unique identifier for the Owner record for use in programmatic contexts. This attribute must be unique in the system and may not be nil.display_name- a unique, friendly name identifying the owner and for use in user interfaces. This attribute must be unique in the system and may not be nil.owner_state_id- the record ID value of the new Owner State of the Owner record. Note that if this attribute is provided, but is set nil, an error will result.
Instances
create_instance(instance_params)
@spec create_instance(MscmpSystInstance.Types.instance_params()) :: {:ok, Msdata.SystInstances.t()} | {:error, MscmpSystError.t()}
Creates a new Instance record.
Creating a new Instance record will also create new Instance Context records based on the defaults defined in the Instance Type Context records associated with the Instance Type and Application of the new Instance. This is accomplished with database triggers.
Parameters
instance_params- A map of attributes to use in creating the new Instance record in the system.internal_name- a pre-generated identifier for Instance record for use in programmatic contexts. This value is required and must be unique in the system.display_name- a friendly name which identifies the record for use in user interfaces. This value is required and must be unique in the system.dbserver_name- the name of the database server where the Instance Datastore exists. This value is required. Note that invalid values here may not be detected until such time as the Instance Datastore use is attempted.application_id- the record ID of the Application for which this Instance is being created. This value is required unless theapplication_nameattribute has been provided instead.application_name- the internal name of the Application for which this Instance is being created. This value is requires unless theapplication_idattribute has been provided instead.instance_code- A value used in constructing the Instance Context credentials. This value should be a randomly generated series of between 8 and 64 bytes.instance_type_id- the record ID of the Instance Type of the new Instance record. This attribute is required unless theinstance_type_nameattribute is provided instead.instance_type_name- the internal name of the Instance Type of the new Instance record. This attribute is requires unless theinstance_type_idattribute is provided instead.instance_state_id- the record ID of the Instance State in which to create the new Instance record. This value may be omitted and allowed to default based on the configured default Instance State. Optionally the Instance State may also be identified by theinstance_state_nameattribute.instance_state_name- the internal name of the Instance State in which to create the new Instance record. This value may be omitted and allowed to default based on the configured default Instance State. Optionally the Instance State may also be identified by theinstance_state_idattribute.owner_id- the record ID of the Owner of the Instance. This attribute is required unless theowner_nameattribute is provided.owner_name- th internal name of the Owner of the Instance. This attribute is required unless theowner_idattribute is provided.owning_instance_id- if the Instance is associated with a parent instance, such as a sandbox Instance being created for a parent production Instance, the parent/child relationship may be expressed by assigning this attribute to the record ID of the parent. This attribute is not required and the parent Instance may be identified by theowning_instance_nameattribute instead.owning_instance_name- an alternate identification method for identifying a parent Instance when creating a child Instance. This attribute is optional and may used in lieu of using theowning_instance_idattribute to establish the parent/child relationship of the new Instance.
get_default_instance_state_ids()
@spec get_default_instance_state_ids() :: Keyword.t()
Returns a Keyword List of the default values for each Instance State's functional type.
Instance updating functions that change the Instance State value of the Instance will default to the appropriate Instance State if a specific Instance State value is not provided by the caller.
get_instance_by_name(instance_name)
@spec get_instance_by_name(MscmpSystInstance.Types.instance_name()) :: {:ok, Msdata.SystInstances.t()} | {:error, MscmpSystError.t()}
Returns the SystInstances record identified by its internal name.
Parameters
instance_name- the internal name of the Instance record to return.
Example
iex> {:ok, %Msdata.SystInstances{}} =
...> MssubMcp.get_instance_by_name("app1_owner1_instance_types_sml")get_instance_datastore_options(instance, startup_options)
@spec get_instance_datastore_options( MscmpSystInstance.Types.instance_id() | Msdata.SystInstances.t(), map() ) :: MscmpSystDb.Types.DatastoreOptions.t()
Retrieves the Datastore Options based on the Instance database record and the provided Startup Options.
Parameters
instance- the instance parameter is either the record ID value of the Instance record desired or theMsdata.SystInstancesstruct for the target Instance.startup_options- a map of values containing the Startup Options obtained from theMscmpSystOptionscomponent.
get_instance_id_by_name(instance_name)
@spec get_instance_id_by_name(MscmpSystInstance.Types.instance_name()) :: {:ok, MscmpSystInstance.Types.instance_id()} | {:error, MscmpSystError.t()}
Returns the ID of the Instance record as identified by its internal name.
Parameters
instance_name- the internal name of the Instance record to reference.
Example
iex> {:ok, instance_id} =
...> MssubMcp.get_instance_id_by_name("app1_owner1_instance_types_sml")
iex> is_binary(instance_id)
trueget_instance_state_by_name(instance_state_name)
@spec get_instance_state_by_name(MscmpSystInstance.Types.instance_state_name()) :: Msdata.SystEnumItems.t() | nil
Retrieves the Instance State Enumeration record identified by the provided Internal Name.
If the requested Internal Name does not match an existing Instance State
Enumeration record nil is returned.
Parameters
instance_state_name- the internal name of the Instance State to retrieve.
Examples
Retrieving an Instance State Enumeration record.
iex> %Msdata.SystEnumItems{internal_name: "instance_states_sysdef_active"} =
...> MssubMcp.get_instance_state_by_name("instance_states_sysdef_active")Trying to retrieve a non-existent Instance State.
iex> MssubMcp.get_instance_state_by_name("nonexistent_state")
nilget_instance_state_default(functional_type \\ nil)
@spec get_instance_state_default( MscmpSystInstance.Types.instance_state_functional_types() | nil ) :: Msdata.SystEnumItems.t()
Returns the Instance State Enumeration record which is configured as being default.
If no Instance State record is configured as default, then nil is returned.
Parameters
functional_type- an optional parameter which, if provided and notnil, will return the default Instance State record configured for the requested functional type rather than the system default Instance State. The default for this parameter is to treat the parameter as not provided (nil).
Examples
Requesting the system default Instance State.
iex> %Msdata.SystEnumItems{internal_name: "instance_states_sysdef_uninitialized"} =
...> MssubMcp.get_instance_state_default()Requesting the default Instance State for a specific functional type.
iex> %Msdata.SystEnumItems{internal_name: "instance_states_sysdef_active"} =
...> MssubMcp.get_instance_state_default(:instance_states_active)initialize_instance(instance_id, startup_options, opts \\ [])
@spec initialize_instance(MscmpSystInstance.Types.instance_id(), map(), Keyword.t()) :: {:ok, Msdata.SystInstances.t()} | {:error, MscmpSystError.t()}
Initializes an uninitialized Instance.
When a new Instance is created in the database, the record is giving an
Instance State with a functional type of instance_states_uninitialized
meaning that the Instance record has been created in the database, but the
Instance's own database and associated database roles have not yet been set
up.
Initializing an Instance creates its database and its database roles
("Datastore" and "Datastore Contexts"). Once initialized, the Instance record
is given an Instance State of functional type instance_states_initialized.
Initialized Instances may be started and have their Datastores migrated to the current version of the Instance's database.
Parameters
instance_id- the record ID of the Instance to initialize.startup_options- a map of values containing the Startup Options obtained from theMscmpSystOptionscomponent.opts- a Keyword List of optional values used during the initialization process. The available options include:initializing_state_id- the record ID value of the Instance State to use to indicate that the record is being initialized. If this value is not provided the configured default Instance State for the functional typeinstance_states_initializingwill be used.initialized_state_id- the record ID value of the Instance State to use to indicate that the record has successfully been initialized. If this value is not provided the configured default Instance State for the functional typeinstance_states_initializedwill be used.failed_state_id- the record ID value of the Instance State to use to indicate that the record has failed to be initialized. If this value is not provided the default configured Instance State for the functional typeinstance_states_failurewill be used.db_shutdown_timeout- a timeout value used to limit the time allowed for a clean shutdown of the DBA and Privileged database connections used for initialization of the Datastore. See the documentation forMscmpSystDb.create_datastore/2for more information.
purge_instance(instance, startup_options)
@spec purge_instance( MscmpSystInstance.Types.instance_id() | Msdata.SystInstances.t(), map() ) :: :ok | {:error, MscmpSystError.t()}
Purges an eligible Instance from the system.
Purging an Instance drops its associated Datastore and its defining
Msdata.SystInstances records from the database.
In order for the purge to be successful, the Instance must be in an Instance
State of functional type instance_states_purge_eligible.
Warning
Naturally, great care must be taken in the lead up to calling this function as purging an Instance leads to the irreversible loss of the Instance's data (absent externally managed backups of some sort).
Parameters
instance- either the record ID or theMsdata.SystInstancesstruct of the Instance to purge.startup_options- a map of values containing the Startup Options obtained from theMscmpSystOptionscomponent.
set_instance_state(instance, instance_state_id)
@spec set_instance_state( Msdata.SystInstances.t(), MscmpSystInstance.Types.instance_state_id() ) :: {:ok, Msdata.SystInstances.t()} | {:error, MscmpSystError.t()}
Sets the Instance State of an Instance.
Parameters
instance- the currentMsdata.SystInstancesstruct representing the Instance to be updated.instance_state_id- The record ID of the new Instance State value into which to place the Instance record.
Authentication Enums
get_credential_type_by_name(credential_type_name)
@spec get_credential_type_by_name(MscmpSystAuthn.Types.credential_type_name()) :: Msdata.SystEnumItems.t() | nil
Returns the Credential Type record for the given Internal Name; raises on error.
On successful execution either the requested Credential Type Enumeration record
is returned or nil if the record does not exist.
Parameters
credential_type_name- the Internal Name of the desire Credential Type record to return.
Examples
Finding a Credential Type record by Internal Name.
iex> %Msdata.SystEnumItems{} =
...> MssubMcp.get_credential_type_by_name("credential_types_sysdef_token_api")Looking for a non-existent record.
iex> MssubMcp.get_credential_type_by_name("nonexistent_type")
nilget_credential_type_default(functional_type \\ nil)
@spec get_credential_type_default( MscmpSystAuthn.Types.credential_type_functional_types() | nil ) :: Msdata.SystEnumItems.t()
Returns the Credential Type Enumeration record which is configured as being default.
If no Credential Type record is configured as default, then nil is returned.
Parameters
functional_type- an optional parameter which, if provided and notnil, will return the default Credential Type record configured for the requested functional type rather than the system default Credential Type. The default for this parameter is to treat the parameter as not provided (nil).
Examples
Requesting the system default Credential Type.
iex> %Msdata.SystEnumItems{internal_name: "credential_types_sysdef_password"} =
...> MssubMcp.get_credential_type_default()Requesting the default Credential Type for a specific functional type.
iex> %Msdata.SystEnumItems{internal_name: "credential_types_sysdef_mfa_totp"} =
...> MssubMcp.get_credential_type_default(:credential_types_mfa_totp)get_identity_type_by_name(identity_type_name)
@spec get_identity_type_by_name(MscmpSystAuthn.Types.identity_type_name()) :: Msdata.SystEnumItems.t() | nil
Returns the Identity Type record for the given Internal Name; raises on error.
On successful execution either the requested Identity Type Enumeration record
is returned or nil if the record does not exist.
Parameters
identity_type_name- the Internal Name of the desire Identity Type record to return.
Examples
Finding a Identity Type record by Internal Name.
iex> %Msdata.SystEnumItems{} =
...> MssubMcp.get_identity_type_by_name("identity_types_sysdef_account")Looking for a non-existent record.
iex> MssubMcp.get_identity_type_by_name("nonexistent_type")
nilget_identity_type_default(functional_type \\ nil)
@spec get_identity_type_default( MscmpSystAuthn.Types.identity_type_functional_types() | nil ) :: Msdata.SystEnumItems.t()
Returns the Identity Type Enumeration record which is configured as being default.
If no Identity Type record is configured as default, then nil is returned.
Parameters
functional_type- an optional parameter which, if provided and notnil, will return the default Identity Type record configured for the requested functional type rather than the system default Identity Type. The default for this parameter is to treat the parameter as not provided (nil).
Examples
Requesting the system default Identity Type.
iex> %Msdata.SystEnumItems{internal_name: "identity_types_sysdef_email"} =
...> MssubMcp.get_identity_type_default()Requesting the default Identity Type for a specific functional type.
iex> %Msdata.SystEnumItems{internal_name: "identity_types_sysdef_api"} =
...> MssubMcp.get_identity_type_default(:identity_types_api)Access Accounts
access_account_exists?(opts \\ [])
@spec access_account_exists?(Keyword.t()) :: boolean() | {:error, MscmpSystError.t()}
Tests to see if a specific Access Account, or any Access Account, record exists in the database.
The functions provides an optional test on either an Access Account record's Internal Name or record ID value. If no selectivity option is made, the test checks if any Access Account records exist in the database at all.
If an appropriate Access Account record is found, the function returns true, otherwise false. Any other condition is considered an error and will result in an error tuple being returned indicating the cause of the error.
Parameters
opts- an optional Keyword List of optional parameters which can influence the result of calling the function. The available options are:access_account_id- tests if a specific Access Account record exists as referenced by its record ID value.access_account_name- tests if a specific Access Account record exists as referenced by its Internal Name.
Examples
Check if any Access Account record exists.
iex> MssubMcp.access_account_exists?()
trueCheck if a specific Access Account record exists.
iex> MssubMcp.access_account_exists?(access_account_name: "example_accnt")
trueIf a non-existent Access Account is requested, the function indicates the record was not found.
iex> MssubMcp.access_account_exists?(access_account_name: "nonexistent_access_account")
falsecreate_access_account(access_account_params)
@spec create_access_account(MscmpSystAuthn.Types.access_account_params()) :: {:ok, Msdata.SystAccessAccounts.t()} | {:error, MscmpSystError.t()}
Create a new Access Account.
Parameters
access_account_params- a map of required and optional parameters which define the new Access Account record. Required attributes in this map are:internal_name,external_name,access_account_state_id, andallow_global_logins.
Example
iex> state = MssubMcp.get_access_account_state_default()
iex> {:ok, %Msdata.SystAccessAccounts{}} =
...> MssubMcp.create_access_account(
...> %{
...> internal_name: "example_create_accnt",
...> external_name: "Create Access Account Example",
...> access_account_state_id: state.id,
...> allow_global_logins: true
...> }
...> )get_access_account_by_name(access_account_name)
@spec get_access_account_by_name(MscmpSystAuthn.Types.access_account_name()) :: Msdata.SystAccessAccounts.t() | {:error, MscmpSystError.t()}
Retrieves a fully populated Access Account record as found by internal name.
'Fully populated' in this context means that the related Account Account State and related functional type data is also retrieved along with the actual Access Account data.
Parameters
access_account_name- the internal name of the Access Account record to retrieve.
Example
iex> {
...> :ok,
...> %Msdata.SystAccessAccounts{internal_name: "example_accnt"}
...> } =
...> MssubMcp.get_access_account_by_name("example_accnt")get_access_account_id_by_name(access_account_name)
@spec get_access_account_id_by_name(MscmpSystAuthn.Types.access_account_name()) :: {:ok, MscmpSystAuthn.Types.access_account_id()} | {:error, MscmpSystError.t()}
Looks up an Access Account record ID by its internal name.
Parameters
access_account_name- the internal name of the record for which to retrieve the record ID.
Examples
iex> {:ok, access_account_id} =
...> MssubMcp.get_access_account_id_by_name("example_accnt")
iex> is_binary(access_account_id)
trueget_access_account_state_by_name(access_account_state_name)
@spec get_access_account_state_by_name( MscmpSystAuthn.Types.access_account_state_name() ) :: Msdata.SystEnumItems.t() | nil
Returns the Access Account State record for the given Internal Name; raises on error.
On successful execution either the requested Access Account State Enumeration
record is returned or nil if the record does not exist.
Parameters
access_account_state_name- the Internal Name of the desire Access Account State record to return.
Examples
Finding a Access Account State record by Internal Name.
iex> %Msdata.SystEnumItems{} =
...> MssubMcp.get_access_account_state_by_name("access_account_states_sysdef_active")Looking for a non-existent record.
iex> MssubMcp.get_access_account_state_by_name("nonexistent_type")
nilget_access_account_state_default(functional_type \\ nil)
@spec get_access_account_state_default( MscmpSystAuthn.Types.access_account_state_functional_types() | nil ) :: Msdata.SystEnumItems.t()
Returns the Access Account State Enumeration record which is configured as being default.
If no Access Account State record is configured as default, then nil is
returned.
Parameters
functional_type- an optional parameter which, if provided and notnil, will return the default Access Account State record configured for the requested functional type rather than the system default Access Account State. The default for this parameter is to treat the parameter as not provided (nil).
Examples
Requesting the system default Access Account State.
iex> %Msdata.SystEnumItems{internal_name: "access_account_states_sysdef_pending"} =
...> MssubMcp.get_access_account_state_default()Requesting the default Access Account State for a specific functional type.
iex> %Msdata.SystEnumItems{internal_name: "access_account_states_sysdef_inactive"} =
...> MssubMcp.get_access_account_state_default(:access_account_states_inactive)purge_access_account(access_account)
@spec purge_access_account( MscmpSystAuthn.Types.access_account_id() | Msdata.SystAccessAccounts.t() ) :: :ok | {:error, MscmpSystError.t()}
Purges the requested Access Account if the Access Account State is of a purge eligible functional type.
Parameters
access_account- is either the record ID of the Access Account to purge or the populatedMsdata.SystAccessAccountsstruct representing the record to purge.
Example
iex> {:ok, target_access_account} =
...> MssubMcp.get_access_account_by_name("example_purge_accnt")
iex> MssubMcp.purge_access_account(target_access_account)
:okupdate_access_account(access_account, access_account_params)
@spec update_access_account( MscmpSystAuthn.Types.access_account_id() | Msdata.SystAccessAccounts.t(), MscmpSystAuthn.Types.access_account_params() ) :: {:ok, Msdata.SystAccessAccounts.t()} | {:error, MscmpSystError.t()}
Updates the maintainable fields of a given Access Account record.
Parameters
access_account- either the record ID value of the Access Account to update or is the completeMsdata.SystAccessAccountsstruct representing the before-update state of the Access Account record.access_account_params- a map containing those attributes to be changed along with their new values.
Example
iex> {:ok, target_access_account} =
...> MssubMcp.get_access_account_by_name("example_accnt")
iex> {:ok, updated_access_account} =
...> MssubMcp.update_access_account(
...> target_access_account,
...> %{external_name: "Updated Example Account Name"}
...> )
iex> %Msdata.SystAccessAccounts{
...> external_name: "Updated Example Account Name"
...> } = updated_access_accountAccess Account/Instance Assocs.
accept_instance_invite(access_account_instance_assoc)
@spec accept_instance_invite( MscmpSystAuthn.Types.access_account_instance_assoc_id() | Msdata.SystAccessAccountInstanceAssocs.t() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Accepts the invitation made to an Access Account to access an Instance.
This process is only needed in the case where a
syst_access_account_instance_assocs invitation may be accepted or declined
by the Access Account holder. To be accepted in this process the invitation
record must have been previously created (see invite_to_instance/3), must
not be expired, previously declined, or previously accepted; trying to accept
a record in such a state will result in an error tuple being returned.
Naturally, the Access Account holder may choose to never accept or decline the invitation and may simply allow the invitation to expire.
Parameters
access_account_instance_assoc- this value may be either the populatedMsdata.SystAccessAccountInstanceAssocsstruct to accept or the record ID of the record to accept.
accept_instance_invite(access_account_id, instance_id)
@spec accept_instance_invite( MscmpSystAuthn.Types.access_account_id(), MscmpSystInstance.Types.instance_id() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Accepts the invitation made to an Access Account to access an Instance, referencing the record by its composite key values.
This function performs the same process as accept_instance_invite/1, but
will look up the record to accept using the Access Account, Instance, and
Credential Type record ID values.
Parameters
access_account_id- the record ID of the Access Account accepting the invitation to the Instance.instance_id- the Instance record ID to which the Access Account has been invited.
decline_instance_invite(access_account_instance_assoc)
@spec decline_instance_invite( MscmpSystAuthn.Types.access_account_instance_assoc_id() | Msdata.SystAccessAccountInstanceAssocs.t() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Declines an unaccepted/unexpired invitation made to an Access Account to access an Instance.
This process is only needed in the case where a
syst_access_account_instance_assocs invitation may be accepted or declined
by the Access Account holder. To be declined in this process the invitation
record must have been previously created (see invite_to_instance/3), must
not be expired, previously declined, or previously accepted; trying to decline
a record in such a state will result in an error tuple being returned.
Naturally, the Access Account holder may choose to never accept or decline the invitation and may simply allow the invitation to expire.
Parameters
access_account_instance_assoc- this value may be either the populatedMsdata.SystAccessAccountInstanceAssocsstruct to decline or the record ID of the record to decline.
decline_instance_invite(access_account_id, instance_id)
@spec decline_instance_invite( MscmpSystAuthn.Types.access_account_id(), MscmpSystInstance.Types.instance_id() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Declines an unaccepted/unexpired invitation made to an Access Account to access an Instance, referencing the record by its composite key values.
This function performs the same process as decline_instance_invite/1, but
will look up the record to decline using the Access Account, Instance, and
Credential Type record ID values.
Parameters
access_account_id- the record ID of the Access Account declining the invitation to the Instance.instance_id- the Instance record ID to which the Access Account has been invited.
invite_to_instance(access_account_id, instance_id, opts \\ [])
@spec invite_to_instance( MscmpSystAuthn.Types.access_account_id(), MscmpSystInstance.Types.instance_id(), Keyword.t() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Invites or re-invites an Access Account to establish access rights to a specific Instance.
The invitation process creates a syst_access_account_instance_assocs record
for the requested Access Account and Instance and sets the invitation_issued
field to the current date/time. Re-invitation will update an existing
syst_access_account_instance_assocs record resetting invite data such as the
invitation expiration date or resetting the declined state if the record was
previously declined by the Access Account holder. Once a
syst_access_account_instance_assocs record is accepted, it may not be re-
invited again using this process until the record is revoked (deleted).
syst_access_account_instance_assocs are unique to the Access Account and
Instance combination and only one such record may exist for that combination
at any one time.
Parameters
access_account_id- the record ID of the Access Account to invite to the Instance.instance_id- the Instance record ID to which the Access Account is being invited.opts- a keyword list of optional parameters used to set record values and behaviors. Available options are:create_accepted- will create asyst_access_account_instance_assocsrecord which is already accepted when settrue. The default value isfalse.expiration_days- for records that are not created as accepted and act as true invitations, this option sets the number of days in which an Access Account holder may accept the invitation. After this time the invitation is considered expired and must be re-invited before it can be used to grant access again. The default value for this option is 30 days.
revoke_instance_access(access_account_instance_assoc)
@spec revoke_instance_access( MscmpSystAuthn.Types.access_account_instance_assoc_id() | Msdata.SystAccessAccountInstanceAssocs.t() ) :: :ok | {:error, MscmpSystError.t()}
Revokes the access or invitation to access an Instance from the given Access Account.
Simply put, Access Accounts are both invited and granted access to Instances
via Access Account Instance Association records (see:
Msdata.SystAccessAccountInstanceAssocs) and this
function deletes those records. This has the effect of revoking the
invitation to access an Instance from the Access Account/Credential Type
combination.
Records in any state of invited, accepted, or declined may be revoked/deleted using this function.
Parameters
access_account_instance_assoc- this value may be either the populatedMsdata.SystAccessAccountInstanceAssocsstruct to revoke or the record ID of the record to revoke.
revoke_instance_access(access_account_id, instance_id)
@spec revoke_instance_access( MscmpSystAuthn.Types.access_account_id(), MscmpSystInstance.Types.instance_id() ) :: {:ok, Msdata.SystAccessAccountInstanceAssocs.t()} | {:error, MscmpSystError.t()}
Revokes the access or invitation to access an Instance from the given Access Account/Credential Type combination, referencing the record by its composite key values.
This function performs the same action as revoke_instance_access/1 but
identified the record being revoked (deleted) using its composite/candidate
key values.
Parameters
access_account_id- the record ID of the Access Account from which the invitation to access is being revoked.instance_id- the Instance record ID from which the Access Account had previously been invited to access.
Password Rules
create_disallowed_password(password)
@spec create_disallowed_password(MscmpSystAuthn.Types.credential()) :: :ok | {:error, MscmpSystError.t()}
Adds a new password to the Disallowed Passwords list.
Disallowed passwords are passwords that are commonly known, are known to have
been revealed in a successful hacking attack, or are otherwise not available
for users to choose for their authentication credential. Enforcing that these
passwords are not available for use depends upon the effective
disallow_compromised Password Rule for the Access Account attempting
authentication.
An attempt to add a password which is already on the list will succeed as though the password were not already part of the list.
Parameters
password- The plaintext password to add to the list of disallowed passwords.
Examples
Adding a password successfully will simply return :ok.
iex> MssubMcp.create_disallowed_password("Example Disallowed Password")
:okAny subsequent attempt to add the same password to the list again will appear to succeed while silently doing nothing.
iex> MssubMcp.create_disallowed_password("Example Disallowed Password")
:okcreate_owner_password_rules(owner_id, insert_params)
@spec create_owner_password_rules( MscmpSystInstance.Types.owner_id(), MscmpSystAuthn.Types.password_rule_params() ) :: {:ok, Msdata.SystOwnerPasswordRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Creates Owner Password Rules for the requested Owner.
Owners may optionally define their own Password Rules for their users so long as their desired rules are of equal or greater stringency than the Global Password Rules. If the new Owner Password Rules are defined to be less stringent than the current Global Password Rules, the Owner Password Rules will be saved as requested, but ignored when applied in favor of the more stringent rule.
Parameters
owner_id- the record ID of the Owner for whom the Password Rules are being created.insert_params- a map of the values to use when creating the new record. SeeMscmpSystAuthn.Types.password_rule_params/0for details regarding the available attributes.
delete_disallowed_password(password)
@spec delete_disallowed_password(MscmpSystAuthn.Types.credential()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Removes a password from the disallowed passwords list.
On success, this function will return a success tuple indicating if the
requested password was deleted from the disallowed passwords list
({:ok, :deleted}) or if the password simply wasn't found in the list
({:ok, :not_found}).
Parameters
password- the plaintext password to delete from the disallowed passwords list.
Examples
Result when deleting a record from the list.
iex> MssubMcp.delete_disallowed_password("No Longer Disallowed")
{:ok, :deleted}Result when trying to delete a record not already on the list.
iex> MssubMcp.delete_disallowed_password("Not on List")
{:ok, :not_found}delete_owner_password_rules(owner_id)
@spec delete_owner_password_rules(MscmpSystInstance.Types.owner_id()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Deletes an Owner Password Rules record from the system.
Parameters
owner_id- the Owner record ID whose Password Rules are to be deleted.
disallowed_passwords_populated?()
@spec disallowed_passwords_populated?() :: boolean()
Tests if the Disallowed Password List has any entries or not.
Returns a simple boolean value. If true, there are existing entries in the Disallowed Passwords Lists; otherwise false is returned.
Examples
iex> MssubMcp.disallowed_passwords_populated?()
trueget_access_account_password_rule(access_account_id)
@spec get_access_account_password_rule(MscmpSystAuthn.Types.access_account_id()) :: {:ok, MscmpSystAuthn.Types.PasswordRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves the Password Rules to apply for a requested Access Account as identified by its record ID.
When evaluating the validity of candidate passwords for a user the system retrieves the Global Password Rules and then the Access Account Owner Password Rules, if such Rules have been defined. The system will compare each of the Rules in the Global and Owner Password Rules with each other and select the rule which demands the greatest stringency. This process results in a composite Password Rule which can then be applied to test any candidate password for validity. This calculated composite Password Rule is what is returned by this function.
The return value is wrapped in a result tuple, {:ok, <rule>} on success and
{:error, <exception>} in cases of failure.
Parameters
access_account_id- the Access Account record ID of the user.
get_access_account_password_rule!(access_account_id)
@spec get_access_account_password_rule!(MscmpSystAuthn.Types.access_account_id()) :: MscmpSystAuthn.Types.PasswordRules.t()
Retrieves the Password Rules to apply for a requested Access Account as identified by its record ID, raising on error.
This function works the same as get_access_account_password_rule/1 except
that any errors cause an exception to be raised.
Parameters
access_account_id- the Access Account record ID of the user.
get_generic_password_rules(pwd_rules_struct, access_account_id \\ nil)
@spec get_generic_password_rules( Msdata.SystGlobalPasswordRules.t() | Msdata.SystOwnerPasswordRules.t(), MscmpSystAuthn.Types.access_account_id() | nil ) :: MscmpSystAuthn.Types.PasswordRules.t() | nil
Converts a Global or Owner Password Rule struct into the generic map based Password Rule required by some functions.
Msdata.SystGlobalPasswordRules and Msdata.SystOwnerPasswordRules both
define a standard set of known password rules, but do so as different data
types. While this works well for database record management features, testing
and validating actual password rules do not benefit from the distinction.
In these evaluation scenarios it's better to treat the password rule without
consideration of its source. This function returns the generic representation
that certain evaluation features such as test_credential/2 are expecting.
get_global_password_rules()
@spec get_global_password_rules() :: {:ok, Msdata.SystGlobalPasswordRules.t()} | {:error, MscmpSystError.t()}
Retrieves the currently active Global Password Rules.
On successful retrieval a success tuple in the form of {:ok, <record>} is
returned where record is a Msdata.SystGlobalPasswordRules
struct. Any exceptions are returned via an error tuple.
get_global_password_rules!()
@spec get_global_password_rules!() :: Msdata.SystGlobalPasswordRules.t()
Retrieves the currently active Global Password Rules, raising on error.
This function works the same as get_global_password_rules/0 except that
any errors cause an exception to be raised.
get_owner_password_rules(owner_id)
@spec get_owner_password_rules(MscmpSystInstance.Types.owner_id()) :: {:ok, Msdata.SystOwnerPasswordRules.t()} | {:ok, :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves the currently active Owner Password Rules for the requested Owner.
On successful retrieval a success tuple in the form of {:ok, <record>} is
returned where <record> is a populated
Msdata.SystownerPasswordRules struct if Password Rules
for the requested Owner was found or nil otherwise. Any exceptions are
returned via an error tuple.
Parameters
owner_id- the Owner record ID for whom to retrieve Password Rules.
get_owner_password_rules!(owner_id)
@spec get_owner_password_rules!(MscmpSystInstance.Types.owner_id()) :: Msdata.SystOwnerPasswordRules.t() | :not_found
Retrieves the currently active Owner Password Rules for the requested Owner, raising on error.
This function works the same as get_owner_password_rules/1 except that
any errors cause an exception to be raised.
Parameters
owner_id- the Owner record ID for whom to retrieve Password Rules.
load_disallowed_passwords(password_list, opts \\ [])
@spec load_disallowed_passwords(Enumerable.t(), Keyword.t()) :: :ok | {:error, MscmpSystError.t()}
Bulk loads a list of passwords into the Disallowed Passwords database table.
Typically this function will be used to receive a stream of passwords which
should be added to the system Disallowed Passwords list. The passwords
passed to this function are streamed into the PostgreSQL database via a
COPY ms_syst.syst_disallowed_passwords FROM command.
The system Disallowed Password List is stored using SHA-1 hashes of the disallowed passwords to prevent the casual disclosure of possibly sensitive information including so called "Personally Identifiable Information" (PII). If passwords to this function are provided via plain text this function will convert them to the expected SHA-1 representation.
Parameters
password_list- A required Enumerable of passwords to disallow. The passwords in this list are accepted in one of two possible formats: simple plain text passwords or as sha1 hashes represented using PostgreSQL'sbyteatextual export format (e.g. "example_pg_disallowed" = "\x32dc749fd3ef7bcf79d125a3f9146c0f122f8763"). Which is expected depends on thepg_formatoption described below.
Plain Text Processing Tip
If the
password_listis using the plain text representation, some sources, such asFile.stream!/3may add an extraneous newline (or similar) to the password which must be stripped prior to passing to this function. Failing to do so will result in incorrect hashing and the requested passwords will not be effectively disallowed.
options- An optional Keyword List of settings with which the caller can influence the behavior of this function. The available options are:pg_format- a boolean value which indicates the format that the source passwords are being provided in. If true, the passwords to disallow are expected to be already be SHA-1 hashed and represented using PostgreSQL'sbyteatextual representation; if false, the passwords are assumed to be represented using simple plain text which will be transformed as needed by this function. The default value of this parameter isfalsefor plain text processing.timeout- an integer representing the number of milliseconds that the database transaction processing the load operation will wait prior to timing out with an error. Bulk loading is assumed to be used in cases where a substantial amount of data might be processed; certainly enough data to possibly exceed the system default database transaction timeout. As such it is recommend to be sure the timeout here is fit for the data requirements expected for any given call. The default value is 300,000 milliseconds (5 minutes).
Examples
Loading the Disallowed Passwords List using a file listing plain text passwords.
iex> MssubMcp.password_disallowed?("example_plain_disallowed")
false
iex> Path.join(["database", "example_plain_disallowed_passwords.txt"])
...> |> File.stream!()
...> |> Stream.map(&String.trim_trailing(&1, "\n"))
...> |> MssubMcp.load_disallowed_passwords()
:ok
iex> MssubMcp.password_disallowed?("example_plain_disallowed")
trueLoading the Disallowed Passwords List using a file already formatted for direct loading into PostgreSQL.
iex> MssubMcp.password_disallowed?("example_pg_disallowed")
false
iex> Path.join(["database", "example_pg_disallowed_passwords.txt"])
...> |> File.stream!()
...> |> MssubMcp.load_disallowed_passwords(pg_format: true)
:ok
iex> MssubMcp.password_disallowed?("example_pg_disallowed")
truepassword_disallowed(password)
@spec password_disallowed(MscmpSystAuthn.Types.credential()) :: {:ok, boolean()} | {:error, MscmpSystError.t()}
Indicates whether the requested password is disallowed.
This function returns a tuple in the form of {:ok, <disallowed>} where the
disallowed value is either true meaning that the requested password is
disallowed or false if the password is available for use.
Regardless of the return of this function, disallowed passwords are only
prevented for use if the effective disallow_compromised Password Rule for
the Access Account attempting authentication is set.
Parameters
password- the plaintext password to test for disallowed status.
Examples
When a password has been previously disallowed and cannot be used as a user credential.
iex> MssubMcp.password_disallowed("Is Disallowed")
{:ok, true}When a password has not been previously disallowed.
iex> MssubMcp.password_disallowed("Is Not Disallowed")
{:ok, false}password_disallowed?(password)
@spec password_disallowed?(MscmpSystAuthn.Types.credential()) :: boolean()
Indicates whether the requested password is disallowed, raising on error.
This function works the same as disallowed_password/1 except this function
returns a simple boolean value rather than a result tuple. If an error is
encountered an exception is raised.
Parameters
password- the plaintext password to test for disallowed status.
Examples
When a password has been previously disallowed and cannot be used as a user credential.
iex> MssubMcp.password_disallowed?("Is Disallowed")
trueWhen a password has not been previously disallowed.
iex> MssubMcp.password_disallowed?("Is Not Disallowed")
falsetest_credential(access_account_id, plaintext_pwd)
@spec test_credential( MscmpSystAuthn.Types.access_account_id() | MscmpSystAuthn.Types.PasswordRules.t(), MscmpSystAuthn.Types.credential() ) :: {:ok, Keyword.t(MscmpSystAuthn.Types.password_rule_violations())} | {:error, MscmpSystError.t() | Exception.t()}
Tests a candidate password against the effective Password Rules for a given Access Account.
Prior to attempting to save a Password Credential, it should be tested for
compliance with the Global Password Rules and any Owner Password Rules that
exist for the Owner of the Access Account. This function performs that test
and will return all of the violations detected. If no issues are detected,
a success tuple with a value of empty list will be returned ({:ok, []}).
Note that this function is recommended to run prior to attempting to save a Password Credential, but is not required. Any function which can save a new password to the database will independently test the candidate password against the effective Password Rules prior to saving the Credential, erroring on any invalid password.
Parameters
access_account_id- the record ID of the Access Account for whom to perform the test. The applicable Password Rules may derive from the Access Account Owner if the Access Account is in fact owned.plaintext_pwd- the candidate Password to test against the rules.
Examples
A successful password test.
iex> {:ok, access_account_id} =
...> MssubMcp.get_access_account_id_by_name("example_accnt")
iex> MssubMcp.test_credential(access_account_id, "A Passing Password.")
{:ok, []}An invalid password test.
iex> {:ok, access_account_id} =
...> MssubMcp.get_access_account_id_by_name("example_accnt")
iex> MssubMcp.test_credential(access_account_id, "short")
{:ok, [password_rule_length_min: 8]}update_global_password_rules(update_params)
@spec update_global_password_rules(MscmpSystAuthn.Types.password_rule_params()) :: {:ok, Msdata.SystGlobalPasswordRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates the Global Password Rules with new values.
The Global Password Rules are created at system installation time with a default and recommended set of values, but these values may be customized as desired any time after installation.
Note that the original Global Password Rules data will be retrieved for use in the update process and that no Ecto optimistic locking will be employed with this update.
Parameters
update_params- a map of the values to use when updating the Global Password Rules record. SeeMscmpSystAuthn.Types.password_rule_params/0for details regarding the available attributes.
update_global_password_rules(global_password_rules, update_params)
@spec update_global_password_rules( Msdata.SystGlobalPasswordRules.t(), MscmpSystAuthn.Types.password_rule_params() ) :: {:ok, Msdata.SystGlobalPasswordRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates the Global Password Rules with new values using a caller provided data source record.
This function works the same as described in create_update_global_password_rules/1
except that in this version the caller must also provide a source
data struct to act as the basis of the update. Ecto optimistic locking will
be applied to the update process.
Parameters
global_password_rules- a fully populatedMsdata.SystGlobalPasswordRulesrecord representing the state of the Global Password Rules prior to the change.update_params- a map of the values to use when updating the Global Password Rules record. SeeMscmpSystAuthn.Types.password_rule_params/0for details regarding the available attributes.
update_owner_password_rules(owner, update_params)
@spec update_owner_password_rules( MscmpSystInstance.Types.owner_id() | Msdata.SystOwnerPasswordRules.t(), MscmpSystAuthn.Types.password_rule_params() ) :: {:ok, Msdata.SystOwnerPasswordRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates the Owner Password Rules with new values.
After creation, Owner Password Rules may be updated with new values as might meet the specific needs of the Owner.
Parameters
owner- the record ID of the Owner for whom the Password Rules are being updated or the fully populated data struct representing the current Owner Password Rules. Note that if the data struct is provided Ecto optimistic locking will be in effect.update_params- a map of the values to use when updating the Owner Password Rules record. SeeMscmpSystAuthn.Types.password_rule_params/0for details regarding the available attributes.
verify_password_rules(test_rules, standard_rules \\ nil)
@spec verify_password_rules( MscmpSystAuthn.Types.PasswordRules.t(), Msdata.SystGlobalPasswordRules.t() | MscmpSystAuthn.Types.PasswordRules.t() | nil ) :: {:ok, Keyword.t(MscmpSystAuthn.Types.password_rule_violations())} | {:error, MscmpSystError.t() | Exception.t()}
Compares a "Test" set of Password Rules against a "Standard" set of Password Rules and reports on which of the "Test" Rules are considered less stringent than the "Standard" Rules.
The primary use case for this function is to test how Owner Password Rules ("Test" Rules) compare against the Global Password Rules ("Standard" Rules), but the function can compare any two rules.
The return value of this function is wrapped in a result tuple. A result of
{:ok, <rule violations>} is returned on success and an error tuple in the
form of {:error, <exception>} is returned on error. The <rule violations>
value is a Keyword List where each tuple's key represents the rule violated
and the tuple's value is the required value for that rule; whether the
required value is a minimum or maximum depends on the nature of the specific
rule being reported.
Parameters
test_rules- a Password Rule which will be tested against the value of thestandard_rules. Where thetest_rulesare less stringent than thestandard_rules, a violation is reported in the result.standard_rules- the "Standard" against which thetest_rulesare judged. This parameter is optional and when nil the Global Password Rule is retrieved and used as the default "Standard" Rules. Otherwise either a genericMscmpSystAuthn.Types.PasswordRules.t/0value or a populatedMsdata.SystGlobalPasswordRulesdata struct may be provided.
verify_password_rules!(test_rules, standard_rules \\ nil)
@spec verify_password_rules!( MscmpSystAuthn.Types.PasswordRules.t(), Msdata.SystGlobalPasswordRules.t() | MscmpSystAuthn.Types.PasswordRules.t() | nil ) :: Keyword.t(MscmpSystAuthn.Types.password_rule_violations())
Compares a "Test" set of Password Rules against a "Standard" set of Password Rules and reports on which of the "Test" Rules are considered less stringent than the "Standard" Rules, raising on error.
This function works the same as verify_password_rules/2 except that any
errors cause an exception to be raised.
Parameters
test_rules- a Password Rule which will be tested against the value of thestandard_rules. Where thetest_rulesare less stringent than thestandard_rules, a violation is reported in the result.standard_rules- the "Standard" against which thetest_rulesare judged. This parameter is optional and when nil the Global Password Rule is retrieved and used as the default "Standard" Rules. Otherwise either a genericMscmpSystAuthn.Types.PasswordRules.t/0value or a populatedMsdata.SystGlobalPasswordRulesdata struct may be provided.
Network Rules
create_disallowed_host(host_address)
@spec create_disallowed_host(MscmpSystAuthn.Types.host_address()) :: {:ok, Msdata.SystDisallowedHosts.t()} | {:error, MscmpSystError.t()}
Adds a host IP address to the global disallowed hosts list.
Disallowed hosts are IP addresses which are prevented from authenticating users with the system, and by extension prevents host access to application functions generally. Hosts are disallowed on a global basis and may be added to the list based on system heuristics which detect suspicious activity.
Successfully adding a host to the list returns a success tuple and a struct representing the record just created. Attempting to add a host which is already part of the list will also result in a success tuple, but no record is returned.
Parameters
host_address- the IP address of the host to disallow.
Examples
Adding a new host to the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, false} = MssubMcp.host_disallowed(~i"10.123.123.20")
iex> {:ok, %Msdata.SystDisallowedHosts{}} =
...> MssubMcp.create_disallowed_host(~i"10.123.123.20")Attempting to add a host already on the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, true} = MssubMcp.host_disallowed(~i"10.123.123.3")
iex> {:ok, nil} =
...> MssubMcp.create_disallowed_host(~i"10.123.123.3")create_global_network_rule(insert_params)
@spec create_global_network_rule(MscmpSystAuthn.Types.global_network_rule_params()) :: {:ok, Msdata.SystGlobalNetworkRules.t()} | {:error, MscmpSystError.t()}
Creates a new Global Network Rule using the provided parameters.
Global Network Rules are checked prior to all attempted user authentication events and have precedence over Owner and Instance Network Rules, though they are secondary to the Disallowed Hosts list.
On successful creation, a result tuple in the form {:ok, <new record>} is
returned where the <new record> is the fully populated Data struct of the
record just created. If an exception is raised this function will return a
failure tuple in the form of {:error, <exception data>}.
Parameters
insert_params- a map representing the values to use when creating the new Global Network Rule. SeeMscmpSystAuthn.Types.global_network_rule_params/0for the available attributes.
Example
Adding a new "Allow" Global Network Rule for a CIDR network.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> new_global_rule = %{
...> ordering: 20,
...> functional_type: :allow,
...> ip_host_or_network: ~i"10.100.150.0/24"
...> }
iex> {:ok, %Msdata.SystGlobalNetworkRules{}} =
...> MssubMcp.create_global_network_rule(new_global_rule)Adding a new "Deny" Global Network Rule for an IP Address range.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> new_global_rule = %{
...> ordering: 21,
...> functional_type: :deny,
...> ip_host_or_network: nil,
...> ip_host_range_lower: ~i"10.100.151.1",
...> ip_host_range_upper: ~i"10.100.152.254"
...> }
iex> {:ok, %Msdata.SystGlobalNetworkRules{}} =
...> MssubMcp.create_global_network_rule(new_global_rule)create_instance_network_rule(instance_id, insert_params)
@spec create_instance_network_rule( MscmpSystInstance.Types.instance_id(), MscmpSystAuthn.Types.instance_network_rule_params() ) :: {:ok, Msdata.SystInstanceNetworkRules.t()} | {:error, MscmpSystError.t()}
Creates a new Instance Network Rule using the provided parameters.
Instance Network Rules the checked after the Disallowed Hosts list, the Global Network Rules, and the Instance Network Rules and apply to all Instances owned by the specified Instance, unless a higher precedence rule already applies to the host.
On successful creation, a result tuple in the form {:ok, <new record>} is
returned where the <new record> is the fully populated Data struct of the
record just created. If an exception is raised this function will return a
failure tuple in the form of {:error, <exception data>}.
Parameters
instance_id- the record ID of the Instance for whom the Instance Network Rule is being created.insert_params- a map representing the values to use when creating the new Instance Network Rule. SeeMscmpSystAuthn.Types.instance_network_rule_params/0for the available attributes.
Example
Adding a new "Allow" Instance Network Rule for a CIDR network.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, instance_id} =
...> MssubMcp.get_instance_id_by_name("app1_owner8_instance_types_std")
iex> new_instance_rule = %{
...> ordering: 1,
...> functional_type: :allow,
...> ip_host_or_network: ~i"10.100.170.0/24"
...> }
iex> {:ok, %Msdata.SystInstanceNetworkRules{}} =
...> MssubMcp.create_instance_network_rule(instance_id, new_instance_rule)Adding a new "Deny" Instance Network Rule for an IP Address range.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, instance_id} =
...> MssubMcp.get_instance_id_by_name("app1_owner8_instance_types_std")
iex> new_instance_rule = %{
...> ordering: 2,
...> functional_type: :deny,
...> ip_host_or_network: nil,
...> ip_host_range_lower: ~i"10.100.171.1",
...> ip_host_range_upper: ~i"10.100.172.254"
...> }
iex> {:ok, %Msdata.SystInstanceNetworkRules{}} =
...> MssubMcp.create_instance_network_rule(instance_id, new_instance_rule)create_owner_network_rule(owner_id, insert_params)
@spec create_owner_network_rule( MscmpSystInstance.Types.owner_id(), MscmpSystAuthn.Types.owner_network_rule_params() ) :: {:ok, Msdata.SystOwnerNetworkRules.t()} | {:error, MscmpSystError.t()}
Creates a new Owner Network Rule using the provided parameters.
Owner Network Rules the checked after the Disallowed Hosts list, the Global Network Rules, and the Instance Network Rules and apply to all Instances owned by the specified Owner, unless a higher precedence rule already applies to the host.
On successful creation, a result tuple in the form {:ok, <new record>} is
returned where the <new record> is the fully populated Data struct of the
record just created. If an exception is raised this function will return a
failure tuple in the form of {:error, <exception data>}.
Parameters
owner_id- the record ID of the Owner for whom the Owner Network Rule is being created.insert_params- a map representing the values to use when creating the new Owner Network Rule. SeeMscmpSystAuthn.Types.owner_network_rule_params/0for the available attributes.
Example
Adding a new "Allow" Owner Network Rule for a CIDR network.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, owner_id} = MssubMcp.get_owner_id_by_name("owner8")
iex> new_owner_rule = %{
...> ordering: 1,
...> functional_type: :allow,
...> ip_host_or_network: ~i"10.100.160.0/24"
...> }
iex> {:ok, %Msdata.SystOwnerNetworkRules{}} =
...> MssubMcp.create_owner_network_rule(owner_id, new_owner_rule)Adding a new "Deny" Owner Network Rule for an IP Address range.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, owner_id} = MssubMcp.get_owner_id_by_name("owner8")
iex> new_owner_rule = %{
...> ordering: 2,
...> functional_type: :deny,
...> ip_host_or_network: nil,
...> ip_host_range_lower: ~i"10.100.161.1",
...> ip_host_range_upper: ~i"10.100.162.254"
...> }
iex> {:ok, %Msdata.SystOwnerNetworkRules{}} =
...> MssubMcp.create_owner_network_rule(owner_id, new_owner_rule)delete_disallowed_host(disallowed_host)
@spec delete_disallowed_host( MscmpSystAuthn.Types.disallowed_host_id() | Msdata.SystDisallowedHosts.t() ) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Deletes a host IP address from the Disallowed Hosts list based on either a
Msdata.SystDisallowedHosts record or the ID of such a
record.
If the record is found and deleted a success tuple in the form {:ok, :deleted}
is returned. If the record is not found the success tuple {:ok, :not_found}
is returned.
Once a host is removed from the Disallowed Hosts list, users are allowed to authenticate from the host, so long as no other effective Network Rule prevents the action.
Parameters
disallowed_host- either the fully populatedMsdata.SystDisallowedHostsdata struct for the record to delete or the ID of the record. Note that when the data struct is provided Ecto optimistic locking is applied to the the delete operation.
Examples
Deleting a host by record ID.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, target_host_record} =
...> MssubMcp.get_disallowed_host_record_by_host(~i"10.10.250.4")
iex> MssubMcp.delete_disallowed_host(target_host_record.id)
{:ok, :deleted}Deleting a host by record struct.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, target_host_record} =
...> MssubMcp.get_disallowed_host_record_by_host(~i"10.10.250.5")
iex> MssubMcp.delete_disallowed_host(target_host_record)
{:ok, :deleted}Deleting a struct for a no longer existent record.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, target_host_record} =
...> MssubMcp.get_disallowed_host_record_by_host(~i"10.10.250.6")
iex> MssubMcp.delete_disallowed_host(target_host_record)
{:ok, :deleted}
iex> MssubMcp.delete_disallowed_host(target_host_record)
{:ok, :not_found}delete_disallowed_host_addr(host_addr)
@spec delete_disallowed_host_addr(MscmpSystAuthn.Types.host_address()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Deletes a host IP address from the Disallowed Hosts list as looked up by the host IP address.
If the record is found and deleted a success tuple in the form {:ok, :deleted}
is returned. If the record is not found the success tuple {:ok, :not_found}
is returned. Any other condition would cause an error tuple to be returned.
Once a host is removed from the Disallowed Hosts list, users are allowed to authenticate from the host, so long as no other effective Network Rule prevents the action.
Parameters
host_addr- the IP address of the host that is no longer to be disallowed.
Examples
Deleting a host that does exist in the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, true} = MssubMcp.host_disallowed(~i"10.10.251.1")
iex> {:ok, :deleted} =
...> MssubMcp.delete_disallowed_host_addr(~i"10.10.251.1")
iex> {:ok, false} = MssubMcp.host_disallowed(~i"10.10.251.1")Attempting to delete a host not already on the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, false} = MssubMcp.host_disallowed(~i"10.10.251.10")
iex> {:ok, :not_found} =
...> MssubMcp.delete_disallowed_host_addr(~i"10.10.251.10")delete_global_network_rule(global_network_rule_id)
@spec delete_global_network_rule(Ecto.UUID.t()) :: :ok | {:error, MscmpSystError.t() | Exception.t()}
Deletes an existing Global Network Rule record as referenced by the record ID.
On successful deletion, a simple result of :ok is returned. On error, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
global_network_rule_id- The record ID of the Global Network Rule record to delete.
delete_instance_network_rule(instance_network_rule_id)
@spec delete_instance_network_rule(Ecto.UUID.t()) :: :ok | {:error, MscmpSystError.t() | Exception.t()}
Deletes an existing Instance Network Rule record as referenced by the record ID.
On successful deletion, a simple result of :ok is returned. On error, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
instance_network_rule_id- The record ID of the Instance Network Rule record to delete.
delete_owner_network_rule(owner_network_rule_id)
@spec delete_owner_network_rule(Ecto.UUID.t()) :: :ok | {:error, MscmpSystError.t() | Exception.t()}
Deletes an existing Owner Network Rule record as referenced by the record ID.
On successful deletion, a simple result of :ok is returned. On error, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
owner_network_rule_id- The record ID of the Owner Network Rule record to delete.
get_applied_network_rule(host_address, instance_id \\ nil, instance_owner_id \\ nil)
@spec get_applied_network_rule( MscmpSystAuthn.Types.host_address(), MscmpSystInstance.Types.instance_id() | nil, MscmpSystInstance.Types.owner_id() | nil ) :: {:ok, MscmpSystAuthn.Types.AppliedNetworkRule.t()} | {:error, MscmpSystError.t() | Exception.t()}
Returns the Network Rule which should be applied for the given Host IP Address.
This function compares the provided Host IP Address against the applicable Network Rules which apply to it and return the specific rule which should be applied during the authentication process.
Network Rule Precedence
The specific rules to check for applicability depends on the other provided parameters. The available Network Rule sets in order of precedence are:
Disallowed Hosts: Globally disallowed hosts are always checked first and no later rule can override the denial. Only removing the host from the Disallowed Hosts List can reverse this denial.
Global Network Rules: These are rules applied to all presented Host IP Addresses.
Instance Network Rules: Rules defined by Instance Owners and are the most granular rule level available. These Network Rules are only evaluated if the
instance_idparameter is provided.Owner Network Rules: Network Rules which are applicable to all Instances of a given Owner, provided no superseding Instance Network Rule was found. This rule set is included if either the
instance_idorowner_idparameter is provided.Default Network Rule: When no explicitly defined Network Rule has been found for a host, this rule will apply implicitly. The current rule grants access from any host.
Return Value
This function returns a result tuple. The value element of the result tuple
is a map of type MscmpSystAuthn.Types.AppliedNetworkRule.t/0.
The map indicates which precedence group the rule came from, the ID of the
Network Rule record if the rule was derived from the various Network Rule
data tables, and the Functional Type of the rule: :allow meaning the
rule explicitly allows the host to attempt an authentication, or :deny
indicating that the host is not allowed to attempt authentication.
Parameters
host_address- the Host IP Address which the user wishes to authenticate from.instance_id- the record ID of an Instance to which the user wants to gain access. This parameter is optional, though excluding this parameter will leave the Instance Network Rules might properly apply unevaluated. If this parameter is provided, the Owner of the Instance is implied and there is no need to also supply theowner_idparameter.owner_id- the record ID of an Owner which owns the candidate Instances to which the user wishes to authenticate. This parameter is not required if theinstance_idparameter has been provided. Otherwise, this parameter is optional, though if the Owner has not been resolved through this parameter or via theinstance_id, the Owner Network Rules that might apply to the authentication attempt will not be applied.
Examples
When the host is a member of the Disallowed Hosts lists.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok,
...> %MscmpSystAuthn.Types.AppliedNetworkRule{
...> functional_type: :deny, network_rule_id: id, precedence: :disallowed
...> }
...> } = MssubMcp.get_applied_network_rule(~i"10.123.123.3")
iex> is_binary(id)
trueWhen the Host IP Address does not match any explicitly defined rule and the implicit rule applies.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.get_applied_network_rule(~i"10.124.124.3")
{:ok,
%MscmpSystAuthn.Types.AppliedNetworkRule{
functional_type: :allow, network_rule_id: nil, precedence: :implied
}
}When a Global Network Rule explicitly allows the Host IP Address to attempt authentication.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok,
...> %MscmpSystAuthn.Types.AppliedNetworkRule{
...> functional_type: :allow, network_rule_id: id, precedence: :global
...> }
...> } = MssubMcp.get_applied_network_rule(~i"10.125.125.3")
iex> is_binary(id)
trueNote that while the examples did not include Instance or Owner IDs, the examples are none-the-less representative of cases where they are included.
get_applied_network_rule!(host_address, instance_id \\ nil, instance_owner_id \\ nil)
@spec get_applied_network_rule!( MscmpSystAuthn.Types.host_address(), MscmpSystInstance.Types.instance_id() | nil, MscmpSystInstance.Types.owner_id() | nil ) :: MscmpSystAuthn.Types.AppliedNetworkRule.t()
Returns the Network Rule which should be applied for the given Host IP Address, raising on error.
This function works the same as get_applied_network_rule/3 except this
function returns its result without wrapping it in a result tuple. If an
error is encountered an exception is raised.
Parameters
host_address- the Host IP Address which the user wishes to authenticate from.instance_id- the record ID of an Instance to which the user wants to gain access. This parameter is optional, though excluding this parameter will leave the Instance Network Rules might properly apply unevaluated. If this parameter is provided, the Owner of the Instance is implied and there is no need to also supply theowner_idparameter.owner_id- the record ID of an Owner which owns the candidate Instances to which the user wishes to authenticate. This parameter is not required if theinstance_idparameter has been provided. Otherwise, this parameter is optional, though if the Owner has not been resolved through this parameter or via theinstance_id, the Owner Network Rules that might apply to the authentication attempt will not be applied.
Examples
When the host is a member of the Disallowed Hosts lists.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> %MscmpSystAuthn.Types.AppliedNetworkRule{
...> functional_type: :deny, network_rule_id: id, precedence: :disallowed
...> } = MssubMcp.get_applied_network_rule!(~i"10.123.123.3")
iex> is_binary(id)
trueWhen the Host IP Address does not match any explicitly defined rule and the implicit rule applies.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.get_applied_network_rule!(~i"10.124.124.3")
%MscmpSystAuthn.Types.AppliedNetworkRule{
functional_type: :allow, network_rule_id: nil, precedence: :implied
}When a Global Network Rule explicitly allows the Host IP Address to attempt authentication.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> %MscmpSystAuthn.Types.AppliedNetworkRule{
...> functional_type: :allow, network_rule_id: id, precedence: :global
...> } = MssubMcp.get_applied_network_rule!(~i"10.125.125.3")
iex> is_binary(id)
trueNote that while the examples did not include Instance or Owner IDs, the examples are none-the-less representative of cases where they are included.
get_disallowed_host_record_by_host(host_addr)
@spec get_disallowed_host_record_by_host(MscmpSystAuthn.Types.host_address()) :: {:ok, Msdata.SystDisallowedHosts.t() | nil} | {:error, MscmpSystError.t()}
Retrieves a Disallowed Host record from the database as identified by its host address.
Parameters
host_address- the IP address of the disallowed host record to retrieve.
Example
Retrieving a Disallowed Host record by IP address.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> {:ok, %Msdata.SystDisallowedHosts{}} =
...> MssubMcp.get_disallowed_host_record_by_host(~i"10.123.123.4")Attempting to retrieve a record for a host not on the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.get_disallowed_host_record_by_host(~i"10.125.120.20")
{:ok, nil}get_disallowed_host_record_by_host!(host_addr)
@spec get_disallowed_host_record_by_host!(MscmpSystAuthn.Types.host_address()) :: Msdata.SystDisallowedHosts.t() | nil
Retrieves a Disallowed Host record from the database as identified by its host address, raising on error.
This function works the same as get_disallowed_host_record_by_host/1 except
this function returns its result without wrapping it in a result tuple. If an
error is encountered an exception is raised.
Parameters
host_address- the IP address of the disallowed host record to retrieve.
Example
Retrieving a Disallowed Host record by IP address.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> %Msdata.SystDisallowedHosts{} =
...> MssubMcp.get_disallowed_host_record_by_host!(~i"10.123.123.4")Attempting to retrieve a record for a host not on the list.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.get_disallowed_host_record_by_host!(~i"10.125.120.20")
nilget_disallowed_host_record_by_id(disallowed_host_id)
@spec get_disallowed_host_record_by_id(MscmpSystAuthn.Types.disallowed_host_id()) :: {:ok, Msdata.SystDisallowedHosts.t()} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves a Disallowed Host record by the record ID.
This function assumes the record exists. If the record does not exist an error tuple will be returned.
Parameters
disallowed_host_id- the record ID of the Disallowed Host record to retrieve.
Example
Retrieving a Disallowed Host record by record ID.
{:ok, %Msdata.SystDisallowedHosts{}} =
MssubMcp.get_disallowed_host_record_by_id(
"ad7f2030-5895-11ed-a888-0f8a20e745a9")get_disallowed_host_record_by_id!(disallowed_host_id)
@spec get_disallowed_host_record_by_id!(MscmpSystAuthn.Types.disallowed_host_id()) :: Msdata.SystDisallowedHosts.t()
Retrieves a Disallowed Host record by the record ID, raising on error.
This function works the same as get_disallowed_host_record_by_id/1 except
this function returns its result without wrapping it in a result tuple. If an
error is encountered, including if the record does not exist, an exception is
raised.
Parameters
disallowed_host_id- the record ID of the Disallowed Host record to retrieve.
Example
Retrieving a Disallowed Host record by record ID.
%Msdata.SystDisallowedHosts{} =
MssubMcp.get_disallowed_host_record_by_id!(
"ad7f2030-5895-11ed-a888-0f8a20e745a9")get_global_network_rule(global_network_rule_id)
@spec get_global_network_rule(Ecto.UUID.t()) :: {:ok, Msdata.SystGlobalNetworkRules.t()} | {:ok, :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves a Global Network Rule record based on its record ID.
For a given Global Network Rule record ID this function will return a result
tuple in the form of {:ok, <record>} where <record> is the fully
populated Msdata.SystGlobalNetworkRules. If the
record does not exist, then {:ok, :not_found} is returned. Otherwise, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
global_network_rule_id- the record ID of the desired Global Network Rule record.
get_global_network_rule!(global_network_rule_id)
@spec get_global_network_rule!(Ecto.UUID.t()) :: Msdata.SystGlobalNetworkRules.t() | :not_found
Retrieves a Global Network Rule record based on its record ID, raising on error.
This function works the same as get_global_network_rule/1 except this
function returns its result without wrapping it in a result tuple. If an
error is encountered, including if the record does not exist, an exception is
raised.
Parameters
global_network_rule_id- the record ID of the desired Global Network Rule record.
get_instance_network_rule(instance_network_rule_id)
@spec get_instance_network_rule(Ecto.UUID.t()) :: {:ok, Msdata.SystInstanceNetworkRules.t()} | {:ok, :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves a Instance Network Rule record based on its record ID.
For a given Instance Network Rule record ID this function will return a result
tuple in the form of {:ok, <record>} where <record> is the fully
populated Msdata.SystInstanceNetworkRules. If the
record does not exist, then {:ok, :not_found} is returned. Otherwise, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
instance_network_rule_id- the record ID of the desired Instance Network Rule record.
get_instance_network_rule!(instance_network_rule_id)
@spec get_instance_network_rule!(Ecto.UUID.t()) :: Msdata.SystInstanceNetworkRules.t() | :not_found
Retrieves a Instance Network Rule record based on its record ID, raising on error.
This function works the same as get_instance_network_rule/1 except this
function returns its result without wrapping it in a result tuple. If an
error is encountered, including if the record does not exist, an exception is
raised.
Parameters
instance_network_rule_id- the record ID of the desired Instance Network Rule record.
get_owner_network_rule(owner_network_rule_id)
@spec get_owner_network_rule(Ecto.UUID.t()) :: {:ok, Msdata.SystOwnerNetworkRules.t()} | {:ok, :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Retrieves a Owner Network Rule record based on its record ID.
For a given Owner Network Rule record ID this function will return a result
tuple in the form of {:ok, <record>} where <record> is the fully
populated Msdata.SystOwnerNetworkRules. If the
record does not exist, then {:ok, :not_found} is returned. Otherwise, an
error tuple in the form of {:error, <exception>} is returned.
Parameters
owner_network_rule_id- the record ID of the desired Owner Network Rule record.
get_owner_network_rule!(owner_network_rule_id)
@spec get_owner_network_rule!(Ecto.UUID.t()) :: Msdata.SystOwnerNetworkRules.t() | :not_found
Retrieves a Owner Network Rule record based on its record ID, raising on error.
This function works the same as get_owner_network_rule/1 except this
function returns its result without wrapping it in a result tuple. If an
error is encountered, including if the record does not exist, an exception is
raised.
Parameters
owner_network_rule_id- the record ID of the desired Owner Network Rule record.
host_disallowed(host_address)
@spec host_disallowed(MscmpSystAuthn.Types.host_address()) :: {:ok, boolean()} | {:error, MscmpSystError.t()}
Indicates whether the provided host IP address is to be denied access to the system.
This function returns a tuple in the form of {:ok, <disallowed>} where the
disallowed value is either true meaning that the requested host is
disallowed from authenticating with the system or false if the host is
permitted to attempt an authentication.
Parameters
host_address- the host IP address to test. Typically this will be the host address of a user wishing to authenticate with the system.
Examples
An allowed host will return a false result tuple.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.host_disallowed(~i"10.150.150.10")
{:ok, false} A disallowed host returns a true result tuple.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.host_disallowed(~i"10.123.123.5")
{:ok, true}host_disallowed?(host_address)
@spec host_disallowed?(MscmpSystAuthn.Types.host_address()) :: boolean()
Indicates whether the provided host IP address is to be denied access to the system, raising on error.
This function works the same as host_disallowed/1 except this function
returns its result without wrapping it in a result tuple. If an error is
encountered an exception is raised.
Parameters
host_address- the host IP address to test. Typically this will be the host address of a user wishing to authenticate with the system.
Examples
An allowed host will return a false value.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.host_disallowed?(~i"10.150.150.10")
false A disallowed host returns a true value.
iex> import MscmpSystNetwork, only: [sigil_i: 2]
iex> MssubMcp.host_disallowed?(~i"10.123.123.5")
trueupdate_global_network_rule(global_network_rule, update_params)
@spec update_global_network_rule( Ecto.UUID.t() | Msdata.SystGlobalNetworkRules.t(), MscmpSystAuthn.Types.global_network_rule_params() ) :: {:ok, Msdata.SystGlobalNetworkRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates an existing Global Network Rule with new values.
This function works similar to create_global_network_rule/1 but updates an
existing Global Network Rule record rather than creating a new one.
On successful update, a result tuple in the form {:ok, <record>} is returned
where the <record> is the fully populated Data struct of the record just
updated. If an exception is raised this function will return a failure tuple
in the form of {:error, <exception data>}.
Parameters
global_network_rule- this value is either a fully populatedMsdata.SystGlobalNetworkRulesstruct of an existing Global Network Rule record or the ID of such a record. If the data struct is provided, Ecto optimistic locking is applied to the update operation.update_params- a map representing the values to use when updating the Global Network Rule. All parameters are optional, with omission meaning that the existing value should retain its current value. SeeMscmpSystAuthn.Types.global_network_rule_params/0for the available attributes.
update_instance_network_rule(instance_network_rule, update_params)
@spec update_instance_network_rule( Ecto.UUID.t() | Msdata.SystInstanceNetworkRules.t(), MscmpSystAuthn.Types.instance_network_rule_params() ) :: {:ok, Msdata.SystInstanceNetworkRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates an existing Instance Network Rule with new values.
This function works similar to create_instance_network_rule/2 but updates an
existing Instance Network Rule record rather than creating a new one.
On successful update, a result tuple in the form {:ok, <record>} is returned
where the <record> is the fully populated Data struct of the record just
updated. If an exception is raised this function will return a failure tuple
in the form of {:error, <exception data>}.
Parameters
instance_network_rule- this value is either a fully populatedMsdata.SystInstanceNetworkRulesstruct of an existing Instance Network Rule record or the ID of such a record. If the data struct is provided, Ecto optimistic locking is applied to the update operation.update_params- a map representing the values to use when updating the Instance Network Rule. All parameters are optional, with omission meaning that the existing value should retain its current value. SeeMscmpSystAuthn.Types.instance_network_rule_params/0for the available attributes.
update_owner_network_rule(owner_network_rule, update_params)
@spec update_owner_network_rule( Ecto.UUID.t() | Msdata.SystOwnerNetworkRules.t(), MscmpSystAuthn.Types.owner_network_rule_params() ) :: {:ok, Msdata.SystOwnerNetworkRules.t()} | {:error, MscmpSystError.t() | Exception.t()}
Updates an existing Owner Network Rule with new values.
This function works similar to create_owner_network_rule/2 but updates an
existing Owner Network Rule record rather than creating a new one.
On successful update, a result tuple in the form {:ok, <record>} is returned
where the <record> is the fully populated Data struct of the record just
updated. If an exception is raised this function will return a failure tuple
in the form of {:error, <exception data>}.
Parameters
owner_network_rule- this value is either a fully populatedMsdata.SystOwnerNetworkRulesstruct of an existing Owner Network Rule record or the ID of such a record. If the data struct is provided, Ecto optimistic locking is applied to the update operation.update_params- a map representing the values to use when updating the Owner Network Rule. All parameters are optional, with omission meaning that the existing value should retain its current value. SeeMscmpSystAuthn.Types.owner_network_rule_params/0for the available attributes.
Account Code
create_or_reset_account_code(access_account_id, opts \\ [])
@spec create_or_reset_account_code( MscmpSystAuthn.Types.access_account_id(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticatorResult.t()} | {:error, MscmpSystError.t() | Exception.t()}
Creates a new Account Code for an Access Account or resets the Account Code if is already exists.
On successful Account Code Identity creation or reset, an Authenticator Result
value is returned via a success tuple ({:ok, <result>}). The expected form
of the result for a new Account Code is:
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
account_identifier: "QY7QJTWH7MSK"
}There is no associated Credential or Validator for this Identity Type.
Parameters
access_account_id- the record ID of the Access Account that will be identified by the Account Code Identity.opts- a Keyword list of optional settings which can influence the behavior of the function call. Available options are:account_code- this option overrides the randomly generated Account Code with the value of this option. By default the system randomly generates the Account Code.identity_token_length- overrides the number of characters to randomly generate for use as the Account Code Identifier. The default value is 12.identity_tokens- overrides the character set used to create the randomly generated Account Code Identifier. The default value is:b32c. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.
get_account_code_by_access_account_id(access_account_id)
@spec get_account_code_by_access_account_id(MscmpSystAuthn.Types.access_account_id()) :: {:ok, Msdata.SystIdentities.t() | :not_found} | {:error, MscmpSystError.t()}
Retrieves the Account Code Identity record defined for the requested Access Account if one exists.
If no Account Code Identity exists for the requested Access Account a tuple in
the form of {:ok, :not_found} is returned.
Parameters
access_account_id- the Access Account record ID for which to retrieve the Account Code Identity.
identify_access_account_by_code(account_code, owner_id)
@spec identify_access_account_by_code( MscmpSystAuthn.Types.account_identifier(), MscmpSystInstance.Types.owner_id() | nil ) :: {:ok, Msdata.SystIdentities.t() | :not_found} | {:error, MscmpSystError.t()}
Identifies an Access Account by its Account Code identifier.
On successful identification, the Account Code Identity record which was found
based on the supplied parameters is returned via a success tuple. If the
function completes successfully but no Identity record is found for the
Identifier a value of {:ok, :not_found} is returned.
Parameters
account_code- the Account Code identifier which will identify the Access Accountowner_id- if the expected Access Account is an Owned Access Account, the Owner must be identified. If the Access Account is Unowned, this parameter should benil.
revoke_account_code(access_account_id)
@spec revoke_account_code(MscmpSystAuthn.Types.access_account_id()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Revokes a previously create Account Code Identity from an Access Account, deleting it from the system.
On successful deletion a success tuple in the form {:ok, :deleted} is
returned. If no existing Account Code Identity is found a tuple in this form
{:ok, :not_found} is returned. All other outcomes are error conditions
resulting in the return of an error tuple.
Parameters
access_account_id- the Access Account record ID from which to revoke the Account Code Identity.
Authenticator Management
access_account_credential_recoverable!(access_account_id)
@spec access_account_credential_recoverable!(MscmpSystAuthn.Types.access_account_id()) :: :ok | :not_found | :existing_recovery
Indicates if an Access Account's Password Credential is recoverable or not.
Access Account Password Credentials are only recoverable when they: 1) exist,
and 2) are not already awaiting recovery. When the Password Credential is
recoverable this function will return a simple :ok value. If the Access
Account's Password Credential already has an issued recovery underway, the
value :existing_recovery is returned. If the Access Account lacks a
Password Credential record to recover, the value :not_found is returned. Any
errors encountered cause the function to raise an exception.
Parameters
access_account_id- the record ID of the Access Account which owns the Password Credential to test for recoverability.
create_authenticator_api_token(access_account_id, opts \\ [])
@spec create_authenticator_api_token( MscmpSystAuthn.Types.access_account_id(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticatorResult.t()} | {:error, MscmpSystError.t() | Exception.t()}
Creates an API Token Authenticator for the requested Access Account.
On successful API Token Authenticator creation, a success tuple is returned where the value element is an Authenticator Result in the form of:
{ :ok,
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
account_identifier: "EQH2jj38ha4qnYWAC8VZ",
credential: "8N5Tp81aeOCrYW9PECANrcwKCroSet3MlMp5BbKb"
}}It is important to note that this result value is the only time that the API Token Credential plaintext is available. After the function result is discarded the credential is no longer obtainable in plaintext form.
Parameters
access_account_id- the record ID of the Access Account for which to create the API Token Authenticator.opts- a Keyword List of optional values which changes the default behavior of the Authenticator creation process. Available options are:identity_token_length- this option overrides the default number of random characters to generate for the API Token Identity identifier. The default number of characters generated is 20.identity_tokens- overrides the default character set to use in the generation of the API Token Identity identifier. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.external_name- API Token Identities permit Access Account holder naming of the Identity as it may be common for an one Access Account to require multiple API Token Authenticators for different purposes. This option allows that name to be set at Identity creation time. The default value isnil.credential_token_length- this option overrides the default number of random characters to generate for the API Token Credential. The default number of characters generated is 40.credential_tokens- overrides the default character set to use in the generation of the API Token Credential. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.credential_token- overrides the system generated API Token Credential with the value of this option. The default is to allow the system to automatically generate the credential.
create_authenticator_email_password(access_account_id, email_address, plaintext_pwd, opts \\ [])
@spec create_authenticator_email_password( MscmpSystAuthn.Types.access_account_id(), MscmpSystAuthn.Types.account_identifier(), MscmpSystAuthn.Types.credential(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticatorResult.t()} | {:error, MscmpSystError.t() | Exception.t()}
Creates an Email/Password Authenticator for an Access Account.
This function creates an Email Identity, Password Credential, and optionally an Identity Validation Authenticator (created by default). This function is typically used on adding a new Access Account to the system. The process is wrapped in a database transaction so if any one part of the Authenticator creation process fails, all parts should fail.
This function will fail if you attempt to create an Authenticator of this type for an Access Account which already has one. In the case of Email Identity replacement, use the specific Identity process to create a new Email Identity instead of this more expansive process.
On successful save of the Authenticator records, a success tuple is returned where the value element of the tuple will include basic data that might be required for later processing.
If Email/Password Authenticator was created requiring validation (the default), the success tuple's value element will include data required to process the Validation Authenticator:
{:ok,
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
account_identifier: "SomeEmail@somedomain.com",
validation_credential: "Uo0kPoCOZd004g4X7IFWg3iJ7pz7XiBRBDkBGGiu",
validation_identifier: "5D7i6XmmH0HpYL72tePlEdSUMVL9ygMrEsDSGoTE"
}}Note that this is the only time the Validation Authenticator is provided and the Validation Credential plaintext is not recoverable after this return value is provided.
When a Validation Authenticator is not created, no validation data will be included in the result:
{:ok,
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
account_identifier: "SomeEmail@somedomain.com"
}}Parameters
access_account_id- the Access Account for whom the Email/Password Authenticator is being created.email_address- the email address which will identify the Access Account.plaintext_pwd- the candidate password for use a the Credential in Email/Password authentication processes.
request_identity_validation(target_identity, opts \\ [])
@spec request_identity_validation( MscmpSystAuthn.Types.identity_id() | Msdata.SystIdentities.t(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticatorResult.t()} | {:error, MscmpSystError.t() | Exception.t()}
Requests the creation of a Validation Token Authenticator for the specified Identity.
On successful creation of the requested Validation Token Authenticator, an Authenticator Result will be returned as the value element of a success tuple:
{ :ok,
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
validation_identifier: "psYFOfuULJPTbs5MUvOYTyt71fAbQCj7XcmerRlQ",
validation_credential: "zz29w7l5Ev7vuRlGFHcPPjLTXjepdbYlyQwbBjDe"
}}Importantly, the system generated Validation Token identifier and plaintext credential are returned to the caller. This is the only opportunity to obtain the plaintext credential; after the return value of the function is disposed of there is no way to once again retrieve the plaintext of the Validation Token Credential.
Once the Validation Token Authenticator has been successfully created, the
target Identity (typically an Email Identity) may not be used for
authentication until the Validation Token itself has been successfully
authenticated via the authenticate_validation_token/4 function.
The created Validation Token Authenticator will expire after a time. After
expiration the the Authenticator will no longer be to be authenticated by
authenticate_validation_token/4. The only way to validate the target
Identity at that point is to create a new Validation Token Authenticator for
the Identity using this function.
Parameters
target_identity- either the record ID or theMsdata.SystIdentitiesstruct of the Identity record to validate. Typically this Identity will be an Email Identity.opts- a Keyword List of options which can change the behavior to the Identity validation request. The available options are:expiration_hours- overrides the default number of hours after which to consider the Validation Authenticator expired. By default the Validation Authenticator expires 24 hours after creation.identity_token_length- this option overrides the default number of random characters to generate for the Validation Token Identity identifier. The default number of characters generated is 40.identity_tokens- overrides the default character set to use in the generation of the Validation Token Identity identifier. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.credential_token_length- this option overrides the default number of random characters to generate for the Validation Token Credential. The default number of characters generated is 40.credential_tokens- overrides the default character set to use in the generation of the Validation Token Credential. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.credential_token- overrides the system generated Validation Credential with the value of this option. The default is to allow the system to automatically generate the credential.
request_password_recovery(access_account_id, opts \\ [])
@spec request_password_recovery(MscmpSystAuthn.Types.access_account_id(), Keyword.t()) :: {:ok, MscmpSystAuthn.Types.AuthenticatorResult.t()} | {:error, MscmpSystError.t() | Exception.t()}
Requests to start a Password Credential recovery process for the specified Access Account.
Assuming that the Access Account's Password Credential exists and isn't already being recovered, this function will create a new Recovery Token Authenticator for the Access Account's Password Credential.
On successful creation of the requested Recovery Token Authenticator, an Authenticator Result will be returned as the value element of a success tuple:
{ :ok,
%{
access_account_id: "c3c7fafd-5c45-11ed-ab46-f3d9be809bf9",
account_identifier: "acdyItesdmUvUoM7mKwPKd3mrBBnH87L2WA1DPip",
credential: "WYbFG2vkJOLD5ITX9tSE5OTZ9JlHdJE8BQ8Ukiiq"
}}Importantly, the system generated Recovery Token account identifier and plaintext credential are returned to the caller. This is the only opportunity to obtain the plaintext credential; after the return value of the function is disposed of there is no way to once again retrieve the plaintext of the Recovery Token Credential.
The existence of a Recovery Token Authenticator for a Password Credential does not prevent that Password Credential from continuing to be used in the authentication process.
A Recovery Token Authenticator will expire after a time. After expiration the
Recovery Token will no longer be able to be authenticated with
authenticate_recovery_token/4. Any further recovery of the Password
Credential will require a new Recovery Token be created.
Parameters
access_account_id- the record ID of the Access Account to which the Password Credential needing recovering belongs.opts- a Keyword List of options which can change the behavior to the password recovery request. The available options are:expiration_hours- overrides the default number of hours after which to consider the Recovery Authenticator expired. By default the Recovery Authenticator expires 24 hours after creation.identity_token_length- this option overrides the default number of random characters to generate for the Recovery Token Identity identifier. The default number of characters generated is 40.identity_tokens- overrides the default character set to use in the generation of the Recovery Token Identity identifier. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.credential_token_length- this option overrides the default number of random characters to generate for the Recovery Token Credential. The default number of characters generated is 40.credential_tokens- overrides the default character set to use in the generation of the Recovery Token Credential. The default value is:mixed_alphanum. See theMscmpSystUtils.get_random_string/2documentation for thetokensparameter which receives this option for more information regarding valid values for this setting.credential_token- overrides the system generated Recovery Credential with the value of this option. The default is to allow the system to automatically generate the credential.
reset_password_credential(access_account_id, new_credential)
@spec reset_password_credential( MscmpSystAuthn.Types.access_account_id(), MscmpSystAuthn.Types.credential() ) :: :ok | MscmpSystAuthn.Types.credential_set_failures() | {:error, MscmpSystError.t()}
Allows for an existing password to be changed to a new password.
The assumption is that a Password Credential already exists and that only the password itself is being changed from an old value to a new value.
This function ensures that the new password meets all applicable Password Rules prior to completing the change. This function will not allow you to set the password to an invalid value.
Finally, in the case of a user initiated password change, it is traditional that the user has to re-authenticate or provide their current password to verify they are, in fact, the person initiating the change. This function does not try to achieve this goal. The scope of this function assumes that any such confirmation of identity has been completed satisfactorily elsewhere.
On successful Password Credential reset this function will return :ok. If
the new credential fails to meet the Password Rule criteria that applies to
it, the function will return a failure tuple of type
MscmpSystAuthn.Types.credential_set_failures/0. All other return
conditions are errors and result in an error tuple.
Parameters
access_account_id- the Access Account for whom the Password is being changed.new_credential- the new Password which will become the credential on the successful completion of the function.
revoke_api_token(identity)
@spec revoke_api_token(MscmpSystAuthn.Types.identity_id() | Msdata.SystIdentities.t()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t()}
Revokes the request API Token Authenticator by deleting it from the system.
API Token Authenticators will regularly need to be decommissioned from the system by the Access Account holders they represent. By revoking an API Token it is deleted from system.
A successful deletion will return a success tuple if the form
{:ok, :deleted}. If the API Token Identity is not found this function will
return a success tuple of {:ok, :not_found}. Any other outcome is an error
and results in an error tuple being returned.
Parameters
identity- either the record ID of the API Token Identity to revoke or the current-stateMsdata.SystIdentitiesstruct of that record.
revoke_password_recovery(access_account_id)
@spec revoke_password_recovery(MscmpSystAuthn.Types.access_account_id()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Revokes the Recovery Token Authenticator for a previously initiated Password Credential recovery.
While Recovery Token Authenticators expire of their own accord after a time, they may also explicitly be revoked. In reality this means simply deleting the Recovery Token Authenticator from the system.
The return value of this function on successful execution will be the success
tuple {:ok, :deleted}. If a recovery is not already underway for the
requested Access Account, the function will return successfully but will
indicate that no action took place with a return of {:ok, :not_found}. Any
other condition is an error condition and the return value will be an error
tuple indicating the nature of the issue.
Parameters
access_account_id- identifies the Access Account for whom the Recovery Token Authenticator should be revoked. The expected value is the record ID of the Access Account.
revoke_validator_for_identity_id(target_identity_id)
@spec revoke_validator_for_identity_id(MscmpSystAuthn.Types.identity_id()) :: {:ok, :deleted | :not_found} | {:error, MscmpSystError.t() | Exception.t()}
Revokes a Validation Authenticator ("Validator") issued for the requested Identity.
While Validators will expire on their own if not confirmed first, there are cases where Validators should be revoked prior to that time, such as if the Validator communication to the user has been lost and a new Validator needs to be generated.
The return value is a result tuple which indicates whether or not the
revocation happened ({:ok, :deleted}), if the Validator was not found
({:ok, :not_found}), or an error tuple in any other circumstance.
Parameters
target_identity_id- the record ID of the Identity record which the Validator was meant to validate. So if the Validator to revoke was for an Email Identity, this value would be the ID of the Email Identity and not the Validation Identity.
update_api_token_external_name(identity, external_name)
@spec update_api_token_external_name( MscmpSystAuthn.Types.identity_id() | Msdata.SystIdentities.t(), String.t() | nil ) :: {:ok, Msdata.SystIdentities.t()} | {:error, MscmpSystError.t()}
Updates the External Name value of an existing API Token Identity.
API Token Identities permit Access Account holder naming of the Identity as it may be common for an one Access Account to require multiple API Token Authenticators for different purposes.
On success this function returns a success tuple where the value element of
the tuple is the updated Msdata.SystIdentities struct.
On error, an error tuple is returned.
Parameters
identity- either the record ID of the API Token Identity to update or the current-stateMsdata.SystIdentitiesstruct of that record.external_name- the text of the updated External Name value ornilto remove the text of an existing non-nil value.
Authentication
authenticate_api_token(identifier, plaintext_token, host_addr, instance_id, opts \\ [])
@spec authenticate_api_token( MscmpSystAuthn.Types.account_identifier(), MscmpSystAuthn.Types.credential(), MscmpSystNetwork.Types.addr_structs(), MscmpSystInstance.Types.instance_id(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticationState.t()} | {:error, MscmpSystError.t()}
Identities and authenticates an Access Account using an API Token Authenticator.
The return value of this function is a result tuple where a success tuple
({:ok, <value>}) indicates that the function processed without error, not
that the API Token Authenticator was successfully authenticated. The value
element of the success tuple, the Authentication State, carries information
about the actual outcome of the authentication attempt; see
MscmpSystAuthn.Types.AuthenticationState.t/0 for more about the
specific information carried by the Authentication State value. Otherwise,
an error tuple is returned indicating the nature of the processing failure.
The authentication process executed by this function is not interruptible. The initial call to this function must contain all parameter values required to fully complete the authentication process. Any missing information will cause the authentication attempt to be rejected.
Parameters
identifier- the identifier defined by the API Token identifier. Typically this would have been a system generated random string of characters available at API Token Authenticator creation time.plaintext_token- the plaintext API Token credential. Typically this would have been a system generated random string of characters available at API Token Authenticator creation time.host_address- the apparent origin host IP address from where the authentication attempt is originating. This value is used in the enforcement of applicable Network Rules.opts- a Keyword List of values that either optionally override default behaviors of this function or are optionally required. The available options are:owning_owner_id- if the Access Account is an Owned Access Account, this value must be set to the record ID of the Access Account's Owner. Otherwise it must be setnilor not provided. The default value isnil.instance_id- the record ID of the Application Instance to which the Access Account holder wishes to authenticate. This value is required must be provided at function call time or the Authentication State will be returned in a:rejectedstatus. In special cases where the authentication attempt is outside of the context of a specific Instance, the special value:bypassmay be used for this option indicating that the authentication attempt may skip the permitted Instance check. There is no default value (defaultnil).host_ban_rate_limit- overrides the default host IP address based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 30 attempts over a time window of 2 hours.identifier_rate_limit- overrides the default identifier based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 5 attempts over a time window of 30 minutes.deadline_minutes- overrides the default number of minutes that an authentication process can take before being rejected for taking too long. This deadline is needed because an arbitrary time can pass due to user interaction if the authenticator allows for an interruptable authentication process. The default deadline allows for 5 minutes to complete the authentication process.
authenticate_email_password(authentication_state, opts \\ [])
@spec authenticate_email_password( MscmpSystAuthn.Types.AuthenticationState.t(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticationState.t()} | {:error, MscmpSystError.t()}
Identifies and authenticates an Access Account on the basis of a starting Authentication State value constructed for Email/Password authentication.
This function works the same as authenticate_email_password/4 except that it
expects an existing Authentication State value to contain the basic
information to process the authentication, with other parameters provided via
the opts parameter. This function is typically used to continue a
previously interrupted call to authenticate_email_password/4 and supplying
it the necessary additional information to continue processing the
authentication to completion.
The options available for use here are the same as for
authenticate_email_password/4. However the options specified here are only
valid if they are applied to authentication process operations that are still
pending when this function is called. Options influencing operations
previously processed, such as owning_owner_id as used in Access Account
identification will simply be ignored if they are different in the resumption
of the process than they were in the initiating call.
See authenticate_email_password/4 for a discussion of the possible return
values.
authenticate_email_password(email_address, plaintext_pwd, host_address, opts \\ [])
@spec authenticate_email_password( MscmpSystAuthn.Types.account_identifier(), MscmpSystAuthn.Types.credential(), MscmpSystNetwork.Types.addr_structs(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticationState.t()} | {:error, MscmpSystError.t()}
Identities and authenticates an Access Account using an Email/Password Authenticator.
The return value of this function is a result tuple where a success tuple
({:ok, <value>}) indicates that the function processed without error, not
that the authentication was successful. The value element of the success
tuple, the Authentication State, carries information about the outcome of the
authentication attempt; see
MscmpSystAuthn.Types.AuthenticationState.t/0 for more about the
specific information carried by the Authentication State value. Otherwise,
an error tuple is returned indicating the nature of the processing failure.
Email/Password authentication is an interruptible process, meaning that this function may return prior to the authentication having been fully processed to a final result. The two most common examples of when this partial processing may happen are 1) the Application Instance was not initially identified; and
- further authentication is required such as when Multi-Factor Authentication
is required. In these cases the returned Authentication State is resubmitted
for process via
authenticate_email_password/2along with the updated information which allows authentication processing to complete.
Parameters
email_address- this is the username in the form of an email address used to identify the correct Email Identity record which in turn identifies a specific Access Account.plaintext_pwd- the Access Account holder's password as submitted in plaintext. This is the credential that will be authenticated using the Password Credential record belonging to the identified Access Account.host_address- the apparent origin host IP address from where the authentication attempt is originating. This value is used in the enforcement of applicable Network Rules.opts- a Keyword List of values that either optionally override default behaviors of this function, are optionally required, or are required on a deferred basis (eventually required). The available options are:owning_owner_id- if the Access Account is an Owned Access Account, this value must be set to the record ID of the Access Account's Owner. Otherwise it must be setnilor not provided. The default value isnil.instance_id- the record ID of the Application Instance to which the Access Account holder wishes to authenticate. A final value for instance_id is not required when the Email/Password authentication process is initiated but is required for it to complete. If this value is not initially provided, the function will beinterruptedreturning an Authentication State status value of:pending. Deferral may be appropriate if, for example, we want to allow the Access Account holder to select the specific Instance they wish to access from a list of their permitted Instances. Final resolution of the value must reference an Instance for which the Access Account permitted authentication attempts or must be set:bypassif the authentication attempt is a special case where a specific Instance is not relevant. The default value of this option isnil.host_ban_rate_limit- overrides the default host IP address based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 30 attempts over a time window of 2 hours.identifier_rate_limit- overrides the default identifier based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 5 attempts over a time window of 30 minutes.deadline_minutes- overrides the default number of minutes that an authentication process can take before being rejected for taking too long. This deadline is needed because an arbitrary time can pass due to user interaction, such as selecting an Instance or providing an MFA credential. The default value is 5 minutes from the time the authentication process is started.
authenticate_recovery_token(identifier, plaintext_token, host_addr, opts \\ [])
@spec authenticate_recovery_token( MscmpSystAuthn.Types.account_identifier(), MscmpSystAuthn.Types.credential(), MscmpSystNetwork.Types.addr_structs(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticationState.t()} | {:error, MscmpSystError.t()}
Confirms an Access Account's password Recovery Token Authenticator.
The return value of this function is a result tuple where a success tuple
({:ok, <value>}) indicates that the function processed without error, not
that the Recovery Token Authenticator was successfully authenticated. The
value element of the success tuple, the Authentication State, carries
information about the actual outcome of the authentication attempt; see
MscmpSystAuthn.Types.AuthenticationState.t/0 for more about the
specific information carried by the Authentication State value. Otherwise,
an error tuple is returned indicating the nature of the processing failure.
If the Authentication State's status is returned as :authenticated, the
process of Password Credential recovery may be undertaken. On success the
Recovery Token Authenticator is deleted from the system, but no further action
is taken by this function. The actual process of recovering a password is
external to this function.
The authentication process executed by this function is not interruptible. The initial call to this function must contain all parameter values required to fully complete the authentication process. Any missing information will cause the authentication attempt to be rejected.
Parameters
identifier- the identifier defined by the Recovery Token identifier. Typically this would have been a system generated random string of characters available at Recovery Token Authenticator creation time.plaintext_token- the plaintext Recovery Token credential. Typically this would have been a system generated random string of characters available at Recovery Token Authenticator creation time.host_address- the apparent origin host IP address from where the authentication attempt is originating. This value is used in the enforcement of applicable Network Rules.opts- a Keyword List of values that either optionally override default behaviors of this function or are optionally required. The available options are:owning_owner_id- if the Access Account is an Owned Access Account, this value must be set to the record ID of the Access Account's Owner. Otherwise it must be setnilor not provided. The default value isnil.host_ban_rate_limit- overrides the default host IP address based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 30 attempts over a time window of 2 hours.identifier_rate_limit- overrides the default identifier based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 5 attempts over a time window of 30 minutes.deadline_minutes- overrides the default number of minutes that an authentication process can take before being rejected for taking too long. This deadline is needed because an arbitrary time can pass due to user interaction if the authenticator allows for an interruptable authentication process. The default deadline allows for 5 minutes to complete the authentication process.
authenticate_validation_token(identifier, plaintext_token, host_address, opts \\ [])
@spec authenticate_validation_token( MscmpSystAuthn.Types.account_identifier(), MscmpSystAuthn.Types.credential(), MscmpSystNetwork.Types.addr_structs(), Keyword.t() ) :: {:ok, MscmpSystAuthn.Types.AuthenticationState.t()} | {:error, MscmpSystError.t()}
Confirms a specific Access Account Identity record as being valid for use.
The return value of this function is a result tuple where a success tuple
({:ok, <value>}) indicates that the function processed without error, not
that the validation was successful. The value element of the success
tuple, the Authentication State, carries information about the actual outcome
of the authentication attempt; see
MscmpSystAuthn.Types.AuthenticationState.t/0 for more about the
specific information carried by the Authentication State value. Otherwise,
an error tuple is returned indicating the nature of the processing failure.
If the Authentication State's status is returned as :authenticated, the
validation process succeeded. On success the target Identity record has its
validated field set to the current date/time and the Validation
Authenticator is deleted from the system.
The authentication process executed by this function is not interruptible. The initial call to this function must contain all parameter values required to fully complete the authentication process. Any missing information will cause the authentication attempt to be rejected.
Parameters
identifier- the identifier defined by the Validation Token identifier. Typically this would have been a system generated random string of characters available at Validation Token Authenticator creation time.plaintext_token- the plaintext Validation Token credential. Typically this would have been a system generated random string of characters available at Validation Token Authenticator creation time.host_address- the apparent origin host IP address from where the authentication attempt is originating. This value is used in the enforcement of applicable Network Rules.opts- a Keyword List of values that either optionally override default behaviors of this function or are optionally required. The available options are:owning_owner_id- if the Access Account is an Owned Access Account, this value must be set to the record ID of the Access Account's Owner. Otherwise it must be setnilor not provided. The default value isnil.host_ban_rate_limit- overrides the default host IP address based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 30 attempts over a time window of 2 hours.identifier_rate_limit- overrides the default identifier based Rate Limit. The value is set via a tuple in the following form:{<Maximum Attempts>, <Time Window in Seconds>}. The default value is 5 attempts over a time window of 30 minutes.deadline_minutes- overrides the default number of minutes that an authentication process can take before being rejected for taking too long. This deadline is needed because an arbitrary time can pass due to user interaction if the authenticator allows for an interruptable authentication process. The default deadline allows for 5 minutes to complete the authentication process.
Session Management
create_session(session_data, opts \\ [])
@spec create_session(map(), Keyword.t()) :: {:ok, MscmpSystSession.Types.session_name()} | {:error, MscmpSystError.t()}
Creates a new session returning the session name for future reference.
Using a starting set of data and a expiration period, creates a new Session record. The return value is either a success tuple including the generated name of the session record or an error tuple explaining the failure.
Currently, the Session name is an automatically generated random 96 bytes run through base 64 encoding.
Parameters
session_data- the initial Session Data to use in creating the new Session record in the database. Currently the expectation is that this value will be any arbitraryMap. This parameter is required.opts- a Keyword List of optional parameters. The available parameters are:session_name- a binary to use for the session name rather than letting the system create a random session name. The default behavior is for the system to set the session name usinggenerate_session_name/0.expires_after- the number of seconds for which the session will be considered valid. The default value for this setting via this API is the current value of the MCP integer settingmssub_mcp_session_expiration; by default that value is 3,600 seconds (1 hour).
Examples
Creating a new Session with the default expiration time.
iex> {:ok, session_name} =
...> MssubMcp.create_session(%{test: "test"})
iex> is_binary(session_name)
truedelete_session(session_name)
@spec delete_session(MscmpSystSession.Types.session_name()) :: :ok | {:ok, :not_found} | {:error, MscmpSystError.t()}
Deletes the named Session record from the database.
This is the de facto method for terminating a session.
Unlike the other functions in this module which treat expired Session records as though they've not been found, deleting an expired Session is permitted and will return the same value as deleting an unexpired Session record.
Parameters
session_name- the Session Name that was generated bycreate_session/2at Session create time. This argument is required.
Examples
Deleting a Session record.
iex> MssubMcp.delete_session("example_delete_session")
:okAttempting to delete a nonexistent Session returns the not found value.
iex> MssubMcp.delete_session("nonexistent_session")
{:ok, :not_found}generate_session_name()
@spec generate_session_name() :: MscmpSystSession.Types.session_name()
Generates a random Session Name using the current formulation for automatic session name generation.
Currently generated Session Names are strings of 16 random characters using a mixed case, alphanumeric character set.
Examples
Generating a random name.
iex> session_name = MssubMcp.generate_session_name()
iex> String.length(session_name) == 16
trueget_session(session_name, opts \\ [])
@spec get_session(MscmpSystSession.Types.session_name(), Keyword.t()) :: {:ok, MscmpSystSession.Types.session_data()} | {:ok, :not_found} | {:error, MscmpSystError.t()}
Retrieves the Session Data for the named Session and resets the Session Expiration.
It should be noted that reading a Session will also refresh the expiration of that Session's expiration date.
Trying to retrieve the Session data of an already expired Session results in
a not found tuple being returned ({:ok, :not_found}).
Parameters
session_name- the Session Name that was generated bycreate_session/2at Session create time. This argument is required.opts- a Keyword List of optional parameters. The available parameters are:expires_after- the number of seconds for which the session will be considered valid. The default value for this setting via this API is the current value of the MCP integer settingmssub_mcp_session_expiration; by default that value is 3,600 seconds (1 hour).
Examples
Retrieving a Session and setting the renewed expiration date/time to 30 minutes from retrieval time.
iex> {:ok, %{}} = MssubMcp.get_session("example_session", expires_after: 1800)Attempting to retrieve an expired Session returns the not found value.
iex> MssubMcp.get_session("example_expired_session")
{:ok, :not_found}purge_expired_sessions(opts \\ [])
@spec purge_expired_sessions(Keyword.t()) :: :ok | {:error, MscmpSystError.t()}
Purges the database of previously expired Session records.
The intention of this function is for it to be called on a periodic, scheduled basis in order to keep the system clean of expired Sessions. The expectations are that the purge process may take some time. Currently, 4 minutes are allotted for the running of the process prior to timing out, so a schedule more aggressive than once every 5 minutes is not advised.
Parameters
opts- a Keyword List of optional parameters. The available parameters are:db_timeout- the number of seconds to allow the database DELETE query to run before timing out the transaction. The default value is 300 (5 minutes).
refresh_session_expiration(session_name, opts \\ [])
@spec refresh_session_expiration(MscmpSystSession.Types.session_name(), Keyword.t()) :: :ok | {:ok, :not_found} | {:error, MscmpSystError.t()}
Refreshes the Session expiration date/time of the identified record.
The function only returns its success status absent any data.
Do note that all other interactions with the Session will also refresh the Session expiration date/time so in many cases there is no need to call this function explicitly. Typically you'd only call this function if you've had interaction with the user, but not needed to access the session for some time.
Trying to refresh the expiration date/time of an already expired Session will be treated as a "not found" record.
Parameters
session_name- the Session Name that was generated bycreate_session/2at Session create time. This argument is required.opts- a Keyword List of optional parameters. The available parameters are:expires_after- the number of seconds for which the session will be considered valid. The default value for this setting via this API is the current value of the MCP integer settingmssub_mcp_session_expiration; by default that value is 3,600 seconds (1 hour).
Examples
Refreshing a Session expiration date/time to 30 minutes from refresh time.
iex> MssubMcp.refresh_session_expiration("example_session", expires_after: 1800)
:okAttempting to refresh an already expired Session returns the not found value.
iex> MssubMcp.refresh_session_expiration("example_expired_session")
{:ok, :not_found}update_session(session_name, session_data, opts \\ [])
@spec update_session( MscmpSystSession.Types.session_name(), MscmpSystSession.Types.session_data(), Keyword.t() ) :: :ok | {:ok, :not_found} | {:error, MscmpSystError.t()}
Replaces the Session Data of the named Session record with the Session Data provided.
As with other kinds of interactions with the Session, updating the Session data will also update the expiration date/time.
Attempting to update the Session Data of an already expired Session will be treated as attempting to update a not found record.
Parameters
session_name- the Session Name that was generated bycreate_session/2at Session create time. This argument is required.session_data- the updated Session Data which replaces the existing Session Data. Currently the expectation is that this value will be any arbitraryMap. This argument is required.opts- a Keyword List of optional parameters. The available parameters are:expires_after- the number of seconds for which the session will be considered valid. The default value for this setting via this API is the current value of the MCP integer settingmssub_mcp_session_expiration; by default that value is 3,600 seconds (1 hour).
Examples
Updating a Session with new data and resetting the expiration date/time to 30 minutes from update time.
iex> MssubMcp.update_session("example_update_session", %{updated_key: "updated_value"},
...> expires_after: 1800)
:ok
iex> MssubMcp.get_session("example_update_session")
{:ok, %{"updated_key" => "updated_value"}}Attempting to update an already expired Session returns the not found value.
iex> MssubMcp.update_session("example_expired_session", %{updated_key: "updated_value"})
{:ok, :not_found}Permissions
MCP Processing
bootstrap_tenant(params)
@spec bootstrap_tenant(MssubMcp.Types.tenant_bootstrap_params()) :: {:ok, MssubMcp.Types.tenant_bootstrap_result()} | {:error, MscmpSystError.t()}
Bootstraps the initial setup of either the MCP Application Platform or a new tenant.
In this context, a "tenant" is the combination of an MCP Owner Record, a linked Access Account record and related Authenticator, and an Application Instance.
This process also bootstraps the system Owner and Platform Administrator Access Account if the Application Platform itself has not been previously set up.
process_operation(operation)
Processes the given function in the context of the MCP services & Datastore.
Returns the return value of the provided function.
Parameters
operation- a function which wraps the operations to be executed in the MCP service context.
Examples
Retrieving an Msdata.SystOwners record from the MCP database.
iex> mcp_operation = fn -> MscmpSystInstance.get_owner_by_name("owner1") end
iex> {:ok, %Msdata.SystOwners{}} = MssubMcp.process_operation(mcp_operation)start_mcp_service_context()
@spec start_mcp_service_context() :: {datastore_context :: atom() | pid() | nil, enums_service_name :: MscmpSystEnums.Types.service_name() | nil, settings_service_name :: MscmpSystSettings.Types.service_name() | nil}
Establishes MCP Subsystem process references in the calling process's process dictionary.
Datastore, Enumerations, and Settings services are determined by entries in the executing process's Process Dictionary. The MCP Subsystem as an OTP Application starts these services under pre-determined local names which are in turn set in the Process Dictionary by this function.
This function is used by processes wishing to set MCP Subsystem services as the long running context spanning multiple function calls by the process. For example, a GenServer that only every access MCP Subsystem Datastores or Services can call this during the initialization process which will live for the life of the GenServer or until they are explicitly unset by some other call.
The return value of the call provides the caller references to identifiers for each of the three previously set target services represented as a tuple:
{
<previous_datastore_context>,
<previous_enums_service_name>,
<previous_settings_service_name>
}This value is suitable to pass to stop_mcp_service_context/1 if the MCP
Subsystem context setting is only intended to be temporary.
stop_mcp_service_context(replacement_service_names \\ {nil, nil, nil})
@spec stop_mcp_service_context( {datastore_context :: atom() | pid() | nil, enums_service_name :: MscmpSystEnums.Types.service_name() | nil, settings_service_name :: MscmpSystSettings.Types.service_name() | nil} ) :: :ok
Unsets the MCP Subsystem service references from the process's Process Dictionary.
This function unsets the MCP Subsystem service references in one of two ways depending on the argument passed to the function. If a tuple in the form:
{
<new_datastore_context>,
<new_enums_service_name>,
<new_settings_service_name>
}is passed, the references in the tuple will be set as the new service context
for the process. This is useful if a previous context existed and only
temporary access to the MCP Subsystem context was required (see
start_mcp_service_context/0 for the most common source for these values.)
Otherwise the service context values in the Process Dictionary are set to
nil and calls to other contextually sensitive functions will fail until a
new service context is set for the process.
The function simply returns :ok once it has stopped the MCP Subsystem
service context.
Parameters
replacement_service_names- an optional tuple of references to the services which are to replace the MCP Subsystem service references being unset by this function. See the above for the form of the tuple. If this parameter is omitted, the Process Dictionary references for context services will be setnil, meaning no service context aware functions will work properly until a new service context is set.
Functions
get_perm_role_id_by_name(perm_func_type_name, perm_role_name)
@spec get_perm_role_id_by_name( MscmpSystPerms.Types.perm_functional_type_name(), MscmpSystPerms.Types.perm_role_name() ) :: MscmpSystPerms.Types.perm_role_id() | nil | {:error, MscmpSystError.t()}
Retrieves the Permission Role record ID as found by its functional type name and Internal Name.
The function will either return the record ID of the requested Permission Role
or nil of that role was not found. If an error occurs an error tuple is
returned.
Parameters
perm_func_type_name- the Internal Name of the Permission Functional Type to which the search should be restricted. While the Permission Role name itself is unique, specifying the Permission Functional Type serves as a check that request context is correct.perm_role_name- the Internal Name value of the Permission Role to search for.
Examples
Retrieve the record ID of a Permission Role record.
iex> _perm_role_id =
...> MssubMcp.get_perm_role_id_by_name("func_type_1", "perm_role_1")Searching for a non-existent record returns nil.
iex> MssubMcp.get_perm_role_id_by_name("func_type_1", "nonexistent_role")
nilget_setting_value(setting_name, setting_type)
@spec get_setting_value( MscmpSystSettings.Types.setting_name(), MscmpSystSettings.Types.setting_types() ) :: any()
Retrieves the value of the given type for the requested setting.
Parameters
setting_name- the name of the setting for which to retrieve a value.setting_type- the type of value which to return.
Examples
iex> MssubMcp.get_setting_value(
...> "get_example_setting",
...> :setting_decimal_range)
%MscmpSystDb.DbTypes.DecimalRange{
lower: Decimal.new("1.1"),
upper: Decimal.new("99.99"),
lower_inclusive: true,
upper_inclusive: false
}get_setting_values(setting_name)
@spec get_setting_values(MscmpSystSettings.Types.setting_name()) :: Msdata.SystSettings.t()
Retrieves all values associated with the requested setting.
Parameters
setting_name- the name of the setting for which to retrieve values.
The successful return of this function is an instance of the
Msdata.SystSettings struct containing the values requested.
Examples
iex> MssubMcp.get_setting_values("get_example_setting")list_all_settings()
@spec list_all_settings() :: [Msdata.SystSettings]
Retrieves all values for all settings.
This function returns all other setting metadata, such as the records' IDs, descriptions, etc.
Examples
iex> MssubMcp.list_all_settings()set_setting_value(setting_name, setting_type, setting_value)
@spec set_setting_value( MscmpSystSettings.Types.setting_name(), MscmpSystSettings.Types.setting_types(), any() ) :: :ok | {:error, MscmpSystError.t()}
Sets the value of any one setting type for the named setting.
Parameters
setting_name- the name of the setting to update with the new value.setting_type- sets which of the different available value types is being updated.setting_value- is the new value to set on the setting. Note that the setting value must be appropriate for thesetting_typeargument or an error will be raised.
Examples
iex> MssubMcp.set_setting_value(
...> "set_example_setting",
...> :setting_decimal,
...> Decimal.new("1029.3847"))
:okset_setting_values(setting_name, update_params)
@spec set_setting_values( MscmpSystSettings.Types.setting_name(), MscmpSystSettings.Types.setting_service_params() ) :: :ok | {:error, MscmpSystError.t()}
Sets one or more of the available setting types for the named setting.
This function is similar to set_setting_values/4, except that multiple
setting types can have their values set at the same time. In addition to the
typed setting values, the setting display name and/or user description values
may also be set.
Parameters
setting_name- the name of the setting to update with the new values.update_params- is a map that complies with theMscmpSystSettings.Types.setting_service_params()type specification and includes the updates to setting type values, updates to thedisplay_namevalue, and/or updates to theuser_descriptionvalue.
Examples
iex> update_values = %{
...> user_description: "An example of updating the user description.",
...> setting_integer: 6758,
...> setting_date_range:
...> %MscmpSystDb.DbTypes.DateRange{
...> lower: ~D[2022-04-01],
...> upper: ~D[2022-04-12],
...> upper_inclusive: true
...> }
...> }
iex> MssubMcp.set_setting_values(
...> "set_example_setting",
...> update_values)
:ok