
11.5. Partition-Based Access Control

PicketLink uses partitions to logically separate identities such as users, roles and groups. This is a very common requirement for SaaS applications, where multi-tenancy is often important.
The @PartitionsAllowed annotation allows you to restrict access to beans based on the partition a user belongs to. You only need to specify the partition name.
@PartitionsAllowed("Acme Realm")
public void someMethod() {
	// only users from the "Acme Realm" partition are allowed to access this method
}
The @PartitionsAllowed annotation can also be used on types. In this case, all bean methods are protected:
@PartitionsAllowed("Acme Realm")
public class ACMEServices {
	// every method of this bean is restricted to users from the "Acme Realm" partition
}
You can also define multiple partitions if you want to:
@PartitionsAllowed({"ACME Realm", "Foo Realm"})
Partitions in PicketLink are represented by a specific type. For example, by default PicketLink provides an org.picketlink.idm.model.basic.Realm type to represent them. Since PicketLink allows you to provide your own partition types, the @PartitionsAllowed annotation can also be used to restrict which partition types are allowed to perform an operation:
@PartitionsAllowed(type = {Acme.class, Foo.class})
where Acme and Foo are partition types implementing the org.picketlink.idm.model.Partition interface.
You can even combine both configurations (name and type) if you want.
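The following is an added example, not code from the PicketLink documentation or project. It shows a custom partition type next to a CDI bean that uses the name-only, type-only and combined forms of @PartitionsAllowed, plus the same check written by hand against the injected Identity so you can see what the interceptor enforces. The package names of PartitionsAllowed, AbstractPartition and IdentityPartition are taken from PicketLink 2.x and are an assumption, as is the rule that a combined annotation requires both name and type to match; the page itself does not state how the two are combined.

```java
package com.example.acme; // hypothetical application package (assumption)

import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;

import org.picketlink.Identity;
import org.picketlink.authorization.annotations.PartitionsAllowed; // assumed package
import org.picketlink.idm.model.AbstractPartition;                 // assumed package
import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.model.Partition;
import org.picketlink.idm.model.annotation.IdentityPartition;      // assumed package

/**
 * A custom partition type. Any class implementing org.picketlink.idm.model.Partition
 * is acceptable to @PartitionsAllowed(type = ...); extending AbstractPartition, as the
 * built-in Realm does, is the assumed way to get the boilerplate for free.
 */
@IdentityPartition(supportedTypes = IdentityType.class)
public class Acme extends AbstractPartition {

    public Acme(String name) {
        super(name);
    }
}

/**
 * Service bean protected per method. PicketLink's security interceptor must be
 * enabled for the annotations to be enforced (see the authorization chapter).
 */
@RequestScoped
class BillingService {

    // Name of the tenant partition this service belongs to (constructed value).
    static final String ACME_REALM_NAME = "Acme Realm";

    @Inject
    private Identity identity;

    // Name only: the caller's partition must be named "Acme Realm", whatever its type.
    @PartitionsAllowed(ACME_REALM_NAME)
    public String invoicesByName() {
        return "invoices for " + callerPartition().getName();
    }

    // Type only: the caller's partition must be an Acme, whatever its name.
    @PartitionsAllowed(type = Acme.class)
    public String invoicesByType() {
        return "invoices for " + callerPartition().getName();
    }

    // Name and type combined. Assumption: both conditions must hold for the call
    // to be allowed; consult the interceptor source if exact semantics matter.
    @PartitionsAllowed(value = ACME_REALM_NAME, type = Acme.class)
    public String invoicesByNameAndType() {
        return "invoices for " + callerPartition().getName();
    }

    /**
     * The same decision written out by hand. Useful when you need to branch on the
     * partition instead of failing the whole call, and as a reference for what the
     * combined annotation above is assumed to check.
     */
    public boolean callerIsInAcmeRealmOfTypeAcme() {
        if (!identity.isLoggedIn()) {
            return false; // no account, so no partition to compare against
        }
        Partition partition = callerPartition();
        return partition instanceof Acme
                && ACME_REALM_NAME.equals(partition.getName());
    }

    // Every Account is an IdentityType and therefore carries its partition.
    private Partition callerPartition() {
        return identity.getAccount().getPartition();
    }
}
```

The three annotated methods differ only in which attribute of the caller's partition is compared. The manual version in callerIsInAcmeRealmOfTypeAcme() is the one to reach for when a method must serve several tenants and merely vary its behaviour; the annotations are preferable when a call from the wrong partition should never reach the method body at all.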