Class ThingAccessUtils


  • public final class ThingAccessUtils
    extends Object
    Implements the “Common Security” protocol described in the documentation.

    This allows more detailed authorization to check access to various objects within IIQ.

    There are two users involved in thing access: an subject Identity and a target Identity. The subject is the one doing the thing while the target is the one the thing is being done to. Some actions may be ‘self’ actions, where both the subject and the target are the same. Other actions don’t have a ‘target’ concept and are treated as ‘self’ actions.

    See the COMMON-SECURITY.adoc documentation.

    See Also:
    AccessCheck
    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the CommonSecurityConfig object
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the Common Security configuration parameters.
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, sailpoint.object.Identity targetIdentity, String thingName, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, sailpoint.object.Identity targetIdentity, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the CommonSecurityConfig object
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the Common Security configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity target, String thingName, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity targetIdentity, String thingName, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity targetIdentity, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static void clearCachedResults()
      An optional clear-cache method that can be used by plugin code
      static sailpoint.rest.plugin.BasePluginResource createFakePluginContext​(sailpoint.api.SailPointContext context, sailpoint.object.Identity loggedInUser, String pluginName)
      Creates a fake plugin context for use with checkThingAccess(UserContext, Identity, String, Map) outside of a plugin.
    • Method Detail

      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the Common Security configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the Common Security configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the CommonSecurityConfig object
        Parameters:
        pluginContext - The plugin context, which provides user details
        config - the CommonSecurityConfig object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the CommonSecurityConfig object
        Parameters:
        pluginContext - The plugin context, which provides user details
        config - the CommonSecurityConfig object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The login context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               String thingName,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               String thingName,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
        targetIdentity - The target identity
        thingName - The thing being checked
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity target,
                                               String thingName,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.

        Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute unless the CommonSecurityConfig object has noCache set to true.

        Parameters:
        pluginContext - A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
        target - The target identity
        thingName - The thing being checked, entirely for logging purposes
        config - The configuration specifying security rights
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • clearCachedResults

        public static void clearCachedResults()
        An optional clear-cache method that can be used by plugin code
      • createFakePluginContext

        public static sailpoint.rest.plugin.BasePluginResource createFakePluginContext​(sailpoint.api.SailPointContext context,
                                                                                       sailpoint.object.Identity loggedInUser,
                                                                                       String pluginName)
        Creates a fake plugin context for use with checkThingAccess(UserContext, Identity, String, Map) outside of a plugin.

        This constructs a new instance of a dummy BasePluginResource web service endpoint class.

        Parameters:
        context - The SailPointContext to return from BaseResource.getContext()
        loggedInUser - The Identity to return from various getLoggedIn… methods
        pluginName - The name of the plugin to include in the fake plugin context
        Returns:
        The fake plugin resource