Class ThingAccessUtils


  • public final class ThingAccessUtils
    extends Object
    Implements the “Common Security” protocol that was originally part of the UPE plugin.

    This allows more detailed authorization to check access to various objects within IIQ.

    There are two users involved in thing access: a subject Identity and a target Identity. The subject is the one doing the thing while the target is the one the thing is being done to. Some actions may be ‘self’ actions, where both the subject and the target are the same. Other actions don’t have a ‘target’ concept and are treated as ‘self’ actions.

    See Also:
    AccessCheck
    • Method Summary

      Modifier and Type Method Description
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the CommonSecurityConfig object
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the Common Security configuration parameters.
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, sailpoint.object.Identity targetIdentity, String thingName, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext, sailpoint.object.Identity targetIdentity, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the CommonSecurityConfig object
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the Common Security configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity target, String thingName, CommonSecurityConfig config)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity targetIdentity, String thingName, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext, sailpoint.object.Identity targetIdentity, Map<String,​Object> configuration)
      Returns true if the logged in user can access the item based on the common configuration parameters.
      static void clearCachedResults()
      An optional clear-cache method that can be used by plugin code
      static sailpoint.rest.plugin.BasePluginResource createFakePluginContext​(sailpoint.api.SailPointContext context, sailpoint.object.Identity loggedInUser, String pluginName)
      Creates a fake plugin context for use with checkThingAccess(UserContext, Identity, String, Map) outside of a plugin.
    • Method Detail

      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the Common Security configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the Common Security configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the CommonSecurityConfig object
        Parameters:
        pluginContext - The plugin context, which provides user details
        config - the CommonSecurityConfig object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the CommonSecurityConfig object
        Parameters:
        pluginContext - The plugin context, which provides user details
        config - the CommonSecurityConfig object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The login context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.rest.plugin.BasePluginResource pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               String thingName,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - The plugin context, which provides user details
        targetIdentity - The target identity for the action (as opposed to the actor)
        thingName - The thing being checked
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity targetIdentity,
                                               String thingName,
                                               Map<String,​Object> configuration)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.
        Parameters:
        pluginContext - A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
        targetIdentity - The target identity
        thingName - The thing being checked
        configuration - The configuration for the field or button or other object
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • checkThingAccess

        public static boolean checkThingAccess​(sailpoint.web.UserContext pluginContext,
                                               sailpoint.object.Identity target,
                                               String thingName,
                                               CommonSecurityConfig config)
                                        throws sailpoint.tools.GeneralException
        Returns true if the logged in user can access the item based on the common configuration parameters.

        Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute unless the CommonSecurityConfig object has noCache set to true.

        Parameters:
        pluginContext - A plugin REST API resource (or fake equivalent) used to get some details and settings. This must not be null.
        target - The target identity
        thingName - The thing being checked, entirely for logging purposes
        config - The configuration specifying security rights
        Returns:
        True if the user has access to the thing based on the configuration
        Throws:
        sailpoint.tools.GeneralException - if any check failures occur (this should be interpreted as “no access”)
      • clearCachedResults

        public static void clearCachedResults()
        An optional clear-cache method that can be used by plugin code
      • createFakePluginContext

        public static sailpoint.rest.plugin.BasePluginResource createFakePluginContext​(sailpoint.api.SailPointContext context,
                                                                                       sailpoint.object.Identity loggedInUser,
                                                                                       String pluginName)
        Creates a fake plugin context for use with checkThingAccess(UserContext, Identity, String, Map) outside of a plugin.

        This constructs a new instance of a dummy BasePluginResource web service endpoint class.

        Parameters:
        context - The SailPointContext to return from BaseResource.getContext()
        loggedInUser - The Identity to return from various getLoggedIn… methods
        pluginName - The name of the plugin to include in the fake plugin context
        Returns:
        The fake plugin resource
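
The following is an added example, not code from the library or its authors: a fail-closed wrapper that calls checkThingAccess outside a plugin through createFakePluginContext and maps GeneralException to "no access", as the Throws notes above require. The class name ThingAccessGuard, its method names, the plugin name "ExamplePlugin" and the import package of ThingAccessUtils are assumptions; the configuration map is supplied by the caller because its keys are not listed on this page.

```java
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.rest.plugin.BasePluginResource;
import sailpoint.tools.GeneralException;
// Assumption: the package of ThingAccessUtils is not shown on this page;
// adjust this import to match the library version you deploy.
import com.identityworksllc.iiq.common.ThingAccessUtils;

/** Hypothetical helper (not part of the library): a deny-by-default wrapper. */
public final class ThingAccessGuard {
    private static final Logger LOG = Logger.getLogger(ThingAccessGuard.class.getName());
    // Constructed plugin name, used only to build the fake plugin context
    private static final String PLUGIN_NAME = "ExamplePlugin";

    private ThingAccessGuard() {}

    /**
     * Returns true only when the check explicitly grants access. Missing
     * inputs and any GeneralException are treated as "no access".
     */
    public static boolean isAllowed(SailPointContext context, Identity subject,
            Identity target, String thingName, Map<String, Object> configuration) {
        // Deny when there is nothing to evaluate instead of defaulting to allow
        if (context == null || subject == null || configuration == null) {
            return false;
        }
        // Wrapper's choice: an action without a target is checked as a 'self' action
        Identity effectiveTarget = (target != null) ? target : subject;
        try {
            BasePluginResource fakeContext =
                    ThingAccessUtils.createFakePluginContext(context, subject, PLUGIN_NAME);
            return ThingAccessUtils.checkThingAccess(
                    fakeContext, effectiveTarget, thingName, configuration);
        } catch (GeneralException e) {
            // A failed check is a denial, never an implicit grant
            LOG.log(Level.WARNING, "Access check failed for " + thingName + "; denying", e);
            return false;
        }
    }

    /** Call after changing data the checks depend on, so cached results are not reused. */
    public static void onAuthorizationDataChanged() {
        ThingAccessUtils.clearCachedResults();
    }
}
```

Because results can be cached for up to one minute, a revocation may not take effect immediately unless the cache is cleared or the CommonSecurityConfig has noCache set to true.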