Class AccessCheck

java.lang.Object
    com.identityworksllc.iiq.common.access.AccessCheck

public final class AccessCheck extends Object

Static methods for implementing access checks. This is used directly by ThingAccessUtils, but allows migration to this better interface.

See Also:
- ThingAccessUtils

Nested Class Summary

| Modifier and Type | Class | Description |
| --- | --- | --- |
| static class | AccessCheck.SecurityCacheToken | The container object to identify the cached ThingAccessUtil inputs. |
| static class | AccessCheck.SecurityResult | The container object to hold the cached ThingAccessUtil results. |

Field Summary

| Modifier and Type | Field | Description |
| --- | --- | --- |
| static String | ANONYMOUS_THING | The access check name used for an anonymous input. |

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| static AccessCheckResponse | accessCheck(AccessCheckInput input) | Returns an ‘allowed’ response if the logged-in (subject) user can access the item based on the common configuration parameters and target defined. |
| static void | clearCachedResults() | An optional clear-cache method that can be used by plugin code. |
| static sailpoint.authorization.Authorizer | createAuthorizer(CommonSecurityConfig config) | Creates a native IIQ authorizer that performs a CommonSecurityConfig check. |
| static ConcurrentHashMap<AccessCheck.SecurityCacheToken,AccessCheck.SecurityResult> | getCacheMap() | Creates the cache map, which should be stored in CustomGlobal. |
| static boolean | matchesAnyWorkgroup(sailpoint.object.Identity currentUser, List<String> workgroups) | Returns true if the current user is a member of any of the given workgroups. |
| static FluentAccessCheck | setup() | Returns a new FluentAccessCheck, permitting a nice flow-y API for access checks. |

Field Detail

ANONYMOUS_THING
public static final String ANONYMOUS_THING
The access check name used for an anonymous input.

See Also:
- Constant Field Values

Method Detail

accessCheck
public static AccessCheckResponse accessCheck(AccessCheckInput input)
Returns an ‘allowed’ response if the logged-in (subject) user can access the item based on the common configuration parameters and target defined.

Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute unless the CommonSecurityConfig object has noCache set to true.

Parameters:
- input - The input containing the configuration for the checkThingAccess utility
Returns:
- True if the user has access to the thing based on the configuration

clearCachedResults
public static void clearCachedResults()
An optional clear-cache method that can be used by plugin code.
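
The caching behaviour described for accessCheck and clearCachedResults, modeled as a stand-alone added example (not the library's code): a cached 'allowed' decision can outlive a revocation until the entry expires, noCache bypasses it, or the cache is cleared. Every class, method and value name in it is hypothetical, and it assumes Java 16 or later for records.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;
import java.util.function.Supplier;

// Hypothetical model of the documented caching contract; not the library's implementation.
public class CachedDecisionDemo {
    record Key(String config, String subject, String target) {}
    record Entry(boolean allowed, long expiresAtMillis) {}

    static final long TTL_MILLIS = 60_000; // "up to one minute", per the page
    private final Map<Key, Entry> cache = new ConcurrentHashMap<>();
    private final LongSupplier clock;      // injectable so the demo controls time

    CachedDecisionDemo(LongSupplier clock) { this.clock = clock; }

    boolean check(Key key, boolean noCache, Supplier<Boolean> liveCheck) {
        long now = clock.getAsLong();
        if (!noCache) {
            Entry hit = cache.get(key);
            if (hit != null && now < hit.expiresAtMillis()) {
                return hit.allowed(); // cached decision; may predate a revocation
            }
        }
        boolean allowed = liveCheck.get(); // expired, missing or noCache: evaluate now
        if (!noCache) {
            cache.put(key, new Entry(allowed, now + TTL_MILLIS));
        }
        return allowed;
    }

    void clear() { cache.clear(); } // plays the role of clearCachedResults()

    public static void main(String[] args) {
        long[] now = {0};
        boolean[] inWorkgroup = {true}; // constructed state: subject starts with access
        CachedDecisionDemo demo = new CachedDecisionDemo(() -> now[0]);
        Key key = new Key("reportConfig", "alice", "bob"); // constructed sample values

        System.out.println("first:   " + demo.check(key, false, () -> inWorkgroup[0]));
        inWorkgroup[0] = false; // access revoked 30 seconds into the cache window
        now[0] = 30_000;
        System.out.println("cached:  " + demo.check(key, false, () -> inWorkgroup[0]));
        System.out.println("noCache: " + demo.check(key, true, () -> inWorkgroup[0]));
        demo.clear();           // explicit invalidation after the revocation
        System.out.println("cleared: " + demo.check(key, false, () -> inWorkgroup[0]));
    }
}
```

In this model the second call is answered from the cache and does not see the revocation, while the noCache call and the call after clear() both re-evaluate the live check.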

createAuthorizer
public static sailpoint.authorization.Authorizer createAuthorizer(CommonSecurityConfig config)
Creates a native IIQ authorizer that performs a CommonSecurityConfig check.

Parameters:
- config - The configuration
Returns:
- The authorizer

getCacheMap
public static ConcurrentHashMap<AccessCheck.SecurityCacheToken,AccessCheck.SecurityResult> getCacheMap()
Creates the cache map, which should be stored in CustomGlobal. If it does not exist, we create and store a new one. Since this is just for efficiency, we don’t really care about synchronization.

A new cache will be created whenever a new plugin is installed, incrementing the Environment’s plugin version.

Returns:
- The cache map

matchesAnyWorkgroup
public static boolean matchesAnyWorkgroup(sailpoint.object.Identity currentUser, List<String> workgroups)
Returns true if the current user is a member of any of the given workgroups. Note that this check is NOT recursive and does not check whether a workgroup is a member of another workgroup.

Parameters:
- currentUser - The user to check
- workgroups - The workgroups to check
Returns:
- true if the user is in the given workgroup

setup
public static FluentAccessCheck setup()
Returns a new FluentAccessCheck, permitting a nice flow-y API for access checks. For example:

    AccessCheck
        .setup()
        .config(commonSecurityObject)
        .name("some name")
        .subject(pluginResource) // contains the logged-in username, so counts as a subject
        .target(targetIdentity)
        .isAllowed()

Returns:
- The fluent access check builder