Class AccessCheck


  • public final class AccessCheck
    extends Object
    Static methods for implementing access checks.

    This is used directly by ThingAccessUtils, but allows migration to this better interface.

    • Method Detail

      • accessCheck

        public static AccessCheckResponse accessCheck​(AccessCheckInput input)
        Returns an ‘allowed’ response if the logged in user can access the item based on the common configuration parameters.

        Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute unless the CommonSecurityConfig object has noCache set to true.

        Parameters:
        input - The input containing the configuration for the checkThingAccess utility
        Returns:
        True if the user has access to the thing based on the configuration
      • clearCachedResults

        public static void clearCachedResults()
        An optional clear-cache method that can be used by plugin code
      • createAuthorizer

        public static sailpoint.authorization.Authorizer createAuthorizer​(CommonSecurityConfig config)
        Creates a native IIQ authorizer that performs a CommonSecurityConfig check
        Parameters:
        config - The configuration
        Returns:
        The authorizer
      • getCacheMap

        public static ConcurrentHashMap<AccessCheck.SecurityCacheToken,​AccessCheck.SecurityResultgetCacheMap()
        Creates the cache map, which should be stored in CustomGlobal.

        If it does not exist, we create and store a new one. Since this is just for efficiency, we don’t really care about synchronization.

        A new cache will be created whenever a new plugin is installed, incrementing the Environment’s plugin version.

        Returns:
        The cache map
      • matchesAnyWorkgroup

        public static boolean matchesAnyWorkgroup​(sailpoint.object.Identity currentUser,
                                                  List<String> workgroups)
        Returns true if the current user is a member of any of the given workgroups.

        Note that this check is NOT recursive and does not check whether a workgroup is a member of another workgroup.

        Parameters:
        currentUser - The user to check
        workgroups - The workgroups to check
        Returns:
        true if the user is in the given workgroup
      • setup

        public static FluentAccessCheck setup()
        Returns a new FluentAccessCheck, permitting a nice flow-y API for this class.

        For example:

        AccessCheck .setup() .config(commonSecurityObject) .name(“some name”) .subject(pluginResource) // contains the logged-in username, so counts as a subject .target(targetIdentity) .isAllowed()

        Returns:
        The fluent access check builder