Package com.identityworksllc.iiq.common.access

Class AccessCheck

java.lang.Object

com.identityworksllc.iiq.common.access.AccessCheck

public final class AccessCheck
extends Object

Static methods for implementing access checks.

This is used directly by ThingAccessUtils, but allows migration to this better interface.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AccessCheck.SecurityCacheToken	The container object to identify the cached ThingAccessUtil inputs.
static class	AccessCheck.SecurityResult	The container object to hold the cached ThingAccessUtil results

Field Summary

Fields

Modifier and Type	Field	Description
static String	ANONYMOUS_THING	The access check name used for an anonymous input

Method Summary

Modifier and Type	Method	Description
static AccessCheckResponse	accessCheck(AccessCheckInput input)	Returns an ‘allowed’ response if the logged in user can access the item based on the common configuration parameters.
static void	clearCachedResults()	An optional clear-cache method that can be used by plugin code
static sailpoint.authorization.Authorizer	createAuthorizer(CommonSecurityConfig config)	Creates a native IIQ authorizer that performs a CommonSecurityConfig check
static ConcurrentHashMap<AccessCheck.SecurityCacheToken,AccessCheck.SecurityResult>	getCacheMap()	Creates the cache map, which should be stored in CustomGlobal.
static boolean	matchesAnyWorkgroup(sailpoint.object.Identity currentUser, List<String> workgroups)	Returns true if the current user is a member of any of the given workgroups.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ANONYMOUS_THING

public static final String ANONYMOUS_THING

The access check name used for an anonymous input

See Also:

Constant Field Values

Method Detail

createAuthorizer

public static sailpoint.authorization.Authorizer createAuthorizer(CommonSecurityConfig config)

Creates a native IIQ authorizer that performs a CommonSecurityConfig check

Parameters:

config - The configuration

Returns:

The authorizer

accessCheck

public static AccessCheckResponse accessCheck(AccessCheckInput input)

Returns an ‘allowed’ response if the logged in user can access the item based on the common configuration parameters.

Results for the same CommonSecurityConfig, source, and target user will be cached for up to one minute unless the CommonSecurityConfig object has noCache set to true.

Parameters:

input - The input containing the configuration for the checkThingAccess utility

Returns:

True if the user has access to the thing based on the configuration

clearCachedResults

public static void clearCachedResults()

An optional clear-cache method that can be used by plugin code

getCacheMap

public static ConcurrentHashMap<AccessCheck.SecurityCacheToken,AccessCheck.SecurityResult> getCacheMap()

Creates the cache map, which should be stored in CustomGlobal.

If it does not exist, we create and store a new one. Since this is just for efficiency, we don’t really care about synchronization.

A new cache will be created whenever a new plugin is installed, incrementing the Environment’s plugin version.

Returns:

The cache map

matchesAnyWorkgroup

public static boolean matchesAnyWorkgroup(sailpoint.object.Identity currentUser,
                                          List<String> workgroups)

Returns true if the current user is a member of any of the given workgroups.

Note that this check is NOT recursive and does not check whether a workgroup is a member of another workgroup.

Parameters:

currentUser - The user to check

workgroups - The workgroups to check

Returns:

true if the user is in the given workgroup