Class DelegatedAccessController
- java.lang.Object
  - com.identityworksllc.iiq.common.access.DelegatedAccessController

public class DelegatedAccessController extends Object
Utilities for delegated access checks. The access checks are implemented as follows:
- A Configuration exists that contains ThingAccessUtils-friendly access controls.
- Access controls are nested and cumulative. If a user can’t read from an Identity, then they trivially can’t read any of its attributes.
- If a ‘global’ access control exists, its elements will always be added to the controls.
- A purpose can be specified as a colon-delimited string, e.g., read:private:ssn. Access controls will be added from ‘read’, ‘read:private’, and ‘read:private:ssn’, if they exist. More specific entries override less specific entries. More specific entries can also specify a special ‘_remove’ entry that suppresses upper-level controls.
- If no access controls exist for a purpose string, the answer is always yes.

The specific purpose strings are arbitrary and are defined in the various IID plugins. For example, the UI Enhancer has a slew of them, along with its own mechanism for pointing the access checks at the DA adapter.
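A worked model of the purpose-resolution rules above, added here as an example and not code from this library: a nested Map stands in for the IIQ Configuration. The Map layout, the treatment of ‘_remove’ as clearing only the inherited purpose-level entries, and the merge order between global and purpose-level entries are assumptions; the ‘global’ and ‘_remove’ names come from this page.

```java
import java.util.*;

public class PurposeResolutionExample {
    // Names taken from the page; the nested-Map layout is an assumption of this example
    static final String GLOBAL = "global";
    static final String REMOVE = "_remove";

    /** Cumulative controls for a colon-delimited purpose such as "read:private:ssn". */
    static Map<String, String> resolveControls(Map<String, Map<String, String>> config, String purpose) {
        Map<String, String> inherited = new LinkedHashMap<>();
        String token = null;
        for (String part : purpose.split(":")) {
            token = (token == null) ? part : token + ":" + part;   // read, read:private, ...
            Map<String, String> level = config.get(token);
            if (level == null) continue;                           // nothing at this level, keep walking
            if (level.containsKey(REMOVE)) inherited.clear();      // suppress the upper-level controls
            for (Map.Entry<String, String> e : level.entrySet()) {
                if (!e.getKey().equals(REMOVE)) inherited.put(e.getKey(), e.getValue()); // specific overrides
            }
        }
        Map<String, String> result = new LinkedHashMap<>();
        if (config.containsKey(GLOBAL)) result.putAll(config.get(GLOBAL)); // global is always added
        result.putAll(inherited);                                           // assumed: purpose entries win
        return result;
    }

    /** Exact-token check, as explicitControlExists describes: "read:private" does not match "read:private:ssn". */
    static boolean explicitControlExists(Map<String, Map<String, String>> config, String purpose) {
        return config.containsKey(purpose);
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> config = new HashMap<>(); // constructed sample configuration
        config.put(GLOBAL, Map.of("requireLoggedIn", "true"));
        config.put("read", Map.of("allowedCapability", "ViewIdentity"));
        config.put("read:private", Map.of("allowedCapability", "ViewIdentity", "allowedRole", "HR"));
        config.put("read:private:ssn", Map.of(REMOVE, "true", "allowedRole", "Payroll"));

        System.out.println(resolveControls(config, "read:private"));      // inherits from read, adds HR
        System.out.println(resolveControls(config, "read:private:ssn"));  // _remove drops inherited entries
        System.out.println(explicitControlExists(config, "read:priv"));   // prefix only, not an explicit control
    }
}
```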
Constructor Summary
- DelegatedAccessController(sailpoint.api.SailPointContext context, sailpoint.object.Identity requester)
  Constructs a new delegated access controller with the given IIQ and user context
- DelegatedAccessController(sailpoint.web.UserContext requesterContext)
  Constructor for delegated access

Method Summary
- boolean canSeeIdentity(sailpoint.object.Identity target, String purpose)
  Returns true if, according to the configuration, the logged in user can do the given action (purpose) against the target user.
- boolean canSeeIdentity(sailpoint.object.Identity target, String purpose, boolean audit)
  Returns true if, according to the configuration, the logged in user can do the given action (purpose) against the target user.
- static void clearCache()
  Clear cache method, for use via the UI Toolbox cache rule
- static boolean explicitControlExists(sailpoint.api.SailPointContext context, String purpose)
  Returns true if an explicit control exists for the given purpose token.
- static sailpoint.object.Configuration getDelegatedAccessConfig(sailpoint.api.SailPointContext context)
  Gets the delegated access config object if one exists
- static String getRemoteIp(javax.servlet.http.HttpServletRequest request)
  Gets the remote IP address of the user from the given HttpServletRequest.
Constructor Detail

DelegatedAccessController
public DelegatedAccessController(sailpoint.api.SailPointContext context, sailpoint.object.Identity requester)
Constructs a new delegated access controller with the given IIQ and user context.
- Parameters:
  context - The IIQ context
  requester - The subject or requester Identity

DelegatedAccessController
public DelegatedAccessController(sailpoint.web.UserContext requesterContext)
Constructor for delegated access.
- Parameters:
  requesterContext - A plugin resource (likely ‘this’ in your plugin)
Method Detail

clearCache
public static void clearCache()
Clear cache method, for use via the UI Toolbox cache rule.
explicitControlExists
public static boolean explicitControlExists(sailpoint.api.SailPointContext context, String purpose) throws sailpoint.tools.GeneralException
Returns true if an explicit control exists for the given purpose token. In other words, if the token is a:b:c, this method returns true only if a:b:c exists in the configuration. A subset, such as a:b, will not match.
- Parameters:
  context - The IIQ context
  purpose - The colon-delimited purpose
- Returns:
  True if an explicit control (i.e., not a substring match) exists for the given purpose
- Throws:
  sailpoint.tools.GeneralException - if anything fails
getDelegatedAccessConfig
public static sailpoint.object.Configuration getDelegatedAccessConfig(sailpoint.api.SailPointContext context) throws sailpoint.tools.GeneralException
Gets the delegated access config object if one exists.
- Parameters:
  context - The IIQ context
- Returns:
  The Configuration if one exists
- Throws:
  sailpoint.tools.GeneralException - if the configuration does not exist
getRemoteIp
public static String getRemoteIp(javax.servlet.http.HttpServletRequest request)
Gets the remote IP address of the user from the given HttpServletRequest. This can be used in a situation where there is no FacesContext, like in a web service call.
- Parameters:
  request - The request to grab the IP from
- Returns:
  The remote IP of the user
canSeeIdentity
public boolean canSeeIdentity(sailpoint.object.Identity target, String purpose) throws sailpoint.tools.GeneralException
Returns true if, according to the configuration, the logged in user can do the given action (purpose) against the target user. If the concept is generic, like “can load plugin page”, you can pass null as the target Identity.
The attempt will not be audited.
- Parameters:
  target - The target user
  purpose - The purpose for which we are checking access (e.g., read, edit, etc.)
- Returns:
  true if access is allowed
- Throws:
  sailpoint.tools.GeneralException - on any check failures
canSeeIdentity
public boolean canSeeIdentity(sailpoint.object.Identity target, String purpose, boolean audit) throws sailpoint.tools.GeneralException
Returns true if, according to the configuration, the logged in user can do the given action (purpose) against the target user. If the concept is generic, like “can load plugin page”, you can pass null as the target Identity.
- Parameters:
  target - The target user
  purpose - The purpose for which we are checking access (e.g., read, edit, etc.)
  audit - True if we should audit this access attempt
- Returns:
  true if access is allowed
- Throws:
  sailpoint.tools.GeneralException - on any check failures