com.ibm.itim.apps.provisioning
Class AccessManager

java.lang.Object
  extended by com.ibm.itim.apps.provisioning.AccessManager

public class AccessManager
extends java.lang.Object

Provides aggregate access management capabilities: the creation or request, removal, and search of accesses. An access can be either role-based or group-based. Before creating or requesting a role-based access there must be (1) a person, the access owner, who will own the access, and (2) a role that is enabled as an access. Before creating or requesting a group-based access there must be (1) a person, the access owner, who will own the access, and (2) a service that hosts the account and the group.

Since:
6.0

Constructor Summary
AccessManager(PlatformContext platform, javax.security.auth.Subject subject)
          Constructs the manager with a platform context and a subject.
 
Method Summary
 java.util.List<Request> createAccess(java.util.List<NewUserAccess> lstNewUserAccesses, AccessEntitlement userAccess, java.util.Date scheduledTime)
          Creates an access in the provisioning platform with the specified attributes for the mentioned users.
 void getAccesses(PersonMO owner, Access accessInfo, SearchResultsMO searchResults, java.util.Locale locale)
          The method returns all the accesses assigned to a person.
 void getAuthorizedAccesses(OrganizationalContainerMO container, PersonMO person, com.ibm.itim.dataservices.model.domain.access.AccessType accessType, java.lang.String accessInfo, SearchResultsMO results, java.util.Locale locale, boolean checkAddAccess)
          Returns authorized access for a user based on the access information provided.
 Request removeAccess(IUserAccess accessToBeRemoved, java.util.Date scheduledTime)
          Submits a user access removal request to the provisioning platform.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccessManager

public AccessManager(PlatformContext platform,
                     javax.security.auth.Subject subject)
Constructs the manager with a platform context and a subject.

Parameters:
platform - PlatformContext holding platform connection information.
subject - Subject representing the authenticated caller.
Method Detail

createAccess

public java.util.List<Request> createAccess(java.util.List<NewUserAccess> lstNewUserAccesses,
                                            AccessEntitlement userAccess,
                                            java.util.Date scheduledTime)
                                     throws java.rmi.RemoteException,
                                            ApplicationException,
                                            AuthorizationException,
                                            SchemaViolationException
Creates an access in the provisioning platform with the specified attributes for the listed users. For group-based access, if the account does not yet exist the API creates the account and then assigns the group membership. If the IUserAccess does not have a serviceDN, the access is treated as a role-based access. A single call can request only one type of access: for example, if the IUserAccess has a null serviceDN, every AccessEntitlement object in the list must have a resource object of type Role. If a resource of any other type is present, the API throws an ApplicationException with the INVALID_ARGUMENT error code.

Parameters:
lstNewUserAccesses - A java.util.List of com.ibm.itim.apps.provisioning.NewUserAccess objects, each capturing the owner and the access resource information. For role-based access the resource object is of type Role; for group-based access it is of type Account.
userAccess - com.ibm.itim.apps.provisioning.AccessEntitlement capturing the details of the access which is being requested.
scheduledTime - The scheduled start time of the process. If NULL, the process starts immediately. When this method is invoked remotely, passing the client machine's current date and time is not a safe technique, because the client clock may differ from the ISIM server clock.
Returns:
java.util.List of com.ibm.itim.apps.Request objects, one for each user.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown with an invalid argument error code if an invalid resource is specified in the AccessEntitlement object; the valid types are Account and Role. Also thrown when there is an error in submitting the request.
AuthorizationException - Thrown if the user is not authorized to perform the operation.
SchemaViolationException - Thrown if there is a violation in the LDAP schema.
Since:
6.0
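The following is an added example, not part of the IBM documentation or of the ISIM product code, showing how a self-service client would obtain an AccessManager and call createAccess with an immediate start. The security-relevant point is that the Subject passed to the constructor is the identity ISIM authorizes against, so the client must log in as the requester rather than as a privileged service account, or the AuthorizationException path is never exercised. The connection and login steps assume the usual ISIM API client pattern: com.ibm.itim.apps.InitialPlatformContext with its CONTEXT_FACTORY and PLATFORM_URL keys, com.ibm.itim.apps.jaas.callback.PlatformCallbackHandler, a JAAS configuration named "ITIM", and the exception classes living in com.ibm.itim.apps. The class AccessRequestExample and its methods connect and requestNow are hypothetical names. Construction of the NewUserAccess and AccessEntitlement objects is left to the caller, since their constructors are not described on this page.

```java
import java.util.Hashtable;
import java.util.List;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// Assumed package locations for the ISIM API client classes.
import com.ibm.itim.apps.ApplicationException;
import com.ibm.itim.apps.AuthorizationException;
import com.ibm.itim.apps.InitialPlatformContext;
import com.ibm.itim.apps.PlatformContext;
import com.ibm.itim.apps.Request;
import com.ibm.itim.apps.SchemaViolationException;
import com.ibm.itim.apps.jaas.callback.PlatformCallbackHandler;
import com.ibm.itim.apps.provisioning.AccessEntitlement;
import com.ibm.itim.apps.provisioning.AccessManager;
import com.ibm.itim.apps.provisioning.NewUserAccess;

/**
 * Hypothetical client that submits an access request on behalf of an
 * authenticated requester. The Subject handed to AccessManager is the
 * identity ISIM evaluates ACIs against, so a self-service front end must
 * log in as the requester, not as a privileged service account.
 */
public class AccessRequestExample {

    /** Assumed JAAS login configuration name used by the ISIM API client. */
    private static final String JAAS_CONFIG = "ITIM";

    /**
     * Connects to the platform and authenticates the requester.
     * InitialPlatformContext, its CONTEXT_FACTORY / PLATFORM_URL keys and
     * PlatformCallbackHandler(user, password) are assumed from the ISIM
     * API client pattern, not taken from this page.
     */
    static AccessManager connect(String platformUrl, String contextFactory,
                                 String user, char[] password) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(InitialPlatformContext.CONTEXT_FACTORY, contextFactory);
        env.put(InitialPlatformContext.PLATFORM_URL, platformUrl);
        PlatformContext platform = new InitialPlatformContext(env);

        PlatformCallbackHandler handler =
            new PlatformCallbackHandler(user, new String(password));
        handler.setPlatformContext(platform);
        LoginContext lc = new LoginContext(JAAS_CONFIG, handler);
        lc.login();
        Subject requester = lc.getSubject();

        // The requester's own Subject: authorization failures surface as
        // AuthorizationException instead of being masked by admin rights.
        return new AccessManager(platform, requester);
    }

    /**
     * Requests one access for the given users, starting immediately.
     * scheduledTime is passed as null on purpose: the client clock is not
     * trusted to match the ISIM server clock (see the parameter notes).
     * Returns one Request per user; fulfilment is asynchronous, so the
     * caller should keep the Request objects for tracking and audit.
     */
    static List<Request> requestNow(AccessManager manager,
                                    List<NewUserAccess> users,
                                    AccessEntitlement access) throws Exception {
        if (users == null || users.isEmpty()) {
            throw new IllegalArgumentException("at least one NewUserAccess is required");
        }
        try {
            return manager.createAccess(users, access, null);
        } catch (AuthorizationException e) {
            // The requester's ACIs do not permit this access. Surface it as a
            // denial; never retry with a more privileged Subject.
            throw new SecurityException("access request denied for requester", e);
        } catch (ApplicationException e) {
            // Raised with INVALID_ARGUMENT when a resource is neither Role nor
            // Account, or when role and group accesses are mixed in one call,
            // and also when the platform fails to submit the request.
            throw new IllegalArgumentException(
                "request rejected by platform: " + e.getMessage(), e);
        } catch (SchemaViolationException e) {
            throw new IllegalStateException("LDAP schema violation", e);
        }
    }
}
```

java.rmi.RemoteException is deliberately not caught: a transport failure leaves the request state unknown, and the caller should not treat it as either success or a clean rejection.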

getAccesses

public void getAccesses(PersonMO owner,
                        Access accessInfo,
                        SearchResultsMO searchResults,
                        java.util.Locale locale)
                 throws java.rmi.RemoteException,
                        ApplicationException
Returns all the accesses assigned to a person. Specifying an accessId in the Access filters the list to that access.

Parameters:
owner - com.ibm.itim.apps.identity.PersonMO object representing the person whose assigned accesses are to be retrieved.
accessInfo - Optional com.ibm.itim.dataservices.model.domain.access.Access object that contains the unique accessId to filter the owner accesses list. It returns all the owner accesses if the value is NULL.
searchResults - Contains the IUserAccess objects that are returned.
locale - java.util.Locale representing the client locale used to sort the results. Results can be sorted on the access name attribute.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if the owner cannot be found or the caller does not have sufficient privileges to perform the operation.
Since:
6.0

removeAccess

public Request removeAccess(IUserAccess accessToBeRemoved,
                            java.util.Date scheduledTime)
                     throws java.rmi.RemoteException,
                            ApplicationException,
                            AuthorizationException,
                            SchemaViolationException
Submits a user access removal request to the provisioning platform.

Parameters:
accessToBeRemoved - com.ibm.itim.apps.provisioning.IUserAccess object that contains the access information you want to remove.
scheduledTime - The scheduled start time of the process. If NULL, the process starts immediately. When this method is invoked remotely, passing the client machine's current date and time is not a safe technique, because the client clock may differ from the ISIM server clock.
Returns:
A com.ibm.itim.apps.Request representing the request submitted to the provisioning platform.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to locate the role or group.
AuthorizationException - Thrown if the user does not have sufficient privileges for performing the operation.
SchemaViolationException - Thrown if there is a violation in the LDAP schema.
Since:
6.0

getAuthorizedAccesses

public void getAuthorizedAccesses(OrganizationalContainerMO container,
                                  PersonMO person,
                                  com.ibm.itim.dataservices.model.domain.access.AccessType accessType,
                                  java.lang.String accessInfo,
                                  SearchResultsMO results,
                                  java.util.Locale locale,
                                  boolean checkAddAccess)
                           throws java.rmi.RemoteException,
                                  ApplicationException,
                                  AuthorizationException,
                                  SchemaViolationException
Returns the accesses that are authorized for a user, based on the access information provided. An access that matches the criteria but that the client is not authorized to view or search is filtered out of the returned list; in that case no AuthorizationException is raised.

Parameters:
container - The organizational container that is the parent container scoping the search. If NULL, the search is performed from the root.
person - The target person for whom the access is authorized. If NULL, an ApplicationException with a not-supported error code is thrown.
accessType - An access type to filter the access search. If NULL, all access types match.
accessInfo - The access information used for a substring match on the access name and access description. If NULL, all accesses match.
results - SearchResultsMO that holds the results of the search, a collection of com.ibm.itim.apps.provisioning.AccessEntitlement objects. SearchResultsMO supports paging and sorting.
locale - The client's locale, used to sort the results. If NULL, the server JVM's Locale.getDefault() is used.
checkAddAccess - Indicates whether to evaluate the ACI (access control item) that governs requesting each access.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if the accesses cannot be obtained, for example because another client removed the container before this call.
AuthorizationException - Thrown if the user does not have the privileges for performing the operation.
SchemaViolationException - Thrown if there is a violation in the LDAP schema.
Since:
6.0


IBM Security Identity Manager 6.0.0
© Copyright International Business Machines Corporation 2007, 2012. All rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.