com.ibm.itim.apps.provisioning
Class AccountManager

java.lang.Object
  |
  +--com.ibm.itim.apps.provisioning.AccountManager

public class AccountManager
extends java.lang.Object

Provides aggregate account management capabilities. These capabilities include the creation of accounts, the validation of accounts, and the resolution of what services are available for an individual within the provisioning platform.

See Also:
AccountMO

Constructor Summary
AccountManager(PlatformContext platform, javax.security.auth.Subject subject)
          Constructs the manager with a platform context and a subject.
 
Method Summary
 void adopt(DistinguishedName ownerDN, java.util.Collection accounts)
          Adopts multiple accounts, or assigns the same owner (given) to all the accounts submitted.
 Request createAccount(PersonMO owner, ServiceMO service, Account subject, java.util.Date scheduledTime)
          Creates an account in the provisioning platform with the specified attributes for the given person.
 AttributeValues getAccountParameters(PersonMO owner, ServiceMO service)
          Returns the auto-generated parameters used to define the potential owner's account on the given service.
 java.util.Collection getAccounts(PersonMO person, java.util.Locale locale)
          Returns the account(s) for the given person.
 java.util.Collection getAccounts(ServiceMO service, java.lang.String uid)
          Returns the account(s) with the uid hosted on the given service.
 java.util.Collection getAccounts(ServiceMO service, java.lang.String attributeName, java.lang.Object attributeValue)
          Returns the account(s) matching the given attribute hosted on the given service.
 void getAccounts(ServiceMO service, java.lang.String attributeName, java.lang.Object attributeValue, SearchResultsMO results)
          Returns the account(s) matching the given attribute hosted on the given service.
 java.util.Collection getAuthorizedServices(PersonMO subject, java.util.Locale locale)
          Returns the services the given person is authorized to have access to.
 void getNonCompliantAccounts(SearchResultsMO results)
          Returns all accounts that are currently tracked as non-compliant by the provisioning system.
 void getNonCompliantAccounts(ServiceMO service, SearchResultsMO results)
          Returns all accounts on the given service that are currently tracked as non-compliant by the provisioning system.
 boolean isAccountCompliant(AccountMO subject, java.util.Collection errors)
          Returns whether the given account is compliant with all policies.
 boolean isAccountCompliant(PersonMO owner, ServiceMO service, AttributeValues params, java.util.Collection errors)
          Returns whether a (potential) account on the given service with the given parameters for the given owner is compliant with all policies.
 void orphan(DistinguishedName userDN, java.util.Collection accounts)
          Orphans multiple accounts, or changes the account owner to unknown.
 Request remove(java.util.Collection accounts, java.util.Date scheduledTime)
          Removes multiple accounts from the provisioning platform.
 Request restore(java.util.Collection accounts, java.util.Date scheduledTime)
          Restores multiple accounts.
 Request suspend(java.util.Collection accounts, java.util.Date scheduledTime)
          Suspends multiple accounts.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AccountManager

public AccountManager(PlatformContext platform,
                      javax.security.auth.Subject subject)
Constructs the manager with a platform context and a subject.
Parameters:
platform - PlatformContext holding platform connection information.
subject - Subject representing the authenticated caller.

Method Detail

createAccount

public Request createAccount(PersonMO owner,
                             ServiceMO service,
                             Account subject,
                             java.util.Date scheduledTime)
                      throws java.rmi.RemoteException,
                             AuthorizationException,
                             SchemaViolationException,
                             ApplicationException
Creates an account in the provisioning platform with the specified attributes for the given person.
Parameters:
owner - PersonMO who will own the account.
service - ServiceMO the account will be provisioned on.
subject - Account value object defining the attributes the account will have.
scheduledTime - Date holding the time the operation is to be executed.
Returns:
Request object representing the operation's status.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to create the account for the given person.
SchemaViolationException - Thrown if any of the attributes in the value object violate the managed object's schema. This may be caused by an invalid attribute or if a required attribute is missing entirely.
ApplicationException - Thrown if unable to submit the request. This may possibly be caused by the owner being removed by another client previous to this call.

getAuthorizedServices

public java.util.Collection getAuthorizedServices(PersonMO subject,
                                                  java.util.Locale locale)
                                           throws java.rmi.RemoteException,
                                                  AuthorizationException,
                                                  ApplicationException
Returns the services the given person is authorized to have access to.
Parameters:
subject - PersonMO representing the person in question.
locale - optional Locale used to sort the results by Service name. If null, Locale.getDefault() (server JVM) is used.
Returns:
Collection of ServiceMO's representing the services the subject has access to.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to view (search) the subject person.
ApplicationException - Thrown if unable to obtain the authorized services. This may possibly be caused by the subject being removed by another client previous to this call. This may be also caused by a fault in processing policies in order to obtain the authorized services.

getAccountParameters

public AttributeValues getAccountParameters(PersonMO owner,
                                            ServiceMO service)
                                     throws java.rmi.RemoteException,
                                            AuthorizationException,
                                            ApplicationException
Returns the auto-generated parameters used to define the potential owner's account on the given service. Note, the client may not be authorized to view all of the parameters. These parameters will be omitted from the returned list without the generation of an AuthorizationException.
Parameters:
owner - PersonMO representing the person in question.
service - ServiceMO representing the service in question.
Returns:
AttributeValues holding the generated account parameters.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to view (search) the subject person, accounts of this type, and/or service.
ApplicationException - Thrown if unable to generate the parameters. This may possibly be caused by the owner or service being removed by another client previous to this call. This may be also caused by a fault in processing policies in order to generate the parameters.

getNonCompliantAccounts

public void getNonCompliantAccounts(SearchResultsMO results)
                             throws java.rmi.RemoteException,
                                    ApplicationException
Returns all accounts that are currently tracked as non-compliant by the provisioning system. The non-compliance may be due to unauthorized access to a service completely, or just a constraint violation with the parameters of an account. Note, the client may not be authorized to view all of the accounts that are non-compliant. Those unauthorized accounts will be filtered out of the returned list and no AuthorizationException will be thrown.
Parameters:
results - SearchResultsMO to hold the results of the search. The object will be filled with Account value objects that represent non-compliant accounts. Note, if the SearchResultsMO object was constructed using a different user context, that context will be changed to match the context of this object.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to retrieve the accounts.

getNonCompliantAccounts

public void getNonCompliantAccounts(ServiceMO service,
                                    SearchResultsMO results)
                             throws java.rmi.RemoteException,
                                    ApplicationException
Returns all accounts on the given service that are currently tracked as non-compliant by the provisioning system. The non-compliance may be due to unauthorized access to a service completely, or just a constraint violation with the parameters of an account. Note, the client may not be authorized to view all of the accounts that are non-compliant. Those unauthorized accounts will be filtered out of the returned list and no AuthorizationException will be thrown.
Parameters:
service - ServiceMO constraining the search.
results - SearchResultsMO to hold the results of the search. The object will be filled with Account value objects that represent non-compliant accounts. Note, if the SearchResultsMO object was constructed using a different user context, that context will be changed to match the context of this object.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to retrieve the accounts.

isAccountCompliant

public boolean isAccountCompliant(AccountMO subject,
                                  java.util.Collection errors)
                           throws java.rmi.RemoteException,
                                  AuthorizationException,
                                  ApplicationException
Returns whether the given account is compliant with all policies. Not only is a boolean result returned, but a list of errors (if any) is also available on request.
Parameters:
subject - AccountMO representing the account in question.
errors - If non-null, will be filled with detected errors. The errors are represented as Strings.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to view (search) the subject account.
ApplicationException - Thrown if unable to generate the parameters. This may possibly be caused by the account being removed by another client previous to this call. This may be also caused by a fault in processing policies in order to evaluate compliance.

isAccountCompliant

public boolean isAccountCompliant(PersonMO owner,
                                  ServiceMO service,
                                  AttributeValues params,
                                  java.util.Collection errors)
                           throws java.rmi.RemoteException,
                                  AuthorizationException,
                                  ApplicationException
Returns whether a (potential) account on the given service with the given parameters for the given owner is compliant with all policies. Not only is a boolean result returned, but a list of errors (if any) is also available on request.
Parameters:
owner - PersonMO representing the person in question.
service - ServiceMO representing the service in question.
params - AttributeValues holding the parameters of the (potential) account.
errors - If non-null, will be filled with detected errors. The errors are represented as Strings.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to view (search) the subject person and/or service.
ApplicationException - Thrown if unable to generate the parameters. This may possibly be caused by the owner and/or service being removed by another client previous to this call. This may be also caused by a fault in processing policies in order to evaluate compliance.

getAccounts

public java.util.Collection getAccounts(PersonMO person,
                                        java.util.Locale locale)
                                 throws java.rmi.RemoteException,
                                        ApplicationException
Returns the account(s) for the given person. Note, if the client is unauthorized to view (search) an account that matches these criteria, it will be filtered out of the return list and no AuthorizationException will be thrown.
Parameters:
person - PersonMO representing the person to scope the search.
locale - optional Locale used to do a locale-sensitive sort of the results by user id. If null, Locale.getDefault() is used (server JVM).
Returns:
Collection of AccountMO's representing the matching accounts.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to obtain the accounts. This may possibly be caused by the service being removed by another client previous to this call.
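
Added example (not part of the original API documentation or IBM's code): a compliance audit of one person's accounts that combines getAccounts(PersonMO, Locale) with isAccountCompliant(AccountMO, Collection). Because getAccounts silently drops accounts the caller may not view, the count it records covers visible accounts only, and accounts whose check fails are kept separate instead of being counted as compliant. The class AccountComplianceAudit, its Result type, and the package names of PersonMO and the two exception classes are assumptions.

```java
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.ibm.itim.apps.ApplicationException;    // package name assumed
import com.ibm.itim.apps.AuthorizationException;  // package name assumed
import com.ibm.itim.apps.identity.PersonMO;       // package name assumed
import com.ibm.itim.apps.provisioning.AccountMO;
import com.ibm.itim.apps.provisioning.AccountManager;

/** Hypothetical helper, not part of the ITIM API. */
public final class AccountComplianceAudit {

    /** Audit outcome; this type is defined by the example only. */
    public static final class Result {
        /** Accounts returned to this caller; unauthorized ones were filtered out silently. */
        public int visible;
        /** Non-compliant accounts mapped to the error Strings reported for them. */
        public final Map<AccountMO, List<String>> violations = new LinkedHashMap<>();
        /** Accounts whose compliance could not be evaluated; never treat these as compliant. */
        public final Map<AccountMO, Exception> unevaluated = new LinkedHashMap<>();
    }

    public static Result audit(AccountManager manager, PersonMO person)
            throws RemoteException, ApplicationException {
        Result result = new Result();

        // A null locale makes the server JVM's default Locale drive the sort order.
        Collection accounts = manager.getAccounts(person, null);
        result.visible = accounts.size();

        for (Iterator it = accounts.iterator(); it.hasNext();) {
            AccountMO account = (AccountMO) it.next();
            // Passing a non-null collection asks for the detected errors as Strings.
            Collection errors = new ArrayList();
            try {
                if (!manager.isAccountCompliant(account, errors)) {
                    List<String> messages = new ArrayList<>();
                    for (Object error : errors) {
                        messages.add((String) error);
                    }
                    result.violations.put(account, messages);
                }
            } catch (AuthorizationException e) {
                // Visible through search but not open to a compliance check by this caller.
                result.unevaluated.put(account, e);
            } catch (ApplicationException e) {
                // For example, the account was removed by another client, or a policy fault.
                result.unevaluated.put(account, e);
            }
        }
        return result;
    }
}
```

A RemoteException is left to propagate so that a lost platform connection aborts the audit rather than producing a partial report.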

getAccounts

public java.util.Collection getAccounts(ServiceMO service,
                                        java.lang.String uid)
                                 throws java.rmi.RemoteException,
                                        ApplicationException
Returns the account(s) with the uid hosted on the given service. Note, if the client is unauthorized to view (search) an account that matches these criteria, it will be filtered out of the return list and no AuthorizationException will be thrown.
Parameters:
service - ServiceMO representing the service to scope the search.
uid - User id of the account to retrieve.
Returns:
Collection of AccountMO's representing the matching accounts.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to obtain the accounts. This may possibly be caused by the service being removed by another client previous to this call.

getAccounts

public java.util.Collection getAccounts(ServiceMO service,
                                        java.lang.String attributeName,
                                        java.lang.Object attributeValue)
                                 throws java.rmi.RemoteException,
                                        ApplicationException
Returns the account(s) matching the given attribute hosted on the given service. Note, if the client is unauthorized to view (search) an account that matches these criteria, it will be filtered out of the return list and no AuthorizationException will be thrown.
Parameters:
service - ServiceMO representing the service to scope the search.
attributeName - Name of attribute to match with.
attributeValue - Value of the attribute to match with. A * can be used as the first and/or last character of a String value if a "contains" expression is desired.
Returns:
Collection of AccountMO's representing the matching accounts.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to obtain the accounts. This may possibly be caused by the service being removed by another client previous to this call.

getAccounts

public void getAccounts(ServiceMO service,
                        java.lang.String attributeName,
                        java.lang.Object attributeValue,
                        SearchResultsMO results)
                 throws java.rmi.RemoteException,
                        ApplicationException
Returns the account(s) matching the given attribute hosted on the given service. Note, if the client is unauthorized to view (search) an account that matches these criteria, it will be filtered out of the return list and no AuthorizationException will be thrown.
Parameters:
service - ServiceMO representing the service to scope the search.
attributeName - Name of attribute to match with.
attributeValue - Value of the attribute to match with. A * can be used as the first and/or last character of a String value if a "contains" expression is desired.
results - SearchResultsMO to hold the results of the search. The object will be filled with Account value objects that match the given criteria. Note, if the SearchResultsMO object was constructed using a different user context, that context will be changed to match the context of this object.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
ApplicationException - Thrown if unable to obtain the accounts. This may possibly be caused by the service being removed by another client previous to this call.

adopt

public void adopt(DistinguishedName ownerDN,
                  java.util.Collection accounts)
           throws java.rmi.RemoteException,
                  AuthorizationException,
                  ApplicationException
Adopts multiple accounts, or assigns the same owner (given) to all the accounts submitted.
Parameters:
ownerDN - DistinguishedName of the new account owner.
accounts - Collection of Account DirectoryObject to assign an owner to.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to change any of the account owners.
ApplicationException - Thrown if unable to adopt any of the accounts. This may possibly be caused by the account or owner being removed by another client previous to this call.

orphan

public void orphan(DistinguishedName userDN,
                   java.util.Collection accounts)
            throws java.rmi.RemoteException,
                   AuthorizationException,
                   ApplicationException
Orphans multiple accounts, or changes the account owner to unknown.
Parameters:
userDN - DistinguishedName identifies an authenticated SystemUser.
accounts - Collection of Account DirectoryObjects to orphan.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to orphan any of the accounts.
ApplicationException - Thrown if unable to orphan the accounts. This may possibly be caused by the account being removed by another client previous to this call.

suspend

public Request suspend(java.util.Collection accounts,
                       java.util.Date scheduledTime)
                throws java.rmi.RemoteException,
                       ApplicationException,
                       AuthorizationException
Suspends multiple accounts.
Parameters:
accounts - Collection of Account DirectoryObjects to suspend.
scheduledTime - Date holding the time the operation is to be executed.
Returns:
long Workflow Process ID.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to suspend any of the accounts.
ApplicationException - Thrown if unable to submit the request.

restore

public Request restore(java.util.Collection accounts,
                       java.util.Date scheduledTime)
                throws java.rmi.RemoteException,
                       ApplicationException,
                       AuthorizationException
Restores multiple accounts.
Parameters:
accounts - Collection of Account DirectoryObjects to restore.
scheduledTime - Date holding the time the operation is to be executed.
Returns:
long Workflow Process ID.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to restore any of the accounts.
ApplicationException - Thrown if unable to submit the request.

remove

public Request remove(java.util.Collection accounts,
                      java.util.Date scheduledTime)
               throws java.rmi.RemoteException,
                      ApplicationException,
                      AuthorizationException
Removes multiple accounts from the provisioning platform.
Parameters:
accounts - Collection of Account DirectoryObjects to remove.
scheduledTime - Date holding the time the operation is to be executed.
Returns:
long Workflow Process ID.
Throws:
java.rmi.RemoteException - Thrown if unable to communicate with platform.
AuthorizationException - Thrown if client is unauthorized to remove any of the accounts.
ApplicationException - Thrown if unable to submit the request.