Sun Java[TM] System Identity Manager 7.1 Release Notes
Documentation Additions and Corrections
This section contains new and corrected information that was required after the Identity Manager 7.1 documentation set was published. This information is organized as follows:
Identity Manager Installation
This section provides new information and documentation corrections related to Sun Java System Identity Manager Installation.
Identity Manager Upgrade
This section provides new information and documentation corrections for Sun Java System Identity Manager Upgrade.
- Before upgrading, it is important to back up both the directory where Identity Manager is installed and the database that Identity Manager is using. You can use third-party backup software or a backup utility supplied with your system to back up the Identity Manager file system. To back up your database, refer to the database documentation for recommended backup procedures. (ID-2810)
- The AD Active Sync resource has been deprecated and replaced by the AD resource. Perform the following steps to migrate an existing AD Active Sync resource to the newer AD resource: (ID-11363)
  1. Export the existing AD Active Sync resource object to an XML file (either from the command line or the debug pages).
  2. Delete the existing resource (this will not affect Identity Manager users or resource account users).
  3. Create a new AD resource that is Active Sync.
  4. Export this new resource object to an XML file.
  5. Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the <Resource id='idnumber' name='AD' ...> tag.
  6. Save the changes to the file.
  7. Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
- Updated the Other Custom Repository Objects section to include instructions for using Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in a deployment. (ID-14840)
Other Custom Repository Objects
Record the names of any other custom repository objects that you created or updated. You might have to export these objects from your current installation and then re-import them to the newer version of Identity Manager after upgrading.
You can use Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in your deployment, which can be very useful when you are planning an upgrade.
SnapShot copies the following, specific object types from your system for comparison:
You can then compare two snapshots to determine what changes have been made to certain system objects before and after upgrade.
Note
This feature is not intended for detailed, on-going XML diffs — it is only a minimal tool for “first-pass” comparisons.
To create a snapshot:
- From the Identity Manager Debug page ( ), click the SnapShot button to view the SnapShot Management page.
Figure 1 SnapShot Management Page
- Type a name for the snapshot in the Create text box, and then click the Create button.
When Identity Manager adds the snapshot, the snapshot’s name displays in the Compare menu list and to the right of the Export label.
To compare two snapshots:
Figure 2 SnapShot Management Page
- Click the Compare button.
- If there are no object changes, then the page indicates that no differences were found.
- If object changes were found, then the page displays the object type and name, and whether an object is different, absent, or present.
For example, if an object is present in baseline_1, but is not present in baseline_2, then the baseline_1 column indicates Present and the baseline_2 column indicates Absent.
You can export a snapshot in XML format. Click the snapshot name to export the snapshot file.
To delete a snapshot, select the snapshot from the Delete menu, and then click the Delete button.
- If you are upgrading from a 6.x install to version 7.0 or 7.1, and you want to start using the new Identity Manager end-user pages, you must manually change the system configuration ui.web.user.showMenu to true for the horizontal navigation bar to display. (ID-14901)
- If you are upgrading from 6.0 or 7.0 to version 7.1, and using LocalFiles, you must export all of your data before upgrading and then re-import the data after doing a clean installation of 7.1. (ID-15366)
- Upgrading from 6.0 or 7.0 to version 7.1 requires a database schema upgrade. (ID-15392)
- During the upgrade process, Identity Manager analyzes all roles on the system and then updates any missing subrole and super role links using the RoleUpdater class. (ID-15734) The following import file invokes RoleUpdater with its configuration options:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
  <ImportCommand class='com.waveset.session.RoleUpdater'>
    <Map>
      <MapEntry key='verbose' value='true' />
      <MapEntry key='noupdate' value='false' />
      <MapEntry key='nofixsubrolelinks' value='false' />
    </Map>
  </ImportCommand>
</Waveset>
```
Where:
- verbose: Provides verbose output when updating roles. Specify false to enable a silent update of roles.
- noupdate: Determines whether the roles are updated. Specify false to get a report that only lists which roles will be updated.
- nofixsubrolelinks: Determines whether super roles are updated with missing subrole links. This value is set to false by default and links will be repaired.
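The SnapShot comparison described under Other Custom Repository Objects above (Present, Absent or Different per object type and name) can be reproduced offline against two exported snapshots. The following is an added example, not Identity Manager's own SnapShot code: the real export format is not shown on this page, so the parser assumes a constructed layout with a <Snapshot> root holding one <Object type='...' name='...'> element per captured object, and the two sample snapshots are constructed inline.

```python
"""Compare two repository snapshots the way the SnapShot page reports them.

Added example, not Identity Manager code. The XML layout is an assumption:
<Snapshot name='...'> containing <Object type='...' name='...'> elements
whose child content is the captured object definition.
"""
import xml.etree.ElementTree as ET

# Constructed sample: snapshot taken before the upgrade.
BASELINE_1 = """<Snapshot name='baseline_1'>
  <Object type='Configuration' name='SystemConfiguration'>
    <Attribute name='ui.web.user.showMenu' value='false'/>
  </Object>
  <Object type='Rule' name='getAccountId'>
    <Body>firstName.lastName</Body>
  </Object>
  <Object type='Form' name='End User Anon Enrollment Completion'>
    <Body>v1</Body>
  </Object>
</Snapshot>"""

# Constructed sample: snapshot taken after the upgrade.
BASELINE_2 = """<Snapshot name='baseline_2'>
  <Object type='Configuration' name='SystemConfiguration'>
    <Attribute name='ui.web.user.showMenu' value='true'/>
  </Object>
  <Object type='Rule' name='getAccountId'>
    <Body>firstName.lastName</Body>
  </Object>
  <Object type='Rule' name='getEmailAddress'>
    <Body>firstName.lastName</Body>
  </Object>
</Snapshot>"""


def load_snapshot(xml_text):
    """Return {(type, name): canonical XML} for every object in the snapshot."""
    root = ET.fromstring(xml_text)
    objects = {}
    for obj in root.findall("Object"):
        key = (obj.get("type"), obj.get("name"))
        raw = ET.tostring(obj, encoding="unicode")
        # Canonical C14N form with insignificant whitespace stripped, so two
        # copies of the same object compare equal regardless of formatting.
        objects[key] = ET.canonicalize(xml_data=raw, strip_text=True)
    return objects


def compare_snapshots(first, second):
    """Return (type, name, status_in_first, status_in_second) for every
    object that differs; identical objects are omitted."""
    rows = []
    for key in sorted(set(first) | set(second)):
        in_first, in_second = key in first, key in second
        if in_first and in_second:
            if first[key] == second[key]:
                continue
            status = ("Different", "Different")
        elif in_first:
            status = ("Present", "Absent")
        else:
            status = ("Absent", "Present")
        rows.append((key[0], key[1], status[0], status[1]))
    return rows


def report(rows, first_name, second_name):
    """Render the comparison as the SnapShot page describes it."""
    if not rows:
        return "No differences were found."
    lines = [f"{'Type':<14}{'Name':<40}{first_name:<12}{second_name}"]
    for obj_type, name, a, b in rows:
        lines.append(f"{obj_type:<14}{name:<40}{a:<12}{b}")
    return "\n".join(lines)


if __name__ == "__main__":
    diff = compare_snapshots(load_snapshot(BASELINE_1), load_snapshot(BASELINE_2))
    print(report(diff, "baseline_1", "baseline_2"))
```

As with the built-in feature, this is a first-pass comparison: it tells you which customized objects changed across the upgrade, not what changed inside them.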
Identity Manager Administration Guide
This section provides new information and documentation corrections for Sun Java System Identity Manager Administration.
Chapter 3, User and Account Management
- In the section titled Disable Users (User Actions, Organization Actions), the note has been amended:
- In the section titled Enable Users (User Actions, Organization Actions), the following note has been added:
Chapter 5, Administration
- In the section titled Delegating Work Items, the following note has been added.
- In the section titled Managing Work Items, the following information has been added.
Delegations to Deleted Users
If you have delegated a work item to a user who is later deleted from Identity Manager, then the deleted user is indicated in the Current Delegations list in parentheses. If you subsequently edit or create a delegation that includes the deleted user, then the action fails. Additionally, any user create or update work items that are delegated to a deleted user will fail.
You can recover work items that are delegated to a deleted user by ending the delegation.
- In the table titled Identity Manager Capabilities Descriptions, the End User Administrator capability has been added. Any user assigned this capability can view and modify the rights to the object types specified in the End User capability, as well as the contents of the End User Controlled Organizations rule. By default, this capability is assigned to Configurator.
Chapter 11, Identity Auditing
The following information has been added to this chapter.
Resolving Auditor Capabilities Limitations
By default, capabilities needed to perform auditing tasks are contained in the Top organization (object group). As a result, only those administrators who control Top can assign these capabilities to other administrators.
You can resolve this limitation by adding the capabilities to another organization. Identity Manager provides two utilities, located in the sample/scripts directory, to assist with this task.
Chapter 13, Service Provider Administrator
The section titled “Configure Synchronization” should state that the default synchronization interval for Service Provider synchronization tasks is 1 minute.
Identity Manager Resources Reference
This section contains new information and documentation corrections for the Sun Java System Identity Manager Resources Reference:
- The Flat File Active Sync adapter discusses setting the sources.hosts property in the Waveset.properties file. This configuration should now be accomplished using a synchronization policy.
- The NDS adapter has improved support for GroupWise:
- The “Managing ACL List” procedure of this guide contains the following step: (ID-16476)
Identity Manager Technical Deployment Overview
This section contains new information and documentation corrections for Sun Java System Identity Manager Technical Deployment Overview:

```css
th#UserListTreeContent_Col0 {
  width: 1px;
}
th#UserListTreeContent_Col1 {
  width: 1px;
}
th#UserListTreeContent_Col2 {
  width: 50%;
}
th#UserListTreeContent_Col3 {
  width: 50%;
}
th#ResourceListTreeContent_Col0 {
  width: 1px;
}
th#ResourceListTreeContent_Col1 {
  width: 1px;
}
th#ResourceListTreeContent_Col2 {
  width: 33%;
}
th#ResourceListTreeContent_Col3 {
  width: 33%;
}
th#ResourceListTreeContent_Col4 {
  width: 33%;
}
```

You can also resize table columns by clicking and dragging the right border of the column header. When you hover over the right border of the column header, the cursor changes to a horizontal resize arrow. Left-clicking and dragging the cursor resizes the column. (Resizing ends when you release the mouse button.)
- The System Configuration object now contains the security.delegation.historyLength attribute, which controls the number of previous delegations that are recorded.
- The Access Review Dashboard and Access Review Detail Report both show instances of reviews that are recorded in the audit logs. Without database maintenance, the audit logs are never trimmed, and the list of reviews grows. Identity Manager provides the ability to limit the reviews shown to a certain age range. To change this limit, you must customize compliance/dashboard.jsp (for the dashboard) and sample/auditortasks.xml (for the Details report). (The default is to show only reviews that are less than 2 years old.)
to limit reviews to the last 6 months. The same qualifiers as above apply.
Each Periodic Access Review includes a set of UserEntitlement records that were created when the review was run. These records, which accumulate over time, provide valuable historical information about accounts. However, to conserve database space, consider deleting some records. You can delete a record by executing Server Task > Run Task > Delete Access Review. Deleting a review adds new audit log entries that indicate the review is deleted, and deletes all UserEntitlement records associated with the review, which conserves database space.
- Code Example 5-5 contains information that should appear in Code Example 5-4.
Code Example 5-4 should be as follows:
Code Example 5-5 should be as follows:
Code Example 5-5 Changing Tab Panel Tabs

```css
table.Tab2TblNew td {
  background-image: url(../images/other/dot.gif);
  background-repeat: repeat-x;
  background-position: left top;
  background-color: #CCCCFF;
  border: solid 1px #8f989f;
}
table.Tab2TblNew td.Tab2TblSelTd {
  border-bottom: none;
  background-image: url(../images/other/dot.gif);
  background-repeat: repeat-x;
  background-position: left bottom;
  background-color: #FFF;
  border-left: solid 1px #8f989f;
  border-right: solid 1px #8f989f;
  border-top: solid 1px #8f989f;
}
```
The extends attribute allows for a hierarchy of work item types (workItem types). When Identity Manager creates a work item, it delegates the work item to the specified users if its workItem type is:
- the type delegated
- one of the subordinate workItem types of the type being delegated.
| workItem Type | Description | Display Name |
|---|---|---|
| Approval | extends WorkItem | Approval |
| OrganizationApproval | extends Approval | Organization Approval |
| ResourceApproval | extends Approval | Resource Approval |
| RoleApproval | extends Approval | Role Approval |
| Attestation | WorkItem | Access Review Attestation |
| review | WorkItem | Remediation |
| accessReviewRemediation | WorkItem | Access |
Because anonymous enrollment processing can result in the inclusion of non-ASCII characters in email addresses and account IDs, international users should modify EndUserRuleLibrary rules so that Identity Manager maintains ASCII account IDs and email addresses during anonymous enrollment processing.
To maintain account ID and email address values in ASCII during anonymous enrollment processing, follow these two steps:
- Edit the following three rules within the EndUserRuleLibrary as indicated below:
| Edit this rule | To make this change... |
|---|---|
| getAccountId | To use employeeId only (and remove firstName and lastName) |
| getEmailAddress | To use employeeId only (remove firstName, lastName, and ".") |
| verifyFirstname | To change the length check from 2 to 1 to allow for single-character Asian first names |
- Edit the End User Anon Enrollment Completion form to remove the firstName and lastName arguments from calls to the getAccountId and getEmailAddress rules.
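The effect of the three rule changes above can be checked outside Identity Manager. The following is an added example, not the EndUserRuleLibrary itself: the 'before' functions reconstruct what the page says the original rules drew on (firstName, lastName and a "." separator), but their exact formatting is an assumption; the 'after' functions use employeeId only, as the correction directs; the domain and sample enrollment values are constructed.

```python
"""Check that anonymous-enrollment account IDs and email addresses stay ASCII.

Added example, not Identity Manager code. The *_before functions are an
assumed reconstruction of the original rules; the *_after functions apply
the documented correction (employeeId only).
"""
EMAIL_DOMAIN = "example.com"  # constructed domain, not from the page


def get_account_id_before(first_name, last_name, employee_id):
    # Assumed original shape: names prefixed to the employee ID.
    return f"{first_name}{last_name}{employee_id}".lower()


def get_account_id_after(employee_id):
    # Corrected rule: employeeId only, so no user-typed characters leak in.
    return employee_id


def get_email_address_before(first_name, last_name, employee_id):
    # Assumed original shape: name parts joined with "." before the ID.
    return f"{first_name}.{last_name}.{employee_id}@{EMAIL_DOMAIN}".lower()


def get_email_address_after(employee_id):
    return f"{employee_id}@{EMAIL_DOMAIN}".lower()


def verify_firstname(first_name, min_length=1):
    """Original rule required 2 characters; the corrected rule allows 1."""
    return len(first_name) >= min_length


def is_ascii(value):
    return all(ord(ch) < 128 for ch in value)


def enroll(first_name, last_name, employee_id, use_corrected_rules=True):
    """Return (accountId, email, ascii_ok) for one enrollment request."""
    if use_corrected_rules:
        account_id = get_account_id_after(employee_id)
        email = get_email_address_after(employee_id)
    else:
        account_id = get_account_id_before(first_name, last_name, employee_id)
        email = get_email_address_before(first_name, last_name, employee_id)
    return account_id, email, is_ascii(account_id) and is_ascii(email)


if __name__ == "__main__":
    # Constructed enrollment with non-ASCII name parts.
    print(enroll("Zoë", "Müller", "e12345", use_corrected_rules=False))
    print(enroll("Zoë", "Müller", "e12345"))
    print(verify_firstname("王"), verify_firstname("王", min_length=2))
```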
Identity Manager Workflows, Forms, and Views
This section contains new information and documentation corrections for Sun Java System Identity Manager Workflows, Forms, and Views.
Chapter 2, Identity Manager Workflow
Test Auto Attestation
Use this workflow to test new Review Determination rules without creating Attestation work items. This workflow does not create any work items, and simply terminates shortly after it starts. It leaves all User Entitlement objects in the same state in which the access scan created them. Use the Terminate and Delete options to clean up the results from access scans run with this workflow.
You can import this stub workflow as needed. (Identity Manager does not import it automatically.)
- Identity Manager Compliance uses workflows as integration and customization points for the application. The default compliance-related workflows are described below. (ID-15447)
| Workflow Name | Purpose |
|---|---|
| Remediation | Remediation for a single Remediator working with a single Compliance Violation |
| Access Review Remediation | Remediation for a single remediator working with a single UserEntitlement |
| Attestation | Attestation for a single Attestor working with a single UserEntitlement |
| Multi Remediation | Remediation for a single Compliance Violation and multiple remediators |
| Update Compliance Violation | Mitigates a Compliance Violation |
| Launch Access Scan | Launch an Access Scan task from an Access Review task |
| Launch Entitlement Rescan | Launch a rescan of an Access Scan for a single user |
| Launch Violation Rescan | Launch a rescan of an Audit Policy Scan for a single user |
- The description of the maxSteps property has been revised as follows: (ID-15618)
Specifies the maximum number of steps allowed in any workflow process or subprocess. Once this level is exceeded, Identity Manager terminates the workflow. This setting is used as a safeguard for detecting when a workflow is stuck in an infinite loop. The default value set in the workflow itself is 0, which indicates that Identity Manager should pull the actual setting value from the global setting stored in the SystemConfiguration object's workflow.maxSteps attribute. The value of this global setting is 5000.
Executes BeanShell or JavaScript based on the script provided. As a task, it can be scheduled to run periodically. For example, you can use it to export data from the repository to a database for reporting and analysis. Benefits include the ability to write a custom task without writing custom Java code. (Custom Java code requires recompilation on every upgrade and must be deployed to every server; because the script is embedded in the task, there is no need to recompile or deploy it.)
Chapter 3, Identity Manager Forms
Identity Manager auditing and compliance forms provide a feature unique among Identity Manager forms: You can assign a form on a per-user and per-organization basis. Forms assigned on a per-user basis can boost the efficiency of attestation and remediation processing.
For example, you can specify the user form that Identity Manager displays for editing a user in the context of an access review, an access review remediation, or a compliance violation remediation. You can specify this user form at the level of the user or the organization. When Identity Manager rescans a user in the context of an access review rescan or access review remediation, the rescan respects the audit policies defined in the AccessScan. You can define this to include the continuous compliance audit policies.
Related Information
- See Identity Manager Administration for a discussion of the concepts that support Identity Manager auditing and compliance features as well as the basic procedures for implementing the default auditing and compliance features.
- See Identity Manager Rules in Identity Manager Deployment Tools for a general discussion of rules as well as specific information about remediation rules.
About Auditing-Related Form Processing
Much like userForm and viewUserForm, you can set the form on a specific user, or on an organization, and the user (or all users in the organization) will use that form. If you set a form on both the user and the organization, the form set on the user takes precedence. (When looking up the form, Identity Manager searches organizations upwards.)
Auditing-related forms behave the same way that the User Form and View User Form work: Each user can designate a specific form to use, and the resolution of which form a specific user should use will honor the user's organization.
Specifying User Forms
The Audit Policy List and Access Scan List forms support a fullView property that causes the form to display a significant amount of data about the elements in the list. Set this property to false to improve the performance of the list viewer.
The Access Approval List form has a similar property named includeUE, and the Remediation List form uses the includeCV property.
Default Auditing-Related Forms
The following table identifies the default auditing-related forms that ship with Identity Manager.
| Form Name | Mapped Name | Per-User Control | General Purpose |
|---|---|---|---|
| Access Approval List | accessApprovalList | | Display the list of attestation workitems |
| Access Review Delete Confirmation | accessReviewDeleteConfirmation | | Confirm the deletion of an access review |
| Access Review Abort Confirmation | accessReviewAbortConfirmation | | Confirm the termination of an access review |
| Access Review Dashboard | accessReviewDashboard | | Show the list of all access reviews |
| Access Review Remediation Form | accessReviewRemediationWorkItem | Yes | Renders each UE-based remediation workitem |
| Access Review Summary | accessReviewSummary | | Show the details of a specific access review |
| Access Scan Form | accessScanForm | | Display or edit an access scan |
| Access Scan List | accessScanList | | Show the list of all access scans |
| Access Scan Delete Confirmation | accessScanDeleteConfirmation | | Confirm the deletion of an access scan |
| Access Approval List | attestationList | Yes | Renders the list of all pending attestations |
| Attestation Form | attestationWorkItem | Yes | Renders each attestation work item |
| UserEntitlementForm | userEntitlementForm | | Display the contents of a UserEntitlement |
| UserEntitlement Summary Form | userEntitlementSummaryForm | | |
| Violation Detail Form | violationDetailForm | | Show the details of a compliance violation |
| Remediation List | remediationList | Yes | Show a list of remediation work items |
| Audit Policy List | auditPolicyList | | Show a list of audit policies |
| Audit Policy Delete Confirmation Form | auditPolicyDeleteConfirmation | | Confirm the deletion of an audit policy |
| Conflict Violation Details Form | conflictViolationDetailsForm | | Show the SOD violation matrix |
| Compliance Violation Summary Form | complianceViolationSummaryForm | | |
| Remediation Form | reviewWorkItem | Yes | Renders a compliance violation |
Why Customize These Forms?
Attestors and remediators can specify forms that show exactly the detail they need to more efficiently attest and remediate. For example, a resource attestor could show specific resource-specific attributes in the list form to allow them to attest without looking at each specific work item. Because this form would differ depending on the resource type (and thus attributes) involved, customizing the form on a per-attestor basis makes sense.
During attestation, each attestor can look at entitlements from a unique perspective. For example, the idmManager attestor may be looking at the user entitlement in a general way, but a resource attestor is interested only in resource-specific data. Allowing each attestor to tailor both the Attestation-list form and the AttestationWorkItem form to retrieve and display only the information they need can boost the efficiency of the product interface.
Scan Task Variables
The Audit Policy Scan Task and Access Scan Task task definitions both specify the forms to be used when initiating the task. These forms include fields that allow for most, but not all, of the scan task variables to be controlled.
| Variable Name | Default Value | Purpose |
|---|---|---|
| maxThreads | 5 | Identifies the number of concurrent users to work at one time for a single scanner. Increase this value to potentially increase throughput when scanning users with accounts on very slow resources. |
| userLock | 5000 | Indicates the time (in ms) spent trying to obtain a lock on the user to be scanned. If several concurrent scans are scanning the same user, and the user has resources that are slow, increasing this value can result in fewer lock errors, but a slower overall scan. |
| scanDelay | 0 | Indicates the time (in ms) to delay between issuing new scan threads. Can be set to a positive number to force the Scanner to be less CPU-hungry. |
Calculates a Boolean value. If true, the field and all its nested fields will be ignored during current form processing.
Do not create potentially long-running activities in Disable elements. These expressions run each time the form is recalculated. Instead, use a different form element that does not run as frequently to perform this calculation.
- You can now insert warning (WARNING), error (ERROR), or informational (OK) alert messages into an XPRESS form. (ID-14540, ID-14953)
Note
Although this example illustrates how to insert a Warning ErrorMessage object into a form, you can assign a different severity level.
- Use the Identity Manager IDE to open the form to which you want to add the warning.
- Add the <Property name='messages'> to the main EditForm or HtmlPage display class.
- Add the <defvar name='msgList'> code block from the following sample code.
- Substitute the message key that identifies the message text to be displayed in the Alert box in the code sample string:
<message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE'>
- Save and close the file.
Code Example

```xml
<Display class='EditForm'>
  <Property name='componentTableWidth' value='100%'/>
  <Property name='rowPolarity' value='false'/>
  <Property name='requiredMarkerLocation' value='left'/>
  <Property name='messages'>
    <ref>msgList</ref>
  </Property>
</Display>

<defvar name='msgList'>
  <cond>
    <and>
      <notnull>
        <ref>username</ref>
      </notnull>
      <isnull>
        <ref>userview</ref>
      </isnull>
    </and>
    <list>
      <new class='com.waveset.msgcat.ErrorMessage'>
        <invoke class='com.waveset.msgcat.Severity' name='fromString'>
          <s>warning</s>
        </invoke>
        <message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE'>
          <ref>username</ref>
        </message>
      </new>
    </list>
  </cond>
</defvar>
```
Chapter 4, Identity Manager Views
Common Attributes
The high-level attributes of the Org view are listed in the following table.
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgName | Read | String | System-Generated |
| orgDisplayName | Read/Write | String | Yes |
| orgType | Read/Write | String | No |
| orgId | Read | String | System-Generated |
| orgAction | Write | String | No |
| orgNewDisplayName | Write | String | No |
| orgParentName | Read/Write | String | No |
| orgChildOrgNames | Read | List | System-Generated |
| orgApprovers | Read/Write | List | No |
| allowedOrgApprovers | Read | List | System-Generated |
| allowedOrgApproverIds | Read | List | System-Generated |
| orgUserForm | Read/Write | String | No |
| orgViewUserForm | Read/Write | String | No |
| orgPolicies | Read/Write | List | No |
| orgAuditPolicies | Read/Write | List | No |
| renameCreate | Read/Write | String | No |
| renameSaveAs | Read/Write | String | No |
orgName
Identifies the UID for the organization. This value differs from most view object names because organizations can have the same short name, but different parent organizations.
orgDisplayName
Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.
orgType
Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.
orgId
Specifies the ID that is used to uniquely identify the organization within Identity Manager.
orgAction
Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.
orgNewDisplayName
Specifies the new short name when you are renaming the organization.
orgParentName
Identifies the full pathname of the parent organization.
orgChildOrgNames
Lists the Identity Manager interface names of all direct and indirect child organizations.
orgApprovers
Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.
allowedOrgApprovers
Lists the potential user names who could be approvers for users added to or modified in this organization.
allowedOrgApproverIds
Lists the potential user IDs who could be approvers for users added to or modified in this organization.
orgUserForm
Specifies the userForm used by member users of this organization when creating or editing users.
orgViewUserForm
Specifies the view user form that is used by member users of this organization when viewing users.
orgPolicies
Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string: Each policy object contains the following view attributes, which are prefixed by orgPolicies[<type>]. <type> represents policy type (for example, Lighthouse account).
orgAuditPolicies
Specifies the audit policies that apply to all member users of this organization.
renameCreate
When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.
renameSaveAs
When set to true, renames this organization using the value of orgNewDisplayName.
Directory Junction and Virtual Organization Attributes
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgContainerId | Read | String | System-generated |
| orgContainerTypes | Read | List | System-generated |
| orgContainers | Read | List | System-generated |
| orgParentContainerId | Read | String | System-generated |
| orgResource | Read/Write | String | Yes, if directory junction or virtual organization |
| orgResourceType | Read | String | System-generated |
| orgResourceId | Read | String | System-generated |
| orgRefreshAllOrgsUserMembers | Write | String | No |
orgContainerId
Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).
orgContainerTypes
Lists the allowed resource object types that can contain other resource objects.
orgContainers
Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.
orgParentContainerId
Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).
orgResource
Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).
orgResourceType
Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).
orgResourceId
Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.
orgRefreshAllOrgsUserMembers
If true and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, only the resource containers are synchronized to Identity organizations for the selected organization and all child organizations; resource container user membership is not synchronized.
Dynamic Organization Attributes
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgUserMembersRule | Read/Write | String | No |
| orgUserMembersRuleCacheTimeout | Read/Write | String | No |
orgUserMembersRule
Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.
orgUserMembersCacheTimeout
Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.
The discussion of the User view now includes the following discussion of the accounts[Lighthouse].delegates attributes: (ID-15468)
accounts[Lighthouse].delegates
Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item.
accounts[Lighthouse].delegatesHistory
Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth.
This attribute has one unique attribute: selected, which is a Boolean that indicates the currently selected delegate history object.
accounts[Lighthouse].delegatesOriginal
Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation.
All accounts[Lighthouse].delegates* attributes take the following attributes (each attribute name is followed by its description):
workItemType
Identifies the type of workItem being delegated. See the description of the Delegate Object Model in the Identity Manager Technical Deployment Overview section of this Documentation Addendum for a valid list of workItem types.
workItemTypeObjects
Lists the names of the specific roles, resources, or organizations on which the user is delegating future workItem approval requests. This attribute is valid when the value of workItemType is roleApproval, resourceApproval, or organizationApproval.
If not specified, this attribute by default specifies the delegation of future workItem requests on all roles, resources, or organizations on which this user is an approver.
toType
Type to delegate to. Valid values are:
- manager
- delegateWorkItemsRule
- selectedUsers
toUsers
Lists the names of the users to delegate to (if toType is selectedUsers).
toRule
Specifies the name of the rule that will be evaluated to determine the set of users to delegate to (if toType is delegateWorkItemsRule).
startDate
Specifies the date when delegation will start.
endDate
Specifies the date when delegation will end.
Referencing a DelegateWorkItems View Object from a Form
The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:
```xml
<Field name='delegates[*].workItemType'>
<Field name='delegates[*].workItemTypeObjects'>
<Field name='delegates[*].toType'>
<Field name='delegates[*].toUsers'>
<Field name='delegates[*].toRule'>
<Field name='delegates[*].startDate'>
<Field name='delegates[*].endDate'>
```
where supported index values (*) are workItemType values.
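The two pieces above fit together at runtime: the workItem type hierarchy (the extends table in the Technical Deployment Overview section) decides whether a delegation covers a newly created work item, and the delegate object's toType, toUsers, toRule, startDate, endDate and workItemTypeObjects attributes decide who receives it. The following added example, which is not Identity Manager code, resolves a work item's delegates from those attributes and also fails the work item when an applicable delegation targets a deleted user, as the Administration Guide correction on delegations to deleted users describes. The manager lookup, the rule lookup, the first-match precedence between overlapping delegations, and all users, rules and dates are assumptions or constructed sample data.

```python
"""Resolve work item delegates from accounts[Lighthouse].delegates objects.

Added example, not Identity Manager code. The type hierarchy is the table
on this page; manager/rule lookups, precedence and sample data are assumed.
"""
from datetime import date


class DelegationError(Exception):
    """An applicable delegation targets a user that no longer exists."""


# workItem type hierarchy from the table: type -> the type it extends.
WORKITEM_TYPES = {
    "WorkItem": None,
    "Approval": "WorkItem",
    "OrganizationApproval": "Approval",
    "ResourceApproval": "Approval",
    "RoleApproval": "Approval",
    "Attestation": "WorkItem",
    "review": "WorkItem",
    "accessReviewRemediation": "WorkItem",
}


def is_delegated_type(work_item_type, delegated_type):
    """True when work_item_type is delegated_type or a subordinate of it."""
    current = work_item_type
    while current is not None:
        if current == delegated_type:
            return True
        current = WORKITEM_TYPES.get(current)  # unknown type ends the walk
    return False


def delegation_applies(delegation, work_item, today):
    """Type hierarchy, optional workItemTypeObjects scope, then date window."""
    if not is_delegated_type(work_item["type"], delegation["workItemType"]):
        return False
    scope = delegation.get("workItemTypeObjects")
    if scope and work_item.get("object") not in scope:
        return False
    return delegation["startDate"] <= today <= delegation["endDate"]


def resolve_delegates(work_item, delegations, today, existing_users, managers, rules):
    """Return the users the work item is delegated to ([] if no delegation).

    The first applicable delegation in list order wins (assumption). `managers`
    maps owner -> manager and `rules` maps rule name -> callable(work_item);
    both stand in for Identity Manager's own lookups.
    """
    for delegation in delegations:
        if not delegation_applies(delegation, work_item, today):
            continue
        to_type = delegation["toType"]
        if to_type == "selectedUsers":
            targets = list(delegation["toUsers"])
        elif to_type == "delegateWorkItemsRule":
            targets = list(rules[delegation["toRule"]](work_item))
        elif to_type == "manager":
            targets = [managers[work_item["owner"]]]
        else:
            raise ValueError(f"unknown toType {to_type!r}")
        missing = [u for u in targets if u not in existing_users]
        if missing:
            raise DelegationError(f"delegation targets deleted user(s): {missing}")
        return targets
    return []


# Constructed sample data: 'erin' has been deleted from the repository.
USERS = {"alice", "bob", "carol", "dave"}
MANAGERS = {"alice": "carol"}
RULES = {"auditorsRule": lambda wi: ["dave"], "staleRule": lambda wi: ["erin"]}
DELEGATIONS = [
    {"workItemType": "Approval", "toType": "selectedUsers", "toUsers": ["bob"],
     "startDate": date(2024, 1, 1), "endDate": date(2024, 3, 31)},
    {"workItemType": "ResourceApproval", "workItemTypeObjects": ["HR-LDAP"],
     "toType": "manager", "startDate": date(2024, 4, 1), "endDate": date(2024, 12, 31)},
    {"workItemType": "Attestation", "toType": "delegateWorkItemsRule",
     "toRule": "auditorsRule", "startDate": date(2024, 1, 1), "endDate": date(2024, 12, 31)},
    {"workItemType": "review", "toType": "delegateWorkItemsRule",
     "toRule": "staleRule", "startDate": date(2024, 1, 1), "endDate": date(2024, 12, 31)},
]


def demo(work_item, today):
    return resolve_delegates(work_item, DELEGATIONS, today, USERS, MANAGERS, RULES)


if __name__ == "__main__":
    print(demo({"type": "RoleApproval", "owner": "alice", "object": "Payroll Admin"}, date(2024, 2, 1)))
    print(demo({"type": "ResourceApproval", "owner": "alice", "object": "HR-LDAP"}, date(2024, 6, 1)))
    try:
        demo({"type": "review", "owner": "alice"}, date(2024, 6, 1))
    except DelegationError as err:
        print("failed:", err)
```

The last call shows the failure mode the Administration Guide correction describes: a review work item routed through a delegation whose rule still names a deleted user cannot be delivered, and ending that delegation is what recovers it.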
| Name | Editable? | Type | Required? |
|---|---|---|---|
| name | | String | Yes |
| status | | String | Yes |
| user | | String | Yes |
| userId | | String | Yes |
| attestorHint | | String | No |
| userView | | GenericObject | Yes |
| reviewInstanceId | | String | Yes |
| reviewStartDate | | String | Yes |
| scanId | | String | Yes |
| scanInstanceId | | String | Yes |
| approvalWorkflowName | | String | Yes |
| organizationId | | String | Yes |
| attestorComments.name | | String | No |
| attestorComments.attestor | | String | No |
| attestorComments.time | | String | No |
| attestorComments.timestamp | | String | No |
| attestorComments.status | | | No |
name
Identifies the User Entitlement (by a unique identifier).
status
Specifies the state of User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED.
user
Identifies the name of the associated WSUser for this entitlement.
userId
Specifies the ID of the associated WSUser.
attestorHint
Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hint acts as “advice” from the rule to the attestor.
userView
Contains the User view that is captured by the User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object.
reviewInstanceId
Specifies the ID of the PAR Task instance.
reviewStartDate
Indicates the (String) start date of the PAR task (in canonical format).
scanId
Specifies the ID of the AccessScan Task definition.
scanInstanceId
Specifies the ID of the AccessScan Task instance.
approvalWorkflowName
Identifies the name of the workflow to be run for approval. This value comes from the Access Scan Task definition.
organizationId
Specifies the ID of the WSUser's organization at the time of the scan.
attestorComments
Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan.
attestorComments[timestamp].name
Timestamp used to identify this element in the list.
attestorComments[timestamp].attestor
Identifies the WSUser name of the attestor making the comment on the entitlement.
attestorComments[timestamp].time
Specifies the time at which the attestor attested this record. May differ from the timestamp.
attestorComments[timestamp].status
Indicates the status assigned by the attestor. This can be any string, but typically is a string that indicates the action taken by the attestor -- for example, approve, reject, rescan, remediate.
attestorComments[name].comment
Contains comments added by attestor.
- The following User view attributes have been deprecated. (ID-15468)
- accounts[Lighthouse].delegateApproversTo
- accounts[Lighthouse].delegateApproversSelected
- accounts[Lighthouse].delegateApproversStartDate
- accounts[Lighthouse].delegateApproversEndDate
- The Delegate Approvers view has been deprecated, but still works for editing Delegate objects whose workItemType is approval.
Chapter 6, XPRESS Language
This chapter has been substantially updated. See the .pdf titled XPRESS in the same directory as these Release Notes.
Chapter 8, HTML Display Components
It can be unwieldy to display many admin roles using the MultiSelect component (either the applet or HTML version). Identity Manager provides a more scalable way of displaying and managing admin roles: the objectSelector field template. (ID-15433)
The Scalable Selection Library (in sample/formlib.xml) includes an example of using an objectSelector field template to search for admin role names that a user can select.
Code Example: Example of objectSelector Field Template
<Field name='scalableWaveset.adminRoles'>
<FieldRef name='objectSelector'>
<Property name='selectorTitle' value='_FM_ADMIN_ROLES'/>
<Property name='selectorFieldName' value='waveset.adminRoles'/>
<Property name='selectorObjectType' value='AdminRole'/>
<Property name='selectorMultiValued' value='true'/>
<Property name='selectorAllowManualEntry' value='true'/>
<Property name='selectorFixedConditions'>
<appendAll>
<new class='com.waveset.object.AttributeCondition'>
<s>hidden</s>
<s>notEquals</s>
<s>true</s>
</new>
<map>
<s>onlyAssignedToCurrentSubject</s>
<Boolean>true</Boolean>
</map>
</appendAll>
</Property>
<Property name='selectorFixedInclusions'>
<appendAll>
<ref>waveset.original.adminRoles</ref>
</appendAll>
</Property>
</FieldRef>
</Field>
How to Use the objectSelector Example Code
- From the Identity Manager IDE, open the Administrator Library UserForm object.
- Add the following code to this form:
<Include>
<ObjectRef type='UserForm' name='Scalable Selection Library'/>
</Include>
- Select the accounts[Lighthouse].adminRoles field within the AdministratorFields field.
- Replace the entire accounts[Lighthouse].adminRoles field with the following reference:
<FieldRef name='scalableWaveset.adminRoles'/>
- Save the object.
When you subsequently edit a user and select the Security tab, Identity Manager displays the customized form. Clicking ... opens the Selector component and exposes a search field. Use this field to search for admin roles that begin with a text string and set the value of the field to one or more values.
To restore the form, import $WSHOME/sample/formlib.xml from Configure > Import Exchange File.
See the Scalable Selection Library in sample/formlib.xml for other examples of using the objectSelector template to manage resources and roles in environments with many objects.
- The discussion of the TabPanel component now contains the following description of the validatePerTab property: (ID-15501)
Consists of three classes: Menu, MenuBar, and MenuItem.
Menu contains the following properties:
- layout - A String with value horizontal or vertical. A value of horizontal generates a horizontal navigation bar with tabs. A value of vertical causes the menu to be rendered as a vertical tree menu with typical node layout.
- stylePrefix - String prefix for the CSS class name. For the Identity Manager End User pages, this value is User.
MenuBar contains the following properties:
MenuItem contains the following properties:
- containedUrls - A List of URL path(s) to JSPs that are "related" to the MenuItem. The current MenuItem will be rendered as "selected" if any of the containedUrls JSPs are rendered. An example is the request launch results page that is displayed after a workflow is launched from the request launch page.
You can set these properties on either a MenuBar or MenuItem:
The following XPRESS example creates a menu with two tabs. The second tab contains two subtabs:
Code Example: Implementation of Menu, MenuItem, and MenuBar Components
<Display class='Menu'/>
<Field>
<Display class='MenuItem'>
<Property name='URL' value='user/main.jsp'/>
<Property name='title' value='Home' />
</Display>
</Field>
<Field>
<Display class='MenuBar' >
<Property name='title' value='Work Items' />
<Property name='URL' value='user/workItemListExt.jsp' />
</Display>
<Field>
<Display class='MenuItem'>
<Property name='URL' value='user/workItemListExt.jsp'/>
<Property name='title' value='Approvals' />
</Display>
</Field>
<Field>
<Display class='MenuItem'>
<Property name='URL' value='user/otherWorkItems/listOtherWorkItems.jsp'/>
<Property name='title' value='Other' />
</Display>
</Field>
</Field>
Appendix A, Form and Process Mappings
- An updated version of this appendix, titled Form and Process Mappings, is included in the same directory as these Release Notes.
- You can access compliance-specific tasks through the mapped names. (ID-15447)
| Process Name | Mapped Name | Description |
|---|---|---|
| Access Review | accessReview | Performs an access review |
| Access Scan | accessReviewScan | Performs an access scan |
| Access Review Rescan | accessReviewRescan | Performs an access rescan |
| Audit Policy Rescan | auditPolicyRescan | Performs an audit policy rescan |
| Abort Access Review | abortAccessReview | Terminates an access review |
| Delete Access Review | deleteAccessReview | Deletes an access review |
| Recover Access Review | recoverAccessReview | Recovers missing access review status objects from audit logs |
Identity Manager Deployment Tools
This section contains new information and documentation corrections for the Sun Java System Identity Manager Deployment Tools:
What’s New?
Substantial information was added to the following chapters in the Identity Manager Deployment Tools book:
- Chapter 1, “Using the Identity Manager IDE,” was updated to provide information about the following new features and functionality:
- The process for creating and working with Identity Manager IDE projects was updated to provide two project types (ID-14587):
- Identity Manager IDE projects are now integrated with a Configuration Build Environment (CBE) (ID-14980)
- There is now an IdM menu on the NetBeans top-level menu bar from which you can select actions that are appropriate for the selected object nodes. (ID-14787)
- Library objects were added to the list of object types displayed in the Explorer window, and these objects have Property Sheets, Palette features, and navigation nodes. (ID-14817)
- When you select Design view for a Rule object, an Expression Builder now displays in the Editor window to make it easier for you to see the logical structure of a rule and to modify the rule’s properties. (ID-15104)
- You can now compare (diff) objects in a local directory with those in the repository. (ID-15206)
- The process for testing forms and rules was modified. The Form Previewer option was renamed to Form Tester. (ID-15325)
- Features and functionality were added to the Identity Manager IDE Expression Builder dialogs, including:
- You can now edit simple data types (integers and strings) directly in the Expression Builder table. (ID-15528)
- You can now create a specific expression rather than first creating a BLOCK and then changing it to the expression you want. (ID-15932)
- A new Change To button and dialog were created that enable you to change an element’s expression type. (ID-15933)
- You can now edit property values that support an expression and a primitive value (such as a string) directly in a property table. (ID-15528)
- When defining instance or static XPRESS invoke statements in the Expression Builder, you can view the related JavaDoc information for the Identity Manager API methods. You access this JavaDoc by running your cursor over the methods listed in the Method Name menus. A pop-up window displays with the information.
- The Identity Manager IDE plugin now requires JDK 1.5 and NetBeans 5.5. (ID-14950)
- You can now delete objects from the Identity Manager IDE repository. (ID-15031)
- You can now upload an object in the IDE to an Identity Manager 7.0 server and manually assign an ID to the object. (ID-15474)
- You can now right-click nodes in the Project tree and open objects to which certain references refer (such as ObjectRefs, FormRefs, FieldRefs and Workflow Subprocesses). (ID-15406)
- Other, minor user interface and process changes.
- The “Auditor Rules” section in Chapter 2, “Working with Rules,” was updated to provide more detailed information about Identity Auditor rules. (ID-15367, 15496, 15609, 15934, 16166, 16263, and 16292)
- Chapter 7, “Using SPML 1.0 with Identity Manager Web Services,” was updated to include information about the SPE SPML interface. (ID-14458)
- The “Using Trace in SPML” section in Chapter 7, “Using SPML 1.0 with Identity Manager Web Services,” was updated to provide additional information about how to enable trace output so you can log Identity Manager’s SPML traffic and diagnose problems. (ID-15346)
- The “Using Trace in SPML” section in Chapter 8, “Using SPML 2.0 with Identity Manager Web Services,” was updated to provide additional information about how to enable trace output so you can log Identity Manager’s SPML traffic and diagnose problems. (ID-15346)
Updates
This section provides corrections and additions to the Identity Manager Deployment Tools documentation:
- The “Palette Window” and “Properties Window” sections in Chapter 1, “Using the Identity Manager IDE,” should include GenericObjects in the list of elements provided in the first paragraph of both sections, as follows: (ID-14817)
- The Palette window (such as Figure 1-11) enables you to “drag-and-drop” elements into Email Template, Form, GenericObjects, Library, Workflow Process, or Workflow Subprocess objects displayed in the Editor windows — without having to type XML.
- The Identity Manager IDE Properties window consists of a properties sheet for XML elements associated with Email Template, Form, GenericObjects, Library, Rule, Workflow Process, and Workflow Subprocess objects. You can use this properties sheet to view and edit a selected object’s properties, including the object name, file sizes, modification times, result information, and so forth.
Identity Manager Tuning, Troubleshooting, and Error Messages
This section provides new information and documentation corrections for Sun Java System Identity Manager Tuning, Troubleshooting, and Error Messages.
- Some tasks have been moved from the adapter to the task package. Update these paths if you have tracing enabled for any of the following tasks, or if you have customized task definitions referencing these packages.
| Old Package Name | New Package Name |
|---|---|
| com.waveset.adapter.ADSyncFailoverTask | com.waveset.task.ADSyncFailoverTask |
| com.waveset.adapter.ADSyncRecoveryCollectorTask | com.waveset.task.ADSyncRecoveryCollectorTask |
| com.waveset.adapter.SARunner | com.waveset.task.SARunner |
| com.waveset.adapter.SourceAdapterTask | com.waveset.task.SourceAdapterTask |
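To locate customized task definitions or trace settings that still name the old adapter package, here is an added example (not a Sun tool) that scans text for the four class names listed above and reports or rewrites them; the sample TaskDefinition content is constructed for illustration.

```python
"""Find and rewrite deprecated Identity Manager task package names.

Added example, not part of the Identity Manager product or documentation.
The old-to-new mapping is the one given in the release notes; the sample
input below is constructed.
"""
import re
from pathlib import Path

# Old fully qualified class name -> new one, as listed in the release notes.
TASK_PACKAGE_RENAMES = {
    "com.waveset.adapter.ADSyncFailoverTask": "com.waveset.task.ADSyncFailoverTask",
    "com.waveset.adapter.ADSyncRecoveryCollectorTask": "com.waveset.task.ADSyncRecoveryCollectorTask",
    "com.waveset.adapter.SARunner": "com.waveset.task.SARunner",
    "com.waveset.adapter.SourceAdapterTask": "com.waveset.task.SourceAdapterTask",
}

# Match whole class names only: a (hypothetical) site-specific subclass such as
# com.waveset.adapter.SARunnerHelper must not be rewritten by accident.
_PATTERN = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(k) for k in TASK_PACKAGE_RENAMES) + r")(?!\w)"
)


def find_stale_references(text):
    """Return [(line_number, old_name, new_name)] for every stale reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            old = match.group(1)
            hits.append((lineno, old, TASK_PACKAGE_RENAMES[old]))
    return hits


def rewrite_references(text):
    """Return the text with each old class name replaced by its new name."""
    return _PATTERN.sub(lambda m: TASK_PACKAGE_RENAMES[m.group(1)], text)


def migrate_file(path, dry_run=True):
    """Report stale references in one file; rewrite it in place unless dry_run."""
    original = Path(path).read_text(encoding="utf-8")
    hits = find_stale_references(original)
    if hits and not dry_run:
        Path(path).write_text(rewrite_references(original), encoding="utf-8")
    return hits


# Constructed sample: a customized task definition that still points at the
# old adapter package, plus an unrelated class name that must be left alone.
SAMPLE_TASK_DEFINITION = """<TaskDefinition name='Custom AD Sync Failover'
    executor='com.waveset.adapter.ADSyncFailoverTask'>
</TaskDefinition>
<!-- hypothetical site-specific class; not in the rename table -->
<TaskDefinition name='Other' executor='com.waveset.adapter.SARunnerHelper'/>
"""

if __name__ == "__main__":
    for lineno, old, new in find_stale_references(SAMPLE_TASK_DEFINITION):
        print(f"line {lineno}: {old} -> {new}")
```

Run `migrate_file` with `dry_run=True` first over exported object XML and trace configuration, review the report, then rerun with `dry_run=False` on a backed-up copy.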
Identity Manager Service Provider Edition Deployment
This section provides new information and documentation corrections for Sun Java System Identity Manager SPE Deployment.
Chapter 5, Other Objects in Identity Manager SPE
Identity Manager SPE now supports link correlation and link confirmation rules.
Link Correlation Rule
The linkTargets IDMXUser view option allows the caller to specify the list of resources that should be targeted for linking. When using forms, the list can be provided as a form property with the same name. Form properties are assimilated into view options when the IDMXUser view is checked in.
A link correlation rule selects resource accounts that the user might own. Given the view of the user, a link correlation rule returns an identity, a list of identities, or an option map.
If the rule returns an option map, then the view handler uses the map to look for resource accounts and obtains a list of identities that satisfy these options. For example, the searchFilter option of the getResourceObjects FormUtil method can be used to pass a search filter to an LDAP resource adapter.
A link correlation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CORRELATION_RULE.
Link Confirmation Rule
A link confirmation rule eliminates any resource accounts from the list of potential accounts that the link correlation rule selects. Given the view of the user and the list of candidate resource accounts, a link confirmation rule selects at most one resource account from the candidate list. The view of the user is visible under the 'view' path, while the list of candidates is available under the 'candidates' path.
If the link correlation rule selects no more than one resource account, the link confirmation rule is optional.
Note
Unlike Identity Manager confirmation rules, a link confirmation rule is invoked only once during the linking process.
A link confirmation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CONFIRMATION_RULE.
LighthouseContext API
Several convenience methods have been added to the SessionFactory class. The table on page 16 should be updated as follows.
| Connection Type | Method | Description |
|---|---|---|
| Local anonymous | getServerInternalContext() | Returns a fully authorized context without any authentication. |
| Local authenticated | getSPESession(String user, EncryptedData password) | Constructs a session for the Service Provider user interface. |
| Local authenticated | getSPESession(Map credentials) | Constructs a session for the Service Provider user interface. The map specifies the credentials of the user, including the values of the user and password keys. |
| Local pre-authenticated | getSPEPreAuthenticatedSession(String user) | Constructs a pre-authenticated session for the Service Provider user interface. |
| Remote anonymous | Not applicable | This connection type is only available through SPML. |
| Remote authenticated | getSession(URL url, String user, EncryptedData pass) | Returns an authenticated session. |
Localization Scope
Historically, Identity Manager has not localized resource objects and functions, primarily because they are mostly samples that get loaded (through init.xml) during initialization of Identity Manager, and because the attributes of object types can vary between actual customer deployments, depending on the level of customization. Following is a list of areas where users might encounter English: (ID-16349)
Using helpTool
With the Identity Manager 6.0 release, a new feature has been added that allows you to search the online help and documentation files, which are in HTML format. The search engine is based on the SunLabs “Nova” search engine technology.
There are two stages to using the Nova engine: indexing and retrieval. During the indexing stage, the input documents are analyzed and an index is created which is used during the retrieval stage. During retrieval, it is possible to pull “passages” that consist of the context in which the query terms were found. The passage retrieval process requires the original HTML files to be present, so these files must exist in a location in the file system accessible by the search engine.
helpTool is a Java program that performs two basic functions:
You execute helpTool from the command line, as follows:
$ java -jar helpTool.jar
usage: HelpTool
-d Destination directory
-h This help information
-i Directory or JAR containing input files, no wildcards
-n Directory for Nova index
-o Output file name
-p Indexing properties file
Rebuilding/Re-Creating the Online Help Index
The HTML files for online help are packaged in a JAR file. You must extract these files to a directory for the search engine. Use the following procedure:
- Unpack the helpTool distribution to a temporary directory. (Details TBD)
In this example, we will extract the files to /tmp/helpTool.
- In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.
For example, a directory for Sun Java System Application Server might look like the following:
/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm
- Change your current working directory to the help/ directory.
Note
It is important to run helpTool from this directory or the index will not build correctly. In addition, you should remove the old index files by deleting the contents of the index/help/ subdirectory.
- Gather the following information for your command line arguments:
- Run the following command:
$ java -jar /tmp/helpTool/helpTool.jar -d html/help/en_US -i ../WEB-INF/lib/idm.jar -n index/help -o help_files_help.txt -p index/index.properties
Extracted 475 files.
[15/Dec/2005:13:11:38] PM Init index/help AWord 1085803878
[15/Dec/2005:13:11:38] PM Making meta file: index/help/MF: 0
[15/Dec/2005:13:11:38] PM Created active file: index/help/AL
[15/Dec/2005:13:11:40] MP Partition: 1, 475 documents, 5496 terms.
[15/Dec/2005:13:11:40] MP Finished dumping: 1 index/help 0.266
[15/Dec/2005:13:11:40] IS 475 documents, 6.56 MB, 2.11 s, 11166.66 MB/h
[15/Dec/2005:13:11:40] PM Waiting for housekeeper to finish
[15/Dec/2005:13:11:41] PM Shutdown index/help AWord 1085803878
Rebuilding/Re-Creating the Documentation Index
Use the following procedure to rebuild or re-create the documentation index:
- Unpack the helpTool distribution to a temporary directory. (Details TBD)
In this example, we will extract the files to /tmp/helpTool.
- In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.
For example, a directory for Sun Java System Application Server might look like:
/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm
- Change your current working directory to the help/ directory.
Note
You must run helpTool from this directory or the index will not build correctly. In addition, you should remove the old index files by deleting the contents of the index/docs/ subdirectory.
- Gather the following information for your command line arguments:
- Run the following command:
$ java -jar /tmp/helpTool/helpTool.jar -d html/docs -i ../doc/HTML/en_US -n index/docs -o help_files_docs.txt -p index/index.properties
Copied 84 files.
Copied 105 files.
Copied 1 files.
Copied 15 files.
Copied 1 files.
Copied 58 files.
Copied 134 files.
Copied 156 files.
Copied 116 files.
Copied 136 files.
Copied 21 files.
Copied 37 files.
Copied 1 files.
Copied 13 files.
Copied 2 files.
Copied 19 files.
Copied 20 files.
Copied 52 files.
Copied 3 files.
Copied 14 files.
Copied 3 files.
Copied 3 files.
Copied 608 files.
[15/Dec/2005:13:24:25] PM Init index/docs AWord 1252155067
[15/Dec/2005:13:24:25] PM Making meta file: index/docs/MF: 0
[15/Dec/2005:13:24:25] PM Created active file: index/docs/AL
[15/Dec/2005:13:24:28] MP Partition: 1, 192 documents, 38488 terms.
[15/Dec/2005:13:24:29] MP Finished dumping: 1 index/docs 0.617
[15/Dec/2005:13:24:29] IS 192 documents, 14.70 MB, 3.81 s, 13900.78 MB/h
[15/Dec/2005:13:24:29] PM Waiting for housekeeper to finish
[15/Dec/2005:13:24:30] PM Shutdown index/docs AWord 1252155067