Sun Identity Manager 8.1 Web Services

Configuration: IDM Schema Configuration Object

If you want to use attributes in an SPML search filter, you must define those attributes as extended attributes for Identity Manager users. Identity Manager stores extended attribute values in the repository, even when that value is also stored as a resource account attribute.

Try to minimize the use of extended attributes. Too many extended attributes can increase the repository size and might cause consistency problems between attributes stored in Identity Manager and the real value of the attribute stored on a resource. To use an attribute in an Identity Manager query, you must declare the attribute as an extended attribute to ensure that the value is accessible when the repository query indexes are built.

To include attributes in a user’s set of summary attributes, you must define those attributes as extended attributes. You can use summary attributes to optimize searches by avoiding deserialization of the object XML, and instead return only a few of the most important user attributes. In the Identity Manager SPML implementation, summary attributes are returned when you do not explicitly provide a list of return attributes in the search request.

In the following example, firstname, lastname, fullname, description, and telephone are extended attributes that are present on the User IDMObjectClassConfiguration after being defined in IDMAttributeConfigurations. Only firstname, lastname, and telephone are queryable and summary attributes.

Example 1–3 telephone and description Declared as Extended Attributes

<Configuration name="IDM Schema Configuration"
               <!-- this is the standard set -->
               <IDMAttributeConfiguration name=’firstname’
               <IDMAttributeConfiguration name=’lastname’
               <IDMAttributeConfiguration name=’fullname’
               <!-- these are the SPML extensions -->
               <IDMAttributeConfiguration name=’description’
               <IDMAttributeConfiguration name=’telephone’
               <IDMObjectClassConfiguration name=’User’
                                            description=’User description’>
                   <IDMObjectClassAttributeConfiguration name=’firstname’
                   <IDMObjectClassAttributeConfiguration name=’lastname’
                   <IDMObjectClassAttributeConfiguration name=’fullname’/>
                   <IDMObjectClassAttributeConfiguration name=’description’/>
                   <IDMObjectClassAttributeConfiguration name=’telephone’

You can customize the list of attributes according to the needs of your site.

The names you choose for extended attributes depend on the mappings performed in the class form. Because the default SPMLPerson form maps sn into lastname, you must declare the extended attribute as lastname. The form does not transform the name of telephone or description, so the extended attribute name comes directly from the SPML schema.

Beyond declaring extended attributes, you must also modify the same Configuration: object to declare which of the attributes are queryable, or usable in an SPML filter, and which attributes are summary attributes to be returned by an optimized search result.