Sun Identity Manager Deployment Guide

Architectural Features

The primary architectural feature of authorization types is the Configuration:AuthorizationTypes object. You can add or remove authorization types by modifying this object.

Configuration:AuthorizationTypes Object

The Configuration:AuthorizationTypes object defines valid authorization types. Each authorization type is declared in an <AuthType> element:

<AuthType name='SPML' extends='Configuration'/>

The AuthTypes element contains a list of AuthType elements. Each AuthType has, at minimum, a name attribute and typically an extends attribute. The value of the extends attribute must be the name of another authorization type or of a repository type; several supertypes can be listed, separated by commas.

AuthType Element

This element requires the name attribute. The following example shows the correct syntax for an <AuthType> element. It declares an authorization type named Move User for a custom task that moves multiple users into a new organization, with TaskDefinition, TaskInstance, and TaskTemplate as its supertypes.

<Configuration name='AuthorizationTypes'>
   <Extension>
      <AuthTypes>
         <AuthType name='Move User' extends='TaskDefinition,TaskInstance,TaskTemplate'/>
      </AuthTypes>
   </Extension>
</Configuration>

The AuthType element supports the following attributes.

Table 2–1 AuthType Attributes

Attribute       Description

name            Identifies the authorization type. Required.

extends         Specifies the name of an authorization type or repository type that is the supertype of this type. Several supertypes can be listed, comma delimited.

displayName     Provides an alternate display name for this type, typically a message catalog key.

auditKey        Identifies the audit log key to be used for audit records associated with objects of this type. If none is specified, the audit key of the base type is used.

allowedRights   Provides a comma delimited list of right names. This defines the rights that can be used with this authorization type in a permission definition. If not specified, all rights are allowed.

Authorization Subtype Permissions

Identity Manager uses the extends attribute to define the supertype of an authorization type. Permissions granted on a supertype are inherited by all of its subtypes. For example, if a user has view rights on TaskDefinition, that user also has view rights on UsageReportTask and every other subtype of TaskDefinition. Inheritance flows downward only: a right on a subtype does not extend to its supertype. Consequently, when you declare a new authorization type, every user who already holds rights on the types named in its extends attribute gains the same rights on the new type. Choose the supertype deliberately, and use allowedRights to restrict which rights a permission definition can name for the new type.
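
As an added example (not code from the Identity Manager guide or product), the following Python script parses a Configuration:AuthorizationTypes object, checks that every extends value names a declared authorization type or a repository type (the rule stated for the extends attribute above), and resolves the downward inheritance of permissions described in this section. The set of repository type names and the sample XML are constructed for the example; the product's own resolution logic is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: repository types assumed to exist in the
# product. The real set is defined by the product, not by this script.
REPOSITORY_TYPES = {"Configuration", "TaskDefinition", "TaskInstance",
                    "TaskTemplate", "User"}

# Constructed sample Configuration:AuthorizationTypes object.
SAMPLE_XML = """\
<Configuration name='AuthorizationTypes'>
   <Extension>
      <AuthTypes>
         <AuthType name='SPML' extends='Configuration'/>
         <AuthType name='Move User' extends='TaskDefinition,TaskInstance,TaskTemplate'/>
         <AuthType name='UsageReportTask' extends='TaskDefinition' allowedRights='View,Execute'/>
      </AuthTypes>
   </Extension>
</Configuration>
"""


def parse_auth_types(xml_text):
    """Return {name: {"extends": [supertypes], "allowedRights": [rights] or None}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration" or root.get("name") != "AuthorizationTypes":
        raise ValueError("not a Configuration:AuthorizationTypes object")
    types = {}
    for el in root.iter("AuthType"):
        name = el.get("name")
        if not name:
            raise ValueError("AuthType is missing the required name attribute")
        if name in types:
            raise ValueError(f"duplicate AuthType {name!r}")
        supers = [s.strip() for s in el.get("extends", "").split(",") if s.strip()]
        rights = el.get("allowedRights")
        types[name] = {
            "extends": supers,
            "allowedRights": [r.strip() for r in rights.split(",")] if rights else None,
        }
    return types


def validate(types, repository_types=REPOSITORY_TYPES):
    """Every extends value must name another auth type or a repository type."""
    known = set(types) | set(repository_types)
    problems = []
    for name, info in types.items():
        for s in info["extends"]:
            if s == name:
                problems.append(f"{name}: extends itself")
            elif s not in known:
                problems.append(f"{name}: extends unknown type {s!r}")
    return problems


def supertypes(types, name):
    """Transitive supertypes of name (auth types and repository types)."""
    seen, stack = set(), [name]
    while stack:
        for s in types.get(stack.pop(), {"extends": []})["extends"]:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return seen


def subtypes(types, name):
    """Auth types that transitively extend name; rights on name reach all of them."""
    return {t for t in types if name in supertypes(types, t)}


def right_applies(types, granted_on, target):
    """A right granted on granted_on also applies to target when target is
    granted_on itself or one of its subtypes (inheritance flows downward only)."""
    return target == granted_on or granted_on in supertypes(types, target)


def permission_allowed(types, auth_type, right):
    """May a permission definition name `right` for auth_type? allowedRights
    restricts it; a missing allowedRights means every right is allowed."""
    allowed = types[auth_type]["allowedRights"]
    return allowed is None or right in allowed


if __name__ == "__main__":
    t = parse_auth_types(SAMPLE_XML)
    print("problems:", validate(t))
    print("View on TaskDefinition reaches:", sorted(subtypes(t, "TaskDefinition")))
```

Running the script against the constructed object reports no validation problems and shows that a right granted on TaskDefinition reaches both Move User and UsageReportTask, which is exactly the exposure to review before adding a new AuthType that extends a widely granted supertype.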

Although the AuthorizationTypes object can be edited only in XML, permissions that reference authorization types can be defined on the Capability page. (You can access this page under the Capabilities subtab of the Security tab.)