Chapter 3 Identity Manager Views

This chapter introduces Identity Manager views, which are data structures used in Identity Manager. It provides background for views, including an overview of how to implement views with Identity Manager workflows and forms as well as reference information.

You can use the Identity Manager IDE to learn more about Identity Manager views and other generic objects. Instructions for installing and configuring the Identity Manager IDE are provided on https://identitymanageride.dev.java.net.

Topics in this Chapter

This chapter is organized into the following sections:

• Understanding Identity Manager Views

• Understanding the User View

• Common Views

• View Options

• Deferred Attributes

• Extending Views

Understanding Identity Manager Views

An Identity Manager view is a collection of attributes that is assembled from one or more objects managed by Identity Manager. Views are transient, dynamic, and not stored in the repository. The data in a view can change if the view is refreshed to reflect a new role or resource assignment.

If you are using Identity Manager, you will encounter views primarily in forms and workflows. An Identity Manager form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable, series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules.

When working with views, it helps to first understand:

• general view concepts

• how views are used in Identity Manager

• frequently customized views

What Is a View?

The most important view is the user view, which contains the user attributes that are stored in Identity Manager and attributes that are read from accounts managed by Identity Manager. Some attributes in the user view are visible in the forms that are presented by the Identity Manager User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values.

For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user’s full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Identity Manager. Once approved (where approval is required), the system converts the user view back into one or more objects in the Identity Manager repository and sends the view to the resources assigned to the user to create or update the user’s resource accounts.

View Attributes

A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository, or read from resources. The value of a view attribute can be atomic such as a string, a collection such as a list, or reference to another object.

Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false.

What is a View Handler?

View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user.

Views and Forms

Identity Manager forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Identity Manager user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Identity Manager merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in which typically results in the view being passed as input to a workflow process.

Views and Workflow

Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts.

Account Types and User-Oriented Views

When you assign an account type to a user, Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:

• Use a value of null to indicate an account of the default type. Reference an accounts of the default type by resource name for example, accounts[corp-ad]

• Use a type-qualified name instead of the resource name to reference an account of a specific type. The type-qualified resource name takes this form:

  <resource name>|<type of account>

  To reference the account data for the account of type Admin on the resource corp-ad, reference accounts[corp-ad|Admin].

Common Views

The following views are frequently used with both customized forms and workflows.

Understanding the User View

The User view is the collection of attributes that contain information about an Identity Manager user, including:

• Attributes stored in the Identity Manager repository

• Attributes fetched from resource accounts

• Information derived from other sources such as resources, roles, and organizations

The user view is most often used with forms that are designed for the pages that create or edit users. These pages launch workflow processes that store a changed user view until it is necessary to push the updated view information back out to Identity Manager and associated resources. While the user view is stored in a workflow process, the workflow process can manipulate attribute values through workflow actions. Workflow can also expose attribute values for user input through manual actions and approval forms.

How the User View Is Integrated with Forms

The user view is often used in conjunction with a form. Forms contain rules that control how data is presented through HTML fields and is processed after the HTML page rendering the form is submitted. A system component called the form generator combines a form definition and a view to produce HTML that a browser then displays.

View attribute values are displayed by assigning them to an HTML component in the form. (See Chapter 7, HTML Display Components for more information on how view attributes can be displayed.)

Views are implemented as instances of the GenericObject class. This class provides a mechanism for the representation of name/value pairs and utilities for traversing complex hierarchies of objects through path expressions. A path expression is a string that is interpreted at runtime to traverse an object hierarchy and retrieve or assign the value of an attribute.

You must understand how to write path expressions to assign valid form field names. For more information on using path expressions, refer to the section titled Path Expressions.

How the User View Is Integrated with Workflow

Workflow processes that contain a user view typically store it in a workflow variable named user. You can reference a view in the workflow expressions by prefixing user to a user view path (for example, user.waveset.accountId). The string waveset identifies the attribute named accountId as belonging to another object named waveset, which itself belongs to the user view object.

Approval forms are written for a view known as the WorkItem view. The Work Item view by default contains all the workflow variables under an attribute named variables. If the approval form is written for a workflow that contains a user view, the prefix variables.user. is used to reference attributes in the user view (for example, variables.user.waveset.roles). See WorkItem View later in this chapter for more information.

Generic Object Class

At a high level, objects are simply named collections of attributes, which are name/value pairs. The value of an attribute can be an atomic value such as a string, a collection such as a list, or a reference to another object. You can represent almost any object abstractly with the Map, List, and String Java classes.

Within the Identity Manager system, the GenericObject class provides a simple memory model for the representation of arbitrary objects and collections. It includes features for easily navigating object hierarchies to access or modify attribute values.

The GenericObject class implements the java.util.Map interface and internally uses a java.util.HashMap to manage a collection of name/value pairs. The entries in this map are called attributes. The value of an attribute can be any Java object that is able to serialize itself as XML. The most common attribute values found in a GenericObject:

The following are instances of the following classes:

• String

• Integer

• Boolean

• EncryptedData

• List

• Date

• GenericObject

• X509cert

You can construct complex hierarchies of objects by assigning Lists or GenericObjects as attribute values. Once you have assigned attribute values, you traverse this hierarchy to access the values of an attribute.

Path Expressions

A path expression is a string that is interpreted at runtime by the GenericObject class to traverse an object hierarchy and retrieve or assign the value of an attribute. Identity Manager uses a system of dots and brackets to represent objects and attributes in the hierarchy.

You use path expressions as the value of the name attribute in form fields when customizing a form (for example, <Field name=’user.waveset.roles’/>).

Traversing Objects

The following simple example illustrates a GenericObject with two attributes:

• name (String)

• address (GenericObject) The address object, in turn, has an attribute named street, which is a string.

To create a path expression to the street attribute of the address object, use address.street.

Path expressions use the dot character (.) to indicate traversal from one object to another. This is similar to the way dot is used in Java or the ’->’ operator is used in C. Paths can be long, as illustrated by this example:

user.role.approver.department.name

Traversing Lists

You can also use path expressions to traverse values that are lists. Consider an object that has an attribute children whose value is a java.util.List. Each object in the list is itself a GenericObject with a name attribute and an age attribute. Write the path to the name of the first child as:

children[#0].name

Path expressions use square brackets to indicate the indexing of a list. The token between brackets is the index expression. In the simplest case, this is a positive integer that is used to index the list by element position.

Typically, the position of an object in a list is arbitrary. Index expressions can also specify simple search criteria to identify one object in the list. Objects in a list typically have a name attribute, which serves to uniquely identify this object among its peers. Path expressions support an implicit reference to an object’s name attribute within the index expression.

For example

children[hannah].age

The preceding path expression obtains the list of objects stored under the children attribute. This list is searched until an object with a name attribute equal to hannah is found. If a matching object is found, Identity Manager returns the value of the age attribute.

Example: Using the = Operator

<ref>accountInfo.accounts[type=vms].name</ref>

accountInfo.accounts[type=vms].name returns a list of names for VMS resources. It returns a list of only one element if only one exists.

Using the == Operator

children[hannah].age is equivalent to children[name==hannah].age. If you search using type=LDAP for example, you would get a list of names of LDAP resources. However, if you use the == operator, the result is a single object. For example, children[parent=hannah].occupation returns a list of occupations for all of hannah’s children, but children[parent==hannah].occupation returns a single occupation (not in a list) for whichever child was found first.

Example

<index i=’0’>
<   ref>accountInfo.accounts[type=vms].name</ref>
</index>

is equivalent to

<ref>accountInfo.accounts[type==vms].name</ref>

If more than one account with type vms exists, then either example will return the first account found with no particular guaranteed ordering.

Calculating Lists

You can also write path expressions that calculate List values that are not stored in the object. For example:

accounts[*].name

When an asterisk is found as an index expression, it implies an iteration over each element of the list. The result of the expression is a list that contains the results of applying the remaining path expression to each element of the list. In the previous example, the result would be a list of String objects. The strings would be taken from the name attribute of each object in the accounts list.

Path expressions with * (asterisk) are used with the FieldLoop construct in forms to replicate a collection of fields.

Account Types and User-Oriented Views

When you assign an account type to a user, Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:

• Use a value of null to indicate an account of the default type. Reference an accounts of the default type by resource name for example, accounts[corp-ad]

• Use a type-qualified name instead of the resource name to reference an account of a specific type. The type-qualified resource name takes this form:

  <resource name>|<type of account>

  To reference the account data for the account of type Admin on the resource corp-ad, reference accounts[corp-ad|Admin].

User View Attributes

Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Identity Manager system.

Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.

Introduction

Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested.

The user view contains the attributes described in the following table, which are further defined in subsequent sections.

When you design a form, the field names are typically paths into the user view objects waveset. global, and account attributes (for example, global.firstname).

Selecting the Appropriate Variable Namespaces

The user view provides several namespaces for deriving account-related information. The following table summarizes these variable namespaces.

Referencing Attributes

Within a form, you can reference attributes in two ways:

• Use the name attribute of a Field element by adding the complete attribute pathname as follows:

  <Field name=’waveset.accountId’>

  For more information on setting the Field name element in a form field, see the chapter titled Identity Manager Forms.

• Reference an attribute from within another field:

  <Expansion> <concat> <ref>global.firstname</ref><s> </s> <ref>global.lastname</ref> </concat> </Expansion>

  Within workflow, you can reference Field attributes as process variables (that is, variables that are visible to the workflow engine) or in XPRESS statements for actions and transitions. When referencing these attributes in workflow, you must prefix the path with the name of the workflow variable where the view is stored (for example, user.waveset.accountId).

Attributes with Transient Values

You can define fields that store values at the top-level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Identity Manager repository or propagated to a resource account.

For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code, p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.

In general, use the top-level field syntax if you are:

• not pushing a field value out to Identity Manager or any other resource

• the field is being used only in email notifications or for calculating other fields.

Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.

Field name=’p1’ required=’true’>
   <Display class=’Text’>
      <Property name=’title’ value=’Work Phone Number’/>
      <Property name=’size’ value=’3’/>
      <Property name=’maxLength’ value=’3’/>
   </Display>
</Field>
<Field name=’p2’ display=’true’ required=’true’>
   <Display class=’Text’>
      <Property name=’rowHold’ value=’true’/>
      <Property name=’noNewRow’ value=’true’/>
      <Property name=’size’ value=’3’/>
      <Property name=’maxLength’ value=’3’/>
   </Display>
</Field>
<Field name=’p3’ display=’true’ required=’true’>
   <Display class=’Text’>
      <Property name=’rowHold’ value=’true’/>
      <Property name=’noNewRow’ value=’true’/>
      <Property name=’size’ value=’4’/>
      <Property name=’maxLength’ value=’4’/>
   </Display>
</Field>
<Field name=’global.workPhone’ required=’true’ hidden=’true’>
   <Expansion>
      <concat>
         <ref>p1</ref>
         <s>-</s>
         <ref>p2</ref>
         <s>-</s>
         <ref>p3</ref>
      </concat>
   </Expansion>
</Field>

waveset Attribute

The waveset attribute set contains the information that is stored in a WSUser object in the Identity Manager repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form but are provided so that Identity Manager can fully represent all information in the WSUser object in the view.

Most Used Attributes

Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.

waveset.accountId

Specifies the visible name of the Identity Manager user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Identity Manager account.

For information on renaming a user, see Business Administrator's Guide.

waveset.applications

Contains a list of the names of each application (also called resource group in the Identity Manager User Interface) assigned directly to the user. This does not include applications that are assigned to a user through a role.

waveset.attributes

Collection of arbitrary attributes that is stored with the WSUser in the Identity Manager repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:

waveset.attributes.fullname

or

accounts[Lighthouse].fullname

You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the attribute is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the account[Lighthouse] attribute for an example of how to extend the extended user attributes.

waveset.correlationKey

Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.

waveset.creator

Contains the name of the administrator that created this user.

This attribute is read-only.

waveset.createDate

Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z

Example

05/21/02 14:34:30 CST

This attribute is set once only and is read-only.

waveset.disabled

Contains the disabled status of the Identity Manager user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string.

You can modify this attribute to enable or disable the Identity Manager user, although it is more common to use the global.disable. (Prepending global. to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Identity Manager.)

Once this value becomes true, the user cannot log in to the Identity Manager user interface.

waveset.email

Specifies the email address stored for a user in the Identity Manager repository. Typically, it is the same email address that is propagated to the resource accounts.

Modifications to this attribute apply to the Identity Manager repository only. If you want to synchronize email values across resources, you must use the global.email attribute.

You can modify this attribute.

waveset.exclusions

List the names of the resource that will be excluded from provisioning, even if the resource is assigned to the user through a role, resource group, or directly.

waveset.id

Identifies the repository ID of the Identity Manager user object. Once the user has been created in Identity Manager, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null).

Example

The following example shows an XPRESS statement that tests to see if waveset.id is null:

<isnull><ref>waveset.id</ref></isnull>

waveset.lastModDate

Contains the date at which the last modification was made. It represents the date by the number of milliseconds since midnight, January 1970 GMT. This attribute is updated each time a user account is modified.

This attribute is read-only.

waveset.lastModifier

Contains the name of the administrator or user that last modified this user account.

This attribute is read-only.

waveset.locked

Indicates whether the user is locked. A value of true indicates that the user is locked.

waveset.lockExpiry

Specifies when the user lock expires if the user’s Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time.

waveset.organization

Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization.

Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison.

waveset.original

Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records.

Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are:

• password

• role

• organization

To reference these attributes, prepend waveset.original. to the attribute name (for example, waveset.original.role).

password

Specifies the Identity Manager user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string.

The password attribute set contains the attributes described in the following table.

waveset.passwordExpiry

Contains the date on which the Identity Manager password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm/dd/yy.

waveset.passwordExpiryWarning

Contains the date on which warning messages will start being displayed whenever the user logs into the Identity Manager User Interface. This is typically a date prior to the waveset.passwordExpiry date in the same format (mm/dd/yy).

waveset.questions

Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes.

The waveset.questions attribute set contains the attributes described in the following table.

The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names.

For example, the path waveset.questions[#1].question addresses the second element of the questions list (list indexes start from zero). However, since there may be only one question on the list whose ID is the number 1, the ID is not necessarily suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID (in this example, Q1). The path waveset.questions[Q1].question then always correctly addresses the question.

waveset.resources

Contains a list of the names of each resource that is assigned directly to the user. This list does not include resources that are assigned to a user through a role or through applications. You can add only unqualified resource names to this attribute. To find all resources that are assigned to a user, see the section on the accountInfo attribute.

waveset.resourceAssignments

Qualifies the assigned resource list. (This attribute parallels the existing attribute waveset.resources attribute.) All resources in this attribute appear as unqualified in waveset.resources. Even if a user is assigned only an account of non-default type, the resource will appear in waveset.resources.

You can add new assignments made to either waveset.resource or waveset.resourceAssignments, with the lists automatically resynchronizing when the view is refreshed. This adds an assignment for an account of default type. You can add both qualified and unqualified resource names to waveset.resourceAssignments. This adds an account of the specified type based on the qualifier.

waveset.roleInfos

Contains a list of objects that contain information about the roles assigned to this user.

waveset.roles

Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles.

Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.

waveset.serverId

Use to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. See Installation Guide for more information.

accounts Attribute

The accounts attribute contains a list of objects for each account linked to the Identity Manager user. Each account object contains the values of the account attributes retrieved from the resource.

The name of each account object is typically the name of the associated resource. If more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix. The second account has the suffix |2. The third account on a resource has |3, etc.

For example, if you have a resource named Active Directory that defines an account attribute named Profile, the view path to this attribute would be:

accounts[Active Directory].Profile

If this view path were used in a form field, it would prevent the value of the global.Profile attribute from being propagated to the Active Directory account.

You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources

Overriding Resource Attributes

In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Identity Manager, and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server, or the base context in a directory.

You may want to create an account on a resource, but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be overridden on a per-account basis in the view.

Resource attribute overrides are stored in the attribute object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path:

accounts[Active Directory].resourceAttributes.host

Although overriding resource attributes is not recommended, sometimes you cannot avoid it. You might choose to overwrite a resource to avoid creating duplicate resources that point to the same physical resource but differ by one attribute. For example, in a customer environment that has multiple Active Directory servers, it may make more sense to override the resource attribute host in the form than to create a new resource. Contact your Identity Manager support representative for more information.

accounts[Lighthouse]

Sets the values of only the attributes stored in the Identity Manager repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Identity Manager repository, changes to this attribute are not automatically propagated to resources.

The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The system ignores any name found in this set of attributes that is not registered in the configuration object.

The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset.attribute set.

<?xml version=’1.0’ encoding=’UTF-8’?>
<!DOCTYPE Configuration PUBLIC ’waveset.dtd’ ’waveset.dtd’>
<!--  id="#ID#Configuration:UserExtendedAttributes" 
      name="User Extended Attributes"-->
 <Configuration id=’#ID#Configuration:UserExtendedAttributes’ 
      name=’User Extended Attributes’
 creator=’Configurator’ createDate=’1019603369733’ lastMod=’2’ counter=’0’>
  <Extension>
    <List>
      <String>firstname</String>
      <String>lastname</String>
      <String>fullname</String>
<!—add string values here - - >
      <String>SSN</String>
    </List>
  </Extension>
  <MemberObjectGroups>
    <ObjectRef type=’ObjectGroup’ id=’#ID#Top’ name=’Top’/>
  </MemberObjectGroups>
</Configuration>

This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.

accounts[Lighthouse].delegates

Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item

• If delegatedApproversRule is the value of delegateApproversTo, identifies the selected rule.

• If manager is the value of delegateApproversTo, this attribute has no value.

This attribute takes the attributes contained in the Attributes of accounts[Lighthouse].delegate* Attributes table.

accounts[Lighthouse].delegatesHistory

Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth. This attribute takes the attributes contained in the Attributes of accounts[Lighthouse].delegate* Attributes table.

accounts[Lighthouse].delegatesOrginal

Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation. This attribute takes the attributes contained in the following table.

accounts[Lighthouse].properties

The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Identity Manager repository. You can then use properties in forms and workflows. A property is similar in some ways to an Extended User Attribute, but are not limited to primitive data types such as strings or integers.

Identity Manager defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list.

Sample Use

You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml.

The field that displays the deferred task table is named Deferred Tasks. After modifying the waveset.properties attribute, the deferred task table is now referenced by the default Tabbed User Form. If any deferred tasks exist, the table will be displayed at the bottom of the Identity tab panel.

accounts[Lighthouse].viewUserForm

Used to display a view-only User form. This view-only form displays field information as Labels, to ensure that the administrator cannot change values, although he can list, view, and search on this user information. (The administrator selects a user from the accounts list, then clicks View to see user details.)

accounts[<resource>].properties

Used to store account properties in the Identity Manager repository. Use this attribute if you have some information about the account -- for example the date it was created -- that cannot be stored as a native account attribute on the resource.

accounts[<resource>].waveset.forceUpdate

Used to specify a list of resource account attributes that will always be sent to the resource for update when a user is modified and that an attribute value remains available to resource actions. This attribute is required for resource actions to be run when a user is unassigned from a resource.

The following field definition from a user form uses a Solaris resource. (<resource> has been replaced with the name of the resource.):

<Field name=’accounts[waterloo].waveset.forceUpdate’>
   <Default>
      <List>
          <String>delete after action</String>
          <String>Home directory</String>
      </List>
   </Default>
</Field

The preceding code causes Identity Manager to send the delete after action and Home directory attribute to the provisioner and resource adapter.

global Attribute

You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts (including Identity Manager). The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Identity Manager repository if there is an extended attribute with the same name.

For example, two resources R1 and R2 define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname.

You can also use global attributes to assign extended attributes that are stored in the Identity Manager repository. If a global attribute is also declared as an extended Identity Manager attribute, it is copied into accounts[Lighthouse].

Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems.

Referencing Two Different Fullname Attributes

The global attribute can be used in combination with the account attribute for the same attribute name. For example, on an Active Directory resource, the structure of the fullname is lastname, firstname. But all other resources that have a fullname use firstname lastname.

The following example shows how you can reference these two fields in a form.

<Field name=’global.fullname’>
 <Expansion>
       <concat>
         <ref>global.firstname</ref><s> </s>
         <ref>global.lastname</ref>
       </concat>
 </Expansion>
</Field>
<Field name=’accounts[ActiveDir].fullname’>
 <Expansion>
       <concat>
          <ref>global.lastname</ref><s>, </s>
          <ref>global.firstname</ref>
      </concat>
   </Expansion>
</Field>

In the preceding example, creating a new user works as expected. However, when you load the user, the fullname attribute from the Active Directory resource can be used to populate the global.fullname field.

A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:

<Field name=’global.fullname’>
 <Derivation>
       <or>
         <ref>accounts[LDAP res].fullname</ref>
         <ref>accounts[AD res].fullname</ref>
       </or>
 </Derivation>
      <concat>
          <ref>global.firstname</ref><s> </s>
          <ref>global.lastname</ref>
      </concat>
   </Expansion>
</Field>
   <Expansion>

By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the AD resource.

accountInfo Attribute

Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:

• Information in this view is structured so that it is easier to use in forms

• This view can be used as a component of other views without including the entire waveset view.

Most account information is stored in the accountsInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use this name to index the account list attribute.

For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role.

<Field name=’accountInfo.accounts[$(name)].name>
   <FieldLoop for=’name’ in=’accountInfo.fromRole’>
     <Display class=’Label’/>
   </Field>
</FieldLoop>

The following tables shows the accountInfo view attributes, which describe characteristics about the user.

accountInfo.accounts

Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource.

Example

accountInfo.accounts[Active Directory].type

Objects found in the accountInfo.accounts list have the following attributes, as defined in the following table.

accountInfo.accounts[ ].attributes[ ]

Contains information about all the account attributes defined by this resource. These attributes are listed on the schema map page of the resource. The value of the attribute is a List of objects.

The following table defines the attributes that these objects contain.

If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.

accountInfo.accounts[].passwordPolicy

A resource can be assigned a password policy. If an attribute has an assigned password policy, the value of this attribute will contain information about it.

The following table defines the attributes in the accountInfo.accounts[resname].passwordPolicy.

Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map.

Forms that provide an interface for changing and synchronizing passwords often use this information.

accountInfo.accounts[Lighthouse]

This special entry in the accountInfo list is used to hold information about the Identity Manager default password policy. This is convenient when displaying password forms since information about the Identity Manager password and policies must be displayed along with the information for resource accounts.

This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.

accountInfo Resource Name Lists

The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics.

The accountInfo attributes that can contain resource names are:

• assigned

• created

• fromRole

• private

• toCreate

• toDelete

accountInfo.assigned

Identifies the resources that are assigned to the user. If you are designing a form, you can call this attribute to display a list of resources that are assigned from the role, applications, and that are directly assigned to a user.

accountInfo.typeNames

A list of unique type names for every assigned resource. This is used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected.

<Field name=’HomeDirectory’ prompt=’Home Directory’>
   <Display class=’Text’/>
      <Disable>
         <not>
            <contains>
               <ref>accountInfo.typeNames</ref>
               <s>Solaris</s>
            </contains>
         </not>
      </Disable>
</Field>

This returns the same information as the path accountInfo.types[*].name but is more efficient, which is important when used with Disable expressions. This list can include common resource types.

You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator Interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountInfo.types

This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List (objects).

The following table shows the attributes that belong to each object.

For example, you can determine a list of IDs for all UNIX accounts with the following path:

accountInfo.types[Unix].accounts

display Attribute

The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing.

The following table shows the most used display view attributes.

Default itemType Behavior

Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem.

When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab:

• approval

• custom

• itemType

Overriding Default Behavior

You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form as follows:

<Form ......>
   <Properties>
     <Property name=’allowedWorkItemTransitions’>
       <list>
         <s>myCustomType</s>
        </list>
 <     /Property>
    </Properties>

Deferred Attributes

A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.

If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.

When to Use Deferred Attributes

Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.

Using Deferred Attributes

There are two main steps to defining a deferred attribute:

To Define a Deferred Attribute

1. Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.

2. Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:

   accounts[<resource>].deferredAttributes.<attname>.resource accounts[<resource>].deferredAttributes.<attname>.attribute

   where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.

   For example, assume a scenario in which the following two resources are created: 1) a resource named LDAP that generates a uid attribute when an account is created; 2)a resource named HR, which contains a directoryid attribute named directoryid, whose value is to be the same as uid in the LDAP resource.

   The following form fields set the necessary view attributes to define this association.

   <Field name=’accounts[HR].deferredAttributes.directoryid.resource’> <Expansion><s>LDAP</s></Expansion> </Field> <Field name=’accounts[HR].deferredAttributes.directoryid <Expansion><s>uid</s></Expansion> </Field>

Debugging the User View

When debugging the User view, you might find it useful to dump the contents of the view into a new file. To create a dump file, add the following Derivation statement to the User view:

<Field name=’DumpView’>
   <Derivation>
      <invoke name=’dumpFile’>
         <ref>form_inputs</ref>
            <s>c:/temp/view.xml</s>
      </invoke>
   </Derivation>
</Field>

This Derivation expression invokes the dumpFile method, which generates the file after the User form is displayed for the first time. The form_inputs variable is automatically bound to the view that is being used with this form.

In the preceding example, the String argument to the dumpFile method is a file system path, where you substitute a valid path for c:/temp/view.xml.

Account Correlation View

Used to search for users correlating to a specified account (or account attributes). This view is used as part of the account reconciliation process.

This view contains the root attributes listed below. The values of these attributes are GenericObjects. The new ID is <account_name>@<resource_name>

The correlation request is executed on both the view get operation and refresh request. In the case of a refresh, the request specified in the view is used (with the exception of accountId and resource, as these values are overridden by the view ID). In the case of a get request, view options of the same name as the view attribute (for example, correlator) can be used to specify the view-supplied portion of the request.

accountAttributes, when provided as a view option, can be supplied as a WSUser (as returned by resource adapter methods) or as a GenericObject.

Correlation

accountId

Specifies the name of the account to correlate. This is automatically obtained from the view ID.

accountGUID

Specifies the GUID of the account to correlate. Required only if accountId and resource cannot clearly and unambiguously identify the resource.

resource

Specifies the name of the resource where the account resides. This value is automatically obtained from the view ID.

accountAttributes

Specifies the attributes of the account. If present, the viewer will not fetch the current account attributes to pass to the correlation/confirmation rules. Instead, these attributes will be passed in.

correlator

Specifies the correlation rule to use. If not present, the correlation rule specified by reconciliation policy for the resource will be used. If present, but null, no correlation rule is used.

confirmer

Specifies the confirmation rule to use. If not present, the confirmation rule specified by reconciliation policy for the resource will be used. If present, but null, no confirmation rule is used.

These lists consist of GenericObjects that contain the summary attributes of users.

claimant

Lists claimants that are calculated independent of the correlation algorithm, so claimants may also appear in another of the lists. Claimant discovery can be disabled by setting ignoreClaimants to true in the view options. A user claims an account if it has a ResourceInfo explicitly referencing the account.

correlated

Lists the users who were correlated to the resource account.

unconfirmed

Lists users who were selected by the correlation rule, but were rejected by the confirmation rule. This list is only present if the includeUnconfirmed is set to true in the view options.

Admin Role View

Used when creating or updating an admin role to a user. Admin roles enable you to define a unique set of capabilities for each set of organizations. Capabilities and controlled organizations can be assigned directly or indirectly through roles.

One or more admin roles can be assigned to a single user and one or more users can be assigned the same admin role.

id

Uniquely identifies the AdminRole object in Identity Manager. System-generated.

name

Specifies the name of the admin role.

capabilities

Identifies the list of capability names that are assigned to this admin role.

capabilitiesRule

Specifies the name of the rule to be evaluated that will return a list of zero or more capability names to be assigned.

controlledOrganizations

Lists organization names over which the associated capabilities are allowed.

controlledOrganizationsRule

Specifies the name of the rule to be evaluated. This rule will return a list of zero of more controlled organizations names to be assigned.

controlledOrganizationsUserform

Specifies the userform that will be used when editing or creating users in the scope of organizations controlled by this admin role. Valid if the userform is not directly assigned to the user that is assigned this Admin role.

controlledSubOrganizations

Lists the controlled organizations for which a subset of the objects available has been either included or excluded. The value of this attribute consists of a list of controlledSubOrganization objects. Each ControlledOrganization object view is as follows.

types is a list of objects, where the list of objects to include or exclude are organized by type (for example, Resource, Role, and Policy). The view for each object type is as follows:

name

Specifies the name of the object type.

include

Lists object names of the associated object type to include.

exclude

Lists object names of the associated type to exclude.

memberObjectGroup

Lists the ObjectGroups of which this Admin role is a member. These are the object groups (organizations) that this Admin role is available to.

Change User Answers View

Used to change an existing user’s authentication answers for one or more login interfaces.

Contains two high-level attributes.

questions

Describes the question. Contains the following attributes:

qid

Uniquely identifies a question that is used to associate this question with one defined in the policy.

question

Specifies the question string as defined in the policy.

answer

Specifies the user’s answer, if specified, associated with the value of qid.

answerObfuscated

Specifies whether the answer is displayed or encrypted.

loginInterface

Identifies the login interface with which this question is associated. Its value is a unique message catalog key for each login interface.

Contains the following attributes:

name

Identifies the name of the login interface that the question is associated with.

Valid values include:

• UI_LOGIN_CONFIG_DISPLAY_NAME_ALL_INTERFACES

• UI_LOGIN_CONFIG_DISPLAY_NAME_ADMIN_INTERFACE

• UI_LOGIN_CONFIG_DISPLAY_NAME_CLI_INTERFACE

• UI_LOGIN_CONFIG_DISPLAY_NAME_DEFAULT_USER_INTERFACE

• UI_LOGIN_CONFIG_DISPLAY_NAME_IVR_INTERFACE

• UI_LOGIN_CONFIG_DISPLAY_NAME_QUESTION_INTERFACE

• UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE

questionPolicy

Specifies the policy that this question is associated with (for example, All, Random, Any, or RoundRobin).

questionCount

Set only if the questionPolicy attribute is set to Any or Random.

Change User Capabilities View

Used to change an Identity Manager user’s capabilities.

adminRoles

Lists the Admin roles that are assigned to the user.

capabilities

Lists capabilities assigned to this user.

controlledOrganizations

Lists the organizations that this user controls with the assigned capabilities.

Delegate WorkItems View

Use this view to delegate the work items for specified users.

Top-level attributes include the following:

manager

Specifies the accountId of the user whose workItem will be deleted. This value is null if the user has no idmManager assigned.

name

Identifies the user (by name) whose work items will be delegated.

delegates

Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item (workItem).

delegatesHistory

Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth. (Delegate history depth is the number of previous delegations to keep for reuse. You can configure the number kept in the System Configuration object by setting the security.delegation.historyLength attribute to an integer value greater than 0. The default number kept is 10.)

Each of the preceding attributes has the following attributes:

Referencing a DelegateWorkItems View Object from a Form

The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:

<Field name=’delegates[*].workItemType’>
<Field name=’delegates[*].workItemTypeDisplayName’>
<Field name=’delegates[*].workItemTypeObjects’>
<Field name=’delegates[*].toType’>
<Field name=’delegates[*].toUsers’>
<Field name=’delegates[*].toRule’>
<Field name=’delegates[*].startDate’>
<Field name=’delegates[*].endDate’>
<Field name=’delegates[*].status’>

where supported index values (*) are workItemType values.

The following code sample illustrates how to reference a delegate history object from the DelegateWorkItems view:

<Field name=’delegatesHistory[*].workItemType’>
<Field name=’delegatesHistory[*].workItemTypeDisplayName’>
<Field name=’delegatesHistory[*].workItemTypeObjects’>
<Field name=’delegatesHistory[*].toType’>
<Field name=’delegatesHistory[*].toUsers’>
<Field name=’delegatesHistory[*].toRule’>
<Field name=’delegatesHistory[*].startDate’>
<Field name=’delegatesHistory[*].endDate’>
<Field name=’delegatesHistory[*].selected’>
<Field name=’delegatesHistory[*].status’>

where supported index values (*) are 0 to n, where n is the current number of delegate history objects up to delegate history depth.

Deprovision View

Used to present and select a list of resources to be deprovisioned. Contains one single top-level attribute.

resourceAccounts

This attribute contain the following attributes.

id

Specifies the unique identifier for the account.

selectAll

Controls whether all resources are selected.

unassignAll

Specifies that all resources should be removed from the user’s list of private resources.

unlinkAll

Specifies that all resources should be unlinked from the Identity Manager user.

tobeCreatedResourceAccounts

Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.

tobeDeletedResourceAccounts

Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.

All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).

All account lists are indexed by resource name.

selected

If set to true, indicates that for a given resource, the associated account should be deprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be deleted unless they are also selected. However, the associated resource accounts will not be deleted.

unassign

If set to true, indicates that the specified resource should be removed from the user’s list of private resources (for example, waveset.resources).

unlink

If set to true, indicates that the specified resource should be unlinked from the Identity Manager user (for example, remove the associated ResourceInfo object).

If selected or unassign are set to true, this suggests that unlink will also be true. However, the converse is not true. unlink can be true and selected and unassign can be set to false.

name

Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.

type

Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId

Specifies the identity of the resource account.

exists

Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).

disabled

Indicates whether the account is currently disabled or enabled (only in currentResourceAccount).

authenticator

Indicates whether the account is one that the user is configured to log in.

directlyAssigned

If true, indicates that the account is directly assigned to the user. A value of false indicates that the account is indirectly assigned by a role or application.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Disable View

Used to disable accounts on the Identity Manager user. This view is often used in custom workflows.

resourceAccounts

Represents the top-level attribute when accessing attributes in this view.

id

Identifies the Identity Manager ID of the user.

selectAll

When set, causes all resource accounts to be disabled, including the Identity Manager account.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Enable View

Used to enable accounts on the Identity Manager user. This view is often used in custom workflows.

resourceAccounts

Represents the top-level attribute when accessing attributes in this view.

id

Identifies the user’s Identity Manager ID.

selectAll

When set, all resource accounts will be enabled, including the Identity Manager account.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Find Objects View

Provides a customizable, generic Identity Manager repository search interface for any object type defined in Identity Manager that has rights and is not deprecated or restricted to internal use. The Find Objects view handler provides the associated forms for specifying one or more attribute query conditions and parameters and for the display of the find results. In addition, you can use view options to specify attribute query conditions and parameters.

This view contain the following attributes.

objectType

Specifies the Identity Manager repository object type to find (for example, Role, User, or Resource).

allowedAttrs

Lists the specified object types (specified by the objectType attribute) allowed queryable attribute names that are obtained by default by calling the objectType’s listQueryableAttributeAttrs() method. This method is exposed by each class that extends PersistentObject. If not overridden by the object type class, it inherits the PersistentObject implementation returning the default set of queryable attributes supported by all PersistentObjects.

You can override the default set by specifying the set of allowedAttrs in either the default section or the objectType-specific section of the findObjectsDefaults.xml configuration file. This file resides in the sample directory. Specify each allowed attribute in the sample/findObjectsDefaults.xml file as follows:

name

Identifies the attribute.

displayName

Specifies the attribute name as it is displayed in the Identity Manager Administrator interface. If not specified, the value of this attribute defaults to the same value as name.

syntax

Indicates the data type of attribute value where supported values include string, int, and boolean. If not specified, this value defaults to string.

multiValued

Indicates whether the attribute supports multiple values. A value of true indicates that attribute supports multiple values. If unspecified, this value defaults to false. This attribute applies only if the attribute syntax is string.

allowedValuesType

Specifies the name of the Identity Manager type if the allowed values of the attribute are instances of an Identity Manager type (for example, Role or Resource). If not specified, this attribute defaults to null.

If the name attribute is an Identity Manager-defined attribute, then only name is required. If the attribute name is an extended attribute, you must specify at least the name and, optionally, the other attributes unless the defaults are sufficient.

See sample/findObjectsDefaults.xml for example formats for specification of allowed attributes.

You can specify the list of allowedAttrs as either a list of strings, a list of objects, or a combination of both.

attrsToGet

Lists the summary attribute names of the specified object types (objectType) to be returned with each object that match the specified attribute query conditions. You can obtain the object type’s set of supported summary attributes by calling the object type’s listSummaryAttributeAttrs() method. (This method is exposed by each class that extends PersistentObject.) If not overridden by the objectType class, it inherits the PersistentObject implementation that returns the default set of summary attributes that are supported by all Persistent Objects.

You can override the default by specifying the list of resultColumnNames in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.

attrConditions

Lists the attribute conditions that are used to find objects of the specified object type (objectType) that match the specified attribute conditions (attrConditions). Each attribute condition in the list should be specified as follows:

selectedAttr

Identifies one of the attribute names from the list of allowed attributes (allowedAttrs).

selectedAttrRequired

(Optional) Indicates whether the selected attribute (selectedAttr) can be changed for this attribute condition. A value of true indicates that the selected attribute cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions

defaultAttr

(Optional) Identifies the allowedAttrs name to select by default when the list of allowed attributes is displayed in interface.

allowedOperators

Lists the operators allowed based on the syntax specified in the selected attribute (selectedAttr). By default, this list is obtained by calling the getAllowedOperators method passing the values of the syntax and multiValued attributes of the selected attribute (selectedAttr). You can override the default by specifying the set of allowed operators (allowedOperators) in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.

selectedOperator

Specifies the name of one operator from the list specified in allowedOperators.

selectedOperatorRequired

(Optional) Indicates whether the selected operator (selectedOperator) can be changed for this attribute condition. A value of true indicates that the selected operator cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions

defaultOperator

(Optional) Specifies the name of the operator (allowedOperators) to select by default when the list of allowed operators (allowedOperators) is displayed in the form.

value

Indicates the value or operand for the selected attribute name and operator that must be tested when Identity Manager determines if it should return an object of the specified object type (objectType). You can omit this attribute if the value of selectedOperator is exists or notPresent.

valueRequired

(Optional) Indicates whether the value of the attribute condition can be changed. A value of true indicates that value can be changed. It also indicates that the attribute condition cannot be removed from the list of attribute conditions.

removeAttrCond

Determines if this attribute condition should be removed or not (internal).

You can specify attribute conditions as view options by using the FindObjects.ATTR_CONDITIONS constant or the attrCondition string. If attrConditions is not specified, Identity Manager returns all objects of the specified object type.

maxResults

(Optional) Specifies the maximum number of objects of the specified objectType that Identity Manager should return from the find request. Defaults to 100 if not specified. You can override the default by specifying the a value for resultMaxRows attribute in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.

Use of this attribute can improve performance in cases where many Identity Manager repository objects of the specified type exist.

results

If the value of attrsToGet is null, the value of result is a list of object names that match the specified attribute condition. If the value of attrsToGet is non-null, results is a list of objects that matched the specified attrConditions, where each object consists of:

• columns - Lists displayable column names that match the requested attrsToGet

• rows - Lists row objects named from 0 to the number of rows (for example, ”10’)

• row - Lists objects that consist of a name from ”0’ to the number of columns (for example, ”6’) and a value for that rows column

sortColumn

(Optional) Indicates the value of the column to sort the results on. Defaults to ’0’ if not specified. You can override the default by specifying a value for resultSortColumn in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.

selectEnable

(Optional) Specifies whether more than one result row can be selected simultaneously. A value of true indicates that more than one result row can be selected. The default is false. The default can be overridden by specifying a value for resultSelectEnable in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.

Org View

Used to specify the type of organization created and options for processing it.

Common Attributes

The high-level attributes of this view are listed in the following table.

orgName

Identifies the UID for the organization.This value differs from most view object names because organizations can have the same short name, but different parent organizations.

orgDisplayName

Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.

orgType

Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.

orgId

Specifies the ID that is used to uniquely identify the organization within Identity Manager.

orgAction

Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.

orgNewDisplayName

Specifies the new short name when you are renaming the organization.

orgParentName

Identifies the full pathname of the parent organization.

orgChildOrgNames

Lists the Identity Manager interface names of all direct and indirect child organizations.

orgApprovers

Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.

allowedOrgApprovers

Lists the potential user names who could be approvers for users added to or modified in this organization.

allowedOrgApproverIds

Lists the potential user IDs who could be approvers for users added to or modified in this organization.

orgUserForm

Specifies the userForm used by members users of this organization when creating or editing users.

orgViewUserForm

Specifies the view user form that is used by member users of this organization when viewing users.

orgPolicies

Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string: Each policy object contains the following view attributes, which are prefixed by orgPolicies[<type>]. <type> represents policy type (for example, Lighthouse account).

• policyName -- Specifies name

• id -- Indicates ID

• implementation -- Identifies the class that implements this policy.

orgAuditPolicies

Specifies the audit policies that apply to all member users of this organization.

renameCreate

When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.

renameSaveAs

When set to true, renames this organization using the value of orgNewDisplayName.

Directory Junction and Virtual Organization Attributes

orgContainerId

Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).

orgContainerTypes

Lists the allowed resource object types that can contain other resource objects.

orgContainers

Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.

orgParentContainerId

Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).

orgResource

Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).

orgResourceType

Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).

orgResourceId

Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.

orgRefreshAllOrgsUserMembers

If true and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, resource container user membership will not be synchronized, only the resource containers to Identity organizations for the selected organization and all child organizations.

Dynamic Organization Attributes

orgUserMembersRule

Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.

orgUserMembersCacheTimeout

Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.

Password View

Used by administrators to change passwords of the Identity Manager user or their resource accounts.

This view contains one top-level attribute.

resourceAccounts

This attribute contains the following attributes.

id

Specifies the account ID of the Identity Manager user whose passwords are being changed. Typically set by the view handler and never modified by the form.

selectAll

Controls whether all password are selected.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).

tobeCreatedResourceAccounts

Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.

tobeDeletedResourceAccounts

Represents the set of resources assigned to this user that are not yet being managed by Identity Manager (for example, they do not have an associated resinfo object). Passwords cannot be changed on accounts that are going to be deleted.

All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts

Both resource account lists are indexed by resource name, and will contain objects that describe the resources on which this user has accounts.

password

Specifies the new password you want to assign to the Identity Manager account or the resource accounts.

confirmPassword

Confirms the password specified in the password attribute. When the view is used interactively, the form requires you to enter the same values in the password and confirmPassword fields. When the view is used programmatically, such as within a workflow, the confirmPassword attribute is ignored. If you are using this view interactively, you must set this attribute.

selected

Indicates that the specified resource should receive the new password.

name

Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.

type

Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId

Specifies the identity of the account on this resource, if one has been created.

exists

Indicates whether the account already exists on the resource.

disabled

Indicates whether the account is currently disabled.

passwordPolicy

When set, describes the password policy for this resource. Can be null. It contains these attributes.

In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as defined in the policy.

The summary string contains a pre-formatted description of the policy attributes.

authenticator

If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.

changePasswordLocation

(Optional) Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.

expirePassword

Can be set to a non-null Boolean value to control whether the password is marked as expiring immediately after it has been changed. If null, the password expires by the default if the user whose password is being changed differs from the user that is changing the password.

tobeCreatedResourceAccounts

Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.

tobeDeletedResourceAccounts

Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Process View

Used to launch tasks such as workflows or reports. The task to be launched must be defined by a TaskDefinition or TaskTemplate object in Identity Manager. Launching the task results in the creation of a TaskInstance object.

This view contains one top-level attribute named task. All other top-level attributes are arbitrary and are passed as inputs to the task.

task

This top-level attribute defines how the task is to be launched.

process

Names the process to launch. This can be the name of a TaskDefinition or TaskTemplate object in Identity Manager. It can also be an abstract process name mapped through the process settings in the System Configuration object. This attribute is required.

taskName

Specifies the name given to the TaskInstance object that is created to hold the runtime state of the task. If this attribute is not set, a random name is generated.

organization

Names the organization in which to place the TaskInstance. If this attribute is not set, the TaskInstance is placed in Top.

taskDisplay

Specifies a display name for the TaskInstance.

description

Specifies a descriptive string for the TaskInstance. This string is displayed in the Manage Tasks table in the product interface.

execMode

Specifies execution mode. This is typically not specified, in which case the execution mode is determined by the TaskDefinition. Setting this attribute overrides the value in the TaskDefinition.

Allowed execMode values are:

Use the asyncImmediate execution mode only for special system tasks that must pass non-serializable values into the task through the view. The task thread is started immediately. The default behavior is to save the TaskInstance temporarily in the repository and have the Scheduler resume it later.

result

Specifies the initial result for the TaskInstance. You can use this setting to pass information into the task that you eventually want displayed with the task results when the task completes.

owner

Specifies the user name that is considered to be the owner of the task. If not set, the currently logged-in user is designated as the owner.

View Options

The following options are recognized by the createView and checkinView methods.

endUser

Specifies that the task is being launched from the Identity Manager User Interface. This allows users with no formal privileges to launch specially designated end-user tasks.

process

Names the process to launch. This name is recognized by the createView method and becomes the value of the process attribute in the view.

suppressExecuteMessage

When set to true, suppresses a default message that is added to the task result when an asynchronous task is launched. The default English text is, The task is being executed in the background.

Checkin View Results

The following named result items can be found in the WavesetResult object that is returned by the checkinView method.

Reconcile View

Used to request or cancel reconciliation operations on a resource. This view is used to perform on-demand reconciliation as part of a workflow. It can also be used when implementing a custom scheduler for reconciliation.

This view is write-only. get and checkout operations are not supported.

request

Specifies the operation to perform. You must specify one of the following valid operations:

accountId

Identifies the account to reconcile. This string is ignored if the request is not ACCOUNT.

Examples

• To request a reconciliation of a single account on a resource (in this case, an Active Directory resource):

  request = “ACCOUNT”
  accountId = “cn=maurelius, ou=Austin, DC=Waveset, DC=com”

• To cancel the pending or currently active reconciliation process on a resource:

  request = “CANCEL”

Reconcile Policy View

Used to view and modify reconciliation policy, which is stored as part of the Identity Manager system configuration object.

Reconciliation Policies and the Reconcile Policy View

Reconciliation policy settings are stored in a tree structure with the following general structure:

• default, or global, policy (Default). This is the root policy level.

• resource type (ResType:) policy

• resource policy (Resource:)

Settings can be specified at any point in the tree. If a level does not specify a value for a policy, it is inherited from the next highest policy.

The view represents an effective policy at a specified point in the policy tree, which is identified by the view name.

Policy Values

Values of policy settings are always policy values. Policy values can contain up to three components, as described in the following table.

Authorization Required

To modify the view, users require Reconcile Administrator Capability.

To access the view, users require Reconcile Administrator or Reconcile Request Administrator capabilities.

View Attributes

The following table lists the high-level attributes of this view.

scheduling

reconcileServer

Specifies the reconciliation server that should be used to perform scheduled reconciliations.

reconcileModes

Specifies the reconciliation modes that are enabled. Valid values are: BOTH, FULL, NONE.

fullSchedule

Identifies the schedule for full reconciles when enabled.

incrementalSchedule

Identifies the schedule for incremental reconciles when enabled.

nextFull

Containing the time of the next incremental reconcile, if enabled.

nextIncremental

Specifies the repetition count for the schedule. Schedule values are GenericObjects with the following attributes:

• count -- Specifies the repetition count for the schedule

• units -- Specifies the repetition unit for the schedule

• time -- Specifies the start time for the schedule

correlation

Identifies the name of the correlation rule.

correlationRule

Identifies the name of the correlation rule to use when correlating accounts to users.

confirmationRule

Identifies the name of the confirmation rule to use when confirming correlated users against accounts. When no confirmation is required, specify the value CONFIRMATION_RULE_NONE.

workflow

proxyAdministrator

Specifies the name of the user with administrative capabilities.

preReconWorkflow, perAccountWorkflow, postReconWorkflow

Specifies the name of the workflow to run at appropriate point in reconciliation processing. To specify that no workflow be run, use the value AR_WORKFLOW_NONE.

response

situations

Specifies the automated response to perform for the specified situation. Valid responses are:

explainActions

Specifies whether reconciliation should record detailed explanations of actions in the Account Index.

resource

reconcileNativeChanges

Specifies whether native changes to account attributes should be reconciled.

reconciledAttributes

Specifies the list of account attributes that should be monitored for native changes

listTimeout

Specifies (in milliseconds) how long reconciliation should wait for a response when enumerating the accounts present on the resource.

fetchTimeout

Specifies (in milliseconds) how long reconciliation process should wait for a response when fetching an account from a resource.

Reconcile Status View

Used to obtain the status of the last requested reconciliation operation. This view is read-only.

status

Indicates the status code request (string). Valid status codes include:

reconcileMode

Indicates the reconciliation mode of the request. Either FULL or INCREMENTAL.

reconciler

Identifies the Identity Manager server that is processing the reconciliation request.

requestedAt

Indicates the date on which the request was received.

startedAt

Specifies a date on which the reconciliation operation started. If the reconciliation operation has not yet started or was cancelled while still pending, this value is null.

finishedAt

Indicates the date on which the reconciliation operation completed. If the reconciliation process has not yet completed, this value is null.

errors.fatal

Describes the error (if any) that terminated the reconciliation operation. Errors are returned as a list of strings.

errors.warnings

Describes any non-fatal errors that are encountered during the reconciliation operation. Errors are returned as a list of strings.

statistics.accounts.discovered

Identifies the number of accounts that is found on the resource at the time of the reconciliation operation.

statistics.situation[<situation>].resulting

Identifies the number of accounts in the specified reconciliation situation after responses have been performed (successfully or not).

Valid situations are any of the following:

• CONFIRMED

• FOUND

• DELETED

• MISSING

• COLLISION

• UNMATCHED

• UNASSIGNED

• DISPUTED

Rename User View

Used to rename the Identity Manager and resource account identities. This view is typically used when a user in a company has a name change. The other main use for this view is to change the identity of a directory user that essentially causes a move in the directory structure.

newAccountId

Specifies the new accountId to be set on the Identity Manager user and used in the Identity templates for resource accounts.

toRename

Specifies a list of accounts in the currentResourceAccounts list that support the rename operation.

noRename

Specifies a list of accounts that do not support the rename functionality.

resourceAccounts

Contains mostly read-only information about the resource accounts. Use the following attributes to rename resource accounts:

accounts[<resourcename>].identity

Overrides the use of the Identity Template to create the accountId for this resource account.

accounts[<resourcename>].<attribute>

Used when not specifying the accounts[<resourcename>].identity attribute to pass attributes to the Identity Template for the creation of the new accountId.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Example

renameView.newAccountId="saurelius"
renameView.resourceAccounts.selectAll="false"
renameView.resourceAccounts.currentResourceAccounts[Lighthouse].selected="true"
renameView.accounts[AD].identity="cn=saurelius,OU=Austin,DC=Waveset,DC=com"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"
renameView.accounts[LDAP].identity="CN=saurelius,CN=Users,DC=us,DC=com"
renameView.resourceAccounts.currentResourceAccounts[LDAP].selected="true"
renameView.accounts[AD].identity="Marcus Aurelius"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"

Reprovision View

Used to present and select the list of resources to be reprovisioned. This view contains one top-level attribute (resourceAccounts).

resourceAccounts

This attribute contains the following attributes.

id

Specifies the unique identifier for the account.

selectAll

Controls whether all resources are selected.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).

All account lists are indexed by resource name.

selected

If set to true, indicates that for a given resource, the associated account should be reprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be reprovisioned unless they are also selected. However, the associated resource accounts will not be reprovisioned.

name

Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.

type

Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId

Specifies the identity of the resource account.

exists

Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).

disabled

Indicates whether the account is currently disabled or enabled (only in currentResourceAccount).

authenticator

Indicates whether the account is one that the user is configured to login.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.

See Setting View Options in Forms in this chapter for more information.

Reset User Password View

Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.

resourceAccounts

Defines characteristics of resource accounts. This attribute contains the following attributes.

id

Specifies the account ID of the Identity Manager user whose passwords are being changed.

selectAll

Controls whether all passwords are selected.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).

tobeCreatedResourceAccounts

Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.

tobeDeletedResourceAccounts

Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are scheduled for deletion.

The three account list attributes -- tobeDeletedResourceAccounts, tobeCreatedResourceAccounts, and currentResourceAccounts -- contain the attributes described in the following table. These attributes describe the state of the account on each resource and allow you to individually select accounts.

selected

Set to true if this account is to have its password reset.

name

Specifies the name of resource. This corresponds to the name of a Resource object in the Identity Manager repository.

type

Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId

Specifies the identity of the account on this resource, if one has been created.

exists

Indicates whether the account already exists on the resource.

disabled

Indicates whether the account is currently disabled.

passwordPolicy

When set, describes the password policy for this resource. Can be null. It contains these attributes.

In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as the WSAttribute in the Policy.

The summary string contains a pre-formatted description of the policy attributes.

authenticator

If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.

changePasswordLocation

Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.

Resource View

Used when modifying resources.

Specifically, the view handler that creates this view instantiates resource parameters for the various view methods as follows:

• The createView method requires a typeString option, which is used to locate the correct prototypeXML for the resource type. The prototypeXML contains the initial set of resource parameters and their initial values. Thus, the view is populated with this list of initial resource parameters and their default values.

• The getView and checkoutView methods return only the resource parameters that exist in the resource object. The prototypeXML is not used to fill in this list if any resource parameters are missing in the actual resource object.

• The checkinView method replaces the list of resource parameters in the stored resource object in the repository. Again, the prototypeXML is not used to fill in any missing resource parameters that are not supplied during the checkinView operation.

  The checkinView method launches the Manage Resource workflow, which actually commits the changes to the repository. You can modify this workflow to include approvals or notifications.

Top Level Attributes

Top level attributes of this view include:

accountAttributes

Define the accounts managed on this resource. Attributes vary depending on the resource type, and correspond directly to the schema map. Each element in this list corresponds to an element in the List that resourceAttributes comprises.

Each element of the list contains the following attributes

accountId

Specifies the ID by which the resource identifies this account.

accountPolicy

Specifies the policy for account IDs on this resource.

adapterClassName

Identifies the Resource Adapter class to be used to provision to the resource.

allowedApprovers

(Computed read-only value) Lists display names of users who have the permission to perform resource approvals. Edit the UserUIConfig object to specify the user attribute to be used as the display attribute. By default, Identity Manager uses the administrator’s name attribute.

allowedApproversIds

(Computed read-only value). Computed only if the display attribute used for allowedApprovers is something other than name.

approvers

Lists the administrator approvers for this resource.

available

Specifies available attributes as indicated in the following table.

description

Provides a textual description of the resource.

displayName

Specifies the name that Identity Manager displays on the user edit and password pages.

excludedAccountsRule

Specifies the policy for excluding resource accounts from account lists.

facets

Comma-separated list of values that can contain any of these values: provision, activesync, or none. If this string contains activesync, then the resource has active sync processing enabled (that is, not disabled). If this string contains provision, then Identity Manager displays the basic connection-related resource parameters.

identityTemplate

Specifies the identity template used to generate a user’s identity on this resource.

name

Externally identifies the resource. This user-supplied name is unique among resource objects.

organizations

Lists the organizations available to the resource.

passwordPolicy

Specifies the password policy for accounts on this resource.

resourceAttributes

Lists Views. Each element of this List contains the attributes below.

Certain attributes depend upon the type of adapter being configured. At a minimum, these attributes specify how to connect to the resource.

The following attributes uniquely identify the resource object.

For example, <Field name=’resourceAttributes[Display Name Attribute].value’>.

resourcePasswordPolicy

Indicates the resource password policy for resource accounts on this resource.

retryMax

Indicates the maximum number of retries that will be tried on errors attempting to manage objects on a resource.

retryDelay

Specifies the number of seconds between retries.

retryEmail

Identifies the email addresses to send notifications to after reaching the retry notification threshold.

retryEmailThreshold

Specifies the number of retries after which an email is sent.

startupType

Specifies whether the activeSync resource starts up automatically or manually.

syncSource

If set to true, indicates that the resource supports synchronization events.

typeDisplayString

Identifies the display name for the resource type. This should be a message key or ID to be found in the message catalog.

typeString

Specifies the internal name for the resource type.

Resource Object View

Used when modifying resource objects.

All attributes are editable, except <resourceobjectType>.oldAttributes, which are used to calculate attribute-level changes for updates.

In practice, replace <resourceobjectType> with the lowercase name of a resource-specific object type (for example, group, organizationalunit, organization, or role).

<resourceobjectType>.ResourceType

Lists the Identity Manager resource type name (for example, LDAP, Active Directory).

<resourceobjectType>.resourceName

Lists the Identity Manager resource name.

<resourceobjectType>.resourceId

Lists the Identity Manager resource ID or name.

<resourceobjectType>.objectType

Indicates the resource-specific object type (for example, Group).

<resourceobjectType>.objectName

Lists the name of the resource object.

<resourceobjectType>.objectId

Specifies the fully qualified name of the resource object (for example, dn).

<resourceobjectType>.requestor

Specifies the ID of the user who is requesting the view.

<resourceobjectType>.attributes

Indicates new or updated resource object attribute name/value pairs (object). This attribute has the following subattribute:

resourceattrname -- String used to get or set the value of a specified resource attribute (for example, <objectType>.attributes.cn, where cn is the resource attribute common name).

<resourceobjectType>.oldAttributes

Specifies the fetched resource object attribute name/value pairs (object). You cannot edit this value. The view uses this attribute to calculate attribute-level changes for update.

<resourceobjectType>.organization

Identifies the list of organizations of which the resource is a member. This list is used to determine which organizations should have access to the associated audit event record when available for future analysis and reporting.

<resourceobjectType>.attrstoget

List of object-type-specific attributes to return when requesting an object with the checkoutView or getView methods.

<resourceobjectType>.searchContext

Specifies the context used to search for non-fully qualified names in resources with hierarchical namespaces.

<resourceobjectType>.searchAttributes

Lists the resource object type-specific attribute names that will be used to search within the specified searchContext for names of resources with hierarchical namespaces.

<resourceobjectType>.searchTimelimit

Specifies the maximum time spent searching for a name input to a form (if supported by the resource).

Role View

Used to define Identity Manager role objects.

When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations.

The following table lists the high-level attributes of this view.

applications

Specifies the names of locally assigned applications (Resource Groups).

approvers

Specifies the names of the approvers that must approve the assignment of this role to a user.

approversRule

Specifies a rule that returns a list of one or more users who are approvers when this role is assigned and provisioned on a user.

assignedResources

Flattened list of all assigned resources via resources, resource groups, and roles.

resourceName

Identifies the name of the assigned resource.

name

Identifies the resource name or ID (preferably ID).

attributes

Identifies the characteristics of the resource. All subattributes are strings and are editable.

containedRoles

Lists objects that contain information about each contained role.

name

Specifies the role name.

info

Specifies the following information about the role: description, id, name, noApprovers, and type.

associationType

Specifies whether the association is required, conditional, or optional.

approvalRequired

If associationType is optional, this is a Boolean flag that indicates whether approval is required when this role is requested by the user.

condition

If associationType is conditional, this is the condition that determines whether this role is assigned to a given user.

description

Describes this role.

disabled

Indicates whether the specified role is disabled. The default value is false.

name

Identifies the name of the role. This corresponds to the name of a Role object in the Identity Manager repository.

notifications

Lists the names of administrators that must approve the assignment of this role to a user.

notificationsRule

Specifies a rule that returns a list of one or more users who will be notified when this role is assigned and provisioned on a user.

organizations

Lists organizations of which this role is a member.

owners

Lists one or more users who are specified as approvers for changes to this role.

ownersRule

Specifies a rule that returns a list of one or more users who are approvers for changes to this role.

properties

Identifies the user-defined properties that are stored on this role.

resources

Specifies the names of locally assigned resources.

roles

Specifies the names of locally assigned roles.

type

Identifies this role’s type as defined in the Role Configuration object.

types

Cached type information from the Role Configuration object for use by the view (read-only).

Task Schedule View

Use to create and modify TaskSchedule objects.

This view contains the following attributes:

scheduler

Contains attributes that are related to the scheduler itself, which are common to all scheduled tasks. The attributes are:

Typically, you supply a value for either scheduler.definition or scheduler.template. If you do not specify either value, Identity Manager creates a TaskSchedule object that you can later edit to specify the definition or template.

name

Specifies the name of an existing TaskSchedule object or the desired name for a new TaskSchedule object. It is not required, but if not specified, the system will generate a random identifier.

id

Uniquely identifies the existing TaskSchedule object.

definition

Defines the name a TaskDefinition object to be scheduled.

template

Specifies the name of a TaskTemplate object to be scheduled. If both definition and template are specified, template has priority.

taskOrganization

Contains the name of the organization in which the TaskInstance will be placed when the schedule task is launched.

taskName

Specifies the name of the TaskInstance that is created when the schedule task is launched.

description

Contains descriptive text that will be saved in the TaskInstance that will be created when the schedule task is launched. The description will appear in the task tables in the product interface.

disabled

Controls whether the task scheduler will process the TaskSchedule object. The scheduler ignores TaskSchedule’s whose disable attribute is true. You can use this to temporarily stop running a schedule task, without having to delete and recreate the TaskSchedule object.

start

Indicates the date and time at which to launch the task.

repeatCount

Combined with repeatUnit, determines how frequently tasks will be run. If repeatCount is zero or not specified a scheduled task will only run once. If repeatCount is a positive number, the task will be run more than once at the interval specified by repeatUnit.

repeatUnit

Defines the interval of time between running tasks that have a positive repeatCount value. Valid values include: second, minute, hour, day, week, month. For example, to schedule a task to run once a week for a year set repeatUnit to week, repeatCount to 52, and start to the first day that the task is to run.

resultOption

Specifies what the scheduler will do if a TaskInstance with the desired name already exists when the scheduled task is run. The possible values are: wait, delete, rename, and terminate.

wait

Indicates whether the scheduler should run the task again or wait for another repetition. This attribute is only meaningful if you have set repeatCount and repeatUnit.

delete

Tells the scheduler to delete the existing TaskInstance, if it has finished.

rename

Indicates that the scheduler should rename the existing TaskInstance, if it has finished.

skipMissed

Indicates whether Identity Manager attempts to immediately make up a missed schedule time (false) or simply wait until the next scheduled time (true).

When set to false, Identity Manager immediately attempts to make up a missed schedule time. When set to true, Identity Manager instead waits until the next scheduled time. The default is false.

terminate

Similar to delete, but will also terminate the existing task, if it is still running.

allowMultiple

Controls whether more than one instance of the same task definition or task template are allowed to run. If true (the default), the scheduler will always create a new instance of the task. If false, the scheduler will not create a new instance if there is one already running.

task

Contains task-specific attributes. Each task defines its own attributes, and the task’s form should reference them relative to the task namespace.

Unlock View

Used to unlock accounts for those resources that support native account locking. This view presents and selects the list of resource accounts to be unlocked.

Use the Unlock view instead of the Disable view for accounts whose resources support native account locking.

Contains the following high-level attributes:

id

Specifies the account ID of the Identity Manager user whose passwords are being unlocked.

selectAll

Controls whether all password are unlocked.

currentResourceAccounts

Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).

tobeCreatedResourceAccounts

Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.

tobeDeletedResourceAccounts

Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.

All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts.

Both resource account list are indexed by resource name, and will contain objects that describe the resources on which this user has accounts.

selected

Identifies that this resource has been selected to be unlocked.

name

Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository

type

Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId

Specifies the identity of the account on this resource, if one has been created.

exists

Indicates whether the account already exists on the resource (only in currentResourceAccounts).

locked

Indicates whether the account is currently locked or not (unlocked). The value of exists indicates whether the account already exists on the resource or not (only in currentResourceAccounts).

authenticator

If true, indicates that this resource serves as the pass-through authentication resource for Identity Manager.

fetchAccounts

Causes the view to include account attributes for the resources assigned to the user.

See Setting View Options in Forms in this chapter for more information.

fetchAccountResources

Lists resource names from which to fetch. If unspecified, Identity Manager uses all.

See Setting View Options in Forms in this chapter for more information.

User Entitlement View

Use to create and modify UserEntitlement objects.

This view has the following top-level attributes:

name

Identifies the User Entitlement (by a unique identifier).

status

Specifies the state of User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED.

user

Identifies the name of the associated WSUser for this entitlement.

userId

Specifies the ID of the associated WSUser.

attestorHint

Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hints acts as “advice” from the rule to the attestor.

userView

Contains the User view that is captured by User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object.

reviewInstanceId

Specifies the ID of the PAR Task instance.

reviewStartDate

Indicates the (String) start date of the PAR task (in canonical format).

scanId

Specifies the ID of AccessScan Task definition.

scanInstanceId

Specifies the ID of AccessScan Task instance.

approvalWorkflowName

Identifies the name of workflow to be run for approval. This value comes from the Access Scan Task definition.

organizationId

Specifies the ID of the WSUser’s organization at the time of the scan.

attestorComments

Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan.

attestorComments[timestamp].name

Timestamp used to identify this element in the list.

attestorComments[timestamp].attestor

Identifies the WSUser name of the attestor making the comment on the entitlement.

attestorComments[timestamp].time

Specifies the time at which the attestor attested this record. May differ from the timestamp.

attestorComments[timestamp].status

Indicates the status assigned by the attestor. This can be any string, but typically is a string that indicates the action taken by the attestor -- for example, approve, reject, rescan, remediate.

attestorComments[name].comment

Contains comments added by attestor.

WorkItem View

Used to view and modify WorkItem objects in the repository.

A WorkItem object is created whenever a manual action that is defined in a workflow process is activated. The WorkItem view contains a few attributes that describe the WorkItem object itself, as well as values of selected workflow variables copied from the workflow task.

Identity Manager returns information about the work items in the Work Item view under the workItem.related attribute.

Returning Information about All Active Work Items

This view provides the ability to return information about all work items that are currently active in a workflow task. By default, Identity Manager returns information about only a specified work item, not related work items. However, you can use other options to filter work items, and the attributes of the related work items you want to display.

Example: Using the includeRelatedItems Form Property

By default, Identity Manager uses the Approval form to display work items. Edit this form by adding the includeRelatedItems element to include related work items:

<Properties>
   <Property name=’includeRelatedItems’ value=’true’/>
</Properties>

Example: Using the relatedItemAttributes Form Property

You can also request additional attributes with the relatedItemAttributes option. This option can be a CSV string of names or a list of names. You can request the following standard attributes:

• request

• requester

• description

• activityName

If you request an attribute name that is not on this list, Identity Manager assumes that it is an arbitrary workflow variable, and the value will be returned if it exists in the work item. Common variables found in the standard workflows include:

• accountId

• objectType

• objectName

• diagramLabel

Example: Using the includeRelatedItems Form Property

To include the request and description attributes, add these properties to the Approval form:

<Properties>
   <Property name=’includeRelatedItems’ value=’true’/>
   <Property name=’relatedItemAttributes’ value=’request,description’/>
</Properties>

Example: Using relatedItemFilter Form Property

You can specify the following filter attributes.

If more than one filter attribute is on the list, they will be logically AND’ed together. For example, to return only work items with the same request string that are current locked, add this property to the Approval form:

<Properties>
   <Property name=’includeRelatedItems’ value=’true’/>
     <Property name=’relatedItemAttributes’value=’request,description’/>
     <Property name=’relatedItemFilter’ value=’request,locked’/>
</Properties>

An example field that displays a table of information about the related work items was added to the Approval Library form library, the field name is Related Approvers. You can reference this field from the standard Approval form as follows:

 <FieldRef name=’Related Approvers’/>

Changing the Repository Lock Timeout for Work Items

The default time-out interval for locking work items in the repository is five minutes. You can change this value by adding the following element to the RelocatedTypes element of the RepositoryConfiguration Configuration object:

<TypeDataStore typeName=’WorkItem’ lockTimeoutMillis=’10000’/>

Top-Level Attributes

The following table lists the top-level WorkItem view attributes.

id

Identifies the repository ID of the WorkItem object. Typically generated by Identity Manager and not displayed.

name

Identifies the repository name of the WorkItem object.

taskId

Identifies the repository ID of the workflow TaskInstance. This attribute is used by the system to correlate the work item with the workflow task and must not be changed.

taskName

Identifies the repository name of the workflow TaskInstance. This name is typically set to an informative value and can be displayed. Do not modify it. A typical example task name for a user update would be Updating User jdoe.

processName

Identifies the name of the workflow process definition that contains the manual action.

activityName

Specifies the name of the workflow activity that contains the manual action.

description

Contains a textual description of the work item. Its contents are defined by the workflow process definition. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form.

owner

Identifies the name of the current Identity Manager administrator or user that created the workflow process. This attribute is typically the name of an Identity Manager user. If this work item is assigned to an anonymous user, the name will have the prefix Temp:.

complete

Set to true when the manual action has completed and the workflow is to be resumed. Assignment of the complete attribute must be performed in the Work Item form.

You can edit this Boolean value.

variables

Contains another object whose attributes contain copies of variables from the workflow task. By default, every workflow variable that is in scope when the manual action is activated is copied into the work item. This can be controlled with the Exposed Variables and Editable Variables options in the process definition. Most work item forms display information found under the variables attribute. See the section Using the variables Attribute later in this chapter for more information on using this attribute.

workItem

Specifies additional information about the work item. Contains the following attributes:

views

Contains a list of workflow variables whose values are views. The system uses this attribute to cause view-specific refresh operations when the work item view is refreshed.

Do not change this value.

related

Contains a list of attributes that describe the specified work item.

request

Succinctly describes the purpose of the work item. This description is typically shorter than the value of the description attribute and is often displayed in summary tables.

requester

Identifies the user that initiated the approval.

ignoreTimeOut

Indicates whether the time out should be ignored. A value of true (assigned by the system) indicates that this is a read-only work item that may timeout while being viewed. This is a signal to the system that a check-in failure of the Work Item view should be ignored if the work item no longer exists, rather than displaying an error message. This can be useful for work items that are intended only for status messages that time out immediately so the workflow can continue while the user views the messages.

Do not change this value.

Using the variables Attribute

When writing a work item form, the most common attributes to reference are complete and variables. The complete attribute must be set to the value true in order for the workflow to be resumed. It is typically set by a hidden field in response to pressing button fields with labels such as Approve and Reject.

The variables attribute contains an object whose values are copies of variables from the workflow task. One of the most common workflow variables used in work items is user, which contains a user view. For example, to reference the global.email attribute from a work item form, use the following path expression: