Sun Identity Manager Deployment Reference

accounts Attribute

The accounts attribute contains a list of objects for each account linked to the Identity Manager user. Each account object contains the values of the account attributes retrieved from the resource.

The name of each account object is typically the name of the associated resource. If more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix. The second account has the suffix |2. The third account on a resource has |3, etc.

For example, if you have a resource named Active Directory that defines an account attribute named Profile, the view path to this attribute would be:

accounts[Active Directory].Profile

If this view path were used in a form field, it would prevent the value of the global.Profile attribute from being propagated to the Active Directory account.


Note –

You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources.


Overriding Resource Attributes

In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Identity Manager, and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server, or the base context in a directory.

You may want to create an account on a resource, but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be overridden on a per-account basis in the view.

Resource attribute overrides are stored in the attribute object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path:

accounts[Active Directory].resourceAttributes.host

Note –

Although overriding resource attributes is not recommended, sometimes you cannot avoid it. You might choose to override a resource attribute to avoid creating duplicate resources that point to the same physical resource but differ by one attribute. For example, in a customer environment that has multiple Active Directory servers, it may make more sense to override the resource attribute host in the form than to create a new resource. Contact your Identity Manager support representative for more information.


accounts[Lighthouse]

Sets the values of only the attributes stored in the Identity Manager repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Identity Manager repository, changes to this attribute are not automatically propagated to resources.

The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The system ignores any name found in this set of attributes that is not registered in the configuration object.

The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset.attributes attribute set.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!--  id="#ID#Configuration:UserExtendedAttributes"
      name="User Extended Attributes"-->
<Configuration id='#ID#Configuration:UserExtendedAttributes'
      name='User Extended Attributes'
      creator='Configurator' createDate='1019603369733' lastMod='2' counter='0'>
  <Extension>
    <List>
      <String>firstname</String>
      <String>lastname</String>
      <String>fullname</String>
      <!-- add string values here -->
      <String>SSN</String>
    </List>
  </Extension>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Configuration>

This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.

accounts[Lighthouse].delegates

Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item.

Each delegate object contains the attributes listed in the Attributes of accounts[Lighthouse].delegate* Attributes table (Table 3–7).

accounts[Lighthouse].delegatesHistory

Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth. Each delegate object contains the attributes listed in the Attributes of accounts[Lighthouse].delegate* Attributes table (Table 3–7).

accounts[Lighthouse].delegatesOriginal

Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation. This attribute takes the attributes contained in the following table.

Table 3–7 Attributes of accounts[Lighthouse].delegate* Attributes

Attribute

Description

workItemType

Identifies the type of workItem being delegated. See the Delegate object model description for the list of valid workItem types.

workItemTypeObjects

Lists the names of the specific roles, resources, or organizations on which the user is delegating future workItem approval requests. This attribute is valid when the value of workItemType is roleApproval, resourceApproval, or organizationApproval.

If not specified, the default is to delegate future workItem requests on all roles, resources, or organizations on which this user is an approver.

toType

Type to delegate to. Valid values are: 

  • manager

  • delegateWorkItemsRule

  • selectedUsers

toUsers

Lists the names of the users to delegate to (if toType is selectedUsers).

toRule

Specifies the name of the rule that will be evaluated to determine the set of users to delegate to (if toType is delegateWorkItemsRule).

startDate

Specifies the date when delegation will start. 

endDate

Specifies the date when delegation will end. 

accounts[Lighthouse].properties

The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Identity Manager repository. You can then use properties in forms and workflows. A property is similar in some ways to an Extended User Attribute, but it is not limited to primitive data types such as strings or integers.

Identity Manager defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list.

Table 3–8 Attributes of accounts[Lighthouse].properties

Attribute 

Description 

name

Identifies the name of the TaskDefinition object to run. 

date

Specifies the date on which to run the task. 

taskName

Identifies the TaskInstance that is created. If none is specified, Identity Manager generates a random name. 

owner

Identifies the name of an Identity Manager administrator that is considered to be the owner of the task. If none is specified, the default owner is Configurator. 

organization

Identifies the Identity Manager organization that the TaskInstance will be placed in. If none is specified, an organization controlled by the task owner is selected at random. 

description

Descriptive text that will be stored in the TaskInstance when it is created. This text is displayed in the task status page of the Identity Manager Administrator Interface. 

Sample Use

You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml.

The field that displays the deferred task table is named Deferred Tasks. Once the waveset.properties attribute has been modified, the deferred task table is referenced by the default Tabbed User Form. If any deferred tasks exist, the table is displayed at the bottom of the Identity tab panel.

accounts[Lighthouse].viewUserForm

Used to display a view-only User form. This form displays field information as Labels so that the administrator cannot change values, although the administrator can still list, view, and search this user information. (The administrator selects a user from the accounts list, then clicks View to see the user details.)

accounts[<resource>].properties

Used to store account properties in the Identity Manager repository. Use this attribute if you have some information about the account (for example, the date it was created) that cannot be stored as a native account attribute on the resource.

accounts[<resource>].waveset.forceUpdate

Specifies a list of resource account attributes that are always sent to the resource for update when a user is modified, so that their values remain available to resource actions. This attribute is required for resource actions to run when a user is unassigned from a resource.

The following field definition from a user form uses a Solaris resource (<resource> has been replaced with the name of the resource, waterloo):


<Field name='accounts[waterloo].waveset.forceUpdate'>
   <Default>
      <List>
         <String>delete after action</String>
         <String>Home directory</String>
      </List>
   </Default>
</Field>

The preceding code causes Identity Manager to send the delete after action and Home directory attributes to the provisioner and resource adapter.

global Attribute

You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts (including Identity Manager). The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Identity Manager repository if there is an extended attribute with the same name.

For example, two resources R1 and R2 define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname.

You can also use global attributes to assign extended attributes that are stored in the Identity Manager repository. If a global attribute is also declared as an extended Identity Manager attribute, it is copied into accounts[Lighthouse].


Note –

Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems.


Referencing Two Different Fullname Attributes

The global attribute can be used in combination with the account attribute for the same attribute name. For example, on an Active Directory resource, the structure of the fullname is lastname, firstname. But all other resources that have a fullname use firstname lastname.

The following example shows how you can reference these two fields in a form.


<Field name='global.fullname'>
   <Expansion>
      <concat>
         <ref>global.firstname</ref><s> </s>
         <ref>global.lastname</ref>
      </concat>
   </Expansion>
</Field>
<Field name='accounts[ActiveDir].fullname'>
   <Expansion>
      <concat>
         <ref>global.lastname</ref><s>, </s>
         <ref>global.firstname</ref>
      </concat>
   </Expansion>
</Field>

In the preceding example, creating a new user works as expected. However, when you load the user, the fullname attribute from the Active Directory resource may be used to populate the global.fullname field.

A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:


<Field name='global.fullname'>
   <Derivation>
      <or>
         <ref>accounts[LDAP res].fullname</ref>
         <ref>accounts[AD res].fullname</ref>
      </or>
   </Derivation>
   <Expansion>
      <concat>
         <ref>global.firstname</ref><s> </s>
         <ref>global.lastname</ref>
      </concat>
   </Expansion>
</Field>

By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the AD resource.
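To make the propagation rules concrete, the following added example (not Identity Manager code) models a save of the global attribute set together with the fullname Expansion and Derivation fields above. The resource names LDAP and ActiveDir, their schema maps, and the registered extended attribute names are constructed, and the form's <Expansion> and <Derivation> elements are stood in for by Python functions.

```python
"""Model of how saving a user view spreads global.* values to accounts
(added example built from the rules in the text; not Identity Manager
code, and the resources, schema maps and names are constructed)."""
import re

# Account attribute names each constructed resource defines in its schema
# map. accounts[Lighthouse] (the repository) accepts only the names
# registered in the Extended User Attributes Configuration.
SCHEMA_MAPS = {'LDAP': {'firstname', 'lastname', 'fullname'},
               'ActiveDir': {'fullname', 'Profile'}}
EXTENDED_USER_ATTRIBUTES = {'firstname', 'lastname', 'fullname', 'SSN'}

# Stand-in for the two <Expansion> fields in the text: each view path
# maps to a function of the global attributes.
FULLNAME_FORM = {
    'global.fullname': lambda g: '%s %s' % (g['firstname'], g['lastname']),
    'accounts[ActiveDir].fullname':
        lambda g: '%s, %s' % (g['lastname'], g['firstname']),
}
_ACCOUNT_PATH = re.compile(r'accounts\[([^\]]+)\]\.(\w+)$')


def run_form(form, global_attrs):
    """Evaluate each Expansion in order; returns the global attributes
    and a {resource: {attr: value}} map of account-specific values."""
    glob, per_account = dict(global_attrs), {}
    for path, fn in form.items():
        value = fn(glob)
        if path.startswith('global.'):
            glob[path[len('global.'):]] = value
        else:
            res, attr = _ACCOUNT_PATH.match(path).groups()
            per_account.setdefault(res, {})[attr] = value
    return glob, per_account


def save_view(global_attrs, per_account, accounts=None):
    """Apply the save rules from the text: each global attribute is copied
    to every account whose schema map defines the name and, when it is a
    registered extended attribute, to accounts[Lighthouse]; a value set
    through an accounts[res].attr path wins over the global value for that
    one account; names that are not registered never reach Lighthouse."""
    if 'accountId' in global_attrs:
        # Guard for the note in the text: the resources' DN templates
        # generate the account ID, so global.accountId must not be used.
        raise ValueError('do not set global.accountId in a form')
    result = {res: dict(attrs) for res, attrs in (accounts or {}).items()}
    for res, schema in SCHEMA_MAPS.items():
        acct = result.setdefault(res, {})
        acct.update({n: v for n, v in global_attrs.items() if n in schema})
        acct.update(per_account.get(res, {}))  # account path wins
    lh = result.setdefault('Lighthouse', {})
    for source in (global_attrs, per_account.get('Lighthouse', {})):
        lh.update({n: v for n, v in source.items()
                   if n in EXTENDED_USER_ATTRIBUTES})
    return result


def derive_fullname(accounts):
    """The <Derivation><or> from the text, run when the view is loaded:
    the first non-empty fullname, LDAP before ActiveDir."""
    for res in ('LDAP', 'ActiveDir'):
        value = accounts.get(res, {}).get('fullname')
        if value:
            return value
    return None
```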

accountInfo Attribute

Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:

Most account information is stored in the accountInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use each name to index the account list attribute.

For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role.


<FieldLoop for='name' in='accountInfo.fromRole'>
   <Field name='accountInfo.accounts[$(name)].name'>
      <Display class='Label'/>
   </Field>
</FieldLoop>
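The FieldLoop above and the accounts[...] paths from the accounts attribute section rely on the same view-path syntax. The following is an added example, not code from Identity Manager: a small resolver that splits such paths (bracketed names with spaces, the |n account suffix, $(name) substitution, and the * wildcard used later with accountInfo.types) and walks them over a view modelled as nested dicts. The sample view, resource names and values are constructed.

```python
"""Resolver for Identity Manager user-view paths such as
accounts[Active Directory|2].Profile (added example: the view is modelled
as nested dicts; this is not Identity Manager's own resolver)."""
import re

# One step: a name, optionally followed by [index]; the index may hold
# spaces, a '|n' suffix, '*', or a $(var) FieldLoop reference.
_STEP = re.compile(r'([^.\[\]]+)(?:\[([^\]]*)\])?')


def account_key(resource, n=1):
    """Key of the n-th account on a resource: no suffix for the first
    account, '|n' for the others (accounts[Active Directory|2])."""
    return resource if n == 1 else '%s|%d' % (resource, n)


def parse_path(path, variables=None):
    """Split a path into (name, index) steps. $(var) inside an index is
    filled from `variables`, as FieldLoop does; '*' is kept as-is."""
    variables = variables or {}
    found = _STEP.findall(path)
    # Rebuilding the path from its steps must give the input back.
    rebuilt = '.'.join(n + ('[%s]' % i if i else '') for n, i in found)
    if rebuilt != path:
        raise ValueError('bad view path: %r' % path)
    sub = lambda i: re.sub(r'\$\((\w+)\)',
                           lambda v: variables[v.group(1)], i)
    return [(n, sub(i) if i else None) for n, i in found]


def resolve(view, path, variables=None):
    """Value at `path`, or None when a step is missing. A '*' index
    fans out: the rest of the path is resolved against every element
    and the results come back as a list (accountInfo.types[*].name)."""
    return _walk(view, parse_path(path, variables))


def _walk(node, steps):
    for i, (name, index) in enumerate(steps):
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
        if index is None:
            continue
        if index == '*':
            return [_walk(elem, steps[i + 1:]) for elem in node.values()]
        if not isinstance(node, dict) or index not in node:
            return None
        node = node[index]
    return node


def field_loop(view, for_var, in_path, body_path):
    """Mimic <FieldLoop for=var in=path>: resolve body_path once for
    each name listed at in_path, substituting $(var)."""
    return [resolve(view, body_path, {for_var: name})
            for name in resolve(view, in_path) or []]


# Constructed sample view; not data from a real deployment.
SAMPLE_VIEW = {
    'accounts': {
        account_key('Active Directory'): {
            'Profile': 'Sales',
            'resourceAttributes': {'host': 'ad1.example.test'}},
        account_key('Active Directory', 2): {'Profile': 'Finance'},
    },
    'accountInfo': {
        'fromRole': ['Active Directory', 'Solaris'],
        'accounts': {'Active Directory': {'name': 'Active Directory'},
                     'Solaris': {'name': 'Solaris'}},
        'types': {'Unix': {'name': 'Unix', 'accounts': ['ann', 'ann2']}},
    },
}
```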

The following table shows the accountInfo view attributes, which describe characteristics of the user's accounts.

Table 3–9 accountInfo Attributes (User View)

Attribute 

Description 

accountInfo.accounts

Lists objects that contain information about each resource account associated with the user (for example, created, disabled). 

accountInfo.assigned

Lists the resources that are assigned to the user. 

accountInfo.fromRole

Lists (in flat list format) resources assigned to the user through the role. 

accountInfo.privates

Lists (in flat list format) resources assigned directly to the user. 

accountInfo.toCreate

Lists names of all resources currently assigned to the user but for which accounts do not yet exist in Identity Manager. 

accountInfo.toDelete

Lists names of resources that are no longer assigned to the user, but that are still known to exist. 

accountInfo.types

Lists each type of resource that is currently assigned to the user, directly or through Reserve Groups. 

accountInfo.typeNames

Lists unique type names for every assigned resource. 

accountInfo.accounts

Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource.

Example

accountInfo.accounts[Active Directory].type

Objects found in the accountInfo.accounts list have the following attributes, as defined in the following table.

Table 3–10 accountInfo.accounts Attributes (User View)

Attribute 

Description  

attributes

Information about all the account attributes defined by this resource. 

name

Name of the resource where the account exists or will be created. 

id

Repository ID of the resource. 

type

Resource type name. 

accountId

Name of the user’s account on this resource. 

assigned

True if the account is currently assigned. Accounts that are not assigned can be deleted by Identity Manager. 

protected

True if the account is currently protected. This means that update or delete operations on the account are ignored. 

passwordPolicy

Information about the password policy defined for this resource. 

accountInfo.accounts[ ].attributes[ ]

Contains information about all the account attributes defined by this resource. These attributes are listed on the schema map page of the resource. The value of the attribute is a List of objects.

The following table defines the attributes that these objects contain.

Table 3–11 accountInfo.accounts[ ].attributes[ ] Attributes (User View)

Attribute  

Description  

name

The name of the Identity Manager resource account attribute. This name is defined in the resource schema map. 

syntax

The syntax of the attribute value. The value of the syntax attribute is one of the following values:

  • int

  • string

  • boolean

  • encrypted

  • binary

  • complex

Refer to the Resource Reference to determine if binary or complex attributes are supported for the resource. An exception is thrown if you attempt to send binary or complex attributes to a resource that does not support these attributes. 

Binary attributes should be kept as small as possible. Identity Manager will throw an exception if you attempt to manage a binary attribute that is larger than 350 KB. Contact Customer Support for guidance if you need to manage attributes larger than 350 KB. 

multi

True if the attribute allows multiple values. 

If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.

accountInfo.accounts[].passwordPolicy

A resource can be assigned a password policy. If the resource has an assigned password policy, the value of this attribute contains information about it.

The following table defines the attributes in the accountInfo.accounts[resname].passwordPolicy.

Table 3–12 accountInfo.accounts[resname].passwordPolicy Attributes (User View)

Attribute 

Description 

name

The name of policy. This corresponds to the name of a policy object in the Identity Manager repository. 

summary

A brief text description of the policy including information about each of the policy attributes. 

attributes

The value of this attribute is another object that contains the names and values of each policy attribute. 

Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map.

Forms that provide an interface for changing and synchronizing passwords often use this information.

accountInfo.accounts[Lighthouse]

This special entry in the accountInfo list is used to hold information about the Identity Manager default password policy. This is convenient when displaying password forms since information about the Identity Manager password and policies must be displayed along with the information for resource accounts.

This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.

accountInfo Resource Name Lists

The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics.

The accountInfo attributes that can contain resource names are:

accountInfo.assigned

Identifies the resources that are assigned to the user. If you are designing a form, you can reference this attribute to display a list of the resources assigned to the user through roles, through applications, and directly.

accountInfo.typeNames

A list of unique type names for every assigned resource. This is used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected.


<Field name='HomeDirectory' prompt='Home Directory'>
   <Display class='Text'/>
   <Disable>
      <not>
         <contains>
            <ref>accountInfo.typeNames</ref>
            <s>Solaris</s>
         </contains>
      </not>
   </Disable>
</Field>

This returns the same information as the path accountInfo.types[*].name but is more efficient, which is important when used with Disable expressions. This list can include common resource types.

You can determine the resource type names by bringing up the resource list in the Identity Manager Administrator Interface. The Type column on this page contains the type names of the currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountInfo.types

This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List of objects.

The following table shows the attributes that belong to each object.

Table 3–13 accountInfo.types Attributes (User View)

Attribute 

Description 

accounts

List of accountIds for each account assigned to the user that is of this type. 

name

Resource type name. 

For example, you can determine a list of IDs for all UNIX accounts with the following path:

accountInfo.types[Unix].accounts

display Attribute

The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing.

The following table shows the most used display view attributes.

Table 3–14 Most Used display Attributes (User View)

Attribute 

Description  

eventType 

Indicates whether the user view is servicing a create or update request, as indicated by the values create or update (read-only). 

session

A handle to an authenticated Identity Manager session. This attribute is valid only during an interactive editing session in the Identity Manager Administrator Interface. It is provided as an access point into the Identity Manager repository. The value of this attribute can be passed to methods in the com.waveset.ui.FormUtil class.

The display.session attribute is not valid in the following cases where form processing may occur:

  • in the bulk loader

  • during background reprovisioning

  • in unsynchronized actions or approvals

Best practices suggest using this attribute only within a Property or Constraints element. In almost all existing forms, display.session is used only in Constraints elements.

subject

An object holding information about the credentials of an Identity Manager user or administrator. This value is set in almost all cases, but is typically used in workflow applications called during background activities where the display.session is no longer valid. The subject can be used to get a new session. In this case, it is used for gaining access to the repository.

state 

A handle to a com.waveset.ui.util.RequestState object that in turn contains handles to objects related to the HTTP request, such as the javax.servlet.http.HttpSession.

Default itemType Behavior

Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem.

When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab:

Overriding Default Behavior

You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form as follows:


<Form ......>
   <Properties>
      <Property name='allowedWorkItemTransitions'>
         <list>
            <s>myCustomType</s>
         </list>
      </Property>
   </Properties>