Usage Notes
This section provides information related to using the SmartRoles resource adapter. The information is organized as follows:
-
General Notes
-
Complex Attribute Support
-
Limitations
General Notes
The following general notes are provided for this resource:
-
The SmartRoles adapter communicates directly with the SmartRoles repository, so the Relationship Manager application does not have to be running for the adapter to work.
-
The adapter can generate universal IDs and store connection information in configuration files.
When configuring the SmartRoles adapter, you can choose to have SmartRoles generate the universal ID for new accounts or have the adapter provide the universal ID. When the adapter provides the ID, it uses the value generated from the Identity Template.
Complex Attribute Support
Identity Manager introduced a new complex attribute type that enables the SmartRoles adapter to support complex attributes. The complex attribute type is used when an attribute value is more complicated than a single value or list of values. This new complex type is used with the following attributes:
-
sr_positions
-
sr_grantedRolesSphere
-
sr_organizations
The attribute value for a complex attribute is an instance of the new com.waveset.object.GenericAttribute class. The GenericAttribute instance wraps a GenericObject instance containing the real attribute value information. The GenericObject stores attributes and values in a hierarchy that can be set and retrieved using path expressions.
ResourceAction Support
Although the adapter does not support before and after actions, it does support running actions using the runResourceAction Provision Workflow Service. You can write a SmartRoles action in javascript or BeanShell, and it can call the SmartRoles APIs to perform custom behavior as part of a workflow. Input to the action script is contained in a Map object named actionContext. The actionContext Map contains the following:
|
Key |
Value |
|---|---|
|
action |
String describing the type of action being run. Currently, this action can only be run. |
|
adapter |
Contains a reference to the com.waveset.adapter.SmartRolesResourceAdapter instance. |
|
additionalArgs |
A Map containing any additional arguments passed in to the runResourceAction Provision Workflow Service call. |
|
result |
Reference to the WavesetResult that is returned from the runResourceAction Provision Workflow Service call. |
|
session |
Reference to a SmartRoles IOMSession instance. The session is created using the administrator and password defined in the SmartRoles resource. |
|
trace |
Reference to the com.sun.idm.logging.trace.Trace instance associated with the com.waveset.adapter.SmartRolesResourceAdapter class. You can use this to output trace messages for use in debugging the action script. |
The following ResourceAction XML is an example of a BeanShell action. (Set the actionType to JAVASCRIPT for a javascript action.) This action script takes an argument named user (retrieved from the additionalArgs Map) and searches the SmartRoles repository for one or more Person objects with a LOGON_ID that matches the value in the user argument. The string representation of each matching Person is then returned in the WavesetResult in the ACTION_RC ResultItem.
<?xml version=’1.0’ encoding=’UTF-8’?>
<!DOCTYPE ResourceAction PUBLIC ’waveset.dtd’ ’waveset.dtd’>
<!-- MemberObjectGroups="#ID#Top"-->
<ResourceAction createDate=’1148443502593’>
<ResTypeAction restype=’SmartRoles’ timeout=’0’ actionType=’BEANSHELL’>
<act>
import bridgestream.core.*;
import bridgestream.util.*;
import bridgestream.temporal.person.*;
import java.util.*;
import com.waveset.object.*;
IOMSession session = actionContext.get("session");
OMEngine engine = OMEngine.getInstance(session);
String user = actionContext.get("additionalArgs").get("user");
UTNameValuePair[] criteria = new UTNameValuePair[] { new UTNameValuePair
("LOGON_ID", user) };
UTTimestamp time = UTTimestamp.getSystemTimestamp();
List list = session.search("PERSON", criteria, time, null, null);
Iterator iter = list.iterator();
StringBuffer buf = new StringBuffer();
while (iter.hasNext()) {
ENPerson person = (ENPerson)iter.next();
buf.append(person.toString());
buf.append("\n\n");
}
WavesetResult result = actionContext.get("result");
result.addResult("ACTION_RC", buf.toString());
</act>
</ResTypeAction>
<MemberObjectGroups>
<ObjectRef type=’ObjectGroup’ id=’#ID#Top’ name=’Top’/>
</MemberObjectGroups>
</ResourceAction>
Limitations
Currently, this adapter has the following limitations:
-
Roles can only be granted to SmartRoles person objects. You cannot grant roles to position objects.
-
An Identity Manager installation can only be configured to communicate with a single SmartRoles installation.
-
When assigning a granted role sphere of control, the organizations in the sphere of control include organizations that are directly assigned as well as all descendants of those organizations. If you attempt to assign a descendant of an organization that is assigned, an error will occur.
-
Because the adapter references SmartRoles organizations by name, the organization names within SmartRoles must be unique.
-
When you assign a SmartRoles person object to a position, the adapter does not attempt to find an available position. Instead, the adapter always creates a new position object and assigns the person object to the new position.
- © 2010, Oracle Corporation and/or its affiliates