Sun Java[TM] System Identity Manager 7.0 Workflows, Forms, and Views
Chapter 5
Identity Manager Views
This chapter introduces Sun Java System Identity Manager views, which are data structures used in Identity Manager. It provides background for views, including an overview of how to implement views with Identity Manager workflows and forms, as well as reference information.
Topics in this Chapter
This chapter is organized into the following sections:
Related Chapters
- Identity Manager Forms — Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.
Understanding Identity Manager Views
An Identity Manager view is a collection of attributes that is assembled from one or more objects managed by Identity Manager. Views are transient, dynamic, and not stored in the repository. The data in a view can change if the view is refreshed to reflect a new role or resource assignment.
If you are using Identity Manager, you will encounter views primarily in forms and workflows. An Identity Manager form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable, series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules.
When working with views, it helps to first understand:
What Is a View?
The most important view is the user view, which contains the user attributes that are stored in Identity Manager and attributes that are read from accounts managed by Identity Manager. Some attributes in the user view are visible in the forms that are presented by the Identity Manager User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values.
For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user’s full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Identity Manager. Once approved (where approval is required), the system converts the user view back into one or more objects in the Identity Manager repository and sends the view to the resources assigned to the user to create or update the user’s resource accounts.
View Attributes
A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository, or read from resources. The value of a view attribute can be atomic such as a string, a collection such as a list, or reference to another object.
Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false.
What Is a View Handler?
View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user.
Views and Forms
Identity Manager forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Identity Manager user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Identity Manager merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in which typically results in the view being passed as input to a workflow process.
Views and Workflow
Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts.
Common Views
The following views are frequently used with both customized forms and workflows.
Understanding the User View
The User view is the collection of attributes that contain information about an Identity Manager user, including:
The user view is most often used with forms that are designed for the pages that create or edit users. These pages launch workflow processes that store a changed user view until it is necessary to push the updated view information back out to Identity Manager and associated resources. While the user view is stored in a workflow process, the workflow process can manipulate attribute values through workflow actions. Workflow can also expose attribute values for user input through manual actions and approval forms.
How the User View Is Integrated with Forms
The user view is often used in conjunction with a form. Forms contain rules that control how data is presented through HTML fields and is processed after the HTML page rendering the form is submitted. A system component called the form generator combines a form definition and a view to produce HTML that a browser then displays.
View attribute values are displayed by assigning them to an HTML component in the form. (See Chapter 8, "HTML Display Components," for more information on how view attributes can be displayed.)
Views are implemented as instances of the GenericObject class. This class provides a mechanism for the representation of name/value pairs and utilities for traversing complex hierarchies of objects through path expressions. A path expression is a string that is interpreted at runtime to traverse an object hierarchy and retrieve or assign the value of an attribute.
You must understand how to write path expressions to assign valid form field names. For more information on using path expressions, refer to the section titled Path Expressions.
How the User View Is Integrated with Workflow
Workflow processes that contain a user view typically store it in a workflow variable named user. You can reference a view in the workflow expressions by prefixing user to a user view path (for example, user.waveset.accountId). The string waveset identifies the attribute named accountId as belonging to another object named waveset, which itself belongs to the user view object.
Approval forms are written for a view known as the WorkItem view. The Work Item view by default contains all the workflow variables under an attribute named variables. If the approval form is written for a workflow that contains a user view, the prefix variables.user. is used to reference attributes in the user view (for example, variables.user.waveset.roles). See WorkItem View later in this chapter for more information.
Generic Object Class
At a high level, objects are simply named collections of attributes, which are name/value pairs. The value of an attribute can be an atomic value such as a string, a collection such as a list, or a reference to another object. You can represent almost any object abstractly with the Map, List, and String Java classes.
Within the Identity Manager system, the GenericObject class provides a simple memory model for the representation of arbitrary objects and collections. It includes features for easily navigating object hierarchies to access or modify attribute values.
The GenericObject class implements the java.util.Map interface and internally uses a java.util.HashMap to manage a collection of name/value pairs. The entries in this map are called attributes. The value of an attribute can be any Java object that is able to serialize itself as XML. The most common attribute values found in a GenericObject are instances of the following classes:
You can construct complex hierarchies of objects by assigning Lists or GenericObjects as attribute values. Once you have assigned attribute values, you traverse this hierarchy to access the values of an attribute.
Path Expressions
A path expression is a string that is interpreted at runtime by the GenericObject class to traverse an object hierarchy and retrieve or assign the value of an attribute. Identity Manager uses a system of dots and brackets to represent objects and attributes in the hierarchy.
You use path expressions as the value of the name attribute in form fields when customizing a form (for example, <Field name='user.waveset.roles'/>).
Traversing Objects
The following simple example illustrates a GenericObject with two attributes:
To create a path expression to the street attribute of the address object, use address.street.
Path expressions use the dot character (.) to indicate traversal from one object to another. This is similar to the way dot is used in Java or the '->' operator is used in C. Paths can be long, as illustrated by this example:
user.role.approver.department.name
Traversing Lists
You can also use path expressions to traverse values that are lists. Consider an object that has an attribute children whose value is a java.util.List. Each object in the list is itself a GenericObject with a name attribute and an age attribute. Write the path to the name of the first child as:
children[#0].name
Path expressions use square brackets to indicate the indexing of a list. The token between brackets is the index expression. In the simplest case, this is a positive integer that is used to index the list by element position.
Typically, the position of an object in a list is arbitrary. Index expressions can also specify simple search criteria to identify one object in the list. Objects in a list typically have a name attribute, which serves to uniquely identify this object among its peers. Path expressions support an implicit reference to an object's name attribute within the index expression.
For example:
children[hannah].age
The preceding path expression obtains the list of objects stored under the children attribute. This list is searched until an object with a name attribute equal to hannah is found. If a matching object is found, the value of the age attribute is returned. The previous example is shorthand for the more general form.
children[name=hannah].age
Calculating Lists
You can also write path expressions that calculate List values that are not stored in the object. For example:
accounts[*].name
When an asterisk is found as an index expression, it implies an iteration over each element of the list. The result of the expression is a list that contains the results of applying the remaining path expression to each element of the list. In the previous example, the result would be a list of String objects. The strings would be taken from the name attribute of each object in the accounts list.
Path expressions with * (asterisk) are used with the FieldLoop construct in forms to replicate a collection of fields.
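As an added example (this is not code from Identity Manager, and it does not use the product's GenericObject API), the following Python evaluator implements the dots-and-brackets grammar described above over plain dicts and lists: `[#n]` positional indexes, `[name]` and `[name=value]` searches, and `[*]` iteration. The USER_VIEW below is constructed sample data; it goes slightly beyond this section by also resolving account names that carry a `|` qualifier, which are matched as ordinary names.

```python
"""Evaluator for Identity Manager style path expressions over dicts and lists.

Independent re-implementation of the grammar described in this chapter; it
does not use the product's GenericObject class. Missing attributes, missing
list elements and failed searches evaluate to None (the view's "null").
"""
import re
from typing import Any, List, Tuple

# One path step: an attribute name followed by zero or more [index] selectors.
_STEP = re.compile(r"([^.\[\]]+)((?:\[[^\]]*\])*)")
_INDEX = re.compile(r"\[([^\]]*)\]")


def parse_path(path: str) -> List[Tuple[str, List[str]]]:
    """Split 'a.b[#0].c' into [('a', []), ('b', ['#0']), ('c', [])]."""
    steps = []
    pos = 0
    while pos < len(path):
        match = _STEP.match(path, pos)
        if match is None:
            raise ValueError(f"bad path expression at offset {pos}: {path!r}")
        steps.append((match.group(1), _INDEX.findall(match.group(2))))
        pos = match.end()
        if pos < len(path):
            if path[pos] != ".":
                raise ValueError(f"expected '.' at offset {pos}: {path!r}")
            pos += 1
    return steps


def _select(items: list, token: str) -> Any:
    """Resolve one index expression against a list (everything except '*')."""
    if token.startswith("#"):            # absolute position, e.g. [#0]
        try:
            return items[int(token[1:])]
        except (ValueError, IndexError):
            return None
    if "=" in token:                     # explicit search, e.g. [name=hannah]
        attr, _, wanted = token.partition("=")
    else:                                # implicit search on 'name', e.g. [hannah]
        attr, wanted = "name", token
    for item in items:
        if isinstance(item, dict) and str(item.get(attr)) == wanted:
            return item
    return None


def _apply_indexes(value: Any, selectors: List[str], rest: list) -> Any:
    if not selectors:
        return _walk(value, rest)
    token, more = selectors[0], selectors[1:]
    if not isinstance(value, list):
        return None
    if token == "*":                     # iterate: apply the remainder to each element
        return [_apply_indexes(item, more, rest) for item in value]
    return _apply_indexes(_select(value, token), more, rest)


def _walk(value: Any, steps: list) -> Any:
    if not steps:
        return value
    (name, selectors), rest = steps[0], steps[1:]
    if not isinstance(value, dict):
        return None
    return _apply_indexes(value.get(name), selectors, rest)


def get_path(obj: dict, path: str) -> Any:
    """Evaluate a path expression against a dict/list hierarchy."""
    return _walk(obj, parse_path(path))


# Constructed sample user view (not real Identity Manager data).
USER_VIEW = {
    "waveset": {"accountId": "jdoe", "id": None, "roles": ["Engineer"]},
    "children": [
        {"name": "hannah", "age": 7},
        {"name": "liam", "age": 4},
    ],
    "accounts": [
        {"name": "Lighthouse", "fullname": "Jane Doe"},
        {"name": "Exchange Server", "Profile": "Sales"},
        {"name": "Exchange Server|2", "Profile": "Shared"},   # second account: |n suffix
        {"name": "corp-ad|admin", "accountId": "jdoe-adm"},  # type-qualified name
    ],
}

if __name__ == "__main__":
    for expr in ("children[#0].name", "children[hannah].age",
                 "children[name=hannah].age", "accounts[*].name",
                 "accounts[Exchange Server|2].Profile", "waveset.id"):
        print(f"{expr:40} -> {get_path(USER_VIEW, expr)!r}")
```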
Account Types and User-Oriented Views
When you assign an account type to a user, Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:
- Use a value of null to indicate an account of the default type. Reference an account of the default type by resource name (for example, accounts[corp-ad]).
- Use a type-qualified name instead of the resource name to reference an account of a specific type. The type-qualified resource name takes this form:
<resource name>|<type of account>
User View Attributes
Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Identity Manager system.
Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.
MetaView Attributes
If your deployment uses Identity attributes, Identity Manager creates an additional namespace in the User view. This additional namespace, called metaView, contains identity attribute-related information. Identity Manager creates this MetaView object to store meta view/identity attribute information in the Identity Manager repository.
For each Identity attribute that is defined, there is an attribute in the metaView namespace that contains the value of this attribute. For example, for the firstname, lastname, and waveset.roles Identity attributes, the User view has corresponding attributes called metaView.firstname, metaView.lastname, and metaView.waveset.roles that contain the calculated values for each of these attributes.
When populating a User view for Reconciliation, Load from Resource, or Load from File, the Meta view supports loading only the resource account data from the resources assigned to an Identity Manager user that are also targets sourced from the resource being loaded, and are therefore subject to change. The Identity Manager user's operational attributes that don't affect accounts – for example, account ID and organization – are always in the view, as are user extended attributes such as firstname and lastname.
For more information, see Working with Attributes in the Identity Manager Technical Deployment Overview.
Introduction
Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested.
The user view contains the attributes described in the following table, which are further defined in subsequent sections.
When you design a form, the field names are typically paths into the user view's waveset, global, and accounts attributes (for example, global.firstname).
Selecting the Appropriate Variable Namespaces
The user view provides several namespaces for deriving account-related information. The following table summarizes these variable namespaces.
Referencing Attributes
Within a form, you can reference attributes in two ways:
For more information on setting the Field name element in a form field, see the chapter titled Identity Manager Forms.
Within workflow, you can reference Field attributes as process variables (that is, variables that are visible to the workflow engine) or in XPRESS statements for actions and transitions. When referencing these attributes in workflow, you must prefix the path with the name of the workflow variable where the view is stored (for example, user.waveset.accountId).
Attributes with Transient Values
You can define fields that store values at the top-level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Identity Manager repository or propagated to a resource account.
For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code, p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.
In general, use the top-level field syntax if you are:
Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.
<Field name='p1' required='true'>
  <Display class='Text'>
    <Property name='title' value='Work Phone Number'/>
    <Property name='size' value='3'/>
    <Property name='maxLength' value='3'/>
  </Display>
</Field>
<Field name='p2' display='true' required='true'>
  <Display class='Text'>
    <Property name='rowHold' value='true'/>
    <Property name='noNewRow' value='true'/>
    <Property name='size' value='3'/>
    <Property name='maxLength' value='3'/>
  </Display>
</Field>
<Field name='p3' display='true' required='true'>
  <Display class='Text'>
    <Property name='rowHold' value='true'/>
    <Property name='noNewRow' value='true'/>
    <Property name='size' value='4'/>
    <Property name='maxLength' value='4'/>
  </Display>
</Field>
<Field name='global.workPhone' required='true' hidden='true'>
  <Expansion>
    <concat>
      <ref>p1</ref>
      <s>-</s>
      <ref>p2</ref>
      <s>-</s>
      <ref>p3</ref>
    </concat>
  </Expansion>
</Field>
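The following Python model is an added illustration (not Identity Manager code) of what the form above does with its transient fields: the submitted p1, p2 and p3 values are merged into an in-memory view, the Expansion computes global.workPhone, and at check-in only the prefixed namespaces survive. It assumes a plain dict stands in for the view and re-checks required='true' and maxLength on the server side, since those form properties are only hints to the browser.

```python
"""Model of transient top-level form fields versus persisted view namespaces.

Added illustration, not Identity Manager code: it mimics what the work-phone
form does with p1/p2/p3 and global.workPhone, using a plain dict as the view.
"""
from typing import Dict, List

# Top-level view namespaces that the view handler stores or propagates.
# Anything else at the root (p1, p2, p3 here) is transient.
PERSISTED_NAMESPACES = ("waveset", "global", "accounts")

# Width of each phone field; maxLength in the form is only a browser-side hint,
# so the widths are enforced again here before the values enter the view.
PHONE_PARTS = {"p1": 3, "p2": 3, "p3": 4}


def set_path(view: dict, path: str, value) -> None:
    """Assign a dotted path such as 'global.workPhone', creating objects as needed."""
    *parents, leaf = path.split(".")
    obj = view
    for part in parents:
        obj = obj.setdefault(part, {})
    obj[leaf] = value


def validate_phone_parts(submitted: Dict[str, str]) -> List[str]:
    """Server-side re-check of required='true' and maxLength for p1..p3."""
    errors = []
    for name, width in PHONE_PARTS.items():
        value = submitted.get(name, "")
        if not (value.isdigit() and len(value) == width):
            errors.append(f"{name}: expected exactly {width} digits")
    return errors


def refresh(view: dict, submitted: Dict[str, str]) -> List[str]:
    """Merge the form's declared fields into the view, then run the Expansion.

    Returns a list of validation errors; on error the view is left untouched.
    """
    errors = validate_phone_parts(submitted)
    if errors:
        return errors
    for name in PHONE_PARTS:            # only fields the form declares are merged
        set_path(view, name, submitted[name])
    # <Expansion><concat><ref>p1</ref><s>-</s><ref>p2</ref><s>-</s><ref>p3</ref></concat></Expansion>
    set_path(view, "global.workPhone", "-".join(view[name] for name in PHONE_PARTS))
    return []


def check_in(view: dict) -> dict:
    """Keep only the namespaces that are stored or propagated to resources."""
    return {k: v for k, v in view.items() if k in PERSISTED_NAMESPACES}


if __name__ == "__main__":
    view = {"waveset": {"accountId": "jdoe"}}        # constructed sample view
    print(refresh(view, {"p1": "555", "p2": "123", "p3": "4567"}))
    print(check_in(view))                             # p1/p2/p3 are gone, global.workPhone stays
```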
waveset Attribute
The waveset attribute set contains the information that is stored in a WSUser object in the Identity Manager repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form but are provided so that Identity Manager can fully represent all information in the WSUser object in the view.
Most Used Attributes
Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.
waveset.accountId
Specifies the visible name of the Identity Manager user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Identity Manager account.
For information on renaming a user, see Identity Manager Administration.
waveset.applications
Contains a list of the names of each application (also called resource group in the Identity Manager user interface) assigned directly to the user. This does not include applications that are assigned to a user through a role.
waveset.attributes
Collection of arbitrary attributes that is stored with the WSUser in the Identity Manager repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:
waveset.attributes.fullname
or
accounts[Lighthouse].fullname
You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the attribute is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the accounts[Lighthouse] attribute for an example of how to extend the extended user attributes.
waveset.correlationKey
Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.
waveset.creator
Contains the name of the administrator that created this user.
This attribute is read-only.
waveset.createDate
Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z
Example
05/21/02 14:34:30 CST
This attribute is set once only and is read-only.
waveset.disabled
Contains the disabled status of the Identity Manager user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string.
You can modify this attribute to enable or disable the Identity Manager user, although it is more common to use the global.disable attribute. (Prepending global. to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Identity Manager.)
Once this value becomes true, the user cannot log in to the Identity Manager user interface.
waveset.email
Specifies the email address stored for a user in the Identity Manager repository. Typically, it is the same email address that is propagated to the resource accounts.
Modifications to this attribute apply to the Identity Manager repository only. If you want to synchronize email values across resources, you must use the global.email attribute.
You can modify this attribute.
waveset.exclusions
Lists the names of the resources that will be excluded from provisioning, even if the resource is assigned to the user through a role, resource group, or directly.
waveset.id
Identifies the repository ID of the Identity Manager user object. Once the user has been created in Identity Manager, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null).
Example
The following example shows an XPRESS statement that tests to see if waveset.id is null:
<isnull><ref>waveset.id</ref></isnull>
waveset.lastModDate
Contains the date at which the last modification was made. It represents the date as the number of milliseconds since midnight, January 1, 1970 GMT. This attribute is updated each time a user account is modified.
This attribute is read-only.
waveset.lastModifier
Contains the name of the administrator or user that last modified this user account.
This attribute is read-only.
waveset.locked
Indicates whether the user is locked. A value of true indicates that the user is locked.
waveset.lockExpiry
Specifies when the user lock expires if the user's Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time.
waveset.organization
Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization.
Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison.
waveset.original
Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records.
Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are:
To reference these attributes, prepend waveset.original. to the attribute name (for example, waveset.original.role).
password
Specifies the Identity Manager user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string.
The password attribute set contains the attributes described in the following table.
waveset.passwordExpiry
Contains the date on which the Identity Manager password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm/dd/yy.
waveset.passwordExpiryWarning
Contains the date on which warning messages will start being displayed whenever the user logs into the Identity Manager User Interface. This is typically a date prior to the waveset.passwordExpiry date in the same format (mm/dd/yy).
waveset.questions
Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes.
The waveset.questions attribute set contains the attributes described in the following table.
The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names.
For example, the path waveset.questions[#1].question addresses the second element of the questions list (list indexes start from zero). However, since there may be only one question on the list whose ID is the number 1, the ID is not necessarily suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID (in this example, Q1). The path waveset.questions[Q1].question then always correctly addresses the question.
waveset.resources
Contains a list of the names of each resource that is assigned directly to the user. This list does not include resources that are assigned to a user through a role or through applications. You can add only unqualified resource names to this attribute. To find all resources that are assigned to a user, see the section on the accountInfo attribute.
waveset.resourceAssignments
Qualifies the assigned resource list. (This attribute parallels the existing waveset.resources attribute.) All resources in this attribute appear as unqualified in waveset.resources. Even if a user is assigned only an account of non-default type, the resource will appear in waveset.resources.
You can add new assignments to either waveset.resources or waveset.resourceAssignments; the two lists automatically resynchronize when the view is refreshed. Adding a name to waveset.resources adds an assignment for an account of the default type. You can add both qualified and unqualified resource names to waveset.resourceAssignments, which adds an account of the type given by the qualifier.
waveset.roles
Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles.
Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.
waveset.serverId
Used to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. See Identity Manager Installation for more information.
accounts Attribute
The accounts attribute contains a list of objects for each account linked to the Identity Manager user. Each account object contains the values of the account attributes retrieved from the resource.
The name of each account object is typically the name of the associated resource. If more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix. The second account has the suffix |2. The third account on a resource has |3, etc.
For example, if you have a resource named Exchange Server that defines an account attribute named Profile, the view path to this attribute would be:
accounts[Exchange Server].Profile
If this view path were used in a form field, it would prevent the value of the global.Profile attribute from being propagated to the Exchange Server account.
Note
You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources.
Overriding Resource Attributes
In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Identity Manager, and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server, or the base context in a directory.
You may want to create an account on a resource, but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be overridden on a per-account basis in the view.
Resource attribute overrides are stored in the account object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path:
accounts[Exchange Server].resourceAttributes.host
accounts[Lighthouse]
Sets the values of only the attributes stored in the Identity Manager repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Identity Manager repository, changes to this attribute are not automatically propagated to resources.
The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The system ignores any name found in this set of attributes that is not registered in the configuration object.
The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset.attribute set.
This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.
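As an added example (not Identity Manager code), the following Python model shows the two behaviours described above at check-in: names not registered in the Extended User Attributes configuration are ignored, and the edited accounts[Lighthouse] values are compared against waveset.attributes to build the update summary before being copied over. EXTENDED_USER_ATTRIBUTES is a constructed stand-in for the configuration object with SSN added; redacting SSN in the summary is this example's own assumption, not something the page states.

```python
"""Extended User Attributes allowlist and the accounts[Lighthouse] update summary.

Added model, not product code. EXTENDED_USER_ATTRIBUTES stands in for the
Extended User Attributes configuration object (extended with SSN); the
redaction of SSN values in the summary is this example's own assumption.
"""
from typing import Dict, List, Tuple

# Names allowed in accounts[Lighthouse]; anything else is ignored at check-in.
EXTENDED_USER_ATTRIBUTES = frozenset({"firstname", "lastname", "fullname", "SSN"})

# Values never written in clear into summaries or audit records (assumption).
SENSITIVE = frozenset({"SSN"})


def lighthouse_account(view: dict) -> dict:
    """Return the accounts[Lighthouse] object from the view, creating it if absent."""
    for account in view.setdefault("accounts", []):
        if account.get("name") == "Lighthouse":
            return account
    account = {"name": "Lighthouse"}
    view["accounts"].append(account)
    return account


def registered_attributes(account: dict) -> Tuple[dict, List[str]]:
    """Split an account object into registered attributes and ignored names."""
    kept = {k: v for k, v in account.items() if k in EXTENDED_USER_ATTRIBUTES}
    ignored = sorted(k for k in account
                     if k not in EXTENDED_USER_ATTRIBUTES and k != "name")
    return kept, ignored


def update_summary(original: Dict, current: Dict) -> List[dict]:
    """Compare waveset.attributes (original) with accounts[Lighthouse] (edited)."""
    changes = []
    for name in sorted(set(original) | set(current)):
        before, after = original.get(name), current.get(name)
        if before == after:
            continue
        if name in SENSITIVE:            # record that it changed, not the value
            before = "***" if before is not None else None
            after = "***" if after is not None else None
        changes.append({"attribute": name, "old": before, "new": after})
    return changes


def check_in(view: dict) -> Tuple[List[dict], List[str]]:
    """Apply the allowlist, build the summary, then copy values into waveset.attributes."""
    edited, ignored = registered_attributes(lighthouse_account(view))
    # waveset.attributes is either null or an object; treat null as empty.
    original = view.setdefault("waveset", {}).get("attributes") or {}
    changes = update_summary(original, edited)
    view["waveset"]["attributes"] = dict(edited)
    return changes, ignored


if __name__ == "__main__":
    # Constructed sample view: lastname and fullname edited, SSN added,
    # and an unregistered 'nickname' that must be ignored.
    sample = {
        "waveset": {"attributes": {"firstname": "Jane", "lastname": "Doe",
                                   "fullname": "Jane Doe"}},
        "accounts": [{"name": "Lighthouse", "firstname": "Jane", "lastname": "Smith",
                      "fullname": "Jane Smith", "SSN": "000-00-0000", "nickname": "JJ"}],
    }
    summary, dropped = check_in(sample)
    print("changes:", summary)
    print("ignored:", dropped)
```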
accounts[Lighthouse].delegateApproversTo
Specifies to whom the user is delegating approvals where valid values include manager, selectedUsers, or delegateApproversRule.
accounts[Lighthouse].delegateApproversSelected
accounts[Lighthouse].delegateApproversStartDate
Specifies the date on which to start approval delegation. By default, the selected start date’s hours and minutes are 12:01 am of that day.
accounts[Lighthouse].delegateApproversEndDate
Specifies the date to end approval delegation. By default, the selected end date’s hours and minutes are 11:59 pm of that day.
accounts[Lighthouse].properties
The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Identity Manager repository. You can then use properties in forms and workflows. A property is similar in some ways to an Extended User Attribute, but it is not limited to primitive data types such as strings or integers.
Identity Manager defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list.
Table 5-6: attributes of objects in the tasks list
name: Identifies the name of the TaskDefinition object to run.
date: Specifies the date on which to run the task.
taskName: Identifies the TaskInstance that is created. If none is specified, Identity Manager generates a random name.
owner: Identifies the name of an Identity Manager administrator that is considered to be the owner of the task. If none is specified, the default owner is Configurator.
organization: Identifies the Identity Manager organization that the TaskInstance will be placed in. If none is specified, an organization controlled by the task owner is selected at random.
description: Descriptive text that will be stored in the TaskInstance when it is created. This text is displayed in the task status page of the Identity Manager Administrator Interface.
Sample Use
You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml.
The field that displays the deferred task table is named Deferred Tasks. After modifying the waveset.properties attribute, the deferred task table is now referenced by the default Tabbed User Form. If any deferred tasks exist, the table will be displayed at the bottom of the Identity tab panel.
accounts[Lighthouse].viewUserForm
Used to display a view-only User form. This view-only form displays field information as Labels, to ensure that the administrator cannot change values, although he can list, view, and search on this user information. (The administrator selects a user from the accounts list, then clicks View to see user details.)
accounts[<resource>].properties
Used to store account properties in the Identity Manager repository. Use this attribute if you have some information about the account, for example the date it was created, that cannot be stored as a native account attribute on the resource.
accounts[<resource>].waveset.forceUpdate
Specifies a list of resource account attributes that are always sent to the resource when a user is modified, even when their values have not changed, so that the values remain available to resource actions. This attribute is required for resource actions to run when a user is unassigned from a resource.
The following field definition from a user form uses a Solaris resource named waterloo (<resource> has been replaced with that name):
<Field name='accounts[waterloo].waveset.forceUpdate'>
<Default>
<List>
<String>delete after action</String>
<String>Home directory</String>
</List>
</Default>
</Field>
The preceding code causes Identity Manager to send the delete after action and Home directory attributes to the provisioner and resource adapter on every update.
global Attribute
You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts (including Identity Manager). The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Identity Manager repository if there is an extended attribute with the same name.
For example, two resources R1 and R2 define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname.
You can also use global attributes to assign extended attributes that are stored in the Identity Manager repository. If a global attribute is also declared as an extended Identity Manager attribute, it is copied into accounts[Lighthouse].
Note
Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems.
Referencing Two Different Fullname Attributes
The global attribute can be used in combination with the account attribute for the same attribute name. For example, on an Active Directory resource, the structure of the fullname is lastname, firstname. But all other resources that have a fullname use firstname lastname.
The following example shows how you can reference these two fields in a form.
<Field name='global.fullname'>
<Expansion>
<concat>
<ref>global.firstname</ref><s> </s>
<ref>global.lastname</ref>
</concat>
</Expansion>
</Field>
<Field name='accounts[ActiveDir].fullname'>
<Expansion>
<concat>
<ref>global.lastname</ref><s>, </s>
<ref>global.firstname</ref>
</concat>
</Expansion>
</Field>
In the preceding example, creating a new user works as expected. However, when the user is later loaded, global.fullname can be populated from the Active Directory account's fullname (in lastname, firstname form), because the global attribute is assembled from every resource that defines the attribute.
A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:
<Field name='global.fullname'>
<Derivation>
<or>
<ref>accounts[LDAP res].fullname</ref>
<ref>accounts[NT res].fullname</ref>
</or>
</Derivation>
<Expansion>
<concat>
<ref>global.firstname</ref><s> </s>
<ref>global.lastname</ref>
</concat>
</Expansion>
</Field>
By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the NT resource.
accountInfo Attribute
Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:
Most account information is stored in the accountInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use each name to index the account list attribute.
For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role.
<FieldLoop for='name' in='accountInfo.fromRole'>
<Field name='accountInfo.accounts[$(name)].name'>
<Display class='Label'/>
</Field>
</FieldLoop>
The following table shows the accountInfo view attributes, which describe characteristics of the user's accounts.
Table 5-7 accountInfo Attributes (User View)
Attribute
Description
accountInfo.accounts
Lists objects that contain information about each resource account associated with the user (for example, created, disabled).
accountInfo.assigned
Lists the resources that are assigned to the user.
accountInfo.fromRole
Lists (in flat list format) resources assigned to the user through the role.
accountInfo.privates
Lists (in flat list format) resources assigned directly to the user.
accountInfo.toCreate
Lists names of all resources currently assigned to the user but for which accounts do not yet exist in Identity Manager.
accountInfo.toDelete
Lists names of resources that are no longer assigned to the user, but that are still known to exist.
accountInfo.types
Lists each type of resource that is currently assigned to the user directly or through Resource Groups.
accountInfo.typeNames
Lists unique type names for every assigned resource.
accountInfo.accounts
Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource.
Example
accountInfo.accounts[Microsoft Exchange].type
Objects found in the accountInfo.accounts list have the following attributes, as defined in the following table.
Table 5-8 accountInfo.accounts Attributes (User View)
Attribute
Description
attributes
Information about all the account attributes defined by this resource.
name
Name of the resource where the account exists or will be created.
id
Repository ID of the resource.
type
Resource type name.
accountId
Name of the user's account on this resource.
assigned
True if the account is currently assigned. Accounts that are not assigned can be deleted by Identity Manager.
protected
True if the account is currently protected. This means that update or delete operations on the account are ignored.
passwordPolicy
Information about the password policy defined for this resource.
accountInfo.accounts[ ].attributes[ ]
Contains information about all the account attributes defined by this resource. These attributes are listed on the schema map page of the resource. The value of the attribute is a List of objects.
The following table defines the attributes that these objects contain.
Table 5-9 accountInfo.accounts[ ].attributes[ ] Attributes (User View)
Attribute
Description
name
The name of the Identity Manager resource account attribute. This name is defined in the resource schema map.
syntax
The syntax of the attribute value. The value of the syntax attribute is one of the following values.
Refer to the Identity Manager Resources Reference to determine if binary or complex attributes are supported for the resource. An exception is thrown if you attempt to send binary or complex attributes to a resource that does not support these attributes.
Binary attributes should be kept as small as possible. Identity Manager will throw an exception if you attempt to manage a binary attribute that is larger than 350 KB. Contact Customer Support for guidance if you need to manage attributes larger than 350 KB.
multi
True if the attribute allows multiple values.
If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.
accountInfo.accounts[].passwordPolicy
A resource can be assigned a password policy. If the resource has an assigned password policy, the value of this attribute contains information about it.
The following table defines the attributes in the accountInfo.accounts[resname].passwordPolicy.
Table 5-10 accountInfo.accounts[resname].passwordPolicy Attributes (User View)
Attribute
Description
name
The name of policy. This corresponds to the name of a policy object in the Identity Manager repository.
summary
A brief text description of the policy including information about each of the policy attributes.
attributes
The value of this attribute is another object that contains the names and values of each policy attribute.
Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map.
Forms that provide an interface for changing and synchronizing passwords often use this information.
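The following is an added example, not code from the original page, that combines the name-list and account-list attributes described above: it loops over accountInfo.assigned and, for each resource, displays the account ID, the resource type, and the password policy summary, hiding the policy row when the resource has no policy. The loop variable name res and the prompts are illustrative.

```xml
<!-- Added example (not from the original page): one row per assigned
     resource. accountInfo.assigned is a list of resource names, so each
     name can index accountInfo.accounts[...] the same way the page's
     fromRole example does. -->
<FieldLoop for='res' in='accountInfo.assigned'>
  <Field name='accountInfo.accounts[$(res)].name' prompt='Resource'>
    <Display class='Label'/>
  </Field>
  <Field name='accountInfo.accounts[$(res)].accountId' prompt='Account ID'>
    <Display class='Label'/>
  </Field>
  <Field name='accountInfo.accounts[$(res)].type' prompt='Type'>
    <Display class='Label'/>
  </Field>
  <!-- summary is the human-readable policy text. Use the attributes map
       instead when individual policy rules must be rendered. The Disable
       hides this row for resources without an assigned policy. -->
  <Field name='accountInfo.accounts[$(res)].passwordPolicy.summary'
         prompt='Password policy'>
    <Display class='Label'/>
    <Disable>
      <isnull>
        <ref>accountInfo.accounts[$(res)].passwordPolicy</ref>
      </isnull>
    </Disable>
  </Field>
</FieldLoop>
```

Because every field here is a Label, an administrator can review the account state without being able to change it; the same loop structure is what a password synchronization form uses before deciding which policies the new password must satisfy.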
accountInfo.accounts[Lighthouse]
This special entry in the accountInfo list is used to hold information about the Identity Manager default password policy. This is convenient when displaying password forms since information about the Identity Manager password and policies must be displayed along with the information for resource accounts.
This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.
accountInfo Resource Name Lists
The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics.
The accountInfo attributes that can contain resource names are:
accountInfo.assigned
Identifies the resources that are assigned to the user. In a form, you can reference this attribute to display every assigned resource, whether it comes from a role, from an application, or is directly assigned to the user.
accountInfo.typeNames
A list of unique type names for every assigned resource. This is used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected.
<Field name='HomeDirectory' prompt='Home Directory'>
<Display class='Text'/>
<Disable>
<not>
<contains>
<ref>accountInfo.typeNames</ref>
<s>Solaris</s>
</contains>
</not>
</Disable>
</Field>
This returns the same information as the path accountInfo.types[*].name but is more efficient, which is important when used with Disable expressions. This list can include common resource types.
You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator Interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountInfo.types
This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List (objects).
The following table shows the attributes that belong to each object.
Table 5-11 accountInfo.types Attributes (User View)
Attribute
Description
accounts
List of accountIds for each account assigned to the user that is of this type
name
Resource type name
For example, you can determine a list of IDs for all UNIX accounts with the following path: accountInfo.types[Unix].accounts
display Attribute
The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing.
The following table shows the most used display view attributes.
Table 5-12 Most Used display Attributes (User View)
Attribute
Description
eventType
Indicates whether the user view is servicing a create or update request, as indicated by the values create or update (read-only).
session
A handle to an authenticated Identity Manager session. This attribute is valid only during an interactive editing session in the Identity Manager Administrator Interface. It is provided as an access point into the Identity Manager repository; the value can be passed to methods in the com.waveset.ui.FormUtil class.
The display.session attribute is not valid in the following cases where form processing may occur:
in the bulk loader
during background reprovisioning
in unsynchronized actions or approvals
Best practices suggest using this attribute only within a Property or Constraints element. In almost all existing forms, display.session is used only in Constraints elements.
subject
An object holding information about the credentials of an Identity Manager user or administrator. This value is set in almost all cases, but is typically used in workflow applications called during background activities where the display.session is no longer valid. The subject can be used to get a new session. In this case, it is used for gaining access to the repository.
state
A handle to a com.waveset.ui.util.RequestState object that in turn contains handles to objects related to the HTTP request, such as the javax.servlet.http.HttpSession.
Default itemType Behavior
Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem.
When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab:
Overriding Default Behavior
You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form as follows:
<Form ......>
<Properties>
<Property name='allowedWorkItemTransitions'>
<list>
<s>myCustomType</s>
</list>
</Property>
</Properties>
<!-- field definitions follow -->
</Form>
Deferred Attributes
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
When to Use Deferred Attributes
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
Using Deferred Attributes
There are two main steps to defining a deferred attribute:
- Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
- Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario with two resources: a resource named LDAP that generates a uid attribute when an account is created, and a resource named HR with an attribute named directoryid whose value must equal the uid on the LDAP resource.
The following form fields set the necessary view attributes to define this association.
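The original form fields are not reproduced on this page. The following is an added reconstruction, not the page's own sample, built from the path form accounts[<resource>].deferredAttributes.<attname>.resource and .attribute given above and from the LDAP/HR scenario. The resource and attribute names come from the scenario; nothing else is assumed.

```xml
<!-- Added example (the page's own sample is not reproduced here).
     Resource names LDAP and HR and attribute names uid and directoryid
     come from the scenario above. Both fields have no Display element,
     so they are hidden and only set view attributes. -->

<!-- Which account supplies the value: the user's LDAP account. -->
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Default>
    <s>LDAP</s>
  </Default>
</Field>

<!-- Which attribute on that account to copy into HR's directoryid. -->
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Default>
    <s>uid</s>
  </Default>
</Field>
```

These fields only declare the substitution; the ordered Resource Group from step 1 is what guarantees the LDAP account exists when the HR account is created. If HR were provisioned first, there would be no uid to copy, so check the group order before relying on the deferred value.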
Debugging the User View
When debugging the User view, you might find it useful to dump the contents of the view into a new file. To create a dump file, add the following field with a Derivation to the User form:
<Field name='DumpView'>
<Derivation>
<invoke name='dumpFile'>
<ref>form_inputs</ref>
<s>c:/temp/view.xml</s>
</invoke>
</Derivation>
</Field>
This Derivation expression invokes the dumpFile method, which generates the file after the User form is displayed for the first time. The form_inputs variable is automatically bound to the view that is being used with this form.
In the preceding example, the String argument to the dumpFile method is a file system path on the application server; substitute a valid path for c:/temp/view.xml. The dump contains every attribute in the view, including account data, so protect the file and remove this field before the form is deployed.
Account Correlation View
Used to search for users correlating to a specified account (or account attributes). This view is used as part of the account reconciliation process.
This view contains the root attributes listed below. The values of these attributes are GenericObjects. The view ID has the form <account_name>@<resource_name>.
Table 5-13 Top-Level Attributes of Account Correlation View
Attribute
Description
correlation
Contains information about how correlation should be done
matches
Contains the result of the correlation
The correlation request is executed on both the view get operation and refresh request. In the case of a refresh, the request specified in the view is used (with the exception of accountId and resource, as these values are overridden by the view ID). In the case of a get request, view options of the same name as the view attribute (for example, correlator) can be used to specify the view-supplied portion of the request.
Note
accountAttributes, when provided as a view option, can be supplied as a WSUser (as returned by resource adapter methods) or as a GenericObject.
Correlation
Table 5-14 Attributes of Correlation Attribute (Account Correlation View)

Attribute          Editable?   Data Type  Required?
accountId          Read        String     Yes
accountGUID        Read/Write  String     No (unless accountId and resource cannot unambiguously identify the account)
resource           Read        String     Yes
accountAttributes  Read/Write  String
correlator         Read/Write  String     No
confirmer          Read/Write  String     No
accountId
Specifies the name of the account to correlate. This is automatically obtained from the view ID.
accountGUID
Specifies the GUID of the account to correlate. Required only if accountId and resource cannot clearly and unambiguously identify the account.
resource
Specifies the name of the resource where the account resides. This value is automatically obtained from the view ID.
accountAttributes
Specifies the attributes of the account. If present, the viewer will not fetch the current account attributes to pass to the correlation/confirmation rules. Instead, these attributes will be passed in.
correlator
Specifies the correlation rule to use. If not present, the correlation rule specified by reconciliation policy for the resource will be used. If present, but null, no correlation rule is used.
confirmer
Specifies the confirmation rule to use. If not present, the confirmation rule specified by reconciliation policy for the resource will be used. If present, but null, no confirmation rule is used.
matches
The matches attribute holds the result lists. These lists consist of GenericObjects that contain the summary attributes of users.
Table 5-15 Attributes of matches Attribute (Account Correlation View)

Attribute    Editable?  Data Type
claimants    Read       List
correlated   Read       List
unconfirmed  Read       List
claimants
Lists users who claim the account. Claimants are calculated independently of the correlation algorithm, so a claimant may also appear in another of the lists. Claimant discovery can be disabled by setting ignoreClaimants to true in the view options. A user claims an account if it has a ResourceInfo explicitly referencing the account.
correlated
Lists the users who were correlated to the resource account.
unconfirmed
Lists users who were selected by the correlation rule, but were rejected by the confirmation rule. This list is only present if the includeUnconfirmed is set to true in the view options.
Admin Role View
Used when creating or updating an admin role. Admin roles enable you to define a unique set of capabilities for each set of organizations. Capabilities and controlled organizations can be assigned directly or indirectly through rules.
One or more admin roles can be assigned to a single user, and one or more users can be assigned the same admin role.
Table 5-16 Top-Level Attributes of Admin Role View

Name                             Editable?   Type           Required?
id                               Read/Write  String         No
name                             Read/Write  String         Yes
capabilities                                 List           Yes
capabilitiesRule                             String         Yes
controlledOrganizations                      List           Yes
controlledOrganizationsRule                  String         Yes
controlledOrganizationsUserform              String         Yes
controlledSubOrganizations                   List (object)  No
memberObjectGroup                            List           Yes
id
Uniquely identifies the AdminRole object in Identity Manager. System-generated.
name
Specifies the name of the admin role.
capabilities
Identifies the list of capability names that are assigned to this admin role.
capabilitiesRule
Specifies the name of the rule to be evaluated that will return a list of zero or more capability names to be assigned.
controlledOrganizations
Lists organization names over which the associated capabilities are allowed.
controlledOrganizationsRule
Specifies the name of the rule to be evaluated. This rule returns a list of zero or more controlled organization names to be assigned.
controlledOrganizationsUserform
Specifies the user form used when editing or creating users in the scope of organizations controlled by this admin role. It applies only if no user form is directly assigned to the user who holds this admin role.
controlledSubOrganizations
Lists the controlled organizations for which a subset of the available objects has been either included or excluded. The value is a list of controlledSubOrganization objects, each with the following attributes.
Table 5-17 controlledSubOrganizations View Attributes (Admin Role view)

Attribute  Data Type                                 Required?
name       String (name of controlled object group)
types      List (objects)
types is a list of objects, where the list of objects to include or exclude are organized by type (for example, Resource, Role, and Policy). The view for each object type is as follows:
Table 5-18 controlledSubOrganizations View Attribute Object Types (Admin Role view)

Attribute  Data Type       Required?
name       String
include    List (objects)
exclude    List (objects)
name
Specifies the name of the object type.
include
Lists object names of the associated object type to include.
exclude
Lists object names of the associated type to exclude.
memberObjectGroup
Lists the ObjectGroups of which this Admin role is a member. These are the object groups (organizations) that this Admin role is available to.
Change User Answers View
Used to change an existing user's authentication answers for one or more login interfaces.
Contains two high-level attributes.
Table 5-19 Change User Answers View Attributes

Attribute       Editable?  Data Type  Required?
questions                  List
loginInterface             String
questions
Describes the question. Contains the following attributes:
Table 5-20 questions Attributes (Change User Answers View)

Attribute         Data Type  Required?
qid               String
question          String
answer            String
answerObfuscated  Boolean
qid
Uniquely identifies a question that is used to associate this question with one defined in the policy.
question
Specifies the question string as defined in the policy.
answer
Specifies the user's answer to the question identified by qid, if one has been provided.
answerObfuscated
Specifies whether the answer is displayed in the clear or obfuscated.
loginInterface
Identifies the login interface with which this question is associated. Its value is a unique message catalog key for each login interface.
Contains the following attributes:
Table 5-21 loginInterface Attributes (Change User Answers View)

Attribute       Data Type  Required?
name            String
questionPolicy  String
questionCount   String
name
Identifies the name of the login interface that the question is associated with.
Valid values include:
- UI_LOGIN_CONFIG_DISPLAY_NAME_ALL_INTERFACES
- UI_LOGIN_CONFIG_DISPLAY_NAME_ADMIN_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_CLI_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_DEFAULT_USER_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_IVR_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_QUESTION_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE
questionPolicy
Specifies the policy that this question is associated with (for example, All, Random, Any, or RoundRobin).
questionCount
Set only if the questionPolicy attribute is set to Any or Random.
Change User Capabilities View
Used to change an Identity Manager user's capabilities.
Table 5-22 Change User Capabilities View Attributes

Attribute                Editable?  Data Type      Required?
adminRoles                          List [String]
capabilities                        List [String]
controlledOrganizations             List [String]
adminRoles
Lists the Admin roles that are assigned to the user.
capabilities
Lists capabilities assigned to this user.
controlledOrganizations
Lists the organizations that this user controls with the assigned capabilities.
Delegate Approvers View
Use this view to assign one or more Identity Manager users as delegate approvers to an existing approver. This enables an approver to delegate his approval capabilities for a specified period of time to users who may not be approvers themselves.
Top-level attributes include the following:
Table 5-23 Delegate Approvers View Attributes

Attribute                   Editable?  Data Type      Required?
name                                   List [String]  Yes
delegateApproversTo                    List [String]  Yes
delegateApproversSelected              List [String]
delegateApproversStartDate             String
delegateApproversEndDate               String
name
Identifies the user who is delegating approvals.
delegateApproversTo
Specifies to whom the user is delegating approvals where valid values include manager, selectedUsers, or delegateApproversRule.
delegateApproversSelected
delegateApproversStartDate
Specifies the date on which to start approval delegation. By default, the selected start date’s hours and minutes are 12:01 am of that day.
delegateApproversEndDate
Specifies the date to end approval delegation. By default, the selected end date's hours and minutes are 11:59 pm of that day.
Deprovision View
Used to present and select a list of resources to be deprovisioned. Contains a single top-level attribute.
resourceAccounts
This attribute contains the following attributes.
Table 5-24 resourceAccounts Attributes (Deprovision View)

Name                     Editable?   Data Type       Required?
id                       Read/Write  String
selectAll                Read/Write  Boolean
unassignAll              Read/Write  Boolean
unlinkAll                Read/Write  Boolean
currentResourceAccounts  Read        List (objects)
fetchAccounts            Read/Write  Boolean
fetchAccountResources    Read/Write  List
id
Specifies the unique identifier for the account.
selectAll
Controls whether all resources are selected.
unassignAll
Specifies that all resources should be removed from the user's list of private resources.
unlinkAll
Specifies that all resources should be unlinked from the Identity Manager user.
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
All three account lists contain objects that describe the state of the account on each resource and allow you to select accounts individually.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
All account lists are indexed by resource name.
Table 5-25 currentResourceAccounts Attributes (Deprovision View)

Name              Editable?   Data Type
selected          Read/Write  Boolean
unassign          Read/Write  Boolean
unlink            Read/Write  Boolean
name              Read        String
type              Read        String
accountId         Read        String
exists            Read        Boolean
disabled          Read        Boolean
authenticator     Read        Boolean
directlyAssigned  Read        Boolean
selected
If set to true, indicates that for a given resource, the associated account should be deprovisioned. If the selected account is Lighthouse, the Identity Manager user and its resource assignments are deleted, but the associated resource accounts are not deleted unless they are also selected.
unassign
If set to true, indicates that the specified resource should be removed from the user's list of private resources (that is, from waveset.resources).
unlink
If set to true, indicates that the specified resource should be unlinked from the Identity Manager user (that is, the associated ResourceInfo object is removed).
Note
If selected or unassign is set to true, unlink is implied to be true as well. The converse does not hold: unlink can be true while selected and unassign are both false.
name
Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the resource account.
exists
Indicates whether the account already exists on the resource (only in currentResourceAccounts).
disabled
Indicates whether the account is currently disabled or enabled (only in currentResourceAccounts).
authenticator
Indicates whether the account is one the user is configured to log in with.
directlyAssigned
If true, indicates that the account is directly assigned to the user. A value of false indicates that the account is indirectly assigned by a role or application.
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Disable View
Used to disable accounts of the Identity Manager user. This view is often used in custom workflows.
resourceAccounts
Represents the top-level attribute when accessing attributes in this view.
Table 5-26 Attributes of resourceAccounts Attribute (Disable View)

Name                     Editable?    Type
id                       Read         String
selectAll                Read         Boolean
currentResourceAccounts  Read         List (object)
fetchAccounts            Read/Write   Boolean
fetchAccountResources    Read/Write   List
id
Identifies the Identity Manager ID of the user.
selectAll
When set, causes all resource accounts to be disabled, including the Identity Manager account.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the account on the specific resource should be disabled.
Table 5-27 resourceAccounts.currentResourceAccounts Attributes (Disable View)

Name        Editable?    Type
name        Read         String
type        Read         String
accountId   Read         String
exists      Read         Boolean
disabled    Read         Boolean
selected    Read/Write   Boolean
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Enable View
Used to enable accounts of the Identity Manager user. This view is often used in custom workflows.
resourceAccounts
Represents the top-level attribute when accessing attributes in this view.
Table 5-28 Attributes of resourceAccounts Attribute (Enable View)

Name                     Editable?    Type
id                       Read         String
selectAll                Read         Boolean
currentResourceAccounts  Read         List (object)
fetchAccounts            Read/Write   Boolean
fetchAccountResources    Read/Write   List
id
Identifies the user’s Identity Manager ID.
selectAll
When set, all resource accounts will be enabled, including the Identity Manager account.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled.
Table 5-29 resourceAccounts.currentResourceAccounts Attributes (Enable View)

Name        Editable?    Type
name        Read         String
type        Read         String
accountId   Read         String
exists      Read         Boolean
disabled    Read         Boolean
selected    Read/Write   Boolean
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Find Objects View
Provides a customizable, generic repository search interface for any Identity Manager object type that has rights and is not deprecated or restricted to internal use. The Find Objects view handler supplies the associated forms for specifying one or more attribute query conditions and parameters and for displaying the results. You can also supply attribute query conditions and parameters as view options.
This view contains the following attributes.
Table 5-30 Top-Level Attributes (Find Objects View)

Name            Editable?    Type      Required?
objectType      Read/Write   String    Yes
allowedAttrs    Read/Write   List      No
attrsToGet      Read/Write   List      No
attrConditions  Read/Write   List      No
maxResults      Read/Write   String    No
results         Read         List      No
sortColumn      Read/Write   String    No
selectEnable    Read/Write   Boolean   No
objectType
Specifies the Identity Manager repository object type to find (for example, Role, User, or Resource).
allowedAttrs
Lists the queryable attribute names allowed for the object type given by objectType. By default this list is obtained by calling the object type's listQueryableAttributeAttrs() method, which is exposed by each class that extends PersistentObject; if the object type class does not override it, the PersistentObject implementation returns the default set of queryable attributes supported by all PersistentObjects.
You can override the default set by specifying allowedAttrs in either the default section or the objectType-specific section of the findObjectsDefaults.xml configuration file, which resides in the sample directory. Each allowed attribute in sample/findObjectsDefaults.xml is specified with the following fields:
name
Identifies the attribute.
displayName
Specifies the attribute name as it is displayed in the Identity Manager Administrator interface. If not specified, the value of this attribute defaults to the same value as name.
syntax
Indicates the data type of attribute value where supported values include string, int, and boolean. If not specified, this value defaults to string.
multiValued
Indicates whether the attribute supports multiple values. A value of true indicates that attribute supports multiple values. If unspecified, this value defaults to false. This attribute applies only if the attribute syntax is string.
allowedValuesType
Specifies the name of the Identity Manager type if the allowed values of the attribute are instances of an Identity Manager type (for example, Role or Resource). If not specified, this attribute defaults to null.
If the name attribute is an Identity Manager-defined attribute, then only name is required. If the attribute name is an extended attribute, you must specify at least the name and, optionally, the other attributes unless the defaults are sufficient.
See sample/findObjectsDefaults.xml for example formats for specification of allowed attributes.
You can specify the list of allowedAttrs as either a list of strings, a list of objects, or a combination of both.
attrsToGet
Lists the summary attribute names of the object type (objectType) to be returned with each object that matches the specified attribute conditions. You can obtain the object type's set of supported summary attributes by calling its listSummaryAttributeAttrs() method, which is exposed by each class that extends PersistentObject. If the object type class does not override it, the PersistentObject implementation returns the default set of summary attributes supported by all PersistentObjects.
You can override the default by specifying the list of resultColumnNames in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
attrConditions
Lists the attribute conditions used to find objects of the specified object type (objectType). Specify each attribute condition in the list as follows:
selectedAttr
Identifies one of the attribute names from the list of allowed attributes (allowedAttrs).
selectedAttrRequired
(Optional) Indicates whether the selected attribute (selectedAttr) can be changed for this attribute condition. A value of true indicates that the selected attribute cannot be changed and that the attribute condition cannot be removed from the list of attribute conditions.
defaultAttr
(Optional) Identifies the allowedAttrs name to select by default when the list of allowed attributes is displayed in interface.
allowedOperators
Lists the operators allowed based on the syntax specified in the selected attribute (selectedAttr). By default, this list is obtained by calling the getAllowedOperators method passing the values of the syntax and multiValued attributes of the selected attribute (selectedAttr). You can override the default by specifying the set of allowed operators (allowedOperators) in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
selectedOperator
Specifies the name of one operator from the list specified in allowedOperators.
selectedOperatorRequired
(Optional) Indicates whether the selected operator (selectedOperator) can be changed for this attribute condition. A value of true indicates that the selected operator cannot be changed and that the attribute condition cannot be removed from the list of attribute conditions.
defaultOperator
(Optional) Specifies the name of the operator (allowedOperators) to select by default when the list of allowed operators (allowedOperators) is displayed in the form.
value
Indicates the value or operand for the selected attribute name and operator that must be tested when Identity Manager determines if it should return an object of the specified object type (objectType). You can omit this attribute if the value of selectedOperator is exists or notPresent.
valueRequired
(Optional) Indicates whether the value of the attribute condition can be changed. A value of true indicates that value can be changed. It also indicates that the attribute condition cannot be removed from the list of attribute conditions.
removeAttrCond
Determines if this attribute condition should be removed or not (internal).
You can specify attribute conditions as view options by using the FindObjects.ATTR_CONDITIONS constant or the attrCondition string. If attrConditions is not specified, Identity Manager returns all objects of the specified object type.
maxResults
(Optional) Specifies the maximum number of objects of the specified objectType that Identity Manager should return from the find request. Defaults to 100 if not specified. You can override the default by specifying a value for the resultMaxRows attribute in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
Use of this attribute can improve performance in cases where many Identity Manager repository objects of the specified type exist.
results
If the value of attrsToGet is null, the value of results is a list of the names of the objects that match the specified attribute conditions. If attrsToGet is non-null, results is a list of objects that matched the specified attrConditions, where each object consists of:
sortColumn
(Optional) Indicates the value of the column to sort the results on. Defaults to '0' if not specified. You can override the default by specifying a value for resultSortColumn in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
selectEnable
(Optional) Specifies whether more than one result row can be selected simultaneously. A value of true indicates that more than one result row can be selected. The default is false. The default can be overridden by specifying a value for resultSelectEnable in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
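The checks this view implies (attributes restricted to allowedAttrs, operators derived from the attribute's syntax, a value required unless the operator is exists or notPresent, maxResults defaulting to 100) are what a handler must enforce before a client's conditions reach the repository. The following Python is an added example, not Identity Manager code: it models those checks and then runs the validated request against a small constructed repository. Only exists and notPresent are operator names taken from the page; the other operators, the attribute names, the HARD_CAP ceiling and the sample objects are assumptions made for the example.

```python
"""Added example, not Identity Manager code: models the checks a Find Objects
view handler must apply to form-supplied attrConditions before building a
repository query, then runs the validated request against an in-memory
repository.  Only 'exists' and 'notPresent' are operator names from the page."""

DEFAULT_MAX_RESULTS = 100                       # page: maxResults defaults to 100
HARD_CAP = 1000                                 # assumed ceiling, not on the page
VALUELESS_OPERATORS = {"exists", "notPresent"}  # page: value may be omitted

# Hypothetical stand-in for getAllowedOperators(syntax, multiValued).
OPERATORS_BY_SYNTAX = {
    ("string", False): ["equals", "startsWith", "exists", "notPresent"],
    ("string", True): ["contains", "exists", "notPresent"],
    ("int", False): ["equals", "lessThan", "greaterThan", "exists", "notPresent"],
    ("boolean", False): ["equals", "exists", "notPresent"],
}

# Constructed sample repository: objectType -> list of attribute dicts.
SAMPLE_REPOSITORY = {
    "User": [
        {"name": "alice", "department": "Finance", "failedLogins": 5},
        {"name": "bob", "department": "Finance", "failedLogins": 0},
        {"name": "carol", "department": "Sales", "failedLogins": 9},
        {"name": "dave", "department": "Finance", "failedLogins": 7},
        {"name": "erin", "failedLogins": 2},  # no department attribute
    ]
}


def normalize_allowed_attrs(allowed_attrs):
    """allowedAttrs may mix strings and objects; apply the page's defaults
    (syntax=string, multiValued=false, displayName=name; multiValued only
    applies when syntax is string)."""
    out = {}
    for entry in allowed_attrs:
        if isinstance(entry, str):
            entry = {"name": entry}
        name, syntax = entry["name"], entry.get("syntax", "string")
        out[name] = {
            "displayName": entry.get("displayName", name),
            "syntax": syntax,
            "multiValued": bool(entry.get("multiValued", False)) and syntax == "string",
        }
    return out


def validate_find_request(view):
    """Return (ok, errors, request).  Attributes outside allowedAttrs and
    operators outside the set derived server-side from the attribute's syntax
    are rejected, not dropped, so a client cannot widen the query surface."""
    errors, conditions = [], []
    allowed = normalize_allowed_attrs(view.get("allowedAttrs", []))
    for i, cond in enumerate(view.get("attrConditions") or []):
        attr, op = cond.get("selectedAttr"), cond.get("selectedOperator")
        if attr not in allowed:
            errors.append(f"condition {i}: attribute {attr!r} is not in allowedAttrs")
            continue
        spec = allowed[attr]
        ops = OPERATORS_BY_SYNTAX.get((spec["syntax"], spec["multiValued"]), [])
        if op not in ops:
            errors.append(f"condition {i}: operator {op!r} is not allowed for {attr!r}")
        elif op not in VALUELESS_OPERATORS and cond.get("value") is None:
            errors.append(f"condition {i}: operator {op!r} requires a value")
        else:
            conditions.append({"attr": attr, "op": op, "value": cond.get("value")})
    raw = view.get("maxResults")  # a String in the view: default, parse, cap
    try:
        max_results = DEFAULT_MAX_RESULTS if raw is None else int(raw)
    except ValueError:
        max_results = 0
    if max_results <= 0:
        errors.append(f"maxResults {raw!r} is not a positive integer")
    request = {"conditions": conditions, "maxResults": min(max_results, HARD_CAP)}
    return not errors, errors, request


def _matches(obj, cond):
    attr, op, val = cond["attr"], cond["op"], cond["value"]
    present = obj.get(attr) is not None
    if op in VALUELESS_OPERATORS:
        return present if op == "exists" else not present
    if not present:
        return False
    actual = obj[attr]
    return {"equals": lambda: actual == val,
            "startsWith": lambda: str(actual).startswith(str(val)),
            "contains": lambda: val in actual,
            "lessThan": lambda: actual < val,
            "greaterThan": lambda: actual > val}[op]()


def find_objects(repository, view):
    """Run a validated request.  Per the page, null attrsToGet yields names;
    otherwise each hit holds only the requested attributes."""
    ok, errors, req = validate_find_request(view)
    if not ok:
        raise ValueError("; ".join(errors))
    hits = [o for o in repository.get(view["objectType"], [])
            if all(_matches(o, c) for c in req["conditions"])][: req["maxResults"]]
    attrs = view.get("attrsToGet")
    return [o["name"] for o in hits] if not attrs else [{k: o.get(k) for k in attrs} for o in hits]
```

The point of deriving the operator set from the attribute's declared syntax rather than from the submitted condition is that allowedAttrs and allowedOperators are configuration the form author controls; a client that edits the posted view should get an error, not a wider query.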
Org View
Used to specify the type of organization created and options for processing it.
Common Attributes
The high-level attributes of this view are listed in the following table.
Table 5-31 Org View Attributes

Name                    Editable?    Data Type   Required?
orgName                 Read         String      System-Generated
orgDisplayName          Read/Write   String      Yes
orgType                 Read/Write   String      No
orgId                   Read         String      System-Generated
orgAction               Write        String      No
orgNewDisplayName       Write        String      No
orgParentName           Read/Write   String      No
orgChildOrgNames        Read         List        System-Generated
orgApprovers            Read/Write   List        No
allowedOrgApprovers     Read         List        System-Generated
allowedOrgApproverIds   Read         List        System-Generated
orgUserForm             Read/Write   String      No
orgViewUserForm         Read/Write   String      No
orgPolicies             Read/Write   List        No
orgAuditPolicies        Read/Write   List        No
renameCreate            Read/Write   String      No
renameSaveAs            Read/Write   String      No
orgName
Identifies the UID for the organization. This value differs from most view object names because organizations can have the same short name but different parent organizations.
orgDisplayName
Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.
orgType
Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.
orgId
Specifies the ID that is used to uniquely identify the organization within Identity Manager.
orgAction
Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.
orgNewDisplayName
Specifies the new short name when you are renaming the organization.
orgParentName
Identifies the full pathname of the parent organization.
orgChildOrgNames
Lists the Identity Manager interface names of all direct and indirect child organizations.
orgApprovers
Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.
allowedOrgApprovers
Lists the potential user names who could be approvers for users added to or modified in this organization.
allowedOrgApproverIds
Lists the potential user IDs who could be approvers for users added to or modified in this organization.
orgUserForm
Specifies the user form used by member users of this organization when creating or editing users.
orgViewUserForm
Specifies the view user form that is used by member users of this organization when viewing users.
orgPolicies
Identifies policies that apply to all member users of this organization. This is a list of objects keyed by type string. Each policy object contains the following view attributes, prefixed by orgPolicies[<type>], where <type> is the policy type (for example, Lighthouse account).
orgAuditPolicies
Specifies the audit policies that apply to all member users of this organization.
renameCreate
When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.
renameSaveAs
When set to true, renames this organization using the value of orgNewDisplayName.
Directory Junction and Virtual Organization Attributes
Table 5-32 Directory Junction and Virtual Organization Attributes

Name                          Editable?    Data Type   Required?
orgContainerId                Read         String      System-generated
orgContainerTypes             Read         List        System-generated
orgContainers                 Read         List        System-generated
orgParentContainerId          Read         String      System-generated
orgResource                   Read/Write   String      Yes, if directory junction or virtual organization
orgResourceType               Read         String      System-generated
orgResourceId                 Read         String      System-generated
orgRefreshAllOrgsUserMembers  Write        String      No
orgContainerId
Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).
orgContainerTypes
Lists the allowed resource object types that can contain other resource objects.
orgContainers
Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.
orgParentContainerId
Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).
orgResource
Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).
orgResourceType
Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).
orgResourceId
Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.
orgRefreshAllOrgsUserMembers
If true, and the value of orgAction is refresh, synchronizes Identity Manager organization user membership with resource container user membership for the selected organization and all child organizations. If false, only the resource containers are synchronized to Identity Manager organizations for the selected organization and all child organizations; user membership is not synchronized.
Dynamic Organization Attributes
Table 5-33 Dynamic Organization Attributes

Name                            Editable?    Data Type   Required?
orgUserMembersRule              Read/Write   String      No
orgUserMembersRuleCacheTimeout  Read/Write   String      No
orgUserMembersRule
Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.
orgUserMembersRuleCacheTimeout
Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.
Using an Organizational Path Name Instead of a System-Generated ID
When calling this view in workflow, you can use either the system-generated ID or supply an organizational path expression as a value for checkoutView (for example, top:us:central:texas).
Sample Workflow
<Activity id="1" name="Refresh Organization">
  <Variable name="orgView"/>
  <!-- Check out the Org view by organizational path rather than by system-generated ID. -->
  <Action name="Get Organization" application="com.waveset.session.WorkflowServices">
    <Argument name="op" value="checkoutView"/>
    <Argument name="subject" value="#ID#Configurator"/>
    <Argument name="viewId" value="OrgViewer:top:us:central:texas"/>
    <Return from="view" to="orgView"/>
  </Action>
</Activity>
Password View
Used by administrators to change the passwords of the Identity Manager user or of the user's resource accounts.
This view contains one top-level attribute.
resourceAccounts
This attribute contains the following attributes.
Table 5-34 resourceAccounts Attributes (Password View)

Attribute                    Editable?    Data Type       Required?
id                           Read/Write   String          Yes
selectAll                    Read/Write   Boolean         No
currentResourceAccounts      Read         List (object)   No
tobeCreatedResourceAccounts  Read         List (object)   No
tobeDeletedResourceAccounts  Read         List (object)   No
password                     Read/Write   encrypted       Yes
confirmPassword              Read/Write   encrypted       Yes, if view is being used interactively
fetchAccounts                Read/Write   Boolean
fetchAccountResources        Read/Write   List
id
Specifies the account ID of the Identity Manager user whose passwords are being changed. Typically set by the view handler and never modified by the form.
selectAll
Controls whether all passwords are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
All three account lists contain objects that describe the state of the account on each resource and allow you to select accounts individually. The lists are indexed by resource name and contain objects that describe the resources on which this user has accounts.
Table 5-35 Resource Account List Attributes (Password View)

Attribute               Editable?    Data Type
selected                Read/Write   Boolean
name                    Read         String
type                    Read         String
accountId               Read         String
exists                  Read         Boolean (only in currentResourceAccounts)
disabled                Read         Boolean (only in currentResourceAccounts)
passwordPolicy          Read         Object
authenticator           Read         Boolean
changePasswordLocation  Read         String (only in currentResourceAccounts)
expirePassword          Read/Write   Boolean
password
Specifies the new password you want to assign to the Identity Manager account or the resource accounts.
confirmPassword
Confirms the password specified in the password attribute. When the view is used interactively, the form requires you to enter the same values in the password and confirmPassword fields. When the view is used programmatically, such as within a workflow, the confirmPassword attribute is ignored. If you are using this view interactively, you must set this attribute.
selected
Indicates that the specified resource should receive the new password.
name
Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource.
disabled
Indicates whether the account is currently disabled.
passwordPolicy
When set, describes the password policy for this resource. Can be null. It contains these attributes.
Table 5-36 passwordPolicy Attributes (Password View)

Attribute   Data Type
name        String
summary     String
In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as defined in the policy.
The summary string contains a pre-formatted description of the policy attributes.
authenticator
If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.
changePasswordLocation
(Optional) Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.
expirePassword
Can be set to a non-null Boolean value to control whether the password is marked as expiring immediately after it has been changed. If null, the password expires by default when the user whose password is being changed differs from the user who is changing it.
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Process View
Used to launch tasks such as workflows or reports. The task to be launched must be defined by a TaskDefinition or TaskTemplate object in Identity Manager. Launching the task results in the creation of a TaskInstance object.
This view contains one top-level attribute named task. All other top-level attributes are arbitrary and are passed as inputs to the task.
task
This top-level attribute defines how the task is to be launched.
Table 5-37 Process View Attributes

Attribute      Editable?    Data Type       Required?
process        Read/Write   String          Yes
taskName       Read/Write   String          No (generated if not set)
organization   Read/Write   String          No (defaults to Top)
taskDisplay    Read/Write   String          No
description    Read/Write   String          No
execMode       Read/Write   String          No
result         Read/Write   WavesetResult   No
owner          Read/Write   String          No
process
Names the process to launch. This can be the name of a TaskDefinition or TaskTemplate object in Identity Manager. It can also be an abstract process name mapped through the process settings in the System Configuration object. This attribute is required.
taskName
Specifies the name given to the TaskInstance object that is created to hold the runtime state of the task. If this attribute is not set, a random name is generated.
organization
Names the organization in which to place the TaskInstance. If this attribute is not set, the TaskInstance is placed in Top.
taskDisplay
Specifies a display name for the TaskInstance.
description
Specifies a descriptive string for the TaskInstance. This string is displayed in the Manage Tasks table in the product interface.
execMode
Specifies execution mode. This is typically not specified, in which case the execution mode is determined by the TaskDefinition. Setting this attribute overrides the value in the TaskDefinition.
Allowed execMode values are:
Table 5-38 execMode Attribute Values (Process View)
Value
Description
sync
Specifies synchronous or foreground execution
async
Specifies asynchronous or background execution
asyncImmediate
Specifies asynchronous with immediate thread launch
Use the asyncImmediate execution mode only for special system tasks that must pass non-serializable values into the task through the view. The task thread is started immediately. The default behavior is to save the TaskInstance temporarily in the repository and have the Scheduler resume it later.
result
Specifies the initial result for the TaskInstance. You can use this setting to pass information into the task that you eventually want displayed with the task results when the task completes.
owner
Specifies the user name that is considered to be the owner of the task. If not set, the currently logged-in user is designated as the owner.
View Options
The following options are recognized by the createView and checkinView methods.
endUser
Specifies that the task is being launched from the Identity Manager User Interface. This allows users with no formal privileges to launch specially designated end-user tasks.
process
Names the process to launch. This name is recognized by the createView method and becomes the value of the process attribute in the view.
suppressExecuteMessage
When set to true, suppresses the default message that is added to the task result when an asynchronous task is launched. The default English text is "The task is being executed in the background."
Checkin View Results
The following named result items can be found in the WavesetResult object that is returned by the checkinView method.
Table 5-39 Checkin View Results
Result
Description
taskId
Identifies the repository ID of the TaskInstance
taskState
Identifies the current state of the TaskInstance. It will be one of: ready, executing, suspended or finished
extendedResults
When set to true, indicates that the TaskInstance will have extended results.
Reconcile View
Used to request or cancel reconciliation operations on a resource. This view is used to perform on-demand reconciliation as part of a workflow. It can also be used when implementing a custom scheduler for reconciliation.
This view is write-only. get and checkout operations are not supported.
request
Specifies the operation to perform. You must specify one of the following valid operations:
Table 5-40 Valid Operations for request Attribute (Reconcile View)
Operation
Description
FULL
Starts a full reconciliation of the resource
INCREMENTAL
Starts an incremental reconciliation of the resource
ACCOUNT
Starts a reconciliation of the account
CANCEL
Cancels the currently active resource reconciliation process
accountId
Identifies the account to reconcile. This string is ignored if the request is not ACCOUNT.
Examples
Reconcile Policy View
Used to view and modify reconciliation policy, which is stored as part of the Identity Manager System Configuration object.
Reconciliation Policies and the Reconcile Policy View
Reconciliation policy settings are stored in a tree structure with the following general structure:
Settings can be specified at any point in the tree. If a level does not specify a value for a policy setting, the value is inherited from the next higher level.
The view represents an effective policy at a specified point in the policy tree, which is identified by the view name.
Table 5-41 ReconcilePolicy Tree and View Names
View Name
Description
Default
Addresses the root of the policy tree
ResType:resource type
Addresses the specified resource type beneath the root
Resource:resource name
Addresses the specified resource beneath the resource's resource type
Policy Values
Values of policy settings are always policy values. Policy values can contain up to three components, as described in the following table.
Table 5-42 Policy Value Settings Attributes (ReconcilePolicy View)
Policy Value Settings
Description
value
Specifies the value of the setting.
scope
Identifies the scope from which this setting is derived, that is, which level of the tree specifies the effective value:
SCOPE_LOCAL -- Policy is set at the resource level, or current policy level
SCOPE_RESTYPE -- Policy is set at the restype (resource type) level
SCOPE_GLOBAL -- Policy is set at the global (Default) level
inheritance
Identifies the policy setting that is inherited at this level. If the scope is not Local, the inheritance will match the effective value. Not present on policy settings at the Default level.
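The Default, ResType and Resource levels above form a three-level inheritance chain, and the view reports each setting as a policy value with the value/scope/inheritance components just described; the capabilities listed under Authorization Required below decide who may read and who may write it. The following Python is an added example, not Identity Manager code: it resolves the effective policy for a view name, derives scope and inheritance per setting (taking the scope label from the tree level that supplies the value, one reading of the page), and gates writes on those capabilities. The tree contents, the resource name, the resource-to-type map and the helper names are constructed for the example.

```python
"""Added example, not Identity Manager code: resolves the effective
reconciliation policy at the point of the Default -> ResType -> Resource tree
addressed by a ReconcilePolicy view name, reporting each setting as a policy
value with value/scope/inheritance components, and gates writes on the
capabilities the page lists.  Tree contents, resource names and the
resource-to-type map are constructed sample data."""

SCOPE_GLOBAL, SCOPE_RESTYPE, SCOPE_LOCAL = "Default", "ResType", "Local"
RECONCILE_ADMIN = "Reconcile Administrator"
RECONCILE_REQUEST_ADMIN = "Reconcile Request Administrator"
_MISSING = object()

# Constructed sample tree; setting names come from the view's attribute tables.
SAMPLE_TREE = {
    "Default": {"reconcileModes": "NONE", "listTimeout": 600000,
                "reconcileNativeChanges": False, "explainActions": False},
    "ResType": {"LDAP": {"reconcileModes": "FULL", "listTimeout": 900000}},
    "Resource": {"West Directory Server": {"reconcileNativeChanges": True,
                                           "listTimeout": 300000}},
}
SAMPLE_RESOURCE_TYPES = {"West Directory Server": "LDAP"}  # constructed


def policy_chain(tree, view_name, resource_types):
    """Levels to consult for a view name, most specific first, as
    (scope, settings) pairs that reference the live tree dicts."""
    default = tree.setdefault("Default", {})
    if view_name == "Default":
        return [(SCOPE_GLOBAL, default)]
    kind, _, name = view_name.partition(":")
    if kind == "ResType":
        return [(SCOPE_RESTYPE, tree.setdefault("ResType", {}).setdefault(name, {})),
                (SCOPE_GLOBAL, default)]
    if kind == "Resource":
        rtype = resource_types[name]  # a resource sits beneath its resource type
        return [(SCOPE_LOCAL, tree.setdefault("Resource", {}).setdefault(name, {})),
                (SCOPE_RESTYPE, tree.setdefault("ResType", {}).setdefault(rtype, {})),
                (SCOPE_GLOBAL, default)]
    raise ValueError(f"unknown ReconcilePolicy view name {view_name!r}")


def effective_policy(tree, view_name, resource_types):
    """Map setting name -> {value, scope[, inheritance]}.  scope is the level
    supplying the effective value; inheritance is what the levels above this
    view's own level supply, so it equals value whenever the setting is not
    set at the view's own level, and is absent at the Default level."""
    chain = policy_chain(tree, view_name, resource_types)
    result = {}
    for name in sorted(set().union(*(lvl for _, lvl in chain))):
        scope, value = next((s, lvl[name]) for s, lvl in chain if name in lvl)
        pv = {"value": value, "scope": scope}
        inherited = next((lvl[name] for _, lvl in chain[1:] if name in lvl), _MISSING)
        if inherited is not _MISSING:
            pv["inheritance"] = inherited
        result[name] = pv
    return result


def authorized(capabilities, modify):
    """Page rule: modifying needs Reconcile Administrator; reading needs
    Reconcile Administrator or Reconcile Request Administrator."""
    caps = set(capabilities)
    if modify:
        return RECONCILE_ADMIN in caps
    return bool(caps & {RECONCILE_ADMIN, RECONCILE_REQUEST_ADMIN})


def set_setting(tree, view_name, resource_types, capabilities, name, value):
    """Check a setting in at the level the view name addresses and return
    the resulting policy value for that setting."""
    if not authorized(capabilities, modify=True):
        raise PermissionError(f"{RECONCILE_ADMIN} capability required to modify {view_name}")
    policy_chain(tree, view_name, resource_types)[0][1][name] = value
    return effective_policy(tree, view_name, resource_types)[name]
```

Carrying the inheritance component alongside the value is what lets a form show an administrator what a resource-level override is shadowing before it is removed; the authorization split keeps a Reconcile Request Administrator able to inspect policy without being able to loosen correlation or response settings.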
Authorization Required
To modify the view, users require Reconcile Administrator Capability.
To access the view, users require Reconcile Administrator or Reconcile Request Administrator capabilities.
View Attributes
The following table lists the high-level attributes of this view.
Table 5-43 ReconcilePolicy View Attributes
Attribute
Description
scheduling
Contains information about automated scheduling of reconciles.
correlation
Contains information about how ownership of resource accounts is determined.
workflow
Contains information about user-supplied extensions to the reconciliation process.
response
Contains information about how reconciliation should respond to discovered situations.
resource
Contains information about how reconciliation interacts with the resource.
scheduling
Table 5-44 scheduling Attributes (ReconcilePolicy View)

Attribute            Editable?    Data Type
reconcileServer      Read/Write   String
reconcileModes       Read/Write   String
fullSchedule         Read/Write   Schedule
incrementalSchedule  Read/Write   Schedule
nextFull             Read         Date
nextIncremental      Read         Date
reconcileServer
Specifies the reconciliation server that should be used to perform scheduled reconciliations.
reconcileModes
Specifies the reconciliation modes that are enabled. Valid values are: BOTH, FULL, NONE.
fullSchedule
Identifies the schedule for full reconciles when enabled.
incrementalSchedule
Identifies the schedule for incremental reconciles when enabled.
nextFull
Contains the time of the next full reconcile, if enabled.
nextIncremental
Contains the time of the next incremental reconcile, if enabled.
Schedule values (fullSchedule and incrementalSchedule) are GenericObjects with the following attributes:
correlation
Contains the correlation and confirmation rule settings.
Table 5-45 correlation Attributes (ReconcilePolicy View)

Attribute         Editable?    Data Type
correlationRule   Read/Write   String
confirmationRule  Read/Write   String
correlationRule
Identifies the name of the correlation rule to use when correlating accounts to users.
confirmationRule
Identifies the name of the confirmation rule to use when confirming correlated users against accounts. When no confirmation is required, specify the value CONFIRMATION_RULE_NONE.
workflow
Table 5-46 workflow Attributes (ReconcilePolicy View)

Attribute           Editable?    Data Type
proxyAdministrator  Read/Write   String
preReconWorkflow    Read/Write   String
perAccountWorkflow  Read/Write   String
postReconWorkflow   Read/Write   String
proxyAdministrator
Specifies the name of the administrator under whose capabilities the reconciliation workflows run. Give this account only the capabilities those workflows need.
preReconWorkflow, perAccountWorkflow, postReconWorkflow
Specifies the name of the workflow to run at the corresponding point in reconciliation processing. To specify that no workflow be run, use the value AR_WORKFLOW_NONE.
response
Table 5-47 response Attributes (ReconcilePolicy View)
Attribute | Editable? | Data Type
situations | Read/Write | List
explanations | Read/Write | Boolean
situations
Specifies the automated response to perform for the specified situation. Valid responses are:
Table 5-48 situations Options (ReconcilePolicy View)
Response | Description
DO_NOTHING | Performs no automated response
CREATE_NEW_USER | Creates new user based on the resource account
LINK_ACCOUNT | Assigns the account to the claiming user
CREATE_ACCOUNT | Recreates the account on the resource
DELETE_ACCOUNT | Removes the account from the resource
DISABLE_ACCOUNT | Disables the account on the resource
explainActions
Specifies whether reconciliation should record detailed explanations of actions in the Account Index.
resource
Table 5-49 resource Attributes (ReconcilePolicy View)
Attribute | Editable? | Data Type
reconcileNativeChanges | Read/Write | Boolean
reconciledAttributes | Read/Write | List (of Strings)
listTimeout | Read/Write | Integer
fetchTimeout | Read/Write | Integer
reconcileNativeChanges
Specifies whether native changes to account attributes should be reconciled.
reconciledAttributes
Specifies the list of account attributes that should be monitored for native changes.
listTimeout
Specifies (in milliseconds) how long reconciliation should wait for a response when enumerating the accounts present on the resource.
fetchTimeout
Specifies (in milliseconds) how long the reconciliation process should wait for a response when fetching an account from a resource.
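The attribute groups above are easy to get subtly wrong before a reconcile policy is enabled (an unknown response value, a zero timeout, a destructive automated response nobody reviewed). The following is an added example in Python, not Identity Manager's own API: it lints a policy represented as a plain dict that mirrors the view's attribute groups, using only the valid values this chapter lists. The situation names, server name, rule names and proxy administrator name are constructed placeholders; in particular, the page does not reproduce the list of valid situations, so situations are modelled as (situation, response) pairs.

```python
"""Lint a ReconcilePolicy view before it is checked in.

Added example in Python, not Identity Manager's own API: the policy is a plain
dict that mirrors the view's attribute groups. The valid values are the ones
this chapter lists. Situation names are constructed placeholders, because the
page does not reproduce the list of valid situations.
"""

VALID_RECONCILE_MODES = {"BOTH", "FULL", "NONE"}
VALID_RESPONSES = {"DO_NOTHING", "CREATE_NEW_USER", "LINK_ACCOUNT",
                   "CREATE_ACCOUNT", "DELETE_ACCOUNT", "DISABLE_ACCOUNT"}
# Responses that change or remove accounts on the resource: an automated
# policy that uses them deserves explicit review before it is enabled.
DESTRUCTIVE_RESPONSES = {"DELETE_ACCOUNT", "DISABLE_ACCOUNT"}
WORKFLOW_NONE = "AR_WORKFLOW_NONE"
CONFIRMATION_NONE = "CONFIRMATION_RULE_NONE"


def lint_reconcile_policy(policy):
    """Return (errors, warnings).

    Errors are values outside the documented sets; warnings are settings a
    reviewer should look at before the policy goes live.
    """
    errors, warnings = [], []

    sched = policy.get("scheduling", {})
    modes = sched.get("reconcileModes")
    if modes not in VALID_RECONCILE_MODES:
        errors.append("scheduling.reconcileModes=%r is not one of %s"
                      % (modes, sorted(VALID_RECONCILE_MODES)))
    if modes in ("BOTH", "FULL") and not sched.get("fullSchedule"):
        warnings.append("full reconciles enabled but fullSchedule is empty")
    if modes == "BOTH" and not sched.get("incrementalSchedule"):
        warnings.append("incremental reconciles enabled but incrementalSchedule is empty")

    corr = policy.get("correlation", {})
    if corr.get("confirmationRule", CONFIRMATION_NONE) == CONFIRMATION_NONE:
        warnings.append("confirmationRule is CONFIRMATION_RULE_NONE: "
                        "correlated users are linked without confirmation")

    wf = policy.get("workflow", {})
    for key in ("preReconWorkflow", "perAccountWorkflow", "postReconWorkflow"):
        if not wf.get(key):
            warnings.append("workflow.%s is empty; use %s to state explicitly "
                            "that no workflow runs" % (key, WORKFLOW_NONE))

    # situations is modelled as a list of (situation, response) pairs.
    for situation, response in policy.get("response", {}).get("situations", []):
        if response not in VALID_RESPONSES:
            errors.append("situation %s: unknown response %r" % (situation, response))
        elif response in DESTRUCTIVE_RESPONSES:
            warnings.append("situation %s: destructive automated response %s"
                            % (situation, response))

    res = policy.get("resource", {})
    for key in ("listTimeout", "fetchTimeout"):
        val = res.get(key)
        if not isinstance(val, int) or isinstance(val, bool) or val <= 0:
            errors.append("resource.%s must be a positive integer (milliseconds), got %r"
                          % (key, val))
    if res.get("reconcileNativeChanges") and not res.get("reconciledAttributes"):
        warnings.append("reconcileNativeChanges is true but reconciledAttributes is empty")
    return errors, warnings


# Constructed sample policy (not from a real deployment) with several problems.
SAMPLE_POLICY = {
    "scheduling": {"reconcileServer": "idm-node-1", "reconcileModes": "BOTH",
                   "fullSchedule": {"repeatUnit": "week"}, "incrementalSchedule": None},
    "correlation": {"correlationRule": "ExampleCorrelationRule",
                    "confirmationRule": CONFIRMATION_NONE},
    "workflow": {"proxyAdministrator": "recon-proxy-admin",
                 "preReconWorkflow": WORKFLOW_NONE,
                 "perAccountWorkflow": WORKFLOW_NONE,
                 "postReconWorkflow": ""},
    "response": {"situations": [("SITUATION_PLACEHOLDER_1", "LINK_ACCOUNT"),
                                ("SITUATION_PLACEHOLDER_2", "DELETE_ACCOUNT"),
                                ("SITUATION_PLACEHOLDER_3", "PURGE")],
                 "explanations": True},
    "resource": {"reconcileNativeChanges": True, "reconciledAttributes": [],
                 "listTimeout": 30000, "fetchTimeout": 0},
}

if __name__ == "__main__":
    errs, warns = lint_reconcile_policy(SAMPLE_POLICY)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

Run against SAMPLE_POLICY the linter reports two errors (the unknown PURGE response and the zero fetchTimeout) and five warnings; a policy whose values all lie in the documented sets and that uses no destructive response produces neither.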
Reconcile Status View
Used to obtain the status of the last requested reconciliation operation. This view is read-only.
status
Indicates the status code of the request (string). Valid status codes include:
Table 5-50 ReconcileStatus View Attributes
Status Code | Description
UNKNOWN | Status cannot be determined. The values of the other attributes are unspecified.
PENDING | Request was received, but has not been processed yet.
RUNNING | Request is currently being processed.
COMPLETE | Request has completed. Consult the other attributes to determine the success or failure of the request.
CANCELLED | Request was cancelled by an administrator.
reconcileMode
Indicates the reconciliation mode of the request. Either FULL or INCREMENTAL.
reconciler
Identifies the Identity Manager server that is processing the reconciliation request.
requestedAt
Indicates the date on which the request was received.
startedAt
Specifies a date on which the reconciliation operation started. If the reconciliation operation has not yet started or was cancelled while still pending, this value is null.
finishedAt
Indicates the date on which the reconciliation operation completed. If the reconciliation process has not yet completed, this value is null.
errors.fatal
Describes the error (if any) that terminated the reconciliation operation. Errors are returned as a list of strings.
errors.warnings
Describes any non-fatal errors that are encountered during the reconciliation operation. Errors are returned as a list of strings.
statistics.accounts.discovered
Identifies the number of accounts that were found on the resource at the time of the reconciliation operation.
statistics.situation[<situation>].resulting
Identifies the number of accounts in the specified reconciliation situation after responses have been performed (successfully or not).
Valid situations are any of the following:
Rename User View
Used to rename the Identity Manager and resource account identities. This view is typically used when a user in a company has a name change. The other main use for this view is to change the identity of a directory user, which essentially causes a move in the directory structure.
Table 5-51 RenameUser View Attributes
Name | Editable? | Data Type | Required?
newAccountId | Read/Write | String |
toRename | Read | List |
noRename | Read | List |
resourceAccounts | Read | |
fetchAccounts | Read/Write | Boolean |
fetchAccountResources | Read/Write | List |
newAccountId
Specifies the new accountId to be set on the Identity Manager user and used in the Identity templates for resource accounts.
toRename
Specifies a list of accounts in the currentResourceAccounts list that support the rename operation.
noRename
Specifies a list of accounts that do not support the rename functionality.
resourceAccounts
Contains mostly read-only information about the resource accounts. Use the following attributes to rename resource accounts:
Table 5-52 resourceAccounts Attributes
Attribute | Type | Description
selectAll | Boolean | Controls whether all accounts are renamed.
currentResourceAccounts[<resourcename>].selected | Boolean | Indicates that the new accountId should be used to rename the identity of this resource account.
currentResourceAccounts[Lighthouse].selected | Boolean | Controls whether the Identity Manager account is renamed. selectAll=true overrides this setting.
accounts[<resourcename>].identity | | Overrides the use of the Identity Template to create the accountId for this resource account.
accounts[<resourcename>].<attribute> | | Used when not specifying the accounts[<resourcename>].identity attribute to pass attributes to the Identity Template for the creation of the new accountId.
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Example
renameView.newAccountId="saurelius"
renameView.resourceAccounts.selectAll="false"
renameView.resourceAccounts.currentResourceAccounts[Lighthouse].selected="true"
renameView.accounts[AD].identity="cn=saurelius,OU=Austin,DC=Waveset,DC=com"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"
renameView.accounts[LDAP].identity="CN=saurelius,CN=Users,DC=us,DC=com"
renameView.resourceAccounts.currentResourceAccounts[LDAP].selected="true"
renameView.accounts[NT].identity="Marcus Aurelius"
renameView.resourceAccounts.currentResourceAccounts[NT].selected="true"
Reprovision View
Used to present and select the list of resources to be reprovisioned. This view contains one top-level attribute (resourceAccounts).
resourceAccounts
This attribute contains the following attributes.
Table 5-53 resourceAccounts Attributes (Reprovision View)
Name | Editable? | Data Type | Required?
id | Read | String |
selectAll | Read/Write | Boolean |
currentResourceAccounts | Read | List (objects) |
fetchAccounts | Read/Write | Boolean |
fetchAccountResources | Read/Write | List |
id
Specifies the unique identifier for the account.
selectAll
Controls whether all resources are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
All account lists are indexed by resource name.
Table 5-54 currentResourceAccounts Attributes (Reprovision View)
Name | Editable? | Data Type
selected | Read/Write | Boolean
name | Read | String
type | Read | String
accountId | Read | String
exists | Read | Boolean
disabled | Read | Boolean
authenticator | Read | Boolean
selected
If set to true, indicates that for a given resource, the associated account should be reprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be reprovisioned unless they are also selected. However, the associated resource accounts will not be reprovisioned.
name
Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the resource account.
exists
Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).
disabled
Indicates whether the account is currently disabled or enabled (only in currentResourceAccounts).
authenticator
Indicates whether the account is one that the user is configured to log in with.
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Reset User Password View
Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.
resourceAccounts
Defines characteristics of resource accounts. This attribute contains the following attributes.
Table 5-55 resourceAccounts Attributes (Reset User Password View)
Attribute | Editable? | Data Type | Required?
id | Read | String |
selectAll | Read/Write | Boolean |
currentResourceAccounts | Read | List (object) |
tobeCreatedResourceAccounts | Read | List (object) |
tobeDeletedResourceAccounts | Read | List (object) |
id
Specifies the account ID of the Identity Manager user whose passwords are being changed.
selectAll
Controls whether all passwords are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are scheduled for deletion.
The three account list attributes -- tobeDeletedResourceAccounts, tobeCreatedResourceAccounts, and currentResourceAccounts -- contain the attributes described in the following table. These attributes describe the state of the account on each resource and allow you to individually select accounts.
Table 5-56 tobeDeletedResourceAccounts Attributes (Reset User Password View)
Attribute | Editable? | Data Type | Required?
selected | Read/Write | Boolean |
name | Read | String |
type | Read | String |
accountId | Read | String (only in currentResourceAccounts) |
exists | Read | Boolean (only in currentResourceAccounts) |
disabled | Read | Boolean (only in currentResourceAccounts) |
passwordPolicy | Read | Object |
authenticator | Read | Boolean |
changePasswordLocation | Read | String |
selected
Set to true if this account is to have its password reset.
name
Specifies the name of resource. This corresponds to the name of a Resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource.
disabled
Indicates whether the account is currently disabled.
passwordPolicy
When set, describes the password policy for this resource. Can be null. It contains these attributes.
Table 5-57 Reset User Password Attributes (Reset User Password View)
Attribute | Data Type | Editable? | Required?
name | String | |
summary | String | |
In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as the WSAttribute in the Policy.
The summary string contains a pre-formatted description of the policy attributes.
authenticator
If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.
changePasswordLocation
Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.
Resource View
Used when modifying resources.
Table 5-58 Resource View Attributes
Attribute | Editable? | Data Type | Required?
name | Read/Write | String | Yes
adapterClassName | Read/Write | String | Yes
typeString | Read/Write | String | Yes
typeDisplayString | Read/Write | String | Yes
startupType | Read/Write | String | No
organizations | Read/Write | List (Strings) | Yes
resourceAttributes | Read/Write | List (Strings) | No
displayName | Read | String | No
type | Read | String | No
multivalued | Read | String | No
syncSource | Read/Write | Boolean | No
facets | Read | String | No
description | Read | String | No
noTrim | Read | String | No
accountAttributes | Read/Write | List (Strings) | No
identityTemplate | Read/Write | String | No
approvers | Read/Write | List (Strings) | No
allowedApprovers | Read | List (Strings) | No
allowedApproversIds | Read | List (Strings) | No
passwordPolicy | Read/Write | String | No
accountPolicy | Read/Write | String | No
resourcePasswordPolicy | Read/Write | String | No
respolExcludeAccountsRule | Read/Write | String | No
retryMax | Read/Write | Integer | No
retryDelay | Read/Write | Integer | No
retryEmail | Read/Write | String | No
retryEmailThreshold | Read/Write | Integer | No
form | Read | String | No
licensedProducts | Read | List (Strings) | No
available.MetaViewAttribute | Read | List (Strings) | No
available.extendedAttributes | Read | List (Strings) | No
available.formFieldNames | Read | List (Strings) | No
host | | |
password | | |
TCPPort | | |
user | | |
The resource viewer instantiates the resource parameters for the various view methods as follows:
- The createView method requires a typeString option, which is used to locate the correct prototypeXML for the resource type. The prototypeXML contains the initial set of resource parameters and their initial values. Thus, the view is populated with this list of initial resource parameters and their default values.
- The getView and checkoutView methods return only the resource parameters that exist in the resource object. The prototypeXML is not used to fill in this list if any resource parameters are missing in the actual resource object.
- The checkinView method replaces the list of resource parameters in the stored resource object in the repository. Again, the prototypeXML is not used to fill in any missing resource parameters that are not supplied during the checkinView operation.
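The practical consequence of the three rules above is that a view checked in without some of its resource parameters silently removes them from the stored object, because nothing consults the prototypeXML once the object exists. The following is an added example in Python, not Identity Manager's own code: a small in-memory repository and a prototype table reproduce the three behaviours, plus a pre-check-in guard that reports which prototype parameters a view no longer carries. The type name ExampleResourceType, its default values, the resource name and host are constructed; the parameter names (host, TCPPort, user, password) are the typical ones this section names.

```python
"""How the resource viewer fills in resource parameters.

Added example in Python, not Identity Manager's own code: a small in-memory
repository and a prototype table reproduce the createView / getView /
checkinView behaviours. The type name and default values are constructed.
"""

EXAMPLE_TYPE = "ExampleResourceType"

# Constructed stand-in for the prototypeXML of each resource type:
# typeString -> initial resource parameters and their default values.
PROTOTYPES = {
    EXAMPLE_TYPE: {"host": "", "TCPPort": 389, "user": "", "password": ""},
}


class ResourceRepository:
    """Stores resource objects keyed by resource name."""

    def __init__(self):
        self.objects = {}

    def create_view(self, type_string):
        # createView: the typeString option selects the prototype, whose
        # parameter list and defaults populate the new view.
        if type_string not in PROTOTYPES:
            raise KeyError("unknown resource type %r" % type_string)
        return {"typeString": type_string,
                "resourceAttributes": dict(PROTOTYPES[type_string])}

    def get_view(self, name):
        # getView / checkoutView: only the parameters stored in the resource
        # object come back; the prototype is not consulted.
        stored = self.objects[name]
        return {"typeString": stored["typeString"],
                "resourceAttributes": dict(stored["resourceAttributes"])}

    def checkin_view(self, name, view):
        # checkinView: the stored parameter list is replaced wholesale.
        # Parameters missing from the view are dropped, not restored.
        self.objects[name] = {"typeString": view["typeString"],
                              "resourceAttributes": dict(view["resourceAttributes"])}


def missing_parameters(view):
    """Pre-check-in guard: prototype parameters the view no longer carries.

    Because checkinView never fills gaps from the prototype, an incomplete
    view silently removes parameters from the stored resource object.
    """
    proto = PROTOTYPES.get(view["typeString"], {})
    return sorted(set(proto) - set(view["resourceAttributes"]))


def demo():
    repo = ResourceRepository()
    view = repo.create_view(EXAMPLE_TYPE)
    view["resourceAttributes"]["host"] = "ldap.example.test"  # constructed host
    repo.checkin_view("corp-ldap", view)
    first = repo.get_view("corp-ldap")

    # A later edit that sends back only two of the four parameters.
    partial = {"typeString": EXAMPLE_TYPE,
               "resourceAttributes": {"host": "ldap.example.test", "user": "svc-idm"}}
    dropped = missing_parameters(partial)
    repo.checkin_view("corp-ldap", partial)
    second = repo.get_view("corp-ldap")
    return first, dropped, second


if __name__ == "__main__":
    first, dropped, second = demo()
    print("after first check-in:", first["resourceAttributes"])
    print("parameters the partial view would drop:", dropped)
    print("after partial check-in:", second["resourceAttributes"])
```

The guard is the useful part: run missing_parameters on a view before checking it in, and treat a non-empty result as a defect in the form or workflow that built the view rather than as something the repository will repair.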
Resource Parameters
Resource parameters vary depending on the type of resource adapter being configured. Each resource contains a prototypeXML string that the resource viewer uses to determine the default set of resource parameters and their default values. Once Identity Manager creates a resource object, the resource viewer no longer uses the prototypeXML string, but rather uses the resource parameters from the actual object.
The following attributes uniquely identify the resource object.
name
Externally identifies the resource. This user-supplied name is unique among resource objects.
adapterClassName
Identifies the Resource Adapter class to be used to provision to the resource.
type
Identifies the data type of the resource.
typeString
Specifies the internal name for the resource type.
typeDisplayString
Identifies the display name for the resource type. This should be a message key or ID to be found in the message catalog.
syncSource
If set to true, indicates that the resource supports synchronization events.
facets
description
Provides a textual description of the resource.
startupType
Specifies whether the activeSync resource starts up automatically or manually.
Additional Attributes
Additional attributes depend upon the type of adapter being configured. At a minimum, these attributes specify how to connect to the resource. Typical parameters include TCP port, user, and password.
host
Uniquely identifies the host.
password
Specifies the password of the user (host administrator) to connect as.
TCPPort
Identifies the port on the host to connect to.
user
Identifies the user (host Administrator) to connect as.
accountAttributes
Define the accounts managed on this resource. Attributes vary depending on the resource type.
Typical attributes are:
accountId
Specifies the ID by which the resource identifies this account.
roles
Identifies the roles the account will have on the resource.
identityTemplate
Specifies the identity template used to generate a user's identity on this resource.
Identity Manager Parameters
Identity Manager parameters are used by Identity Manager to help manage the resource.
resourceName
Specifies the name by which Identity Manager identifies this resource object.
displayName
Specifies the display name that will display on the Identity Manager user edit and password pages to help identify users.
retryMax
Indicates the maximum number of retries that will be tried on errors attempting to manage objects on a resource.
retryDelay
Specifies the number of seconds between retries.
retryEmail
Identifies the email addresses to send notifications to after reaching the retry notification threshold.
retryEmailThreshold
Specifies the number of retries after which an email is sent.
form
Identifies the user form that is used in workflows that edit accounts on the resource.
passwordPolicy
Specifies the password policy for accounts on this resource.
resourcePasswordPolicy
Indicates the resource password policy for resource accounts on this resource.
accountPolicy
Specifies the policy for account IDs on this resource.
excludedResourceAccountsPolicy
Specifies the policy for excluding resource accounts from account lists.
available
Table 5-59 Attributes of available Attribute (Resource View)
Attributes of available Attribute | Description
available.organizations |
available.formFieldNames |
available.metaViewAttributes |
available.extendedAttributes |
approvers
Lists the administrator approvers for this resource.
allowedApprovers
allowedApproversIds
organizations
Lists the organizations available to the resource.
licensedProducts
Resource Object View
Used when modifying resource objects.
All attributes are editable, except <resourceobjectType>.oldAttributes, which are used to calculate attribute-level changes for updates.
In practice, replace <resourceobjectType> with the lowercase name of a resource-specific object type (for example, group, organizationalunit, organization, or role).
Table 5-60 ResourceObject View Attributes
Attribute | Editable? | Data Type | Required?
resourceType | Read/Write | String |
resourceName | Read/Write | String |
resourceId | Read/Write | String |
objectType | Read/Write | String |
objectName | Read/Write | String |
objectId | Read/Write | String |
requestor | Read/Write | String |
attributes | Read/Write | Object |
oldAttributes | Read | Object |
organization | Read/Write | String |
attrstoget | Read/Write | List |
searchContext | Read/Write | Object |
searchAttributes | Read/Write | List |
<resourceobjectType>.resourceType
Lists the Identity Manager resource type name (for example, LDAP, Active Directory).
<resourceobjectType>.resourceName
Lists the Identity Manager resource name.
<resourceobjectType>.resourceId
Lists the Identity Manager resource ID or name.
<resourceobjectType>.objectType
Indicates the resource-specific object type (for example, Group).
<resourceobjectType>.objectName
Lists the name of the resource object.
<resourceobjectType>.objectId
Specifies the fully qualified name of the resource object (for example, dn).
<resourceobjectType>.requestor
Specifies the ID of the user who is requesting the view.
<resourceobjectType>.attributes
Indicates new or updated resource object attribute name/value pairs (object). This attribute has the following subattribute:
resourceattrname -- String used to get or set the value of a specified resource attribute (for example, <objectType>.attributes.cn, where cn is the resource attribute common name).
<resourceobjectType>.oldAttributes
Specifies the fetched resource object attribute name/value pairs (object). You cannot edit this value. The view uses this attribute to calculate attribute-level changes for update.
<resourceobjectType>.organization
Identifies the list of organizations of which the resource is a member. This list is used to determine which organizations should have access to the associated audit event record when available for future analysis and reporting.
<resourceobjectType>.attrstoget
List of object-type-specific attributes to return when requesting an object with the checkoutView or getView methods.
<resourceobjectType>.searchContext
Specifies the context used to search for non-fully qualified names in resources with hierarchical namespaces.
<resourceobjectType>.searchAttributes
Lists the resource object type-specific attribute names that will be used to search within the specified searchContext for names of resources with hierarchical namespaces.
<resourceobjectType>.searchTimelimit
Specifies the maximum time spent searching for a name input to a form (if supported by the resource).
Role View
Used to define Identity Manager role objects.
When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations.
The following table lists the high-level attributes of this view.
Table 5-61 Role View Attributes
Attribute | Editable? | Data Type | Required
name | Read/Write | String | Yes
resources | Read/Write | List | No
applications | Read/Write | List | No
roles | Read/Write | List | No
assignedResources | Read/Write | List | No
notifications | Read/Write | List | No
approvers | Read/Write | List | No
properties | Read/Write | List |
organizations | Read/Write | List | Yes
name
Identifies the name of the role. This corresponds to the name of a Role object in the Identity Manager repository.
resources
Specifies the names of locally assigned resources.
applications
Specifies the names of locally assigned applications (Resource Groups).
roles
Specifies the names of locally assigned roles.
assignedResources
Flattened list of all assigned resources via resources, applications, and roles.
Table 5-62 Attributes of assignedResource Attribute (Role View)
Attribute | Editable? | Data Type
resourceName | | String
name | | String
attributes | | Object
resourceName
Identifies the name of the assigned resource.
name
Identifies the resource name or ID (preferably ID).
attributes
Identifies the characteristics of the resource. All subattributes are strings and are editable.
Table 5-63 attribute Options (Role View)
Attribute | Description
name | Name of resource attribute
valueType | Type of value set for this attribute. Allowed values include Rule, text, or none.
requirement | Type of value set by this attribute. Allowed values include Rule, Text, None, Value, Merge with Value, Remove with Value, Merge with Value clear existing, Authoritative set to value, Authoritative merge with value, Authoritative merge with value clear existing.
rule | Specifies rule name if value type is Rule.
value | Specifies value if rule type is Text.
notifications
Lists the names of administrators that must approve the assignment of this role to a user.
approvers
Specifies the names of the approvers that must approve the assignment of this role to a user.
properties
Identifies the user-defined properties that are stored on this role.
organizations
Lists organizations of which this role is a member.
Task Schedule View
Used to create and modify TaskSchedule objects.
This view contains the following attributes:
Table 5-64 Task Schedule View Attributes
Name | Editable? | Data Type | Required?
scheduler | Read/Write | String |
task | Read/Write | Boolean |
scheduler
Contains attributes that are related to the scheduler itself, which are common to all scheduled tasks. The attributes are:
Table 5-65 Attributes of scheduler Attribute (Task Schedule View)
Name | Editable? | Data Type | Required?
name | Read/Write | String | No
id | Read | String | No
definition | Read/Write | String | No
template | Read/Write | String | No
taskOrganization | Read/Write | String | No
taskName | Read/Write | String | No
description | Read/Write | String | No
disabled | Read/Write | Boolean | No
skipMissed | Read/Write | Boolean | No
start | Read/Write | Date | No
repeatCount | Read/Write | Int | No
repeatUnit | Read/Write | String | No
resultOption | Read/Write | String | No
allowMultiple | Read/Write | Boolean | No
Note
Typically, you supply a value for either scheduler.definition or scheduler.template. If you do not specify either value, Identity Manager creates a TaskSchedule object that you can later edit to specify the definition or template.
name
Specifies the name of an existing TaskSchedule object or the desired name for a new TaskSchedule object. It is not required, but if not specified, the system will generate a random identifier.
id
Uniquely identifies the existing TaskSchedule object.
definition
Defines the name of a TaskDefinition object to be scheduled.
template
Specifies the name of a TaskTemplate object to be scheduled. If both definition and template are specified, template has priority.
taskOrganization
Contains the name of the organization in which the TaskInstance will be placed when the scheduled task is launched.
taskName
Specifies the name of the TaskInstance that is created when the scheduled task is launched.
description
Contains descriptive text that will be saved in the TaskInstance that is created when the scheduled task is launched. The description will appear in the task tables in the product interface.
disabled
Controls whether the task scheduler will process the TaskSchedule object. The scheduler ignores TaskSchedule objects whose disabled attribute is true. You can use this to temporarily stop running a scheduled task without having to delete and recreate the TaskSchedule object.
start
Indicates the date and time at which to launch the task.
repeatCount
Combined with repeatUnit, determines how frequently tasks will be run. If repeatCount is zero or not specified, a scheduled task will only run once. If repeatCount is a positive number, the task will be run more than once at the interval specified by repeatUnit.
repeatUnit
Defines the interval of time between running tasks that have a positive repeatCount value. Valid values include: second, minute, hour, day, week, month. For example, to schedule a task to run once a week for a year, set repeatUnit to week, repeatCount to 52, and start to the first day that the task is to run.
resultOption
Specifies what the scheduler will do if a TaskInstance with the desired name already exists when the scheduled task is run. The possible values are: wait, delete, rename, and terminate.
wait
Indicates whether the scheduler should run the task again or wait for another repetition. This attribute is only meaningful if you have set repeatCount and repeatUnit.
delete
Tells the scheduler to delete the existing TaskInstance, if it has finished.
rename
Indicates that the scheduler should rename the existing TaskInstance, if it has finished.
terminate
Similar to delete, but will also terminate the existing task, if it is still running.
skipMissed
Indicates whether Identity Manager attempts to immediately make up a missed schedule time (false) or simply waits until the next scheduled time (true). The default is false.
allowMultiple
Controls whether more than one instance of the same task definition or task template is allowed to run. If true (the default), the scheduler will always create a new instance of the task. If false, the scheduler will not create a new instance if one is already running.
task
Contains task-specific attributes. Each task defines its own attributes, and the task's form should reference them relative to the task namespace.
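How start, repeatCount, repeatUnit and skipMissed combine is easiest to see by expanding a schedule into concrete run times. The following is an added example in Python, not Identity Manager's scheduler code. Two points the page leaves open are treated as stated assumptions in the comments: a repeatCount of N is read as N runs in total (consistent with the "once a week for a year: repeatCount 52" example above), and when skipMissed is false the most recent missed time is the one made up. The month unit is stepped by calendar month with the day of month clamped to the month's length; the page does not define that arithmetic, so that is this example's choice.

```python
"""Expanding a TaskSchedule's start / repeatCount / repeatUnit into run times.

Added example in Python, not Identity Manager's scheduler code. Assumptions
not stated on the page are marked in the comments.
"""
from datetime import datetime, timedelta
import calendar

VALID_UNITS = ("second", "minute", "hour", "day", "week", "month")


def add_interval(when, unit, count):
    """Return `when` advanced by `count` units of `unit`."""
    if unit in ("second", "minute", "hour", "day", "week"):
        return when + timedelta(**{unit + "s": count})
    if unit == "month":
        # Assumption: calendar months, keeping the day of month but clamping
        # it to the length of the target month (Jan 31 + 1 month -> Feb 28).
        index = when.month - 1 + count
        year, month = when.year + index // 12, index % 12 + 1
        day = min(when.day, calendar.monthrange(year, month)[1])
        return when.replace(year=year, month=month, day=day)
    raise ValueError("repeatUnit must be one of %s" % (VALID_UNITS,))


def occurrences(start, repeat_count=0, repeat_unit=None):
    """All run times of a schedule.

    repeatCount zero or unset: the task runs once, at start. Otherwise it runs
    repeat_count times, repeat_unit apart (assumption: N means N runs in total,
    so repeatCount 52 with repeatUnit week covers one year).
    """
    if not repeat_count or repeat_count <= 0:
        return [start]
    if repeat_unit not in VALID_UNITS:
        raise ValueError("repeatUnit must be one of %s" % (VALID_UNITS,))
    return [add_interval(start, repeat_unit, i) for i in range(repeat_count)]


def next_run(times, now, last_run=None, skip_missed=False):
    """Which occurrence the scheduler runs when it wakes at `now`.

    skipMissed false: a missed time (after last_run, at or before now) is made
    up immediately; the most recent one is chosen (assumption). skipMissed
    true: missed times are skipped and the next future time is used. Returns
    None when nothing remains.
    """
    pending = [t for t in times if last_run is None or t > last_run]
    missed = [t for t in pending if t <= now]
    future = [t for t in pending if t > now]
    if missed and not skip_missed:
        return missed[-1]
    return future[0] if future else None


if __name__ == "__main__":
    start = datetime(2007, 1, 1, 2, 0)           # constructed start time
    weekly = occurrences(start, 52, "week")
    woke = start + timedelta(days=9)             # the Jan 8 run was missed
    print("first run:", weekly[0], "last run:", weekly[-1])
    print("skipMissed=false runs:", next_run(weekly, woke, last_run=start))
    print("skipMissed=true runs: ", next_run(weekly, woke, last_run=start, skip_missed=True))
```

The useful check is the last one: with skipMissed left at its default (false), a scheduler that was down over a scheduled time runs the task as soon as it is back, which is what you want for a reconciliation but not necessarily for a report that should only ever run in a maintenance window.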
Unlock View
Used to unlock accounts for those resources that support native account locking. This view presents and selects the list of resource accounts to be unlocked.
Note
Use the Unlock view instead of the Disable view for accounts whose resources support native account locking.
Contains the following high-level attributes:
Table 5-66 Unlock View Attributes
Name | Editable? | Data Type | Required?
id | Read | String | Yes
selectAll | Read/Write | Boolean | No
currentResourceAccounts | Read | List (objects) | No
tobeCreatedResourceAccounts | Read | List (objects) | No
tobeDeletedResourceAccounts | Read | List (objects) | No
fetchAccounts | Read/Write | Boolean |
fetchAccountResources | Read/Write | List |
id
Specifies the account ID of the Identity Manager user whose passwords are being unlocked.
selectAll
Controls whether all passwords are unlocked.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts.
The resource account lists are indexed by resource name, and contain objects that describe the resources on which this user has accounts.
Table 5-67 tobeDeletedResourceAccounts Attributes (Unlock View)
Name | Editable? | Data Type
selected | Read/Write | Boolean
name | Read/Write | String
type | Read/Write | String
accountId | Read/Write | String
exists | Read/Write | Boolean
locked | Read/Write | Boolean
authenticator | Read/Write | Boolean
selected
Identifies that this resource has been selected to be unlocked.
name
Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource (only in currentResourceAccounts).
locked
Indicates whether the account is currently locked or not (unlocked). The value of exists indicates whether the account already exists on the resource or not (only in currentResourceAccounts).
authenticator
If true, indicates that this resource serves as the pass-through authentication resource for Identity Manager.
fetchAccounts
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
fetchAccountResources
Lists resource names from which to fetch. If unspecified, Identity Manager uses all.
See Setting View Options in Forms in this chapter for more information.
WorkItem View
Used to view and modify WorkItem objects in the repository.
A WorkItem object is created whenever a manual action that is defined in a workflow process is activated. The WorkItem view contains a few attributes that describe the WorkItem object itself, as well as values of selected workflow variables copied from the workflow task.
Identity Manager returns information about the work items in the Work Item view under the workItem.related attribute.
Returning Information about All Active Work Items
This view can return information about all work items that are currently active in a workflow task. By default, Identity Manager returns information about only the specified work item, not related work items. Other options let you include related work items, filter which of them are returned, and choose which attributes of the related work items are displayed.
Use the following three form properties to change the default behavior of this view:
Table 5-68
If you want to ... | Use this form property
Return all related items by default | includeRelatedItems
Request additional attributes to be returned | relatedItemAttributes
Limit which items are returned | relatedItemFilter
Example: Using the includeRelatedItems Form Property
By default, Identity Manager uses the Approval form to display work items. Edit this form by adding the includeRelatedItems element to include related work items:
<Properties>
<Property name='includeRelatedItems' value='true'/>
</Properties>
Example: Using the relatedItemAttributes Form Property
You can also request additional attributes with the relatedItemAttributes option. This option can be a CSV string of names or a list of names. You can request the following standard attributes:
If you request an attribute name that is not on this list, Identity Manager assumes that it is an arbitrary workflow variable, and the value will be returned if it exists in the work item. Common variables found in the standard workflows include:
To include the request and description attributes, add these properties to the Approval form:
<Properties>
<Property name='includeRelatedItems' value='true'/>
<Property name='relatedItemAttributes' value='request,description'/>
</Properties>
Example: Using the relatedItemFilter Form Property
You can specify the following filter attributes.
Table 5-69 relatedItemFilter Option Values
relatedItemFilter Option Values | Results of Filtering
itemType | Only work items with a matching itemType are returned
activityName | Only work items created from the same activity are returned
request | Only work items with the same user-defined request string are returned
locked | Only work items that are currently locked for editing are returned
If more than one filter attribute is on the list, they are logically ANDed together. For example, to return only work items with the same request string that are currently locked, add these properties to the Approval form:
<Properties>
<Property name='includeRelatedItems' value='true'/>
<Property name='relatedItemAttributes' value='request,description'/>
<Property name='relatedItemFilter' value='request,locked'/>
</Properties>
An example field that displays a table of information about the related work items has been added to the Approval Library form library; the field is named Related Approvers. You can reference this field from the standard Approval form as follows:
<FieldRef name='Related Approvers'/>
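How the three properties combine is easiest to see on data. The following Python model is an added example, not Identity Manager code: the sample work items, the task grouping and the AND filter semantics are constructed from the descriptions above.

```python
# Added example, not Identity Manager code: a small model of how the
# includeRelatedItems, relatedItemAttributes and relatedItemFilter form
# properties shape the workItem.related list. The sample work items and
# the filter semantics are constructed from the descriptions in the text.
from typing import Dict, List, Union

# Standard workItem.related subattributes named in Table 5-71.
STANDARD_ATTRIBUTES = {
    "name", "owner", "locked", "complete", "itemType",
    "request", "requester", "ignoreTimeOut",
}

# Attributes that relatedItemFilter may name (Table 5-69).
FILTER_ATTRIBUTES = {"itemType", "activityName", "request", "locked"}

# Constructed sample: three work items of one workflow task. Keys that are
# not in STANDARD_ATTRIBUTES (taskId, activityName, description) stand in
# for other work item data and workflow variables copied into the item.
SAMPLE_WORK_ITEMS: List[Dict[str, object]] = [
    {"name": "#ID#wi-1", "taskId": "#ID#task-1", "activityName": "Approve",
     "itemType": "approval", "request": "Create user jdoe", "owner": "alice",
     "locked": True, "complete": False, "description": "Alice's approval"},
    {"name": "#ID#wi-2", "taskId": "#ID#task-1", "activityName": "Approve",
     "itemType": "approval", "request": "Create user jdoe", "owner": "bob",
     "locked": False, "complete": False, "description": "Bob's approval"},
    {"name": "#ID#wi-3", "taskId": "#ID#task-1", "activityName": "Notify",
     "itemType": "notification", "request": "Create user jdoe",
     "owner": "carol", "locked": True, "complete": True},
]


def parse_name_list(value: Union[str, List[str], None]) -> List[str]:
    """Accept a CSV string or a list of names, as the properties allow."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def related_work_items(
    current: Dict[str, object],
    all_items: List[Dict[str, object]],
    include_related: bool = False,
    related_attributes: Union[str, List[str], None] = None,
    related_filter: Union[str, List[str], None] = None,
) -> List[Dict[str, object]]:
    """Build workItem.related for `current` under the three form properties.

    Without includeRelatedItems only the current item is described. Filter
    attributes are ANDed: a related item is kept only when every named
    attribute equals the current item's value. Requested attributes that are
    not standard are treated as workflow variables and returned only when
    the item actually carries them.
    """
    filters = parse_name_list(related_filter)
    unknown = [f for f in filters if f not in FILTER_ATTRIBUTES]
    if unknown:
        raise ValueError(f"unsupported relatedItemFilter attributes: {unknown}")
    extra = parse_name_list(related_attributes)

    if include_related:
        candidates = [i for i in all_items if i["taskId"] == current["taskId"]]
    else:
        candidates = [current]

    related = []
    for item in candidates:
        if all(item.get(f) == current.get(f) for f in filters):
            entry = {k: item[k] for k in STANDARD_ATTRIBUTES if k in item}
            entry.update({k: item[k] for k in extra if k in item})
            related.append(entry)
    return related
```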
Changing the Repository Lock Timeout for Work Items
The default time-out interval for locking work items in the repository is five minutes. You can change this value by adding the following element to the RelocatedTypes element of the RepositoryConfiguration Configuration object:
<TypeDataStore typeName='WorkItem' lockTimeoutMillis='10000'/>
Top-Level Attributes
The following table lists the top-level WorkItem view attributes.
Table 5-70 WorkItem View Attributes
Attribute | Editable? | Data Type | Required?
id | Read | String |
name | Read | String |
taskId | Read | String |
taskName | Read | String |
processName | Read | String |
activityName | Read | String |
description | Read/Write | String |
owner | Read/Write | String |
complete | Read/Write | Boolean |
variables | | |
workItem | | |
id
Identifies the repository ID of the WorkItem object. Typically generated by Identity Manager and not displayed.
name
Identifies the repository name of the WorkItem object.
taskId
Identifies the repository ID of the workflow TaskInstance. This attribute is used by the system to correlate the work item with the workflow task and must not be changed.
taskName
Identifies the repository name of the workflow TaskInstance. This name is typically set to an informative value and can be displayed. Do not modify it. A typical example task name for a user update would be Updating User jdoe.
processName
Identifies the name of the workflow process definition that contains the manual action.
activityName
Specifies the name of the workflow activity that contains the manual action.
description
Contains a textual description of the work item. Its contents are defined by the workflow process definition. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form.
owner
Identifies the name of the current Identity Manager administrator or user that created the workflow process. This attribute is typically the name of an Identity Manager user. If this work item is assigned to an anonymous user, the name will have the prefix Temp:.
complete
Set to true when the manual action has completed and the workflow is to be resumed. Assignment of the complete attribute must be performed in the Work Item form.
You can edit this Boolean value.
variables
Contains another object whose attributes contain copies of variables from the workflow task. By default, every workflow variable that is in scope when the manual action is activated is copied into the work item. This can be controlled with the Exposed Variables and Editable Variables options in the process definition. Most work item forms display information found under the variables attribute. See the section Using the variables Attribute later in this chapter for more information on using this attribute.
workItem
Specifies additional information about the work item. Contains the following attributes:
views
Contains a list of workflow variables whose values are views. The system uses this attribute to cause view-specific refresh operations when the work item view is refreshed.
Do not change this value.
related
Contains a list of attributes that describe the specified work item.
Table 5-71 Subattributes of the workItem.related Attribute (Work Item View)
Attribute
Description
name
Specifies the repository ID of the work item.
owner
Identifies the owner of the item.
locked
Indicates whether the work item is being edited. A value of true indicates that the work item is currently being edited.
complete
Specifies whether the work item has completed. A value of true indicates that the work item completed.
itemType
Identifies item type as defined by the process. The default is approval.
request
Succinctly describes the purpose of the work item. This description is typically shorter than the value of the description attribute and is often displayed in summary tables.
requester
Identifies the user that initiated the approval.
ignoreTimeOut
Indicates whether the time-out should be ignored. A value of true (assigned by the system) indicates that this is a read-only work item that may time out while being viewed. This is a signal to the system that a check-in failure of the Work Item view should be ignored if the work item no longer exists, rather than displaying an error message. This can be useful for work items that are intended only for status messages that time out immediately so the workflow can continue while the user views the messages.
Do not change this value.
Using the variables Attribute
When writing a work item form, the most common attributes to reference are complete and variables. The complete attribute must be set to the value true in order for the workflow to be resumed. It is typically set by a hidden field in response to pressing button fields with labels such as Approve and Reject.
The variables attribute contains an object whose values are copies of variables from the workflow task. One of the most common workflow variables used in work items is user, which contains a user view. For example, to reference the global.email attribute from a work item form, use the following path expression:
variables.user.global.email
This differs from attribute paths used in a standard user form. First, the entire view is stored in a workflow variable named user, which results in the user. prefix being required in the attribute path. Next, the workflow variables are stored under the variables attribute in the Work Item view, which results in an additional variables. prefix being required in the attribute path.
Because of this nesting of the user view attributes, you cannot use a standard user form with the Work Item view without modification. However, you can define a work item form that references the user form with the base context option.
Example
<Form name='WorkItemForm'>
  <Include>
    <ObjectRef Type='UserForm' name='Default User Form'/>
  </Include>
  <FormRef name='Default User Form' baseContext='variables.user'/>
</Form>
Note
Although in practice the work item form requires additional fields for buttons such as Approve and Reject, you may not want everything displayed by Default User Form displayed in the work item form. Typically, you can factor out the fields in the user form into a form library that can be referenced by both the user forms and the work item forms.
WorkItem List View
Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.
This view handler gathers information about:
The view is used in the Approvals page of the Identity Manager Administrator Interface. The default form used with this view is named Work Item List.
The following table lists the top-level WorkItem List view attributes.
Table 5-72 WorkItem List View Attributes
Attribute | Editable? | Data Type
authType | Read/Write | String
userId | Read | String
user | Read/Write | String
self | Read | Boolean
forwardedUser | Read | Boolean
itemType | Read/Write | String
users | Read | List
userIds | Read | String
forwardingApproverStyle | Read |
forwardingUsers | Read | List
forwardingUserIds | Read | List
workItems | Read/Write | String
selectedWorkItems | Read/Write | String
forwardTo | Read/Write | Boolean
forwardToNow | Read/Write | String
variables | Read/Write | String
action | Read/Write | Boolean
confirm | Read/Write | Boolean
authType
Specifies access to work items by type. For example, there is a built-in authorization type called EndUserRule. All end-users implicitly get access to all rules tagged with the EndUserRule authorization type.
userId
Specifies the name of the Identity Manager user whose work items are contained in the workItem list. Initially, this value is the name of the current session user. The value can be null to indicate that the work items for all controlled users with approver rights should be displayed. This is always the Identity Manager user name, never a display name.
The form must not modify this value. To change users, set the user attribute.
user
Specifies the display name of the Identity Manager user whose work items are listed. This value is the same as userId if display names are not used. The form can modify this value, which causes the system to recalculate the work item list during refresh. A null value indicates that all work items are being displayed.
self
Set to true if the userId is the same as the current session user.
forwardedUser
When set, indicates that the user named by userId has elected to have work items forwarded to another user. The other user is identified by its display name.
users
Lists the display names of Identity Manager users that the current user controls and which have work item capabilities. This value is typically used to build a user select box. If a custom form needs to compute the user list in a different way, specify CustomUserLists as either a view option or a form property.
userIds
Typically null. If you are configured to use alternate display names, then the users list contains display names, and this list contains the true repository names.
forwardingUsers
Lists the display names of Identity Manager users to which the current user can forward work items. This value depends on the value of the ForwardingApproverStyle attribute, which defaults to peers.
itemType
When set, the work items in the list will be filtered to contain only those whose item type matches this value. This gives the WorkItemList view the ability to filter the item list based on the work item type.
forwardingUserIds
Typically null. If you are configured to use alternate display names, then the forwardingUsers list will have display names, and this list will have the true repository names.
workItems
Lists the objects that contain information about the work items for the selected user(s). The object names are the repository IDs of the work items.
workItems[].owner
Specifies the display name of the owner. Set only if user is null and all work items are displayed.
workItems[].request
Supplies a brief description of the object being requested. This value is computed by the WorkItemRequest expression of the manual action in the workflow process.
workItems[].requester
Identifies the display name of the user that made the request.
workItems[].description
Provides a more detailed description of the work item. The value is computed by the WorkItemDescription expression of the manual action in the workflow process. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form.
workItems[].selected
Individual item selection flag. An alternative to selectedWorkItems.
selectedWorkItems
Lists the work item IDs that represent the items to be processed by the next action. An alternative to setting the selected attribute inside the work item object, which is easier for SortingTable components. If both this attribute and individual select flags are set, the value of this attribute takes precedence.
forwardTo
Identifies the name of an Identity Manager user to which all selected work items will be forwarded when the action attribute is set to Forward.
forwardToNow
Similar to forwardTo, but is also an action attribute. It copies its value to forwardTo, sets action to Forward, and processes the refresh as if forwardTo and action had been set independently. Use this attribute if you want the form to process the forwarding immediately after a user is selected from a form component. If you would rather have forwarding controlled with a button, have the form component set the forwardTo attribute and have the button post an action value of Forward.
action
(Boolean) When non-null, initiates an operation on the selected work items.
Valid values include:
If the NoConfirm option is set, the action is processed immediately. Otherwise, Identity Manager waits for the confirm attribute to be set to true. The form is expected to define its own confirmation page rendering.
confirm
(Boolean) Indicates that the operation specified in the action attribute can be performed.
Using the variables Attribute
When editing an individual work item, the form can set work item variables, such as comments, to pass additional information about the approval or rejection into the workflow process for auditing.
You can also set arbitrary work item variables when performing actions in the WorkItemList view. The value of the attribute variables can be set to an object whose attributes will be copied into the work item when it is approved or rejected. For example, if the variables object contains an attribute named comments, the same comments will be saved with every selected work item.
<!-- A field, not a form: its name is the path of the work item variable to set -->
<Field name='variables.comments'>
  <Default>
    <concat>
      <s>Approval performed on </s>
      <invoke class='com.waveset.util.Util' name='dateToString'>
        <new class='java.util.Date'/>
      </invoke>
    </concat>
  </Default>
</Field>
View Options
You can specify the following options when the view is created or refreshed to control the behavior of the WorkItem List view.
userId
Identifies the name of the initial user whose work items are to be displayed. Can be used to override the default, which is the current session user.
CustomUserLists
When set to true, indicates the form will generate both the users and forwardingUsers lists in a custom way and that the view handler should not generate them. Generating these lists can be time-consuming if there are many approvers in the system. If the form does not intend to use the default users and forwardingUsers lists, enable this option.
ForwardingApproverStyle
Specifies the types of administrators whose names will be available in the Forward to list. The value of this attribute defaults to peers. Can be set to one of these values:
Table 5-73 ForwardingApproverStyle View Option Values
Option Value | Description
peers | Specifies administrators at the same organization level as the current user or above
controlled | Specifies administrators in organizations that are controlled by the current user
all | Specifies both controlled and peers
You can set this and other view options as form properties:
<Form...>
  <Properties>
    <Property name='ForwardingApproverStyle' value='peers'/>
  </Properties>
  ...
</Form>
NoUserListCache
When true, indicates that the view handler should not cache the users and forwardingUsers lists but instead recalculate them every time the form is refreshed. Since calculating the user lists can be expensive, it is generally preferred to cache them and refresh only when explicitly instructed by setting the action attribute to Refresh.
UserDisplayName
Can be set to the name of an extended user attribute whose value is to be used instead of the repository name in the user lists. This can also be specified in the UserUIConfig object, but it may be more convenient to set in the form.
NoUserDisplayName
When true, indicates that display names should not be used even if one is specified in the UserUIConfig object. You can set this option in a form to selectively override the UserUIConfig setting.
NoConfirm
When true, indicates that the action specified with the action attribute should be executed immediately without confirmation.
Setting View Options in Forms
View options can be conveniently set in some forms. To set view options in a form, follow these steps. The following procedure uses the WorkItem List view as an example.
In the custom form, you can then specify view options as properties of the form as indicated in the following example.
Example
<Form>
<Properties>
<Property name='CustomUserLists' value='true'/>
</Properties>
...
</Form>
Deferred Attributes
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
When to Use Deferred Attributes
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
Using Deferred Attributes
There are two main steps to defining a deferred attribute:
- Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
- Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario in which the following two resources are created: 1) a resource named LDAP that generates a uid attribute when an account is created; 2) a resource named HR, which contains an attribute named directoryid, whose value is to be the same as uid in the LDAP resource.
The following form fields set the necessary view attributes to define this association.
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Expansion><s>LDAP</s></Expansion>
</Field>
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Expansion><s>uid</s></Expansion>
</Field>
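The ordering requirement and the adapter fallback described above, modelled in Python as an added example (not Identity Manager code). The view paths follow the form given above; the LDAP and HR adapter stand-ins, the generated uid values and the account fetch are constructed here.

```python
# Added example, not Identity Manager code: a model of the substitution the
# provisioning engine performs for deferred attributes. The view paths, the
# adapter stand-ins and the account fetch are all constructed here.
import itertools
import re
from typing import Callable, Dict, List

# accounts[<resource>].deferredAttributes.<attname>.resource|attribute
DEFERRED_PATH = re.compile(
    r"^accounts\[(?P<resource>[^\]]+)\]\.deferredAttributes\."
    r"(?P<attname>[^.]+)\.(?P<part>resource|attribute)$"
)


def collect_deferred(view: Dict[str, str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group deferred paths as {target resource: {attname: {resource, attribute}}}."""
    deferred: Dict[str, Dict[str, Dict[str, str]]] = {}
    for path, value in view.items():
        m = DEFERRED_PATH.match(path)
        if m:
            deferred.setdefault(m["resource"], {}).setdefault(m["attname"], {})[m["part"]] = value
    for target, atts in deferred.items():
        for att, spec in atts.items():
            if {"resource", "attribute"} - spec.keys():
                raise ValueError(f"accounts[{target}].deferredAttributes.{att} needs .resource and .attribute")
    return deferred


def provision(view: Dict[str, str], order: List[str],
              create: Callable[[str, Dict[str, str]], Dict[str, str]],
              fetch: Callable[[str], Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Create accounts in Resource Group order, substituting deferred values just
    before each adapter call. `create` stands for realCreate and returns the
    adapter's _resultsAttributes; `fetch` is the slower fallback account fetch.
    Returns the attributes each adapter was called with."""
    deferred = collect_deferred(view)
    results: Dict[str, Dict[str, str]] = {}
    sent: Dict[str, Dict[str, str]] = {}
    for resource in order:
        prefix = f"accounts[{resource}].attributes."
        attrs = {p[len(prefix):]: v for p, v in view.items() if p.startswith(prefix)}
        for att, spec in deferred.get(resource, {}).items():
            src, src_att = spec["resource"], spec["attribute"]
            if src not in results:
                raise RuntimeError(f"{resource}.{att} needs {src} created first: order the Resource Group")
            value = results[src].get(src_att)
            if value is None:  # adapter did not return it: fetch the account (less efficient)
                value = fetch(src).get(src_att)
            if value is None:
                raise RuntimeError(f"{src} account has no attribute {src_att}")
            attrs[att] = value
        sent[resource] = attrs
        results[resource] = create(resource, attrs)
    return sent


# Constructed stand-ins for the scenario in the text: LDAP generates uid on
# create and returns it in _resultsAttributes; HR copies it into directoryid.
_uid_counter = itertools.count(10001)
CONSTRUCTED_STORE: Dict[str, Dict[str, str]] = {}

def constructed_create(resource: str, attrs: Dict[str, str]) -> Dict[str, str]:
    account = dict(attrs)
    if resource == "LDAP":
        account["uid"] = f"u{next(_uid_counter)}"
    CONSTRUCTED_STORE[resource] = account
    return {"uid": account["uid"]} if resource == "LDAP" else {}

def constructed_fetch(resource: str) -> Dict[str, str]:
    return dict(CONSTRUCTED_STORE.get(resource, {}))

SAMPLE_VIEW = {
    "accounts[LDAP].attributes.cn": "jdoe",
    "accounts[HR].attributes.employeeName": "John Doe",
    "accounts[HR].deferredAttributes.directoryid.resource": "LDAP",
    "accounts[HR].deferredAttributes.directoryid.attribute": "uid",
}
```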
Extending Views
Some views that set specific resource account attributes such as the password or the enable flag allow you to set additional account attributes. For security, however, these extended attributes must be registered.
Attribute Registration
Attributes can be registered in one of two locations:
Table 5-74 Locations for Attribute Registration
Location | Register attributes here if...
AccountAttributeType definition in the resource | ...the attributes you want to update are specific to a particular resource, rather than to all resources of that type.
System Configuration Object | ...you want to make global registrations for all resources of a particular type. These registrations must be done in XML format.
You can register different attributes for different views. For example, you can register the lock attribute for the Password view and the firstname attribute for the Rename view.
Global Registration
To make global registrations (that is, registrations that apply to all resources), add an attribute in the System Configuration object with this path:
updatableAttributes.ViewName.ResourceTypeName
where ViewName is one of Password, Reset, Enable, Disable, Rename, or Delete, and ResourceTypeName is the name of the resource type. The type name all is reserved for registrations that apply to all resources.
The value of this attribute must be a List of Strings. The strings are names of the attributes you want to update.
The following example registers the attribute named delete before action in the Delete (deprovision) view, and the attribute named enable before action in the Enable view, for all resources.
<Attribute name='updatableAttributes'>
  <Object>
    <Attribute name='Delete'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>delete before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
    <Attribute name='Enable'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>enable before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
  </Object>
</Attribute>
Resource-Specific Registration
To make resource-specific registrations, modify the resource object from the Identity Manager Debug page and insert a <Views> subelement in the AccountAttributeType element. <Views> must contain a list of strings whose values are the names of the views in which this attribute can be updated.
<AccountAttributeType name='lastname' mapName='sn' mapType='string'>
  <Views>
    <String>Rename</String>
  </Views>
</AccountAttributeType>
In the view, attributes you want to modify are placed within this object:
resourceAccounts.currentResourceAccounts[ResourceTypeName].attributes
<Field name='resourceAccounts.currentResourceAccounts[OS400ResourceName].attributes.delete before action' hidden='true'>
  <Expansion>
    <s>os400BeforeDeleteAction</s>
  </Expansion>
</Field>
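The registration check that both locations feed, written as an added Python example (not Identity Manager code) for the global and resource-specific registrations above. It parses the updatableAttributes fragment and an AccountAttributeType as shown in the text; the Resource wrapper element, the second AccountAttributeType and the resource type names used in the checks are constructed.

```python
# Added example, not Identity Manager code: decides whether a view may update
# a resource account attribute by combining the two registration locations
# above. The XML fragments are the ones shown in the text; the Resource
# wrapper element and the second AccountAttributeType are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, Set

VIEW_NAMES = {"Password", "Reset", "Enable", "Disable", "Rename", "Delete"}

# Global registrations from the System Configuration object.
SYSTEM_CONFIG_XML = """
<Attribute name='updatableAttributes'>
  <Object>
    <Attribute name='Delete'>
      <Object><Attribute name='all'><List><String>delete before action</String></List></Attribute></Object>
    </Attribute>
    <Attribute name='Enable'>
      <Object><Attribute name='all'><List><String>enable before action</String></List></Attribute></Object>
    </Attribute>
  </Object>
</Attribute>
"""

# Resource-specific registrations (constructed wrapper around the text's element).
RESOURCE_XML = """
<Resource name='Corporate LDAP'>
  <AccountAttributeType name='lastname' mapName='sn' mapType='string'>
    <Views><String>Rename</String></Views>
  </AccountAttributeType>
  <AccountAttributeType name='lock' mapName='nsAccountLock' mapType='string'/>
</Resource>
"""


def parse_global_registrations(xml_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {view: {resource type or 'all': {attribute names}}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "Attribute" or root.get("name") != "updatableAttributes":
        raise ValueError("expected the updatableAttributes Attribute element")
    reg: Dict[str, Dict[str, Set[str]]] = {}
    for view_el in root.findall("./Object/Attribute"):
        view = view_el.get("name")
        if view not in VIEW_NAMES:
            raise ValueError(f"unknown view name {view!r} in updatableAttributes")
        for type_el in view_el.findall("./Object/Attribute"):
            names = {s.text.strip() for s in type_el.findall("./List/String") if s.text}
            reg.setdefault(view, {})[type_el.get("name")] = names
    return reg


def parse_resource_registrations(xml_text: str) -> Dict[str, Set[str]]:
    """Return {attribute name: {views that may update it}} for one resource."""
    root = ET.fromstring(xml_text)
    return {
        att.get("name"): {s.text.strip() for s in att.findall("./Views/String") if s.text}
        for att in root.iter("AccountAttributeType")
    }


def is_updatable(view: str, resource_type: str, attribute: str,
                 global_reg: Dict[str, Dict[str, Set[str]]],
                 resource_reg: Dict[str, Set[str]]) -> bool:
    """Deny by default: allow only attributes registered for this view, either
    globally (for the resource type or for 'all') or on the resource itself."""
    if view not in VIEW_NAMES:
        raise ValueError(f"unknown view name {view!r}")
    by_type = global_reg.get(view, {})
    if attribute in by_type.get("all", set()) or attribute in by_type.get(resource_type, set()):
        return True
    return view in resource_reg.get(attribute, set())
```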