Sun[TM] Identity Manager 8.0 Release Notes
Documentation Additions and Corrections
This section contains new and corrected information that was required after the Identity Manager 8.0 documentation set was published. This information is organized as follows:
Identity Manager 8.0 Administration
This section contains a correction for Sun Identity Manager Administration:
Identity Manager Technical Deployment Overview
This section contains new information and documentation corrections for Sun Identity Manager Technical Deployment Overview:
The following information will be added to, or corrected in, the “Private Labeling of Identity Manager” chapter of the Identity Manager Technical Deployment Overview:
For Identity Manager End User pages, the End User Navigation UserForm in enduser.xml determines how the horizontal navigation bar is displayed. The End User pages contain a userHeader.jsp that contains another JSP named menuStart.jsp. The menuStart.jsp accesses two system configuration objects:
The CSS style classes that determine how the menu is rendered are in style.css.
th#UserListTreeContent_Col0 {
  width: 1px;
}
th#UserListTreeContent_Col1 {
  width: 1px;
}
th#UserListTreeContent_Col2 {
  width: 50%;
}
th#UserListTreeContent_Col3 {
  width: 50%;
}
th#ResourceListTreeContent_Col0 {
  width: 1px;
}
th#ResourceListTreeContent_Col1 {
  width: 1px;
}
th#ResourceListTreeContent_Col2 {
  width: 33%;
}
th#ResourceListTreeContent_Col3 {
  width: 33%;
}
th#ResourceListTreeContent_Col4 {
  width: 33%;
}
You can also resize table columns by clicking and dragging the right border of the column header. If you mouse over the right border of the column header, the cursor will change to a horizontal resize arrow. Left-click and drag the cursor to resize the column. (Resizing ends when you release the mouse button.)
- Customers who want to use custom JavaScript functions specifically in the end user navigation bar (tabs) must reference that form using endUserNavigation. For example, document.forms['endUserNavigation'].elements. (ID-13769)
- The Access Review Dashboard and Access Review Detail Report both show instances of reviews that are recorded in the audit logs. Without database maintenance, the audit logs are never trimmed, and the list of reviews grows. Identity Manager provides the ability to limit the reviews shown to a certain age range. To change this limit, you must customize compliance/dashboard.jsp (for the dashboard) and sample/auditortasks.xml (for the Details report). (The default is to show only reviews that are less than 2 years old.)
Each Periodic Access Review includes a set of UserEntitlement records that were created when the review was run. These records, which accumulate over time, provide valuable historical information about accounts. However, to conserve database space, consider deleting some records. You can delete a record by executing Server Task > Run Task > Delete Access Review. Deleting a review adds new audit log entries that indicate the review is deleted, and deletes all UserEntitlement records associated with the review, which conserves database space.
- Code Example 5-5 contains information that should appear in Code Example 5-4.
Code Example 5-4 should be as follows:
Code Example 5-5 should be as follows:
Code Example 5-5 Changing Tab Panel Tabs
table.Tab2TblNew td {background-image:url(../images/other/dot.gif);background-repeat:repeat-x;background-position:left top;background-color:#CCCCFF;border:solid 1px #8f989f}
table.Tab2TblNew td.Tab2TblSelTd {border-bottom:none;background-image:url(../images/other/dot.gif);background-repeat:repeat-x;background-position:left bottom;background-color:#FFF;border-left:solid 1px #8f989f;border-right:solid 1px #8f989f;border-top:solid 1px #8f989f}
You can now replace the product name string in the browser title bar with a localizable string of your choice.
- Import the following XML file:
Code Example 1 XML to Import
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Configuration name='AltMsgCatalog'>
  <Extension>
    <CustomCatalog id='AltMsgCatalog' enabled='true'>
      <MessageSet language='en' country='US'>
        <Msg id='UI_BROWSER_TITLE_PROD_NAME_OVERRIDE'>Override Name</Msg>
      </MessageSet>
    </CustomCatalog>
  </Extension>
</Configuration>
- Using the Identity Manager IDE, load the System Configuration object for editing. Add a new top-level attribute:
Name = customMessageCatalog
Type = string
Value = AltMsgCatalog
- Open the ui.web Generic Object and look for the browserTitleProdNameOverride attribute. Set this value to true.
- Save this change to the System Configuration object, and restart your application server.
- The instructions for customizing login pages provided in “Customizing Identity Manager End User Pages” should now include the following information about message keys. (ID-16072)
| JSP or Identity Manager Component | Interface Affected | Message Key |
|---|---|---|
| Login Page TITLE | Administrator and User | UI_LOGIN_TITLE_TO_RESOURCE, UI_LOGIN_CHALLENGE |
| Login Page SUBTITLE | Administrator and User | Select a key depending on the login mode: Forgot Password, Forgot User ID, Login Challenge. UI_LOGIN_WELCOME3, UI_LOGIN_WELCOME4, UI_LOGIN_WELCOME5, UI_LOGIN_WELCOME6, UI_LOGIN_CHALLENGE_INFO |
| staticLogout.jsp and user/staticUserLogout.jsp | Administrator and User | UI_LOGIN_TITLE |
| continueLogin.jsp | Administrator | UI_LOGIN_IN_PROGRESS_TITLE, UI_LOGIN_WELCOME |
- The instructions for “Changing the Default ‘Logged in as ...’ Text” should be corrected as follows: (ID-18545)
- The following note should be added after the bulleted deactivateDate information in the “features” section of Appendix A, “Editing Configuration Objects.”
Note
You can set both activateDate and deactivateDate to true, even if userAssignment.manual is not. If you set both attributes to true for a roleType, and if the role is contained by another role optionally, then you can specify activate and deactivate dates when assigning the optional role to a user.
Changing the Default “Logged in as ...” Text
- Import the following XML file:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Configuration name='AltMsgCatalog'>
  <Extension>
    <CustomCatalog id='AltMsgCatalog' enabled='true'>
      <MessageSet language='en' country='US'>
        <Msg id='UI_NAV_FOOT_LOG_AS'>mytext {0}!</Msg>
      </MessageSet>
    </CustomCatalog>
  </Extension>
</Configuration>
- Add the following line to the System Configuration object within the <Configuration><Extension><Object> element:
Identity Manager Workflows, Forms, and Views
This section contains new information and documentation corrections for Sun Identity Manager Workflows, Forms, and Views.
Chapter 1, Identity Manager Workflow
Test Auto Attestation
Use to test new Review Determination rules without creating Attestation work items. This workflow does not create any work items, and simply terminates shortly after it starts. It leaves all User Entitlement objects in the same state that they were created in by the access scan. Use the Terminate and Delete options to clean up the results from access scans run with this workflow.
You can import this stub workflow as needed. (Identity Manager does not import it automatically.)
- Identity Manager Compliance uses workflows as integration and customization points for the application. The default compliance-related workflows are described below. (ID-15447)
| Workflow Name | Purpose |
|---|---|
| Remediation | Remediation for a single Remediator working with a single Compliance Violation |
| Access Review Remediation | Remediation for a single remediator working with a single UserEntitlement |
| Attestation | Attestation for a single Attestor working with a single UserEntitlement |
| Multi Remediation | Remediation for a single Compliance Violation and multiple remediators |
| Update Compliance Violation | Mitigates a Compliance Violation |
| Launch Access Scan | Launch an Access Scan task from an Access Review task |
| Launch Entitlement Rescan | Launch a rescan of an Access Scan for a single user |
| Launch Violation Rescan | Launch a rescan of an Audit Policy Scan for a single user |
- The description of the maxSteps property has been revised as follows: (ID-15618)
Specifies the maximum number of steps allowed in any workflow process or subprocess. Once this level is exceeded, Identity Manager terminates the workflow. This setting is used as a safeguard for detecting when a workflow is stuck in an infinite loop. The default value set in the workflow itself is 0, which indicates that Identity Manager should pull the actual setting value from the global setting stored in the SystemConfiguration object's workflow.maxSteps attribute. The value of this global setting is 5000.
Executes Beanshell or JavaScript based on the script provided. As a task, it can be scheduled to run periodically. For example, you can use it to export data from the repository to a database for reporting and analysis. Benefits include the ability to write a custom task without writing custom Java code. (Custom Java code requires a re-compile on every upgrade and must be deployed to every server. Because the script is embedded in the Scripted Task Executor task, there is no need to recompile or deploy it.)
Chapter 2, Workflow Services
- The Arguments table of the createView Session Workflow Service is incorrect. The following table describes the arguments available in this service. (ID-14201)
Table 1
| Name | Required | Valid Values | Description |
|---|---|---|---|
| op | yes | createView | |
| viewId | yes | | Specifies the type of view to create. |
| options | no | | Specifies view-specific options. The values you can pass are specific to the view being used. The most common is the User view. Options can be found in session.UserViewConstants. The simpler views should declare their option constants in the Viewer.java file. Probably the second most common view used from workflow is ProcessViewer, followed by PasswordViewer, DisableViewer, EnableViewer, and RenameViewer. These have comparatively few options. |
- The description of the disableUser Workflow Service should clarify that the default behavior of this service is to disable the Identity Manager account as well as the resource account. (ID-14572) If you do not want to disable the Identity Manager account, pass the following argument:
The discussion of this method’s arguments should read as follows:
| Name | Required | Valid Values | Description |
|---|---|---|---|
| op | yes | disableUser | |
| accountId | yes | | Identifies the Identity Manager user to disable accounts for. |
| doWaveset | no | true/false | If true, the Identity Manager account is disabled for this user. If not supplied, it defaults to true, and the account is disabled. |
| services | no | | Identifies a list of resources to disable. If this argument is not supplied, all of the user’s resource accounts will be disabled. |
lock Provisioning Workflow Service
Use to lock an object.
| Argument | Required | Description |
|---|---|---|
| subject | no | Indicates the effective subject for the call. If not supplied, Identity Manager uses the task's subject. If the value of this argument is none, Identity Manager performs no authorization. |
| options | no | (Map) A value map of option name/option value pairs. If not supplied, specific arguments below are used. If supplied, any specific arguments below will override the same argument contained in this options map. |
| accountId | no | (String) Identifies the name of the Identity Manager user to lock. |
| adminName | no | (String) Indicates the name of the administrator performing the operation. |
| loginAppName | no | (String) Specifies the login application name. |
| op | yes | Valid value is unlock |
This method returns a null value.
unlock Workflow Service
Use to unlock a locked object.
Table 1
| Argument | Required | Description |
|---|---|---|
| subject | no | (String) Indicates the effective subject for the call. If not supplied, the task's subject is used. If the value of this argument is none, then no authorization is performed. |
| options | no | (Map) A value map of option name/option value pairs. If not supplied, Identity Manager uses the specific arguments below. If supplied, any specific arguments below will override the same argument contained in this options map. |
| accountId | no | (String) Identifies the name of the Identity Manager user to unlock. |
| adminName | no | (String) Indicates the name of the administrator performing the operation. |
| loginAppName | no | (String) Specifies the login application name. |
| doLighthouse | no | (Boolean) Indicates whether or not to unlock the Identity Manager account. |
| doResources | no | (Boolean) Indicates whether or not to unlock the user's resources. |
| doAuthenticators | no | (Boolean) If true, unlocks all pass-through authentication. |
| op | yes | Valid value is unlock. |
This method returns a WavesetResult with the result of the operation.
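The argument semantics described for the disableUser, lock, and unlock services (a subject of none skips authorization, doWaveset defaults to true, specific arguments override the options map) can be checked statically when reviewing exported workflow definitions. The following Python audit is an added example, not part of the Identity Manager documentation. The WFProcess/Activity/Action/Argument layout of the constructed sample, the omission of the Action's application attribute, and the finding labels are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real deployment. The WFProcess/Activity/Action/
# Argument layout is an assumption; argument names and values come from the
# argument tables above. The <map> syntax follows the objectSelector sample
# shown elsewhere on this page.
SAMPLE_WORKFLOW = """
<WFProcess name='Constructed Example'>
  <Activity name='Unlock Without Authorization'>
    <Action>
      <Argument name='op' value='unlock'/>
      <Argument name='subject' value='none'/>
      <Argument name='accountId' value='$(accountId)'/>
      <Argument name='options'>
        <map>
          <s>doAuthenticators</s><Boolean>true</Boolean>
          <s>doResources</s><Boolean>true</Boolean>
        </map>
      </Argument>
      <Argument name='doResources' value='false'/>
    </Action>
  </Activity>
  <Activity name='Disable Resources Only'>
    <Action>
      <Argument name='op' value='disableUser'/>
      <Argument name='accountId' value='$(accountId)'/>
      <Argument name='doWaveset' value='false'/>
    </Action>
  </Activity>
  <Activity name='Disable Everything'>
    <Action>
      <Argument name='op' value='disableUser'/>
      <Argument name='accountId' value='$(accountId)'/>
    </Action>
  </Activity>
</WFProcess>
"""

LITERAL_TAGS = {"s", "Boolean"}
DYNAMIC = "<expression>"  # placeholder for values that cannot be read statically


def literal(node):
    """Return the text of a literal element, or DYNAMIC for any other expression."""
    if node.tag in LITERAL_TAGS:
        return (node.text or "").strip()
    return DYNAMIC


def map_to_dict(map_node):
    """Children of <map> alternate key, value."""
    kids = list(map_node)
    return {literal(k): literal(v) for k, v in zip(kids[0::2], kids[1::2])}


def effective_arguments(action):
    """Merge an Action's arguments; specific arguments override the options map."""
    explicit, options = {}, {}
    for arg in action.findall("Argument"):
        name = arg.get("name")
        if arg.get("value") is not None:
            explicit[name] = arg.get("value")
        elif name == "options" and arg.find("map") is not None:
            options = map_to_dict(arg.find("map"))
        elif len(arg):
            explicit[name] = literal(arg[0])
    return {**options, **explicit}


def is_value(args, name, expected):
    """Case-insensitive comparison of an argument against an expected literal."""
    return str(args.get(name, "")).strip().lower() == expected


def audit_workflow(xml_text):
    """Return (activity, op, finding) tuples for risky argument combinations."""
    findings = []
    for activity in ET.fromstring(xml_text).iter("Activity"):
        where = activity.get("name", "(unnamed)")
        for action in activity.findall("Action"):
            args = effective_arguments(action)
            op = args.get("op", "(no op)")
            # subject=none: no authorization is performed for the call.
            if is_value(args, "subject", "none"):
                findings.append((where, op, "NO_AUTHORIZATION"))
            # unlock with doAuthenticators=true unlocks all pass-through authentication.
            if op == "unlock" and is_value(args, "doAuthenticators", "true"):
                findings.append((where, op, "UNLOCKS_PASS_THROUGH_AUTH"))
            # disableUser defaults doWaveset to true; false leaves the
            # Identity Manager account itself enabled.
            if op == "disableUser" and is_value(args, "doWaveset", "false"):
                findings.append((where, op, "IDM_ACCOUNT_LEFT_ENABLED"))
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Arguments supplied as expressions rather than literals are recorded as `<expression>` and are not flagged, so they still need manual review.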
Used to remove a deferred task from an Identity Manager object. Identity Manager will ensure that the administrator that launched the workflow is authorized to remove the object.
Table 2 removeDeferredTask Method Arguments
| Name | Required | Valid Values | Description |
|---|---|---|---|
| type | no | valid values are the list of types | Specifies the type of the object that the deferred task will be removed from. If not supplied, the type is defaulted to user. |
| name | yes | | Specifies the name of the object that the deferred task will be removed from. |
| task | | | Specifies the name of the TaskDefinition to remove. |
Chapter 3, Identity Manager Forms
Identity Manager auditing and compliance forms provide a feature unique among Identity Manager forms: You can assign a form on a per-user and per-organization basis. Forms assigned on a per-user basis can boost the efficiency of attestation and remediation processing.
For example, you can specify the user form that Identity Manager displays for editing a user in the context of an access review, remediation or a compliance violation remediation. You can specify this user form at the level of user or organization. When Identity Manager re-scans a user in context of an access review re-scan or access review remediation, the re-scan will respect the audit policies as defined in the AccessScan. You can define this to include the continuous compliance audit policies.
Related Information
- See Identity Manager Administration for a discussion of the concepts that support Identity Manager auditing and compliance features as well as the basic procedures for implementing the default auditing and compliance features.
- See Identity Manager Rules in Identity Manager Deployment Tools for a general discussion of rules as well as specific information about remediation rules.
About Auditing-Related Form Processing
Much like userForm and viewUserForm, you can set the form on a specific user, or on an organization, and the user (or all users in the organization) will use that form. If you set a form on both user and organization, the form set on the user takes precedence. (When looking up the form, Identity Manager searches organizations upwards.)
Auditing-related forms behave the same way that the User Form and View User Form work: Each user can designate a specific form to use, and the resolution of which form a specific user should use will honor the user's organization.
Specifying User Forms
The Audit Policy List and Access Scan List forms support a fullView property that causes the form to display a significant amount of data about the elements in the list. Set this property to false to improve the performance of the list viewer.
The Access Approval List form has a similar property named includeUE, and the Remediation List form uses the includeCV property.
Default Auditing-Related Forms
The following table identifies the default auditing-related forms that ship with Identity Manager.
Table 2
| Form Name | Mapped Name | Per-User Control | General Purpose |
|---|---|---|---|
| Access Approval List | accessApprovalList | | Display the list of attestation workitems |
| Access Review Delete Confirmation | accessReviewDeleteConfirmation | | Confirm the deletion of an access review |
| Access Review Abort Confirmation | accessReviewAbortConfirmation | | Confirm the termination of an access review |
| Access Review Dashboard | accessReviewDashboard | | Show the list of all access reviews |
| Access Review Remediation Form | accessReviewRemediationWorkItem | Yes | Renders each UE-based remediation workitem |
| Access Review Summary | accessReviewSummary | | Show the details of a specific access review |
| Access Scan Form | accessScanForm | | Display or edit an access scan |
| Access Scan List | accessScanList | | Show the list of all access scans |
| Access Scan Delete Confirmation | accessScanDeleteConfirmation | | Confirm the deletion of an access scan |
| Access Approval List | attestationList | Yes | Renders the list of all pending attestations. |
| Attestation Form | attestationWorkItem | Yes | Renders each attestation work item |
| UserEntitlementForm | userEntitlementForm | | Display the contents of a UserEntitlement |
| UserEntitlement Summary Form | userEntitlementSummaryForm | | |
| Violation Detail Form | violationDetailForm | | Show the details of a compliance violation |
| Remediation List | remediationList | Yes | Show a list of remediation work items |
| Audit Policy List | auditPolicyList | | Show a list of audit policies |
| Audit Policy Delete Confirmation Form | auditPolicyDeleteConfirmation | | Confirm the deletion of an audit policy |
| Conflict Violation Details Form | conflictViolationDetailsForm | | Show the SOD violation matrix |
| Compliance Violation Summary Form | complianceViolationSummaryForm | | |
| Remediation Form | reviewWorkItem | Yes | Renders a compliance violation. |
Why Customize These Forms?
Attestors and remediators can specify forms that show exactly the detail they need to more efficiently attest and remediate. For example, a resource attestor could show specific resource-specific attributes in the list form to allow them to attest without looking at each specific work item. Because this form would differ depending on the resource type (and thus attributes) involved, customizing the form on a per-attestor basis makes sense.
During attestation, each attestor can look at entitlements from a unique perspective. For example, the idmManager attestor may be looking at the user entitlement in a general way, but a resource attestor is interested only in resource-specific data. Allowing each attestor to tailor both the Attestation-list form and the AttestationWorkItem form to retrieve and display only the information they need can boost the efficiency of the product interface.
Scan Task Variables
The Audit Policy Scan Task and Access Scan Task task definitions both specify the forms to be used when initiating the task. These forms include fields that allow for most, but not all, of the scan task variables to be controlled.
| Variable Name | Default Value | Purpose |
|---|---|---|
| maxThreads | 5 | Identifies the number of concurrent users to work at one time for a single scanner. Increase this value to potentially increase throughput when scanning users with accounts on very slow resources. |
| userLock | 5000 | Indicates time (in mS) spent trying to obtain lock on user to be scanned. If several concurrent scans are scanning the same user, and the user has resources that are slow, increasing this value can result in fewer lock errors, but a slower overall scan. |
| scanDelay | 0 | Indicates time (in mS) to delay between issuing new scan threads. Can be set to a positive number to force Scanner to be less CPU-hungry. |
Calculates a Boolean value. If true, the field and all its nested fields will be ignored during current form processing.
Do not create potentially long-running activities in Disable elements. These expressions run each time the form is recalculated. Instead, use a different form element that will not run as frequently to perform this calculation.
- You can now insert warning (WARNING), error (ERROR), or informational (OK) alert messages into an XPRESS form. (ID-14540, ID-14953)
Note
Although this example illustrates how to insert a Warning ErrorMessage object into a form, you can assign a different severity level.
- Use the Identity Manager IDE to open the form to which you want to add the warning.
- Add the <Property name='messages'> to the main EditForm or HtmlPage display class.
- Add the <defvar name='msgList'> code block from the following sample code.
- Substitute the message key that identifies the message text to be displayed in the Alert box in the code sample string:
<message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE'>
- Save and close the file.
Code Example
<Display class='EditForm'>
  <Property name='componentTableWidth' value='100%'/>
  <Property name='rowPolarity' value='false'/>
  <Property name='requiredMarkerLocation' value='left'/>
  <Property name='messages'>
    <ref>msgList</ref>
  </Property>
</Display>
<defvar name='msgList'>
  <cond>
    <and>
      <notnull>
        <ref>username</ref>
      </notnull>
      <isnull>
        <ref>userview</ref>
      </isnull>
    </and>
    <list>
      <new class='com.waveset.msgcat.ErrorMessage'>
        <invoke class='com.waveset.msgcat.Severity' name='fromString'>
          <s>warning</s>
        </invoke>
        <message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE'>
          <ref>username</ref>
        </message>
      </new>
    </list>
  </cond>
</defvar>
The Hidden display class corresponds to the <input type='hidden'/> HTML component. This component supports only single-valued data types because there is no way to reliably serialize and deserialize multi-valued data types. (ID-16904)
If you have a List that you want to render as a string, you must explicitly convert it to a string. For example:
Chapter 4, Identity Manager Views
Common Attributes
The high-level attributes of the Org view are listed in the following table.
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgName | Read | String | System-Generated |
| orgDisplayName | Read/Write | String | Yes |
| orgType | Read/Write | String | No |
| orgId | Read | String | System-Generated |
| orgAction | Write | String | No |
| orgNewDisplayName | Write | String | No |
| orgParentName | Read/Write | String | No |
| orgChildOrgNames | Read | List | System-Generated |
| orgApprovers | Read/Write | List | No |
| allowedOrgApprovers | Read | List | System-Generated |
| allowedOrgApproverIds | Read | List | System-Generated |
| orgUserForm | Read/Write | String | No |
| orgViewUserForm | Read/Write | String | No |
| orgPolicies | Read/Write | List | No |
| orgAuditPolicies | Read/Write | List | No |
| renameCreate | Read/Write | String | No |
| renameSaveAs | Read/Write | String | No |
orgName
Identifies the UID for the organization. This value differs from most view object names because organizations can have the same short name, but different parent organizations.
orgDisplayName
Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.
orgType
Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.
orgId
Specifies the ID that is used to uniquely identify the organization within Identity Manager.
orgAction
Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.
orgNewDisplayName
Specifies the new short name when you are renaming the organization.
orgParentName
Identifies the full pathname of the parent organization.
orgChildOrgNames
Lists the Identity Manager interface names of all direct and indirect child organizations.
orgApprovers
Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.
allowedOrgApprovers
Lists the potential user names who could be approvers for users added to or modified in this organization.
allowedOrgApproverIds
Lists the potential user IDs who could be approvers for users added to or modified in this organization.
orgUserForm
Specifies the userForm used by member users of this organization when creating or editing users.
orgViewUserForm
Specifies the view user form that is used by member users of this organization when viewing users.
orgPolicies
Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string: Each policy object contains the following view attributes, which are prefixed by orgPolicies[<type>]. <type> represents policy type (for example, Lighthouse account).
orgAuditPolicies
Specifies the audit policies that apply to all member users of this organization.
renameCreate
When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.
renameSaveAs
When set to true, renames this organization using the value of orgNewDisplayName.
Directory Junction and Virtual Organization Attributes
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgContainerId | Read | String | System-generated |
| orgContainerTypes | Read | List | System-generated |
| orgContainers | Read | List | System-generated |
| orgParentContainerId | Read | String | System-generated |
| orgResource | Read/Write | String | yes, if directory junction or virtual organization |
| orgResourceType | Read | String | System-generated |
| orgResourceId | Read | String | System-generated |
| orgRefreshAllOrgsUserMembers | Write | String | No |
orgContainerId
Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).
orgContainerTypes
Lists the allowed resource object types that can contain other resource objects.
orgContainers
Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.
orgParentContainerId
Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).
orgResource
Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).
orgResourceType
Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).
orgResourceId
Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.
orgRefreshAllOrgsUserMembers
If true and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, resource container user membership will not be synchronized, only the resource containers to Identity organizations for the selected organization and all child organizations.
Dynamic Organization Attributes
| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| orgUserMembersRule | Read/Write | String | No |
| orgUserMembersRuleCacheTimeout | Read/Write | String | No |
orgUserMembersRule
Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.
orgUserMembersCacheTimeout
Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.
The discussion of the User view now includes the following discussion of the accounts[Lighthouse].delegates attributes: (ID-15468)
accounts[Lighthouse].delegates
Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item.
accounts[Lighthouse].delegatesHistory
Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth.
This attribute has one unique attribute: selected, which is a Boolean that indicates the currently selected delegate history object.
accounts[Lighthouse].delegatesOriginal
Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation.
All accounts[Lighthouse].delegates* attributes take the following attributes:
| Attributes of accounts[Lighthouse].delegate* Attributes | Description |
|---|---|
| workItemType | Identifies the type of workItem being delegated. See the description of the Delegate Object Model in the Identity Manager Technical Deployment Overview section of this Documentation Addendum for a valid list of workItem types. |
| workItemTypeObjects | Lists the names of the specific roles, resources, or organizations on which the user is delegating future workItem approval requests. This attribute is valid when the value of workItemType is roleApproval, resourceApproval, or organizationApproval. If not specified, this attribute by default specifies the delegation of future workItem requests on all roles, resources, or organizations on which this user is an approver. |
| toType | Type to delegate to. Valid values are: manager, delegateWorkItemsRule, selectedUsers |
| toUsers | Lists the names of the users to delegate to (if toType is selectedUsers). |
| toRule | Specifies the name of the rule that will be evaluated to determine the set of users to delegate to (if toType is delegateWorkItemsRule). |
| startDate | Specifies the date when delegation will start. |
| endDate | Specifies the date when delegation will end. |
Referencing a DelegateWorkItems View Object from a Form
The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:
<Field name='delegates[*].workItemType'/>
<Field name='delegates[*].workItemTypeObjects'/>
<Field name='delegates[*].toType'/>
<Field name='delegates[*].toUsers'/>
<Field name='delegates[*].toRule'/>
<Field name='delegates[*].startDate'/>
<Field name='delegates[*].endDate'/>
where supported index values (*) are workItemType values.
| Name | Editable? | Type | Required? |
|---|---|---|---|
| name | | String | Yes |
| status | | String | Yes |
| user | | String | Yes |
| userId | | String | Yes |
| attestorHint | | String | No |
| userView | | GenericObject | Yes |
| reviewInstanceId | | String | Yes |
| reviewStartDate | | String | Yes |
| scanId | | String | Yes |
| scanInstanceId | | String | Yes |
| approvalWorkflowName | | String | Yes |
| organizationId | | String | Yes |
| attestorComments.name | | String | No |
| attestorComments.attestor | | String | No |
| attestorComments.time | | String | No |
| attestorComments.timestamp | | String | No |
| attestorComments.status | | | No |
name
Identifies the User Entitlement (by a unique identifier).
status
Specifies the state of User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED.
user
Identifies the name of the associated WSUser for this entitlement.
userId
Specifies the ID of the associated WSUser.
attestorHint
Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hint acts as “advice” from the rule to the attestor.
userView
Contains the User view that is captured by User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object.
reviewInstanceId
Specifies the ID of the PAR Task instance.
reviewStartDate
Indicates the (String) start date of the PAR task (in canonical format).
scanId
Specifies the ID of AccessScan Task definition.
scanInstanceId
Specifies the ID of AccessScan Task instance.
approvalWorkflowName
Identifies the name of workflow to be run for approval. This value comes from the Access Scan Task definition.
organizationId
Specifies the ID of the WSUser's organization at the time of the scan.
attestorComments
Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan.
attestorComments[timestamp].name
Timestamp used to identify this element in the list.
attestorComments[timestamp].attestor
Identifies the WSUser name of the attestor making the comment on the entitlement.
attestorComments[timestamp].time
Specifies the time at which the attestor attested this record. May differ from the timestamp.
attestorComments[timestamp].status
Indicates the status assigned by the attestor. This can be any string, but typically is a string that indicates the action taken by the attestor -- for example, approve, reject, rescan, remediate.
attestorComments[name].comment
Contains comments added by attestor.
- The following User view attributes have been deprecated. (ID-15468)
- accounts[Lighthouse].delegateApproversTo
- accounts[Lighthouse].delegateApproversSelected
- accounts[Lighthouse].delegateApproversStartDate
- accounts[Lighthouse].delegateApproversEndDate
- The Delegate Approvers view has been deprecated, but still works for editing Delegate objects whose workItemType is approval.
Chapter 6, XPRESS Language
Chapter 8, HTML Display Components
It can be unwieldy to display many admin roles using the MultiSelect component (either the applet or HTML version). Identity Manager provides a more scalable way of displaying and managing admin roles: the objectSelector field template. (ID-15433)
The Scalable Selection Library (in sample/formlib.xml) includes an example of using an objectSelector field template to search for admin role names that a user can select.
Code Example Example of objectSelector Field Template
<Field name='scalableWaveset.adminRoles'>
  <FieldRef name='objectSelector'>
    <Property name='selectorTitle' value='_FM_ADMIN_ROLES'/>
    <Property name='selectorFieldName' value='waveset.adminRoles'/>
    <Property name='selectorObjectType' value='AdminRole'/>
    <Property name='selectorMultiValued' value='true'/>
    <Property name='selectorAllowManualEntry' value='true'/>
    <Property name='selectorFixedConditions'>
      <appendAll>
        <new class='com.waveset.object.AttributeCondition'>
          <s>hidden</s>
          <s>notEquals</s>
          <s>true</s>
        </new>
        <map>
          <s>onlyAssignedToCurrentSubject</s>
          <Boolean>true</Boolean>
        </map>
      </appendAll>
    </Property>
    <Property name='selectorFixedInclusions'>
      <appendAll>
        <ref>waveset.original.adminRoles</ref>
      </appendAll>
    </Property>
  </FieldRef>
</Field>
How to Use the objectSelector Example Code
- From the Identity Manager IDE, open the Administrator Library UserForm object.
- Add the following code to this form:
<Include>
  <ObjectRef type='UserForm' name='Scalable Selection Library'/>
</Include>
- Select the accounts[Lighthouse].adminRoles field within the AdministratorFields field.
- Replace the entire accounts[Lighthouse].adminRoles with the following reference:
<FieldRef name='scalableWaveset.adminRoles'/>
- Save the object.
When you subsequently edit a user and select the Security tab, Identity Manager displays the customized form. Clicking ... opens the Selector component and exposes a search field. Use this field to search for admin roles that begin with a text string and set the value of the field to one or more values.
To restore the form, import $WSHOME/sample/formlib.xml from Configure > Import Exchange File.
See the Scalable Selection Library in sample/formlib.xml for other examples of using the objectSelector template to manage resources and roles in environments with many objects.
- The discussion of the TabPanel component now contains the following description of the validatePerTab property: (ID-15501)
Consists of three classes: Menu, MenuBar, and MenuItem.
Menu contains the following properties:
- layout - A String with value horizontal or vertical. A value of horizontal generates a horizontal navigation bar with tabs. A value of vertical causes the menu to be rendered as a vertical tree menu with typical node layout.
- stylePrefix - String prefix for the CSS class name. For the Identity Manager End User pages, this value is User.
MenuBar contains the following properties:
MenuItem contains the following properties:
- containedUrls - A List of URL path(s) to JSPs that are "related" to the MenuItem. The current MenuItem will be rendered as "selected" if any of the containedUrls JSPs are rendered. An example is the request launch results page that is displayed after a workflow is launched from the request launch page.
You can set these properties on either a MenuBar or MenuItem:
The following XPRESS example creates a menu with two tabs. The second tab contains two subtabs:
Code Example Implementation of Menu, MenuItem, and MenuBar Components
<Display class='Menu'/>
<Field>
  <Display class='MenuItem'>
    <Property name='URL' value='user/main.jsp'/>
    <Property name='title' value='Home' />
  </Display>
</Field>
<Field>
  <Display class='MenuBar' >
    <Property name='title' value='Work Items' />
    <Property name='URL' value='user/workItemListExt.jsp' />
  </Display>
  <Field>
    <Display class='MenuItem'>
      <Property name='URL' value='user/workItemListExt.jsp'/>
      <Property name='title' value='Approvals' />
    </Display>
  </Field>
  <Field>
    <Display class='MenuItem'>
      <Property name='URL' value='user/otherWorkItems/listOtherWorkItems.jsp'/>
      <Property name='title' value='Other' />
    </Display>
  </Field>
</Field>
ListEditor
Renders an editable list of strings.
Table 3 Properties of the ListEditor Component
| Property | Description |
| --- | --- |
| listTitle | (String) Specifies the label that Identity Manager places next to the ListEditor graphical representation. |
| pickListTitle | (String) Specifies the label to use on the picklist component. |
| valueMap | (Map) Specifies a map of display labels for the values in the list. |
| allowDuplicates | (Boolean) A value of true indicates that Identity Manager allows duplicates in the managed list. |
| allowTextEntry | (Boolean) A value of true indicates that Identity Manager displays a text entry box, along with an add button. |
| fixedWidth | (Boolean) A value of true indicates that the component should be of fixed width (same behavior as Multiselect component). |
| ordered | (Boolean) A value of true indicates that the order of values is important. |
| sorted | (Boolean) A value of true indicates that the values should be sorted in the pick list. If values are multi-valued and not ordered, Identity Manager also sorts the value list. |
| pickValueMap | (List or Map) Specifies a map of display labels for the values in the pick list. |
| pickValues | (List) Specifies the available values in the picklist component. If null, the picklist is not shown. |
| height | (Integer) Specifies preferred height. |
| width | (Integer) Specifies the preferred width. Can be used by the Container as a property of the table cell in which this item is rendered. |
Example
The following example from the Tabbed User Form shows a form field that uses the ListEditor display class:
<Field name='accounts[Sim1].Group'>
  <Display class='ListEditor' action='true'>
    <Property name='listTitle' value='stuff'/>
    <Property name='allowTextEntry'>
      <Boolean>true</Boolean>
    </Property>
    <Property name='ordered'>
      <Boolean>true</Boolean>
    </Property>
  </Display>
  <Expansion>
    <ref>accounts[Sim1].Group</ref>
  </Expansion>
</Field>
This code snippet creates a field where the customer can add groups to or remove them from a user.
Enabling autocomplete for Identity Manager Login Pages
You can enable this feature for the Identity Manager login pages by changing the ui.web.disableAutocomplete system configuration object to true. Identity Manager login pages include login.jsp, continueLogin.jsp, user/login.jsp, and user/continueLogin.jsp.
Identity Manager login forms other than the preceding ones are generated from XPRESS, and you must edit these forms to use the new display property. These forms, which reside in the sample directory, include this property commented out by default.
Appendix A, Form and Process Mappings
- An updated version of this appendix, titled Form and Process Mappings, is included in the same directory as these Release Notes.
- You can access compliance-specific tasks through the mapped names. (ID-15447)
| Process Name | Mapped Name | Description |
| --- | --- | --- |
| Access Review | accessReview | Performs an access review |
| Access Scan | accessReviewScan | Performs an access scan |
| Access Review Rescan | accessReviewRescan | Performs an access rescan |
| Audit Policy Rescan | auditPolicyRescan | Performs an audit policy rescan |
| Abort Access Review | abortAccessReview | Terminates an access review |
| Delete Access Review | deleteAccessReview | Deletes an access review |
| Recover Access Review | recoverAccessReview | Recovers missing access review status objects from audit logs |
Identity Manager Deployment Tools
This section provides corrections and additions to the Identity Manager Deployment Tools documentation:
- The “Using the Identity Manager IDE” chapter (provided in previous releases) has been removed from this book. Instructions for installing and configuring the Identity Manager Integrated Development Environment (Identity Manager IDE) are now provided on https://identitymanageride.dev.java.net. (ID-17700)
Working with the Identity Manager Profiler
Identity Manager provides a Profiler utility to help you troubleshoot performance problems with forms, Java, rules, workflows, and XPRESS in your deployment.
Forms, Java, rules, workflows, and XPRESS can all cause performance and scale problems. The Profiler profiles how much time is spent in these different areas, enabling you to determine if these forms, Java, rules, workflows, or XPRESS objects are contributing to performance and scale problems and, if so, which parts of these objects are causing the problems.
This section explains how to use Identity Manager’s Profiler and provides a tutorial to help you learn how to troubleshoot performance issues in your deployment. The information is organized as follows:
Overview
This section provides an overview of the Identity Manager Profiler’s features and functionality. The information is organized as follows:
Major Features
You can use the Profiler utility to
- Display snapshot results in four different data views:
- Call Tree view provides a tree table showing the call timing and invocations counts throughout the system.
- Hotspots view provides a flattened list of nodes that shows the aggregate call timings regardless of parent.
- Back Traces view provides an inverted call stack showing all the call chains from which that node (known as the root node) was called.
- Callees view provides an aggregate call tree of the root node, regardless of its parent chain.
- Specify what kinds of information to include in your snapshot:
- Manage your project snapshots as follows:
- Save the snapshot in your project’s nbproject/private/idm-profiler directory or to an arbitrary location outside of your project.
Note
You can view a list of all saved snapshots in the Saved Snapshots section of the IDM Profiler view.
- Open snapshots from your project or load them from an arbitrary location outside your project.
- Delete snapshots.
- Search for specific nodes, by name.
How the Profiler Locates and Manages Source
This section describes how the Profiler looks up and manages the source for the following Identity Manager objects:
For Forms, Rules, Workflows, and XPRESS Objects
When you take a snapshot with the Profiler, the server evaluates all of the profiling data and discovers on which sources the data depends. The server then fetches all of these sources from the repository and includes them in the snapshot. Consequently, you can be sure that the Identity Manager objects displayed in the snapshot accurately reflect the point at which the snapshot was captured.
This process adds to the size of the snapshot, but the source size is actually a relatively small fraction of the total size. As a result, you can send a snapshot to Sun’s Customer Support without having to send your source files separately.
For Java Source
When you take a snapshot of Java source, the client downloads the snapshot and then goes through the snapshot to capture all referenced Java sources from the project. When you save the snapshot, the client zips the sources and attaches them to the end of the snapshot.
Then, when you view the snapshot and go to the Java source, the client first checks the content of the snapshot. If the client cannot find the content there, it checks the project’s content. This process allows you to send a snapshot containing profiling data from both your custom Java code and Identity Manager code.
Note
In a Java source snapshot, do not assume the source is up-to-date with the server or always available.
Statistics Caveats
The following sections contain information to consider when you evaluate results provided by the Profiler:
Self Time Statistics
To compute a root node’s Self Time statistic, the Profiler subtracts the times of all children nodes from the root node’s total time.
Consequently, an uninstrumented child node’s time is reflected in the root node’s self time. If a root node has a significant self time, you should certainly investigate why. You might not have the proper methods instrumented and so you are looking in the wrong place.
For example, assume method A calls method B.
Method A takes a total time of 10 seconds (where total time includes the call to B) and the call to B takes a total time of 10 seconds.
If both A and B are instrumented, the call stack reflects that information. You will see that A has a self-time of 0 seconds and that B has a self-time of 10 seconds (where 10 seconds was actually spent in B). If, however, B is not instrumented, you only see that the call to A takes 10 seconds and that A's self-time is 10 seconds. Consequently, you might assume the problem lies directly in A rather than in B.
In particular, you might notice large self times on JSPs during their initial compile. If you reset the collected results and then redisplay the page, the self time value will be much less.
Constructor Calls
Because there are limitations in the Java instrumentation strategy, initial calls to this() or super() will appear as a sibling to the constructor call, rather than as a child. See the following example:
class A
{
    public A()
    {
        this(0);
    }
    public A(int i)
    {
    }
}
and:
class B
{
    public static void test()
    {
        new A();
    }
}
The call tree will look like this:
B.test()
-A.<init>(int)
-A.<init>()
Rather than this:
B.test()
-A.<init>()
-A.<init>(int)
Daemon Threads
Do not be misled by the seemingly large amount of time spent in a number of Identity Manager’s daemon threads, such as ReconTask.WorkerThread.run() or TaskThread.WorkerThread.run(). Most of this time is spent sleeping, while waiting for events. You must explore these traces to see how much time is actually spent when they are processing an event.
Getting Started
This section describes how to start the Profiler and how to work with various features of the Profiler’s graphical user interface. This information is organized as follows:
Before You Begin
Because the Profiler is very memory intensive, you should significantly increase the memory for both your server and the Netbeans Java Virtual Machine (JVM).
- To increase your server’s memory,
- Open the Netbeans window and select the Runtime tab.
- Expand the Servers node, right-click Bundled Tomcat, and select Properties from the menu.
- When the Server Manager dialog displays, clear the Enable HTTP Monitor box on the Connection tab.
- Select the Platform tab, set VM Options to -Xmx1024M, and then click Close.
- To increase the Netbeans JVM memory,
When you are finished, you can start the Profiler as described in the next section.
Starting the Profiler
You can use any of the following methods to start the Profiler from the Identity Manager IDE window:
When you start the Profiler, the Profiler Options dialog displays so you can specify which profiling options you want to use. Instructions for setting these options are provided in Specifying the Profiler Options.
Using the Profiler
This section describes the features of the Profiler graphical user interface, and how to use these features. The information is organized as follows:
Specifying the Profiler Options
The Profiler Options dialog consists of the following tabs:
Use the options on these tabs to indicate which objects to profile and which elements to display in the profile.
After specifying the Profiler options, click OK to start the Profiler. Depending on your project configuration, the Profiler does one of two things:
- If you are using a regular Identity Manager project with an Embedded Identity Manager Instance, the Profiler performs a full build, deploys into the NetBeans application server, and starts the Profiler.
- If you are using a regular Identity Manager project with an External Identity Manager Instance or the remote Identity Manager project, the Profiler attaches to the Identity Manager instance configured for the project.
Mode
The Mode tab provides the following options:
- IDM Objects Only: Select to profile form, rule, workflow, and XPRESS objects. Excludes Java objects from the profile.
- Java and IDM Objects: Select to profile form, Java, rule, workflow, and XPRESS objects.
Note
- The Java and IDM Objects option is not available if you are using a regular Identity Manager project with an external Identity Manager instance or using a remote Identity Manager project.
- You cannot change the Mode option while the Profiler is running. You must stop the Profiler to change the option.
IDM Object Filters
The IDM Object Filters tab provides the following options:
Java Filters
Select the Java Filters tab to
Java filters are method patterns that include or exclude methods based on their canonical method name, where a canonical method name is:
fully-qualified-class-name.method-name(parameter-type-1, parameter-type-2, ...)
Here are a few examples:
If necessary, you can instrument other jars by modifying the following lines in build.xml as appropriate. For example,
<instrument todir="${lighthouse-dir-profiler}/WEB-INF" verbose="${instrumentor.verbose}" includeMethods="${profiler.includes}" excludeMethods="${profiler.excludes}">
  <fileset dir="${lighthouse-dir}/WEB-INF">
    <include name="lib/idm*.jar"/>
    <include name="classes/**/*.class"/>
  </fileset>
</instrument>
By default, the configuration includes all your custom classes and most Identity Manager classes. A number of Identity Manager classes are forcibly excluded because enabling them would break the Profiler.
For example, classes from the workflow, forms, and XPRESS engines are excluded; otherwise, the Profiler would produce an unintelligible snapshot when profiling Java and Identity Manager objects.
Note that Java filters provide much more filtering granularity than IDM Object Filters. Java instrumentation adds significant overhead to the execution time, which can drastically skew the profiling results. Because Identity Manager objects are interpreted rather than compiled, the instrumentation overhead is negligible. So for example, there is basically no reason to exclude workflow A and include workflow B, and so forth.
Note
You cannot modify Java filters while the Profiler is running. You must stop the Profiler before changing Java filters.
Miscellaneous
The Miscellaneous tab provides the following options:
- Prune snapshot nodes where execution time is 0:
- Automatically Open Browser Upon Profiler Start:
- Include Java Sources in Snapshot:
- Enable this option (default) to include Java sources for any Java methods referenced by the profiling data in the Snapshot. You should always use this setting for snapshots in the field. Custom Java is relatively small and it is very valuable to have for support.
- Disable this option only if you are profiling Identity Manager and have the complete Identity Manager source available.
In this situation, you do not want to include the Identity Manager source because it can create extremely large snapshots. (See How the Profiler Locates and Manages Source for more information.)
Working with the IDM Profiler View
The IDM Profiler view consists of the following areas:
Current Project Area
The Current Project area consists of a drop-down menu that lists all of your current projects. Use this menu to select the project you want to profile.
Controls Area
The Controls area contains four icons, as described in the following table:
| Icon | Purpose |
| --- | --- |
| Start Identity Manager Profiler | Starts the Profiler and opens the Profiler Options dialog. |
| Stop Identity Manager Profiler | Stops the Profiler. |
| Reset Collected Results | Resets all of the profile results you collected to this point. |
| Modify Profiling | Re-opens the Profiler Options dialog so you can change any of the settings to modify your current profile results. |
Status Area
The Status area reports whether you are connected to the Host and provides Status information as the Profiler is starting up, running, and stopping.
Profiling Results Area
The Profiling Results area contains two icons, which are described in the following table:
| Icon | Purpose |
| --- | --- |
| Start Identity Manager Profiler | Starts the Profiler and opens the Profiler Options dialog. |
| Reset Collected Results | Resets all of the profile results you collected to this point. |
Saved Snapshots Area
The Saved Snapshots area provides a list of all saved snapshots.
Note
Instructions for saving snapshots are provided in Saving a Snapshot.
In addition, you can use the following buttons to manage these snapshots:
- Open: Click to open saved snapshots in the Snapshot View window.
- Delete: Select a snapshot in the Saved Snapshots list, and then click this button to delete the selected snapshot.
- Save As: Select a snapshot in the list and then click this button to save that snapshot externally to an arbitrary location.
- Load: Click to open a snapshot from an arbitrary location into the Snapshot View window.
Working with the Snapshot View
When you open a snapshot, the results display in the Snapshot View window, located on the upper right side of Identity Manager IDE.
A snapshot provides several views of your data, which are described in the following sections:
Call Tree View
Call Tree view consists of a tree table showing the call timing and invocation counts throughout your system.
This tree table contains three columns:
Top-level nodes are one of the following:
For example, if you viewed the idm/login.jsp URL, you will see a top-level entry for idm/login.jsp. The data displayed in the Time column for this entry represents the total time for that request (or requests). The data displayed in the Invocations column represents the total number of invocations to that page. You can then explore further into that data to see what calls contributed to its time.
Note
The Call Tree also contains Self Time nodes. Self Time values represent how much time was spent in the node itself. (For more information, see Self Time Statistics.)
Hotspots View
Hotspots view provides a flattened list of nodes that shows aggregate call timings regardless of parent.
This view contains the following columns:
Back Traces View
Back Traces view provides an inverted call stack showing all the call chains from where each node was called.
You can use these statistics to answer the question — How much time would I save if I eliminated this particular call chain from this node?
You can access the Back Traces view from any of the other snapshot views by right-clicking a node (known as the root node) and selecting Show Back Traces from the pop-up menu.
Callees View
Callees view provides an aggregate call tree for a node (known as the root node), regardless of its parent chain.
These statistics are helpful if you have a problem area that is called from many places throughout the master call tree and you want to see the overall profile for that node.
You can access the Callees view from any of the other snapshot views by right-clicking a node (known as the root node) and selecting Show Callees from the pop-up menu.
Note
The Time and Invocations data values used in Callees view have the same meaning as those used in Call Tree view.
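The Self Time arithmetic and the Hotspots, Back Traces, and Callees aggregations described above, worked through in Python on the timings from the tutorial's ProfilerTutorialWorkflow1 run. This is an added illustration, not Identity Manager or Profiler code; the Node class, the function names, the 6.25-second request total, and the action placed under activity1 are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    """One call-tree row: name, total time in seconds, invocation count."""
    name: str
    total: float
    invocations: int = 1
    children: list = field(default_factory=list)

    def self_time(self):
        # Self Time = the node's total time minus the total time of its children.
        return self.total - sum(c.total for c in self.children)


def walk(node, path=()):
    """Yield (node, names of its ancestors from the top down) for every node."""
    yield node, path
    for child in node.children:
        yield from walk(child, path + (node.name,))


def hotspots(root):
    """Flattened view: self time and invocations summed per name, any parent."""
    agg = defaultdict(lambda: [0.0, 0])
    for node, _ in walk(root):
        agg[node.name][0] += node.self_time()
        agg[node.name][1] += node.invocations
    rows = [(name, t, n) for name, (t, n) in agg.items()]
    return sorted(rows, key=lambda row: -row[1])


def back_traces(root, name):
    """Inverted stacks: each caller chain that reaches `name` and its time."""
    return [(path[::-1], node.total)
            for node, path in walk(root) if node.name == name]


def callees(root, name):
    """Aggregate call tree of `name`, merged over every parent chain."""
    def merge(dst, src):
        dst.total += src.total
        dst.invocations += src.invocations
        for child in src.children:
            match = next((c for c in dst.children if c.name == child.name), None)
            if match is None:
                match = Node(child.name, 0.0, 0)
                dst.children.append(match)
            merge(match, child)

    merged = Node(name, 0.0, 0)
    for node, path in walk(root):
        # Skip occurrences nested under another `name`: already merged in.
        if node.name == name and name not in path:
            merge(merged, node)
    return merged


def drop_uninstrumented(node, excluded):
    """Copy of the tree as recorded when the names in `excluded` are not
    instrumented: their rows vanish and their time lands in the caller's
    Self Time."""
    kept = []
    for child in node.children:
        pruned = drop_uninstrumented(child, excluded)
        if child.name in excluded:
            kept.extend(pruned.children)  # re-attach instrumented descendants
        else:
            kept.append(pruned)
    return Node(node.name, node.total, node.invocations, kept)


EXAMPLE = "ProfilerTutorialExample.example()"


def invoke_chain():
    return Node("<invoke>", 2.0, 1, [Node(EXAMPLE, 2.0)])


# Constructed sample shaped like the tutorial snapshot (times in seconds).
TUTORIAL = Node("/idm/task/taskLaunch.jsp", 6.25, 1, [
    Node("ProfilerTutorialWorkflow1", 6.0, 1, [
        Node("activity1", 2.0, 1, [Node("action1", 2.0, 1, [invoke_chain()])]),
        Node("activity2", 4.0, 1, [
            Node("action1", 2.0, 1, [invoke_chain()]),
            Node("action2", 2.0, 1, [invoke_chain()]),
        ]),
    ]),
])

if __name__ == "__main__":
    for name, self_t, calls in hotspots(TUTORIAL)[:3]:
        print(f"{self_t:5.2f}s  x{calls}  {name}")
    for chain, seconds in back_traces(TUTORIAL, EXAMPLE):
        print(f"{seconds:.0f}s via {' <- '.join(chain)}")
    blind = drop_uninstrumented(TUTORIAL, {EXAMPLE})
    print("top hotspot without instrumentation:", hotspots(blind)[0])
```

With the Java method left uninstrumented, the same six seconds show up as Self Time on the three <invoke> nodes, which is the misattribution described under Self Time Statistics.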
Using the Pop-Up Menu Options
Right-click any node in Call Tree view or in Hotspots view and a pop-up menu displays with the options described in the following table:
Menu Options
Description
GoTo Source
Select this option to view the XML source for a node that corresponds to a Java method, workflow, form, rule, or XPRESS. For detailed information about this view, see How the Profiler Locates and Manages Source.
Show Back Traces
Select this option to access the Back Traces view. For detailed information about this view, see Back Traces View.
Show Callees
Select this option to access the Callees view. For detailed information about this view, see Callees View.
Find In Hotspots
Select this option to find a node in the Hotspots view. For detailed information about this view, see Hotspots View.
List Options > Sort >
Select this option to
List Options > Change Visible Columns
Select this option to change the columns displayed in the Call Tree or Hotspots list.
When the Change Visible Columns dialog displays, you can select one or more of the following options:
Searching a Snapshot
Use the Search icon, located at the top of the Snapshot View window, to search for nodes by name in the Call Tree view or Hotspots tree.
Alternatively, right-click any node in Call Tree view or Hotspots view and select Find in Call Tree or Find in Hotspots (respectively) from the pop-up menu to search for a node.
Saving a Snapshot
The Profiler provides several options for saving a snapshot. See the following table for a description of these options:
| Icon | Purpose |
| --- | --- |
| Save the Snapshot in the Project icon (located at the top of the Snapshot View window) | Saves the snapshot in the nbproject/private/idm-profiler directory of your project. Snapshots saved in your project are listed in the Saved Snapshots section of the Profiler view. |
| Save the Snapshot Externally icon (located at the top of the Snapshot View window) | Saves a snapshot to an external, arbitrary location. |
| Save As button (located in the Saved Snapshots area) | Saves a snapshot to an external, arbitrary location. |
Tutorial: Troubleshooting Performance Problems
Identity Manager provides a tutorial (profiler-tutorial.zip) to help you learn how to use the Profiler to troubleshoot forms, Java, rules, workflows, and XPRESS.
Step 1: Create an Identity Manager Project
Follow these steps to create an Identity Manager project:
- Select File > New Project.
- When the New Project wizard displays, specify the following, and then click Next:
- Complete the following fields on the Name and Location panel, and then click Next:
- When the Identity Manager WAR File Location panel displays, enter the location of the Identity Manager 8.0 war file. Typically, unzipping this file creates an idm.war file in the same directory.
- Click Next to continue to the Repository Setup panel.
You should not have to change the default settings on this panel; just click Finish. When you see the BUILD SUCCESSFUL message in the Identity Manager IDE Output window, you can extract the Profiler tutorial files. See Step 2: Unzip the Profiler Tutorial for instructions.
Step 2: Unzip the Profiler Tutorial
Unzip profiler-tutorial.zip in the project root. The extracted files include:
<project root>/custom/WEB-INF/config/ProfilerTutorial1.xml
<project root>/custom/WEB-INF/config/ProfilerTutorial2.xml
<project root>/src/org/example/ProfilerTutorialExample.java
<project root>/PROFILER_TUTORIAL_README.txt
You are now ready to start the Profiler.
Step 3: Starting the Profiler
To start the Profiler,
- Use the instructions provided in Before You Begin to increase the memory for your server and Netbeans JVM.
- Use any of the methods described in Overview to start the Profiler.
- When the Profiler Options dialog displays, you can specify profiling options.
- Continue to Step 4: Setting the Profiler Options.
Step 4: Setting the Profiler Options
Note
For detailed information about all of the different Profiler options, see Specifying the Profiler Options.
For the purposes of this tutorial, specify the following Profiler options:
- On the Mode tab, select Java and IDM Objects to profile form, Java, rule, workflow, and XPRESS objects.
- Select the Java Filters tab.
Use the following steps to disable all Identity Manager Java classes except your custom Java classes (in this case, org.example.ProfilerTutorialExample):
- Click OK to run the Profiler.
Note
The Profiler takes a few minutes to complete the first time you run it on a project or if you have recently performed a Clean Project action.
When the Profiler finishes processing, you are prompted to Log In.
- Enter the password configurator, select the Remember Password box, and then click OK to continue.
- When the Identity Manager window displays, log in.
Note
Typically, you should log in to Identity Manager as a different user instead of logging in as configurator again. You are already logged into the Profiler as configurator, and the Identity Manager session pool only allows one entry per user. Using multiple entries can result in the appearance of a broken session pool and might skew your profiling results for finer-grained performance problems.
However, for this simple example the session pool is of no consequence, so you can log in as configurator/configurator.
- In Identity Manager, select Server Tasks > Run Tasks, and then click ProfilerTutorialWorkflow1.
The tutorial might take a few moments to respond.
- Although you could take a snapshot now, you are going to reset your results instead, run the Profiler, run it again, and then take a snapshot.
Note
It is a best practice to run the Profiler a couple of times before taking a snapshot to be sure all the caches are primed, all the JSPs are compiled, and so forth.
Running the Profiler several times enables you to focus on actual performance problems. The only exception to this practice is if you are having a problem populating the caches themselves.
- Return to the IDM Profiler view in the Identity Manager IDE. Click the Reset Collected Results icon in the Profiling Results section (or in the Controls section) to reset all of the results collected so far.
- In Identity Manager, select Server Tasks > Run Tasks again, and click ProfilerTutorialWorkflow1.
- When the Process Diagram displays, return to the Identity Manager IDE and click Take Snapshot in the Profiling Results section.
- The Identity Manager IDE downloads your snapshot and displays the results on the right side of the window.
This area is the Call Tree view. At the top of the Call Tree, you should see a /idm/task/taskLaunch.jsp with a time listed in the Time column. The time should indicate that the entire request took six+ seconds.
- Expand the /idm/task/taskLaunch.jsp node, and you can see that ProfilerTutorialWorkflow1 took six seconds.
- Expand the ProfilerTutorialWorkflow1 node. Note that activity2 took four seconds and activity1 took two seconds.
- Expand activity2.
Note that action1 took two seconds and action2 took two seconds.
- Expand action1 and note that the <invoke> also took two seconds.
- Double-click the <invoke> to open ProfilerTutorialWorkflow1.xml and highlight the following line:
<invoke name='example' class='org.example.ProfilerTutorialExample'/>
You should see that a call to the ProfilerTutorialExample method took two seconds.
Note
You are actually browsing XML source that was captured in the snapshot, rather than source in the project. Snapshots are completely self-contained. (For more information, see How the Profiler Locates and Manages Source.)
- If you return to the Call Tree, you can see that all of the two-second paths lead to this method. (You should see three paths, for a total of six seconds.)
- Select the Hotspots tab (located at the bottom of the Call Tree area) to open the Hotspots view. Notice that ProfilerTutorialExample.example() has a total self time of six seconds.
(For more information about Hotspots, see Hotspots View.)
- Right-click ProfilerTutorialExample.example() and select Show Back Traces from the pop-up menu.
A new Back Traces tab displays at the bottom of the area.
- Expand the ProfilerTutorialExample.example() node on the Back Traces tab to see that this method was called from three places, and that the method took two seconds when it was called from each place.
(For more information about Back Traces, see Back Traces View.)
- Click the Save the snapshot in the project icon to save your snapshot and close it.
If you check the Saved Snapshots section on the IDM Profiler tab, you should see your snapshot. (You might have to scroll down.)
- Select the saved snapshot, and then click Open to re-open it.
Note
You can use the Save As button to save your snapshots externally and use the Load button to load a snapshot from outside your project.
- Close the snapshot again.
Using the Profiler on a Workflow ManualAction
The next part of this tutorial illustrates how to profile a workflow ManualAction.
- In Identity Manager, select Server Tasks > Run Tasks, and then click ProfilerTutorialWorkflow2.
After a few moments, an empty form displays.
- Click Save and the process diagram displays.
- Select Server Tasks > Run Tasks again.
- Return to the Identity Manager IDE IDM Profiler view and click the Reset Collected Results icon in the Profiling Results section.
- Now click ProfilerTutorialWorkflow2 in Identity Manager.
- When the blank form displays again, click Save.
- In the IDM Profiler view, click Take Snapshot.
After a few seconds, a snapshot should display in the Call Tree area. You should see that /idm/task/workItemEdit.jsp took six+ seconds. (This result corresponds to the manual action in the workflow.)
- Expand the /idm/task/workItemEdit.jsp node and note that running all Derivations in the ManualAction form took a total of six seconds.
- Expand the Derivation, displayNameForm, variables.dummy, and <block> nodes.
You should see that the <block> took six seconds and, of that time, the Profiler spent two seconds in each of the three invokes to the ProfilerTutorialExample.example() method.
- You can double-click <block> to view the source.
Identity Manager IDE Frequently Asked Questions (FAQ)
This FAQ answers some commonly asked questions related to using the Identity Manager Integrated Development Environment (Identity Manager IDE). The information is organized into these categories:
Using NetBeans
Q: Which version of NetBeans should I use?
A: Use the NetBeans version referenced in the Identity Manager product documentation provided for the NetBeans plugin version you are using.
Note
Always use the exact version referenced because even patch releases can cause major functionality to break.
Q: The NetBeans plugin was working, I did something, and now it is no longer working. What could be causing this problem?
A: This problem is commonly caused by a corrupt file in your .netbeans directory. Generally, deleting your .netbeans directory and re-installing the NetBeans plugin resolves the problem. (Deleting the .netbeans directory effectively uninstalls the NetBeans plugin. You lose all of your user settings, but the contents of your project will be safe.)
The steps are as follows:
Working with Projects
Q: Building and running a project is taking a very long time, and the Identity Manager IDE seems to be copying a lot of files. What could be causing this problem?
A: This problem can occur for the following reasons:
When you use Clean Project or Clean And Build Project, the Identity Manager IDE deletes the entire image directory, which contains several thousand files. Identity Manager IDE must copy all of these files from idm-staging during the next build.
To use the Identity Manager IDE efficiently, you must understand when to use the Clean commands. Refer to the “When to Use Clean” section in the Identity Manager IDE README.txt file for more information.
Q: Now that I have created an Identity Manager project, what files should be checked into source control?
A: See the “CVS Best Practices” section in the Identity Manager IDE README.txt for information.
Q: What are the best practices for using project management in CVS?
A: See the “CVS Best Practices” section in the Identity Manager IDE README.txt for information.
Q: When are objects imported into the repository?
A: See Working with the Repository for information.
Q: How do I add a new JAR to the project?
A: See the “How to add a new JAR dependency” section in the Identity Manager IDE README.txt.
Working with the Repository
Q: Which repository should I use for my sandbox repository?
A: Use the embedded repository for your sandbox — particularly if you are using Identity Manager 7.1 (or higher), which has an HsSQL repository available. You lose functionality if you do not use the embedded repository.
Refer to the “Working with the Repository” section in the Identity Manager IDE README.txt for more information.
Q: When are objects imported automatically?
A: You have to configure Identity Manager IDE to import objects automatically.
The steps are as follows:
- Select Repository > Manage Embedded Repository from the IdM menu.
- Enable the Automatically Publish Identity Manager Objects option on the Manage Embedded Repository dialog.
Note
This option is not available for Identity Manager Project (Remote) or if you specify your own repository.
- Select Project > Run Project or Project > Debug Project.
The Identity Manager IDE automatically imports all objects that have changed since the last time you ran the project.
Q: What is the most effective way to upload objects?
A: Use one of the following methods to upload modified objects:
Either method uploads the object(s) directly to the server, so there is no cache latency issue and it is much faster than using Run Project or Debug Project. The Upload Objects feature is available regardless of which repository you are using.
Using the Identity Manager IDE Debugger
Q: The Identity Manager IDE Debugger is sluggish. What could be causing this problem?
A: To improve the Debugger’s performance:
Q: I cannot set a breakpoint in the Debugger. What could be causing this problem?
A: The following conditions might prevent you from setting a breakpoint:
The Identity Manager IDE basically ignores any file that starts with a <Waveset> wrapper element because the Identity Manager IDE parses that element as a multi-object file.
The following features do not work on multi-object files:
Basically, all you can do with multi-object files is import them. The only files that should contain <Waveset> wrapper elements are your project’s top-level import files.
Q: I set a breakpoint in the Debugger and it is not suspending on the breakpoint. What could be causing this problem?
A: There are two things to check:
Working with Rules
Q: When developing rules in NetBeans, why is design mode not available for a Rule Library?
A: The design mode functionality is available from the explorer tree in Projects view. Use the following steps:
Identity Manager Tuning, Troubleshooting, and Error Messages
This section provides new information and documentation corrections for Sun Identity Manager Tuning, Troubleshooting, and Error Messages.
- Some tasks have been moved from the adapter to the task package. Update these paths if you have tracing enabled for any of the following tasks, or if you have customized task definitions referencing these packages.
| Old Package Name | New Package Name |
| --- | --- |
| com.waveset.adapter.ADSyncFailoverTask | com.waveset.task.ADSyncFailoverTask |
| com.waveset.adapter.ADSyncRecoveryCollectorTask | com.waveset.task.ADSyncRecoveryCollectorTask |
| com.waveset.adapter.SARunner | com.waveset.task.SARunner |
| com.waveset.adapter.SourceAdapterTask | com.waveset.task.SourceAdapterTask |
- The “Unable to Delete Errors” troubleshooting information previously provided in the “Troubleshooting Identity Manager IDE” section is no longer applicable and has been removed from the book. Now, the NetBeans embedded application server automatically shuts down whenever you perform any of the following project operations: (ID-16851)
- The “Debugging PasswordSync” section has moved from the “PasswordSync” chapter in Identity Manager Administration into the “Tracing and Troubleshooting Identity Manager” chapter in Identity Manager Tuning, Troubleshooting, and Error Messages. (ID-17340)
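To find customized task definitions or trace settings that still reference the old adapter package names listed above, you can scan exported files for them. The following Python script is an added example, not part of the Identity Manager product or its documentation; it assumes the objects have been exported as .xml or .properties files under one directory, and the sample file content and the SARunnerHelper class name are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Class names from the table in these release notes: adapter -> task package.
MOVED = {"com.waveset.adapter." + n: "com.waveset.task." + n for n in (
    "ADSyncFailoverTask", "ADSyncRecoveryCollectorTask", "SARunner", "SourceAdapterTask")}
# Whole class names only: SARunnerHelper or x.com.waveset... must not match.
PATTERN = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, MOVED)) + r")(?!\w)")

# Constructed sample, not a real export; SARunnerHelper is a made-up class.
SAMPLE = """<TaskDefinition name='Sync' executor='com.waveset.adapter.SARunner'/>
<TaskDefinition name='Other' executor='com.waveset.adapter.SARunnerHelper'/>
<TaskDefinition name='Done' executor='com.waveset.task.SourceAdapterTask'/>
"""

def find_stale_refs(root, suffixes=(".xml", ".properties")):
    """Return (file name, line number, old name, new name) per old reference."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for m in PATTERN.finditer(line):
                    hits.append((path.name, line_no, m.group(1), MOVED[m.group(1)]))
    return hits

def rewrite_file(path):
    """Replace old names in one file, keeping a .bak copy; return the count."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    updated, count = PATTERN.subn(lambda m: MOVED[m.group(1)], original)
    if count:
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
        path.write_text(updated, encoding="utf-8")
    return count

def demo():
    """Scan and rewrite the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "custom-tasks.xml"
        target.write_text(SAMPLE, encoding="utf-8")
        before = find_stale_refs(tmp)
        rewrite_file(target)
        return before, find_stale_refs(tmp), target.read_text(encoding="utf-8")

if __name__ == "__main__":
    print(demo()[0])
```

Run find_stale_refs on its own first to review the report, and call rewrite_file only on files you intend to re-import.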
Localization Scope
Historically, Identity Manager does not localize resource objects and functions, primarily because they are mostly samples that get loaded (through init.xml) during initialization of Identity Manager, and because the attributes of object types can vary between actual customer deployments, depending on the level of customizations. Following is a list of areas where users might encounter English: (ID-16349)
Online Help
This section contains documentation corrections for online help.