13 Configuring User Attributes

The Oracle Identity Manager user management feature is configured and customized by using the configuration management feature. Configuration management helps customize the User Management UI and configure the user entity operations and attributes.

In Oracle Identity Manager, there are certain operations involved in the life-cycle management of each entity. Some of the basic operations for the user entity are:

See Also:

"Managing Users" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the operations related to the user entity

Based on the operations performed on an entity, a set of attributes is shown to the user in the Oracle Identity Administration. For example, for searching users through advanced search, a set of searchable user attributes is displayed for performing the search. After the search operation is completed, search results involving a set of attributes are displayed. These attribute sets are managed by using the configuration management feature.

You use the Configuration Management UI in the Oracle Identity Administration to define user entity data structure and configure user management operations and attributes. The availability of configuring attributes in the UI is subject to permissions that are controlled by authorization policies. See "User Management" and "Authenticated Self Service" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about authorization policies for managing users and self service operations.

This chapter describes user configuration management in the following sections:

13.1 Entity Configuration Operations

Entity configuration operations allow you to define the set of attributes for the user entity. You can also add the attribute definitions and modify the existing ones. In addition to the attributes defined by default, you can define your own attributes for the user entity.

Note:

To access the Configuration Management section in the Advanced Administration, the user must have authorization to configure the user attributes. For more details, see "User Management Configuration" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.

Entity configuration operations include:

13.1.1 Listing Entity Attributes

To list the entity attributes in the Configuration Management console:

  1. Log in to the Oracle Identity Manager Advanced Administration.

  2. In the Welcome page, under Configuration, click User Configuration. Alternatively, you can click the Configuration tab, and then click the User Configuration tab.

  3. On the left pane of the console, from the Actions menu, select User Attributes. The User Attributes page is displayed with a table containing all user attributes that are defined in the User.xml configuration file.

    Table 13-1 describes the columns in the User Attributes table:

    Table 13-1 Columns in the User Attributes Table

    | Column | Description |
    |---|---|
    | Category Name | The category to which the attribute belongs. The categorization is used to organize data in the User Management console. Note: For information about each category, see "Performing Category Configuration". |
    | Attribute Names | The unique name for the attribute. It is also used as the caption when this attribute is displayed on the user profile page. |
    | Order in Category | The order of the attributes within the category. The attributes are displayed on the User Management console based on this order. |
    | Attribute Type | Whether the type of the attribute is System or user-defined field (UDF). System attributes cannot be deleted and have restrictions on their modifications. |
    | Backend Data Type | The data type of the attribute in the backend datastore. |
    | Display Type | The display type of the attribute in the User Management console. |


    You can select a row in the User Attributes table, and perform entity configuration operations, such as creating or modifying attributes, which are described in the subsequent sections.

    Note:

    Not every administrator user can access the Configuration Management section in Oracle Identity Manager Administration. The user must have authorization to configure the user attributes.

  4. In the Category Name column, expand a category name by clicking the icon to the left of the category name. The attributes under the category are listed in the Attribute Name column.

13.1.2 Creating Entity Attributes

To create new attributes for an entity:

  1. In the User Attributes page, from the Actions menu, select Create Attribute. The Create Attribute wizard is displayed.

  2. In the Set Attribute Details page of the wizard, enter values in the fields. Table 13-2 lists the fields in the Set Attribute Details page:

    Table 13-2 Fields in the Set Attribute Details Page

    Field LOV Types Description

    Attribute Name

     

    This is the unique name for the attribute. It is also used as the caption when this attribute is displayed on the User profile page.

    Backend Attribute Name

     

    This is the name of the field that will be created in the user backend schema to store the value specified for this attribute while creating or modifying users. Oracle Identity Manager automatically prefixes the Backend Attribute Name with "USR_UDF.".

    Category Name

     

    This is the category name to which the attribute belongs. The categorization is used to organize the data in the UI.

    Note: For information about category configuration, see "Performing Category Configuration".

    Display Type

     

    This indicates the display type of the attribute in the UI. This is an attribute property and is stored in the User.xml file as metadata attachment. The available display types are:

    • String

    • Integer

    • Text Area

    • Check Box

    • Double

    • Date

    • Secret

    • List of Values

    Selecting Display Type sets the appropriate backend and frontend data types.

    Backend data type is the data type of the attribute in the backend datastore. This is stored in the User.xml file along with the attribute definition.

    Frontend data type indicates the data type of the attribute as interpreted by Oracle Identity Manager. This is stored in the User.xml file along with the attribute definition. This is not displayed in the UI.

    See Also: The "Attribute Properties" section for information about properties to be configured for each attribute

    LOV Type

     

    This field is hidden by default. If the display type is selected as List Of Values, then the LOV-related fields are displayed. The LOV Type can be System Generated, Admin Configured, or By Query.

     

    System Generated

    The user can specify existing LOVs. For example:

    1. Select System Generated as the LOV Type.

    2. The LOV Search Options points to the Contains operator by default. In the LOV Code field, enter country, and click Search. The list of available LOV codes matching the search criteria is displayed in the Available LOV Codes list.

    3. Select Lookup.Locations.Country and move to the Selected LOV codes list by clicking the right arrow. Only one LOV code should be moved to this list. Then, click Next, and complete the rest of the steps in the wizard as described in this section.

    After saving the attribute, a drop-down list with country codes is displayed in the user details page.

     

    Admin Configured

    The user can add this LOV. For example:

    1. Select Admin Configured as the LOV Type.

    2. In the LOV Code field, enter level. For a LOV code, you can add multiple LOV options and corresponding LOV descriptions.

    3. In the LOV Options field, enter L1, and in the LOV Options Description field, enter Executive. Then, click Add. The LOV option and description are added and displayed on the page.

    4. To add another value, in the LOV Options field, enter L2, and in the LOV Options Description field, enter Senior Executive. Then click Add.

    5. After adding multiple values, click Next, and complete the rest of the steps in the wizard as described in this section.

    After saving the attribute, a drop-down list with the values specified in the LOV Options Description field is displayed in the user details page.

     

    By Query

    The LOV Code and LOV Options fields are not displayed. Instead, the following fields are displayed:

    - LOV Query: In this field, you can specify any SQL query that is valid in the Oracle Identity Manager database schema.

    - LOV Column to Display: This is a list showing all the columns from the select query. The selected column values are available on clicking a search icon on the pages for creating or modifying the user entity. For example, you might want to display Manager Name instead of Manager Key.

    - LOV Column to Save: This is a list showing all columns from the select query. The selected column value is the one that is saved in the backend store when the user makes a selection in the dropdown available on the pages for creating or modifying the user entity. For example, you can display Manager Name, but want to save Manager Key value.

    Note: A list of values is already defined in the LKU and LKV tables in the database. For administrator specified, the user must specify an LOV code. This is stored in the LKU table. Associated with each code are the list of values. The user must add new values here. These values are stored in the LKV table and are used as this attribute's LOV values. For system generated, the user can search for LOV codes, and then select a code. Values already exist for this code in the LKV table and are used as this attribute's LOV values.

    The following is an example of setting the By Query LOV type:

    1. Select By Query as the LOV Type.

    2. In the LOV Query field, enter SELECT USR_FIRST_NAME as FirstName, USR_LOGIN as UserLogin FROM USR WHERE USR_STATUS = 'Active'.

    3. In the LOV Column to Display list, select FIRSTNAME.

    4. In the LOV Column to Save list, select USERLOGIN and click Next, and complete the rest of the steps in the wizard as described in this section.

    After saving the attribute, a search icon against this attribute is displayed in the user details page. The user can search for and select a value for the attribute. FIRSTNAME is displayed in the user details page and USERLOGIN is saved in the backend store.

    LOV Code

     

    This is the code to identify the LOV. For system-generated LOV, this value must be of an existing LOV code.

    Note: The LOV Code, LOV Options, and LOV Options Description fields are displayed only when Display Type is selected as List Of Values. For other display types, these fields are not displayed.

    LOV Options

     

    This is displayed only if the LOV Type is administrator specified. The user must specify the LOV values here.

    LOV Options Description

     

    These are the descriptive LOV options.


    Note:

    You cannot remove a value from the list of values.

  3. Click Next. The Set the attribute properties page is displayed.

  4. Enter values for the attribute properties. Table 13-3 lists the fields in the Set Properties page:

    Table 13-3 Fields in the Set Properties Page

    | Field | Description |
    |---|---|
    | Read Only Value | Determines if the attribute is a read only attribute |
    | Encryption | Determines if the attribute value is stored in encrypted or clear formats |
    | Visible | Determines if the attribute is displayed on the UI |
    | Attribute Size | The maximum size the attribute value can take |
    | Searchable | Determines if the attribute is searchable |
    | Bulk Updatable | Determines if the attribute can be modified while modifying multiple users at the same time. |
    | Default Value | The default value of the attribute to be displayed on the user details. |


  5. Click Next. The Confirm page of the Create Attribute wizard is displayed with information that you entered for creating the attribute.

  6. Review the attribute information, and then click Save. The MDS schema, which is the User.xml file, and the DB schema are updated with the new attribute. The new attribute added is displayed in the User Management section based on the properties set. See "User Management" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about authorization policies for the user management.

    Note:

13.1.2.1 Attribute Properties

For each attribute, you must configure the following properties:

  • Required: Determines if every user in the repository must have a non-null value for this attribute. For predefined users, the required attributes have values. If you create a user, you must provide a value for the required attribute. An attribute cannot be modified to required unless the attribute has values for all the existing users.

  • Read-Only: Makes an attribute read-only, which means that the attribute cannot be modified irrespective of the authorization policy. Some attributes in the UI must always be read-only. These include the system-controlled attributes and may include custom attributes.

  • System Controlled: Determines if the value can only be set and edited by Oracle Identity Manager.

  • Encrypted: Determines if the value is stored in the repository in reversible encrypted or clear formats.

  • Searchable: Determines if the values can be used in simple as well as advanced searches. An attribute must be configured for use in simple search or advanced search by modifying the search configuration. See "Search Operation Configuration" for information about configuring search operations.

  • Bulk Updatable: Determines if the attribute can be updated during a bulk modify operation.

  • Size: Indicates the max size that the value for this attribute can take.

  • Default Value: The default value of the attribute, which is the value that will be populated in the backend store if no value is provided while creating the user entity.

Note:

When you create a new user-defined attribute (UDF), you must add a corresponding entry in any custom resource bundle. The naming convention for the entry is:

global.udf.BACKEND_UDF_NAME=DESCRIPTION_DISPLAYED_ON_THE_UI

For example: global.udf.USR_UDF_ATT=Attestation

After adding the entry, upload the resource bundle to MDS by using the Upload JAR utility. See "Upload JAR Utility" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about this utility.

13.1.3 Modifying Entity Attributes

The Modify Attribute operation allows you to edit the attributes specific to the user entity. To do so:

  1. In the User Attributes table, select an attribute.

  2. From the Actions menu, select Modify Attribute. The Modify Attribute page is displayed.

  3. On the Modify Attribute page, edit the attribute details and attribute properties. You cannot edit the Attribute Name and Display Type fields. If you are the system administrator, you can edit all fields except Frontend Attribute Name, Backend Attribute Name, and Backend Data Type.

  4. (Optional) Click Preview User Profile to display a preview of the user profile.

    The Preview User Profile feature renders a hypothetical page that contains all available categories and attributes. This feature helps you review the Profile before saving it to the database. Note that a user may not be able to view all of the categories and attributes shown due to user permissions and other constraints.

  5. Click Save to save the changes.

For attributes with default values, only the following modifications can be done:

  • Modifying the default value of the attribute.

  • Modifying the visible property of the attribute.

  • If an attribute has a default value and is nonrequired, then that attribute can be changed to be required. If an attribute is nonrequired and it does not have a default value, then the attribute cannot be changed to required. Therefore, if you have a nonrequired attribute and you wish to change it to required but it does not have a default value, then add a default value to it first, and then you are able to change the attribute from nonrequired to required.

13.1.4 Deleting Entity Attributes

The Delete operation allows you to delete an attribute. To delete an attribute:

  1. In the User Attributes table, select a row.

  2. From the Actions menu, select Delete Attribute. A message box is displayed asking for confirmation.

  3. Click OK. A message is displayed confirming that the attribute is deleted.

On performing the delete operation, the actual attribute in the backend is not deleted. The existing data is not affected and audit logs continue to display the data. The deletion happens only in the MDS schema (User.xml).

Note:

Default attributes cannot be deleted. Only user-defined attributes can be deleted.

13.1.5 Performing Category Configuration

Category configuration allows you to organize the data in the UI. The following categories are available by default:

  • Basic User Information: This contains the user's personal information such as first name, last name, e-mail, and organizational information, for example manager or department.

  • Account Settings: This contains the user login and password information.

  • Account Effective Dates: The dates on which the user account is activated or deactivated.

  • Provisioning Dates: The dates on which the user account is provisioned and deprovisioned.

  • Lifecycle: This is for attributes for user account locked, manually locked, or the date when the account will be automatically deleted. These are not displayed on the UI.

  • System: These include attributes that are used internally by the application, such as login attempts by the user, the date when the user is created, and user password cannot be changed. These are not displayed on the UI.

  • Other User Attributes: This contains the remaining attributes of the user.

  • Custom Attributes: This is an empty category. Attributes are added here by the Deployment Manager while importing from Oracle Identity Manager release 9.1.0 UDFs.

  • Preferences: This contains the attributes that control the user preferences. For example, Locale and Timezone.

You can perform the following category configuration operations:

13.1.5.1 Creating Category

Create category operation allows you to add new categories. To create a new category:

  1. In the User Attributes page, from the Actions menu, select Add Category. The Create Category dialog box is displayed.

  2. In the Category Name field, enter the name of the category.

  3. Click Save to create the category. A message is displayed stating that the category is successfully created.

  4. Click OK.

13.1.5.2 Renaming Category

The category names that are displayed in the UI are taken from the resource bundles. To change the display name of a category, you must change the value in the resource bundle.

13.1.5.3 Deleting Category

You can delete only empty categories. To delete a category:

  1. In the User Attributes page, select an empty category that you want to delete.

  2. From the Actions menu, select Delete Category. A message box is displayed asking for confirmation.

  3. Click OK. A message is displayed that confirms the deletion.

  4. Click OK.

13.1.5.4 Ordering Attributes Within a Category

You can specify the order of the attributes within the category. The attributes are displayed on the User Management section based on this order.

To order the attributes within a category:

  1. In the User Attributes page, select a category whose attributes you want to order.

  2. From the Actions menu, select Order Category Attributes. The Order Category Attributes dialog box is displayed with all the attribute names within the selected category.

  3. Edit the numbers corresponding to each attribute to specify the attribute's order in the category.

  4. Click Save.

13.2 Search Operation Configuration

The search operation allows searching of user entities based on a query provided by the user. You can configure the attributes for the search operation, the search results table, and the full table for simple/advanced search.

Searchable attributes define the set of attributes to which the search string is applied when performing the simple search. By default, the display name, user name, first name, and last name searchable attributes are configured for simple search. The same are configured by default for advanced search.

Result attributes define the set of attributes that is returned by the search operation. You can define the columns to display in the search results, and the subset to display in the limited search result table for simple search.

You can configure the available attributes for use in simple search and advanced search queries. In addition, you can configure the attributes that you want to be displayed in the search results table. To do so:

  1. On the left pane in the User Configuration section, from the Actions menu, select Search Configuration. The User Search Configuration page is displayed, as shown in Figure 13-1:

    Figure 13-1 The Search Configuration Form


  2. In the Simple Search: Search Attributes section, select the attributes that you want to make available for simple search. Click the move and move all icons to add the attributes for simple search. You can also click the remove and remove all icons to remove attributes from the search.

  3. In the Advanced Search: Search Attributes section, select the attributes that you want to make available for advanced search. Click the move and move all icons to add the attributes for advanced search.

  4. In the Search Results Table Configuration section, select the attributes that you want to display in the search results table. Click the move and move all icons to add the attributes for the search results table.

  5. Click Save.

Note:

  • The Modify and Create operations are not configurable to this level. All the attributes are displayed as editable on the User Management UI, with the following exceptions:

    Attributes with property Visible=No
    Attributes with property System Controlled=Yes
    
  • The attributes that are visible, but have the property System Controlled=Yes, are displayed as read only.

  • The final list of attributes displayed on the UI depends on the authorization policies configured.

  • User-defined fields are not displayed in the Available Attributes list for simple search.

13.3 User Configuration Management Authorization

Authorization of the user configuration management is governed by a default authorization policy. Custom authorization policies cannot be created for this feature.

See Also:

"User Management Configuration" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager for information about the default authorization policy for user configuration management

The users that are members of the System Administrators role are authorized to perform all user configuration operations. The operations are defined by the permissions set for the default authorization policy for this feature. Table 13-4 lists the permissions:

Table 13-4 Authorization Permissions

| Permission | Description |
|---|---|
| Create Attribute | Decides if adding attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can add an attribute. |
| Update Attribute | Decides if updating all attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update attributes. |
| Delete Attribute | Decides if deleting an attribute is enabled in the UI for the user. This permission is also used at the API level to decide if the user can delete an attribute. |
| Add Category | Decides if adding categories is enabled in the UI for the user. This permission is also used at the API level to decide if the user can add a category. |
| Order Category Attribute | Decides if updating attributes is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update a category. |
| Delete Category | Decides if deleting categories is enabled in the UI for the user. This permission is also used at the API level to decide if the user can delete a category. |
| Add Derived Attributes | Decides if adding derived attributes is enabled for the user. The option to add derived attributes is available at the API level only. |
| Set Search Attributes | Decides if searching configuration is enabled in the UI for the user. This permission is also used at the API level to decide if the user can update simple search and advanced search, and search table attributes. |


13.4 Synchronizing User-Defined Fields Between Oracle Identity Manager and LDAP

This section describes how to synchronize user-defined fields between Oracle Identity Manager and LDAP. After creating a user-defined field using the Oracle Identity Manager Advanced Administration Configuration Service, you must extend the OVD and OID schema by adding the new attribute before you can synchronize that attribute. For example, assume you created an Oracle Identity Manager attribute named Employee ID and that the corresponding column name in the USR table is USR_EMPLOYEE_ID. You must add the Employee ID attribute to the orclIDXPerson objectclass in both OVD and OID.

See Also:

OVD and OID documentation for information about adding new attributes to the schema.

Use the following steps to synchronize the attribute:

  1. Extend the OVD and OID schemas by adding the employeeid attribute to the orclIDXPerson objectclass in both OVD and OID.

  2. To propagate the attribute value from Oracle Identity Manager to LDAP, perform the following steps:

    1. Export the following file from MDS:

      /metadata/iam-features-ldap-sync/LDAPUser.xml

    2. Add the following entry to the end of the <entity-attributes> tag:

      <attribute name="Employee ID">
        <type>string</type>
        <required>false</required>
        <attribute-group>Basic</attribute-group>
        <searchable>true</searchable>
      </attribute>
      

      Note:

      Oracle Identity Manager does not support provisioning or reconciling Boolean-type attributes to LDAP.

    3. Add the following entry to the end of the <target-fields> tag:

      <field name="employeeid">
        <type>string</type>
        <required>false</required>
      </field>
      
    4. Add the following entry to the end of the <attribute-maps> tag:

      <attribute-map>
        <entity-attribute>Employee ID</entity-attribute>
        <target-field>employeeid</target-field>
      </attribute-map>
      
    5. Import the LDAPUser.xml file back into MDS. After importing, verify that the full path in MDS is /metadata/iam-features-ldap-sync/LDAPUser.xml.

  3. To propagate the attribute value from LDAP to Oracle Identity Manager, perform these steps:

    1. Extend the RA_LDAPUSER table by adding a new column. For example, add the RECON_EMPLOYEE_ID column.

    2. Export the reconciliation profile, /db/LDAPUser from MDS.

    3. Add the following entry to the end of the <reconFields> tag:

      <reconAttr>
        <oimFormDescriptiveName>Employee ID</oimFormDescriptiveName>
        <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xmlns:xs="http://www.w3.org/2001/XMLSchema"
                        xsi:type="xs:string">employeeid</reconFieldName>
        <reconColName>RECON_EMPLOYEE_ID</reconColName>
        <emDataType>string</emDataType>
        <formFieldType/>
        <targetattr keyfield="false" encrypted="false" required="false"
                    type="String" name="usr_employee_id"/>
      </reconAttr>
      
    4. Add the following entry to the end of the <reconToOIMMappings> tag:

      <reconAttr>
        <oimFormDescriptiveName>Employee ID</oimFormDescriptiveName>
        <reconFieldName xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xmlns:xs="http://www.w3.org/2001/XMLSchema"
                        xsi:type="xs:string">employeeid</reconFieldName>
        <reconColName>RECON_EMPLOYEE_ID</reconColName>
        <emDataType>string</emDataType>
        <formFieldType/>
        <targetattr keyfield="false" encrypted="false" required="false"
                    type="String" name="usr_employee_id">
          <Transformation name="OneToOne">
            <Parameter name="employeeid" fieldname="employeeid"/>
          </Transformation>
        </targetattr>
      </reconAttr>
      
    5. Import the XML file back into MDS. After importing, verify that the full path in MDS is /db/LDAPUser.

    6. Export the /db/RA_LDAPUSER.xml file from MDS.

    7. Add the following entry to the end of the <entity-attributes> tag:

      <attribute name="Employee ID">
        <type>string</type>
        <required>false</required>
        <attribute-group>Basic</attribute-group>
        <searchable>true</searchable>
      </attribute>
      
    8. Add this entry to the end of the <target-fields> tag:

      <field name="RECON_EMPLOYEE_ID">
        <type>string</type>
        <required>false</required>
      </field>
      
    9. Add the following entry to the end of the <attribute-maps> tag:

      <attribute-map>
        <entity-attribute>Employee ID</entity-attribute>
        <target-field>RECON_EMPLOYEE_ID</target-field>
      </attribute-map>
      
    10. Import the RA_LDAPUSER.xml file back into MDS. After importing, verify that the full path in MDS is /db/RA_LDAPUSER.xml.
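
The three entries added to LDAPUser.xml (and again to RA_LDAPUSER.xml) must agree with each other: every attribute-map has to name an entity attribute and a target field that are actually defined, and Boolean-type attributes must not be mapped. The following Python check is an added example, not part of the Oracle documentation; the root element name, the "Badge Active" attribute, the `boolean` type value, and exact-string name matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments in this section. The root element
# name, the "Badge Active" attribute and the "boolean" type value are assumptions.
SAMPLE_BAD = """\
<entity-definition>
  <entity-attributes>
    <attribute name="Employee ID">
      <type>string</type>
    </attribute>
    <attribute name="Badge Active">
      <type>boolean</type>
    </attribute>
  </entity-attributes>
  <target-fields>
    <field name=" employeeid">
      <type>string</type>
    </field>
    <field name="badgeactive">
      <type>boolean</type>
    </field>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute>Employee ID</entity-attribute>
      <target-field>employeeid</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>Badge Active</entity-attribute>
      <target-field>badgeactive</target-field>
    </attribute-map>
  </attribute-maps>
</entity-definition>
"""


def _local(tag):
    """Tag name without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def _items(root, container, item):
    """Children named `item` of the first element named `container`."""
    for el in root.iter():
        if _local(el.tag) == container:
            return [c for c in el if _local(c.tag) == item]
    return []


def _text(el, name):
    """Text of the first child named `name`, or '' if absent."""
    return next((c.text or "" for c in el if _local(c.tag) == name), "")


def check_mapping(xml_text):
    """Return (code, detail) findings; an empty list means the file is consistent."""
    if "<!DOCTYPE" in xml_text:  # an MDS export needs no DTD; avoid entity tricks
        raise ValueError("unexpected DOCTYPE, refusing to parse")
    root = ET.fromstring(xml_text)
    findings = []

    def padded(kind, value):
        if value != value.strip():
            findings.append(("WHITESPACE", f"{kind} {value!r}"))

    attrs = {}  # entity attribute name -> declared type
    for a in _items(root, "entity-attributes", "attribute"):
        name = a.get("name", "")
        padded("attribute name", name)
        if name in attrs:
            findings.append(("DUPLICATE", f"attribute {name!r}"))
        attrs[name] = _text(a, "type").strip().lower()

    fields = set()
    for f in _items(root, "target-fields", "field"):
        padded("field name", f.get("name", ""))
        fields.add(f.get("name", ""))

    mapped = set()
    for m in _items(root, "attribute-maps", "attribute-map"):
        src, dst = _text(m, "entity-attribute"), _text(m, "target-field")
        padded("entity-attribute", src)
        padded("target-field", dst)
        if src not in attrs:  # names compared as exact strings (assumption)
            findings.append(("UNKNOWN_ATTRIBUTE", f"map source {src!r}"))
        elif attrs[src] == "boolean":  # Boolean attributes are not synced to LDAP
            findings.append(("BOOLEAN_MAPPED", f"{src!r} -> {dst!r}"))
        if dst not in fields:
            findings.append(("UNKNOWN_FIELD", f"map target {dst!r}"))
        mapped.add(src)

    findings += [("UNMAPPED", f"attribute {n!r}") for n in attrs if n not in mapped]
    return findings


if __name__ == "__main__":
    for code, detail in check_mapping(SAMPLE_BAD):
        print(f"{code:18} {detail}")
```

Run it against the exported file before importing it back into MDS; an empty result means the attribute, field, and map entries line up.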

13.5 Configuration Management Architecture

For all attribute definitions and the Configuration Management pages in the UI, the configuration file for maintaining the user entity attributes is User.xml. This configuration file defines all attributes of user entity and their properties. The mapping of the attribute to the backend attributes or columns is also specified in the file. The attributes to be displayed on the UI are determined based on the attribute properties. For example, if an attribute is system-controlled, then the attribute is not displayed in the UI.

Example 13-1 shows the code for a sample User.xml configuration file:

Example 13-1 Entity XML Definition

<?xml version="1.0" encoding="UTF-8"?>
<schema targetNamespace="http://www.oracle.com/schema/oim/entity/" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.oracle.com/schema/oim/entity/">

  <element name="entity-definition" type="tns:entity-definition-type"/>

  <complexType name="entity-definition-type">
    <all>
      <element name="entity-type" minOccurs="1" maxOccurs="1">
        <complexType>
          <simpleContent>
            <extension base="string">
              <attribute name="child-entity" type="boolean"/>
            </extension>
          </simpleContent>
        </complexType>
      </element>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="provider-instance" type="tns:provider-instance-type" minOccurs="1" maxOccurs="1"/>
      <element name="container-capability" type="tns:container-definition-type" maxOccurs="1" minOccurs="1"/>
      <element name="entity-attributes" maxOccurs="1" minOccurs="1">
        <complexType>
          <sequence>
            <element name="attribute" type="tns:attribute-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
      <element name="target-fields" maxOccurs="1" minOccurs="1">
        <complexType>
          <sequence>
            <element name="field" type="tns:field-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
      <element name="attribute-maps" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="attribute-map" type="tns:attribute-map-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
      <element name="child-entities" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="entity" type="tns:attribute-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
      <element name="metadata-attachment" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="metadata" type="tns:metadata-attachment-type" maxOccurs="unbounded" minOccurs="0"/>
          </sequence>
        </complexType>
      </element>
      <element name="control-attributes" minOccurs="0" maxOccurs="1">
        <complexType>
          <sequence>
            <element name="attribute" minOccurs="1" maxOccurs="unbounded">
              <complexType>
                <sequence>
                  <element name="type" type="string" minOccurs="1" maxOccurs="1"/>
                  <element name="description" type="string" minOccurs="0" maxOccurs="1"/>
                  <element name="required" type="boolean" minOccurs="1" maxOccurs="1"/>
                </sequence>
                <attribute name="name" type="string" use="required"/>
              </complexType>
            </element>
          </sequence>
        </complexType>
      </element>
    </all>
  </complexType>

  <complexType name="provider-instance-type">
    <all>
      <element name="repository-instance" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="provider-type" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="parameters" minOccurs="0" maxOccurs="1">
        <complexType>
          <sequence>
            <element name="parameter" maxOccurs="unbounded" minOccurs="1">
              <complexType>
                <sequence>
                  <element name="value" type="string" maxOccurs="unbounded" minOccurs="1"/>
                </sequence>
                <attribute name="name" type="string"/>
              </complexType>
            </element>
          </sequence>
        </complexType>
      </element>
    </all>
  </complexType>

  <complexType name="parameter-definition-type">
    <all>
      <element name="type" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="required" type="boolean" maxOccurs="1" minOccurs="1"/>
      <element name="multi-valued" type="boolean" maxOccurs="1" minOccurs="0"/>
    </all>
    <attribute name="name" type="string"/>
  </complexType>

  <complexType name="attribute-definition-type">
    <all>
      <element name="type" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="required" type="boolean" maxOccurs="1" minOccurs="1"/>
      <element name="searchable" type="boolean" maxOccurs="1" minOccurs="1"/>
      <element name="MLS" type="boolean" minOccurs="0" maxOccurs="1"/>
      <element name="default-value" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="attribute-group" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="metadata-attachment" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="metadata" type="tns:metadata-attachment-type" maxOccurs="unbounded" minOccurs="0"/>
          </sequence>
        </complexType>
      </element>
    </all>
    <attribute name="name" type="string"/>
  </complexType>

  <complexType name="field-definition-type">
    <all>
      <element name="type" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="required" type="boolean" maxOccurs="1" minOccurs="1"/>
    </all>
    <attribute name="name" type="string"/>
  </complexType>

  <complexType name="attribute-map-definition-type">
    <all>
      <element name="entity-attribute" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="target-field" type="string" maxOccurs="1" minOccurs="1"/>
    </all>
  </complexType>

  <element name="repository-definition" type="tns:repository-definition-type"/>

  <complexType name="repository-definition-type">
    <all>
      <element name="name" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="class" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="parameters" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="parameter-def" type="tns:parameter-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
    </all>
  </complexType>

  <element name="provider-definition" type="tns:provider-definition-type"/>

  <complexType name="provider-definition-type">
    <all>
      <element name="name" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="type" maxOccurs="1" minOccurs="1">
        <complexType>
          <choice>
            <element name="DataProvider" type="string"/>
            <element name="RelationProvider" type="string"/>
          </choice>
        </complexType>
      </element>
      <element name="class" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="parameters" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="parameter-def" type="tns:parameter-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
    </all>
  </complexType>

  <element name="repository-instance">
    <complexType>
      <all>
        <element name="name" type="string"/>
        <element name="type" type="string"/>
        <element name="parameters" maxOccurs="1" minOccurs="0">
          <complexType>
            <sequence>
              <element name="parameter" maxOccurs="unbounded" minOccurs="1">
                <complexType>
                  <sequence>
                    <element name="value" type="string" maxOccurs="1" minOccurs="1"/>
                  </sequence>
                  <attribute name="name" type="string"/>
                </complexType>
              </element>
            </sequence>
          </complexType>
        </element>
      </all>
    </complexType>
  </element>

  <complexType name="container-definition-type">
    <sequence>
      <element name="enabled" type="boolean" maxOccurs="1" minOccurs="1"/>
      <element name="contained-entity" type="string" maxOccurs="unbounded" minOccurs="0"/>
    </sequence>
  </complexType>

  <complexType name="relation-definition-type">
    <all>
      <element name="relation-type" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="description" type="string" maxOccurs="1" minOccurs="0"/>
      <element name="provider-instance" type="tns:provider-instance-type" maxOccurs="1" minOccurs="1"/>
      <element name="entity1" type="tns:relation-entity-type" maxOccurs="1" minOccurs="1"/>
      <element name="entity2" type="tns:relation-entity-type" maxOccurs="1" minOccurs="1"/>
      <element name="relation-attributes" maxOccurs="1" minOccurs="1">
        <complexType>
          <sequence>
            <element name="attribute" type="tns:attribute-definition-type" maxOccurs="unbounded" minOccurs="0"/>
          </sequence>
        </complexType>
      </element>
      <element name="target-fields" maxOccurs="1" minOccurs="1">
        <complexType>
          <sequence>
            <element name="field" type="tns:field-definition-type" maxOccurs="unbounded" minOccurs="0"/>
          </sequence>
        </complexType>
      </element>
      <element name="attribute-maps" maxOccurs="1" minOccurs="0">
        <complexType>
          <sequence>
            <element name="attribute-map" type="tns:attribute-map-definition-type" maxOccurs="unbounded" minOccurs="1"/>
          </sequence>
        </complexType>
      </element>
    </all>
  </complexType>

  <element name="relation-definition" type="tns:relation-definition-type"/>

  <complexType name="relation-entity-type">
    <all>
      <element name="entity-type" type="string"/>
      <element name="attribute" type="string"/>
      <element name="attribute-in-entity" type="string"/>
      <element name="attribute-group" type="string" maxOccurs="1" minOccurs="1"/>
    </all>
  </complexType>

  <element name="datatype-definition" type="tns:datatype-definition-type"/>

  <complexType name="datatype-definition-type">
    <all>
      <element name="name" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="class" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="base-type" type="string" maxOccurs="1" minOccurs="1"/>
    </all>
  </complexType>

  <complexType name="metadata-attachment-type">
    <all>
      <element name="name" type="string"/>
      <element name="value" type="string"/>
      <element name="category" type="string"/>
    </all>
  </complexType>

  <element name="derived-datatype-definition" type="tns:derived-datatype-definition-type"/>

  <complexType name="derived-datatype-definition-type">
    <all>
      <element name="name" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="class" type="string" maxOccurs="1" minOccurs="1"/>
      <element name="parameters" minOccurs="0" maxOccurs="1">
        <complexType>
          <sequence>
            <element name="parameter" maxOccurs="unbounded" minOccurs="1">
              <complexType>
                <sequence>
                  <element name="value" type="string" maxOccurs="1" minOccurs="1"/>
                </sequence>
                <attribute name="name" type="string"/>
              </complexType>
            </element>
          </sequence>
        </complexType>
      </element>
    </all>
  </complexType>

</schema>

The entity XML files are stored in MDS. When a new attribute is added, the database schema is updated along with the entity XML in MDS. The configuration service APIs can be used to fetch the attribute information and can be leveraged while building a custom UI.
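Because an entity XML file exported from MDS is edited by hand before it is imported again, a consistency check on its attribute maps is a useful pre-import step. The following Python sketch is an added example, not Oracle code: it reads an entity definition shaped after the schema in Example 13-1 and reports attribute maps that name an undeclared attribute or target field, or whose values carry surrounding whitespace (the schema's string type preserves it). The sample document, the function names, and the finding labels are constructed for illustration, and the code assumes unqualified child elements, as a schema with no elementFormDefault implies.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped after Example 13-1 (not a real User.xml); elements the
# check does not read, such as provider-instance, are omitted for brevity.
SAMPLE = """<tns:entity-definition xmlns:tns="http://www.oracle.com/schema/oim/entity/">
  <entity-type>User</entity-type>
  <entity-attributes>
    <attribute name="Employee ID"><type>string</type></attribute>
    <attribute name="Cost Center"><type>string</type></attribute>
  </entity-attributes>
  <target-fields>
    <field name="RECON_EMPLOYEE_ID"><type>string</type></field>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute>Employee ID</entity-attribute>
      <target-field> RECON_EMPLOYEE_ID </target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>Badge Number</entity-attribute>
      <target-field>RECON_BADGE</target-field>
    </attribute-map>
  </attribute-maps>
</tns:entity-definition>"""

def _names(root, container, child):
    """Collect the name= values of <child> elements under <container>."""
    return {e.get("name") for e in root.findall(f"./{container}/{child}")}

def audit_attribute_maps(xml_text):
    """Return a sorted list of (issue, value) findings for the attribute maps."""
    root = ET.fromstring(xml_text)
    checks = (
        ("entity-attribute", _names(root, "entity-attributes", "attribute"), "undeclared-attribute"),
        ("target-field", _names(root, "target-fields", "field"), "undeclared-field"),
    )
    findings = []
    for amap in root.findall("./attribute-maps/attribute-map"):
        for tag, declared, issue in checks:
            raw = amap.findtext(tag, default="")
            if raw != raw.strip():            # padding survives schema validation
                findings.append(("padded-value", raw))
            if raw.strip() not in declared:   # map points at nothing declared
                findings.append((issue, raw.strip()))
    return sorted(findings)

if __name__ == "__main__":
    for issue, value in audit_attribute_maps(SAMPLE):
        print(f"{issue}: {value!r}")
```

An empty result means every map resolves to a declared attribute and field with no padded values; any finding is worth resolving before the file goes back into MDS.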