Chapter 3
Working with Variable Namespaces
This chapter provides an overview of common Identity Manager tasks and processes, how they are typically used, and the namespace in which they run.
The information is organized as follows:
Active Sync
The following table provides information about the common Identity Manager processes or tasks related to the Active Sync category:
Table 3-1 Active Sync Processes/Tasks
|
Process or Task Running
|
How it is Used
|
Namespace
|
|
ActiveSync IAPIUser
|
- Processes user-related changes on a particular resource.
- Performs actions directly on the full User view before launching the designated workflow process.
|
Merges attributes from the ActiveSync event into the User view.
Typical attributes on the Input Form include:
- accounts[*].*
- waveset.*
- accountInfo.*
- activeSync.<LHS Attr Name>
- activeSync.resourceName
- activeSync.resourceId
- activeSync.resource
- display.session
(session for Proxy Admin)
- global.<LHS Attr Name>
(if set globals flag is set on resource)
|
|
ActiveSync IAPIProcess
|
- Processes generic events on a resource by creating a Process view.
- Top-level fields in Process view are arbitrary inputs to the task.
- Collects attributes related to launching the task under the global attribute.
- Writes the workflow to retrieve inputs from under global rather than as top-level attributes.
|
Launches the specified task with ActiveSync poll attributes dumped into top-level workflow global attribute.
Workflow attributes assume the form:
global.<LHS Attr Name>
|
Interactive Edits
The following table provides information about the common Identity Manager processes or tasks related to the interactive edits category:
Table 3-2 Interactive Edits Processes/Tasks
|
Process or Task Running
|
How it is Used
|
Namespace
|
|
Administrator Interface Forms
|
View/form interactions through the Administrator Interface JSPs for launching requests (no workflow has been launched yet)
Does not apply to approval pages
|
The view is edited directly, so typical attribute names of the form:
|
|
WorkItems
|
Launched using the <ManualAction> directive. Applies to both custom tasks and administrator approvals.
The form associated with a specified workflow can set the base context to variables.user. This eliminates the need to put user.variables in the variable name.
|
The WorkItem is the name space, so typical attribute names of the form:
- complete (WorkItem attribute)
- variables.* (task variables)
- variables.<view>.accounts[*].*
- variables.<view>.waveset.*
- variables.<view>.accountInfo.*
- :display.session (session for Owner)
|
|
Role-defined Assigned Resource Attribute Value Rule
|
Rule is attached to Role definitions and evaluated when the view is refreshed to assign values to resource account attributes.
|
Regardless of the calling context, the rule is applied directly to the view. Consequently, expect typical view attribute names of the form:
- accounts[*].*
- waveset.*
- accountInfo.*
|
Load Operations
The following table provides information about the common Identity Manager processes or tasks related to the load operations category:
Table 3-3 Load Operations Processes/Tasks
|
Process or Task
|
How it is Used
|
Namespace
|
|
Load from File
|
Retrieves account information from a CVS or XML file (invoked through Administrator Interface).
Identity Manager reads a WSUser object from a file, converts it to the User view, and applies the form. The attributes are processed as if they were extended attributes of the Identity Manager user. Attributes are put in accounts[Lighthouse] and will only be put under the global attribute if the form defines global fields for each of them.
|
All attribute values for each line in the file are pulled into the global namespace:
global.<attr name>
Note: Applies to create operations only.
|
|
Load from Resource
|
Retrieves account information from a particular resource (invoked through Administrator Interface and uses an adapter to list and fetch accounts).
|
All attribute values for each account on the resource are pulled into the global namespace.
global.<LHS Attr Name>
Note: Applies to create operations only.
|
|
Bulk Operations
|
Retrieves commands and User view data from a CVS file (invoked through Administrator Interface).
You can specify any attribute in the User view namespace. Attribute names are specified using the view path syntax. See “Understanding the User View” in the Identity Manager Technical Deployment Overview for more information about the User view namespace and view path syntax
|
Attribute values from the file are pulled into the global namespace:
- accounts[*].*
- waveset.*
- accountInfo.*
- global.*
Note: There is no authorized session available.
|
|
|
Note
|
Identity Attributes can now be applied during Load from File and Load from Resource operations when you add Load from File and Load from Resource to the list of enabled applications for the identity attributes.
When enabled for Load from File and Load from Resource, these pages do not display options for selecting a User Form, Update Attributes, or Merge Attributes. If you select Update Accounts, Identity Manager fully processes all identity attributes and re-provisions accounts. Otherwise, only those attributes that are sourced from the resource being loaded (and flow to the identity user) are processed.
During Reconciliation, Identity Manager applies identity attributes only for the following Reconciliation Responses:
- Create user based on resource account
- Create resource account for user
|
|
Reconciliation Rules
The following table provides information about the common Identity Manager processes or tasks related to the reconciliation rules category:
Table 3-4 Reconciliation Rules Processes/Tasks
|
Process or Task Running
|
How it is Used
|
Namespace
|
|
Correlation Rule
|
Invoked during reconciliation to associate a resource account with one (or more) Identity Manager users
|
All attribute values for the resource account defined in the schema are provided in the form
account.<LHS Attr Name>
Returns:
- Matching Identity Manager user name
- List of AttributeConditions or WSAttributes that are used to search for matching Identity Manager user
|
|
Confirmation Rule
|
Invoked during reconciliation if the Correlation Rule results in multiple matches. The resource account is compared against each correlated Identity Manager user.
|
All attribute values for the resource account and all attributes in the user view are provided in the form:
- account.<LHS Attr Name>
- user.accounts[*].*
- user.waveset.*
- user.accountInfo.*
Returns: Logical true or false (1 or 0) depending on whether there is a match
|
|
|
Note
|
Identity Attributes can now be applied during Reconciliation operations if you add Reconciliation to the list of enabled applications for the identity attributes.
When enabled for Reconciliation, these pages do not display options for selecting a User Form, Update Attributes, or Merge Attributes. If you select Update Accounts, Identity Manager fully processes all identity attributes and re-provisions accounts. Otherwise, only those attributes that are sourced from the resource being loaded (and flow to the identity user) are processed.
During Reconciliation, Identity Manager applies identity attributes only for the following Reconciliation Responses:
- Create user based on resource account
- Create resource account for user
|
|
SPML
The following table provides information about the common Identity Manager processes or tasks related to the SPML category:
Table 3-5 SPML Processes/Tasks
|
Process or Task Running
|
How it is Used
|
Namespace
|
|
Person object class
|
Generic implementation of SPML interface. SPMLPerson Form, identified in SPML Configuration object, specifies mapping from a flat namespace of SPML schema to view attributes.
|
Pairs of mapping fields provided in form. Fields with
- <Derivation> expressions set response schema attribute to view attribute. Fields with Derivations will have flat names, but reference view paths in their derivation expression.
- <Expansion> expressions push request schema attribute to view attribute. Fields with Expansions will have path names, but reference flat names in their Expansion expression.
The namespace for the view attribute consists of the accounts, waveset, accountInfo namespace attributes. The namespace of SPML schema attributes consists of a flat namespace.
|
|
Any request with form parameter set to view
|
No form processing
|
View attributes are set directly:
- accounts[*].*
- waveset.*
- accountInfo.*
|
X.509 Integration
The following table provides information about the common Identity Manager processes or tasks related to the X.509 integration category:
Table 3-6 X.509 Integration Processes/Tasks
|
Process or Task Running
|
How it is Used
|
Namespace
|
|
Login Correlation Rule
|
Provides mechanism for resolving conflicting Identity Manager user entries (rule incorporates standard X.509 certificate).
|
Provide standard certification fields plus critical and non-critical extension properties. Certification properties assume the form cert.<field name>.<subfield name>:
- cert.subjectDN
- cert.issuerDN
Note: There is no authorized session available.
Returns:
|
|
New User Name Rule
|
If no user is correlated using Login Correlation Rule, provides mechanism for setting the name for a new Identity Manager user from the certification information.
|
See Login Correlation Rule
Returns: name (or accountId) to use for the Identity Manager user
|
Miscellaneous Variable Contexts
The following table provides information about the common Identity Manager tasks or processes related to the miscellaneous variable contexts category:
Table 3-7 Miscellaneous Variable Contexts Processes/Tasks
|
Process or Task Running
|
How It is Used
|
Namespace
|
|
Launch Forms
|
Embedded in a TaskDefinition for the purpose of initializing the Executor
|
Any field elements specified are assimilated directly into the task context, and, if launching a workflow task, are available as top-level variables.
|
|
User Members Rule
|
Defined specifically for organizations that must dynamically return the list of member users.
This rule cannot fetch against the repository. Instead, it is limited to FormUtil.getResourceObjects calls, such as finding all the entries in a specified directory OU.
|
User view of authenticated administrator (no resource account attributes fetched) plus the administrator’s session:
|
