Sun Java[TM] System Identity Manager 7.1 Resources Reference
BridgeStream SmartRoles
The BridgeStream SmartRoles adapter provisions users in SmartRoles. The adapter places these users in the appropriate organizations within SmartRoles so that SmartRoles can determine which business roles those users should have.
When retrieving a user from SmartRoles, the adapter retrieves the user's business roles. These business roles can be used within Identity Manager to determine the Identity Manager roles, resources, attributes, and access that user should be assigned.
Additionally, SmartRoles can be a source of user changes using Active Sync. You can load SmartRoles users into Identity Manager and reconcile them.
The BridgeStream SmartRoles resource adapter is defined in the com.waveset.adapter.SmartRolesResourceAdapter class.
Resource Configuration Notes
None
Identity Manager Installation Notes
The SmartRoles adapter is a custom adapter. You must perform the following steps to complete the installation process:
- To add a SmartRoles resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SmartRolesResourceAdapter
- Copy the following jar files from the SmartRoles installation directory (SR_install_dir/Foundation/lib) to $WSHOME/WEB-INF/lib:
- Copy the following files from the SR_install_dir/Foundation/config directory to the $WSHOME/WEB-INF/classes directory:
- Edit the log4j.properties file to specify the path to the log files in the log4j.appender.debuglog.File and log4j.appender.logfile.File properties. Both properties can specify the same file.
- Set the following Java system properties in the JVM running Identity Manager:
Note
If you need to specify these properties on the JVM command line, use the -D option to set the properties as follows:
-Djava.security.auth.login.config=PathToBridgestream_jaas.config
-DbrLoggingConfig=PathTolog4j.properties
-DbrfConfig=PathTofoundation_config.xml and foundation_config.dtd files
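The steps above leave the adapter depending on four files that the JVM must be able to find, and two of them (the JAAS configuration and foundation_config.xml) carry the settings used to reach the SmartRoles repository. The following Python script is an added pre-flight check, not part of the Sun documentation or of the adapter: it verifies that each file is present and not world-readable, confirms that both log4j File properties are set, and prints the -D options to paste into the JVM command line. It assumes the four files sit together in one directory and that brfConfig takes the path of foundation_config.xml with the DTD beside it (the text above gives only a placeholder, so confirm this against the SmartRoles documentation); the file contents written by demo() are constructed placeholders.

```python
"""Added pre-flight check for the SmartRoles adapter files and JVM options."""
import os
import stat
import tempfile

# System property -> file it must point at (from the installation steps above).
# Assumption: brfConfig is given the path of foundation_config.xml; the DTD
# is expected beside it and is checked separately below.
REQUIRED = {
    "java.security.auth.login.config": "bridgestream_jaas.config",
    "brLoggingConfig": "log4j.properties",
    "brfConfig": "foundation_config.xml",
}
LOG4J_FILE_KEYS = ("log4j.appender.debuglog.File", "log4j.appender.logfile.File")


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def world_readable(path):
    """True if 'other' can read the file (these files hold connection settings)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def check_config_dir(config_dir):
    """Return (jvm_options, problems) for a directory holding the copied files."""
    options, problems = [], []
    for prop, filename in REQUIRED.items():
        path = os.path.join(config_dir, filename)
        if not os.path.isfile(path):
            problems.append(f"missing {filename}")
            continue
        if world_readable(path):
            problems.append(f"{filename} is world-readable")
        options.append(f"-D{prop}={path}")
    if not os.path.isfile(os.path.join(config_dir, "foundation_config.dtd")):
        problems.append("missing foundation_config.dtd")
    log4j = os.path.join(config_dir, "log4j.properties")
    if os.path.isfile(log4j):
        with open(log4j, encoding="utf-8") as fh:
            props = parse_properties(fh.read())
        for key in LOG4J_FILE_KEYS:
            if not props.get(key):
                problems.append(f"{key} is not set in log4j.properties")
    return options, problems


def demo():
    """Run the check on a constructed directory (placeholder contents only)."""
    d = tempfile.mkdtemp()
    files = {
        "bridgestream_jaas.config": "// constructed placeholder, not a real JAAS entry\n",
        "log4j.properties": "log4j.appender.debuglog.File=/var/log/idm/smartroles.log\n"
                            "# logfile.File deliberately left unset\n",
        "foundation_config.xml": "<config/>\n",
        "foundation_config.dtd": "<!ELEMENT config EMPTY>\n",
    }
    for name, body in files.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
    # Deliberately too permissive, so the check has something to report.
    os.chmod(os.path.join(d, "foundation_config.xml"), 0o644)
    return check_config_dir(d)


if __name__ == "__main__":
    opts, probs = demo()
    print(" ".join(opts))
    print("\n".join(probs))
```

Run it against the real directory with check_config_dir(path) after copying the files; an empty problems list means the JVM options it prints can be used as-is.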
Usage Notes
This section provides information related to using the SmartRoles resource adapter.
General Notes
The following general notes are provided for this resource:
Complex Attribute Support
Identity Manager introduced a new complex attribute type that enables the SmartRoles adapter to support complex attributes. The complex attribute type is used when an attribute value is more complicated than a single value or list of values. This new complex type is used with the following attributes:
The attribute value for a complex attribute is an instance of the new com.waveset.object.GenericAttribute class. The GenericAttribute instance wraps a GenericObject instance containing the real attribute value information. The GenericObject stores attributes and values in a hierarchy that can be set and retrieved using path expressions.
Note
For more information about using GenericObjects, see the “Generic Object Class” section in Sun Java System Identity Manager Workflows, Forms, and Views.
ResourceAction Support
Although the adapter does not support before and after actions, it does support running actions using the runResourceAction Provision Workflow Service. You can write a SmartRoles action in JavaScript or BeanShell, and it can call the SmartRoles APIs to perform custom behavior as part of a workflow. Because the script runs inside the Identity Manager JVM with the adapter's SmartRoles session, treat ResourceAction objects as privileged code and limit who can create or edit them. Input to the action script is contained in a Map object named actionContext. The actionContext Map contains the following:
The following ResourceAction XML is an example of a BeanShell action. (Set the actionType to JAVASCRIPT for a JavaScript action.) This action script takes an argument named user (retrieved from the additionalArgs Map) and searches the SmartRoles repository for one or more Person objects with a LOGON_ID that matches the value in the user argument. The string representation of each matching Person is then returned in the WavesetResult in the ACTION_RC ResultItem.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- MemberObjectGroups="#ID#Top"-->
<ResourceAction createDate='1148443502593'>
<ResTypeAction restype='SmartRoles' timeout='0' actionType='BEANSHELL'>
<act>
import bridgestream.core.*;
import bridgestream.util.*;
import bridgestream.temporal.person.*;
import java.util.*;
import com.waveset.object.*;

// The adapter supplies its open SmartRoles session in the actionContext Map.
IOMSession session = actionContext.get("session");
OMEngine engine = OMEngine.getInstance(session);

// The caller passes "user" in the additionalArgs Map.
String user = actionContext.get("additionalArgs").get("user");

// Search PERSON objects whose LOGON_ID equals the argument, as of the current time.
UTNameValuePair[] criteria = new UTNameValuePair[] { new UTNameValuePair("LOGON_ID", user) };
UTTimestamp time = UTTimestamp.getSystemTimestamp();
List list = session.search("PERSON", criteria, time, null, null);

// Collect the string form of every match, separated by blank lines.
Iterator iter = list.iterator();
StringBuffer buf = new StringBuffer();
while (iter.hasNext()) {
    ENPerson person = (ENPerson)iter.next();
    buf.append(person.toString());
    buf.append("\n\n");
}

// Hand the matches back to the workflow in the ACTION_RC ResultItem.
WavesetResult result = actionContext.get("result");
result.addResult("ACTION_RC", buf.toString());
</act>
</ResTypeAction>
<MemberObjectGroups>
<ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
</MemberObjectGroups>
</ResourceAction>
Limitations
Currently, this adapter has the following limitations:
- Roles can only be granted to SmartRoles person objects. You cannot grant roles to position objects.
- An Identity Manager installation can only be configured to communicate with a single SmartRoles installation.
- When assigning a sphere of control to a granted role, the organizations in the sphere of control include those that are directly assigned plus all of their descendants. Assigning an organization together with one of its descendants causes an error.
- Because the adapter references SmartRoles organizations by name, the organization names within SmartRoles must be unique.
- When you assign a SmartRoles person object to a position, the adapter does not attempt to find an available position. Instead, the adapter always creates a new position object and assigns the person object to the new position.
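The last three limitations can be checked before the adapter is called rather than discovered as provisioning errors. The following Python is an added example, not part of the Sun documentation or of the adapter: given the SmartRoles organization hierarchy as (name, parent) pairs, it reports duplicate names (which the adapter cannot tell apart), and for a requested sphere of control it drops the organizations that are descendants of another requested organization (the case the adapter rejects) and lists every organization the sphere will actually cover. The SAMPLE_ORGS hierarchy is constructed for the example.

```python
"""Added pre-checks for SmartRoles organization names and spheres of control."""
from collections import defaultdict

# Constructed sample hierarchy as (organization name, parent name) pairs.
SAMPLE_ORGS = [
    ("Corp", None),
    ("Engineering", "Corp"),
    ("Platform", "Engineering"),
    ("Security", "Platform"),
    ("Sales", "Corp"),
    ("EMEA Sales", "Sales"),
]


def find_duplicate_names(rows):
    """Organization names that appear more than once.

    The adapter references organizations by name, so a duplicate is ambiguous
    and must be renamed in SmartRoles before the adapter is used.
    """
    seen, dupes = set(), []
    for name, _parent in rows:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def build_tree(rows):
    """Return (parent_of, children_of) maps from (name, parent) rows."""
    parent_of = {}
    children_of = defaultdict(list)
    for name, parent in rows:
        parent_of[name] = parent
        if parent is not None:
            children_of[parent].append(name)
    return parent_of, children_of


def descendants(children_of, name):
    """Every organization below `name`, at any depth."""
    out, stack = [], list(children_of.get(name, []))
    while stack:
        org = stack.pop()
        out.append(org)
        stack.extend(children_of.get(org, []))
    return out


def has_assigned_ancestor(parent_of, name, assigned):
    """True if some ancestor of `name` is itself in `assigned`."""
    cur = parent_of.get(name)
    while cur is not None:
        if cur in assigned:
            return True
        cur = parent_of.get(cur)
    return False


def plan_sphere_of_control(rows, requested):
    """Validate a requested sphere of control before handing it to the adapter.

    Returns a dict with:
      duplicates - names that occur more than once in the hierarchy
      unknown    - requested names that do not exist in the hierarchy
      redundant  - requested orgs that descend from another requested org
                   (assigning both raises an error, so these are dropped)
      assign     - the minimal set of organizations to assign
      effective  - every organization the sphere will cover
    """
    parent_of, children_of = build_tree(rows)
    known = [o for o in requested if o in parent_of]
    unknown = [o for o in requested if o not in parent_of]
    known_set = set(known)
    redundant = [o for o in known if has_assigned_ancestor(parent_of, o, known_set)]
    assign = [o for o in known if o not in redundant]
    effective = set(assign)
    for org in assign:
        effective.update(descendants(children_of, org))
    return {
        "duplicates": find_duplicate_names(rows),
        "unknown": unknown,
        "redundant": redundant,
        "assign": assign,
        "effective": sorted(effective),
    }


if __name__ == "__main__":
    print(plan_sphere_of_control(SAMPLE_ORGS, ["Engineering", "Security", "Sales", "Nope"]))
```

Feed the function the organizations exported from SmartRoles and the sphere a workflow is about to request; only the `assign` list should reach the adapter, and a non-empty `duplicates` list means the hierarchy itself must be fixed first.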
Security Notes
This section provides information about supported connections and privilege requirements.
Supported Connections
The SmartRoles adapter communicates with the SmartRoles repository as specified in the configuration files copied from the SmartRoles installation. See the SmartRoles product documentation for details about configuring this connection.
Required Administrative Privileges
The user that the adapter uses to connect to SmartRoles must be assigned to a role (such as the SmartRoles Administrator role) that can manage SmartRoles users. Because this account can change any user's organizations and roles, give the adapter its own account rather than sharing an administrator's login, so that changes made by the adapter can be distinguished from those made by people.
Provisioning Notes
The following table summarizes the provisioning capabilities of this adapter:
Account Attributes
The SmartRoles adapter provides the following Identity system user attributes:
Use attribute namespaces to specify attributes generically on related or underlying objects. Use dotted syntax, as follows:
namespace.attribute_name
- Use WORKER for Worker attributes (for example, WORKER.WORKER_TYPE).
- Use the X500_PERSON and AUTHENTICATION_INFO namespaces for information objects that carry additional attributes of the Person object:
  - X500_PERSON contains attributes such as POSTAL_ADDRESS and SECRETARY.
  - AUTHENTICATION_INFO contains attributes such as LOGON_ATTEMPTS and PASSWORD_CHANGED (a date).
Resource Object Management
The SmartRoles adapter supports listing objects only, and it supports the following object types:
When listing objects, you can specify the following options in the option Map:
Identity Template
$Logon ID$
Sample Forms
The following sample forms are provided with the SmartRoles resource adapter:
Built-In
None
Also Available
SmartRolesUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the com.waveset.adapter.SmartRolesResourceAdapter class.
You can also enable DEBUG logging in the SmartRoles APIs by editing the log4j.properties file that is configured in your JVM's system properties. DEBUG output from the APIs can include the person attributes being read and written, so restrict read access to the log files and return to the normal level once the problem is diagnosed.