This section describes how to define the following resource object components:
Object classes are handled differently for LDAP-based resource objects than for other resource objects.
LDAP-based resource objects can consist of more than one LDAP object class, where each object class is an extension of its parent object class. However, within LDAP, the complete set of these object classes is viewed and managed as a single object type within LDAP.
To manage this type of resource object within Identity Manager, include the XML element <ObjectClasses> within the <ObjectType> definition. The <ObjectClasses> element allows you to define the set of object classes that is associated with this <ObjectType> as well as the relationship of classes to each other.
For non-LDAP-based resource objects, you can use the <ObjectType> to represent information other than the resource object type name.
In the following example, the primary attribute defines the object class to be used when creating and updating an object of this type. In this case, inetorgperson is the object class that is defined as the primary one because it is a subclass of the other listed object classes. The operator attribute specifies whether the list of object classes should be treated as one (logical AND) or treated as unique classes (logical OR) when listing or getting an object of this type. In this case, Identity Manager performs an AND operation on these object classes prior to any list or get requests for this object type.
```xml
<ObjectClasses primary='inetorgperson' operator='AND'>
  <ObjectClass name='person'/>
  <ObjectClass name='organizationalPerson'/>
  <ObjectClass name='inetorgperson'/>
</ObjectClasses>
```
In the next example, all requests to create and/or update resource objects of this type are done using the groupOfUniqueNames object class. All list and get requests will query for all objects whose object class is either groupOfNames or groupOfUniqueNames.
```xml
<ObjectClasses primary='groupOfUniqueNames' operator='OR'>
  <ObjectClass name='groupOfNames'/>
  <ObjectClass name='groupOfUniqueNames'/>
</ObjectClasses>
```
In this example, only one object class is defined so all create, get, list, and update operations are performed using object class organizationalUnit.
```xml
<ObjectClasses operator='AND'>
  <ObjectClass name='organizationalUnit'/>
</ObjectClasses>
```
Because there is only one object class, you can exclude the <ObjectClasses> section. If you exclude the <ObjectClasses> section, the object class defaults to the <ObjectType> name attribute value. However, if you want the object type name to differ from the resource object class name, you must include the <ObjectClasses> section with the single <ObjectClass> entry.
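To make the primary/operator semantics concrete, here is an added Python example (not Identity Manager code, and not taken from this page) that reads an <ObjectType> fragment and derives two things: the object class a create or update would use, and the search filter a list or get would apply. The four constructed fragments cover the AND, OR, single-class and omitted-<ObjectClasses> cases described above. The RFC 4515 filter syntax and the escaping of class names are this example's own illustration of the described behaviour; the page does not show how the product builds its queries. Requiring `primary` whenever more than one class is listed is also an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample <ObjectType> fragments covering the four cases described above.
SAMPLES = {
    "AND": """<ObjectType name='User'>
      <ObjectClasses primary='inetorgperson' operator='AND'>
        <ObjectClass name='person'/>
        <ObjectClass name='organizationalPerson'/>
        <ObjectClass name='inetorgperson'/>
      </ObjectClasses></ObjectType>""",
    "OR": """<ObjectType name='Group'>
      <ObjectClasses primary='groupOfUniqueNames' operator='OR'>
        <ObjectClass name='groupOfNames'/>
        <ObjectClass name='groupOfUniqueNames'/>
      </ObjectClasses></ObjectType>""",
    "SINGLE": """<ObjectType name='OrganizationalUnit'>
      <ObjectClasses operator='AND'>
        <ObjectClass name='organizationalUnit'/>
      </ObjectClasses></ObjectType>""",
    # No <ObjectClasses> at all: the class defaults to the ObjectType name.
    "DEFAULT": "<ObjectType name='organization'/>",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a class name taken from configuration can never
    change the structure of the filter it is inserted into."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()" or ch == "\x00" else ch
        for ch in value
    )


def object_class_plan(object_type_xml: str) -> dict:
    """Return the class used for create/update and the filter used for list/get."""
    root = ET.fromstring(object_type_xml)
    if root.tag != "ObjectType" or not root.get("name"):
        raise ValueError("expected an <ObjectType> element with a name attribute")
    type_name = root.get("name")
    classes_el = root.find("ObjectClasses")

    if classes_el is None:
        # Section text: without <ObjectClasses> the object class defaults to
        # the <ObjectType> name attribute value, for every operation.
        return {"create_class": type_name,
                "search_filter": "(objectClass=%s)" % escape_filter_value(type_name)}

    classes = [c.get("name") for c in classes_el.findall("ObjectClass")]
    if not classes or any(not c for c in classes):
        raise ValueError("<ObjectClasses> needs at least one named <ObjectClass>")

    operator = classes_el.get("operator")
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")

    # Assumption of this example: with several classes, primary must be explicit.
    primary = classes_el.get("primary")
    if primary is None:
        if len(classes) > 1:
            raise ValueError("primary is required when more than one class is listed")
        primary = classes[0]
    elif primary not in classes:
        raise ValueError("primary %r is not one of the listed classes" % primary)

    # AND: every class must match; OR: any class may match (RFC 4515 syntax).
    terms = "".join("(objectClass=%s)" % escape_filter_value(c) for c in classes)
    if len(classes) == 1:
        search_filter = terms
    else:
        search_filter = ("(&" if operator == "AND" else "(|") + terms + ")"
    return {"create_class": primary, "search_filter": search_filter}


if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, object_class_plan(xml_text))
```

Running the block prints the plan for each sample; the AND case yields an `(&...)` filter over all three classes while creates use `inetorgperson` only, and the OR case yields an `(|...)` filter while creates use `groupOfUniqueNames`.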
Resource Object types uniquely define a specific type of resource, and you define object types in the adapter’s prototypeXML string.
The XML <ObjectTypes> element is a container within the adapter’s prototypeXML string that contains one or more object type definitions to be managed on that resource. This <ObjectTypes> element fully describes the resource-specific object to Identity Manager, including the following:
A list of specific object classes contained in the object type (required only for LDAP-compliant directories)
A list of supported features
A list of object type-specific attributes that are available within Identity Manager for editing and searching
The following table describes the supported attributes of the <ObjectType> element.
Table 9–27 Supported <ObjectType> Element Attributes
The following example shows ObjectType definitions:
```java
static final String prototypeXml =
    "<Resource name='Skeleton' class='com.waveset.adapter.sample.SkeletonStandardResourceAdapter'"
  + " typeString='Skeleton of a resource adapter'"
  + " typeDisplayString='" + Messages.RESTYPE_SKELETON + "'>\n"
  + "  <ObjectTypes>\n"
  + "    <ObjectType name='Group' icon='group'>\n"
  // ... other content defined below will go here ...
  + "    </ObjectType>\n"
  + "    <ObjectType name='Role' icon='ldap_role'>\n"
  // ... other content defined below will go here ...
  + "    </ObjectType>\n"
  + "    <ObjectType name='Organization' icon='folder_with_org' container='true'>\n"
  // ... other content defined below will go here ...
  + "    </ObjectType>\n"
  + "  </ObjectTypes>\n"
  // remainder of the <Resource> definition follows
```
The <ObjectFeatures> section specifies a list of one or more features supported by this object type, where each object feature is directly tied to the implementation of the associated object type method in the resource adapter.
Each ObjectFeature definition must contain the name attribute, which specifies a feature name. The create and update features can specify a form attribute, which defines the resource form used to process create and update features. If you do not specify a form attribute, Identity Manager processes the create and update features with the same form used by all resources of a given type.
The following table describes the object feature mappings.
Table 9–28 Object Feature Mappings
Object Feature | Method | Supports Form Attribute?
---|---|---
create | createObject | Yes
delete | deleteObject | No
find | listObjects | No
list | listObjects | No
rename | updateObject | No
saveas | createObject | No
update | updateObject | Yes
view | getObject | No
In the following example, the <ObjectFeatures> section includes all supported object features. Your resource adapter can support all of these features or just a subset of features. The more object features your adapter supports, the richer the object management function within Identity Manager.
```xml
<ObjectFeatures>
  <!-- create and update may name a resource form; the other features cannot -->
  <ObjectFeature name='create' form='My Create Position Form'/>
  <ObjectFeature name='update' form='My Update Position Form'/>
  <ObjectFeature name='delete'/>
  <ObjectFeature name='rename'/>
  <ObjectFeature name='saveas'/>
  <ObjectFeature name='find'/>
  <ObjectFeature name='list'/>
  <ObjectFeature name='view'/>
</ObjectFeatures>
```
The <ObjectAttributes> section specifies the set of attributes to be managed and queried in Identity Manager. Each <ObjectAttribute> element name should be the same as the native resource attribute name. Unlike user attributes in Identity Manager, no attribute mapping is specified. Use only the native attribute names.
The following table describes attributes that are required for <ObjectAttributes>.
Table 9–29 Required Attributes for <ObjectAttributes>
Attribute | Description
---|---
idAttr | The value of this attribute should be the resource object attribute name that uniquely identifies this object within the resource's object namespace (for example, dn, uid).
displayNameAttr | The value of this attribute should be the resource object attribute name whose value is the name you want displayed when objects of this type are viewed within Identity Manager (for example, cn, samAccountName).
descriptionAttr | (Optional) The value of this attribute should be the resource object attribute name whose value you want displayed in the Description column of the Resources page.
The following example shows an <ObjectAttributes> section defined in an <ObjectType>.
```xml
<ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description'>
  <ObjectAttribute name='cn' type='string'/>
  <ObjectAttribute name='description' type='string'/>
  <ObjectAttribute name='owner' type='distinguishedname' namingAttr='cn'/>
  <ObjectAttribute name='uniqueMember' type='dn' namingAttr='cn'/>
</ObjectAttributes>
```
The following table describes the <ObjectAttribute> attributes.
Table 9–30 <ObjectAttribute> Attributes
Attribute | Description
---|---
name | Identifies the resource object type attribute name (required).
type | Identifies the type of the attribute. Valid types are string, distinguishedname, or dn (defaults to string).
namingAttr | If the attribute type is distinguishedname or dn, this value specifies the attribute whose value is used to display the object that the dn refers to within Identity Manager.
The methods in the resource adapter object type implementation are responsible for coercing all string values into the appropriate type based on the resource attribute name.
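Because a mistake in the <ObjectFeatures> or <ObjectAttributes> sections only surfaces once the adapter is deployed, a practitioner will want to check the prototypeXML before that. The following added Python example (not Identity Manager code, and not from this page) validates one <ObjectType> definition against the rules stated in this section: feature names must come from Table 9–28, only create and update accept a form attribute, each feature appears once, attribute types are limited to string, distinguishedname or dn, and displayNameAttr and descriptionAttr must name a declared <ObjectAttribute>. Treating a dn-typed attribute without namingAttr as a problem, and the two constructed sample definitions, are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Values taken from this section: Table 9-28 feature names, the two features
# that accept a form attribute, and the type values listed for <ObjectAttribute>.
SUPPORTED_FEATURES = {"create", "delete", "find", "list", "rename", "saveas", "update", "view"}
FORM_FEATURES = {"create", "update"}
ATTRIBUTE_TYPES = {"string", "distinguishedname", "dn"}
DN_TYPES = {"distinguishedname", "dn"}

# Constructed sample: a definition that follows every rule in this section.
GOOD_TYPE = """<ObjectType name='Group' icon='group'>
  <ObjectFeatures>
    <ObjectFeature name='create' form='My Create Group Form'/>
    <ObjectFeature name='update' form='My Update Group Form'/>
    <ObjectFeature name='delete'/> <ObjectFeature name='rename'/>
    <ObjectFeature name='saveas'/> <ObjectFeature name='find'/>
    <ObjectFeature name='list'/> <ObjectFeature name='view'/>
  </ObjectFeatures>
  <ObjectAttributes idAttr='dn' displayNameAttr='cn' descriptionAttr='description'>
    <ObjectAttribute name='cn' type='string'/>
    <ObjectAttribute name='description' type='string'/>
    <ObjectAttribute name='owner' type='distinguishedname' namingAttr='cn'/>
    <ObjectAttribute name='uniqueMember' type='dn' namingAttr='cn'/>
  </ObjectAttributes>
</ObjectType>"""

# Constructed sample with six deliberate mistakes (see the checks below).
BAD_TYPE = """<ObjectType name='Group' icon='group'>
  <ObjectFeatures>
    <ObjectFeature name='create' form='My Create Group Form'/>
    <ObjectFeature name='create'/>
    <ObjectFeature name='delete' form='My Delete Group Form'/>
    <ObjectFeature name='export'/>
  </ObjectFeatures>
  <ObjectAttributes idAttr='dn' displayNameAttr='name'>
    <ObjectAttribute name='cn' type='integer'/>
    <ObjectAttribute name='owner' type='dn'/>
  </ObjectAttributes>
</ObjectType>"""


def validate_object_type(xml_text: str) -> list:
    """Return a list of problems found in one <ObjectType> definition (empty if clean)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "ObjectType":
        return ["root element must be <ObjectType>, not <%s>" % root.tag]
    if not root.get("name"):
        problems.append("<ObjectType> is missing its name attribute")

    features = root.find("ObjectFeatures")
    if features is not None:
        seen = set()
        for feature in features.findall("ObjectFeature"):
            name = feature.get("name")
            if not name:
                problems.append("<ObjectFeature> without a name attribute")
                continue
            if name not in SUPPORTED_FEATURES:
                problems.append("feature '%s' is not one of the supported features" % name)
            if name in seen:
                problems.append("feature '%s' is declared more than once" % name)
            seen.add(name)
            if feature.get("form") is not None and name not in FORM_FEATURES:
                problems.append("feature '%s' does not support a form attribute" % name)

    attributes = root.find("ObjectAttributes")
    if attributes is None:
        problems.append("<ObjectAttributes> section is missing")
        return problems

    declared = {}
    for attr in attributes.findall("ObjectAttribute"):
        name = attr.get("name")
        if not name:
            problems.append("<ObjectAttribute> without a name attribute")
            continue
        attr_type = attr.get("type", "string")  # type defaults to string
        if attr_type not in ATTRIBUTE_TYPES:
            problems.append("attribute '%s' has unsupported type '%s'" % (name, attr_type))
        # Assumption of this example: a dn-typed attribute without namingAttr
        # leaves nothing to display for the referenced entry, so it is reported.
        if attr_type in DN_TYPES and not attr.get("namingAttr"):
            problems.append("attribute '%s' is a dn type but has no namingAttr" % name)
        declared[name] = attr_type

    for key in ("idAttr", "displayNameAttr"):
        if not attributes.get(key):
            problems.append("<ObjectAttributes> is missing required %s" % key)
    # displayNameAttr and descriptionAttr must name a managed attribute so the
    # value can be read back. idAttr is not checked against the list: in this
    # section's own example it is 'dn', which is not declared as an attribute.
    for key in ("displayNameAttr", "descriptionAttr"):
        ref = attributes.get(key)
        if ref and ref not in declared:
            problems.append("%s='%s' does not match any declared <ObjectAttribute>" % (key, ref))
    return problems


if __name__ == "__main__":
    print("good:", validate_object_type(GOOD_TYPE))
    for problem in validate_object_type(BAD_TYPE):
        print("bad:", problem)
```

The checker only sees the XML; whether the adapter class actually implements `createObject`, `updateObject` and the other methods that each declared feature maps to (Table 9–28) still has to be confirmed in the Java source.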
You must provide the following resource forms:
A ResourceForm named <resource type> Create <object type> Form for each resource <ObjectType> that supports the Create feature.
For example, AIX Create Group Form or LDAP Create Organizational Unit Form
A ResourceForm named <resource type> Update <object type> Form for each resource <ObjectType> that supports the Update feature.
For example, AIX Update Group Form or LDAP Update Organizational Unit Form
You can also assign an optional form that processes incoming data before storing it in Identity Manager. This resource form is a mechanism that transforms incoming data from the schema map and applies the transformed data to the User view. A form of this kind can also perform actions, such as enabling or disabling an account, based on specific incoming data values such as employee status.
The following table describes attributes contained in the top-level namespace.
All values are strings unless otherwise specified.
In these names, <objectType> is the lowercase name of a resource-specific object type (for example, group, organizationalunit, or organization).

Attribute | Description
---|---
<objectType>.resourceType | Identity Manager resource type name (for example, LDAP, Active Directory)
<objectType>.resourceName | Identity Manager resource name
<objectType>.resourceId | Identity Manager resource ID
<objectType>.objectType | Resource-specific object type (for example, Group)
<objectType>.objectName | Name of the resource object (for example, cn or samAccountName)
<objectType>.objectId | Fully qualified name of the resource object (for example, dn)
<objectType>.requestor | ID of the user requesting the view
<objectType>.attributes | Resource object attribute name/value pairs (object)
<objectType>.organization | Identity Manager member organization
<objectType>.attrsToGet | List of object type-specific attributes to return when requesting an object through checkoutView or getView (list)
<objectType>.searchContext | Context used to search for non-fully qualified names in form input
<objectType>.searchAttributes | List of resource object type-specific attribute names that will be used to search within the specified searchContext for names input to the form (list)
<objectType>.searchTimeLimit | Maximum time spent searching
<objectType>.attributes.<resource attribute name> | Used to get or set the value of the specified resource attribute (for example, <objectType>.attributes.cn, where cn is the resource attribute name). When a resource attribute is a distinguished name, the name returned when getting the value is the value of the namingAttr specified in the <ObjectAttribute> section of the <ObjectType> description.