Sun Identity Manager Deployment Reference

User View Attributes

Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Identity Manager system.

Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.

Introduction

Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested.

The user view contains the attributes described in the following table, which are further defined in subsequent sections.

Table 3–1 Top-Level Attributes User View

Attribute 

Description  

waveset

Contains information stored in the Identity Manager repository (the WSUser object). This is sometimes referred to as the basic view.

accounts

Contains the values of all resource account attributes fetched from resources. These are typically the values that are edited with forms. 

accountInfo

Contains read-only information about the resources and accounts associated with the user. 

display

Contains the read-only runtime state for the interface. It is used only during interactive editing of the user. display.session describes login and access information. display.subject identifies the account under which the user is logged in. display.eventType indicates whether the user view is servicing a create or an update operation.

global

Contains attributes that are synchronized across all resource accounts. 

password

Contains attribute values that are specific to the user’s password, password expiration, and target systems. 

When you design a form, the field names are typically paths into the user view's waveset, global, and accounts attributes (for example, global.firstname).

Selecting the Appropriate Variable Namespaces

The user view provides several namespaces for deriving account-related information. The following table summarizes these variable namespaces.

Table 3–2 Account-Related User View Attributes

Account-Related Namespace 

Description 

waveset.accounts

Used internally for difference detection during check-in operations. It contains the starting values for all account attributes. Do not modify this value. 

accountInfo.accounts

Derived read-only information about the accounts that are linked to the user and their associated resources. Use this attribute in forms, but do not modify. 

accounts

Stores the read/write copies of the account attributes. Updatable fields should point to this namespace. 

global

Stores copies of global attributes. Values in this area appear only if the form defines global fields, or if you are using the special MissingFields reference. (The form determines how global attributes are processed.) 

If you set a global attribute in a workflow, you must also define a global field in the form. Simply depositing a global value in the view is insufficient. 

Referencing Attributes

Within a form, you can reference attributes in two ways:

Attributes with Transient Values

You can define fields that store values at the top-level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Identity Manager repository or propagated to a resource account.

For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code, p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.

In general, use the top-level field syntax if you are:

Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.


<Field name='p1' required='true'>
   <Display class='Text'>
      <Property name='title' value='Work Phone Number'/>
      <Property name='size' value='3'/>
      <Property name='maxLength' value='3'/>
   </Display>
</Field>
<Field name='p2' display='true' required='true'>
   <Display class='Text'>
      <Property name='rowHold' value='true'/>
      <Property name='noNewRow' value='true'/>
      <Property name='size' value='3'/>
      <Property name='maxLength' value='3'/>
   </Display>
</Field>
<Field name='p3' display='true' required='true'>
   <Display class='Text'>
      <Property name='rowHold' value='true'/>
      <Property name='noNewRow' value='true'/>
      <Property name='size' value='4'/>
      <Property name='maxLength' value='4'/>
   </Display>
</Field>
<!-- Only this field carries the global. prefix, so only the combined number is propagated -->
<Field name='global.workPhone' required='true' hidden='true'>
   <Expansion>
      <concat>
         <ref>p1</ref>
         <s>-</s>
         <ref>p2</ref>
         <s>-</s>
         <ref>p3</ref>
      </concat>
   </Expansion>
</Field>

waveset Attribute

The waveset attribute set contains the information that is stored in a WSUser object in the Identity Manager repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form but are provided so that Identity Manager can fully represent all information in the WSUser object in the view.

Most Used Attributes

Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.

Table 3–3 Most Used Attributes of the waveset Attribute (User View)

Attribute                     Editable?    Data type
waveset.accountId             Read/Write   String
waveset.applications          Read/Write   String
waveset.correlationKey        Read/Write   String
waveset.creator               Read only    String
waveset.createDate            Read only    String
waveset.disabled              Read/Write   String
waveset.email                 Read/Write   String
waveset.exclusions            Read/Write   List
waveset.id                    Read         String
waveset.lastModDate           Read         String
waveset.lastModifier          Read         String
waveset.locked                Read         String
waveset.lockExpiry            Read/Write   String
waveset.organization          Read/Write   String
waveset.questions             Read/Write   List
waveset.resources             Read/Write   List
waveset.resourceAssignments   Read/Write   List
waveset.roleInfos             Read/Write   List
waveset.roles                 Read/Write   String
waveset.serverId              Read/Write   String

waveset.accountId

Specifies the visible name of the Identity Manager user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Identity Manager account.

For information on renaming a user, see Business Administrator's Guide.

waveset.applications

Contains a list of the names of each application (also called resource group in the Identity Manager User Interface) assigned directly to the user. This does not include applications that are assigned to a user through a role.

waveset.attributes

Collection of arbitrary attributes that is stored with the WSUser in the Identity Manager repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:

waveset.attributes.fullname

or

accounts[Lighthouse].fullname

You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the user is stored, the values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes records the original values of the attributes; the system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the accounts[Lighthouse] attribute for an example of how to extend the extended user attributes.

waveset.correlationKey

Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.

waveset.creator

Contains the name of the administrator that created this user.

This attribute is read-only.

waveset.createDate

Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z

Example

05/21/02 14:34:30 CST

This attribute is set once only and is read-only.

waveset.disabled

Contains the disabled status of the Identity Manager user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string.

You can modify this attribute to enable or disable the Identity Manager user, although it is more common to use the global.disable attribute. (Prepending global. to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Identity Manager.)

Once this value becomes true, the user cannot log in to the Identity Manager user interface.

waveset.email

Specifies the email address stored for a user in the Identity Manager repository. Typically, it is the same email address that is propagated to the resource accounts.

Modifications to this attribute apply to the Identity Manager repository only. If you want to synchronize email values across resources, you must use the global.email attribute.

You can modify this attribute.

waveset.exclusions

Lists the names of the resources that will be excluded from provisioning, even if a resource is assigned to the user through a role, resource group, or directly.

waveset.id

Identifies the repository ID of the Identity Manager user object. Once the user has been created in Identity Manager, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null).

Example

The following example shows an XPRESS statement that tests to see if waveset.id is null:

<isnull><ref>waveset.id</ref></isnull>

waveset.lastModDate

Contains the date at which the last modification was made, represented as the number of milliseconds since midnight, January 1, 1970 GMT. This attribute is updated each time a user account is modified.

This attribute is read-only.

waveset.lastModifier

Contains the name of the administrator or user that last modified this user account.

This attribute is read-only.

waveset.locked

Indicates whether the user is locked. A value of true indicates that the user is locked.

waveset.lockExpiry

Specifies when the user lock expires if the user’s Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time.

waveset.organization

Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization.

Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison.

waveset.original

Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records.

Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are:

To reference these attributes, prepend waveset.original. to the attribute name (for example, waveset.original.role).

password

Specifies the Identity Manager user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string.

The password attribute set contains the attributes described in the following table.

Table 3–4 Attributes of the password Attribute (User View)

Attribute 

Description 

password

Identifies the password to be set 

confirmPassword

Confirms the password to be set. The password should match the value of password.password

targets

Specifies a list of resources that can have their password changed 

selectAll

Specifies a Boolean flag that signifies that the password should be pushed to all of the resources 

accounts[]

Specifies a list of objects that contains information about each of the resources. This attribute contains two attributes, which are described below. 

accounts[<resource>].selected

Boolean. When set, indicates that the password should be changed on the resource. 

accounts[<resource>].expire

Boolean. When set, indicates that the password will expire. 

This attribute is set to false if the user changes his own password. However, if an administrator changes another user’s passwords, the flag is set to true. 

To prevent the password from being expired when administrators or proxy accounts other than the user change a password on an account, set

accounts[<resource>].expire = <s>false</s>

This setting ensures that:

  • the password is not expired

  • Identity Manager does not force the user to change the password again

waveset.passwordExpiry

Contains the date on which the Identity Manager password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm/dd/yy.

waveset.passwordExpiryWarning

Contains the date on which warning messages will start being displayed whenever the user logs into the Identity Manager User Interface. This is typically a date prior to the waveset.passwordExpiry date in the same format (mm/dd/yy).

waveset.questions

Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes.

The waveset.questions attribute set contains the attributes described in the following table.

Table 3–5 waveset.questions Attributes (User View)

Attribute   Editable?    Description
answer      Read/Write   Encrypted answer to the question
id          Read         System-generated ID for the question
name        Read         Name used to identify this question
question    Read         Text of the authentication question

The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names.

For example, the path waveset.questions[#1].question addresses the second element of the questions list (list indexes start from zero). However, since there may be only one question on the list whose ID is the number 1, the ID is not necessarily suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID (in this example, Q1). The path waveset.questions[Q1].question then always correctly addresses the question.
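As an added example that is not part of this reference or of the Identity Manager code base, the following Python models the user view as nested dicts and lists and resolves paths under the rules described above: dotted attribute paths such as waveset.attributes.fullname, name lookups such as accounts[Lighthouse] and waveset.questions[Q1], absolute indexes such as waveset.questions[#1], and the waveset.id null test used to tell a create from an update. The dict/list layout, the sample user and its ids are assumptions made for the example.

```python
import re
from typing import Any, Optional

# One path segment: an attribute name, optionally followed by [name] or [#index].
SEGMENT = re.compile(r"^([A-Za-z_]\w*)(?:\[(#?)([^\]]+)\])?$")

def manufacture_question_names(view: dict) -> None:
    """Derive each question's unstored name from its id ("Q" + id), as the page describes."""
    for q in view.get("waveset", {}).get("questions", []):
        q["name"] = "Q" + str(q["id"])

def resolve(view: dict, path: str) -> Optional[Any]:
    """Walk a dotted view path; return None (null) if any step is missing."""
    current: Any = view
    for segment in path.split("."):
        m = SEGMENT.match(segment)
        if not m:
            raise ValueError(f"bad path segment: {segment!r}")
        attr, is_index, key = m.groups()
        if not isinstance(current, dict) or attr not in current:
            return None
        current = current[attr]
        if key is None:
            continue
        if not isinstance(current, list):
            return None
        if is_index:          # [#n]: absolute zero-based position in the list
            idx = int(key)
            current = current[idx] if 0 <= idx < len(current) else None
        else:                 # [name]: the element whose name attribute equals key
            current = next((e for e in current if e.get("name") == key), None)
    return current

def is_create(view: dict) -> bool:
    """Same test as the form's <isnull><ref>waveset.id</ref></isnull>."""
    return resolve(view, "waveset.id") is None

# Constructed sample view of an existing user; the id and all values are made up.
SAMPLE_VIEW = {
    "waveset": {
        "id": "constructed-repository-id",
        "accountId": "jdoe",
        "attributes": {"fullname": "Jane Doe"},
        "questions": [
            {"id": 1, "question": "First pet?", "answer": "<encrypted>"},
            {"id": 7, "question": "Mother's maiden name?", "answer": "<encrypted>"},
        ],
    },
    "accounts": [{"name": "Lighthouse", "fullname": "Jane Doe"}],
}
manufacture_question_names(SAMPLE_VIEW)

if __name__ == "__main__":
    # [#1] is the second list element (id 7); [Q1] is the question whose id is 1.
    print(resolve(SAMPLE_VIEW, "waveset.questions[#1].question"))
    print(resolve(SAMPLE_VIEW, "waveset.questions[Q1].question"))
    print(resolve(SAMPLE_VIEW, "accounts[Lighthouse].fullname"))
    print("create" if is_create(SAMPLE_VIEW) else "update")
```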

waveset.resources

Contains a list of the names of each resource that is assigned directly to the user. This list does not include resources that are assigned to a user through a role or through applications. You can add only unqualified resource names to this attribute. To find all resources that are assigned to a user, see the section on the accountInfo attribute.

waveset.resourceAssignments

Qualifies the assigned resource list. (This attribute parallels the existing waveset.resources attribute.) All resources in this attribute appear as unqualified names in waveset.resources. Even if a user is assigned only an account of non-default type, the resource will still appear in waveset.resources.

You can add new assignments to either waveset.resources or waveset.resourceAssignments; the two lists resynchronize automatically when the view is refreshed. Adding a name to waveset.resources adds an assignment for an account of the default type. You can add both qualified and unqualified resource names to waveset.resourceAssignments; a qualified name adds an account of the type specified by the qualifier.

waveset.roleInfos

Contains a list of objects that contain information about the roles assigned to this user.

Table 3–6 waveset.roleInfos Attributes

Attribute 

Description 

approvalRequired 

(Boolean) Specifies whether approval is required for this optional role. If the value of directlyAssigned is false and assignmentType is optional, this value determines whether approval is required for this optional role.

assignedBy

Identifies which role assigned to the user contains this role. If directlyAssigned is false, this value is the name of the directly assigned role or roles that resulted in this role being assigned.

assignmentType 

Specifies how the indirect role is assigned. If directlyAssigned is false, this value will be either required, conditional, or optional.

directlyAssigned 

(Boolean) Specifies whether the role is directly assigned to the user. 

events

Maps the name/date entries that define events to be processed for this role (for example, activation date and deactivation date). 

  • name -- allowed values include activate and deactivate. activate indicates when to provision this role; deactivate indicates when to deprovision this role.

  • date -- Date for associated event.

info 

(Object) Contains role information that should not appear when determining user-role assignment changes. This object can have the following attributes: 

* typeDisplayName - role type display name / message key 

* description - user-provided description of the role 

name

Specifies the role name 

type

Specifies the role type as defined in the Role Configuration object. Valid types include BusinessRole, ITRole, Application Role, Asset Role. 

state 

Specifies role assignment state. Valid values include assigned or pendingActivationDate. You can define additional custom states. 

waveset.roles

Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles.

Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.

waveset.serverId

Used to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. See the Installation Guide for more information.