Sun Identity Manager Deployment Reference

Understanding Identity Manager Views

An Identity Manager view is a collection of attributes that is assembled from one or more objects managed by Identity Manager. Views are transient, dynamic, and not stored in the repository. The data in a view can change if the view is refreshed to reflect a new role or resource assignment.

If you are using Identity Manager, you will encounter views primarily in forms and workflows. An Identity Manager form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable, series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules.

When working with views, it helps to first understand:

What Is a View?

The most important view is the user view, which contains the user attributes that are stored in Identity Manager and attributes that are read from accounts managed by Identity Manager. Some attributes in the user view are visible in the forms that are presented by the Identity Manager User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values.

For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user’s full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Identity Manager. Once approved (where approval is required), the system converts the user view back into one or more objects in the Identity Manager repository and sends the view to the resources assigned to the user to create or update the user’s resource accounts.

View Attributes

A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository, or read from resources. The value of a view attribute can be atomic such as a string, a collection such as a list, or reference to another object.

Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false.

What is a View Handler?

View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user.

Views and Forms

Identity Manager forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Identity Manager user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Identity Manager merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in which typically results in the view being passed as input to a workflow process.

Views and Workflow

Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts.

Account Types and User-Oriented Views

When you assign an account type to a user, Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:

Common Views

The following views are frequently used with both customized forms and workflows.




Used to manipulate Identity Manager users and provision resource accounts. 


Used to search for users correlating to a specified account (or account attributes). 


Used when assigning an Admin role to a user. 


Used to present and select the list of resource accounts to be disabled. 


Used to present and select a list of resources to be deprovisioned. 


Used to present and select the list of resource accounts to be enabled. 


Used to change a user’s authentication answers. 


Used to change an Identity Manager user’s capabilities. 


Used to generate a list of work items and processes in the Identity Manager User Interface. 


Used to specify the type of organization created and options for processing it. 


Used to change an Identity Manager user’s password, and optionally propagate the password to resource accounts. 


Used to launch tasks such as workflows or reports. 


Used to request or cancel reconciliation operations. 


Used to obtain the status of the last requested reconciliation operation. 


Used to rename the Identity Manager and resource account identities. 


Used to present and select the list of resources to be reprovisioned. 


Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts. 


Used to manipulate resources. 


A family of views used to manipulate arbitrary objects supported by a resource, for example groups and mailing lists. 


Used to specify the types of Identity Manager roles created. 


Used to create and modify TaskSchedule objects. 


Used to unlock accounts for those resources that support native account locking. 


Used when writing a workflow approval form. 


Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.