When retrieving a user from SmartRoles, the adapter retrieves the user’s business roles. These business roles can be used within Waveset to determine the Waveset roles, resources, attributes, and access that user should be assigned.
Additionally, SmartRoles can be a source of user changes using Active Sync. You can load SmartRoles users into Waveset and reconcile them.
The BridgeStream SmartRoles resource adapter is defined in the com.waveset.adapter.SmartRolesResourceAdapter class.
None
The SmartRoles adapter is a custom adapter. You must perform the following steps to complete the installation process:
To add a SmartRoles resource to the Waveset resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SmartRolesResourceAdapter
Copy the following jar files from the SmartRoles installation directory (SR_install_dir/Foundation/lib) to $WSHOME/WEB-INF/lib:
bridgestream-common.jar
jgroups-all.jar
log4j-1.2.8.jar
rowset.jar
fxrm.jar
jmxri.jar
ojdbc14.jar
jcert.jar
jmxtools.jar
ojdbc14_g.jar
Copy the following files from the SR_install_dir/Foundation/config directory to the $WSHOME/WEB-INF/classes directory:
bridgestream_jaas.config
log4j.properties
foundation_config.xml
foundation_config.dtd
Edit the log4j.properties file to specify the path to the log files in the log4j.appender.debuglog.File and log4j.appender.logfile.File properties. These properties can both specify the same file.
Set the following Java system properties in the JVM running Waveset.
System Property | Value |
---|---|
java.security.auth.login.config | Path to bridgestream_jaas.config file |
brLoggingConfig | Path to log4j.properties file |
brfConfig | Path to foundation_config.xml and foundation_config.dtd files |
If you need to specify these properties on the JVM command line, use the -D option to set the properties as follows:
-Djava.security.auth.login.config=PathToBridgestream_jaas.config -DbrLoggingConfig=PathTolog4j.properties -DbrfConfig=PathTofoundation_config.xml and foundation_config.dtd files
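A pre-flight check for the installation steps above, added here as an example and not part of the product documentation or the vendor's tooling. The file and property names are the ones listed above; the function names, message strings and the world-readable permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight check for the install steps above.
JARS="bridgestream-common.jar jgroups-all.jar log4j-1.2.8.jar rowset.jar fxrm.jar
jmxri.jar ojdbc14.jar jcert.jar jmxtools.jar ojdbc14_g.jar"
CONFS="bridgestream_jaas.config log4j.properties foundation_config.xml foundation_config.dtd"

# Prints one line per problem under $1 (WSHOME); returns non-zero if any were found.
check_smartroles_install() {
    wshome=$1; problems=0
    for j in $JARS; do
        [ -f "$wshome/WEB-INF/lib/$j" ] || { echo "MISSING jar: $j"; problems=$((problems + 1)); }
    done
    for c in $CONFS; do
        f="$wshome/WEB-INF/classes/$c"
        if [ ! -f "$f" ]; then
            echo "MISSING config: $c"; problems=$((problems + 1))
        elif [ -n "$(find "$f" -perm -004)" ]; then
            # Assumption: hardening check added by this example, not a documented requirement.
            echo "WORLD-READABLE: $c"; problems=$((problems + 1))
        fi
    done
    for key in log4j.appender.debuglog.File log4j.appender.logfile.File; do
        grep -q "^$key=." "$wshome/WEB-INF/classes/log4j.properties" 2>/dev/null ||
            { echo "UNSET property: $key"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ]
}

# Checks that the option string $1 sets all three system properties to existing paths.
# Limitation: splits on whitespace, so paths containing spaces are not handled.
check_jvm_opts() {
    opts=$1; bad=0
    for p in java.security.auth.login.config brLoggingConfig brfConfig; do
        val=$(printf '%s\n' $opts | sed -n "s/^-D$p=//p" | head -n 1)
        if [ -z "$val" ]; then
            echo "NOT SET: -D$p"; bad=$((bad + 1))
        elif [ ! -e "$val" ]; then
            echo "BAD PATH: -D$p=$val"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run both checks when called as: script.sh "$WSHOME" "$JAVA_OPTS"
if [ "$#" -eq 2 ]; then
    check_smartroles_install "$1"; rc1=$?
    check_jvm_opts "$2"; rc2=$?
    [ "$rc1" -eq 0 ] && [ "$rc2" -eq 0 ]
fi
```

The permission check treats all four copied configuration files alike because the page says only that connection information is stored in configuration files, not which one.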
This section provides information related to using the SmartRoles resource adapter. The information is organized as follows:
General Notes
Complex Attribute Support
Limitations
The following general notes are provided for this resource:
The SmartRoles adapter communicates directly with the SmartRoles repository, so the Relationship Manager application does not have to be running for the adapter to work.
The adapter can generate universal IDs and store connection information in configuration files.
When configuring the SmartRoles adapter, you can choose to have SmartRoles generate the universal ID for new accounts or have the adapter provide the universal ID. When the adapter provides the ID, it uses the value generated from the Identity Template.
Waveset introduced a new complex attribute type that enables the SmartRoles adapter to support complex attributes. The complex attribute type is used when an attribute value is more complicated than a single value or list of values. This new complex type is used with the following attributes:
sr_positions
sr_grantedRolesSphere
sr_organizations
The attribute value for a complex attribute is an instance of the new com.waveset.object.GenericAttribute class. The GenericAttribute instance wraps a GenericObject instance containing the real attribute value information. The GenericObject stores attributes and values in a hierarchy that can be set and retrieved using path expressions.
Although the adapter does not support before and after actions, it does support running actions using the runResourceAction Provision Workflow Service. You can write a SmartRoles action in JavaScript or BeanShell, and it can call the SmartRoles APIs to perform custom behavior as part of a workflow. Input to the action script is contained in a Map object named actionContext. The actionContext Map contains the following:
Key | Value |
---|---|
action | String describing the type of action being run. Currently, this action can only be run. |
adapter | Contains a reference to the com.waveset.adapter.SmartRolesResourceAdapter instance. |
additionalArgs | A Map containing any additional arguments passed in to the runResourceAction Provision Workflow Service call. |
result | Reference to the WavesetResult that is returned from the runResourceAction Provision Workflow Service call. |
session | Reference to a SmartRoles IOMSession instance. The session is created using the administrator and password defined in the SmartRoles resource. |
trace | Reference to the com.sun.idm.logging.trace.Trace instance associated with the com.waveset.adapter.SmartRolesResourceAdapter class. You can use this to output trace messages for use in debugging the action script. |
The following ResourceAction XML is an example of a BeanShell action. (Set the actionType to JAVASCRIPT for a JavaScript action.) This action script takes an argument named user (retrieved from the additionalArgs Map) and searches the SmartRoles repository for one or more Person objects with a LOGON_ID that matches the value in the user argument. The string representation of each matching Person is then returned in the WavesetResult in the ACTION_RC ResultItem.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ResourceAction PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- MemberObjectGroups="#ID#Top"-->
<ResourceAction createDate='1148443502593'>
  <ResTypeAction restype='SmartRoles' timeout='0' actionType='BEANSHELL'>
    <act>
      import bridgestream.core.*;
      import bridgestream.util.*;
      import bridgestream.temporal.person.*;
      import java.util.*;
      import com.waveset.object.*;

      // Session opened with the administrator account defined in the resource
      IOMSession session = actionContext.get("session");
      OMEngine engine = OMEngine.getInstance(session);

      // "user" argument passed to the runResourceAction call
      String user = actionContext.get("additionalArgs").get("user");
      UTNameValuePair[] criteria = new UTNameValuePair[] {
        new UTNameValuePair ("LOGON_ID", user)
      };
      UTTimestamp time = UTTimestamp.getSystemTimestamp();
      List list = session.search("PERSON", criteria, time, null, null);

      // Collect the string form of every matching Person
      Iterator iter = list.iterator();
      StringBuffer buf = new StringBuffer();
      while (iter.hasNext()) {
        ENPerson person = (ENPerson)iter.next();
        buf.append(person.toString());
        buf.append("\n\n");
      }

      // Return the matches in the ACTION_RC ResultItem
      WavesetResult result = actionContext.get("result");
      result.addResult("ACTION_RC", buf.toString());
    </act>
  </ResTypeAction>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</ResourceAction>
```
Currently, this adapter has the following limitations:
Roles can only be granted to SmartRoles person objects. You cannot grant roles to position objects.
A Waveset installation can only be configured to communicate with a single SmartRoles installation.
When assigning a granted role sphere of control, the organizations in the sphere of control include organizations that are directly assigned as well as all descendants of those organizations. If you attempt to assign a descendant of an organization that is assigned, an error will occur.
Because the adapter references SmartRoles organizations by name, the organization names within SmartRoles must be unique.
When you assign a SmartRoles person object to a position, the adapter does not attempt to find an available position. Instead, the adapter always creates a new position object and assigns the person object to the new position.
This section provides information about supported connections and privilege requirements.
The SmartRoles adapter communicates with the SmartRoles repository as specified in the configuration files copied from the SmartRoles installation. See the SmartRoles product documentation for details about configuring this connection.
The user that the adapter uses to connect to SmartRoles must be assigned to a role (such as the SmartRoles Administrator role) that can manage SmartRoles users.
The following table summarizes the provisioning capabilities of this adapter:
The SmartRoles adapter provides the following Identity system user attributes:
Use attribute namespaces to specify attributes generically on related or underlying objects. Use dotted syntax, as follows:
namespace.attribute_name
Use WORKER for Worker attributes (for example, WORKER.WORKER_TYPE)
Use X500_PERSON and AUTHENTICATION_INFO namespaces for information objects containing additional attributes for the Person object.
X500_PERSON contains attributes such as POSTAL_ADDRESS and SECRETARY
AUTHENTICATION_INFO contains attributes such as LOGON_ATTEMPTS and PASSWORD_CHANGED (date)
The SmartRoles adapter supports listing objects only, and it supports the following object types:
Organizations
Roles
When listing objects, you can specify the following options in the option Map:
$Logon ID$
The following sample forms are provided with the SmartRoles resource adapter:
None
SmartRolesUserForm.xml
Use the Waveset debug pages to set trace options on the com.waveset.adapter.SmartRolesResourceAdapter class.
You can also enable DEBUG logging in the SmartRoles APIs by editing the log4j.properties file that is configured in your JVM’s system properties.