Oracle Waveset 8.1.1 Deployment Guide

Viewing and Editing Configuration Objects

Editing configuration object properties is one way of implementing persistent changes to Waveset behavior.

You can use the Oracle Waveset Integrated Development Environment (Identity Manager IDE) to view and edit Waveset objects for your deployment. Instructions for installing and configuring the Identity Manager IDE are now provided on

This section describes how to view and edit the following configuration objects:

Note –

IDM Schema Configuration Object

You configure User and Role extended, queryable, and summary attributes in the IDM Schema Configuration configuration object.

Note –

The schema customizations provided in the IDM ObjectClass Configuration object are loaded at server startup. Whenever you modify the schema, you must restart the server to load the changes.

Waveset records any problems loading the schema in the system log messages. Use one of the following methods to view these messages:

A sample of the schema can be found in the schema.xml file in the sample directory.

Edit the IDM Schema Configuration configuration object to add extended attributes to multiple object types during deployment. Specifically, you can

Note –

The IDM Schema Configuration object is protected with the IDMSchemaConfig authType.

Administrators needing to view or edit the Waveset schema for Users or Roles must have the IDMSchemaConfig AdminGroup (capability) assigned. The Configurator user has this AdminGroup assigned by default.

Adding an Extended Attribute to an Object

To add an extended attribute, you must define the attribute with an IDMAttributeConfiguration (unless the attribute is a built-in attribute).

IDMAttributeConfigurations require a name and syntax. The valid syntax options are BOOLEAN, DATE, INT, or STRING. Optionally, an IDMAttributeConfiguration can specify whether the attribute is multi-valued, and can provide a display name (currently not used), and a description.

To add an extended attribute, or mark an attribute (either extended or built-in) as queryable or summary, specify an IDMObjectClassAttributeConfiguration in the appropriate IDMObjectClassConfiguration, such as User. You must specify a name that matches an existing (built-in or configured in the same configuration object) IDMAttributeConfiguration. You can also mark the IDMObjectClassAttributeConfiguration as queryable or summary.

In the following example, firstname, lastname, and fullname are extended attributes. The firstname and lastname User attributes are queryable and summary, but fullname is not.

Example 12–1 Extended Attributes Example

<?xml version=’1.0’ encoding=’UTF-8’?> <!DOCTYPE Waveset PUBLIC ’waveset.dtd’ ’waveset.dtd’> 
<Configuration name="IDM Schema Configuration" id=’#ID#Configuration:IDM_Schema_Configuration’ 
<IDMAttributeConfiguration name=’firstname’ description=’User’s first name’ syntax=’STRING’/> 
<IDMAttributeConfiguration name=’lastname’ description=’User’s last name’ syntax=’STRING’/> 
<IDMAttributeConfiguration name=’fullname’ description=’User’s full name’ syntax=’STRING’/> 
<IDMObjectClassConfiguration name=’User’ extends=’Principal’> 
<IDMObjectClassAttributeConfiguration name=’firstname’ queryable=’true’ summary=’true’/> 
<IDMObjectClassAttributeConfiguration name=’lastname’ queryable=’true’ summary=’true’/> 
<IDMObjectClassAttributeConfiguration name=’fullname’/> 

Note –

To prevent potential conflicts with new core attributes in future releases of Oracle Waveset, prefix extended attributes with a deployment-specific prefix.

For example, to add an extended attribute to User to record the employeeNumber, prefer a prefix associated with the company, such as acme_employeeNumber. If a future release of Waveset incorporates a built-in user attribute named employeeNumber, the two attributes will remain distinct. Otherwise the built-in attribute takes precedence.

Extending the Role Object Class

You can extend Role using an IDMObjectClassConfiguration. The following built-in Role extensions all extend the Role object class:

To add an extended attribute to a particular role extension, such as AssetRole, add the IDMObjectClassAttributeConfiguration to the AssetRole IDMObjectClassConfiguration. To add an extended attribute to all kinds of roles, add the IDMObjectClassAttributeConfiguration to the Role IDMObjectClassConfiguration, and it will be inherited by all extensions of Role.

You can define custom extensions of Role or any extension of Role. For example, to add a custom extension of AssetRole, define a new IDMObjectClassConfiguration (in the IDM Schema Configuration) for the new role, and use the extends field to specify the parent role, as shown in the following example:

<IDMObjectClassConfiguration name=’MyAssetRole’
                             description=’My Asset Role Description’/>

When you add a new Role objectclass, you must add a new Role type to the Role Configuration object. In addition, the new Role type’s name must match the name of the new Role objectclass. For more information, see Role Configuration Object.

UserUIConfig Object

Note –

You now configure extended, queryable, and summary attributes for Users (WSUser) in the schema configuration instead of in the UserUIConfig object. For more information, see IDM Schema Configuration Object

The SummaryAttrRoleCountLimit attribute controls the number of roles that appear in the summary attribute string for a user. To control this number, specify a value here. If you do not specify a value in this object, Waveset will list at most three roles.

RepositoryConfiguration Object

The RepositoryConfiguration object contains settings that control the behavior of the Waveset Repository. Each XML attribute of the top-level <RepositoryConfiguration> element configures some aspect of overall Repository behavior.

For example, the following line specifies that repository locks expire in five minutes by default.

<RepositoryConfiguration ... lockTimeoutMillis=’300000’ ... >

Caution – Caution –

Do not modify any RepositoryConfiguration setting unless you understand its effects.

The RepositoryConfiguration object also contains some settings that are specific to User objects. For example, the TypeDataStore element for User objects specifies the inline attributes for User objects.

Inline attributes are single-valued attributes that the Repository stores directly in the main object table for each type, in this case, in columns attr1 through attr5 of the USEROBJ table. Most attribute values are stored in the USERATTR table (which requires a separate join for each attribute). Inlining an attribute improves the performance of queries that use the attribute.

The sample RepositoryConfiguration object specifies default inline attributes for User objects, as follows:

<TypeDataStore typeName=’User’ ... attr1=’MemberObjectGroups’ \
  attr2=’lastname’ attr3=’firstname’ attr4=’’ attr5=’’ />

Do not change the value of attr1, which is set to attr1=’MemberObjectGroups’. You can, however, specify the name of any attribute that is queryable and single-valued as the value of any of the remaining inline columns (attr2 through attr5).

Note –

To view or edit the RepositoryConfiguration object, you must have Debug and Security Administrator capabilities.

For more information, see the “Upgrade Issues” section of the Release Notes, and the Oracle Waveset 8.1.1 System Administrator’s Guide.

WorkItemTypes Configuration Object

This configuration object is defined in sample/workItemTypes.xml, which is imported by init.xml and update.xml. This object enumerates the supported work item type names, extensions, and display names.

The extends attribute allows for a hierarchy of work item types (workItem Types). When Waveset creates a work item, it delegates the work item to the specified users if its workItem type is:

Table 12–1 workItem Types



Display Name  



All Work Items 






Organization Approval 



Resource Approval 



Role Approval 



Role Change Approval 



Application Approval 



Application Change Approval 



Asset Approval 



Asset Change Approval 



Business Role Approval 



Business Role Change Approval 



IT Role Approval 



IT Role Change Approval 



Access Review Attestation 







SystemConfiguration Object

The SystemConfiguration object provides a central control point for many system behaviors and provides a means of storing persistent customizations to system behavior. Given its importance, and the frequency with deployers customize it, the full range of possible customizations are not documented here. Some common customizations are documented here:

Controlling the Display of the Password Confirmation Popup

The forgotPasswordChangeResults attribute in the System Configuration object controls whether Waveset displays a confirmation page after a user or administrator has initiated a password change by clicking the Forgot My Password button during log in.

Configuring Delegate History List Length

The delegation.historyLength attribute controls the size of the list of both current and completed delegations displayed by the End User View workItem Delegation form. This attribute specifies the maximum number of delegations that can appear in the delegation table. Note that the table will show all current delegations, no matter which value you set here.

The SystemConfiguration object contains the security.delegation.historyLength attribute, which controls the number of previous delegations that are recorded.

Enabling Attribute Value Customization

The process.handleNativeChangeToAccountAttributes attribute controls the auditing of attribute values. When set to true, attribute value enabling is enabled for both the reconciliation process and for the provisioner. By default, this property is not enabled.

Form and Workflow Save Behavior Customization

The security.saveNoValidateAllowedFormsAndWorkflows attribute lists the IDs of forms and workflows that will be processed as a SaveNoValidate action. All other forms and workflows will be processed as a Save. If this list is not present, the behavior remains the same for all forms and workflows (all forms and workflows will be processed as SaveNoValidate.

Login-Related Customizations

You can customize login behavior by directly editing system configuration object attributes.

Enabling autocomplete for Login Pages

By default, Waveset prevents browsers from offering to store the user's credentials. You can enable the autocomplete feature for the login pages by changing the ui.web.disableAutocomplete system configuration object to true. The login pages include login.jsp, continueLogin.jsp, user/login.jsp, and user/continueLogin.jsp.

Waveset login forms other than the preceding ones are generated from XPRESS, and you must edit these forms to use the new display property. These forms, which reside in the sample directory, include this property commented out by default.

Displaying an Error Message During an Attempt to Provision a Disabled User

The ProvisioningDisabledUserShouldThrow attribute controls whether Waveset will produce an error message when preventing an attempt to provision a disabled user. When set to true, Waveset will prevent any attempt to provision a disabled user to a resource and will produce an error. When this attribute is not set to true, then Waveset will still prevent the provisioning, but will not produce an error.

Launching the Password Login Workflow upon Login

The runPasswordLoginOnSuccess attribute controls whether Waveset will run the Password Login workflow when a user successfully logs in. When set to true, Waveset will run this workflow after successful login. By default, the value of this attribute is false.

PasswordSync-Related Customizations

You can customize PasswordSync behavior by directly editing the following system configuration object attributes:

Registering Scheduler Startup (for Clustered Environments)

The scheduler.hosts attribute registers startup behavior for the scheduler for each Waveset application instance.

The value of scheduler.hosts is a map that contains an entry for each host that you want to control. The key is the hostname for the Waveset application instance.

Note –

To see the hostname value, go to the debug/GetStatus.jsp page in your Waveset installation.

The following values are valid:

The default value is used if no value or an invalid value is specified.

Note –

The task.scheduler.enabled and task.scheduler.suspended properties in the file override the value set in the System Configuration object.

Following is an example of the scheduler attribute from Configuration:System Configuration:

<Attribute name=’scheduler’>
      <Attribute name=’hosts’>
            <MapEntry key=’goliad’ value=’enabled’/>
            <MapEntry key=’sanjacinto’ value=’manual’/>
            <MapEntry key=’washington’ value=’disabled’/>

Source Adapter Task Customization

You can edit the following two attributes to customize the behavior of the source adapter task:

Role Configuration Object

The Role Configuration object defines the supported Role Types, Actions, and List Columns. The following sections describe the supported elements of a Role Type definition:

Types Attribute

Role type attributes are configured in the types section of the Role Configuration object. For each type of role in the list, for example business or IT roles, you must specify the following attributes:

displayName Attribute

Specifies the type’s display name whose value is a message catalog key.

authType Attribute

Specifies the authorization type associated with the role type. An authorization type enables fine-grain authorization for who is allowed to view and manage this role type. If you have not yet defined an authType, add one to the AuthorizationTypes configuration object. You must reference that authType within an AdminGroup (capability) as a type within a Permission that grants access to roles of this authType.

Note –

All roles have an authorization type. If you load a role without an authorization type, the authorization type defaults to ITRole.

workItemTypes Attribute

The type of work items that can be created for role assignment approval and role change approval. If you have not yet defined the specified workItem types, add them to the WorkItemTypes configuration object.

features Attribute

The features attribute includes the following features:

Actions Attribute

The Actions attribute defines a set of actions that a Role administrator can take on one or more Roles in the list Roles table and when adding role exclusions to contained roles to an existing role.

Three sets of actions are specified in role configuration:

Each action is defined with the following attributes:

List Columns Attribute

The List Columns attribute defines the set of attribute names and labels to display as column headings when viewing lists of Roles (for example, List roles and find role results).

You can specify unique sets of attributes to display as list column headings. The attributes for each defined column are

Other Options

You can also set the following options in the Role Configuration object:

End User Tasks Object

The End User Tasks object defines the tasks that you can run from the Waveset user interface. You can assign the EndUserTask authorization type to any TaskDefinition object, and you can assign the EndUserRule authorization type to any Rule objects that must be exposed.