This chapter introduces Waveset views, which are data structures used in Waveset. It provides background for views, including an overview of how to implement views with Waveset workflows and forms as well as reference information.
You can use the Waveset IDE to learn more about Waveset views and other generic objects. Instructions for installing and configuring the Waveset IDE are provided on https://identitymanageride.dev.java.net.
This chapter is organized into the following sections:
Understanding Waveset Views
Understanding the User View
Common Views
View Options
Deferred Attributes
Extending Views
A Waveset view is a collection of attributes that is assembled from one or more objects managed by Waveset. Views are transient and dynamic, and are not stored in the repository. The data in a view can change when the view is refreshed to reflect a new role or resource assignment.
If you are using Waveset, you will encounter views primarily in forms and workflows. A Waveset form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules.
When working with views, it helps to first understand:
general view concepts
how views are used in Waveset
frequently customized views
The most important view is the user view, which contains the user attributes that are stored in Waveset and attributes that are read from accounts managed by Waveset. Some attributes in the user view are visible in the forms that are presented by the Waveset User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values.
For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user’s full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Waveset. Once approved (where approval is required), the system converts the user view back into one or more objects in the Waveset repository and sends the view to the resources assigned to the user to create or update the user’s resource accounts.
A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository, or read from resources. The value of a view attribute can be atomic such as a string, a collection such as a list, or a reference to another object.
Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false.
View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user.
Waveset forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Waveset user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Waveset merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in, which typically results in the view being passed as input to a workflow process.
Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts.
When you assign an account type to a user, Waveset makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:
Use a value of null to indicate an account of the default type. Reference an account of the default type by resource name, for example, accounts[corp-ad].
Use a type-qualified name instead of the resource name to reference an account of a specific type. The type-qualified resource name takes this form:
<resource name>|<type of account>
To reference the account data for the account of type Admin on the resource corp-ad, reference accounts[corp-ad|Admin].
The following views are frequently used with both customized forms and workflows.
View | Description
---|---
User | Used to manipulate Waveset users and provision resource accounts.
AccountCorrelation | Used to search for users correlating to a specified account (or account attributes).
AdminRole | Used when assigning an Admin role to a user.
Enable | Used to present and select the list of resource accounts to be enabled.
Deprovision | Used to present and select a list of resources to be deprovisioned.
Disable | Used to present and select the list of resource accounts to be disabled.
ChangeUserAnswers | Used to change a user's authentication answers.
ChangeUserCapabilities | Used to change a Waveset user's capabilities.
List | Used to generate a list of work items and processes in the Waveset User Interface.
Org | Used to specify the type of organization created and options for processing it.
Password | Used to change a Waveset user's password, and optionally propagate the password to resource accounts.
Process | Used to launch tasks such as workflows or reports.
Reconcile | Used to request or cancel reconciliation operations.
ReconcileStatus | Used to obtain the status of the last requested reconciliation operation.
RenameUser | Used to rename the Waveset and resource account identities.
Reprovision | Used to present and select the list of resources to be reprovisioned.
ResetUserPassword | Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.
Resource | Used to manipulate resources.
ResourceObject | A family of views used to manipulate arbitrary objects supported by a resource, for example groups and mailing lists.
Role | Used to specify the types of Waveset roles created.
TaskSchedule | Used to create and modify TaskSchedule objects.
Unlock | Used to unlock accounts for those resources that support native account locking.
WorkItem | Used when writing a workflow approval form.
WorkItemList | Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.
The User view is the collection of attributes that contain information about a Waveset user, including:
Attributes stored in the Waveset repository
Attributes fetched from resource accounts
Information derived from other sources such as resources, roles, and organizations
The user view is most often used with forms that are designed for the pages that create or edit users. These pages launch workflow processes that store a changed user view until it is necessary to push the updated view information back out to Waveset and associated resources. While the user view is stored in a workflow process, the workflow process can manipulate attribute values through workflow actions. Workflow can also expose attribute values for user input through manual actions and approval forms.
The user view is often used in conjunction with a form. Forms contain rules that control how data is presented through HTML fields and is processed after the HTML page rendering the form is submitted. A system component called the form generator combines a form definition and a view to produce HTML that a browser then displays.
View attribute values are displayed by assigning them to an HTML component in the form. (See Chapter 7, HTML Display Components for more information on how view attributes can be displayed.)
Views are implemented as instances of the GenericObject class. This class provides a mechanism for the representation of name/value pairs and utilities for traversing complex hierarchies of objects through path expressions. A path expression is a string that is interpreted at runtime to traverse an object hierarchy and retrieve or assign the value of an attribute.
You must understand how to write path expressions to assign valid form field names. For more information on using path expressions, refer to the section titled Path Expressions.
Workflow processes that contain a user view typically store it in a workflow variable named user. You can reference a view in the workflow expressions by prefixing user to a user view path (for example, user.waveset.accountId). The string waveset identifies the attribute named accountId as belonging to another object named waveset, which itself belongs to the user view object.
Approval forms are written for a view known as the WorkItem view. The Work Item view by default contains all the workflow variables under an attribute named variables. If the approval form is written for a workflow that contains a user view, the prefix variables.user. is used to reference attributes in the user view (for example, variables.user.waveset.roles). See WorkItem View later in this chapter for more information.
At a high level, objects are simply named collections of attributes, which are name/value pairs. The value of an attribute can be an atomic value such as a string, a collection such as a list, or a reference to another object. You can represent almost any object abstractly with the Map, List, and String Java classes.
Within the Waveset system, the GenericObject class provides a simple memory model for the representation of arbitrary objects and collections. It includes features for easily navigating object hierarchies to access or modify attribute values.
The GenericObject class implements the java.util.Map interface and internally uses a java.util.HashMap to manage a collection of name/value pairs. The entries in this map are called attributes. The value of an attribute can be any Java object that is able to serialize itself as XML. The most common attribute values found in a GenericObject are instances of the following classes:
String
Integer
Boolean
EncryptedData
List
Date
GenericObject
X509cert
You can construct complex hierarchies of objects by assigning Lists or GenericObjects as attribute values. Once you have assigned attribute values, you traverse this hierarchy to access the values of an attribute.
A path expression is a string that is interpreted at runtime by the GenericObject class to traverse an object hierarchy and retrieve or assign the value of an attribute. Waveset uses a system of dots and brackets to represent objects and attributes in the hierarchy.
You use path expressions as the value of the name attribute in form fields when customizing a form (for example, <Field name='user.waveset.roles'/>).
The following simple example illustrates a GenericObject with two attributes:
name (String)
address (GenericObject)
The address object, in turn, has an attribute named street, which is a string.
To create a path expression to the street attribute of the address object, use address.street.
Path expressions use the dot character (.) to indicate traversal from one object to another. This is similar to the way the dot is used in Java or the -> operator is used in C. Paths can be long, as illustrated by this example:
user.role.approver.department.name
You can also use path expressions to traverse values that are lists. Consider an object that has an attribute children whose value is a java.util.List. Each object in the list is itself a GenericObject with a name attribute and an age attribute. Write the path to the name of the first child as:
children[#0].name
Path expressions use square brackets to indicate the indexing of a list. The token between brackets is the index expression. In the simplest case, this is a positive integer that is used to index the list by element position.
Typically, the position of an object in a list is arbitrary. Index expressions can also specify simple search criteria to identify one object in the list. Objects in a list typically have a name attribute, which serves to uniquely identify this object among its peers. Path expressions support an implicit reference to an object’s name attribute within the index expression.
For example:
children[hannah].age
The preceding path expression obtains the list of objects stored under the children attribute. This list is searched until an object with a name attribute equal to hannah is found. If a matching object is found, Waveset returns the value of the age attribute.
An index expression can also compare an arbitrary attribute. Written with a single = it selects every matching object and returns a list. For example:
    <ref>accountInfo.accounts[type=vms].name</ref>
accountInfo.accounts[type=vms].name returns a list of names for VMS resources. It returns a list of only one element if only one exists.
children[hannah].age is equivalent to children[name==hannah].age. If you search using type=LDAP, for example, you get a list of names of LDAP resources. However, if you use the == operator, the result is a single object. For example, children[parent=hannah].occupation returns a list of occupations for all of hannah's children, but children[parent==hannah].occupation returns a single occupation (not in a list) for whichever child was found first.
For example:
    <index i='0'><ref>accountInfo.accounts[type=vms].name</ref></index>
is equivalent to
    <ref>accountInfo.accounts[type==vms].name</ref>
If more than one account with type vms exists, then either example returns the first account found, with no particular guaranteed ordering.
You can also write path expressions that calculate List values that are not stored in the object. For example:
accounts[*].name
When an asterisk is found as an index expression, it implies an iteration over each element of the list. The result of the expression is a list that contains the results of applying the remaining path expression to each element of the list. In the previous example, the result would be a list of String objects. The strings would be taken from the name attribute of each object in the accounts list.
Path expressions with * (asterisk) are used with the FieldLoop construct in forms to replicate a collection of fields.
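The path-expression rules described above (dot traversal, [#n] indexes, implicit name matching, = versus ==, [*] iteration, and type-qualified account names such as accounts[corp-ad|Admin]) modelled in Python as an added illustration; this is not Waveset's GenericObject implementation, the user view it evaluates is constructed sample data, and tokenize, apply_index and get_path are names chosen for the example.

```python
"""Model of Waveset GenericObject path-expression semantics (added illustration,
not Waveset's own code). Supports dotted traversal, [#n] positional index,
[name] implicit match on the element's name attribute, [attr=val] (list of all
matches), [attr==val] (first match only), [*] iteration over every element,
and type-qualified account names such as accounts[corp-ad|Admin]."""


def tokenize(path):
    """Split a path into (attribute, index_expression_or_None) segments.
    Dots inside brackets belong to the index expression, not the path."""
    segments, i, n = [], 0, len(path)
    while i < n:
        j = i
        while j < n and path[j] not in ".[":
            j += 1
        name, index = path[i:j], None
        if j < n and path[j] == "[":
            k = path.index("]", j)
            index, j = path[j + 1:k], k + 1
        segments.append((name, index))
        if j < n and path[j] == ".":
            j += 1
        i = j
    return segments


def apply_index(items, index):
    """Apply one index expression to a list. Returns (selection, iterate);
    when iterate is True the rest of the path is mapped over every element
    and the final result is itself a list."""
    if index == "*":
        return list(items), True
    if index.startswith("#"):
        pos = int(index[1:])
        return (items[pos] if 0 <= pos < len(items) else None), False
    if "==" in index:  # test '==' before '=' so 'type==AD' is not split on '='
        attr, val = index.split("==", 1)
        return next((e for e in items if isinstance(e, dict)
                     and str(e.get(attr)) == val), None), False
    if "=" in index:
        attr, val = index.split("=", 1)
        return [e for e in items if isinstance(e, dict)
                and str(e.get(attr)) == val], True
    # bare token: implicit [name==token]; a '|type' qualifier is part of the name
    return next((e for e in items if isinstance(e, dict)
                 and e.get("name") == index), None), False


def get_path(obj, path):
    """Retrieve the value addressed by a path expression (None if absent)."""
    return _resolve(obj, tokenize(path))


def _resolve(obj, segments):
    if not segments or obj is None:
        return obj
    (name, index), rest = segments[0], segments[1:]
    value = obj.get(name) if isinstance(obj, dict) else None
    if index is None:
        return _resolve(value, rest)
    if not isinstance(value, list):
        return None  # indexing a non-list yields nothing
    selection, iterate = apply_index(value, index)
    if iterate:
        return [_resolve(e, rest) for e in selection]
    return _resolve(selection, rest)


# Constructed sample user view: the shape follows the tables in this chapter,
# the values are made up for the example.
SAMPLE_USER_VIEW = {
    "waveset": {"accountId": "hsmith", "id": None,
                "questions": [{"id": 1, "name": "Q1", "question": "Pet's name?"}]},
    "global": {"firstname": "Hannah", "lastname": "Smith"},
    "accounts": [
        {"name": "corp-ad", "fullname": "Hannah Smith"},
        {"name": "corp-ad|Admin", "fullname": "Hannah Smith (admin)"},
        {"name": "corp-ldap", "fullname": "Hannah Smith"},
    ],
    "accountInfo": {"accounts": [
        {"name": "corp-ad", "type": "AD"},
        {"name": "corp-ad|Admin", "type": "AD"},
        {"name": "corp-ldap", "type": "LDAP"},
    ]},
}


if __name__ == "__main__":
    for p in ("accounts[corp-ad|Admin].fullname", "accounts[*].name",
              "accountInfo.accounts[type=AD].name",   # list of all AD accounts
              "accountInfo.accounts[type==AD].name",  # first AD account only
              "waveset.questions[Q1].question", "waveset.id"):
        print("%-40s -> %r" % (p, get_path(SAMPLE_USER_VIEW, p)))
```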
Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Waveset system.
Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.
Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested.
The user view contains the attributes described in the following table, which are further defined in subsequent sections.
Table 3–1 Top-Level Attributes User View
Attribute | Description
---|---
waveset | Contains information stored in the Waveset repository (the WSUser object). This is sometimes referred to as the basic view.
accounts | Contains the values of all resource account attributes fetched from resources. These are typically the values that are edited with forms.
accountInfo | Contains read-only information about the resources and accounts associated with the user.
display | Contains the read-only runtime state for the interface. It is used only during interactive editing of the user. display.session describes login and access information. display.subject identifies the account under which the user is logged in. display.eventType indicates whether the user view is servicing a create or an update operation.
global | Contains attributes that are synchronized across all resource accounts.
password | Contains attribute values that are specific to the user's password, password expiration, and target systems.
When you design a form, the field names are typically paths into the waveset, global, and accounts attributes of the user view (for example, global.firstname).
The user view provides several namespaces for deriving account-related information. The following table summarizes these variable namespaces.
Table 3–2 Account-Related User View Attributes
Account-Related Namespace | Description
---|---
waveset.accounts | Used internally for difference detection during check-in operations. It contains the starting values for all account attributes. Do not modify this value.
accountInfo.accounts | Derived read-only information about the accounts that are linked to the user and their associated resources. Use this attribute in forms, but do not modify.
accounts | Stores the read/write copies of the account attributes. Updatable fields should point to this namespace.
global | Stores copies of global attributes. Values in this area appear only if the form defines global fields, or if you are using the special MissingFields reference. (The form determines how global attributes are processed.) If you set a global attribute in a workflow, you must also define a global field in the form. Simply depositing a global value in the view is insufficient.
Within a form, you can reference attributes in two ways:
Use the name attribute of a Field element, giving the complete attribute path, as follows:
    <Field name='waveset.accountId'>
For more information on setting the Field name element in a form field, see the chapter titled Waveset Forms.
Reference an attribute from within another field:
    <Expansion>
      <concat>
        <ref>global.firstname</ref>
        <s> </s>
        <ref>global.lastname</ref>
      </concat>
    </Expansion>
Within workflow, you can reference Field attributes as process variables (that is, variables that are visible to the workflow engine) or in XPRESS statements for actions and transitions. When referencing these attributes in workflow, you must prefix the path with the name of the workflow variable where the view is stored (for example, user.waveset.accountId).
You can define fields that store values at the top-level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Waveset repository or propagated to a resource account.
For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code, p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.
In general, use the top-level field syntax if:
the field value is not being pushed out to Waveset or any other resource
the field is being used only in email notifications or for calculating other fields.
Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.
    <Field name='p1' required='true'>
      <Display class='Text'>
        <Property name='title' value='Work Phone Number'/>
        <Property name='size' value='3'/>
        <Property name='maxLength' value='3'/>
      </Display>
    </Field>
    <Field name='p2' display='true' required='true'>
      <Display class='Text'>
        <Property name='rowHold' value='true'/>
        <Property name='noNewRow' value='true'/>
        <Property name='size' value='3'/>
        <Property name='maxLength' value='3'/>
      </Display>
    </Field>
    <Field name='p3' display='true' required='true'>
      <Display class='Text'>
        <Property name='rowHold' value='true'/>
        <Property name='noNewRow' value='true'/>
        <Property name='size' value='4'/>
        <Property name='maxLength' value='4'/>
      </Display>
    </Field>
    <Field name='global.workPhone' required='true' hidden='true'>
      <Expansion>
        <concat>
          <ref>p1</ref>
          <s>-</s>
          <ref>p2</ref>
          <s>-</s>
          <ref>p3</ref>
        </concat>
      </Expansion>
    </Field>
The waveset attribute set contains the information that is stored in a WSUser object in the Waveset repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form but are provided so that Waveset can fully represent all information in the WSUser object in the view.
Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.
Table 3–3 Most Used Attributes of the waveset Attribute (User View)
Attribute | Editable? | Data type
---|---|---
waveset.accountId | Read/Write | String
waveset.applications | Read/Write | String
waveset.correlationKey | Read/Write | String
waveset.creator | Read only | String
waveset.createDate | Read only | String
waveset.disabled | Read/Write | String
waveset.email | Read/Write | String
waveset.exclusions | Read/Write | List
waveset.id | Read | String
waveset.lastModDate | Read | String
waveset.lastModifier | Read | String
waveset.locked | Read | String
waveset.lockExpiry | Read/Write | String
waveset.organization | Read/Write | String
waveset.questions | Read/Write | List
waveset.resources | Read/Write | List
waveset.resourceAssignments | Read/Write | List
waveset.roleInfos | Read/Write | List
waveset.roles | Read/Write | String
waveset.serverId | Read/Write | String
Specifies the visible name of the Waveset user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Waveset account.
For information on renaming a user, see Business Administrator's Guide.
Contains a list of the names of each application (also called resource group in the Waveset User Interface) assigned directly to the user. This does not include applications that are assigned to a user through a role.
Collection of arbitrary attributes that is stored with the WSUser in the Waveset repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:
waveset.attributes.fullname
or
accounts[Lighthouse].fullname
You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the user is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the accounts[Lighthouse] attribute for an example of how to extend the extended user attributes.
Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.
Contains the name of the administrator that created this user.
This attribute is read-only.
Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z
05/21/02 14:34:30 CST
This attribute is set once only and is read-only.
Contains the disabled status of the Waveset user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string.
You can modify this attribute to enable or disable the Waveset user, although it is more common to use global.disable. (Prepending global. to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Waveset.)
Once this value becomes true, the user cannot log in to the Waveset user interface.
Specifies the email address stored for a user in the Waveset repository. Typically, it is the same email address that is propagated to the resource accounts.
Modifications to this attribute apply to the Waveset repository only. If you want to synchronize email values across resources, you must use the global.email attribute.
You can modify this attribute.
Lists the names of the resources that will be excluded from provisioning, even if a resource is assigned to the user through a role, resource group, or directly.
Identifies the repository ID of the Waveset user object. Once the user has been created in Waveset, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null).
The following example shows an XPRESS statement that tests to see if waveset.id is null:
<isnull><ref>waveset.id</ref></isnull>
Contains the date at which the last modification was made. It represents the date as the number of milliseconds since midnight, January 1, 1970 GMT. This attribute is updated each time a user account is modified.
This attribute is read-only.
Contains the name of the administrator or user that last modified this user account.
This attribute is read-only.
Indicates whether the user is locked. A value of true indicates that the user is locked.
Specifies when the user lock expires if the user’s Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time.
Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization.
Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison.
Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records.
Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are:
password
role
organization
To reference these attributes, prepend waveset.original. to the attribute name (for example, waveset.original.role).
Specifies the Waveset user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string.
The password attribute set contains the attributes described in the following table.
Table 3–4 Attributes of the password Attribute (User View)
Attribute | Description
---|---
password | Identifies the password to be set.
confirmPassword | Confirms the password to be set. The value should match the value of password.password.
targets | Specifies a list of resources that can have their password changed.
selectAll | Specifies a Boolean flag that signifies that the password should be pushed to all of the resources.
accounts[] | Specifies a list of objects that contain information about each of the resources. Each object contains the two attributes described below.
accounts[<resource>].selected | Boolean. When set, indicates that the password should be changed on the resource.
accounts[<resource>].expire | Boolean. When set, indicates that the password will expire. This attribute is set to false if the user changes his own password. However, if an administrator changes another user's password, the flag is set to true. To prevent the password from being expired when administrators or proxy accounts other than the user change a password on an account, set accounts[<resource>].expire to <s>false</s>. This setting ensures that the password is not expired and that Waveset does not force the user to change the password again.
Contains the date on which the Waveset password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm/dd/yy.
Contains the date on which warning messages will start being displayed whenever the user logs into the Waveset User Interface. This is typically a date prior to the waveset.passwordExpiry date in the same format (mm/dd/yy).
Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes.
The waveset.questions attribute set contains the attributes described in the following table.
Table 3–5 waveset.questions Attributes (User View)
Attribute | Editable? | Description
---|---|---
answer | Read/Write | Encrypted answer to the question
id | Read | System-generated ID for the question
name | Read | Name used to identify this question
question | Read | Text of the authentication question
The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names.
For example, the path waveset.questions[#1].question addresses the second element of the questions list (list indexes start from zero). However, since there may be only one question on the list whose ID is the number 1, the ID is not necessarily suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID (in this example, Q1). The path waveset.questions[Q1].question then always correctly addresses the question.
Contains a list of the names of each resource that is assigned directly to the user. This list does not include resources that are assigned to a user through a role or through applications. You can add only unqualified resource names to this attribute. To find all resources that are assigned to a user, see the section on the accountInfo attribute.
Qualifies the assigned resource list. (This attribute parallels the existing waveset.resources attribute.) All resources in this attribute appear as unqualified names in waveset.resources. Even if a user is assigned only an account of a non-default type, the resource still appears in waveset.resources.
New assignments can be made to either waveset.resources or waveset.resourceAssignments; the two lists resynchronize automatically when the view is refreshed. Adding an unqualified name to waveset.resources adds an assignment for an account of the default type. waveset.resourceAssignments accepts both qualified and unqualified resource names; a qualified name adds an account of the type specified by the qualifier.
Contains a list of objects that contain information about the roles assigned to this user.
Table 3–6 waveset.roleInfos Attributes
Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles.
Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.
Use to set unique server names when your deployment includes multiple Waveset instances that point to one repository on a single physical server. See the Installation Guide for more information.
The accounts attribute contains a list of objects for each account linked to the Waveset user. Each account object contains the values of the account attributes retrieved from the resource.
The name of each account object is typically the name of the associated resource. If more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix. The second account has the suffix |2. The third account on a resource has |3, etc.
For example, if you have a resource named Active Directory that defines an account attribute named Profile, the view path to this attribute would be:
accounts[Active Directory].Profile
If this view path were used in a form field, it would prevent the value of the global.Profile attribute from being propagated to the Active Directory account.
You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources.
In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Waveset, and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server, or the base context in a directory.
You may want to create an account on a resource, but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be overridden on a per-account basis in the view.
Resource attribute overrides are stored in the attribute object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path:
accounts[Active Directory].resourceAttributes.host
Although overriding resource attributes is not recommended, sometimes you cannot avoid it. You might choose to override a resource attribute to avoid creating duplicate resources that point to the same physical resource but differ by one attribute. For example, in a customer environment that has multiple Active Directory servers, it may make more sense to override the resource attribute host in the form than to create a new resource. Contact your Waveset support representative for more information.
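The path forms used in this section and the previous one (a question addressed by its absolute index `[#1]` or by its manufactured name `[Q1]`, an account object addressed by resource name with an optional `|n` suffix, and a nested resourceAttributes override) can be modeled with a small resolver. The following Python is an added illustration written for this page; it is not Waveset's own path implementation, and the view contents, question IDs, resource names and host names are constructed. It also handles the `[*]` wildcard form that appears later in this chapter (accountInfo.types[*].name), so it goes slightly beyond the paths shown above.

```python
import re

# One path segment: an attribute name, optionally followed by a bracketed
# selector.  Names inside the brackets may contain spaces and '|' (account
# suffixes such as "Active Directory|2"); the segment ends at the next '.'.
_SEGMENT = re.compile(r"([^.\[\]]+)(?:\[([^\]]*)\])?")


def parse_path(path):
    """Split 'a.b[x].c' into [('a', None), ('b', 'x'), ('c', None)]."""
    segments, pos = [], 0
    while pos < len(path):
        if path[pos] == ".":
            pos += 1
            continue
        m = _SEGMENT.match(path, pos)
        if m is None:
            raise ValueError(f"malformed path near {path[pos:]!r}")
        segments.append((m.group(1), m.group(2)))
        pos = m.end()
    return segments


def question_name(question_id):
    """The name the system manufactures for a question: 'Q' followed by the ID."""
    return f"Q{question_id}"


def account_object_name(resource, ordinal):
    """Name of the n-th account object on one resource: the first account has
    no suffix, later ones carry '|2', '|3', ..."""
    if ordinal < 1:
        raise ValueError("ordinal starts at 1")
    return resource if ordinal == 1 else f"{resource}|{ordinal}"


def _select(items, selector):
    """Pick elements of a named-object list by '#n' (absolute, zero-based
    index), '*' (every element) or by the element's name attribute."""
    if selector == "*":
        return list(items)
    if selector.startswith("#"):
        return [items[int(selector[1:])]]
    matches = [obj for obj in items if obj.get("name") == selector]
    if len(matches) != 1:
        raise KeyError(f"{len(matches)} elements named {selector!r}")
    return matches


def resolve(view, path):
    """Return the value at path; after a '*' selector the result is a list."""
    current, fanned_out = [view], False
    for attr, selector in parse_path(path):
        nxt = []
        for obj in current:
            value = obj[attr]
            if selector is None:
                nxt.append(value)
            else:
                fanned_out = fanned_out or selector == "*"
                nxt.extend(_select(value, selector))
        current = nxt
    return current if fanned_out else current[0]


def with_question_names(questions):
    """Model of the system deriving each question's name from its id."""
    return [dict(q, name=question_name(q["id"])) for q in questions]


# Constructed user view.  The questions list is deliberately ordered so that
# the element at absolute index 1 is NOT the question whose ID is 1.
SAMPLE_VIEW = {
    "waveset": {
        "questions": with_question_names([
            {"id": 1, "question": "First pet's name?", "answer": "<encrypted>"},
            {"id": 7, "question": "City of birth?", "answer": "<encrypted>"},
        ]),
    },
    "accounts": [
        {"name": account_object_name("Active Directory", 1),
         "Profile": "standard",
         "resourceAttributes": {"host": "ad1.example.test"}},
        {"name": account_object_name("Active Directory", 2),
         "Profile": "admin",
         "resourceAttributes": {"host": "ad2.example.test"}},
    ],
    "accountInfo": {
        "types": [{"name": "Active Directory", "accounts": ["jdoe", "jdoe-adm"]}],
    },
}
```

With this view, `waveset.questions[#1].question` answers "City of birth?" (the second list element) while `waveset.questions[Q1].question` answers "First pet's name?" (the question whose ID is 1), which is the distinction the text draws; `accounts[Active Directory|2].resourceAttributes.host` reaches the override on the second account.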
Sets the values of only the attributes stored in the Waveset repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Waveset repository, changes to this attribute are not automatically propagated to resources.
The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The system ignores any name found in this set of attributes that is not registered in the configuration object.
The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset.attributes set.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- id="#ID#Configuration:UserExtendedAttributes" name="User Extended Attributes"-->
<Configuration id='#ID#Configuration:UserExtendedAttributes' name='User Extended Attributes'
               creator='Configurator' createDate='1019603369733' lastMod='2' counter='0'>
  <Extension>
    <List>
      <String>firstname</String>
      <String>lastname</String>
      <String>fullname</String>
      <!-- add string values here -->
      <String>SSN</String>
    </List>
  </Extension>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Configuration>
```
This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.
Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item.
If delegatedApproversRule is the value of delegateApproversTo, identifies the selected rule.
If manager is the value of delegateApproversTo, this attribute has no value.
This attribute takes the attributes contained in the Attributes of accounts[Lighthouse].delegate* Attributes table.
Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth. This attribute takes the attributes contained in the Attributes of accounts[Lighthouse].delegate* Attributes table.
Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation. This attribute takes the attributes contained in the following table.
Table 3–7 Attributes of accounts[Lighthouse].delegate* Attributes
The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Waveset repository. You can then use properties in forms and workflows. A property is similar in some ways to an Extended User Attribute, but is not limited to primitive data types such as strings or integers.
Waveset defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list.
Table 3–8 Attributes of accounts[Lighthouse].properties
| Attribute | Description |
|---|---|
| name | Identifies the name of the TaskDefinition object to run. |
| date | Specifies the date on which to run the task. |
| taskName | Identifies the TaskInstance that is created. If none is specified, Waveset generates a random name. |
| owner | Identifies the name of a Waveset administrator that is considered to be the owner of the task. If none is specified, the default owner is Configurator. |
| organization | Identifies the Waveset organization that the TaskInstance will be placed in. If none is specified, an organization controlled by the task owner is selected at random. |
| description | Descriptive text that will be stored in the TaskInstance when it is created. This text is displayed in the task status page of the Waveset Administrator Interface. |
| externalPolicy[ResourceName] | Lists the resources on which to perform an external policy check. |
You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml.
The field that displays the deferred task table is named Deferred Tasks. After modifying the waveset.properties attribute, the deferred task table is now referenced by the default Tabbed User Form. If any deferred tasks exist, the table will be displayed at the bottom of the Identity tab panel.
Used to display a view-only User form. This view-only form displays field information as Labels, to ensure that the administrator cannot change values, although he can list, view, and search on this user information. (The administrator selects a user from the accounts list, then clicks View to see user details.)
Used to store account properties in the Waveset repository. Use this attribute if you have some information about the account -- for example the date it was created -- that cannot be stored as a native account attribute on the resource.
Used to specify a list of resource account attributes that are always sent to the resource for update when a user is modified, so that their values remain available to resource actions. This attribute is required for resource actions to be run when a user is unassigned from a resource.
The following field definition from a user form uses a Solaris resource. (<resource> has been replaced with the name of the resource.):
```xml
<Field name='accounts[waterloo].waveset.forceUpdate'>
  <Default>
    <List>
      <String>delete after action</String>
      <String>Home directory</String>
    </List>
  </Default>
</Field>
```
The preceding code causes Waveset to send the delete after action and Home directory attributes to the provisioner and resource adapter.
You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts (including Waveset). The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Waveset repository if there is an extended attribute with the same name.
For example, two resources R1 and R2 define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname.
You can also use global attributes to assign extended attributes that are stored in the Waveset repository. If a global attribute is also declared as an extended Waveset attribute, it is copied into accounts[Lighthouse].
Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems.
The global attribute can be used in combination with the account attribute for the same attribute name. For example, on an Active Directory resource, the structure of the fullname is lastname, firstname. But all other resources that have a fullname use firstname lastname.
The following example shows how you can reference these two fields in a form.
```xml
<Field name='global.fullname'>
  <Expansion>
    <concat>
      <ref>global.firstname</ref><s> </s>
      <ref>global.lastname</ref>
    </concat>
  </Expansion>
</Field>
<Field name='accounts[ActiveDir].fullname'>
  <Expansion>
    <concat>
      <ref>global.lastname</ref><s>, </s>
      <ref>global.firstname</ref>
    </concat>
  </Expansion>
</Field>
```
In the preceding example, creating a new user works as expected. However, when you load the user, the fullname attribute read from the Active Directory account can end up populating the global.fullname field.
A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:
```xml
<Field name='global.fullname'>
  <Derivation>
    <or>
      <ref>accounts[LDAP res].fullname</ref>
      <ref>accounts[AD res].fullname</ref>
    </or>
  </Derivation>
  <Expansion>
    <concat>
      <ref>global.firstname</ref><s> </s>
      <ref>global.lastname</ref>
    </concat>
  </Expansion>
</Field>
```
By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the AD resource.
Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:
Information in this view is structured so that it is easier to use in forms
This view can be used as a component of other views without including the entire waveset view.
Most account information is stored in the accountInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use this name to index the account list attribute.
For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role.
```xml
<FieldLoop for='name' in='accountInfo.fromRole'>
  <Field name='accountInfo.accounts[$(name)].name'>
    <Display class='Label'/>
  </Field>
</FieldLoop>
```
The following table shows the accountInfo view attributes, which describe characteristics of the user's accounts.
Table 3–9 accountInfo Attributes (User View)
| Attribute | Description |
|---|---|
| accountInfo.accounts | Lists objects that contain information about each resource account associated with the user (for example, created, disabled). |
| accountInfo.assigned | Lists the resources that are assigned to the user. |
| accountInfo.fromRole | Lists (in flat list format) resources assigned to the user through the role. |
| accountInfo.privates | Lists (in flat list format) resources assigned directly to the user. |
| accountInfo.toCreate | Lists names of all resources currently assigned to the user but for which accounts do not yet exist in Waveset. |
| accountInfo.toDelete | Lists names of resources that are no longer assigned to the user, but that are still known to exist. |
| accountInfo.types | Lists each type of resource that is currently assigned to the user or through Reserve Groups. |
| accountInfo.typeNames | Lists unique type names for every assigned resource. |
Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource.
accountInfo.accounts[Active Directory].type
Objects found in the accountInfo.accounts list have the following attributes, as defined in the following table.
Table 3–10 accountInfo.accounts. Attributes (User View)
| Attribute | Description |
|---|---|
| attributes | Information about all the account attributes defined by this resource. |
| name | Name of the resource where the account exists or will be created. |
| id | Repository ID of the resource. |
| type | Resource type name. |
| accountId | Name of the user’s account on this resource. |
| assigned | True if the account is currently assigned. Accounts that are not assigned can be deleted by Waveset. |
| protected | True if the account is currently protected. This means that update or delete operations on the account are ignored. |
| passwordPolicy | Information about the password policy defined for this resource. |
Contains information about all the account attributes defined by this resource. These attributes are listed on the schema map page of the resource. The value of the attribute is a List of objects.
The following table defines the attributes that these objects contain.
Table 3–11 accountInfo.accounts. Attributes (User View)
| Attribute | Description |
|---|---|
| name | The name of the Waveset resource account attribute. This name is defined in the resource schema map. |
| syntax | The syntax of the attribute value: one of int, string, boolean, encrypted, binary, or complex. Refer to the Resource Reference to determine whether binary or complex attributes are supported for the resource; an exception is thrown if you attempt to send binary or complex attributes to a resource that does not support them. Binary attributes should be kept as small as possible: Waveset throws an exception if you attempt to manage a binary attribute larger than 350 KB. Contact Customer Support for guidance if you need to manage attributes larger than 350 KB. |
| multi | True if the attribute allows multiple values. |
If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.
A resource can be assigned a password policy. If the resource has an assigned password policy, the value of this attribute contains information about it.
The following table defines the attributes of accountInfo.accounts[resname].passwordPolicy.
Table 3–12 accountInfo.accounts[resname].passwordPolicy Attributes (User View)

| Attribute | Description |
|---|---|
| name | The name of the policy. This corresponds to the name of a policy object in the Waveset repository. |
| summary | A brief text description of the policy, including information about each of the policy attributes. |
| attributes | The value of this attribute is another object that contains the names and values of each policy attribute. |
Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map.
Forms that provide an interface for changing and synchronizing passwords often use this information.
This special entry in the accountInfo list is used to hold information about the Waveset default password policy. This is convenient when displaying password forms since information about the Waveset password and policies must be displayed along with the information for resource accounts.
This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.
The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics.
The accountInfo attributes that can contain resource names are:
assigned
created
fromRole
private
toCreate
toDelete
Identifies the resources that are assigned to the user. If you are designing a form, you can reference this attribute to display a list of the resources that are assigned through roles, through applications, and directly to the user.
A list of unique type names for every assigned resource. This is used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected.
```xml
<Field name='HomeDirectory' prompt='Home Directory'>
  <Display class='Text'/>
  <Disable>
    <not>
      <contains>
        <ref>accountInfo.typeNames</ref>
        <s>Solaris</s>
      </contains>
    </not>
  </Disable>
</Field>
```
This returns the same information as the path accountInfo.types[*].name but is more efficient, which is important when used with Disable expressions. This list can include common resource types.
You can determine the resource type names by bringing up the resource list from the Waveset Administrator Interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List of objects.
The following table shows the attributes that belong to each object.
Table 3–13 accountInfo.types Attributes (User View)

| Attribute | Description |
|---|---|
| accounts | List of accountIds for each account assigned to the user that is of this type. |
| name | Resource type name. |
For example, you can determine a list of IDs for all UNIX accounts with the following path:
accountInfo.types[Unix].accounts
The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing.
The following table shows the most used display view attributes.
Table 3–14 Most Used display Attributes (User View)

| Attribute | Description |
|---|---|
| eventType | Indicates whether the user view is servicing a create or update request, as indicated by the values create or update (read-only). |
| session | A handle to an authenticated Waveset session. This attribute is valid only during an interactive editing session in the Waveset Administrator Interface. It is provided as an access point into the Waveset repository. The value of this attribute can be passed to methods in the com.waveset.ui.FormUtil class. The display.session attribute is not valid in the following cases where form processing may occur: in the bulk loader; during background reprovisioning; in unsynchronized actions or approvals. Best practice is to use this attribute only within a Property or Constraints element. In almost all existing forms, display.session is used only in Constraints elements. |
| subject | An object holding information about the credentials of a Waveset user or administrator. This value is set in almost all cases, but is typically used in workflow applications called during background activities where display.session is no longer valid. The subject can be used to get a new session; in this case, it is used for gaining access to the repository. |
| state | A handle to a com.waveset.ui.util.RequestState object that in turn contains handles to objects related to the HTTP request, such as the javax.servlet.http.HttpSession. |
Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem.
When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab:
approval
custom
itemType
You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form as follows:
```xml
<Form ......>
  <Properties>
    <Property name='allowedWorkItemTransitions'>
      <list>
        <s>myCustomType</s>
      </list>
    </Property>
  </Properties>
</Form>
```
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
There are two main steps to defining a deferred attribute:
Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario in which the following two resources are created: 1) a resource named LDAP that generates a uid attribute when an account is created; 2) a resource named HR, which contains an attribute named directoryid, whose value is to be the same as uid in the LDAP resource.
The following form fields set the necessary view attributes to define this association.
```xml
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Expansion><s>LDAP</s></Expansion>
</Field>
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Expansion><s>uid</s></Expansion>
</Field>
```
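The two-step sequence described above (create the source account first, then substitute the source attribute into the dependent account immediately before its adapter is called) is modeled below in Python. This is an added example, not Waveset's provisioning engine or adapter API: the FakeAdapter class, its real_create and fetch_account methods, and the LDAP uid and HR accountId values are constructed for the illustration. It shows both paths the text names, the adapter returning the generated attribute in its results and the slower fetch the engine falls back to when it does not, and it rejects a Resource Group order in which the dependent account would be created before its source.

```python
class FakeAdapter:
    """Constructed stand-in for a resource adapter (not Waveset's API)."""

    def __init__(self, resource, generated=None, returns_generated=True):
        self.resource = resource
        self.generated = generated or {}        # values the resource assigns itself (e.g. uid)
        self.returns_generated = returns_generated
        self.created = {}                       # accountId -> attributes stored on the resource
        self.fetch_count = 0                    # how often the engine had to re-read an account

    def real_create(self, attributes):
        """Create the account and return (accountId, resultsAttributes).
        A well-behaved adapter reports generated values in the results map."""
        account_id = attributes["accountId"]
        self.created[account_id] = dict(attributes, **self.generated)
        results = dict(self.generated) if self.returns_generated else {}
        return account_id, results

    def fetch_account(self, account_id):
        """The engine's fallback: fetch the account to learn the generated value."""
        self.fetch_count += 1
        return dict(self.created[account_id])


def ordering_is_valid(view_accounts, order):
    """True if every deferred-attribute source resource precedes its dependent."""
    seen = set()
    for resource in order:
        for source in view_accounts[resource].get("deferredAttributes", {}).values():
            if source["resource"] not in seen:
                return False
        seen.add(resource)
    return True


def provision(view_accounts, adapters, order):
    """Create accounts in Resource Group order, resolving deferred attributes.

    view_accounts maps a resource name to the account's view fragment:
      {"attributes": {...},
       "deferredAttributes": {attname: {"resource": src, "attribute": srcattr}}}
    Returns {resource: (accountId, resultsAttributes)}.
    """
    if not ordering_is_valid(view_accounts, order):
        raise RuntimeError("a deferred source resource is ordered after its dependent")
    created = {}
    for resource in order:
        fragment = view_accounts[resource]
        attributes = dict(fragment.get("attributes", {}))
        for attname, source in fragment.get("deferredAttributes", {}).items():
            src_id, src_results = created[source["resource"]]
            if source["attribute"] not in src_results:
                # Adapter did not return it: fetch the source account (less efficient).
                src_results.update(adapters[source["resource"]].fetch_account(src_id))
            attributes[attname] = src_results[source["attribute"]]   # substitution
        created[resource] = adapters[resource].real_create(attributes)
    return created


# Constructed view fragments mirroring the LDAP -> HR scenario in the text.
VIEW_ACCOUNTS = {
    "LDAP": {"attributes": {"accountId": "jdoe", "cn": "Jane Doe"}},
    "HR": {
        "attributes": {"accountId": "E1001"},
        "deferredAttributes": {"directoryid": {"resource": "LDAP", "attribute": "uid"}},
    },
}


def run(returns_generated):
    """Provision both accounts; return (HR directoryid as stored, LDAP fetch count)."""
    adapters = {
        "LDAP": FakeAdapter("LDAP", generated={"uid": "u-48213"},
                            returns_generated=returns_generated),
        "HR": FakeAdapter("HR"),
    }
    created = provision(VIEW_ACCOUNTS, adapters, order=["LDAP", "HR"])
    hr_id, _ = created["HR"]
    return adapters["HR"].created[hr_id]["directoryid"], adapters["LDAP"].fetch_count
```

In both runs the HR account receives the uid that LDAP generated; the difference is only that an adapter which omits the value from its results costs one extra fetch per dependent account.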
When debugging the User view, you might find it useful to dump the contents of the view into a new file. To create a dump file, add the following Derivation statement to the User view:
```xml
<Field name='DumpView'>
  <Derivation>
    <invoke name='dumpFile'>
      <ref>form_inputs</ref>
      <s>c:/temp/view.xml</s>
    </invoke>
  </Derivation>
</Field>
```
This Derivation expression invokes the dumpFile method, which generates the file after the User form is displayed for the first time. The form_inputs variable is automatically bound to the view that is being used with this form.
In the preceding example, the String argument to the dumpFile method is a file system path, where you substitute a valid path for c:/temp/view.xml.
Used to search for users correlating to a specified account (or account attributes). This view is used as part of the account reconciliation process.
This view contains the root attributes listed below. The values of these attributes are GenericObjects. The view ID is <account_name>@<resource_name>.
Table 3–15 Top-Level Attributes of Account Correlation View
| Attribute | Description |
|---|---|
| correlation | Contains information about how correlation should be done |
| matches | Contains the result of the correlation |
The correlation request is executed on both the view get operation and refresh request. In the case of a refresh, the request specified in the view is used (with the exception of accountId and resource, as these values are overridden by the view ID). In the case of a get request, view options of the same name as the view attribute (for example, correlator) can be used to specify the view-supplied portion of the request.
accountAttributes, when provided as a view option, can be supplied as a WSUser (as returned by resource adapter methods) or as a GenericObject.
| Attribute | Editable? | Data Type | Required? |
|---|---|---|---|
| accountId | Read | String | Yes |
| accountGUID | Read/Write | String | No (unless accountId and resource cannot clearly identify the resource) |
| resource | Read | String | Yes |
| accountAttributes | Read/Write | String | |
| correlator | Read/Write | String | No |
| confirmer | Read/Write | String | No |
Specifies the name of the account to correlate. This is automatically obtained from the view ID.
Specifies the GUID of the account to correlate. Required only if accountId and resource cannot clearly and unambiguously identify the resource.
Specifies the name of the resource where the account resides. This value is automatically obtained from the view ID.
Specifies the attributes of the account. If present, the viewer will not fetch the current account attributes to pass to the correlation/confirmation rules. Instead, these attributes will be passed in.
Specifies the correlation rule to use. If not present, the correlation rule specified by reconciliation policy for the resource will be used. If present, but null, no correlation rule is used.
Specifies the confirmation rule to use. If not present, the confirmation rule specified by reconciliation policy for the resource will be used. If present, but null, no confirmation rule is used.
These lists consist of GenericObjects that contain the summary attributes of users.
Table 3–17 Attributes of confirmer Attribute (Account Correlation View)
| Attribute | Editable? | Data Type |
|---|---|---|
| claimants | Read | List |
| correlated | Read | List |
| unconfirmed | Read | List |
Lists claimants that are calculated independent of the correlation algorithm, so claimants may also appear in another of the lists. Claimant discovery can be disabled by setting ignoreClaimants to true in the view options. A user claims an account if it has a ResourceInfo explicitly referencing the account.
Lists the users who were correlated to the resource account.
Lists users who were selected by the correlation rule but rejected by the confirmation rule. This list is present only if includeUnconfirmed is set to true in the view options.
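The request and result shape of the Account Correlation view described above can be modeled in a few lines. The following Python is an added example for this page and is not Waveset's reconciliation code: the user records, the account, the two rules (a correlation rule matching on mail, a confirmation rule checking the employee number) and the rule signatures are all constructed. It shows the three result lists, the effect of the ignoreClaimants and includeUnconfirmed options, and why a confirmation rule matters: with the confirmer present but null, every correlation-rule candidate is linked, including the second user who merely shares an e-mail address.

```python
# Constructed Waveset users with summary attributes and explicit account links.
USERS = [
    {"name": "jdoe", "email": "jane.doe@example.test", "employeeId": "E1001",
     "resourceInfos": []},
    {"name": "jdoe2", "email": "jane.doe@example.test", "employeeId": "E2002",
     "resourceInfos": []},
    {"name": "svc-legacy", "email": "ops@example.test", "employeeId": None,
     "resourceInfos": ["jdoe@LDAP"]},   # explicitly references the account -> claimant
]

# Constructed account as the view receives it; its view ID is jdoe@LDAP.
ACCOUNT = {
    "accountId": "jdoe",
    "resource": "LDAP",
    "accountAttributes": {"mail": "jane.doe@example.test", "employeeNumber": "E1001"},
}


def correlate_by_mail(account, users):
    """Constructed correlation rule: candidates whose e-mail equals the account's mail."""
    mail = account["accountAttributes"].get("mail")
    return [u for u in users if u["email"] == mail]


def confirm_by_employee_number(account, user):
    """Constructed confirmation rule: the candidate's employeeId must match."""
    return user["employeeId"] == account["accountAttributes"].get("employeeNumber")


def correlate(account, users, correlator=correlate_by_mail,
              confirmer=confirm_by_employee_number, options=None):
    """Return the 'matches' object: names of claimants, correlated and
    (optionally) unconfirmed users.  A rule passed as None models
    'present, but null': that rule is simply not applied."""
    options = options or {}
    view_id = f"{account['accountId']}@{account['resource']}"

    candidates = correlator(account, users) if correlator else []
    if confirmer is None:
        correlated, unconfirmed = list(candidates), []
    else:
        correlated = [u for u in candidates if confirmer(account, u)]
        unconfirmed = [u for u in candidates if u not in correlated]

    matches = {"correlated": [u["name"] for u in correlated]}
    # Claimants are found independently of the correlation algorithm.
    if options.get("ignoreClaimants"):
        matches["claimants"] = []
    else:
        matches["claimants"] = [u["name"] for u in users if view_id in u["resourceInfos"]]
    if options.get("includeUnconfirmed"):
        matches["unconfirmed"] = [u["name"] for u in unconfirmed]
    return matches
```

Reviewing the unconfirmed list (by requesting includeUnconfirmed) is how an operator sees which accounts the correlation rule would have linked to the wrong user had the confirmation rule not been in place.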
Used when creating or updating an admin role assigned to a user. Admin roles enable you to define a unique set of capabilities for each set of organizations. Capabilities and controlled organizations can be assigned directly or indirectly through roles.
One or more admin roles can be assigned to a single user and one or more users can be assigned the same admin role.
Table 3–18 Top-Level Attributes of Admin Role View
| Name | Editable? | Type | Required? |
|---|---|---|---|
| id | Read/Write | String | No |
| name | Read/Write | String | Yes |
| capabilities | | List | Yes |
| capabilitiesRule | | String | Yes |
| controlledOrganizations | | List | Yes |
| controlledOrganizationsRule | | String | Yes |
| controlledOrganizationsUserform | | String | Yes |
| controlledSubOrganizations | | List (object) | No |
| memberObjectGroup | | List | Yes |
Uniquely identifies the AdminRole object in Waveset. System-generated.
Specifies the name of the admin role.
Identifies the list of capability names that are assigned to this admin role.
Specifies the name of the rule to be evaluated that will return a list of zero or more capability names to be assigned.
Lists organization names over which the associated capabilities are allowed.
Specifies the name of the rule to be evaluated. This rule will return a list of zero or more controlled organization names to be assigned.
Specifies the userform that will be used when editing or creating users in the scope of organizations controlled by this admin role. Valid if the userform is not directly assigned to the user that is assigned this Admin role.
Lists the controlled organizations for which a subset of the available objects has been either included or excluded. The value of this attribute is a list of controlledSubOrganization objects, each of which has the following attributes.
Table 3–19 controlledSubOrganizations View Attributes (Admin Role view)
| Attribute | Data Type | Required? |
|---|---|---|
| name | String (name of controlled object group) | |
| types | List (objects) | |
types is a list of objects, where the list of objects to include or exclude are organized by type (for example, Resource, Role, and Policy). The view for each object type is as follows:
Table 3–20 controlledSubOrganizations View Attribute Object Types (Admin Role view)
| Attribute | Data Type | Required? |
|---|---|---|
| name | String | |
| include | List (objects) | |
| exclude | List (objects) | |
Specifies the name of the object type.
Lists object names of the associated object type to include.
Lists object names of the associated type to exclude.
memberObjectGroup: Lists the ObjectGroups of which this admin role is a member. These are the object groups (organizations) in which the admin role is available.
Used to change an existing user’s authentication answers for one or more login interfaces.
Contains two high-level attributes.
Table 3–21 Change User Answers View Attributes

Attribute | Editable? | Data Type | Required? |
---|---|---|---|
questions | | List | |
loginInterface | | String | |

questions describes the questions. It is a list of objects with the following attributes:

Table 3–22 questions Attributes (Change User Answers View)

Attribute | Data Type | Required? | Description |
---|---|---|---|
qid | String | | Uniquely identifies a question; it associates this question with one defined in the policy. |
question | String | | Specifies the question string as defined in the policy. |
answer | String | | Specifies the user’s answer, if given, associated with the value of qid. |
answerObfuscated | Boolean | | Specifies whether the answer is displayed in clear text or obfuscated (encrypted). |

loginInterface identifies the login interface with which these questions are associated. Its value is a unique message catalog key for each login interface. It contains the following attributes:

Table 3–23 loginInterface Attributes (Change User Answers View)

Attribute | Data Type | Description |
---|---|---|
name | String | Identifies the name of the login interface that the questions are associated with (see the valid values below). |
questionPolicy | String | Specifies the question policy this login interface is associated with (for example, All, Random, Any, or RoundRobin). |
questionCount | String | Specifies the number of questions. Set only if questionPolicy is Any or Random. |

Valid values for name are:

- UI_LOGIN_CONFIG_DISPLAY_NAME_ALL_INTERFACES
- UI_LOGIN_CONFIG_DISPLAY_NAME_ADMIN_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_CLI_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_DEFAULT_USER_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_IVR_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_QUESTION_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE
Used to change a Waveset user’s capabilities.

Table 3–24 Change User Capabilities View Attributes

Attribute | Editable? | Data Type | Required? | Description |
---|---|---|---|---|
adminRoles | | List [String] | | Lists the Admin roles that are assigned to the user. |
capabilities | | List [String] | | Lists the capabilities assigned to this user. |
controlledOrganizations | | List [String] | | Lists the organizations that this user controls with the assigned capabilities. |
Use this view to delegate the work items for specified users.
Top-level attributes include the following:

- Specifies the accountId of the user whose work items will be delegated. This value is null if the user has no idmManager assigned.
- Identifies the user (by name) whose work items will be delegated.
- delegates: Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item.
- delegatesHistory: Lists delegate objects indexed from 0 to n, where n is the current number of delegate history objects, up to the delegate history depth. The delegate history depth is the number of previous delegations kept for reuse. You configure it in the System Configuration object by setting the security.delegation.historyLength attribute to an integer greater than 0; the default is 10.

Each delegate object has the following attributes:

Table 3–25 Delegate Attributes

The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:

```xml
<Field name='delegates[*].workItemType'>
<Field name='delegates[*].workItemTypeDisplayName'>
<Field name='delegates[*].workItemTypeObjects'>
<Field name='delegates[*].toType'>
<Field name='delegates[*].toUsers'>
<Field name='delegates[*].toRule'>
<Field name='delegates[*].startDate'>
<Field name='delegates[*].endDate'>
<Field name='delegates[*].status'>
```

where the supported index values (*) are workItemType values.

The following code sample illustrates how to reference a delegate history object from the DelegateWorkItems view:

```xml
<Field name='delegatesHistory[*].workItemType'>
<Field name='delegatesHistory[*].workItemTypeDisplayName'>
<Field name='delegatesHistory[*].workItemTypeObjects'>
<Field name='delegatesHistory[*].toType'>
<Field name='delegatesHistory[*].toUsers'>
<Field name='delegatesHistory[*].toRule'>
<Field name='delegatesHistory[*].startDate'>
<Field name='delegatesHistory[*].endDate'>
<Field name='delegatesHistory[*].selected'>
<Field name='delegatesHistory[*].status'>
```

where the supported index values (*) are 0 to n, and n is the current number of delegate history objects, up to the delegate history depth.
Table 3–26 Work Item Types

workItem Type | Description | Display Name |
---|---|---|
Approval | extends WorkItem | Approval |
OrganizationApproval | extends Approval | Organization Approval |
ResourceApproval | extends Approval | Resource Approval |
RoleApproval | extends Approval | Role Approval |
Attestation | WorkItem | Access Review Attestation |
accessReviewRemediation | WorkItem | Access Review Remediation |
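The two lists above differ only in how they are indexed: delegates is keyed by workItemType, while delegatesHistory is a zero-indexed list whose depth is bounded by security.delegation.historyLength (default 10). The following Python is an added illustration of that bookkeeping, not Waveset code: it keeps the two lists consistent, enforces the history depth, and resolves form-style references such as delegatesHistory[1].toUsers against the resulting structure. The DelegateWorkItems class, the toType values "users" and "rule", and the sample delegations are constructed for the example; the attribute names are the ones referenced by the form fields in this section.

```python
"""Bookkeeping for the DelegateWorkItems view's delegates and delegatesHistory.

Added illustration, not Waveset code. Attribute names follow the form field
references in this section; the class, the toType values ("users", "rule")
and the sample data are constructed for the example.
"""
import re
from typing import Any, Dict, List, Optional

# Work item types and display names as listed in Table 3-26.
WORK_ITEM_TYPES = {
    "Approval": "Approval",
    "OrganizationApproval": "Organization Approval",
    "ResourceApproval": "Resource Approval",
    "RoleApproval": "Role Approval",
    "Attestation": "Access Review Attestation",
    "accessReviewRemediation": "Access Review Remediation",
}

DEFAULT_HISTORY_LENGTH = 10  # security.delegation.historyLength default


class DelegateWorkItems:
    """One user's current delegations plus a bounded history kept for reuse."""

    def __init__(self, name: str, history_length: int = DEFAULT_HISTORY_LENGTH):
        if history_length < 1:
            raise ValueError("security.delegation.historyLength must be greater than 0")
        self.name = name
        self.history_length = history_length
        self.delegates: Dict[str, Dict[str, Any]] = {}       # indexed by workItemType
        self.delegatesHistory: List[Dict[str, Any]] = []     # indexed 0..n, newest first

    def delegate(self, work_item_type: str, to_type: str, to_users: List[str],
                 start_date: str, end_date: str,
                 to_rule: Optional[str] = None) -> Dict[str, Any]:
        """Record a delegation for one work item type and push it onto the history."""
        if work_item_type not in WORK_ITEM_TYPES:
            raise ValueError(f"unknown workItemType {work_item_type!r}")
        if to_type == "users" and not to_users:
            raise ValueError("toType 'users' requires at least one entry in toUsers")
        if to_type == "rule" and not to_rule:
            raise ValueError("toType 'rule' requires toRule")
        if start_date > end_date:  # ISO-8601 date strings compare lexically
            raise ValueError("startDate must not be after endDate")
        entry = {
            "workItemType": work_item_type,
            "workItemTypeDisplayName": WORK_ITEM_TYPES[work_item_type],
            "toType": to_type,
            "toUsers": list(to_users),
            "toRule": to_rule,
            "startDate": start_date,
            "endDate": end_date,
            "status": "active",
        }
        self.delegates[work_item_type] = entry
        # History entries carry the extra 'selected' flag and are capped at the
        # configured depth: the oldest entry falls off the end.
        self.delegatesHistory.insert(0, dict(entry, selected=False))
        del self.delegatesHistory[self.history_length:]
        return entry


_PATH = re.compile(r"^(delegates|delegatesHistory)\[([^\]]+)\]\.(\w+)$")


def resolve(view: DelegateWorkItems, path: str) -> Any:
    """Resolve a form reference such as delegates[Approval].toUsers or
    delegatesHistory[0].workItemType against the view."""
    m = _PATH.match(path)
    if not m:
        raise ValueError(f"unsupported field path {path!r}")
    list_name, index, attr = m.groups()
    if list_name == "delegates":
        entry = view.delegates[index]              # keyed by workItemType
    else:
        entry = view.delegatesHistory[int(index)]  # keyed by position 0..n
    return entry[attr]
```

A second delegation of the same workItemType replaces the current entry but leaves the earlier one in the history, which is what lets a form offer previous delegations for reuse; the depth cap is what keeps that history from growing without bound.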
Used to present and select a list of resources to be deprovisioned. The view contains a single top-level attribute, resourceAccounts, which contains the following attributes.

Table 3–27 resourceAccounts Attributes (Deprovision View)

Name | Editable? | Data Type | Required? |
---|---|---|---|
id | Read/Write | String | |
selectAll | Read/Write | Boolean | |
unassignAll | Read/Write | Boolean | |
unlinkAll | Read/Write | Boolean | |
currentResourceAccounts | Read | List (objects) | |
fetchAccounts | Read/Write | Boolean | |
fetchAccountResources | Read/Write | List | |

Where:

- id: Specifies the unique identifier for the account.
- selectAll: Controls whether all resources are selected.
- unassignAll: Specifies that all resources should be removed from the user’s list of private resources.
- unlinkAll: Specifies that all resources should be unlinked from the Waveset user.
- currentResourceAccounts: Represents the set of accounts that are currently being managed by Waveset (including the Waveset account itself).

The view also exposes the accounts that are assigned to this Waveset user but have not yet been created, and the accounts that have been created but are no longer assigned to this user. All three account lists are indexed by resource name and contain objects that describe the state of the account on each resource, so that you can select accounts individually.
Table 3–28 currentResourceAccounts Attributes (Deprovision View)

Name | Editable? | Data Type | Description |
---|---|---|---|
selected | Read/Write | Boolean | If true, the account on this resource is deprovisioned. If the selected account is Lighthouse, the Waveset user and all of its resource assignments are deleted; the associated resource accounts are not deleted unless they are also selected. |
unassign | Read/Write | Boolean | If true, the resource is removed from the user’s list of private resources (waveset.resources). |
unlink | Read/Write | Boolean | If true, the resource is unlinked from the Waveset user (the associated ResourceInfo object is removed). |
name | Read | String | Specifies the name of the resource. This corresponds to the name of a Resource object in the Waveset repository. |
type | Read | String | Identifies the type of resource, such as Solaris. To see the type names, open the resource list in the Waveset Administrator interface: the Type column lists the types of the currently defined resources, and the options list next to New Resource names the resource adapters that are currently installed. |
accountId | Read | String | Specifies the identity of the resource account. |
exists | Read | Boolean | Indicates whether the account already exists on the resource (only in currentResourceAccounts). |
disabled | Read | Boolean | Indicates whether the account is currently disabled (only in currentResourceAccounts). |
authenticator | Read | Boolean | Indicates whether this is an account through which the user is configured to log in. |
directlyAssigned | Read | Boolean | If true, the account is assigned directly to the user. If false, the account is assigned indirectly by a role or application. |

Setting selected or unassign to true implies that unlink is also true. The converse does not hold: unlink can be true while selected and unassign are both false.
- fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information.
- fetchAccountResources: Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources. See Setting View Options in Forms in this chapter for more information.
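The interaction between selected, unassign and unlink (and their selectAll, unassignAll and unlinkAll counterparts) is easy to get wrong in a custom form, especially the Lighthouse case. The following Python is an added illustration, not Waveset code: it normalizes a resourceAccounts structure with the attribute names from Tables 3–27 and 3–28 and reports which accounts would be deleted, unassigned or unlinked. The sample accounts, the plan() function and its output keys are constructed for the example.

```python
"""Normalize Deprovision view flags and compute the resulting actions.

Added illustration, not Waveset code. Attribute names follow Tables 3-27
and 3-28; the sample accounts and the output structure are constructed.
"""
from typing import Any, Dict, List

LIGHTHOUSE = "Lighthouse"  # the Waveset account itself


def normalize(resource_accounts: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the *All flags to every account and enforce the rule that
    selected or unassign implies unlink (but not the converse).
    Returns a new structure; the input is not modified."""
    select_all = bool(resource_accounts.get("selectAll"))
    unassign_all = bool(resource_accounts.get("unassignAll"))
    unlink_all = bool(resource_accounts.get("unlinkAll"))
    accounts = {}
    for name, acct in resource_accounts["currentResourceAccounts"].items():
        a = dict(acct)
        a["selected"] = bool(a.get("selected")) or select_all
        a["unassign"] = bool(a.get("unassign")) or unassign_all
        a["unlink"] = (bool(a.get("unlink")) or unlink_all
                       or a["selected"] or a["unassign"])
        accounts[name] = a
    out = {k: v for k, v in resource_accounts.items() if k != "currentResourceAccounts"}
    out["currentResourceAccounts"] = accounts
    return out


def plan(resource_accounts: Dict[str, Any]) -> Dict[str, Any]:
    """Return the accounts to delete, unassign and unlink, plus whether the
    Waveset user object itself is deleted."""
    accounts = normalize(resource_accounts)["currentResourceAccounts"]
    delete: List[str] = [n for n, a in accounts.items() if a["selected"]]
    unassign: List[str] = [n for n, a in accounts.items() if a["unassign"]]
    unlink: List[str] = [n for n, a in accounts.items() if a["unlink"]]
    # Deprovisioning Lighthouse deletes the user and all of its resource
    # assignments, but the resource accounts survive unless selected too.
    user_deleted = LIGHTHOUSE in delete
    if user_deleted:
        unassign = sorted(set(unassign) | (set(accounts) - {LIGHTHOUSE}))
    return {"delete": delete, "unassign": unassign, "unlink": unlink,
            "userDeleted": user_deleted}


def sample_view() -> Dict[str, Any]:
    """Constructed sample: the Waveset account plus two resource accounts."""
    return {
        "id": "jdoe",
        "selectAll": False, "unassignAll": False, "unlinkAll": False,
        "currentResourceAccounts": {
            LIGHTHOUSE: {"name": LIGHTHOUSE, "type": "Lighthouse", "accountId": "jdoe",
                         "exists": True, "selected": True},
            "AD": {"name": "AD", "type": "Active Directory", "accountId": "jdoe",
                   "exists": True, "unlink": True},
            "Solaris1": {"name": "Solaris1", "type": "Solaris", "accountId": "jdoe",
                         "exists": True, "selected": True},
        },
    }
```

In the sample, the AD account is only unlinked: Waveset forgets about it, but the account itself remains on the resource, which is exactly the orphan an access review should later pick up. Solaris1 is selected and therefore deleted on the resource as well. Because Lighthouse is selected, every remaining assignment is dropped together with the user.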
Used to disable accounts of a Waveset user. This view is often used in custom workflows.

resourceAccounts is the top-level attribute when accessing attributes in this view. It contains the following attributes.

Table 3–29 Attributes of resourceAccounts Attribute (Disable View)

Name | Editable? | Type | Required? | Description |
---|---|---|---|---|
id | Read | String | | Identifies the Waveset ID of the user. |
selectAll | Read | Boolean | | When set, causes all resource accounts to be disabled, including the Waveset account. |
currentResourceAccounts | Read | List (objects) | | Represents the set of accounts currently managed by Waveset, including the Waveset account itself. Use the selected field of each account to signify that the account on that resource should be disabled. |
fetchAccounts | Read/Write | Boolean | | Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. |
fetchAccountResources | Read/Write | List | | Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources. See Setting View Options in Forms in this chapter for more information. |

Table 3–30 resourceAccounts.currentResourceAccounts Attributes (Disable View)

Name | Editable? | Type | Description |
---|---|---|---|
name | Read | String | Name of the resource; corresponds to a Resource object in the Waveset repository. |
type | Read | String | Type of the resource, such as Solaris. |
accountId | Read | String | Identity of the account on the resource. |
exists | Read | Boolean | Whether the account already exists on the resource. |
disabled | Read | Boolean | Whether the account is currently disabled. |
selected | Read/Write | Boolean | Set to true to disable the account on this resource. |
Used to enable accounts of a Waveset user. This view is often used in custom workflows.

resourceAccounts is the top-level attribute when accessing attributes in this view. It contains the following attributes.

Table 3–31 Attributes of resourceAccounts Attribute (Enable View)

Name | Editable? | Type | Required? | Description |
---|---|---|---|---|
id | Read | String | | Identifies the user’s Waveset ID. |
selectAll | Read | Boolean | | When set, all resource accounts are enabled, including the Waveset account. |
currentResourceAccounts | Read | List (objects) | | Represents the set of accounts currently managed by Waveset, including the Waveset account itself. Use the selected field of each account to signify that the account on that resource should be enabled. |
fetchAccounts | Read/Write | Boolean | | Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. |
fetchAccountResources | Read/Write | List | | Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources. See Setting View Options in Forms in this chapter for more information. |

Table 3–32 resourceAccounts.currentResourceAccounts Attributes (Enable View)

Name | Editable? | Type | Description |
---|---|---|---|
name | Read | String | Name of the resource; corresponds to a Resource object in the Waveset repository. |
type | Read | String | Type of the resource, such as Solaris. |
accountId | Read | String | Identity of the account on the resource. |
exists | Read | Boolean | Whether the account already exists on the resource. |
disabled | Read | Boolean | Whether the account is currently disabled. |
selected | Read/Write | Boolean | Set to true to enable the account on this resource. |
Provides a customizable, generic Waveset repository search interface for any object type defined in Waveset that has rights and is not deprecated or restricted to internal use. The Find Objects view handler provides the associated forms for specifying one or more attribute query conditions and parameters and for displaying the results. You can also specify attribute query conditions and parameters as view options.

This view contains the following attributes.

Table 3–33 Top-Level Attributes (Find Objects View)

Name | Editable? | Type | Required? |
---|---|---|---|
objectType | Read/Write | String | Yes |
allowedAttrs | Read/Write | List | No |
attrsToGet | Read/Write | List | No |
attrConditions | Read/Write | List | No |
maxResults | Read/Write | String | No |
results | Read | List | No |
sortColumn | Read/Write | String | No |
selectEnable | Read/Write | Boolean | No |

objectType: Specifies the Waveset repository object type to find (for example, Role, User, or Resource).

allowedAttrs: Lists the queryable attribute names allowed for the object type named by objectType. By default this list is obtained by calling the object type’s listQueryableAttributeAttrs() method, which is exposed by each class that extends PersistentObject. If the object type class does not override it, the PersistentObject implementation returns the default set of queryable attributes supported by all PersistentObjects.

You can override the default set by specifying allowedAttrs in either the default section or the objectType-specific section of the findObjectsDefaults.xml configuration file, which resides in the sample directory. Each allowed attribute in sample/findObjectsDefaults.xml is specified with the following attributes:

- name: Identifies the attribute.
- Display name: Specifies the attribute name as it is displayed in the Waveset Administrator interface. If not specified, defaults to the value of name.
- syntax: Indicates the data type of the attribute value. Supported values are string, int, and boolean; the default is string.
- multiValued: Indicates whether the attribute supports multiple values (true) or not (false, the default). Applies only if syntax is string.
- Waveset type: Specifies the name of the Waveset type if the allowed values of the attribute are instances of a Waveset type (for example, Role or Resource). Defaults to null.

If name is a Waveset-defined attribute, only name is required. If name is an extended attribute, you must specify at least name and, where the defaults are not sufficient, the other attributes. See sample/findObjectsDefaults.xml for example formats. You can specify allowedAttrs as a list of strings, a list of objects, or a combination of both.

attrsToGet: Lists the summary attribute names of the object type (objectType) to be returned with each object that matches the attribute query conditions. You can obtain the object type’s supported summary attributes by calling its listSummaryAttributeAttrs() method, which is exposed by each class that extends PersistentObject. If not overridden by the objectType class, it inherits the PersistentObject implementation, which returns the default set of summary attributes supported by all PersistentObjects. You can override the default by specifying resultColumnNames in either the default section or the objectType-specific section of sample/findObjectsDefaults.xml.

attrConditions: Lists the attribute conditions used to find objects of the specified object type. Each attribute condition in the list is specified as follows:

- selectedAttr: Identifies one of the attribute names from allowedAttrs.
- (Optional) Indicates whether selectedAttr is fixed for this attribute condition. A value of true indicates that the selected attribute cannot be changed and that the attribute condition cannot be removed from the list of attribute conditions.
- (Optional) Identifies the allowedAttrs name to select by default when the list of allowed attributes is displayed in the interface.
- allowedOperators: Lists the operators allowed for the syntax of the selected attribute. By default this list is obtained by calling the getAllowedOperators method with the values of the syntax and multiValued attributes of selectedAttr. You can override the default by specifying allowedOperators in either the default section or the objectType-specific section of sample/findObjectsDefaults.xml.
- selectedOperator: Specifies the name of one operator from allowedOperators.
- (Optional) Indicates whether selectedOperator is fixed for this attribute condition. A value of true indicates that the selected operator cannot be changed and that the attribute condition cannot be removed from the list of attribute conditions.
- (Optional) Specifies the name of the operator from allowedOperators to select by default when the list of allowed operators is displayed in the form.
- The value or operand that is tested against the selected attribute with the selected operator when Waveset decides whether to return an object of the specified object type. You can omit it if selectedOperator is exists or notPresent.
- (Optional) Indicates whether the value of the attribute condition can be changed. A value of true indicates that the value can be changed and that the attribute condition cannot be removed from the list of attribute conditions.
- An internal flag that determines whether this attribute condition should be removed.

You can specify attribute conditions as view options by using the FindObjects.ATTR_CONDITIONS constant or the attrConditions string. If attrConditions is not specified, Waveset returns all objects of the specified object type.

maxResults: (Optional) Specifies the maximum number of objects of the specified objectType that Waveset returns from the find request. Defaults to 100. You can override the default by specifying resultMaxRows in either the default section or the objectType-specific section of sample/findObjectsDefaults.xml. Setting this attribute can improve performance when many repository objects of the specified type exist.

results: If attrsToGet is null, results is a list of the names of the objects that match the attribute conditions. If attrsToGet is non-null, results is a list of objects that match attrConditions, where each object consists of:

- columns: Lists the displayable column names that match the requested attrsToGet.
- rows: Lists row objects named from '0' to the number of rows (for example, '10').
- row: Lists objects consisting of a name from '0' to the number of columns (for example, '6') and the value of that row’s column.

sortColumn: (Optional) Indicates the column on which to sort the results. Defaults to '0'. You can override the default by specifying resultSortColumn in either the default section or the objectType-specific section of sample/findObjectsDefaults.xml.

selectEnable: (Optional) Specifies whether more than one result row can be selected at the same time. A value of true allows multiple selection; the default is false. You can override the default by specifying resultSelectEnable in either the default section or the objectType-specific section of sample/findObjectsDefaults.xml.
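The security-relevant point of the Find Objects view is that attrConditions are only honoured against the allowedAttrs and allowedOperators lists: a form cannot query an attribute, or use an operator, that the object type's defaults or findObjectsDefaults.xml did not expose. The following Python is an added illustration of that evaluation, not Waveset code: it validates each condition against the allowed lists, applies maxResults and sortColumn with the defaults given above, and builds results in the columns/rows shape described. Only the operators exists and notPresent are named on this page; equals, notEquals, contains and greaterThan, the per-syntax operator table and the repository objects are constructed for the example.

```python
"""Evaluate Find Objects view attribute conditions over sample objects.

Added illustration, not Waveset code. The view attribute names follow Table
3-33; the operator set (other than exists and notPresent), the per-syntax
operator table and the repository contents are constructed.
"""
from typing import Any, Dict, List

# Constructed repository: User objects with a few queryable attributes.
REPOSITORY: Dict[str, List[Dict[str, Any]]] = {
    "User": [
        {"name": "alice", "email": "alice@example.com", "disabled": False, "failedLogins": 0},
        {"name": "bob", "email": "bob@example.com", "disabled": True, "failedLogins": 5},
        {"name": "carol", "disabled": False, "failedLogins": 7},
        {"name": "dave", "email": "dave@example.com", "disabled": False, "failedLogins": 12},
    ],
}

# Assumed stand-in for getAllowedOperators(syntax, multiValued).
ALLOWED_OPERATORS = {
    "string": ["equals", "notEquals", "contains", "exists", "notPresent"],
    "int": ["equals", "notEquals", "greaterThan", "exists", "notPresent"],
    "boolean": ["equals", "notEquals", "exists", "notPresent"],
}


def get_allowed_operators(syntax: str) -> List[str]:
    return list(ALLOWED_OPERATORS[syntax])


def _test(op: str, actual: Any, operand: Any) -> bool:
    """Apply one operator; exists/notPresent need no operand."""
    if op == "exists":
        return actual is not None
    if op == "notPresent":
        return actual is None
    if actual is None:
        return False
    if op == "equals":
        return actual == operand
    if op == "notEquals":
        return actual != operand
    if op == "contains":
        return str(operand) in str(actual)
    if op == "greaterThan":
        return actual > operand
    raise ValueError(f"unsupported operator {op!r}")


def find_objects(view: Dict[str, Any]) -> Dict[str, Any]:
    """Run the query described by a Find Objects view and fill in 'results'."""
    object_type = view["objectType"]
    # allowedAttrs may mix plain strings and objects; syntax defaults to string.
    allowed = [a if isinstance(a, dict) else {"name": a} for a in view.get("allowedAttrs") or []]
    syntaxes = {a["name"]: a.get("syntax", "string") for a in allowed}
    max_results = int(view.get("maxResults") or 100)   # default 100
    sort_column = int(view.get("sortColumn") or 0)     # default '0'
    conditions = view.get("attrConditions") or []

    # Reject anything outside the allowed attribute and operator lists before
    # touching the repository.
    for c in conditions:
        attr, op = c["selectedAttr"], c["selectedOperator"]
        if attr not in syntaxes:
            raise ValueError(f"{attr!r} is not an allowed attribute for {object_type}")
        if op not in get_allowed_operators(syntaxes[attr]):
            raise ValueError(f"operator {op!r} is not allowed for {attr!r}")

    matched = [o for o in REPOSITORY.get(object_type, [])
               if all(_test(c["selectedOperator"], o.get(c["selectedAttr"]), c.get("value"))
                      for c in conditions)]

    attrs_to_get = view.get("attrsToGet")
    if not attrs_to_get:
        results: Any = [o["name"] for o in matched][:max_results]
    else:
        rows = [[o.get(a) for a in attrs_to_get] for o in matched]
        rows.sort(key=lambda r: (r[sort_column] is None,
                                 0 if r[sort_column] is None else r[sort_column]))
        rows = rows[:max_results]
        results = {
            "columns": list(attrs_to_get),
            "rows": {str(i): {str(j): v for j, v in enumerate(r)} for i, r in enumerate(rows)},
        }
    out = dict(view)
    out["results"] = results
    return out
```

Note that maxResults and sortColumn arrive as strings, as the view declares them, and are converted before use; a form that passes them through unchecked is the usual source of a query that silently returns nothing.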
Used to specify the type of organization created and options for processing it.

The high-level attributes of this view are listed in the following table.

Table 3–34 Org View Attributes

Name | Editable? | Data Type | Required? | Description |
---|---|---|---|---|
orgName | Read | String | System-generated | Identifies the UID of the organization. This value differs from most view object names because organizations can have the same short name under different parent organizations. |
orgDisplayName | Read/Write | String | Yes | Specifies the short name of the organization. Used for display purposes only; it need not be unique. |
orgType | Read/Write | String | No | Defines the organization type. Allowed values are junction and virtual; organizations of any other kind have no value. |
orgId | Read | String | System-generated | Specifies the ID that uniquely identifies the organization within Waveset. |
orgAction | Write | String | No | Supported only for directory junctions, virtual organizations, and dynamic organizations. The only allowed value is refresh. For a directory junction or virtual organization, the behavior of refresh depends on the value of orgRefreshAllOrgsUserMembers. |
orgNewDisplayName | Write | String | No | Specifies the new short name when renaming or cloning the organization. |
orgParentName | Read/Write | String | No | Identifies the full pathname of the parent organization. |
orgChildOrgNames | Read | List | System-generated | Lists the Waveset interface names of all direct and indirect child organizations. |
orgApprovers | Read/Write | List | No | Lists the Waveset administrators who must approve users added to or modified in this organization. |
allowedOrgApprovers | Read | List | System-generated | Lists the user names of potential approvers for users added to or modified in this organization. |
allowedOrgApproverIds | Read | List | System-generated | Lists the user IDs of potential approvers for users added to or modified in this organization. |
orgUserForm | Read/Write | String | No | Specifies the user form used by member users of this organization when creating or editing users. |
orgViewUserForm | Read/Write | String | No | Specifies the view user form used by member users of this organization when viewing users. |
orgPolicies | Read/Write | List | No | Identifies the policies that apply to all member users of this organization (see below). |
orgAuditPolicies | Read/Write | List | No | Specifies the audit policies that apply to all member users of this organization. |
renameCreate | Read/Write | String | No | When set to true, clones this organization and creates a new one named by the value of orgNewDisplayName. |
renameSaveAs | Read/Write | String | No | When set to true, renames this organization to the value of orgNewDisplayName. |

orgPolicies is a list of objects keyed by a type string. Each policy object contains the following view attributes, prefixed by orgPolicies[<type>], where <type> is the policy type (for example, Lighthouse account):

- policyName: Specifies the policy name.
- id: Indicates the policy ID.
- implementation: Identifies the class that implements this policy.
The following attributes relate to the LDAP container behind a directory junction or virtual organization.

Name | Editable? | Data Type | Required? | Description |
---|---|---|---|---|
orgContainerId | Read | String | System-generated | Specifies the DN of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com). |
orgContainerTypes | Read | List | System-generated | Lists the allowed resource object types that can contain other resource objects. |
orgContainers | Read | List | System-generated | Lists the base containers of the resource; the Waveset interface uses this list to present the choices. |
orgParentContainerId | Read | String | System-generated | Specifies the DN of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com). |
orgResource | Read/Write | String | Yes, if directory junction or virtual organization | Specifies the name of the Waveset resource used to synchronize directory junctions and virtual organizations (for example, West Directory Server). |
orgResourceType | Read | String | System-generated | Indicates the type of Waveset resource from which directory junctions and virtual organizations are synchronized (for example, LDAP). |
orgResourceId | Read | String | System-generated | Specifies the ID of the Waveset resource used to synchronize directory junctions and virtual organizations. |
orgRefreshAllOrgsUserMembers | Write | String | No | If true and orgAction is refresh, synchronizes Waveset organization user membership with resource container user membership for the selected organization and all child organizations. If false, only the resource containers are synchronized to Waveset organizations for the selected organization and its children; container user membership is not synchronized. |
The following attributes apply to dynamic organizations, whose user membership is computed by a rule.

Name | Editable? | Data Type | Required? | Description |
---|---|---|---|---|
orgUserMembersRule | Read/Write | String | No | Identifies (by name or UID) the rule, whose authType must be UserMembersRule, that is evaluated at run time to determine user membership. |
orgUserMembersRuleCacheTimeout | Read/Write | String | No | Specifies the time in milliseconds before the cached result of orgUserMembersRule expires. A value of 0 disables caching. |

A cached membership list persists for the full timeout, so a change that should remove a user from a dynamic organization takes effect only after the cache expires.
Used by administrators to change the passwords of a Waveset user or of the user’s resource accounts.

This view contains a single top-level attribute, resourceAccounts, which contains the following attributes.

Table 3–37 ResourceAccounts Attributes (Password View)

Attribute | Editable? | Data Type | Required? | Description |
---|---|---|---|---|
id | Read/Write | String | Yes | Specifies the account ID of the Waveset user whose passwords are being changed. Typically set by the view handler and never modified by the form. |
selectAll | Read/Write | Boolean | No | Controls whether all accounts are selected for the password change. |
currentResourceAccounts | Read | List (object) | No | Represents the set of accounts currently managed by Waveset (including the Waveset account itself). |
tobeCreatedResourceAccounts | Read | List (object) | No | Represents the accounts that are assigned to this Waveset user but have not yet been created, so they are not yet managed by Waveset (they have no associated ResourceInfo object). Passwords cannot be changed on accounts that have not yet been created. |
tobeDeletedResourceAccounts | Read | List (object) | No | Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted. |
password | Read/Write | encrypted | Yes | Specifies the new password to assign to the Waveset account or the selected resource accounts. |
confirmPassword | Read/Write | encrypted | Yes, if the view is used interactively | Confirms the value of password. When the view is used interactively, the form requires the same value in password and confirmPassword, so you must set this attribute. When the view is used programmatically, such as from a workflow, confirmPassword is ignored. |
fetchAccounts | Read/Write | Boolean | | Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. |
fetchAccountResources | Read/Write | List | | Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources. See Setting View Options in Forms in this chapter for more information. |

All three account lists are indexed by resource name and contain objects that describe the state of the account on each resource, so that you can select accounts individually. Each object has the following attributes.

Attribute | Editable? | Data Type | Description |
---|---|---|---|
selected | Read/Write | Boolean | Indicates that the account on this resource should receive the new password. |
name | Read | String | Specifies the name of the resource. This corresponds to the name of a Resource object in the Waveset repository. |
accountId | Read | String | Specifies the identity of the account on this resource, if one has been created. |
type | Read | String | Identifies the type of resource, such as Solaris. To see the type names, open the resource list in the Waveset Administrator interface: the Type column lists the types of the currently defined resources, and the options list next to New Resource names the resource adapters that are currently installed. |
exists | Read | Boolean (only in currentResourceAccounts) | Indicates whether the account already exists on the resource. |
disabled | Read | Boolean (only in currentResourceAccounts) | Indicates whether the account is currently disabled. |
passwordPolicy | Read | Object | When set, describes the password policy for this resource (see Table 3–38). Can be null. |
authenticator | Read | Boolean | If true, this resource serves as the pass-through authentication resource for Waveset. |
changePasswordLocation | Read | String (only in currentResourceAccounts) | (Optional) Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value varies from resource to resource. |
expirePassword | Read/Write | Boolean | Can be set to a non-null Boolean to control whether the password is marked as expired immediately after it is changed. If null, the password expires by default when the user whose password is being changed differs from the user making the change. |

Table 3–38 passwordPolicy Attributes (PasswordView)

Attribute | Description |
---|---|
name | String |
summary | String |

In addition, passwordPolicy contains a view attribute for each of the policy’s declared attributes, with the same names as defined in the policy. The summary string contains a pre-formatted description of the policy attributes.
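Two rules above matter most when a workflow drives this view: confirmPassword is checked only when the view is used interactively, and a null expirePassword means an administrator-set password expires immediately while a self-service change does not. The following Python is an added illustration of those rules, not Waveset code: it validates a resourceAccounts structure with the attribute names from Table 3–37, skips the to-be-created and to-be-deleted lists, and resolves expirePassword per account. The sample accounts, the minLength policy attribute and the change_password() outcome format are constructed for the example.

```python
"""Model of the Password view's change-password checks.

Added illustration, not Waveset code. Attribute names follow Table 3-37 and
the per-account attributes above; the sample accounts, the minLength policy
attribute and the outcome format are constructed.
"""
from typing import Any, Dict, List, Optional


def resolve_expire_password(expire_password: Optional[bool], changed_by: str, target: str) -> bool:
    """expirePassword semantics: an explicit Boolean wins; when null, the
    password expires only if someone other than the account owner set it."""
    if expire_password is not None:
        return expire_password
    return changed_by != target


def select_targets(resource_accounts: Dict[str, Any]) -> List[str]:
    """Accounts that will receive the new password. Only entries in
    currentResourceAccounts qualify; accounts still to be created or about to
    be deleted never do. selectAll selects every current account."""
    select_all = bool(resource_accounts.get("selectAll"))
    return [name for name, acct in resource_accounts["currentResourceAccounts"].items()
            if select_all or acct.get("selected")]


def change_password(resource_accounts: Dict[str, Any], changed_by: str,
                    interactive: bool) -> Dict[str, Any]:
    """Validate the view and return the per-account outcome.
    Raises ValueError for the conditions a form or workflow must reject."""
    pw = resource_accounts.get("password")
    if not pw:
        raise ValueError("password is required")
    # confirmPassword is enforced only when a person types it into a form.
    if interactive and resource_accounts.get("confirmPassword") != pw:
        raise ValueError("password and confirmPassword do not match")

    targets = select_targets(resource_accounts)
    if not targets:
        raise ValueError("no account selected")

    outcome: Dict[str, Any] = {}
    for name in targets:
        acct = resource_accounts["currentResourceAccounts"][name]
        policy = acct.get("passwordPolicy")
        # minLength is a constructed policy attribute standing in for the
        # policy's declared attributes.
        if policy and len(pw) < policy.get("minLength", 0):
            outcome[name] = f"rejected by policy {policy['name']}"
            continue
        outcome[name] = {
            "accountId": acct["accountId"],
            "location": acct.get("changePasswordLocation"),
            "expire": resolve_expire_password(acct.get("expirePassword"),
                                              changed_by, resource_accounts["id"]),
        }
    return outcome


def sample_view() -> Dict[str, Any]:
    """Constructed sample: Waveset account, an AD account and a Solaris account."""
    return {
        "id": "jdoe",
        "selectAll": False,
        "password": "Tr0ub4dor&3",
        "confirmPassword": "Tr0ub4dor&3",
        "currentResourceAccounts": {
            "Lighthouse": {"name": "Lighthouse", "accountId": "jdoe", "exists": True,
                           "selected": True,
                           "passwordPolicy": {"name": "Default",
                                              "summary": "Minimum 8 characters",
                                              "minLength": 8}},
            "AD": {"name": "AD", "accountId": "jdoe", "exists": True, "selected": True,
                   "changePasswordLocation": "dc1.corp.example.com",
                   "expirePassword": False},
            "Solaris1": {"name": "Solaris1", "accountId": "jdoe", "exists": True},
        },
        "tobeCreatedResourceAccounts": {"LDAP": {"name": "LDAP", "accountId": None}},
        "tobeDeletedResourceAccounts": {},
    }
```

In the sample an administrator resets jdoe's Lighthouse and AD passwords: the Lighthouse password expires immediately because expirePassword is null and the changer is not the owner, while the AD account keeps its explicit expirePassword of false. The unselected Solaris account and the not-yet-created LDAP account are left alone.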
Used to launch tasks such as workflows or reports. The task to be launched must be defined by a TaskDefinition or TaskTemplate object in Waveset. Launching the task results in the creation of a TaskInstance object.
This view contains one top-level attribute named task. All other top-level attributes are arbitrary and are passed as inputs to the task.
This top-level attribute defines how the task is to be launched.
Table 3–39 Process View Attributes
Attribute |
Editable? |
Data Type |
Required? |
---|---|---|---|
process |
Read/Write |
String |
Yes |
taskName |
Read/Write |
String |
Yes |
organization |
Read/Write |
String |
Yes |
taskDisplay |
Read/Write |
String |
No |
description |
Read/Write |
String |
No |
execMode |
Read/Write |
String |
No |
result |
Read/Write |
WavesetResult |
No |
owner |
Read/Write |
String |
No |
Names the process to launch. This can be the name of a TaskDefinition or TaskTemplate object in Waveset. It can also be an abstract process name mapped through the process settings in the System Configuration object. This attribute is required.
Specifies the name given to the TaskInstance object that is created to hold the runtime state of the task. If this attribute is not set, a random name is generated.
Names the organization in which to place the TaskInstance. If this attribute is not set, the TaskInstance is placed in Top.
Specifies a display name for the TaskInstance.
Specifies a descriptive string for the TaskInstance. This string is displayed in the Manage Tasks table in the product interface.
Specifies execution mode. This is typically not specified, in which case the execution mode is determined by the TaskDefinition. Setting this attribute overrides the value in the TaskDefinition.
Allowed execMode values are:
Table 3–40 execMode Attribute Values (Process View)

| Value | Description |
|---|---|
| sync | Specifies synchronous or foreground execution |
| async | Specifies asynchronous or background execution |
| asyncImmediate | Specifies asynchronous with immediate thread launch |
Use the asyncImmediate execution mode only for special system tasks that must pass non-serializable values into the task through the view. The task thread is started immediately. The default behavior is to save the TaskInstance temporarily in the repository and have the Scheduler resume it later.
Specifies the initial result for the TaskInstance. You can use this setting to pass information into the task that you eventually want displayed with the task results when the task completes.
Specifies the user name that is considered to be the owner of the task. If not set, the currently logged-in user is designated as the owner.
The following options are recognized by the createView and checkinView methods.
Specifies that the task is being launched from the Waveset User Interface. This allows users with no formal privileges to launch specially designated end-user tasks.
Names the process to launch. This name is recognized by the createView method and becomes the value of the process attribute in the view.
When set to true, suppresses the default message that is added to the task result when an asynchronous task is launched. The default English text is "The task is being executed in the background."
The following named result items can be found in the WavesetResult object that is returned by the checkinView method.
Table 3–41 Checkin View Results

| Result | Description |
|---|---|
| taskId | Identifies the repository ID of the TaskInstance |
| taskState | Identifies the current state of the TaskInstance. It will be one of: ready, executing, suspended or finished |
| extendedResults | When set to true, indicates that the TaskInstance will have extended results. |
Used to request or cancel reconciliation operations on a resource. This view is used to perform on-demand reconciliation as part of a workflow. It can also be used when implementing a custom scheduler for reconciliation.
This view is write-only. get and checkout operations are not supported.
Specifies the operation to perform. You must specify one of the following valid operations:
Table 3–42 Valid Operations for request Attribute (Reconcile View)

| Operation | Description |
|---|---|
| FULL | Starts a full reconciliation of the resource |
| INCREMENTAL | Starts an incremental reconciliation of the resource |
| ACCOUNT | Starts a reconciliation of the account |
| CANCEL | Cancels the currently active resource reconciliation process |
Identifies the account to reconcile. This string is ignored if the request is not ACCOUNT.
To request a reconciliation of a single account on a resource (in this case, an Active Directory resource):

```
request = "ACCOUNT"
accountId = "cn=maurelius, ou=Austin, DC=Waveset, DC=com"
```

To cancel the pending or currently active reconciliation process on a resource:

```
request = "CANCEL"
```
Used to view and modify reconciliation policy, which is stored as part of the Waveset system configuration object.
Reconciliation policy settings are stored in a tree with the following general structure:

- Default, or global, policy (`Default`). This is the root policy level.
  - Resource type policy (`ResType:`)
    - Resource policy (`Resource:`)
Settings can be specified at any point in the tree. If a level does not specify a value for a policy, it is inherited from the next highest policy.
The view represents an effective policy at a specified point in the policy tree, which is identified by the view name.
Table 3–43 ReconcilePolicy Tree and View Names

| View Name | Description |
|---|---|
| Default | Addresses the root of the policy tree |
| ResType:resource type | Addresses the specified resource type beneath the root |
| Resource:resource name | Addresses the specified resource beneath the resource's resource type |
Values of policy settings are always policy values. Policy values can contain up to three components, as described in the following table.
Table 3–44 Policy Value Settings Attributes (ReconcilePolicy View)

| Policy Value Settings | Description |
|---|---|
| value | Specifies the value of the setting. |
| scope | Identifies the scope from which this setting is derived. Values of scope are Local, ResType, and Default, indicating which level specifies this policy: SCOPE_LOCAL means the policy is set at the current policy level (for a resource, the resource level); SCOPE_RESTYPE means it is set at the restype, or resource type, level; SCOPE_GLOBAL means it is set at the global level. |
| inheritance | Identifies the policy setting that is inherited at this level. If the scope is not Local, the inheritance matches the effective value. Not present on policy settings at the Default level. |
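The resolution rule above (a level that sets nothing inherits from the next highest level, and every setting resolves to a value, a scope and an inheritance component) is worth seeing end to end. The following Python is an added example and not Waveset code: it walks the `Default` / `ResType:` / `Resource:` chain for a view name and produces the three components per setting. The sample tree, the resource-to-type mapping, and the choice to label a setting supplied by the viewed level itself as Local (including at the Default level) are assumptions made for the illustration.

```python
"""Effective ReconcilePolicy resolution over the Default / ResType / Resource tree.

Added example, not Waveset code. A setting resolves to {value, scope, inheritance};
a level that does not set a value inherits it from the next highest level.
The sample tree and resource-to-type mapping below are constructed.
"""

# Scope labels as named on this page.
SCOPE_LOCAL = "Local"      # set at the current (viewed) policy level
SCOPE_RESTYPE = "ResType"  # set at the resource type level above a resource
SCOPE_GLOBAL = "Default"   # set at the root (global) level

# Constructed sample tree: view name -> settings explicitly set at that level.
SAMPLE_TREE = {
    "Default": {"reconcileModes": "BOTH", "listTimeout": 30000, "fetchTimeout": 10000},
    "ResType:Active Directory": {"listTimeout": 120000},
    "Resource:Austin-AD": {"reconcileModes": "FULL"},
}
# Constructed mapping of resource name -> resource type (assumed to be supplied by the caller).
SAMPLE_RESOURCE_TYPES = {"Austin-AD": "Active Directory"}


def policy_chain(view_name, resource_types):
    """Return the levels consulted for view_name, nearest first, ending at Default."""
    if view_name == "Default":
        return ["Default"]
    kind, _, name = view_name.partition(":")
    if kind == "ResType":
        return [view_name, "Default"]
    if kind == "Resource":
        if name not in resource_types:
            raise KeyError(f"no resource type known for resource {name!r}")
        return [view_name, f"ResType:{resource_types[name]}", "Default"]
    raise ValueError(f"not a ReconcilePolicy view name: {view_name!r}")


def _scope_of(level, chain):
    """Label the level that supplied a value, relative to the viewed level."""
    if level == chain[0]:
        return SCOPE_LOCAL
    return SCOPE_RESTYPE if level.startswith("ResType:") else SCOPE_GLOBAL


def effective_policy(view_name, tree, resource_types):
    """Compute the effective policy at view_name.

    Result: {setting: {"value": v, "scope": s[, "inheritance": i]}}. The
    inheritance component is what the level would receive from its parent; it
    is absent at the Default level, as the page states.
    """
    chain = policy_chain(view_name, resource_types)
    parent = effective_policy(chain[1], tree, resource_types) if len(chain) > 1 else None
    settings = sorted({s for level in chain for s in tree.get(level, {})})
    result = {}
    for setting in settings:
        entry = None
        # Walk upward from the viewed level until some level sets the value.
        for level in chain:
            if setting in tree.get(level, {}):
                entry = {"value": tree[level][setting], "scope": _scope_of(level, chain)}
                break
        if parent is not None:
            entry["inheritance"] = parent.get(setting, {}).get("value")
        result[setting] = entry
    return result


if __name__ == "__main__":
    for name, parts in effective_policy("Resource:Austin-AD", SAMPLE_TREE, SAMPLE_RESOURCE_TYPES).items():
        print(name, parts)
```

Run against the sample tree, the resource level shows all three cases at once: `reconcileModes` is Local with an inheritance of `BOTH`, `listTimeout` comes from the resource type with inheritance equal to its effective value, and `fetchTimeout` falls through to the global level.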
To modify the view, users require Reconcile Administrator Capability.
To access the view, users require Reconcile Administrator or Reconcile Request Administrator capabilities.
The following table lists the high-level attributes of this view.
Table 3–45 ReconcilePolicy View Attributes

| Attribute | Description |
|---|---|
| scheduling | Contains information about automated scheduling of reconciles. |
| correlation | Contains information about how ownership of resource accounts is determined. |
| workflow | Contains information about user-supplied extensions to the reconciliation process. |
| response | Contains information about how reconciliation should respond to discovered situations. |
| resource | Contains information about how reconciliation interacts with the resource. |
| Attribute | Editable? | Data Type |
|---|---|---|
| reconcileServer | Read/Write | String |
| reconcileModes | Read/Write | String |
| fullSchedule | Read/Write | Schedule |
| incrementalSchedule | Read/Write | Schedule |
| nextFull | Read | Date |
| nextIncremental | Read | Date |
Specifies the reconciliation server that should be used to perform scheduled reconciliations.
Specifies the reconciliation modes that are enabled. Valid values are: BOTH, FULL, NONE.
Identifies the schedule for full reconciles when enabled.
Identifies the schedule for incremental reconciles when enabled.
Contains the time of the next incremental reconcile, if enabled.
Schedule values are GenericObjects with the following attributes:

- count -- Specifies the repetition count for the schedule
- units -- Specifies the repetition unit for the schedule
- time -- Specifies the start time for the schedule
Identifies the name of the correlation rule.
Table 3–47 correlation rules (ReconcilePolicy View)

| Attribute | Editable? | Data Type |
|---|---|---|
| correlationRule | Read/Write | String |
| confirmationRule | Read/Write | String |
Identifies the name of the correlation rule to use when correlating accounts to users.
Identifies the name of the confirmation rule to use when confirming correlated users against accounts. When no confirmation is required, specify the value CONFIRMATION_RULE_NONE.
| Attribute | Editable? | Data Type |
|---|---|---|
| proxyAdministrator | Read/Write | String |
| preReconWorkflow | Read/Write | String |
| perAccountWorkflow | Read/Write | String |
| postReconWorkflow | Read/Write | String |
Specifies the name of the user with administrative capabilities.
Specifies the name of the workflow to run at the appropriate point in reconciliation processing. To specify that no workflow be run, use the value AR_WORKFLOW_NONE.
| Attribute | Editable? | Data Type |
|---|---|---|
| situations | Read/Write | List |
| explanations | Read/Write | Boolean |
Specifies the automated response to perform for the specified situation. Valid responses are:
Table 3–50 situations Options (ReconcilePolicy View)

| Response | Description |
|---|---|
| DO_NOTHING | Performs no automated response |
| CREATE_NEW_USER | Creates new user based on the resource account |
| LINK_ACCOUNT | Assigns the account to the claiming user |
| CREATE_ACCOUNT | Recreates the account on the resource |
| DELETE_ACCOUNT | Removes the account from the resource |
| DISABLE_ACCOUNT | Disables the account on the resource |
Specifies whether reconciliation should record detailed explanations of actions in the Account Index.
| Attribute | Editable? | Data Type |
|---|---|---|
| reconcileNativeChanges | Read/Write | Boolean |
| reconciledAttributes | Read/Write | List (of Strings) |
| listTimeout | Read/Write | Integer |
| fetchTimeout | Read/Write | Integer |
Specifies whether native changes to account attributes should be reconciled.
Specifies the list of account attributes that should be monitored for native changes.
Specifies (in milliseconds) how long reconciliation should wait for a response when enumerating the accounts present on the resource.
Specifies (in milliseconds) how long the reconciliation process should wait for a response when fetching an account from a resource.
Used to obtain the status of the last requested reconciliation operation. This view is read-only.
Indicates the status code of the request (string). Valid status codes include:
Table 3–52 ReconcileStatus View Attributes

| Status Code | Description |
|---|---|
| UNKNOWN | Status cannot be determined. The values of the other attributes are unspecified. |
| PENDING | Request was received, but has not been processed yet. |
| RUNNING | Request is currently being processed. |
| COMPLETE | Request has completed. Consult the other attributes to determine the success or failure of the request. |
| CANCELLED | Request was cancelled by an administrator. |
Indicates the reconciliation mode of the request. Either FULL or INCREMENTAL.
Identifies the Waveset server that is processing the reconciliation request.
Indicates the date on which the request was received.
Specifies a date on which the reconciliation operation started. If the reconciliation operation has not yet started or was cancelled while still pending, this value is null.
Indicates the date on which the reconciliation operation completed. If the reconciliation process has not yet completed, this value is null.
Describes the error (if any) that terminated the reconciliation operation. Errors are returned as a list of strings.
Describes any non-fatal errors that are encountered during the reconciliation operation. Errors are returned as a list of strings.
Identifies the number of accounts found on the resource at the time of the reconciliation operation.
Identifies the number of accounts in the specified reconciliation situation after responses have been performed (successfully or not).
Valid situations are any of the following:

- CONFIRMED
- FOUND
- DELETED
- MISSING
- COLLISION
- UNMATCHED
- UNASSIGNED
- DISPUTED
Used to rename the Waveset and resource account identities. This view is typically used when a user in a company has a name change. The other main use for this view is to change the identity of a directory user that essentially causes a move in the directory structure.
Table 3–53 RenameUser View Attributes

| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| newAccountId | Read/Write | String | |
| toRename | Read | List | |
| noRename | Read | List | |
| resourceAccounts | Read | | |
| fetchAccounts | Read/Write | Boolean | |
| fetchAccountResources | Read/Write | List | |
Specifies the new accountId to be set on the Waveset user and used in the Identity templates for resource accounts.
Specifies a list of accounts in the currentResourceAccounts list that support the rename operation.
Specifies a list of accounts that do not support the rename functionality.
Contains mostly read-only information about the resource accounts. Use the following attributes to rename resource accounts:
Table 3–54 resourceAccounts Attributes

| Attribute | Type | Description |
|---|---|---|
| selectAll | Boolean | Controls whether all accounts are renamed. |
| `currentResourceAccounts[<resourcename>].selected` | Boolean | Indicates that the new accountId should be used to rename the identity of this resource account. |
| `currentResourceAccounts[Lighthouse].selected` | Boolean | Controls whether the Waveset account is renamed. selectAll=true overrides this setting. |
Overrides the use of the Identity Template to create the accountId for this resource account.
Used, when the `accounts[<resourcename>].identity` attribute is not specified, to pass attributes to the Identity Template for the creation of the new accountId.
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Example:

```
renameView.newAccountId="saurelius"
renameView.resourceAccounts.selectAll="false"
renameView.resourceAccounts.currentResourceAccounts[Lighthouse].selected="true"
renameView.accounts[AD].identity="cn=saurelius,OU=Austin,DC=Waveset,DC=com"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"
renameView.accounts[LDAP].identity="CN=saurelius,CN=Users,DC=us,DC=com"
renameView.resourceAccounts.currentResourceAccounts[LDAP].selected="true"
renameView.accounts[AD].identity="Marcus Aurelius"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"
```
Used to present and select the list of resources to be reprovisioned. This view contains one top-level attribute (resourceAccounts).
This attribute contains the following attributes.
Table 3–55 resourceAccounts Attributes (Reprovision View)

| Name | Editable? | Data Type | Required? |
|---|---|---|---|
| id | Read | String | |
| selectAll | Read/Write | Boolean | |
| currentResourceAccounts | Read | List (objects) | |
| fetchAccounts | Read/Write | Boolean | |
| fetchAccountResources | Read/Write | List | |
Specifies the unique identifier for the account.
Controls whether all resources are selected.
Represents the set of accounts that are currently being managed by Waveset (including the Waveset account itself).
All account lists are indexed by resource name.
Table 3–56 currentResourceAccounts Attributes (Reprovision View)

| Name | Editable? | Data Type |
|---|---|---|
| selected | Read/Write | Boolean |
| name | Read | String |
| type | Read | String |
| accountId | Read | String |
| exists | Read | Boolean |
| disabled | Read | Boolean |
| authenticator | Read | Boolean |
If set to true, indicates that the account associated with the given resource should be reprovisioned. If the selected account is Lighthouse, the Waveset user and all associated resource assignments are reprovisioned; the associated resource accounts, however, are not reprovisioned unless they are also selected.
Specifies the name of the resource. This corresponds to the name of a resource object in the Waveset repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Waveset Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
Specifies the identity of the resource account.
Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).
Indicates whether the account is currently disabled or enabled (only in currentResourceAccounts).
Indicates whether the account is the one the user is configured to log in with.
Causes the view to include account attributes for the resources assigned to the user.
See Setting View Options in Forms in this chapter for more information.
Lists resource names from which to fetch. If unspecified, Waveset uses all assigned resources.
See Setting View Options in Forms in this chapter for more information.
Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.
Defines characteristics of resource accounts. This attribute contains the following attributes.
Table 3–57 resourceAccounts Attributes (Reset User Password View)

| Attribute | Editable? | Data Type | Required? |
|---|---|---|---|
| id | Read | String | |
| selectAll | Read/Write | Boolean | |
| currentResourceAccounts | Read | List (object) | |
| tobeCreatedResourceAccounts | Read | List (object) | |
| tobeDeletedResourceAccounts | Read | List (object) | |
Specifies the account ID of the Waveset user whose passwords are being changed.
Controls whether all passwords are selected.
Represents the set of accounts that are currently being managed by Waveset (including the Waveset account itself).
Represents the accounts that are assigned to this Waveset user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are scheduled for deletion.
The three account list attributes -- tobeDeletedResourceAccounts, tobeCreatedResourceAccounts, and currentResourceAccounts -- contain the attributes described in the following table. These attributes describe the state of the account on each resource and allow you to individually select accounts.
Table 3–58 tobeDeletedResourceAccounts Attributes (Reset User Password View)

| Attribute | Editable? | Data Type | Required? |
|---|---|---|---|
| selected | Read/Write | Boolean | |
| name | Read | String | |
| type | Read | String | |
| accountId | Read | String (only in currentResourceAccounts) | |
| exists | Read | Boolean (only in currentResourceAccounts) | |
| disabled | Read | Boolean (only in currentResourceAccounts) | |
| passwordPolicy | Read | Object | |
| authenticator | Read | Boolean | |
| changePasswordLocation | Read | String | |
Set to true if this account is to have its password reset.
Specifies the name of resource. This corresponds to the name of a Resource object in the Waveset repository.
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Waveset Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
Specifies the identity of the account on this resource, if one has been created.
Indicates whether the account already exists on the resource.
Indicates whether the account is currently disabled.
When set, describes the password policy for this resource. Can be null. It contains these attributes.
Table 3–59 Reset User Password Attributes (Reset User Password View)

| Attribute | Data Type | Editable? | Required? |
|---|---|---|---|
| name | String | | |
| summary | String | | |
In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as the WSAttribute in the Policy.
The summary string contains a pre-formatted description of the policy attributes.
If true, indicates that this resource is serving as the pass-through authentication resource for Waveset.
Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.
Used when modifying resources.
Specifically, the view handler that creates this view instantiates resource parameters for the various view methods as follows:
The createView method requires a typeString option, which is used to locate the correct prototypeXML for the resource type. The prototypeXML contains the initial set of resource parameters and their initial values. Thus, the view is populated with this list of initial resource parameters and their default values.
The getView and checkoutView methods return only the resource parameters that exist in the resource object. The prototypeXML is not used to fill in this list if any resource parameters are missing in the actual resource object.
The checkinView method replaces the list of resource parameters in the stored resource object in the repository. Again, the prototypeXML is not used to fill in any missing resource parameters that are not supplied during the checkinView operation.
The checkinView method launches the Manage Resource workflow, which actually commits the changes to the repository. You can modify this workflow to include approvals or notifications.
Top level attributes of this view include:
Table 3–60 Resource View Attributes

| Attribute | Editable? | Data Type | Required? |
|---|---|---|---|
| accountAttributes | Read/Write | List (Views) | No |
| accountId | Read/Write | String | No |
| accountPolicy | Read/Write | String | No |
| adapterClassName | Read/Write | String | Yes |
| allowedApprovers | Read | List (Strings) | No |
| allowedApproversIds | Read | List (Strings) | No |
| approvers | Read/Write | List (Strings) | No |
| available | Read | View | N/A |
| description | Read | String | No |
| displayName | Read | String | No |
| excludedAccountsRule | Read/Write | String | No |
| facets | Read | String | No |
| identityTemplate | Read/Write | String | No |
| name | Read/Write | String | Yes |
| organizations | Read/Write | List (Strings) | Yes |
| passwordPolicy | Read/Write | String | No |
| resourceAttributes | Read/Write | List (Views) | No |
| resourcePasswordPolicy | Read/Write | String | No |
| retryMax | Read/Write | Integer | No |
| retryDelay | Read/Write | Integer | No |
| retryEmail | Read/Write | String | No |
| retryEmailThreshold | Read/Write | Integer | No |
| startupType | Read/Write | String | No |
| syncSource | Read/Write | Boolean | No |
| typeDisplayString | Read/Write | String | Yes |
| typeString | Read/Write | String | Yes |
Defines the accounts managed on this resource. Attributes vary depending on the resource type and correspond directly to the schema map. Each element in this list corresponds to an element in the List that resourceAttributes comprises.
Each element of the list contains the following attributes.
Table 3–61 Attributes of the accountAttribute Resource View Attribute

| Attribute | Type | Description |
|---|---|---|
| attributeName | String | Specifies the name of the attribute as seen by Waveset forms and workflows. |
| syntax | String | Declares the type of value. Valid values include string, int, boolean, encrypted, or binary. |
| name | String | Specifies an auto-generated value. Ignore this value. |
| mapName | String | Specifies the name of the attribute recognized by the resource adapter. |
| required | Boolean | If true, this account attribute is required. |
| audittable | Boolean | If true, this account attribute should always be audited when auditing user events. |
| multi | Boolean | If true, this account attribute may contain more than one value. |
| ordered | Boolean | If true, the values of the account attribute must be maintained in order. |
| readonly | Boolean | If true, this account attribute can only be read, and cannot be changed. |
| writeonly | Boolean | If true, this account attribute can only be written, and cannot be read. |
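The schema map flags in the table above are, in effect, a contract for every account attribute map that passes through a form or workflow. The following Python is an added example and not Waveset code: it checks an attribute map against a schema map before a write (or after a read), applying the `syntax`, `required`, `multi`, `readonly` and `writeonly` flags and reporting every violation rather than stopping at the first. The schema map, the hypothetical `mapName` values, and the sample account maps are constructed; `ordered` is not checked because a validator has nothing to compare an order against.

```python
"""Validate an account attribute map against a schema map (accountAttributes).

Added example, not Waveset code. Each schema entry is shaped after the
accountAttributes element described on this page. The schema map and the
sample data are constructed for illustration.
"""

# Constructed schema map for a hypothetical directory resource.
SCHEMA_MAP = [
    {"attributeName": "accountId", "syntax": "string", "mapName": "uid", "required": True},
    {"attributeName": "fullname", "syntax": "string", "mapName": "cn", "required": True},
    {"attributeName": "uidNumber", "syntax": "int", "mapName": "uidNumber"},
    {"attributeName": "locked", "syntax": "boolean", "mapName": "nsAccountLock"},
    {"attributeName": "groups", "syntax": "string", "mapName": "memberOf", "multi": True},
    {"attributeName": "password", "syntax": "encrypted", "mapName": "userPassword", "writeonly": True},
    {"attributeName": "created", "syntax": "string", "mapName": "createTimestamp", "readonly": True},
    {"attributeName": "photo", "syntax": "binary", "mapName": "jpegPhoto"},
]


def _single_value_ok(value, syntax):
    """Type check for one value under the given syntax; unknown syntaxes fail closed."""
    if syntax in ("string", "encrypted"):
        return isinstance(value, str)
    if syntax == "int":
        # bool is a subclass of int in Python; do not let True/False pass as ints.
        return isinstance(value, int) and not isinstance(value, bool)
    if syntax == "boolean":
        return isinstance(value, bool)
    if syntax == "binary":
        return isinstance(value, (bytes, bytearray))
    return False


def validate_account(attrs, schema_map, operation):
    """Return a list of violation messages for attrs under schema_map.

    operation is "write" (values are about to go to the resource) or "read"
    (values just came back from it). An empty list means the map is valid.
    """
    if operation not in ("write", "read"):
        raise ValueError("operation must be 'write' or 'read'")
    problems = []
    by_name = {entry["attributeName"]: entry for entry in schema_map}
    # Anything absent from the schema map cannot be mapped to the resource at all.
    for name in attrs:
        if name not in by_name:
            problems.append(f"{name}: not in schema map")
    for entry in schema_map:
        name = entry["attributeName"]
        present = name in attrs and attrs[name] is not None
        if entry.get("required") and operation == "write" and not present:
            problems.append(f"{name}: required attribute missing")
        if not present:
            continue
        if entry.get("readonly") and operation == "write":
            problems.append(f"{name}: read-only attribute cannot be written")
        if entry.get("writeonly") and operation == "read":
            problems.append(f"{name}: write-only attribute must not be read back")
        value = attrs[name]
        values = value if isinstance(value, list) else [value]
        if isinstance(value, list) and not entry.get("multi"):
            problems.append(f"{name}: multiple values for single-valued attribute")
        for v in values:
            if not _single_value_ok(v, entry["syntax"]):
                problems.append(f"{name}: value {v!r} does not match syntax {entry['syntax']}")
    return problems


# Constructed sample maps: one that passes and one that trips several flags.
GOOD_ACCOUNT = {
    "accountId": "maurelius", "fullname": "Marcus Aurelius", "uidNumber": 10042,
    "locked": False, "groups": ["staff", "austin"], "password": "example-only",
}
BAD_ACCOUNT = {
    "accountId": ["a", "b"], "fullname": "Marcus Aurelius", "uidNumber": "10042",
    "locked": "false", "groups": "staff", "created": "20240101", "nickname": "m",
}

if __name__ == "__main__":
    for p in validate_account(BAD_ACCOUNT, SCHEMA_MAP, "write"):
        print(p)
```

Running the check on a write and again on the values read back gives two different answers on purpose: a write-only attribute such as a password is legitimate on the way out and a defect on the way back, and a read-only attribute is the reverse.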
Specifies the ID by which the resource identifies this account.
Specifies the policy for account IDs on this resource.
Identifies the Resource Adapter class to be used to provision to the resource.
(Computed read-only value) Lists display names of users who have the permission to perform resource approvals. Edit the UserUIConfig object to specify the user attribute to be used as the display attribute. By default, Waveset uses the administrator’s name attribute.
(Computed read-only value). Computed only if the display attribute used for allowedApprovers is something other than name.
Lists the administrator approvers for this resource.
Specifies available attributes as indicated in the following table.
Table 3–62 Attributes of the available Attribute of the Resource View

| Attributes of available Attribute | Description |
|---|---|
| available.formFieldNames | Specifies the names of attributes found that start with `global.` or `accounts[<resourcename>].`. These attributes are included in the dropdown list of optional names for the left schema map name. |
| available.extendedAttributes | Specifies the attributes that are read from the #ID#Configuration:UserExtendedAttributes Configuration object. These attributes are included in the dropdown list of optional names for the left schema map name. |
Provides a textual description of the resource.
Specifies the name that Waveset displays on the user edit and password pages.
Specifies the policy for excluding resource accounts from account lists.
Comma-separated list of values that can contain any of these values: provision, activesync, or none. If this string contains activesync, then the resource has active sync processing enabled (that is, not disabled). If this string contains provision, then Waveset displays the basic connection-related resource parameters.
Specifies the identity template used to generate a user’s identity on this resource.
Externally identifies the resource. This user-supplied name is unique among resource objects.
Lists the organizations available to the resource.
Specifies the password policy for accounts on this resource.
Lists Views. Each element of this List contains the attributes below.
Certain attributes depend upon the type of adapter being configured. At a minimum, these attributes specify how to connect to the resource.
The following attributes uniquely identify the resource object.
Table 3–63 resourceAttributes Attributes

| Attribute | Type | Description |
|---|---|---|
| name | String | Specifies attribute name. |
| displayName | String | Specifies I18N-ed label for display. |
| type | String | Declares the type of value. Valid values include string, int, boolean, encrypted, or binary. |
| multivalued | Boolean | If true, this attribute can contain more than one value. |
| description | String | Provides help text to describe the purpose of the attribute. |
| noTrim | Boolean | If true, leading and trailing white space will be deleted. |
| provision | Boolean | If true, this is a standard configuration attribute. |
| activesync | Boolean | If true, this attribute is needed to configure ActiveSync. |
| value | Object or ListObject | Current values |

For example, `<Field name='resourceAttributes[Display Name Attribute].value'>`.
Indicates the resource password policy for resource accounts on this resource.
Indicates the maximum number of retries that will be tried on errors attempting to manage objects on a resource.
Specifies the number of seconds between retries.
Identifies the email addresses to send notifications to after reaching the retry notification threshold.
Specifies the number of retries after which an email is sent.
Specifies whether the activeSync resource starts up automatically or manually.
If set to true, indicates that the resource supports synchronization events.
Identifies the display name for the resource type. This should be a message key or ID to be found in the message catalog.
Specifies the internal name for the resource type.
Used when modifying resource objects.
All attributes are editable, except `<resourceobjectType>.oldAttributes`, which are used to calculate attribute-level changes for updates.
In practice, replace `<resourceobjectType>` with the lowercase name of a resource-specific object type (for example, group, organizationalunit, organization, or role).
Table 3–64 ResourceObject View Attributes

| Attribute | Editable? | Data Type | Required? |
|---|---|---|---|
| resourceType | Read/Write | String | |
| resourceName | Read/Write | String | |
| resourceId | Read/Write | String | |
| objectType | Read/Write | String | |
| objectName | Read/Write | String | |
| objectId | Read/Write | String | |
| requestor | Read/Write | String | |
| attributes | Read/Write | Object | |
| oldAttributes | Read | Object | |
| organization | Read/Write | String | |
| attrstoget | Read/Write | List | |
| searchContext | Read/Write | Object | |
| searchAttributes | Read/Write | List | |
Lists the Waveset resource type name (for example, LDAP, Active Directory).
Lists the Waveset resource name.
Lists the Waveset resource ID or name.
Indicates the resource-specific object type (for example, Group).
Lists the name of the resource object.
Specifies the fully qualified name of the resource object (for example, dn).
Specifies the ID of the user who is requesting the view.
Indicates new or updated resource object attribute name/value pairs (object). This attribute has the following subattribute:
- `resourceattrname` -- String used to get or set the value of a specified resource attribute (for example, `<objectType>.attributes.cn`, where cn is the resource attribute common name).
Specifies the fetched resource object attribute name/value pairs (object). You cannot edit this value. The view uses this attribute to calculate attribute-level changes for update.
Identifies the list of organizations of which the resource is a member. This list is used to determine which organizations should have access to the associated audit event record when available for future analysis and reporting.
List of object-type-specific attributes to return when requesting an object with the checkoutView or getView methods.
Specifies the context used to search for non-fully qualified names in resources with hierarchical namespaces.
Lists the resource object type-specific attribute names that will be used to search within the specified searchContext for names of resources with hierarchical namespaces.
Specifies the maximum time spent searching for a name input to a form (if supported by the resource).
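The page says the view keeps the fetched values in oldAttributes and compares them with the edited attributes to calculate attribute-level changes for an update. The following Python is an added example and not Waveset code; it shows one way such a change set can be derived, so that only attributes that actually differ are sent to the resource. Single-valued attributes become a replace or a remove, multi-valued attributes become add/remove of just the values that changed, and the sample group object (DNs included) is constructed for illustration.

```python
"""Attribute-level change computation for a ResourceObject view.

Added example, not Waveset code. Given the fetched attributes (oldAttributes)
and the edited attributes, produce the minimal set of operations an update
needs. The sample directory group below is constructed.
"""


def _as_list(value):
    """Normalise a value to a list so single- and multi-valued cases share code."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def attribute_changes(old_attributes, new_attributes, multivalued):
    """Return a list of (operation, attribute, values) tuples.

    operation is "replace", "remove" or "add". multivalued is the set of
    attribute names that may carry several values. Attributes that the edited
    map does not mention are left untouched; an explicit None clears a value.
    """
    changes = []
    for name in sorted(new_attributes):
        old = _as_list(old_attributes.get(name))
        new = _as_list(new_attributes[name])
        if name in multivalued:
            # Membership-style attributes: only the values that differ are touched.
            added = [v for v in new if v not in old]
            removed = [v for v in old if v not in new]
            if added:
                changes.append(("add", name, added))
            if removed:
                changes.append(("remove", name, removed))
        else:
            if new == old:
                continue
            if not new:
                changes.append(("remove", name, old))
            else:
                changes.append(("replace", name, new))
    return changes


# Constructed sample: a directory group as fetched (oldAttributes) and as edited (attributes).
OLD_GROUP = {
    "cn": "ops-admins",
    "description": "Operations administrators",
    "member": [
        "cn=maurelius,ou=Austin,DC=Waveset,DC=com",
        "cn=jdoe,ou=Austin,DC=Waveset,DC=com",
    ],
}
NEW_GROUP = {
    "cn": "ops-admins",
    "description": None,  # cleared in the form
    "member": [
        "cn=jdoe,ou=Austin,DC=Waveset,DC=com",
        "cn=asmith,ou=Austin,DC=Waveset,DC=com",
    ],
}

if __name__ == "__main__":
    for op, attr, values in attribute_changes(OLD_GROUP, NEW_GROUP, {"member"}):
        print(op, attr, values)
```

The unchanged `cn` produces no operation, which is the point of keeping oldAttributes: an update that rewrote every attribute would also rewrite the ones the administrator never meant to touch.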
Used to define Waveset role objects.
When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations.
The following table lists the high-level attributes of this view.
Table 3–65 Role View Attributes

| Attribute | Editable? | Data Type | Required |
|---|---|---|---|
| applications | Read/Write | List | No |
| approvers | Read/Write | List | No |
| approversRule | Read/Write | String | No |
| assignedResources | Read/Write | List | No |
| containedRoles | Read/Write | List | No |
| description | Read/Write | String | No |
| disabled | Read/Write | Boolean | No |
| name | Read/Write | String | Yes |
| notifications | Read/Write | List | No |
| notificationsRule | Read/Write | String | No |
| organizations | Read/Write | List | Yes |
| owners | Read/Write | List | No |
| ownersRule | Read/Write | String | No |
| properties | Read/Write | List | No |
| resources | Read/Write | List | No |
| roles | Read/Write | List | No |
| type | Read/Write | String | No |
| types | Read | List | No |
Specifies the names of locally assigned applications (Resource Groups).
Specifies the names of the approvers that must approve the assignment of this role to a user.
Specifies a rule that returns a list of one or more users who are approvers when this role is assigned and provisioned on a user.
Flattened list of all assigned resources via resources, resource groups, and roles.
Table 3–66 Attributes of assignedResource Attribute (Role View)

| Attribute | Editable? | Data Type |
|---|---|---|
| resourceName | No | String |
| name | No | String |
| attributes | No | Object |
Identifies the name of the assigned resource.
Identifies the resource name or ID (preferably ID).
Identifies the characteristics of the resource. All subattributes are strings and are editable.
Table 3–67 attribute Options (Role View)

| Attribute | Description |
|---|---|
| name | Name of resource attribute |
| valueType | Type of value set for this attribute. Allowed values include Rule, text, or none. |
| requirement | Type of value set by this attribute. Allowed values include Default value, Set to value, Merge with Value, Remove from Value, Merge with Value clear existing, Authoritative set to value, Authoritative merge with value, Authoritative merge with value clear existing. |
| rule | Specifies rule name if value type is Rule. |
| value | Specifies value if rule type is Text. |
Lists objects that contain information about each contained role.
Table 3–68 Attributes of containedRoles Attribute (Role View)
Attribute |
Editable? |
Data Type |
---|---|---|
name |
No |
String |
info |
No |
String |
associationType |
Yes |
String |
approvalRequired |
Yes |
Boolean |
condition |
Yes |
Object |
Specifies the role name.
Specifies the following information about the role: description, id, name, noApprovers, and type.
Specifies whether the association is required, conditional, or optional.
If associationType is optional, this is a Boolean flag that indicates whether approval is required when this role is requested by the user.
If associationType is conditional, this is the condition that determines whether this role is assigned to a given user.
Describes this role.
Indicates whether the specified role is disabled. The default value is false.
Identifies the name of the role. This corresponds to the name of a Role object in the Waveset repository.
Lists the names of administrators that must approve the assignment of this role to a user.
Specifies a rule that returns a list of one or more users who will be notified when this role is assigned and provisioned on a user.
Lists organizations of which this role is a member.
Lists one or more users who are specified as approvers for changes to this role.
Specifies a rule that returns a list of one or more users who are approvers for changes to this role.
Identifies the user-defined properties that are stored on this role.
Specifies the names of locally assigned resources.
Specifies the names of locally assigned roles.
Identifies this role’s type as defined in the Role Configuration object.
Cached type information from the Role Configuration object for use by the view (read-only).
The Task Schedule view is used to create and modify TaskSchedule objects.

This view contains the following attributes:

Table 3–69 Task Schedule View Attributes

| Name | Editable? | Data Type | Required? | Description |
|---|---|---|---|---|
| scheduler | Read/Write | Object | | Contains attributes that are related to the scheduler itself and are common to all scheduled tasks (see Table 3–70). |
| task | Read/Write | Object | | Contains task-specific attributes. Each task defines its own attributes, and the task's form should reference them relative to the task namespace. |

The scheduler attribute contains the following attributes:

Table 3–70 Attributes of scheduler Attribute (Task Schedule View)

| Name | Editable? | Data Type | Required? | Description |
|---|---|---|---|---|
| name | Read/Write | String | No | Specifies the name of an existing TaskSchedule object or the desired name for a new TaskSchedule object. Not required; if it is not specified, the system generates a random identifier. |
| id | Read | String | No | Uniquely identifies the existing TaskSchedule object. |
| definition | Read/Write | String | No | Defines the name of a TaskDefinition object to be scheduled. |
| template | Read/Write | String | No | Specifies the name of a TaskTemplate object to be scheduled. If both definition and template are specified, template has priority. |
| taskOrganization | Read/Write | String | No | Contains the name of the organization in which the TaskInstance is placed when the scheduled task is launched. |
| taskName | Read/Write | String | No | Specifies the name of the TaskInstance that is created when the scheduled task is launched. |
| description | Read/Write | String | No | Contains descriptive text that is saved in the TaskInstance created when the scheduled task is launched. The description appears in the task tables in the product interface. |
| disabled | Read/Write | Boolean | No | Controls whether the task scheduler processes the TaskSchedule object. The scheduler ignores TaskSchedule objects whose disabled attribute is true. Use this to temporarily stop a scheduled task without deleting and recreating the TaskSchedule object. |
| skipMissed | Read/Write | Boolean | No | Controls what Waveset does about a missed schedule time. When false (the default), Waveset immediately attempts to make up the missed schedule time. When true, Waveset waits until the next scheduled time. |
| start | Read/Write | Date | No | Indicates the date and time at which to launch the task. |
| repeatCount | Read/Write | Int | No | Combined with repeatUnit, determines how frequently the task runs. If repeatCount is zero or not specified, the scheduled task runs only once. If repeatCount is a positive number, the task runs more than once, at the interval specified by repeatUnit. |
| repeatUnit | Read/Write | String | No | Defines the interval between runs for a task with a positive repeatCount. Valid values: second, minute, hour, day, week, month. For example, to run a task once a week for a year, set repeatUnit to week, repeatCount to 52, and start to the first day on which the task is to run. |
| resultOption | Read/Write | String | No | Specifies what the scheduler does if a TaskInstance with the desired name already exists when the scheduled task is run. The possible values are wait, delete, rename, and terminate (see the next table). |
| allowMultiple | Read/Write | Boolean | No | Controls whether more than one instance of the same task definition or task template may run at the same time. If true (the default), the scheduler always creates a new instance of the task. If false, the scheduler does not create a new instance while one is already running. |

The resultOption values behave as follows:

| resultOption value | Behavior |
|---|---|
| wait | Waits for another repetition instead of running the task again. This value is only meaningful if repeatCount and repeatUnit are set. |
| delete | Deletes the existing TaskInstance, if it has finished. |
| rename | Renames the existing TaskInstance, if it has finished. |
| terminate | Like delete, but also terminates the existing task if it is still running. |

Typically, you supply a value for either scheduler.definition or scheduler.template. If you specify neither, Waveset creates a TaskSchedule object that you can later edit to specify the definition or template.
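The following form fragment is an added example, not taken from the original documentation or from a shipped Waveset form. It populates the scheduler attributes of the Task Schedule view for the weekly-for-a-year case described above, and additionally turns off allowMultiple so that a slow run cannot overlap the next one, picks rename so earlier results are kept rather than deleted, and sets skipMissed so that a server outage does not trigger a burst of catch-up runs. The form name and the task definition name 'Nightly Audit Scan' are placeholders; the Boolean attributes are set from string literals, which is an assumption about how the view coerces them.

```xml
<!-- Added example (not from the original page). Form and task names are placeholders;
     Boolean attributes are set from <s> string literals (assumption). -->
<Form name='Weekly Audit Task Schedule'>
  <!-- Which TaskDefinition to run. If scheduler.template were also set, template would win. -->
  <Field name='scheduler.definition'>
    <Default><s>Nightly Audit Scan</s></Default>
  </Field>
  <!-- Name given to each TaskInstance the scheduler launches -->
  <Field name='scheduler.taskName'>
    <Default><s>Weekly Audit Scan</s></Default>
  </Field>
  <!-- First run: now. XPRESS <new> constructs the java.util.Date value. -->
  <Field name='scheduler.start'>
    <Default><new class='java.util.Date'/></Default>
  </Field>
  <!-- Once a week for a year -->
  <Field name='scheduler.repeatUnit'>
    <Default><s>week</s></Default>
  </Field>
  <Field name='scheduler.repeatCount'>
    <Default><i>52</i></Default>
  </Field>
  <!-- A finished TaskInstance with the same name is renamed, not deleted, so results are retained -->
  <Field name='scheduler.resultOption'>
    <Default><s>rename</s></Default>
  </Field>
  <!-- Never start a second instance while one is still running -->
  <Field name='scheduler.allowMultiple'>
    <Default><s>false</s></Default>
  </Field>
  <!-- After an outage, wait for the next slot instead of making up missed runs immediately -->
  <Field name='scheduler.skipMissed'>
    <Default><s>true</s></Default>
  </Field>
  <!-- Left enabled; set this to true to pause the schedule without deleting it -->
  <Field name='scheduler.disabled'>
    <Default><s>false</s></Default>
  </Field>
</Form>
```

Fields without a Display element are not rendered, so this fragment only seeds the view; a usable form would add visible fields for the values an operator is allowed to change and a Save button.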
The Unlock view is used to unlock accounts on resources that support native account locking. The view presents the list of the user's resource accounts and lets you select the accounts to be unlocked.

Use the Unlock view instead of the Disable view for accounts whose resources support native account locking.

The view contains the following high-level attributes:

Table 3–71 Unlock View Attributes

| Name | Editable? | Data Type | Required? | Description |
|---|---|---|---|---|
| id | Read | String | Yes | Specifies the account ID of the Waveset user whose accounts are being unlocked. |
| selectAll | Read/Write | Boolean | No | Controls whether all accounts are unlocked. |
| currentResourceAccounts | Read | List (objects) | No | Represents the accounts that are currently managed by Waveset (including the Waveset account itself). |
| tobeCreatedResourceAccounts | Read | List (objects) | No | Represents the accounts that are assigned to this Waveset user but have not yet been created. Accounts that have not yet been created cannot be unlocked. |
| tobeDeletedResourceAccounts | Read | List (objects) | No | Represents the accounts that have been created but are no longer assigned to this user. Accounts that are going to be deleted cannot be unlocked. |
| fetchAccounts | Read/Write | Boolean | | Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. |
| fetchAccountResources | Read/Write | List | | Lists the resource names from which to fetch. If unspecified, Waveset uses all. See Setting View Options in Forms in this chapter for more information. |

All three account lists contain objects that describe the state of the account on each resource and allow you to select accounts individually. The lists are indexed by resource name and contain objects that describe the resources on which this user has accounts.

Table 3–72 Resource Account Attributes (Unlock View)

| Name | Editable? | Data Type | Description |
|---|---|---|---|
| selected | Read/Write | Boolean | Indicates that this account has been selected to be unlocked. |
| name | Read/Write | String | Specifies the name of the resource. This corresponds to the name of a Resource object in the Waveset repository. |
| type | Read/Write | String | Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list in the Waveset Administrator interface; the Type column on that page contains the names of the currently defined resource types. The options list next to New Resource also contains the names of the resource adapters that are currently installed. |
| accountId | Read/Write | String | Specifies the identity of the account on this resource, if one has been created. |
| exists | Read/Write | Boolean | Indicates whether the account already exists on the resource (only in currentResourceAccounts). |
| locked | Read/Write | Boolean | Indicates whether the account is currently locked. |
| authenticator | Read/Write | Boolean | If true, indicates that this resource serves as the pass-through authentication resource for Waveset. |
The User Entitlement view is used to create and modify UserEntitlement objects.

This view has the following top-level attributes:

Table 3–73 Top-Level Attributes of User Entitlement View

| Name | Type | Required? | Description |
|---|---|---|---|
| name | String | Yes | Identifies the User Entitlement (by a unique identifier). |
| status | String | Yes | Specifies the state of the User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED. |
| user | String | Yes | Identifies the name of the associated WSUser for this entitlement. |
| userId | String | Yes | Specifies the ID of the associated WSUser. |
| attestorHint | String | No | Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hint acts as "advice" from the rule to the attestor. |
| userView | GenericObject | Yes | Contains the User view that is captured by the User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object. |
| reviewInstanceId | String | Yes | Specifies the ID of the PAR Task instance. |
| reviewStartDate | String | Yes | Indicates the (String) start date of the PAR task (in canonical format). |
| scanId | String | Yes | Specifies the ID of the AccessScan Task definition. |
| scanInstanceId | String | Yes | Specifies the ID of the AccessScan Task instance. |
| approvalWorkflowName | String | Yes | Identifies the name of the workflow to be run for approval. This value comes from the Access Scan Task definition. |
| organizationId | String | Yes | Specifies the ID of the WSUser's organization at the time of the scan. |
| attestorComments | | | Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan. |
| attestorComments.name | String | No | Timestamp used to identify this element in the list. |
| attestorComments.attestor | String | No | Identifies the WSUser name of the attestor making the comment on the entitlement. |
| attestorComments.time | String | No | Specifies the time at which the attestor attested this record. May differ from the timestamp. |
| attestorComments.timestamp | String | No | |
| attestorComments.status | | No | Indicates the status assigned by the attestor. This can be any string, but typically it indicates the action taken by the attestor, for example approve, reject, rescan, or remediate. |

Each attestation record also contains the comments added by the attestor.
The WorkItem view is used to view and modify WorkItem objects in the repository.

A WorkItem object is created whenever a manual action that is defined in a workflow process is activated. The WorkItem view contains a few attributes that describe the WorkItem object itself, as well as the values of selected workflow variables copied from the workflow task.

Waveset returns information about related work items under the workItem.related attribute of the WorkItem view.

The view can return information about all work items that are currently active in a workflow task. By default, Waveset returns information only about the specified work item, not about related work items. The following form properties let you include related work items, choose which of their attributes are returned, and filter them.

Table 3–74 WorkItem View Form Properties

| If you want to ... | Use this form property |
|---|---|
| Return all related items by default | includeRelatedItems |
| Request additional attributes to be returned | relatedItemAttributes |
| Limit which items are returned | relatedItemFilter |

By default, Waveset uses the Approval form to display work items. Edit this form by adding the includeRelatedItems property to include related work items:

```xml
<Properties>
  <Property name='includeRelatedItems' value='true'/>
</Properties>
```
You can also request additional attributes with the relatedItemAttributes option. This option can be a CSV string of names or a list of names. You can request the following standard attributes:
request
requester
description
activityName
If you request an attribute name that is not on this list, Waveset assumes that it is an arbitrary workflow variable, and the value will be returned if it exists in the work item. Common variables found in the standard workflows include:
accountId
objectType
objectName
diagramLabel
To include the request and description attributes, add these properties to the Approval form:

```xml
<Properties>
  <Property name='includeRelatedItems' value='true'/>
  <Property name='relatedItemAttributes' value='request,description'/>
</Properties>
```
You can specify the following filter attributes.

Table 3–75 relatedItemFilter Option Values

| relatedItemFilter value | Result of filtering |
|---|---|
| itemType | Only work items with a matching itemType are returned. |
| activityName | Only work items created from the same activity are returned. |
| request | Only work items with the same user-defined request string are returned. |
| locked | Only work items that are currently locked for editing are returned. |

If more than one filter attribute is listed, the filters are logically ANDed together. For example, to return only work items that have the same request string and are currently locked, add this property to the Approval form:

```xml
<Properties>
  <Property name='includeRelatedItems' value='true'/>
  <Property name='relatedItemAttributes' value='request,description'/>
  <Property name='relatedItemFilter' value='request,locked'/>
</Properties>
```

The Approval Library form library contains an example field, named Related Approvers, that displays a table of information about the related work items. You can reference this field from the standard Approval form as follows:

```xml
<FieldRef name='Related Approvers'/>
```
The default time-out interval for locking work items in the repository is five minutes. You can change this value by adding the following element to the RelocatedTypes element of the RepositoryConfiguration Configuration object. The value is in milliseconds, so this example shortens the lock time-out to ten seconds:

```xml
<TypeDataStore typeName='WorkItem' lockTimeoutMillis='10000'/>
```
The following table lists the top-level WorkItem view attributes.

Table 3–76 WorkItem View Attributes

| Attribute | Editable? | Data Type | Description |
|---|---|---|---|
| id | Read | String | Identifies the repository ID of the WorkItem object. Typically generated by Waveset and not displayed. |
| name | Read | String | Identifies the repository name of the WorkItem object. |
| taskId | Read | String | Identifies the repository ID of the workflow TaskInstance. The system uses this attribute to correlate the work item with the workflow task; it must not be changed. |
| taskName | Read | String | Identifies the repository name of the workflow TaskInstance. This name is typically set to an informative value and can be displayed, but do not modify it. A typical task name for a user update is Updating User jdoe. |
| processName | Read | String | Identifies the name of the workflow process definition that contains the manual action. |
| activityName | Read | String | Specifies the name of the workflow activity that contains the manual action. |
| description | Read/Write | String | Contains a textual description of the work item. Its contents are defined by the workflow process definition. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form. |
| owner | Read/Write | String | Identifies the name of the Waveset administrator or user to whom the work item is assigned. This is typically the name of a Waveset user. If the work item is assigned to an anonymous user, the name has the prefix Temp:. |
| complete | Read/Write | Boolean | Set to true when the manual action has completed and the workflow is to be resumed. The Work Item form must perform the assignment of this attribute. |
| variables | Read/Write | Object | Contains another object whose attributes are copies of variables from the workflow task. By default, every workflow variable that is in scope when the manual action is activated is copied into the work item; the Exposed Variables and Editable Variables options in the process definition control this. Most work item forms display information found under the variables attribute. See Using the variables Attribute later in this chapter for more information. |
| workItem | | | Contains additional information about the work item. One subattribute holds a list of the workflow variables whose values are views; the system uses it to trigger view-specific refresh operations when the work item view is refreshed, and it must not be changed. The related subattribute holds a list of attributes that describe the related work items (Table 3–77). |

Table 3–77 Subattributes of the workItem.related Attribute (Work Item View)

| Attribute | Description |
|---|---|
| name | Specifies the repository ID of the work item. |
| owner | Identifies the owner of the item. |
| locked | Indicates whether the work item is being edited. A value of true indicates that the work item is currently being edited. |
| complete | Specifies whether the work item has completed. A value of true indicates that it has. |
| itemType | Identifies the item type as defined by the process. The default is approval. |
| request | Succinctly describes the purpose of the work item. This description is typically shorter than the value of the description attribute and is often displayed in summary tables. |
| requester | Identifies the user that initiated the approval. |

A further system-assigned flag indicates whether a time-out should be ignored. A value of true marks a read-only work item that may time out while it is being viewed; it signals the system to ignore a check-in failure of the Work Item view if the work item no longer exists, rather than display an error message. This is useful for work items that exist only to show status messages and time out immediately so the workflow can continue while the user views the messages. Do not change this value.
When writing a work item form, the most common attributes to reference are complete and variables. The complete attribute must be set to true for the workflow to resume. It is typically set by a hidden field in response to pressing button fields with labels such as Approve and Reject.

The variables attribute contains an object whose values are copies of variables from the workflow task. One of the most common workflow variables used in work items is user, which contains a user view. For example, to reference the global.email attribute from a work item form, use the following path expression:

variables.user.global.email

This differs from the attribute paths used in a standard user form. First, the entire view is stored in a workflow variable named user, so the user. prefix is required in the attribute path. Second, the workflow variables are stored under the variables attribute of the Work Item view, so an additional variables. prefix is required.

Because of this nesting of the user view attributes, you cannot use a standard user form with the Work Item view without modification. However, you can define a work item form that references the user form with the baseContext option:

```xml
<Form name='WorkItemForm'>
  <Include>
    <ObjectRef type='UserForm' name='Default User Form'/>
  </Include>
  <FormRef name='Default User Form' baseContext='variables.user'/>
</Form>
```
Although in practice the work item form requires additional fields for buttons such as Approve and Reject, you may not want everything displayed by Default User Form displayed in the work item form. Typically, you can factor out the fields in the user form into a form library that can be referenced by both the user forms and the work item forms.
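The following work item form is an added example that ties together the related-item properties and the complete and variables attributes described above; it is not taken from the original documentation or from the Approval form shipped with the product. It embeds the Default User Form under variables.user, asks for the request and description attributes of related work items and shows them through the Related Approvers field, records a free-text comment in the work item for the audit trail, and sets complete only after the Approve or Reject button has been pressed, so that a partially edited form never resumes the workflow. The Button and Text display classes with their label, command, value and title properties, and the field names resolution and variables.approved, are assumptions to be checked against your installation's Approval form; the form name is a placeholder.

```xml
<!-- Added example (not from the original page). Display classes/properties and the
     field names 'resolution' and 'variables.approved' are assumptions. -->
<Form name='Custom Approval Form'>
  <Properties>
    <!-- Pull in related work items with two of their standard attributes,
         restricted to items carrying the same request string -->
    <Property name='includeRelatedItems' value='true'/>
    <Property name='relatedItemAttributes' value='request,description'/>
    <Property name='relatedItemFilter' value='request'/>
  </Properties>
  <Include>
    <ObjectRef type='UserForm' name='Default User Form'/>
    <ObjectRef type='UserForm' name='Approval Library'/>
  </Include>

  <!-- The requested user's view lives under variables.user, hence baseContext -->
  <FormRef name='Default User Form' baseContext='variables.user'/>

  <!-- Table of the other approvers on the same request (field from the Approval Library) -->
  <FieldRef name='Related Approvers'/>

  <!-- Justification entered by the approver; stored as a workflow variable for auditing -->
  <Field name='variables.comments'>
    <Display class='Text'>
      <Property name='title' value='Comments'/>
    </Display>
  </Field>

  <!-- Two buttons post different values into the same field 'resolution' -->
  <Field name='resolution'>
    <Display class='Button'>
      <Property name='label' value='Approve'/>
      <Property name='command' value='Save'/>
      <Property name='value' value='approve'/>
    </Display>
  </Field>
  <Field name='resolution'>
    <Display class='Button'>
      <Property name='label' value='Reject'/>
      <Property name='command' value='Save'/>
      <Property name='value' value='reject'/>
    </Display>
  </Field>

  <!-- Hidden field (no Display): complete is derived from resolution rather than
       defaulted to true, so the workflow resumes only on an explicit decision -->
  <Field name='complete'>
    <Expansion>
      <cond>
        <notnull><ref>resolution</ref></notnull>
        <s>true</s>
        <s>false</s>
      </cond>
    </Expansion>
  </Field>

  <!-- Hidden field: the decision itself, as a workflow variable the process can branch on -->
  <Field name='variables.approved'>
    <Expansion>
      <cond>
        <eq><ref>resolution</ref><s>approve</s></eq>
        <s>true</s>
        <s>false</s>
      </cond>
    </Expansion>
  </Field>
</Form>
```

Keeping complete tied to resolution matters because a form that simply defaults complete to true resumes the workflow on any save, including a save that only refreshed the page.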
The WorkItem List view is used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.

The view handler gathers information about:

all work items assigned to a selected user
users whose work items can be viewed
users to whom the work items can be forwarded

The view is used in the Approvals page of the Waveset Administrator Interface. The default form used with this view is named Work Item List.

The following table lists the top-level WorkItem List view attributes.

Table 3–78 WorkItem List View Attributes

| Attribute | Editable? | Data Type | Description |
|---|---|---|---|
| authType | Read/Write | String | Specifies access to work items by type. For example, there is a built-in authorization type called EndUserRule; all end users implicitly get access to all rules tagged with the EndUserRule authorization type. |
| userId | Read | String | Specifies the name of the Waveset user whose work items are contained in the workItems list. Initially, this is the name of the current session user. The value can be null to indicate that the work items for all controlled users with approver rights should be displayed. This is always the Waveset user name, never a display name. The form must not modify this value; to change users, set the user attribute. |
| user | Read/Write | String | Specifies the display name of the Waveset user whose work items are listed. This value is the same as userId if display names are not used. The form can modify this value, which causes the system to recalculate the work item list during refresh. A null value indicates that all work items are being displayed. |
| self | Read | Boolean | Set to true if userId is the same as the current session user. |
| forwardedUser | Read | Boolean | When set, indicates that the user named by userId has elected to have work items forwarded to another user. The other user is identified by its display name. |
| itemType | Read/Write | String | When set, the work items in the list are filtered to contain only those whose item type matches this value. |
| users | Read | List | Lists the display names of the Waveset users that the current user controls and that have work item capabilities. This value is typically used to build a user select box. If a custom form needs to compute the user list differently, specify CustomUserLists as a view option or form property. |
| userIds | Read | List | Typically null. If you are configured to use alternate display names, the users list contains display names and this list contains the true repository names. |
| forwardingApproverStyle | Read | String | Determines which administrators appear in forwardingUsers. Defaults to peers; see the ForwardingApproverStyle view option. |
| forwardingUsers | Read | List | Lists the display names of the Waveset users to which the current user can forward work items. This value depends on forwardingApproverStyle. |
| forwardingUserIds | Read | List | Typically null. If you are configured to use alternate display names, the forwardingUsers list contains display names and this list contains the true repository names. |
| workItems | Read/Write | List | Lists the objects that contain information about the work items for the selected user(s). The object names are the repository IDs of the work items; the attributes of each object are listed in the next table. |
| selectedWorkItems | Read/Write | List | Lists the work item IDs that represent the items to be processed by the next action. An alternative to setting the selected attribute inside each work item object, and easier to use with SortingTable components. If both this attribute and individual selected flags are set, this attribute takes precedence. |
| forwardTo | Read/Write | String | Identifies the name of a Waveset user to which all selected work items are forwarded when the action attribute is set to forward. |
| forwardToNow | Read/Write | String | Similar to forwardTo, but also an action attribute: it copies its value to forwardTo, sets action to forward, and processes the refresh as if forwardTo and action had been set independently. Use this attribute if you want the form to process the forwarding immediately after a user is selected from a form component. If you would rather control forwarding with a button, have the form component set forwardTo and have the button post an action value of forward. |
| variables | Read/Write | Object | An object whose attributes are copied into each selected work item when it is approved or rejected (see below). |
| action | Read/Write | String | When non-null, initiates an operation on the selected work items. Valid values are approve, reject, forward, and refresh. If the NoConfirm option is set, the action is processed immediately; otherwise Waveset waits for the confirm attribute to be set to true, and the form is expected to render its own confirmation page. |
| confirm | Read/Write | Boolean | Indicates that the operation specified in the action attribute can be performed. |

Each object in the workItems list contains the following attributes:

| Attribute | Description |
|---|---|
| owner | Specifies the display name of the owner. Set only if user is null and all work items are displayed. |
| request | Supplies a brief description of the object being requested. This value is computed by the WorkItemRequest expression of the manual action in the workflow process. |
| requester | Identifies the display name of the user that made the request. |
| description | Provides a more detailed description of the work item. The value is computed by the WorkItemDescription expression of the manual action in the workflow process. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form. |
| selected | Individual item selection flag. An alternative to selectedWorkItems. |
When editing an individual work item, the form can set work item variables, such as comments, to pass additional information about the approval or rejection into the workflow process for auditing.

You can also set arbitrary work item variables when performing actions in the WorkItemList view. Set the variables attribute to an object whose attributes are copied into each work item when it is approved or rejected. For example, if the variables object contains an attribute named comments, the same comments are saved with every selected work item:

```xml
<Field name='variables.comments'>
  <Default>
    <concat>
      <s>Approval performed on </s>
      <invoke class='com.waveset.util.Util' name='dateToString'>
        <new class='java.util.Date'/>
      </invoke>
    </concat>
  </Default>
</Field>
```
You can specify the following options when the view is created or refreshed to control the behavior of the WorkItemList view handler.

The initial-user option identifies the name of the initial user whose work items are to be displayed. Use it to override the default, which is the current session user.

CustomUserLists: When set to true, indicates that the form generates both the users and forwardingUsers lists in a custom way and that the view handler should not generate them. Generating these lists can be time-consuming if there are many approvers in the system, so enable this option if the form does not use the default users and forwardingUsers lists.

ForwardingApproverStyle: Specifies the types of administrators whose names are available in the Forward to list. The value defaults to peers and can be set to one of these values:

Table 3–79 ForwardingApproverStyle View Option Values

| Option Value | Description |
|---|---|
| peers | Administrators at the same organization level as the current user or above |
| controlled | Administrators in organizations that are controlled by the current user |
| all | Both controlled and peers |

You can set this and other view options as form properties:

```xml
<Form ...>
  <Properties>
    <Property name='ForwardingApproverStyle' value='peers'/>
  </Properties>
  ...
</Form>
```

The no-cache option, when true, tells the view handler not to cache the users and forwardingUsers lists but to recalculate them every time the form is refreshed. Because calculating the user lists can be expensive, it is generally preferable to cache them and refresh only when explicitly instructed by setting the action attribute to refresh.

The display-name option can be set to the name of an extended user attribute whose value is used instead of the repository name in the user lists. This can also be specified in the UserUIConfig object, but it may be more convenient to set it in the form.

The no-display-names option, when true, indicates that display names should not be used even if one is specified in the UserUIConfig object. Set this option in a form to selectively override the UserUIConfig setting.

NoConfirm: When true, indicates that the action specified with the action attribute should be executed immediately without confirmation.
View options can be conveniently set in some forms. The following procedure uses the WorkItem List view as an example.

Copy the form into the Identity Manager IDE or the XML editor of your choice.
Change the form name.
Register it in the System Configuration object under the form.workItemList attribute.

In the custom form, you can then specify view options as properties of the form, as in the following example:

```xml
<Form>
  <Properties>
    <Property name='CustomUserLists' value='true'/>
  </Properties>
  ...
</Form>
```
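As an added example that is not part of the original documentation or of the shipped Work Item List form, the following custom form combines the view options with the forwarding and variables attributes described above. It restricts Forward-to candidates to peers, lets the approver pick a target from forwardingUsers with a Select component that writes to forwardTo (not forwardToNow, so nothing is forwarded until a button posts the action), leaves NoConfirm unset so that approve and forward still pass through the confirm step, and stamps the same comment into every selected work item. The Select and Button display classes and their title, allowedValues, label, command and value properties are assumptions taken from the conventions of the standard forms; the form name is a placeholder.

```xml
<!-- Added example (not from the original page). Display classes and their
     properties are assumptions; the form name is a placeholder. -->
<Form name='Custom Work Item List'>
  <Properties>
    <!-- Offer only administrators at the same organization level or above as targets.
         NoConfirm is deliberately not set: every action waits for confirm=true. -->
    <Property name='ForwardingApproverStyle' value='peers'/>
  </Properties>

  <!-- Forwarding target chosen from the list the view handler computed.
       Writing to forwardTo (rather than forwardToNow) defers the forward until
       the Forward button below posts action=forward. -->
  <Field name='forwardTo'>
    <Display class='Select'>
      <Property name='title' value='Forward to'/>
      <Property name='allowedValues'>
        <ref>forwardingUsers</ref>
      </Property>
    </Display>
  </Field>

  <!-- Copied into each selected work item when it is approved or rejected -->
  <Field name='variables.comments'>
    <Default>
      <concat>
        <s>Processed from Work Item List on </s>
        <invoke class='com.waveset.util.Util' name='dateToString'>
          <new class='java.util.Date'/>
        </invoke>
      </concat>
    </Default>
  </Field>

  <!-- Each button posts one value into action; the handler then waits for confirm -->
  <Field name='action'>
    <Display class='Button'>
      <Property name='label' value='Approve'/>
      <Property name='command' value='Recalculate'/>
      <Property name='value' value='approve'/>
    </Display>
  </Field>
  <Field name='action'>
    <Display class='Button'>
      <Property name='label' value='Reject'/>
      <Property name='command' value='Recalculate'/>
      <Property name='value' value='reject'/>
    </Display>
  </Field>
  <Field name='action'>
    <Display class='Button'>
      <Property name='label' value='Forward'/>
      <Property name='command' value='Recalculate'/>
      <Property name='value' value='forward'/>
    </Display>
  </Field>

  <!-- Confirmation step: a second click sets confirm and the pending action is executed -->
  <Field name='confirm'>
    <Display class='Button'>
      <Property name='label' value='Confirm'/>
      <Property name='command' value='Recalculate'/>
      <Property name='value' value='true'/>
    </Display>
  </Field>
</Form>
```

The form still needs a table of workItems with per-row selected checkboxes (or a component that fills selectedWorkItems); those fields are omitted here because their display class depends on the table component in use.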
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
There are two main steps to defining a deferred attribute:
Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario with the following two resources: 1) a resource named LDAP that generates a uid attribute when an account is created; 2) a resource named HR that contains an attribute named directoryid, whose value is to be the same as the uid in the LDAP resource.
The following form fields set the necessary view attributes to define this association.
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Expansion><s>LDAP</s></Expansion>
</Field>
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Expansion><s>uid</s></Expansion>
</Field>
Some views that set specific resource account attributes such as the password or the enable flag allow you to set additional account attributes. For security, however, these extended attributes must be registered.
Attributes can be registered in one of two locations:
Table 3–80 Locations for Attribute Registration

| Location | Register attributes here if... |
|---|---|
| AccountAttributeType definition in the resource | ... the attributes you want to update are specific to a particular resource, rather than to all resources of that type. |
| System Configuration Object | ... you want to make global registrations for all resources of a particular type. These registrations must be done in XML format. |
You can register different attributes for different views. For example, you can register the lock attribute for the Password view and the firstname attribute for the Rename view.
To make global registrations (that is, registrations that apply to all resources), add an attribute in the System Configuration object with this path:
updatableAttributes.ViewName.ResourceTypeName
where ViewName is one of Password, Reset, Enable, Disable, Rename, or Delete, and ResourceTypeName is the name of the resource type. The type name all is reserved for registrations that apply to all resources.
The value of this attribute must be a List of Strings. The strings are names of the attributes you want to update.
The following example registers the attribute named delete before action in the Delete view (used when deprovisioning) and the attribute named enable before action in the Enable view, for all resources.
<Attribute name='updatableAttributes'>
  <Object>
    <Attribute name='Delete'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>delete before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
    <Attribute name='Enable'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>enable before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
  </Object>
</Attribute>
To make resource-specific registrations, modify the resource object from the Waveset Debug page and insert a <Views> subelement in the AccountAttributeType element. <Views> must contain a list of strings whose values are the names of the views in which this attribute can be updated.
<AccountAttributeType name='lastname' mapName='sn' mapType='string'>
  <Views>
    <String>Rename</String>
  </Views>
</AccountAttributeType>
In the view, attributes you want to modify are placed within this object:
resourceAccounts.currentResourceAccounts[ResourceTypeName].attributes
<Field name='resourceAccounts.currentResourceAccounts[OS400ResourceName].attributes.delete before action' hidden='true'>
  <Expansion>
    <s>os400BeforeDeleteAction</s>
  </Expansion>
</Field>
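As an added example that is not part of Waveset or of this page, the following Python script applies the registration rules above to a form field path: it reads the global updatableAttributes registrations from a System Configuration fragment and the per-attribute <Views> lists from a resource object, then reports whether a given view is allowed to update the attribute named in a resourceAccounts.currentResourceAccounts[...].attributes field. The XML fragments and the resource name OS400 are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed System Configuration fragment, in the page's registration layout.
SYSTEM_CONFIG = """<Attribute name='updatableAttributes'><Object>
  <Attribute name='Delete'><Object><Attribute name='all'>
    <List><String>delete before action</String></List></Attribute></Object></Attribute>
  <Attribute name='Enable'><Object><Attribute name='all'>
    <List><String>enable before action</String></List></Attribute></Object></Attribute>
</Object></Attribute>"""

# Constructed resource object (the name OS400 is assumed): lastname only in Rename.
RESOURCE = """<Resource name='OS400'>
  <AccountAttributeType name='lastname' mapName='sn' mapType='string'>
    <Views><String>Rename</String></Views>
  </AccountAttributeType>
</Resource>"""

# Shape of the form field paths under which the page places updatable attributes.
FIELD_RE = re.compile(
    r"^resourceAccounts\.currentResourceAccounts\[([^\]]+)\]\.attributes\.(.+)$")

def global_registrations(xml_text):
    """{view: {resource_type: {attr, ...}}} from updatableAttributes.ViewName.ResourceTypeName."""
    regs = {}
    for view in ET.fromstring(xml_text).findall("./Object/Attribute"):
        for rtype in view.findall("./Object/Attribute"):
            attrs = {s.text for s in rtype.findall("./List/String")}
            regs.setdefault(view.get("name"), {})[rtype.get("name")] = attrs
    return regs

def resource_registrations(xml_text):
    """(resource_name, {attr: {view, ...}}) from the <Views> lists on a resource."""
    root = ET.fromstring(xml_text)
    regs = {a.get("name"): {s.text for s in a.findall("./Views/String")}
            for a in root.iter("AccountAttributeType")}
    return root.get("name"), regs

def field_is_updatable(view, field_name, global_regs, resource_regs):
    """True only if the attribute is registered for view globally ('all' or the resource) or on the resource."""
    m = FIELD_RE.match(field_name)
    if not m:
        raise ValueError("not a currentResourceAccounts attribute path: " + field_name)
    resource, attr = m.groups()
    by_type = global_regs.get(view, {})
    if attr in by_type.get("all", ()) or attr in by_type.get(resource, ()):
        return True
    name, regs = resource_regs
    return name == resource and view in regs.get(attr, ())
```

Running this over every field of a custom form before deploying it shows which attribute writes the view will actually apply and which will be silently refused because no registration exists.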