Sun Java[TM] System Identity Manager 7.0 Deployment Overview
Appendix A
Editing Configuration Objects
This chapter introduces an Identity Manager component called a configuration object. Editing configuration object properties is one way of implementing persistent changes to Identity Manager behavior.
About Configuration Objects
Configuration objects store persistent customizations to Identity Manager. They are cached object types, which means that all configuration objects are brought into memory, and the cache is subsequently flushed, whenever a configuration object is changed.
Viewing and Editing Configuration Objects
Use the Identity Manager Integrated Development Environment (IDE) to view configuration and generic objects. You can access these miscellaneous configuration objects from the IDE under the Configuration Object category.
For more information on using the Identity Manager IDE, see Introduction to the Identity Manager IDE.
UserUIConfig Object
The UserUIConfig object controls Identity Manager User and Administrator Interface displays for account searching and editing, as well as internal system functions.
Configure this object at deployment time to improve performance of Identity Manager.
Use this object to:
- Control the columns that are displayed in the Accounts applet and Find Results pages (SummaryAttrNames)
- Define the attributes that users can search on within your identity deployment -- that is, the queryable attributes (QueryableAttrNames)
- Define the attributes that are stored in a separate column on the userobj table for optimal searching (RepoIndexAttrs)
Viewing and Editing this Object
You can view this object, along with other configuration and generic system objects, using the Identity Manager IDE. For information on using the Identity Manager IDE to access this object, see Chapter 1: “Using the Identity Manager IDE” in Identity Manager Deployment Tools.
Refreshing Users
If you add or delete attributes from the SummaryAttrNames, QueryableAttrNames, and RepoIndexAttrs sections of this object, you must update all users by subsequently refreshing them as follows:
After editing this object, you must run a refreshType import command on all user objects for the summary attributes to be available. If many users must be refreshed, this can be a time-consuming process.
You can import a file as follows:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
<ImportCommand type='refreshType' targetType='User' />
</Waveset>
Attribute Types
Summary attributes expose information that users can retrieve using the list command. You can configure these attributes through the SummaryAttrTypes and SummaryAttrNames sections. To include an attribute in the Find Results columns or the applet list columns display, include it as a summary attribute in this section.
Queryable attributes define the attributes that users can search on within Identity Manager. These attributes are defined in the QueryableAttrNames section of this object.
Inline Queryable attributes are stored in the main table (userobj) rather than the associated table (userattr). These attributes must be single-valued. Querying on inline attributes is much faster than accessing the associated attribute table. These attributes are contained in the RepoIndexAttrs section of this object.
Object Attributes
The attributes described here comprise a subset of the default UserUIConfig object attributes. The attributes you see in your deployment may vary.
SummaryAttrNames
Attributes that are members of the SummaryAttrNames object are designated as summary attributes. Identity Manager displays summary attributes in product list results. These attributes must be a superset of the AppletColumns and Find Results lists, but do not need to be included in the QueryableAttrNames list.
When editing this object, do not remove the MemberObjectGroups attribute. This attribute is used for fast authorizations.
The following attributes are the default summary attributes provided by Identity Manager. name and id are built-in summary attributes and are not described here. You can add attributes to this list.
role
Identifies the Identity Manager roles. Role IDs are separated by a vertical bar (|).
res
Lists resource names separated by a comma. If the number of elements in this list exceeds the value of SummaryAttrResourceCountLimit, this list is truncated, and Identity Manager appends an ellipsis (...).
prov
Specifies the provisioning level. This determines how many Identity Manager-assigned resources have been provisioned on the resource. (0 = none, 1 = some, 2 = all)
dis
(Boolean) Indicates whether the user is disabled.
MemberObjectGroups
Specifies the organization that this member belongs to. Do not remove this attribute.
fullname, lastname, firstname
Specifies the user’s fullname, lastname, and firstname attributes, respectively.
QueryableAttrNames
Specifies the attributes that users can search on in Identity Manager. You can add attributes to this list.
Default queryable attributes include:
AppletColumns
Specifies the names of the columns to be displayed on the List Accounts page. Edit this list to change the contents of the columns that the List Accounts page displays. Columns named in this list must be included in SummaryAttrNames (or the values will show up blank in the product interface). The list consists of GenericObjects for each column. Supported attributes are:
- width — (Valid for applet implementation only) Specifies the initial width of the column. If omitted (or zero), the applet assigns a default initial width to the column.
- sortBy — (Valid for applet implementation only) If present, identifies the column the applet will sort by initially. If more than one column is designated, the left column is used.
- label — (Valid for both applet and treetable implementations) Specifies the message key to use for the localized column name.
ShowListCache
Indicates whether to show the Clear List Cache button on the List Accounts page.
TemporarySummaryAttrResourceCountLimit
Specifies the number of resources in the resource summary. An excessive number will trigger a resource schema violation. The default value is 3.
PolicyAccountAttributeNames
Defines the attributes that appear in pop ups for an accountId policy. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include email, firstname, fullname, and lastname.
PolicyPasswordAttributeNames
Defines the attributes that appear in pop ups for a password policy. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include accountId, email, firstname, fullname, and lastname.
PolicyOtherAttributeNames
Defines the attributes that appear in pop ups for other policy types. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include accountId, email, firstname, fullname, and lastname.
PolicySpecialChars
Specifies the characters to include in the string quality policy for forced exclusion or inclusion. Password and account ID policies allow specifying rules about maximum number of special characters and minimum number of special characters.
TaskBarPages
Defines the paths of the JSP pages in the Identity Manager Administrator interface for which to display the task bar at the bottom of the page. For example, when you create a new user in Identity Manager, you see Create User at the bottom of the accounts page. This is because accounts/list.jsp is included in the TaskBarPages element by default.
RepoIndexAttrs
Defines the attributes that are copied into the waveset.userobj table and indexed to facilitate searching. Any attribute named here must also be queryable.
Edit this object to enhance search performance. This list can contain only five attributes, and these map to the ATTR1-ATTR5 database columns. By default, Identity Manager indexes firstname, lastname, and MemberObjectGroups, so you can add two more attributes for fast searching. For example, if your deployment contains the extended attribute departmentNumber, you could add it here, ensuring that it is included in all repository searches. If you know that you will not need firstname, lastname, or MemberObjectGroups, you can replace these attributes with other attributes.
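The rules this appendix places on SummaryAttrNames, AppletColumns and RepoIndexAttrs can be checked before an edited object is imported. The following is an added example, not code from the product or its documentation; the function name, the multi_valued parameter and the dict layout (section name mapped to a list of attribute names) are assumptions made for illustration.

```python
# Added example: pre-import consistency check for an edited UserUIConfig.
# The dict layout (section name -> list of attribute names) is an assumption
# made for this sketch; it is not the product's XML export format.

MAX_REPO_INDEX_ATTRS = 5           # maps to the ATTR1-ATTR5 columns
BUILT_IN_SUMMARY = {"name", "id"}  # built-in summary attributes per the page


def check_user_ui_config(cfg, multi_valued=()):
    """Return a list of findings; an empty list means the rules all hold."""
    summary = set(cfg.get("SummaryAttrNames", [])) | BUILT_IN_SUMMARY
    queryable = set(cfg.get("QueryableAttrNames", []))
    columns = cfg.get("AppletColumns", [])
    indexed = cfg.get("RepoIndexAttrs", [])
    findings = []

    # MemberObjectGroups backs fast authorization checks and must stay.
    if "MemberObjectGroups" not in summary:
        findings.append("SummaryAttrNames: MemberObjectGroups is missing")

    # A column that is not a summary attribute renders blank in the UI.
    for col in columns:
        if col not in summary:
            findings.append(f"AppletColumns: {col} is not a summary attribute")

    if len(indexed) > MAX_REPO_INDEX_ATTRS:
        findings.append(f"RepoIndexAttrs: {len(indexed)} entries, limit is {MAX_REPO_INDEX_ATTRS}")

    for attr in indexed:
        if attr not in queryable:
            findings.append(f"RepoIndexAttrs: {attr} is not queryable")
        if attr in multi_valued:  # inline attributes must be single-valued
            findings.append(f"RepoIndexAttrs: {attr} is multi-valued")
    return findings


# Constructed sample: an edit that dropped MemberObjectGroups from the summary
# list and indexed departmentNumber without making it queryable.
SAMPLE = {
    "SummaryAttrNames": ["role", "res", "prov", "dis", "lastname", "firstname"],
    "QueryableAttrNames": ["role", "lastname", "firstname", "MemberObjectGroups"],
    "AppletColumns": ["name", "lastname", "firstname", "email"],
    "RepoIndexAttrs": ["firstname", "lastname", "MemberObjectGroups", "departmentNumber"],
}

if __name__ == "__main__":
    for finding in check_user_ui_config(SAMPLE):
        print(finding)
```

A clean result only means the sections agree with each other; the refreshType import described under Refreshing Users is still required after the edit.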