Sun Java[TM] System Identity Manager 7.0 Workflows, Forms, and Views |
Chapter 4
FormUtil MethodsThis chapter describes the most used FormUtil methods.
The FormUtil class provides a collection of utility methods that are intended to be called from XPRESS expressions within form objects. The FormUtil methods are usually used within the valueMap property of Select and MultiSelect fields to constrain the list of possible values. Additional methods are provided to format string values such as dates and directory DNs.
Related Chapters
- Identity Manager Views — Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.
- Identity Manager Forms — For examples on using these methods within forms, see the sections titled Using Hidden Components and Populating Lists.
Invoking MethodsUse the following syntax to invoke the FormUtil methods from within a form:
<invoke class = 'com.waveset.ui.FormUtil'
name = 'method_name'>
<ref>:display.session</ref>
<s>arg2</s>
</invoke>
where the name field identifies the name of the method.
Most FormUtil methods require that a LighthouseContext or Session object be passed as the first argument by referencing the view attribute display.session. Since forms are often used with a base context prefix, it is recommended that the display.session reference always be preceded with a colon to remove the base context prefix.
MethodsThis section introduces the most used FormUtil methods.
callResourceMethod Method
callResourceMethod(LighthouseContext s, String resourceName, String methodName, Map args) throws WavesetException {
Description
Invokes the specified method on the resource by passing it the specified arguments.
buildDn Method
buildDn(String name,
String baseContext)
Description
Takes a name and the base context to append to the name. This method returns a string of fully qualified distinguished (DN) names. For example, passing in group1 and dc=example,dc=com returns the string cn=group1, dc=example, dc=com.
Return Value
Returns a single value in the form CN=<name>,<baseContext>
Example
<invoke name='buildDn' class='com.waveset.ui.FormUtil'>
<s>North America</s>
<s>ou=marketing,dc=acme,dc=com</s>
</invoke>
This example returns: <s>CN=North America,ou=marketing,dc=acme,dc=com</s>
In XPRESS, this same function can be represented by:
<concat>
<s>CN=</s>
<s>North America</s>
<s>,</s>
<s>ou=marketing,dc=acme,dc=com</s>
</concat>
buildDns Method
buildDns(List names,
String baseContext)
or
buildDns(String names,
String delimiter,
String baseContext)
Description
Takes a list of names and the base context to append to each token in the list. Both variants of this method return a list of fully qualified DN names.
For example, passing in group1, group2 and dc=example, dc=com returns the list: cn=group1, dc=example, dc=com and cn=group2, dc=example, dc=com
Parameters
The first variant of this method takes the arguments described in the following table:
Table 4-3 buildDns Parameters (First Variant)
Parameter
Description
names
Specifies a list of object names
baseContext
Specifies base context
The second variant of this method takes the three arguments described in the following table.
Return Values
Returns a list of values or strings, where each value is of the form CN=<name>,<baseContext>
Examples
Example 1: List buildDns
<invoke name='buildDns' class='com.waveset.ui.FormUtil'>
<list>
<s>North America</s>
<s>Europe</s>
</list>
<s>ou=marketing,dc=acme,dc=com</s>
</invoke>
This example returns:
<list>
<s>CN=North America,ou=marketing,dc=acme,dc=com</s>
<s>CN=Europe,ou=marketing,dc=acme,dc=com</s>
</list>
</dolist>
Example 2: List buildDns(String names, String delimeter, String baseContext)
<invoke name='buildDns' class='com.waveset.ui.FormUtil'>
<s>North America,Europe,China</s>
<s>,</s>
<s>ou=marketing,dc=acme,dc=com</s>
</invoke>
This example returns:
<list>
<s>CN=North America,ou=marketing,dc=acme,dc=com</s>
<s>CN=Europe,ou=marketing,dc=acme,dc=com</s>
<s>CN=China,ou=marketing,dc=acme,dc=com</s>
</list>
Do not use XPRESS to provide this functionality.
checkStringQualityPolicy Method
checkStringQualityPolicy(LighthouseContext s, String policy, Object value, Map
map, List pwdhistory, String owner)
Description
Checks the value of a designated string against string policy.
Return Values
This method returns a value of true indicates that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.
controlsAtLeastOneOrganization Method
controlsAtLeastOneOrganization(LighthouseContext s, List organizations)
throws WavesetException {
Description
Determines whether a currently authenticated user controls any of the organizations specified on a list of one or more organization (ObjectGroup) names. The supported list of organizations include those returned by listing all objects of type ObjectGroup.
Return Values
true – Indicates that the current authenticated Identity Manager user controls any one of the organizations in the list.
false – Indicates that the current authenticated Identity Manager user does not control any organizations in the list.
getObject Method
getObject(LighthouseContext s,
String typeName,
String id)
Description
Retrieves an object from the repository (subject to authorization).
getObjectNames Method
getObjectNames(LighthouseContext s,
String typeName)
or
getObjectNames(LighthouseContext s,
String typeName,
Map options)
Description
Returns a list of the names of objects of a given type to which the session owner (or currently logged-in user) has access. Additional parameters can be specified in the options map to control the list of names returned.
This method is the preferred way for returning a list of names of objects rather than attempting session.getObjects(). This method first goes to the ObjectCache, then to the repository, if necessary, for searches.
Table 4-9 Options Values
Option
Value
conditions
See Additional Options.
current
See Additional Options.
scopingOrg
See Additional Options.
Return Values
This method returns a list of the names of objects of a given type to which the session owner has access.
getOrganizationsDisplayNames Method
getOrganizationsDisplayNames(LighthouseContext s)
throws WavesetException
or
getOrganizationsDisplayNames(LighthouseContext s, Map options)
throws WavesetException
Description
Returns a list of organization handles that the current administrator has access to. Forms that need select and multiselection lists of organizations should use this method.
Note
This method defaults to the system configuration setting for useOrganizationDisplayNames only if the call to getOrganizationsDisplayNames() does not specify a pathPrefix option.
Parameters
Options consist of a map of key-value pair arguments.
Table 4-11 Option Values
Option
Value
pathPrefixes
true – the list of returned handles contains organization paths.
false – the list of returned handles contains display names
not true (unsupplied) – the handle type defaults to the system configuration useOrganizationsDisplaynames setting.
If your installation of Identity Manager has duplicate organization names, use paths.
excluded
Identifies organizations that will not be included in the return valueMap.
current
If a list of organization names is passed in for this argument, the return list includes these extra organizations. If you are requesting paths, this should be a list of paths. If you are requesting display names, it should be a list of display names.
conditions
See Additional Options.
scopingOrg
filterVirtual
If this argument is true in the options map, the return valueMap will not contain any virtual organizations.
Version-Specific Behavior
This method behaves differently depending upon whether you have installed the v3.1x version or later releases of Identity Manager. The 3.1.x version of this method does not support multiple organizations with the same name. Version 4.x and greater of this product do support multiple organizations with the same name.
Why use the v3.1.x Version of this Method?
Reset this method to not support multiple organizations if your customized installation is characterized by the following features:
- Duplicate organization names are not and will not be used, and the preference is to display organizations using the short display names
- Customizations use methods that previously returned the short name of the organizations
- You use the getOrganizations method to present the list of available organizations, or it used in evaluation expressions
- References to the waveset.organization view attribute (that previously returned the short name of the org) is used in expressions to set additional resource attributes to view attributes
Resetting this Method to v3.1.x Behavior
If you are running a version of Identity Manager that is higher than v3.1.x but want the behavior described above, you can edit the following system configuration object attribute as follows:
<Attribute name='useOrganizationDisplay Names'>
<Boolean>false</Boolean>
</Attribute>
getResources Methods
getResources(LighthouseContext s)
throws WavesetException
or
getResources(LighthouseContext s,
List current)
throws WavesetException
or
getResources(LighthouseContext s,
String matchType,
String value)
throws WavesetException
or
getResources(LighthouseContext s,
String matchType,
String value
List current)
or
getResources(LighthouseContext s,
Map Options)
Description
Builds a list of the names of resources that match a particular resource attribute value (such as type=LDAP). If a current list is passed in, the lists are merged.
- The first variant of this method takes session only and returns all resources that are visible to the administrator.
- The second variant of this method returns all resources and merges in the current list.
- The third variant of this method returns all resources that match a particular attribute value.
- The fourth variant of this method returns all resources that match a particular attribute value and merges in the current list.
For a list of supported resource type names, see Views.
Table 4-13 Options Values
Option
Value
conditions
See Additional Options.
current
See Additional Options.
scopingOrg
See Additional Options.
Valid queryable attribute types for the matchType parameter include the following:
getResourceObjects Methods
getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)
or
getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options)
or
getResourceObjects(String subjectString, String objectType, String resourceId, Map options)
or
getResourceObjects(String subjectString, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)
Description
Returns a list of objects where each object contains a set of attributes including type, name, and ID (a DN, or fully qualified name) as well as any requested searchAttrsToGet value. The returned value is a List of GenericObjects. Each GenericObject can be accessed similar to how a Map is accessed. Invoking a get method on each object, which passes in the name of the attribute, returns the attribute value.
Parameters
Table 4-16 Possible Values for Option Parameter
Option
Value
searchContext
Determines the context in which to perform search (ResourceAdapter.RA_SEARCH_CONTEXT). If not specified, the method attempts to get a value from RA_BASE_CONTEXT. If no value is specified, this method searches from the logical top.
searchFilter
(Optional) In LDAP search filter format as specified in RFC 1558, of one or more object tuples either AND'ed or OR'ed together. If not specified, the method constructs a filter using the specified objectType (ResourceAdapter.SEARCH_FILTER).
searchScope
Specifies whether the method should search on the current object within the context of the specified searchContext, or in all subcontexts within the specified searchContext (ResourceAdapter.RA_SEARCH_SCOPE). Valid values are object, oneLevel, or subTree. If object is specified, the searchContext is expected to be the full DN of a single object, so that only one object is returned. oneLevel indicates that one or more objects should be fetched, starting for a particular baseContext (searchContext). subTree executes the oneLevel search recursively. searchContext indicates that the search should be performed on all subcontexts within the specified searchContext.
searchTimeLimit
Indicates the time limit in milliseconds that a search should not exceed (ResourceAdapter.RA_SEARCH_TIME_LIMIT).
searchAttrsToGet
Identifies the list of objectType specific attribute names to get per object.
runAsUser
Specifies the user name that this request is to be run as. If not specified, defaults to resource proxy administrative user.
runAsPassword
Specifies the password of runAsUser. Required to authenticate with resource in order to run the list request as the specified user.
current
See Additional Options.
conditions
See Additional Options.
scopingOrg
See Additional Options.
The second flavor of this method uses a subjectString instead of Session.
getRoles Method
getRoles(LighthouseContext s)
or
getRoles(LighthouseContext s, String current)
or
getRoles(LighthouseContext s, List current)
or
getRoles(LighthouseContext s, Map options)
Description
Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.
Table 4-18 Options Values
Option
Value
current
See Additional Options.
conditions
See Additional Options.
scopingOrg
See Additional Options.
Return Values
Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.
getUnassignedApplications Method
getUnassignedApplications(LighthouseContext s, Map options)
throws WavesetException {
Description
Builds a list of application names suitable for a user’s private applications. (A private application is an application that is directly assigned to a user.) This is the list of all accessible applications minus the names of the applications that are already assigned to the user through their role.
The resulting list is convenient for use in forms for assigning private applications.
Parameters
getUnassignedApplications takes the following options:
Table 4-19 getUnassignedApplications Parameters
Parameter
Description
context
Identity Manager context object
options
current, currentRoles, conditions. See table below.
getSubordinates Method
getSubordinates(LighthouseContext s, manager, Map options)
throws WavesetException {
Description
Retrieves a list of the specified managerial subordinates of a user.
Table 4-23 Options Values
Option
Value
firstLevel
Specifies the first organizational level to include in the result.
0 means direct reports.
lastLevel
Specifies the last organizational level to include in the result.
-1 indicates all levels.
conditions
(Optional) Map of user attribute conditions that can be used to further filter the list of user names returned. See Additional Options.
Return Values
This method returns a sorted list of subordinates, or throws WavesetException.
Example Rule Using getSubordinates
getUnassignedResources Method
static public List getUnassignedResources(LighthouseContext s, Map
options) throws WavesetException
Description
Build a list of resource names suitable for the private resources of a user. (A private resource is a resource that is directly assigned to a user.) This is the list of all accessible resources minus the names of the resources that are already assigned to the user through their role.
The resulting list is convenient for use in forms for assigning private resources.
Table 4-24 getUnassignedResources Parameters
Parameter
Description
context
Identity Manager context object
options
availableToOrgScope, current, currentRoles, currentResourceGroups, conditions, scopingOrg. See table below.
Table 4-25 Options Values
Option
Value
availableToOrgScope
(List) Specifies organization names (or paths or displayNames, if unique). Resources that are available to organizations on this list, or an organization below the organization’s hierarchy, are returned. Resources on the current list are also always returned.).
current
See Additional Options.
currentRoles
(List) Specifies current role names.The returned list does not contain any resource that is assigned by one of these roles unless that resource name is on the current list.
currentResourceGroups
(List) Specifies current resource group names. The returned list does not contain any resource that is assigned by one of these resource groups unless that resource name is on the current list.
conditions
See Additional Options.
scopingOrg
See Additional Options.
Return Values
This method returns a list of resource names suitable for the private resources of a user.
getUsers Method
getUsers(LighthouseContext s)
or
getusers(LighthouseContext s, Map options)
Description
The first variant of this method returns all users. The second variant by default returns all users, but you can specify a map of options to further filter the list.
Table 4-26 getUsers Parameters
Parameters
Description
s
Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
options
current, conditions, exclude, scopingOrg. See table below.
Table 4-27 Options Values
Option
Value
current
See Additional Options.
conditions
See Additional Options.In addition to the supported queryable attribute names for user, you can also use the following pseudo-attributes: userType and similarTo. See the FormUtil javadoc for more information.
exclude
Specifies which types of users will be excluded from the returned list. Value can be either administrators or endUsers.
administrators -- the list of users returned will not contain any users that are either directly or indirectly (via AdminRoles) assigned one or more capabilities and control one or more organizations.
endUsers -- the list returned will include only users directly or indirectly assigned one or more capabilities and controlled organizations.
scopingOrg
See Additional Options.
listResourceObjects Methods
listResourceObjects(LighthouseContext s,
String objectType,
List resourceList,
Map options,
String cacheList)
or
listResourceObjects(LighthouseContext s,
String objectType,
List resourceList,
Map options,
String cacheList,
String clearCacheIfExists)
The two preceding variants are the same except that the second method clears the cache.
listResourceObjects(String subjectString,
String resourceObjectType,
List resourceList,
Map options,
String cacheList)
or
listResourceObjects(String subjectString,
String objectType,
String resourceId,
Map options,
String cacheList)
String clearCacheIfExists)
or
listResourceObjects(String subjectString,
String objectType,
String resourceID,
Map options,
String cacheList)
or
listResourceObjects(String subjectString,
String objectType,
String resourceID,
Map options,
String cacheList)
String cacheTimeout
String clearCacheIfExists)
The two preceding variants are the same except that the second method clears the cache.
listResourceObjects(LighthouseContext session,
String objectType,
String resourceId,
Map options,
String cacheList,
String clearCacheIfExists)
throws WavesetException {
or
listResourceObjects(LighthouseContext session,
String objectType,
String resourceId,
Map options,
String cacheList)
throws WavesetException {
or
listResourceObjects(LighthouseContext session,
String objectType,
String resourceId,
Map options,
String cacheList)
String cacheTimeout
String clearCacheIfExists
throws WavesetException
or
listResourceObjects (String subjectString, String objectType, List resourceList, Map options, String cacheList, String clearCacheIfExists)
Description
Retrieves a list of resource objects of a specified type (for example, group). This method first attempts to get the list from the server's resourceObjectListCache. If found, this list is returned.
If this list is not found, the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists. Finally, it caches this new list in the server's resourceObjectListCache for any subsequent requests for the same resource object type from the same resource(s).
This method runs as the currently authenticated administrator (for example, subject). Variants take a single resource ID or a subject string and an existing session.
This method has multiple variants that differ on whether:
- The method returns a single resource versus a resource list.
- The cache should be cleared.
- The method is sending a session ID (implemented when the user has already been authenticated) or a subject string (subjectString). Typically, you will use Session.
Table 4-28 listResourceObjects Parameters
Parameter
Description
s
Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
resourceObjectType
Identifies the type of resource object class for this specified (for example, group). If null, this method returns objects of all object types.
resourceList
List of resource to retrieve the objects from.
options
Contains name/value pairs that are specific to the resources used to constrain the search.
cacheList
Specifies the new list that is stored in the server's resourceObjectListCache that is created when the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists.
clearCacheIfExists
Indicates that the cache in the server's resourceObjectListCache should be cleared after the method has retrieved the list of resource objects.
Return Values
This method returns a list of resource object names of the specified resource object type from the list of resources (resourceList of IDs or names).
testObject Method
testObject(LighthouseContext s,
String typeName,
String id)
Description
Tests to see if a specified object exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree.
Table 4-29 testObject Parameters
Parameter
Description
s
Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
typeName
Specifies the type of object that the method tests for.
id
Identifies the object by either name or ID. If an ID is used, the value of typeName is ignored. This parameter cannot be null.
Return Values
This method returns:
true – object exists
null – object does not exist
testUser Method
testUser(LighthouseContext s,
String id)
Description
Tests to see if a specified user exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree.
Table 4-30 testUser Parameters
Parameter
Description
s
Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
id
Identifies the user by either name or ID.This parameter cannot be null.
Return Values
This method returns:
true – user exists
null – user does not exist
hasCapability Method
hasCapability(LighthouseContext s, String capability)
throws WavesetException {
Description
Checks to see if the user has a specified capability (String). This method checks for a capability that is assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value.
Table 4-31 hasCapability Parameters
Parameter
Description
s
Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
capabilities
Identifies the capability that will be queried for.
Return Values
true – Indicates that the currently authenticated Identity Manager user has the specified capability.
false – Indicates that the current user does not have the specified capability.
hasCapabilities Method
hasCapabilities(LighthouseContext s, List capabilities)
throws WavesetException {
Description
Checks to see if the user has a list of specified capabilities (Strings). These capabilities can be assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value.
Table 4-32 hasCapabilities Parameters
Parameter
Description
s
Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
capabilities
Identifies the list of capabilities that will be queried.
Return Values
true – Indicates that the currently authenticated Identity Manager user has all the specified capabilities.
false – Indicates that the user does not have all the specified capabilities.
Additional Options
The following options are used by a subset of the FormUtil methods:
scopingOrg
Used when two or more AdminRoles are assigned to a user. The value should be the name of an organization. This value specifies that the returned names should contain only ones that are available to organizations that are controlled by an AdminRole that controls the scopingOrg organization and is assigned to the logged-in user.
This option is typically used to ensure that when a user is creating or editing another user, the member organization of the user being edited determines which names (for example, Resourcenames) are available for assignment.
Using the scopingOrg Parameter
Set this attribute under these conditions:
For example, if an administrator were assigned both the Engineering AdminRole and Marketing AdminRole, and the administrator is editing a user who is a member of the Engineering organization, the Resources available for assigning to that user should be limited to those available to the organization(s) controlled by the Engineering AdminRole.
Implementing the scopingOrg Attribute
To implement the behavior described above, add the scopingOrg attribute to the waveset.resources field in the user form.
Reference the value of the current organization as follows:
<Field name='waveset.resources'>
<Display class='MultiSelect'>
<Property name='title' value='_FM_PRIVATE_RESOURCES'/>
<Property name='availableTitle'
value='_FM_AVAILABLE_RESOURCES'/>
<Property name='selectedTitle' value='_FM_SELECTED_RESOURCES'/>
<Property name='allowedValues'>
<invoke class='com.waveset.ui.FormUtil'
name='getUnassignedResources'>
<ref>:display.session</ref>
<map>
<s>currentRoles</s>
<ref>waveset.roles</ref>
<s>currentResourceGroups</s>
<ref>waveset.applications</ref>
<s>current</s>
<ref>waveset.original.resources</ref>
<s>scopingOrg</s>
<ref>waveset.organization</ref>
</map>
</invoke>
</Property>
</Display>
</Field>
current
Specifies a list of names to be merged with those returned. For example, this is typically the list of selected names in a MultiSelect field to ensure that all selected names are in the MultiSelect’s list of available names.
conditions
This value can be specified in three ways:
Table 4-33 Values of conditions Attribute
Value Format
Description
Map
The <MapEntry> key is the name of a queryable attribute by this type of object and the second is the value an object of this type must have for the associated queryable attribute in order to be returned (the operator is assumed to be "equals"). If more than one attrname/value pairs are specified, they will be logically and'ed together.
Example
<Map>
<MapEntry key='memberObjectGroups' value='Top'/>
</Map>
map
The first entry is the name of a queryable attribute supported by this type of object. The second entry is the value an object of this type must have for the associated queryable attribute to be returned (the operator is assumed to be "equals").
If more than one attrname/value pairs is specified, they will be logically and'ed together.
Example
<map>
<s>memberObjectGroups</s>
<ref>waveset.organizations</ref>
</map>
list
Lists AttributeCondition objects. If more than one AttributeCondition is specified, they will be logically and'ed together.
Example
<list>
<newclass= 'com.waveset.object.AttributeCondition'>
<s>MemberObjectGroups</s>
<s>equals</s>
<ref>waveset.organization</ref>
</new>
</list>
Using the conditions Attribute
You can specify a list of one or more object type-specific query attribute conditions to filter the list of names returned by certain FormUtil methods. These methods include methods that take an options map as an argument.) You can specify these query attribute conditions as a query option whose key is conditions and whose value can be specified as either a map or list of AttributeConditions.
Examples: Using the condition Attribute to Filter Names
The following examples illustrate the use of the conditions attribute to apply additional filters to the list of names returned by a FormUtil method that takes an options map as an argument.
Example 1
<Field name='waveset.resources'>
<Display class='MultiSelect' action='true'>
...
<Property name='allowedValues'>
<invoke class='com.waveset.ui.FormUtil'
name='getUnassignedResources'>
<ref>:display.session</ref>
<map>
<s>currentRoles</s>
<ref>waveset.roles</ref>
<s>currentResourceGroups</s>
<ref>waveset.applications</ref>
<s>current</s>
<ref>waveset.original.resources</ref>
<s>conditions</s>
<map>
<s>supportsContainerObjectTypes</s>
<s>true</s>
<s>type</s>
<s>LDAP</s>
</map>
</map>
</invoke>
</Property>
</Display>
</Field>
Example 2
<Field name='orgResource'>
<Display class='Select' action='true'>
...
<Property name='allowedValues'>
<invoke class='com.waveset.ui.FormUtil'
name='getResourcesSupportingContainerObjectTypes'>
<ref>:display.session</ref>
<map>
<s>conditions</s>
<list>
<new class='com.waveset.object.AttributeCondition'>
<s>name</s>
<s>starts with</s>
<s>ldap</s>
</new>
</list>
</map>
</invoke>
</Property>
</Display>
</Field>
Example 3
<Field name='accounts[Lighthouse].capabilities'>
<Display class='MultiSelect'>
...
<Property name='allowedValues'>
<invoke class='com.waveset.ui.FormUtil'
name='getUnassignedCapabilities'>
<ref>:display.session</ref>
<ref>waveset.original.capabilities</ref>
<map>
<s>conditions</s>
<list>
<new class='com.waveset.object.AttributeCondition'>
<s>name</s>
<s>starts with</s>
<s>bulk</s>
</new>
</list>
</map>
</invoke>
</Property>
</Display>
</Field>
Supported Queryable Attribute Names
The list of supported queryable attribute names per object type are categorized as follows:
Other queryable attribute names are defined in the UIConfig.xml (for example, firstname and lastname).
Table 4-34 All Object Types
Queryable Attribute
Description
authType
Specifies the authorization type, if applicable (for example, for Types such as Configuration or Rule)
id
Specifies the repository ID for this object
name
Identifies the name for this object
memberObjectGroups
Identifies the ObjectGroups that this object is available to or is a member of
Table 4-35 Account
Queryable Attribute
Description
accountId
Specifies the resource accountId
accountExists
Identifies whether account exists (true|false)
disabled
Indicates whether account is disabled (true|false)
discoveredSituation
Specifies the initial status that was discovered during reconciliation. Status includes confirmed and deleted.
owner
Specifies the repository ID of this user (userid is displayable name)
nativeGUID
Specifies the account GUID, if the resource supports this attribute
resource
Identifies the resource name
resourceId
Specifies the repository ID of this resource (resource is displayable name)
situation
Specifies account status after responses are applied to the discovered situation. Status includes confirmed, missing, deleted.
situationChanged
Specifies the date and time that the situation last changed.
typeString
Specifies the resource type (for example, LDAP)
userid
Uniquely identifies the Identity Manager user with which this account is associated
Table 4-36 AdminGroup
Queryable Attribute
Description
hidden
Identifies whether an AdminGroup is hidden from display
memberAdminGroups
Lists the AdminGroups that are directly assigned to this AdminGroup
Table 4-37 AdminRole
Queryable Attribute
Description
controlledObjectGroups
Lists the ObjectGroups that are controlled by this Admin Role
memberAdminGroups
Lists the AdminGroups that are assigned to this Admin Role
adminGroupsRule
Specifies the name of the capabilities rule
controlledObjectGroupsRule
Specifies the name of the controlled organizations rule
Table 4-38 Configuration
Queryable Attribute
Description
configType
Specifies the JAVA class name of the class that extends configuration (for example, UserUIConfig, UserForm)
Table 4-39 Event
Queryable Attribute
Description
eventType
Specifies the type of event to enable grouping events that are similar
Table 4-40 LoginApp
Queryable Attribute
Description
hidden
Identifies whether a LoginApp is hidden from display
Table 4-41 LoginModGroup
Queryable Attribute
Description
hidden
Identifies whether a LoginModGroup is hidden from display
Table 4-42 ObjectGroup
Queryable Attribute
Description
directoryJunction
Identifies whether the ObjectGroup is a directory junction
(true|false)
displayName
Specifies the readable name of the object group’s user
Table 4-43 Policy
Queryable Attribute
Description
class
Identifies the JAVA class that implements this policy (for example, StringQualityPolicy)
typeString
Specifies the type of policy (for example, password or accountId)
Table 4-44 Resource
Queryable Attribute
Description
startupType
Indicates startupType. Includes disabled and automatic
supportsContainerObjectTypes
Indicates whether this resource supports container object types (true|false)
supportedObjectTypes
Lists supported object types (for example, group, ou, o, and domain)
supportsScanning
Indicates whether this resource supports scanning
(true|false)
syncSource
Indicates whether this resource can be an Active Sync resource
(true|false)
type
Identifies the resource type (for example, LDAP, AIX, or RACF)
Table 4-45 Role
Queryable Attribute
Description
role_resources
Lists the resources assigned to a role
role_approvers
Lists the approvers assigned to a role
Table 4-46 WorkItem
Queryable Attribute
Description
dirty
itemType
Defines the type of workitem (for example, approval or wizard)
owner
Identifies the user that owns this workitem
taskid
Identifies the repository ID of the taskinstance that created this workitem
Table 4-47 User
Queryable Attribute
Description
adminRoles
Specifies the list of AdminRoles assigned to this user
controlledObjectGroups
Lists (flattened) all ObjectGroups controlled by this user
correlationKey
Identifies the key that is used to identity users during bulk loads
dis
Specifies an integer that represents the current disabled state
0 indicates no accounts
1 indicates some are disabled
2 indicates all are disabled
lhdis
Indicates whether the Identity Manager user is disabled or not (true|false)
memberAdminGroups
Lists (flattened) all AdminGroups that are assigned to this user
prov
Specifies an integer that represents the current provisioning state
1 indicates that an update is needed
2 indicates OK
resourceAccountGuids
Lists resource account GUIDs that are assigned to this user (accountGUID@resourceId)
resourceAccountIds
Lists resource account IDs that are assigned to this user (accountId@resourceId)
role
List the roles that are assigned to this user
user_resources
Lists the resources that are assigned to this user
Supported Operators