Previous      Contents      Index      Next
Sun Java[TM] System Identity Manager 7.0 Workflows, Forms, and Views

Chapter 4
FormUtil Methods

This chapter describes the most used FormUtil methods.

The FormUtil class provides a collection of utility methods that are intended to be called from XPRESS expressions within form objects. The FormUtil methods are usually used within the valueMap property of Select and MultiSelect fields to constrain the list of possible values. Additional methods are provided to format string values such as dates and directory DNs.

Related Chapters

Identity Manager Views — Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.
Identity Manager Forms — For examples on using these methods within forms, see the sections titled Using Hidden Components and Populating Lists.

---

Invoking Methods

Use the following syntax to invoke the FormUtil methods from within a form:

<invoke class = 'com.waveset.ui.FormUtil'

   name = 'method_name'>

      <ref>:display.session</ref>

      <s>arg2</s>

</invoke>

where the name field identifies the name of the method.

Most FormUtil methods require that a LighthouseContext or Session object be passed as the first argument by referencing the view attribute display.session. Since forms are often used with a base context prefix, it is recommended that the display.session reference always be preceded with a colon to remove the base context prefix.

---

Methods

This section introduces the most used FormUtil methods.

callResourceMethod Method

callResourceMethod(LighthouseContext s, String resourceName, String methodName, Map args) throws WavesetException {

Description

Invokes the specified method on the resource by passing it the specified arguments.

Table 4-1  callResourceMethod Parameters

Parameter	Description
st	Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>
resourceName	Specifies the name of the resource on which to call the method
methodName	Indicates the name of the resource method to call
args	Identifies the map of args that the resource method expects

buildDn Method

buildDn(String name,

String baseContext)

Description

Takes a name and the base context to append to the name. This method returns a string of fully qualified distinguished (DN) names. For example, passing in group1 and dc=example,dc=com returns the string cn=group1, dc=example, dc=com.

Table 4-2  buildDn Parameters

Parameter	Description
name	Specifies the names of the directory object (typically the common name, cn).
baseContext	Identifies the base context or container. This is the value of the base distinguished name to which the common name is concatenated to form the full distinguished name of the directory object.

Return Value

Returns a single value in the form CN=<name>,<baseContext>

Example

<invoke name='buildDn' class='com.waveset.ui.FormUtil'>

   <s>North America</s>

   <s>ou=marketing,dc=acme,dc=com</s>

</invoke>

This example returns: <s>CN=North America,ou=marketing,dc=acme,dc=com</s>

In XPRESS, this same function can be represented by:

<concat>

   <s>CN=</s>

   <s>North America</s>

   <s>,</s>

   <s>ou=marketing,dc=acme,dc=com</s>

</concat>

buildDns Method

buildDns(List names,

String baseContext)

or

buildDns(String names,

String delimiter,

String baseContext)

Description

Takes a list of names and the base context to append to each token in the list. Both variants of this method return a list of fully qualified DN names.

For example, passing in group1, group2 and dc=example, dc=com returns the list: cn=group1, dc=example, dc=com and cn=group2, dc=example, dc=com

Parameters

The first variant of this method takes the arguments described in the following table:

Table 4-3  buildDns Parameters (First Variant)

Parameter	Description
names	Specifies a list of object names
baseContext	Specifies base context

The second variant of this method takes the three arguments described in the following table.

Table 4-4  buildDns Parameters (Second Variant)

Parameter	Description
names	Specifies string containing names that are separated using a delimiter such as a comma or semicolon.
delimiter	Specifies delimiter used in this string of names. The delimiter is typically a coma (,) or a period (.).
baseContext	Identifies base context.

Return Values

Returns a list of values or strings, where each value is of the form CN=<name>,<baseContext>

Examples

Example 1: List buildDns

<invoke name='buildDns' class='com.waveset.ui.FormUtil'>    <list>       <s>North America</s>       <s>Europe</s>    </list>    <s>ou=marketing,dc=acme,dc=com</s> </invoke>

This example returns:

<list>    <s>CN=North America,ou=marketing,dc=acme,dc=com</s>    <s>CN=Europe,ou=marketing,dc=acme,dc=com</s> </list> </dolist>

Example 2: List buildDns(String names, String delimeter, String baseContext)

<invoke name='buildDns' class='com.waveset.ui.FormUtil'>    <s>North America,Europe,China</s>    <s>,</s>    <s>ou=marketing,dc=acme,dc=com</s> </invoke>

This example returns:

<list>    <s>CN=North America,ou=marketing,dc=acme,dc=com</s>    <s>CN=Europe,ou=marketing,dc=acme,dc=com</s>    <s>CN=China,ou=marketing,dc=acme,dc=com</s> </list>

Do not use XPRESS to provide this functionality.

checkStringQualityPolicy Method

checkStringQualityPolicy(LighthouseContext s, String policy, Object value, Map

map, List pwdhistory, String owner)

Description

Checks the value of a designated string against string policy.

Table 4-5  checkStringQualityPolicy Parameters

Parameter	Description
LighthouseContext	Specifies the current user's Lighthouse context.
policy	(Required) Specifies the name of the policy that the string will be tested against.
value	(Required) Identifies the string value to check.
map	(Optional) Provides a map of the data that must not be contained in the string. returnNull -- (Optional) If set to true, the method return a null object upon success
pwdhistory	(Optional) Lists user's previous passwords in uppercase, encrypted format.
owner	(Required) Identifies the user whose string value is being checked.

Return Values

This method returns a value of true indicates that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.

controlsAtLeastOneOrganization Method

controlsAtLeastOneOrganization(LighthouseContext s, List organizations)

    throws WavesetException {

Description

Determines whether a currently authenticated user controls any of the organizations specified on a list of one or more organization (ObjectGroup) names. The supported list of organizations include those returned by listing all objects of type ObjectGroup.

Table 4-6  controlsAtLeastOneOrganization Parameters

Parameter	Description
s	Specifies current user's Lighthouse context (session)
organizations	Specifies a list of one or more organization names. The supported list of organizations include those returned by listing all objects of type ObjectGroup.

Return Values

true – Indicates that the current authenticated Identity Manager user controls any one of the organizations in the list.

false – Indicates that the current authenticated Identity Manager user does not control any organizations in the list.

getObject Method

getObject(LighthouseContext s,

String typeName,

String id)

throws WavesetException

Description

Retrieves an object from the repository (subject to authorization).

Table 4-7  getObject Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
typeName	Specifies object type. Common object types are User, Object Group, Resource. For a complete list of types, see the Types option list on the Debug page.
id	Specifies ID or name of the object you are looking for. For a User object, the accountId would be indicated here.

getObjectNames Method

getObjectNames(LighthouseContext s,

String typeName)

throws WavesetException

or

getObjectNames(LighthouseContext  s,

String typeName,

Map options)

throws WavesetException

Description

Returns a list of the names of objects of a given type to which the session owner (or currently logged-in user) has access. Additional parameters can be specified in the options map to control the list of names returned.

This method is the preferred way for returning a list of names of objects rather than attempting session.getObjects(). This method first goes to the ObjectCache, then to the repository, if necessary, for searches.

Table 4-8  getObjectNames Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
typeName	Specifies object type. Common object types are User, Object Group, Resource. For a complete list of types, see the Types option list on the Debug page.
options	See below

Table 4-9  Options Values

Option	Value
conditions	See Additional Options.
current	See Additional Options.
scopingOrg	See Additional Options.

Return Values

This method returns a list of the names of objects of a given type to which the session owner has access.

getOrganizationsDisplayNames Method

getOrganizationsDisplayNames(LighthouseContext s)

throws WavesetException

or

getOrganizationsDisplayNames(LighthouseContext s, Map options)

throws WavesetException

Description

Returns a list of organization handles that the current administrator has access to. Forms that need select and multiselection lists of organizations should use this method.

Note	This method defaults to the system configuration setting for useOrganizationDisplayNames only if the call to getOrganizationsDisplayNames() does not specify a pathPrefix option.

Parameters

Options consist of a map of key-value pair arguments.

Table 4-10  getOrganizationsDisplayNames Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
options	pathprefixes, excluded, current, filterVirtual, conditions, scopingOrg. See table below.

Table 4-11  Option Values

Option	Value
pathPrefixes	true – the list of returned handles contains organization paths. false – the list of returned handles contains display names not true (unsupplied) – the handle type defaults to the system configuration useOrganizationsDisplaynames setting. If your installation of Identity Manager has duplicate organization names, use paths.
excluded	Identifies organizations that will not be included in the return valueMap.
current	If a list of organization names is passed in for this argument, the return list includes these extra organizations. If you are requesting paths, this should be a list of paths. If you are requesting display names, it should be a list of display names.
conditions	See Additional Options.
scopingOrg	See Additional Options
filterVirtual	If this argument is true in the options map, the return valueMap will not contain any virtual organizations.

Version-Specific Behavior

This method behaves differently depending upon whether you have installed the v3.1x version or later releases of Identity Manager. The 3.1.x version of this method does not support multiple organizations with the same name. Version 4.x and greater of this product do support multiple organizations with the same name.

Why use the v3.1.x Version of this Method?

Reset this method to not support multiple organizations if your customized installation is characterized by the following features:

Duplicate organization names are not and will not be used, and the preference is to display organizations using the short display names
Customizations use methods that previously returned the short name of the organizations
You use the getOrganizations method to present the list of available organizations, or it used in evaluation expressions
References to the waveset.organization view attribute (that previously returned the short name of the org) is used in expressions to set additional resource attributes to view attributes

Resetting this Method to v3.1.x Behavior

If you are running a version of Identity Manager that is higher than v3.1.x but want the behavior described above, you can edit the following system configuration object attribute as follows:

<Attribute name='useOrganizationDisplay Names'>

   <Boolean>false</Boolean>

</Attribute>

getResources Methods

getResources(LighthouseContext s)

throws WavesetException

or

getResources(LighthouseContext s,

List current)

throws WavesetException

or

getResources(LighthouseContext s,

String matchType,

String value)

throws WavesetException

or

getResources(LighthouseContext s,

String matchType,

String value

List current)

or

getResources(LighthouseContext s,

Map Options)

Description

Builds a list of the names of resources that match a particular resource attribute value (such as type=LDAP). If a current list is passed in, the lists are merged.

The first variant of this method takes session only and returns all resources that are visible to the administrator.
The second variant of this method returns all resources and merges in the current list.
The third variant of this method returns all resources that match a particular attribute value.
The fourth variant of this method returns all resources that match a particular attribute value and merges in the current list.

Table 4-12  getResources Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
matchtype	Identifies the resource attribute that this method searches when identifying resources to include in the resourced name list. Must be a queryable attribute of the resource object type. Queryable attributes include type, supportsScanning, supportsContainerObjectTypes, and startupType, which are described below.
value	Specifies the value of the attribute that this method searches on when identifying resources.
options	current, conditions, scopingOrg. See table.

For a list of supported resource type names, see Views.

Table 4-13  Options Values

Option	Value
conditions	See Additional Options.
current	See Additional Options.
scopingOrg	See Additional Options.

Valid queryable attribute types for the matchType parameter include the following:

Table 4-14  Possible Values for matchType Parameters

matchType Parameter	Description
type	Identifies the resource object type. Valid values are found in the XML Prototype for the resource. For example, the object type that designates Active Directory is Windows Active Directory. For Groupwise, it is GroupWise.
supportsScanning	When set to true, specifies that the resource supports scanning.
supportsContainerObjectTypes	When set to true, specifies that the resource supports container objects.
startupType	Indicates the ActiveSync startup type. Valid values include are "Automatic", "Automatic with failover", "Manual", and "Disabled".

getResourceObjects Methods

getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)

or

getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options)

or

getResourceObjects(String subjectString, String objectType, String resourceId, Map options)

or

getResourceObjects(String subjectString, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)

Description

Returns a list of objects where each object contains a set of attributes including type, name, and ID (a DN, or fully qualified name) as well as any requested searchAttrsToGet value. The returned value is a List of GenericObjects. Each GenericObject can be accessed similar to how a Map is accessed. Invoking a get method on each object, which passes in the name of the attribute, returns the attribute value.

Parameters

Table 4-15  getResourceObjects Parameters

Parameter	Description
session	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
subjectString	Presents the serialized XML representation of the user object. This representation is useful in workflow where there is no current session. For example, to retrieve a subject: <invoke name='getSubject'>    <ref>WF_CONTEXT</ref> </invoke>
objectType	Specifies the name of a valid object class for this specified resId. If null, this method returns objects of all object types that are defined by the specified resId found within the specified search container and scope.
resourceId	Identifies the resource from which to get the objects.
cacheList	If true, then will cache the result on the server. (This is essential for queries that take a long time to return, such as listing profiles on a mainframe).
cacheTimeout	If true, sets the number of milliseconds before the cache times out. When the cache times out, the objects from the search results are automatically retrieved from the resource the next time that the request is made (for example, 6000 = 1 minute).
clearCacheIfExists	Forces the cache to be cleared and the objects of the search to be re-fetched from the resource the next time they are requested.
options	Contains name/value pairs that are specific to the resources used to constrain the search. See table below.

Table 4-16  Possible Values for Option Parameter

Option	Value
searchContext	Determines the context in which to perform search (ResourceAdapter.RA_SEARCH_CONTEXT). If not specified, the method attempts to get a value from RA_BASE_CONTEXT. If no value is specified, this method searches from the logical top.
searchFilter	(Optional) In LDAP search filter format as specified in RFC 1558, of one or more object tuples either AND'ed or OR'ed together. If not specified, the method constructs a filter using the specified objectType (ResourceAdapter.SEARCH_FILTER).
searchScope	Specifies whether the method should search on the current object within the context of the specified searchContext, or in all subcontexts within the specified searchContext (ResourceAdapter.RA_SEARCH_SCOPE). Valid values are object, oneLevel, or subTree. If object is specified, the searchContext is expected to be the full DN of a single object, so that only one object is returned. oneLevel indicates that one or more objects should be fetched, starting for a particular baseContext (searchContext). subTree executes the oneLevel search recursively. searchContext indicates that the search should be performed on all subcontexts within the specified searchContext.
searchTimeLimit	Indicates the time limit in milliseconds that a search should not exceed (ResourceAdapter.RA_SEARCH_TIME_LIMIT).
searchAttrsToGet	Identifies the list of objectType specific attribute names to get per object.
runAsUser	Specifies the user name that this request is to be run as. If not specified, defaults to resource proxy administrative user.
runAsPassword	Specifies the password of runAsUser. Required to authenticate with resource in order to run the list request as the specified user.
current	See Additional Options.
conditions	See Additional Options.
scopingOrg	See Additional Options.

The second flavor of this method uses a subjectString instead of Session.

getRoles Method

getRoles(LighthouseContext s)

or

getRoles(LighthouseContext s, String current)

or

getRoles(LighthouseContext s, List current)

or

getRoles(LighthouseContext s, Map options)

Description

Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.

Table 4-17  getRoles Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
options	current, conditions, and scopingOrg. See table.

Table 4-18  Options Values

Option	Value
current	See Additional Options.
conditions	See Additional Options.
scopingOrg	See Additional Options.

Return Values

Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.

getUnassignedApplications Method

getUnassignedApplications(LighthouseContext s, Map options)

throws WavesetException {

Description

Builds a list of application names suitable for a user’s private applications. (A private application is an application that is directly assigned to a user.) This is the list of all accessible applications minus the names of the applications that are already assigned to the user through their role.

The resulting list is convenient for use in forms for assigning private applications.

Parameters

getUnassignedApplications takes the following options:

Table 4-19  getUnassignedApplications Parameters

Parameter	Description
context	Identity Manager context object
options	current, currentRoles, conditions. See table below.

Table 4-20  Options Values

Option	Value
current	List of current application names. The returned list always contains each of these applications regardless of the other options.
currentRoles	List of current role names. The returned list will not contain any applications that are assigned through one of these roles unless that application name is on the current list.
conditions	Can be represented as either a Map or List, as shown below.

Table 4-21  Possible Values for conditions Parameter

Parameter	Description
<map>	first map entry – the name of a queryable attribute supported by this type of object second map entry – the value an object of this type must have for the associated queryable attribute in order to be returned (the operator is assumed to be equals). If more than one attrname/value pair is specified, they will be logically and'ed together.
<list>	as a list of AttributeCondition objects. For example <list>   <newclass='com.waveset.object.AttributeCondition'>      <s>MemberObjectGroups</s>      <s>equals</s>      <ref>waveset.organization</ref>    </new> </list> If more than one AttributeCondition is specified, they will be logically and'ed together.

getSubordinates Method

getSubordinates(LighthouseContext s, manager, Map options)

throws WavesetException {

Description

Retrieves a list of the specified managerial subordinates of a user.

Table 4-22  getSubordinates Parameters

Parameter	Description
s	Identity Manager context object
manager	Identifies the manager whose subordinates are being requested.
options	firstlevel, lastLevel, conditions. See table below.

Table 4-23  Options Values

Option	Value
firstLevel	Specifies the first organizational level to include in the result. 0 means direct reports.
lastLevel	Specifies the last organizational level to include in the result. -1 indicates all levels.
conditions	(Optional) Map of user attribute conditions that can be used to further filter the list of user names returned. See Additional Options.

Return Values

This method returns a sorted list of subordinates, or throws WavesetException.

Example Rule Using getSubordinates

<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'> <Rule name='testGetSubordinates'>    <invoke name='getSubordinates' class='com.waveset.ui.FormUtil'>       <ref>:display.session</ref>       <ref>waveset.accountId</ref>       <map>         <s>firstLevel</s>         <i>0</i>         <s>lastLevel</s>         <i>0</i>         <s>conditions</s>         <map>      </map>     </map>   </invoke> </Rule>

getUnassignedResources Method

static public List getUnassignedResources(LighthouseContext s, Map

options) throws WavesetException

Description

Build a list of resource names suitable for the private resources of a user. (A private resource is a resource that is directly assigned to a user.) This is the list of all accessible resources minus the names of the resources that are already assigned to the user through their role.

The resulting list is convenient for use in forms for assigning private resources.

Table 4-24  getUnassignedResources Parameters

Parameter	Description
context	Identity Manager context object
options	availableToOrgScope, current, currentRoles, currentResourceGroups, conditions, scopingOrg. See table below.

Table 4-25  Options Values

Option	Value
availableToOrgScope	(List) Specifies organization names (or paths or displayNames, if unique). Resources that are available to organizations on this list, or an organization below the organization’s hierarchy, are returned. Resources on the current list are also always returned.).
current	See Additional Options.
currentRoles	(List) Specifies current role names.The returned list does not contain any resource that is assigned by one of these roles unless that resource name is on the current list.
currentResourceGroups	(List) Specifies current resource group names. The returned list does not contain any resource that is assigned by one of these resource groups unless that resource name is on the current list.
conditions	See Additional Options.
scopingOrg	See Additional Options.

Return Values

This method returns a list of resource names suitable for the private resources of a user.

getUsers Method

getUsers(LighthouseContext s)

or

getusers(LighthouseContext s, Map options)

Description

The first variant of this method returns all users. The second variant by default returns all users, but you can specify a map of options to further filter the list.

Table 4-26  getUsers Parameters

Parameters	Description
s	Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
options	current, conditions, exclude, scopingOrg. See table below.

Table 4-27  Options Values

Option	Value
current	See Additional Options.
conditions	See Additional Options.In addition to the supported queryable attribute names for user, you can also use the following pseudo-attributes: userType and similarTo. See the FormUtil javadoc for more information.
exclude	Specifies which types of users will be excluded from the returned list. Value can be either administrators or endUsers. administrators -- the list of users returned will not contain any users that are either directly or indirectly (via AdminRoles) assigned one or more capabilities and control one or more organizations. endUsers -- the list returned will include only users directly or indirectly assigned one or more capabilities and controlled organizations.
scopingOrg	See Additional Options.

listResourceObjects Methods

listResourceObjects(LighthouseContext s,

String objectType,

List resourceList,

Map options,

String cacheList)

or

listResourceObjects(LighthouseContext s,

String objectType,

List resourceList,

Map options,

String cacheList,

String clearCacheIfExists)

The two preceding variants are the same except that the second method clears the cache.

listResourceObjects(String subjectString,

String resourceObjectType,

List resourceList,

Map options,

String cacheList)

or

listResourceObjects(String subjectString,

String objectType,

String resourceId,

Map options,

String cacheList)

String clearCacheIfExists)

or

listResourceObjects(String subjectString,

String objectType,

String resourceID,

Map options,

String cacheList)

or

listResourceObjects(String subjectString,

String objectType,

String resourceID,

Map options,

String cacheList)

String cacheTimeout

String clearCacheIfExists)

The two preceding variants are the same except that the second method clears the cache.

listResourceObjects(LighthouseContext session,

String objectType,

String resourceId,

Map options,

String cacheList,

String clearCacheIfExists)

throws WavesetException {

or

listResourceObjects(LighthouseContext session,

String objectType,

String resourceId,

Map options,

String cacheList)

throws WavesetException {

or

listResourceObjects(LighthouseContext session,

String objectType,

String resourceId,

Map options,

String cacheList)

String cacheTimeout

String clearCacheIfExists

throws WavesetException

or

listResourceObjects (String subjectString, String objectType, List resourceList, Map options, String cacheList, String clearCacheIfExists)

Description

Retrieves a list of resource objects of a specified type (for example, group). This method first attempts to get the list from the server's resourceObjectListCache. If found, this list is returned.

If this list is not found, the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists. Finally, it caches this new list in the server's resourceObjectListCache for any subsequent requests for the same resource object type from the same resource(s).

This method runs as the currently authenticated administrator (for example, subject). Variants take a single resource ID or a subject string and an existing session.

This method has multiple variants that differ on whether:

The method returns a single resource versus a resource list.
The cache should be cleared.
The method is sending a session ID (implemented when the user has already been authenticated) or a subject string (subjectString). Typically, you will use Session.

Table 4-28  listResourceObjects Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
resourceObjectType	Identifies the type of resource object class for this specified (for example, group). If null, this method returns objects of all object types.
resourceList	List of resource to retrieve the objects from.
options	Contains name/value pairs that are specific to the resources used to constrain the search.
cacheList	Specifies the new list that is stored in the server's resourceObjectListCache that is created when the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists.
clearCacheIfExists	Indicates that the cache in the server's resourceObjectListCache should be cleared after the method has retrieved the list of resource objects.

Return Values

This method returns a list of resource object names of the specified resource object type from the list of resources (resourceList of IDs or names).

testObject Method

testObject(LighthouseContext  s,

String typeName,

String id)

Description

Tests to see if a specified object exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree.

Table 4-29  testObject Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
typeName	Specifies the type of object that the method tests for.
id	Identifies the object by either name or ID. If an ID is used, the value of typeName is ignored. This parameter cannot be null.

Return Values

This method returns:

true – object exists

null – object does not exist

testUser Method

testUser(LighthouseContext  s,

String id)

Description

Tests to see if a specified user exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree.

Table 4-30  testUser Parameters

Parameter	Description
s	Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
id	Identifies the user by either name or ID.This parameter cannot be null.

Return Values

This method returns:

true – user exists

null – user does not exist

hasCapability Method

hasCapability(LighthouseContext s, String capability)

throws WavesetException {

Description

Checks to see if the user has a specified capability (String). This method checks for a capability that is assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value.

Table 4-31  hasCapability Parameters

Parameter	Description
s	Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
capabilities	Identifies the capability that will be queried for.

Return Values

true – Indicates that the currently authenticated Identity Manager user has the specified capability.

false – Indicates that the current user does not have the specified capability.

hasCapabilities Method

hasCapabilities(LighthouseContext s, List capabilities)

throws WavesetException {

Description

Checks to see if the user has a list of specified capabilities (Strings). These capabilities can be assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value.

Table 4-32  hasCapabilities Parameters

Parameter	Description
s	Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>.
capabilities	Identifies the list of capabilities that will be queried.

Return Values

true – Indicates that the currently authenticated Identity Manager user has all the specified capabilities.

false – Indicates that the user does not have all the specified capabilities.

Additional Options

The following options are used by a subset of the FormUtil methods:

scopingOrg
conditions
current

scopingOrg

Used when two or more AdminRoles are assigned to a user. The value should be the name of an organization. This value specifies that the returned names should contain only ones that are available to organizations that are controlled by an AdminRole that controls the scopingOrg organization and is assigned to the logged-in user.

This option is typically used to ensure that when a user is creating or editing another user, the member organization of the user being edited determines which names (for example, Resourcenames) are available for assignment.

Using the scopingOrg Parameter

Set this attribute under these conditions:

The specified user is assigned more than one AdminRole
You want to ensure that when the administrator is creating or editing a user, the member organization of the user being created or edited determines which object names of the requested type are available for assignment.

For example, if an administrator were assigned both the Engineering AdminRole and Marketing AdminRole, and the administrator is editing a user who is a member of the Engineering organization, the Resources available for assigning to that user should be limited to those available to the organization(s) controlled by the Engineering AdminRole.

Implementing the scopingOrg Attribute

To implement the behavior described above, add the scopingOrg attribute to the waveset.resources field in the user form.

Reference the value of the current organization as follows:

<Field name='waveset.resources'>    <Display class='MultiSelect'>       <Property name='title' value='_FM_PRIVATE_RESOURCES'/>       <Property name='availableTitle'           value='_FM_AVAILABLE_RESOURCES'/>       <Property name='selectedTitle' value='_FM_SELECTED_RESOURCES'/>       <Property name='allowedValues'>          <invoke class='com.waveset.ui.FormUtil'            name='getUnassignedResources'>              <ref>:display.session</ref>                <map>                   <s>currentRoles</s>                   <ref>waveset.roles</ref>                   <s>currentResourceGroups</s>                   <ref>waveset.applications</ref>                   <s>current</s>                   <ref>waveset.original.resources</ref>                   <s>scopingOrg</s>                   <ref>waveset.organization</ref>                </map>          </invoke>       </Property>    </Display> </Field>

current

Specifies a list of names to be merged with those returned. For example, this is typically the list of selected names in a MultiSelect field to ensure that all selected names are in the MultiSelect’s list of available names.

conditions

This value can be specified in three ways:

Table 4-33  Values of conditions Attribute

Value Format	Description
Map	The <MapEntry> key is the name of a queryable attribute by this type of object and the second is the value an object of this type must have for the associated queryable attribute in order to be returned (the operator is assumed to be "equals"). If more than one attrname/value pairs are specified, they will be logically and'ed together. Example <Map>    <MapEntry key='memberObjectGroups' value='Top'/> </Map>
map	The first entry is the name of a queryable attribute supported by this type of object. The second entry is the value an object of this type must have for the associated queryable attribute to be returned (the operator is assumed to be "equals"). If more than one attrname/value pairs is specified, they will be logically and'ed together. Example <map>    <s>memberObjectGroups</s> <ref>waveset.organizations</ref> </map>
list	Lists AttributeCondition objects. If more than one AttributeCondition is specified, they will be logically and'ed together. Example <list>   <newclass= 'com.waveset.object.AttributeCondition'>      <s>MemberObjectGroups</s>      <s>equals</s>       <ref>waveset.organization</ref>   </new> </list>

Using the conditions Attribute

You can specify a list of one or more object type-specific query attribute conditions to filter the list of names returned by certain FormUtil methods. These methods include methods that take an options map as an argument.) You can specify these query attribute conditions as a query option whose key is conditions and whose value can be specified as either a map or list of AttributeConditions.

Examples: Using the condition Attribute to Filter Names

The following examples illustrate the use of the conditions attribute to apply additional filters to the list of names returned by a FormUtil method that takes an options map as an argument.

Example 1

<Field name='waveset.resources'>    <Display class='MultiSelect' action='true'> ...      <Property name='allowedValues'>        <invoke class='com.waveset.ui.FormUtil'          name='getUnassignedResources'>            <ref>:display.session</ref>                <map>                <s>currentRoles</s>                <ref>waveset.roles</ref>                <s>currentResourceGroups</s>                <ref>waveset.applications</ref>                <s>current</s>                <ref>waveset.original.resources</ref>                <s>conditions</s>                  <map>                <s>supportsContainerObjectTypes</s>                <s>true</s>                <s>type</s>                <s>LDAP</s>                  </map>                </map>        </invoke>      </Property>    </Display> </Field>

Example 2

<Field name='orgResource'>    <Display class='Select' action='true'>        ...       <Property name='allowedValues'>         <invoke class='com.waveset.ui.FormUtil'            name='getResourcesSupportingContainerObjectTypes'>            <ref>:display.session</ref>              <map>                 <s>conditions</s>                 <list>                    <new class='com.waveset.object.AttributeCondition'>                       <s>name</s>                       <s>starts with</s>                       <s>ldap</s>                    </new>                 </list>              </map>         </invoke>       </Property>    </Display> </Field>

Example 3

<Field name='accounts[Lighthouse].capabilities'>    <Display class='MultiSelect'>          ...      <Property name='allowedValues'>         <invoke class='com.waveset.ui.FormUtil'            name='getUnassignedCapabilities'>            <ref>:display.session</ref>            <ref>waveset.original.capabilities</ref>              <map>              <s>conditions</s>                <list>                   <new class='com.waveset.object.AttributeCondition'>                     <s>name</s>                     <s>starts with</s>                     <s>bulk</s>                   </new>                </list>              </map>         </invoke>      </Property>    </Display> </Field>

Supported Queryable Attribute Names

The list of supported queryable attribute names per object type are categorized as follows:

all object types
Account
AdminGroups
AdminRole
Configuration
Event
LoginApp
LoginModGroup
ObjectGroup
Policy
ResourceRole
WorkItem
User

Other queryable attribute names are defined in the UIConfig.xml (for example, firstname and lastname).

Table 4-34  All Object Types

Queryable Attribute	Description
authType	Specifies the authorization type, if applicable (for example, for Types such as Configuration or Rule)
id	Specifies the repository ID for this object
name	Identifies the name for this object
memberObjectGroups	Identifies the ObjectGroups that this object is available to or is a member of

Table 4-35  Account

Queryable Attribute	Description
accountId	Specifies the resource accountId
accountExists	Identifies whether account exists (true|false)
disabled	Indicates whether account is disabled (true|false)
discoveredSituation	Specifies the initial status that was discovered during reconciliation. Status includes confirmed and deleted.
owner	Specifies the repository ID of this user (userid is displayable name)
nativeGUID	Specifies the account GUID, if the resource supports this attribute
resource	Identifies the resource name
resourceId	Specifies the repository ID of this resource (resource is displayable name)
situation	Specifies account status after responses are applied to the discovered situation. Status includes confirmed, missing, deleted.
situationChanged	Specifies the date and time that the situation last changed.
typeString	Specifies the resource type (for example, LDAP)
userid	Uniquely identifies the Identity Manager user with which this account is associated

Table 4-36  AdminGroup

Queryable Attribute	Description
hidden	Identifies whether an AdminGroup is hidden from display
memberAdminGroups	Lists the AdminGroups that are directly assigned to this AdminGroup

Table 4-37  AdminRole

Queryable Attribute	Description
controlledObjectGroups	Lists the ObjectGroups that are controlled by this Admin Role
memberAdminGroups	Lists the AdminGroups that are assigned to this Admin Role
adminGroupsRule	Specifies the name of the capabilities rule
controlledObjectGroupsRule	Specifies the name of the controlled organizations rule

Table 4-38  Configuration

Queryable Attribute	Description
configType	Specifies the JAVA class name of the class that extends configuration (for example, UserUIConfig, UserForm)

Table 4-39  Event

Queryable Attribute	Description
eventType	Specifies the type of event to enable grouping events that are similar

Table 4-40  LoginApp

Queryable Attribute	Description
hidden	Identifies whether a LoginApp is hidden from display

Table 4-41  LoginModGroup

Queryable Attribute	Description
hidden	Identifies whether a LoginModGroup is hidden from display

Table 4-42  ObjectGroup

Queryable Attribute	Description
directoryJunction	Identifies whether the ObjectGroup is a directory junction (true|false)
displayName	Specifies the readable name of the object group’s user

Table 4-43  Policy

Queryable Attribute	Description
class	Identifies the JAVA class that implements this policy (for example, StringQualityPolicy)
typeString	Specifies the type of policy (for example, password or accountId)

Table 4-44  Resource

Queryable Attribute	Description
startupType	Indicates startupType. Includes disabled and automatic
supportsContainerObjectTypes	Indicates whether this resource supports container object types (true|false)
supportedObjectTypes	Lists supported object types (for example, group, ou, o, and domain)
supportsScanning	Indicates whether this resource supports scanning (true|false)
syncSource	Indicates whether this resource can be an Active Sync resource (true|false)
type	Identifies the resource type (for example, LDAP, AIX, or RACF)

Table 4-45  Role

Queryable Attribute	Description
role_resources	Lists the resources assigned to a role
role_approvers	Lists the approvers assigned to a role

Table 4-46  WorkItem

Queryable Attribute	Description
dirty
itemType	Defines the type of workitem (for example, approval or wizard)
owner	Identifies the user that owns this workitem
taskid	Identifies the repository ID of the taskinstance that created this workitem

Table 4-47  User

Queryable Attribute	Description
adminRoles	Specifies the list of AdminRoles assigned to this user
controlledObjectGroups	Lists (flattened) all ObjectGroups controlled by this user
correlationKey	Identifies the key that is used to identity users during bulk loads
dis	Specifies an integer that represents the current disabled state 0 indicates no accounts 1 indicates some are disabled 2 indicates all are disabled
lhdis	Indicates whether the Identity Manager user is disabled or not (true|false)
memberAdminGroups	Lists (flattened) all AdminGroups that are assigned to this user
prov	Specifies an integer that represents the current provisioning state 1 indicates that an update is needed 2 indicates OK
resourceAccountGuids	Lists resource account GUIDs that are assigned to this user (accountGUID@resourceId)
resourceAccountIds	Lists resource account IDs that are assigned to this user (accountId@resourceId)
role	List the roles that are assigned to this user
user_resources	Lists the resources that are assigned to this user

Supported Operators

equals or is
notEquals or is not
greaterThan or greater than
greaterThanOrEqualTo or not less than
lessThan or less than
lessThanOrEqualTo or not greater than
startsWith or starts with
endsWith or ends with
contains or contains'
isPresent or exists
notPresent'
isOneOf or is one of'
containsAll

Previous      Contents      Index      Next

---

Part No: 819-6131-10.   Copyright 2006 Sun Microsystems, Inc. All rights reserved.