Sun Java System Access Manager 7.1 Administration Guide

Access Manager Repository Attributes

The following attributes are used to configure an Access Manager Repository plug-in:

Class Name

Specifies the location of the class file which implements the Access Manager repository plug-in.

Access Manager Supported Types and Operations

Specifies the identity types and the operations that can be performed on them in this LDAP server. The default operations are the only operations supported by the LDAPv3 repository plug-in. The operations supported by the LDAPv3 Repository plug-in are:

You can remove permissions from the above list to match your LDAP server settings and the tasks you need, but you cannot add more permissions.

If the configured LDAPv3 Repository plug-in points to an instance of Sun Java System Directory Server, then permissions for the type role can be added. Otherwise, this permission must not be added, because other data stores may not support roles. The permission for the type role is:

If user is a supported type for the LDAPv3 repository, the read, create, edit, delete, and service operations are possible for that type. The read, create, edit, and delete operations allow you to read, create, edit, and delete user entries in the identity repository. The service operation (user=service) lets Access Manager services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If service is among the operations for the user type (user=service), all service-related operations are supported: assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes, and modifyService.
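The two rules above (operations may be removed from the default list but never added, and role may only be added when the data store is Sun Java System Directory Server) are easy to get wrong when editing the setting by hand. The following is an added example, not code from the Access Manager product or this guide: it checks a proposed Supported Types and Operations setting against those rules. The baseline list of default types and operations it carries is an assumption modelled on the user= line described in the text; copy the real defaults from your own console before relying on it.

```python
# Added example (not part of the Access Manager guide): validate a proposed
# "Supported Types and Operations" setting for the LDAPv3 repository plug-in.
from typing import Dict, List, Set

# ASSUMED baseline of default types and operations. Only the user= line is
# derived from the guide's text; the other entries are placeholders you should
# replace with the defaults shown in your own Access Manager console.
DEFAULT_OPERATIONS: Dict[str, Set[str]] = {
    "user": {"read", "create", "edit", "delete", "service"},
    "group": {"read", "create", "edit", "delete"},
    "agent": {"read", "create", "edit", "delete"},
    "realm": {"read", "create", "edit", "delete", "service"},
}

# Operations assumed for the role type, which may only be added when the
# data store is Sun Java System Directory Server.
ROLE_OPERATIONS: Set[str] = {"read", "create", "edit", "delete"}


def parse_supported(lines: List[str]) -> Dict[str, Set[str]]:
    """Parse 'type=op,op,...' lines (one per entry) into a type -> ops mapping."""
    result: Dict[str, Set[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed entry: {line!r}")
        typ, ops = line.split("=", 1)
        result[typ.strip()] = {o.strip() for o in ops.split(",") if o.strip()}
    return result


def validate_supported(lines: List[str], is_sun_ds: bool) -> List[str]:
    """Return a list of rule violations; an empty list means the setting is acceptable.

    Rules enforced:
      * no type or operation outside the default list may be added;
      * the role type is permitted only when is_sun_ds is True.
    """
    proposed = parse_supported(lines)
    problems: List[str] = []
    for typ, ops in proposed.items():
        if typ == "role":
            if not is_sun_ds:
                problems.append("role type requires Sun Java System Directory Server")
            extra = ops - ROLE_OPERATIONS
        elif typ in DEFAULT_OPERATIONS:
            extra = ops - DEFAULT_OPERATIONS[typ]
        else:
            problems.append(f"unknown type {typ!r} cannot be added")
            continue
        for op in sorted(extra):
            problems.append(f"{typ}={op} is not a supported operation and cannot be added")
    return problems


def removed_operations(lines: List[str]) -> Dict[str, Set[str]]:
    """Report which default operations a proposed setting drops (removal is allowed)."""
    proposed = parse_supported(lines)
    removed: Dict[str, Set[str]] = {}
    for typ, defaults in DEFAULT_OPERATIONS.items():
        missing = defaults - proposed.get(typ, set())
        if missing:
            removed[typ] = missing
    return removed


if __name__ == "__main__":
    # Constructed sample setting: trims user to read-only and adds role on a non-Sun store.
    sample = ["user=read", "role=read"]
    print(validate_supported(sample, is_sun_ds=False))
    print(removed_operations(sample))
```

Run it against the lines you intend to paste into the console; any reported violation corresponds to a change the plug-in will not honour.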

Organization DN Value

Defines the DN of the organization in the Directory Server to be managed by Access Manager. This DN is the base DN for all operations performed in the data store.

People Container Naming Attribute

Specifies the naming attribute of the people container, if users reside in a people container. Leave this field blank if users do not reside in a people container.

People Container Value

Specifies the value of the people container. The default is people.

Agent Container Naming Attribute

Specifies the naming attribute of the agent container, if agents reside in an agent container. Leave this field blank if agents do not reside in an agent container.

Agent Container Value

Specifies the value of the agent container. The default is agents.

Recursive Search

If enabled, searches performed in the Access Manager repository are recursive: they descend into the sub-realms beneath the specified base when looking for the requested identities. For example, a recursive search performed on the following data structure:

root
realm1
    subrealm11
        user5
    subrealm12
        user6
realm2
    user1
    user2
    subrealm21
        user3
        user4

will produce the following results:
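To make the effect of the Recursive Search setting concrete, the following is an added example, not code from Access Manager or this guide. It transcribes the realm tree shown above into a nested structure and compares a recursive search (which descends into sub-realms, in the manner of an LDAP subtree-scoped search) with a non-recursive one (which, as assumed here, behaves like a one-level search returning only the base realm's own users). The equivalence to LDAP search scopes is an assumption used to model the setting, not a statement from the guide.

```python
# Added example (not part of the Access Manager guide): model Recursive Search
# over the realm tree from the text. A realm is a dict of children; a user is
# a leaf stored as None.
from typing import Any, Dict, List

# The data structure from the text, transcribed into nested dicts.
REALM_TREE: Dict[str, Any] = {
    "root": {
        "realm1": {
            "subrealm11": {"user5": None},
            "subrealm12": {"user6": None},
        },
        "realm2": {
            "user1": None,
            "user2": None,
            "subrealm21": {"user3": None, "user4": None},
        },
    }
}


def find_realm(tree: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Locate a realm by name anywhere in the tree; raises KeyError if absent."""
    for key, child in tree.items():
        if isinstance(child, dict):
            if key == name:
                return child
            try:
                return find_realm(child, name)
            except KeyError:
                pass
    raise KeyError(name)


def search_users(tree: Dict[str, Any], base: str, recursive: bool) -> List[str]:
    """Return the users found under `base`.

    recursive=True  -> descend into every sub-realm (assumed subtree semantics).
    recursive=False -> only users directly in `base` (assumed one-level semantics).
    """
    realm = find_realm(tree, base)
    users: List[str] = []

    def walk(node: Dict[str, Any]) -> None:
        for key, child in node.items():
            if child is None:          # leaf: a user entry
                users.append(key)
            elif recursive:            # sub-realm: only followed when recursive
                walk(child)

    walk(realm)
    return sorted(users)


if __name__ == "__main__":
    for base in ("root", "realm1", "realm2"):
        print(base, "recursive:", search_users(REALM_TREE, base, True))
        print(base, "non-recursive:", search_users(REALM_TREE, base, False))
```

Note that with Recursive Search enabled, a lookup scoped to one realm can return identities that live in its sub-realms; if sub-realms are used to separate tenants or trust domains, confirm that this is the intended behaviour before enabling it.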

Copy Realm Configuration

When this attribute is enabled in a realm-mode installation, Access Manager creates an equivalent organization or sub-organization for each realm and sub-realm that exists in the repository. In addition, the services registered to each realm or sub-realm are registered to the newly created organization or sub-organization. Both the realm DIT and the organization DIT then exist within the data store.