Sun Java System Identity Manager 6.0 Workflows, Forms, and Views 2005Q4M3
5
Identity Manager Views
This chapter introduces Sun Java System Identity Manager views, which are data structures used in Identity Manager. It provides background for views, including an overview of how to implement views with Identity Manager workflows and forms as well as reference information.
Topics in this Chapter
This chapter contains the following sections:
Related Topics
Identity Manager Forms
Identity Manager Workflow
Understanding Identity Manager Views
An Identity Manager view is a collection of attributes that is assembled from one or more objects managed by Identity Manager. Views are transient, dynamic, and not stored in the repository. The data in a view can change if the view is refreshed to reflect a new role or resource assignment.
If you are using Identity Manager, you will encounter views primarily in forms and workflows. An Identity Manager form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable, series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules.
When working with views, it helps to first understand:
What Is a View?
The most important view is the user view, which contains the user attributes that are stored in Identity Manager and attributes that are read from accounts managed by Identity Manager. Some attributes in the user view are visible in the forms that are presented by the Identity Manager User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values.
For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user’s full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Identity Manager. Once approved (where approval is required), the system converts the user view back into one or more objects in the Identity Manager repository and sends the view to the resources assigned to the user to create or update the user’s resource accounts.
View Attributes
A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository, or read from resources. The value of a view attribute can be atomic such as a string, a collection such as a list, or a reference to another object.
Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false.
What Is a View Handler?
View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user.
Views and Forms
Identity Manager forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Identity Manager user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Identity Manager merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in, which typically results in the view being passed as input to a workflow process.
Views and Workflow
Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts.
Common Views
The following views are frequently used with both customized forms and workflows.
Using the Business Process Editor to Display Views
The Business Process Editor (BPE) application is a standalone, Swing-based Java application that provides a graphical view of Identity Manager forms, rules, workflows, and email templates. It also permits the display of view attributes for reference while you customize forms and rules.
Note Browsing views in the BPE will reveal both published, supported views and views implemented for internal use only.
To display information about views in the BPE:
The following sections provide specific information and procedures for each of these general steps.
Starting the Business Process Editor
To run the BPE, you must have:
To start the BPE on either Windows NT or UNIX:
- From a command line, change to the Identity Manager installation directory.
- Set environment variables with these commands:
set WSHOME=<Path_to_idm_directory>
set JAVA_HOME=<path_to_jdk>
Note If you are starting the BPE on a UNIX system, you must also enter
export WSHOME JAVA_HOME
- To start the BPE from the idm\bin directory:
lh config
The BPE interface appears.
Loading View Information
Unlike other objects that you can display and manipulate in the BPE, views are not objects in Identity Manager that you can access without specifying additional information. To display view information, you must specify the user or object whose information you want to display as well as the type of information.
To load view attributes:
- Select File > Open View from the menu bar. The Select View dialog opens.
- In the Type field, enter the name of the view type you want to display. (For example, enter User if you want to see the User View attributes associated with a particular user.) The most commonly used views are listed below this procedure in Commonly Used Views.
- In the Name field, enter the name of the user or object whose view attributes you want to display. Note: Enter the name of a user whose account information you have access to.
- Click OK. The right pane of the BPE displays the attributes for the specified user or object.
Commonly Used Views
You can enter one of the following view names in the Type field of the Open View dialog:
Getting Around in the Business Process Editor
Before you display a view, you should know how to enter information and make selections in the BPE.
The BPE interface includes a menu bar and dialogs for selections. The primary display is divided into two panes: the tree view and the diagram view.
Tree View
The tree view (in the left interface pane) shows a hierarchical view of a task, form, view, or rule. In the case of a view, it lists each attribute that belongs to the view.
Figure 1. BPE Tree View
Tree View Icons
Icons that display in the tree view represent the expanded and unexpanded elements of the view.
This icon…	Represents this process element…
(icon)	view or attribute that contains subattributes (unexpanded)
(icon)	attribute (with no subattributes)
(icon)	attribute (expanded)
Table 1. View Element Icons
Main Display of View Attribute Information
The right pane presents the main display of view attributes. View attributes are displayed in a property sheet style as shown below. You can use these for reference as you customize a form or rule.
Figure 2. Main Display of View Attribute Information
This display lists all attributes in the view for the selected user or object, including the following basic information about each attribute:
- Name — Identifies the name of the view attribute. Double-clicking on an attribute name in the main display opens the attribute popup window, which displays subattributes for this attribute.
- Type — Identifies the data type of the attribute. Valid data types include List, Object, and String.
- Value — Displays the current value of the attribute.
Note The BPE does not currently support editing view attributes.
Viewing Attribute Information: Attribute Dialog
Each view attribute has an associated dialog that describes the attribute’s primary characteristics.
You can display this dialog for any attribute by double-clicking the attribute name in either the tree view or main (diagram) view.
Figure 3. Attribute Popup Dialog
This attribute dialog contains the same type of attribute information that is presented in the main display (right pane). For example, double-clicking on the accountInfo attribute name in the display of attributes in the right-hand pane opens the accountInfo pop-up window.
Understanding the User View
The User view is the collection of attributes that contain information about an Identity Manager user, including:
The user view is most often used with forms that are designed for the pages that create or edit users. These pages launch workflow processes that store a changed user view until it is necessary to push the updated view information back out to Identity Manager and associated resources. While the user view is stored in a workflow process, the workflow process can manipulate attribute values through workflow actions. Workflow can also expose attribute values for user input through manual actions and approval forms.
How the User View Is Integrated with Forms
The user view is often used in conjunction with a form. Forms contain rules that control how data is presented through HTML fields and is processed after the HTML page rendering the form is submitted. A system component called the form generator combines a form definition and a view to produce HTML that a browser then displays.
View attribute values are displayed by assigning them to an HTML component in the form. (See HTML Display Components for more information on how view attributes can be displayed.)
Views are implemented as instances of the GenericObject class. This class provides a mechanism for the representation of name/value pairs and utilities for traversing complex hierarchies of objects through path expressions. A path expression is a string that is interpreted at runtime to traverse an object hierarchy and retrieve or assign the value of an attribute.
You must understand how to write path expressions to assign valid form field names. For more information on using path expressions, refer to the section titled Path Expressions.
How the User View Is Integrated with Workflow
Workflow processes that contain a user view typically store it in a workflow variable named user. You can reference a view in the workflow expressions by prefixing user to a user view path (for example, user.waveset.accountId). The string waveset identifies the attribute named accountId as belonging to another object named waveset, which itself belongs to the user view object.
Approval forms are written for a view known as the WorkItem view. The WorkItem view by default contains all the workflow variables under an attribute named variables. If the approval form is written for a workflow that contains a user view, the prefix variables.user. is used to reference attributes in the user view (for example, variables.user.waveset.roles). See WorkItem View later in this chapter for more information.
Generic Object Class
At a high level, objects are simply named collections of attributes, which are name/value pairs. The value of an attribute can be an atomic value such as a string, a collection such as a list, or a reference to another object. You can represent almost any object abstractly with the Map, List, and String Java classes.
Within the Identity Manager system, the GenericObject class provides a simple memory model for the representation of arbitrary objects and collections. It includes features for easily navigating object hierarchies to access or modify attribute values.
The GenericObject class implements the java.util.Map interface and internally uses a java.util.HashMap to manage a collection of name/value pairs. The entries in this map are called attributes. The value of an attribute can be any Java object that is able to serialize itself as XML. The most common attribute values found in a GenericObject are instances of the following classes:
You can construct complex hierarchies of objects by assigning Lists or GenericObjects as attribute values. Once you have assigned attribute values, you traverse this hierarchy to access the values of an attribute.
Path Expressions
A path expression is a string that is interpreted at runtime by the GenericObject class to traverse an object hierarchy and retrieve or assign the value of an attribute. Identity Manager uses a system of dots and brackets to represent objects and attributes in the hierarchy.
You use path expressions as the value of the name attribute in form fields when customizing a form (for example, <Field name='user.waveset.roles'/>).
Traversing Objects
The following simple example illustrates a GenericObject with two attributes:
To create a path expression to the street attribute of the address object, use address.street.
Path expressions use the dot character (.) to indicate traversal from one object to another. This is similar to the way dot is used in Java or the '->' operator is used in C. Paths can be long, as illustrated by this example:
user.role.approver.department.name
Traversing Lists
You can also use path expressions to traverse values that are lists. Consider an object that has an attribute children whose value is a java.util.List. Each object in the list is itself a GenericObject with a name attribute and an age attribute. Write the path to the name of the first child as:
children[#0].name
Path expressions use square brackets to indicate the indexing of a list. The token between brackets is the index expression. In the simplest case, this is the # character followed by an integer that indexes the list by element position, starting from zero.
Typically, the position of an object in a list is arbitrary. Index expressions can also specify simple search criteria to identify one object in the list. Objects in a list typically have a name attribute, which serves to uniquely identify this object among its peers. Path expressions support an implicit reference to an object's name attribute within the index expression.
For example:
children[hannah].age
The preceding path expression obtains the list of objects stored under the children attribute. This list is searched until an object with a name attribute equal to hannah is found. If a matching object is found, the value of the age attribute is returned. The previous example is shorthand for the more general form:
children[name=hannah].age
Calculating Lists
You can also write path expressions that calculate List values that are not stored in the object. For example:
accounts[*].name
When an asterisk is found as an index expression, it implies an iteration over each element of the list. The result of the expression is a list that contains the results of applying the remaining path expression to each element of the list. In the previous example, the result would be a list of String objects. The strings would be taken from the name attribute of each object in the accounts list.
Path expressions with * (asterisk) are commonly used with the FieldLoop construct in forms to replicate a collection of fields.
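As an added illustration (not code from Identity Manager or its GenericObject class), the following Python sketch re-implements the path expression rules described in this section: dot traversal, positional #n indexes, the [value] shorthand for [name=value], [*] iteration, and assignment through a path. The sample view data is constructed for the example.

```python
import re
from typing import Any

# Constructed sample view modelled on the chapter's examples: a dict stands
# in for a GenericObject and a list for a java.util.List (not product data).
USER_VIEW: dict = {
    "address": {"street": "1 Main St", "city": "Springfield"},
    "children": [
        {"name": "hannah", "age": 7},
        {"name": "jacob", "age": 4},
    ],
    "accounts": [
        {"name": "Lighthouse", "fullname": "Hannah Smith"},
        {"name": "Exchange Server", "Profile": "Standard"},
    ],
    "waveset": {"accountId": "hsmith", "roles": ["Employee"]},
}

# One path segment: an attribute name followed by zero or more [...] indexes.
_SEGMENT = re.compile(r"([^\[\]]*)((?:\[[^\]]*\])*)")

def parse_path(path: str) -> list:
    """Split a path into (attribute, [index expressions]) steps."""
    # A dot separates segments only outside brackets, so an index value such
    # as [Exchange Server] or [name=a.b] is kept intact.
    segments, buf, depth = [], "", 0
    for ch in path:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            segments.append(buf)
            buf = ""
        else:
            buf += ch
    segments.append(buf)
    steps = []
    for seg in segments:
        m = _SEGMENT.fullmatch(seg)
        if not m or not m.group(1):
            raise ValueError(f"malformed segment {seg!r} in path {path!r}")
        steps.append((m.group(1), re.findall(r"\[([^\]]*)\]", m.group(2))))
    return steps

def _index(lst: list, expr: str) -> Any:
    """Apply one bracketed index expression to a list."""
    if expr.startswith("#"):                 # #n: absolute, zero-based position
        pos = int(expr[1:])
        return lst[pos] if 0 <= pos < len(lst) else None
    attr, sep, wanted = expr.partition("=")  # [attr=value]: search the list
    if not sep:                              # [value] is shorthand for [name=value]
        attr, wanted = "name", expr
    for elem in lst:
        if isinstance(elem, dict) and str(elem.get(attr)) == wanted:
            return elem
    return None                              # no match: treated as absent

def _resolve(value: Any, steps: list) -> Any:
    if not steps:
        return value
    (name, indexes), rest = steps[0], steps[1:]
    if name is not None:
        value = value.get(name) if isinstance(value, dict) else None
    for i, expr in enumerate(indexes):
        if not isinstance(value, list):
            return None
        if expr == "*":
            # [*]: apply the rest of the path to every element, collect a new list
            tail = [(None, indexes[i + 1:])] + rest
            return [_resolve(elem, tail) for elem in value]
        value = _index(value, expr)
    return _resolve(value, rest)

def get_path(view: dict, path: str) -> Any:
    """Evaluate a path expression, e.g. get_path(v, 'children[hannah].age')."""
    return _resolve(view, parse_path(path))

def set_path(view: dict, path: str, new_value: Any) -> dict:
    """Assign to the plain attribute a path names; returns the view."""
    # Missing intermediate objects on plain-attribute steps are created, the
    # way a form field named global.workPhone populates the global object.
    steps = parse_path(path)
    container: Any = view
    for name, indexes in steps[:-1]:
        nxt = container.get(name) if isinstance(container, dict) else None
        if nxt is None and not indexes and isinstance(container, dict):
            nxt = container[name] = {}
        for expr in indexes:
            nxt = _index(nxt, expr) if isinstance(nxt, list) else None
        if nxt is None:
            raise KeyError(f"no object at {name!r} while assigning {path!r}")
        container = nxt
    last_name, last_indexes = steps[-1]
    if last_indexes or not isinstance(container, dict):
        raise ValueError(f"{path!r} does not end in a plain attribute")
    container[last_name] = new_value
    return view
```

Paths that do not resolve (an out-of-range #n, an unmatched [value]) evaluate to None rather than raising, mirroring the chapter's rule that an omitted attribute is treated as absent.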
User View Attributes
Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Identity Manager system.
Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.
MetaView Attributes
If your deployment uses Identity attributes, Identity Manager creates an additional namespace in the User view. This additional namespace, called metaView, contains identity attribute-related information. Identity Manager creates this MetaView object to store meta view/identity attribute information in the Identity Manager repository.
For each Identity attribute that is defined, there is an attribute in the metaView namespace that contains the value of this attribute. For example, for the firstname, lastname, and waveset.roles Identity attributes, the User view has corresponding attributes called metaView.firstname, metaView.lastname, and metaView.waveset.roles that contain the calculated values for each of these attributes.
For more information, see Working with Attributes in the Identity Manager Technical Deployment Overview.
Introduction
Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested.
The user view contains the attributes described in the following table, which are further defined in subsequent sections.
Table 2. Top-Level User View Attributes
When you design a form, the field names are typically paths into the user view's waveset, global, and accounts attributes (for example, global.firstname).
Selecting the Appropriate Variable Namespaces
The user view provides several namespaces for deriving account-related information. The following table summarizes these variable namespaces.
Table 3. Account-Related User View Attributes
Referencing Attributes
Within a form, you can reference attributes in two ways:
- Use the name attribute of a Field element by adding the complete attribute pathname as follows:
<Field name='waveset.accountId'>
For more information on setting the Field name element in a form field, see the chapter titled Identity Manager Forms.
- Reference an attribute from within another field:
<Expansion>
<concat>
<ref>global.firstname</ref><s> </s>
<ref>global.lastname</ref>
</concat>
</Expansion>
Within workflow, you can reference Field attributes as process variables (that is, variables that are visible to the workflow engine) or in XPRESS statements for actions and transitions. When referencing these attributes in workflow, you must prefix the path with the name of the workflow variable where the view is stored (for example, user.waveset.accountId).
Attributes with Transient Values
You can define fields that store values at the top-level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Identity Manager repository or propagated to a resource account.
For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code, p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.
In general, use the top-level field syntax if you are:
Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.
<Field name='p1' required='true'>
<Display class='Text'>
<Property name='title' value='Work Phone Number'/>
<Property name='size' value='3'/>
<Property name='maxLength' value='3'/>
</Display>
</Field>
<Field name='p2' display='true' required='true'>
<Display class='Text'>
<Property name='rowHold' value='true'/>
<Property name='noNewRow' value='true'/>
<Property name='size' value='3'/>
<Property name='maxLength' value='3'/>
</Display>
</Field>
<Field name='p3' display='true' required='true'>
<Display class='Text'>
<Property name='rowHold' value='true'/>
<Property name='noNewRow' value='true'/>
<Property name='size' value='4'/>
<Property name='maxLength' value='4'/>
</Display>
</Field>
<Field name='global.workPhone' required='true' hidden='true'>
<Expansion>
<concat>
<ref>p1</ref>
<s>-</s>
<ref>p2</ref>
<s>-</s>
<ref>p3</ref>
</concat>
</Expansion>
</Field>
waveset Attribute
The waveset attribute set contains the information that is stored in a WSUser object in the Identity Manager repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form but are provided so that Identity Manager can fully represent all information in the WSUser object in the view.
Most Commonly Used Attributes
Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.
Table 4. Most Commonly Used Attributes of the waveset Attribute (User View)
waveset.accountId
Specifies the visible name of the Identity Manager user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Identity Manager account.
For information on renaming a user, see Identity Manager Administration.
waveset.applications
Contains a list of the names of each application (also called resource group in the Identity Manager user interface) assigned directly to the user. This does not include applications that are assigned to a user through a role.
waveset.attributes
Collection of arbitrary attributes that is stored with the WSUser in the Identity Manager repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:
waveset.attributes.fullname
or
accounts[Lighthouse].fullname
Note You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the attribute is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the accounts[Lighthouse] attribute for an example of how to extend the extended user attributes.
waveset.correlationKey
Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.
waveset.creator
Contains the name of the administrator that created this user.
This attribute is read-only.
waveset.createDate
Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z
Example
05/21/02 14:34:30 CST
This attribute is set once only and is read-only.
waveset.disabled
Contains the disabled status of the Identity Manager user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string.
You can modify this attribute to enable or disable the Identity Manager user, although it is more common to use the global.disable attribute. (Prepending global. to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Identity Manager.)
Once this value becomes true, the user cannot log in to the Identity Manager user interface.
waveset.email
Specifies the email address stored for a user in the Identity Manager repository. Typically, it is the same email address that is propagated to the resource accounts.
Modifications to this attribute apply to the Identity Manager repository only. If you want to synchronize email values across resources, you must use the global.email attribute.
You can modify this attribute.
waveset.exclusions
Lists the names of the resources that will be excluded from provisioning, even if the resource is assigned to the user through a role, resource group, or directly.
waveset.id
Identifies the repository ID of the Identity Manager user object. Once the user has been created in Identity Manager, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null).
Example
The following example shows an XPRESS statement that tests to see if waveset.id is null:
<isnull><ref>waveset.id</ref></isnull>
waveset.lastModDate
Contains the date at which the last modification was made. It represents the date as the number of milliseconds since midnight, January 1, 1970 GMT. This attribute is updated each time a user account is modified.
This attribute is read-only.
waveset.lastModifier
Contains the name of the administrator or user that last modified this user account.
This attribute is read-only.
waveset.lock
Indicates whether the user is locked. A value of true indicates that the user is locked.
waveset.lockExpiry
Specifies when the user lock expires if the user's Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time.
waveset.organization
Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization.
Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison.
waveset.original
Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records.
Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are:
To reference these attributes, prepend waveset.original. to the attribute name (for example, waveset.original.role).
password
Specifies the Identity Manager user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string.
The password attribute set contains the attributes described in the following table.
Table 5. Attributes of the password Attribute (User View)
waveset.passwordExpiry
Contains the date on which the Identity Manager password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm/dd/yy.
waveset.passwordExpiryWarning
Contains the date on which warning messages will start being displayed whenever the user logs into the Identity Manager User Interface. This is typically a date prior to the waveset.passwordExpiry date in the same format (mm/dd/yy).
waveset.questions
Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes.
The waveset.questions attribute set contains the attributes described in the following table.
Table 6. waveset.questions Attributes (User View)
The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names.
For example, the path waveset.questions[#1].question addresses the second element of the questions list (list indexes start from zero). However, the question whose ID is 1 is not necessarily the second element (it might, for instance, be the only question in the list), so the ID is not suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID (in this example, Q1). The path waveset.questions[Q1].question then always correctly addresses the question.
waveset.resources
Contains a list of the names of each resource assigned directly to the user. This does not include resources that are assigned to a user through a role or through applications. For a way to find all resources that are assigned to a user, see the section on the accountInfo attribute.
waveset.roles
Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles.
Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.
accounts Attribute
The accounts attribute contains a list of objects for each account linked to the Identity Manager user. Each account object contains the values of the account attributes retrieved from the resource.
The name of each account object is typically the name of the associated resource. If more than one account exists for a given resource, the object names take a suffix of the form |n where n is an integer. The first account on a resource has no suffix. The second account has the suffix |2. The third account on a resource has |3, etc.
For example, if you have a resource named Exchange Server that defines an account attribute named Profile, the view path to this attribute would be:
accounts[Exchange Server].Profile
If this view path were used in a form field, it would prevent the value of the global.Profile attribute from being propagated to the Exchange Server account.
Note You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources.
Overriding Resource Attributes
In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Identity Manager, and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server, or the base context in a directory.
You may want to create an account on a resource, but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be overridden on a per-account basis in the view.
Resource attribute overrides are stored in the account object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path:
accounts[Exchange Server].resourceAttributes.host
Note Although overriding resource attributes is not recommended, sometimes you cannot avoid it. You might choose to override a resource attribute to avoid creating duplicate resources that point to the same physical resource but differ by one attribute. For example, in a customer environment that has multiple Exchange 5.5 servers, it may make more sense to override the resource attribute Exchange Server in the form than to create a new resource. Contact your Identity Manager support representative for more information.
accounts[Lighthouse]
Sets the values of only the attributes stored in the Identity Manager repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Identity Manager repository, changes to this attribute are not automatically propagated to resources.
The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The system ignores any name found in this set of attributes that is not registered in the configuration object.
The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset.attribute set.
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- id="#ID#Configuration:UserExtendedAttributes" name="User Extended Attributes"-->
<Configuration id='#ID#Configuration:UserExtendedAttributes' name='User Extended Attributes' creator='Configurator' createDate='1019603369733' lastMod='2' counter='0'>
  <Extension>
    <List>
      <String>firstname</String>
      <String>lastname</String>
      <String>fullname</String>
      <!-- add string values here -->
      <String>SSN</String>
    </List>
  </Extension>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Configuration>
This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.
accounts[Lighthouse].properties
The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Identity Manager repository. Properties can then be used in forms and workflows. A property is similar in some ways to an Extended User Attribute, but it is not limited to primitive data types such as strings or integers.
Identity Manager defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list.
Sample Use
You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml.
The field that displays the deferred task table is named Deferred Tasks. After modifying the waveset.properties attribute, the deferred task table is now referenced by the default Tabbed User Form. If any deferred tasks exist, the table will be displayed at the bottom of the Identity tab panel.
accounts[Lighthouse].viewUserForm
Used to display a view-only User form. This view-only form displays field information as Labels, to ensure that the administrator cannot change values, although he can list, view, and search on this user information. (The administrator selects a user from the accounts list, then clicks View to see user details.)
accounts[<resource>].properties
Used to store account properties in the Identity Manager repository. Use this attribute if you have some information about the account -- for example the date it was created -- that cannot be stored as a native account attribute on the resource.
global Attribute
You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts (including Identity Manager). The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Identity Manager repository if there is an extended attribute with the same name.
For example, two resources R1 and R2 define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname.
You can also use global attributes to assign extended attributes that are stored in the Identity Manager repository. If a global attribute is also declared as an extended Identity Manager attribute, it is copied into accounts[Lighthouse].
Note Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems.
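The following Python model is added here to illustrate the two save-time rules described above; it is not Identity Manager code. It parses a copy of the sample Extended User Attributes Configuration, copies global attributes into every account whose schema map defines the name (and into accounts[Lighthouse] for registered extended attributes), leaves an explicitly set account attribute such as accounts[Exchange Server].Profile untouched, drops unregistered names from accounts[Lighthouse], and produces the change list the save step would compare against waveset.attributes. The schema maps and view contents are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the sample Extended User Attributes Configuration
# shown above, trimmed to the elements the rule depends on.
EXTENDED_ATTRS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<Configuration id='#ID#Configuration:UserExtendedAttributes' name='User Extended Attributes'>
  <Extension>
    <List>
      <String>firstname</String>
      <String>lastname</String>
      <String>fullname</String>
      <String>SSN</String>
    </List>
  </Extension>
</Configuration>
"""

# Constructed schema maps: resource name -> account attribute names on its schema map.
SCHEMA_MAPS = {
    "R1": {"accountId", "firstname", "fullname"},
    "R2": {"accountId", "fullname"},
    "Exchange Server": {"accountId", "fullname", "Profile"},
}


def allowed_extended_attributes(config_xml):
    """Return the attribute names registered under Extension/List."""
    root = ET.fromstring(config_xml)
    return {s.text.strip() for s in root.findall("./Extension/List/String") if s.text}


def propagate_global(view, schema_maps, allowed_extended):
    """Save-time rule for the global attribute set.

    Every global attribute is copied to each resource account whose schema
    map defines that name, and to accounts[Lighthouse] when the name is a
    registered extended attribute. A value already present on the account
    path (for example set by a form field on accounts[Exchange Server].Profile)
    is kept, which is how an account-specific field blocks propagation.
    """
    accounts = view.setdefault("accounts", {})
    for name, value in view.get("global", {}).items():
        for resource, schema in schema_maps.items():
            if name in schema:
                accounts.setdefault(resource, {}).setdefault(name, value)
        if name in allowed_extended:
            accounts.setdefault("Lighthouse", {}).setdefault(name, value)
    return view


def filter_lighthouse(view, allowed_extended):
    """Drop names in accounts[Lighthouse] that the configuration does not
    register. Returns the dropped names so a form author can spot a field
    that silently never reaches the repository."""
    lighthouse = view.get("accounts", {}).get("Lighthouse", {})
    dropped = sorted(n for n in lighthouse if n not in allowed_extended)
    for n in dropped:
        del lighthouse[n]
    return dropped


def audit_changes(waveset_attributes, lighthouse_account):
    """Model of the comparison made when the view is saved: every name whose
    value differs between waveset.attributes and accounts[Lighthouse],
    as (name, old, new)."""
    names = sorted(set(waveset_attributes) | set(lighthouse_account))
    return [(n, waveset_attributes.get(n), lighthouse_account.get(n))
            for n in names
            if waveset_attributes.get(n) != lighthouse_account.get(n)]


if __name__ == "__main__":
    allowed = allowed_extended_attributes(EXTENDED_ATTRS_XML)
    view = {
        "global": {"firstname": "Ann", "fullname": "Ann Lee", "Profile": "Default", "badge": "42"},
        "accounts": {"Exchange Server": {"Profile": "Exec"}, "Lighthouse": {"badge": "42"}},
    }
    propagate_global(view, SCHEMA_MAPS, allowed)
    print("dropped from accounts[Lighthouse]:", filter_lighthouse(view, allowed))
    print("audit:", audit_changes({"firstname": "Ann", "fullname": "Ann Li"},
                                  view["accounts"]["Lighthouse"]))
```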
Referencing Two Different Fullname Attributes
The global attribute can be used in combination with the account attribute for the same attribute name. For example, on an Active Directory resource, the structure of the fullname is lastname, firstname. But all other resources that have a fullname use firstname lastname.
The following example shows how you can reference these two fields in a form.
<Field name='global.fullname'>
  <Expansion>
    <concat>
      <ref>global.firstname</ref><s> </s>
      <ref>global.lastname</ref>
    </concat>
  </Expansion>
</Field>
<Field name='accounts[ActiveDir].fullname'>
  <Expansion>
    <concat>
      <ref>global.lastname</ref><s>, </s>
      <ref>global.firstname</ref>
    </concat>
  </Expansion>
</Field>
In the preceding example, creating a new user works as expected. However, when you load the user, the fullname attribute from the Active Directory resource can be used to populate the global.fullname field.
A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:
<Field name='global.fullname'>
  <Derivation>
    <or>
      <ref>accounts[LDAP res].fullname</ref>
      <ref>accounts[NT res].fullname</ref>
    </or>
  </Derivation>
  <Expansion>
    <concat>
      <ref>global.firstname</ref><s> </s>
      <ref>global.lastname</ref>
    </concat>
  </Expansion>
</Field>
By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the NT resource.
accountInfo Attribute
Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:
Most account information is stored in the accountInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use this name to index the account list attribute.
For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role.
<FieldLoop for='name' in='accountInfo.fromRole'>
  <Field name='accountInfo.accounts[$(name)].name'>
    <Display class='Label'/>
  </Field>
</FieldLoop>
The following table shows the accountInfo view attributes, which describe characteristics about the user.
Table 7. accountInfo Attributes (User View)
accountInfo.accounts
Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource.
Example
accountInfo.accounts[Microsoft Exchange].type
Objects found in the accountInfo.accounts list have the following attributes, as defined in the following table.
Table 8. accountInfo.accounts. Attributes (User View)
accountInfo.accounts[ ].attributes[ ]
Contains information about all the account attributes defined by this resource. These attributes are listed on the schema map page of the resource. The value of the attribute is a List of objects.
The following table defines the attributes that these objects contain.
Table 9. accountInfo.accounts. Attributes (User View)
If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.
accountInfo.accounts[].passwordPolicy
A resource can be assigned a password policy. If a resource has an assigned password policy, the value of this attribute will contain information about it.
The following table defines the attributes in the accountInfo.accounts[resname].passwordPolicy.
Table 10. accountInfo.accounts[resname].passwordPolicy Attributes (User View)
Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map.
Forms that provide an interface for changing and synchronizing passwords often use this information.
accountInfo.accounts[Lighthouse]
This special entry in the accountInfo list is used to hold information about the Identity Manager default password policy. This is convenient when displaying password forms since information about the Identity Manager password and policies must be displayed along with the information for resource accounts.
This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.
accountInfo Resource Name Lists
The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics.
The accountInfo attributes that can contain resource names are:
accountInfo.assigned
Identifies the resources that are assigned to the user. If you are designing a form, you can call this attribute to display a list of resources that are assigned from the role, applications, and that are directly assigned to a user.
accountInfo.typeNames
A list of unique type names for every assigned resource. This is commonly used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected.
Example
<Field name='HomeDirectory' prompt='Home Directory'>
  <Display class='Text'/>
  <Disable>
    <not>
      <contains>
        <ref>accountInfo.typeNames</ref>
        <s>Solaris</s>
      </contains>
    </not>
  </Disable>
</Field>
This returns the same information as the path accountInfo.types[*].name but is more efficient, which is important when used with Disable expressions. This list can include common resource types.
You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator Interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountInfo.types
This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List (objects).
The following table shows the attributes that belong to each object.
Attribute | Description
accounts | List of accountIds for each account assigned to the user that is of this type
name | Resource type name
Table 11. accountInfo.types Attributes (User View)
For example, you can determine a list of IDs for all UNIX accounts with the following path: accountInfo.types[Unix].accounts
display Attribute
The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing.
The following table shows the most commonly used display view attributes.
Table 12. Most Commonly Used display Attributes (User View)
Default itemType Behavior
Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem.
When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab:
Overriding Default Behavior
You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form as follows:
<Form ......>
  <Properties>
    <Property name='allowedWorkItemTransitions'>
      <list>
        <s>myCustomType</s>
      </list>
    </Property>
  </Properties>
</Form>
Deferred Attributes
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
When to Use Deferred Attributes
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
Using Deferred Attributes
There are two main steps to defining a deferred attribute:
- Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
- Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario in which the following two resources are created: 1) a resource named LDAP that generates a uid attribute when an account is created; 2) a resource named HR, which contains an attribute named directoryid, whose value is to be the same as uid in the LDAP resource.
The following form fields set the necessary view attributes to define this association.
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Expansion><s>LDAP</s></Expansion>
</Field>
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Expansion><s>uid</s></Expansion>
</Field>
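The following Python model is added to show how the provisioning engine resolves the LDAP/HR scenario above; it is not Identity Manager or adapter code. It builds the view from the same deferredAttributes paths the form fields set (the path helper also handles the |n account suffix described under the accounts attribute), creates accounts in Resource Group order, takes the source value from the _resultsAttributes the adapter returns, falls back to fetching the account when the adapter does not report it, and fails when the Resource Group order would create HR before LDAP. The Adapter class and account data are constructed stand-ins; the GUID special case is not modelled.

```python
import itertools
import re

_SEGMENT = re.compile(r"([^.\[\]]+)(?:\[([^\]]+)\])?")


def set_view_path(view, path, value):
    """Set a value in a nested dict by Identity Manager view path.

    accounts[HR].deferredAttributes.directoryid.resource becomes the key
    chain accounts -> HR -> deferredAttributes -> directoryid -> resource.
    A bracket index is taken literally, so accounts[Exchange Server|2]
    addresses the second account on that resource.
    """
    keys = []
    for name, index in _SEGMENT.findall(path):
        keys.append(name)
        if index:
            keys.append(index)
    node = view
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value
    return view


class Adapter:
    """Constructed stand-in for a resource adapter (not a real adapter class).

    `generates` names an attribute the resource assigns on create, such as
    an LDAP uid; `returns_results` says whether realCreate reports it back
    in ResourceInfo._resultsAttributes.
    """

    def __init__(self, name, generates=None, returns_results=True):
        self.name = name
        self.generates = generates
        self.returns_results = returns_results
        self.store = {}      # accountId -> attributes held on the resource
        self.fetches = 0     # how often the engine had to read the account back
        self._seq = itertools.count(1000)

    def real_create(self, account_id, attrs):
        attrs = dict(attrs)
        if self.generates:
            attrs[self.generates] = f"{account_id}-{next(self._seq)}"
        self.store[account_id] = attrs
        return dict(attrs) if self.returns_results else {}

    def get_account(self, account_id):
        self.fetches += 1
        return dict(self.store[account_id])


class DeferredAttributeError(Exception):
    """The deferred attribute names a source account that has not been
    created yet, which means the Resource Group is not ordered correctly."""


def provision(view, adapters, resource_group_order):
    """Create the accounts in Resource Group order, substituting deferred
    attributes immediately before each adapter call."""
    results = {}  # resource -> _resultsAttributes returned by realCreate
    for resource in resource_group_order:
        account = dict(view["accounts"][resource])
        deferred = account.pop("deferredAttributes", {})
        for attname, spec in deferred.items():
            src_res, src_att = spec["resource"], spec["attribute"]
            if src_res not in results:
                raise DeferredAttributeError(
                    f"{resource}.{attname} needs {src_res}.{src_att}, "
                    f"but {src_res} has not been created yet")
            src_attrs = results[src_res]
            if src_att not in src_attrs:
                # The adapter did not report the value, so the engine fetches
                # the account, which is the slower path the text describes.
                src_attrs = adapters[src_res].get_account(view["accounts"][src_res]["accountId"])
            account[attname] = src_attrs[src_att]
        results[resource] = adapters[resource].real_create(account["accountId"], account)
    return results


def build_view():
    """The two form fields above, expressed as view path assignments."""
    view = {}
    set_view_path(view, "accounts[LDAP].accountId", "alee")
    set_view_path(view, "accounts[HR].accountId", "alee")
    set_view_path(view, "accounts[HR].deferredAttributes.directoryid.resource", "LDAP")
    set_view_path(view, "accounts[HR].deferredAttributes.directoryid.attribute", "uid")
    return view


if __name__ == "__main__":
    adapters = {"LDAP": Adapter("LDAP", generates="uid"), "HR": Adapter("HR")}
    print(provision(build_view(), adapters, ["LDAP", "HR"]))
```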
Debugging the User View
When debugging the User view, you might find it useful to dump the contents of the view into a new file. To create a dump file, add the following Derivation statement to the User view:
<Field name='DumpView'>
  <Derivation>
    <invoke name='dumpFile'>
      <ref>form_inputs</ref>
      <s>c:/temp/view.xml</s>
    </invoke>
  </Derivation>
</Field>
This Derivation expression invokes the dumpFile method, which generates the file after the User form is displayed for the first time. The form_inputs variable is automatically bound to the view that is being used with this form.
In the preceding example, the String argument to the dumpFile method is a file system path, where you substitute a valid path for c:/temp/view.xml.
Account Correlation View
Used to search for users correlating to a specified account (or account attributes). This view is used as part of the account reconciliation process.
This view contains the root attributes listed below. The values of these attributes are GenericObjects. The new ID is <account_name>@<resource_name>
Attribute | Description
correlation | Contains information about how correlation should be done
matches | Contains the result of the correlation
The correlation request is executed on both the view get operation and refresh request. In the case of a refresh, the request specified in the view is used (with the exception of accountId and resource, as these values are overridden by the view ID). In the case of a get request, view options of the same name as the view attribute (for example, correlator) can be used to specify the view-supplied portion of the request.
Note accountAttributes, when provided as a view option, can be supplied as a WSUser (as returned by resource adapter methods) or as a GenericObject.
Correlation
accountId
Specifies the name of the account to correlate. This is automatically obtained from the view ID.
accountGUID
Specifies the GUID of the account to correlate. Required only if accountId and resource cannot clearly and unambiguously identify the resource.
resource
Specifies the name of the resource where the account resides. This value is automatically obtained from the view ID.
accountAttributes
Specifies the attributes of the account. If present, the viewer will not fetch the current account attributes to pass to the correlation/confirmation rules. Instead, these attributes will be passed in.
correlator
Specifies the correlation rule to use. If not present, the correlation rule specified by reconciliation policy for the resource will be used. If present, but null, no correlation rule is used.
confirmer
Specifies the confirmation rule to use. If not present, the confirmation rule specified by reconciliation policy for the resource will be used. If present, but null, no confirmation rule is used.
The lists under matches consist of GenericObjects that contain the summary attributes of users.
claimant
Lists claimants that are calculated independently of the correlation algorithm, so claimants may also appear in another of the lists. Claimant discovery can be disabled by setting ignoreClaimants to true in the view options. A user claims an account if it has a ResourceInfo explicitly referencing the account.
correlated
Lists the users who were correlated to the resource account.
unconfirmed
Lists users who were selected by the correlation rule, but were rejected by the confirmation rule. This list is only present if the includeUnconfirmed is set to true in the view options.
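The following Python model is added to show how the matches attribute is assembled from the correlation request described above; it is not Identity Manager code. The users, the correlation rule (match on surname) and the confirmation rule (mail address must also match) are constructed, and the correlator and confirmer arguments follow the view option semantics: not present means the reconciliation policy rule is used, present but None means no rule is applied.

```python
_UNSET = object()  # option not present: fall back to the reconciliation policy rule

# Constructed Identity Manager users. resourceInfo models the ResourceInfo
# objects that explicitly reference an account, as (resource, accountId).
USERS = {
    "alee": {"lastname": "Lee", "email": "alee@example.com", "resourceInfo": {("AD", "alee2")}},
    "blee": {"lastname": "Lee", "email": "blee@example.com", "resourceInfo": set()},
    "cray": {"lastname": "Ray", "email": "cray@example.com", "resourceInfo": set()},
}


def policy_correlator(account_attributes, users):
    """Constructed correlation rule: candidates whose lastname equals the account's sn."""
    return [name for name, u in users.items() if u["lastname"] == account_attributes.get("sn")]


def policy_confirmer(user, account_attributes):
    """Constructed confirmation rule: the account's mail must equal the user's
    email, so a surname collision alone never links an account to the wrong user."""
    return user["email"] == account_attributes.get("mail")


# Stand-in for the reconciliation policy of the resource.
POLICY = {"correlator": policy_correlator, "confirmer": policy_confirmer}


def parse_view_id(view_id):
    """Split <account_name>@<resource_name>; assumes the resource name contains no '@'."""
    account_id, sep, resource = view_id.rpartition("@")
    if not sep:
        raise ValueError(f"not an account correlation view id: {view_id!r}")
    return account_id, resource


def _summary(name, user):
    return {"name": name, "lastname": user["lastname"], "email": user["email"]}


def build_matches(view_id, account_attributes, users, policy, options=None,
                  correlator=_UNSET, confirmer=_UNSET):
    """Fill the matches attribute of the Account Correlation view."""
    options = options or {}
    account_id, resource = parse_view_id(view_id)
    correlator = policy["correlator"] if correlator is _UNSET else correlator
    confirmer = policy["confirmer"] if confirmer is _UNSET else confirmer

    matches = {"claimant": [], "correlated": []}
    if options.get("includeUnconfirmed"):
        matches["unconfirmed"] = []

    # Claimants are found independently of the correlation algorithm.
    if not options.get("ignoreClaimants"):
        for name, user in users.items():
            if (resource, account_id) in user["resourceInfo"]:
                matches["claimant"].append(_summary(name, user))

    candidates = correlator(account_attributes, users) if correlator else []
    for name in candidates:
        user = users[name]
        if confirmer is None or confirmer(user, account_attributes):
            matches["correlated"].append(_summary(name, user))
        elif "unconfirmed" in matches:
            matches["unconfirmed"].append(_summary(name, user))
    return matches


if __name__ == "__main__":
    attrs = {"sn": "Lee", "mail": "alee@example.com"}
    print(build_matches("alee2@AD", attrs, USERS, POLICY, {"includeUnconfirmed": True}))
```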
Admin Role View
Used when creating or updating an admin role to a user. Admin roles enable you to define a unique set of capabilities for each set of organizations. Capabilities and controlled organizations can be assigned directly or indirectly through roles.
One or more admin roles can be assigned to a single user and one or more users can be assigned the same admin role.
Figure 4. Admin Role View Attributes
id
Uniquely identifies the AdminRole object in Identity Manager. System-generated.
name
Specifies the name of the admin role.
capabilities
Identifies the list of capability names that are assigned to this admin role.
capabilitiesRule
Specifies the name of the rule to be evaluated that will return a list of zero or more capability names to be assigned.
controlledOrganizations
Lists organization names over which the associated capabilities are allowed.
controlledOrganizationsRule
Specifies the name of the rule to be evaluated. This rule will return a list of zero or more controlled organization names to be assigned.
controlledOrganizationsUserform
Specifies the userform that will be used when editing or creating users in the scope of organizations controlled by this admin role. Valid if the userform is not directly assigned to the user that is assigned this Admin role.
controlledSubOrganizations
Lists the controlled organizations for which a subset of the objects available has been either included or excluded. The value of this attribute consists of a list of controlledSubOrganization objects. Each ControlledOrganization object view is as follows.
Figure 5. controlledSubOrganizations View Attributes (Admin Role view)
types is a list of objects, where the list of objects to include or exclude are organized by type (for example, Resource, Role, and Policy). The view for each object type is as follows:
Figure 6. controlledSubOrganizations View Attribute Object Types (Admin Role view)
name
Specifies the name of the object type.
include
Lists object names of the associated object type to include.
exclude
Lists object names of the associated type to exclude.
memberObjectGroup
Lists the ObjectGroups of which this Admin role is a member. These are the object groups (organizations) that this Admin role is available to.
Change User Answers View
Used to change an existing user's authentication answers for one or more login interfaces.
Contains two high-level attributes.
Figure 7. Change User Answers View Attributes
questions
Describes the question. Contains the following attributes:
Figure 8. questions Attributes (Change User Answers View)
qid
Uniquely identifies a question that is used to associate this question with one defined in the policy.
question
Specifies the question string as defined in the policy.
answer
Specifies the user's answer, if specified, associated with the qid.
answerObfuscated
Specifies whether the answer is displayed or encrypted.
loginInterface
Identifies the login interface with which this question is associated. Its value is a unique message catalog key for each login interface.
Contains the following attributes:
Figure 9. loginInterface Attributes (Change User Answers View)
name
Identifies the name of the login interface that the question is associated with.
Valid values include:
- UI_LOGIN_CONFIG_DISPLAY_NAME_ALL_INTERFACES
- UI_LOGIN_CONFIG_DISPLAY_NAME_ADMIN_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_BPE
- UI_LOGIN_CONFIG_DISPLAY_NAME_CLI_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_DEFAULT_USER_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_IVR_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_QUESTION_INTERFACE
- UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE
questionPolicy
Specifies the policy that this question is associated with (for example, All, Random, Any, or RoundRobin).
questionCount
Set only if the questionPolicy attribute is set to Any or Random.
Change User Capabilities View
Used to change an Identity Manager user's capabilities.
Attribute | Editable? | Data Type | Required
adminRoles | | List [String] |
capabilities | | List [String] |
controlledOrganizations | | List [String] |
Figure 10. Change User Capabilities View Attributes
adminRoles
Lists the Admin roles that are assigned to the user.
capabilities
Lists capabilities assigned to this user.
controlledOrganizations
Lists the organizations that this user controls with the assigned capabilities.
Deprovision View
Used to present and select a list of resources to be deprovisioned. Contains one single top-level attribute.
resourceAccounts
This attribute contains the following attributes.
Name | Editable? | Data Type | Required?
id | Read/Write | String |
selectAll | Read/Write | Boolean |
unassignAll | Read/Write | Boolean |
unlinkAll | Read/Write | Boolean |
currentResourceAccounts | Read | List (objects) |
Figure 11. resourceAccounts Attributes (Deprovision View)
id
Specifies the unique identifier for the account.
selectAll
Controls whether all resources are selected.
unassignAll
Specifies that all resources should be removed from the user's list of private resources.
unlinkAll
Specifies that all resources should be unlinked from the Identity Manager user.
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
All account lists are indexed by resource name.
Figure 12. currentResourceAccounts Attributes (Deprovision View)
selected
If set to true, indicates that for a given resource, the associated account should be deprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be deleted unless they are also selected. However, the associated resource accounts will not be deleted.
unassign
If set to true, indicates that the specified resource should be removed from the user's list of private resources (for example, waveset.resources).
unlink
If set to true, indicates that the specified resource should be unlinked from the Identity Manager user (for example, remove the associated ResourceInfo object).
Note If selected or unassign are set to true, this suggests that unlink will also be true. However, the converse is not true. unlink can be true and selected and unassign can be set to false.
name
Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the resource account.
exists
Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).
disabled
Indicates whether the account is currently disabled or enabled (only in currentResourceAccounts).
authenticator
Indicates whether the account is one that the user is configured to log in with.
directlyAssigned
If true, indicates that the account is directly assigned to the user. A value of false indicates that the account is indirectly assigned by a role or application.
Disable View
Used to disable accounts on the Identity Manager user. This view is often used in custom workflows.
resourceAccounts
Represents the top-level attribute when accessing attributes in this view.
Name | Editable? | Type | Required?
id | Read | String |
selectAll | Read | Boolean |
currentResourceAccounts | Read | String |
id
Identifies the Identity Manager ID of the user.
selectAll
When set, causes all resource accounts to be disabled, including the Identity Manager account.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled.
Name | Editable? | Type
name | Read | String
type | Read | String
accountId | Read | String
exists | Read | Boolean
disabled | Read | Boolean
selected | Read/Write | Boolean
Table 13. resourceAccounts.currentResourceAccounts Attributes (Disable View)
Enable View
Used to enable accounts on the Identity Manager user. This view is often used in custom workflows.
resourceAccounts
Represents the top-level attribute when accessing attributes in this view.
Name | Editable? | Type | Required?
id | Read | String |
selectAll | Read | Boolean |
currentResourceAccounts | Read | String |
id
Identifies the user’s Identity Manager ID.
selectAll
When set, all resource accounts will be enabled, including the Identity Manager account.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled.
Name | Editable? | Type
name | Read | String
type | Read | String
accountId | Read | String
exists | Read | Boolean
disabled | Read | Boolean
selected | Read/Write | Boolean
Table 14. resourceAccounts.currentResourceAccounts Attributes (Enable View)
Find Objects View
Provides a customizable, generic Identity Manager repository search interface for any object type defined in Identity Manager that has rights and is not deprecated or restricted to internal use. The Find Objects view handler provides the associated forms for specifying one or more attribute query conditions and parameters and for the display of the find results. In addition, you can use view options to specify attribute query conditions and parameters.
This view contains the following attributes.
Table 15. Top-Level Attributes (Find Objects View)
objectType
Specifies the Identity Manager repository object type to find (for example, Role, User, or Resource).
allowedAttrs
Lists the allowed queryable attribute names for the object type specified by the objectType attribute. By default, these names are obtained by calling the objectType's listQueryableAttributeAttrs() method, which is exposed by each class that extends PersistentObject. If the object type class does not override this method, it inherits the PersistentObject implementation, which returns the default set of queryable attributes supported by all PersistentObjects.
You can override the default set by specifying the set of allowedAttrs in either the default section or the objectType-specific section of the findObjectsDefaults.xml configuration file. This file resides in the sample directory. Specify each allowed attribute in the sample/findObjectsDefaults.xml file as follows:
name
Identifies the attribute.
displayName
Specifies the attribute name as it is displayed in the Identity Manager Administrator interface. If not specified, the value of this attribute defaults to the same value as name.
syntax
Indicates the data type of attribute value where supported values include string, int, and boolean. If not specified, this value defaults to string.
multiValued
Indicates whether the attribute supports multiple values. A value of true indicates that attribute supports multiple values. If unspecified, this value defaults to false. This attribute applies only if the attribute syntax is string.
allowedValuesType
Specifies the name of the Identity Manager type if the allowed values of the attribute are instances of an Identity Manager type (for example, Role or Resource). If not specified, this attribute defaults to null.
If the name attribute is an Identity Manager-defined attribute, then only name is required. If the attribute name is an extended attribute, you must specify at least the name and, optionally, the other attributes unless the defaults are sufficient.
See sample/findObjectsDefaults.xml for example formats for specification of allowed attributes.
You can specify the list of allowedAttrs as either a list of strings, a list of objects, or a combination of both.
attrsToGet
Lists the summary attribute names of the specified object type (objectType) to be returned with each object that matches the specified attribute query conditions. You can obtain the object type's set of supported summary attributes by calling the object type's listSummaryAttributeAttrs() method. (This method is exposed by each class that extends PersistentObject.) If not overridden by the objectType class, it inherits the PersistentObject implementation that returns the default set of summary attributes supported by all PersistentObjects.
You can override the default by specifying the list of resultColumnNames in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
attrConditions
Lists the attribute conditions that are used to find objects of the specified object type (objectType) that match the specified attribute conditions (attrConditions). Each attribute condition in the list should be specified as follows:
selectedAttr
Identifies one of the attribute names from the list of allowed attributes (allowedAttrs).
selectedAttrRequired
(Optional) Indicates whether the selected attribute (selectedAttr) can be changed for this attribute condition. A value of true indicates that the selected attribute cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions.
defaultAttr
(Optional) Identifies the allowedAttrs name to select by default when the list of allowed attributes is displayed in the interface.
allowedOperators
Lists the operators allowed based on the syntax specified in the selected attribute (selectedAttr). By default, this list is obtained by calling the getAllowedOperators method passing the values of the syntax and multiValued attributes of the selected attribute (selectedAttr). You can override the default by specifying the set of allowed operators (allowedOperators) in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
selectedOperator
Specifies the name of one operator from the list specified in allowedOperators.
selectedOperatorRequired
(Optional) Indicates whether the selected operator (selectedOperator) can be changed for this attribute condition. A value of true indicates that the selected operator cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions.
defaultOperator
(Optional) Specifies the name of the operator (allowedOperators) to select by default when the list of allowed operators (allowedOperators) is displayed in the form.
value
Indicates the value or operand for the selected attribute name and operator that must be tested when Identity Manager determines if it should return an object of the specified object type (objectType). You can omit this attribute if the value of selectedOperator is exists or notPresent.
valueRequired
(Optional) Indicates whether the value of the attribute condition can be changed. A value of true indicates that the value can be changed. It also indicates that the attribute condition cannot be removed from the list of attribute conditions.
removeAttrCond
Determines if this attribute condition should be removed or not (internal).
You can specify attribute conditions as view options by using the FindObjects.ATTR_CONDITIONS constant or the attrCondition string. If attrConditions is not specified, Identity Manager returns all objects of the specified object type.
maxResults
(Optional) Specifies the maximum number of objects of the specified objectType that Identity Manager should return from the find request. Defaults to 100 if not specified. You can override the default by specifying a value for the resultMaxRows attribute in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
Use of this attribute can improve performance in cases where many Identity Manager repository objects of the specified type exist.
results
If the value of attrsToGet is null, the value of results is a list of the names of the objects that match the specified attribute conditions. If the value of attrsToGet is non-null, results is a list of objects that matched the specified attrConditions, where each object consists of:
sortColumn
(Optional) Indicates the value of the column to sort the results on. Defaults to '0' if not specified. You can override the default by specifying a value for resultSortColumn in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
selectEnable
(Optional) Specifies whether more than one result row can be selected simultaneously. A value of true indicates that more than one result row can be selected. The default is false. The default can be overridden by specifying a value for resultSelectEnable in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
Org View
Used to specify the type of organization created and options for processing it.
Common Attributes
The high-level attributes of this view are listed in the following table.
Table 16. Org View Attributes
Additional attributes are valid depending on how the orgType field is set.
orgName
Identifies the UID for the organization.
orgDisplayName
Specifies the short name of the organization. This value is used for display purposes only and must be unique.
orgId
Specifies the ID that is used to uniquely identify the organization within Identity Manager.
orgParent
Identifies the parent organization for this organization. Null if the organization resides in the Top directory.
orgChildOrgNames
Lists the names of all child organizations of this organization.
orgApprovers
Lists the administrators who approve users added to this organization.
orgUserForm
Specifies the userForm for administrators who are in this organization.
orgViewUserForm
Specifies a read-only userForm for administrators who are in this organization.
orgPolicies
Identifies policies for users in this organization. This is a map keyed by type string, with lists of policies:
orgType
Defines the organization type, which can take the values defined in the following table.
Figure 13. Valid Values for orgType Attribute (Org View)
Table 17. Valid Attributes when orgType is Set (Org View)
orgUserMembersRule
Identifies the name of the rule to be evaluated to determine rule-driven user members.
orgUserMembersCacheTimeout
Specifies the number of milliseconds before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.
orgDisplayName
Specifies the organization’s display name. Must be unique within its parent organization only.
orgContainerType
Specifies the type of directory resource container to create (for example, o, ou, dc). This view attribute value is required when creating a new virtual organization.
orgRefreshAllOrgs
If true, synchronizes all child containers of the selected container. If false, synchronizes only the immediate child containers of the selected container. Defaults to false if not specified.
orgRefreshAllOrgsUserMembers
If true, synchronizes container user membership in all child containers of the selected container. If false, synchronizes container user membership only in the immediate child containers of the selected container. Defaults to false if not specified.
orgResource
If junction or virtual option is true, specifies the name or ID of the Identity Manager directory resource from which to synchronize containers and user membership.
Using an Organizational Path Name Instead of a System-Generated ID
When calling this view in workflow, you can use either the system-generated ID or supply an organizational path expression as a value for checkoutView (for example, top:us:central:texas).
Sample Workflow
<Activity id="1" name="Refresh Organization">
  <Variable name="orgView"/>
  <Action name="Get Organization" Application="com.waveset.session.WorkflowServices">
    <Argument name="op" value="checkoutView"/>
    <Argument name="subject" value="#ID#Configurator"/>
    <Argument name="viewId" value="OrgViewer:top:us:central:texas"/>
    <Return from="view" to="orgView"/>
  </Action>
</Activity>
Password View
Used by administrators to change the passwords of an Identity Manager user or of the user's resource accounts.
This view contains one top-level attribute.
resourceAccounts
This attribute contains the following attributes.
Figure 14. resourceAccounts Attributes (Password View)
id
Specifies the account ID of the Identity Manager user whose passwords are being changed. Typically set by the view handler and never modified by the form.
selectAll
Controls whether all passwords are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the set of resources assigned to this user that are not yet being managed by Identity Manager (for example, they do not have an associated resinfo object). Passwords cannot be changed on accounts that are going to be deleted.
All three account lists contain objects that describe the state of the account on each resource and allow you to select accounts individually.
These lists are indexed by resource name and contain objects that describe the resources on which this user has accounts.
Figure 15. tobeDeletedResourceAccounts Attributes (PasswordView)
password
Specifies the new password you want to assign to the Identity Manager account or the resource accounts.
confirmPassword
Confirms the password specified in the password attribute. When the view is used interactively, the form requires you to enter the same values in the password and confirmPassword fields. When the view is used programmatically, such as within a workflow, the confirmPassword attribute is ignored. If you are using this view interactively, you must set this attribute.
selected
Indicates that the specified resource should receive the new password.
name
Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page lists the types of the currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource.
disabled
Indicates whether the account is currently disabled.
passwordPolicy
When set, describes the password policy for this resource. Can be null. It contains these attributes.
Figure 16. passwordPolicy Attributes (PasswordView)
In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as defined in the policy.
The summary string contains a pre-formatted description of the policy attributes.
authenticator
If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.
changePasswordLocation
(Optional) Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.
expirePassword
Can be set to a non-null Boolean value to control whether the password is marked as expiring immediately after it has been changed. If null, the password expires by default if the user whose password is being changed differs from the user who is changing the password.
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
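The rules spread across the attributes above (which account lists can take a new password, when confirmPassword applies, how a null expirePassword is resolved) are easiest to see together. The following is an added example, not Identity Manager code and not using the Identity Manager API; it models those rules over a constructed view dictionary, and the resource names and sample values in sample_view() are made up.

```python
"""Model of the Password view's selection, confirmation and expiry rules.

Added example; this is not Identity Manager code and uses no IDM API. It
encodes the rules the view description states: a new password can be set
only on accounts in currentResourceAccounts that already exist, never on
tobeCreatedResourceAccounts or tobeDeletedResourceAccounts; confirmPassword
is checked only for interactive use; and a null expirePassword means the
password expires when the changer is not the user being changed. The
dictionary layout and the sample values in sample_view() are constructed.
"""
from typing import Any, Dict, List


def effective_expire(view: Dict[str, Any], changer_id: str) -> bool:
    """A Boolean expirePassword wins; otherwise apply the documented default:
    expire when someone other than the account's owner sets the password."""
    flag = view.get("expirePassword")
    if isinstance(flag, bool):
        return flag
    return changer_id != view["resourceAccounts"]["id"]


def check_password_view(view: Dict[str, Any], changer_id: str,
                        interactive: bool) -> Dict[str, Any]:
    """Validate a Password view before it would be checked in.

    Returns the resource names that may receive the new password, the
    problems found, and whether the new password is marked as expired."""
    ra = view["resourceAccounts"]
    errors: List[str] = []
    targets: List[str] = []

    if not view.get("password"):
        errors.append("password is empty")
    # confirmPassword only matters when a person types both fields
    if interactive and view.get("password") != view.get("confirmPassword"):
        errors.append("password and confirmPassword differ")

    for name, acct in ra.get("currentResourceAccounts", {}).items():
        if ra.get("selectAll") or acct.get("selected"):
            if acct.get("exists"):
                targets.append(name)
            else:
                errors.append(f"{name}: account does not exist on the resource")

    # Neither list can take a password change, whatever the form selected
    for bucket in ("tobeCreatedResourceAccounts", "tobeDeletedResourceAccounts"):
        for name, acct in ra.get(bucket, {}).items():
            if acct.get("selected"):
                errors.append(f"{name}: listed in {bucket}, password cannot be changed")

    return {
        "targets": sorted(targets),
        "errors": errors,
        "expire": effective_expire(view, changer_id),
    }


def sample_view() -> Dict[str, Any]:
    """Constructed Password view for user jdoe; resource names are made up."""
    return {
        "password": "Wint3r-Harbor!",
        "confirmPassword": "Wint3r-Harbor!",
        "expirePassword": None,
        "resourceAccounts": {
            "id": "jdoe",
            "selectAll": False,
            "currentResourceAccounts": {
                "Lighthouse": {"selected": True, "exists": True, "authenticator": True},
                "AD": {"selected": True, "exists": True, "authenticator": False},
                "Solaris": {"selected": True, "exists": False, "authenticator": False},
                "LDAP": {"selected": False, "exists": True, "authenticator": False},
            },
            "tobeCreatedResourceAccounts": {},
            "tobeDeletedResourceAccounts": {
                "NT": {"selected": True, "exists": True},
            },
        },
    }


if __name__ == "__main__":
    # An administrator (not jdoe) changes jdoe's passwords interactively
    print(check_password_view(sample_view(), "Configurator", interactive=True))
```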
Process View
Used to launch tasks such as workflows or reports. The task to be launched must be defined by a TaskDefinition or TaskTemplate object in Identity Manager. Launching the task results in the creation of a TaskInstance object.
This view contains one top-level attribute named task. All other top-level attributes are arbitrary and are passed as inputs to the task.
task
This top-level attribute defines how the task is to be launched.
Figure 17. Process View Attributes
process
Names the process to launch. This can be the name of a TaskDefinition or TaskTemplate object in Identity Manager. It can also be an abstract process name mapped through the process settings in the System Configuration object. This attribute is required.
taskName
Specifies the name given to the TaskInstance object that is created to hold the runtime state of the task. If this attribute is not set, a random name is generated.
organization
Names the organization in which to place the TaskInstance. If this attribute is not set, the TaskInstance is placed in Top.
taskDisplay
Specifies a display name for the TaskInstance.
description
Specifies a descriptive string for the TaskInstance. This string is displayed in the Manage Tasks table in the product interface.
execMode
Specifies execution mode. This is typically not specified, in which case the execution mode is determined by the TaskDefinition. Setting this attribute overrides the value in the TaskDefinition.
Allowed execMode values are:
Value            Description
sync             Specifies synchronous (foreground) execution
async            Specifies asynchronous (background) execution
asyncImmediate   Specifies asynchronous execution with immediate thread launch
Figure 18. execMode Attribute Values (Process View)
Use the asyncImmediate execution mode only for special system tasks that must pass non-serializable values into the task through the view. The task thread is started immediately. The default behavior is to save the TaskInstance temporarily in the repository and have the Scheduler resume it later.
result
Specifies the initial result for the TaskInstance. You can use this setting to pass information into the task that you eventually want displayed with the task results when the task completes.
owner
Specifies the user name that is considered to be the owner of the task. If not set, the currently logged-in user is designated as the owner.
View Options
The following options are recognized by the createView and checkinView methods.
endUser
Specifies that the task is being launched from the Identity Manager User Interface. This allows users with no formal privileges to launch specially designated end-user tasks.
process
Names the process to launch. This name is recognized by the createView method and becomes the value of the process attribute in the view.
suppressExecuteMessage
When set to true, suppresses a default message that is added to the task result when an asynchronous task is launched. The default English text is "The task is being executed in the background."
Checkin View Results
The following named result items can be found in the WavesetResult object that is returned by the checkinView method.
Figure 19. Checkin View Results
Reconcile View
Used to request or cancel reconciliation operations on a resource. This view is used to perform on-demand reconciliation as part of a workflow. It can also be used when implementing a custom scheduler for reconciliation.
This view is write-only; the get and checkout operations are not supported.
request
Specifies the operation to perform. You must specify one of the following valid operations:
Table 18. Valid Operations for request Attribute (Reconcile View)
accountId
Identifies the account to reconcile. This string is ignored if the request is not ACCOUNT.
Examples
Reconcile Policy View
Used to view and modify reconciliation policy, which is stored as part of the Identity Manager system configuration object.
Reconciliation Policies and the Reconcile Policy View
Reconciliation policy settings are stored in a tree structure with the following general structure:
Settings can be specified at any point in the tree. If a level does not specify a value for a policy, it is inherited from the next highest policy.
The view represents an effective policy at a specified point in the policy tree, which is identified by the view name.
Table 19. ReconcilePolicy Tree and View Names
Policy Values
Values of policy settings are always policy values. Policy values can contain up to three components, as described in the following table.
Table 20. Policy Value Settings Attributes (ReconcilePolicy View)
Authorization Required
To modify the view, users require Reconcile Administrator Capability.
To access the view, users require Reconcile Administrator or Reconcile Request Administrator capabilities.
View Attributes
The following table lists the high-level attributes of this view.
Table 21. ReconcilePolicy View Attributes
scheduling
Table 22. scheduling Attributes (ReconcilePolicy View)
reconcileServer
Specifies the reconciliation server that should be used to perform scheduled reconciliations.
reconcileModes
Specifies the reconciliation modes that are enabled. Valid values are: BOTH, FULL, NONE.
fullSchedule
Identifies the schedule for full reconciles when enabled.
incrementalSchedule
Identifies the schedule for incremental reconciles when enabled.
nextFull
Contains the time of the next incremental reconcile, if enabled.
nextIncremental
Specifies the repetition count for the schedule. Schedule values are GenericObjects with the following attributes:
correlation
Identifies the name of the correlation rule.
Table 23. correlation rules (ReconcilePolicy View)
correlationRule
Identifies the name of the correlation rule to use when correlating accounts to users.
confirmationRule
Identifies the name of the confirmation rule to use when confirming correlated users against accounts. When no confirmation is required, specify the value CONFIRMATION_RULE_NONE.
workflow
Attribute            Editable?    Data Type
proxyAdministrator   Read/Write   String
preReconWorkflow     Read/Write   String
perAccountWorkflow   Read/Write   String
postReconWorkflow    Read/Write   String
Table 24. workflow Attributes (ReconcilePolicy View)
proxyAdministrator
Specifies the name of the user with administrative capabilities.
preReconWorkflow, perAccountWorkflow, postReconWorkflow
Specifies the name of the workflow to run at the appropriate point in reconciliation processing. To specify that no workflow be run, use the value AR_WORKFLOW_NONE.
response
Table 25. response Attributes (ReconcilePolicy View)
situations
Specifies the automated response to perform for the specified situation. Valid responses are:
Table 26. situations Options (ReconcilePolicy View)
explainActions
Specifies whether reconciliation should record detailed explanations of actions in the Account Index.
resource
Attribute                Editable?    Data Type
reconcileNativeChanges   Read/Write   Boolean
reconciledAttributes     Read/Write   List (of Strings)
listTimeout              Read/Write   Integer
fetchTimeout             Read/Write   Integer
Table 27. resource Attributes (ReconcilePolicy View)
reconcileNativeChanges
Specifies whether native changes to account attributes should be reconciled.
reconciledAttributes
Specifies the list of account attributes that should be monitored for native changes.
listTimeout
Specifies (in milliseconds) how long reconciliation should wait for a response when enumerating the accounts present on the resource.
fetchTimeout
Specifies (in milliseconds) how long the reconciliation process should wait for a response when fetching an account from a resource.
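The inheritance rule stated under Reconciliation Policies and the Reconcile Policy View (a setting absent at one level is taken from the next highest level) determines which values actually govern a resource, and a weak value such as CONFIRMATION_RULE_NONE can arrive by inheritance without being visible at the resource level. The following is an added example, not Identity Manager code: it models that resolution over a constructed two-level tree using the attribute names from this view, reports where each effective value was set, and flags settings that reduce what reconciliation can detect. The level names, the rule name, and the sample values are constructed.

```python
"""Effective reconciliation policy resolved down a policy tree.

Added example, not Identity Manager code. It models the inheritance rule
stated under Reconciliation Policies and the Reconcile Policy View: a
setting not given at a level is taken from the next highest level. The
level names and the sample settings are constructed; only the attribute
names and the sentinels CONFIRMATION_RULE_NONE and AR_WORKFLOW_NONE
come from the document.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

CONFIRMATION_RULE_NONE = "CONFIRMATION_RULE_NONE"
AR_WORKFLOW_NONE = "AR_WORKFLOW_NONE"


@dataclass
class PolicyLevel:
    name: str
    settings: Dict[str, Any] = field(default_factory=dict)
    parent: Optional["PolicyLevel"] = None

    def chain(self) -> List["PolicyLevel"]:
        """This level first, then each ancestor up to the root."""
        levels: List[PolicyLevel] = []
        node: Optional[PolicyLevel] = self
        while node is not None:
            levels.append(node)
            node = node.parent
        return levels

    def effective(self) -> Dict[str, Any]:
        """Nearest definition wins: start at the root, override downwards."""
        result: Dict[str, Any] = {}
        for level in reversed(self.chain()):
            result.update(level.settings)
        return result

    def source_of(self, key: str) -> Optional[str]:
        """Name of the level whose explicit setting supplies `key`, if any."""
        for level in self.chain():
            if key in level.settings:
                return level.name
        return None


def review_policy(level: PolicyLevel) -> List[str]:
    """Flag effective settings that reduce what reconciliation can detect,
    naming the level each one comes from so an inherited gap is visible."""
    eff = level.effective()
    findings: List[str] = []

    def flag(key: str, why: str) -> None:
        findings.append(f"{key}: {why} (set at {level.source_of(key)})")

    if eff.get("confirmationRule") == CONFIRMATION_RULE_NONE:
        flag("confirmationRule", "correlated accounts are never confirmed")
    if eff.get("reconcileModes") == "NONE":
        flag("reconcileModes", "scheduled reconciliation is disabled")
    if eff.get("explainActions") is False:
        flag("explainActions", "Account Index keeps no explanation of actions")
    if eff.get("reconcileNativeChanges") is False:
        flag("reconcileNativeChanges", "native attribute changes are not reconciled")
    return findings


def sample_tree() -> PolicyLevel:
    """Constructed two-level tree: a root and one resource-specific level."""
    root = PolicyLevel("root (constructed)", {
        "reconcileModes": "FULL",
        "correlationRule": "Default Correlation",      # constructed rule name
        "confirmationRule": CONFIRMATION_RULE_NONE,
        "perAccountWorkflow": AR_WORKFLOW_NONE,
        "explainActions": False,
        "reconcileNativeChanges": False,
        "listTimeout": 600000,                          # milliseconds
        "fetchTimeout": 60000,
    })
    return PolicyLevel("HR-LDAP (constructed)", {
        "reconcileModes": "BOTH",
        "explainActions": True,
        "reconcileNativeChanges": True,
        "reconciledAttributes": ["uid", "mail"],
    }, parent=root)


if __name__ == "__main__":
    resource_level = sample_tree()
    for line in review_policy(resource_level):
        print(line)
```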
Reconcile Status View
Used to obtain the status of the last requested reconciliation operation. This view is read-only.
status
Indicates the status code of the request (string). Valid status codes include:
Table 28. ReconcileStatus View Attributes
reconcileMode
Indicates the reconciliation mode of the request. Either FULL or INCREMENTAL.
reconciler
Identifies the Identity Manager server that is processing the reconciliation request.
requestedAt
Indicates the date on which the request was received.
startedAt
Specifies a date on which the reconciliation operation started. If the reconciliation operation has not yet started or was cancelled while still pending, this value is null.
finishedAt
Indicates the date on which the reconciliation operation completed. If the reconciliation process has not yet completed, this value is null.
errors.fatal
Describes the error (if any) that terminated the reconciliation operation. Errors are returned as a list of strings.
errors.warnings
Describes any non-fatal errors that are encountered during the reconciliation operation. Errors are returned as a list of strings.
statistics.accounts.discovered
Identifies the number of accounts that were found on the resource at the time of the reconciliation operation.
statistics.situation[<situation>].resulting
Identifies the number of accounts in the specified reconciliation situation after responses have been performed (successfully or not).
Valid situations are any of the following:
Rename User View
Used to rename the Identity Manager and resource account identities. This view is typically used when a user in a company has a name change. The other main use for this view is to change the identity of a directory user, which essentially causes a move in the directory structure.
Name               Editable?    Data Type   Required?
newAccountId       Read/Write   String
toRename           Read         List
noRename           Read         List
resourceAccounts   Read
Table 29. RenameUser View Attributes
newAccountId
Specifies the new accountId to be set on the Identity Manager user and used in the Identity templates for resource accounts.
toRename
Specifies a list of accounts in the currentResourceAccounts list that support the rename operation.
noRename
Specifies a list of accounts that do not support the rename functionality.
resourceAccounts
Contains mostly read-only information about the resource accounts. Use the following attributes to rename resource accounts:
Table 30. resourceAccounts Attributes
accounts[<resourcename>].identity
Overrides the use of the Identity Template to create the accountId for this resource account.
accounts[<resourcename>].<attribute>
Used when not specifying the accounts[<resourcename>].identity attribute to pass attributes to the Identity Template for the creation of the new accountId.
Example
renameView.newAccountId="saurelius"
renameView.resourceAccounts.selectAll="false"
renameView.resourceAccounts.currentResourceAccounts[Lighthouse].selected="true"
renameView.accounts[AD].identity="cn=saurelius,OU=Austin,DC=Waveset,DC=com"
renameView.resourceAccounts.currentResourceAccounts[AD].selected="true"
renameView.accounts[LDAP].identity="CN=saurelius,CN=Users,DC=us,DC=com"
renameView.resourceAccounts.currentResourceAccounts[LDAP].selected="true"
renameView.accounts[NT].identity="Marcus Aurelius"
renameView.resourceAccounts.currentResourceAccounts[NT].selected="true"
Reprovision View
Used to present and select the list of resources to be reprovisioned. This view contains one top-level attribute (resourceAccounts).
resourceAccounts
This attribute contains the following attributes.
Name                      Editable?    Data Type        Required?
id                        Read         String
selectAll                 Read/Write   Boolean
currentResourceAccounts   Read         List (objects)
Figure 20. resourceAccounts Attributes (Reprovision View)
id
Specifies the unique identifier for the account.
selectAll
Controls whether all resources are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
All account lists are indexed by resource name.
Name            Editable?    Data Type
selected        Read/Write   Boolean
name            Read         String
type            Read         String
accountId       Read         String
exists          Read         Boolean
disabled        Read         Boolean
authenticator   Read         Boolean
Figure 21. currentResourceAccounts Attributes (Reprovision View)
selected
If set to true, indicates that for a given resource, the associated account should be reprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be reprovisioned unless they are also selected. However, the associated resource accounts will not be reprovisioned.
name
Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page lists the types of the currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the resource account.
exists
Indicates whether the account already exists on the resource or not (only in currentResourceAccounts).
disabled
Indicates whether the account is currently disabled or enabled (only in currentResourceAccounts).
authenticator
Indicates whether this is the account through which the user is configured to log in.
Reset User Password View
Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.
resourceAccounts
Defines characteristics of resource accounts. This attribute contains the following attributes.
Figure 22. resourceAccounts Attributes (Reset User Password View)
id
Specifies the account ID of the Identity Manager user whose passwords are being changed.
selectAll
Controls whether all passwords are selected.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are scheduled for deletion.
The three account list attributes (tobeDeletedResourceAccounts, tobeCreatedResourceAccounts, and currentResourceAccounts) contain the attributes described in the following table. These attributes describe the state of the account on each resource and allow you to select accounts individually.
Figure 23. tobeDeletedResourceAccounts Attributes (Reset User Password View)
selected
Set to true if this account is to have its password reset.
name
Specifies the name of the resource. This corresponds to the name of a Resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page lists the types of the currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource.
disabled
Indicates whether the account is currently disabled.
passwordPolicy
When set, describes the password policy for this resource. Can be null. It contains these attributes.
Figure 24. Reset User Password Attributes (Reset User Password View)
In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as the WSAttribute in the Policy.
The summary string contains a pre-formatted description of the policy attributes.
authenticator
If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.
changePasswordLocation
Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.
Resource View
Used when modifying resources.
The resource viewer instantiates the resource parameters for the various view methods as follows:
- The createView method requires a typeString option, which is used to locate the correct prototypeXML for the resource type. The prototypeXML contains the initial set of resource parameters and their initial values. Thus, the view is populated with this list of initial resource parameters and their default values.
- The getView and checkoutView methods return only the resource parameters that exist in the resource object. The prototypeXML is not used to fill in this list if any resource parameters are missing in the actual resource object.
- The checkinView method replaces the list of resource parameters in the stored resource object in the repository. Again, the prototypeXML is not used to fill in any missing resource parameters that are not supplied during the checkinView operation.
Resource Parameters
Resource parameters vary depending on the type of resource adapter being configured. Each resource contains a prototypeXML string that the resource viewer uses to determine the default set of resource parameters and their default values. Once Identity Manager creates a resource object, the resource viewer no longer uses the prototypeXML string, but rather uses the resource parameters from the actual object.
The following attributes uniquely identify the resource object.
name
Externally identifies the resource. This user-supplied name is unique among resource objects.
adapterClassName
Identifies the Resource Adapter class to be used to provision to the resource.
type
Identifies the data type of the attribute.
typeString
Specifies the internal name for the resource type.
typeDisplayString
Identifies the display name for the resource type. This should be a message key or ID to be found in the message catalog.
syncSource
If set to true, indicates that the resource supports synchronization events.
facets
description
Provides a textual description of the resource.
startupType
Specifies whether the activeSync resource starts up automatically or manually.
Additional attributes depend upon the type of adapter being configured. At a minimum, these attributes specify how to connect to the resource. Typical parameters include TCP port, user, and password.
host
Uniquely identifies the host.
password
Specifies the password of the user (host administrator) to connect as.
TCPPort
Identifies the port on the host to connect to.
user
Identifies the user (host Administrator) to connect as.
Account Attributes
These attributes define the accounts managed on this resource. Attributes vary depending on the resource type.
Typical attributes are:
accountId
Specifies the ID by which the resource identifies this account.
roles
Identifies the roles the account will have on the resource.
Identity Template
The identity template is used to generate a user's identity on this resource.
Identity Manager Parameters
Identity Manager parameters are used by Identity Manager to help manage the resource.
resourceName
Specifies the name by which Identity Manager identifies this resource object.
displayName
Specifies the display name that will display on the Identity Manager user edit and password pages to help identify users.
retryMax
Indicates the maximum number of retries that are attempted when errors occur while managing objects on a resource.
retryDelay
Specifies the number of seconds between retries.
retryEmail
Identifies the email addresses to send notifications to after reaching the retry notification threshold.
retryEmailThreshold
Specifies the number of retries after which an email is sent.
form
Identifies the user form that is used in workflows that edit accounts on the resource.
passwordPolicy
Specifies the password policy for accounts on this resource.
resourcePasswordPolicy
Indicates the resource password policy for resource accounts on this resource.
accountPolicy
Specifies the policy for account IDs on this resource.
excludedResourceAccountsPolicy
Specifies the policy for excluding resource accounts from account lists.
approvers
Lists the administrator approvers for this resource.
organizations
Lists the organizations available to the resource.
Resource Object View
Used when modifying resource objects.
All attributes are editable, except <resourceobjectType>.oldAttributes, which is used to calculate attribute-level changes for updates.
In practice, replace <resourceobjectType> with the lowercase name of a resource-specific object type (for example, group, organizationalunit, organization, or role).
Table 31. ResourceObject View Attributes
<resourceobjectType>.resourceType
Lists the Identity Manager resource type name (for example, LDAP, Active Directory).
<resourceobjectType>.resourceName
Lists the Identity Manager resource name.
<resourceobjectType>.resourceId
Lists the Identity Manager resource ID or name.
<resourceobjectType>.objectType
Indicates the resource-specific object type (for example, Group).
<resourceobjectType>.objectName
Lists the name of the resource object.
<resourceobjectType>.objectId
Specifies the fully qualified name of the resource object (for example, dn).
<resourceobjectType>.requestor
Specifies the ID of the user who is requesting the view.
<resourceobjectType>.attributes
Indicates new or updated resource object attribute name/value pairs (object). This attribute has the following subattribute:
resourceattrname -- String used to get or set the value of a specified resource attribute (for example, <objectType>.attributes.cn, where cn is the resource attribute common name).
<resourceobjectType>.oldAttributes
Specifies the fetched resource object attribute name/value pairs (object). You cannot edit this value. The view uses this attribute to calculate attribute-level changes for update.
<resourceobjectType>.organization
Identifies the list of organizations of which the resource is a member. This list is used to determine which organizations should have access to the associated audit event record when available for future analysis and reporting.
<resourceobjectType>.attrstoget
List of object-type-specific attributes to return when requesting an object with the checkoutView or getView methods.
<resourceobjectType>.searchContext
Specifies the context used to search for non-fully qualified names in resources with hierarchical namespaces.
<resourceobjectType>.searchAttributes
Lists the resource object type-specific attribute names that will be used to search within the specified searchContext for names of resources with hierarchical namespaces.
<resourceobjectType>.searchTimelimit
Specifies the maximum time spent searching for a name input to a form (if supported by the resource).
Role View
Used to define Identity Manager role objects.
When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations.
The following table lists the high-level attributes of this view.
Table 32. Role View Attributes
name
Identifies the name of the role. This corresponds to the name of a Role object in the Identity Manager repository.
resources
Specifies the names of locally assigned resources.
applications
Specifies the names of locally assigned applications (Resource Groups).
roles
Specifies the names of locally assigned roles.
assignedResources
Flattened list of all assigned resources via resources, applications, and roles.
resource name
Identifies the name of the assigned resource.
attributes
Identifies the characteristics of the resource. All subattributes are strings and are editable.
Table 33. attribute Options (Role View)
notifications
Lists the names of administrators who are notified when this role is assigned to a user.
approvers
Specifies the names of the approvers that must approve the assignment of this role to a user.
properties
Identifies the user-defined properties that are stored on this role.
organizations
Lists organizations of which this role is a member.
Task Schedule View
Used to create and modify TaskSchedule objects.
This view contains the following attributes:
Figure 25. Task Schedule View Attributes
scheduler
Contains attributes that are related to the scheduler itself, which are common to all scheduled tasks. The attributes are:
Figure 26. scheduler Attributes (Task Schedule View)
Note Typically, you supply a value for either scheduler.definition or scheduler.template. If you do not specify either value, Identity Manager creates a TaskSchedule object that you can later edit to specify the definition or template.
name
Specifies the name of an existing TaskSchedule object, or the name to give a new one. It is not required; if omitted, the system generates a random identifier.
id
Uniquely identifies the existing TaskSchedule object.
definition
Specifies the name of the TaskDefinition object to be scheduled.
template
Specifies the name of a TaskTemplate object to be scheduled. If both definition and template are specified, template has priority.
taskOrganization
Contains the name of the organization in which the TaskInstance will be placed when the scheduled task is launched.
taskName
Specifies the name of the TaskInstance that is created when the scheduled task is launched.
description
Contains descriptive text that is saved in the TaskInstance created when the scheduled task is launched. The description appears in the task tables in the product interface.
disabled
Controls whether the task scheduler processes the TaskSchedule object. The scheduler ignores TaskSchedule objects whose disabled attribute is true. Use this to temporarily stop running a scheduled task without having to delete and recreate the TaskSchedule object.
start
Indicates the date and time at which to launch the task.
repeatCount
Combined with repeatUnit, determines how frequently tasks will be run. If repeatCount is zero or not specified a scheduled task will only run once. If repeatCount is a positive number, the task will be run more than once at the interval specified by repeatUnit.
repeatUnit
Defines the interval of time between running tasks that have a positive repeatCount value. Valid values include: second, minute, hour, day, week, month. For example, to schedule a task to run once a week for a year set repeatUnit to week, repeatCount to 52, and start to the first day that the task is to run.
resultOption
Specifies what the scheduler does if a TaskInstance with the desired name already exists when the scheduled task is run. The possible values are: wait, delete, rename, and terminate.
wait
Tells the scheduler not to run the task again now but to wait for the next repetition. This value is only meaningful if you have set repeatCount and repeatUnit.
delete
Tells the scheduler to delete the existing TaskInstance, if it has finished.
rename
Tells the scheduler to rename the existing TaskInstance, if it has finished.
terminate
Similar to delete, but also terminates the existing task if it is still running.
skipMissed
Indicates whether Identity Manager immediately attempts to make up a missed schedule time (false) or waits until the next scheduled time (true). The default is false.
allowMultiple
Controls whether more than one instance of the same task definition or task template are allowed to run. If true (the default), the scheduler will always create a new instance of the task. If false, the scheduler will not create a new instance if there is one already running.
task
Contains task-specific attributes. Each task defines its own attributes, and the task's form should reference them relative to the task namespace.
Unlock View
Used to unlock accounts on resources that support native account locking. This view presents the list of resource accounts that can be unlocked and records which of them are selected.
Note Use the Unlock view instead of the Disable view for accounts whose resources support native account locking.
Contains the following high-level attributes:
Figure 27. Unlock View Attributes
id
Specifies the account ID of the Identity Manager user whose accounts are being unlocked.
selectAll
Controls whether all accounts are unlocked.
currentResourceAccounts
Represents the set of accounts that are currently being managed by Identity Manager (including the Identity Manager account itself).
tobeCreatedResourceAccounts
Represents the accounts that are assigned to this Identity Manager user but which have not yet been created. Accounts that have not yet been created cannot be unlocked.
tobeDeletedResourceAccounts
Represents the accounts that have been created but are no longer assigned to this user. Accounts that are going to be deleted cannot be unlocked.
All three account lists are indexed by resource name and contain objects that describe the state of the account on each resource; these objects allow you to select accounts individually.
Figure 28. tobeDeletedResourceAccounts Attributes (Unlock View)
selected
Identifies that this resource has been selected to be unlocked.
name
Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository.
type
Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.
accountId
Specifies the identity of the account on this resource, if one has been created.
exists
Indicates whether the account already exists on the resource (only in currentResourceAccounts).
locked
Indicates whether the account is currently locked (only in currentResourceAccounts).
authenticator
If true, indicates that this resource serves as the pass-through authentication resource for Identity Manager.
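The following Unlock form is an added illustration, not a form shipped with Identity Manager. It offers a checkbox only for accounts that exist on the resource and report themselves as locked, so that the view cannot be checked in with selections that are no-ops or that would produce misleading audit records. It assumes the FieldLoop, Checkbox, Disable and $(variable) substitution constructs of Identity Manager forms and an account list shaped like the attributes listed above; the form name is arbitrary.

```xml
<Form name='Custom Unlock'>
  <!-- One-click path: the Unlock view handler reads selectAll at check-in. -->
  <Field name='selectAll'>
    <Display class='Checkbox'>
      <Property name='title' value='Unlock all locked accounts'/>
    </Display>
  </Field>

  <!-- One checkbox per account currently managed by Identity Manager.
       tobeCreatedResourceAccounts and tobeDeletedResourceAccounts are
       deliberately not iterated: those accounts cannot be unlocked. -->
  <FieldLoop for='res' in='currentResourceAccounts[*].name'>
    <Field name='currentResourceAccounts[$(res)].selected'>
      <Display class='Checkbox'>
        <!-- $(res) substitution in the property value is assumed here. -->
        <Property name='title' value='Unlock account on $(res)'/>
      </Display>
      <!-- Disable suppresses the field entirely unless there is an
           account on the resource and it is actually locked. -->
      <Disable>
        <not>
          <and>
            <ref>currentResourceAccounts[$(res)].exists</ref>
            <ref>currentResourceAccounts[$(res)].locked</ref>
          </and>
        </not>
      </Disable>
    </Field>
  </FieldLoop>
</Form>
```

Because the per-resource checkbox is keyed on the resource name, the selected flag lands on the same object the view handler reads, alongside exists and locked; selectAll remains available for administrators who want to clear every lock at once.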
WorkItem View
Used to view and modify WorkItem objects in the repository.
A WorkItem object is created whenever a manual action that is defined in a workflow process is activated. The WorkItem view contains a few attributes that describe the WorkItem object itself, as well as values of selected workflow variables copied from the workflow task.
Identity Manager returns information about related work items in the Work Item view under the workItem.related attribute.
Returning Information about All Active Work Items
This view provides the ability to return information about all work items that are currently active in a workflow task. By default, Identity Manager returns information about only a specified work item, not related work items. However, you can use other options to filter work items, and the attributes of the related work items you want to display.
Use the following three form properties, includeRelatedItems, relatedItemAttributes, and relatedItemFilter, to change the default behavior of this view:
Example: Using the includeRelatedItems Form Property
By default, Identity Manager uses the Approval form to display work items. Edit this form by adding the includeRelatedItems element to include related work items:
<Properties>
<Property name='includeRelatedItems' value='true'/>
</Properties>
Example: Using the relatedItemAttributes Form Property
You can also request additional attributes with the relatedItemAttributes option. This option can be a CSV string of names or a list of names. You can request the following standard attributes:
If you request an attribute name that is not on this list, Identity Manager assumes that it is an arbitrary workflow variable, and the value will be returned if it exists in the work item. Common variables found in the standard workflows include:
Example: Using includeRelatedItems and relatedItemAttributes Together
To include the request and description attributes, add these properties to the Approval form:
<Properties>
<Property name='includeRelatedItems' value='true'/>
<Property name='relatedItemAttributes' value='request,description'/>
</Properties>
Example: Using relatedItemFilter Form Property
You can specify the following filter attributes.
If more than one filter attribute is on the list, they are logically AND'd together. For example, to return only work items that have the same request string and are currently locked, add this property to the Approval form:
<Properties>
  <Property name='includeRelatedItems' value='true'/>
  <Property name='relatedItemAttributes' value='request,description'/>
  <Property name='relatedItemFilter' value='request,locked'/>
</Properties>
A field that displays a table of information about the related work items has been added to the Approval Library form library; its name is Related Approvers. You can reference it from the standard Approval form as follows:
<FieldRef name='Related Approvers'/>
Changing the Repository Lock Timeout for Work Items
The default time-out interval for locking work items in the repository is five minutes. You can change this value by adding the following element to the RelocatedTypes element of the RepositoryConfiguration Configuration object. The value is in milliseconds, so the example below shortens the time-out to ten seconds:
<TypeDataStore typeName='WorkItem' lockTimeoutMillis='10000'/>
Top-Level Attributes
The following table lists the top-level WorkItem view attributes.
Table 34. WorkItem View Attributes
id
Identifies the repository ID of the WorkItem object. Typically generated by Identity Manager and not displayed.
name
Identifies the repository name of the WorkItem object.
taskId
Identifies the repository ID of the workflow TaskInstance. This attribute is used by the system to correlate the work item with the workflow task and must not be changed.
taskName
Identifies the repository name of the workflow TaskInstance. This name is typically set to an informative value and can be displayed. Do not modify it. A typical example task name for a user update would be Updating User jdoe.
processName
Identifies the name of the workflow process definition that contains the manual action.
activityName
Specifies the name of the workflow activity that contains the manual action.
description
Contains a textual description of the work item. Its contents are defined by the workflow process definition. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form.
owner
Identifies the name of the current Identity Manager administrator or user that created the workflow process. This attribute is typically the name of an Identity Manager user. If this work item is assigned to an anonymous user, the name will have the prefix Temp:.
complete
Set to true when the manual action has completed and the workflow is to be resumed. Assignment of the complete attribute must be performed in the Work Item form. You can edit this Boolean value.
variables
Contains another object whose attributes contain copies of variables from the workflow task. By default, every workflow variable that is in scope when the manual action is activated is copied into the work item. This can be controlled with the Exposed Variables and Editable Variables options in the process definition. Most work item forms display information found under the variables attribute. See the section Using the variables Attribute later in this chapter for more information on using this attribute.
workItem
Specifies additional information about the work item. Contains the following attributes:
views
Contains a list of workflow variables whose values are views. The system uses this attribute to cause view-specific refresh operations when the work item view is refreshed.
Do not change this value.
related
Contains a list of objects that describe the work items related to the specified work item.
Table 35. Subattributes of the workItem.related Attribute (Work Item View)
request
Succinctly describes the purpose of the work item. This description is typically shorter than the value of the description attribute and is often displayed in summary tables.
requester
Identifies the user that initiated the approval.
ignoreTimeOut
Indicates whether the time out should be ignored. A value of true (assigned by the system) indicates that this is a read-only work item that may timeout while being viewed. This is a signal to the system that a check-in failure of the Work Item view should be ignored if the work item no longer exists, rather than displaying an error message. This can be useful for work items that are intended only for status messages that time out immediately so the workflow can continue while the user views the messages.
Do not change this value.
Using the variables Attribute
When writing a work item form, the most common attributes to reference are complete and variables. The complete attribute must be set to the value true in order for the workflow to be resumed. It is typically set by a hidden field in response to pressing button fields with labels such as Approve and Reject.
The variables attribute contains an object whose values are copies of variables from the workflow task. One of the most common workflow variables used in work items is user, which contains a user view. For example, to reference the global.email attribute from a work item form, use the following path expression:
variables.user.global.email
This differs from attribute paths used in a standard user form. First, the entire view is stored in a workflow variable named user, which results in the user. prefix being required in the attribute path. Next, the workflow variables are stored under the variables attribute in the Work Item view, which results in an additional variables. prefix being required in the attribute path.
Because of this nesting of the user view attributes, you cannot use a standard user form with the Work Item view without modification. However, you can define a work item form that references the user form with the base context option.
Example
<Form name='WorkItemForm'>
  <Include>
    <ObjectRef Type='UserForm' name='Default User Form'/>
  </Include>
  <FormRef name='Default User Form' baseContext='variables.user'/>
</Form>
Note Although in practice the work item form requires additional fields for buttons such as Approve and Reject, you may not want everything displayed by Default User Form displayed in the work item form. Typically, you can factor out the fields in the user form into a form library that can be referenced by both the user forms and the work item forms.
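The work item form below adds the Approve and Reject buttons and the comments field the note above refers to. It is an added illustration, not the product's Approval form. It assumes the Button display class with label, command and value properties, the button='true' field attribute, the TextArea display class, the XPRESS cond and notnull functions, and that the workflow reads a variable named approved; all of these are assumptions about the surrounding workflow and form syntax.

```xml
<Form name='Custom Approval'>
  <Include>
    <ObjectRef Type='UserForm' name='Default User Form'/>
  </Include>

  <!-- Show the user view copied into the work item. baseContext prepends
       variables.user to every path in the referenced form, so its
       global.email field resolves to variables.user.global.email here. -->
  <FormRef name='Default User Form' baseContext='variables.user'/>

  <!-- Free-text justification, copied back into the workflow task and
       therefore into the audit trail of the approval. -->
  <Field name='variables.comments'>
    <Display class='TextArea'>
      <Property name='title' value='Comments'/>
    </Display>
  </Field>

  <!-- Each button posts a value into the (assumed) workflow variable
       'approved' and saves the view; a button's value is only assigned
       when that button is the one pressed. -->
  <Field name='variables.approved' button='true'>
    <Display class='Button'>
      <Property name='label' value='Approve'/>
      <Property name='command' value='Save'/>
      <Property name='value' value='true'/>
    </Display>
  </Field>
  <Field name='variables.approved' button='true'>
    <Display class='Button'>
      <Property name='label' value='Reject'/>
      <Property name='command' value='Save'/>
      <Property name='value' value='false'/>
    </Display>
  </Field>

  <!-- Hidden field (no Display): the workflow resumes only when complete
       is true. Deriving it from the button value means a plain refresh
       of the page, where approved is still null, does not resume the
       workflow with an undecided result. -->
  <Field name='complete'>
    <Expansion>
      <cond>
        <notnull><ref>variables.approved</ref></notnull>
        <s>true</s>
        <s>false</s>
      </cond>
    </Expansion>
  </Field>
</Form>
```

The workflow's manual action must expose approved and comments as editable variables for the values to be copied back; otherwise the buttons save the view but the process definition never sees the decision.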
WorkItem List View
Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.
This view handler gathers information about:
The view is used in the Approvals page of the Identity Manager Administrator Interface. The default form used with this view is named Work Item List.
The following table lists the top-level WorkItem List view attributes.
Table 36. WorkItem List View Attributes
authType
Specifies access to work items by type. For example, there is a built-in authorization type called EndUserRule. All end-users implicitly get access to all rules tagged with the EndUserRule authorization type.
userId
Specifies the name of the Identity Manager user whose work items are contained in the workItem list. Initially, this value is the name of the current session user. The value can be null to indicate that the work items for all controlled users with approver rights should be displayed. This is always the Identity Manager user name, never a display name.
The form must not modify this value. To change users, set the user attribute.
user
Specifies the display name of the Identity Manager user whose work items are listed. This value is the same as userId if display names are not used. The form can modify this value, which causes the system to recalculate the work item list during refresh. A null value indicates that all work items are being displayed.
self
Set to true if the userId is the same as the current session user.
forwardedUser
When set, indicates that the user named by userId has elected to have work items forwarded to another user. The other user is identified by its display name.
users
Lists the display names of Identity Manager users that the current user controls and that have work item capabilities. This value is typically used to build a user select box. If a custom form needs to compute the user list in a different way, set CustomUserLists, either as a view option or as a form property.
userIds
Typically null. If you are configured to use alternate display names, then the users list contains display names, and this list contains the true repository names.
forwardingUsers
Lists the display names of Identity Manager users to which the current user can forward work items. This is defined as similar users who have both WorkItem rights and control at least one of the same organizations as the current user.
itemType
When set, the work items in the list will be filtered to contain only those whose item type matches this value. This gives the WorkItemList view the ability to filter the item list based on the work item type.
forwardingUserIds
Typically null. If you are configured to use alternate display names, then the forwardingUsers list will have display names, and this list will have the true repository names.
workItems
Lists the objects that contain information about the work items for the selected user(s). The object names are the repository IDs of the work items.
workItems[].owner
Specifies the display name of the owner. Set only if user is null and all work items are displayed.
workItems[].request
Supplies a brief description of the object being requested. This value is computed by the WorkItemRequest expression of the manual action in the workflow process.
workItems[].requester
Identifies the display name of the user that made the request.
workItems[].description
Provides a more detailed description of the work item. The value is computed by the WorkItemDescription expression of the manual action in the workflow process. The description is typically displayed in tables that summarize the work items for a user, and is often displayed in a work item form.
workItems[].selected
Individual item selection flag. An alternative to selectedWorkItems.
selectedWorkItems
Lists the work item IDs that represent the items to be processed by the next action. An alternative to setting the selected attribute inside the work item object, which is easier for SortingTable components. If both this attribute and individual select flags are set, the value of this attribute takes precedence.
forwardTo
Identifies the name of an Identity Manager user to which all selected work items will be forwarded when the action attribute is set to Forward.
forwardToNow
Similar to forwardTo, but also an action attribute: it copies its value to forwardTo, sets action to Forward, and processes the refresh as if forwardTo and action had been set independently. Use this attribute if you want the form to process the forwarding immediately after a user is selected from a form component. If you would rather control forwarding with a button, have the form component set the forwardTo attribute and have the button post an action value of Forward.
action
(String) When non-null, initiates an operation on the selected work items.
Valid values include:
If the NoConfirm option is set, the action is processed immediately. Otherwise, Identity Manager waits for the confirm attribute to be set to true. The form is expected to define its own confirmation page rendering.
confirm
(Boolean) Indicates that the operation specified in the action attribute can be performed.
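The button-driven forwarding arrangement described under forwardTo and forwardToNow, written out as a form fragment. This is an added illustration, not the product's Work Item List form. The Select and Button display classes, the allowedValues property fed from the forwardingUsers list, the Recalculate command used to trigger the refresh on which the action is processed, and the NoConfirm property being honoured when set from the form are assumptions about the form syntax; the form name is arbitrary.

```xml
<Form name='Custom Work Item List'>
  <Properties>
    <!-- Skip the confirm round-trip: the action runs on the refresh
         that the Forward button triggers (assumed behaviour). -->
    <Property name='NoConfirm' value='true'/>
  </Properties>

  <!-- The target is chosen from the list the view handler computed:
       users with WorkItem rights who control at least one organization
       in common with the current user. Restricting the choice to that
       list keeps the form from forwarding approvals to an arbitrary
       account that was never entitled to see them. -->
  <Field name='forwardTo'>
    <Display class='Select'>
      <Property name='title' value='Forward selected work items to'/>
      <Property name='allowedValues'>
        <ref>forwardingUsers</ref>
      </Property>
    </Display>
  </Field>

  <!-- The button only posts the action; forwardTo was already set by the
       Select above, so both attributes reach the view handler together. -->
  <Field name='action' button='true'>
    <Display class='Button'>
      <Property name='label' value='Forward'/>
      <Property name='command' value='Recalculate'/>
      <Property name='value' value='Forward'/>
    </Display>
  </Field>
</Form>
```

Which items are forwarded is governed by selectedWorkItems (or the per-item selected flags), which the table component of the full form sets; that part is omitted here. Without NoConfirm, the handler would instead wait for confirm to be set to true, and the form would have to render its own confirmation page.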
Using the variables Attribute
When editing an individual work item, the form can set work item variables, such as comments, to pass additional information about the approval or rejection into the workflow process for auditing.
You can also set arbitrary work item variables when performing actions in the WorkItemList view. The value of the attribute variables can be set to an object whose attributes will be copied into the work item when it is approved or rejected. For example, if the variables object contains an attribute named comments, the same comments will be saved with every selected work item.
Example
<Field name='variables.comments'>
  <Default>
    <concat>
      <s>Approval performed on </s>
      <invoke class='com.waveset.util.Util' name='dateToString'>
        <new class='java.util.Date'/>
      </invoke>
    </concat>
  </Default>
</Field>
View Options
You can specify the following options when the view is created or refreshed to control the behavior of the WorkItemList viewer.
userId
Identifies the name of the initial user whose work items are to be displayed. Can be used to override the default, which is the current session user.
CustomUserLists
When set to true, indicates the form will generate both the users and forwardingUsers lists in a custom way and that the view handler should not generate them. Generating these lists can be time-consuming if there are many approvers in the system. If the form does not intend to use the default users and forwardingUsers lists, enable this option.
ForwardingApproverStyle
Specifies the types of administrators whose names will be available in the Forward to list. Can be set to one of these values:
You can set this and other view options as form properties:
<Form ...>
  <Properties>
    <Property name='ForwardingApproverStyle' value='peers'/>
  </Properties>
  ...
</Form>
NoUserListCache
When true, indicates that the view handler should not cache the users and forwardingUsers lists but instead recalculate them every time the form is refreshed. Since calculating the user lists can be expensive, it is generally preferred to cache them and refresh only when explicitly instructed by setting the action attribute to Refresh.
UserDisplayName
Can be set to the name of an extended user attribute whose value is to be used instead of the repository name in the user lists. This can also be specified in the UserUIConfig object, but it may be more convenient to set in the form.
NoUserDisplayName
When true, indicates that display names should not be used even if one is specified in the UserUIConfig object. You can set this option in a form to selectively override the UserUIConfig setting.
NoConfirm
When true, indicates that the action specified with the action attribute should be executed immediately without confirmation.
Setting View Options in Forms
View options can be conveniently set in the form used to render the Approvals page. To customize this form
In the custom form, you can then specify view options as properties of the form.
Example
<Form>
<Properties>
<Property name='CustomUserLists' value='true'/>
</Properties>
...
</Form>
Deferred Attributes
A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.
If the deferred attribute derives its value from another resource’s GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.
When to Use Deferred Attributes
Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.
Using Deferred Attributes
There are two main steps to defining a deferred attribute:
- Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user.
- Set the special attributes in the User view for the accounts that are to be created as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:
accounts[<resource>].deferredAttributes.<attname>.resource
accounts[<resource>].deferredAttributes.<attname>.attribute
where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name.
For example, assume a scenario with the following two resources: 1) a resource named LDAP that generates a uid attribute when an account is created; 2) a resource named HR with an attribute named directoryid, whose value is to be the same as uid on the LDAP resource.
The following form fields set the necessary view attributes to define this association.
<Field name='accounts[HR].deferredAttributes.directoryid.resource'>
  <Expansion><s>LDAP</s></Expansion>
</Field>
<Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
  <Expansion><s>uid</s></Expansion>
</Field>
Extending Views
Some views that set specific resource account attributes, such as the password or the enable flag, also allow you to set additional account attributes. For security, these extended attributes must be registered first: the registration is the allow-list that determines which extra attributes a form may push through the Password, Reset, Enable, Disable, Rename, and Delete views.
Attribute Registration
Attributes can be registered in one of two locations:
Table 37. Locations for Attribute Registration
You can register different attributes for different views. For example, you can register the lock attribute for the Password view and the firstname attribute for the Rename view.
Global Registration
To make global registrations (that is, registrations that apply to all resources), add an attribute in the System Configuration object with this path:
updatableAttributes.ViewName.ResourceTypeName
where ViewName is one of Password, Reset, Enable, Disable, Rename, or Delete, and ResourceTypeName is the name of the resource type. The type name all is reserved for registrations that apply to all resources.
The value of this attribute must be a List of Strings. The strings are names of the attributes you want to update.
The following example registers the attribute named delete before action in the Delete view (used when deprovisioning) and the attribute named enable before action in the Enable view, for all resources.
<Attribute name='updatableAttributes'>
  <Object>
    <Attribute name='Delete'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>delete before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
    <Attribute name='Enable'>
      <Object>
        <Attribute name='all'>
          <List>
            <String>enable before action</String>
          </List>
        </Attribute>
      </Object>
    </Attribute>
  </Object>
</Attribute>
Resource-Specific Registration
To make resource-specific registrations, modify the resource object from the Identity Manager Debug page and insert a <Views> subelement in the AccountAttributeType element. <Views> must contain a list of strings whose values are the names of the views in which this attribute can be updated.
<AccountAttributeType name='lastname' mapName='sn' mapType='string'>
  <Views>
    <String>Rename</String>
  </Views>
</AccountAttributeType>
In the view, attributes you want to modify are placed within this object, where ResourceName is the name of the resource whose account is being updated:
resourceAccounts.currentResourceAccounts[ResourceName].attributes
Example
<Field name='resourceAccounts.currentResourceAccounts[OS400ResourceName].attributes.delete before action' hidden='true'>
  <Expansion>
    <s>os400BeforeDeleteAction</s>
  </Expansion>
</Field>