Sun Java System Identity Manager 2005Q4M3 Technical Deployment Overview
A
Editing Configuration Objects
This chapter introduces an Identity Manager component called configuration objects. Editing configuration object properties is one way of implementing persistent changes to Identity Manager behavior.
About Configuration Objects
Configuration objects store persistent customizations to Identity Manager. They are cached object types, which means that all configuration objects are brought into memory, and the cache is subsequently flushed, whenever a configuration object is changed.
See the Identity Manager Architectural Overview chapter for a discussion of the Identity Manager object architecture and how configuration objects interact with other Identity Manager components.
Viewing and Editing Configuration Objects
Use the Business Process Editor to view configuration and generic objects. You can access these miscellaneous configuration objects from the BPE under the Configuration Object category.
- From the Business Process Editor main window, select File > Open Repository Object from the menu bar.
Tip: You can also use the Ctrl-O shortcut.
- If prompted, enter the Identity Manager Configurator name and password in the login dialog, and then click Login. The Select objects to edit dialog displays.
- Double-click an object type to display all the objects that you have permission to view for that type.
- Select a process or object, and then click OK. The Object window for the selected object displays, providing the following object views (tabs): Main, Repository, and XML.
For more information on using the Business Process Editor (BPE), see Introduction to the Business Process Editor in Identity Manager Deployment Tools.
UserUIConfig Object
The UserUIConfig object controls Identity Manager User and Administrator Interface displays for account searching and editing, as well as internal system functions.
Configure this object at deployment time to improve performance of Identity Manager.
Use this object to:
- Control the columns that are displayed in the Accounts applet and Find Results pages (SummaryAttrNames)
- Define the attributes that users can search on within your identity deployment -- that is, the queryable attributes (QueryableAttrNames)
- Define the attributes that are stored in a separate column on the userobj table for optimal searching (RepoIndexAttrs)
Note: This object controls system behavior at a fundamental level. Editing this object has widespread effects on system performance. Edit cautiously.
Viewing and Editing this Object
You can view this object, along with other configuration and generic system objects, using the Business Process Editor (BPE). For information on using the BPE to access this object, see Introduction to the Business Process Editor in Identity Manager Deployment Tools.
Refreshing Users
If you add or delete attributes from the SummaryAttrNames, QueryableAttrNames, and RepoIndexAttrs sections of this object, you must update all users by subsequently refreshing them as follows:
After editing this object, you must run a refreshType import command on all user objects for the summary attributes to be available. If many users must be refreshed, this can be a time-consuming process.
You can import a file as follows:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
<ImportCommand type='refreshType' targetType='User' />
</Waveset>
Attribute Types
Summary attributes expose information that users can retrieve using the list command. You can configure these attributes through the SummaryAttrTypes and SummaryAttrNames sections. To include an attribute in the Find Results columns or the applet list columns display, include it as a summary attribute in this section.
Queryable attributes define the attributes that users can search on within Identity Manager. These attributes are defined in the QueryableAttrNames section of this object.
Inline Queryable attributes are stored in the main table (userobj) rather than the associated table (userattr). These attributes must be single-valued. Querying on inline attributes is much faster than accessing the associated attribute table. These attributes are contained in the RepoIndexAttrs section of this object.
Object Attributes
The attributes described here comprise a subset of the default UserUIConfig object attributes. The attributes you see in your deployment may vary.
SummaryAttrNames
Attributes that are members of the SummaryAttrNames object are designated as summary attributes. Identity Manager displays summary attributes in product list results. These attributes must be a superset of the AppletColumns and Find Results lists, but do not need to be included in the QueryableAttrNames list.
When editing this object, do not remove the MemberObjectGroups attribute. This attribute is used for fast authorizations.
The following attributes are the default summary attributes provided by Identity Manager. name and id are built-in summary attributes and are not described here. You can add attributes to this list.
role
Identifies the Identity Manager roles. Role IDs are separated by a vertical bar (|).
res
Lists resource names separated by a comma. If the number of elements in this list exceeds the value of SummaryAttrResourceCountLimit, this list is truncated, and Identity Manager appends an ellipsis (...).
prov
Specifies the provisioning level. This determines how many Identity Manager-assigned resources have been provisioned on the resource. (0 = none, 1 = some, 2 = all)
dis
(Boolean) Indicates whether the user is disabled.
MemberObjectGroups
Specifies the organization that this member belongs to. Do not remove this attribute.
fullname, lastname, firstname
Specifies the user’s fullname, lastname, and firstname attribute, respectively.
QueryableAttrNames
Specifies the attributes that users can search on in Identity Manager. You can add attributes to this list.
Default queryable attributes include:
AppletColumns
Specifies the names of the columns to be displayed on the List Accounts page. Edit this list to change the contents of the columns that the List Accounts page displays. Columns named in this list must be included in SummaryAttrNames (or the values will show up blank in the product interface). The list consists of GenericObjects for each column. Supported attributes are:
- width — (Valid for applet implementation only) Specifies the initial width of the column. If omitted (or zero), the applet assigns a default initial width to the column.
- sortBy — (Valid for applet implementation only) If present, identifies the column the applet will sort by initially. If more than one column is designated, the left column is used.
- label — (Valid for both applet and treetable implementations) Specifies the message key to use for the localized column name.
ShowListCache
Indicates whether to show the Clear List Cache button on the List Accounts page.
TemporarySummaryAttrResourceCountLimit
Specifies the number of resources in the resource summary. An excessive number will trigger a resource schema violation. The default value is 3.
PolicyAccountAttributeNames
Defines the attributes that appear in pop ups for an accountId policy. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include email, firstname, fullname, and lastname.
PolicyPasswordAttributeNames
Defines the attributes that appear in pop ups for a password policy. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include accountId, email, firstname, fullname, and lastname.
PolicyOtherAttributeNames
Defines the attributes that appear in pop ups for other policy types. These attributes must match attributes that can be found on the User object. You can add any attribute that is included in a user form. Default values include accountId, email, firstname, fullname, and lastname.
PolicySpecialChars
Specifies the characters to include in the string quality policy for forced exclusion or inclusion. Password and account ID policies allow specifying rules about maximum number of special characters and minimum number of special characters.
TaskBarPages
Defines the paths of the JSP pages in the Identity Manager Administrator interface for which to display the task bar at the bottom of the page. For example, when you create a new user in Identity Manager, you see Create User at the bottom of the accounts page. This is because accounts/list.jsp is included in the TaskBarPages element by default.
RepoIndexAttrs
Defines the attributes that are copied into the waveset.userobj table and indexed to facilitate searching. Any attribute named here must also be queryable.
Edit this object to enhance search performance. This list can contain only five attributes, and these map to the ATTR1-ATTR5 database columns. By default, IDM indexes firstname, lastname, and MemberObjectGroups. However, you can add an additional two attributes for fast searching. For example, if your deployment contains the extended attribute departmentNumber, you could add it here, ensuring that it is included in all repository searches. If you know that you will not need firstname, lastname, or MemberObjectGroups, you can replace these attributes with other attributes.
Note: If you don't index a queryable attribute, you can still use it in a search, but the performance may be much slower depending upon how many users are in the database and how many people are running searches simultaneously.
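The cross-section rules stated above (MemberObjectGroups must stay in SummaryAttrNames, AppletColumns must be summary attributes, RepoIndexAttrs is limited to five queryable attributes) can be checked before an edited object is imported. The following is an added example, not part of the product or its documentation; the XML layout in SAMPLE is a constructed, simplified stand-in rather than the real exported object format, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an ASSUMED simplified layout (not the product's export format).
SAMPLE = """
<UserUIConfig>
  <List name='SummaryAttrNames'>
    <String>role</String><String>res</String><String>lastname</String>
  </List>
  <List name='QueryableAttrNames'>
    <String>lastname</String><String>MemberObjectGroups</String>
  </List>
  <List name='AppletColumns'>
    <String>name</String><String>lastname</String><String>departmentNumber</String>
  </List>
  <List name='RepoIndexAttrs'>
    <String>lastname</String><String>MemberObjectGroups</String><String>departmentNumber</String>
  </List>
</UserUIConfig>
"""

BUILT_IN_SUMMARY = {"name", "id"}  # built-in summary attributes per the page
MAX_INDEXED = 5                    # RepoIndexAttrs map to ATTR1-ATTR5

def load_lists(xml_text):
    """Return {section name: [attribute names]} from the simplified layout."""
    root = ET.fromstring(xml_text)
    return {lst.get("name"): [(s.text or "").strip() for s in lst.findall("String")]
            for lst in root.findall("List")}

def check_user_ui_config(cfg):
    """Return a list of violations of the constraints the page documents."""
    summary = set(cfg.get("SummaryAttrNames", [])) | BUILT_IN_SUMMARY
    queryable = set(cfg.get("QueryableAttrNames", []))
    indexed = cfg.get("RepoIndexAttrs", [])
    problems = []
    if "MemberObjectGroups" not in summary:
        problems.append("SummaryAttrNames lacks MemberObjectGroups (used for fast authorizations)")
    for col in cfg.get("AppletColumns", []):
        if col not in summary:
            problems.append(f"AppletColumns entry '{col}' is not a summary attribute; column shows blank")
    if len(indexed) > MAX_INDEXED:
        problems.append(f"RepoIndexAttrs has more than {MAX_INDEXED} entries ({len(indexed)})")
    for attr in indexed:
        if attr not in queryable:
            problems.append(f"RepoIndexAttrs entry '{attr}' is not in QueryableAttrNames")
    return problems

if __name__ == "__main__":
    for line in check_user_ui_config(load_lists(SAMPLE)):
        print("VIOLATION:", line)
```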