The atg.userdirectory package contains the following interfaces, which represent each of the different types of objects that can exist in a user directory:
- atg.userdirectory.User
- atg.userdirectory.Organization
- atg.userdirectory.Role
- atg.userdirectory.RelativeRole (represents organizational roles)
- atg.userdirectory.DirectoryPrincipal
- atg.userdirectory.OrganizationalEntity
- atg.userdirectory.RoleFolder
Note that each of these interfaces contains methods that you can use to search for items in a user directory. These methods provide alternative and, in some cases, more flexible techniques for sorting user directory items than the implementations in the atg.userdirectory.droplet package described in the next section. For example, the atg.userdirectory.Organization interface contains methods for finding all users associated with a directory and for sorting them by first name, last name, login ID, or e-mail address.
In addition to the interfaces described above, the atg.userdirectory package contains the interface atg.userdirectory.UserDirectory, which manages the organizational tree, and the following additional classes:
- atg.userdirectory.RoleNotAssignableException
- atg.userdirectory.DirectoryModificationException
For information about the atg.userdirectory package, refer to the ATG Platform API Reference.
atg.userdirectory.UserDirectoryUserAuthority
A user authority (an implementation of the atg.security.UserAuthority interface) produces Persona objects that can be used as part of a security model to identify users and associate them with any roles that they may have. The atg.userdirectory.UserDirectoryUserAuthority class is a user authority that is designed for creating Persona objects specific to a user directory.
The UserDirectoryUserAuthority class supports the following items for identity lookup:
- user
- org
- role
- login
- orgpath
- rolepath
These identities can be included as PRINCIPAL_TYPE access control entries in Access Control Lists and then extracted, for example by an ACL parser. Access Control Entries use the following format:
UD_NAME '$' PRINCIPAL_TYPE '$' UD_PRINCIPAL_KEY
where UD_NAME is the name of the user directory (for example, Profile), and UD_PRINCIPAL_KEY is the primary key used for looking up the principal in the given user directory. The following table gives example access control entries for the identities that the UserDirectoryUserAuthority class supports:
| PRINCIPAL_TYPE | UD_PRINCIPAL_KEY | Example |
|---|---|---|
| | Profile ID | |
| | Profile ID | |
| | Profile ID | |
| | Login name | |
| | The path to the organization | |
| | The organizational role, by organizational path and function name | |
| | The path to the role | |
For more information on access control entries, refer to ACL Syntax in the Repository Guide.
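The identity format above can be validated before entries are placed in an ACL, so that a misspelled directory name or principal type is reported instead of silently failing to resolve. The following Python is an added example, not ATG code: the `Profile` allow-list, case-sensitive matching, the handling of `$` inside a key, and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
# The six identity types this page lists for UserDirectoryUserAuthority.
PRINCIPAL_TYPES = {"user", "org", "role", "login", "orgpath", "rolepath"}

@dataclass(frozen=True)
class UdIdentity:
    ud_name: str         # user directory name, e.g. "Profile"
    principal_type: str  # one of PRINCIPAL_TYPES
    key: str             # primary key looked up in that directory

def parse_identity(text, known_directories=("Profile",)):
    """Parse UD_NAME$PRINCIPAL_TYPE$UD_PRINCIPAL_KEY or raise ValueError."""
    # Assumption: only the first two '$' separate fields; matching is case-sensitive.
    parts = text.split("$", 2)
    if len(parts) != 3:
        raise ValueError("expected UD_NAME$PRINCIPAL_TYPE$UD_PRINCIPAL_KEY")
    ud_name, ptype, key = parts
    if ud_name not in known_directories:
        raise ValueError(f"unknown user directory {ud_name!r}")
    if ptype not in PRINCIPAL_TYPES:
        raise ValueError(f"unsupported principal type {ptype!r}")
    if not key or key != key.strip():
        raise ValueError("empty or whitespace-padded principal key")
    return UdIdentity(ud_name, ptype, key)

def audit(identities, known_directories=("Profile",)):
    """Return (parsed, rejected) so malformed entries are reported, not skipped."""
    parsed, rejected = [], []
    for text in identities:
        try:
            parsed.append(parse_identity(text, known_directories))
        except ValueError as err:
            rejected.append((text, str(err)))
    return parsed, rejected

# Constructed sample identities; the keys and paths are made up for illustration.
SAMPLE = [
    "Profile$user$100001",
    "Profile$login$jsmith",
    "Profile$orgpath$/Acme/Sales",
    "Profile$User$100001",   # wrong case for the type
    "Profil$role$200002",    # misspelled directory name
    "Profile$login$",        # missing key
    "Profile$role",          # too few fields
]

if __name__ == "__main__":
    for text, reason in audit(SAMPLE)[1]:
        print(f"REJECT {text}: {reason}")
```

Pass the names of the user directories actually configured in your deployment as `known_directories`.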
The /atg/dynamo/security/UserAuthority component is the default implementation of the UserDirectoryUserAuthority class. Use the PrincipalResolver interface and the addPrincipalResolver() method in the UserDirectoryUserAuthority API to extend the UserDirectoryUserAuthority.

