The section provides definitions for the properties for the following abstraction layer nodes:
You can set the following kinds of properties on entities:
Access Properties control how the user application interacts with the entity.
NOTE: You can also access the access properties by selecting .
Table 3-6 Entity Access Properties
Table 3-7 Entity General Properties
Table 3-8 Entity Search Properties
Property Name | Description |
---|---|
Search Container | The distinguished name of the LDAP node or container where searching starts (the search root). For example: ou=sample,o=ourOrg. You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters. |
Search Scope | Specifies where the search occurs in relation to the search root. Values are: <Default>: This search scope is the same as selecting . Container: Search occurs in the search root DN and all entries at the search root level. Container and subcontainers: Search occurs in the search root DN and all subcontainers. This is the same as selecting <Default>. Object: Limits the search to the object specified. This search is used to verify the existence of the specified object. |
Search Time Limit [ms] | Specify a value in milliseconds or specify 0 for no time limit. |
Max Search Entries | Specify the maximum number of search result entries you want returned for a search. Specify 0 if you want to use the runtime setting. Recommendations: Set between 100 and 200 for greatest efficiency. Do not set over 1000. |
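The following added example (not code from the product or its documentation) models how the Search Container, Search Scope and Max Search Entries settings decide which entries an entity definition can return, which is useful when reviewing whether a definition reaches further into the tree than intended. The sample DNs, the runtime limit of 100 and the reading of Container as "the search root plus its immediate children" are assumptions.

```python
# Added example (not product code): which constructed DNs an entity's
# Search Container / Search Scope / Max Search Entries settings can return.
RUNTIME_MAX_ENTRIES = 100  # assumed runtime setting, used when the property is 0

ENTRIES = [  # constructed sample directory
    "ou=sample,o=ourOrg",
    "cn=alice,ou=sample,o=ourOrg",
    "ou=contractors,ou=sample,o=ourOrg",
    "cn=carol,ou=contractors,ou=sample,o=ourOrg",
    "cn=admin,ou=system,o=ourOrg",
]

def rdns(dn):
    """Split a simple DN (no escaped commas) into case-folded RDNs."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def in_scope(entry_dn, root_dn, scope):
    """True if entry_dn is selected by the given scope relative to root_dn."""
    entry, root = rdns(entry_dn), rdns(root_dn)
    depth = len(entry) - len(root)
    if depth < 0 or entry[depth:] != root:
        return False  # not at or below the search root
    if scope == "Object":
        return depth == 0
    if scope == "Container":  # assumed: the root plus its immediate children
        return depth <= 1
    if scope in ("<Default>", "Container and subcontainers"):
        return True
    raise ValueError(f"unknown search scope: {scope!r}")

def search(entries, root_dn, scope, max_entries=0):
    """Return (results, truncated) after applying the scope and entry cap."""
    limit = max_entries or RUNTIME_MAX_ENTRIES
    hits = [dn for dn in entries if in_scope(dn, root_dn, scope)]
    return hits[:limit], len(hits) > limit

if __name__ == "__main__":
    for scope in ("Object", "Container", "<Default>"):
        print(scope, search(ENTRIES, "ou=sample,o=ourOrg", scope))
```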
Table 3-9 Entity Create Properties
Property Name | Definition |
---|---|
Create Container | The name of the container where a new entity of this type is created. You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters. If you do not specify this value, then the Create portlet prompts the user to specify a container for the new object. The portlet uses the search root specified in the entity definition as the base and allows the user to drill down from there. If there is no search-root specified in the entity definition then it uses the root DN specified during the user application installation. |
Naming Attribute | The naming attribute of the entity. It is the relative distinguished name (RDN). This value is only necessary for entities where the access parameter Create is selected. |
The directory abstraction layer editor allows you to use predefined parameters for certain values.
Table 3-12 Predefined Parameters
You can set the following kinds of properties on attributes:
NOTE: You can set attribute access for all of an entity’s attributes by selecting .
Table 3-13 Attribute Access Properties
Table 3-16 Attribute UI Control Properties
Property Name | Description |
---|---|
Data Type | Choose a data type from the following list: |
Format Type | Used by the user application to format data. Format types include: The Format Types are dependent on the data type. For example, a Time data type can only be associated with Date and DateTime formats. |
Control Type | Types include: |
 | DNLookup: Defines that this attribute contains a DN reference. Use when you want to: The user application uses this information to generate special user interface elements (such as an object selector), and to perform optimized searches based on the DNLookup definition. For more information on defining this property, see the DNLookup Property Reference. For more information on the object selector dialog box, see Section 6.6.2, Controlling the Object Selector. |
 | Global List: Display this attribute as a drop-down list whose contents are defined in a file outside of this attribute definition. For more information, see Section 3.3, Working with Lists. |
 | Local List: Display this attribute as a drop-down list whose contents are defined with this attribute. To define a local list: |
 | Range: Use the Range control type with Integer data types to restrict user input to a sequential range of values. You supply the range’s start and end values. |
Table 3-17 DNLookup Display Properties
Table 3-18 DNLookup Detail Properties
The DNLookup Relational Integrity properties are used for synchronizing data between two objects such as groups and group members.
Table 3-19 DNLookup Relational Integrity Properties
When you define an attribute as a DNLookup control type, it means that:
This attribute can be used in an object selector dialog which allows users to select from a list of possible values when searching on this attribute.
When this attribute is created, populated, or deleted through the user application, an attribute on a related entity is updated appropriately depending on the user action (create, delete, update) to maintain referential integrity.
The DNLookup Display properties for a particular attribute define the contents of the object selectors in the user application. Object selectors are displayed by the Identity Self-Service portlets and in workflow request and approval forms. They provide a convenient way for users to search and select objects that represent DNs (such as users or groups). The object selector displays a drop-down list of attributes; the user can select one of the attributes and then enter search criteria for that attribute. In this example, the user searches for groups by group description.
Figure 3-2 Sample Object Selector
The result of the user's selection looks like this:
Figure 3-3 Sample Object Selector Results
The DNLookup display properties control the contents of the object selector and the result set. The object selector, shown above, displays this way because it was based on the group attribute of the user entity. The group attribute is defined as a DNLookup control type as shown here:
Figure 3-4 Group DNLookup Definition
This definition also controls the way identity portlets provide a selection list of groups for a user. For example, a user might choose to do a Directory Search to find a user in a group, but the group name is unknown. The user would select User as the object to search for and select group as the search criteria like this:
Because the members attribute is a DNLookup for the user entity, the icon displays. If the user selects it, then a list of possible groups displays. The user can select a group from the list and all of the members of that group are displayed.
NOTE: When the Perform Automatic Query property is not selected (false), the object selector is not populated when first displayed to the user and the user must enter selection criteria. The example above illustrates the object selector that displays when the Perform Automatic Query property is selected (true).
DNLookups for updates and synchronization are important because LDAP allows group relationships to map in both directions. For example, your data might be set up so that:
The User object contains a group attribute. The group attribute is multi-valued and lists all of the groups to which a user belongs.
The Group object contains a user attribute. The user attribute is multi-valued and lists all of the users that belong to the group.
This means that you can have an attribute on the user object that shows all the groups a user belongs to, and on the Group object you have a DN attribute that includes all the members of that group.
When the user requests an update, the user application must honor the relationships and ensure that the target and source attributes are synchronized. In the DNLookup, you specify both attributes that must be synchronized. You can use this technique to provide synchronization between any objects that are related, not just group structural objects. Create this kind of DNLookup control type by specifying the advanced DNLookup properties described in the DNLookup Relational Integrity properties reference.
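The following added example (not code from the product or its documentation) shows the bidirectional relationship described above as a check and a repair: it finds memberships recorded on only one of the two entries, then applies an update to both attributes together. A one-sided link matters for access review because the answer to "is this user in this group?" then depends on which attribute is read. The attribute names `groupMembership` and `member` and all sample DNs are hypothetical.

```python
# Added example (not product code): detect and repair one-sided user/group links.
USER_GROUP_ATTR = "groupMembership"  # hypothetical name for the User's group attribute
GROUP_USER_ATTR = "member"           # hypothetical name for the Group's user attribute

def norm(dn):
    """Case-fold a simple DN and drop spaces around RDNs so equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def sample_directory():
    """Constructed entries: alice->hr and admins->bob are each recorded on one side only."""
    users = {
        "cn=alice,ou=users,o=ourOrg": {USER_GROUP_ATTR: [
            "cn=admins,ou=groups,o=ourOrg", "cn=hr,ou=groups,o=ourOrg"]},
        "cn=bob,ou=users,o=ourOrg": {USER_GROUP_ATTR: []},
    }
    groups = {
        "cn=admins,ou=groups,o=ourOrg": {GROUP_USER_ATTR: [
            "CN=alice, ou=users, o=ourOrg", "cn=bob,ou=users,o=ourOrg"]},
        "cn=hr,ou=groups,o=ourOrg": {GROUP_USER_ATTR: []},
    }
    return users, groups

def integrity_gaps(users, groups):
    """Return sorted (user_dn, group_dn, side_missing_the_link) tuples."""
    on_user = {(norm(u), norm(g)) for u, e in users.items()
               for g in e.get(USER_GROUP_ATTR, [])}
    on_group = {(norm(u), norm(g)) for g, e in groups.items()
                for u in e.get(GROUP_USER_ATTR, [])}
    return sorted([(u, g, "group") for u, g in on_user - on_group] +
                  [(u, g, "user") for u, g in on_group - on_user])

def set_link(users, groups, user_dn, group_dn, present):
    """Add or remove a membership on both entries in one step."""
    for entry, attr, value in ((users[user_dn], USER_GROUP_ATTR, group_dn),
                               (groups[group_dn], GROUP_USER_ATTR, user_dn)):
        kept = [v for v in entry.get(attr, []) if norm(v) != norm(value)]
        entry[attr] = kept + [value] if present else kept

if __name__ == "__main__":
    users, groups = sample_directory()
    print(integrity_gaps(users, groups))
```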
Table 3-20 Relationship Properties
NOTE: The Org Chart portlet does not fully support dynamic groups; you cannot define a dynamic group as the Parent entity, but you can define a dynamic group as the child entity.