3.7 Directory Abstraction Layer Property Reference

This section defines the properties of the following abstraction layer nodes:

3.7.1 Entity Properties

You can set the following kinds of properties on entities:

Entity Access Properties

Access Properties control how the user application interacts with the entity.

NOTE: You can also access the access properties by selecting DAL > Set Global Access.

Table 3-6 Entity Access Properties

Property Name

Description

Create

When selected, this object can be created by the user application.

Edit

When deselected, this object is not changeable by the user application regardless of the underlying ACLs.

When selected, this object might be changeable, but the Identity Vault ACLs are used to determine this.

View

When selected, this object can be displayed by the user application.

Remove

When selected, this object can be deleted by the user application.

Entity General Properties

Table 3-7 Entity General Properties

Property Name

Description

Key

The unique identifier for this entity. It defines the way the user application references this object.

Display Label

Defines how the object is shown in the user interface.

Class Name

The eDirectory object class name.

LDAP Name

The LDAP object class name.

Include in Search

When selected, this entity is searchable in the user application. Entities used in queries by identity portlets (such as Entity Search List or Entity Org Chart) must be selected (true).

Auxiliary Classes

A list of zero or more auxiliary classes for this entity. If adding auxiliary classes, you must specify the auxiliary class LDAP Name, Class Name, and whether or not it can be searched.

Entity Search Properties

Table 3-8 Entity Search Properties

Property Name

Description

Search Container

The distinguished name of the LDAP node or container where searching starts (the search root). For example:

ou=sample,o=ourOrg

You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters.

Search Scope

Specifies where the search occurs in relation to the search root. Values are:

<Default>: This search scope is the same as selecting Containers and subcontainers.

Container: Search occurs in the search root DN and all entries at the search root level.

Container and subcontainers: Search occurs in the search root DN and all subcontainers. This is the same as selecting <Default>.

Object: Limits the search to the object specified. This search is used to verify the existence of the specified object.

Search Time Limit [ms]

Specify a value in milliseconds or specify 0 for no time limit.

Max Search Entries

Specify the maximum number of search result entries you want returned for a search. Specify 0 to use the runtime setting. Recommendation: set a value between 100 and 200 for greatest efficiency; do not set a value over 1000.
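The following is an added example, not code from the Designer documentation or the user application itself. It models in memory how the Search Container, Search Scope and Max Search Entries properties above, together with the predefined parameters (%driver-root%, %user-root%, %group-root%), shape a directory search. The realm configuration values and directory entries are constructed sample data, and the reading of the three scope values (Object = root only, Container = root plus one level, Container and subcontainers = whole subtree) is an assumption made for the example.

```python
# Added example (not from the Designer documentation): an in-memory model of
# the Entity Search Properties and predefined parameters. The realm
# configuration and directory entries below are constructed sample data.
from dataclasses import dataclass

# What the predefined parameters resolve to; normally read from the realm
# configuration written at installation. Sample values only.
REALM_CONFIG = {
    "%driver-root%": "cn=UserApplication,cn=driverset1,o=ourOrg",
    "%user-root%": "ou=users,ou=sample,o=ourOrg",
    "%group-root%": "ou=groups,ou=sample,o=ourOrg",
}

# Constructed directory: only DNs are needed to demonstrate scope evaluation.
DIRECTORY = [
    "ou=sample,o=ourOrg",
    "ou=users,ou=sample,o=ourOrg",
    "cn=alice,ou=users,ou=sample,o=ourOrg",
    "cn=bob,ou=users,ou=sample,o=ourOrg",
    "ou=contractors,ou=users,ou=sample,o=ourOrg",
    "cn=carol,ou=contractors,ou=users,ou=sample,o=ourOrg",
    "ou=groups,ou=sample,o=ourOrg",
    "cn=admins,ou=groups,ou=sample,o=ourOrg",
]


def resolve_container(value, realm=REALM_CONFIG):
    """Return the DN for a Search/Create Container value, expanding a predefined
    parameter such as %user-root% from the realm configuration."""
    value = value.strip()
    return realm.get(value, value)


def dn_components(dn):
    """Split a DN into its RDNs, most specific first; a backslash-escaped comma
    stays inside its RDN. Case-folded so comparisons are case-insensitive."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p.lower() for p in parts]


def in_scope(entry_dn, search_root, scope):
    """True when entry_dn lies within the search defined by search_root + scope.
    Scope values are the DAL names. Reading assumed here: Object = the root entry
    only; Container = the root plus the entries directly beneath it;
    Container and subcontainers (and <Default>) = the whole subtree."""
    entry, root = dn_components(entry_dn), dn_components(search_root)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)
    scope = scope.strip().lower()
    if scope == "object":
        return depth == 0
    if scope == "container":
        return depth <= 1
    if scope in ("<default>", "container and subcontainers"):
        return True
    raise ValueError(f"unknown Search Scope: {scope!r}")


@dataclass
class EntitySearch:
    search_container: str
    search_scope: str = "<Default>"
    search_time_limit_ms: int = 0     # 0 = no time limit
    max_search_entries: int = 0       # 0 = use the runtime setting


def effective_size_limit(search, runtime_setting=200):
    """Max Search Entries of 0 defers to the runtime setting."""
    return search.max_search_entries or runtime_setting


def size_limit_warnings(search):
    """Flag values outside the documented recommendation (100-200, never > 1000)."""
    limit = search.max_search_entries
    if limit == 0:
        return []
    if limit > 1000:
        return ["Max Search Entries above 1000 is not recommended"]
    if not 100 <= limit <= 200:
        return ["Max Search Entries outside 100-200 is less efficient"]
    return []


def run_search(directory, search, runtime_setting=200):
    """Return (matching DNs capped at the size limit, truncated flag)."""
    root = resolve_container(search.search_container)
    limit = effective_size_limit(search, runtime_setting)
    hits = [dn for dn in directory if in_scope(dn, root, search.search_scope)]
    return hits[:limit], len(hits) > limit
```

Running `run_search(DIRECTORY, EntitySearch("%user-root%", "Object"))` returns only the user container itself, `"Container"` adds the three entries directly beneath it, and the default scope also reaches the contractor beneath the sub-container; the truncated flag tells the caller that a cap (the configured Max Search Entries or the runtime setting) was hit rather than silently returning a partial result set.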

Entity Create Properties

Table 3-9 Entity Create Properties

Property Name

Definition

Create Container

The name of the container where a new entity of this type is created.

You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters.

If you do not specify this value, then the Create portlet prompts the user to specify a container for the new object. The portlet uses the search root specified in the entity definition as the base and allows the user to drill down from there. If there is no search-root specified in the entity definition then it uses the root DN specified during the user application installation.

Naming Attribute

The naming attribute of the entity. It is the relative distinguished name (RDN). This value is only necessary for entities where the access parameter Create is selected.

Entity Edit Properties

Table 3-10 Entity Edit Properties

Property Name

Definition

Alternate Edit Entity

This entity defines the attributes displayed in the edit mode of the Detail portlet.

Select a name from the drop-down list, or select None if this entity is not displayed by the Detail portlet.

Entity Password Management Properties

Table 3-11 Entity Password Management Properties

Property Name

Definition

Password Attribute

Choose the attribute for storing the password for this entity.

Password required when attribute is created

If this property is selected, a password is required when this entity is created.

Using Predefined Parameters

The directory abstraction layer editor allows you to use predefined parameters for certain values.

Table 3-12 Predefined Parameters

Predefined Parameter

Description

%driver-root%

Represents the Provisioning Driver DN. This value is specified during user application configuration, at installation or in a later configuration, and is stored in the user application’s realm configuration.

%user-root%

Represents the User Container DN. This value is specified during user application configuration, at installation or in a later configuration, and is stored in the user application’s realm configuration.

%group-root%

Represents the Group Container DN. This value is specified during user application configuration, at installation or in a later configuration, and is stored in the user application’s realm configuration.

3.7.2 Attribute Properties

You can set the following kinds of properties on attributes:

Attribute Access Properties

NOTE: You can set attribute access for all of an entity’s attributes by selecting DAL > Set Attribute Access.

Table 3-13 Attribute Access Properties

Name

Description

Edit

When selected, this attribute can be edited/modified by the user application. Even if it is selected (true), the attribute might still not be editable if the underlying Identity Vault ACLs/effective rights prevent it.

Enable

When deselected, this attribute cannot be used by the user application. It is the same as removing the entry from the file.

Hide

Controls whether the Hide check box in the user application is enabled or disabled. The Hide check box allows users to control whether an attribute (such as their photo) is displayed by the application.

When deselected, the Hide check box is disabled for this attribute, so the user cannot choose to hide this attribute.

When selected, the Hide check box can be enabled in the user application. However, the following must also be true of the logged-in user. They:

  • Are either the owner of the attribute or a User Application Administrator.

  • Have Trustee rights to update the srvprvHideAttributes attribute on the Identity Vault.

    If these requirements are not met, then the Hide check box is disabled in the user interface even if this setting is selected (true).

HINT: When a user hides an attribute that contains an image, users who have viewed the image might continue to see it until their browser cache is refreshed.

Multivalue

Specifies whether this attribute can be multivalued, for example, a phone number.

When selected, the attribute can be multivalued.

Read

When selected, the user application can query this attribute. For most attributes this should be selected (true), but for some attributes, like password, it should be deselected.

Require

When selected, the attribute must be supplied.

Search

When selected, the user application can search on this attribute. Attributes that are used in queries by identity portlets (such as Entity Search List or Entity Org Chart) or request and approval forms must be selected.

HINT: If an attribute used in a search is also indexed in eDirectory, the search is faster.

View

When selected, the user application can display this attribute. In most cases this is selected, but for attributes like password, it should be deselected. If you specify it in a request or approval form, view must be selected.
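The following is an added example, not code from the Designer documentation or the user application. It shows the precedence the access properties above describe: a deselected entity or attribute flag denies the operation outright, regardless of the Identity Vault ACLs, while a selected flag only permits the operation if the Vault's effective rights also allow it. The entity and attribute definitions are constructed sample data, and reducing effective rights to a simple "read"/"write" set is an assumption made to keep the example self-contained.

```python
# Added example (not from the Designer documentation): how the entity and
# attribute access flags combine with Identity Vault effective rights.
# The entity and attribute definitions below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class EntityAccess:
    create: bool = False
    edit: bool = False
    view: bool = True
    remove: bool = False


@dataclass(frozen=True)
class AttributeAccess:
    edit: bool = False
    enable: bool = True
    read: bool = True
    require: bool = False
    search: bool = True
    view: bool = True


USER_ENTITY = EntityAccess(create=True, edit=True, view=True)
USER_ATTRIBUTES = {
    "FirstName": AttributeAccess(edit=True),
    "Email": AttributeAccess(edit=True, require=True),
    # Password: editable for self-service, but never read, searched or displayed.
    "UserPassword": AttributeAccess(edit=True, read=False, search=False, view=False),
}

# Simplification assumed here: the Vault's effective rights are reduced to
# "read" (needed for read, search and view) and "write" (needed for edit).
_RIGHT_NEEDED = {"read": "read", "search": "read", "view": "read", "edit": "write"}


def check_access(entity, attributes, name, operation, effective_rights):
    """Return (allowed, reason). Deselected DAL flags deny outright, regardless
    of ACLs; selected flags still defer to the Vault's effective rights."""
    if operation not in _RIGHT_NEEDED:
        raise ValueError(f"unknown operation {operation!r}")
    attr = attributes.get(name)
    # Enable deselected behaves as if the attribute were absent from the file.
    if attr is None or not attr.enable:
        return False, f"{name} is not enabled in the abstraction layer"
    entity_flag = entity.edit if operation == "edit" else entity.view
    if not entity_flag:
        return False, f"entity {operation} access is deselected"
    if not getattr(attr, operation):
        return False, f"attribute {name} has {operation} deselected"
    if _RIGHT_NEEDED[operation] not in effective_rights:
        return False, f"Identity Vault effective rights deny {operation} on {name}"
    return True, "allowed"


def missing_required(attributes, values):
    """Names of enabled attributes marked Require that the submitted values lack."""
    return sorted(n for n, a in attributes.items()
                  if a.enable and a.require and not values.get(n))
```

With this configuration a password change is permitted (Edit selected, Vault grants write) while a request to view or search the password attribute is refused before the Vault is even consulted, which is the behaviour the Read and View descriptions above call for.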

Attribute Required Properties

Table 3-14 Attribute Required Properties

Property Name

Description

Key

The unique identifier for the attribute.

Display Label

The label that is displayed in the user application.

Attribute Name

The eDirectory name for this attribute.

LDAP Name

The LDAP name for this attribute.

Attribute Filter and Format Properties

Table 3-15 Attribute Filter and Format Properties

Property Name

Description

Filter: WHERE Attribute

Lets you specify an LDAP filter on the Identity Vault search for this attribute.

Enable

When selected, the filter is enabled.

Attribute UI Control Properties

Table 3-16 Attribute UI Control Properties

Property Name

Description

Data Type

Choose a data type from the following list:

  • Binary

  • Boolean

  • DN

  • Integer

  • LocalizedString

  • String

  • Time

Format Type

Used by the user application to format data. Format types include:

  • None

  • AOL IM

  • Email

  • Groupwise IM

  • Image

  • Phone Number

  • Yahoo IM

  • Image URL

  • Date

  • DateTime

The Format Types are dependent on the data type. For example, a Time data type can only be associated with Date and DateTime formats.

Control Type

Types include:

DNLookup—Defines that this attribute contains a DN reference. Use when you want to:

  • Populate a list with the results of a DN search among related entities.

  • Maintain referential integrity across DN referenced attributes during updates and deletes.

  • Use the attribute in an object selector dialog box. Object selectors are used by certain identity portlets, such as detail, and are also available to the form controls you can define for provisioning request and approval forms.

The user application uses this information to generate special user interface elements (such as an object selector), and to perform optimized searches based on the DNLookup definition.

For more information on defining this property, see the DNLookup Property Reference. For more information on the object selector dialog box, see Section 6.6.2, Controlling the Object Selector.

Global List—Display this attribute as a drop-down list whose contents are defined in a file outside of this attribute definition.

For more information, see Section 3.3, Working with Lists.

Local List—Display this attribute as a drop-down list whose contents are defined with this attribute. To define a local list:

  1. With the attribute selected, set the control type to Local List.

  2. Click the Add button to add more values. Use the up-arrow and down-arrow buttons to change the position of the item in the list.

    In the Value column, type the value to write to the Identity Vault. It can include letters, numbers, and the underscore (_) character.

  3. In the Labels column, type the text you want displayed in the user interface.

Range—Use the Range control type with Integer data types to restrict user input to a sequential range of values. You supply the range’s start and end values.

DNLookup Property Reference

Table 3-17 DNLookup Display Properties

Property Name

Description

Lookup Entity

The name of the entity to search, for example, the Task Group entity contains an attribute for Task Manager. To populate that field, you’d need to know which users are Task Managers.

Lookup Attributes

Choose one or more attributes to display when a search is performed.

Perform Automatic Query

Defines how the Lookup Attributes are displayed.

  • When selected, the form or portlet performs an automatic query of the entity and presents the results in a selectable list. This option is not recommended if a large amount of data can be returned because it forces the user to scroll through a large result set.

  • When deselected, allows the user to specify the search criteria for the entity query, then presents the results in a selectable list.

Table 3-18 DNLookup Detail Properties

Property Name

Description

Detail entity

The key of the entity whose details you want displayed if the user requests more information by clicking a hypertext link in the user application. When you define a DNLookup, the identity portlets are able to provide a hypertext link that allows users to display the details of the linked object.

The DNLookup Relational Integrity properties are used for synchronizing data between two objects such as groups and group members.

Table 3-19 DNLookup Relational Integrity Properties

Property Name

Description

Source Attributes to Update

Name of the attribute to update. The attribute must contain a DN reference to the Target Attributes to Update. This is required to synchronize attributes on two different objects.

Target Attributes to Update

Name of the attribute that must be updated along with the Source Attributes to Update. This is an LDAP attribute name. This is required to synchronize attributes on two different objects. The attribute must contain a DN reference.

Target Auxiliary Classes Needed, if any

Name of the auxiliary class that contains the Target Attributes to Update.

Understanding DNLookup Attributes

When you define an attribute as a DNLookup control type, it means that:

  • This attribute can be used in an object selector dialog which allows users to select from a list of possible values when searching on this attribute.

  • When this attribute is created, populated, or deleted through the user application, an attribute on a related entity is updated appropriately depending on the user action (create, delete, update) to maintain referential integrity.

DNLookups for Object Selectors

The DNLookup Display properties for a particular attribute define the contents of the object selectors in the user application. Object selectors are displayed by the Identity Self-Service portlets and in workflow request and approval forms. They provide a convenient way for users to search for and select objects that represent DNs (such as users or groups). The object selector displays a drop-down list of attributes; the user can select one of the attributes and then enter search criteria for that attribute. In this example, the user searches for groups by group description.

Figure 3-2 Sample Object Selector

The result of the user’s selection looks like this:

Figure 3-3 Sample Object Selector Results

The DNLookup display properties control the contents of the object selector and the result set. The object selector, shown above, displays this way because it was based on the group attribute of the user entity. The group attribute is defined as a DNLookup control type as shown here:

Figure 3-4 Group DNLookup Definition

This definition also controls the way identity portlets provide a selection list of groups for a user. For example, a user might choose to do a Directory Search to find a user in a group, but the group name is unknown. The user would select User as the object to search for and select group as the search criteria like this:

Because the members attribute is a DNLookup for the user entity, the Lookup icon displays. If the user selects it, then a list of possible groups displays.

The user can select a group from the list and all of the members of that group are displayed.

NOTE: When the Perform Automatic Query property is not selected (false), the object selector is not populated when first displayed to the user and the user must enter selection criteria. The example above illustrates the object selector that displays when the Perform Automatic Query property is selected (true).

DNLookups for Referential Integrity

DNLookups for updates and synchronization are important because LDAP allows group relationships to map in both directions. For example, your data might be set up so that:

  • The User object contains a group attribute. The group attribute is multi-valued and lists all of the groups to which a user belongs.

  • The Group object contains a user attribute. The user attribute is multi-valued and lists all of the users that belong to the group.

This means that you can have an attribute on the user object that shows all the groups a user belongs to, and on the Group object you have a DN attribute that includes all the members of that group.

When the user requests an update, the user application must honor the relationships and ensure that the target and source attributes are synchronized. In the DNLookup, you specify both attributes that must be synchronized. You can use this technique to provide synchronization between any objects that are related, not just group structural objects. Create this kind of DNLookup control type by specifying the advanced DNLookup properties described in the DNLookup Relational Integrity properties reference.
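The following is an added example, not the user application's own synchronization code, of the update the Relational Integrity properties imply: when the Source Attributes to Update value on one object changes, the Target Attributes to Update on each referenced object gains or loses the reverse reference, and the Target Auxiliary Class is attached first if the target attribute lives on one. The attribute names (groupMembership on User, member on Group), the auxiliary class name and the directory contents are constructed sample data.

```python
# Added example (not the user application's code): the synchronization that a
# DNLookup with Relational Integrity properties implies. Source Attributes to
# Update = the attribute being edited; Target Attributes to Update = the LDAP
# attribute on the referenced object. The directory below is constructed data.
from dataclasses import dataclass


@dataclass(frozen=True)
class DNLookupIntegrity:
    source_attribute: str          # e.g. "groupMembership" on User (assumed name)
    target_attribute: str          # e.g. "member" on Group (assumed name)
    target_aux_class: str = ""     # Target Auxiliary Classes Needed, if any


def _norm(dn):
    return dn.strip().lower()


def _find(directory, dn):
    """Look up an entry by DN, case-insensitively; raise if the reference dangles."""
    for key in directory:
        if _norm(key) == _norm(dn):
            return key
    raise KeyError(f"dangling DN reference: {dn}")


def _remove_value(values, dn):
    return [v for v in values if _norm(v) != _norm(dn)]


def _add_value(values, dn):
    return values if any(_norm(v) == _norm(dn) for v in values) else values + [dn]


def update_source(directory, entity_dn, new_values, lookup):
    """Replace entity_dn's source attribute with new_values and mirror the change
    on each referenced object's target attribute. Returns the target
    modifications applied, as (target_dn, "add"|"delete", value) tuples."""
    key = _find(directory, entity_dn)
    for v in new_values:
        _find(directory, v)   # fail before touching anything if a reference dangles
    entry = directory[key]
    old = {_norm(v): v for v in entry.get(lookup.source_attribute, [])}
    new = {_norm(v): v for v in new_values}
    mods = []
    # References that disappear: drop this entry from the old target's attribute.
    for ref in old.keys() - new.keys():
        target = directory[_find(directory, old[ref])]
        target[lookup.target_attribute] = _remove_value(
            target.get(lookup.target_attribute, []), key)
        mods.append((old[ref], "delete", key))
    # New references: add this entry to the new target's attribute, attaching the
    # auxiliary class first if the target attribute is defined on one.
    for ref in new.keys() - old.keys():
        target = directory[_find(directory, new[ref])]
        if lookup.target_aux_class and lookup.target_aux_class not in target.get("objectClass", []):
            target["objectClass"] = target.get("objectClass", []) + [lookup.target_aux_class]
        target[lookup.target_attribute] = _add_value(
            target.get(lookup.target_attribute, []), key)
        mods.append((new[ref], "add", key))
    entry[lookup.source_attribute] = list(new_values)
    return mods


def delete_entity(directory, entity_dn, lookup):
    """Delete an entry and clear every reference to it that the lookup maintains,
    so no group keeps a member value pointing at an object that no longer exists."""
    mods = update_source(directory, entity_dn, [], lookup)
    del directory[_find(directory, entity_dn)]
    return mods


def build_sample_directory():
    """Constructed sample: Alice is already a member of the admins group."""
    return {
        "cn=alice,ou=users,o=ourOrg": {"objectClass": ["inetOrgPerson"],
                                       "groupMembership": ["cn=admins,ou=groups,o=ourOrg"]},
        "cn=admins,ou=groups,o=ourOrg": {"objectClass": ["groupOfNames"],
                                         "member": ["cn=alice,ou=users,o=ourOrg"]},
        "cn=staff,ou=groups,o=ourOrg": {"objectClass": ["groupOfNames"], "member": []},
    }
```

Moving Alice from admins to staff with `update_source` removes her from the admins member list and adds her to staff in the same operation; deleting her with `delete_entity` clears the remaining reference first. The returned modification tuples are the record an audit trail would want, since a one-sided change (a user listing a group that does not list the user back) is exactly the inconsistency this property exists to prevent.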

3.7.3 Relationship Properties

Table 3-20 Relationship Properties

Property Name

Description

Key

The read-only unique identifier for the relationship.

HINT: You specify this value in the Org Chart Portlet preference sheet.

Display Label

Specify a name to display when this relationship is displayed in the user application. For example, this value is displayed when users click Choose Org Chart from the Detail portlet.

Click Localize to provide the translation for the display label text.

Parent Entity

Choose an entity from the drop-down list.

The entity that you choose becomes the parent object in the organization chart hierarchy. In a Manager-Employee relationship, the Parent Entity is User. For a Group-Member relationship, the Parent Entity is Group.

Directory abstraction layer requirements—The entities in this list are a subset of the entities defined in the directory abstraction layer. Parent entities must have the view access property selected (true).

Parent Attribute

Choose an attribute from the drop-down list.

This attribute is used to find matching child entities. When the value of this attribute matches a corresponding value on an attribute of the child entity (see Child Attribute below), then a relationship can be established.

Directory abstraction layer requirements—This list of attributes is populated using the selected Parent Entity’s attributes. It includes only the attributes defined as the DNLookup control type.

Child Entity

Choose the entity for the child object in the hierarchy. In a Manager-Employee relationship, it is user. For an Employee-Resources relationship, it is Devices.

This entity must contain the attribute that is related to the Parent attribute.

Child Attribute

Choose the attribute that matches the Parent Attribute.

This is the child entity’s attribute used to find matching parent entities. When the value of this attribute matches a corresponding value on the parent entity (see Parent Attribute above), then a relationship can be established.

NOTE: The Org Chart portlet does not fully support dynamic groups; you cannot define a dynamic group as the Parent entity, but you can define a dynamic group as the child entity.
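The following is an added example, not code from the Designer documentation or the Org Chart portlet, of resolving a Relationship definition into a hierarchy. The reading applied here is an assumption: a child-entity entry matches a parent when the parent's Parent Attribute references the child's DN and the child's Child Attribute references the parent's DN. The Manager-Employee sample uses assumed attribute names (directReports as the parent DNLookup attribute, manager as the child attribute) and constructed directory entries; it also shows the two failure modes a practitioner should expect from hand-edited directory data, a reference cycle and a one-sided reference.

```python
# Added example (not from the Designer documentation): resolving a Relationship
# definition into an org-chart tree. Attribute names and entries are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Relationship:
    key: str
    parent_entity: str
    parent_attribute: str   # must be a DNLookup attribute of the parent entity
    child_entity: str
    child_attribute: str


# Assumed attribute names for the sample; not taken from a real DAL definition.
MANAGER_EMPLOYEE = Relationship("manager-employee", "User", "directReports", "User", "manager")


def _norm(dn):
    return dn.strip().lower()


def _refs(entry, attribute):
    return {_norm(v) for v in entry.get(attribute, [])}


def children_of(directory, relationship, parent_dn):
    """DNs of child-entity entries related to parent_dn: the parent's Parent
    Attribute names the child and the child's Child Attribute names the parent."""
    parent = directory.get(parent_dn)
    if parent is None or parent["entity"] != relationship.parent_entity:
        return []
    wanted = _refs(parent, relationship.parent_attribute)
    return [dn for dn, e in directory.items()
            if e["entity"] == relationship.child_entity
            and _norm(dn) in wanted
            and _norm(parent_dn) in _refs(e, relationship.child_attribute)]


def org_chart(directory, relationship, root_dn, max_depth=10, _seen=None):
    """Nested {dn: {child_dn: {...}}} tree. The seen set and max_depth stop a
    malformed directory (two entries that report to each other) from recursing forever."""
    seen = set(_seen or ()) | {_norm(root_dn)}
    if max_depth == 0:
        return {}
    tree = {}
    for child in children_of(directory, relationship, root_dn):
        tree[child] = ({} if _norm(child) in seen
                       else org_chart(directory, relationship, child, max_depth - 1, seen))
    return tree


def one_sided_references(directory, relationship):
    """(parent_dn, child_dn) pairs where only one side holds the reference: the
    inconsistencies a Relational Integrity DNLookup is meant to prevent."""
    problems = []
    for dn, e in directory.items():
        if e["entity"] == relationship.parent_entity:
            for ref in e.get(relationship.parent_attribute, []):
                child = directory.get(ref)
                if child is None or _norm(dn) not in _refs(child, relationship.child_attribute):
                    problems.append((dn, ref))
        if e["entity"] == relationship.child_entity:
            for ref in e.get(relationship.child_attribute, []):
                parent = directory.get(ref)
                if parent is None or _norm(dn) not in _refs(parent, relationship.parent_attribute):
                    problems.append((ref, dn))
    return problems


def build_sample_directory():
    """Constructed sample: alice manages bob, bob manages dave. bob lists erin
    but erin does not point back; carol points at alice but alice does not list her."""
    return {
        "cn=alice,ou=users,o=ourOrg": {"entity": "User",
                                       "directReports": ["cn=bob,ou=users,o=ourOrg"]},
        "cn=bob,ou=users,o=ourOrg": {"entity": "User",
                                     "manager": ["cn=alice,ou=users,o=ourOrg"],
                                     "directReports": ["cn=dave,ou=users,o=ourOrg",
                                                       "cn=erin,ou=users,o=ourOrg"]},
        "cn=dave,ou=users,o=ourOrg": {"entity": "User", "manager": ["cn=bob,ou=users,o=ourOrg"]},
        "cn=erin,ou=users,o=ourOrg": {"entity": "User", "manager": []},
        "cn=carol,ou=users,o=ourOrg": {"entity": "User", "manager": ["cn=alice,ou=users,o=ourOrg"]},
    }
```

`org_chart(build_sample_directory(), MANAGER_EMPLOYEE, "cn=alice,ou=users,o=ourOrg")` yields alice, bob and dave only; erin and carol are left out because their references are one-sided, and `one_sided_references` reports exactly those two pairs so the directory data can be repaired rather than the chart silently omitting people.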