3.1 About the Directory Abstraction Layer

The directory abstraction layer is a set of XML-based files that define a logical view of an Identity Vault for the User Application. The User Application uses the directory abstraction layer definitions to determine:

The User Application ships with a default set of entities, relationships, and lists that it needs to function, but you can add new or modify existing directory abstraction layer objects to customize the User Application for your own business needs. You use the directory abstraction layer editor (described in Section 3.1.2, About the Directory Abstraction Layer Editor) to define the contents of the directory abstraction layer.

3.1.1 Analyzing the User Application’s Data Needs

Before you make changes to the directory abstraction layer objects, analyze how you want to display your Identity Vault data in the User Application. Consider:

  • What parts of the Identity Vault you want to make available to the User Application.

    For example, what objects do you want your users to be allowed to search and display? Check this list against the base set of abstraction layer definitions to determine if you need to add any new objects.

  • What is the structure of your Identity Vault schema? Have you added custom extensions and auxiliary classes?

  • What is the structure of your data?

    • What is required and what is optional?

    • What validation rules are in place?

    • What are the relationships between objects (DN references)?

    • How are the attributes defined? (For example, an attribute that represents a phone number might be multi-valued for home, office, and cell phone numbers)

  • Who sees the data? Is the User Application available as a public or private site?

Use the information about your data needs to map your Identity Vault objects to abstraction layer entities.

3.1.2 About the Directory Abstraction Layer Editor

The directory abstraction layer editor is a graphical tool for defining the directory abstraction layer files. When you add a User Application driver to an Identity Manager project and run the configuration wizard, Designer creates an initial set of directory abstraction layer files. If you do not run the configuration wizard, the initial files are not created. These base files are displayed when you start the directory abstraction layer editor.

To start the directory abstraction layer editor:

  1. Open the Provisioning view and double-click the Directory Abstraction Layer node.

    Designer displays the directory abstraction layer tree containing nodes for Entities, Lists, Queries, Relationships, and Configuration.

    Node

    Description

    Entities

    Entities represent the Identity Vault objects available to the User Application. There are two types of entities:

    • Entities mapped from the schema: Entities that represent Identity Vault objects directly exposed to users via the User Application. Users can typically create, search, and modify the attributes of these entities.

    • Entities representing LDAP relationships: Called DN lookups, these entities represent indexed searches and are used to support particular types of attributes in the User Application. DN lookup entities provide information about relationships between LDAP objects. DN lookup entities are:

      • Used by the Org Chart portlet to determine relationships.

      • Used in the Search List, Create, and Detail portlets to provide selection lists and DN contexts.

      • Available to the workflow request and approval flow forms you define using the provisioning request definition editor.

    Lists

    Defines the contents of global lists. Global lists are:

    • Associated with an attribute. The User Application displays the attribute values as a drop-down list in the User Application.

    • Used to display Resource Request categories.

    Queries

    Lets you define LDAP search criteria that can be run from a workflow form.

    Relationships

    Lets you map hierarchical relationships among schema-based entities. Used by the Organization Chart action of the Identity Self-Service tab of the User Application and in iManager when defining provisioning teams.

    Configuration

    General configuration parameters.

  2. Use the left pane to navigate the directory abstraction layer nodes. When you select an item in the left pane, the right pane displays the properties for the selection.

  3. Use the right pane to define the properties for the selection. For more information about the properties, see Section 3.7, Directory Abstraction Layer Property Reference.

The following table describes the directory abstraction layer toolbar:

Table 3-1 Directory Abstraction Layer Toolbar

Toolbar Button

Description

Launches the Add Entity Wizard.

Launches the Add Attribute Wizard.

Launches the New List Wizard.

Launches the New Query Wizard

Launches the New Relationship Wizard.

Launches the Set Global Access Modifiers dialog box.

Launches the Set Global Localization dialog box.

Expands and collapses the directory abstraction layer tree.

3.1.3 About Directory Abstraction Layer Editor Files

The directory abstraction layer files you work with are stored in the Designer project’s Provisioning\AppConfig\DirectoryModel directory. The filenames are derived from the object key.

Table 3-2 Local Directory Abstraction Layer Directories

Directory name

Description

ChoiceDefs

Contains the files that define global lists. Files have the choice extension.

EntityDefs

Contains the files that define the entities and attributes. Files have the entity extension.

QueryDefs

Contains the files that define queries. Files have the query extension.

RelationshipDefs

Contains the files that define the relationships available to the Org Chart portlet and iManager provisioning teams configuration. These files have the relation extension.

Designer creates the base set of directory abstraction layer files for each provisioning project. An identical set is deployed to the User Application driver when the User Application is installed.

To customize the Identity Manager User Application, you change the directory abstraction layer objects and deploy the changes to the User Application driver. Some entities, attributes, lists, and relationships are required for the User Application to function properly. The editor displays a lock next to the definitions that you should not delete. From the list below, you can see that you should not delete the Group, User or User Lookup entities.

Figure 3-1 DAL User Application Default Entities, Lists, and Relationships

If you define multiple User Application drivers in a single project, Designer creates multiple AppConfig folders and names them AppConfig, AppConfig1, AppConfig2, and so on.