The directory abstraction layer is a set of XML-based files that define a logical view of an Identity Vault for the User Application. The User Application uses the directory abstraction layer definitions to determine:

- The Identity Vault objects and attributes that the User Application can display or modify.
- How the User Application displays Identity Vault data.
- The relationships the User Application can display.
- The provisioning request categories, email notification types, and delegate relationships the User Application can display.
The User Application ships with a default set of entities, relationships, and lists that it needs to function, but you can add new or modify existing directory abstraction layer objects to customize the User Application for your own business needs. You use the directory abstraction layer editor to define the contents of the directory abstraction layer.
IMPORTANT: While defining an entity in the directory abstraction layer, ensure that the definition of the entity and its attributes in the DAL is a replica of the Identity Vault schema. For example, if an attribute is configured as mandatory in the Identity Vault, ensure that the attribute is selected as “require” in the DAL also. A mismatch in object definition can lead to an internal error.
Before you make changes to the directory abstraction layer objects, analyze how you want to display your Identity Vault data in the User Application. Consider:

- What parts of the Identity Vault you want to make available to the User Application. For example, what objects do you want your users to be allowed to search and display? Check this list against the base set of abstraction layer definitions to determine if you need to add any new objects.
- What is the structure of your Identity Vault schema? Have you added custom extensions and auxiliary classes?
- What is the structure of your data?
  - What is required and what is optional?
  - What validation rules are in place?
  - What are the relationships between objects (DN references)?
  - How are the attributes defined? (For example, an attribute that represents a phone number might be multi-valued for home, office, and cell phone numbers.)
- Who sees the data? Is the User Application available as a public or private site?
Use the information about your data needs to map your Identity Vault objects to abstraction layer entities.
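The IMPORTANT note above and the "required versus optional" and "how are the attributes defined" questions in the analysis list both come down to one check: does each DAL attribute mirror what the Identity Vault schema says about the object class it maps to? The following script is an added example, not Designer's or the User Application's own code. It assumes a simplified XML layout for an entity definition (an `entity-definition` element with `key` and `class-name` attributes containing `attribute` elements with `key`, `ldap-name`, `required` and `multi-valued` attributes); the real .entity format may differ, and both the schema map and the sample XML are constructed for the example.

```python
"""Consistency check of a DAL entity definition against the Identity Vault schema.

Added example, not Designer's or the User Application's own code. The XML
layout (<entity-definition key= class-name=> containing <attribute key=
ldap-name= required= multi-valued=> elements) is an ASSUMED simplification of
the real .entity format; the schema map and the sample XML are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for what the Identity Vault schema says about the
# inetOrgPerson class: which attributes are mandatory and which are single-valued.
VAULT_SCHEMA = {
    "inetOrgPerson": {
        "cn": {"mandatory": True, "single_valued": False},
        "sn": {"mandatory": True, "single_valued": False},
        "givenName": {"mandatory": False, "single_valued": False},
        "telephoneNumber": {"mandatory": False, "single_valued": False},
        "employeeNumber": {"mandatory": False, "single_valued": True},
    },
}

# Constructed sample entity definition in the assumed simplified format.
SAMPLE_ENTITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<entity-definition key="user" class-name="inetOrgPerson">
  <attributes>
    <attribute key="LastName" ldap-name="sn" required="true" multi-valued="false"/>
    <attribute key="FirstName" ldap-name="givenName" required="true" multi-valued="false"/>
    <attribute key="Phone" ldap-name="telephoneNumber" required="false" multi-valued="true"/>
    <attribute key="EmployeeNumber" ldap-name="employeeNumber" required="false" multi-valued="true"/>
    <attribute key="Nickname" ldap-name="displayNickname" required="false" multi-valued="false"/>
  </attributes>
</entity-definition>
"""


def _flag(value):
    """Interpret an XML boolean attribute; a missing attribute counts as false."""
    return (value or "false").strip().lower() == "true"


def parse_entity(xml_text):
    """Return the entity key, LDAP class name and attribute list from the XML."""
    root = ET.fromstring(xml_text)
    attributes = [
        {
            "key": a.get("key"),
            "ldap_name": a.get("ldap-name"),
            "required": _flag(a.get("required")),
            "multi_valued": _flag(a.get("multi-valued")),
        }
        for a in root.iter("attribute")
    ]
    return {"key": root.get("key"), "class_name": root.get("class-name"), "attributes": attributes}


def audit_entity(entity, schema):
    """Return (code, message) findings where the DAL entity diverges from the schema."""
    findings = []
    cls = schema.get(entity["class_name"])
    if cls is None:
        return [("unknown-class", f"class {entity['class_name']} is not in the vault schema")]

    # A mandatory attribute the entity does not expose at all is the case the
    # IMPORTANT note warns about: object creation through the User Application
    # cannot supply it, and the mismatch surfaces as an internal error.
    exposed = {a["ldap_name"] for a in entity["attributes"]}
    for name, info in cls.items():
        if info["mandatory"] and name not in exposed:
            findings.append(("missing-mandatory",
                             f"mandatory attribute {name} is not defined on entity {entity['key']}"))

    for a in entity["attributes"]:
        info = cls.get(a["ldap_name"])
        if info is None:
            findings.append(("unknown-attribute",
                             f"{a['key']}: ldap-name {a['ldap_name']} is not in the schema for {entity['class_name']}"))
            continue
        if info["mandatory"] and not a["required"]:
            findings.append(("not-required",
                             f"{a['key']}: {a['ldap_name']} is mandatory in the vault but not marked required in the DAL"))
        if a["required"] and not info["mandatory"]:
            # Stricter than the vault; not an error on its own, but not a replica either.
            findings.append(("extra-required",
                             f"{a['key']}: marked required in the DAL but optional in the vault"))
        if info["single_valued"] and a["multi_valued"]:
            findings.append(("multi-valued-mismatch",
                             f"{a['key']}: {a['ldap_name']} is single-valued in the vault but multi-valued in the DAL"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample entity."""
    return audit_entity(parse_entity(SAMPLE_ENTITY_XML), VAULT_SCHEMA)


if __name__ == "__main__":
    for code, message in audit_sample():
        print(f"[{code}] {message}")
```

On the constructed sample the audit reports four divergences: `cn` is mandatory in the vault but not defined on the entity, `FirstName` is required in the DAL though `givenName` is optional, `EmployeeNumber` is multi-valued in the DAL though `employeeNumber` is single-valued, and `Nickname` maps to an LDAP name the schema does not know. In a real review the `VAULT_SCHEMA` map would be built from the vault's own schema rather than typed in, and each .entity file under the project's DirectoryModel directory would be passed through `parse_entity` in turn.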
The directory abstraction layer editor is a graphical tool for defining the directory abstraction layer files. When you add a User Application driver to an Identity Manager project and run the configuration wizard, Designer creates an initial set of directory abstraction layer files. If you do not run the configuration wizard, the initial files are not created. These base files are displayed when you start the directory abstraction layer editor.
To start the directory abstraction layer editor:
Open the Provisioning view and double-click the Directory Abstraction Layer node.
Designer displays the directory abstraction layer tree containing nodes for Entities, Lists, Queries, Relationships, and Configuration.
| Node | Description |
|---|---|
| Entities | Entities represent the Identity Vault objects available to the User Application. There are two types of entities: |
| Lists | Defines the contents of global lists. Global lists are: |
| Queries | Lets you define LDAP search criteria that can be run from a workflow form. |
| Relationships | Lets you map hierarchical relationships among schema-based entities. Used by the Organization Chart action of the Identity Self-Service tab of the User Application and in iManager when defining provisioning. |
| Configuration | General configuration parameters. |
Use the left pane to navigate the directory abstraction layer nodes. When you select an item in the left pane, the right pane displays the properties for the selection.
Use the right pane to define the properties for the selection. For more information about the properties, see Directory Abstraction Layer Property Reference.
The following table describes the directory abstraction layer toolbar:
Table 3-1 Directory Abstraction Layer Toolbar
| Toolbar Button | Description |
|---|---|
| Add Entity | Launches the Add Entity Wizard. |
| Add Attribute | Launches the Add Attribute Wizard. |
| New List | Launches the New List Wizard. |
| New Query | Launches the New Query Wizard. |
| New Relationship | Launches the New Relationship Wizard. |
| Set Global Access Modifiers | Launches the Set Global Access Modifiers dialog box. |
| Set Global Localization | Launches the Set Global Localization dialog box. |
| Expand/Collapse | Expands and collapses the directory abstraction layer tree. |
The directory abstraction layer files you work with are stored in the Designer project’s Provisioning\AppConfig\DirectoryModel directory. The filenames are derived from the object key.
Table 3-2 Local Directory Abstraction Layer Directories
| Directory name | Description |
|---|---|
| ChoiceDefs | Contains the files that define global lists. Files have the choice extension. |
| EntityDefs | Contains the files that define the entities and attributes. Files have the entity extension. |
| QueryDefs | Contains the files that define queries. Files have the query extension. |
| RelationshipDefs | Contains the files that define the relationships available to the Org Chart portlet and iManager provisioning configuration. These files have the relation extension. |
Designer creates the base set of directory abstraction layer files for each provisioning project. An identical set is added to the User Application driver when the User Application is installed.
To customize the Identity Manager User Application, you change the directory abstraction layer objects and deploy the changes to the User Application driver. Some entities, attributes, lists, and relationships are required for the User Application to function properly. The editor displays a lock next to the definitions that you should not delete. From the list below, you can see that you should not delete the Group, User, or User Lookup entities.
Figure 3-1 DAL User Application Default Entities, Lists, and Relationships
If you define multiple User Application drivers in a single project, Designer creates multiple AppConfig folders and names them AppConfig, AppConfig1, AppConfig2, and so on.