3.2 Working with Entities and Attributes

You can customize your User Application by adding objects and their attributes based on the content of your own Identity Vault. You do this by adding new entities and attributes to the directory abstraction layer and deploying them to the User Application driver.

To modify the entity files installed by default, see Adding Entities and Adding Attributes. To modify the entity files of an already deployed project or a set of files defined by another developer, you must first import the files to your design environment. For information on importing files, see Importing Provisioning Objects.

3.2.1 About Entities and Attributes

Any Identity Vault object that you want users to search, display, or edit in the Identity Manager User Application must be defined as an entity in the directory abstraction layer. For example, to use the inetOrgPerson Identity Vault object in the User Application, you must create an entity definition for it. There are two logical kinds of entities (but you create them the same way):

  • Entities that are mapped from schema: These entities represent objects that exist in the Identity Vault that are directly exposed to users in the User Application. When defining this type of entity, expose all of the attributes that you want your users to work with. Examples of this entity type include User and Group. You can create more than one entity definition for the same object to expose different sets of attributes to different kinds of users. For more information, see Creating Multiple Entity Definitions for a Single Object.

  • Entities that represent LDAP relationships: This type of entity is known as a DNLookup and it is used by the User Application to:

    • Populate a list with the results of a DN search among related entities

    • Maintain referential integrity across DN referenced attributes during updates and deletes

    Entities that support DNLookups are used by the Org Chart portlet to determine relationships and are also used by the Search, Create, and Detail portlets to provide pop-up selection lists and DN contexts. The User Lookup entity is an example of this type of entity. For more information, see Attributes and DNLookup Properties.

Creating Multiple Entity Definitions for a Single Object

You can create more than one entity definition that represents the same Identity Vault object but provides a different view of the data. Within the entity definitions, you can define different attributes for each entity definition, or you can define the same attributes but specify different access properties that control how the attributes are searched, viewed, edited, or hidden.

NOTE: You can optionally define a filter to hide certain entities from the result set.

You can then use these different entity definitions in different parts of the user interface. For example, suppose that you want to create two employee directories: one for a public site and one for an internal site. On the public site you want to supply first and last names and a phone number, but on the internal site you want to list additional information such as title, managers, and so on. Here’s how you can accomplish this:

  1. Create two entity definitions (with different keys).

    Both entity definitions expose the same Identity Vault object, but one entity definition key is public-staff-information, and the other is internal-staff-information.

  2. Within each entity definition, define a different set of attributes: one for public-staff-information, the other for internal-staff-information.

  3. Deploy both entities to make them available in the Identity Manager User Application.

  4. Use the Customization option in the Settings page of Identity Manager Dashboard to create and configure the attributes for each entity individually. These attributes determine how the entities can be searched, viewed, and edited by the user.

    For more information, see Entity Settings in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.
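The following added example (not part of the product documentation) models the public and internal definitions from the procedure above and checks what each one exposes. The object layout, the attribute names, and the `project` and `auditExposure` helpers are hypothetical; only the two entity keys come from the text.

```javascript
// Hypothetical model: two entity definitions over one Identity Vault object.
// The keys come from the text; the layout and attribute names are constructed.
const definitions = {
  "public-staff-information": {
    objectClass: "inetOrgPerson",
    attributes: {
      FirstName: { view: true, edit: false, search: true, hide: false },
      LastName:  { view: true, edit: false, search: true, hide: false },
      Phone:     { view: true, edit: false, search: false, hide: false },
      Title:     { view: false, edit: false, search: true, hide: true },
    },
  },
  "internal-staff-information": {
    objectClass: "inetOrgPerson",
    attributes: {
      FirstName: { view: true, edit: false, search: true, hide: false },
      LastName:  { view: true, edit: false, search: true, hide: false },
      Phone:     { view: true, edit: true,  search: true, hide: false },
      Title:     { view: true, edit: false, search: true, hide: false },
      Manager:   { view: true, edit: false, search: true, hide: false },
    },
  },
};

// Return only the attributes a definition lets the user see.
function project(entry, key) {
  const out = {};
  for (const [name, p] of Object.entries(definitions[key].attributes)) {
    if (p.view && !p.hide && name in entry) out[name] = entry[name];
  }
  return out;
}

// List attributes outside the approved set that a definition still lets users
// view, edit, or search. A searchable attribute discloses values even when hidden.
function auditExposure(key, approved) {
  return Object.entries(definitions[key].attributes)
    .filter(([name]) => !approved.includes(name))
    .map(([name, p]) => [name, ["view", "edit", "search"].filter((w) => p[w])])
    .filter(([, ways]) => ways.length > 0)
    .map(([name, ways]) => `${name}: ${ways.join(",")}`);
}

// Constructed sample entry.
const entry = { FirstName: "Ana", LastName: "Ruiz", Phone: "555-0100",
                Title: "Director", Manager: "cn=jdoe,ou=users,o=example" };
console.log(project(entry, "public-staff-information"));
console.log(auditExposure("public-staff-information", ["FirstName", "LastName", "Phone"]));
```

The audit flags `Title` in the public definition: it is hidden from view but still searchable, so it belongs in the review before deployment.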

3.2.2 Adding Entities

You add entities through the Add Entity Wizard (described in the next procedure) or by clicking Add Entity (from the toolbar).

NOTE: When using the Add Entity button, you are prompted to select the object class of the entity to create, and the editor automatically adds the required attributes to the entity. Use the Add Attribute dialog box to complete the entity definition.

To add an entity using the Add Entity Wizard:

  1. Launch the Add Entity Wizard in one of these ways:

    From Designer’s menus:

    • Select File > New > Provisioning. Choose Directory Abstraction Layer Entity, then click Next.

    From the Provisioning view:

    • Right-click the Entities node, then choose New.

    From the directory abstraction layer editor:

    • Select DAL > New > Entity

      or

    • Right-click the Entities node, then choose New Entity-Attributes Wizard.

    The New Entity dialog box displays.

    NOTE: If launched from the File menu, the dialog box contains the additional fields shown below.

  2. Fill in the fields as follows:

    | Field | Description |
    | --- | --- |
    | Identity Manager Project and Provisioning Application | The Identity Manager project and the provisioning application where you want to add the entity and attributes. NOTE: These fields display when you launch the wizard from the File menu. |
    | Entity Key | A unique identifier for the entity. |
    | Display Label | The string displayed when the entity is displayed by the User Application. You can localize this label. For more information, see Localizing Provisioning Objects. |

  3. Click Next. The New Entity dialog box displays.

  4. Choose the entity’s object class and add the attributes you want by double-clicking them in the Available Attributes for Entity list. Mandatory attributes are added when you select an Object Class, and you cannot remove them from the Selected Attributes in Entity list.

    HINT:

    • If the entity’s object class is not shown in the Select Object Class list, you should update Designer’s local schema file by following the steps described in Updating the Schema Elements List.

    • When you import any attribute into Designer, the directory abstraction layer editor defaults the attribute type to String. You must manually modify the attribute type to the correct value.

  5. Click Finish.

    The property page displays for editing. For more information, see Entity Properties. You must deploy the entity before it is available to the User Application.

Filter the Object Class List

You can limit the object classes shown in the New Entity dialog box by adding a filter. To add a filter:

  1. Click Configure Filter to launch the Class List Filters dialog box.

    By default, Designer does not apply any class filters. The Class Filter dialog box contains two predefined filters (starts-with "DirXML" and starts-with "srvprv"). To activate them, click Select All, then click OK. The filters are immediately applied to the object class list. Filters are applied until you deselect them.

  2. Use the buttons as follows:

    Button

    Description

    Choose one of the string comparison operators, such as contains, starts-with, ends-with, then type the string to compare against.

    Adds a filter. Enabled when you define the filter comparison value.

    Removes the selected filter.

    Click this option when you want to use all of the filters. It selects all of the defined filters.

    Click this option when you want to deselect all of the defined filters. If you apply this change, no filters are used.

Adding Entity Filters

In the Directory Abstraction Layer Editor, you can define an entity filter to limit the entries returned for the specified entity. You define the filter based on attributes and their comparison to another value that you specify. For example, you can create a filter so that the User entity includes only those entries whose Region attribute contains Northeast.

  1. Click Add Condition Grouping.

  2. Use the drop-down list on the left to select an attribute.

  3. Use the drop-down list in the middle to select a comparison operation.

  4. Use the entry on the right to specify a value for comparison.

  5. To specify multiple condition groupings, repeat this procedure. Within a condition grouping, you specify each criterion that you want and connect them by using the logical operations: and, or.

The conditions are evaluated in the order in which you define them.
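The following added example (not part of the product documentation) models one condition grouping to show why the order of criteria matters. It assumes that "evaluated in the order in which you define them" means a left-to-right fold with no precedence between and and or; that reading, the operator names, and the `Status` attribute are assumptions, and the sample entries are constructed.

```javascript
// Comparison operators. The names are assumptions modelled on the string
// operators the page lists for class filters, plus "equals".
const operators = new Map([
  ["equals", (a, b) => a === b],
  ["contains", (a, b) => a.includes(b)],
  ["starts-with", (a, b) => a.startsWith(b)],
  ["ends-with", (a, b) => a.endsWith(b)],
]);

// Evaluate one criterion; an entry without the attribute never matches.
function matches(entry, { attribute, op, value }) {
  if (!operators.has(op)) throw new Error(`unknown operator: ${op}`);
  const actual = entry[attribute];
  return typeof actual === "string" && operators.get(op)(actual, value);
}

// Fold one condition grouping left to right. Every criterion after the first
// names the logical operation joining it to the result so far; no precedence
// between "and" and "or" is applied (assumed reading of "evaluated in order").
function evaluateGrouping(entry, criteria) {
  return criteria.reduce((acc, c, i) => {
    const hit = matches(entry, c);
    if (i === 0) return hit;
    if (c.join !== "and" && c.join !== "or") throw new Error("bad join");
    return c.join === "or" ? acc || hit : acc && hit;
  }, false);
}

// Return the CN of every entry the grouping lets through.
function applyFilter(entries, criteria) {
  return entries.filter((e) => evaluateGrouping(e, criteria)).map((e) => e.CN);
}

// Constructed sample entries; Status is a hypothetical attribute.
const users = [
  { CN: "aruiz", Region: "US Northeast", Status: "active" },
  { CN: "bchen", Region: "US Northeast", Status: "terminated" },
  { CN: "cdiaz", Region: "US Midwest", Status: "active" },
  { CN: "dkim", Region: "EMEA", Status: "active" },
];
const northeast = { attribute: "Region", op: "contains", value: "Northeast" };
const midwest = { attribute: "Region", op: "contains", value: "Midwest" };
const active = { attribute: "Status", op: "equals", value: "active" };

// The same three criteria in two orders give different result sets.
const orderA = [northeast, { ...midwest, join: "or" }, { ...active, join: "and" }];
const orderB = [active, { ...midwest, join: "and" }, { ...northeast, join: "or" }];
console.log(applyFilter(users, orderA)); // (Northeast or Midwest) and active
console.log(applyFilter(users, orderB)); // (active and Midwest) or Northeast
```

Under this reading the second order lets the terminated `bchen` entry through, so a filter that mixes and with or should be checked against known entries before the entity is deployed.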

3.2.3 Adding Attributes

  1. Select an entity.

  2. Do any of the following to add an attribute:

    • Right-click an entity, then select Add Attribute.

    • Click the Add Attribute button.

    • Click DAL > New > Attribute.

    You are prompted to choose the entity class that contains the attributes that you want to add to the entity. You can also add (and remove) auxiliary classes if you need to add a class that contains the attribute you are looking for.

  3. Add attributes by double-clicking them in the Available Attributes for Entity Class list.

    LDAP operational attributes are supported by the directory abstraction layer editor and User Application; however, when you add an operational attribute, the Edit, Required, and Hidden properties are set to false and are disabled so you cannot change these property values.

    HINT: If the attribute you want to add is not displayed in the Available Attributes for Entity Class list, you should update Designer’s local schema file by following the procedure in Updating the Schema Elements List.

  4. Click OK. The property page displays for editing.

    For more information, see Attribute Properties. To make an attribute available to the User Application, you must deploy it.

Adding DAL Calculated Attributes

You can create an attribute that is derived from an expression. For example, you can concatenate two or more attributes to produce a single calculated value. The expressions are ECMAScript compatible and conform to the ECMA 262 Language specification.

Restrictions: Because this attribute type does not map to a specific attribute in the Identity Vault, these attributes cannot be updated, removed, made multivalued or required, or searched.

To create a calculated attribute:

  1. Add an attribute as instructed in Adding Attributes and make sure to select DAL Calculated Attribute from the Available Attributes for Entity Class list.

Designer adds the Attribute with the following restrictions:

Table 3-3 Calculated Attribute Properties

| Property Name | Description |
| --- | --- |
| Expression | Click Build ECMAScript Expression to launch the ECMA Expression Builder. To learn more about how to use the ECMA Expression Builder, see Section 9.0, Working with ECMA Expressions. |

3.2.4 Updating the Schema Elements List

  1. With the Identity Manager project open, right-click your Identity Vault, then select Live > Import Schema.

  2. Choose Import from eDirectory and provide the specifications for the eDirectory host.

  3. Click Next.

  4. Select the classes and attributes to import, then click Finish.