Novell Doc: User Application: Design Guide - Directory Abstraction Layer Property Reference

3.7 Directory Abstraction Layer Property Reference

The section provides definitions for the properties for the following abstraction layer nodes:

3.7.1 Entity Properties

You can set the following kinds of properties on entities:

Entity Access Properties

Access properties control how the User Application interacts with the entity.

NOTE:You can also access the access properties by selecting DAL > Set Global Access.

Table 3-6 Entity Access Properties

Property Name	Description
Create	When selected, this object can be created by the User Application.
Edit	When deselected, this object cannot be changed by the User Application regardless of the underlying ACLs. When selected, this object is editable, but the Identity Vault ACLs are used to determine this.
View	When selected, this object can be displayed by the User Application.
Remove	When selected, this object can be deleted by the User Application.

Entity General Properties

Table 3-7 Entity General Properties

Property Name	Description
Key	The unique identifier for this entity. It defines the way the User Application references this object. It is defined when the entity is created and cannot be modified after the entity is created.
Display Label	Defines how the object is shown in the user interface.
Class Name	The eDirectory object class name.
LDAP Name	The LDAP object class name.
Include in Search	When selected, this entity is searchable in the User Application. Entities used in queries by identity portlets (such as Entity Search List or Entity Org Chart) must be selected (True).

Entity Auxiliary Properties

Table 3-8 Entity Auxiliary Properties

Property Name	Description
Auxiliary Classes	A list of zero or more auxiliary classes for this entity. If you are adding auxiliary classes, you are prompted to define: The auxiliary class by selecting from the list of those available Whether it is searchable. Setting searchable to True applies a filter to LDAP searches that involve directory abstraction layer relationships. For example, if you added an aux class to the user entity and specified that the aux class was searchable, the Org Chart (using the manager-employee relationship) would display only the employees that have the aux class. Whether to Add Always. When True (selected), the object class is automatically added when the entity is modified in the User Application. Modification includes create or update operations. When False, the object class is only added if an attribute associated with the auxiliary class is modified.

Property Name

Description

Auxiliary Classes

A list of zero or more auxiliary classes for this entity. If you are adding auxiliary classes, you are prompted to define:

The auxiliary class by selecting from the list of those available
Whether it is searchable. Setting searchable to True applies a filter to LDAP searches that involve directory abstraction layer relationships. For example, if you added an aux class to the user entity and specified that the aux class was searchable, the Org Chart (using the manager-employee relationship) would display only the employees that have the aux class.
Whether to Add Always. When True (selected), the object class is automatically added when the entity is modified in the User Application. Modification includes create or update operations. When False, the object class is only added if an attribute associated with the auxiliary class is modified.

Entity Search Properties

Table 3-9 Entity Search Properties

Property Name	Description
Search Container	The distinguished name of the LDAP node or container where searching starts (the search root). For example: ou=sample,o=ourOrg You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters.
Search Scope	Specifies where the search occurs in relation to the search root. Values are: <Default>: This search scope is the same as selecting Containers and subcontainers. Container: The search occurs in the search root DN and all entries at the search root level. Container and subcontainers: The search occurs in the search root DN and all subcontainers. This is the same as selecting <Default>. Object: Limits the search to the object specified. This search is used to verify the existence of the specified object.
Search Time Limit [ms]	Specify a value in milliseconds or specify 0 for no time limit.
Max Search Entries	Specify the maximum number of search result entries you want returned for a search. Specify 0 if you want to use the runtime setting. Recommendations: Set it between 100 and 200 for greatest efficiency. Do not set it over 1000.
Perform Automatic Query	When selected, performs an automatic query of the entity and presents the results in a selectable list. Do not choose this option if the data returned will be a large number because it forces the user to scroll through a large result set. When not selected, allows the user to specify the search criteria for the entity query, then presents the results in a selectable list.

Entity Create Properties

Table 3-10 Entity Create Properties

Property Name	Definition
Create Container	The name of the container where a new entity of this type is created. You can browse the Identity Vault to select the container, or you can use one of the predefined parameters described in Using Predefined Parameters. If you do not specify this value, then the Create portlet prompts the user to specify a container for the new object. The portlet uses the search root specified in the entity definition as the base and allows the user to drill down from there. If there is no search root specified in the entity definition then it uses the root DN specified during the User Application installation.
Create Naming Attribute	The naming attribute of the entity. It is the relative distinguished name (RDN). This value is only necessary for entities where the access parameter Create is selected.
LDAP attribute	The LDAP attribute for the Create Naming Attribute.
Create Naming Label	Display label displayed in the User Application for the Create Naming Attribute.

Entity Password Management Properties

Table 3-11 Entity Password Management Properties

Property Name	Definition
Password required when entity is created	If the password attribute is required, set this value to True (selected) to ensure that one is required by the Create portlet. If a password is required, then you cannot create this entity in a workflow.

Using Predefined Parameters

The directory abstraction layer editor allows you to use predefined parameters for certain values.

Table 3-12 Predefined Parameters

Predefined Parameter	Description
%driver-root%	Represents the Provisioning Driver DN. This value is specified during the User Application configuration during installation or a later configuration. It is stored in the User Application’s realm configuration.
%user-root%	Represents the User Container DN. This value is specified during the User Application configuration during installation or a later configuration. It is stored in the User Application’s realm configuration.
%group-root%	Represents the Group Container DN.This value is specified during the User Application configuration during installation or a later configuration. It is stored in the User Application’s realm configuration.

3.7.2 Attribute Properties

You can set the following kinds of properties on attributes:

Attribute Access Properties

NOTE:You can set attribute access for all of an entity’s attributes by selecting DAL > Set Attribute Access, right-clicking an entity, and selecting Set Attribute Access.

Table 3-13 Attribute Access Properties

Name	Description
Edit	When selected, this attribute can be edited/modified by the User Application. Even if it is selected (True), the attribute might still not be editable if the underlying Identity Vault ACLs/effective rights prevent it.
Enable	When deselected, this attribute cannot be used by the User Application. It is the same as removing the entry from the file.
Hide	Controls whether the Hide check box in the User Application is enabled or disabled. The Hide check box allows users to control whether an attribute (such as a photo) is displayed by the application. When deselected, the Hide check box is disabled for this attribute, so the user cannot choose to hide this attribute. When selected, the Hide check box can be enabled in the User Application. However, the following must also be true of the logged-in user. He or she is either the owner of the attribute or a User Application Administrator. He or she has Trustee rights to update the srvprvHideAttributes attribute on the Identity Vault. If these requirements are not met, then the Hide check box is disabled in the user interface even if this setting is selected (True). HINT:When a user hides an attribute that contains an image, users who have viewed the image might continue to see it until their browser cache is refreshed. The Search and Hide properties are mutually exclusive. If Hide is selected (True), Search cannot also be selected (True). If Search is selected (True), Hide cannot be selected (True).
Multivalue	Specifies whether this attribute can be multivalued, for example, a phone number. When selected, the attribute can be multivalued.
Read	When this option is selected, the User Application can query this attribute. For most attributes this should be selected (True), but for some attributes, like password, it should be deselected.
Require	When this option is selected, the attribute must be supplied.
Search	When this option is selected, the User Application can search on this attribute. Attributes that are used in queries by identity portlets (such as Entity Search List or Entity Org Chart) or request and approval forms must be selected. HINT:If an attribute used in a search is also indexed in eDirectory, the search is faster. The Search and Hide properties are mutually exclusive. If Hide is selected (True), Search cannot also be selected (True). If Search is selected (True), Hide cannot be selected (True).
View	When this option is selected, the User Application can display this attribute. In most cases this is selected, but for attributes like password, it should be deselected. If you specify it in a request or approval form, view must be selected.

Attribute General Properties

Table 3-14 Attribute General Properties

Property Name	Description
Key	The unique identifier for the attribute.
Display Label	The label that is displayed in the User Application.
Attribute Name	The eDirectory name for this attribute.
LDAP Name	The LDAP name for this attribute.

Attribute Default Value Properties

This value is used when an object is created via the Create identity portlet or through a workflow. You can express the default value as a literal or an ECMAScript expression. You cannot use a default value as part of a calculated attribute. If defined as an ECMAScript expression, it is resolved at runtime. If you define both the literal and an expression, the expression takes precedence.

HINT:If you want the default value to be displayed by the Create portlet, you must define the access property viewable as True (selected). If you want the user to be able to change the value, you must set the editable property to True.

Attribute UI Control Properties

Table 3-15 Attribute UI Control Properties

Property Name	Description
Data Type	Choose a data type from the following list: Binary Boolean DN Integer LocalizedString String Time
Format Type	Used by the User Application to format data. Format types include: None AOL IM Email Groupwise IM Image Phone Number Yahoo IM Image URL Date DateTime The Format Types are dependent on the data type. For example, a Time data type can only be associated with Date and DateTime formats.
Control Type	Types include: DNLookup: Defines that this attribute contains a DN reference. Use when you want to: Populate a list with the results of a DN search among related entities. Maintain referential integrity across DN referenced attributes during updates and deletes. Use the attribute in an object selector dialog box. Object selectors are used by certain identity portlets, such as Detail, and are also available to the form controls you can define for provisioning request and approval forms. The User Application uses this information to generate special user interface elements (such as an object selector), and to perform optimized searches based on the DNLookup definition. For more information on defining this property, see the Attributes and DNLookup Properties. For more information on the object selector dialog box for request and approval forms, see Section 5.6.2, Working with Object Selectors.
	Global List: Display this attribute as a drop-down list whose contents are defined in a file outside of this attribute definition. Click Go to list to access the Global List editor for the selected list. For more information, see Section 3.3, Working with Lists.
	Local List: Display this attribute as a drop-down list whose contents are defined with this attribute. To define a local list: With the attribute selected, set the control type to Local List. Use the buttons to add or remove list items. Use the up-arrow and down-arrow buttons to change the position of the item in the list. In the Value column, type the value to write to the Identity Vault. It can include letters, numbers, and the underscore (_) character. In the Labels column, type the text you want displayed in the user interface.
	Range: Use the Range control type with Integer data types to restrict user input to a sequential range of values. Define the range’s start and end values.

Attributes and DNLookup Properties

When you define an attribute as a DNLookup control type, it means that:

This attribute can be used in an object selector dialog box that allows users to select from a list of possible values when searching on this attribute.
When this attribute is created, populated, or deleted through the User Application, an attribute on a related entity is updated appropriately depending on the user action (create, delete, update) to maintain referential integrity.

DNLookups for Object Selectors

The DNLookup Display properties for a particular attribute define the contents of the object selectors in the User Application. Object selectors are displayed by the Identity Self-Service portlets and in workflow request and approval forms. They provide a convenient way for users for users to search and select objects that represent DNs (such as users or groups). The object selector displays a drop-down list of attributes; the user can select one of the attributes and then enter search criteria for that attribute. In this example, the user searches for groups by group description.

Figure 3-2 Sample Object Selector

The result of the user’s selection looks like this:

Figure 3-3 Sample Object Selector Results

The DNLookup display properties control the contents of the object selector and the result set. The object selector, shown above, displays this way because it was based on the group attribute of the user entity. The group attribute is defined as a DNLookup control type as shown here:

Figure 3-4 Group DNLookup Definition

This definition also controls the way identity portlets provide a selection list of groups for a user. For example, a user might choose to do a Directory Search to find a user in a group, but the group name is unknown. The user would select User as the object to search for and select group as the search criteria, as follows:

Figure 3-5 Search Criteria

Because the members attribute is a DNLookup for the user entity, the Lookup icon displays. If the user selects it, then a list of possible groups displays.

Figure 3-6 Object Lookup

When the user picks a group, then he or she can select a group from the list and all of the members of that group are displayed.

NOTE:When the Perform Automatic Query property is not selected (False), the object selector is not populated when first displayed to the user and the user must enter selection criteria. The example above illustrates the object selector that displays when the Perform Automatic Query property is selected (True).

DNLookups for Referential Integrity

DNLookups for updates and synchronization are important because LDAP allows group relationships to map in both directions. For example, your data might be set up so that:

The User object contains a group attribute. The group attribute is multi-valued and lists all of the groups to which a user belongs.
The Group object contains a user attribute. The user attribute is multi-valued and lists all of the users that belong to the group.

This means that you can have an attribute on the user object that shows all the groups a user belongs to, and on the Group object you have a DN attribute that includes all the members of that group.

When the user requests an update, the User Application must honor the relationships and ensure that the target and source attributes are synchronized. In the DNLookup, you specify both attributes that must be synchronized. You can use this technique to provide synchronization between any objects that are related not just group structural objects. Create this kind of DNLookup control type by specifying the advanced DNLookup properties described in the DNLookup Relational Integrity properties reference.

DNLookup Property Reference

Table 3-16 DNLookup Display Properties

Property Name	Description
Lookup Entity	The name of the entity to search. For example, suppose that the User entity contains an attribute for Manager. To populate that field, you’d need to know which users are Managers.
Lookup Attributes	Choose one or more attributes to display when a search is performed.
Perform Automatic Query	Defines how the Lookup Attributes are displayed. When this option is selected, the form or portlet performs an automatic query of the entity and presents the results in a selectable list. This option is not recommended if a large amount of data can be returned because it forces the user to scroll through a large result set. When this option is deselected, allows the user to specify the search criteria for the entity query, then presents the results in a selectable list.

Table 3-17 DNLookup Detail Properties

Property Name	Description
Detail entity	The key of the entity whose details you want displayed if the user requests more information by clicking a hypertext link in the User Application. When you define a DNLookup, the identity portlets are able to provide a hypertext link that allows users to display the details of the linked object.

The DNLookup Relational Integrity properties are used for synchronizing data between two objects such as groups and group members.

Table 3-18 DNLookup Relational Integrity Properties

Property Name	Description
Source Attributes to Update	Name of the attribute to update. The attribute must contain a DN reference to the Target Attributes to Update. This is required to synchronize attributes on two different objects.
Target Attributes to Update	Name of the attribute that must be updated along with the Source Attributes to Update. This is an LDAP attribute name. This is required to synchronize attributes on two different objects. The attribute must contain a DN reference.
Target Auxiliary Classes Needed, if any	Name of the auxiliary class that contains the Target Attributes to Update.

3.7.3 Queries Properties

You can set the following kinds of Queries properties:

Queries General Properties

Table 3-19 Queries General Properties

Property Name	Description
Key	A unique value for the query key. This value is used in the Expression Builder to identify the query. The key is specified at the query creation time. It cannot be modified after the query is created.
Query Entity	Select an entity from the drop-down list box. The resulting LDAP search is on this entity.
Display Label	Type a string to display in the directory abstraction layer editor and Provisioning view. This value is not visible in the Expression Builder.

Query Parameters Properties

Table 3-20 Queries Parameters Properties

Property Name	Description
Parameter Keys	A unique identifier for the key. You pass this key when calling the globalQuery() method on a form.
Parameter Display Labels	A label to identify the key.

Query Search Properties

If left blank, the query search properties default to the search properties specified for the selected entity. Specify the query search properties to further refine the search scope already defined for the entity. You cannot specify predefined parameters (for example,%user-root%) in the query’s search properties.

Table 3-21 Query Search Properties

Property Name	Description
Search Root	Specifies the location in the LDAP tree where the LDAP search defined by the query begins.
Search Scope	Specifies where the search occurs in relation to the search root. Values are: <Default>: This search scope is the same as selecting Containers and subcontainers. Container: The search occurs in the search root DN and all entries at the search root level. Container and subcontainers: The search occurs in the search root DN and all subcontainers. This is the same as selecting <Default>. Object: Limits the search to the object specified. This search is used to verify the existence of the specified object.
Max Search Entries	Specify the maximum number of search result entries you want returned for a search. Specify 0 if you want to use the runtime setting. Recommendations: Set it between 100 and 200 for greatest efficiency. Do not set it over 1000

Property Name

Description

Search Root

Specifies the location in the LDAP tree where the LDAP search defined by the query begins.

Search Scope

Specifies where the search occurs in relation to the search root. Values are:

<Default>: This search scope is the same as selecting Containers and subcontainers.

Container: The search occurs in the search root DN and all entries at the search root level.

Container and subcontainers: The search occurs in the search root DN and all subcontainers. This is the same as selecting <Default>.

Object: Limits the search to the object specified. This search is used to verify the existence of the specified object.

Max Search Entries

Specify the maximum number of search result entries you want returned for a search. Specify 0 if you want to use the runtime setting. Recommendations: Set it between 100 and 200 for greatest efficiency. Do not set it over 1000

3.7.4 Relationship Properties

Relationship properties include:

Relationship Access Properties

Table 3-22 Relationship Access Properties

Property Name	Description
Used by Organizational Chart	When selected, this relationship can be used by the Org Chart portlet.
Used by Team Management	When selected, this relationship can be used to define the provisioning team members in iManager. For example, if Used by Team Management is selected for the manager-employee relationship, then the provisioning application administrator can use this relationship to define the team members as all users that report to the team manager. If Enable Cascading Relationship is selected, then the team can include several levels within the organization. You define the number of levels via Maximum Levels to Cascade.

Property Name

Description

Used by Organizational Chart

When selected, this relationship can be used by the Org Chart portlet.

Used by Team Management

When selected, this relationship can be used to define the provisioning team members in iManager.

For example, if Used by Team Management is selected for the manager-employee relationship, then the provisioning application administrator can use this relationship to define the team members as all users that report to the team manager.

If Enable Cascading Relationship is selected, then the team can include several levels within the organization. You define the number of levels via Maximum Levels to Cascade.

Relationship Properties

Table 3-23 Relationship Properties

Property Name	Description
Key	The read-only unique identifier for the relationship. HINT:You specify this value in the Org Chart Portlet preference sheet.
Display Label	Specify a name to display when this relationship is displayed in the User Application. For example, this value is displayed when users click Choose Org Chart from the Detail portlet. Click Localize to provide the translation for the display label text.
Source Entity	Choose an entity from the drop-down list. The entity that you choose becomes the parent or source object in the organization chart hierarchy. In a Manager-Employee relationship, the Source Entity is User. For a Group-Member relationship, the source entity is Group. Directory abstraction layer requirements: The entities in this list are a subset of the entities defined in the directory abstraction layer. Source entities must have the view access property selected (True).
Source Attribute	Choose an attribute from the drop-down list. This attribute is used to find matching target entities. When the value of this attribute matches a corresponding value on an attribute of the target entity (see Target Attribute below), then a relationship can be established. Directory abstraction layer requirements: This list of attributes is populated using the selected Source Entity’s attributes. It includes any attributes that are searchable and readable.
Target Entity	Choose an entity for the child object in the hierarchy. In a Manager-Employee relationship, it is user. This entity must contain the attribute that is related to the Source attribute.
Target Attribute	Choose the attribute that matches the Source Attribute. This is the target entity’s attribute used to find matching source entities. When the value of this attribute matches a corresponding value on the source entity (see Source Attribute above), then a relationship can be established.

NOTE:The Org Chart portlet does not fully support dynamic groups; you cannot define a dynamic group as the Source entity, but you can define a dynamic group as the target entity.