Sun Java System Identity Manager 7.0 Workflows, Forms, and Views

Contents

1. linkParameter: Specifies the name of the post data parameter that will have the value of the link row id. The default value is id.
   selectEnable: Indicates whether a column of checkboxes is displayed along a MultiSelect table's left margin. When set to true, Identity Manager displays a column of checkboxes. (Boolean)
   columns: Lists table column headers. (List of strings)
   pageSize: Specifies that the table should display at most _pageSize entries simultaneously. If more than _pageSize entries exist, then interface elements allow paging through the results. If _pageSize is less than 1 (the default setting), then all entries are displayed at once. (Integer)
   useSavedPage: If the value of pageSize exceeds 0, then the sorting table saves the current sorting table page on the HTTP session in the <fieldName>_currentPag attribute. The _useSavedPage property indicates whether the current page should be retrieved from the HTTP session and displayed. By making the value of this property the result of an XPRESS expression, the form or view can control when the current page is recalled when returning to the JSP containing the SortingTable component. (Boolean)
   For example, if the SortingTable component displays the results of a query containing editable items, to ensure that Identity Manager displays the results page that contains the edited item after the user has edited an item in
2. relatedItemFilter Option Values (Option: Results of Filtering)
   request: Only work items with the same user-defined request string are returned.
   locked: Only work items that are currently locked for editing are returned.
   If more than one filter attribute is on the list, they will be logically ANDed together. For example, to return only work items with the same request string that are currently locked, add this property to the Approval form:
      <Properties>
        <Property name='includeRelatedItems' value='true'/>
        <Property name='relatedItemAttributes' value='request,description'/>
        <Property name='relatedItemFilter' value='request,locked'/>
      </Properties>
   An example field that displays a table of information about the related work items was added to the Approval Library form library; the field name is Related Approvers. You can reference this field from the standard Approval form as follows:
      <FieldRef name='Related Approvers'/>
   Changing the Repository Lock Timeout for Work Items
   The default time-out interval for locking work items in the repository is five minutes. You can change this value by adding the following element to the RelocatedTypes element of the RepositoryConfiguration Configuration object:
      <TypeDataStore typeName='WorkItem' lockTimeoutMillis='10000'/>
   Top Level Attributes
   The following table lists the top-level WorkItem view attributes. Table 5-70 WorkItem View Attributes: Attribute, Ed
3. <Field name='waveset.resources'>
     <Display class='MultiSelect' action='true'>
       <Property name='allowedValues'>
         <invoke class='com.waveset.ui.FormUtil' name='getUnassignedResources'>
           <ref>display.session</ref>
           <map>
             <s>currentRoles</s>
             <ref>waveset.roles</ref>
             <s>currentResourceGroups</s>
             <ref>waveset.applications</ref>
             <s>current</s>
             <ref>waveset.original.resources</ref>
             <s>conditions</s>
             <map>
               <s>supportsContainerObjectTypes</s>
               <s>true</s>
               <s>type</s>
               <s>LDAP</s>
             </map>
           </map>
         </invoke>
       </Property>
     </Display>
   </Field>
   Example 2
   <Field name='orgResource'>
     <Display class='Select' action='true'>
       <Property name='allowedValues'>
         <invoke class='com.waveset.ui.FormUtil' name='getResourcesSupportingContainerObjectTypes'>
           <ref>display.session</ref>
           <map>
             <s>conditions</s>
             <list>
               <new class='com.waveset.object.AttributeCondition'>
                 <s>name</s>
                 <s>starts with</s>
                 <s>ldap</s>
               </new>
             </list>
           </map>
         </invoke>
       </Property>
     </Display>
   </Field>
4. Name | Editable | Data Type | Required
   id | Read/Write | String |
   selectAll | Read/Write | Boolean |
   unassignAll | Read/Write | Boolean |
   unlinkAll | Read/Write | Boolean |
   currentResourceAccounts | Read | List (objects) |
   fetchAccounts | Read/Write | Boolean |
   fetchAccountResources | Read/Write | List |
   id: Specifies the unique identifier for the account.
   selectAll: Controls whether all resources are selected.
   unassignAll: Specifies that all resources should be removed from the user's list of private resources.
   unlinkAll: Specifies that all resources should be unlinked from the Identity Manager user.
   tobeCreatedResourceAccounts: Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.
   tobeDeletedResourceAccounts: Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.
   All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts.
   currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself.
   All account lists are indexed by resource name.
   Table 5-25 currentResourceAccounts Attributes (Deprovision View)
   Name | Editable | Data Type
   selected | Read/Write | Boolean
5. Values include: true, false.
   Example:
      <Property name='noNewRow' value='true'/>
   location: Use if the container defines more than one display area and the component must be added to a specific area. Some containers allow the placement of components to be controlled by assigning a value to the location property. For example, the BorderedPanel container supports five different display areas: north, south, east, west, and center. The recognized values for the location property are defined by the container. If you do not assign a location, or assign a location name that is not recognized, the container places the component in the default location.
   help: Specifies text that may be displayed to assist the user in understanding the purpose of the field. In most Identity Manager pages, this will cause the <icon> icon to be displayed next to the component title. Moving the mouse over this icon will cause the help text to be displayed in the left margin. The value of the property can either be literal text to be displayed, or it can be a message catalog key. Literal text can include HTML markup. For more information on adding help to your custom form, see Adding Guidance Help to Your Form in the chapter titled Identity Manager Forms.
   inlineHelp: Specifies the text that can be rendered beneath a component in Identity Manager pages. The value of the property can eith
6. </Form>
   NOTE: Although in practice the work item form requires additional fields for buttons such as Approve and Reject, you may not want everything displayed by Default User Form displayed in the work item form. Typically, you can factor out the fields in the user form into a form library that can be referenced by both the user forms and the work item forms.
   View Options
   You can specify the following options when the view is created or refreshed to control the behavior of the WorkItemList viewer.
   userId: Identifies the name of the initial user whose work items are to be displayed. Can be used to override the default, which is the current session user.
   CustomUserLists: When set to true, indicates the form will generate both the users and forwardingUsers lists in a custom way, and that the view handler should not generate them. Generating these lists can be time-consuming if there are many approvers in the system. If the form does not intend to use the default users and forwardingUsers lists, enable this option.
   ForwardingApproverStyle: Specifies the types of administrators whose names will be available in the Forward to list. The value of this attribute defaults to peers. Can be set to one of these values:
   Table 5-73 ForwardingApproverStyle View Option Values
   Option Value | Description
   peers | Specifies administrators at the same organization level as t
7. <Rule name='testGetSubordinates'>
     <invoke name='getSubordinates' class='com.waveset.ui.FormUtil'>
       <ref>display.session</ref>
       <ref>waveset.accountId</ref>
       <map>
         <s>firstLevel</s>
         <i>0</i>
         <s>lastLevel</s>
         <i>0</i>
         <s>conditions</s>
         <map>
         </map>
       </map>
     </invoke>
   </Rule>
   getUnassignedResources Method
      static public List getUnassignedResources(LighthouseContext s, Map options) throws WavesetException
   Description: Build a list of resource names suitable for the private resources of a user. A private resource is a resource that is directly assigned to a user. This is the list of all accessible resources, minus the names of the resources that are already assigned to the user through their role. The resulting list is convenient for use in forms for assigning private resources.
   Table 4-24 getUnassignedResources Parameters
   Parameter | Description
   context | Identity Manager context object
   options | availableToOrgScope, current, currentRoles, currentResourceGroups, conditions, scopingOrg. See table below.
   Table 4-25 Options Values
   Option | Value
   availableToOrgScope | (List) Specifies organization names or paths (or displayNames, if unique). Resources that are available to organizations on this list or an organizati
8. </concat>
   </Expansion>
   </Field>
   By defining a Derivation rule, the value of the fullname attribute in the LDAP resource will be used first to populate the fullname field. If the value does not exist on LDAP, then the value will be set from the NT resource.
   accountInfo Attribute
   Contains read-only information about resource accounts associated with the user. It is used within system views besides the user view. Some information in this view is a duplicate of the information found in the waveset.accounts attribute. There are two reasons for this duplication:
   • Information in this view is structured so that it is easier to use in forms.
   • This view can be used as a component of other views without including the entire waveset view.
   Most account information is stored in the accountsInfo.accounts attribute. Other attributes simply contain lists of account names. It is common to use a FieldLoop in a form to iterate over the names in one of the name list attributes, then use this name to index the account list attribute.
   For example, the following form element generates a list of labels that contain the names of each resource that is assigned indirectly through a role:
      <FieldLoop for='name' in='accountInfo.fromRole'>
        <Field name='accountInfo.accounts[$(name)].name'>
          <Display class='Label'/>
        </Field>
      </FieldLoop>
   The f
9. <set name='subset'>
     <dolist name='el'>
       <cond>
         <gt>
           <ref>el</ref>
           <i>10</i>
         </gt>
         <ref>el</ref>
       </cond>
     </dolist>
   </set>
   Example 2
   The following expression returns apples.
   <switch>
     <s>A</s>
     <case default='true'>
       <s>unknown</s>
     </case>
     <case>
       <s>A</s>
       <s>apples</s>
     </case>
     <case>
       <s>B</s>
       <s>oranges</s>
     </case>
   </switch>
   select Function
   Returns the first non-null value in a list. Use this function when you need to obtain the correct context from, for example, a workflow.
   Example
   <select>
     <ref>display.session</ref>
     <ref>context</ref>
   </select>
   while Function
   Repeats a set of expressions until a condition is met. The first subexpression is called the conditional and will be evaluated each time through the loop. The loop terminates when the conditional is logically false. The value of the while expression is the value of the last expression in the loop during the last iteration.
   Example
   The following expression returns null.
   <while>
     <gt>
       <ref>counter</ref>
       <i>0</i>
     </gt>
     <set name='counter'>
       <sub>
         <ref>counter</ref>
         <i>1</i>
         <
11. <invoke class='com.waveset.ui.FormUtil' name='getOrganizationsDisplayNames'>
      <ref>display.session</ref>
      <map>
        <s>filterVirtual</s>
        <o><Boolean>true</Boolean></o>
        <s>current</s>
        <list>
          <ref>original.orgParentName</ref>
        </list>
        <s>excluded</s>
        <list>
          <ref>orgName</ref>
        </list>
      </map>
    </invoke>
    LinkForm
    Renders a bulleted list of links, resembling a menu.
    NameValueTable
    A component that renders a collection of name/value pairs in a simple two-column table. This component directly renders the data it contains. Data can be specified in several forms:
    • flat list: The list is expected to contain name/value pairs such that element 0 is a name, element 1 is a value, element 2 is a name.
    • map: The entries in the map are emitted in alphabetical order.
    • GenericObject: The object is flattened to and emitted as a map.
    Properties include _hideEmptyRows, which when set to true hides rows for which no value exists.
    MultiSelect
    Displays a multiselection text box, which displays as a two-part object in which a defined set of values in one box can be moved to a selected box. Values in the left box are defined by the allowedValues property; values are often obtained dynamically by calling a
12. Text Fields
    You can include both single-line and multi-line text entry boxes in a form. To create a single-line text entry field, use the <Text> element. To create a multi-line text entry field, use the <TextArea> element.
       <Display class='Text'>
         <Property name='title' value='Zip Code'/>
         <Property name='size' value='10'/>
         <Property name='maxLength' value='10'/>
         <Property name='required' value='true'/>
       </Display>
    Assigning or Changing a Field Label
    When defining a text field or area, its label is identified by the value property of the label property, as indicated below:
       <Display class='Text'>
         <Property name='label' value='Input'/>
    The browser displays the preceding code as a text entry field labeled Input.
    Containers
    Some display elements are contained within components called container components. Container components offer a way to:
    • Collect multiple components to visually organize in a particular way. Simple containers can concatenate the components horizontally or vertically. Other containers allow more flexible positioning of components and can add ornamentation around the components.
    • Group components that you want to hide or disable on a form.
    Creating a container class typically results in the generation of an HTML table tag. Typical container components are described in the following table.
    Table 3-12 Typical Container Components: Com
13. View associated with the form: All forms are used with views. The most common view used with forms is the user view. The view defines the data that is available when the form is evaluated.
    Undefined attributes: The Tabbed User Form provides a mechanism for automatically generating text fields to edit resource account attributes for which fields are not explicitly defined. You can disable this feature in the form.
    How forms interact with other Identity Manager components: This includes the process by which Identity Manager evaluates the form, or form evaluation. All form-driven pages are processed similarly. For an overview of how Identity Manager evaluates a form, see Form Evaluation in this chapter.
    Display components used in the form: Form fields can be associated with a display component that determines how the field is displayed in the browser.
    User View and Forms
    The user view is a data structure that contains all available information about an Identity Manager user. It includes:
    • Attributes stored in the Identity Manager repository
    • Attributes fetched from resource accounts
    • Information derived from other sources such as resources, roles, and organizations
    Views contain many attributes, and a view attribute is a named value within the view (for example, waveset.accountId is the attribute in the user view whose value is the Identity Manager account name). Most form field names are associated
14. <s>Dallas</s>
    <s>DAL</s>
    </case>
    </switch>
    </Expansion>
    </Field>
    Validation Element
    Determines whether a value entered in a form is valid. Validation rules are evaluated whenever the form is submitted. This example Validation rule checks to make sure that a user's zip code is five digits.
       <Validation>
         <cond>
           <and>
             <eq>
               <length>
                 <ref>global.zipcode</ref>
               </length>
               <i>5</i>
             </eq>
             <gt>
               <ref>global.zipcode</ref>
               <i>99999</i>
             </gt>
           </and>
           <null/>
           <s>zip codes must be five digits long</s>
         </cond>
       </Validation>
    Editing and Container Fields
    When the Display element appears with the Field element, it describes the component that will be used to render that field. There are two types of fields:
    • editing fields: These are associated with a particular value to modify.
    • container fields: These surround one or more fields.
    Editing fields must have names and are always used with one of the editing components, such as Text or Checkbox.
    Example Editing Field
       <Field name='waveset.email'>
         <Display class='Text'>
           <Property name='title' value='Email Address'/>
           <Property name='size' value='60'/>
           <Property name='maxLength' value='128'/>
         </Display>
       </Field>
15. statistics.accounts.discovered: Identifies the number of accounts that is found on the resource at the time of the reconciliation operation.
    statistics.situation.<situation>.resulting: Identifies the number of accounts in the specified reconciliation situation after responses have been performed (successfully or not). Valid situations are any of the following:
    • CONFIRMED
    • FOUND
    • DELETED
    • MISSING
    • COLLISION
    • UNMATCHED
    • UNASSIGNED
    • DISPUTED
    Rename User View
    Used to rename the Identity Manager and resource account identities. This view is typically used when a user in a company has a name change. The other main use for this view is to change the identity of a directory user that essentially causes a move in the directory structure.
    Table 5-51 RenameUser View Attributes
    Name | Editable | Data Type | Required
    newAccountId | Read/Write | String |
    toRename | Read | List |
    noRename | Read | List |
    resourceAccounts | Read | |
    fetchAccounts | Read/Write | Boolean |
    fetchAccountResources | Read/Write | List |
    newAccountId: Specifies the new accountId to be set on the Identity Manager user and used in the Identity templates for resource accounts.
    toRename: Specifies a list of accounts in the currentResourceAccounts list that support the rename operation.
    noRename: Specifies a list of accounts that do not support the rename functionality.
    resourceAccounts: Contains mostl
16. Identity Manager currently supports the following session workflow services. The op argument to the session workflow services call must be one of these values:
    • addDeferredTask
    • audit
    • authenticateUserCredentials
    • authorize
    • checkinObject
    • checkinView
    • checkoutObject
    • checkoutView
    • checkStringQualityPolicy
    • createView
    • disableUser
    • enableUser
    • findUser
    • getObject
    • getProperty
    • getResource
    • getView
    • getViewForm
    • listResourceObjects
    • queryObjectNames
    • queryObjects
    • queryReferencingRoles
    • refreshView
    • removeDeferredTask
    • removeProperty
    • setProperty
    • unlockObject
    • unlockView
    If an op argument is given that is not on the above list, the workflow services return "Unknown WorkflowServices op" and the workflow context variable WF_ACTION_ERROR will be non-null.
    addDeferredTask Session Workflow Service
    Used to set up the properties that are recognized by the Deferred Task Scanner task. Deferred Task Scanner typically iterates over WSUser objects looking for a property. When using this method to set a deferred task on a user, you can set arbitrary values using the taskDefinition argument. This argument must be an object that contains the arbitrary values. These values will be passed into the workflow that is run when the deferred task is triggered.
    Adding Multiple Versions of the Same Ta
17. Populating Lists
    Lists are frequently populated with options that are dynamically calculated from information that resides in the user object or an external resource. When creating this type of list, you must first create the HTML list components in the form before populating the list. For additional information on using the HTML text box components, see the sections titled Creating a Single-Selection List and Creating a Multiselection List.
    There are two ways to populate these lists, including the methods covered in this section:
    • Populating lists with the allowedValues property
    • Using FormUtil methods to populate either single-selection or multiselection lists with information dynamically derived from an external resource
    See the section titled Representing Lists in XML Object Language and XPRESS for a discussion of the advantages to using XML Object language rather than XPRESS for certain tasks.
    Populating Lists of Allowed Values
    The most typical way of populating lists in forms is through the use of the allowedValues property. From this property, you can specify an optional list of permitted values for <Select> and <MultiSelect> elements. The value of this component is always a list and usually contains strings.
       <Field name='department'>
         <Display class='Select' action='true'>
           <Property name='title' value='Department'/>
           <Property name='allowedValues'>
             <List>
               <S
18. See Setting View Options in Forms in this chapter for more information.
    Find Objects View
    Provides a customizable, generic Identity Manager repository search interface for any object type defined in Identity Manager that has rights and is not deprecated or restricted to internal use. The Find Objects view handler provides the associated forms for specifying one or more attribute query conditions and parameters, and for the display of the find results. In addition, you can use view options to specify attribute query conditions and parameters.
    This view contains the following attributes.
    Table 5-30 Top Level Attributes (Find Objects View)
    Name | Editable | Type | Required
    objectType | Read/Write | String | Yes
    allowedAttrs | Read/Write | List | No
    attrsToGet | Read/Write | List | No
    attrConditions | Read/Write | List | No
    maxResults | Read/Write | String | No
    results | Read | List | No
    sortColumn | Read/Write | String | No
    selectEnable | Read/Write | Boolean | No
    objectType: Specifies the Identity Manager repository object type to find (for example, Role, User, or Resource).
    allowedAttrs: Lists the specified object type's (specified by the objectType attribute) allowed queryable attribute names, that are obtained by default by calling the objectType's listQueryableAttributeAttrs method. This method is exposed by each class that extends PersistentObject. If not overridden by the object type class, it inherits
19. This example returns CN=jdoe,dc=example,dc=com.
    Getting a List of Unassigned Resources
    To retrieve a list of all resources to which the user ID could potentially have permission to view but is currently unassigned, call the getUnassignedResources method. The <ref> statements identify the view attribute that contains information about the specified user.
    Example
       <invoke name='getUnassignedResources' class='com.waveset.ui.FormUtil'>
         <ref>display.session</ref>
         <ref>waveset.role</ref>
         <ref>waveset.original.resources</ref>
       </invoke>
    Retrieving a List of Accessible Object Types
    To get a list of object types that the session owner currently has access to, use the getObjectNames method. You can request the following object types:
    • Account
    • Administrator
    • Configuration
    • EmailTemplate
    • Resource
    • Role
    • System
    • TaskInstance
    • User
    • UserForm
    For a complete list of object types, see the List Objects option on the Debug page.
    Example
       <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'>
         <ref>display.session</ref>
         <s>UserForm</s>
       </invoke>
    Retrieving a List of Object Types Accessible by the Session Owner
    To get a list of object names for which the session owner has access, use the getObjectNames method.
    Example
       <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'>
         <ref>d
21. lockedBy | No | Gives an alternate name to use to record the lock.
    lockWait | No | Indicates the number of seconds to wait if there is contention on a lock.
    Return Values and Side Effects
    If the checkout is successful, the object checked out will be placed in the variable object. If the lock timed out, WF_ACTION_TIMEOUT will be set to true for the checkout action. If any other error occurred, including administrator not authorized to check out the object, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.
    checkoutView Session Workflow Service
    Fetches and locks an Identity Manager view.
    Table 2-9 checkoutView Method Arguments
    Name | Required | Valid Values | Description
    op | yes | checkoutView |
    viewid | no | | Identifies the ID of the view to checkout. If this argument is not specified, both the type and ID must be specified. Type and ID may be easier to use from workflows.
    name | yes | | Specifies the name of the object that is being checked out.
    type | no | | Identifies the type for the view.
    id | No | | The ID of the object being manipulated in the view. For example, if you are creating a view to manipulate an account object, this would be the accountId.
    raiseViewErrors | no | | Specifies that display.errors is promoted to WF_ACTION_ERROR. When set to true, errors in the display.errors attribute of the view are automatically extracted and returned to the workflow engine as errors.
22. </sub>
    </defvar>
    <concat>
      <substr>
        <upcase><ref>global.lastname</ref></upcase>
        <s>0</s>
        <s>1</s>
      </substr>
      <substr>
        <ref>lname</ref>
        <s>1</s>
        <ref>nlength</ref>
      </substr>
    </concat>
    </block>
    </Expansion>
    </Field>
    As the preceding XPRESS logic could be implemented in multiple fields, consider presenting it in a rule.
    Example 2
    In the following example, this field is also hidden by the absence of any Display class definition. The lack of Display class definition prevents the field from being displayed in the form, but the field is still considered to be an active part of the form and will generate values for resource attributes through its <Expansion> expression.
       <Field name='accounts[Oracle].locCode'>
         <Expansion>
           <switch>
             <ref>location</ref>
             <case>
               <s>Austin</s>
               <s>AUS</s>
             </case>
             <case>
               <s>Houston</s>
               <s>HOU</s>
             </case>
             <case>
               <s>Dallas</s>
               <s>DAL</s>
             </case>
           </switch>
         </Expansion>
       </Field>
    In this example, it performs the reverse of the mapping performed by the location field.
    Example of <Validation> Statement
    Validation e
23. <Field name='waveset.role'>
      <Display class='Select' action='true'>
        <Property name='title' value='Role'/>
        <Property name='nullLabel' value='None'/>
        <Property name='allowedValues'>
          <expression>
            <invoke class='com.waveset.ui.FormUtil' name='getRoles'>
              <ref>display.session</ref>
              <ref>waveset.original.role</ref>
            </invoke>
          </expression>
        </Property>
      </Display>
    </Field>
    Adding Guidance Help to Your Form
    Identity Manager supplies two types of online help:
    • Help, which is task-related help and information available from the Identity Manager menu bar. You cannot configure this help.
    • Guidance (pop-up help), which is field-level help that is available left of the field or area that is marked with a guidance icon.
    How to Specify Guidance Help for a Component
    You can associate guidance help text with any component, although it is currently displayed only by the EditForm container. You can specify guidance text in one of three ways:
    • Explicitly assign it to the component with the help property. See the section titled Using the help Property.
    • Indirectly assign it to the component with the helpKey property, which references an entry in a help catalog. See the section titled Using the helpKey Property.
    • Indirectly associate it with the component by matching
24. Identity Manager makes available the account type as well as the accountId. When working with the user-oriented views, including the User, Enable, Disable, and Deprovision views, follow these addressing guidelines:
    • Use a value of null to indicate an account of the default type. Reference an account of the default type by resource name (for example, accounts[corp-ad]).
    • Use a type-qualified name instead of the resource name to reference an account of a specific type. The type-qualified resource name takes this form: <resource name>|<type of account>
    To reference the account data for the account of type Admin on the resource corp-ad, reference accounts[corp-ad|Admin].
    User View Attributes
    Whenever you create or modify a user account from a web browser, you are indirectly working with the user view. From the perspective of altering user account information, it is the most significant view in the Identity Manager system. Workflow processes also interact with the user view. When a request is passed to a workflow process, the attributes are sent to the process as a view. When a manual process is requested during a workflow process, the attributes in the user view can be displayed and modified further.
    MetaView Attributes
    If your deployment uses identity attributes, Identity Manager creates an additional namespace in the User view. This additional namespace, called metaView, contains identity attribute-related information. Ident
25. Indicates the complete task definition object. This argument can be used in lieu of specifying all of the other task arguments below. If both a complete task object and any of the other arguments are provided, the singleton arguments override the value of that argument in the task definition object.
    Identifies the name of the TaskInstance to create.
    Specifies the date on which you want the deferred task to run.
    Indicates the organization to put the TaskInstance in.
    Indicates the name of the effective owner of the TaskInstance (used for later management).
    Specifies optional descriptive text to include with the TaskInstance for the Task Management page.
    removeProperty Session Workflow Service
    Removes an Identity Manager object property. Identity Manager makes sure that the administrator that launched the workflow is authorized to view the object.
    Table 2-25 removeProperty Method Arguments
    Name | Required | Valid Values | Description
    name | yes | | Indicates the name of the object whose property is to be set.
    propertyName | no | | Specifies the name of the property to modify in the object. If no propertyName is given, the service has no effect or return.
    Return Values and Side Effects
    The Identity Manager object's property is removed. If any error occurs, including administrator not authorized to view the object, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.
26. Nested elements are the arguments to the function. In addition, there are beginning and end tags for each element, in this case <add> </add>.
    Example:
    <add> <ref>counter</ref> <i>10</i> </add>
    In the preceding example, the <add> element represents a call to the function named add. This function is passed two arguments:
    - first argument: value is determined by calling a function named ref. The argument to the ref function is a literal string that is assumed to be the name of a variable. The value returned by the ref function is the current value of the variable counter.
    - second argument: value is determined by calling a function named i. The argument to the i function is a literal string that is an integer. The value that the i function returns is the integer 10.
    The value returned by the add function will then be the result of adding the integer 10 to the current value of the variable counter. Every function call either returns a value or performs an operation on one of its arguments. For example, if the ref call returns the value of the counter, then the <i> call returns the integer 10, and the <add> call returns the addition of the two calls.
    Another example is the classic Hello World program, which is written in XPRESS as follows:
    <print> <s>Hello World</s> </print>
    Integration with Id
27. - int
    - string
    - boolean
    - encrypted
    - binary
    - complex
    Refer to the Identity Manager Resources Reference to determine if binary or complex attributes are supported for the resource. An exception is thrown if you attempt to send binary or complex attributes to a resource that does not support these attributes. Binary attributes should be kept as small as possible. Identity Manager will throw an exception if you attempt to manage a binary attribute that is larger than 350 KB. Contact Customer Support for guidance if you need to manage attributes larger than 350 KB.
    multi: True if the attribute allows multiple values.
    If you are designing a form, do not worry about the declared resource account attribute types. The user view processing system makes the appropriate type coercions when necessary.
    accountInfo.accounts[].passwordPolicy
    A resource can be assigned a password policy. If an attribute has an assigned password policy, the value of this attribute will contain information about it. The following table defines the attributes in the accountInfo.accounts[resname].passwordPolicy.
    Table 5-10 accountInfo.accounts[resname].passwordPolicy Attributes (User View)
    Attribute | Description
    name | The name of policy. This corresponds to the name of a policy object in the Identity Manager repository.
    summ
28. [Table of contents fragment; recoverable entries:] What Are HTML Components?; Specifying Display Components; Page Processor Requirements for HTML Components; Component Classes; Basic Component Classes; Container Classes; Component Subclasses; Naming Conventions; Data Types; Basic Components; Process Mappings.
    Preface
    This Sun Java System Identity Manager Workflows, Forms, and Views publicat
29. </lte>
    ncmp Function
    Performs case-insensitive comparison of two string values. This function returns:
    - negative number: indicates that the value of the first argument is lexically less than the second
    - positive number: indicates that the first argument is lexically greater than the second
    - 0 (zero): indicates that the arguments are equal
    Arguments are coerced to strings, if necessary.
    Example: The following expression returns 0.
    <ncmp> <s>Daryl</s> <s>daryl</s> </ncmp>
    neq Function
    Performs an inequality test. Its behavior is simply the negation of the equality test performed by the eq function. This function returns:
    - 0: the two arguments are equal
    - 1: the two arguments are not equal
    Example:
    <neq> <ref>role</ref> <s>management</s> </neq>
    not Function
    Reverses the logic of the nested expression. This function returns:
    - 1: the value of the argument is logically false
    - 0: argument is logically true
    Example: The following example returns 0.
    <not> <eq> <i>42</i> <i>24</i> </eq> </not>
    or Function
    Takes multiple arguments. This function returns:
    - null: all arguments are logically false
    - Value of the first argument expression that results
30.     <Property name='title' value='Organization'/>
        <Property name='autoSelect' value='true'/>
        <Property name='allowedValues'>
          <expression>
            <invoke class='com.waveset.ui.FormUtil' name='getOrganizationsWithPrefixes'>
              <ref>:display.session</ref>
            </invoke>
          </expression>
        </Property>
      </Display>
    </Field>
    XPRESS also supports the ability to invoke calls to Java methods from within a resource or ActiveSync adapter. The results of the calls can then be used to populate multiselection or select lists. For information on invoking methods from an expression, see XPRESS Language.
    Creating a Label Field
    Labels are useful components for displaying the value of a read-only field. Properties of the <Label> component permit you to define the display characteristics of the label, including color, value (string), and font style.
    <Field>
      <Display class='Label'>
        <Property name='text' value='Primary Corporate LDAP Server'/>
      </Display>
    </Field>
    The value attribute is always a string.
    Working with Other Display Elements
    Other display elements that you might want to incorporate into a form include:
    - section header
    - calendar icon
    - back link
    Adding a Section Heading to a Form
    Section heads are useful to separate sections of long forms with a prominent label. The <SectionHea
31. <list> element can slow the execution of the form in which it is included. This degradation in performance is typically not noticeable unless the list contains many elements. It is permissible and common for forms to use <list>. The following example uses the <s> string constants in the XPRESS list, but you can also use the <invoke> or <concat> elements to dynamically build the list elements.
    Example:
    <list> <s>cat</s> <s>dog</s> </list>
    Using XML Object Language to Represent a List
    The XML Object language uses the <List> element to represent lists. The contents of the <List> element can be only other XML Objects. In the following example, the contents of the <List> element are <String> elements.
    Example:
    <List> <String>cat</String> <String>dog</String> </List>
    Example Form Using Both Types of Syntax
    The following form incorporates fields containing lists defined by both XML Object syntax and XPRESS.
    <Form>
      <Field name='department'>
        <Display class='Select'>
          <Property name='allowedValues'>
            <List>
              <String>Engineering</String>
              <String>Marketing</String>
              <String>Sales</String>
            </List>
          </Property>
        </Display>
      </Field>
      <Field name='department2'>
        <
32. ref> <s>Solaris</s> </contains> </not> </Disable> </Field>
    The <Disable> element is part of the Form XML language. The contents of the <Disable> element can be any expression in the XPRESS language. In this case, the expression is testing to see if the string Solaris appears in a list stored in the external variable named accountInfo.typeNames. With forms, this variable contains a list of all resource types currently assigned to the user. When the form is processed for display, the expression in the <Disable> element is evaluated. If it returns true, this field is not displayed.
    The values null and 0 are logically false. Non-null or non-zero fields are logically true. This means that the string represented with the expression <s>false</s> is logically true because it is non-null.
    Field values can be calculated by XPRESS using one of three elements specified in the field declaration: Derivation, Default, and Expansion.
    Calculating Default Field Values
    Field values can be calculated from other fields or simply set to an initial value using the <Default> element. The <Default> element is typically used to initialize an editable field and is evaluated only if the field does not already have a value assigned to it. The <Default> element is often used to calculate an account ID based on the first and last name of the user. The following example sho
33. resultLimit, resultOption
    Specifies the limit, in seconds, that a task instance is allowed to live after the task has completed. Default is 0. Once a task has completed or terminated, the TaskInstance containing the task result is typically kept in the repository for a designated period of time, after which it is automatically deleted.
    - 0: Indicates that the TaskInstance will be deleted immediately after the task is complete.
    - -1: Indicates that the TaskInstance will never be automatically deleted, though it can be manually deleted by the user.
    This parameter is typically set to a value that is equivalent to a few days for tasks that generate reports for later analysis. Set to zero for tasks that are run only for side effect and do not generate any meaningful result.
    String. Specifies the options for how the results of prior executions of repetitive tasks are handled. This object defines that data and how to ask for it. Default is delete.
    - wait: Prevents the task from being run until the old result is manually deleted or expires. If this is a non-scheduled task, it results in an error at the time it is launched. If this is a scheduled task, the scheduler simply ignores it.
    - delete: Automatically deletes old results before executing the task. The old tasks must be in a finished state.
    - rename: Renames old results before executing the task. The old task must be in a finished state.
    - terminate: Terminates and deletes any
34. runAsPassword, cache, cacheTimeout, clearCache
    Specifies whether the search should be done on the current object only within the context of the specified searchContext, or in all subcontexts within the specified searchContext. Valid values include object, oneLevel, or subTree. subTree indicates that the search should be performed on all sub-contexts within the specified searchContext.
    Indicates the time limit, in milliseconds, that a search should not exceed.
    Specifies the list of object type-specific attribute names to get per object.
    Specifies the user name this request is to be run as. If not specified, defaults to the resource proxy admin user.
    Indicates the password of runAsUser. Required to authenticate with the resource to run the list request as the specified user.
    Specifies whether the server caches the returned list of objects. A value of true causes the server to cache the returned list of objects. The default is false.
    Sets the number of milliseconds before the cache times out (valid only if cacheList is true). When the cache times out, the object will automatically be retrieved from the resource the next time objects are requested.
    Forces the caches to be cleared and the objects to be refetched from the resource the next time they are requested.
    queryObjectNames Session Workflow Service
    Returns a list of names that match the query attributes specified. Tabl
35. [Table of contents fragment; recoverable entries:] Calculating Default Field Values; Deriving Field Values; Generating Field Values; Workflow Transition Conditions; Workflow Actions; Invoking Java Methods from Workflow Actions; Testing Expressions; Functions; Value Constructor Expressions; Arithmetic Expressions; Logical Expressions; String Manipulation Expressions; List Manipulation Expressions; Conditional, Iteration, and Block Expressions; Variables and Function Definition Expressions
36. sub> </set> </while>
    Variables and Function Definition Expressions
    Use the following functions to reference and define variables and functions within expressions.
    ref Function
    References the value of a variable. The variable can either be an external variable supported by the host application or an internal variable defined with <defvar>.
    Example:
    <ref>waveset.role</ref>
    defvar Function
    Defines a new variable. The variable can then be referenced by any expression within and below the containing expression in which the variable was defined. The variable must be given a name using the XML attribute name. A defvar statement should not reference itself. If it does, it will cause a loop. To change the value of an existing variable, see the description of the set function in this section.
    NOTE: Avoid the following constructions:
    <defvar name='fullname'> <ref>fullname</ref> </defvar>
    or
    <defvar name='counter'> <add> <ref>counter</ref> <i>0</i> </add> </defvar>
    Example 1: The following expression defines a variable and initializes its value to a list of two elements.
    <defvar name='theList'> <list> <s>apples</s> <s>oranges</s> </list> </defvar>
    Example 2: The following expression defines
37. Name | Editable | Data Type
    unassign | Read/Write | Boolean
    unlink | Read/Write | Boolean
    name | Read | String
    type | Read | String
    accountId | Read | String
    exists | Read | Boolean
    disabled | Read | Boolean
    authenticator | Read | Boolean
    directlyAssigned | Read | Boolean
    selected: If set to true, indicates that for a given resource, the associated account should be deprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be deleted unless they are also selected. However, the associated resource accounts will not be deleted.
    unassign: If set to true, indicates that the specified resource should be removed from the user's list of private resources (for example, waveset.resources).
    unlink: If set to true, indicates that the specified resource should be unlinked from the Identity Manager user (for example, remove the associated ResourceInfo object).
    NOTE: If selected or unassign are set to true, this suggests that unlink will also be true. However, the converse is not true: unlink can be true, and selected and unassign can be set to false.
    name: Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository.
    type: Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on th
38. 5 checkStringQualityPolicy Method Arguments
    Name | Required | Valid Values | Description
    policy (required: yes): Identifies the policy. String.
    map (required: no): Provides a map of the data that the string must not contain. Map.
    returnNull (optional): If set to true, the method returns a null object upon success.
    value (required: yes): Specifies the value of the string to be checked.
    pwdhistory (required: no): Lists the user's previous passwords in uppercase, encrypted format.
    owner (required: yes; Object): Identifies the user whose string value is being checked.
    Return Values and Side Effects
    The method returns a checkPolicyResult object. A value of true indicates that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.
    checkinObject Session Workflow Service
    Persists the current memory representation of the given object. Identity Manager makes sure that the administrator that launched the workflow is authorized to check in the object.
    NOTE: Using views is more convenient than using objects. Try using views to modify objects. For information on Views, see the chapter titled Identity Manager Views.
    Table 2-6 checkinObject Method Arguments
    Name | Required | Valid Values | Description
    op | yes | checkinObject |
    object | no | | Indicates the object that is being checked in. If no object is supplied, the w
39. [Table of contents fragment; recoverable entries:] delegateApproversTo; delegateApproversSelected; delegateApproversStartDate; delegateApproversEndDate; Deprovision View; resourceAccounts; Disable View; resourceAccounts; Enable View; resourceAccounts
40. LDAP resource. The following form fields set the necessary view attributes to define this association:
    <Field name='accounts[HR].deferredAttributes.directoryid.resource'> <Expansion> <s>LDAP</s> </Expansion> </Field>
    <Field name='accounts[HR].deferredAttributes.directoryid <Expansion> <s>uid</s> </Expansion> </Field>
    Extending Views
    Some views that set specific resource account attributes, such as the password or the enable flag, allow you to set additional account attributes. For security, however, these extended attributes must be registered.
    Attribute Registration
    Attributes can be registered in one of two locations.
    Table 5-74 Locations for Attribute Registration
    Location | Register attributes here if...
    AccountAttributeType definition in the resource | the attributes you want to update are specific to a particular resource, rather than to all resources of that type.
    System Configuration Object | you want to make global registrations for all resources of a particular type. These registrations must be done in XML format.
    You can register different attributes for different views. For example, you can register the lock attribute for the Password view and the firstname attribute for the Rename view.
    Global Registration
    To make global registrations, that is, registrations that
41. Name | Required | Valid Values | Description
    resourceName | yes | | Specifies the name of the resource to authenticate against.
    accountId | yes | | Specifies the ID of this account as it appears on the named resource.
    accountPassword | yes | | Specifies the password for this account (an unencrypted string).
    Return Values
    Returns the result of the call to authenticate. Sets a variable in the WFContext, passwordIsValid, to true on success or anything else on failure.
    changeResourceAccountPassword Provision Workflow Service
    Changes the password for one or more resource accounts.
    Table 2-33 changeResourceAccountPassword Method Arguments
    Name | Required | Valid Values | Description
    op | yes | |
    resources | yes | | Specifies the list of resources for which to change the password.
    options | no | | Specifies options to specify provisioning characteristics. See the javadocs for com.waveset.provision.ProvisioningOptions.
    Return Values and Side Effects
    A WavesetResult object containing the result of the password change.
    cleanupResult Provision Workflow Service
    Removes null ResultErrors from the task result. This method takes the op argument with a valid value of cleanupResult.
    Return Values and Side Effects
    A WavesetResult object containing the result of the cleanup.
    checkDeProvision Provision Workflow Service
    Determines if an acc
42. Naming and Directory Interface, JavaMail, JavaHelp, J2SE, iPlanet, the Duke logo, the Java Coffee Cup logo, the Solaris logo, the SunTone Certified logo and the Sun ONE logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc. Legato and the Legato logo are registered trademarks, and Legato NetWorker are trademarks or registered trademarks of Legato Systems, Inc. The Netscape Communications Corp logo is a trademark or registered trademark of Netscape Communications Corporation. The OPEN LOOK and Sun(TM) Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun's licensees who implement OPEN LOOK GUIs and otherwise comply with Sun's written license agreements. Products covered by and information contained in this service manual are controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical bio
43. Oracle | USERS, ROLE, PROFILE
    Natural | account, Group
    NDS | account, Group
    PeopleSoft | account
    RACF | account, Group
    SAP | account, table, profiles, activitygroups
    SecurID | UnassignedTokens
    Table 3-17 Supported Object Types
    Resource | Supported Object Types
    SP2 | Nodes
    Solaris | account, Group, shell
    TopSecret | account
    VMS | account
    Windows Active Directory | account, Group. You can specify any Active Directory valid object class name as an object type. (A list of object class names can be found in the Active Directory schema documentation.) The list returned contains the distinguished names of the objects. By default, the method searches in the container that is specified by the Container resource attribute. However, you can specify a container as an option to the listResourceObjects call. Its value should be the distinguished name of a container. Only objects within that container are listed.
    Windows NT | account, Group
    Obtaining a List of Resource Objects without Map Options
    To obtain a list of resource objects without map options, specify the resource object type and resource name.
    Note: Some resources support acting on a subset of a list. You can do this by specifying a starting directory.
    In the following example:
    - The <UnassignedTokens> string identifies the resource object type that you want to get. Other common resource object types are groups, distribution lists, and accounts.
    - The <SecurID> string
44. Processes
    Related Chapters
    - Workflow Services: Describes the workflow service methods that are available to the Identity Manager implementer who is customizing Identity Manager.
    - XPRESS Language: Lists and describes use expressions written in the XPRESS language to include logic in workflows and forms.
    - Introduction to the Identity Manager Integrated Development Environment, in Identity Manager Deployment Tools: Introduces the Identity Manager Integrated Development Environment (IDE) and describes how to start the tool, set editor options, save and debug forms.
    NOTE: To better understand a typical workflow, use the Identity Manager IDE to view, run, and debug sample workflows.
    Understanding Workflow
    Identity Manager workflow defines a sequence of actions and tasks that are performed consistently according to a defined rule set. Using the Identity Manager Integrated Development Environment (IDE) graphical interface, you can customize each workflow launched by Identity Manager. Before working with workflow, develop an understanding of:
    - General workflow concepts
    - How workflow is used in Identity Manager
    What is Workflow?
    In general terms, a workflow is a logical, repeatable process during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules. A participant is a person, machine, or both. In Identity Manager, this concept is specif
45. Property>
        <Property name='title' value='Identity ID'/>
        <Property name='size' value='32'/>
        <Property name='maxLength' value='128'/>
        <Property name='submitOnEnter' value='Save'/>
      </Display>
    </Field>
    TextArea
    Displays a multi-line text entry box. Properties for this display component are:
    - rows: Specifies the number of text area rows. (Integer)
    - columns: Specifies the number of text area columns. (Integer)
    - readOnly: Displays read-only text in the text entry box. When set to true, this component will not have a border. (Boolean)
    - format: Set to control how setValue behaves and determine the type of object returned by getPostData. (String)
    - sorted: Enables sorting of lines in the text area when set to true. This feature is convenient when the area is used to display a list of selections, not free-form text. (Boolean)
    - noTrim: Specifies whether text posted from the HTML form is trimmed. The default is to trim white space. To preserve white space, set this value to true.
    Example: To display a text box with five visible rows that wraps after each 70 characters, specify:
    <Field name='Description'>
      <Display class='TextArea'>
        <Property name='rows' value='5'/>
        <Property name='columns' value='70'/>
      </Display>
    </Field>
    If the user enters text beyon
46. [Index fragment]
    Schedule view; understanding; Unlock view; user (See user view); WorkItem List view; WorkItem view
    W
    waveset attributes: accountId, applications, attributes, correlationKey, createDate, creator, disabled, email, exclusions, id, lastModDate, lastModifier, lock, lockExpiry, most common, organization, original, passwordExpiry, passwordExpiryWarning, questions, resources, roles
    while function
    width display component
    wizard forms
    WizardPanel display component
    workflow (See also workflow process): actions, adding applications, built-in variables, components, configuration properties, engine, integrating with user view, integrating with views, Java, manual actions, overview, repository objects, task, TaskDefinition object, parameters, toolbox default activities, tracking progress, transitions (conditions, creating), understanding
    workflow auditing: information collected
    workflow process (See also workflow): customizing, default, editing in production, overview, TaskInstance object, updating
    workflow services: addDeferredTask, approveProvision, audit, auditNativeChangetoAccountAttributes, authenticateUserCredentials, authorize, bulkReprovision, call str
47. Select' action='true'>
    onClick
    When specified, the value is expected to contain JavaScript that will be assigned as the value of the onClick attribute of the input element generated for this component. Not all components support the onClick property. Use of this property is rare and requires detailed knowledge of the generated HTML. If you use this property, the page must typically contain a Javascript component that defines JavaScript functions you call from within the onClick value.
    Example:
    <Property name='onClick' value="Uncheck(this.form, 'resourceAccounts.selectAll');"/>
    NOTE: Once forms are stored in the repository, Identity Manager always uses single quotes to surround attribute values. If single quotes appear within the attribute value, they will be replaced with &#039;. To prevent this escaping, you can represent the string in an XPRESS s expression:
    <Property name='onClick'> <s>Uncheck(this.form, 'resourceAccounts.selectAll');</s> </Property>
    onChange
    Similar to command. The value can be an arbitrary JavaScript statement to run when the field is modified. Not all components support the onChange property. Use of this property is rare and requires detailed knowledge of the generated HTML. If you use this property, the page must typically contain a Javascript component that defines JavaScript functions you call from within
48. Set Password Expiration Date'/> </Display> </Field>
    The field defined below displays the password expiration date as found in the /etc/security/user file. It also displays any new date selected by the aix_account_expire field if the refresh or recalculate is performed after selecting a new date. Identity Manager looks to see if the aix_account_expire date field has been set (not null) from the DatePicker field. If this date field has been set, Identity Manager calls an invoke method to convert the date object into a string in the specified format, MMddHHmmyy. Otherwise, display the current date as set on the AIX OS: accounts[AIX].aix_expires.
    <Field name='accounts[AIX].aix_expires'>
      <Display class='Text'>
        <Property name='title' value='Current Password Expiration Date'/>
        <Property name='noNewRow' value='true'/>
        <Property name='readOnly' value='true'/>
        <Property name='size' value='10'/>
      </Display>
      <Expansion>
        <cond>
          <notnull> <ref>aix_account_expire</ref> </notnull>
          <invoke name='dateToString' class='com.waveset.util.Util'>
            <!-- First argument to dateToString method is a date object -->
            <ref>aix_account_expire</ref>
            <!-- Second argument is the format you want the converted date string in -->
            <s>MMddHHmmyy</s>
          </invok
49. Specifies the account ID of the Identity Manager user whose passwords are being unlocked.

    selectAll: Controls whether all passwords are unlocked.

    currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself.

    tobeCreatedResourceAccounts: Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be unlocked on accounts that have not yet been created.

    tobeDeletedResourceAccounts: Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted.

    All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts. Both resource account lists are indexed by resource name and will contain objects that describe the resources on which this user has accounts.

    Table 5-67 tobeDeletedResourceAccounts Attributes (Unlock View)

        Name            Editable      Data Type
        selected        Read/Write    Boolean
        name            Read/Write    String
        type            Read/Write    String
        accountid       Read/Write    String
        exists          Read/Write    Boolean
        locked          Read/Write    Boolean
        authenticator   Read/Write    Boolean

    selected: Identifies that this resource has been selected to be unlocked.

    name: Specifies the name of resource. This correspo
50. The following expression results in an integer (42):

        <mult>
          <i>7</i>
          <i>3</i>
          <i>2</i>
        </mult>

    sub Function

    Performs successive integer subtraction over the values of all arguments. Arguments that are not integers are coerced to integers.

    Example: The following expression results in an integer (42):

        <sub>
          <i>50</i>
          <i>6</i>
          <i>2</i>
        </sub>

    Logical Expressions

    Use the following functions to perform logical operations within expressions. Most logical functions return 1 and 0 to indicate true or false. The exceptions are cmp, ncmp, and, and or.

    and Function

    Takes any number of arguments and returns zero if any argument values are logically false. If all arguments are logically true, the function returns the value of the last argument. Zero (<i>0</i> or <s>0</s>) and <null/> are considered logically false.

    Example 1: The following expression returns zero:

        <and>
          <i>42</i>
          <s>cat</s>
          <i>null</i>
        </and>

    Example 2: The following expression returns cat:

        <and>
          <i>42</i>
          <s>cat</s>
        </and>

    cmp Function

    Compares two string values. You can use this function to sort a list of strings. The function returns:
    - negat
51. Transition: Defines the movement from one activity to the next.

    Split: Defines the movement from a single activity to more than one activity. Splits are further defined as:
      o OR Split: Tests each transition path. The first path with a value of TRUE is taken.
      o AND Split: Takes each transition path.

    Join: Defines the movement from multiple activities to a single activity. Join components are further defined as:
      o OR Join: Specifies that the first path to complete causes the next activity to begin.
      o AND Join: Specifies that the next activity cannot begin until all paths are complete.

    Subprocess: Defines a set of activities, actions, and transitions that can be called from other activities in the process.

    Figure 1-1 General Workflow Process and Components

    Default Workflow Processes

    Using the Identity Manager IDE, you can edit the default Identity Manager processes to follow a custom set of steps. The Identity Manager workflow capability includes a library of default workflow processes, which includes:
    - User workflows: Define the steps for tasks related to Identity Manager users, including creating, deleting, updating, enabling, disabling, and renaming users.
    - Identity Manager object workflows: Define the steps for all tasks related to Identity Manager objects, including resources, resource groups, organizations, and organizational units. For example, some workflows, such as the Manage Role
52. WorkflowServices op and the workflow context variable WF_ACTION_ERROR will be non null 84 Identity Manager 7 0 Workflows Forms and Views approveProvision Provision Workflow Service Records the approval of a user account Table 2 29 approveProvision Method Argument Name Required Valid Values Description op yes approve user waveset accountId yes or accountId options no Indicates the name of the Identity Manager user to approve Indicates the options to specify provisioning characteristics See the javadocs for com waveset provisio n ProvisioningOptions Return Values and Side Effects A WavesetResult object containing the result of the approval 85 86 auditNativeChangeToAccountAttributes Provision Workflow Service Reports native changes to one or more auditable attributes of a resource account Table 2 30 auditNativeChangeToAccountAttributes Method Arguments Name Required Valid Values Description op yes auditNativeChan geToAccountAtt ributes user waveset accountId or yes Indicates the name of the Identity accountld Manager user to audit resource yes Specifies the resource where native changes took place that are being audited prevAttributes no Map Identifies the map of name value pairs of the attributes before the change newAttributes no Map Identifies the map of name value pairs of the attributes after the change formattedChanges no Map Spec
53. a comma and a space, such as "lastname, firstname". The <s> tag designates a string.

        <Field name='global.firstname'>
          <Display class='Text'/>
        </Field>
        <Field name='global.lastname'>
          <Display class='Text'/>
        </Field>
        <Field name='global.fullname'>
          <Expansion>
            <concat>
              <ref>global.lastname</ref>
              <s>, </s>
              <ref>global.firstname</ref>
            </concat>
          </Expansion>
        </Field>

    Not all Field names represent path expressions for the view. Some fields are defined to represent containers of other fields and do not correspond to any one attribute of the view. In these cases, the Field name is used to identify the field so that it can be referenced by a FieldRef element. If the field does not need to be referenced, you do not need to specify the name. For example, a form button performs an action but does not contain a value or need to be referenced by another form. Therefore, it does not need a field name.

        <Field>
          <Display class='Button'>
            <Property name='label' value='Recalculate'/>
            <Property name='command' value='Recalculate'/>
          </Display>
        </Field>

    For more information on user views, see the section titled User View and Forms.

    Field Display Properties

    The Display element is common to all visible form fields. Display elem
54. a variable and initializes its value to the integer zero.

        <defvar name='counter'>
          <i>0</i>
        </defvar>

    defarg Function

    Defines an argument within a function defined with <defun>. Arguments are similar to variables, but they must be defined in the order in which arguments are passed to the function.

    Example:

        <defarg name='arg1'/>
        <defarg name='arg2'/>

    defun Function

    Defines a new function. The <defarg> function must be used to declare the arguments to a function. Use the <call> function to execute the function. Functions are typically defined within forms.

    Example:

        <defun name='add100'>
          <defarg name='input'/>
          <add>
            <ref>input</ref>
            <i>100</i>
          </add>
        </defun>

    call Function

    Calls a user-defined function. The arguments to call are assigned to arguments with <defarg> in the so-called function. The order of the call arguments must match the order of the <defarg>s. In previous releases, the call function could be used to call rules. Now, use the rule function for that purpose.

    Example: The following expression returns 142:

        <call name='add100'>
          <i>42</i>
        </call>

    rule Function

    Calls a rule. The arguments to rule are passed by name using the argument eleme
55. a workflow exists as a configuration object, typically of Type WFProcess. The single exception to this object definition is the Create User workflow, which is defined as a ProvisioningTask object. The taskType is always Workflow.

    NOTE: Identity Manager does not lock the repository while a workflow is executing. This is because workflows can run for days, and the repository cannot remain unlocked for that long. However, Identity Manager prevents you from launching another update workflow on the same user.

    Workflow Engine

    The workflow engine is a software service that provides the run-time execution for a workflow process. The functions provided by the workflow engine to support a workflow process include:
    - Interpreting the process definition
    - Creating process instances and managing their execution
    - Navigating between activities and creating work items for their processing

    Workflow Components

    Workflow processes represent the steps that must be followed to reach a desired goal. Processes define:
    - Workflow activities
    - Relationships between activities
    - Criteria needed to start, advance, and complete a process

    Each workflow process is defined by one or more of these components:

    Activity: Represents a single, logical step in the process.

    Action: Defines how an activity is accomplished. An action can be a simple expression evaluation or a call to a complex Java class
56. alphabetically noApplet Specifies whether the MultiSelect component will be implemented with an applet or with a pair of standard HTML select boxes The default is to use an applet which is better able to handle long lists of values See preceding note for information on using this option on systems running the Safari browser typeSelectThreshold Available only when the noApplet property is set to true Controls whether a type ahead select box appears under the allowedValue list When the number of entries in the left select box reaches the threshold defined by this property an additional text entry field appears under the select box As you type characters into this text field the select box will scroll to display the matching entry if one exists For example if you enter w the select box scrolls to the first entry that begins with w width Specifies the width of the selected box in pixels The default value is 150 height Specifies the width of the selected box in pixels The default value is 400 575 576 Example lt Field name accounts LDAP LDAPDept type string gt lt Display class MultiSelect action true gt lt Property name title value LDAP Department gt lt Display gt lt Constraints gt KOF lt List gt lt String gt Sales lt String gt lt String gt Marketing lt String gt lt String gt International Sales lt String gt lt List gt lt o gt lt Constrain
57. an Identity Manager user's capabilities.
    - Used to generate a list of work items and processes in the Identity Manager User Interface.
    - Used to specify the type of organization created and options for processing it.
    - Used to change an Identity Manager user's password and optionally propagate the password to resource accounts.
    - Used to launch tasks such as workflows or reports.
    - Used to request or cancel reconciliation operations.
    - Used to obtain the status of the last requested reconciliation operation.
    - Used to rename the Identity Manager and resource account identities.
    - Used to present and select the list of resources to be reprovisioned.
    - ResetUserPassword: Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts.
    - Resource: Used to manipulate resources.
    - ResourceObject: A family of views used to manipulate arbitrary objects supported by a resource, for example groups and mailing lists.
    - Role: Used to specify the types of Identity Manager roles created.
    - TaskSchedule: Used to create and modify TaskSchedule objects.
    - Unlock: Used to unlock accounts for those resources that support native account locking.
    - WorkItem: Used when writing a workflow approval form.
    - WorkItemList: Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time.

    Understanding the User View

    The User view is
58. are used to specify the characteristics of the component beyond those implied by the Component base class. For example, the Label component supports a font property, which can be used to specify the font used when rendering the label.

    Naming Conventions

    Properties always begin with a lowercase letter and use camel case to separate adjacent words. Access method names are formed by capitalizing the property name and prefixing either get or set. For example, the property named font is accessible from Java using the getFont and setFont methods. The data type for each property varies and is documented with the property; the terminology used to describe property value types is described in the following table.

    Data Types

    This table lists the data types allowed in component properties.

    Table 8-2 HTML Component Property Data Types

    null: Indicates that a property has no value.

    String: Represents the most common data type. String values are usually represented by an instance of the Java String class. Some components are values of any class. These are implicitly coerced to strings with the toString method. Unless otherwise specified, you can assume that all properties are of type string. Example: <String>Hello World</String>

    List of string: Indicates that the value is expected to be a list of one or more strings. In Java, this value is always implemented
59. as an instance of the List class. The elements of the list are then expected to be instances of the String class. Example:

        <List>
          <String>choice one</String>
          <String>choice two</String>
        </List>

    Base Component Class

    The Component class is the base class for all HTML components. It contains the properties that are common to most components. Not all Component properties are relevant in every subclass. For example, Component defines a property allowedValues that can contain a list of value constraints. This property is relevant only in subclasses that allow value editing, such as Select or MultiSelect. Further, Container classes almost never directly represent an editable value. Consequently, any properties related to the component value are irrelevant. Some properties are relevant only if the component is contained within a specific Container class.

    name: Specifies the internal name of a field. All editing components must have a name, which is typically unique among all components displayed on the page. name is a string that is usually a path to a view attribute. Container components do not require names, and any assigned names are ignored. When building components from Java, component names are defined by the application. When building components from XML forms, component names are derived from the names of Field elements in the form. Field names are, in turn, path expressions within the vie
60. as unqualified in waveset.resources. Even if a user is assigned only an account of non-default type, the resource will appear in waveset.resources.

    You can add new assignments made to either waveset.resource or waveset.resourceAssignments, with the lists automatically resynchronizing when the view is refreshed. This adds an assignment for an account of default type. You can add both qualified and unqualified resource names to waveset.resourceAssignments. This adds an account of the specified type, based on the qualifier.

    waveset.roles: Contains the names of the roles assigned to this user. An administrator can modify this attribute if he has sufficient privileges for the new roles. Since changing a role is a significant event, the original value of the role attribute is also stored in the original view, which can be used for later comparison.

    waveset.serverId: Use to set unique server names when your deployment includes multiple Identity Manager instances that point to one repository on a single physical server. See Identity Manager Installation for more information.

    accounts Attribute

    The accounts attribute contains a list of objects for each account linked to the Identity Manager user. Each account object contains the values of the account attributes retrieved from the resource. The name of each account object is typically the name of the associated resource. If more than on
61. associated with a user Account Link Library Fields related to account linking and multiple accounts per resource User Security Library Fields related to user security including capabilities form assignment and approval forwarding 243 244 User Form Library This library contains only fields that are related to the Resource Accounts views which include ChangeUserPassword Deprovision Disable Enable Password RenameUser ResetPassword ResetUserPassword ResourceAccounts The library primarily consists of tables that display information about the resource accounts associated with an Identity Manager user and allows them to be selected for various operations Sample Forms The following table lists the sample forms that are shipped with Identity Manager and their location All are located in the sample forms Table 3 22 Sample Forms User Form Name File Name Active Directory Active ActiveDirectoryActiveSyncForm xml Sync AD User Form ADUserForm xml Domino User Form DominoUserForm xml GroupWise User Form GroupWiseUserForm xml HP UX User Form HP UXUserForm xml LDAP Active Sync SkeletonDatabaseActiveSyncForm xml Linux User Form Linux UserForm xml Identity Manager 7 0 Workflows Forms and Views Table 3 22 Sample Forms User Form Name File Name Netegrity Siteminder Admin Netegrity Siteminder LDAP Netegrity Siteminder ExampleTable NDS User Form NT User Form Ope
62. can be integrated with workflow using XPRESS.

        <Activity name='Log Status'>
          <Action>
            <expression>
              <invoke name='logStatus' class='custom.OracleStatusLog'>
                <ref>accountId</ref>
                <ref>email</ref>
                <ref>status</ref>
              </invoke>
            </expression>
          </Action>
          <Transition to='Next'/>
        </Activity>

    In this example, the XPRESS invoke function is used to call a static method named logStatus, which is defined in the custom Java class custom.OracleStatusLog. Three arguments are passed to this method, the values of which are taken from workflow variables. In these types of cases, the primary computation is performed in the Java class, while XPRESS acts to integrate the class into the workflow.

    Testing Expressions

    Testing expressions involves two steps:
    1. Checking XML Syntax with the lh Command
    2. Tracing XPRESS Evaluation

    Checking Expression Syntax with lh Command

    To check the XML syntax of expressions without actually evaluating their logic:

    1. Confirm that you have $WSHOME/bin in your PATH environment variable. For information on changing environment variables to work with Identity Manager, see the section of Identity Manager Installation that describes using command line tools. If $WSHOME/bin is not in your path, then you must change to $WSHOME/bin before you
63. contain long lists of constant or static data. This syntax builds a static list once and reuses it on each reference:

        <defvar name='states'>
          <List>
            <String>Alabama</String>
          </List>
        </defvar>

    The former syntax is preferable to

        <list>
          <s>Alabama</s>
        </list>

    which builds a new list each time it is referenced.

    Defining Fields

    This section describes procedures you perform when customizing any form. These procedures include:
    - Defining field names
    - Defining field elements
    - Adding a visible field
    - Hiding a field. When you hide a field, the field (and any fields nested within it) is not displayed on the page, but its value is included in the form processing.
    - Disabling a field. When you disable a field, the field (and any fields nested within it) is not displayed in the page, and its value expressions are not evaluated. If the view already contains a value for the disabled field, the value will not be modified.
    - Setting a field value
    - Calling functions

    The following sections discuss in more detail the field characteristics you will set.

    Defining Field Names

    You use the field name to match the attribute defined on the resource to the text entry field that is displayed on the web page. When the resource is defined, the system sets up a schema map that maps resource account attributes to Identity Manager attributes. For example, your Active Directory res
64. currently being managed by Identity Manager, including the Identity Manager account itself.

    tobeCreatedResourceAccounts: Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created.

    tobeDeletedResourceAccounts: Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are scheduled for deletion.

    The three account list attributes (tobeDeletedResourceAccounts, tobeCreatedResourceAccounts, and currentResourceAccounts) contain the attributes described in the following table. These attributes describe the state of the account on each resource and allow you to individually select accounts.

    Table 5-56 tobeDeletedResourceAccounts Attributes (Reset User Password View)

        Attribute                Editable      Data Type   Required
        selected                 Read/Write    Boolean
        name                     Read          String
        type                     Read          String
        accountId                Read          String      only in currentResourceAccounts
        exists                   Read          Boolean     only in currentResourceAccounts
        disabled                 Read          Boolean     only in currentResourceAccounts
        passwordPolicy           Read          Object
        authenticator            Read          Boolean
        changePasswordLocation   Read          String

    selected: Set to true if this account is to have its password reset.

    name: Specifies the name of resource. This corresponds to the name of a Resource object in the Identity Manager repositor
65. currently executing task. This is similar to the DELETE option, but it also automatically terminates the task if it is running.

    Table 1-1 Standard Workflow Configuration Parameters

    ayncExec: When set to true, specifies that the workflow continues to run after the completion of the action until the next manual action, and displays the next work item to the user immediately. This setting supports wizard-style workflows. When set to false, the workflow continues execution in the background, and the user must go to a different page (typically the approvals page) when he needs to perform the next step in the workflow.

    visibility: String. Declares the visibility of this task definition. Default is run schedule. Other options include invisible, run task, and schedule task.

    progressInterval: Specifies the interval, in milliseconds, that Identity Manager should check for progress updates. The task can specify an interval at which the task will be updating its progress. Defaults to 5000 milliseconds (five seconds). Specifying a shorter interval will give you more current task status but increases the load on the server.

    About Manual Actions

    A manual action is part of the workflow process definition that defines a manual interaction. When the workflow engine processes a manual action, a WorkItem object is created in the repository. The work item must be marke
66. delegateApproversRule

    accounts[Lighthouse].delegateApproversSelected
    - If selectedUsers is the value of delegateApproversRule, lists the selected user names.
    - If delegatedApproversRule is the value of delegateApproversTo, identifies the selected rule.
    - If manager is the value of delegateApproversTo, this attribute has no value.

    accounts[Lighthouse].delegateApproversStartDate: Specifies the date on which to start approval delegation. By default, the selected start date's hours and minutes are 12:01 am of that day.

    accounts[Lighthouse].delegateApproversEndDate: Specifies the date to end approval delegation. By default, the selected end date's hours and minutes are 11:59 pm of that day.

    accounts[Lighthouse].properties: The value of this attribute is an object whose attribute names correspond to the properties defined by the user. User properties allow arbitrary custom data to be stored with the user in the Identity Manager repository. You can then use properties in forms and workflows. A property is similar in some ways to an Extended User Attribute, but properties are not limited to primitive data types such as strings or integers.

    Identity Manager defines the tasks system property, which is used by the Deferred Task Scanner to cause workflow tasks to be run at some date in the future. The value of the tasks property is a list of objects. The following table defines the attributes that belong to objects in the list. Ta
67. Contents (excerpt):
    - removeProperty Session Workflow Service
    - setProperty Session Workflow Service
    - unlockObject Session Workflow Service
    - unlockView Session Workflow Service
    - Provision Workflow Services
    - General Provision Workflow Services Call Structure
    - Supported Provision Workflow Services
    - approveProvision Provision Workflow Service
    - auditNativeChangeToAccountAttributes Provision Workflow Service
    - bulkReprovision Provision Workflow Service
    - authenticateUserCredentials Provision Workflow Service
    - changeResourceAccountPassword Provision Workflow Service
    - cleanupResult Provision Workflow Service
    - checkDeProvision Provision Workflow Service
    - createResourceObject Provision Workflow Service
    - deleteR
68. flag off so we do not attempt synchronization. Necessary because it sometimes is set to true by the view handler.

          </Comments>
          <Expansion>
            <s>false</s>
          </Expansion>
        </Field>
        <FieldLoop for='res'>
          <expression>
            <remove>
              <ref>password.targets</ref>
              <s>Lighthouse</s>
            </remove>
          </expression>
          <Comments>
            Also must force the individual selection flags to false and display a
            password prompt for each resource, since the view handler will default
            to true for new accounts.
          </Comments>
          <Field name='password.accounts[$(res)].selected'>
            <Expansion>
              <s>false</s>
            </Expansion>
          </Field>
        </FieldLoop>

    Step Three: Add Resource-Specific Password Fields to Attributes Page

    Write resource-specific password fields for each resource as follows:

        <Field name='accounts[resname].password'>

    Testing Your Customized Form

    You can gather information about edited forms before implementing them in your runtime environment through the following ways:
    - Check for errors with the expression statements within your form fields through the use of error logging.
    - Use the Form Editor to validate the syntax of individual expression statements. The Form Editor displays syntax error messages from the parser in a pop-up window. For information on using the Form Editor, see the online help that is associat
69. further defined in subsequent sections.

    Table 5-1 Top-Level Attributes (User View)

    waveset: Contains information stored in the Identity Manager repository (the WSUser object). This is sometimes referred to as the basic view.

    accounts: Contains the values of all resource account attributes fetched from resources. These are typically the values that are edited with forms.

    accountInfo: Contains read-only information about the resources and accounts associated with the user.

    display: Contains the read-only runtime state for the interface. It is used only during interactive editing of the user. display.session describes login and access information. display.subject identifies the account under which the user is logged in. display.eventType indicates whether the user view is servicing a create or an update operation.

    global: Contains attributes that are synchronized across all resource accounts.

    password: Contains attribute values that are specific to the user's password, password expiration, and target systems.

    When you design a form, the field names are typically paths into the user view objects (waveset, global, and account attributes), for example, global.firstname.

    Selecting the Appropriate Variable Namespaces

    The user view provides several namespaces for deriving account-related i
70. gt lt list gt lt dolist gt 262 Identity Manager 7 0 Workflows Forms and Views Example 2 List buildDns String names String delimeter String baseContext lt invoke name buildDns class com waveset ui FormUtil gt lt s gt North America Europe China lt s gt lt s gt lt s gt lt s gt ou marketing dc acme dc com lt s gt lt invoke gt This example returns lt list gt lt s gt CN North America ou marketing dc acme dc com lt s gt lt s gt CN Europe ou market ing dc acme dc com lt s gt lt s gt CN China ou marketing dc acme dc com lt s gt lt list gt Do not use XPRESS to provide this functionality 263 264 checkStringQualityPolicy Method checkStringQualityPolicy LighthouseContext s String policy Object value Map map List pwdhistory String owner Description Checks the value of a designated string against string policy Table 4 5 checkStringQualityPolicy Parameters Parameter Description LighthouseContext Specifies the current user s Lighthouse context policy Required Specifies the name of the policy that the string will be tested against value Required Identifies the string value to check map Optional Provides a map of the data that must not be contained in the string returnNul11 Optional If set to true the method return a null object upon success pwdhistory Optional Lists user s previous p
71. gt lt concat gt lt ref gt global firstname lt ref gt lt s gt lt s gt lt ref gt global lastname lt ref gt lt concat gt lt cond gt lt Expansion gt lt Field gt In the following example the lt FieldRef gt element identifies the name of the attribute you want to reference lt Field gt lt Disable gt lt isnull gt lt ref gt waveset id lt ref gt lt isnull gt lt Disable gt lt FieldRef name DynamicChangePasswordFields gt lt Field gt 174 Identity Manager 7 0 Workflows Forms and Views Editing a Form You can edit a form to change its display characteristics or add logical processing to select fields or components This section divides form related editing tasks into these two categories e Working with display elements This section discusses changing the display characteristics of basic page components when editing an Identity Manager form especially one that is visible to users These components include buttons radio buttons and checkboxes e Working with hidden components These components are the HTML elements you add to Identity Manager forms that are used for background processing or for adding logical processing to visible forms These elements include the lt Disable gt and lt Expansion gt components and the FormUtil methods The HTML components described in this task oriented section are listed in alphabetical order in HTML Display Components Workin
72. >apples</s>
            <s>oranges</s>
          </list>
          <s>oranges</s>
        </indexOf>

    insert Function

    Inserts a value into the list. Elements following the insertion index down are shifted to make room for the new element.
    - first argument: a list to which an element is inserted
    - second argument: integer specifying position in the list at which to insert the new element
    - third argument: value to insert into the list

    Example:

        <insert>
          <list>
            <s>apples</s>
            <s>oranges</s>
          </list>
          <i>1</i>
          <s>wiper blades</s>
        </insert>

    This expression returns the following list:

        <list>
          <s>apples</s>
          <s>wiper blades</s>
          <s>oranges</s>
        </list>

    length Function

    Returns the number of elements in the list. You can also use this function to return the length of a string.
    - first argument: list or string

    Example 1: The following expression returns 2:

        <length>
          <list>
            <s>apples</s>
            <s>oranges</s>
          </list>
        </length>

    Example 2:

        <length>
          <s>Hello world</s>
        </length>

    This expression returns a value of 11.

    remove Function

    Removes one or more elements from a list. The argument list takes one of tw
73. identifies the resource from which the object type is retrieved • null value indicates no map options • value of true tells the server to cache the results. <invoke name='listResourceObjects' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> <s>UnassignedTokens</s> <s>SecurID</s> <null/> <s>false</s> </invoke> Obtaining a List of Resource Objects with Map Options. To obtain a list of resource objects with map options, specify the resource object type, resource name, and a map option that defines the directory to start the search in. The resource must be directory-based. For example, you can get a list of all Active Directory groups in the Software Access directory by building a map option that performs the search in the directory path ou=Software Access,dc=mydomain,dc=com. Example: In the following example, the Group string identifies the resource object type that you want to get. Strings that identify resource object types are identified in the table titled Available Resource Object Types. The AD string identifies the resource name from which to retrieve the object type. Map options specify the directory from which to retrieve the list. A value of true tells the server to cache the results. A value of false tells the server not to cache the results. <invoke name='lis
74. in the workflow process. workItems requester: Identifies the display name of the user that made the request. workItems description: Provides a more detailed description of the work item. The value is computed by the WorkItemDescription expression of the manual action in the workflow process. The description is typically displayed in tables that summarize the work items for a user and is often displayed in a work item form. workItems selected: Individual item selection flag. An alternative to selectedWorkItems. selectedWorkItems: Lists the work item IDs that represent the items to be processed by the next action. An alternative to setting the selected attribute inside the work item object, which is easier for SortingTable components. If both this attribute and individual select flags are set, the value of this attribute takes precedence. forwardTo: Identifies the name of an Identity Manager user to which all selected work items will be forwarded when the action attribute is set to Forward. forwardToNow: Similar to forwardTo, but is also an action attribute. It copies its value to forwardTo, sets action to Forward, and processes the refresh as if forwardTo and action were set independently. Use this attribute if you want to have the form process the forwarding immediately after a user is selected from a form component. If you would rather have forwarding controlled with a button, then ha
75. is not specified, the refreshView workflow service has no effect. raiseView (required: no; valid values: true or false): Specifies that display.errors is promoted to Errors WF_ACTION_ERROR. When set to true, errors in the display.errors attribute of the view are automatically extracted and returned to the workflow engine as errors. The WF_ACTION_ERROR workflow variable is set. Return Values and Side Effects: If the refresh is successful, the refreshed view is placed in the variable view. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error. removeDeferredTask Session Workflow Service. Used to remove a deferred task from an Identity Manager object. Identity Manager will ensure that the administrator that launched the workflow is authorized to view the object. Table 2-24 removeDeferredTask Method Arguments. Name: type, name, task, taskDefinition, instanceName, date, organization, owner, description. Required / Valid Values: no (valid values are the list of types), yes, no, no, no, no (can be either a java.util.Date object or a string in the usual format), no, no, no. Description: Identifies the type of the object that the deferred task will be added to. If not supplied, the type is defaulted to user. Specifies the name of the object that the deferred task will be added to. Specifies the name of the TaskDefinition to run
76. item rejects. When one work item rejects, all other work items are canceled. Table 1-7 Default Auditor Workflows (Activity: Description). Launch Access Scan: Either launches or schedules an Access Scan Task, depending upon the setting provided by the Access Review task. It is directly called from the Access Review Workflow Task. Workflow Task, Table 1-8 (Activity: Description). Add Result: Adds a named data item to the task result. Add Result Error: Adds an error message to the task result. Add Result Message: Adds an informational message to the task result. Background Task: Forces the workflow into the background if it was launched from the Identity Manager Administrator interface. Get Resource Result: Retrieves the result object returned by a resource adapter on the last provisioning operation. Get Resource Result Item: Retrieves one result item from the result object returned by a resource adapter on the last provisioning operation. Rename Task: Renames the task instance in the repository. Set Result: Adds an entry to the task entrance result. This will appear in the workflow summary report. Set Result Limit: Sets the number of seconds the task instance should be retained in the repository when it finishes. A non-negative value indicates that the task instance will be kept for this many seconds after the task has completed. A negative va
77. lists in forms from information retrieved dynamically from an external resource. This section discusses the following tasks, which permit you to process data and optionally hide this processing in forms. Typical tasks include: • Including XPRESS Logic Using Derivation and Expansion elements • Calling Methods to Populate Lists (Building DN strings; Getting a list of object types for which the session owner has access; Getting a list of organizations; Getting a list of unassigned resources; Obtaining a list of resource object names) • Disabling components • Hiding components. Including XPRESS Logic Using the Derivation and Expansion Elements. Typically, a field will have either a Derivation rule or an Expansion rule. If a field includes both types of rules, make sure that these fields do not conflict with each other. You implement the <Expansion> and <Derivation> components to use XPRESS to calculate values for form fields. These expressions are similar, differing only in the time at which the expression is evaluated. Derivation rules are typically used to set the value of the field when the form is loaded. Expansion rules are used to set the value of the field whenever the page is recalculated or the form is saved. Table 3-15 Derivation and Expansion Expressions (Component, Description, Evaluation). <Derivation>: Unconditiona
78. <ref>waveset.roles</ref> <s>currentResourceGroups</s> <ref>waveset.applications</ref> <s>current</s> <ref>waveset.original.resources</ref> <s>scopingOrg</s> <ref>waveset.organization</ref> </map> </invoke> </Property> </Display> </Field> current: Specifies a list of names to be merged with those returned. For example, this is typically the list of selected names in a MultiSelect field, to ensure that all selected names are in the MultiSelect's list of available names. conditions: This value can be specified in three ways. Table 4-33 Values of conditions Attribute (Value Format: Description). Map (map): The <MapEntry> key is the name of a queryable attribute by this type of object, and the second is the value an object of this type must have for the associated queryable attribute in order to be returned; the operator is assumed to be equals. If more than one attrname/value pairs are specified, they will be logically and-ed together. Example: <Map> <MapEntry key='memberObjectGroups' value='Top'/> </Map> The first entry is the name of a queryable attribute supported by this type of object. The second entry is the value an object of this type must have for the associated queryable attribut
79. objects that contain strings. See the section titled Data Types for more information on component value types. Most container classes do not have values. If you assign a value, it is ignored. Some containers do allow values, for example TabPanel and WizardPanel. When building components from XML forms, the value is usually derived by using the component name as a path into the underlying view object, which contains all the values being edited. Example: <Property name='value' value='false'/> allowedValues: Specifies an optional list of allowed values for the component. If specified, the component allows you to select from only values that are on the list. If the component supports value restrictions, the list of allowed values is stored here. The value is always a list and usually contains strings. For convenience when setting properties from XML forms, you can also specify the allowed values as a comma list. Example: <Property name='allowedValues' value='Mon, Tue, Wed, Thurs, Fri'/> <Property name='allowedValues'> <expression> <call name='DaysoftheWeek'/> </expression> </Property> primaryKey: This property is recognized only by the SortingTable container. The SortingTable container organizes components into a table, with each column expected to contain components of the same class. SortingTable allows the rows to be sorted according to the values in any colum
80. of resource accounts is determined. workflow: Contains information about user-supplied extensions to the reconciliation process. Table 5-43 ReconcilePolicy View Attributes (Attribute: Description). response: Contains information about how reconciliation should respond to discovered situations. resource: Contains information about how reconciliation interacts with the resource. scheduling. Table 5-44 scheduling Attributes, ReconcilePolicy View (Attribute, Editable, Data Type): reconcileServer, Read/Write, String; reconcileModes, Read/Write, String; fullSchedule, Read/Write, Schedule; incrementalSchedule, Read/Write, Schedule; nextFull, Read, Date; nextIncremental, Read, Date. reconcileServer: Specifies the reconciliation server that should be used to perform scheduled reconciliations. reconcileModes: Specifies the reconciliation modes that are enabled. Valid values are BOTH, FULL, NONE. fullSchedule: Identifies the schedule for full reconciles when enabled. incrementalSchedule: Identifies the schedule for incremental reconciles when enabled. nextFull: Containing the time of the next incremental reconcile, if enabled. nextIncremental: Specifies the repetition count for the schedule. Schedule values are GenericObjects with the following attributes: • count: Specifies the repetition count for the schedule • units: Specifies the repetition unit for the sche
81. overridden on a per-account basis in the view. Resource attribute overrides are stored in the attribute object under an attribute named resourceAttributes. If, for example, the resource defined an attribute named host, this could be specified in the view with the path accounts[Exchange Server].resourceAttributes.host. NOTE: Although overriding resource attributes is not recommended, sometimes you cannot avoid it. You might choose to overwrite a resource to avoid creating duplicate resources that point to the same physical resource but differ by one attribute. For example, in a customer environment that has multiple Exchange 5.5 servers, it may make more sense to override the resource attribute Exchange Server in the form than to create a new resource. Contact your Identity Manager support representative for more information. accounts[Lighthouse]: Sets the values of only the attributes stored in the Identity Manager repository. When a view is created, it contains a copy of the attributes in the waveset.attributes attribute set. When the view is saved, the system compares the contents of accounts[Lighthouse] with waveset.attributes to generate and update reports and audit log entries. Although this attribute is stored in the Identity Manager repository, changes to this attribute are not automatically propagated to resources. The Extended User Attributes Configuration object defines the attributes that are allowed in this view. The
82. pad> <s>email</s> <i>10</i> </pad> rtrim Function. Takes a single argument, which is coerced to a string. It returns a copy of the argument with the trailing white space removed. Example: This example returns 0 (zero). <cmp> <s>hello</s> <rtrim> <s>hello </s> </rtrim> </cmp> split Function. Splits a string into a list of strings. First argument: string to be split. Second argument: a set of one or more string delimiters. Each character in this string will cause a break. A list is created that contains each substring between delimiters. Example 1: <split> <s>Austin City Limits</s> <s> </s> </split> This expression returns the following list: <list> <s>Austin</s> <s>City</s> <s>Limits</s> </list> Example 2: The following expression uses multiple delimiters. <split> <s>512 338 1818</s> <s> </s> </split> This expression returns the following list: <list> <s>512</s> <s>338</s> <s>1818</s> </list> substr Function. Extracts ranges of characters from a string. This function takes two forms: • start and length are specified as argument
83. provides the current set of edited values. The server may insert more values into the view by reading data from the repository or the resources. Derivation expressions are evaluated. Typically, derivation expressions are not evaluated when a view is refreshed. In some complex cases, the system can request derivations after the refresh. The system processes the refreshed view and form and builds another HTML page, which is returned to the browser. The user sees the effects of the refresh and continues editing. The user can cause the view to be refreshed any number of times, repeating steps 7 through 12 each time, until the user either saves or cancels the changes. A. If the edit is canceled, all the data accumulated in the view is discarded and the server is informed. As a result, the server can release any repository locks, and control passes to a different page. B. If the edit is saved, the interface receives the values that have been modified and assimilates them into the view (see step 8). Validation expressions are evaluated. If field values do not meet required specifications, then an error is presented and the field values can be corrected. Once the changes have been made, the process returns to step 13. 16. Expansion expressions are evaluated one last time (see step 9). 17. If the server saves the view, this typically results in the modification of one or more objects in the repository. With user views
84. resource accounts may also be updated. Several of the preceding steps require iteration over all the fields in the form. These include the evaluation of Derivation expressions, the evaluation of Default and Validation expressions, the generation of HTML, and the evaluation of Expansion expressions. During all field iterations, Disable expressions are evaluated to determine if this field should be processed. If a Disable expression evaluates to true, the field (and any nested fields it contains) is ignored. See Defining Field Names in this chapter for more information on these special types of expressions. Customizing Forms. After familiarizing yourself with the default operation of the Identity Manager product, you can identify pages you'd like to customize. 1. Consult the section titled Edited Forms for a list of editable pages and their corresponding forms. 2. To edit a form, launch the Identity Manager IDE and select Open Repository Object. Select the form you want to edit from the popup dialog that is displayed. This section covers the following topics: • Overview of Customization • Additional Customization-Related Topics (Form Structure; What is a Form Field; Guidelines for Structuring a Form; Defining Field Display; Optimizing Expressions in Form Fields; Disabling Automatic Linking of New Resources and Users; Preventing an Attribute from being Displayed in Clear Text on Results Pages; Adding Guidance Help to a Form) 12
85. Contents (excerpt): Object Manipulation Expressions; Java and JavaScript Expressions; Debugging and Testing Expressions. Chapter 7 XML Object Language: Topics in this Chapter; Related Chapters; Understanding XML Object Language; XML Object Language and Corresponding XPRESS; Using XML Objects in XPRESS; When to Use XML Object Language Instead of XPRESS; Representing Lists in XML Object Language and XPRESS. Chapter 8 HTML Display Components: Topics in this Chapter; HTML Display Components
86. see FormUtil Methods. <invoke class='com.waveset.ui.FormUtil' name='listResourceObjects'> </invoke> where the name field identifies the name of the method. For examples on using these methods within forms, see the section titled Using Hidden Components. Inserting JavaScript into a Form. To insert pre-formatted JavaScript into a form, use the <JavaScript> component, especially when using the onClick or onChange properties in components and want to call custom JavaScript functions. The component has an extended property named script that can contain the JavaScript text. Alternatively, you can include JavaScript by setting the source property. This should be a string that contains a URL fragment relative to the base context. It is the JavaScript contained in the indicated file to be loaded by the browser. Testing if an Object or User Exists. You might want to check whether an object exists before performing an action. For example, you could look to see if a user name exists in Identity Manager before creating a new user, or validate whether a manager name entered in a field is valid. To test if an object exists, use the testObject method. To specify an object type when using this method, use the object types listed in the section titled Retrieving a List of Accessible Object Types on page 222. In the following example, the user type is identified as <s>User</s>. The second string gives the value of
87. set separately from other resources. Default Password Policy Display. By default, Identity Manager displays password policy information on the Accounts > Identity tab, as shown below. To move the password fields from their default position on the Identity area to the Attribute area, you must disable the default Identity Manager password synchronization mechanism by following these three steps: 1. Set the manualPasswordSynchronization checkout property. 2. Add Field and FieldLoop components to the Tabbed User form. 3. Add resource-specific password fields to the Tabbed User form. These steps are described in more detail below. Step One: Set the manualPasswordSynchronization Checkout Property. Specify the manualPasswordSynchronization view check-out option by adding the following property to the form: <Form> <Properties> <Property name='manualPasswordSynchronization' value='true'/> </Properties> </Form> When manualPasswordSynchronization is set to true, Identity Manager displays per-resource password fields rather than using the password synchronizer. Step Two: Turn Off Password Synchronization. You can disable password synchronization by turning off the selectAll flag under the Password view. To do this, add the following fields to the default forms: <Field name='password.selectAll'> <Comments>Force the selectAll
88. specify at least the name and optionally the other attributes, unless the defaults are sufficient. See sample findObjectsDefaults.xml for example formats for specification of allowed attributes. You can specify the list of allowedAttrs as either a list of strings, a list of objects, or a combination of both. attrsToGet: Lists the summary attribute names of the specified object types (objectType) to be returned with each object that match the specified attribute query conditions. You can obtain the object type's set of supported summary attributes by calling the object type's listSummaryAttributeAttrs method. This method is exposed by each class that extends PersistentObject. If not overridden by the objectType class, it inherits the PersistentObject implementation that returns the default set of summary attributes that are supported by all PersistentObjects. You can override the default by specifying the list of resultColumnNames in either the default section or the objectType-specific section of the sample findObjectsDefaults.xml configuration file. attrConditions: Lists the attribute conditions that are used to find objects of the specified object type (objectType) that match the specified attribute conditions (attrConditions). Each attribute condition in the list should be specified as follows: selectedAttr: Identifies one of the attribute names from the list of allowed
89. string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem. value: Specifies the alert message to display. This value can either be a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem. linkURL: Specifies an optional URL to display at the bottom of the alert. This property is valid for InlineAlert or InlineAlert$AlertItem. linkText: Specifies the text for the linkURL. This can be either a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem. linkTitle: Specifies the title for the linkURL. This can be either a string or a message object. This property is valid for InlineAlert or InlineAlert$AlertItem. Example of Single Alert Message: <Field> <Display class='InlineAlert'> <Property name='alertType' value='warning'/> <Property name='header' value='Data not Saved'/> <Property name='value' value='The data entered is not yet saved. Please click Save to save the information.'/> </Display> </Field> Example of Multiple Alert Messages: Define alertType only within the InlineAlert property. You can define other properties in the InlineAlert$AlertItems. <Field> <Display class='InlineAlert'> <Property name='alertType' value='error'/> </Display> <Field> <Display class='InlineAlert$AlertItem'
90. task is being executed in the background. Checkin View Results. The following named result items can be found in the WavesetResult object that is returned by the checkinView method. Table 5-39 Checkin View Results (Result: Description). taskId: Identifies the repository ID of the TaskInstance. taskState: Identifies the current state of the TaskInstance. It will be one of ready, executing, suspended, or finished. extendedResults: When set to true, indicates that the TaskInstance will have extended results. Reconcile View. Used to request or cancel reconciliation operations on a resource. This view is used to perform on-demand reconciliation as part of a workflow. It can also be used when implementing a custom scheduler for reconciliation. This view is write-only; get and checkout operations are not supported. request: Specifies the operation to perform. You must specify one of the following valid operations. Table 5-40 Valid Operations for request Attribute, Reconcile View (Operation: Description). FULL: Starts a full reconciliation of the resource. INCREMENTAL: Starts an incremental reconciliation of the resource. ACCOUNT: Starts a reconciliation of the account. CANCEL: Cancels the currently active resource reconciliation process. accountId: Identifies the account to reconcile. This string is ignored if the request is not ACCOUNT. Examples: • To request a reconciliation of a single account on a re
91. text to specify fonts or insert line breaks. When presenting help text this way, it is usually more convenient to wrap the text in what XML calls a CDATA marked section; for example, see the Passwords item of the preceding example. The text is not part of the help text. Instead, they are special XML declarations that cause the parser to treat the content as unparsed character data. This means that elements such as <b> found within the marked section are not to be interpreted as XML elements, but as literal text. If you do not use a CDATA marked section, you must escape every use of the less-than character in the help text by substituting the string &lt; as indicated by the following example: &lt;b>Passwords&lt;/b>&lt;br>Enter and confirm a new password. Overriding Guidance Help. You can use a custom message catalog to override the guidance text that displays in a pop-up window. If you name your custom message catalog defaultCustomCatalog, Identity Manager recognizes and uses it automatically. Alternatively, you can choose a different name and then specify that name in the System Configuration object under the customMessageCatalog name. For example: <Attribute name='customMessageCatalog' value='sampleCustomCatalog'/> The following sample custom catalog displays Waveset Lighthouse 4.1 SP2 as the flyover text for the Help tab. 227
92. that are assigned to the user. If you are designing a form, you can call this attribute to display a list of resources that are assigned from the role, applications, and that are directly assigned to a user. accountInfo.typeNames: A list of unique type names for every assigned resource. This is used in Disable expressions in forms where you want to disable fields unless a resource of a particular type is selected. <Field name='HomeDirectory' prompt='Home Directory'> <Display class='Text'/> <Disable> <not> <contains> <ref>accountInfo.typeNames</ref> <s>Solaris</s> </contains> </not> </Disable> </Field> This returns the same information as the path accountInfo.types[*].name, but is more efficient, which is important when used with Disable expressions. This list can include common resource types. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator Interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed. accountInfo.types: This attribute contains information about each type of resource that is currently assigned. The value of the attribute is a List of objects. The following table shows the attributes that belon
93. that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier. Using Deferred Attributes. There are two main steps to defining a deferred attribute: 1. Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that contains both resources and assigning the Resource Group to the user. 2. Set the special attributes in the User view for the accounts that are to be created, as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account and one that identifies the source attribute. Set these using paths of the following form: accounts[<resource>].deferredAttributes.<attname>.resource and accounts[<resource>].deferredAttributes.<attname>.attribute, where <resource> would be replaced with an actual resource name and <attname> replaced with an actual attribute name. For example, assume a scenario in which the following two resources are created: 1. a resource named LDAP that generates a uid attribute when an account is created; 2. a resource named HR which contains a directoryid attribute named directoryid whose value is to be the same as uid in the
94. the value of this checkbox is changed, the sync'ed checkbox's value is set to the same value. syncUncheck: Set to the name of another checkbox field that should stay in sync when the value of the checkbox field on which this property is set is changed to false. If this is set, whenever the value of this checkbox is changed to false, the synchronized checkbox's value will also be set to false (unselected). syncCheckAllTo: Indicates that all Select All checkboxes matching the regular expression will be kept in sync with the value of the checkbox field on which this property is set when its value is changed to false. The value of this property is a regular expression that represents one or more of the Select All checkboxes. syncUncheckAll: Set to the name of another checkbox field that should stay in sync when the value of the checkbox field on which this property is set is changed to false. If this is set, whenever the value of this checkbox is changed to false, the synchronized checkbox's value will also be set to false (unselected). syncCheckTo: Indicates that all checkboxes matching the regular expression will be kept in sync with the value of the checkbox field on which this property is set. Whenever the value of the checkbox field on which this property is set is changed, the sync'ed checkbox's value will be set to the same value. The value of the property is a regular expression. • value: Determi
95. the object type, in this example jdoe. Example: <invoke name='testObject' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> <s>User</s> <s>jdoe</s> </invoke> The testObject method returns true on successful find of an object. Otherwise, this method returns null. To test if a user exists, use the testUser method. The <s> element identifies the name of the user object to find. Example: <invoke name='testUser' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> <s>jdoe</s> </invoke> This method returns true on successful find. Otherwise, this method returns null. Wizard and Tabbed Forms. Both wizard and tabbed forms are mechanisms for structuring unwieldy single-page forms into more easily managed, multiple-paned forms. Both contain separators between logical sections, or pages. These page separators can be tabs located at the top of the form, like the tabbed user form, or a wizard form, which guide the user through the pages using the next/back navigation buttons. See Tabbed User Form in this chapter for the XML version of the default Tabbed User Form. What Is a Wizard Form? Wizard forms can be a convenient alternative to launching multiple forms from a task when: • Transition logic between pages is simple • Privileged system calls between pages are required. Wizard forms contain the two row
96. the onChange value. nowrap, align, width, valign, and colspan: Most containers position subcomponents by surrounding them with an HTML table tag. The HTML generated for each component, then, is typically contained in a td tag. Some containers can recognize the nowrap, align, width, and colspan properties and use them when generating the surrounding table cell tag. You can use these components to adjust the position and size of the component within the container. • nowrap: Specifies how some components are displayed if they contain a long string of text. If the value of nowrap is false or unspecified, the browser can break up the component text into multiple lines when it is displayed. If the value of noWrap is true, the browser will try to keep the component text on a single line. • align: (Rarely used) Adjusts the element horizontally on the form. Allowed values are left, right, and center. • valign: (Rarely used) Specifies where components are rendered vertically. Allowed values are top, bottom, and middle. • colspan: Deprecated. Example: <Property name='width' value='3'/> <Field name='Start Day' prompt='Day' nowrap='true'/> htmlFormName: Allows you to set the name attribute of the HTML <FORM> tag in which the component will be rendered. This ensures that JavaScript functions used by the component reference the desired HTML form. Because the default value is mainform, this property is useful only if the compon
97. the page processor. In most cases, these are defined by a view that is used with the XML form. Form designers must be aware of the view with which the form will be used and only reference attributes defined by that view. Disable Element: Calculates a Boolean value. If true, the field and all its nested fields will be ignored during current form processing. Example: This example illustrates a field definition that uses an expression within the <Disable> element to control the visibility of the field. accountInfo.typeNames is used to find the type of all resources that a user is assigned to. The type returned is a list of all the user's resource types (for example, Windows NT). If the list of returned type names contains Solaris, then this field is displayed on the screen. Otherwise, this field is disabled. <Field name='HomeDirectory' prompt='Home Directory'> <Display class='Text'/> <Disable> <not> <contains> <ref>accountInfo.typeNames</ref> <s>Solaris</s> </contains> </not> </Disable> </Field> Default Element: Calculates a value to be used as the value of this field, but only if the field does not already have a non-null value. Default is essentially the same as Derivation, except that the value applies only if the current value is non-null. Default expressions are calculated when: • the form is first loaded • data is retri
98. those allowed by the user's Lighthouse Account policy. Argument: lock (Boolean). Indicates whether the user is locked; true indicates locked. Return Values and Side Effects: This method returns null if it is a lock request. If it is an unlock request, this method returns a WavesetResult that contains the unlock results. notify (Provision Workflow Service): Sends a notification, which is almost always an email. Table 2-43 notify Method Arguments (Name / Required / Valid Values / Description): op / yes / notify; type / yes / (blank) / Indicates the type of notification. If not entered, email type will be used; various other arguments / no, but should be supplied / Map of name/value pairs / Identifies the arguments passed to the notifier. Return Values and Side Effects: A WavesetResult object containing the result of the notify. provision (Provision Workflow Service): Creates a new Identity Manager account and, optionally, resource accounts. Table 2-44 provision Method Arguments (Name / Required / Valid Values / Description): op / yes / Provision; user / yes / GenericObject / Specifies the GenericObject that contains the view that is to be provisioned; various provisioning options / no / (blank) / Identifies the options to specify provisioning characteristics. See the javadocs for com.waveset.provision.ProvisioningOptions. Return Values and Side Effects: A WavesetResult object containing the result of the prov
99. true. (Boolean) • horizontalPad: Specifies the number of pixels to use for the cell padding attribute of the table surrounding horizontal components. • verticalPad: Specifies the number of blank lines added between components. (Boolean) The default orientation is vertical, but can be set to horizontal. Selector: Provides a single- or multi-valued field (similar to Text or ListEditor components, respectively) with search fields below. After a search is executed, Identity Manager displays results beneath the search fields and populates the results into the value field. Unlike other container components, Selector has a value: the field we are populating with search results. The contained fields are typically search criteria fields. Selector implements a property to display the contents of the search results. Properties include: • fixedWidth: Specifies whether the component should have a fixed width (same behavior as Multiselect). (Boolean) • multivalued: Indicates whether the value is a List or a String. (The value of this property determines whether a ListEditor or Text field is rendered for the value.) (Boolean) • allowTextEntry: Indicates whether values must be selected from the supplied list or can be entered manually. (Boolean) • valueTitle: Specifies the label to use on the value component. (String) • pickListTitle: Specifies the label to use on the picklist component. (String) • pickValue
100. updated. <AccountAttributeType name='lastname' mapName='sn' mapType='string'> <Views> <String>Rename</String> </Views> </AccountAttributeType> In the view, attributes you want to modify are placed within this object: resourceAccounts.currentResourceAccounts[ResourceTypeName].attributes <Field name='resourceAccounts.currentResourceAccounts[OS400ResourceName].attributes.delete before action' hidden='true'> <Expansion> <s>os400BeforeDeleteAction</s> </Expansion> </Field> Chapter 6, XPRESS Language: This chapter introduces the basic features of XPRESS, an XML-based expression and scripting language. Statements written in this language, called expressions, are used throughout Identity Manager to add data transformation capabilities to forms and to incorporate state transition logic within objects such as workflow and forms. Topics in this Chapter: Read this chapter to understand these basic topics: • Essential features of the XPRESS language, including its use of prefix notation and XML syntax • Examples of typical expressions within Identity Manager • Library of functions that ships with Identity Manager • Possible data types that functio
101. variable with that name. The argument to the set function will become the new value for the variable. If the name attribute is not specified, the behavior is defined by the type of the first argument. If the type of the first argument is a string, the string is assumed to be the name of a variable, and the variable value is changed to the value of the second set argument. This can be used to compute the name of the variable that is to be modified. If the first argument is a list, the second argument is expected to be an integer list index, and the third argument is a value to be placed in the list. If the list size is greater than the index, the current list element at that index is replaced. If the index is greater than or equal to the list size, the list is extended and the new value is added. If the first argument is a Map, the second argument is expected to be a map key, and the third argument is a map value. An entry is placed in the map with that key and value. Example: In the following example, the variable var_name is set to the first argument: <set name='var_name'> <s>new value</s> </set> Object Manipulation Expressions: Use the following functions to manipulate arbitrary object values within expressions. get Function: Accesses attributes of an object or to extract an element from a list. first argument: an object; second argument: name of accessor function to call on object fo
102. waveset.session.WorkflowServices op=disableUser • Set com.waveset.session.WorkflowServices op=checkoutView with arguments type=DisableViewer, id=<user account id>. The second and third option are essentially the same. The second option checks out and checks in the Disable view. This is the equivalent of disabling a user from the Identity Manager interface. It launches the Disable User workflow as a side effect. Use the provision WorkflowServices method if you are implementing a customized Disable User process. Use one of the other approaches if you are implementing some other process and want to use the standard Disable User process to accomplish the disable. NOTE: By default, Identity Manager disables the accounts. To not disable an account, add the following argument to the disableUser workflow: <Argument name='doWaveset' value='false'/> Table 2-11 disableUser Method Arguments (Name / Required / Valid Values / Description): op / yes / disableUser. Specifies the ID of the view to be created. If this argument is not specified, both the type and ID must be specified. Type and ID can be easier to use from workflows. doWaveset / no / true, false / Identifies a list of resources to disable. To not disable an account, set the value of this argument to false. <Argu
103. with a view attribute. You associate a field with a view attribute by specifying the name of the view attribute as the name of the form field. For more information, see Defining Field Names. For more information about the user view, including a reference for all attributes in the user view, see Identity Manager Views. Undefined Attributes: When a resource or role is assigned to a user through the administrative interface, a refresh occurs. The new resource account attributes are then defined in the User view. <FormRef name='Missing Fields'/> in the Tabbed User Form indicates to the form generator that text fields should be generated for any resource account attributes that do not have a corresponding field explicitly defined in the form. To disable this feature in the Tabbed User Form, delete <FormRef name='Missing Fields'/>. Form Evaluation: How the system processes a form helps determine the behavior of the form in the browser. All form-driven pages are processed similarly, as described below. 1. A page is requested from the Identity Manager User or Administrator Interface. 2. The interface requests a view from the server. A view is a collection of named values that can be edited. Each view is associated with a form that defines how the values in the view are displayed to the user. 3. The server assembles a view by reading data from one or more objects in the repository. In the case of the user view, account attributes are als
104. with the titles. Multiple components can be concatenated on a single row. Most edited properties include title, subTitle, and adjacentTitleWidth. <Form name='Default User Form' help='account/modify-help.xml'> <Display class='EditForm'> <Property name='titleWidth' value='120'/> <Property name='adjacentTitleWidth' value='60'/> </Display> Additional EditForm properties include: • adjacentTitleWidth: Specifies the width of the titles of adjacent fields. If this property is not defined, it defaults to zero. If you define adjacentTitleWidth as equal to zero, columns titles will automatically resize. If set to a non-zero value, then the title width of adjacent columns (for example, the second and third columns) will be the value of adjacentTitleWidth. • componentTableWidth: Specifies the width (in pixels) of the EditForm. If not specified, this defaults to either 400 pixels or the value of the defaultComponentTableWidth global property for EditForm. • noAlternatingRowColors: Specifies whether rows in the EditForm are rendered in the same color. When noAlternatingRowColors is set to true, every row in the EditForm is rendered the same color. If not specified, this defaults to false. Panel: Defines the most basic container. Panel renders its children in a simple linear list. Properties include: • horizontal: Aligns components horizontally when set to
105. getObject Method: getObject(LighthouseContext s, String typeName, String id) throws WavesetException. Description: Retrieves an object from the repository subject to authorization. Table 4-7 getObject Parameters (Parameter / Description): s / Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>; typeName / Specifies object type. Common object types are User, ObjectGroup, Resource. For a complete list of types, see the Types option list on the Debug page; id / Specifies ID or name of the object you are looking for. For a User object, the account Id would be indicated here. getObjectNames Method: getObjectNames(LighthouseContext s, String typeName) throws WavesetException, or getObjectNames(LighthouseContext s, String typeName, Map options) throws WavesetException. Description: Returns a list of the names of objects of a given type to which the session owner (or currently logged-in user) has access. Additional parameters can be specified in the options map to control the list of names returned. This method is the preferred way for returning a list of names of objects rather than attempting session.getObjects. This method first goes to the ObjectCache, then to the repository if necessary, for searches. Table 4-8 getObjectNames Parameters (Parameter / Description): s / Iden
107. Overview of Customization: You can customize a form to make it more user-friendly, change its display characteristics, or include logic for processing field data. Basic Steps: The basic steps for customizing any form in the Identity Manager system include: • Selecting a form to customize. Describes how to identify which form to customize. • Editing and saving the form. Presents basic information about modifying the default end-user and administrator forms shipped with the product. • Testing your changes. Suggests guidelines for testing your changes before loading them into your production environment and turning on error logging. Typical Tasks: When you edit a form, you typically perform the following tasks: • Add and remove fields in the form. Typical tasks include removing some default fields or adding additional fields that have been customized for your environment. • Define how a field is displayed within a form. This requires using a library of HTML components shipped with Identity Manager. For information on editing a field's display characteristics, see the section titled Field Display Properties. • Set the logical expressions that define the field's value. To do this, you must create logical expressions using the XPRESS language. For information on working with XPRESS, see XPRESS Language. Table 3-2 Form Elements (Property / Description): Title / Specifies the text that displays adjacent to the form field; Class / Ident
108. ALL_INTERFACES • UI_LOGIN_CONFIG_DISPLAY_NAME_ADMIN_INTERFACE • UI_LOGIN_CONFIG_DISPLAY_NAME_CLI_INTERFACE • UI_LOGIN_CONFIG_DISPLAY_NAME_DEFAULT_USER_INTERFACE • UI_LOGIN_CONFIG_DISPLAY_NAME_IVR_INTERFACE • UI_LOGIN_CONFIG_DISPLAY_NAME_QUESTION_INTERFACE • UI_LOGIN_CONFIG_DISPLAY_NAME_USER_INTERFACE. questionPolicy: Specifies the policy that this question is associated with, for example, All, Random, Any, or RoundRobin. questionCount: Set only if the questionPolicy attribute is set to Any or Random. Change User Capabilities View: Used to change an Identity Manager user's capabilities. Table 5-22 Change User Capabilities View Attributes (Attribute / Editable / Data Type / Required): adminRoles, data type List [String]; capabilities, data type List [String]; controlledOrganizations, data type List [String]. adminRoles: Lists the Admin roles that are assigned to the user. capabilities: Lists capabilities assigned to this user. controlledOrganizations: Lists the organizations that this user controls with the assigned capabilities. Delegate Approvers View: Use this view to assign one or more Identity Manager users as delegate approvers to an existing approver. This enables an approver to delegate his approval capabilities for a specified period of time to users who may not be approvers themselves. Top level attr
109. Default User Form: 1. From the menu bar, select Configure > Configure Form and Process Mappings. 2. In the Form Mappings section, locate userForm under the Form Type column. 3. Specify Dynamic Tabbed User Form in the box provided under the Form Name Mapped To column. Assign Scalable User Form per Administrator: 1. From the menu bar, select Accounts > Edit User. 2. Select a user in one of these two ways: ◦ Click on user name, then click Edit, or ◦ Right-click on the user name to display a pop-up menu, then select the Edit menu option. 3. After the Default Edit User Form appears, click on the Security tab. 4. Find the User Form field and select Dynamic Tabbed User Form. 5. Click Save to save the settings. Resource Table User Form: The Resource Table User Form contains most of the driving logic of the scalable version of the Edit User form. This form implements incremental fetching and multiple resource editing based on resource type. For additional implementation information, see the comments in WSHOME/samples/resourcetableformsinit.xml. Importing and Mapping the Form: Five forms are involved in the substitution of Resource Table User form for the default Tabbed User form. Table 3-21 Forms Associated with Resource Table User Form (Form / Description): Resource Table User Form; Resource Table User Form Library; Resource Table Account Info Form; Resourc
110. Disable View (Name / Editable / Type / Required): id / Read / String; selectAll / Read / Boolean; currentResourcesAccount / Read / String; fetchAccounts / Read/Write / Boolean; fetchAccountResources / Read/Write / List. id: Identifies the Identity Manager ID of the user. selectAll: When set, causes all resource accounts to be disabled, including the Identity Manager account. currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled. Table 5-27 resourceAccounts.currentResourceAccounts Attributes, Disable View (Name / Editable / Type): name / Read / String; type / Read / String; accountId / Read / String; exists / Read / Boolean; disabled / Read / Boolean; selected / Read/Write / Boolean. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources. See Setting View Options in Forms in this chapter for more information. Enable View: Used to enable accounts on the Identity Manager
111. Display class='Select'> <Property name='allowedValues'> <expression> <list> <s>Engineering</s> <s>Marketing</s> <s>Sales</s> </list> </expression> </Property> </Display> </Field> </Form> The allowedValues list in the department field is defined as a static list built with <List>. No matter how many times this form is used, only one list is created. In contrast, the allowedValues list in the department2 field is defined with a <list> expression. A new list is created every time this form is used. Defining Map Objects with XML Object Syntax and XPRESS: You can use either the XML Object syntax or XPRESS to dynamically construct Map objects. Using the XPRESS <map> element is similar to using the XML Object language <Map> and <MapEntry> elements. These elements differ in that the contents of <map> can be calculated using expressions. In contrast, the <Map> element can only define static maps. NOTE: Maps are sometimes used as arguments to methods that are called with an <invoke> expression. For example, certain methods in the FormUtil class require maps as arguments. For more information on using map arguments with FormUtil methods, see the chapter titled FormUtil Methods. Using XPRESS to Represent a Map: The contents of the XPRESS <map> element are pairs of name/value expr
112. End User Menu' createDate='1012185191296' lastModifier='Configurator' lastModDate='1013190499093' lastMod='44' counter='0' wstype='UserForm'> <Extension> <Form name='End User Menu'> <Display class='LinkForm'> <Property name='title' value='User Self Service'/> <Property name='subtitle' value='Select one of the following options'/> </Display> Field content </Form> </Extension> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/> </MemberObjectGroups> </Configuration> NOTE: The Identity Manager User Interface pages implement a second XPRESS form that contains the navigation bar. This means that the rendered page has two <FORM> tags, each with a different name attribute: <form name='endUserNavigation'> and <form name='mainform'>. Form Components: The following table identifies form components in the order in which they appear in the form. Each form component is discussed in greater detail below. Table 3-7 Form Components (Form Component / Purpose): header / Introduces information about the form object definition. Includes start tags for <Form>, <Extension>, and <Configuration> elements, and defines form properties (such as title, subtitle, titleWidth) displayed when the form is launched; fo
114. Java method such as FormUtil.getResources. The values displayed in the right side of a multiselection box are populated from the current value of the associated view attribute, which is identified through the field name. The form titles for this two-part object are set through the availabletitle and selectedtitle properties. If you want a MultiSelect component that does not use an applet, set the noApplet property to true. NOTE: If you are running Identity Manager on a system running the Safari browser, you must customize all forms containing MultiSelect components to set the noApplet option. Set this option as follows: <Display class='MultiSelect'> <Property name='noApplet' value='true'/> Properties for this display component are: • availableTitle: Specifies the title of the available box. • selectedTitle: Specifies the title of the selected box. • ordered: Defines whether selected items can be moved up or down within the list of items in the text box. A true value indicates that additional buttons will be rendered to permit selected items to be moved up or down. • allowedValues: Specifies the values associated with the left side of the multiselection box. This value must be a list of strings. Note: The <Constraints> element can be used to populate this box, but its use is deprecated. • sorted: Specifies that the values in both boxes will be sorted
115. No; available extendedAttributes / Read / List (Strings) / No; available formFieldNames / Read / List (Strings) / No; host, password, TCPPort, user. The resource viewer instantiates the resource parameters for the various view methods as follows: • The createView method requires a typeString option, which is used to locate the correct prototypeXML for the resource type. The prototypeXML contains the initial set of resource parameters and their initial values. Thus, the view is populated with this list of initial resource parameters and their default values. • The getView and checkoutView methods return only the resource parameters that exist in the resource object. The prototypeXML is not used to fill in this list if any resource parameters are missing in the actual resource object. • The checkinView method replaces the list of resource parameters in the stored resource object in the repository. Again, the prototypeXML is not used to fill in any missing resource parameters that are not supplied during the checkinView operation. Resource Parameters: Resource parameters vary depending on the type of resource adapter being configured. Each resource contains a prototypeXML string that the resource viewer uses to determine the default set of resource parameters and their default values. Once Identity Manager creates a resource object, the resource viewer no longer uses the prototypeXML string, but rather uses the resource parameters from the
116. Sun Microsystems. Sun Java System Identity Manager 7.0 Workflows, Forms, and Views. Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054, U.S.A. Part No: 819-6131-10. Copyright 2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries. THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN PERMISSION OF SUN MICROSYSTEMS, INC. U.S. Government Rights: Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Java, Solaris, JDK, Java
117. RLs. Help Catalog Syntax: The syntax of a help catalog file is relatively simple. You must use the document element WebHelp, which contains one or more Page elements. These Page elements, in turn, contain one or more Item elements. Each Item element must have a key attribute, which is the catalog key for the help text. The content of the Item element is the help text. Although the syntax of the help catalog allows you to specify more than one Page element, no page processing system currently supports more than one element. Example: Simple Help Catalog File. An example of a simple help catalog file follows: <?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE WebHelp> <WebHelp> <Page name='user/changeAll.jsp'> <Item key='Account Information'> Miscellaneous information about your accounts. </Item> <Item key='Passwords'> <![CDATA[ <b>Passwords</b><br> Enter and confirm a new password. ]]> </Item> </Page> </WebHelp> Specifying Help Text within the Item Element: You can specify the help text within the Item element in two ways: • Working with simple text. If you are working with simple text, enter the text between the Item tags, as shown in the Account Information item of the preceding example. The browser removes any leading or trailing new line characters in the help text. • Including embedded HTML markup in the help
119. S_XML_SCHED_MONTHS</String> </List> </Property> <Property name='allowedValues'> <List> <String>minutes</String> <String>hours</String> <String>days</String> <String>weeks</String> <String>months</String> </List> </Property> </Display> </Field> SectionHead: Displays a new section heading defined by the value of the text property. It is an extension of the Label class that sets the font property to a style that results in large bold text. It also sets the pad property to zero to eliminate the default 2-space padding. Use it to break up long forms into sections separated by a prominent label. The only property for this display component is text, which specifies the text to be displayed. Example: <Field> <Display class='SectionHead'> <Property name='text' value='Calculated Fields'/> </Display> </Field> Select: Displays a single-selection list box. Values for the list box must be supplied by the allowedValues property. Properties for this display component are: • allowedValues: Specifies the list of selectable values for display in the list box. • allowedOthers: When set, specifies that initial values that were not on the allowedValues list should be tolerated and silently added to the list. • autoSelect: When set to true, this property causes t
120. Set the default field types to more helpful select boxes, checkboxes, and multi-value fields. By default, every attribute defined on a resource assigned to a user will appear on the Create User and Edit User pages as a text box (or as a checkbox for Boolean values).

Include additional forms to allow common forms to be used on multiple pages.

Tabbed User Form contains these fields:

• accountId
• firstname
• lastname
• role
• organization
• password
• confirm password
• email
• resource list
• application list
• MissingFields

NOTE: The MissingFields field is not actually a field but an element that indicates to the form generator that it should automatically generate text fields in the global namespace for all attributes that can be pushed to the assigned resources that are not explicitly declared in the Tabbed User Form. Remove this field if you do not want the form locator to explicitly generate these fields. By default, every attribute defined on a resource that is assigned to a user appears on the Create User and Edit User pages as a text box (or checkbox for Boolean values).

End User Form

End User Form controls the page that the system displays when a user selects Change Other Attributes from the user/main.jsp on the Identity Manager User interface. From this page, a user can change his password, authentication questions, and email address. You can custo
121. Specifies an optional value for an id parameter to be included in the form post data.

Example:

    <Display class='Button'>
      <Property name='label' value='Change Password'/>
      <Property name='value' value='Recalculate'/>
    </Display>

Checkbox

Displays a checkbox. When selected, the box represents a value of true. An unselected box represents a false value. Properties for this display component are:

• label: (Optional) Specifies a label that is displayed to the right of the checkbox. It is displayed adjacent to the component, but is not displayed in the title column.
• leftLabel: Specifies that the label should appear to the left of the checkbox.
• checkAll: Set when this checkbox is serving as a Select All checkbox, which should then propagate its value to a set of other checkboxes. The value of the property is a regular expression that is used to match the names of other checkboxes on the HTML page.
• uncheck: Set to the name of another checkbox field that represents the Select All checkbox in a collection of synchronized checkboxes. If this is set, whenever the selected status of this checkbox is changed, the Select All checkbox is unselected.
• syncCheck: Set to the name of another checkbox field that must stay in sync with the value of the checkbox field on which this property is set. If this is set, whenever
122. Status> <s>custom string</s> </Status>

or

    <Status>
      <block>
        <s>not appearing</s>
        <s>custom string</s>
      </block>
    </Status>

The results of this expression, if any, are displayed in the Status column when a result is pending, for example: pending custom status.

Enabling Workflow Auditing

Workflow auditing is similar to regular auditing, except that workflow auditing stores additional information to enable time computations. Regular auditing reports that an event occurred, but does not indicate when the event started and ended. See Identity Manager Audit Logging for more information about Identity Manager auditing.

Workflow auditing is enabled by adding the audit attribute to a workflow or one or more of its Activities. Once the attribute is in place, activate workflow auditing by selecting the Audit entire workflow checkbox in the appropriate task template of the Administrator interface. See the chapter titled Task Templates in Identity Manager Administration for procedural information about turning on auditing in a task template.

Overview

Workflow auditing operations store predefined attribute names and their values per audit event. You can enable auditing within a workflow by adding the audit attribute (set to true) to the WFProcess element or to one or more Activity elements. Setting the attribute at the WFProcess level causes the entire workflow
124. The WF_ACTION_ERROR workflow variable is set.

subject. Required: no. The Identity Manager administrator to check out the view under. If this is not supplied, the administrator that launched the workflow will be used (WF_CASE_OWNER).

Table 2-9 checkoutView Method Arguments (Name, Required, Valid Values, Description)

options. Required: no. View-specific options. The values you can pass are specific to the view being used. The most common is the user view. Options can be found in session.UserViewConstants. The simpler views should declare their option constants in the Viewer.java file. Probably the second most common view used from workflow is ProcessViewer, followed by PasswordViewer, DisableViewer, EnableViewer, and RenameViewer. These have comparatively few options.

Return Values and Side Effects

If the checkout is successful, the view checked out will be placed in the variable view. If the lock timed out, WF_ACTION_TIMEOUT will be set to true for the checkout action. If any other error occurred, including administrator not authorized to check out the view, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

createView Session Workflow Service

Creates an empty object of the type given with the appropriate form.

Table 2-10 createView Method Arguments (Name, Required, Valid Values, Description)

op. Required: yes. Valid values: createView.
viewid. Required: no. Indicates the ID of the v
125. This can be used in Actions implemented in XPRESS or JavaScript to get a hold of the result. For Actions implemented as WorkflowApplication classes, they can obtain the result through the WorkflowContext. Since the entire WorkflowContext is exposed through the WF_CONTEXT variable, this is not absolutely necessary, but convenient.

A built-in variable that contains a WorkflowContext object. This can be used in Actions implemented in XPRESS or JavaScript to get a hold of the WorkflowContext. For Actions implemented as WorkflowApplication classes, the context is passed in.

General Session Workflow Services Call Structure

Workflow services are called from workflow actions. The general form of a session workflow service action is shown in the following code example.

Code Example 2-1

    <Action class='com.waveset.session.WorkflowServices'>
      <Condition/>
      <Argument name='op' value='workflowServiceOp'/>
      <Argument name='argname1'>
        <expression>value1expression</expression>
      </Argument>
      <Argument name='argname2'>
        <expression>value2expression</expression>
      </Argument>
      <Argument name='argnameN'>
        <expression>valueNexpression</expression>
      </Argument>
    </Action>

Each of the supported workflow services has a variable number of required and optional arguments.

Supported Session Workflow Services
126. This function returns:

• 0: statement is logically false
• 1: statement is logically true

Example:

    <eq>
      <ref>role</ref>
      <s>engineering</s>
    </eq>

gt Function

Takes two arguments. This function returns:

• 0: the first argument is numerically less than or equal to the second
• 1: the first argument is numerically greater than the second

Example:

    <gt>
      <ref>age</ref>
      <i>42</i>
    </gt>

gte Function

Takes two arguments. This function returns:

• 0: first argument is less than the second
• 1: the first argument is numerically greater than or equal to the second

Example: The following expression returns 1.

    <gte>
      <i>10</i>
      <i>5</i>
    </gte>

isFalse Function

Used when referencing Boolean values that are represented with the strings true and false rather than the numbers 0 and 1. Takes two arguments. This function returns:

• 0: the argument is logically true (non-zero and non-null, and not the string false)
• 1: the argument is logically false or returns the string false

Example: The following expression returns 1.

    <isFalse>
      <s>false</s>
    </isFalse>

isnull Function

Takes one argument. This function returns:

• 0: statement is non-null
• 1: statement is null

Exa
127. User Update My Groups: Updates the group assignments on resources that support groups assigned to the logged-in account.
End User Update Roles: Updates the role assignments for one of a manager's reports.
End User Update My Roles: Updates the role assignments assigned to the logged-in account.
End User Update Resources: Updates the resource assignments and associated attributes for one of a manager's reports.
End User Update My Resources: Updates the resource assignments and associated attributes for the logged-in account.

Table 1-7 Default Auditor Workflows (Activity: Description)

Scan Notification: Notifies Attestors at the end of each Access Scan that they have pending Attestation workitems. Sends one notification to each Attestor, regardless of the number of pending workitems. Also notifies the scan owner (if any) that the scan has started and completed. This workflow takes the following input:

• scanName: name of access scan
• scanOwner: name of access scan owner
• recipients: list of IDM user names which should be notified
• notificationType: Valid types include begin, end, attest
• userCount: number of users to be scanned (only on begin)

Standard Attestation: Creates an Attestation Subprocess for each attestor specified.

Attestation: Creates a work item for each Attestor, and marks the User entitlement record as APPROVED when all work items complete with approved status, or REJECTED as soon as the first work
129. abling tracing can result in a large amount of trace data.

Use the following functions to enable expression trace or print text to help diagnose problems in an expression.

NOTE: Globally enabling trace may result in a large amount of trace data being printed. It is usually better to enable trace at the block level by setting the trace attribute of the block element to true.

trace Function

Enables or disables expression tracing. If the argument evaluates to true, tracing is enabled. If tracing is enabled, it will go to standard output.

Example 1:

    <trace><i>1</i></trace>

Example 2:

    <trace><i>0</i></trace>

print Function

Prints the value of each subexpression to standard output.

Example:

    <print>
      <s>Ashley World</s>
    </print>

Data Types

All functions return a value that has one of the data types listed in the following table.

Table 6-1 Return Value Data Types (Data Type: Definition)

integer: Represents a signed integral value. The precision of the value is at least 32 bits.
list: Represents ordered lists of other values. The values in a list are called elements. List elements can be null. A list lacking elements is not considered to have a null value.
null: Represents the absence of a value. A function might return null if it is called on
object
string
130. acters that are visible in the text entry box. The box size is recalculated depending upon the length of the text in the box.
• notrim: Specifies whether text posted from the HTML form is trimmed. Set to true to not trim white space. To preserve white space, set this option.
• noTranslate: When set to true, causes values that are message keys to be displayed as is rather than substituted. Default is false.
• maxLength: Specifies the maximum length of the string that can be edited in the text box.
• multiValued: Displays text boxes with Add and Remove buttons to add and remove values when set to true.
• secret: Displays asterisks in the place of entered text. This option is most often used in password fields.
• readonly: Displays read-only text. This text cannot be edited by the user. You might use this property if, for example, you want to display resource attribute information that an administrator needs to view when creating or editing user accounts.
• submitOnEnter: When this property is set and the Text field has focus, then when the user presses the Enter key, the form is submitted using the command that is specified in the property value. In the following example, the form is submitted exactly as though the user has clicked Save.

Example:

    <Field name='variables.identityID'>
      <Display class='Text'>
        <Property name='required'>
          <Boolean>true</Boolean>
          <
131. actual object.

The following attributes uniquely identify the resource object:

• name: Externally identifies the resource. This user-supplied name is unique among resource objects.
• adapterClassName: Identifies the Resource Adapter class to be used to provision to the resource.
• type: Identifies the data type of the resource.
• typeString: Specifies the internal name for the resource type.
• typeDisplayString: Identifies the display name for the resource type. This should be a message key or ID to be found in the message catalog.
• syncSource: If set to true, indicates that the resource supports synchronization events.
• facets
• description: Provides a textual description of the resource.
• startupType: Specifies whether the activeSync resource starts up automatically or manually.

Additional Attributes

Additional attributes depend upon the type of adapter being configured. At a minimum, these attributes specify how to connect to the resource. Typical parameters include TCP port, user, and password.

• host: Uniquely identifies the host.
• password: Specifies the password of the user/host administrator to connect as.
• TCPPort: Identifies the port on the host to connect to.
• user: Identifies the user/host Administrator to connect as.

accountAttributes

Define the accounts managed on this resource. Attributes vary depending on the resource type. Typical attributes are accoun
132. ad/Write, List, No
approvers: Read/Write, List, No
properties: Read/Write, List
organizations: Read/Write, List, Yes

name: Identifies the name of the role. This corresponds to the name of a Role object in the Identity Manager repository.

resources: Specifies the names of locally assigned resources.

applications: Specifies the names of locally assigned applications (Resource Groups).

roles: Specifies the names of locally assigned roles.

assignedResources: Flattened list of all assigned resources via resources, applications, and roles.

Table 5-62 Attributes of assignedResource Attribute (Role View) (Attribute, Editable, Data Type)

resourceName: String
name: String
attributes: Object

resourceName: Identifies the name of the assigned resource.

name: Identifies the resource name or ID (preferably ID).

attributes: Identifies the characteristics of the resource. All subattributes are strings and are editable.

Table 5-63 attribute Options (Role View) (Attribute: Description)

name: Name of resource attribute.
valueType: Type of value set for this attribute. Allowed values include Rule, text, or none.
requirement: Type of value set by this attribute. Allowed values include Rule, Text, None, Value, Merge with Value, Remove with Value, Merge with Value clear existing, Authoritative set to value, Authoritative merge with value, Authoritative merge with value clear existing.
rule: Specifies rule name if value typ
133. ains both resources and assigning the Resource Group to the user.

Set the special attributes in the User view for the accounts that are to be created, as indicated by the following sample scenario. Each deferred attribute requires two view attributes: one that identifies the source account, and one that identifies the source attribute. Set these using paths of the following form:

    accounts[<resource>].deferredAttributes.<attname>.resource
    accounts[<resource>].deferredAttributes.<attname>.attribute

where <resource> would be replaced with an actual resource name, and <attname> replaced with an actual attribute name.

For example, assume a scenario in which the following two resources are created:

1. a resource named LDAP that generates a uid attribute when an account is created
2. a resource named HR, which contains a directoryid attribute named directoryid whose value is to be the same as uid in the LDAP resource

The following form fields set the necessary view attributes to define this association:

    <Field name='accounts[HR].deferredAttributes.directoryid.resource'>
      <Expansion>
        <s>LDAP</s>
      </Expansion>
    </Field>
    <Field name='accounts[HR].deferredAttributes.directoryid.attribute'>
      <Expansion>
        <s>uid</s>
      </Expansion>
    </Field>

Debugging the User View

When debugging the User view, you might find it useful to dump
134. ame and the base context to append to the name. This method returns a string of fully qualified distinguished (DN) names. For example, passing in group1 and dc=example,dc=com returns the string cn=group1,dc=example,dc=com.

Table 4-2 buildDn Parameters (Parameter: Description)

name: Specifies the names of the directory object (typically the common name, cn).
baseContext: Identifies the base context or container. This is the value of the base distinguished name to which the common name is concatenated to form the full distinguished name of the directory object.

Return Value

Returns a single value in the form CN=<name>,<baseContext>

Example:

    <invoke name='buildDn' class='com.waveset.ui.FormUtil'>
      <s>North America</s>
      <s>ou=marketing,dc=acme,dc=com</s>
    </invoke>

This example returns:

    <s>CN=North America,ou=marketing,dc=acme,dc=com</s>

In XPRESS, this same function can be represented by:

    <concat>
      <s>CN=</s>
      <s>North America</s>
      <s>,</s>
      <s>ou=marketing,dc=acme,dc=com</s>
    </concat>

buildDns Method

    buildDns(List names, String baseContext)

or

    buildDns(String names, String delimiter, String baseContext)

Description

Takes a list of names and the base context to append to each token in the list. Both variants of t
135. ample, on an Active Directory resource, the structure of the fullname is lastname firstname. But all other resources that have a fullname use firstname lastname. The following example shows how you can reference these two fields in a form:

    <Field name='global.fullname'>
      <Expansion>
        <concat>
          <ref>global.firstname</ref>
          <s> </s>
          <ref>global.lastname</ref>
        </concat>
      </Expansion>
    </Field>
    <Field name='accounts[ActiveDir].fullname'>
      <Expansion>
        <concat>
          <ref>global.lastname</ref>
          <s> </s>
          <ref>global.firstname</ref>
        </concat>
      </Expansion>
    </Field>

In the preceding example, creating a new user works as expected. However, when you load the user, the fullname attribute from the Active Directory resource can be used to populate the global.fullname field. A more accurate implementation for this scenario would be to declare one resource to be the authoritative source for an attribute and create a Derivation rule such as the following:

    <Field name='global.fullname'>
      <Derivation>
        <or>
          <ref>accounts[LDAP res].fullname</ref>
          <ref>accounts[NT res].fullname</ref>
        </or>
      </Derivation>
      <Expansion>
        <concat>
          <ref>global.firstname</ref>
          <s> </s>
          <ref>global.lastname</ref>
136. ample/rules/NamingRules.xml
• sample/rules/RegionalConstants.xml

Sample resource rule file names are:

• sample/rules/ADRules.xml
• sample/rules/NDSRules.xml
• sample/rules/NTRules.xml
• sample/rules/OS400UserFormRules.xml
• sample/rules/RACFUserFormRules.xml
• sample/rules/TopSecretUserFormRules.xml

Click Import. Identity Manager responds with a message indicating that the import was successful.

Step 2: Import the Form

Use the Identity Manager Administrator Interface to load the sample form. To do this:

1. From the Identity Manager menu bar, select Configure > Import Exchange File.
2. Enter the sample file name, or click Browse to locate the file in the idm/sample/forms directory. Sample form file names are:

• sample/forms/ACF2UserForm.xml
• sample/forms/AIXUserForm.xml
• sample/forms/Exchange55UserForm.xml
• sample/forms/HP-UXUserForm.xml
• sample/forms/NDSUserForm.xml
• sample/forms/NTform.xml
• sample/forms/OS400UserForm.xml
• sample/forms/SecurIDUserForm.xml
• sample/forms/SolarisUserForm.xml
• sample/forms/TopSecretUserForm.xml
• sample/forms/vitalStatform.xml

3. Click Import. Identity Manager responds with a message indicating that the import was successful.

Step 3: Update the Tabbed User Form (Add Include References)

Add an include reference to the sample form from the Tabbed User Form or a main form you created. To do th
137. an Identity Manager administrator can set up pass-through authentication for an Active Directory resource. As a result, any person who has an Active Directory account can log in to the Identity Manager User interface. You can customize those pages so that when a user who does not have an Identity Manager account logs in, an Identity Manager user object is created and the Active Directory resource is added. Subsequently, through a series of questions, the system can set up the user's role, organization, and other resources. You can customize Anonymous User Menu Form to launch workflow processes to request services before an Identity Manager user exists.

Tabbed User Form

Tabbed User Form is the default form used for user creation and modification in the Identity Manager Administrator Interface. You can customize a copy of this form by extending it with a form of your design.

TIP: Do not directly edit the Tabbed User Form. Instead, Sun recommends that you make a copy of this form, give it a unique name, and edit the renamed copy. This will prevent your customized copy from being overwritten during service pack updates and upgrades.

Customize your copy of Tabbed User Form to:

• Restrict the number of attributes that are displayed on the Edit User page. By default, this page displays every attribute that is defined on the schema map for a resource, which can result in an overwhelming list of attributes for a hiring manager to fill out.
138. an be an atomic value such as a string, a collection such as a list, or a reference to another object. You can represent almost any object abstractly with the Map, List, and String Java classes.

Within the Identity Manager system, the GenericObject class provides a simple memory model for the representation of arbitrary objects and collections. It includes features for easily navigating object hierarchies to access or modify attribute values.

The GenericObject class implements the java.util.Map interface and internally uses a java.util.HashMap to manage a collection of name/value pairs. The entries in this map are called attributes. The value of an attribute can be any Java object that is able to serialize itself as XML. The most common attribute values found in a GenericObject are instances of the following classes:

• String
• Integer
• Boolean
• EncryptedData
• List
• Date
• GenericObject
• X509Cert

You can construct complex hierarchies of objects by assigning Lists or GenericObjects as attribute values. Once you have assigned attribute values, you traverse this hierarchy to access the values of an attribute.

Path Expressions

A path expression is a string that is interpreted at runtime by the GenericObject class to traverse an object hierarchy and retrieve or assign the value of an attribute. Identity Manager uses a system of dots and brackets to represent
139. anager installation directory.
• color: Specifies the label color. Use standard HTML color formatting (#xxxxxx) to specify the color value.

Link

Places a link on the page. Properties include:

• URL: Specifies the target Uniform Resource Locator (URL).
• imageURL: (Optional) Specifies the URL to an icon or image that will be rendered to the right of the link.
• imageURL2: (Optional) Specifies the URL to an icon or image that will be rendered to the right of the first image.
• hoverText: Specifies text to display when the mouse rests over the first or second image.
• id: (Optional) Specifies a value to be included as the id query argument in the link.
• arguments: (Optional) Specifies a set of name/value pairs to be included as query arguments.
• extraURL: (Optional) Specifies an additional URL fragment to be included after the base URL and arguments.

Example:

    <Field>
      <Display class='Link'>
        <Property name='name' value='Request Group Access'/>
        <Property name='URL' value='user/processLaunch.jsp?newView=true'/>
        <Property name='id' value='Group Request Process'/>
      </Display>
    </Field>

NOTE: Link components are one place in your form where you might use a <map> element to pass name/value pairs. In the following example, the <map> element contains several pairs: a mapping of a String to a Boolean value and a String to a List.
140. and Manage Workflows workflows simply commit view changes to the repository, while providing hooks for approvals and other customizations.
• Miscellaneous workflows: Define the steps for various Identity Manager features and objects, such as reconciliation, Remedy templates, and other custom tasks.

Example

The following Create User workflow has been modified to call an escalate activity if a timeout value is reached. If the timeout is not reached, then the results of the APPROVED variable are evaluated. The results of the evaluation determine whether to transition to the approved or rejected activity.

    <Activity name='Wait'>
      <ManualAction name='approve' timeout='180'>
        <Owner name='APPROVER'/>
        <Variable name='APPROVAL' value='false'/>
        <Return from='APPROVAL' to='APPROVED'/>
        <FormRef>
          <ObjectRef type='UserForm' id='#ID#UserForm:ApprovalForm'/>
        </FormRef>
        <ReportTitle>
          <concat>
            <s>Awaiting approval from </s>
            <ref>APPROVER</ref>
          </concat>
        </ReportTitle>
      </ManualAction>
      <Transition to='Escalate'>
        <eq>
          <ref>WF_ACTION_TIMEOUT</ref>
          <s>true</s>
        </eq>
      </Transition>
      <Transition to='Approved'>
        <eq>
          <ref>APPROVED</ref>
          <s>tr
141. angeLog ActiveSync Create Person Form; LDAP ChangeLog ActiveSync Update Group Form; LDAP ChangeLog ActiveSync Update Organization Form; LDAP ChangeLog ActiveSync Update Organizational Unit Form; LDAP ChangeLog ActiveSync Update Person Form; LDAP Listener ActiveSync Create Group Form; LDAP Listener ActiveSync Create Organization Form; LDAP Listener ActiveSync Create Organizational Unit Form; LDAP Listener ActiveSync Create Person Form; LDAP Listener ActiveSync Update Group Form; LDAP Listener ActiveSync Update Organization Form; LDAP Listener ActiveSync Update Organizational Unit Form; LDAP Listener ActiveSync Update Person Form; UserEntitlementForm; Windows Active Directory ActiveSync Create Container Form; Windows Active Directory ActiveSync Create Group Form

LDAP Create Organization Form; LDAP Create Organizational Unit Form; LDAP Create Person Form; LDAP Update Group Form; LDAP Update Organization Form; LDAP Update Organizational Unit Form; LDAP Update Person Form; LDAP Create Group Form; LDAP Create Organization Form; LDAP Create Organizational Unit Form; LDAP Create Person Form; LDAP Update Group Form; LDAP Update Organization Form; LDAP Update Organizational Unit Form; LDAP Update Person Form; UserEntitlementForm; Windows Active Directory Create Container Form; Windows Active Directory Create Group Form

Table 0-1 Form System and Product Int
142. anges its components in a horizontal row with padding in between. Typically used to display a row of Button components. Container.

Displays a calendar icon on the page. The user can click this icon to select a calendar date and populate a page field.

The default container for forms. Displays component titles in one column and components in another. Each row has an alternating gray or white background.

Variant of the Text component used for specifying the name of a file to be uploaded.

A component used to include data into the HTML page that is not displayed.

Inserts pre-formatted HTML into the page.

Defines JavaScript functions.

Displays read-only text.

Places a link on the page.

Places components in a bulleted vertical list with no titles. Typically used for pages that contain lists of Link components. Alternative to EditForm container. Container.

Displays a multiselection box, which displays as a two-part object in which a defined set of values in one box can be moved to a selected box.

Displays a list of name/value pairs in a simple table with a beige background.

Organizes its components in either a horizontal or vertical line. Container.

Displays a horizontal list of one or more radio buttons. A user can select only one radio button at a time. If the component value is null or does not match any of the allowed values, no button is selected.

Table 3-4 Options for Display Class HTML Componen
143. apply to all resources, add an attribute in the System Configuration object with this path:

    updatableAttributes.ViewName.ResourceTypeName

where ViewName is one of Password, Reset, Enable, Disable, Rename, or Delete, and ResourceTypeName is the name of the resource type. The type name all is reserved for registrations that apply to all resources.

The value of this attribute must be a List of Strings. The strings are names of the attributes you want to update. The following example registers the attribute named delete before action in the Deprovision view for all resources.

    <Attribute name='updatableAttributes'>
      <Object>
        <Attribute name='Delete'>
          <Object>
            <Attribute name='all'>
              <List>
                <String>delete before action</String>
              </List>
            </Attribute>
          </Object>
        </Attribute>
        <Attribute name='Enable'>
          <Object>
            <Attribute name='all'>
              <List>
                <String>enable before action</String>
              </List>
            </Attribute>
          </Object>
        </Attribute>
      </Object>
    </Attribute>

Resource-Specific Registration

To make resource-specific registrations, modify the resource object from the Identity Manager Debug page and insert a <Views> subelement in the AccountAttributeType element. <Views> must contain a list of strings whose values are the names of the views in which this attribute can be
144. ary: A brief text description of the policy, including information about each of the policy attributes. attributes: The value of this attribute is another object that contains the names and values of each policy attribute. Applications that display policy information typically display the summary text, but if you need more fine-grained control over the display of each policy attribute, you can use the attributes map. Forms that provide an interface for changing and synchronizing passwords often use this information.

accountInfo.accounts[Lighthouse]: This special entry in the accountInfo list is used to hold information about the Identity Manager default password policy. This is convenient when displaying password forms, since information about the Identity Manager password and policies must be displayed along with the information for resource accounts. This element is present only when pass-through authentication is not being used. The resource type is Lighthouse.

accountInfo Resource Name Lists: The accountInfo view includes attributes that contain lists of resource names. Each list is intended to be used in forms with FieldLoop constructs to iterate over resources with certain characteristics. The accountInfo attributes that can contain resource names are: assigned, created, fromRole, private, toCreate, toDelete.

accountInfo.assigned: Identifies the resources
145. assignment. Using the scopingOrg Parameter: Set this attribute under these conditions:
- The specified user is assigned more than one AdminRole.
- You want to ensure that, when the administrator is creating or editing a user, the member organization of the user being created or edited determines which object names of the requested type are available for assignment.

For example, if an administrator were assigned both the Engineering AdminRole and Marketing AdminRole, and the administrator is editing a user who is a member of the Engineering organization, the Resources available for assigning to that user should be limited to those available to the organization(s) controlled by the Engineering AdminRole.

Implementing the scopingOrg Attribute: To implement the behavior described above, add the scopingOrg attribute to the waveset.resources field in the user form. Reference the value of the current organization as follows:

    <Field name='waveset.resources'>
      <Display class='MultiSelect'>
        <Property name='title' value='_FM_PRIVATE_RESOURCES'/>
        <Property name='availableTitle' value='_FM_AVAILABLE_RESOURCES'/>
        <Property name='selectedTitle' value='_FM_SELECTED_RESOURCES'/>
        <Property name='allowedValues'>
          <invoke class='com.waveset.ui.FormUtil' name='getUnassignedResources'>
            <ref>:display.session</ref>
            <map>
              <s>currentRoles</s>
146. asswords in uppercase, encrypted format. owner: (Required) Identifies the user whose string value is being checked.

Return Values: This method returns a value of true to indicate that the string passes the policy test. If the string does not pass the policy test, the method returns an error message. If you have set the returnNull option to true on the map parameter, the method returns a null object upon success.

controlsAtLeastOneOrganization Method

    controlsAtLeastOneOrganization(LighthouseContext s, List organizations) throws WavesetException

Description: Determines whether a currently authenticated user controls any of the organizations specified on a list of one or more organization (ObjectGroup) names. The supported list of organizations includes those returned by listing all objects of type ObjectGroup.

Table 4-6 controlsAtLeastOneOrganization Parameters (Parameter: Description)
s: Specifies the current user's Lighthouse context (session).
organizations: Specifies a list of one or more organization names. The supported list of organizations includes those returned by listing all objects of type ObjectGroup.

Return Values:
true: Indicates that the current authenticated Identity Manager user controls any one of the organizations in the list.
false: Indicates that the current authenticated Identity Manager user does not control any organizations in the list.
147. ated even if the current field value is non-null. The derivation expression is evaluated before the form is first displayed, and then again each time the form is refreshed. Specify logic to determine whether a value entered in a form is valid. Validation expressions return null to indicate success, or a string containing a readable error message to indicate failure. Specify an expression to calculate the value of the field after the form has been submitted. Expansion expressions are typically used with fields that are also marked hidden. Since hidden fields are not directly editable by the user, the value can be calculated with an Expansion expression. See Hiding Fields.

Table 3-3 Characteristics Set from Main Tab View (fields: Disable, Display Class, size, maxLength)
Disable: Specify an expression that, if evaluated to true, disables the field and any of its nested fields. A disabled field does not display on the form. It is used to determine if a user has a specific type of resource. If the user does, the form then displays the appropriate fields for that resource.
Display Class: Identify the HTML component class used to render this form component in the browser. By default, the Display Class selection is EditForm. If the form is a link form, such as the End User menu, then select LinkForm from the Display Class options. See the HTML Display Class table in HTML Display Components.
size: Controls the character width of the c
148. attributes (allowedAttrs).
selectedAttrRequired: (Optional) Indicates whether the selected attribute (selectedAttr) can be changed for this attribute condition. A value of true indicates that the selected attribute cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions.
defaultAttr: (Optional) Identifies the allowedAttrs name to select by default when the list of allowed attributes is displayed in the interface.
allowedOperators: Lists the operators allowed, based on the syntax specified in the selected attribute (selectedAttr). By default, this list is obtained by calling the getAllowedOperators method, passing the values of the syntax and multiValued attributes of the selected attribute (selectedAttr). You can override the default by specifying the set of allowed operators (allowedOperators) in either the default section or the objectType-specific section of the sample/findObjectsDefaults.xml configuration file.
selectedOperator: Specifies the name of one operator from the list specified in allowedOperators.
selectedOperatorRequired: (Optional) Indicates whether the selected operator (selectedOperator) can be changed for this attribute condition. A value of true indicates that the selected operator cannot be changed for this attribute condition, and the attribute condition cannot be removed from the list of attribute conditions.
defaultOperator: O
149. be used throughout Identity Manager.

Example Expression: In the following example, the <add> element represents a call to the XPRESS function named add.

    <add>
      <ref>counter</ref>
      <i>10</i>
    </add>

This function is passed two arguments:
- first argument: value is determined by calling a function named ref. The argument to the ref function is a literal string that is assumed to be the name of a variable. The value returned by the ref function is the current value of the variable counter.
- second argument: value is determined by calling a function named i. The argument to the i function is a literal string that is an integer. The value that the i function returns is the integer 10.

The value returned by the add function will then be the result of adding the integer 10 to the current value of the variable counter. Every function call returns a value for the next operation to use. For example, if the ref call returns the value of the counter, then the <i> call returns the integer 10, then the <add> call returns the addition of the two calls.

Example of Expression Embedded within Form: The following example shows the use of XPRESS logic embedded within an Identity Manager form. XPRESS is used to invoke one of the FormUtil Java methods that will produce the relevant role-related choices for display in the browser. Note that the expression is surrounded by the <expression> tag
150. before they are displayed. For example, department or division codes that are stored as acronyms or by numeric ID in your resource can be represented with more human-readable full names to your user.
- Post-process user view attributes data entry. For example, you can automatically create a mail account based on the value of a location field.
- Control screen real estate by positioning multiple fields on one line. By customizing the arrangement of fields in an Identity Manager form, you can make it more closely resemble a printed form or pre-existing web form.
- Define rules for the way hidden attributes are calculated. For example, a user's email address can be calculated to be the user's first name, a period, their last name, then the mail domain (joe.user@sun.com).

Example Scenario: Forms are especially useful in environments where people with varying needs and purposes must access the same data. For example, you can create a form that hiring managers at your company will use to create a new employee account. The default Tabbed User Form displays more information than the hiring managers need. Rather than displaying all 99 fields in a distractingly busy form that might complicate the user's task, you can create a form in which the hiring managers must fill in only 10 attribute fields, and the other 89 attributes are set based on rules that you, the administrator, define.

Identity Manager Pages that Use Forms: Identity Manager forms ar
151. bject argument. resourceId | yes | Specifies the object ID for the resource on which to update the object.

Return Values and Side Effects: A WavesetResult object containing the result of the object update.

Type Names: These are the valid type names that are used by Identity Manager: AdminGroup, Administrator, Application, AttributeDefinition, AuditConfig, AuditLog, AuditLogPrunerTask, AuditQuery, Configuration, DataStore, DataType, Discovery, EncryptionKey, EmailTemplate, Event, Extract, LoadConfig, Log, LoginConfig, NotifyConfig, ObjectGroup, Policy, RemedyConfig, ReportCounter, ReportLog, Resource, ResourceAccount, ResourceObject, Role, RoleAttribute, Rule, TaskDefinition, TaskInstance, TaskResult, TaskResultPage, TaskSchedule, TaskTemplate, TestItem, UsageReport, User, UserExternalAttribute, WorkItem.

Right Names: These are the valid right names that are used by Identity Manager: Approve, Bypass Verify, Change Password, Configure, Connect, Create, Delete, Deprovision, Disable, Disconnect, Enable, Execute, Export Import, List, Modify, Provision, Reject, Rename, Reset Password, Unlock, View.

Action Names: These are the valid action names that are used by Identity Manager: Approve, CancelReconcil
152. ble 5-6 (Attribute: Description)
name: Identifies the name of the TaskDefinition object to run.
date: Specifies the date on which to run the task.
taskName: Identifies the TaskInstance that is created. If none is specified, Identity Manager generates a random name.
owner: Identifies the name of an Identity Manager administrator that is considered to be the owner of the task. If none is specified, the default owner is Configurator.
organization: Identifies the Identity Manager organization that the TaskInstance will be placed in. If none is specified, an organization controlled by the task owner is selected at random.
description: Descriptive text that will be stored in the TaskInstance when it is created. This text is displayed in the task status page of the Identity Manager Administrator Interface.

Sample Use: You can use the accounts[Lighthouse].properties value to display a table of the deferred tasks assigned to a user. This list is added to the form library named Default User Library, which is found in sample/formlib.xml. The field that displays the deferred task table is named Deferred Tasks. After modifying the waveset.properties attribute, the deferred task table is now referenced by the default Tabbed User Form. If any deferred tasks exist, the table will be displayed at the bottom of the Identity tab panel.

accounts[Lighthouse].viewU
153. bute Name | Data Type | Default Value
consoleTrace | String | false
fileTrace | null
maxSteps | String | 5000
resultTrace | String | false
retainHistory | String | false
traceAllObjects | String | false
traceLevel | String | 1
validationLevel | String | CRITICAL

consoleTrace: Specifies whether trace messages are emitted to the console. When set to true, trace messages are emitted. Default is false.
fileTrace: Specifies whether trace messages are emitted to a named file. To send trace messages to a specific file, enter the file name.
maxSteps: Specifies the maximum number of steps allowed in any workflow process or subprocess. Once this level is exceeded, Identity Manager terminates the workflow. This setting is used as a safeguard for detecting when a workflow is stuck in an infinite loop. The default is 5000 steps.
resultTrace: Specifies whether trace messages should be retained in the task's result object. When set to true, trace messages accumulate in the task's result object.
retainHistory: Indicates whether the entire history should be returned after the task has completed. When set to true, Identity Manager returns the entire case history. Although it can be useful to examine the history when diagnosing process problems, complete results can be large.
traceAllObjects: Indicates whether generic objects should be included in workflow trace operations.
traceLevel: Specifies the level of detail included
154. by using the invoke method. The invoke method is called by specifying the class name and name of the method. Arguments can also be passed to the method within the invoke tags, as shown in the following example:

    <Default>
      <block>
        <defvar name='vmsResName'>
          <index i='0'>
            <ref>accountInfo.accounts[type=vms].name</ref>
          </index>
        </defvar>
        <invoke name='callResourceMethod' class='com.waveset.ui.FormUtil'>
          <ref>:display.session</ref>
          <ref>vmsResName</ref>
          <null/>
        </invoke>
      </block>
    </Default>

From the Form Element dialog for the field: 1. Select Javascript from the Display Class menu. 2. Click OK.

Referencing a Form from Another Form: You can reference particular fields in a separate form, rather than a complete form, through the use of the <FormRef> element. Use the <FormRef> element to include another form from within an external form. The following example calls the form named MissingFields:

    <FormRef name='MissingFields'/>
    <FieldRef name='AuthenticationAnswers'/>
    <FieldRef name='AccountInformation'/>
    <Field name='waveset.backgroundSave'>
      <Display class='Hidden'/>
    </Field>

Referencing Fields from Another Form: You can reference particular fields in a separate form, rather than a complete form, through the use of the <FieldRef> element. Use the
155. cally used to build a user select box. If a custom form wants to compute the user list in a different way, you can specify the view option CustomUserLists as either a view option or form property.
userIds: Typically null. If you are configured to use alternate display names, then the users list contains display names, and this list contains the true repository names.
forwardingUsers: Lists the display names of Identity Manager users to which the current user can forward work items. This value depends on the value of the ForwardingApproverStyle attribute, which defaults to peers.
itemType: When set, the work items in the list will be filtered to contain only those whose item type matches this value. This gives the WorkItemList view the ability to filter the item list based on the work item type.
forwardingUserIds: Typically null. If you are configured to use alternate display names, then the forwardingUsers list will have display names, and this list will have the true repository names.
workItems: Lists the objects that contain information about the work items for the selected user(s). The object names are the repository IDs of the work items.
workItems owner: Specifies the display name of the owner. Set only if user is null and all work items are displayed.
workItems request: Supplies a brief description of the object being requested. This value is computed by the WorkItemRequest expression of the manual action
156. can run the tools. 2. From the command line, enter:

    lh xmlparse <xpress_file>

where xpress_file represents the name of the file that contains the XML you want to test. This command parses the file for XML correctness and displays error messages in the console.

NOTE: Consider putting WSHOME/bin in your PATH environment variable. This will permit you to use whichever directory you are currently in as your working directory. This will also allow you to run the Identity Manager lh command from any current working directory.

Tracing XPRESS Evaluation: Once you have written and successfully stored an expression in the repository, you can turn on XPRESS tracing to determine if the expression is functioning correctly. XPRESS trace messages are sent to the standard output device. Since XPRESS is typically evaluated within the application server, the trace messages are sent to the console window or log file that was active when the application server was started. There are two forms of XPRESS tracing:
- Global trace. When global trace is enabled, all XPRESS expressions are traced.
- Block-level trace. When block-level tracing is used, only expressions within designated blocks are traced. Block tracing can be set only within a field element in a form or within an expression in a workflow.

Typically, block-level tracing is preferable because it reduces the amount of trace output, which is then easier to analyze.

Enabling Tracing: To enab
157. ccount linking. Passing the NoLinking view option to the checkinView call prevents automatic linking. You can specify this option in several ways:
- Pass it as an argument to the WorkflowServices method, as follows:

    <Action application='com.waveset.provision.WorkflowServices'>
      <Argument name='op' value='checkinView'/>
      <Argument name='view' value='$(user)'/>
      <Argument name='NoLinking' value='true'/>
    </Action>

- Setting the option as attributes in the view. In this case, name the view attribute viewOptions.NoLinking. You can then set it in a workflow with XPRESS logic like this:

    <set name='user.viewOptions.NoLinking'>
      <s>true</s>
    </set>

Preventing an Attribute from being Displayed in Clear Text on Results Pages: Identity Manager displays the value of an attribute in clear text on Results pages, even when you have set the attribute for display with asterisks in an Edit form. To prevent an attribute from being displayed in clear text on Results pages, you must register it as a secret attribute. To register a secret attribute, add it as follows to the System Configuration object:

    <Attribute name='secretAttributes'>
      <List>
        <String>email</String>
        <String>myAttribute</String>
      </List>
    </Attribute>

Calling Resource Methods from Forms: You can invoke methods on a resource from a form
158. cent text box. When the user selects the Other option from the selection box, the page presents a new field in which the user can enter custom information.
- Implements the defvar element to create a variable that defines a list of job positions from which a user can select a relevant position.

NOTE: Consider putting into a rule any variables that will be referenced in a form multiple times.

In the following example, a list of items to select from is stored in a variable (in the example, titleList), which allows the Derivation rule to search through it. The following example is interspersed with descriptive text.

    <defvar name='titleList'>
      <list>
        <s>Manager</s>
        <s>Accountant</s>
        <s>Programmer</s>
        <s>Assistant</s>
        <s>Travel Agent</s>
        <s>Other</s>
      </list>
    </defvar>

The next part of this example contains two visible fields called title and otherTitle. The otherTitle field is displayed only if the user chooses the other option on the selection list. The third, hidden field is global.Title, which is set from either Title or otherTitle. The Title field is the main field that the user will select from. If the user cannot find the item that he wants in the list, he can select Other. This is a transient field and is not stored or passed to the workflow process when you click Save. A Derivation rul
159. chronous or foreground execution.
async: Specifies asynchronous or background execution.
asyncImmediate: Specifies asynchronous with immediate thread launch. Use the asyncImmediate execution mode only for special system tasks that must pass non-serializable values into the task through the view. The task thread is started immediately. The default behavior is to save the TaskInstance temporarily in the repository and have the Scheduler resume it later.
result: Specifies the initial result for the TaskInstance. You can use this setting to pass information into the task that you eventually want displayed with the task results when the task completes.
owner: Specifies the user name that is considered to be the owner of the task. If not set, the currently logged-in user is designated as the owner.

View Options: The following options are recognized by the createView and checkinView methods.
endUser: Specifies that the task is being launched from the Identity Manager User Interface. This allows users with no formal privileges to launch specially designated end-user tasks.
process: Names the process to launch. This name is recognized by the createView method and becomes the value of the process attribute in the view.
suppressExecuteMessage: When set to true, suppresses a default message that is added to the task result when an asynchronous task is launched. The default English text is The
162. complex notification process. The structure is expected to be the same as that defined for Approval Evaluator. In the standard workflow, approval definitions and notification definitions are maintained in the same structure. This is not required for a customized workflow. Standard process for notifying administrators after a provisioning operation has completed.

Table 1-5 Default User Workflows (Activity: Description)
DeProvision: Performs the standard steps to deprovision an existing Identity Manager user, with granular control over resource account deletion, Identity Manager user deletion, unlinking, and de-assignment. Individual resource operations are retried until successful.
Provision: Performs the standard steps to create a new Identity Manager user and provision resource accounts. Individual resource operations are retried until successful.
Set Password: Changes the password of the Identity Manager account and resource accounts.
Update User Object: Checks out a WSUser object, applies a set of changes, and checks in the object.
Update User View: Checks out the user view, applies a set of supplied updates, and checks in the user view.
Update View: Applies a collection of changes to any view.

Table 1-6 Default End User Workflows (Activity: Description)
End User Update Groups: Updates the group assignments on resources that support groups assigned to one of a manager's reports.
End
163. containers for the resource, used by the Identity Manager interface to display a list to choose from.
orgParentContainerId: Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).
orgResource: Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).
orgResourceType: Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).
orgResourceId: Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.
orgRefreshAllOrgsUserMembers: If true, and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, resource container user membership will not be synchronized, only the resource containers to Identity organizations for the selected organization and all child organizations.

Dynamic Organization Attributes

Table 5-33 Dynamic Organization Attributes
Name | Editable | Data Type | Required
orgUserMembersRule | Read/Write | String | No
orgUserMembersRuleCacheTimeout | Read/Write | String | No

orgUserMembersRule: Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at
164. copy of the list contained in the variable srclist, then appends one element.

    <append>
      <ref>srclist</ref>
      <s>oranges</s>
    </append>

Example 2: The following expression modifies an existing list by appending a value.

    <set name='somelist'>
      <List>
        <s>We</s>
        <s>say</s>
      </List>
    </set>
    <append name='somelist'>
      <s>Hello</s>
      <s>World</s>
    </append>
    <ref>somelist</ref>

appendAll Function: Merges the elements in multiple lists. If the name attribute is specified, an existing list is modified. Otherwise, a new list is created.

Example 1: The following expression creates a new list by combining the elements in srclist with three additional elements.

    <appendAll>
      <ref>srclist</ref>
      <list>
        <s>apples</s>
        <s>oranges</s>
        <s>peaches</s>
      </list>
    </appendAll>

Example 2: The following expression adds three elements to the list stored in the variable srclist.

    <appendAll name='srclist'>
      <list>
        <s>apples</s>
        <s>oranges</s>
        <s>peaches</s>
      </list>
    </appendAll>

contains Function
first argument: list
second argument: any object to search for in the list
This function returns 1 list contains a giv
165. creating resource type tabs on the user form.
Dynamic Forms Rule Library: Contains the rule library for dynamically printing out attributes for resources that have no specified user form.
Dynamic Resource Forms: Contains all forms that are currently compatible with the Dynamic Tabbed User form. Users can customize this list.

Installing Dynamic Tabbed User form involves two steps: importing the form and changing the form mapping.

Step 1: Import the Form
1. From the Identity Manager menu bar, select Configure > Import Exchange File.
2. Enter the file name dynamicformsinit.xml, or click Browse to locate the dynamicformsinit.xml file in the sample directory.
3. Click Import. Identity Manager responds with a message that indicates that the import was successful.

Step 2: Change Form Mapping
There are two methods of assigning a user form to an end user. Select a method to edit these form mappings depending upon how administrators in your environment will be using these forms. These methods include:
- Assign Scalable User Form as the default User Form for all administrators. If this is your choice, see Assign Scalable User Form as the Default User Form. Identity Manager administrators can assign one form that all administrators will use.
- Separately assign the Scalable User Form to a particular administrator(s). If this is your choice, see Assign Scalable User Form per Administrator.

Assign Scalable User Form as the
166. ct that is being unlocked.
lockedBy | no | Indicates the alternate lock name that was used when locking the object.

Return Values and Side Effects: If successful, the object specified is unlocked. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

unlockView Session Workflow Service: Unlocks an Identity Manager view.

Table 2-28 unlockView Method Arguments
Name | Required | Valid Values | Description
op | yes | unlockview |
view | no | | Indicates the view that is to be unlocked. If this argument is not specified, the unlockView workflow service will have no effect.

Return Values and Side Effects: If successful, the view specified is unlocked. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

Provision Workflow Services: There is also a set of services in com.waveset.provision.WorkflowServices, although they are used less often than the methods in com.waveset.session.WorkflowServices. These are the low-level primitives for performing account management. They are called by the stock workflows. In a custom workflow, you might want to use these, or you might want to use the higher-level views with checkoutView/checkinView, which will in turn launch the stock workflows.

General Provision Workflow Services Call Structure: Workflow services are called from workflow actions. The g
167. cts(String subjectString, String objectType, String resourceId, Map options)

or

getResourceObjects(String subjectString, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)

Description

Returns a list of objects where each object contains a set of attributes including type, name, and ID (a DN or fully qualified name), as well as any requested searchAttrsToGet value. The returned value is a List of GenericObjects. Each GenericObject can be accessed similar to how a Map is accessed. Invoking a get method on each object, which passes in the name of the attribute, returns the attribute value.

Parameters

Table 4-15 getResourceObjects Parameters

Parameter | Description
session | Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
subjectString | Presents the serialized XML representation of the user object. This representation is useful in workflow, where there is no current session. For example, to retrieve a subject: <invoke name='getSubject'><ref>WF_CONTEXT</ref></invoke>
objectType | Specifies the name of a valid object class for this specified resId. If null, this method returns objects

Remaining parameters listed in the table: resourceId, cacheList, cacheTimeout, clearCacheIfExists, options
168. d, Map options, String cacheList, String clearCacheIfExists)

or

listResourceObjects(String subjectString, String objectType, String resourceID, Map options, String cacheList)

or

listResourceObjects(String subjectString, String objectType, String resourceID, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)

The two preceding variants are the same except that the second method clears the cache list.

listResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList, String clearCacheIfExists) throws WavesetException

or

listResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList) throws WavesetException

or

listResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists) throws WavesetException

or

listResourceObjects(String subjectString, String objectType, List resourceList, Map options, String cacheList, String clearCacheIfExists)

Description

Retrieves a list of resource objects of a specified type (for example, group). This method first attempts to get the list from the server s resou
169. d s value. This is a valuable design feature if the resource attribute value is encoded and would not be obvious to the user.

The following example shows a field definition that uses conditional logic to map one set of values into another set.

<Field name='location' prompt='Location'>
  <Display class='Text'/>
  <Derivation>
    <switch>
      <ref>accounts[Oracle].locCode</ref>
      <case>
        <s>AUS</s>
        <s>Austin</s>
      </case>
      <case>
        <s>HOU</s>
        <s>Houston</s>
      </case>
      <case>
        <s>DAL</s>
        <s>Dallas</s>
      </case>
      <case default='true'>
        <s>unknown</s>
      </case>
    </switch>
  </Derivation>
</Field>

The <Derivation> element is part of the Form XML language that can contain an expression. When this field is processed, the expression in the <Derivation> element is evaluated to determine the value to be displayed for this field.

In the preceding example, the value of the resource account attribute accounts[Oracle].locCode is compared to the first value in each case expression. If a match is found, the result of the switch expression is the second value in the matching case expression. If no matches are found, the result of the switch is the value within the default case.

Generating Field Value
170. d complete before the workflow can proceed. Since most manual actions are used to solicit approvals, the work item table is under the Approvals tab. Any manual action that belongs to a workflow is represented by a WorkItem object in the repository.

TaskInstances

Once a workflow task is launched, the workflow engine creates a TaskInstance in the repository. A TaskInstance is an object in the repository that holds the runtime state of an executing workflow process. It stores context variables and immediate transition information for the TaskDefinition from which it was spawned.

The TaskInstance references the descriptive TaskDefinition object through the TaskDefinition object's generated ID. If you edit a TaskDefinition, TaskInstances already in execution will continue to use the old TaskDefinition object, but new ones will use the modified TaskDefinition with its newly generated ID.

When Are Task Instances Deleted?

The life of a TaskInstance is determined by the resultLimit parameter. If the result limit is zero, the task will be deleted immediately after completion. If it is positive, the value is the number of minutes that the TaskInstance is kept.

To delete a suspended workflow TaskInstance:

1. Click the Manage Tasks tab in the Identity Manager Administrator Interface.
2. Select View All Tasks.
3. Select the suspended TaskInstance, then click Terminate.

Workflows in the Repository

Within the Identity Manager repository
171. d asterisk appearing to the right of the field. Message text at the bottom of the form indicates that a red asterisk denotes fields that must have a value for submission to proceed.

Button: Causes the field to display in a single horizontal row at the bottom of the form. Otherwise, it displays on the next line of the form. This is most often set with fields that use the display class Button.

Action: When set, a change causes the page to refresh any Select or MultiSelect controls. In the Identity Manager Administrator Interface, this causes the underlying view to be refreshed. Role selection exemplifies this behavior. When a new role is selected in the Tabbed User Form, the view is refreshed to reflect the resources that are assigned through that role during that edit session. After the view has been refreshed, resource account attributes on those newly assigned resources can be explicitly set.

Library: Indicates that a field should only display when it is referenced, rather than when it is declared. This is useful when the order in which fields are evaluated on a form may differ from the order in which they are displayed to the user.

Specify an expression to calculate a default value for the field. The default expression is called before the form is displayed if the current value for this field is null.

Specify an expression to calculate the value of a field before it is displayed. It is similar to a Default expression, except that it is evalu
172. d> element displays a new section heading defined by the value of the title (prompt) property. It is an extension of the Label class that sets the font property to a style that results in large bold text. It also sets the pad property to zero to eliminate the default two-space padding.

<Field>
  <Display class='SectionHead'>
    <Property name='title' value='Calculated Fields'/>
  </Display>
</Field>

Adding a Calendar Icon to a Form

You can add a calendar icon to a page with the DatePicker element. The user can click this icon to select a calendar date and populate a page field. For example, the Identity Manager Create Audit Report page uses this component to select start and end dates.

The DatePicker element returns a date object. Most resource attributes that you set using DatePicker require a date in the form of a string. The extra text field performs the conversion of the new date object into a string or displays the current setting.

You can obtain the date in one of several formats by passing a different format string to the invoke dateToString method, as indicated in the following table.

Table 3-14 Expiration Date Formats

Expiration Date Field | Format
AIX | MMddHHmmyy
HPUX | MM dd yy
Solaris | MM dd yyyy

<Field name='aix_account_expire'>
  <Display class='DatePicker'>
    <Property name='title' value
173. d responses are:

Table 5-48 situations Options (ReconcilePolicy View)

Response | Description
DO_NOTHING | Performs no automated response
CREATE_NEW_USER | Creates new user based on the resource account
LINK_ACCOUNT | Assigns the account to the claiming user
CREATE_ACCOUNT | Recreates the account on the resource
DELETE_ACCOUNT | Removes the account from the resource
DISABLE_ACCOUNT | Disables the account on the resource

explainActions: Specifies whether reconciliation should record detailed explanations of actions in the Account Index.

resource

Table 5-49 resource Attributes (ReconcilePolicy View)

Attribute | Editable | Data Type
reconcileNativeChanges | Read/Write | Boolean
reconciledAttributes | Read/Write | List of Strings
listTimeout | Read/Write | Integer
fetchTimeout | Read/Write | Integer

reconcileNativeChanges: Specifies whether native changes to account attributes should be reconciled.

reconciledAttributes: Specifies the list of account attributes that should be monitored for native changes.

listTimeout: Specifies, in milliseconds, how long reconciliation should wait for a response when enumerating the accounts present on the resource.

fetchTimeout: Specifies, in milliseconds, how long the reconciliation process should wait for a response when fetching an account from a resource.

Reconcile Status View

Used to obtain the status of the last requested reconcilia
174. d the defined visible rows, the text area displays a scroll bar.

Appendix A: Form and Process Mappings

This appendix lists the forms and workflow processes used in Identity Manager and their corresponding system names. For information on the Identity Manager Integrated Development Environment (Identity Manager IDE), see Using the Identity Manager IDE in Identity Manager Deployment Tools.

Form Mappings

The following table shows each form's system name and the name by which it appears in the product interface. The Form Mappings column lists the system name of the form. The name listed in the Form Name Mapped To column is the name by which the form is identified in Identity Manager IDE and in the Debug page of Identity Manager.

Table 0-1 Form System and Product Interface Names

System Name | Mapped to
accessApprovalList | Access Approval List
accessReviewDeleteConfirmation | Access Review Delete Confirmation Form
accessReviewDashboard | Access Review Dashboard
accessReviewSummary | Access Review Summary
accessReviewDetail | Access Review Detail
accessScanForm | Access Scan Form
LDAP ChangeLog ActiveSync Create Group Form | LDAP Create Group Form
LDAP ChangeLog ActiveSync Create Organization Form |
LDAP ChangeLog ActiveSync Create Organizational Unit Form |
LDAP Ch
175. d uses a subject String instead of Session.

getRoles Method

getRoles(LighthouseContext s)

or

getRoles(LighthouseContext s, String current)

or

getRoles(LighthouseContext s, List current)

or

getRoles(LighthouseContext s, Map options)

Description

Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.

Table 4-17 getRoles Parameters

Parameter | Description
s | Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>.
options | current, conditions, and scopingOrg. See table.

Table 4-18 Options Values

Option | Value
current | See Additional Options
conditions | See Additional Options
scopingOrg | See Additional Options

Return Values

Returns a list of role names that the current administrator has access to. If a current value or current list is supplied, the role name or names on the list are added to the role names returned.

getUnassignedApplications Method

getUnassignedApplications(LighthouseContext s, Map options) throws WavesetException

Description

Builds a list of application names suitable for a user's private applications. A private application is an application that is directly assigned to a user. T
176. dLoop

This component respects the align, valign, and width properties of the children components when rendering the table cells. Properties include:

- pageButtonAlign: Determines position of buttons relative to page content. Valid values include left, right, bottom, and center. The default value is right.
- sortEnable: Enables column sorting when set to true. (Boolean)
- sortURL: Identifies the URL that Identity Manager posts to when column sorting is selected. If column sorting is not set, Identity Manager uses the _postURL of the HtmlPage. (String)
- sortURLParams: Specifies the parameters that get passed along with the sortURL. (String)
- sortColumn: Specifies the number of the column that we are currently sorting by. The default is to set this value to the first column. (Integer)
- sortOrder: Specifies the sort order. Values include asc (for ascending) or desc (for descending). Default value is asc. (String)
- linkEnable: Indicates if this table is to be generated with the first column as links. (Boolean)
- linkURL: Specifies the URL that Identity Manager links to when generating links. If not specified, defaults to the post URL of the containing HtmlPage. (String)
- linkURLArguments: Indicates the arguments to include in the link URL.
- linkColumn: Specifies the column number that will be used for the generated links, as specified by the linkURL attribute. (Integer)
177. dd a FormRef for each sample form to add it to the main form.

1. Add the following line for each sample form in an appropriate location in the main form:

   <FormRef name='UserFormName'/>

2. Remove the following line:

   <FormRef name='MissingFields'/>

3. Click Save to save form changes.

Chapter 4: FormUtil Methods

This chapter describes the most used FormUtil methods. The FormUtil class provides a collection of utility methods that are intended to be called from XPRESS expressions within form objects. The FormUtil methods are usually used within the valueMap property of Select and MultiSelect fields to constrain the list of possible values. Additional methods are provided to format string values such as dates and directory DNs.

Related Chapters

- Identity Manager Views: Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.
- Identity Manager Forms: For examples on using these methods within forms, see the sections titled Using Hidden Components and Populating Lists.

Invoking Methods

Use the following syn
178. Alternatives to the Default Create and Edit User Forms
Available Scalable Forms
Customizing Tabbed User Form: Moving Password Fields to the Attributes Area
Testing Your Customized Form
Sample Forms and Form Fields
User Form Library
Chapter 4 FormUtil Methods
Related Chapters
Invoking Methods
callResourceMethod Method
buildDn Method
Return Values
Examples
checkStringQualityPolicy Method
179. dentity Manager repository. Some attributes nested within this attribute set are not intended for direct manipulation in the form, but are provided so that Identity Manager can fully represent all information in the WSUser object in the view.

Most Used Attributes

Not all attributes are necessary when creating a new user. The following list contains the waveset attributes that are most often visible during creation or editing. Some attributes are read-only, but their values are used when calculating the values of other attributes. All waveset attributes are described in the sections that follow this table.

Table 5-3 Most Used Attributes of the waveset Attribute (User View)

Attribute | Editable | Data type
waveset.accountId | Read/Write | String
waveset.applications | Read/Write | String
waveset.correlationKey | Read/Write | String
waveset.creator | Read only | String
waveset.createDate | Read only | String
waveset.disabled | Read/Write | String
waveset.email | Read/Write | String
waveset.exclusions | Read/Write | List
waveset.id | Read | String
waveset.lastModDate | Read | String
waveset.lastModifier | Read | String
waveset.locked | Read | String
waveset.lockExpiry | Read/Write | String
waveset.organization | Read/Write | String
waveset.questions | Read/Write | List
waveset.resources | Read/Write | List
waveset.resourceAssignme
180. of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox graphical user interface, which license also covers Sun's licensees who implement the OPEN LOOK graphical user interface and otherwise comply with Sun's written license agreements.

The products covered by this service manual and the information it contains are governed by U.S. export control laws and may be subject to the export or import laws of other countries. End uses or end users for nuclear weapons, missiles, chemical and biological weapons, or nuclear maritime purposes, whether direct or indirect, are strictly prohibited. Exports or reexports to countries under U.S. embargo, or to entities appearing on U.S. export exclusion lists, including, but not limited to, the list of persons who are subject to an order not to participate, directly or indirectly, in exports of products or services governed by U.S. export control laws, and the list of specially designated nationals, are strictly prohibited.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES
181. dify

Selective Browsing

Selective browsing, another feature incorporated into scalable forms, permits an administrator to incrementally view resources based on their owning role, on their resource type, or from a list of resources.

Multiple Resource Editing

Multiple resource editing allows an administrator to select subsets of resources for editing resource attributes. An administrator can select subsets based on roles, resource types, or from a list of resources.

When to Use Scalable Forms

Consider using scalable forms when:

- Administrators are manually editing users who have many resource accounts. Implementing a scalable form under these circumstances allows administrators to selectively edit specific resource accounts without incurring the overhead of fetching the user's data for all resource accounts. This mechanism is particularly useful when a certain type of resource responds much slower than the other resource types associated with a user.
- Custom provisioning processes, such as ActiveSync, target only specific resources for updates.

NOTE: Do not use scalable forms when form logic includes attributes that reference other resources. In this configuration, these cross-reference attributes will either not be populated with the latest data or these resources should be fetched together.
182. ding upon whether the name attribute is included in the function element. If included in the function element, the name is expected to resolve to a variable containing a list. In this case, the referenced variable is destructively modified.

The following example modifies the list stored in the someList variable and adds two elements.

<append name='someList'>
  <s>Hello</s>
  <s>World</s>
</append>

If the name is not included in the function element, a new list is constructed. In the following example, a new list is created by combining the elements of the list stored in the someList variable with two additional elements. The value of the someList variable is not modified.

<append>
  <ref>someList</ref>
  <s>Hello</s>
  <s>World</s>
</append>

Use the following functions to manipulate list elements.

append Function

Appends a value to a list. The argument list takes one of two forms, depending on the presence of the name attribute. If name is not specified, then the first argument must be a list and the remaining arguments are elements to append to that list. A copy of the list is returned; the original list is not modified. If the name argument is used, then all arguments are considered objects to be appended to the list contained in the variable with that name. The list is modified without being copied.

Example 1

The following expression makes a
183. dit | Associated JSP | Associated Form
Create/Edit User | account/modify.jsp | Tabbed User Form
Change User Account Attributes | user/changeAll.jsp | End User Form
Welcome | user/anonmmain.jsp | Anonymous User Menu
Edit Work Item | approval/itemEdit.jsp | Approval Form

Edited Forms

Of the default forms that ship with Identity Manager, you will probably edit one of the following five forms:

- End User Menu Form
- Anonymous User Menu Form
- Tabbed User Form
- End User Form
- Approval Form

These edited forms control the creation and modification of users and the display of the main menu that the user sees. They are described in greater detail in the following sections.

End User Menu Form

End User Menu Form controls the display of the main menu in the Identity Manager User interface. Typically, this form contains links for changing the user's password, editing account attributes, and changing answers to authentication questions.

You can customize End User Menu Form to add links to launch special workflow processes that are accessible to the user (for example, a process to request access to a system).

For example, to present the End User Test Process as a link to click from the end user pages, add the entries shown in the following code example.

Code Example 3-1 Adding End User Test Process link to End User Menu Form

<Configuration id='#ID#Configuration:EndUserTasks' name='End User Tas
184. dule

- time: Specifies the start time for the schedule.

correlation

Identifies the name of the correlation rule.

Table 5-45 correlation rules (ReconcilePolicy View)

Attribute | Editable | Data Type
correlationRule | Read/Write | String
confirmationRule | Read/Write | String

correlationRule: Identifies the name of the correlation rule to use when correlating accounts to users.

confirmationRule: Identifies the name of the confirmation rule to use when confirming correlated users against accounts. When no confirmation is required, specify the value CONFIRMATION_RULE_NONE.

workflow

Table 5-46 workflow Attributes (ReconcilePolicy View)

Attribute | Editable | Data Type
proxyAdministrator | Read/Write | String
preReconWorkflow | Read/Write | String
perAccountWorkflow | Read/Write | String
postReconWorkflow | Read/Write | String

proxyAdministrator: Specifies the name of the user with administrative capabilities.

preReconWorkflow, perAccountWorkflow, postReconWorkflow: Specifies the name of the workflow to run at the appropriate point in reconciliation processing. To specify that no workflow be run, use the value AR_WORKFLOW_NONE.

response

Table 5-47 response Attributes (ReconcilePolicy View)

Attribute | Editable | Data Type
situations | Read/Write | List
explanations | Read/Write | Boolean

situations: Specifies the automated response to perform for the specified situation. Vali
185. e ChangePassword, Configure, Connect, Create, CredentialsExpired, Delete, Deprovision, Disable, Disconnect, Enable, Load, Login, Logout, Modify, NativeChange, Provision, Reject, RequestReconcile, Terminate, View

Chapter 3: Identity Manager Forms

This chapter describes how you can customize the appearance and behavior of selected pages in Sun Java System Identity Manager Administrator and User Interfaces by customizing the forms that define these pages.

Topics in this Chapter

This chapter is organized into the following sections:

- Understanding Forms: Introduces basic form concepts and describes how forms are integrated into Identity Manager.
- Customizing Forms: Describes form programming syntax and logical guidelines to use when working with forms, and provides examples of different form elements.
- Testing Your Customized Form: Provides techniques to use when verifying your form syntax and tracing field logic in your custom forms.

Related Chapters

- Identity Manager Views: Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.
- HTML Display Components: You use the HTML component language to create field definitions when editing a form.
- XPRESS Language: You use expressions to include logic in your forms.

Introduction to the Identity Ma
186. e The function takes one argument, which must be literal text. Length is constrained only by the amount of contiguous memory available in your Java environment.

Example

<s>Now is the time</s>

Arithmetic Expressions

Use the following functions to perform arithmetic processing within expressions.

add Function

Performs integer summation over the values of all arguments. Arguments that are not integers are coerced to integers.

Example

The following expression results in an integer (42).

<add>
  <i>40</i>
  <i>1</i>
  <s>1</s>
</add>

div Function

Performs successive integer division over the values of all arguments. Arguments that are not integers are coerced to integers.

Example

The following expression results in an integer (42).

<div>
  <i>84</i>
  <i>2</i>
</div>

mod Function

Performs successive integer modulo over the values of all arguments. Arguments are coerced to integers. Arguments of type null are ignored.

Example

The following expression results in an integer (42).

<mod>
  <i>142</i>
  <i>100</i>
</mod>

mult Function

Performs successive integer multiplication over the values of all arguments. Arguments that are not integers are coerced to integers.

Example
187. e selectedtitle and the name of the resource as needed.

NOTE: In the following example, the colon that precedes display.session indicates that you can ignore the base context of the form and reference objects from the root of the workflow context.

<Field name='global.AD Groups'>
  <Display class='MultiSelect' action='true'>
    <Property name='title' value='AD Group Membership'/>
    <Property name='availableTitle' value='Available AD Groups'/>
    <Property name='selectedTitle' value='Selected AD Groups'/>
    <Property name='allowedValues'>
      <invoke class='com.waveset.ui.FormUtil' name='listResourceObjects'>
        <!-- send session information, which will be used by the method to validate authorization user -->
        <ref>:display.session</ref>
        <!-- resource object type. This will differ from resource to resource, but common types are account, group, and distribution list -->
        <s>Group</s>
        <!-- Name of resource being called -->
        <s>AD Resource Name</s>
        <!-- options map. Some resources have options like the context that the group is listed in. For example, active directory has multiple containers. By default, the container used wi
188. e to be returned; the operator is assumed to be equals. If more than one attrname/value pair is specified, they will be logically and-ed together.

Example:

<map>
  <s>memberObjectGroups</s>
  <ref>waveset.organizations</ref>
</map>

Table 4-33 Values of conditions Attribute

Value Format | Description
list | Lists AttributeCondition objects. If more than one AttributeCondition is specified, they will be logically and-ed together.

Example:

<list>
  <new class='com.waveset.object.AttributeCondition'>
    <s>MemberObjectGroups</s>
    <s>equals</s>
    <ref>waveset.organization</ref>
  </new>
</list>

Using the conditions Attribute

You can specify a list of one or more object-type-specific query attribute conditions to filter the list of names returned by certain FormUtil methods. These methods include methods that take an options map as an argument. You can specify these query attribute conditions as a query option whose key is conditions and whose value can be specified as either a map or list of AttributeConditions.

Examples: Using the condition Attribute to Filter Names

The following examples illustrate the use of the conditions attribute to apply additional filters to the list of names returned by a FormUtil method that takes an options map as an argument.

Example 1
189. e value Office Phone Number gt lt Property name size value 3 gt lt Property name maxLength value 3 gt lt Display gt lt Field gt lt Field name P2 gt lt Display class Text gt lt Property name title value gt lt Property name size value 3 gt lt Property name maxLength value 3 gt lt Display gt lt Field gt lt Field name P3 gt lt Display class Text gt lt Property name title value gt lt Property name size value 4 gt lt Property name maxLength value 4 gt lt Display gt 162 Identity Manager 7 0 Workflows Forms and Views lt Field gt lt Field name global OfficePhone gt lt Expansion gt lt concat gt lt ref gt P1 lt ref gt lt s gt lt s gt lt ref gt P2 lt ref gt lt s gt lt s gt lt ref gt P3 lt ref gt lt concat gt lt Expansion gt lt Field gt Example The following example expands on the field definition for the field P1 defined above It defines how a phone number attribute is read into the form and consequently expands into the three field displays lt Field name P1 gt lt Display class Text gt lt Property name title value Office Number gt lt Property name size value 3 gt lt Property name maxlength value 3 gt lt Display gt lt Field gt When a user enters data into Identity Manager the form can ensure the data is entered pro
190. e 2-21 queryObjectNames Method Arguments

Name | Required | Valid Values | Description
op | yes | queryObjectNames |
type | yes | | Identifies the object type for which the search is performed.
attributes | no | | Indicates a list or map of queryable attribute name/value pairs to use to query objects. If not supplied, all objects of the given type are returned.
single | no | true, false | If true, the query will return the name of the first object that matches the query specified; if false or not supplied, the query will return the names of all objects that match the query specified.

Return Values and Side Effects

If single is false or unspecified, the list of object names that satisfies the query attributes specified is placed into the variable queryResult. If single is true, the name of the first object that satisfies the query attributes specified is placed into the variable queryResult. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

queryObjects Session Workflow Service

Returns a list of objects that match the query attributes specified. This method accepts either

Table 2-22 queryObjects Method Arguments

Name | Required | Valid Values | Description
op | yes | queryObjects |
type | yes | | Indicates the object type for which the search is performed.
attributes | no | | Specifies either a Map containing elements of type WSAttribute or a List containing elements of type AttributeCondition. If not sup
191. e Effects: A WavesetResult object containing the result of the enable. getApprovals Provision Workflow Service: Determines the lists of approvals for the assigned role, organization, and resources for an existing account. Table 2-42 getApprovals Method Arguments (Name; Required; Valid Values; Description): op (required: yes; valid value: getApprovers). user (required: yes; valid value: GenericObject): Identifies the view that represents the user. Return Values and Side Effects: If the getApprovals workflow is successful, a GenericObject describing the approvals necessary for the user is returned in the approvals variable. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error. lockOrUnlock Provision Workflow Service: Locks or unlocks a specified user if the Lighthouse Account Policy associated with the user specifies a lock expiration time. The user is unlocked when one of these conditions is met: (a) a user who is assigned the Unlock User capability unlocks the user's Lighthouse account; (b) the current date and time is later than the user's lock expiration date and time, if one was set. While a user is locked, the user cannot log in by any login application interface (for example, the User or Administrator Interfaces). By default, the Lock service is called by the Failure activity of the Password Login process that is invoked when the number of failed password login attempts exceeds
192. e Indicates whether or not to disable the Identity Manager account. doResources (required: no; valid values: true, false): Indicates whether or not to disable the user's resources. doAuthenticators (required: no; valid values: true, false): If true, disables all pass-through authentication resources. Return Values and Side Effects: A WavesetResult object containing the result of the disable. enable Provision Workflow Service: Enables an Identity Manager account and/or resource accounts. Table 2-41 enable Method Arguments (Name; Required; Valid Values; Description): op (required: yes; valid value: enable). subject (required: no): Indicates the effective subject for the call. If not supplied, the task's subject is used. If the value of this argument is none, then no authorization is performed. options (required: no; valid value: Map): A value map of option name/option value pairs. If not supplied, specific arguments below are used. If supplied, any specific arguments below will override the same argument contained in this options map. accountId (required: no): Identifies the name of the Identity Manager user to enable. adminName (required: no): Indicates the name of the administrator performing the operation. loginAppName (required: no): Specifies the login application name. doLighthouse (required: no; valid values: true, false): Indicates whether or not to enable the Identity Manager account. doResources (required: no; valid values: true, false): Indicates whether or not to enable the user's resources. doAuthenticators (required: no; valid values: true, false): If true, enables all pass-through authentication resources. Return Values and Sid
193. e Table Rule Library Resource Table Utility Library Contains all globally available fields that are used for navigation, incremental fetching, and form layout. This main form drives all the other resource-related scalable forms. Contains primary fields for the Resource Table User form. Includes bread crumb and navigation fields. Contains Fields for account information section of Resource Table form. Contains the rule library for retrieving, counting, analyzing a user's resources. This is mostly used by the User Form Library and to build table data on roles and resources. Contains the rules used during the selection process on Resource Table Form; for example, these rules retrieve resources per role or per type. Installing Resource Table User form involves two steps: importing the form and changing the form mapping. Step 1: Import the Form. 1. From the Identity Manager menu bar, select Configure > Import Exchange File. 2. Enter the file name or click Browse to locate WSHOME/sample/resourcetableforms.xml. Importing this file also imports Step 2: Change Form Mapping. 1. From the menu bar, select Configure > Configure Form and Process Mappings. 2. In the Form Mappings section, locate userForm under the Form Type column. 3. Specify Resource Table User Form in the box provided under the Form Name Mapped To column. Customizing Scalable Forms: After importing and mapping the scalable user form, you must c
194. e a workflowAuditAttrConds list, assumed to be a list of GenericObjects. If you define an attrName attribute within the workflowAuditAttrConds list, Identity Manager pulls attrName out of the object within the code, first using attrName as the key and then storing the attrName value. All keys and values are stored as uppercase values. Adding Applications: You can register your own Java methods so that they can be accessed from the Identity Manager IDE. To do this: 1. Edit the idm/config/workflowregistry.xml file. 2. Add the application definition in a form similar to this example: <WorkflowApplication name='Increment Counter' class='com.waveset.util.RandomGen' op='nextInt'> <ArgumentDefinition name='start' value='10'> <Comments>Get the next counter</Comments> </ArgumentDefinition> </WorkflowApplication> 3. Restart the Identity Manager IDE. The new application is added to the application menu. Configuring Workflow Properties: The System Configuration object controls workflow configuration properties. The following table lists the most frequently configured properties. For information on using the Identity Manager Integrated Development Environment to view or edit the System Configuration object, see Introduction to the Identity Manager Integrated Development Environment in Identity Manager Deployment Tools. Table 1-9 Workflow Properties in System Configuration Object Attri
195. e account exists for a given resource, the object names take a suffix of the form n, where n is an integer. The first account on a resource has no suffix. The second account has the suffix 2. The third account on a resource has 3, etc. For example, if you have a resource named Exchange Server that defines an account attribute named Profile, the view path to this attribute would be accounts[Exchange Server].Profile. If this view path were used in a form field, it would prevent the value of the global Profile attribute from being propagated to the Exchange Server account. NOTE: You may want to use account-specific attributes in forms rather than global attributes to prevent propagation of values to all resources. Overriding Resource Attributes: In addition to setting account attributes, you can also specify resource attribute overrides for each account. Resource attributes are attributes that are defined for the resource definition in Identity Manager and consequently for the resource type. They are not attributes associated with an individual account. Examples of resource attributes include the host name of the server or the base context in a directory. You may want to create an account on a resource but use a different value for one of the resource attributes. You could do this by duplicating the resource and changing the value, but excessive resource duplication can be confusing. Instead, resource attributes can be
196. e attributes will either not be populated with the latest data or these resources should be fetched together. In addition, the scalable version of the Create User form provides limited benefit over the standard default version because a new user has no resources to begin with. Available Scalable Forms: Identity Manager ships the following two scalable user forms, which are described below: (1) Dynamic Tabbed User form, which provides an alternative to the default Tabbed User form; (2) Resource Table User form, which provides an alternative to the default Tabbed User form Edit User form. Dynamic Tabbed User Form: Provides an alternative to the default Tabbed User form, which fetches all resources as soon as an administrator begins editing. In contrast, Dynamic Tabbed User form features incremental fetching and editing of multiple resources based on resource type. NOTE: For detailed implementation information, see the comments associated with each user form in WSHOME/samples/form_name.xml. Importing and Mapping the Form: Three forms are involved in the substitution of Dynamic Tabbed User form for the default Tabbed User form. Table 3-20 Forms associated with Dynamic Tabbed User Forms (Form; Description): Dynamic Tabbed User Forms: Contains the features of the default Tabbed User Form but dynamically creates one tab per resource type. Dynamic User Forms: Contains fields for
197. e> <ref>accounts[AIX].aix_expires</ref> </cond> </Expansion> </Field> Adding a Back Link: You can add a component that behaves the same as the browser Back button. This component permits you to add a back link anywhere on the form. <Field name='back'> <Display class='BackLink'> <Property name='title' value='Back'/> <Property name='value' value='previous page'/> </Display> </Field> Positioning Components on a Form: The location of a component on a form is determined by the following factors: (1) The Java Service Page (JSP) associated with this form. The title and subtitle of the form can be set here. (2) Order in which the components are listed in the form. The browser will display form fields in the order in which they are included in the form. (3) Use of container forms. For example, to create a vertical row of buttons, use the <ButtonRow> container component. Using Hidden Components: Many forms are not visible to the user but help process data from an external resource through the resource adapter before passing it into Identity Manager. In visible forms, too, some components can be hidden. These hidden components are used to process this incoming data as well as to transform data in visible forms. Some hidden processing within forms is carried out by the methods in the FormUtil Java class. These are frequently used when populating
198. e guidelines in the section titled Using a Java Class to Obtain Field Data. Example Scenario: The following example illustrates a type of expression optimization. If you want to query a database for information that is not stored in Identity Manager or accessible as a resource account attribute, follow these general steps: 1. Write a Java class that performs the database access. 2. Define a form field that uses a default expression to call the Java class. 3. Reference the hidden variable. Using a Java Class to Obtain Field Data: You will need to write a Java class that has methods that can be called to retrieve information. The example in the following section, Defining a Hidden Form Field, uses the getJobGrade method, which is a custom method. You should locate this custom class in the idm/WEB-INF/classes/com/waveset/custom directory structure. If these directories do not exist on your system, you must create them. Follow these guidelines when writing this class: (1) If the method performs an expensive operation, such as a database request, you should make the call in the Default expression of a hidden form field. This will cause the value to be stored in the view when the form is first loaded. The value can then be referenced many times without incurring database overhead. (2) If the method being called has not been declared static, use the new element to instantiate the class fir
199. e is Rule. value: Specifies value if rule type is Text. notifications: Lists the names of administrators that must approve the assignment of this role to a user. approvers: Specifies the names of the approvers that must approve the assignment of this role to a user. properties: Identifies the user-defined properties that are stored on this role. organizations: Lists organizations of which this role is a member. Task Schedule View: Use to create and modify TaskSchedule objects. This view contains the following attributes. Table 5-64 Task Schedule View Attributes (Name; Editable; Data Type; Required): scheduler (Read/Write; String). task (Read/Write; Boolean). scheduler: Contains attributes that are related to the scheduler itself, which are common to all scheduled tasks. The attributes are: Table 5-65 Attributes of scheduler Attribute, Task Schedule View (Name; Editable; Data Type; Required): name (Read/Write; String; No). id (Read; String; No). definition (Read/Write; String; No). template (Read/Write; String; No). taskOrganization (Read/Write; String; No). taskName (Read/Write; String; No). description (Read/Write; String; No). disabled (Read/Write; Boolean; No). skipMissed (Read/Write; Boolean; No). start (Read/Write; Date; No). repeatCount (Read/Write; Int; No). repeatUnit (Read/Write; String; No). resultOption (Read/Write; String; No). allowMultiple (Read/Write; Boolean; No).
200. e is used to send the value from the resource and determine if the value is in the list. NOTE: In the following example, action is set to true to ensure that form fields populate automatically. <Field name='Title'> <Display class='Select' action='true'> <Property name='title' value='Title'/> <Property name='allowedValues'> <Property name='nullLabel' value='Select'/> <expression> <ref>titleList</ref> </expression> </Property> </Display> <Derivation> <cond> <isnull> <ref>global.Title</ref> </isnull> <null/> <cond> <eq> <contains> <ref>titleList</ref> <ref>global.Title</ref> </contains> <i>1</i> </eq> <ref>global.Title</ref> <s>Other</s> </cond> </cond> </Derivation> </Field> The Other field will appear on the form only if the user has selected Other from the title field. The value of the Other field is set when the form is loaded. It is based upon the value of the Title field and the global title field. <Field name='otherTitle'> <Display class='Text'> <Property name='title' value='Other Title'/> <Property name='rowHold' value='true'/> <Property name='noWrap' value='true'/> <Property
201. e object. start: Indicates the date and time at which to launch the task. repeatCount: Combined with repeatUnit, determines how frequently tasks will be run. If repeatCount is zero or not specified, a scheduled task will only run once. If repeatCount is a positive number, the task will be run more than once at the interval specified by repeatUnit. repeatUnit: Defines the interval of time between running tasks that have a positive repeatCount value. Valid values include second, minute, hour, day, week, month. For example, to schedule a task to run once a week for a year, set repeatUnit to week, repeatCount to 52, and start to the first day that the task is to run. resultOption: Specifies what the scheduler will do if a TaskInstance with the desired name already exists when the scheduled task is run. The possible values are wait, delete, rename, and terminate. wait: Indicates whether the scheduler should run the task again or wait for another repetition. This attribute is only meaningful if you have set repeatCount and repeatUnit. delete: Tells the scheduler to delete the existing TaskInstance if it has finished. rename: Indicates that the scheduler should rename the existing TaskInstance if it has finished. skipMissed: Indicates whether Identity Manager attempts to immediately make up a missed schedule time (false) or simply wait until the next scheduled time (true). When set to false, Identity Manager immediatel
202. e password at next login'/> <Property name='alignment' value='left'/> </Display> </Field> Creating a Radio Button: Use the <Radio> component to display a horizontal list of one or more radio buttons. A user can select only one radio button at a time. If the component value is null or does not match any of the allowed values, no button is selected. <Field name='global.EmployeeType'> <Display class='Radio'> <Property name='title' value='EmployeeType'/> <Property name='labels' value='Employee Contractor Temporary Part Time'/> <Property name='required' value='true'/> </Display> </Field> Creating a Single-Selection List: Along with the <MultiSelect> component, the <Select> component provides a list of items to select from. With longer lists of values to select from, the radio buttons can begin to take up precious space on a form. Alternatively, select lists can provide a way for the user to select from a long list of possible values. This list supports type-ahead if the list is ordered. You can use the allowedValues property to specify the choices from which the user can pick. <Field name='global.title'> <Display class='Select'> <Property name='title' value='Title'/> <Property name='allowedValues'> <List> <String>Staff</String> <Str
203. e provisioner and resource adapter. global Attribute: You can use the global attribute set of the user view to conveniently assign attributes to many resource accounts, including Identity Manager. The value of the global attribute is an object whose attributes are referred to as global attributes. When the view is saved, the system assigns the value of each global attribute to all resource accounts that define the global attribute name in their schema map. These values are also propagated to the Identity Manager repository if there is an extended attribute with the same name. For example, two resources, R1 and R2, define an attribute named fullname. When the attribute global.fullname is stored in the view, this value is automatically copied into attributes accounts[R1].fullname and accounts[R2].fullname. You can also use global attributes to assign extended attributes that are stored in the Identity Manager repository. If a global attribute is also declared as an extended Identity Manager attribute, it is copied into accounts[Lighthouse]. NOTE: Do not use global.accountId when creating accounts. The account ID is created by the DN templates on the resources. Using global.accountId overrides this, which may cause problems. Referencing Two Different Fullname Attributes: The global attribute can be used in combination with the account attribute for the same attribute name. For ex
204. e request. Valid keys include searchAttrsToGet, which specifies a list (List) of objectType-specific attribute names to get. Return Values and Side Effects: Returns the object specified by objectType and objectId from the specified resource. getView Session Workflow Service: Fetches an Identity Manager view. The administrator that launched the workflow (WF_CASE_OWNER) will be checked to see if it is authorized to get the view. Table 2-17 getView Method Arguments (Name; Required; Valid Values; Description): op (required: yes; valid value: getView). viewId (required: no): Identifies the ID of the view to fetch. If this argument is not specified, both the type and ID must be specified. Type and ID may be easier to use from workflows. type (required: no): Indicates the type for the view. id (required: no): Specifies the ID of the object being fetched in the view. For example, if you are fetching a view to view an account object, this would be the accountId. raiseViewErrors (required: no; valid values: true or false): Specifies that display.errors is promoted to WF_ACTION_ERROR. When set to true, errors in the display.errors attribute of the view are automatically extracted and returned to the workflow engine as errors. The WF_ACTION_ERROR workflow variable is set. options (required: no; valid values: getView): Gives view-specific options. The values you can pass are specific to the view being used. The most common is the user view. These options can be found in session.UserViewConstants. The
205. e typically classified into one of two categories: (1) Forms that drive the graphical user interfaces. These forms, which can be part of either the Identity Manager Administrator or Identity Manager User Interface, include the pages that users use when changing passwords, performing self-service, and administrative tasks that involve account creation, system configuration, and workflow tasks. You can use the default forms that ship with Identity Manager as springboards for creating your own custom forms. While you will probably want to copy and directly edit only a subset of these forms (see the section titled Edited Forms), you can peruse other forms for examples of how to encode particular attributes or behaviors. (2) Forms that perform background processing on information being imported into Identity Manager from an external resource. For example, as part of the process of reading information from a PeopleSoft database into Identity Manager, a form checks employee status on incoming records. If the employee status is not active (A), the form defines a field that disables the Identity Manager account for that user. The following table shows some of the Identity Manager pages that use forms of the first type. Use this table to identify the form that controls the display characteristics of the page you want to edit. Table 3-1 Pages and Associated JSPs and Forms: Page You Want to E
206. e within Identity Manager. This allows the TaskDefinition to keep its unique ID, which is referenced inside suspended tasks. Standard Workflows: Identity Manager ships with standard workflows that are mapped to used processes. See Default Workflow Activities for a brief introduction to these default workflows. To display and edit a default workflow: 1. Open the Identity Manager IDE. For information on using the Identity Manager IDE, see Introduction to the Identity Manager IDE in Identity Manager Deployment Tools. 2. Select File > Open Repository Object > Workflow Processes. The Identity Manager IDE displays the Workflow Processes list, which contains the standard workflow processes and any custom workflows in your deployment. 3. Double-click on the name of the workflow you want to display or edit. You can view process mappings by selecting Configure > Form and Process Mappings from the Identity Manager Administrator Interface. Customizing a Process: You can change one or more of the Identity Manager processes to eliminate steps, include new steps, or customize existing steps. Each step in the process is represented by an activity. The Workflow Toolbox facilitates workflow changes by providing pre-defined activities you can use when editing or creating a workflow. To open the toolbox, right-click in the diagram view and select the toolbox option. Default Workflow Ac
207. eAccounts. disabled: Indicates whether the account is currently disabled or enabled (only in currentResourceAccount). authenticator: Indicates whether the account is one that the user is configured to login. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources. See Setting View Options in Forms in this chapter for more information. Reset User Password View: Used by administrators to reset a password to a randomly generated password and optionally propagate the new password to resource accounts. resourceAccounts: Defines characteristics of resource accounts. This attribute contains the following attributes. Table 5-55 resourceAccounts Attributes, Reset User Password View (Attribute; Editable; Data Type; Required): id (Read; String). selectAll (Read/Write; Boolean). currentResourceAccounts (Read; List (object)). tobeCreatedResourceAccounts (Read; List (object)). tobeDeletedResourceAccounts (Read; List (object)). id: Specifies the account ID of the Identity Manager user whose passwords are being changed. selectAll: Controls whether all passwords are selected. currentResourceAccounts: Represents the set of accounts that are
208. eVi com renameView renameVi renameView e renameVi ew 1 ew LEW renameVi LEW ew newAccountId saurelius resourceAccounts selectAll false resourceAccounts currentResourceAccounts Lighthouse selecte resourceAccounts currentResourceAccou resourceAccounts currentResourceAccou accounts NT identity Marcus Aureliu resourceAccounts currentResourceAccou accounts AD identity cn saurelius OU Austin DC Waveset DC nts AD selected true accounts LDAP identity CN saurelius CN Users DC us DC com nts LDAP selected tru s nts NT selected true Reprovision View: Used to present and select the list of resources to be reprovisioned. This view contains one top-level attribute: resourceAccounts. resourceAccounts: This attribute contains the following attributes. Table 5-53 resourceAccounts Attributes, Reprovision View (Name; Editable; Data Type; Required): id (Read; String). selectAll (Read/Write; Boolean). currentResourceAccounts (Read; List (objects)). fetchAccounts (Read/Write; Boolean). fetchAccountResources (Read/Write; List). id: Specifies the unique identifier for the account. selectAll: Controls whether all resources are selected. currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. All account lists are i
209. ecord by the audit system in the following format: name1 value1 name2 value2. It is typically used to log changes to specific account attributes. Specifies a list of the organizations (also known as ObjectGroups) associated with the object being audited. Return Values and Side Effects: An audit log is entered with the supplied information. authorize Session Workflow Service: Requests that Identity Manager checks if the subject of the workflow is authorized with the given right for the given action on the given object. The subject of the workflow is the administrator that the workflow is running under. This will be the value of the WF_CASE_OWNER built-in variable. Table 2-4 authorize Method Arguments (Name; Required; Valid Values; Description): op (required: yes; valid value: authorize). type (required: yes; valid values: see Type Names): Specifies the type of the object that is being authorized. name (required: yes): Indicates the name of the object that is being authorized. right (required: yes; valid values: see Right Names): Indicates the right to authorize. action (required: yes; valid values: see Action Names): Specifies the action to authorize. Return Values and Side Effects: If the WF_CASE_OWNER is not authorized for the given right or action on the given object, WF_ACTION_ERROR will be true. The WavesetResult will contain the error. checkStringQualityPolicy Session Workflow Service: Checks string quality against a specified policy. Table 2
210. ed Attribute, Work Item View (Attribute; Description): name: Specifies the repository ID of the work item. owner: Identifies the owner of the item. locked: Indicates whether the work item is being edited. A value of true indicates that the work item is currently being edited. complete: Specifies whether the work item has completed. A value of true indicates that the work item completed. itemType: Identifies item type as defined by the process. The default is approval. request: Succinctly describes the purpose of the work item. This description is typically shorter than the value of the description attribute and is often displayed in summary tables. requester: Identifies the user that initiated the approval. ignoreTimeOut: Indicates whether the time-out should be ignored. A value of true, assigned by the system, indicates that this is a read-only work item that may time out while being viewed. This is a signal to the system that a check-in failure of the Work Item view should be ignored if the work item no longer exists, rather than displaying an error message. This can be useful for work items that are intended only for status messages that time out immediately so the workflow can continue while the user views the messages. Do not change this value. Using the variables Attribute: When writing a work item form, the most common attributes to reference are complete and variables. The complete attribute must be set to the value true
211. ed expression and scripting language used throughout Identity Manager. Chapter 6, XML Object Language: Introduces the basic features of the XML Object language, which is a collection of XML elements that you can use to represent common Java objects such as strings, lists, and maps. Chapter 7, Identity Manager Views: Introduces Identity Manager views, which are data structures used in Identity Manager. Chapter 8, HTML Display Components: Describes the Identity Manager HTML display component library. HTML display components are used when customizing forms. Appendix A, Form and Process Mappings: Lists the forms and workflow processes used in Identity Manager and their corresponding system names. Conventions Used in This Book: The tables in this section describe the conventions used in this book, including Typographic Conventions, Symbols, and Shell Prompts. Typographic Conventions: The following table describes the typographic conventions used in this book. Table 1 Typographic Conventions (Typeface; Meaning; Examples): AaBbCc123 (Monospace): API and language elements, HTML tags, Web site URLs, command names, file names, directory path names, onscreen computer output, sample code. Examples: Edit your login file. Use ls a to list all files. You have mail. AaBbCc123 (Monospace bold): What you type, when contrasted with onscreen computer output. Example: su Password
212. ed to uniquely identify the organization within Identity Manager. orgAction: Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers. orgNewDisplayName: Specifies the new short name when you are renaming the organization. orgParentName: Identifies the full pathname of the parent organization. orgChildOrgNames: Lists the Identity Manager interface names of all direct and indirect child organizations. orgApprovers: Lists the Identity Manager administrators who are required to approve users added to or modified in this organization. allowedOrgApprovers: Lists the potential user names who could be approvers for users added to or modified in this organization. allowedOrgApproverIds: Lists the potential user IDs who could be approvers for users added to or modified in this organization. orgUserForm: Specifies the userForm used by members (users) of this organization when creating or editing users. orgViewUserForm: Specifies the view user form that is used by member users of this organization when viewing users. orgPolicies: Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string. Each policy object contains the following v
213. ed with the Form Editor. Turning On and Off Error Logging: The Identity Manager error logging utility reports to standard output any problems with the syntax of form expressions. Once XPRESS tracing is turned on, you can limit log messages to XPRESS statements for a subset of the form with the <block> tag. To obtain more information about the processing of XPRESS statements, a configuration option in the waveset.properties file, xpress.trace, can be set to true. When this option is set to true, all evaluations of XPRESS statements will generate trace messages to the console. This can be used to debug statements that are evaluated inside a running application whose code cannot be changed to enable tracing through the XPRESS API. You can turn on XPRESS tracing for all XPRESS fields through either the command line or the Identity Manager Administrator Interface. Turning on tracing this way affects all fields. To limit log messages to a subset of the form, use the <block> tag set to limit error tracing to only code within the <block> </block> tags. To turn on error logging from the command line for all expression evaluations in Identity Manager: 1. Open the config/waveset.properties file for editing. 2. Search on the line xpress.trace=false. 3. Change the false value to true. 4. Save the file. 5. Restart the application server. Alternatively, you can use the Identity Manager Administrator Interface to turn on and off err
214. eed a computed value to remain relevant beyond one field iteration, use a hidden form field instead. Hidden field values are stored in the view and will persist until the editing session is either canceled or saved. Disabling Automatic Linking of New Resources and Users: Identity Manager provides a way to control the linking of existing accounts when new resources are assigned to a user. When you assign a new resource to a user and an account with the assigned ID already exists on the resource, Identity Manager by default automatically links that account to the Identity Manager user and proceeds with provisioning. Alternatively, you can disable this automatic linking and enter an alternative account ID when creating a new account for the user. There are two ways to control how new accounts are linked to user: (1) enabling manual linking of this information in the user form; (2) preventing automatic linking during provisioning. Enabling Manual Linking in the User Form: To enable manual linking: 1. Include a property definition in each user form. 2. Reference a field in the standard form library. Step One: Include a Property Definition. Define the property definition at the top of the form as follows: <Form> <Properties> <Property name='InteractiveLinking' value='true'/> </Properties> </Form> Step Two: Reference the Field in the Standard Form Library. Add a field
215. een changed. If null, the password expires by the default if the user whose password is being changed differs from the user that is changing the password. tobeCreatedResourceAccounts: Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created. tobeDeletedResourceAccounts: Represents the accounts that have been created but are no longer assigned to this user. Passwords cannot be changed on accounts that are going to be deleted. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources. See Setting View Options in Forms in this chapter for more information. Process View. Used to launch tasks such as workflows or reports. The task to be launched must be defined by a TaskDefinition or TaskTemplate object in Identity Manager. Launching the task results in the creation of a TaskInstance object. This view contains one top-level attribute named task. All other top-level attributes are arbitrary and are passed as inputs to the task. task: This top-level attribute defines how the task is to be launched. Table 5-37 Process V
216. Understanding Workflow; What is Workflow; Workflow Components; Default Workflow Processes; Creating Transitions; Updating a Process for Identity Manager Use; Editing a Workflow in Production; Standard Workflows; Customizing a Process; Default Workflow Activities; Workflow Task; Tracking Workflow Progress; Enabling Workflow Auditing; What Information Is Stored and Where Is It; Adding Applications
217. elds for buttons such as Approve and Reject, you may not want everything displayed by Default User Form displayed in the work item form. Typically, you can factor out the fields in the user form into a form library that can be referenced by both the user forms and the work item forms. WorkItem List View. Used to view information about collections of work items in the repository and to perform operations on multiple work items at a time. This view handler gathers information about: all work items assigned to a selected user; users whose work items can be viewed; users to whom the work items can be forwarded. The view is used in the Approvals page of the Identity Manager Administrator Interface. The default form used with this view is named Work Item List. The following table lists the top-level WorkItem List view attributes. Table 5-72 WorkItem View Attributes (Attribute: Editable, Data Type). authType: Read/Write, String; userId: Read, String; user: Read/Write, String; self: Read, Boolean; forwardedUser: Read, Boolean; itemType: Read/Write, String; users: Read, List; userIds: Read, String; forwardingApproverStyle: Read; forwardingUsers: Read, List; forwardingUserIds: Read, List; workItems: Read/Write, String; selectedWorkItems: Read/Write, String; forwardTo: Read/Write, Boolean; forwardToNow: Read/Write, String; variables: Read/Write, String. Table 5-72 WorkItem View Attributes Attribu
218. en value. Example: The following expression returns 1. <contains> <list> <s>apples</s> <s>oranges</s> </list> <s>apples</s> </contains> containsAll Function. Takes two list arguments. This function returns: 1, the list contains all elements contained in another list; 0 (zero), the list does not contain all elements contained in the second list. Example: The following expression returns 0. <containsAll> <ref>fruitlist</ref> <list> <s>oranges</s> <s>wiper blades</s> </list> </containsAll> containsAny Function. First argument: list to be searched. Second argument: an element or a list of elements to search for in the first list. This function returns: 1, first list contains any elements that are contained in a second list; 0 (zero), first list does not contain any elements that are contained in a second list. Example: The following expression returns 1. <containsAny> <ref>fruitlist</ref> <list> <s>oranges</s> <s>wiper blades</s> </list> </containsAny> filterdup Function. Filters duplicate elements from a list. Given a list, it returns a new list in which duplicate entries have been removed. Example: <filte
219. eneral form of a provision workflow service action is: <Action class='com.waveset.provision.WorkflowServices'> <Condition/> <Argument name='op' value='workflowServiceOp'/> <Argument name='argname1'> <expression>value1expression</expression> </Argument> <Argument name='argname2'> <expression>value2expression</expression> </Argument> <Argument name='argnameN'> <expression>valueNexpression</expression> </Argument> </Action> Each of the supported workflow services will have a variable number of required and optional arguments. Supported Provision Workflow Services. Following is the list of provision workflow services that Identity Manager currently supports. The op argument to the workflow services call must be one of these values: approve, auditNativeChangeToAccountAttributes, bulkReprovision, changeResourceAccountPassword, checkDeProvision, cleanupResult, createResourceObject, deleteResourceAccount, deProvision, disable, enable, getApprovals, getApprovers, lockOrUnlock, notify, provision, questionLock, reject, reProvision, runResourceAction, unlinkResourceAccountsFromUser, updateResourceObject, validate. If an op argument is given that is not on the preceding list, the workflow services return Unknown
220. enerating values; including in forms; integration with Identity Manager; iteration expressions; Java/Javascript expressions; list expressions; lists; logical expressions; map objects; notation; object expressions; Section overview; string expressions; syntax; testing; testing expressions; tracing; value constructors; variable expressions; workflow actions; workflow transition conditions; XML object language and; XML objects in
221. ent is to be rendered in a form other than mainform. Example: <Property name='htmlFormName' value='endUserNavigation'/> Basic Components. BackLink: Displays a link that returns to the previous page. The behavior of this component is the same as that of the browser Back button. However, you may want to place this link in a convenient position on the page. Properties for this display component: text: Specifies the text of the link. If you do not specify text, the link defaults to Back. Example: <Field name='back'> <Display class='BackLink'> <Property name='value' value='previous page'/> </Display> </Field> Button: Displays a button. Buttons typically submit the surrounding form, but they can also be defined to run arbitrary JavaScript. Properties for this display component are: name: Specifies the name of the parameter that will be posted when the user clicks this button. This property is optional; if not specified, the default value is command. value: Specifies the value of the parameter posted when the user clicks this button. label: Specifies the visible text that displays on the button. command: Specifies an optional value to submit along with the name parameter, for example Save, Cancel, Recalculate. postURL: Specifies an alternate target URL to which the form will be posted. This value overrides the URL specified in the JSP. hiddenID
222. entity Manager. Although XPRESS can be used with a standalone interpreter, it is typically embedded within an application that wants to use XPRESS statements to control or customize its behavior. This application is called the host application. Two of the more important host applications within the Identity Manager system are workflow and forms. The host application makes calls to the XPRESS interpreter and supplies services to the interpreter. One of the more important services that the host application provides is the resolution of external variable references. Expressions often reference variables that are not defined within the expression, and the host application must then provide the values of these variables. In the case of the workflow host application, an expression can reference any variable defined within the workflow process. In the forms host application, an expression can reference the value of any form field or defvar whose value is set before the expression is evaluated. Why Use Expressions? Expressions are used primarily for the following tasks: Customizing the User Interface and Administrator Interface forms. Forms use XPRESS to control the visibility of fields and to transform the data to be displayed. Defining flow of control in workflow. Workflow uses XPRESS to define transition conditions, which determine the order in which steps in the workflow process are performed. Implementing workflow actions. Workflow actio
223. ently customized views. What Is a View? The most important view is the user view, which contains the user attributes that are stored in Identity Manager and attributes that are read from accounts managed by Identity Manager. Some attributes in the user view are visible in the forms that are presented by the Identity Manager User and Administrator Interfaces. Other attributes are hidden or read-only. Hidden attributes are typically used by rules that derive other visible attributes or calculate field values. For example, when creating a user (represented as a user view), an administrator enters a first and last name in the appropriate form fields on the Create User page. When the administrator saves the form, the system can calculate the user's full name in a hidden field by concatenating the first and last name. This full name can then be saved to one or more resources, including Identity Manager. Once approved (where approval is required), the system converts the user view back into one or more objects in the Identity Manager repository and sends the view to the resources assigned to the user to create or update the user's resource accounts. View Attributes. A view is a collection of name/value pairs that are assembled from one or more objects stored in the repository or read from resources. The value of a view attribute can be atomic (such as a string), a collection (such as a list), or refe
224. ents contain Property elements that define the characteristics of the field rendered by the browser. By defining a Display element for a form, it will be visible on the screen unless there is a Disable element in the field that evaluates to true. There can be conditions in which the form is displayed until another field or value is set, and when the form recalculates, the field can become hidden from the screen. See the section titled Disabling Fields. Display: Describes class and properties of the visible field. This element specifies a component class to instantiate and a set of property values to assign to the instance. <Display class='Text'> <Property name='size' value='20'/> <Property name='maxLength' value='100'/> </Display> The class attribute of the Display element must be the name of a Component class. By default, these classes are expected to reside in the com.waveset.ui.util.html package and include Applet, Button, and DatePicker, among others. A list of all the default classes and their descriptions can be found in the Base Component Class section of HTML Display Components. To reference a class that is not in this package, you must use a fully qualified class name for the class attribute. All classes described in this document are in the default package and do not require qualified names. Property: Occurs within the Display element. The property value defines the names and values of properties that are to be as
225. eprovision Primitive Run Resource Actions Set Property Unlock Object Unlock View Update Resource Object Searches for objects with matching attributes Searches for objects with matching attributes Refreshes a view that was previously checked out Removes deferred task scanner information from an object Removes an extended property on an object Reprovisions resource accounts Adds an extended property to an object Unlocks an object that was previously checked out Unlocks a view that was previously checked out Modifies an object managed by a resource Table 1 4 Default Approval Workflows Activity Description Approval Approval Evaluator Performs the fundamental single approver process Recursively evaluates an Approval Definition Object to implement a complex approval process Allows the form and template to be used to be passed in but those can be overridden if specified in the set Identity Manager 7 0 Workflows Forms and Views Table 1 4 Default Approval Workflows Activity Description Lighthouse Approval Performs the default Identity Manager approval process for assigned organizations roles and resources Uses the Approval Evaluator process Multi Approval Distributes approvals among multiple approvers Users the Notification Evaluator Provisioning Notification Approval process for each approver Recursively evaluates an Approval Definition Object to implement a
226. eption or getResources(LighthouseContext s, String matchType, String value, List current) or getResources(LighthouseContext s, Map Options). Description: Builds a list of the names of resources that match a particular resource attribute value, such as type LDAP. If a current list is passed in, the lists are merged. The first variant of this method takes session only and returns all resources that are visible to the administrator. The second variant of this method returns all resources and merges in the current list. The third variant of this method returns all resources that match a particular attribute value. The fourth variant of this method returns all resources that match a particular attribute value and merges in the current list. Table 4-12 getResources Parameters (Parameter: Description). s: Identifies a valid Identity Manager session, typically referred to in forms as <ref>display.session</ref>. matchtype: Identifies the resource attribute that this method searches when identifying resources to include in the resourced name list. Must be a queryable attribute of the resource object type. Queryable attributes include type, supportsScanning, supportsContainerObjectTypes, and startupType, which are described below. value: Specifies the value of the attribute that this method searches on when identifying resources. options current condition
227. er 7 0 Workflows Forms and Views deleteResourceAccount Provision Workflow Service Deletes a resource account Table 2 36 deleteResourceAccount Method Arguments Name Required Valid Values Description op yes deleteResourceAccount user waveset accountld or yes Indicates the name of accountld the Identity Manager user to delete resource yes Identifies the name of the resource whose account needs to be deleted Return Values and Side Effects A WavesetResult object containing the result of the account deletion 93 deleteResourceObject Provision Workflow Service Deletes a resource object for example a group Table 2 37 deleteResourceObject Method Arguments Name Required Valid Values Description op yes deleteResourceObject objectType yes object no GenericObject resourceld yes Identity Manager resources can specify object types that they manage This is specified by the Object Type element list defined in the resource s prototype XML This argument is the name of one of those ObjectTypes If not specified the service looks for an argument named after the ObjectType For example if a resource supports managing a group Object Type and if the object argument is not supplied then the service will expect the resource object to be in an argument called group Preferred practice is to use the object argument Specifies the object ID for the resource on which to delete the
228. er be literal text to be displayed or it can be a message catalog key. Literal text can include HTML markup. command: Specifies a command to submit when a component is modified. When a user makes a change to a value, form output is recalculated. This property is typically used with the Button component. Some components must cause immediate submission of the surrounding HTML form when they are modified so that the application can regenerate the page based on that modification. Setting the command property to a non-null value causes this behavior. When the command property is set and the component is modified, the form is posted and an extra hidden parameter named command is posted whose value is the value of the command property. The command specifies how the system will process the edits that have been made to a view. The command property must have one of the following values. Table 8-3 Values of command Property (Value: Description). Save: Causes the edits to be saved. Cancel: Causes the edits to be discarded. Recalculate: Causes the page to be regenerated. SaveNoValidate: Causes the edits to be saved but no form validation to be performed. Because specifying a command value of Recalculate is so common in forms, a shorter alternative syntax is available. The Display element has an attribute named action that, when set to true, has the same effect as setting the command property to Recalculate. <Display class
229. er type of the object that is being audited logResultErrors no true false If false this method logs the single error indicated by the other parameters If true it creates a log record for each error message in the task results The task result is obtained from the workflow context This is a convenient way to log all the errors accumulated during workflow execution name no Identifies the name of the object that is being audited status no success Indicates the audit status If no status is supplied the status is assumed to be failure failure reason no Currently hard coded to DATABASE_ACCESS_FAILED any value you use will be ignored action yes see Action Indicates the Identity Manager action Names to audit resource no Specifies the resource that is being audited accountId no Identifies the accountld that is being audited error no Indicates the error that is being audited 52 Identity Manager 7 0 Workflows Forms and Views Table 2 3 audit Method Arguments Name Required Valid Values Description parameters no attributes no organizations no This is expected to be a java util Map object that contains name value pairs These pairs are specific to each event For example the parameter named RoleName is typically set for log records that are related to users This is expected to be a java util Map object that contains name value pairs This is formatted in the log r
230. erence and procedural information that provides guidance for tuning Sun Java System Identity Manager, provide instructions for tracing and troubleshooting problems, and describe the error messages and exceptions you might encounter as you work with the product. Identity Manager Service Provider Edition Deployment: Reference and procedural information that describes how to plan and implement Sun Java System Identity Manager Service Provider Edition. Identity Manager Help: Online guidance and information that offer complete procedural, reference, and terminology information about Identity Manager. You can access help by clicking the Help link from the Identity Manager menu bar. Guidance (field-specific information) is available on key fields. Accessing Sun Resources Online. For product downloads, professional services, patches and support, and additional developer information, go to the following: Download Center: http://wwws.sun.com/software/download/ Professional Services: http://www.sun.com/service/sunps/sunone/index.html Sun Enterprise Services, Solaris Patches, and Support: http://sunsolve.sun.com/ Developer Information: http://developers.sun.com/prodtech/index.html Contacting Sun Technical Support. If you have technical questions about this product that are not answered in the product documentation, contact customer support using one of the following mechanism
231. erface Names (System Name: Mapped to). Windows Active Directory ActiveSync Create Organizational Unit Form: Windows Active Directory Create Organizational Unit Form; Windows Active Directory ActiveSync Create User Form: Windows Active Directory Create User Form; Windows Active Directory ActiveSync Update Container Form: Windows Active Directory Update Container Form; Windows Active Directory ActiveSync Update Group Form: Windows Active Directory Update Group Form; Windows Active Directory ActiveSync Update Organizational Unit Form: Windows Active Directory Update Organizational Unit Form; Windows Active Directory ActiveSync Update User Form: Windows Active Directory Update User Form; accountOwnerSelection: Account Owner Selection Form; anonymousUserMenu: Anonymous User Menu; changeAnswers: Change User Answers Form; changeCapabilities: Change User Capabilities Form; changeMyPassword: Change My Password Form; changePassword: Change User Password Form; changePasswordSelection: User Selection Form; confirmDeletes: Confirm Deletes; deprovisionUser: Deprovision Form; disableUser: Disable Form; editArgument: Edit Argument; editField: Edit Field; editForm: Edit Form; editRule: Edit Rule; enableUser: Enable Form; endUserChangePassword: Change Password Form; endUserForm: End User Form. Table 0-1 Form System and Product Interface Names (System Name: Mapped to). endUserLaunchList: End User Launch Li
232. es/no; id (string); lastPasswordUpdate (string); resource (string); selected (true/false); type (string); userPwdRequired (yes/no). Example: Excluding an LDAP Resource Type from a List of Resource Accounts. To exclude from the list of any given form all resource accounts of type LDAP that are not directly assigned, set the Exclude property as follows: <Property name='Exclude'> <list> <new class='com.waveset.object.AttributeCondition'> <s>type</s> <s>equals</s> <s>LDAP</s> </new> <new class='com.waveset.object.AttributeCondition'> <s>directlyAssigned</s> <s>equals</s> <s>false</s> </new> </list> </Property> Calling a FormUtil Method from within the allowedValues Property. From within the allowedValues property, you can also call FormUtil methods that permit you to dynamically retrieve and process information from a resource external to Identity Manager, such as a database. This example shows how to call a FormUtil method to populate a <Select> list. In the following example, the method is called from within the allowedValues property. The getOrganizationsWithPrefixes method, or any FormUtil method, is invoked from within an expression. <Field name='waveset.organization'> <Display class='Select'>
233. esource Queryable Attribute Description startupType Indicates startupType Includes disabled and automatic supportsContainerOb Indicates whether this resource supports container object types true false jectTypes supportedObjectType Lists supported object types for example group ou o and domain S supportsScanning Indicates whether this resource supports scanning true false syncSource Indicates whether this resource can be an Active Sync resource true false type Identifies the resource type for example LDAP AIX or RACF Table 4 45 Role Queryable Attribute Description role_resources role_approvers Lists the resources assigned to a role Lists the approvers assigned to a role Table 4 46 WorkItem Queryable Attribute Description dirty 305 306 Table 4 46 Workltem Queryable Attribute Description itemType Defines the type of workitem for example approval or wizard owner Identifies the user that owns this workitem taskid Identifies the repository ID of the taskinstance that created this workitem Table 4 47 User Queryable Attribute Description adminRoles controlledObjectGroup s correlationKey dis lhdis memberAdminGroups prov resourceAccountGuids resourceAccount Ids role user_resources Specifies the list of AdminRoles assigned to this user Lists flattened all ObjectGroups controlled by this user Identifies the key that is used to
234. esourceAccount Provision Workflow Service; deleteResourceObject Provision Workflow Service; deProvision Provision Workflow Service; deleteUser Provision Workflow Service; disable Provision Workflow Service; enable Provision Workflow Service; getApprovals Provision Workflow Service; lockOrUnlock Provision Workflow Service; notify Provision Workflow Service; provision Provision Workflow Service; questionLock Provision Workflow Service; reject Provision Workflow Service; reProvision Provision Workflow Service; runResourceAction Provision Workflow Service; updateResourceObject Provision Workflow Service
235. essions. The even-numbered expressions define map keys and odd-numbered expressions define map values. If any key expression evaluates to null, the entry is ignored. You can use the XPRESS <map> element to dynamically construct java.util.HashMap objects. <map> <s>name</s> <s>Jeff</s> <s>phone</s> <s>338-1818</s> </map> Using XML Object Syntax to Map Objects. You can use XML Object syntax to define map objects as follows: <Map> <MapEntry key='name' value='Jeff'/> <MapEntry key='phone' value='338-1818'/> </Map> Chapter 8: HTML Display Components. This chapter describes the Identity Manager HTML display component library. HTML display components are used when customizing forms. See Identity Manager Forms for a discussion of the larger topic of customizing forms. Topics in this Chapter. This section covers the following topics: What Are HTML Components; Component Classes; Container Classes; Component Subclasses. HTML Display Components. If you are designing forms, you will use the HTML components described in this section. To create a form, you can use the Identity Manager Form XML language (also called forms) to describe HTML display components. This language is then interpreted at runtime to build the necessary component
236. estion. name (Read): Name used to identify this question. question (Read): Text of the authentication question. The name attribute is not stored. The system generates the name by transforming the id. This is necessary because question IDs are typically numbers, and numbers that are used to index an array in a path expression are considered absolute indexes rather than object names. For example, the path waveset.questions[1].question addresses the second element of the questions list (list indexes start from zero). However, since there may be only one question on the list whose ID is the number 1, the ID is not necessarily suitable as a list index. To reliably address the elements of the list, the system manufactures a name for each question that consists of the letter Q followed by the ID, in this example Q1. The path waveset.questions[Q1].question then always correctly addresses the question. waveset.resources: Contains a list of the names of each resource that is assigned directly to the user. This list does not include resources that are assigned to a user through a role or through applications. You can add only unqualified resource names to this attribute. To find all resources that are assigned to a user, see the section on the accountInfo attribute. waveset.resourceAssignments: Qualifies the assigned resource list. This attribute parallels the existing waveset.resources attribute. All resources in this attribute appear
237. eved from one or more resources; the form is recalculated or saved until the field value is non-null. Example: This example shows a field definition that uses string manipulation expressions to return a default account ID composed of the first initial of the first name plus the user's last name. <Field name='waveset.accountId'> <Display class='Text'> <Property name='title' value='AccountID'/> </Display> <Default> <concat> <substr> <ref>accounts[Exchange].firstname</ref> <i>0</i> <i>1</i> </substr> <ref>accounts[Exchange].lastname</ref> </concat> </Default> </Field> Derivation Element. Unconditionally calculates a value for the field. Whenever a Derivation expression is evaluated, the current field value is replaced. Derivation expressions are calculated when the form is first loaded or data is returned from one or more resources. The following example shows a field definition that uses conditional logic to map one set of values into another set. When this field is processed, the expression in the <Derivation> element is evaluated to determine the descriptive value to be displayed for this field based on the location code returned from the resource. <Field name='location'> <Display class='Text'> <Propert
238. f the field. In this example, this element performs the reverse of the mapping performed by the location field. This field is also hidden by the absence of an assigned Display class. This lack of Display class prevents the field from being displayed in the form, but the field is still considered to be an active part of the form and will generate values for resource attributes through its <Expansion> expression. NOTE: For all forms except the User view, Expansion rules are run whenever the page is recalculated or the form is saved. For the User view, an <Expansion> tag runs when the userform is first loaded as well. Workflow Transition Conditions. When defining a workflow process, you must specify the rules by which control passes from one workflow activity to another. A path between two activities is called a transition. A rule that governs the use of the transition is called a transition condition. For example, consider the following activity definition: <Activity name='Check Results'> <Transition to='Log Errors'> <gt> <ref>ERROR_COUNT</ref> <i>0</i> </gt> </Transition> <Transition to='end'/> </Activity> This activity defines two distinct transitions to separate activities: an activity named Log Errors and another named end. When workflow processes this activity, it will take the first transition for which the trans
239. fixes e Geta list of organizations display names with prefixes e Retrieve a list of applications unassigned to the user For information on the lt Select gt and lt MultiSelect gt components and the allowedValues property see the section titled Populating Lists 209 210 Understanding Resource Object Names To search for or request information on a resource and import it into Identity Manager you must use object definitions supported by Identity Manager The following table lists the object types supported by Identity Manager Table 3 16 Supported Object Types Description account List of user accounts IDs Administrator_Groups Applications Distribution Lists Entitlements group Group groupofNames Nodes PostOffices profile PROFILE ROLE shell Template USERS UnassignedTokens User_Properties Names of the administrative groups to which a user can belong List of applications List of email distribution aliases List of PKI entitlements List of security and distribution list group objects Security groups List of email Distribution aliases for Exchange 5 5 List of SP2 nodes List of GroupWise post offices List of top secret profiles List of Oracle profiles from the DBA_ PROFILES table List of Oracle roles from the DBA_ROLES table List of available UNIX shells List of NDS Templates List of Oracle profiles from the DBA_USERS table List of available unassigned tokens List of user property defin
240. flows Forms and Views NOTE Typically you supply a value for either scheduler definition or scheduler template If you do not specify either value Identity Manager creates a TaskSchedule object that you can later edit to specify the definition or template name Specifies the name of an existing TaskSchedule object or the desired name for a new TaskSchedule object It is not required but if not specified the system will generate a random identifier id Uniquely identifies the existing TaskSchedule object definition Defines the name a TaskDefinition object to be scheduled template Specifies the name of a TaskTemplate object to be scheduled If both definition and template are specified template has priority taskOrganization Contains the name of the organization in which the TaskInstance will be placed when the schedule task is launched taskName Specifies the name of the TaskInstance that is created when the schedule task is launched description Contains descriptive text that will be saved in the TaskInstance that will be created when the schedule task is launched The description will appear in the task tables in the product interface disabled Controls whether the task scheduler will process the TaskSchedule object The scheduler ignores TaskSchedule s whose disable attribute is true You can use this to temporarily stop running a schedule task without having to delete and recreate the TaskSchedul
241. flows Forms and Views Example 3 lt Field name accounts Lighthouse capabilities gt lt Display class MultiSelect gt lt Property name allowedValues gt lt invoke class com waveset ui FormUtil name getUnassignedCapabilities gt lt ref gt display session lt ref gt lt ref gt waveset original capabilities lt ref gt lt map gt lt s gt conditions lt s gt lt list gt lt s gt name lt s gt lt s gt starts with lt s gt lt s gt bulk lt s gt lt new gt lt list gt lt map gt lt invoke gt lt Property gt lt Display gt lt Field gt lt new class com waveset object AttributeCondition gt Supported Queryable Attribute Names The list of supported queryable attribute names per object type are categorized as follows e all object types Account 301 302 e AdminGroups e AdminRole e Configuration s Event e LoginApp e LoginModGroup e ObjectGroup Policy e ResourceRole e WorkItem User Other queryable attribute names are defined in the UIConfig xml for example firstname and lastname Table 4 34 All Object Types Queryable Attribute Description authType Specifies the authorization type if applicable for example for Types such as Configuration or Rule id Specifies the repository ID for this object name Identifies the name for this object memberObjectGroups Identifies the ObjectGroups that this object is available t
242. g gt Wisconsin lt String gt tring gt Wyoming lt String gt t gt lt Property gt lt Display gt lt Field gt is created every time the form is displayed expressions if available Table 7 1 Basic XML Objects and Equivalent XPRESS Expressions XML Object Language XPRESS Language lt String gt cat lt String gt lt s gt cat lt s gt lt Integer gt 10 lt Integer gt lt i gt 10 lt i gt lt Boolean gt true lt Boolean gt lt i gt 1 lt i gt lt Boolean gt false lt Boolean lt i gt 0 lt i gt lt null gt lt null gt Identity Manager 7 0 Workflows Forms and Views Table 7 1 Basic XML Objects and Equivalent XPRESS Expressions XML Object Language XPRESS Language lt Map gt lt map gt lt MapEntry key name lt s gt name lt s gt value neko gt lt s gt neko lt s gt a 2 pend eee ai lt s gt ID lt s gt zians lt i gt 123 lt i gt lt map gt lt List gt lt list gt lt String gt cat lt String gt lt s gt cat lt s gt lt String gt dog lt String gt lt s gt dog lt s gt lt integer gt 673 lt Integer gt lt i gt 673 lt i gt lt List gt lt list gt lt Long gt 123456789 lt Long gt N A lt Date gt 20020911 09 15 00 lt Date gt N A You cannot use XPRESS statements within an XML object Using XML Objects in XPRESS You can use XML objects within XPRESS anywhere an expression is allowed In the example below a map is passed as an argument to an i
243. g to each object. Table 5-11 accountInfo.types Attributes (User View) (attribute: description): accounts: List of account IDs for each account assigned to the user that is of this type; name: Resource type name. For example, you can determine a list of IDs for all UNIX accounts with the following path: accountInfo.types[Unix].accounts. display Attribute: The display attribute contains information that relates to the context in which the view is being processed. Most of the attributes are valid only during interactive form processing. The following table shows the most used display view attributes. Table 5-12 Most Used display Attributes (User View) (attribute: description): eventType: Indicates whether the user view is servicing a create or update request, as indicated by the values create or update (read-only). session: A handle to an authenticated Identity Manager session. This attribute is valid only during interactive editing session in the Identity Manager Administrator Interface. It is provided as an access point into the Identity Manager repository. The value of this attribute can be passed to methods in the com.waveset.ui.FormUtil class. The display.session attribute is not valid in the following cases where form processing may occur in the bulk loader during background
244. g with Display Elements: The display elements you will most modify or add to an Identity Manager form are buttons, fields, and text entry boxes. Other display elements include tables and section headers. Any display element that does not have a specified Display class will be hidden. Buttons: To create a typical push button, use the <Button> component. To align multiple buttons in a horizontal row, use the <ButtonRow> component. <Field> <Display class='Button'> <Property name='location' value='true'/> <Property name='label' value='Cancel'/> <Property name='command' value='Cancel'/> </Display> </Field> To position the button in a button row, include the following code in your button definition: <Property name='location' value='button'/> If you do not set this Property field, the button will appear in the form in the order in which you include it in the form. Assigning or Changing a Button Label: When defining a button, its label is identified by the value setting in the label property, as indicated below: <Display class='Button'> <Property name='label' value='Cancel'/> The browser displays the preceding code as a button labeled Cancel. Overwriting Default Button Names: Two buttons typically are displayed at the bottom of Identity Manager forms. By default, the buttons are labeled Save and Cancel. To change the names of these buttons, modify t
245. ger 7 0 Workflows Forms and Views Table 1 Typographic Conventions Continued Typeface Meaning Examples AaBbCc123 Book titles new terms words to be Read Chapter 6 in the User s Guide Italic emphasized A placeholder in a command or path name to be replaced with a real name or value These are called class options Do not save the file The file is located in the install dir bin directory Symbols The following table describes the symbol conventions used in this book Table 2 Symbol Conventions Symbol Description Example Meaning Contains optional command ls 1 The 1 option is not required options Joins simultaneous multiple Control A Press the Control key while keystrokes you press the A key Joins consecutive multiple CtrI A N Press the Control key release keystrokes it and then press the subsequent keys gt Indicates menu item selection File gt New gt Templates From the File menu choose in a graphical user interface New From the New submenu choose Templates Shell Prompts The following table describes the shell prompts used in this book Table 3 Shell Prompts Shell Prompt C shell on UNIX or Linux C shell superuser on UNIX or Linux Bourne shell and Korn shell on UNIX or Linux Bourne shell and Korn shell superuser on UNIX or Linux machine name machine name 13 Table 3 Shell Prompts Shell Prompt Windows command l
246. > </Display> </Field> Alternative Display Values in a Select List: You can create a Select list that displays a different set of values than the values that will actually be assigned to the field. This is often used to provide more recognizable names for cryptic values or to perform internationalization. This is accomplished by using the valueMap property to associate the displayed value with the actual value, as shown in the following example. Code Example 3-3 Changing Values for Select Lists Using the valueMap property: <Field name='waveset.organization'> <Display class='Select'> <Property name='title' value='Add Account'/> <Property name='nullLabel' value='Select'/> <Property name='valueMap'> <list> <s>Top</s> <s>Top Level</s> <s>Top:OrgB</s> <s>Ted's Organization</s> <s>Top:OrgC</s> <s>Super Secret Org</s> </list> </Property> </Display> </Field> In the preceding example, the value map is specified as a list of pairs of strings. The odd-numbered strings are the actual values that are assigned to this field. The even-numbered strings are the values that are displayed in the select list. For example, if the select list entry Ted's Organization is selected, the value of this field becomes Top:OrgB
247. > <s>peaches</s> </list> </removeAll> Example 2: The following expression removes three elements in the list stored in the variable srclist. <removeAll name='srclist'> <list> <s>apples</s> <s>oranges</s> <s>peaches</s> </list> </removeAll> This expression results in the following list: <list> <s>wiper blades</s> </list> set Function: Assigns a value into a specified position in a list, overwriting its current value. If necessary, the list is extended to contain the indexed element. New elements created during list extension will be null. first argument: list; second argument: integer specifying position in the list at which to insert the new element, starting with zero; third argument: element. Example 1: <set> <list> <s>apples</s> <s>oranges</s> <s>wiper blades</s> </list> <i>2</i> <s>bassoons</s> </set> This expression results in the following list and returns null: <list> <s>apples</s> <s>oranges</s> <s>bassoons</s> </list> Example 2: <set> <list> <s>apples</s> <s>oranges</s> <s>wiper blades</s> </list> <i>5</i> <s>bassoo
248. h form field elements, refer to the section titled Defining Fields. The following example creates an editing field with the label Email address: <Field name='waveset.email'> <Display class='Text'> <Property title='Email Address'/> <Property size='60'/> <Property maxLength='128'/> </Display> </Field> The name of an editing field is typically a path expression within a view that is being used with the form. In this example, waveset.email refers to the email address associated with a user object in the Identity Manager repository. Footer: The footer contains information about the Identity Manager object group or organization with which the form is associated. It also contains the closing tags for the </Form>, </Extension>, and </Configuration> elements or other elements opened in the header. The footer in the preceding example is: </Form> </Extension> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/> </MemberObjectGroups> </Configuration> <MemberObjectGroups> identifies the object group or organization into which the system stores an object. If you do not specify an object group, by default the system assigns the object to the Top organization. For Configuration objects that contain forms are typically found in the All group with this syntax: <MemberObjectGroups>
249. hat the system uses internally when processing the form object, including the date of last modification and login of the user who last modified this form. Most of this information is typically associated with any persistent object that is stored in the Identity Manager repository. You typically do not need to edit this information. <Configuration id='#ID#UserForm:EndUserMenu' name='End User Menu' createDate='1012185191296' lastModifier='Configurator' lastModDate='1013190499093' lastMod='44' counter='0' wstype='UserForm'> Form Body: The form body is composed of: • Form properties, which include title, subtitle, and width. These properties are defined in the table titled Form Properties. • Field elements, which you use to determine the appearance and function of the fields as they appear to the user in the product interface. Fields can also contain XPRESS logic to calculate information. For more information on using the XPRESS language, refer to XPRESS Language. The following table lists form header properties. Table 3-9 Form Header Properties (property: purpose): title: Identifies the text that appears at the top of the form. Typically, this title is in a bold font typically larger than the other font on the screen. The form title appears under the Identity Manager page. You cannot edit the display characteristics of title. In the example given in t
250. he current user or above. controlled: Specifies administrators in organizations that are controlled by the current user. all: Specifies both controlled and peers. You can set this and other view options as form properties: <Form> <Properties> <Property name='ForwardingApproverStyle' value='peers'/> </Properties> </Form> NoUserListCache: When true, indicates that the view handler should not cache the users and forwardingUsers lists but instead recalculate them every time the form is refreshed. Since calculating the user lists can be expensive, it is generally preferred to cache them and refresh only when explicitly instructed by setting the action attribute to Refresh. UserDisplayName: Can be set to the name of an extended user attribute whose value is to be used instead of the repository name in the user lists. This can also be specified in the UserUIConfig object, but it may be more convenient to set in the form. NoUserDisplayName: When true, indicates that display names should not be used even if one is specified in the UserUIConfig object. You can set this option in a form to selectively override the UserUIConfig setting. NoConfirm: When true, indicates that the action specified with the action attribute should be executed immediately without confirmation. Setting View Options in Forms: View options can be conveniently set in some forms. To set view options in a form, follow
251. he form as follows: 1. On the line that defines the form name in the header, change the name field <Form name='Anonymous User Menu'> to <Form name='Anonymous User Menu' noDefaultButtons='true'>. 2. At the bottom of the form, add the following fields for the Save and Cancel buttons and change the labels as desired: <Field> <Display class='Button'> <Property name='label' value='Submit'/> <Property name='name' value='submitButton'/> <Property name='value' value='true'/> <Property name='command' value='Save'/> </Display> </Field> <Field> <Display class='Button'> <Property name='label' value='Cancel'/> <Property name='command' value='Cancel'/> <Property name='location' value='true'/> </Display> </Field> Command Values and Buttons: NOTE: This section is important only if you are building Button objects. If you are building components from XML forms, you can assume that the values in the following table are recognized. All pages in the Identity Manager interfaces have used the post data parameter named command as a mechanism to convey which form submission button was pressed. Page processing systems using components are not required to follow the same convention, but there are some components that contain special support for the command parameter, in particula
252. he first value in the allowedValues list to be automatically selected if the initial value for the field is null. • multiple: When set to true, allows more than one value to be selected. • nullLabel: Specifies the text that displays at the top of the list box when no value is selected. • optionGroupMap: Allows the selector to render options in groups using the <optgroup> tag. Format the map such that the keys of the maps are the group labels and the elements are lists of items to be selectable. Values must be members of allowedValues in order to render. • size: (Optional) Specifies the maximum number of rows to display. If the number of rows exceeds this size, a scroll bar is added. • sorted: When set to true, causes the values in the list to be sorted. • valueMap: Maps raw values to displayed values. The component supports the command and onChange properties. Example: <Field name='city' type='string'> <Display class='Select'> <Property name='title' value='City'/> <Property name='allowedValues'> <List> <String>Austin</String> <String>Portland</String> <String>New York</String> </List> </Property> </Display> </Field> Text: Displays a regular text entry box. Common properties for this display component are: • size: Specifies the number of char
253. he following table Table 5 8 accountinfo accounts Attributes User View Attribute Description attributes Information about all the account attributes defined by this resource name Name of the resource where the account exists or will be created id Repository ID of the resource type Resource type name accountId Name of the user s account on this resource assigned True if the account is currently assigned Accounts that are not assigned can be deleted by Identity Manager protected True if the account is currently protected This means that update or delete operations on the account are ignored passwordPolicy Information about the password policy defined for this resource accountInfo accounts attributes Contains information about all the account attributes defined by this resource These attributes are listed on the schema map page of the resource The value of the attribute is a List of objects The following table defines the attributes that these objects contain Table 5 9 accountInfo accounts Attributes User View Attribute Description name The name of the Identity Manager resource account attribute This name is defined in the resource schema map Identity Manager 7 0 Workflows Forms and Views Table 5 9 accountInfo accounts Attributes User View Attribute Description syntax The syntax of the attribute value The value of the syntax attribute is one of the following values
254. he format expected by the resource or established by a rule. For example, a free-form text box in which a user enters a name can include an Expansion rule that capitalizes the first initial and lowercases the others. The use of the global attribute in fields sets any of the resources that have this value when the form is saved. When you load this form, Identity Manager loads the values from each resource unless the field is disabled. The last resource load sets the value in the form. If a user has made a local change, this change may not show up. Consequently, to ensure that the correct value for the attribute is used, you can use a Derivation rule to specify one or more of the resources as an authoritative source for the field. <Field name='global.lastname'> <Display class='Text'> <Property name='title' value='Last Name'/> <Property name='size' value='32'/> <Property name='maxLength' value='128'/> <Property name='noNewRow' value='true'/> <Property name='required'> <Boolean>false</Boolean> </Property> </Display> <Expansion> <block> <defvar name='lname'> <downcase> <ref>global.lastname</ref> </downcase> </defvar> <defvar name='nlength'> <sub> <length> <ref>global.lastname</ref> </length> <s>1</s>
255. he helpKey is set and searches the catalog for an entry with that key If the helpKey property is not set or there is no matching key in the catalog the system will then try to use the component title as a help key How to Use Help Catalogs A help catalog is a file that contains XML text The system determines which help catalog to use for a component in the following way e The page processing system can specify the catalog by assigning its name to the helpCatalog property of the HtmlPage object before HTML is generated e Ifno helpCatalog property value has been assigned HtmlPage next attempts to locate a catalog through a naming convention that is based upon the request URL HtmlPage takes the URL typically the URL of a jsp page strips off the trailing jsp and the leading base context prefixes this with the Identity Manager installation directory and suffixes it with help xml Identity Manager 7 0 Workflows Forms and Views For XML form designers the form processing system automatically locates a suitable catalog Occasionally though you might prefer more explicit control over which catalog file is used You can use the help attribute of the Form element to specify the help catalog to be used by that form For example lt Form name Task Launch Form help task common help xml gt lt Form gt You might find this useful when sharing a single help catalog among forms that can be referenced through several request U
256. he section titled Form Components the value of title is User Self Servic subtitle Identifies text that appears under title of the form on the page defined by this form You cannot edit the display characteristics of title In the preceding example the value of subtitle is Select one of th following options titleWidth Defines the width in pixels of the value of title in the browser window Example lt Display gt lt Property name titleWidth gt lt Integer gt 120 lt Integer gt lt Property gt lt Display gt The following table lists all elements that can occur within the form body Table 3 10 Elements that Can Occur within the Form Body Component Definition Example defun Defines an XPRESS function This lt defun name add100 gt element can be called by any field i lt def arg name x gt element in a form def arg name lt add gt lt i gt x lt i gt lt i gt 100 lt i gt lt add gt lt defun gt 141 Table 3 10 Elements that Can Occur within the Form Body Component Definition Example defvar Defines an XPRESS variable thatis lt defvar name nameLength Display Field FieldRef Include FormRef Namespace used to hold the results of a computation Identifies the display components that will define the appearance of the field See the section titled Display Element for more information Main element used within the form body See the section titled Field Element for more informat
257. his is the list of all accessible applications minus the names of the applications that are already assigned to the user through their role The resulting list is convenient for use in forms for assigning private applications Parameters getUnassignedApplications takes the following options Table 4 19 getUnassignedApplications Parameters Parameter Description context Identity Manager context object options current currentRoles conditions See table below Table 4 20 Options Values Option Value current List of current application names The returned list always contains each of these applications regardless of the other options currentRoles List of current role names The returned list will not contain any applications that are assigned through one of these roles unless that application name is on the current list conditions Can be represented as either a Map or List as shown below 279 280 Table 4 21 Possible Values for conditions Parameter Parameter Description lt map gt lt list gt first map entry the name of a queryable attribute supported by this type of object second map entry the value an object of this type must have for the associated queryable attribute in order to be returned the operator is assumed to be equals If more than one attrname value pair is specified they will be logically and ed together as a list of AttributeCondition objects For e
258. his method return a list of fully qualified DN names. For example, passing in group1, group2 and dc=example,dc=com returns the list cn=group1,dc=example,dc=com and cn=group2,dc=example,dc=com. Parameters: The first variant of this method takes the arguments described in the following table. Table 4-3 buildDns Parameters, First Variant (parameter: description): names: Specifies a list of object names; baseContext: Specifies base context. The second variant of this method takes the three arguments described in the following table. Table 4-4 buildDns Parameters, Second Variant (parameter: description): names: Specifies string containing names that are separated using a delimiter such as a comma or semicolon; delimiter: Specifies delimiter used in this string of names. The delimiter is typically a comma or a period; baseContext: Identifies base context. Return Values: Returns a list of values or strings where each value is of the form CN=<name>,<baseContext>. Examples: Example 1 List buildDns: <invoke name='buildDns' class='com.waveset.ui.FormUtil'> <list> <s>North America</s> <s>Europe</s> </list> <s>ou=marketing,dc=acme,dc=com</s> </invoke> This example returns: <list> <s>CN=North America,ou=marketing,dc=acme,dc=com</s> <s>CN=Europe,ou=marketing,dc=acme,dc=com</s
259. ibutes include the following. Table 5-23 Delegate Approvers View Attributes (Attribute, Editable, Data Type, Required): name List String yes; delegateApproversTo List String yes; delegateApproversSelected List String; delegateApproversStartDate String; delegateApproversEndDate String. name: Identifies the user who is delegating approvals. delegateApproversTo: Specifies to whom the user is delegating approvals, where valid values include manager, selectedUsers, or delegateApproversRule. delegateApproversSelected: • If selectedUsers is the value of delegateApproversRule, lists the selected user names. • If delegatedApproversRule is the value of delegateApproversTo, identifies the selected rule. • If manager is the value of delegateApproversTo, this attribute has no value. delegateApproversStartDate: Specifies the date on which to start approval delegation. By default, the selected start date's hours and minutes are 12:01 am of that day. delegateApproversEndDate: Specifies the date to end approval delegation. By default, the selected end date's hours and minutes are 11:59 pm of that day. Deprovision View: Used to present and select a list of resources to be deprovisioned. Contains one single top-level attribute: resourceAccounts. This attribute contains the following attributes. Table 5-24 resourceAccounts Attributes (Deprovision View)
260. ically implemented as the Identity Manager workflow capability, which comprises multiple processes (workflows) that control creation, update, enabling, disabling, and deletion of user accounts. Most Identity Manager tasks you perform are defined as a set of workflow processes. When you create a user in Identity Manager, for example, the corresponding workflow process defines and conducts activities that: • Check password policies • Send email to approvers • Evaluate the results of each approval • Create user accounts • Create audit records. The Identity Manager Integrated Development Environment allows you to customize each of these activities. Workflows are typically launched as a side effect of checking in a view. Views are checked in when you click Save on a page that implements forms and views. Workflow Processes: Depending upon where you are in the product interface, workflows are referred to as workflows, tasks, process, or TaskDefinitions. Task Definitions: From the Debug page of the Identity Manager Administrator interface, access workflow processes by looking at the list of TaskDefinitions. Select TaskDefinition from the Type menu adjacent to the List Objects button, then click List Objects. Identity Manager displays a list of the TaskDefinitions you have access to. When you customize a workflow, you are editing its TaskDefinition object. The launched instance of a TaskDefini
261. identity users during bulk loads. Specifies an integer that represents the current disabled state: 0 indicates no accounts, 1 indicates some are disabled, 2 indicates all are disabled. Indicates whether the Identity Manager user is disabled or not (true/false). Lists (flattened) all AdminGroups that are assigned to this user. Specifies an integer that represents the current provisioning state: 1 indicates that an update is needed, 2 indicates OK. Lists resource account GUIDs that are assigned to this user account GUID resourceId. Lists resource account IDs that are assigned to this user account Id resourceId. List the roles that are assigned to this user. Lists the resources that are assigned to this user. Supported Operators: • equals or is • notEquals or is not • greaterThan or greater than • greaterThanOrEqualTo or not less than • lessThan or less than • lessThanOrEqualTo or not greater than • startsWith or starts with • endsWith or ends with • contains or contains • isPresent or exists • notPresent • isOneOf or is one of • containsAll. Chapter 5 Identity Manager Views: This chapter introduces Sun Java System Identity Manager views, which are data structures used in Identity Manager. It provides background for views, including an overview of how to implement views with Identity Manager wor
262. iew attributes which are prefixed by orgPolicies lt type gt lt type gt represents policy type for example Lighthouse account e policyName Specifies name e id Indicates ID e implementation Identifies the class that implements this policy orgAuditPolicies Specifies the audit policies that apply to all member users of this organization renameCreate When set to true clones this organization and creates a new one using the value of orgNewDisplayName renameSaveAs When set to true renames this organization using the value of orgNewDisplayName Identity Manager 7 0 Workflows Forms and Views Directory Junction and Virtual Organization Attributes Table 5 32 Directory Junction and Virtual Organization Attributes Name Editable Data Type Required orgContainerld Read String System generated orgContainerTypes Read List System generated orgContainers Read List System generated orgParentContainerld Read String System generated orgResource Read Write String yes if directory junction or virtual organization orgResourceT ype Read String System generated orgResourceld Read String System generated orgRefreshAllOrgsUserMembers Write String No orgContainerld Specifies the dn of the associated LDAP directory container for example cn foo ou bar o foobar com orgContainerTypes Lists the allowed resource object types that can contain other resource objects orgContainers Lists the base
263. iew Attributes (Attribute: Editable, Data Type, Required): process: Read/Write, String, Yes; taskName: Read/Write, String, Yes; organization: Read/Write, String, Yes; taskDisplay: Read/Write, String, No; description: Read/Write, String, No; execMode: Read/Write, String, No; result: Read/Write, WavesetResult, No; owner: Read/Write, String, No. process: Names the process to launch. This can be the name of a TaskDefinition or TaskTemplate object in Identity Manager. It can also be an abstract process name mapped through the process settings in the System Configuration object. This attribute is required. taskName: Specifies the name given to the TaskInstance object that is created to hold the runtime state of the task. If this attribute is not set, a random name is generated. organization: Names the organization in which to place the TaskInstance. If this attribute is not set, the TaskInstance is placed in Top. taskDisplay: Specifies a display name for the TaskInstance. description: Specifies a descriptive string for the TaskInstance. This string is displayed in the Manage Tasks table in the product interface. execMode: Specifies execution mode. This is typically not specified, in which case the execution mode is determined by the TaskDefinition. Setting this attribute overrides the value in the TaskDefinition. Allowed execMode values are: Table 5-38, execMode Attribute Values, Process View (Value: Description): sync: Specifies syn
264. iew to be created. If this argument is not specified, both the type and ID must be specified. Type and ID can be easier to use from workflows. type (required: no): Specifies the type for the view. id (required: no): Identifies the ID of the object being manipulated in the view. For example, if you are creating a view to manipulate an account object, this would be the accountId. options (required: no): Specifies view-specific options. The values you can pass are specific to the view being used. The most common is the user view. Options can be found in session.UserViewConstants. The simpler views should declare their option constants in the Viewer.java file. Probably the second most common view used from workflow is ProcessViewer, followed by PasswordViewer, DisableViewer, EnableViewer, and RenameViewer. These have comparatively few options. Return Values and Side Effects: If the create is successful, the view will be placed in the variable view. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error. disableUser Session Workflow Service: Disables one or more of a user's resource accounts. There are three ways to disable an account: Set com.waveset.provision.WorkflowServices op disable. See the disableUser Session Workflow Service in this chapter. This is the lowest-level disable method. It is implemented directly by the provisioning engine. No workflow, authorization, or auditing is involved. Set com
265. ifies the HTML display class to which the element belongs. Required: Identifies whether the element is required to process the form. This field must have a non-null value upon submission. When set, results in a red asterisk appearing to the right of the field. Message text at the bottom of the form indicates that the red asterisk denotes fields that must have a value for submission to proceed. Table 3-2, Form Elements (Property: Description), listing the properties Action, No New Row, Hidden, Title, Class, Required. Action: When set, a change causes the page to refresh any Select or MultiSelect controls. In the Identity Manager Administrator Interface, this causes the underlying view to be refreshed. Role selection exemplifies this behavior. When a new role is selected in the Tabbed User Form, the view is refreshed to reflect the resources that are assigned through that role during that edit session. After the view has been refreshed, resource account attributes on those newly assigned resources can be explicitly set. No New Row: Used strictly for form layout. When true, forces the field to appear to the right of the preceding field. For example, Name fields are examples where this is useful, where it is desirable to allow the user to enter the last name, first name, and middle initial from right to left rather than down the page. Hidden: Indicates the field should not be visible to the user. The field is typically used
266. ifies the formatted changes to be logged. Return Values and Side Effects: A WavesetResult object containing the result of the audit. bulkReprovision Provision Workflow Service: The method executes a set of queries to find all users that match the given conditions. It then iterates over this list and reprovisions the users one at a time. To use this method to support automatic reprovisioning on every role update, add the following field to the Role form: <Field name='processInputs.reprovision'> <Expansion> <s>true</s> </Expansion> </Field> Table 2-31, bulkReprovision Method Arguments (Parameter: Description): role: Specifies role name; roles: Lists role names; organization: Specifies name of organization; organizations: Lists organization names; conditions: Provides a map of query options suitable for LighthouseContext.listObjects; options: Specifies provisioning options, for example, targets and fetches; maxErrors: Specifies the maximum number of errors to tolerate before halting processing. Return Values: successes: Identifies users that were successfully reprovisioned; failures: Identifies users that could not be fully reprovisioned. authenticateUserCredentials Provision Workflow Service: Authenticates the user against the resource using the password. Table 2-32, authenticateUserCredentials Method Arguments
267. ime computations 37 End User Form 123 End User Menu Form 120 eq function 470 expansion element field 159 expansion statement 208 expressions 445 in XPRESS 447 testing 456 F fields See forms fields FileUpload display component 566 filterdup function 501 filternull function 502 Find Objects view 368 findUser workflow service 65 form generator 314 forms adding links 207 behavior 124 calculating values 225 591 Section 592 calendar icon 204 calling resource methods 174 component position 207 components body 141 footer 146 header 140 overview 140 Create User 238 customization overview 128 customizing 127 derivation and expansion rules 208 display elements 178 Edit User 238 editing 117 178 evaluation 125 fields calculating default values 449 calculating values 162 components 146 defining 147 defining names 148 deriving values 165 451 disabling 161 225 display properties 151 generating values 453 hiding 162 225 optimizing expressions 170 recalculating 168 visibility 448 guidance help 228 hash maps 224 hidden components 207 integration with user view 314 integration with views 311 Javascript 233 lists 186 overview 114 pages that use 118 referencing fields 176 referencing other forms 175 sample 116 118 249 250 scalable 238 239 240 243 section heading 204 structure 138 structuring guidelines 169 system names mapped to form names 583 Identity Manager 7 0 Workflows Forms and View
268. in a logically true value. Example 1: The following expression returns null, which is logically false: <or> <i>0</i> <i>0</i> </or> Example 2: The following expression returns the string cat, which is also logically true: <or> <i>0</i> <s>cat</s> </or> notnull Function: Takes one argument. This function returns 0 (null argument) or 1 (non-null argument). Example 1: The value of the following expression is 1 if the firstname has been set, or 0 (zero) if firstname is null: <notnull> <ref>firstname</ref> </notnull> Example 2: The value of the following expression is 0 because the value is null: <notnull> <null/> </notnull> String Manipulation Expressions: Use the following functions to perform string manipulation within expressions. indexOf Function: Returns the position of a string within another string. Example: The following function returns 3: <indexOf> <s>Austin City Limits</s> <s>tin</s> </indexOf> concat Function: Concatenates two or more string values. Example: The following expression returns <s>Now is the time</s>: <concat> <s>Now</s> <s>is</s> <s>the</s> <s>time</s> </concat> Identity Manager 7 0 Workf
269. in order for the workflow to be resumed. It is typically set by a hidden field in response to pressing button fields with labels such as Approve and Reject. The variables attribute contains an object whose values are copies of variables from the workflow task. One of the most common workflow variables used in work items is user, which contains a user view. For example, to reference the global email attribute from a work item form, use the following path expression: variables.user.global.email This differs from attribute paths used in a standard user form. First, the entire view is stored in a workflow variable named user, which results in the user prefix being required in the attribute path. Next, the workflow variables are stored under the variables attribute in the Work Item view, which results in an additional variables prefix being required in the attribute path. Because of this nesting of the user view attributes, you cannot use a standard user form with the Work Item view without modification. However, you can define a work item form that references the user form with the base context option. Example: <Form name='WorkItemForm'> <Include> <ObjectRef type='UserForm' name='Default User Form'/> </Include> <FormRef name='Default User Form' baseContext='variables.user'/> </Form> NOTE: Although in practice the work item form requires additional fi
270. in the break expression. cond Function: Provides a way to conditionally select the value of one of two expressions. It is similar to the ternary conditional operator (a ? b : c) in C and Java. Example: The cond function allows three arguments. The first argument is called the condition. If the value of the condition is logically true, the value of the cond will be the value of the second argument. If the value of the condition is false, the value of the cond will be the value of the third argument. If the value of the condition is false and the third argument is not present, the value of the cond is null. <cond> <gt> <ref>age</ref> <i>40</i> </gt> <s>old</s> <s>young</s> </cond> dolist Function: Iterates over the elements of a list. The value of the name attribute will become the name of a variable that can be referenced within the loop. The value of this variable will be the value of successive list elements. The first subexpression returns the list over which to loop. The remaining subexpressions are repeated once for each element in the list. The value of the dolist function is a list formed by concatenating the values returned by the last subexpression in each iteration. Example 1: The following expression creates a list called subset, which contains the subset of elements in srclist that exceed 10
271. in the error 66 Identity Manager 7 0 Workflows Forms and Views getProperty Session Workflow Service Obtains a property value from an Identity Manager object Identity Manager makes sure that the administrator that launched the workflow is authorized to view the object Table 2 15 getProperty Method Arguments Name Required Valid Values Description name yes getObject Identifies the name of the object whose property is to be retrieved propertyName no see Type Identifies the name of the property to obtain from Names the object If no propertyName is given the service has no effect or return Return Values and Side Effects If the propertyName is found on the object the property s value will be placed in the variable propertyValue If any error occurs including administrator not being authorized to view the object VWF _ACTION_ERROR will be true and the WavesetResult will contain the error 67 68 getResourceObject Session Workflow Service Retrieves a resource object specified by type and ID from the specified resource Table 2 16 getResourceObject Method Arguments Name Required Valid Values Description resourceld yes Specifies a valid resource object objectType no see Type Names Specifies a valid object type defined in the resource s lt ObjectType gt section objectld Identifies a valid fully qualified object identifier on this resource for example dn options Controls the behavior of th
272. in workflow trace. An unspecified or 0 value generates the most detail. The default is 1. validationLevel: Identifies the level of strictness that is applied when validating workflows prior to running them. Errors of this level or greater will result in the workflow not being run. Valid values are CRITICAL, ERROR, WARNING, or NONE, where NONE turns off validation completely. The default is CRITICAL. Synchronize User Password Workflow: Used by the PasswordSync application to synchronize user passwords. Called by the JMS Listener adapter, this workflow takes each request sent by the adapter and checks out, then subsequently checks in, the Change User Password view. After the workflow has completed check-in, the workflow by default launches a confirmation email to the user specifying whether the check-in passed or failed. Variables: The Synchronize User Password workflow contains the following variables. IDMAccountId: Specifies the Identity Manager Account ID that was resolved by the message mapper. Null indicates that the user was not found in Identity Manager. password: Identifies the password that should be synchronized to all resources. sourceResource: Identifies the name of the resource where the resources account was found in Identity Manager. userEmail: Specifies the email address of the user. This value is derived either from Active Directory. If null, this is the email address stored in Identity Manager. Pas
273. ine GEN Related Documentation and Help: Sun Microsystems provides additional documentation and information to help you install, use, and configure Identity Manager. Identity Manager Installation: Step-by-step instructions and reference information to help you install and configure Identity Manager and associated software. Identity Manager Upgrade: Step-by-step instructions and reference information to help you upgrade and configure Identity Manager and associated software. Identity Manager Administration: Procedures, tutorials, and examples that describe how to use Identity Manager to provide secure user access to your enterprise information systems. Identity Manager Deployment Tools: Reference and procedural information that describes how to use different Identity Manager deployment tools. This information addresses rules and rules libraries, common tasks and processes, dictionary support, and the SOAP-based web service interface provided by the Identity Manager server. Identity Manager Technical Deployment Overview: Conceptual overview of the Identity Manager product (including object architectures) with an introduction to basic product components. Identity Manager Resources Reference: Reference and procedural information that describes how to load and synchronize account information from a resource into Sun Java System Identity Manager. Identity Manager Tuning, Troubleshooting, and Error Messages: Ref
274. ine which organizations should have access to the associated audit event record when available for future analysis and reporting. <resourceobjectType>.attrstoget: List of object type-specific attributes to return when requesting an object with the checkoutView or getView methods. <resourceobjectType>.searchContext: Specifies the context used to search for non-fully qualified names in resources with hierarchical namespaces. <resourceobjectType>.searchAttributes: Lists the resource object type-specific attribute names that will be used to search within the specified searchContext for names of resources with hierarchical namespaces. <resourceobjectType>.searchTimelimit: Specifies the maximum time spent searching for a name input to a form (if supported by the resource). Role View: Used to define Identity Manager role objects. When checked in, this view launches the Manage Role workflow. By default, this workflow simply commits the view changes to the repository, but it also provides hooks for approvals and other customizations. The following table lists the high-level attributes of this view. Table 5-61, Role View Attributes (Attribute: Editable, Data Type, Required): name: Read/Write, String, Yes; resources: Read/Write, List, No; applications: Read/Write, List, No; roles: Read/Write, List, No; assignedResources: Read/Write, List, No; notifications: Re
275. ing>Manager</String> <String>Director</String> <String>VP</String> </List> </Property> </Display> </Field> Creating a Multiselection List: The <MultiSelect> component displays a multiselection list box. This textbox displays as a two-part object in which a defined set of values in one box can be moved to a selected box. Values for the list box can be supplied by allowedValues elements or obtained dynamically through a method call, such as getResources. Along with the <Select> component, the <MultiSelect> component can dynamically provide a list of items from which to select. These lists are populated by specifying choices within a property called allowedValues or by obtaining values dynamically through a method call to the resource. For information on populating lists within a multiselection entry box, see the section titled Populating Lists. <Field name='waveset.roles'> <Display class='MultiSelect' action='true'> <Property name='title' value='Roles'/> <Property name='availableTitle' value='Available Roles'/> <Property name='selectedTitle' value='Current Roles'/> <Property name='allowedValues'> <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> <s>Role</s> <ref>waveset.original.roles</ref> </invoke> </Property
276. ion Provides a reference to a field defined in an included form Provides a reference to another form object Once included in the current form the fields defined in the form can be referenced and displayed Provides a reference to another form object Provides a way to define a shortcut to a view The shortened name can then be used in field names and references instead of the longer name When using the name substitution use a colon following the name lt length gt lt ref gt fullname lt ref gt lt length gt lt defvar gt lt Display class LinkForm gt lt Property name title value User Self Service gt lt Property name subtitle value Select one of th following options gt lt Display gt lt Field name fullname gt lt FieldRef name fieldName gt lt Include gt lt ObjectRef type UserForm id ID UserForm UserFormLibrar y gt lt Include gt lt FormRef name formName gt lt Namespace name w value waveset gt 142 Identity Manager 7 0 Workflows Forms and Views Form Element The lt Form gt element must surround all Field elements and contains the unique name of the form The elements listed on the previous page are contained within the beginning and ending Form tags lt Form name Create User Form lt Field name waveset accountId gt additional fields lt Form gt Additional example lt Form name Task Launch F
277. ion provides an overview of the reference and procedural information you will use to customize Sun Java System Identity Manager for your environment. Who Should Use This Book: Sun Java System Identity Manager Workflows, Forms, and Views was designed for deployers and administrators who will create and update workflows, views, rules, system configurations, and other configuration files necessary to customize Identity Manager for a customer installation during different phases of product deployment. Deployers should have a background in programming and should be comfortable with XML, Java, Emacs and/or IDEs such as Eclipse or NetBeans. How This Book Is Organized: Identity Manager Workflows, Forms, and Views is organized into these chapters. Chapter 1, Identity Manager Workflow: Describes the Sun Java System Identity Manager (Identity Manager) workflow. Chapter 2, Workflow Services: Describes the Sun Java System Identity Manager workflow services that are available to implementers who modify or create custom workflows. Chapter 3, Identity Manager Forms: Describes how to customize the appearance and behavior of selected pages in Identity Manager Administrator and User Interfaces by customizing the forms that define these pages. Chapter 4, FormUtil Methods: Describes the most used FormUtil methods. Chapter 5, XPRESS Language: Introduces the basic features of XPRESS, an XML-bas
278. is 1 Copy the Tabbed User Form and rename it for example lt CompanyName gt tabbedUserForm 2 In your Web browser address line type this URL and then press Enter http ApplicationServerHost Port idm debug 3 After you authenticate Identity Manager displays the System Settings page 4 Select the UserForm option from the Type list and then click List Objects 5 Click Edit next to the lt CompanyName gt t abbedUserForm or the main form you created 6 Change the includes area of the form to add each sample form shown in the following example in bold text lt Include gt lt ObjectRef type UserForm id ID UserForm UserformLibrary name UserForm Library gt lt ObjectRef type UserForm name UserFormName gt lt Include gt Values for UserFormName can be o ACF2 User Form 247 248 O O AIX User Form Exchange55 User Form HP UX User Form LDAP Active Sync User Form Netegrity Siteminder Admin Form Netegrity Siteminder LDAP User Form Netegrity Siteminder ExampleTable User Form NDS User Form NT User Form Open Networks User Form OS400 User Form Oracle ERP User Form RACF User Form RSA ClearTrust User Form SecurID User Form Skeleton Database Active Sync User Form Solaris User Form Tivoli Access Manager Top Secret User Form Global Attributes vitalStatform xml Continue with the next section before saving the form Step 4 Update the Tabbed User Form Add the Form A
279. is available to 352 Identity Manager 7 0 Workflows Forms and Views Change User Answers View Used to change an existing user s authentication answers for one or more login interfaces Contains two high level attributes Table 5 19 Change User Answers View Attributes Attribute Editable Data Type Required questions List loginInterface String questions Describes the question Contains the following attributes Table 5 20 questions Attributes Change User Answers View Attribute Data Type Required qid String question String answer String answerObfuscated Boolean qid Uniquely identifies a question that is used to associate this question with one defined in the policy question Specifies the question string as defined in the policy answer Specifies the user s answer if specified associated with the value of gid 353 354 answerObfuscated Specifies whether the answer is displayed or encrypted loginInterface Identifies the login interface with which this question is associated Its value is a unique message catalog key for each login interface Contains the following attributes Table 5 21 loginInterface Attributes Change User Answers View Attribute Data Type Required name String questionPolicy String questionCount String name Identifies the name of the login interface that the question is associated with Valid values include e ULLOGIN CONFIG DISPLAY NAME
280. is page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed. accountId: Specifies the identity of the resource account. exists: Indicates whether the account already exists on the resource or not (only in currentResourceAccounts). disabled: Indicates whether the account is currently disabled or enabled (only in currentResourceAccount). authenticator: Indicates whether the account is one that the user is configured to log in. directlyAssigned: If true, indicates that the account is directly assigned to the user. A value of false indicates that the account is indirectly assigned by a role or application. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources. See Setting View Options in Forms in this chapter for more information. Disable View: Used to disable accounts on the Identity Manager user. This view is often used in custom workflows. resourceAccounts: Represents the top-level attribute when accessing attributes in this view. Table 5-26, Attributes of resourceAccounts Attribute
281. ision 102 Identity Manager 7 0 Workflows Forms and Views questionLock Provision Workflow Service Locks the user but does not set a lock expiration time or date A user who is locked with this service can be explicitly unlocked by an administrator who has the Unlock User capability If an administrator does not unlock this user his account is automatically unlocked the next time the user s password is changed or reset While a user is locked by this service he can still log in by any other Identity Manager application interface except the Forgot My Password page By default the questionLock service is called by the Failure activity of the Question Login process which is invoked when the number of failed question login attempts exceeds those allowed by the user s Lighthouse Account Policy Return Values and Side Effects Returns null 103 104 reject Provision Workflow Service Records the rejection of a resource account Table 2 45 reject Method Arguments Name Required Description Valid Values op yes reject user waveset accountld yes Identifies the name of the Identity Manager user or accountld to reject options no Map Indicates the options to specify provisioning characteristics See the javadocs for com waveset provision ProvisioningOpt ions Return Values and Side Effects A WavesetResult object containing the result of the rejection Identity Manager 7 0 Workflows Forms and Views reProvisio
282. isplay.session</ref> </invoke> Getting a List of Organizations with Prefixes: To get a list of organizations with prefixes (for example TOP TOP IT TOP HR), use the getOrganizationsWithPrefixes method. Example: <invoke name='getOrganizationsWithPrefixes' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> </invoke> Getting a List of Organizations without Prefixes: To retrieve a list of organizations without prefixes (for example TOP TOP TOP), use the getOrganizations method. Example: <invoke name='getOrganizations' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> </invoke> Getting a List of Organizations Display Names with Prefixes: To retrieve a list of organization display names with prefixes, use the getOrganizationsDisplayNamesWithPrefixes method. <invoke name='getOrganizationsDisplayNamesWithPrefixes' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> </invoke> Retrieving a List of Applications Unassigned to the User: To get a list of applications to which the user is not currently assigned, use the getUnassignedApplications method. Example: <invoke name='getUnassignedApplications' class='com.waveset.ui.FormUtil'> <ref>:display.session</ref> <ref>waveset.roles</ref> <ref>waveset.original.applications</ref
283. ists; null: object does not exist. testUser Method: testUser(LighthouseContext s, String id) Description: Tests to see if a specified user exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree. Table 4-30, testUser Parameters (Parameter: Description): s: Identifies a valid Identity Manager session, typically referred to in forms as <ref>:display.session</ref>; id: Identifies the user by either name or ID. This parameter cannot be null. Return Values: This method returns true: user exists; null: user does not exist. hasCapability Method: hasCapability(LighthouseContext s, String capability) throws WavesetException Description: Checks to see if the user has a specified capability (String). This method checks for a capability that is assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value. Table 4-31, hasCapability Parameters (Parameter: Description): s; capabilities: Identifies the capability that will be queried for. Return Values: true: Indicates that the currently authenticated Identity Manager user has the specified capability; false: Indicates that the current user does not have
284. itable, Data Type, Required. id: Read, String. Table 5-70, WorkItem View Attributes (Attribute: Editable, Data Type, Required): name: Read, String; taskId: Read, String; taskName: Read, String; processName: Read, String; activityName: Read, String; description: Read/Write, String; owner: Read/Write, String; complete: Read/Write, Boolean; variables; workItem. id: Identifies the repository ID of the WorkItem object. Typically generated by Identity Manager and not displayed. name: Identifies the repository name of the WorkItem object. taskId: Identifies the repository ID of the workflow TaskInstance. This attribute is used by the system to correlate the work item with the workflow task and must not be changed. taskName: Identifies the repository name of the workflow TaskInstance. This name is typically set to an informative value and can be displayed. Do not modify it. A typical example task name for a user update would be Updating User jdoe. processName: Identifies the name of the workflow process definition that contains the manual action. activityName: Specifies the name of the workflow activity that contains the manual action. description: Contains a textual description of the work item. Its contents are defined by the workflow process definition. The description is typically displayed in tables that summarize the work items for a user and is often displayed in a wor
285. ition condition returns true. In this example, the first transition has a condition that tests the value of the variable ERROR_COUNT to see if it is greater than zero. That transition is taken only if there is a positive error count. The second transition has no condition and consequently will always be taken if the first transition condition is false. Workflow Actions: A workflow activity can perform one or more actions. One possible action is the evaluation of an XPRESS expression, as shown in the example below. <Activity name='Increment Counter'> <Action> <expression> <set name='counter'> <add> <ref>counter</ref> <i>1</i> </add> </set> </expression> </Action> <Transition to='Next'/> </Activity> When a workflow action is implemented in XPRESS, an XPRESS expression is wrapped in an expression element that is then placed within an Action element. In this example, the expression references the current value of a variable named counter, adds one to that value, then assigns the incremented value to the variable with the same name. Invoking Java Methods from Workflow Actions: Complex workflow actions can be implemented in Java. Typical examples of complex workflow actions include storing data in a relational database or sending a message to a help desk system. These Java classes
286. itions properties that can be set on the user. Obtaining a List of Resource Object Names: To obtain a list of object names defined for your particular resource, use the listResourceObjects method. You can obtain a list with or without map options. Map options are used only on resources that have a directory structure that permits the filtering of returned values to a single container instead of returning the complete list. To ensure that you get the resource object list from the resource and not from the server's cache, first invoke the clearResourceObjectListCache method or set the cacheList argument to false. However, using the cache improves performance on large lists. The resource is contacted only once, and the results are stored on the cache. Consequently, Sun recommends using the cache. In addition, you can specify a set of one or more key string/value pairs that are specific to the resource from which the object list is being requested. The following table lists the object types that are supported by each resource. Table 3-17, Supported Object Types (Resource: Supported Object Types): AIX: account, Group; ACF2: account; ClearTrust: account, Group, group, Administrator_Groups, Applications, Entitlements, User_Properties; Entrust: Group, Role; Exchange5.5: groupofNames; GroupWise: account, Distribution Lists, PostOffices; HP-UX: account, Group, shell; LDAP: account, Group
287. ity Manager creates this MetaView object to store meta view identity attribute information in the Identity Manager repository. For each Identity attribute that is defined, there is an attribute in the metaView namespace that contains the value of this attribute. For example, for the firstname, lastname, and waveset.roles Identity attributes, the User view has corresponding attributes called metaView.firstname, metaView.lastname, and metaView.waveset.roles that contain the calculated values for each of these attributes. When populating a User view for Reconciliation, Load from Resource, or Load from File, the Meta view supports loading only the resource account data from the resources assigned to an Identity Manager user that are also targets sourced from the resource being loaded (therefore subject to being changed). The Identity Manager user's operational attributes that don't affect accounts (for example, account ID and organization) are always in the view, as are user extended attributes such as firstname and lastname. For more information, see Working with Attributes in the Identity Manager Technical Deployment Overview. Introduction: Like all views, the user view is implemented as a GenericObject that contains a set of attributes. The values of the attributes in the root object are themselves GenericObjects. Attributes can be nested. The user view contains the attributes described in the following table, which are
288. ity Manager session, typically referred to in forms as <ref>:display.session</ref>. options: pathprefixes, excluded, current, filterVirtual, conditions, scopingOrg. See table below. Table 4-11 Option Values (Option: Value): pathPrefixes: true: the list of returned handles contains organization paths; false: the list of returned handles contains display names; not true, unsupplied: the handle type defaults to the system configuration useOrganizationsDisplaynames setting. If your installation of Identity Manager has duplicate organization names, use paths. excluded: Identifies organizations that will not be included in the return valueMap. current: If a list of organization names is passed in for this argument, the return list includes these extra organizations. If you are requesting paths, this should be a list of paths. If you are requesting display names, it should be a list of display names. conditions: See Additional Options. scopingOrg: See Additional Options. filterVirtual: If this argument is true in the options map, the return valueMap will not contain any virtual organizations. Version-Specific Behavior: This method behaves differently depending upon whether you have installed the v3.1x version or later releases of Identity Manager. The 3.1.x version of this method does not support multiple organizations with the same name. Version 4.x and greater of this prod
289. ity Manager user interface. waveset.email: Specifies the email address stored for a user in the Identity Manager repository. Typically, it is the same email address that is propagated to the resource accounts. Modifications to this attribute apply to the Identity Manager repository only. If you want to synchronize email values across resources, you must use the global.email attribute. You can modify this attribute. waveset.exclusions: Lists the names of the resources that will be excluded from provisioning, even if the resource is assigned to the user through a role, resource group, or directly. waveset.id: Identifies the repository ID of the Identity Manager user object. Once the user has been created in Identity Manager, this value is non-null. You can test this value to see if the user is being created or edited. This attribute is tested with logic in the form. You can use it to customize the displayed fields depending on whether a new user is being created (waveset.id is null) or an existing user account is being edited (waveset.id is non-null). Example: The following example shows an XPRESS statement that tests to see if waveset.id is null: <isnull> <ref>waveset.id</ref> </isnull> waveset.lastModDate: Contains the date at which the last modification was made. It represents the date by the number of milliseconds since midnight January 1970 GMT. This at
290. ive number: value of the first argument is lexically less than the second; positive number: first argument is lexically greater than the second; 0 (zero): arguments are equal. Arguments are coerced to strings, if necessary. Example 1: The following expression returns 1. <cmp> <i>20</i> <i>100</i> </cmp> Example 2: The following expression returns -16. This expression returns a number that indicates the difference between the letters r and b when presented in alphabetical order. Since there are 16 letters between the letters b and r, when bob is compared to ray, the value is -16. Alternatively, if r were compared to b, the value returned would be 16. <cmp> <s>bob</s> <s>ray</s> </cmp> Example 3: The following expression returns 0 (zero). <cmp> <s>daryl</s> <s>daryl</s> </cmp> eq Function: Performs an equality test. The function can take multiple arguments, although typically it has only two. The data type of the first argument defines how the equality test is performed. If the first argument is of type: string: all subsequent arguments are coerced to strings and string comparison is performed; integer: all subsequent arguments are coerced to integers and numeric comparison is performed; object: all subsequent arguments must be of type object and they must reference the same object
292. jectType: yes. Identifies the name of a valid object class for this specified resourceId. If null, the method returns objects of all object types as defined by the specified res d found within the specified search container, the scope, and the specified search filter. resourceId: no. Identifies a single resourceId. This value is derived from the named resource. If this is null, the method looks for resourceIdsList argument. resourceIdList: yes. Lists resourceIds. These IDs are derived from the named resources. This is only used if the resourceId argument is null (undefined). options: no. Indicates a map of options that control the behavior of the search. Options are described in the following table. Table 2-20 Option Values for listResourceObjects Method (Option: Description): searchContext: Specifies the context within which to perform the search. If not specified, the method attempts to get a value from RA_BASE CONTEXT. If no value is available in RA_BASE CONTEXT, the method searches from the logical top. searchFilter: Optional, in LDAP search filter format as specified in RFC 1558, of one or more object <attr name> <condition> <value> tuples, either and'ed or or'ed together. If not specified, a filter will be constructed using the specified objectType. searchScope searchTimeLimit searchAttrsToGet runAsUser
293. k item form. owner: Identifies the name of the current Identity Manager administrator or user that created the workflow process. This attribute is typically the name of an Identity Manager user. If this work item is assigned to an anonymous user, the name will have the prefix Temp. complete: Set to true when the manual action has completed and the workflow is to be resumed. Assignment of the complete attribute must be performed in the Work Item form. You can edit this Boolean value. variables: Contains another object whose attributes contain copies of variables from the workflow task. By default, every workflow variable that is in scope when the manual action is activated is copied into the work item. This can be controlled with the Exposed Variables and Editable Variables options in the process definition. Most work item forms display information found under the variables attribute. See the section Using the variables Attribute later in this chapter for more information on using this attribute. workItem: Specifies additional information about the work item. Contains the following attributes. views: Contains a list of workflow variables whose values are views. The system uses this attribute to cause view-specific refresh operations when the work item view is refreshed. Do not change this value. related: Contains a list of attributes that describe the specified work item. Table 5-71 Subattributes of the workItem relat
294. Use of this attribute can improve performance in cases where many Identity Manager repository objects of the specified type exist. results: If the value of attrsToGet is null, the value of result is a list of object names that match the specified attribute condition. If the value of attrsToGet is non-null, results is a list of objects that matched the specified attrConditions, where each object consists of: columns: Lists displayable column names that match the requested attrsToGet; rows: Lists row objects named from 0 to the number of rows (for example, 10); row: Lists objects that consist of a name from 0 to the number of columns (for example, 6) and a value for that row's column. sortColumn: (Optional) Indicates the value of the column to sort the results on. Defaults to 0 if not specified. You can override the default by specifying a value for result SortColumn in either the default section or the objectType-specific section of the sample findObjectsDefaults.xml configuration file. selectEnable: (Optional) Specifies whether more than one result row can be selected simultaneously. A value of true indicates that more than one result row can be selected. The default is false. The default can be overridden by specifying a value for result SelectEnable in either the default section or the objectType-specific section of the sample findObjectsDefaults.xml configuration file. O
295. kflows and forms, as well as reference information. Topics in this Chapter: This chapter is organized into the following sections: Understanding Identity Manager Views; Understanding the User View; Common Views; View Options; Deferred Attributes; Extending Views. Related Chapters: Identity Manager Forms: Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes. Understanding Identity Manager Views: An Identity Manager view is a collection of attributes that is assembled from one or more objects managed by Identity Manager. Views are transient, dynamic, and not stored in the repository. The data in a view can change if the view is refreshed to reflect a new role or resource assignment. If you are using Identity Manager, you will encounter views primarily in forms and workflows. An Identity Manager form is an object that describes how to display view attributes in a browser for editing. The form can also contain the rules by which hidden attributes are calculated from the displayed attributes. A workflow process is a logical, repeatable series of activities during which documents, information, or tasks are passed from one participant to another for action, according to a set of procedural rules. When working with views, it helps to first understand: general view concepts; how views are used in Identity Manager; frequ
297. ks> <Extension> <List> <List> <String>End User Test Process</String> <String>An example end user workflow</String> </List> </List> The Identity Manager User Interface displays a list of self-service processes for selection. This is expected to be a list of lists. The first element of the sublist displays the process name, and the second element describes what the process does. NOTE: Identity Manager re-evaluates this form's <Default> expressions whenever the page is refreshed. You can disable this forced regeneration of the form by adding the doNotRegenerateEndUserMenu property, set to true, on the End User Menu form, as follows: <Properties> <Property name='doNotRegenerateEndUserMenu'> <Boolean>true</Boolean> </Property> </Properties> Anonymous User Menu Form: Anonymous User Menu Form controls the display of the main menu in the Identity Manager User interface when an unknown user logs in. Identity Manager uses the anonymous end user pages for users who are not defined in the system through the process of user self-provisioning. For example
298. l to the attribute name (for example, waveset.original.role). password: Specifies the Identity Manager user password. When the view is first constructed, this attribute does not contain the decrypted user password. Instead, it contains a randomly generated string. The password attribute set contains the attributes described in the following table. Table 5-4 Attributes of the password Attribute, User View (Attribute: Description): password: Identifies the password to be set. confirmPassword: Confirms the password to be set. The password should match the value of password.password. targets: Specifies a list of resources that can have their password changed. selectAll: Specifies a Boolean flag that signifies that the password should be pushed to all of the resources. accounts: Specifies a list of objects that contains information about each of the resources. This attribute contains two attributes, which are described below. accounts[<resource>].selected: Boolean. When set, indicates that the password should be changed on the resource. accounts[<resource>].expire: Boolean. When set, indicates that the password will expire. This attribute is set to false if the user changes his own password. However, if an administrator changes another user's passwords, the flag is set to t
299. l Options. conditions: See Additional Options. In addition to the supported queryable attribute names for user, you can also use the following pseudo-attributes: userType and similarTo. See the FormUtil javadoc for more information. exclude: Specifies which types of users will be excluded from the returned list. Value can be either administrators or endUsers. administrators: the list of users returned will not contain any users that are either directly or indirectly (via AdminRoles) assigned one or more capabilities and control one or more organizations. endusers: the list returned will include only users directly or indirectly assigned one or more capabilities and controlled organizations. Table 4-27 Options Values (Option: Value): scopingOrg: See Additional Options. listResourceObjects Methods: listResourceObjects(LighthouseContext s, String objectType, List resourceList, Map options, String cacheList) or listResourceObjects(LighthouseContext s, String objectType, List resourceList, Map options, String cacheList, String clearCacheIfExists). The two preceding variants are the same, except that the second method clears the cache. listResourceObjects(String subjectString, String resourceObjectType, List resourceList, Map options, String cacheList) or listResourceObjects(String subjectString, String objectType, String resourcel
300. l expressions; String manipulation expressions; List manipulation expressions; Conditional, iteration, and block expressions; Variable and function definition expressions; Object manipulation expressions; Java and JavaScript expressions; Debugging and testing expressions. Value Constructor Expressions: In XPRESS, literal values are written as text contained within an XML element. The element name is the name of a function, and the literal text is the argument to the function. The following functions are provided for constructing simple atomic data types. i Function: Constructs an integer value. The function takes one argument, which must be literal text. The text should contain only numeric digits and can be optionally preceded by a plus or minus. Example 1: <i>0</i> Example 2: <i>42</i> Example 3: <i>1234</i> list Function: Builds a value of type list by evaluating each of the argument expressions and concatenating the return values. The expression can take multiple arguments. Example: <list> <s>apples</s> <s>oranges</s> <s>wiper blades</s> </list> null Function: Constructs a null value. Example 1: <null/> Example 2: <null></null> s Function: Constructs a string valu
301. le 2-13 findUser Method Arguments (Name, Required, Valid Values, Description): op (required: yes; valid values: findUser). attributeName (required: yes): Identifies the name of the Identity Manager queryable attribute to search for the user on. attributeValue (required: yes; valid values: true, false): Specifies the value of the queryable attribute to search for the user on. Return Values and Side Effects: The accountId of the first user found that contains the given value for the given attribute will be placed in the accountId variable. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error. getObject Session Workflow Service: Returns the Identity Manager object of the given name and type. The administrator that launched the workflow (WF_CASE_OWNER) will be checked to see if it is authorized to get the object. NOTE: Using views is more convenient than using objects. Try using views to view objects. See Identity Manager Views for more information. Table 2-14 getObject Method Arguments (Name, Required, Valid Values, Description): op (required: yes; valid values: getObject). type (required: yes; valid values: see Type Names): Identifies the type of the object that is being fetched from Identity Manager. name (required: yes): Specifies the name of the object that is being fetched from Identity Manager. Return Values and Side Effects: The Identity Manager object with the given type and name will be placed in the object variable. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will conta
302. le 5-59 Attributes of Resource View (Attribute: Description). Attributes of available Attribute: available organizations, available formFieldNames, available metaViewAttributes, available extendedAttributes. approvers: Lists the administrator approvers for this resource. allowedApprovers. allowedApproversIds. organizations: Lists the organizations available to the resource. licensedProducts. Resource Object View: Used when modifying resource objects. All attributes are editable except <resourceobjectType>.oldAttributes, which are used to calculate attribute-level changes for updates. In practice, replace <resourceobjectType> with the lowercase name of a resource-specific object type (for example, group, organizationalunit, organization, or role). Table 5-60 ResourceObject View Attributes (Attribute: Editable, Data Type, Required): resourceType: Read/Write, String; resourceName: Read/Write, String; resourceId: Read/Write, String; objectType: Read/Write, String; objectName: Read/Write, String; objectId: Read/Write, String; requestor: Read/Write, String; attributes: Read/Write, Object; oldAttributes: Read, Object; organization: Read/Write, String; attrstoget: Read/Write, List; searchContext: Read/Write, Object; searchAttributes: Read/Write, List; <resou
303. le expression relatively simple. Do not call a Java class that performs an expensive computation, such as a database lookup. Hiding Fields: When you hide a field, the field (and any fields nested within it) is not displayed on the page, but its value is included in the form processing. To hide a field, specify that a particular field is hidden by not defining a Display property for the field. (This is not conditional.) <Field name='field A'/> Calculating Values: Methods for dynamically calculating values within forms include: Generating field values; Including rules in forms; Including XPRESS statements in a form. Generating Field Values: In some forms, you might want to first display a set of abstract derived fields to the user, then generate a different set of concrete resource account attribute values when the form is submitted. This is known as form expansion. Expanded fields are often used in conjunction with derived fields. Including Rules in Forms: In forms, you typically call a rule to calculate the allowedValues display property or within a <Disable> expression to control field visibility. Within forms, rules could be the most efficient mechanism for storage and reuse of: a list of corporate departments; default values; a list of office buildings. For a comprehensive discussion of rules, see the chapter titled Rules in Identity Manager Deploymen
304. le global trace, set a Waveset.properties file entry named xpress.trace to the value true. If you change the Waveset.properties file while the application server is running, you must either restart the application server or go to the Debug Page and click Reload Properties. To perform block-level trace, wrap the expressions you want to trace in a <block> expression and include the attribute trace='true' in the block start tag: <block trace='true'> <invoke name='getTime' class='java.util.Date'/> </block> or <Default> <block trace='true'> <ref>global.accountId</ref> </block> </Default> Invalid Examples: Do not use the <block> element in the following ways: <block trace='true'> <Field name='field1'> </Field> </block> or <Field name='Field2'> <block trace='true'> <Default> <ref>global.accounts</ref> </Default> </block> </Field> The trace messages include the names of the functions, the values of each argument, and the return values. To turn tracing off for XPRESS, set the xpress.trace value to false and reload the Waveset.properties file. Functions: Identity Manager ships with a library of XPRESS functions that can be used in expressions. These functions are classified into the following categories: Value constructor expressions; Arithmetic expressions; Logica
305. le list. border: Determines the width of the table border. Set to 0 to create invisible borders. noItemsMessage: Specifies the message to display in the table when there are no rows. TabPanel: Use to render a tabbed panel that displays a row of tabs, as shown below. By default, the tabs are aligned horizontally. Properties include: leftTabs: When set to true, aligns tabs along left margin, not along the top (Boolean). border: Draws a border around the main panel under the tabs when set to true (Boolean). renderTabsAsSelect: Renders tabs as a Select drop-down rather than tabs when set to true. This is useful when a form contains many tabs that would cause the browser to scroll horizontally. Do not use in conjunction with aligning the tabs on the left. tabAlignment: Determines the position of the tabs relative to the page content. Valid values include left (default setting), top, right, bottom, center, and middle. <Field name='MainTabs'> <Display class='TabPanel'> <Property name='leftTabs' value='false'/> <Property name='tabAlignment' value='left'/> </Display> </Field> Row: Use to create a Panel capable of horizontal alignment. SortingTable: Use to create a table whose contents can be sorted by column header. Child components determine the content of this table. Create one child component per column (defined by the columns property). Columns are typically contained within a Fiel
306. le search criteria to identify one object in the list. Objects in a list typically have a name attribute, which serves to uniquely identify this object among its peers. Path expressions support an implicit reference to an object's name attribute within the index expression. For example: children[hannah].age The preceding path expression obtains the list of objects stored under the children attribute. This list is searched until an object with a name attribute equal to hannah is found. If a matching object is found, the value of the age attribute is returned. The previous example is shorthand for the more general form: children[name=hannah].age Calculating Lists: You can also write path expressions that calculate List values that are not stored in the object. For example: accounts[*].name When an asterisk is found as an index expression, it implies an iteration over each element of the list. The result of the expression is a list that contains the results of applying the remaining path expression to each element of the list. In the previous example, the result would be a list of String objects. The strings would be taken from the name attribute of each object in the accounts list. Path expressions with asterisk are used with the FieldLoop construct in forms to replicate a collection of fields. Account Types and User-Oriented Views: When you assign an account type to a user
307. ll sel inchange return sel inchange true var textField sel form elements textFieldName if textField null return textField value sel value sel selectedIndex 0 sel inchange false setTextFromSelect sel textFieldName </String> </Property> <Property name='noNewRow' value='true'/> </Display> The component has an extended property named script that can contain the JavaScript text. Label: Displays a string of text. Properties for this display component are: value: Defines the text to be displayed. The value can be either a string or a list of strings. When the value is a list, each string in the list is displayed on a separate line. leftPad: Specifies the number of spaces to insert to the left of the label. pad: Specifies the number of spaces to insert to the left and right of the label. rightPad: Specifies the number of spaces to insert to the right of the label. NOTE: If no padding is specified, the default padding is leftPad 2, rightPad 2. <Field> <Display class='Label'> <Property name='title' value='Account ID'/> <Property name='value'> <ref>waveset.accountId</ref> </Property> </Display> </Field> font: Specifies the font style. The value must be one of the styles defined in the styles/style.css file of the Identity M
308. ll be the one specified on the resource. The value can be overridden by specifying it here. If the resource does not support options, the value should be <null/> --> <Map> <MapEntry key='context' value='ou=Austin,ou=Texas,dc=Sun,dc=com'/> </Map> <!-- cacheList: specify true or false whether you would like this list to appear in the Resource Object List Cache --> <s>true</s> </invoke> </Property> </Display> </Field> NOTES: If the resource does not support options, the value of options map should be null. Some resources have options, such as the context that the group is listed in. For example, Active Directory has multiple containers. By default, the container used will be the one specified on the resource. This value can be overridden by specifying it here. Specify the value of cacheList as true or false to designate whether this list should be stored in the Resource Object List Cache. This will cause the method to be run once, and the results are stored on the server. Creating a Text Entry Field in a Selection List: There are some conditions under which you'd like to include an option in a selection list in which the user can enter a value instead of choosing from the list. You can create this feature by implementing the three fields as shown in the following example. This example creates a selection box with the text string Other in it and an adja
309. ller for Active Directory. The format of the value of this field can vary from resource to resource. Resource View: Used when modifying resources. Table 5-58 Resource View Attributes (Attribute: Editable, Data Type, Required): name: Read/Write, String, Yes; adapterClassName: Read/Write, String, Yes; typeString: Read/Write, String, Yes; typeDisplayString: Read/Write, String, Yes; startupType: Read/Write, String, No; organizations: Read/Write, List (Strings), Yes; resourceAttributes: Read/Write, List (Strings), No; displayName: Read, String, No; type: Read, String, No; multivalued: Read, String, No; syncSource: Read/Write, Boolean, No; facets: Read, String, No; description: Read, String, No; noTrim: Read, String, No; accountAttributes: Read/Write, List (Strings), No; identityTemplate: Read/Write, String, No; approvers: Read/Write, List (Strings), No; allowedApprovers: Read, List (Strings), No; allowedApproversIds: Read, List (Strings), No; passwordPolicy: Read/Write, String, No; accountPolicy: Read/Write, String, No; resourcePasswordPolicy: Read/Write, String, No; respolExcludeAccountsRule: Read/Write, String, No; retryMax: Read/Write, Integer, No; retryDelay: Read/Write, Integer, No; retryEmail: Read/Write, String, No; retryEmailThreshold: Read/Write, Integer, No; form: Read, String, No; licensedProducts: Read, List (Strings), No; available MetaViewAttribute: Read, List (Strings)
310. lly calculates an arbitrary value to be used as the value of this field. Whenever a Derivation expression is evaluated, the current field value is replaced. Derivation rules are run when the form is first loaded or data is fetched from one or more resources. <Expansion>: Unconditionally calculates a value for the field. Expansion rules are run whenever the page is recalculated or the form is saved. For all forms except the User view, Expansion rules are run whenever the page is recalculated or the form is saved. For the User view, an <Expansion> tag runs when the user form is first loaded as well. <Validation>: Determines whether a value entered in a form is valid. Validation rules are evaluated whenever the form is submitted. Examples of <Derivation> Statements: The following two examples illustrate the potential use for the Derivation: Example 1: Specifying an authoritative source for a global field; Example 2: Mapping one set of values into another set. Example 1: The following example uses the first value, if defined. If the first value is not defined, then it uses the second value. <Derivation> <or> <ref>accounts[AD].fullname</ref> <ref>accounts[LDAP].fullname</ref> </or> </Derivation> Example 2: The following example of using the <Derivation> element shows a field definition that uses conditional logic to map one set of value
311. logical weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited. DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, United States. All rights reserved. Sun Microsystems, Inc. holds the intellectual property rights relating to the technology incorporated in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the United States and in other countries. THIS PRODUCT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SUN MICROSYSTEMS, INC. ITS USE, DISCLOSURE AND REPRODUCTION ARE PROHIBITED WITHOUT THE PRIOR EXPRESS WRITTEN AUTHORIZATION OF SUN MICROSY
312. lows Forms and Views
downcase Function
Takes a single argument, which is coerced to a string. It returns a copy of the argument with all upper case letters converted to lower case.
Example: The following expression returns <s>abc</s>.
<downcase> <s>ABC</s> </downcase>
ltrim Function
Takes a single argument, which is coerced to a string. It returns a copy of the argument with the leading white space removed.
Example: The following expression returns <s>hello</s>.
<ltrim> <s>hello</s> </ltrim>
match Function
Tests for a substring within a string. Similar to the indexOf function, this function is more convenient to use in conditional expressions. If the substring starts at the first position in the string, indexOf would return 0, which is logically false. This function returns:
• 0: substring is not found
• 1: substring is found
Example: The following expression returns 1.
<match> <s>Austin City Limits</s> <s>tin</s> </match>
pad Function
Pads a string with spaces so that it reaches a desired length.
• first argument: the string to pad
• second argument: desired length
• third argument (optional): specifies the pad character, which by default is a space
Example: The following expression results in <s>email</s> <
313. <FieldRef> element to include a specific field from within an external form. Include:
• the name of the form in which the field resides. This form name must be listed in the include section of the form header with the <ObjectRef> element. The property type specifies the name of the form (UserForm) and its unique configuration ID. The name property identifies the name of the field you will later reference.
• the field name itself, inserted in the section of the form that matches the location on the page you would like it to be displayed.
lt Include gt lt ObjectRef type U id ID 04F5F14 name Password lt ObjectRef type U id ID 04F5F14 lt ObjectRef type U E01 Lib E01 id ID UserForm U lt ObjectRef type U lt Include gt ser SOLE sere sert orm 889DFE 2E5C94 F131DD723D 7FE4 rary gt orm 889DFE 2E5C94 F131DD723D 7FE3 name Account Summary Library gt orm serFormLibrary gt Form name Global Attributes gt
In the following example, the field name itself is inserted in the section of the form that matches the location on the page you would like it to be displayed.
<Field name='global.fullname' hidden='true'> <Expansion> <cond> <and> <ref>global.firstname</ref> <ref>global.lastname</ref> </and
314. lt User form to edit a user, all resources that are owned by a user are fetched at the moment an administrator begins editing a user account. In environments where users have accounts on many resources, this potentially time-intensive operation can result in performance degradation. If you are deploying Identity Manager in this type of environment, consider using scalable forms as an alternative to the default Create and Edit User interfaces.
Overview: Scalable Forms
Scalable forms are customized forms that help improve the performance of Identity Manager's Edit and Create User interfaces in environments with many users and resources. This improved performance results from several features, including:
• incremental resource fetching
• selective browsing of a user's resources
• multiple resource editing
Identity Manager provides scalable versions of the default Edit and Create User forms.
Incremental Resource Fetching
Incremental resource fetching describes one method used by the Identity Manager server to directly query a resource for information over a network connection or by other means. Typically, when an administrator edits a user using the default user form, all resources that are owned by a user are fetched at the moment an administrator begins editing a user account. In contrast, the intent behind the design of scalable forms is to limit fetching by fetching only those resources that the administrator wants to view or mo
315. <Waveset> <Configuration name='sampleCustomCatalog'> <Extension> <CustomCatalog id='defaultCustomCatalog' enabled='true'> <MessageSet language='en' country='US'> <Msg id='UI_END_USER_VERSION'>Waveset Lighthouse 4.1 SP2</Msg> </MessageSet> <MessageSet language='es' country='ES' variant='Traditional'> <Msg id='UI_END_USER_VERSION'>Sun Lighthouse 4.1 SP2</Msg> </MessageSet> <MessageSet language='fr'> <Msg id='UI_END_USER_VERSION'>Waveset Lighthouse 4.1 SP2</Msg> </MessageSet> </CustomCatalog> </Extension> </Configuration> </Waveset>
NOTE: To override display of the version number in flyover text, you can replace the UI_END_USER_VERSION message with an empty string.
Other Form-Related Tasks
Miscellaneous form-related tasks include:
• Invoking the FormUtil methods
• Inserting Javascript into a form
• Testing whether a user or object exists
Invoking the FormUtil Methods
The FormUtil class is a collection of utility methods that you can call from XPRESS expressions with form objects. They can be used to populate lists of allowed values and validate input. The FormUtil methods are typically called to assist the definition of the allowed values in a list or field. For a list and description of these methods
316. lue indicates that the task instance will never be removed automatically. However, you can remove it manually.
Using the Default Rename Task
To use the default rename task without customization, include the following action in your workflow:
<Action process='Rename Task'> <Argument name='name' value='New Task Name'/> </Action>
Tracking Workflow Progress
The designated owner of a task can always check on the status of a Workflow task. The owner is usually the person that initiated the task, but ownership can be redefined. Because tasks are objects in the repository, they will also be visible to anyone else with sufficient permissions. Workflow status is typically represented in the Task List State column by the strings executing, pending, creating, and suspended. You can add additional, more informative strings summarizing workflow status to this column display. Implement this feature by adding one of two possible expressions to the WFProcess file.
<WFProcess name='queryRoleTask' maxSteps='0'> <Status> <s>Customized Status</s> </Status> <Activity id='0' name='start'> <Transition to='GetReferencingRoles'/> </Activity> <Activity name='GetReferencingRoles'> <Action id='0'> <expression>
<Status> can be any XPRESS statement that results in a string. For example: <
317. lue of the associated view attribute, which is identified through the field name. Displays a checkbox. When checked, the box represents a value of true. An unselected box represents a false value. Displays a multi-line text entry box. Displays a horizontal list of one or more radio buttons. A user can select only one radio button at a time. If the component value is null or does not match any of the allowed values, no button is selected. Places a link on the page. Displays a button. Refers to a variable that is defined by the view that is used with this form. Displays a multi-line text entry box.
Additional Customization-Related Topics
The following topics are covered in this section:
• Form structure
• Form components
• Defining fields
• Guidelines for structuring a form
Form Structure
Forms are stored as XML objects within the Identity Manager repository. Each form is stored as its own object with the following structure.
NOTE: You do not need to know the XML structure of a form. Identity Manager IDE simplifies working with form structure. This information is supplied for your reference only.
The following stub form illustrates the general structure of a form:
lt xml version 1 0 encoding UTF 8 gt lt DOCTYPE Configuration PUBLIC waveset dtd waveset dtd gt lt id ID UserForm EndUserMenu name End User Menu gt lt Configuration id ID UserForm EndUserMenu name
318. ly for side effect or if it cannot compute a meaningful value from the given arguments. The way a null value is handled depends on the function being passed a null argument. In general, a null value is considered to be logically false and is ignored in arithmetic expressions. Represents references to arbitrary objects that are defined outside the XPRESS language. Represents a string of characters. Since XML syntax is used, strings always use the Unicode character set. A string value can contain no characters. Such a string is considered empty, but it is not null. Some functions treat the values of their arguments as being logically true or false. XPRESS does not use a Boolean data type. Instead, a value of null or an integer value of zero is considered false. Any other value is considered true. Logical functions such as eq that return a Boolean value will return the integer zero to represent false and the integer 1 to represent true.
Chapter 7: XML Object Language
The XML Object Language is a collection of XML elements that you can use to represent common Java objects such as strings, lists, and maps.
Topics in this Chapter
• Understanding XML Object Language
• XML Object Language and Corresponding XPRESS
Related Chapters
• XPRESS Language: You use expressions to include logic in your forms.
Understanding XML Object Language
XML Objects are often used in forms but
319. me='includeRelatedItems' value='true'/> </Properties>
Example: Using the relatedItemAttributes Form Property
You can also request additional attributes with the relatedItemAttributes option. This option can be a CSV string of names or a list of names. You can request the following standard attributes:
• request
• requester
• description
• activityName
If you request an attribute name that is not on this list, Identity Manager assumes that it is an arbitrary workflow variable, and the value will be returned if it exists in the work item. Common variables found in the standard workflows include:
• accountId
• objectType
• objectName
• diagramLabel
Example: Using the includeRelatedItems Form Property
To include the request and description attributes, add these properties to the Approval form:
<Properties> <Property name='includeRelatedItems' value='true'/> <Property name='relatedItemAttributes' value='request,description'/> </Properties>
Example: Using relatedItemFilter Form Property
You can specify the following filter attributes:
Table 5-69 relatedItemFilter Option Values
relatedItemFilter Option | Results of Filtering Values
itemType | Only work items with a matching itemType are returned.
activityName | Only work items created from the same activity are returned.
320. ment is the name of the GenericObject that will be placed on the property list. Generic Object: If this argument takes the form of a Generic Object, the taskDefinition argument is a preconstructed property listObject. Identifies the name of the TaskInstance to create. Specifies the date on which you want the deferred task to run. Indicates the organization in which to put the TaskInstance. Specifies the name of the effective owner of the TaskInstance, used for later management. Specifies optional descriptive text to include with the TaskInstance for the task management page.
Table 2-2 AddDeferredTask Method Arguments
Name | Required | Valid Values | Description
executeOnce | no | | When set to true, indicates that the deferred task will be successfully executed only once. If an error occurs during task execution, the task will continue to be executable by the deferred task scanner until the task completes successfully one time or is removed manually through a call to the removeDeferredTask method.
audit Session Workflow Service
Requests Identity Manager to record an audit event using Identity Manager's audit services. The audit will be logged under the workflow administrator that launched the workflow (WF_CASE_OWNER).
Table 2-3 audit Method Arguments
Name | Required | Valid Values | Description
op | yes | audit |
type | yes | see Type Names | The Identity Manag
321. ment name='doWaveset' value='false'/>
services | no | Specifies the ID of the view to be created. If this argument is not specified, both the type and ID must be specified. Type and ID can be easier to use from workflows.
Return Values and Side Effects
The specified resource accounts are disabled. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.
enableUser Session Workflow Service
Enables one or more of a user's resource accounts.
Table 2-12 enableUser Method Arguments
Name | Required | Valid Values | Description
op | yes | enableUser |
accountId | yes | | Identifies the Identity Manager user to enable accounts for.
doWaveset | no | true/false | If true, the Identity Manager account is enabled for this user. If not supplied, it defaults to true, and the account is enabled.
services | no | | Identifies a list of resources to enable. If this argument is not supplied, all of the user's resource accounts will be enabled.
Return Values and Side Effects
The specified resource accounts are enabled. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.
findUser Session Workflow Service
Finds a user in the Identity Manager repository. This functionality is older than the more flexible query method workflow services. Consider using the query method workflow services. Tab
322. mize End User Form to grant users control over other fields, such as those that handle phone numbers, addresses, and physical office locations. For example, you can add a field through which users can request access to additional NT groups through the Identity Manager pages.
Approval Form
Approval Form controls the information that is presented to a resource, role, or organization owner when he is designated an approver of user requests. By default, this page displays a set of read-only fields that contain the name of the administrator that started the process. It also displays information about the user, including the account ID, role, organization, and email address. This form ensures that the resource owner gets a last chance to change a user value before the user is created. By default, approving a user displays all the user attributes in read-only fields. You can customize Approval Form to:
• Add and remove information about a user.
• Assign the approver the ability to edit this information so that he can modify the information entered on the initial user form.
• Create your own approval forms for different purposes. For example, you can create different approval forms for use when an administrator or resource owner initiates account creation or deletes a user.
How Do Forms Work
Various factors affect how the browser displays a form. However, form behavior within the browser is primarily determined by
323. modified in the browser.
Example:
<Field name='Region'> <Display class='Select' action='true'> <Property name='title' value='Geographic Region'/> <Property name='allowedvalues' value='North, South, Central, Midwest'/> <Property name='nullValue' value='Select a region'/> </Display> </Field>
Guidelines for Structuring a Form
Use the following guidelines when creating the structure of your new form or editing an existing form:
• List field elements in the order in which you want them displayed on the page. The order of the field elements in the form determines the order in which the elements are displayed in the browser.
• Place the referenced field before the field referencing it. If a field has an expression that references a value in another field, place the referencing field after the referenced field.
• Disabled fields are ignored when logically true. If any field defines a Disable expression, it is evaluated. If the result of the Disable expression is logically true, the field will be ignored during form evaluation.
Optimizing Expressions in Form Fields
Some activities performed in forms can call out to resources external to Identity Manager. Accessing these resources can affect Identity Manager performance, especially if the results are long lists of values, for example, compiling a list of groups or email distribution lists. To improve performance during these types of calls, follow th
324. mple 1: The following expression returns 1.
<isnull> <null/> </isnull>
Example 2: The following expression returns 0.
<isnull> <i>0</i> </isnull>
isTrue Function
Used when referencing Boolean values that are represented with the strings true and false rather than the numbers 0 and 1. Takes two arguments. This function returns:
• 0: the argument is logically false (non-zero and non-null), or if the argument is the string false
• 1: the argument is logically true and not the string false
Example: The following expression returns 0.
<isTrue> <s>false</s> </isTrue>
lt Function
Takes two arguments. This function returns:
• 0: first argument is numerically greater than or equal to the second
• 1: first argument is numerically less than the second
Example 1: The following expression returns 0 (zero).
<lt> <i>10</i> <i>5</i> </lt>
Example 2: The following expression returns 1.
<lt> <i>5</i> <i>10</i> </lt>
lte Function
Takes two arguments. This function returns:
• 0: first argument is numerically greater than the second
• 1: first argument is numerically less than or equal to the second
Example:
<lte> <ref>age</ref> <i>42</i>
325. n. Typically, the sort order is determined from the value of each component in the column. There may be cases, however, where the value of the component is not suitable for sorting or may be inefficient to compare. In these cases, you can specify an alternate numeric sorting key.
required
If true, indicates that the field is expected to have a value before the form is submitted. If the component is contained within an EditForm, a red asterisk will be placed after the component to indicate that the user must enter a value before saving. If the required schema map attribute is selected (that is, set to a value of true), the field is always required. The value of the property must be either true or false.
Example:
<Property name='required' value='true'/>
noNewRow
If true, the field displays on the Identity Manager page next to the previous field. If not specified or set to false, the field appears on a new line directly under the previous field. The default value is false. This Boolean property is recognized only if the field is contained in a form that uses the EditForm display class. Typically, EditForm renders each component on a new row, with the titles aligned in the left column and the component in the right column. To conserve space, you can concatenate several components on the same row. If the component also has a title, the title is rendered as non-highlighted text between the previous component and this component
326. n use the authType attribute as follows:
<ManualAction authType='RoleApproval'>
Assigning WorkItem Types
To specify an item type in the ManualAction definition, set the itemType attribute as shown in this example:
<ManualAction itemType='approval'>
Restricting Administrative View Capabilities for WorkItems
Typically, any administrator with the Approver capability is authorized to view all work items in the organizations they control. If you want an administrator to view only a subset of the work items in an organization, follow these steps:
1. Define new authorization types that extend the WorkItem type. For example, define the RoleApproval type.
2. Define new capabilities that have rights on the new authorization types rather than WorkItem itself. For example, define a Role Approver capability that has rights on the RoleApproval type.
3. Assign the Role Approver capability to an administrator rather than the general Approver capability.
4. Set appropriate authorization types in each manual action in your workflows.
Creating Transitions
Transitions define the rules by which an activity moves to one or more other activities. A transition can be conditional, which means that it will be taken only if certain conditions are met. Simple activities can contain only one unconditional transition that is taken as soon as the actions within the activity are complete. Upda
327. n Networks Oracle ERP OS400 User Form RACF User Form SAP RSA ClearTrust SecurID User Form Solaris User Form AIX User Form Exchange55 User Form Active Directory Active Sync AD User Form Domino User Form Group Wise User Form SiteMinderAdminUserForm.xml SiteMinderLDAPUserForm.xml SiteMinderExampleTableUserForm.xml NDSUserForm.xml NTform.xml ONTUserForm.xml OracleERPUserForm.xml OS400UserForm.xml RACFUserForm.xml SAPUserForm.xml ClearTrustUserForm.xml SecurIDUserForm.xml SolarisUserForm.xml AIXUserForm.xml Exchange55UserForm.xml vitalStatform.xml AccessManagerUserForm.xml TopSecretUserForm.xml ACF2UserForm.xml
Using the Sample Forms Library
You can include the sample forms shipped with Identity Manager in any of the forms you are customizing through the use of the <FormRef> element. Follow these general steps to add sample forms to your environment:
Step 1: Import the Rule
Step 2: Import the Form
Step 3: Create a New Form from the Default Form, Add Include References, and Add the Form Reference
Step 1: Import the Rule
Use the Identity Manager Administrator Interface to load the sample rules. To do this:
1. From the Identity Manager menu bar, select Configure > Import Exchange File.
2. Enter the sample file name, or click Browse to locate the file in the idm/sample/rules directory. Sample common rule file names are:
o sample/rules/ListGroups.xml
o s
328. n Provision Workflow Service
Updates an existing Identity Manager account.
Table 2-46 reProvision Method Arguments
Name | Required | Valid Values | Description
op | yes | reProvision |
user | yes | GenericObject | Identifies the GenericObject that contains the view that is to be re-provisioned.
various | no | provisioning options | Indicates the options to specify provisioning characteristics. See the javadocs for com.waveset.provision.ProvisioningOptions.
Return Values and Side Effects
A WavesetResult object containing the result of the reprovision.
runResourceAction Provision Workflow Service
Executes a resource action on the specified resource adapter for a resource. You can specify the resource action either directly using resourceAction or by ID using resourceId. If resourceAction correctly references a resource action, it overrides the ID specified in resourceId. This method does not contain an authorization check. All the rules governing resource actions apply.
Table 2-47 runResourceAction Method Arguments
Name | Required | Valid Values | Description
resourceId: Identifies the resource to use.
resourceAction: Optional. Specifies the resource action to run. This value overrides the ID specified in resourceId.
resourceActionId: Identifies by ID the resource action that the adapter runs.
resourceActionArgs: Provides a map of the arguments that this method should use. These arguments are passed
329. n associated help catalog specified by the form. Specifying a help key causes an icon to appear to the left of the field. Moving the mouse over the icon causes the text referenced in the help catalog to display.
Table 3-5 Form Elements
Form Element | Description
Options Default Derivation Validation Select one or more display options for the field.
Required: An entry or selection in this field is required to process the form.
Button: Causes the field to display in a single, horizontal row at the bottom of the form. Otherwise, it displays on the next line of the form. This is most set with fields that use the display class Button.
Action: When set, a change causes the page to refresh any Select or MultiSelect controls. In the Identity Manager Administrator Interface, this causes the underlying view to be refreshed. Role selection exemplifies this behavior. When a new role is selected in the Tabbed User Form, the view is refreshed to reflect the resources that are assigned through that role during that edit session. After the view has been refreshed, resource account attributes on those newly assigned resources can be explicitly set.
Library: Indicates that a field should only display when it is referenced, rather than when it is declared. This is useful when the order in which fields are evaluated on a form may differ from the order in which they a
330. n populating text areas with lists, see the section titled Populating Lists in this chapter. The following table describes typical list types and the HTML display components used to create them.
Table 3-13 Typical List Types and Associated Display Components
Type of List | HTML Component
Option list that offers mutually exclusive values, such as true and false | <CheckBox>. See the section titled Creating a Checkbox.
Multiple-option list in which users can select only one option | <RadioButton>. See the section titled Creating a Radio Button.
Multiple-option list with many options in which users can select only one option | <Select>. See the section titled Creating a Single-Selection List.
Multiple-option list in which multiple options can be selected simultaneously | <MultiSelect>. See the section titled Creating a Multiselection List.
Creating a Checkbox
Use the <Checkbox> component to display a checkbox. When selected, the box represents a value of true. A cleared box represents a false value. You can change the checkbox name by editing the value of the label property.
Example 1
<Field name='accounts[LDAP].selected'> <Display class='Checkbox'> <Property name='label' value='LDAP'/> </Display> </Field>
Example 2
<Field name='global.Password.Expired'> <Display class='CheckBox'> <Property name='title' value='User must chang
331. n the view is used, with the exception of accountId and resource, as these values are overridden by the view ID. In the case of a get request, view options of the same name as the view attribute (for example, correlator) can be used to specify the view-supplied portion of the request.
NOTE: accountAttributes, when provided as a view option, can be supplied as a WSUser (as returned by resource adapter methods) or as a GenericObject.
Correlation
Table 5-14 Attributes of Correlation Attribute Account Correlation View
Attribute | Editable | Data Type | Required
accountId | Read | String | Yes
accountGUID | Read/Write | String | No, unless accountId and resource cannot clearly identify the resource
resource | Read | String | Yes
accountAttributes | Read/Write | String |
correlator | Read/Write | String | No
confirmer | Read/Write | String | No
accountId
Specifies the name of the account to correlate. This is automatically obtained from the view ID.
accountGUID
Specifies the GUID of the account to correlate. Required only if accountId and resource cannot clearly and unambiguously identify the resource.
resource
Specifies the name of the resource where the account resides. This value is automatically obtained from the view ID.
accountAttributes
Specifies the attributes of the account. If present, the vie
332. nager Integrated Development Environment in the Identity Manager Deployment Tools publication: Introduces the Identity Manager Integrated Development Environment (IDE) and describes how to start the tool, set editor options, save, and debug forms.
Understanding Forms
To customize Identity Manager's Web-based user interface appearance and function, you must modify the form associated with the web page you want to edit. The term form can describe both the web page where users enter information and the object that contains rules about how to display data in the view. Throughout this guide, the term form typically refers to the object that contains rules about how to display data in the view. This section covers the following topics:
• What are Forms
• Why Edit Forms
• Identity Manager Pages that Use Forms
• Edited Forms How Do Forms Work
What Are Forms
A form is an object associated with a page that contains rules about how the browser should display user view attributes on that page. Forms can incorporate business logic and are often used to manipulate view data before it is presented to the user. For example, to create a new user account, you use the Create User page, in which you enter information about the new user. This page is generated using an object (a form) in the Identity Manager repository named Tabbed User Form. This form specifies which fields are visible on the Create User page and which HTML form elemen
333. name='size' value='15'/> <Property name='maxLength' value='25'/> </Display> <Disable> <neq> <ref>Title</ref> <s>Other</s> </neq> </Disable> <Derivation> <cond> <eq> <ref>Title</ref> <s>Other</s> </eq> <ref>global.Title</ref> </cond> </Derivation> </Field>
The value of Field is based on the value of the Title field. If the value of this field is set to Other, then the field value is defined by the value of the otherTitle field. Otherwise, it will be the value of the Title field.
<Field name='Title'> <Expansion> <cond> <eq> <ref>global.fieldTitle</ref> <s>Other</s> </eq> <ref>otherTitle</ref> <ref>Title</ref> </cond> </Expansion> </Field>
Filtering the List of Resource Accounts before Display in a Form
You can filter the list of resource accounts before displaying them in a form. By default, no filters are applied, except with the Change Password Form in the User Interface, which preserves the default behavior of filtering disabled accounts from the list displayed to the user. This Exclude filter is defined as a Form property. The filter is a list of one or more AttributeConditions that, when evaluated, determine if a given resource acco
334. nd Views
commentScripts: Indicates whether <script> tags emitted for JavaScript should be enclosed in comments.
title: Specifies the title of the page. Can be a String or Message, but typically is a String.
postUrl: Specifies the URL that Identity Manager posts to when the main form is submitted.
messages: Indicates which informational messages to display.
comments: Indicates the special comments to include. This property is typically used by GenericEditForm and FormConverter when these methods catch exceptions.
focussedFieldName: Specifies the name of the first field to receive focus. Typically null. The value of this property is calculated as the first text field or, if no text fields, the first field.
activeControl: Specifies the name of the last known active form field. String.
InlineAlert
Displays an error, warning, success, or informative alert box. This component is typically located at the top of a page. You can display multiple alerts in a single alert box by defining child components of type InlineAlert$AlertItem. Properties for this display component include:
alertType: Specifies the type of alert to display. This property determines the styles and images to use. Valid values are error, warning, success, and info. The value of this property defaults to info. This property is valid only for InlineAlert.
header: Specifies the title to display for the alert box. This can be either a
335. ndexed by resource name. Table 5-54: currentResourceAccounts Attributes (Reprovision View). Columns: Name, Editable, Data Type. selected, Read/Write, Boolean; name, Read, String; type, Read, String; accountId, Read, String; exists, Read, Boolean; disabled, Read, Boolean; authenticator, Read, Boolean. selected: If set to true, indicates that for a given resource the associated account should be reprovisioned. If the selected account is Lighthouse, the Identity Manager user and all associated resource assignments will be reprovisioned unless they are also selected. However, the associated resource accounts will not be reprovisioned. name: Specifies the name of the resource. This corresponds to the name of a resource object in the Identity Manager repository. type: Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed. accountId: Specifies the identity of the resource account. exists: Indicates whether the account already exists on the resource or not (only in currentResourc
336. nds to the name of a resource object in the Identity Manager repository. type: Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed. accountId: Specifies the identity of the account on this resource, if one has been created. exists: Indicates whether the account already exists on the resource (only in currentResourceAccounts). locked: Indicates whether the account is currently locked or not unlocked. The value of exists indicates whether the account already exists on the resource or not (only in currentResourceAccounts). authenticator: If true, indicates that this resource serves as the pass-through authentication resource for Identity Manager. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all. See Setting View Options in Forms in this chapter for more information. WorkItem View. Used to view and modify Wo
337. nes the state of the checkbox. If the value is logically true, the checkmark appears. Example: <Field name='accounts[NT].passwordExpired'> <Display class='Checkbox'> <Property name='title' value='Password is Expired'/> </Display> </Field> DatePicker. Allows the user to specify a date using an applet that displays a calendar. The field is displayed in the form as a calendar icon. When the icon is clicked, the calendar applet is launched in a separate window. Properties include: format: Specifies the date format to use for displaying the date. This can be a Java-style date formatting string that uses any of the following formatting characters: y, M, or d. This can also be the value iso, specifying ISO format (yyyy-MM-dd), or the value local, specifying a locale-sensitive format (the Java default for the locale). If omitted, the format MM/dd/yyyy will be used. multiField: Indicates whether separate input fields should be displayed for each element of the date. If omitted or false, a single text field will be used for input, expecting properly formatted date text. value: Specifies the date to be highlighted on the calendar as the current date. Date can be parsed from either a Date object or a String object. Example: <Field name='ExpireDate'> <Display class='DatePicker'> <Property name='title' value='Set Password Expire date'/> <Property name='format' val
339. nformation. The following table summarizes these variable namespaces. Table 5-2: Account-Related User View Attributes. Columns: Account-Related Namespace, Description. waveset.accounts: Used internally for difference detection during check-in operations. It contains the starting values for all account attributes. Do not modify this value. accountInfo.accounts: Derived read-only information about the accounts that are linked to the user and their associated resources. Use this attribute in forms, but do not modify. accounts: Stores the read/write copies of the account attributes. Updatable fields should point to this namespace. global: Stores copies of global attributes. Values in this area appear only if the form defines global fields or if you are using the special MissingFields reference. The form determines how global attributes are processed. If you set a global attribute in a workflow, you must also define a global field in the form. Simply depositing a global value in the view is insufficient. Referencing Attributes. Within a form, you can reference attributes in two ways: Use the name attribute of a Field element by adding the complete attribute pathname as follows: <Field name='waveset.accountId'> For more information on setting the Field name element in a form field, see the chapter titled Identity Manager Forms. Reference an attribute from within another field: <Expansion
340. ng table. Table 5-42: Policy Value Settings Attributes (ReconcilePolicy View). Columns: Policy Value Settings, Description. value: Specifies the value of the setting. scope: Identifies the scope from which this setting is derived. Values of scope include Local, ResType, and Default, indicating which level is specifying this policy. For example, a value of SCOPE_LOCAL indicates the value is set at the current policy level. SCOPE_LOCAL: Policy is set at the resource level or current policy level. SCOPE_RESTYPE: Policy is set at the restype or resource type level. SCOPE_GLOBAL: Policy is set at the global level. inheritance: Identifies the policy setting that is inherited at this level. If the scope is not Local, the inheritance will match the effective value. Not present on policy settings at the Default level. Authorization Required. To modify the view, users require Reconcile Administrator Capability. To access the view, users require Reconcile Administrator or Reconcile Request Administrator capabilities. View Attributes. The following table lists the high-level attributes of this view. Table 5-43: ReconcilePolicy View Attributes. Columns: Attribute, Description. scheduling: Contains information about automated scheduling of reconciles. correlation: Contains information about how ownership
341. ns can be implemented using XPRESS. Action expressions can perform simple calculations or call out to Java classes or JavaScript to perform a complex operation. For information on using expressions in workflow scripts or editing forms, see the chapter titled Workflow. Working with Expressions. This section presents examples of some of the more common usages of expressions within Identity Manager, in particular: Controlling field visibility; Calculating default field values; Deriving field values; Generating field values; Workflow transition conditions; Workflow actions; Invoking Java methods from workflow actions. Controlling Field Visibility. A common form design problem requires suppressing the display of certain fields until a particular condition is met. For example, certain resource-specific fields are relevant only when a particular resource is assigned to the user. These fields should be visible only when the resource is assigned. Otherwise, these fields should be hidden from view and not evaluated. The following example illustrates a field definition that uses an expression within the <Disable> element to control the visibility of such a field. <Field name='HomeDirectory'> <Display class='Text'> <Property name='title' value='HomeDirectory'/> </Display> <Disable> <not> <contains> <ref>accountInfo.typeNames<
342. ns</s> </set> This expression results in the following list and returns null: <list> <s>apples</s> <s>oranges</s> <s>wiper</s> <null/> <null/> <s>bassoons</s> </list> Conditional, Iteration, and Block Expressions. Use these functions to perform conditional and block processing within expressions. block Function. Groups more than one expression into a single expression. The value of the block function is the value of its last argument. NOTE: The <set> function does not return a value. If the last line in a block statement involves a set operation, the block statement will not return a value. If you want the block statement to return the value of a variable, use <ref>variable_name</ref> on the last line of the block statement. Example: <block> <s>Hello there</s> <add> <i>100</i> <i>2</i> </add> <i>42</i> </block> The block returns a value of 42, the value of its last argument. For an example of using block with a trace statement, see Debugging and Testing Expressions. break Function. Forces early termination of an expression. A break can be used within the following expressions: block, dolist, while, and, or. The value of the break expression becomes the value of the containing exp
343. ns return. About the XPRESS Language. XPRESS is a functional language that uses syntax based on XML. Every statement in the language is a function call that takes zero or more arguments and returns a value. Identity Manager provides a rich set of built-in functions, and you can also define new functions. XPRESS also supports the invocation of methods on any Java class and the evaluation of JavaScript within an expression. Prefix Notation. The XPRESS language makes no distinction between a function call and what languages such as C refer to as an expression operator. This results in a syntactical style known as prefix notation. Prefix notation differs from the more common infix notation in that the operator of an expression is written first, followed by the operands. For example, consider the following simple logical expression written in C using infix notation: x == 42 If C used prefix notation, the previous statement would be written: == x 42 If C provided no expression operators and instead supplied only functions, the statement could be written as follows: equals(x, 42) Prefix notation is easily understood if you think in terms of calling functions rather than writing expressions. XML Syntax and Example. XPRESS uses an XML syntax that is easy to parse and manipulate and can be embedded naturally in other XML vocabularies used within Identity Manager. The names of the XML elements are the names of functions to be called
344. nstrain the search. cacheList: Specifies the new list that is stored in the server's resourceObjectListCache that is created when the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists. clearCacheIfExists: Indicates that the cache in the server's resourceObjectListCache should be cleared after the method has retrieved the list of resource objects. Return Values. This method returns a list of resource object names of the specified resource object type from the list of resources resourceList of IDs or names. testObject Method. testObject(LighthouseContext s, String typeName, String id) Description. Tests to see if a specified object exists, even if the subject is not authorized to view the object. When launching processes to create new users, use this method to prevent attempts to create duplicate objects by an administrator who cannot see the entire tree. Table 4-29: testObject Parameters. Columns: Parameter, Description. s: Identifies a valid Identity Manager session (typically referred to in forms as <ref>:display.session</ref>). typeName: Specifies the type of object that the method tests for. id: Identifies the object by either name or ID. If an ID is used, the value of typeName is ignored. This parameter cannot be null. Return Values. This method returns true object ex
345. nt. The value of an argument can be specified with the value attribute if it is a simple string. The argument value can also be calculated with an expression by omitting the value attribute and instead writing an expression within the body of the argument element. A <rule> element can also call another rule that dynamically calculates the name of another rule to call. For more information on creating or calling rules in forms and workflows, see the chapter titled Rules. Examples. The following expression returns the employee ID of the designated user: <rule name='getEmployeeId'> <argument name='accountId' value='maurelius'/> </rule> <rule name='getEmployeeId'> <argument name='accountId'> <ref>username</ref> </argument> </rule> The following expression calls another rule that calculates the returned value: <rule> <cond> <eq> <ref>var2</ref> <s>specialCase</s> </eq> <s>Rule2</s> <s>Rule1</s> </cond> <argument name='arg1'> <ref>variable</ref> </argument> </rule> set Function. Changes the value of an existing variable. The behavior of this function depends upon the type of the first argument. The set function takes one of four forms. If the name attribute is specified, the function modifies the value of the
347. ntifies the name of the variable. value: specifies the value to assign to the variable. Example: <setvar> <ref>var</ref> <s>text</s> </setvar> instanceOf. Identifies whether an object is an instance of the type specified in the name parameter. name: identifies the object type you are checking against. This function returns 1 or 0 (true or false) depending on whether the sub-expression object is an instance of the type specified in the name parameter. Example: The following expression returns 1 because ArrayList is a List. <instanceof name='List'> <new class='java.util.ArrayList'/> </instanceof> Java and JavaScript Expressions. Use the following functions to call and manipulate Java classes or JavaScript functions from within expressions. invoke Function. Invokes a method on a Java object or class. To call a method on a Java object, the first argument specifies the Java object and the remaining arguments are passed as arguments to the method. The method name is specified with the name XML attribute. To call a static class method, the Java class name is specified with the class XML attribute. All arguments are passed as arguments to the class method. To use this function, you must be familiar with the class and method names you want to call, the arguments they take, and the method's actions. This function is fre
348. nts. waveset.roles (Read/Write, String); waveset.serverId (Read/Write, String). waveset.accountId: Specifies the visible name of the Identity Manager user object. It must be set during user creation. Once the user has been created, modifications to this attribute will trigger the renaming of the Identity Manager account. For information on renaming a user, see Identity Manager Administration. waveset.applications: Contains a list of the names of each application (also called resource group in the Identity Manager user interface) assigned directly to the user. This does not include applications that are assigned to a user through a role. waveset.attributes: Collection of arbitrary attributes that is stored with the WSUser in the Identity Manager repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways: waveset.attributes.fullname or accounts[Lighthouse].fullname You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the attribute is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record
349. nvoked method. <invoke name='printTheMap'> <ref>mapPrinter</ref> <Map> </Map> </invoke> In releases prior to 2.0, XPRESS required that all XML Objects be wrapped in an <o> element. While this is no longer required, you may still encounter its use in older files containing XPRESS. When to Use XML Object Language Instead of XPRESS. Although both XML Object Language and XPRESS provide ways of representing lists in forms, XML Object syntax is more efficient than XPRESS if the list is long and contains static data. The list is built in memory once, and it is reused every time it is referenced. In contrast, XPRESS list syntax is re-evaluated on every reference, and a new list is created each time. The XML object language is most typically used when creating lists of the information described in the following table. Table 7-2: XML Use for Information Lists. Columns: Type of Information Lists, Where Used. Machine names: forms; Business sites: forms; Approver names: workflow. Representing Lists in XML Object Language and XPRESS. Both XML Object Language and XPRESS provide ways of representing lists in forms. Using XPRESS to Represent a List. You use the <list> element when representing lists in XPRESS. The contents of the <list> element can be any XPRESS expression. NOTE: Use only the <list> XPRESS element in forms if the list must contain calculated elements. Using the
350. o forms, depending on the presence of the name attribute. If name is not specified, then the first argument must be a list and the remaining arguments are elements that are removed from that list. A copy of the list is returned. The original list is not modified. If the name argument is used, then all arguments are considered objects to be removed from the list contained in the variable with that name. The list is modified without being copied. Example 1: The following expression makes a copy of the list contained in the variable srclist, then removes one element and returns the copy of the list. <remove> <ref>srclist</ref> <s>oranges</s> </remove> Example 2: The following expression modifies an existing list by removing a value. <set name='somelist'> <List> <s>We</s> <s>say</s> </List> </set> <remove name='somelist'> <s>say</s> <s>say</s> </remove> <ref>someList</ref> removeAll Function. Removes all elements contained in one list from another list. If the name attribute is specified, an existing list is modified. Otherwise, a new list is created. Example 1: The following expression creates a new list by removing the elements in srclist along with three additional elements. <removeAll> <ref>srclist</ref> <list> <s>apples</s> <s>oranges</s> <s
351. o or is a member of. Table 4-35: Account. Columns: Queryable Attribute, Description. accountId: Specifies the resource accountId. accountExists: Identifies whether account exists (true/false). disabled: Indicates whether account is disabled (true/false). discoveredSituation: Specifies the initial status that was discovered during reconciliation. Status includes confirmed and deleted. owner: Specifies the repository ID of this user (userid is displayable name). nativeGUID: Specifies the account GUID, if the resource supports this attribute. resource: Identifies the resource name. resourceId: Specifies the repository ID of this resource (resource is displayable name). situation: Specifies account status after responses are applied to the discovered situation. Status includes confirmed, missing, deleted. situationChanged: Specifies the date and time that the situation last changed. typeString: Specifies the resource type (for example, LDAP). userid: Uniquely identifies the Identity Manager user with which this account is associated. Table 4-36: AdminGroup. Columns: Queryable Attribute, Description. hidden: Identifies whether an AdminGroup is hidden from display. memberAdminGroups: Lists the AdminGroups that are directly assigned to this AdminGroup. Table 4-37: AdminRole. Columns: Queryable Attribute, Description. controlledObjectGroups membe
352. o retrieved from resources through the resource adapter. Derivation expressions are evaluated. These expressions are used to convert cryptic, encoded values from the resource into values that are more meaningful to the user. Derivations are evaluated when the form is first loaded or data is fetched from one or more resources. 10. Default expressions are evaluated. These fields are set to the default value if the field is null. 11. HTML code is generated. The system processes view data and the form to produce an HTML page. During this processing, the allowedValues properties within expressions are evaluated to build Select or MultiSelect HTML components. 12. The page is presented in the browser, and the user can edit the displayed values. During editing, the user typically modifies fields, which can result in a refresh or recalculation of the page. This causes the page to be regenerated, but the system does not yet store the edited data in the repository. 13. Modified values are assimilated back into the view. When a refresh event occurs, the interface receives values for all the form fields that were edited in the browser. 14. Expansion expressions are evaluated. This can result in additional values being placed into the view. Expansion rules are run whenever the page is recalculated or the form is saved. 15. The view is refreshed. The interface asks the server to refresh the view and
353. object. Return Values and Side Effects: A WavesetResult object containing the result of the object creation. deProvision Provision Workflow Service. Deletes an Identity Manager account and/or resource accounts. Table 2-38: deProvision Method Arguments. Columns: Name, Required, Valid Values, Description. op (required: yes; valid value: deProvision). accountId (required: yes): Identifies the name of the Identity Manager user to deprovision. subject (required: no): Specifies the effective subject for the call. If not supplied, the task's subject is used. If the value of this argument is none, then no authorization is performed. options (required: no): If not supplied, specific arguments below are used. If supplied, any specific arguments below override the same argument contained in this options map. Return Values and Side Effects: A WavesetResult object containing the result of the deprovision. deleteUser Provision Workflow Service. Deletes an Identity Manager user. Table 2-39: deleteUser Method Arguments. Columns: Name, Required, Valid Values, Description. op (required: yes; valid value: deleteUser). subject (required: no): Identifies the effective subject for the call. If not supplied, the task's subject is used. If the value of this argument is none, then no authorization is performed. user.waveset.accountId or accountID (required: yes): Specifies the name of the Identity Manager user to approve. options (required: no; valid values: Map): A value map of option name/option value pairs. If not supplied
354. objects and attributes in the hierarchy. You use path expressions as the value of the name attribute in form fields when customizing a form, for example: <Field name='user.waveset.roles'> Traversing Objects. The following simple example illustrates a GenericObject with two attributes: name (String) and address (GenericObject). The address object, in turn, has an attribute named street, which is a string. To create a path expression to the street attribute of the address object, use address.street Path expressions use the dot character to indicate traversal from one object to another. This is similar to the way dot is used in Java or the -> operator is used in C. Paths can be long, as illustrated by this example: user.role.approver.department.name Traversing Lists. You can also use path expressions to traverse values that are lists. Consider an object that has an attribute children whose value is a java.util.List. Each object in the list is itself a GenericObject with a name attribute and an age attribute. Write the path to the name of the first child as children[0].name Path expressions use square brackets to indicate the indexing of a list. The token between brackets is the index expression. In the simplest case, this is a positive integer that is used to index the list by element position. Typically, the position of an object in a list is arbitrary. Index expressions can also specify simp
355. of all object types that are defined by the specified resId, found within the specified search container and scope. Identifies the resource from which to get the objects. If true, then will cache the result on the server. This is essential for queries that take a long time to return, such as listing profiles on a mainframe. If true, sets the number of milliseconds before the cache times out. When the cache times out, the objects from the search results are automatically retrieved from the resource the next time that the request is made (for example, 6000 (1 minute)). Forces the cache to be cleared and the objects of the search to be re-fetched from the resource the next time they are requested. Contains name/value pairs that are specific to the resources used to constrain the search. See table below. Table 4-16: Possible Values for Option Parameter. Columns: Option, Value. searchContext: Determines the context in which to perform search (ResourceAdapter.RA_SEARCH_CONTEXT). If not specified, the method attempts to get a value from RA_BASE_CONTEXT. If no value is specified, this method searches from the logical top. searchFilter: (Optional) In LDAP search filter format, as specified in RFC 1558, of one or more object tuples, either AND-ed or OR-ed together. If not specified, the method constructs a filter using the specified objectType (ResourceAdapter.SEARCH_FILTER).
356. ollowing tables shows the accountInfo view attributes, which describe characteristics about the user. Table 5-7: accountInfo Attributes (User View). Columns: Attribute, Description. accountInfo.accounts: Lists objects that contain information about each resource's account associated with the user (for example, created, disabled). accountInfo.assigned: Lists the resources that are assigned to the user. accountInfo.fromRole: Lists, in flat list format, resources assigned to the user through the role. accountInfo.privates: Lists, in flat list format, resources assigned directly to the user. accountInfo.toCreate: Lists names of all resources currently assigned to the user but for which accounts do not yet exist in Identity Manager. accountInfo.toDelete: Lists names of resources that are no longer assigned to the user but that are still known to exist. accountInfo.types: Lists each type of resource that is currently assigned to the user or through Reserve Groups. accountInfo.typeNames: Lists unique type names for every assigned resource. accountInfo.accounts: Contains a list of objects that themselves contain information about each associated resource account. Elements in the accounts list are referenced by name, where the name is the name of the resource. Example: accountInfo.accounts[Microsoft Exchange].type Objects found in the accountInfo.accounts list have the following attributes as defined in t
357. on below the organization's hierarchy are returned. Resources on the current list are also always returned. current: See Additional Options. currentRoles (List): Specifies current role names. The returned list does not contain any resource that is assigned by one of these roles unless that resource name is on the current list. currentResourceGroups (List): Specifies current resource group names. The returned list does not contain any resource that is assigned by one of these resource groups unless that resource name is on the current list. Table 4-25: Options Values. Columns: Option, Value. conditions: See Additional Options. scopingOrg: See Additional Options. Return Values. This method returns a list of resource names suitable for the private resources of a user. getUsers Method. getUsers(LighthouseContext s) or getUsers(LighthouseContext s, Map options) Description. The first variant of this method returns all users. The second variant, by default, returns all users, but you can specify a map of options to further filter the list. Table 4-26: getUsers Parameters. Columns: Parameters, Description. s: Identifies a valid Identity Manager context (typically referred to in forms as <ref>:display.session</ref>). options: current, conditions, exclude, scopingOrg. See table below. Table 4-27: Options Values. Columns: Option, Value. current: See Additiona
358. one</ref> <i>0</i> <i>1l</i> </substr> </cond> </or> </Derivation> </Field> When you are calculating fields, you must consider the data's current format and quality in the resource. It is much easier to ensure the correct field values when creating new users. It is much harder to get existing data to conform to the field when reading it off the resource. You can use derivation rules for any field to check the format of the attribute as it is being read in. Recalculating Fields. The system performs field calculations many times when a user is working on a form. The field is calculated when it is first displayed, which sets any default values, and the form is calculated when the user clicks Save. Two other actions can cause the form to be evaluated: clicking Recalculate on the Edit User page, and action fields. Example: <Field> <Display class='Button'> <Property name='label' value='Recalculate'/> <Property name='command' value='Recalculate'/> </Display> </Field> To ensure that the system recalculates the value of a field, set action to true in the Display class element as shown below: <Display class='Select' action='true'> Add this value only to fields that the user selects or clicks on. Do not add it to test or text area fields. When a field has action='true' set, the form recalculates this form whenever the field is
359. ons

Admin Role View

Used when creating or updating an admin role to a user. Admin roles enable you to define a unique set of capabilities for each set of organizations. Capabilities and controlled organizations can be assigned directly or indirectly through roles.

One or more admin roles can be assigned to a single user, and one or more users can be assigned the same admin role.

Table 5-16 Top-Level Attributes of Admin Role View

| Name | Editable | Type | Required |
| --- | --- | --- | --- |
| id | Read/Write | String | No |
| name | Read/Write | String | Yes |
| capabilities | | List | Yes |
| capabilitiesRule | | String | Yes |
| controlledOrganizations | | List | Yes |
| controlledOrganizationsRule | | String | Yes |
| controlledOrganizationsUserform | | String | Yes |
| controlledSubOrganizations | | List (object) | No |
| memberObjectGroup | | List | Yes |

id
Uniquely identifies the AdminRole object in Identity Manager. System-generated.

name
Specifies the name of the admin role.

capabilities
Identifies the list of capability names that are assigned to this admin role.

capabilitiesRule
Specifies the name of the rule to be evaluated that will return a list of zero or more capability names to be assigned.

controlledOrganizations
Lists organization names over which the associated capabilities are allowed.

controlledOrganizationsRule
Specifies the name of the rule to be evaluated. This rule will return a list of zero or more controlled organizations name
360. ons in order to ensure compatibility with the scalable forms. The following procedure describes some of the steps necessary to ensure compatibility.

NOTE: Refer to any one of the forms in this list as an example of this modification.

Customizing a Resource Form for Compatibility with Scalable User Forms

To add your own customized resource form for use with either the Dynamic Tabbed or Resource Table user forms, follow these general steps.

Step One: Modify Dynamic Resource Forms

Instructions for adding your own resource form are provided in the dynamicformsinit.xml file. Search within this file for the Dynamic Resource Form and follow the steps provided with the form.

NOTE: The steps described within the form are presented in comments and are not displayed in the form once it is imported.

Step Two: Modify Your Resource Form

If you are not using a form from the preceding list, you will need to modify your resource form so that it is compatible. Refer to any of the files listed above for examples. Instructions are listed on the top of each resource form.

Customizing Tabbed User Form: Moving Password Fields to the Attributes Area

To update two resources with different passwords simultaneously, you must generate a separate password field for each assigned resource. For example, you can have an Exchange password field on the Exchange resource Attribute area on the Accounts page that still conforms to password policies that can be
361. ontrol text boxes. Specify the maximum number of characters for this element.

TIP: A field name is often a path expression into the view that is being used with this form and is typically associated with a particular attribute on a resource. To browse a list of resources and their attributes, click Browse resources. The Browse resource dialog opens, displaying an expandable tree of resource types. Click the name of the resource type to display a list of resource instances and the names of their attributes. To use the name of a resource attribute as your new form field name, click the resource attribute name, then click OK. This inserts the attribute name into the Name field.

Table 3-4 Options for Display Class

| HTML Component | Purpose |
| --- | --- |
| Applet | Inserts an applet reference into the page. |
| BackLink | Displays a link that returns to the previous page. |
| BorderedPanel | A container that organizes its components into 5 regions: north, south, east, west, and center. |
| Button | Displays a button. |
| ButtonRow | A container that arranges its components in a horizontal row with padding in between. Typically used to display a row of Button components. |
| CheckBox | Arr |
| DatePicker | |
| EditForm | |
| FileUpload | |
| Hidden | |
| Html | |
| Javascript | |
| Label | |
| Link | |
| LinkForm | |
| MultiSelect | |
| NameValueTable | |
| Panel | |
| Radio | |
362. operties>

Deferred Attributes

A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.

If the deferred attribute derives its value from another resource's GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo _resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.

When to Use Deferred Attributes

Use deferred attributes when creating new accounts to specify that the value of an account attribute is to be derived from the value of an attribute on a different account that will not be known until the source account has been created. One common example is to set an attribute to the value of the generated unique identifier.

Using Deferred Attributes

There are two main steps to defining a deferred attribute:

1. Ensure that the account is created on the source resource before the second account is created. Do this by creating an ordered Resource Group that cont
363. or logging:

1. Log in to Identity Manager as Configurator.
2. Select Debug to open the Debug page.
3. From the Debug page, select Reload Properties.

To turn tracing off for XPRESS, set the xpress.trace value to false and reload the waveset.properties file.

Sample Forms and Form Fields

This section provides examples of the default forms that ship with the product. It also describes how to incorporate sample forms in your environment.

NOTE: The versions of forms that ship with your version of Identity Manager may differ slightly from these samples.

- Tabbed User Form
- End User Menu Form
- Anonymous User Menu Form

User Form Library

A form can be used as a container for a collection of fields rather than being used in its entirety. Identity Manager supports this use of forms with an object called User Form Library, which contains complex fields related to granular resource selection, such as those used for changing passwords.

The following list summarizes each library associated with User Library.

| Library | Description |
| --- | --- |
| User Library | The primary user form library. It includes the other libraries in this table and also defines the AuthenticationAnswers field for the display and editing of authentication question answers. |
| Password Library | Fields related to password specification and synchronization. |
| Account Summary Library | Fields that display read-only summary information about the accounts |
364. orkflow service has no effect.

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| lockedBy | no | | Specifies the alternate lock name that was used when locking the object. |

Return Values and Side Effects

The object specified is checked in. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

checkinView Session Workflow Service

Checks in a view.

Table 2-7 checkinView Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| op | yes | checkinView | |
| view | no | | Identifies the view to be checked in. If no view is specified, the checkinView workflow service has no effect. |

Return Values and Side Effects

The specified view is checked in to the Identity Manager repository. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

checkoutObject Session Workflow Service

Obtains and locks a persistent Identity Manager object. Identity Manager makes sure that the administrator that launched the workflow is authorized to check out the object.

NOTE: Using views is more convenient than using objects. Try using views to modify objects. For information on views, see Identity Manager Views.

Table 2-8 checkOutObject Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| op | yes | checkoutObject | |
| type | yes | | Indicates the type of the object that is being checked out. |
| name | yes | | Specifies the name of the object that is being checked out |
365.

    orm>
      <Display class='EditForm'>
        <Property name='title' value='Task Launch'/>
        <Property name='subTitle' value='Enter task launch parameters'/>
      </Display>
    </Form>

Display Element

A Display element within the Form element describes the component that will be used to render the form. By default, this Display element uses the EditForm component. You will rarely need to change the Form component class, but you can set component properties. The two most common properties to specify are title and subTitle.

EditForm also supports the adjacentTitleWidth property, which can be used to set the width of the titles of adjacent fields. If this property is not defined, it defaults to zero.

If you define adjacentTitleWidth as equal to zero, column titles will automatically resize. If set to a non-zero value, then the title width of adjacent columns (for example, the second and third columns) will be the value of adjacentTitleWidth.

    <Form name='Default User Form' help='account/modify-help.xml'>
      <Display class='EditForm'>
        <Property name='titleWidth' value='120'/>
        <Property name='adjacentTitleWidth' value='60'/>
      </Display>

Field Element

The Field element is the main element used within the form body. Fields are used to define each of the user's attributes. You can use Field elements to include XPRESS logic in form fields. For more information on working wit
366. otifyFailure. Otherwise, it transitions to Notify.

Notify
Notifies the end user of a successful synchronization and uses the PasswordSyncNotice email template. This activity always transitions to end.

NotifyFailure
Notifies the end user of a failed synchronization and uses the PasswordSyncNotice email template. This activity always transitions to end.

Chapter 2: Workflow Services

This chapter describes each of the Identity Manager workflow services that are available to the Identity Manager implementer who is modifying or creating custom workflows.

Identity Manager contains default workflows to define the process for provisioning and manipulating user accounts. During a customer implementation, you can modify these workflows to reflect the customer's business rules. Workflow allows a customer's business rules for account provisioning to be implemented in Identity Manager.

Related Chapters

- Workflow: Introduces Identity Manager workflows.
- Identity Manager Views: Identity Manager forms interact with an internal Identity Manager data structure called the user view. When customizing a form, you can call view attributes.

Workflow Built-in Variables

The workflow engine uses several built-in variables. Most of these variables do not need to be declared in the workflow. Built-in variables can be
367.

    otnull>
        <notnull><ref>accounts[Exchange].lastname</ref></notnull>
      </and>
      <concat>
        <substr>
          <ref>accounts[Exchange].firstname</ref>
          <i>0</i>
          <i>1l</i>
        </substr>
        <ref>accounts[Exchange].lastname</ref>
      </concat>
    </cond>

The preceding code is structured as an if-then statement in other programming languages. This cond expression has two arguments:

- conditional expression
- then expression

First, the conditional expression is evaluated. If the result of this expression is logically true, the value of cond will be the value of the then expression. If the result of the conditional expression is false, the value of cond will be null.

In this example, the cond statement ensures that values exist for two account attributes before using them to calculate account ID. The Default expression will continue to be evaluated each time the form is refreshed or saved, until the prerequisites are finally set or until the user provides a value in the field. The Default expression will not be evaluated if the associated field contains a non-null value.

Deriving Field Values

A <Derivation> expression is similar to a <Default> expression, except that it always calculates a value for the field, even if the field already has a non-null value. This is typically used to display a field whose value is a permutation of another fiel
368. ount needs deprovisioning before deletion.

Table 2-34 checkDeProvision Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| op | yes | checkDeProvision | Identifies the name of the Identity Manager user to check for deprovisioning need. |
| user waveset.accountId or accountId | yes | | Indicates the name of the user to check for deprovisioning need. |

Return Values and Side Effects

A WavesetResult object containing the result of the cleanup.

createResourceObject Provision Workflow Service

Creates a resource object (for example, a group).

Table 2-35 createResourceObject Method Arguments

| Name | Description |
| --- | --- |
| op | createResourceObject |
| object | GenericObject. If not specified, the service looks for an argument named after the ObjectType. For example, if a resource supports managing a group ObjectType, and if the object argument is not supplied, then the service will expect the resource object to be in an argument called group. Preferred practice is to use the object argument. |
| objectType | Identity Manager resources can specify object types that they manage. This is specified by the ObjectType element list defined in the resource's prototype XML. This argument is the name of one of those ObjectType. |
| resourceId | Specifies the object ID for the resource on which to create the object. |

Return Values and Side Effects

A WavesetResult object containing the result of the object creation.
370. ource might have attributes that include firstname, lastname, and Office Phone. When referring to these attributes in the form, you must know the name of the attribute on the Identity Manager schema, plus the path to the attribute from the view.

There are two ways of defining the name attribute of the Field element:

- The name attribute typically contains a path to an attribute within the user view.
- The name attribute is used to identify the field so that it can be referenced by other fields in the form or by a FieldRef element. This occurs when fields are defined to represent containers of other fields and do not correspond to any one attribute of the view.

Determining whether a Field name represents a path expression for the view or is simply a reference name depends on the value of the class attribute selected in the Display element. If the display class is the name of an editing component class, then the name is expected to be a path expression for the view. See the section titled HTML Display Components for a detailed explanation of the component classes.

Creating a Path Expression to a View Attribute

Typically, you define a Field name by including the path to an attribute in the user view (the path expression). For a list of these attributes, see Identity Manager Views.

The following field definition renders a text field to edit the Identity Manager email address:

    <Field name='wa
371. System Name: ourceUser, createUser, deleteAccount, deleteResourceGroup, deleteResourceObject, deleteResourceOrganization, deleteResourceOrganizationalUnit, deleteResourcePerson, deleteResourceUser, deleteUser, disableUser, enableUser, handleNativeChangeToAccountAttributes

Mapped to: Abort Access Review, Access Scan, Change Resource Account Password, Change User Password, Create Resource Group, Create Resource Object, Create Resource Organization, Create Resource Organizational Unit, Create Resource Person, Create Resource User, Create User, Delete Resource Account, Delete Resource Group, Delete Resource Object, Delete Resource Organization, Delete Resource Organizational Unit, Delete Resource Person, Delete Resource User, Delete User, Disable User

Table 0-2 Process System and Product Interface Names

| System Name | Mapped to |
| --- | --- |
| lockUser | Lock User |
| manageResource | Manage Resource |
| manageRole | Manage Role |
| questionLogin | Question Login |
| renameUser | Rename User |
| resetUserPassword | Reset User Password |
| unlinkResourceAccountsFromUser | Unlink Resource Accounts From User |
| unlockUser | Unlock User |
| updateResourceGroup | Update Resource Group |
| updateResourceObject | Update Resource Object |
| updateResourceOrganization | Update Resource Organization |
| updateResourceOrganizationalUnit | Update Resource Organizational Unit |
| updateResourcePerson | Update Resource Person |
372. owed by a row of form submission buttons. You can create this by creating a Panel component using vertical orientation that contains a Label component, an EditForm component, and a ButtonRow component. The EditForm component itself contains some number of subcomponents. The ButtonRow component is simply a Panel that uses horizontal orientation and contains a list of Button components.

BorderedPanel

Defines five regions (north, south, east, west, and center) into which items can be placed. Components in the north and south regions are positioned horizontally. Components in all other regions are positioned vertically.

Properties include:

- eastWidth: Specifies the width of the east region.
- westWidth: Specifies the width of the west region.

ButtonRow

Sets default options for button placement. Extends the Panel component.

- pad: Specifies where to insert this space between the button row and an adjacent component. Allowed values are top and bottom. If the value is null, no space is added. Default value is top.
- divider: Specifies whether the divider should be rendered as a horizontal or blank line. When true, the divider will be rendered as a horizontal line (for example, an <hr>). (Boolean)

EditForm

This display component is the default display class used to render forms in a browser. Form components are positioned in two columns, with titles on the left and components on the right. Flyover help can be included
373. Table 4-16 Possible Values for Option Parameter

| Option | Value |
| --- | --- |
| searchScope | Specifies whether the method should search on the current object within the context of the specified searchContext or in all subcontexts within the specified searchContext (ResourceAdapter.RA_SEARCH_SCOPE). Valid values are object, oneLevel, or subTree. If object is specified, the searchContext is expected to be the full DN of a single object, so that only one object is returned. oneLevel indicates that one or more objects should be fetched starting for a particular baseContext searchContext. subTree executes the oneLevel search recursively. searchContext indicates that the search should be performed on all subcontexts within the specified searchContext. |
| searchTimeLimit | Indicates the time limit in milliseconds that a search should not exceed (ResourceAdapter.RA_SEARCH_TIME_LIMIT). |
| searchAttrsToGet | Identifies the list of objectType-specific attribute names to get per object. |
| runAsUser | Specifies the user name that this request is to be run as. If not specified, defaults to resource proxy administrative user. |
| runAsPassword | Specifies the password of runAsUser. Required to authenticate with resource in order to run the list request as the specified user. |
| current | See Additional Options. |
| conditions | See Additional Options. |
| scopingOrg | See Additional Options. |

The second flavor of this metho
374. setProperty Session Workflow Service

Sets the value of an Identity Manager object's property. Identity Manager makes sure that the administrator that launched the workflow is authorized to view the object.

Table 2-26 setProperty Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| name | yes | setObject | Indicates the name of the object whose property is wanted. |
| propertyName | no | see Type Names | Specifies the name of the property to obtain from the object. If no propertyName is given, the service has no effect or return. |
| propertyValue | no | the value to set the property to | If no propertyValue is given, the property is set to null. |

Return Values and Side Effects

The Identity Manager object's property is set to the given value. If any error occurs (including administrator not authorized to view the object), WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

unlockObject Session Workflow Service

Unlocks an Identity Manager object. The administrator that launched the workflow (WF_CASE_OWNER) is checked to ensure that it is authorized to modify the object. Views are more convenient than using objects. Try using views to accomplish modifications to objects.

Table 2-27 unlockObject Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| op | yes | unlockObject | |
| type | yes | | Identifies the type of the object that is being unlocked. |
| name | yes | | Specifies the name of the obje |
375. page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed.

accountId
Specifies the identity of the account on this resource, if one has been created.

exists
Indicates whether the account already exists on the resource.

disabled
Indicates whether the account is currently disabled.

passwordPolicy
When set, describes the password policy for this resource. Can be null. It contains these attributes:

Table 5-36 passwordPolicy Attributes (PasswordView)

| Attribute | Description |
| --- | --- |
| name | String |
| summary | String |

In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as defined in the policy. The summary string contains a pre-formatted description of the policy attributes.

authenticator
If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager.

changePasswordLocation
(Optional) Describes the location where the password change should occur (for example, the DNS name of a domain controller for Active Directory). The format of the value of this field can vary from resource to resource.

expirePassword
Can be set to a non-null Boolean value to control whether the password is marked as expiring immediately after it has b
376. perly. However, Identity Manager cannot ensure that data entered directly into the resource meets the same requirements. For example, over the years administrators might have entered the phone number as 123-4567 (8 characters), 123-123-4567 (12 characters), or (123) 123-4567 (14 characters).

Example

The definition of the OfficePhone field remains the same as described previously, but each of the three fields (P1, P2, and P3) should be updated to use derivation rules, as this example illustrates for the P1 field.

    <defvar name='lenOfficePhone'>
      <length><ref>Office Phone</ref></length>
    </defvar>
    <Field name='P1'>
      <Display class='Text'>
        <Property name='title' value='Office Phone Number'/>
        <Property name='size' value='3'/>
        <Property name='maxLength' value='3'/>
      </Display>
      <Derivation>
        <or>
          <cond>
            <eq><ref>lenOfficePhone</ref><s>8</s></eq>
            <s> </s>
          </cond>
          <cond>
            <eq><ref>lenOfficePhone</ref><s>12</s></eq>
            <substr><ref>Office Phone</ref><i>0</i><i>1</i></substr>
          </cond>
          <cond>
            <eq><ref>lenOfficePhone</ref><s>14</s></eq>
            <substr><ref>Office Ph
377. plied, all objects of the given type are returned.

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| single | no | true, false | If true, the query will return the first object that matches the query specified. If false or not supplied, the query will return all objects that match the query specified. |

Return Values and Side Effects

If single is false or unspecified, the list of objects that satisfies the query attributes specified is placed into the variable queryResult. If single is true, the first object that satisfies the query attributes specified is placed into the variable queryResult. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

queryReferencingRoles Session Workflow Service

Returns a list of all roles that directly or indirectly reference the specified role. It requires the role argument, which specifies the role for which you want to identify associated roles.

Return Values and Side Effects

For a given role passed as role, this method returns the result in variable queryResult, which lists all of the Role objects in the Identity Manager repository that directly or indirectly reference the specified role.

refreshView Session Workflow Service

Refreshes an Identity Manager view.

Table 2-23 refreshView Method Arguments

| Name | Required | Valid Values | Description |
| --- | --- | --- | --- |
| op | yes | unlockObject | |
| view | no | | Identifies the view that is to be refreshed. If this argument |
378.

| Component | Description |
| --- | --- |
| <SimpleTable> | Arranges components in a grid with an optional row of column titles at the top. |
| <ButtonRow> | Arranges button in a horizontal row. This component is essentially a panel that is preconfigured for horizontal layout. |
| <BorderedPanel> | Positions components into five regions (north, south, east, and west). |
| <SortingTable> | Displays a blue and beige table with sortable columns. |

Creating a Simple Table

The <SimpleTable> component is a frequently used container component in Identity Manager forms. It arranges components in a grid with an optional row of column titles at the top. The only property for this display component is columns, which assigns column titles and defines the width of the table as defined in a list of strings.

The following example shows a field that uses SimpleTable to organize several subfields:

    <Field name='SelectionTable'>
      <Display class='SimpleTable'>
        <Property name='columns'>
          <List>
            <String>Account</String>
            <String>Description</String>
          </List>
        </Property>
      </Display>
      <Field name='accounts[LDAP].selected'>
        <Display class='Checkbox'>
          <Property name='label' value='LDAP'/>
        </Display>
      </Field>
      <Field>
        <Display class='Label'>
          <Property name='text' value='Primary Corporate LDAP Server'/>
379. ptional) Specifies the name of the operator (allowedOperators) to select by default when the list of allowed operators (allowedOperators) is displayed in the form.

value
Indicates the value or operand for the selected attribute name and operator that must be tested when Identity Manager determines if it should return an object of the specified object type (objectType). You can omit this attribute if the value of selectedOperator is exists or notPresent.

valueRequired
(Optional) Indicates whether the value of the attribute condition can be changed. A value of true indicates that value can be changed. It also indicates that the attribute condition cannot be removed from the list of attribute conditions.

removeAttrCond
Determines if this attribute condition should be removed or not (internal).

You can specify attribute conditions as view options by using the FindObjects.ATTR_CONDITIONS constant or the attrCondition string. If attrConditions is not specified, Identity Manager returns all objects of the specified object type.

maxResults
(Optional) Specifies the maximum number of objects of the specified objectType that Identity Manager should return from the find request. Defaults to 100 if not specified. You can override the default by specifying a value for the resultMaxRows attribute in either the default section or the objectType-specific section of the sample findObjectsDefaults.xml configuration file.
380. quently used to call the following Identity Manager classes:

- FormUtil
- LighthouseContext
- WorkflowContext
- WavesetResult

For more information, see the available documentation for these classes.

new Function

Creates an instance of a Java class. The class name is provided in the XML class attribute and must be fully qualified with the class package name. You can also use this function to create a new object and return it as the value of an expression or rule without necessarily invoking methods on it.

Example

    <new class='java.util.Date'/>

script Function

Encapsulates a fragment of JavaScript. When this expression is evaluated, the JavaScript interpreter is launched to process the script. The value of the expression is the value of the last JavaScript statement. Within the script, the object env can be used to access variables in the host application.

Avoid using JavaScript in performance-critical expressions such as <Disable> expressions in forms. Short XPRESS expressions are easier to debug using the built-in tracing facilities. Use JavaScript for complex logic in workflow actions.

Example

    <script>
      var arg1 = env.get('arg1');
      arg1 == 100;
    </script>

    <script>
      importPackage(Packages.java.util);
      var calNow = Calendar.getInstance();
      calNow.getTime()
    </script>

Debugging and Testing Expressions

En
381.

    <ObjectRef type='ObjectGroup' name='All'/>
    </MemberObjectGroups>

What Is a Form Field?

The form body contains Field elements that define how each element of the Web page appears and behaves. Each Field can contain other fields, each with its own display component.

Form fields comprise several parts, which are encapsulated by the <Field> tag set:

- Value Expressions. The field can contain a number of XPRESS expressions, which calculate the value of the field or define the set of allowed values. For example, <Default> is used to define the default value of a field, and <Derivation> is used to derive the value for the field when the form is first loaded. Not all field elements contain expressions. See the section titled Defining Field Names.
- HTML Display Components. Display components determine how visible elements are displayed. In Identity Manager form fields, display components defined in the form by the <Display> element determine the behavior and appearance of form fields. You can specify only one display component for each field. These display components are described in detail in Chapter 8, HTML Display Components.
- Disable Expressions. Fields can be conditionally included in the form by using Disable expressions. If the Disable expression evaluates to true, the field is ignored.

Creating Variables

Use the following syntax to include variables that
382. r example, if the method getName exists, this parameter would be <s>name</s>. The function behaves differently if the first argument is a list. If the first argument is a list, then the second argument is an integer list index. The element at that index is returned. Example: This expression returns a string that is the name of the currently assigned role for the user: <get> <ref>userView</ref> <s>role</s> </get> This expression is equivalent to calling userView.getRole() in Java code. getObj Function: Obtains an object from the Identity Manager repository. It is most often used to access user objects, whose type name would be User. The arguments are concatenated together and expected to produce a string that follows the convention <typename> <objectname>, where typename is the name of a repository type and objectname is the name of an object of that type. Example: This expression retrieves the email address of an Identity Manager user in order to pass it to the notify workflow application: <Action application='notify'> <Argument name='template' value='Provisioning Approval'/> <Argument name='toAddress'> <get> <getobj> <s>User</s> <ref>APPROVER</ref> </getobj> <s>Email</s> </get> </Argument> </Action> putmap F
383. r the Button component. Some page processing systems, notably the one that processes XML forms, expect the command parameter to be used. Further, several command parameter values have been used to indicate particular actions. These values are described in the following table. Table 3-11 Possible Values for the command Parameter: • Save: Indicates that the contents of the form should be saved. • Cancel: Indicates that contents of the form should be thrown away. • Recalculate: Indicates that the form should be refreshed based on entered data. Any value can be used for the command parameter but you must know which unrecognized command value usually results in a redisplay of the page. Aligning Buttons with <ButtonRow> Element: To align multiple buttons in a row, use the ButtonRow element. <Field name='OrganizeButtons'> <Display class='ButtonRow'> <Property name='title' value='Choose a Button'/> </Display> <Field name='ChangePassword'> <Display class='Button'> <Property name='label' value='Change Password'/> <Property name='value' value='Recalculate'/> </Display> </Field> <Field name='ResetPassword'> <Display class='Button'> <Property name='label' value='Reset Password'/> <Property name='value' value='Recalculate'/> </Display> </Field>
384. rAdminGroups adminGroupsRule controlledObjectGroupsRule Lists the ObjectGroups that are controlled by this Admin Role. Lists the AdminGroups that are assigned to this Admin Role. Specifies the name of the capabilities rule. Specifies the name of the controlled organizations rule. Table 4-38 Configuration Queryable Attribute: • configType: Specifies the JAVA class name of the class that extends configuration, for example, UserUIConfig, UserForm. Table 4-39 Event Queryable Attribute: • eventType: Specifies the type of event, to enable grouping events that are similar. Table 4-40 LoginApp Queryable Attribute: • hidden: Identifies whether a LoginApp is hidden from display. Table 4-41 LoginModGroup Queryable Attribute: • hidden: Identifies whether a LoginModGroup is hidden from display. Table 4-42 ObjectGroup Queryable Attribute: • directoryJunction: Identifies whether the ObjectGroup is a directory junction (true, false). • displayName: Specifies the readable name of the object group s user. Table 4-43 Policy Queryable Attribute: • class: Identifies the JAVA class that implements this policy, for example, StringQualityPolicy. • typeString: Specifies the type of policy, for example, password or account Id. Table 4-44 R
385. rceObjectListCache. If found, this list is returned. If this list is not found, the method invokes the listResourceObjects method on each resource before merging, sorting, and removing duplicates on the resulting lists. Finally, it caches this new list in the server's resourceObjectListCache for any subsequent requests for the same resource object type from the same resource(s). This method runs as the currently authenticated administrator (for example, subject). Variants take a single resource ID or a subject string and an existing session. This method has multiple variants that differ on whether: • The method returns a single resource versus a resource list. • The cache should be cleared. • The method is sending a session ID (implemented when the user has already been authenticated) or a subject string (subject String). Typically, you will use Session. Table 4-28 listResourceObjects Parameters: • s: Identifies a valid Identity Manager session, typically referred to in forms as <ref>display.session</ref>. • resourceObjectType: Identifies the type of resource object class for this specified, for example, group. If null, this method returns objects of all object types. • resourceList: List of resources to retrieve the objects from. • options: Contains name/value pairs that are specific to the resources used to co
386. rceobjectType>.resourceType: Lists the Identity Manager resource type name, for example, LDAP, Active Directory. <resourceobjectType>.resourceName: Lists the Identity Manager resource name. <resourceobjectType>.resourceId: Lists the Identity Manager resource ID or name. <resourceobjectType>.objectType: Indicates the resource-specific object type, for example, Group. <resourceobjectType>.objectName: Lists the name of the resource object. <resourceobjectType>.objectId: Specifies the fully qualified name of the resource object, for example, dn. <resourceobjectType>.requestor: Specifies the ID of the user who is requesting the view. <resourceobjectType>.attributes: Indicates new or updated resource object attribute name/value pairs (object). This attribute has the following subattribute: resourceattrname: String used to get or set the value of a specified resource attribute, for example, <objectType>.attributes.cn, where cn is the resource attribute common name. <resourceobjectType>.oldAttributes: Specifies the fetched resource object attribute name/value pairs (object). You cannot edit this value. The view uses this attribute to calculate attribute-level changes for update. <resourceobjectType>.organization: Identifies the list of organizations of which the resource is a member. This list is used to determ
387. rdup> <list> <s>apples</s> <s>oranges</s> <s>apples</s> </list> </filterdup> This expression returns the following list: <list> <s>apples</s> <s>oranges</s> </list> filternull Function: Filters null elements from a list. This function returns a single list, removing all null elements, when given one list. Example: <filternull> <list> <s>apples</s> <null/> <s>oranges</s> <null/> </list> </filternull> This expression returns the following list: <list> <s>apples</s> <s>oranges</s> </list> get Function: Retrieves the value of the nth element in the list. The list indexes start from zero (0). Arguments are a list and an integer. Example: <get> <list> <s>apples</s> <s>oranges</s> </list> <i>1</i> </get> This expression returns <s>oranges</s>. indexOf Function: First argument: a list value to search. Second argument: value for which to search. This function returns either the ordinal position of a list element that matches a given value or -1 (the given value is not in the list). Example: The following expression returns 1: <indexOf> <list> <s
388. re displayed to the user. Specify an expression to calculate a default value for the field. The default expression is called before the form is displayed if the current value for this field is null. Specify an expression to calculate the value of a field before it is displayed. It is similar to a Default expression, except that it is evaluated even if the current field value is non-null. The derivation expression is evaluated before the form is first displayed and then again each time the form is refreshed. Specify logic to determine whether a value entered in a form is valid. Validation expressions return null to indicate success, or a string containing a readable error message to indicate failure. Validation rules are evaluated only when a form is submitted, not after each refresh or recalculate. Table 3-5 Form Elements (Form Element, Description): Expansion Disable Display Class value maxLength. Specify an expression to calculate the value of the field after the form has been submitted. Expansion expressions are typically used with fields that are also marked hidden. Since hidden fields are not directly editable by the user, the value can be calculated with an Expansion expression. Specify an expression that, if evaluated to true, disables the field and any of its nested fields. A disabled field does not display on the form. It is used to determine if a user has a specific type of resource. If the u
389. reference anywhere in the form. For example: <FieldRef name='DiscoveredAccountFields'/> To reference this field, you must have the following Include statement in your user form. Typically, this Include is present in all user forms: <Include> <ObjectRef type='UserForm' name='User Library'/> </Include> With these form changes in place, Identity Manager checks for existing accounts each time the form is refreshed and before it is saved. If Identity Manager discovers an existing account, it displays warning messages at the top of the form and inserts new fields for each discovered account. These new fields include a checkbox that can be used to manually indicate that the account should be linked. In addition, Identity Manager generates a field for each attribute in the resource's Identity template. With this field, you can specify a different identity for the account. Identity Manager fetches the attribute for the existing accounts and includes it in the view. You can display these attributes using the MissingFields reference or with your own custom fields. You must either supply an alternative identity for an account that does not exist, or check the option to allow the existing account to be linked, before the form can be saved. Preventing Automatic Linking during Provisioning: When performing non-interactive provisioning from a workflow, you can also control whether Identity Manager performs automatic a
390. rence to another object. Any Boolean attribute can be omitted from a view. If omitted, the attribute is considered logically false. What is a View Handler? View handlers are Java classes that contain the logic necessary to create a view and perform actions specified by setting attributes of the view. View handlers also can include information for the convenience of interactive forms. When a view is checked in, the view handler reads the view attributes and converts them into operations on repository objects. The view handler will often launch a workflow to perform more complex tasks, such as approvals or provisioning. Most view handlers that operate on users prevent you from checking in the view if there is already a workflow in progress for that user. Views and Forms: Identity Manager forms contain rules for transforming data in views and describe how the view attributes are to be displayed and edited in a browser. The Identity Manager user interface processes the view and form to generate an HTML form. When the user submits the HTML form, Identity Manager merges the submitted values into the view, then asks the view handler to refresh the view. The view can be refreshed several times during an interactive editing session, and different HTML fields can be generated based on logic in the form. When the user is finished interacting, the view is checked in, which typically results in the view being passed as input to a workflow process. Views and Wo
391. rentResourceAccounts: Read; List (object); No. tobeCreatedResourceAccounts: Read; List (object); No. tobeDeletedResourceAccounts: Read; List (object); No. password: Read/Write; encrypted; Yes. confirmPassword: Read/Write; encrypted; Yes, if view is being used interactively. fetchAccounts: Read/Write; Boolean. fetchAccountResources: Read/Write; List. id: Specifies the account ID of the Identity Manager user whose passwords are being changed. Typically set by the view handler and never modified by the form. selectAll: Controls whether all passwords are selected. currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. tobeCreatedResourceAccounts: Represents the accounts that are assigned to this Identity Manager user but which have not been created. Passwords cannot be changed on accounts that have not yet been created. tobeDeletedResourceAccounts: Represents the set of resources assigned to this user that are not yet being managed by Identity Manager (for example, they do not have an associated resinfo object). Passwords cannot be changed on accounts that are going to be deleted. All three account lists contain objects that describe the state of the account on each resource and allow you to individually select accounts. Both resource account lists are indexed by resource name and will contain objec
392. reprovisioning in unsynchronized actions or approvals. Best practices suggest using this attribute only within a Property or Constraints element. In almost all existing forms, display.session is used only in Constraints elements. subject: An object holding information about the credentials of an Identity Manager user or administrator. This value is set in almost all cases, but is typically used in workflow applications called during background activities where the display.session is no longer valid. The subject can be used to get a new session. In this case, it is used for gaining access to the repository. state: A handle to a com.waveset.ui.util.RequestState object that, in turn, contains handles to objects related to the HTTP request, such as the javax.servlet.http.HttpSession. Default itemType Behavior: Typically, only wizard itemTypes cause a workflow to transition directly to a WorkItem if the requester is the owner of the workItem. When itemType is set as follows, the workflow will not transition into a WorkItem, but will instead appear under the Approval tab: approval, custom. itemType Overriding Default Behavior: You can override behavior in the User view by setting the allowedWorkItemTransitions option as a property of the form, as follows: <Properties> <Property name='allowedWorkItemTransitions'> <list> <s>myCustomType</s> </list> </Property> </Pr
393. ression. The break can cause the termination of several levels of expression when the optional block name is used. Example 1: The following expression contains a simple break terminating a loop: <dolist name='el'> <ref>list</ref> <cond> <eq> <ref>el</ref> <s>000</s> </eq> <break> <ref>el</ref> </break> </cond> <null/> </dolist> In this example, the dolist function iterates over the elements of a list looking for value 000. The value of the dolist function is a list formed by concatenating the values that are returned by the last subexpression in each iteration. Example 2: The following expression demonstrates the use of a block name to break through more than one level: <block name='outer block'> <dolist name='el'> <ref>listOfLists</ref> <dolist name='el2'> <ref>el</ref> <cond> <eq> <ref>el2</ref> <s>000</s> </eq> <break name='outer block'> <ref>el2</ref> </break> </cond> </dolist> <null/> </dolist> </block> This is similar to the previous example, except that there are two loops. The outer loop iterates over a list whose elements are themselves lists. The inner loop iterates over the element lists. When the value 000 is found, both loops are terminated by referencing the block name outer block
394. rg View: Used to specify the type of organization created and options for processing it. Common Attributes: The high-level attributes of this view are listed in the following table. Table 5-31 Org View Attributes (Name; Editable; Data Type; Required): orgName: Read; String; System-Generated. orgDisplayName: Read/Write; String; Yes. orgType: Read/Write; String; No. orgId: Read; String; System-Generated. orgAction: Write; String; No. orgNewDisplayName: Write; String; No. orgParentName: Read/Write; String; No. orgChildOrgNames: Read; List; System-Generated. orgApprovers: Read/Write; List; No. allowsOrgApprovers: Read; List; System-Generated. allowedOrgApproverIds: Read; List; System-Generated. orgUserForm: Read/Write; String; No. orgViewUserForm: Read/Write; String; No. orgPolicies: Read/Write; List; No. orgAuditPolicies: Read/Write; List; No. renameCreate: Read/Write; String; No. renameSaveAs: Read/Write; String; No. orgName: Identifies the UID for the organization. This value differs from most view object names because organizations can have the same short name but different parent organizations. orgDisplayName: Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique. orgType: Defines the organization type, where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value. orgId: Specifies the ID that is us
395. rkItem objects in the repository. A WorkItem object is created whenever a manual action that is defined in a workflow process is activated. The WorkItem view contains a few attributes that describe the WorkItem object itself, as well as values of selected workflow variables copied from the workflow task. Identity Manager returns information about the work items in the Work Item view under the workItem related attribute. Returning Information about All Active Work Items: This view provides the ability to return information about all work items that are currently active in a workflow task. By default, Identity Manager returns information about only a specified work item, not related work items. However, you can use other options to filter work items and the attributes of the related work items you want to display. Use the following three form properties to change the default behavior of this view. Table 5-68 (If you want to: Use this form property): • Return all related items by default: includeRelatedItems form property. • Request additional attributes to be returned: relatedItemAttributes form property. • Limit which items are returned: relatedItemFilter form property. Example: Using the includeRelatedItems Form Property: By default, Identity Manager uses the Approval form to display work items. Edit this form by adding the includeRelatedItems element to include related work items: <Properties> <Property na
396. rkflow: Checking in a view often results in a new workflow process being launched to complete the modifications specified in the view. The workflow can perform time-intensive tasks in the background, launch approval processes, query resources, or take whatever action is appropriate. During approvals, the administrator is able to examine the contents of the view and make changes if desired. After approvals, the view attributes are converted into modifications of one or more repository objects. For views related to users, provisioning may occur to propagate the changes to selected resource accounts. Common Views: The following views are frequently used with both customized forms and workflows: User, AccountCorrelation, AdminRole, Enable, Deprovision, Disable, ChangeUserAnswers, ChangeUserCapabilities, List, Org, Password, Process, Reconcile, ReconcileStatus, RenameUser, Reprovision. Used to manipulate Identity Manager users and provision resource accounts. Used to search for users correlating to a specified account or account attributes. Used when assigning an Admin role to a user. Used to present and select the list of resource accounts to be disabled. Used to present and select a list of resources to be deprovisioned. Used to present and select the list of resource accounts to be enabled. Used to change a user's authentication answers. Used to change
397. rm body: Contains field definitions, form functions, form variables. This is the part of the form that you will edit. footer: Closing tags for <Form>, <Extension>, and <Configuration> elements. Header: The form header includes: • Standard introductory information included in XML files: the XML declaration and documentation declaration, including the DTD associated with this XML file. In the preceding example, this introductory information is: <?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'> This system appends this information to the file. Do not edit. • Start tags for the <Extension> and <Configuration> elements, which surround the HTML components that describe the form's appearance and behavior. The Configuration element contains attributes that describe the form object properties. The header contains information about the form, including internal identification such as date of creation, login of whoever last modified the file, and the form type. The page processor typically generates this information. NOTE: The system generates the following information for internal use only. Do not edit these attributes. Table 3-8 Form Header Components (Element; Definition; Syntax Example): <Extension>: Required to wrap the <Form> element. <Element> </Element> <Configuration>: Contains information t
398. rs must perform, consequently reducing potential data entry errors. Likewise, by providing option menus in the place of text input fields, an administrator can select a department from a list instead of entering the department name. For information on the specific HTML components that define the default Identity Manager forms, see HTML Display Components. Identity Manager background processing: Forms are also used within Identity Manager in the background processing. For example, forms can work in conjunction with resource adapters to process information from an external resource before storing it in the Identity Manager repository. When creating forms to manipulate data in the background, you focus primarily on encoding logic, because the appearance is irrelevant in forms that are not visible to users. For more information on using hidden (nonvisible) components, see the section titled Using Hidden Components. Sample Form: The following XML example defines the form fields that are used by users to enter account ID, first name, last name, and full name. It specifies how the user's full name is built out of the information entered into the First Name and Last Name fields. <Field name='waveset.accountId'> <Display class='Text'> <Property name='title' value='AccountID'/> </Display> </Field> <Field name global fi <Display class Tex A Property name <Property name r
399. rty name='text' value='Primary Corporate LDAP Server'/> </Display> </Field> <Field name='accounts[W2K].selected'> <Display class='Checkbox'> <Property name='label' value='Windows 2000'/> </Display> </Field> <Field> <Display class='Label'> <Property name='text' value='Primary Windows 2000 Server'/> </Display> </Field> </Field> Within the Display element are zero or more Property elements. These define the names and values of properties that are assigned to the component. The Property name is always specified with the name attribute. The property value is most commonly specified with the value attribute. The value of the value attribute is treated as a string, but if necessary it will be coerced to the data type desired by the component. Use of XML Object Language: You can also specify property values using the XML Objects language. This approach is useful primarily when specifying list values. This language provides a syntax for describing several standard Java objects, as well as other objects defined by Identity Manager. The more common Java XML objects include: List, Map, MapEntry, String, Integer, Boolean, Object. When you use the XML Object syntax to specify property values, an element is placed inside the Property element. For more information on the XML Object lang
400. rue. To prevent the password from being expired when administrators or proxy accounts other than the user change a password on an account, set accounts[<resource>].expire <s>false</s>. This setting ensures that the password is not expired. Identity Manager does not force the user to change the password again. waveset.passwordExpiry: Contains the date on which the Identity Manager password will expire. When the view is initially constructed, the memory representation will be a java.util.Date object. As the view is processed with the form, the value can either be a Date object or a String object that contains a text representation of the date in the format mm dd yy. waveset.passwordExpiryWarning: Contains the date on which warning messages will start being displayed whenever the user logs into the Identity Manager User Interface. This is typically a date prior to the waveset.passwordExpiry date, in the same format mm dd yy. waveset.questions: Contains information about the authentication questions and answers assigned to this user. The value of the attribute is a List whose elements are waveset.questions attributes. The waveset.questions attribute set contains the attributes described in the following table. Table 5-5 waveset.questions Attributes (User View) (Attribute; Editable; Description): answer: Read/Write; Encrypted answer to the question. id: Read; System-generated ID for the qu
401. run time to determine user membership. orgUserMembersCacheTimeout: Specifies the amount of time, in milliseconds, before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching. Using an Organizational Path Name Instead of a System-Generated ID: When calling this view in workflow, you can use either the system-generated ID or supply an organizational path expression as a value for checkoutView, for example top us central texas. Sample Workflow: lt Activity id 1 name Refresh Organization gt lt Variable name orgView gt lt Action name Get Organization Application com waveset session WorkflowServices gt lt Argument name op value checkoutView gt lt Argument name subject value ID Configurator gt lt Argument name viewId value OrgViewer top us central texas gt lt Argument gt lt Return from view to orgView gt lt Action gt Password View: Used by administrators to change passwords of the Identity Manager user or their resource accounts. This view contains one top-level attribute, resourceAccounts. This attribute contains the following attributes. Table 5-34 ResourceAccounts Attributes (Password View) (Attribute; Editable; Data Type; Required): id: Read/Write; String; Yes. selectAll: Read/Write; Boolean; No. cur
402. s. The online support Web site at http://www.sun.com/service/online/us. The telephone dispatch number associated with your maintenance contract. Related Third-Party Web Site References: Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through such sites or resources. Sun Welcomes Your Comments: Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com and click Send Comments. In the online form, provide the document title and part number. The part number is a seven-digit or nine-digit number that can be found on the title page of the book or at the top of the document. For example, the title of this book is Sun Java System Identity Manager Workflows, Forms, and Views, and the part number is 819-6131-10. Chapter 1: Workflow. This chapter describes Sun Java System Identity Manager workflow. Topics in this Chapter: • Understanding Workflow • Default Workflow
403. s the available values in the picklist component; if null, the picklist is not shown (List). • pickValueMap: a map of display labels for the values in the picklist (Map or List). • searchLabel: Labels the button next to the input text field with the supplied text. If not set, the text defaults to • sorted: Indicates that the values should be sorted in the picklist; if multivalued and not ordered, the value list will also be sorted (Boolean). • clearFields: Lists the fields that should be reset when the Clear button is selected (List). The following properties are valid only in a multi-valued component: • ordered: Indicates that the order of values is important (Boolean). • allowDuplicates: Indicates whether the value list can contain duplicates (Boolean). • valueMap: Provides a map of display labels for the values in the list (Map). These properties are valid only in a single-valued component: • nullLabel: Specifies a label to use to indicate a value of null (String). SimpleTable: Arranges components in a grid with an optional row of column titles at the top. Properties include: • columns: Defines the column headers. Usually a list of message keys, but can also be simple strings (List). • rows: Defines the cells of the table. Each cell must be a component (List). • columnCount: Specifies the number of columns if there is no column tit
404. s. In certain forms, you might want to first display a set of abstract derived fields to the user, then generate a different set of concrete resource account attribute values when the form is submitted. This is known as form expansion. An <Expansion> element is typically used in hidden fields that depend on editable fields in the form. One purpose of the <Expansion> element is to convert data that is familiar and readable to an end user into data that is recognized by a resource. For example, a user can see a manager's full name in the form, but the system receives a unique ID that it recognizes as belonging to a manager. The following example shows a field definition that uses conditional logic to convert the value derived for the location field in the previous example back into a three-letter abbreviation: <Field name='accounts[Oracle].locCode'> <Expansion> <switch> <ref>location</ref> <case> <s>Austin</s> <s>AUS</s> </case> <case> <s>Houston</s> <s>HOU</s> </case> <case> <s>Dallas</s> <s>DAL</s> </case> </switch> </Expansion> </Field> The <Expansion> element is part of the Form XML language and can contain an expression. When this field is processed, the expression in the <Expansion> element is evaluated to determine the value o
405. s checkLastUpdateThreshold: Confirms that the LastUpdateSecs variable is less than the PasswordSyncThreshold. This activity is used to prevent recursive password resets when a password is changed from the Identity Manager product. For example, a user changes his resource passwords, which include Active Directory. Then the password notifier tells Identity Manager that the password had just been changed. Without this check, Identity Manager would perform an extra password change. If the passwordThreshold had been exceeded, we would continue to the checkoutView activity. CheckoutView: Checks out the ChangeUserPassword for the given Identity Manager account. If there is a successful check out, the workflow transitions to SetPasswordView. Otherwise, it transitions to NotifyFailure. SetPasswordView: Iterates over the resource accounts and selects all resources that are not either the source resource or in the exclude list. All other resources are selected, and the expiredPassword flag is set to false to avoid the password having to be changed immediately afterwards. This activity always transitions to CheckTargets. CheckTargets: Checks to ensure that there is at least one other target to synchronize. If Identity Manager does not find any other resource accounts, the workflow transitions to UnlockView. UnlockView: Unlocks the currently checked out view and transitions to end. CheckinView: Checks the view in; if there is a failure, transitions to N
407. s It allows new pages to be dynamically generated with little or no additional Java development, which greatly simplifies customization.

What Are HTML Components?

HTML display components are instances of Java classes that generate a string of HTML text. Each display component has:

- A class name, defined in the field by the class attribute of the Display element. This name identifies the component class, which determines the component's fundamental behavior and defines the set of properties recognized by the component.
- One or more properties, defined in the field with Property elements. Properties further define field behavior and appearance.

Specifying Display Components

You can specify display components as follows:

    <Field name='Name'>
      <Display class='Class'>
        <Property name='Name' value='Value'/>
      </Display>
    </Field>

Page Processor Requirements for HTML Components

Forms that implement HTML components have the following page processor requirements.

Hidden Parameters

Most components have a name that corresponds to the name of a parameter posted from an HTML form. Identity Manager reserves a few parameter names for general use. Do not use these names as component names.

Table 8-1 Hidden Parameters

Reserved Name | Description
id | Contains the ID of the object being edited
command | Contains the value of the button used to
408. s child nodes of the substr element
- start and length are specified as attributes of the substr node: s for start and l for length

For example, these two invocations are equivalent:

    <substr>
      <s>Hello World</s>
      <i>3</i>
      <i>4</i>
    </substr>

and

    <substr s='3' l='4'>
      <s>Hello World</s>
    </substr>

Both functions return the string lo W.

    <block>
      <substr s='3' l='4'>
        <s>Hello World</s> --> Hello World
      </substr> --> lo W
    </block> --> lo W

The start and length parameters are optional. If the start argument is missing, either because only the string is specified as a child of the substr node, as in <substr><s>Hello World</s></substr>, and the attribute s is also missing from the substr node, the start is assumed to be the beginning of the string. In other words, its value is zero if not specified explicitly.

first argument: string
second argument: starting position
third argument: number of characters to retrieve

Examples

The following expression returns <s>Now</s>:

    <substr>
      <s>Now is the time</s>
      <i>0</i>
      <i>3</i>
    </substr>

In the following example, the start attribute is missing but is assumed to be 0:

    <block>
      <substr l='4'>
        <s>Hello World</s> --> Hello World
      </sub
409. s scopingOrg See table. For a list of supported resource type names, see Views.

Table 4-13 Options Values

Option | Value
conditions | See Additional Options
current | See Additional Options
scopingOrg | See Additional Options

Valid queryable attribute types for the matchType parameter include the following:

Table 4-14 Possible Values for matchType Parameters

matchType Parameter | Description
type | Identifies the resource object type. Valid values are found in the XML Prototype for the resource. For example, the object type that designates Active Directory is Windows Active Directory. For Groupwise, it is GroupWise.
supportsScanning | When set to true, specifies that the resource supports scanning
supportsContainerObjectTypes | When set to true, specifies that the resource supports container objects
startupType | Indicates the ActiveSync startup type. Valid values include Automatic, Automatic with failover, Manual, and Disabled.

getResourceObjects Methods

    getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options, String cacheList, String cacheTimeout, String clearCacheIfExists)

or

    getResourceObjects(LighthouseContext session, String objectType, String resourceId, Map options)

or

    getResourceObje
410. s a mechanism for the representation of name/value pairs and utilities for traversing complex hierarchies of objects through path expressions. A path expression is a string that is interpreted at runtime to traverse an object hierarchy and retrieve or assign the value of an attribute. You must understand how to write path expressions to assign valid form field names. For more information on using path expressions, refer to the section titled Path Expressions.

How the User View Is Integrated with Workflow

Workflow processes that contain a user view typically store it in a workflow variable named user. You can reference a view in the workflow expressions by prefixing user. to a user view path, for example: user.waveset.accountId. The string waveset identifies the attribute named accountId as belonging to another object named waveset, which itself belongs to the user view object.

Approval forms are written for a view known as the WorkItem view. The WorkItem view by default contains all the workflow variables under an attribute named variables. If the approval form is written for a workflow that contains a user view, the prefix variables.user. is used to reference attributes in the user view, for example: variables.user.waveset.roles. See WorkItem View later in this chapter for more information.

Generic Object Class

At a high level, objects are simply named collections of attributes, which are name/value pairs. The value of an attribute c
412. s into another set. In this example, the resource account attribute accounts[Oracle].locCode is evaluated against the AUS case element first. If it is true, then the second value is the value returned and displayed in the location field. If no cases are matched, then the value of the default case is returned. When a matching abbreviation is found as the first expression within a case expression, the value of the second expression within the case expression is returned as the result of the switch expression.

    <Field name='location' prompt='Location'>
      <Display class='Text'/>
      <Derivation>
        <switch>
          <ref>accounts[Oracle].locCode</ref>
          <case>
            <s>AUS</s>
            <s>Austin</s>
          </case>
          <case>
            <s>HOU</s>
            <s>Houston</s>
          </case>
          <case>
            <s>DAL</s>
            <s>Dallas</s>
          </case>
          <case default='true'>
            <s>unknown</s>
          </case>
        </switch>
      </Derivation>
    </Field>

Examples of <Expansion> Statement

The following two examples illustrate the potential use for the Expansion element:

- Example 1: Implementing a rule to standardize the case of text entered in a field
- Example 2: Hiding expansion logic

Example 1

Expansion rules transform information that has been entered into a field into values that match t
413. s of buttons, described below.

Table 3-18 First Row of Buttons

Row of buttons | Description
top row | Next and Back buttons to traverse through the form panes
second row | Contains the standard user form buttons listed in the following table. You can control the second row by setting the noDefaultButtons option to true and implementing your own buttons.

This second row of buttons can vary as follows:

Table 3-19 Second Row of Buttons

Wizard page | Default buttons
first page | Next, Cancel
intermediate pages | Prev, Next, Cancel
last page | Prev, Ok, Cancel

Implementing a Wizard Form

Wizard form syntax closely resembles tabbed user form structure. To create a wizard form:

1. Assign the WizardPanel display class to the top-level container rather than TabbedPanel.
2. Set the noCancel property to true.
3. Define one or more EditForm fields that contain the pages of the wizard.

The following example provides comments for guidance purposes.

    <Form>
      <Display class='HtmlPage'/>      <!-- If not set, causes indentation and color problems -->
      <Field name='MainTabs'>          <!-- Name of the top container that wraps the tab pages -->
        <Display class='TabPanel'/>    <!-- Display class for the top container, either TabPanel or WizardPanel -->
        <Field name='Identity'>        <!-- Label of the Tab -->
          <Display class='EditForm'>   <!-- Each page must be an EditForm -->
            <Proper
414. s to be assigned

controlledOrganizationsUserform
Specifies the userform that will be used when editing or creating users in the scope of organizations controlled by this admin role. Valid if the userform is not directly assigned to the user that is assigned this Admin role.

controlledSubOrganizations
Lists the controlled organizations for which a subset of the objects available has been either included or excluded. The value of this attribute consists of a list of controlledSubOrganization objects. Each ControlledOrganization object view is as follows:

Table 5-17 controlledSubOrganizations View Attributes (Admin Role view)

Attribute | Data Type | Required
name | String
name of controlled object group
types | List [objects]
types is a list of objects, where the list of objects to include or exclude are organized by type (for example, Resource, Role, and Policy). The view for each object type is as follows:

Table 5-18 controlledSubOrganizations View Attribute Object Types (Admin Role view)

Attribute | Data Type | Required
name | String
include | List [objects]
exclude | List [objects]

name
Specifies the name of the object type.

include
Lists object names of the associated object type to include.

exclude
Lists object names of the associated type to exclude.

memberObjectGroup
Lists the ObjectGroups of which this Admin role is a member. These are the object groups (organizations) that this Admin role
416. ser does, the form then displays the appropriate fields for that resource.

Identifies the HTML component class used to render this form component in the browser. By default, the Display Class selection is EditForm. If the form is a link form, such as the End User menu, then select LinkForm from the Display Class options. See the HTML Display Class table in HTML Display Components.

Specifies the property attribute. Typically is a string.

Specifies the maximum number of characters for this element.

Table 3-6 Default Services in Forms Toolbox

Service | Description
Text | Displays a regular text entry box.
Secret Text | Displays text as asterisks. Typically used for encrypted data like passwords.
Select | Displays a single-selection list box. Values for the list box must be supplied by the allowedValues property.

Table 3-6 Default Services in Forms Toolbox (continued)

Service | Description
MultiSelect  Checkbox  Label  TextArea  Radio  Link  Button  accountId
Displays a multiselection text box, which displays as a two-part object in which a defined set of values in one box can be moved to a selected box. Values in the left box are defined by the allowedValues property; values are often obtained dynamically by calling a Java method such as FormUtil.getResources. The values displayed in the right side of a multiselection box are populated from the current va
417. serForm
Used to display a view-only User form. This view-only form displays field information as Labels to ensure that the administrator cannot change values, although he can list, view, and search on this user information. The administrator selects a user from the accounts list, then clicks View to see user details.

accounts[<resource>].properties
Used to store account properties in the Identity Manager repository. Use this attribute if you have some information about the account (for example, the date it was created) that cannot be stored as a native account attribute on the resource.

accounts[<resource>].waveset.forceUpdate
Used to specify a list of resource account attributes that will always be sent to the resource for update when a user is modified, and that an attribute value remains available to resource actions. This attribute is required for resource actions to be run when a user is unassigned from a resource.

The following field definition from a user form uses a Solaris resource (<resource> has been replaced with the name of the resource):

    <Field name='accounts[waterloo].waveset.forceUpdate'>
      <Default>
        <List>
          <String>delete after action</String>
          <String>Home directory</String>
        </List>
      </Default>
    </Field>

The preceding code causes Identity Manager to send the delete after action and Home directory attribute to th
418. signed to the component. The property name is always specified with the name attribute.

Specifying Property Values for a Display Element

You can specify the Property value for a Display element through the use of:

- a value attribute
- an XML Object language
- an expression to specify a value

For most property values, you can use the value attribute and let the system coerce the value to the appropriate type.

Use of the value Attribute

The most common way of specifying the property value is with the value attribute. The value of the value attribute is treated as a string, but if necessary, the system will coerce it to the data type desired by the component. In the previous example, the property size is set to the integer value 20, and the property maxLength is set to the integer value 100.

The following example creates a field that uses SimpleTable to organize several subfields. Within XML forms, the most common Container components used are SimpleTable and ButtonRow.

    <Field name='SelectionTable'>
      <Display class='SimpleTable'>
        <Property name='columns'>
          <List>
            <String>Account</String>
            <String>Description</String>
          </List>
        </Property>
      </Display>
      <Field name='accounts[LDAP].selected'>
        <Display class='Checkbox'>
          <Property name='label' value='LDAP'/>
        </Display>
      </Field>
      <Field>
        <Display class='Label'>
          <Prope
419. simpler views should declare their option constants in the Viewer.java file. Probably the second most common view used from workflow is ProcessViewer, followed by PasswordViewer, DisableViewer, EnableViewer, and RenameViewer. These have comparatively few options.

Return Values and Side Effects

If the fetch is successful, the view will be placed in the variable view. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

getViewForm Session Workflow Service

Returns the form associated with the given view.

Table 2-18 getViewForm Method Arguments

Name | Required | Valid Values | Description
form | no | | Identifies the argument that has been replaced by formId.
formId | no | | Identifies the name or ID of the form to get.
op | yes | getViewForm |
view | no | | Indicates the view to fetch the form from. If this argument is not supplied, the getViewForm workflow service has no effect.

Return Values and Side Effects

If the fetch is successful, the form is placed in the variable form. If any error occurred, WF_ACTION_ERROR will be true and the WavesetResult will contain the error.

listResourceObjects Session Workflow Service

Returns a list of resource object names of the specified resource object type from the specified list of resourceIds.

Table 2-19 listResourceObjects Method Arguments

Name | Required | Valid Values | Description
ob
420. sk Definition

This method supports the ability to add multiple versions of the same task definition to a user. Passing additional arguments in the value of the taskDefinition attribute works only if taskDefinition is defined as a GenericObject. You cannot define taskDefinition as either a map or List.

NOTE: The built-in arguments, such as date and description, are already made available to the called workflow.

Table 2-2 AddDeferredTask Method Arguments

Name | Required | Valid Values | Description
type | no | list of types | Indicates the type of object that the deferred task will be added to. If not supplied, the type is defaulted to user.
name | yes | | Specifies the name of the object to which the deferred task will be added.
task | no | | Identifies the name of the TaskDefinition to run. If the taskDefinition argument is a string, then this argument is the name of the GenericObject that will be placed on the property list.

Table 2-2 AddDeferredTask Method Arguments (continued)

Name | Required
taskDefinition | no
instanceName | no
date | no
organization | no
owner | no
description | no

Can be either a java.util.Date object or a string in the usual format.
Specifies the task definition. Can be either a string or GenericObject.
String
If this argument takes the form of a string, then it defines either the TaskDefinition or TaskTemplate name and the task argu
421. source, in this case an Active Directory resource:

    request ACCOUNT
    accountId cn=maurelius,ou=Austin,DC=Waveset,DC=com

- To cancel the pending or currently active reconciliation process on a resource:

    request CANCEL

Reconcile Policy View

Used to view and modify reconciliation policy, which is stored as part of the Identity Manager system configuration object.

Reconciliation Policies and the Reconcile Policy View

Reconciliation policy settings are stored in a tree structure with the following general structure:

- default or global policy (Default). This is the root policy level.
- resource type (ResType) policy
- resource policy (Resource)

Settings can be specified at any point in the tree. If a level does not specify a value for a policy, it is inherited from the next highest policy. The view represents an effective policy at a specified point in the policy tree, which is identified by the view name.

Table 5-41 ReconcilePolicy Tree and View Names

View Name | Description
Default | Addresses the root of the policy tree
ResType resource type | Addresses the specified resource type beneath the root
Resource resource name | Addresses the specified resource beneath the resource's resource type

Policy Values

Values of policy settings are always policy values. Policy values can contain up to three components, as described in the followi
422. st as shown in the following example.

Defining a Hidden Form Field

First, define a hidden form field that uses a default expression to call the Java class by not including any Display class in the field definition.

    <Field name='jobGrade'>
      <Default>
        <invoke name='getJobGrade' class='com.waveset.custom.DatabaseAccessor'>
          <ref>waveset.accountId</ref>
        </invoke>
      </Default>
    </Field>

Default expressions are evaluated only if the view does not contain a value for the attribute jobGrade. Once the default expression has been run, the result is stored in jobGrade, and the expression is not run again.

From the Form Element dialog for the element:

1. Select Hidden from the Display Class menu.
2. Click OK.

Referencing the Hidden Attribute

Once you have defined a hidden attribute, you can reference it in other expressions, such as:

    <Field name='secureKey'>
      <Disable>
        <lt>
          <ref>jobGrade</ref>
          <i>10</i>
        </lt>
      </Disable>
    </Field>

You can use XPRESS defvar variables to hold the results of a computation, but the results are typically not as efficient as using a hidden form field.

Note about Optimizing Variables Beyond a Single Iteration

XPRESS variables typically persist for only a single iteration over the form fields. As a result, you can use a variable within an Expansion phase but not on a subsequent Derivation phase. If you n
423. st

endUserMenu | End User Menu
endUserResetPassword | Reset User Password Form
endUserTaskList | End User Task List
endUserTaskResults | End User Task Results
endUserWorkItemEdit | End User Work Item Edit
endUserWorkItemList | End User Work Item List
findAccountOwner | Find Account Owner Form
findUser | Find User Form
findUserResults | Find User Results Form
listForms | List Forms
listRules | List Rules
loadForm | Default User Form
loginChangePassword | Expired Login Form
loginResetPassword | Reset User Password Form
renameUser | Rename User Form
reprovisionForm | Default User Form
resetPassword | Reset User Password Form
resetPasswordSelection | User Selection Form
selfDiscovery | Self Discovery
userForm | Tabbed User Form
viewUserForm | Tabbed View User Form
enableUser | Enable Form
endUserChangePassword | Change Password Form
endUserForm | End User Form

Process Mappings

The Process Type column lists the system name of the form. The name listed in the Process Name Mapped To column is the name by which the process is identified in Identity Manager IDE and in the Debug page of Identity Manager.

Table 0-2 Process System and Product Interface Names

System Name | Mapped to
abortAccessReview
accessReviewScan
changeResourceAccountPassword
changeUserPassword
createResourceGroup
createResourceObject
createResourceOrganization
createResourceOrganizationalUnit
createResourcePerson
createRes
424. stname'>
      <Display class='Text'>
        <Property name='title' value='First Name'/>
        <Property name='size' value='32'/>
        <Property name='maxLength' value='128'/>
      </Display>
    </Field>
    <Field name='global.lastname'>
      <Display class='Text'>
        <Property name='title' value='Last Name'/>
        <Property name='noNewRow' value='true'/>
        <Property name='size' value='32'/>
        <Property name='maxLength' value='128'/>
      </Display>
    </Field>
    <Field name='global.fullname'>
      <Display class='Text'>
        <Property name='title' value='FullName'/>
        <Property name='size' value='32'/>
        <Property name='maxLength' value='32'/>
      </Display>
      <Expansion>
        <concat>
          <ref>global.firstname</ref>
          <s> </s>
          <ref>global.lastname</ref>
        </concat>
      </Expansion>
    </Field>

Why Edit Forms?

Why customize the default Identity Manager pages, which already provide all the fields that you need to perform actions within the product? Customizing the default forms allows you to better enforce your company's policies and processes.

Preserve privacy by limiting the amount of user account information displayed on the screen. You may not want to present all of the information available for a user account, depending on who is
425. str> --> Hell
    </block> --> Hell

The length argument is also optional. A missing length argument causes the function to extract the rest of the string. length can be unspecified when only the string and start arguments are specified as child nodes of substr, such as <substr><s>Hello World</s><i>3</i></substr>, or when the attribute is missing from the substr node, like

Note that the length argument is unspecified below, but the rest of the string starting from this start is returned:

    <block>
      <substr s='3'>
        <s>Hello World</s> --> Hello World
      </substr> --> lo World
    </block> --> lo World

trim Function

Takes a single argument, which is coerced to a string. It returns a copy of the argument with the leading and trailing white space removed.

Example

The following expression returns <s>hello</s>:

    <trim>
      <s> hello </s>
    </trim>

upcase Function

Takes a single argument, which is coerced to a string. It returns a copy of the argument with all lower case letters converted to upper case.

Example

The following expression returns <s>ABC</s>:

    <upcase>
      <s>abc</s>
    </upcase>

List Manipulation Expressions

Most list manipulation functions have two forms depen
426. submit the form
activeControl | Contains the name of the last component that was active on the form
message | Can contain an informational message to be displayed at the top of the page
error | Can contain an error message to be displayed at the top of the page

Component Classes

HTML components are independent objects that can be combined in various ways. Related components are organized into classes. There are two major groups of component classes:

- Basic Component classes: Components used to display and edit a single value
- Container classes: Components that can contain one or more components

Basic Component Classes

Common component classes include the components that are used to display and edit a single value. These components are defined in the section titled Basic Components.

Container Classes

A container class defines a collection of components that are visually organized in a certain way. Typically, creating a container class results in the generation of an HTML table tag. Simple containers can concatenate the components horizontally or vertically. Other containers allow more flexible positioning of components and may add ornamentation around the components.

Because containers are themselves components, any container can be placed inside another container. You can use this mechanism to build complex page layouts. For example, many pages consist of a title followed by a list of editing fields foll
427. such as a database lookup.

Use caution when referencing fields with Disable rules. Otherwise, fields inside containers might be disabled.

Hiding Fields

When you hide a field, the field and any fields nested within it are not displayed on the page, but their values are included in the form processing. To hide a field, simply do not assign a Display class to the field.

    <Field name='field A'/>

Calculating Field Values

Field values can be calculated from the values of other fields or any logical expression. For example, you can calculate the user's full name from the first name, middle initial, and last name.

    <Field name='global.fullname'>
      <Expansion>
        <concat>
          <ref>global.firstname</ref>
          <s> </s>
          <ref>global.middle</ref>
          <s> </s>
          <ref>global.lastname</ref>
        </concat>
      </Expansion>
    </Field>

Setting Default Values

You can set the email address based on the user's first initial and the first seven characters of the user's last name. In this example, the system performs an additional check to ensure that the values have been set before performing the concatenation. This additional check is performed to:

- Allow the email address to be set only when the account is first created
- Confirm that the first and last name fields have been se
428. swordSyncThreshold
Specifies the configured number of seconds to allow before triggering synchronization. This setting ensures that passwords updated from the Identity Manager User Interface and sent to source resources will not trigger a recursive synchronization of the user's password.

lastSourcePasswordUpdate
Indicates the last time (in milliseconds) that Identity Manager updated the source resource's password. This setting ensures that passwords reset from the Identity Manager User Interface and sent to a resource will not again trigger a synchronization of the user's password.

lastUpdateSecs
Indicates how many seconds ago the password was updated.

PasswordSyncResourceExcludeList
Lists the resource names that should always be excluded from synchronization. This setting can be configured by editing the System Configuration object attribute PasswordSyncResourceExcludeList.

resourceAccountId
Specifies the native accountId coming from the source resource.

Activities

checkForIDMAccountID
Checks for a null IDMAccountId. If null, transitions to an empty activity called noIDMAccountForResourceAccount. If a non-null account exists, the workflow then transitions to checkLastUpdateThreshold.

noIDMAccountForResourceAccount
Does nothing by default, but is called only if the MessageMapper did not resolve the incoming resource account ID or GUID into an Identity Manager user name.
429. system ignores any name found in this set of attributes that is not registered in the configuration object.

The following code is a sample of the Extended User Attributes Configuration object. This object maintains the list of attributes that are managed by the waveset attribute set.

    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <!-- id="#ID#Configuration:UserExtendedAttributes" name="User Extended Attributes" -->
    <Configuration id='#ID#Configuration:UserExtendedAttributes'
                   name='User Extended Attributes'
                   creator='Configurator'
                   createDate='1019603369733'
                   lastMod='2'
                   counter='0'>
      <Extension>
        <List>
          <String>firstname</String>
          <String>lastname</String>
          <String>fullname</String>
          <!-- add string values here -->
          <String>SSN</String>
        </List>
      </Extension>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </Configuration>

This object can be modified to extend the list from the default firstname, lastname, and fullname attributes. In this case, an attribute called SSN has been added.

accounts[Lighthouse].delegateApproversTo
Specifies to whom the user is delegating approvals, where valid values include manager, selectedUsers, or
430. t

    <Field name='global.email'>
      <Default>
        <and>
          <notnull><ref>global.firstname</ref></notnull>
          <notnull><ref>global.lastname</ref></notnull>
        </and>
        <concat>
          <downcase><substr><ref>global.firstname</ref><i>0</i><i>1</i></substr></downcase>
          <downcase><substr><ref>global.lastname</ref><i>0</i><i>6</i></substr></downcase>
          <s>@waveset.com</s>
        </concat>
      </Default>
    </Field>

Deriving Field Values

Some fields are used on the form solely to calculate other fields. These fields cannot be stored on any resource to which the user belongs. When the user record is edited, each of the resources is contacted and the field values for the attributes are populated. To populate the fields that are used for calculations, you can write derivation rules.

Example: A phone number field can be represented on the form as a single text box. However, a more advanced form might have three fields for the area code and phone number, which are used to calculate the phone number that is saved to the resource. In the simple case of representing a phone number, you can have form fields that resemble the ones listed below.

    <Field name='P1'>
      <Display class='Text'>
        <Property name='titl
431. t </invoke>

Constructing Hash Maps

The listResourceObjects and callResourceMethods methods accept hash maps. You can construct hash maps with the <Map> element. In the following example, the <Map> element builds a static map that never changes.

    <Map>
      <MapEntry name='key1' value='value1'/>
      <MapEntry name='key2' value='value2'/>
    </Map>

You can also construct maps with an XPRESS expression through the use of the <map> element. You can use the <map> element to dynamically build a map whose contents are defined by other expressions. For information on using the XPRESS language to construct a map, see XPRESS Language.

Disabling Fields

When you disable a field, the field (and any fields nested within it) is not displayed in the page, and its value expressions are not evaluated. If the view already contains a value for the disabled field, the value will not be modified.

    <Disable></Disable>

NOTE: Keep in mind that global.* attributes are derived from enabled fields only. If a form dynamically disables a field (instead of hiding it), this field value will not be available through the global.* attributes.

Example

    <Disable>
      <eq>
        <ref>userExists</ref>
        <s>true</s>
      </eq>
    </Disable>

NOTE: Disable expressions are evaluated more frequently than other types of expression. For this reason, keep any Disab
432. t The name of an editing field is typically a path expression within a view that is being used with the form. In the preceding example, waveset.email refers to the email address associated with a user object in the Identity Manager repository.

A Container field may not have a name and is always used with one of the Container components, such as ButtonRow, SimpleTable, or EditForm. One common type of container is the EditForm container, which builds an HTML table that contains titles in one column and components in another. These titles are defined in the title property and are rendered on the Identity Manager page associated with the form.

Disabling Fields

When you disable a field, the field (and any fields nested within it) is not displayed in the page, and its value expressions are not evaluated or incorporated into any global.* attributes. If the view already contains a value for the disabled field, the value will not be modified.

    <Disable></Disable>

Example

    <Field name='waveset.id'>
      <Display class='Text'>
        <Property title='accountId'/>
      </Display>
      <Disable>
        <eq>
          <ref>userExists</ref>
          <s>true</s>
        </eq>
      </Disable>
    </Field>

NOTE: Disable expressions are evaluated more frequently than other types of expression. For this reason, keep any Disable expression relatively simple. Do not call a Java class that performs an expensive computation
433. t Purpose SectionHead Select SimpleTable SubTitle Text TextArea Title Table 3 5 Form Elements Displays a section heading These are recognized by the EditForm container to and are rendered in bold text that spans both the title and component columns Displays a single selection list box Arranges components in a simple grid with a row of column titles Identifies the text that displays below the form title Displays read only text Places a link on the page Identifies the text that displays at the top of the form Form Element Description Name Title Help Key Enter the name for this field A field name is typically a path expression into the view that is being used with this form All fields that display as editing components such as text boxes checkboxes and selects must have a name that specifies a view path Fields that do not display as editing components such as SectionHead and Javascript do not require names However you can give non editing fields names if they need to be referenced by another form through a Field reference Enter a title for the field This title displays adjacent to the field on the form Select the data type of this element from the drop down menu immediately adjacent to this field To edit the text displayed in this field click the adjacent Edit button Enter the help key that associates guidance help with the field This value is the name of an entry in a
434. t

        <Property name='header' value='Server Unreachable'/>
        <Property name='value' value='The specified server could not be contacted. Please view the logs for more information.'/>
        <Property name='linkURL' value='viewLogs.jsp'/>
        <Property name='linkText' value='View logs'/>
        <Property name='linkTitle' value='Open a new window with the server logs'/>
      </Display>
    </Field>
    <Field>
      <Display class='InlineAlert$AlertItem'>
        <Property name='header' value='Invalid IP Address'/>
        <Property name='value' value='The IP address entered is in an invalid subnet. Please use the 192.168.0.x subnet.'/>
      </Display>
    </Field>
    </Field>

Javascript

Use to insert pre-formatted JavaScript into the page. This is useful if you are using the onClick or onChange properties in components and want to call custom JavaScript functions.

Though not required, consider specifying the name property when building components from XML forms. Using features such as field loops and field inclusion, you can add more than one JavaScript component containing the same script to the page. During HTML generation, JavaScript components that have the same name are included only once.

Example

    <Display class='Javascript'>
      <Property name='script'>
        <String>
          function setTextFromSelect sel textFieldName if sel nu
435. t

    <concat>
      <ref>global.firstname</ref>
      <s> </s>
      <ref>global.lastname</ref>
    </concat>
    </Expansion>

Within workflow, you can reference Field attributes as process variables (that is, variables that are visible to the workflow engine) or in XPRESS statements for actions and transitions. When referencing these attributes in workflow, you must prefix the path with the name of the workflow variable where the view is stored, for example, user.waveset.accountId.

Attributes with Transient Values

You can define fields that store values at the top level of the user view, but these values are transient. Although they exist throughout the life of the in-memory user view (typically the life of the process), the values of these fields are not stored in the Identity Manager repository or propagated to a resource account.

For example, a phone number value is the result of concatenating the values of three form fields. In the following example, p1 refers to the area code; p2 and p3 refer to the rest of the phone number. These are then combined by a field named global.workPhone. Because the combined phone number is the only value you want propagated to the resources, only that field is prepended with global.

In general, use the top-level field syntax if you are:

- not pushing a field value out to Identity Manager or any other resource
- the field is being used only in email notifications or for calculating o
436. t

      </Display>
    </Field>
    <Field name='accounts[W2K].selected'>
      <Display class='Checkbox'>
        <Property name='label' value='Windows 2000'/>
      </Display>
    </Field>
    <Field>
      <Display class='Label'>
        <Property name='text' value='Primary Windows 2000 Server'/>
      </Display>
    </Field>
    </Field>

Grouping Components

To group multiple components on a form to hide or disable them, use the <SimpleTable> container, as shown in the following example.

Code Example 3-2 Grouping Components for a Form

    <Field>
      <Disable>
        <not>
          <contains>
            <ref>accountInfo.typeNames</ref>
            <s>Windows Active Directory</s>
          </contains>
        </not>
      </Disable>
      <Field name='accounts[AD].HomeDirectory'>
        <Display class='Text'>
          <Property name='title' value='Home Directory'/>
        </Display>
      </Field>
    </Field>

Working with Lists

The component you use to create a list depends upon list length and whether the user can select more than one option simultaneously. Text boxes often supply a list of options from which a user can select. These lists are populated by specifying choices within a property called allowedValues or by obtaining values dynamically through a method call (FormUtil class methods) to the resource. For information o
437. t (for example, text box, check box, or select box) is used to represent each field. This form also specifies additional logic for disabling fields, populating empty fields with default values, and calculating field values from the values of other fields.

What Forms Control

Forms control the following objects and activities:

- Layout and display characteristics of the page. Forms are composed of fields. Visible field types include simple text boxes, radio buttons, and selection boxes with multiple values. Fields can also have values based on other fields and can be either read-only or be hidden from view.
- Data that is used on the page. Data can be captured dynamically from a resource or be calculated from other fields. With the Identity Manager expression language, called XPRESS, field data can be calculated, concatenated, and logically evaluated.
- Data that is coming into the system. Forms can be the interface from web pages as well as from noninteractive systems such as ActiveSync resources. In this role, the form has no visual fields, but still provides rules to set default values and other field values.

For example, the Full Name field might not be visible to the administrator using the page, but can be set based on the values that the user enters into the First Name, Middle Name, and Last Name fields. Populating fields from other fields reduces the data entry that users and administrato
438. t Tools Including XPRESS Statements

The XPRESS language is an XML-based expression and scripting language. Statements written in this language, called expressions, are used throughout Identity Manager to add data transformation capabilities to forms and to incorporate state transition logic within Identity Manager objects such as Workflow and forms.

XPRESS is a functional language that uses syntax based on XML. Every statement in the language is a function call that takes zero or more arguments and returns a value. Built-in functions are provided, and you can also define new functions. XPRESS also supports the invocation of methods on any Java class and the evaluation of Javascript within an expression.

For a comprehensive discussion of XPRESS features, see XPRESS Language.

Why Use XPRESS?

Expressions are used primarily for the following Identity Manager tasks:

- Customizing the end-user and administrator forms. Forms use XPRESS to control the visibility of fields and to transform the data to be displayed and saved.
- Defining flow of control in Workflow. Workflow uses XPRESS to define transition conditions, which determine the order in which steps in the workflow process are performed.
- Implementing workflow actions. Workflow actions can be implemented using XPRESS. Action expressions can perform simple calculations or call out to Java classes or JavaScript to perform a complex operation.

The expressions contained in these elements can
439. tResourceObjects' class='com.waveset.ui.FormUtil'>

      <ref>:display.session</ref>
      <s>Group</s>
      <s>AD</s>
      <Map>
        <!-- This allows you to return a list of groups only in and below the specified container/organizational unit -->
        <MapEntry key='container' value='LDAP://hostX.domainX.com/cn=Users,dc=domainX,dc=com'/>
      </Map>
      <s>false</s>
    </invoke>

Building DN Strings

With a given user ID and base context, you can dynamically build a list of distinguished names or a single distinguished name. This method does not return a list and is typically used within an Expansion rule.

Building a Dynamic List of DN strings

You can dynamically build a list of DN strings if you specify a user ID and base context. The following example shows how to use user IDs and base context to build a dynamic list of DN strings.

The following code first defines the base context to append to users.

    <Field name='baseMemberContextContractor'>
      <Default>
        <s>ou=Contractors,dc=example,dc=com</s>
      </Default>
    </Field>
    <Field name='baseMemberContextEmployee'>
      <Default>
        <s>ou=Employees,dc=example,dc=com</s>
      </Default>
    </Field>

The user of this form enters data in the following field. This is a likely place for providing a dynamically genera
440. tax to invoke the FormUtil methods from within a form:

    <invoke class='com.waveset.ui.FormUtil' name='method_name'>
      <ref>:display.session</ref>
      <s>arg2</s>
    </invoke>

where the name field identifies the name of the method.

Methods

Most FormUtil methods require that a LighthouseContext or Session object be passed as the first argument by referencing the view attribute display.session. Since forms are often used with a base context prefix, it is recommended that the display.session reference always be preceded with a colon to remove the base context prefix.

This section introduces the most used FormUtil methods.

callResourceMethod Method

    callResourceMethod(LighthouseContext s, String resourceName, String methodName, Map args) throws WavesetException

Description: Invokes the specified method on the resource by passing it the specified arguments.

Table 4-1 callResourceMethod Parameters (Parameter: Description)

s: Identifies a valid Identity Manager context, typically referred to in forms as <ref>:display.session</ref>
resourceName: Specifies the name of the resource on which to call the method
methodName: Indicates the name of the resource method to call
args: Identifies the map of args that the resource method expects

buildDn Method

    buildDn(String name, String baseContext)

Description: Takes a n
441. te, Editable, Data Type

action: Read/Write, Boolean
confirm: Read/Write, Boolean

authType: Specifies access to work items by type. For example, there is a built-in authorization type called EndUserRule. All end users implicitly get access to all rules tagged with the EndUserRule authorization type.

userId: Specifies the name of the Identity Manager user whose work items are contained in the workItem list. Initially, this value is the name of the current session user. The value can be null to indicate that the work items for all controlled users with approver rights should be displayed. This is always the Identity Manager user name, never a display name. The form must not modify this value. To change users, set the user attribute.

user: Specifies the display name of the Identity Manager user whose work items are listed. This value is the same as userId if display names are not used. The form can modify this value, which causes the system to recalculate the work item list during refresh. A null value indicates that all work items are being displayed.

self: Set to true if the userId is the same as the current session user.

forwardedUser: When set, indicates that the user named by userId has elected to have work items forwarded to another user. The other user is identified by its display name.

users: Lists the display names of Identity Manager users that the current user controls and which have work item capabilities. This value is typi
442. ted list of user IDs.

    <Field name='userIds'>
      <Display class='TextArea'>
        <Property name='title' value='UserIds'/>
      </Display>
    </Field>

The following hidden field includes logic that calculates values.

    <Field name='Members'>
      <Expansion>
        <switch>
          <!-- Look at the role assigned to the users -->
          <ref>waveset.role</ref>
          <case>
            <!-- If user has Contractor Role, then build DN like this:
                 ex: CN=jsmith,ou=Contractors,dc=example,dc=com -->
            <s>Contractor Role</s>
            <invoke name='buildDns' class='com.waveset.ui.FormUtil'>
              <ref>userIds</ref>
              <ref>baseMemberContextContractor</ref>
            </invoke>
          </case>
          <case>
            <!-- Otherwise, if user has Employee Role, then build DN like this:
                 ex: CN=jdoe,ou=Employees,dc=example,dc=com -->
            <s>Employee Role</s>
            <invoke name='buildDns' class='com.waveset.ui.FormUtil'>
              <ref>userIds</ref>
              <ref>baseMemberContextEmployee</ref>
            </invoke>
          </case>
        </switch>
      </Expansion>
    </Field>

Building a Single DN String

You can call the buildDn method to populate a list or text area with a single DN.

Example

    <invoke name='buildDn' class='com.waveset.ui.FormUtil'>
      <s>jdoe</s>
      <s>dc=example,dc=com</s>
    </invoke>
443. the PersistentObject implementation returning the default set of queryable attributes supported by all PersistentObjects.

You can override the default set by specifying the set of allowedAttrs in either the default section or the objectType-specific section of the findObjectsDefaults.xml configuration file. This file resides in the sample directory.

Specify each allowed attribute in the sample findObjectsDefaults.xml file as follows:

name: Identifies the attribute.

displayName: Specifies the attribute name as it is displayed in the Identity Manager Administrator interface. If not specified, the value of this attribute defaults to the same value as name.

syntax: Indicates the data type of attribute value, where supported values include string, int, and boolean. If not specified, this value defaults to string.

multiValued: Indicates whether the attribute supports multiple values. A value of true indicates that attribute supports multiple values. If unspecified, this value defaults to false. This attribute applies only if the attribute syntax is string.

allowedValuesType: Specifies the name of the Identity Manager type if the allowed values of the attribute are instances of an Identity Manager type, for example, Role or Resource. If not specified, this attribute defaults to null.

If the name attribute is an Identity Manager-defined attribute, then only name is required. If the attribute name is an extended attribute, you must
444. the collection of attributes that contain information about an Identity Manager user, including:

- Attributes stored in the Identity Manager repository
- Attributes fetched from resource accounts
- Information derived from other sources such as resources, roles, and organizations

The user view is most often used with forms that are designed for the pages that create or edit users. These pages launch workflow processes that store a changed user view until it is necessary to push the updated view information back out to Identity Manager and associated resources. While the user view is stored in a workflow process, the workflow process can manipulate attribute values through workflow actions. Workflow can also expose attribute values for user input through manual actions and approval forms.

How the User View Is Integrated with Forms

The user view is often used in conjunction with a form. Forms contain rules that control how data is presented through HTML fields and is processed after the HTML page rendering the form is submitted. A system component called the form generator combines a form definition and a view to produce HTML that a browser then displays. View attribute values are displayed by assigning them to an HTML component in the form. See Chapter 8, HTML Display Components, for more information on how view attributes can be displayed.

Views are implemented as instances of the GenericObject class. This class provide
445. the component's title property with an entry in a help catalog. See the section titled Matching the Component's title Property with a Help Entry.

Using the help Property

The simplest way to define guidance text is to set the help property. When using XML forms, this means that the help text will be embedded within a potentially large amount of XML, which makes review and editing of the help text more difficult. An alternative is to use a help catalog to store the help text, then reference entries in the catalog from the component.

Using the helpKey Property

Each entry in a help catalog has a unique name, or key. One way to reference a catalog entry from a component is by setting the helpKey property. When set, the system assumes that this is the value of a key in the current help catalog and loads the associated help text when rendering the component.

Matching the Component's title Property with a Help Entry

You can also automatically associate help catalog entries with components by using key values in the catalog that are the same as component titles. When using XML forms, a component title can be specified explicitly with a Property element. Otherwise, it will be taken from the value of the prompt attribute of the containing Field element.

How Identity Manager Evaluates Help Resources

When the system renders a component, it will first check to see if the help property is set. If it is, it will use that text. Next, it checks to see if t
446. the contents of the view into a new file. To create a dump file, add the following Derivation statement to the User view:

    <Field name='DumpView'>
      <Derivation>
        <invoke name='dumpFile'>
          <ref>form_inputs</ref>
          <s>c:/temp/view.xml</s>
        </invoke>
      </Derivation>
    </Field>

This Derivation expression invokes the dumpFile method, which generates the file after the User form is displayed for the first time. The form_inputs variable is automatically bound to the view that is being used with this form. In the preceding example, the String argument to the dumpFile method is a file system path, where you substitute a valid path for c:/temp/view.xml.

Account Correlation View

Used to search for users correlating to a specified account or account attributes. This view is used as part of the account reconciliation process.

This view contains the root attributes listed below. The values of these attributes are GenericObjects. The new ID is <account_name> <resource_name>.

Table 5-13 Top-Level Attributes of Account Correlation View (Attribute: Description)

correlation: Contains information about how correlation should be done
matches: Contains the result of the correlation

The correlation request is executed on both the view get operation and refresh request. In the case of a refresh, the request specified i
447. the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the accounts[Lighthouse] attribute for an example of how to extend the extended user attributes.

waveset.correlationKey: Contains the correlation value used to identify a user during reconciliation and discovery of users. You can directly edit it, although it is generally not exposed.

waveset.creator: Contains the name of the administrator that created this user. This attribute is read-only.

waveset.createDate: Contains the date on which this account was created. Dates are rendered in the following format: MM/dd/yy HH:mm:ss z. Example: 05/21/02 14:34:30 CST. This attribute is set once only and is read-only.

waveset.disabled: Contains the disabled status of the Identity Manager user. It is set to a value that is logically true if the account is disabled. In the memory model, it is either a Boolean object or the string true or false. When accessed through forms, you can assume it is a string. You can modify this attribute to enable or disable the Identity Manager user, although it is more common to use the global.disable. Prepending global to a variable name ensures that the system applies the value of that variable to all resources that recognize the variable, including Identity Manager. Once this value becomes true, the user cannot log in to the Ident
448. the result table, enter a value that exceeds 0.

WizardPanel

Use to render one of several child components (typically EditForms) that use wizard-style Next and Previous buttons to navigate between components.

Properties include:

button: Specifies a value for child component's location property that will place it in the button row. (String)
nextLabel: Specifies the label to display on the Next button. The default text is Next. (String)
prevLabel: Specifies that the label in the Previous button is displayed. (String)
cancelLabel: Specifies that the label in the Cancel button is displayed. (String)
okLabel: Specifies that the label is displayed in the OK button. (String)
noOk: Specifies that the OK button is not displayed. (Boolean)
alwaysOk: Determines that the OK button is displayed, when set to true. (Boolean)
noCancel: Specifies that the Cancel button is not displayed, when set to true. (Boolean)
topButtons: Causes the buttons to be rendered at the top of the page rather than the page bottom, when set to true. (Boolean)
noButtons: Suppresses all button rendering, when set to true. (Boolean)

Component Subclasses

All components extend the Component class, which defines the properties common to most components. In addition, some components extend the Container class, which gives them the ability to contain other components. Each Component subclass defines a number of properties that
449. the specific arguments given below are used. If supplied, any specific arguments below will override the same argument contained in this options map.

user.waveset.accountId or accountID (required: yes): Specifies the name of the Identity Manager user to delete.
adminName (required: no): Specifies the name of the administrator performing the deletion.
loginAppName (required: no): Identifies the login application name.
force (required: no; valid values: true/false): If true, the user will be deleted regardless of whether there are resource accounts that need to be deprovisioned or not.

Return Values and Side Effects

A WavesetResult object containing the result of the deletion of the user.

disable Provision Workflow Service

Disables an Identity Manager account and/or resource accounts.

Table 2-40 disable Method Arguments (Name, Required, Valid Values, Description)

op (required: yes; valid values: disable)
subject (required: no): The effective subject for the call. If not supplied, the task's subject is used. If the value of this argument is none, then no authorization is performed.
options (required: no): A value map of option name/option value pairs. If not supplied, specific arguments below are used. If supplied, any specific arguments below will override the same argument contained in this options map.
accountId (required: no)
adminName (required: no): Specifies the name of the administrator performing the operation.
loginAppName (required: no): Identifies the login application name.
doLighthouse no true fals
450. the specified capability.

hasCapabilities Method

    hasCapabilities(LighthouseContext s, List capabilities) throws WavesetException

Description: Checks to see if the user has a list of specified capabilities (Strings). These capabilities can be assigned either directly or indirectly through AdminGroups and/or AdminRoles. Requires a session value.

Table 4-32 hasCapabilities Parameters (Parameter: Description)

s
capabilities: Identifies the list of capabilities that will be queried.

Return Values

true: Indicates that the currently authenticated Identity Manager user has all the specified capabilities.
false: Indicates that the user does not have all the specified capabilities.

Additional Options

The following options are used by a subset of the FormUtil methods: scopingOrg, conditions, current.

scopingOrg

Used when two or more AdminRoles are assigned to a user. The value should be the name of an organization. This value specifies that the returned names should contain only ones that are available to organizations that are controlled by an AdminRole that controls the scopingOrg organization and is assigned to the logged-in user.

This option is typically used to ensure that when a user is creating or editing another user, the member organization of the user being edited determines which names (for example, Resource names) are available for
451. ther fields. Any field that is to be passed to the next level must have one of the path prefixes defined in the preceding table, User View Attributes.

    <Field name='p1' required='true'>
      <Display class='Text'>
        <Property name='title' value='Work Phone Number'/>
        <Property name='size' value='3'/>
        <Property name='maxLength' value='3'/>
      </Display>
    </Field>
    <Field name='p2' display='true' required='true'>
      <Display class='Text'>
        <Property name='rowHold' value='true'/>
        <Property name='noNewRow' value='true'/>
        <Property name='size' value='3'/>
        <Property name='maxLength' value='3'/>
      </Display>
    </Field>
    <Field name='p3' display='true' required='true'>
      <Display class='Text'>
        <Property name='rowHold' value='true'/>
        <Property name='noNewRow' value='true'/>
        <Property name='size' value='4'/>
        <Property name='maxLength' value='4'/>
      </Display>
    </Field>
    <Field name='global.workPhone' required='true' hidden='true'>
      <Expansion>
        <concat>
          <ref>p1</ref>
          <s>-</s>
          <ref>p2</ref>
          <s>-</s>
          <ref>p3</ref>
        </concat>
      </Expansion>
    </Field>

waveset Attribute

The waveset attribute set contains the information that is stored in a WSUser object in the I
452. these steps. The following procedure uses the WorkItem List view as an example.

1. Copy the form into the Identity Manager IDE or the XML editor of choice.
2. Change the form name.
3. Register it in the System Configuration object under the form.workItemList attribute.

In the custom form, you can then specify view options as properties of the form, as indicated in the following example.

Example

    <Form>
      <Properties>
        <Property name='CustomUserLists' value='true'/>
      </Properties>
    </Form>

Deferred Attributes

A deferred attribute is an attribute that derives its value from an attribute value on a different account. You declare the deferred attribute in a view (and the WSUser model), and the provisioning engine performs this substitution immediately before calling the adapter.

If the deferred attribute derives its value from another resource's GUID attribute, the source adapter does not need to take action. However, if the source attribute is not the GUID, the adapter must return the attribute in the ResourceInfo._resultsAttributes map as a side effect of the realCreate operation. If the adapter does not return the attribute, the provisioning engine will fetch the account to get the value. This is less efficient than modifying the adapter to return the value.

When to Use Deferred Attributes

Use deferred attributes when creating new accounts to specify
453. thod 281 getUnassignedApplications method 279 getUnassignedResources method 283 getUsers method 285 getView workflow service 69 getViewForm workflow service 70 71 global attribute 335 global registration 441 gt function 471 gte function 472 GUID attribute 439 guidance help 228 H hasCapabilities method 294 hasCapability method 293 hash maps constructing 224 header form 140 help adding to forms 228 catalogs 229 display component 559 property 229 helpKey property 229 hidden components in forms 207 HTML display components See display components I ifunction 459 Identity Manager integration with XPRESS 447 593 Section object workflows 25 parameters 409 identity template 409 incremental resource fetching 239 indexOf function 483 504 InlineAlert display component 567 inlineHelp display component 559 insert function 505 instanceOf function 530 invoke function 531 isFalse function 473 isNull function 474 isTrue function 475 iteration expressions 510 J Java class HTML display components as instances 546 class optimizing expressions with 170 expressions 531 methods workflow actions calling 455 JavaScript display component 569 expressions 531 inserting into a form 234 join workflow transition 24 L Label display component 570 label field creating 203 length function 506 Ih command checking XML syntax with 456 Link display component 571 LinkForm display component 574 lin
454. tifies a valid Identity Manager session (typically referred to in forms as <ref>:display.session</ref>). typeName: Specifies object type. Common object types are User Object Group Resource. For a complete list of types, see the Types option list on the Debug page. options: See below. Table 4-9 Options Values (Option: Value): conditions: See Additional Options; current: See Additional Options; scopingOrg: See Additional Options. Return Values: This method returns a list of the names of objects of a given type to which the session owner has access. getOrganizationsDisplayNames Method: getOrganizationsDisplayNames(LighthouseContext s) throws WavesetException or getOrganizationsDisplayNames(LighthouseContext s, Map options) throws WavesetException. Description: Returns a list of organization handles that the current administrator has access to. Forms that need select and multiselection lists of organizations should use this method. NOTE: This method defaults to the system configuration setting for useOrganizationDisplayNames only if the call to getOrganizationsDisplayNames does not specify a pathPrefix option. Parameters: Options consist of a map of key-value pair arguments. Table 4-10 getOrganizationsDisplayNames Parameters (Parameter: Description): s: Identifies a valid Ident
455. ting a Process for Identity Manager Use: If you customize a process, validate and save your changes to ensure that the workflow process completes correctly and as you expect. After saving, import the modified workflow for use in Identity Manager. You can also use the Identity Manager IDE debugger. For information on the Identity Manager IDE to edit workflow processes, see Using the Identity Manager IDE. Editing a Workflow in Production: Do not customize a workflow process in a production environment. Problems can emerge if you edit workflow activities or actions while instances of the original workflow are running. Specifically, the TaskInstance contains a reference to the workflow TaskDefinition and stores the current activity or action by ID. Changing these IDs may prevent the task from restarting where expected when execution resumes. If you cannot avoid editing a workflow in a production environment, use the following procedure. It will help prevent the loss of pending work items from task instances that are using the old definition. 1. Rename the current TaskDefinition to include a time stamp. For example, to modify the Create User workflow, rename the TaskDefinition from Create User to Create User 20030701. You can rename a workflow TaskDefinition with the Identity Manager IDE. 2. Save and import the edited workflow. Following this procedure will help prevent problems with existing Create User tasks that may be in a suspended stat
456. tion is represented as a TaskInstance object, which you can also view from the Debug page. Task Definition Parameters: The following table lists the standard configuration parameters. Table 1-1 Standard Workflow Configuration Parameters (Parameter: Description): name: Specifies the user-supplied name of the workflow, as presented in the Identity Manager interface. Names should be unique among objects of this type, but objects of different types can have the same name. taskType: Used for filtering purposes only. executor: Identifies the name of the class that implements the task. By default, for workflows, this class is com.waveset.workflow.WorkflowExecutor. suspendedable: Boolean. Indicates that the task can be suspended and resumed. Default is true. syncControlAllowed: Boolean. Indicates whether the user is permitted to request synchronous or asynchronous execution. Default is true. execMode: Specifies the type of execution we should use by default. Default is sync. If this value is null or set to ExecMode.DEFAULT, we treat it as ExecMode.ASYNC. executionLimit: Specifies the limit, in seconds, that the task is allowed to execute. The task can specify a limit on the amount of time it is allowed to execute. If it exceeds this limit, the scheduler is allowed to terminate it. A limit of zero means there is no limit. Default is 0.
457. tion operation. This view is read-only. status: Indicates the status code request string. Valid status codes include: Table 5-50 ReconcileStatus View Attributes (Status Code: Description): UNKNOWN: Status cannot be determined. The value of the other attribute is unspecified. PENDING: Request was received, but has not been processed yet. RUNNING: Request is currently being processed. COMPLETE: Request has completed. Consult the attributes to determine the success or failure of the other request. CANCELLED: Request was cancelled by an administrator. reconcileMode: Indicates the reconciliation mode of the request. Either FULL or INCREMENTAL. reconciler: Identifies the Identity Manager server that is processing the reconciliation request. requestedAt: Indicates the date on which the request was received. startedAt: Specifies a date on which the reconciliation operation started. If the reconciliation operation has not yet started, or was cancelled while still pending, this value is null. finishedAt: Indicates the date on which the reconciliation operation completed. If the reconciliation process has not yet completed, this value is null. errors fatal: Describes the error, if any, that terminated the reconciliation operation. Errors are returned as a list of strings. errors warnings: Describes any non-fatal errors that are encountered during the reconciliation operation. Errors are returned as a list of strings.
458. tional: Specify text that Identity Manager can display beneath the form title. Select the data type of this element from the drop-down menu immediately adjacent to this field. To edit the text displayed in this field, click the adjacent Edit button. Enter the help key that associates guidance help with the field. This value is the name of an entry in an associated help catalog specified by the form. Specifying a help key causes an icon to appear to the left of the field. Moving the mouse over the icon causes the text referenced in the help catalog to display. Not typically used in standard user forms. Enter the base context to avoid the need to specify the full path in every field. Base context identifies the underlying Map (specifically, com.waveset.object.GenericObject), and is typically named user or userview. In the Identity Manager Administrator Interface, the editing context is user, so the base context reference is left blank. In forms launched from manual actions such as approvals, the workflow context is the context of the form. Table 3-3 Characteristics Set from Main Tab View (Field: Description): Options Default Derivation Validation Expansion: Select one or more display options for the field. Required: Identifies whether the element is required to process the form. This field must have a non-null value upon submission. When set, results in a re
459. tivities. By category, these default activities are available: Table 1-3 Default Workflow Activities (Activity: Description): Add Deferred Task: Adds deferred task scanner information to an object. Audit Object: Creates audit log records. Authenticate User Credentials. Authorize Object: Tests authorization for a subject on an object in the repository. Checkin Object: Commits changes to an object. Checkin View: Commits an updated view. Checkout Object: Locks and retrieves a repository object for editing. Adds deferred task scanner information to an object. Checkout View: Gets an updateable view. Create Resource Object: Creates a resource object. Create View: Initializes a new view. Delete Resource Object: Deletes a resource object. Deprovision Primitive: Deprovisions resource accounts. Disable Primitive: Disables resource accounts. Disable User: Disables an Identity Manager user account, resource accounts, or both. Email Notification: Sends email notification of an action. Enable Primitive: Enables resource accounts. Enable User: Enables an Identity Manager user account, resource accounts, or both. Get Object: Retrieves a repository object. Get Property: Retrieves a property. Get View: Gets a read-only view. List Resource Objects, Query Object Names, Query Objects, Query Reference, Refresh View, Remove Deferred Task, Remove Property, R
460. tld: Specifies the ID by which the resource identifies this account. roles: Identifies the roles the account will have on the resource. identityTemplate: Specifies the identity template used to generate a user's identity on this resource. Identity Manager Parameters: Identity Manager parameters are used by Identity Manager to help manage the resource. resourceName: Specifies the name by which Identity Manager identifies this resource object. displayName: Specifies the display name that will display on the Identity Manager user edit and password pages to help identify users. retryMax: Indicates the maximum number of retries that will be tried on errors attempting to manage objects on a resource. retryDelay: Specifies the number of seconds between retries. retryEmail: Identifies the email addresses to send notifications to after reaching the retry notification threshold. retryEmailThreshold: Specifies the number of retries after which an email is sent. form: Identifies the user form that is used in workflows that edit accounts on the resource. passwordPolicy: Specifies the password policy for accounts on this resource. resourcePasswordPolicy: Indicates the resource password policy for resource accounts on this resource. accountPolicy: Specifies the policy for account IDs on this resource. excludedResourceAccountsPolicy: Specifies the policy for excluding resource accounts from account lists. available Tab
461. tle display component 556 trace function 534 tracing XPRESS 457 transition conditions workflow 454 Transition workflow component 24 transitions workflow 28 trim function 493 type names 109 U Unlock view 422 unlockObject workflow service 80 unlockView workflow service 81 upcase function 494 update workflow service 108 User Form Library 249 250 user view account related User view namespaces 319 attributes 318 debugging 347 integrating with workflow 314 integration with forms 125 314 metaView attributes 318 overview 310 313 referencing account types 317 User workflows 25 V validation element field 160 validation statement 213 value constructor expressions 459 value display component 557 variables defining 517 variables creating in forms 147 view attributes 125 311 registration 441 View handlers 311 views Account Correlation view 348 Admin Role view 351 Change User Answers view 354 Change User Capabilities view 357 common 312 deferred attributes 439 Delegate Approvers view 358 Deprovision view 360 Disable view 364 Enable view 366 extending 441 Section Find Objects view 368 integrating with workflow 311 integration with forms 311 Org view 374 Password view 380 path expressions 316 Process view 385 Reconcile Policy view 389 Reconcile view 388 ReconcileStatus view 395 RenameUser view 397 Reprovision view 400 Reset User Password view 403 Resource view 406 ResourceObject view 412 Role view 415 Task
462. to be audited, while adding the attribute to individual Activity elements causes only certain activities to be audited. If the audit attribute is not set, then auditing is disabled. In addition, auditing must be enabled from within the task template that calls the workflow. The following example enables auditing for the Notify action: <Activity name='Notify' audit='true'> What Information Is Stored and Where Is It? By default, workflow auditing collects most of the information stored by a regular audit event, including the following attributes: WORKFLOW: Name of the workflow being executed. PROCESS: Name of the current process being executed. INSTANCEID: Unique instance ID of the workflow being executed. ACTIVITY: Activity in which the event is being logged. MATCH: Unique identifier within a workflow instance. ORGANIZATION: The name of the user's organization. These attributes are stored in the logattr table and are derived from auditableAttributesList. Identity Manager also checks whether the workflowAuditAttrConds attribute is defined. You can call certain activities several times within a single instance of a process or a workflow. To match the audit events for a particular activity instance, Identity Manager stores a unique identifier within a workflow instance in the logattr table. To store additional attributes in the logattr table for a workflow, you must defin
463. to set attribute values that are calculated from other fields, such as constructing the full name from a concatenation of first and last name. Controls the character width of the control text boxes. Specifies the character width of the control buffer text boxes. Characters scroll if the user types in a string greater than the value specified by the size property. Identifies the name for this form field, typically a path expression into the view that is used with this form. Set the characteristics in the following table from the Main tab view. Table 3-3 Characteristics Set from Main Tab View (Field: Description; fields: Name, Title, Sub Title, Help Catalog, Base Context): Name: Enter the name for this field. A field name is typically a path expression into the view that is being used with this form. All fields that display as editing components, such as text boxes, checkboxes, and selects, must have a name that specifies a view path. Fields that do not display as editing components, such as SectionHead and Javascript, do not require names. However, you can give non-editing fields names if they need to be referenced by another form through a Field reference. Title: Enter a title for the field. This title displays adjacent to the field on the form. Select the data type of this element from the drop-down menu immediately adjacent to this field. To edit the text displayed in this field, click the adjacent Edit button. Op
464. to the script in the action as environment values, where the names of the variables are RESACTIONARG_<key> and the value is the value that corresponds to that key. Keys and values should be strings. NOTE: The variables are accessed as described above, with one exception: HostAccessResourceAdapter subclasses that support ACTIONS use JavaScript for running actions, and the arguments are passed in a global variable called additionalArgs. Return Values and Side Effects: A WavesetResult object containing the results of the executed action. updateResourceObject Provision Workflow Service: Updates a resource object (for example, a group). Table 2-48 updateResourceObject Method Arguments (Name; Required; Valid Values; Description): op; yes; updateResourceObject. objectType; yes; Identity Manager resources can specify object types that they manage. This is specified by the Object Type element list defined in the resource's prototype XML. This argument is the name of one of those ObjectTypes. group; yes; GenericObject; Specifies the GenericObject to update on the resource. If not specified, the service looks for an argument named after the Object Type. For example, if a resource supports managing a group ObjectType, if the object argument is not supplied, then the service expects the resource object to be in an argument called group. Preferred practice is to use the o
465. tribute is updated each time a user account is modified. This attribute is read-only. waveset.lastModifier: Contains the name of the administrator or user that last modified this user account. This attribute is read-only. waveset.locked: Indicates whether the user is locked. A value of true indicates that the user is locked. waveset.lockExpiry: Specifies when the user lock expires, if the user's Lighthouse Account policy contains a non-zero value for the locked account expiry date. This attribute value is a human-readable date and time. waveset.organization: Contains the name of the organization (or ObjectGroup) in which a user resides. An administrator can modify this attribute if he has sufficient privileges for the new organization. Since changing an organization is a significant event, the original value of the organization is also stored in the waveset.original attribute, which can be used for later comparison. waveset.original: Contains information about the original values of several important attributes in the waveset attribute. The system sets this value when the view is constructed and should never be modified. The system uses this information to construct summary reports and audit log records. Not all of the original waveset attributes are saved here. The attributes currently defined for change tracking are: password, role, organization. To reference these attributes, prepend waveset origina
466. tring>Accounting</String> <String>Human Resources</String> <String>Sales</String> <String>Engineering</String> </List> </Property> </Display> </Field> Dynamically Populating a Multiselection List of Groups: Multiselection lists typically contain two parts. The left side of the list displays the items that are available for selection. These values are defined by the allowedValues property. This property can be a list of strings, a list of XML object strings, or a list of strings returned from a call to a Java method. The right side of the list displays the items that are currently selected. These values are set by selecting one or more items from the left side's allowedValues list and pushing these selections to the selected list. The right side of the list is also populated when the form is loaded and the current settings are retrieved. Adding a Multiselection List of Groups: To add a multiselection list of groups that is populated dynamically from the resource: Add groups to the right side of the schema map. The values displayed in the right side of a text area that displays a multiselection list are populated from the current value of the associated view attribute, which you identify through the field name. Add the following text to any form, changing only the Field name, prompt, availabletitl
467. ts> </Field> Radio: Displays a horizontal list of one or more radio buttons. A user can select only one radio button at a time. If the component value is null or does not match any of the allowed values, no button is selected. Properties for this display component are: title: Specifies the title for all radio buttons. labels: Specifies an alternate list of button labels. The Labels list must be as long as the values in the allowedValues list. Alternate labels can be used in cases where the values are cryptic. For example, values can be letter codes such as H, M, and S, but you would use this property to identify button labels hours, minutes, and seconds. allowedValues: Specifies the value associated with each button. This value must be a list of strings. value: Specifies values for the buttons. This value accepts one string. If not set, then the values are the same as the labels. Example: <Field name='attributes.accountLockExpiry.unit'> <Display class='Radio'> <Property name='noNewRow' value='true'/> <Property name='labels'> <List> <String>UI_TASKS_XML_SCHED_MINUTES</String> <String>UI_TASKS_XML_SCHED_HOURS</String> <String>UI_TASKS_XML_SCHED_DAYS</String> <String>UI_TASKS_XML_SCHED_WEEKS</String> <String>UI_TASK
468. ts that describe the resources on which this user has accounts. Table 5-35 tobeDeletedResourceAccounts Attributes, PasswordView (Attribute; Editable; Data Type): selected; Read/Write; Boolean. name; Read; String. type; Read; String. accountId; Read; String. exists; Read; Boolean (only in currentResourceAccounts). disabled; Read; Boolean (only in currentResourceAccounts). passwordPolicy; Read; Object. authenticator; Read; Boolean. changePasswordLocation; Read; String (only in currentResourceAccounts). expirePassword; Read/Write; Boolean. password: Specifies the new password you want to assign to the Identity Manager account or the resource accounts. confirmPassword: Confirms the password specified in the password attribute. When the view is used interactively, the form requires you to enter the same values in the password and confirmPassword fields. When the view is used programmatically, such as within a workflow, the confirmPassword attribute is ignored. If you are using this view interactively, you must set this attribute. selected: Indicates that the specified resource should receive the new password. name: Specifies the name of resource. This corresponds to the name of a resource object in the Identity Manager repository. type: Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this
469. ty name='helpKey' value='Identity and Password Fields'/> </Display> <Field name='waveset.accountId'> <Display class='Text'> <Property name='title' value='_FM_ACCOUNT_ID'/> </Display> <Disable> <ref>waveset.id</ref> </Disable> </Field> </Field> </Field> Tips and Workarounds: Validation errors appear on the last page that the user was on, rather than the page on which the attribute appears. To work around this, include information in the validation message to assist the user in navigating back to the correct page. For complex wizards, give users some visual clue as to where they are in the process. Using labels or section heads at the top of every page that displays text similar to Page 1. Avoid using conditional navigation in wizard forms. If you must implement it, use Disable expressions for each of the immediate children of the WizardPanel. For example: <Field name='Page2'> <Display class='EditForm'/> <Disable> <neq> <ref>showPage2</ref> <s>true</s> </neq> </Disable> </Field> Put fields or buttons on previous pages that cause their gating variables to be set. Disabled pages are automatically removed from transition logic. Alternatives to the Default Create and Edit User Forms: When an administrator uses the defau
470. uage, see XML Object Language. <Property name='size'> <Integer>10</Integer> </Property> <Property name='title'> <String>New Password</String> </Property> <Property name='leftLabel'> <Boolean>true</Boolean> </Property> <Property name='allowedValues'> <List> <String>Texas</String> <String>Iowa</String> <String>Berkshire</String> </List> </Property> All properties that expect list values recognize the List element. Most attributes, in addition, recognize the comma list syntax for specifying lists. Use of an Expression to Calculate the Value: You can also specify a Property value through an expression. This allows a value to be calculated at runtime, possibly combining fixed literal values with variable values defined by the page processor. Example: <Property name='title'> <concat> <s>Welcome</s> <ref>waveset.accountId</ref> <s>select one of the following options</s> </concat> </Property> In the preceding example, waveset.accountId is a reference to a variable. When the system generates the HTML for this component, the page processing system supplies the value for the waveset.accountId variable. The names of the variables that can be referenced are defined by
471. uct do support multiple organizations with the same name. Why use the v3.1.x Version of this Method? Reset this method to not support multiple organizations if your customized installation is characterized by the following features: Duplicate organization names are not and will not be used, and the preference is to display organizations using the short display names. Customizations use methods that previously returned the short name of the organizations. You use the getOrganizations method to present the list of available organizations, or it is used in evaluation expressions. References to the waveset.organization view attribute that previously returned the short name of the org are used in expressions to set additional resource attributes to view attributes. Resetting this Method to v3.1.x Behavior: If you are running a version of Identity Manager that is higher than v3.1.x but want the behavior described above, you can edit the following system configuration object attribute as follows: <Attribute name='useOrganizationDisplayNames'> <Boolean>false</Boolean> </Attribute> getResources Methods: getResources(LighthouseContext s) throws WavesetException or getResources(LighthouseContext s, List current) throws WavesetException or getResources(LighthouseContext s, String matchType, String value) throws WavesetExc
472. ucture 47 changeResourceAccountPassword 89 checkDeProvision 91 checkinObject 56 checkinView 57 checkoutObject 58 checkoutView 59 cleanupResult 90 createResourceObject 92 createView 61 deleteResourceAccount 93 deleteResourceObject 94 deleteUser 96 deProvision 95 disable 97 disableUser 62 enable 98 enableUser 64 findUser 65 getApprovals 99 getObject 66 getProperty 67 getView 69 getViewForm 70 71 lockOrUnlock 100 notify 101 provision 102 queryObjectNames 73 queryObjects 74 queryReferencingRoles 75 questionLock 103 refreshView 76 reject 104 removeDeferred 77 removeProperty 78 reProvision 105 run resource action 106 setProperty 79 unlockObject 80 unlockView 81 update 108 workflowAuditAttrConds attribute 38 workflowAuditAttrConds list defining 38 WorklItem List view 432 object 22 restricting administrative view capabilities 27 types 26 view 315 425 viewing and modifying 425 WSUser object 322 X XML form structure 138 syntax in XPRESS 445 446 syntax checking 456 XML Object Language lists 541 map objects 542 specifying property values with 153 XPRESS and 538 XPRESS arithmetic expressions 463 block expressions 510 calling Java methods 455 conditional expressions 510 data types 536 debugging expressions 534 default values 449 derivation and expansion elements 208 deriving values 451 expressions 447 field visibility 448 function expressions 517 functions 459 g
473. ue iso> </Display> </Field> FileUpload: Displays a text field and a Browse button that allows the user to select a file and upload it to the server. Use this component to import data into Identity Manager from a file, such as users or configuration objects. This component supports all the properties that the Text component supports. Html: Allows you to insert arbitrary HTML markup into a form field or other component contained within an HTML page, including JavaScript. This component contains one property, html, which allows you to specify the string(s) that are rendered into the page. Example: <Display class='Html'> <Property name='html'> <concat> <s><![CDATA[<div class='DashAlrtMsgTxt'>]]></s> <ref>loginWarning</ref> <s><![CDATA[&nbsp;<a href=']]></s> <s>user/changePassword.jsp</s> <s><![CDATA['>]]></s> <message name='UI_USER_MAIN_CLICK_HERE_INTRO'/> <s><![CDATA[</a>]]></s> <message name='UI_USER_MAIN_CLICK_HERE_REMAINDER'/> <s><![CDATA[</div>]]></s> </concat> </Property> </Display> HtmlPage: Describes the root HTML page. This component can contain arbitrary HTML and browser JavaScript. Properties include
474. ue</s> </eq> </Transition> <Transition to='Rejected'/> </Activity> WorkItem Types: Manual actions have the ability to assign a type to the work item that is generated when the manual action is executed by the workflow engine. You can assign the work item type in a customization to filter the set of work items to be displayed or operated upon. The following work item types are recognized by the system. Table 1-2 Work Item Types (Work Item Type: Description): approval: Indicates that the work item represents an approval. wizard: Indicates that the work item represents an arbitrary interaction with the user. suspend: Indicates that the work item is temporary. Use this type to force a workflow into background execution. In addition, you can assign customized work item types. For example, you might set the work item type to resource to represent a resource approval, and role to represent a role approval. Authorization Types: Manual actions can also specify the authorization type of the WorkItem to be created. The authorization type differs from the item type in that the system automatically filters the work items returned in a query to exclude those for which the current administrator is not authorized. Typically, any administrator with the Approver capability is authorized to view all work items in the organizations they control. To specify a work item authorization type in the manual actio
475. unction: Assigns map elements to an object. map: specifies the map. key: specifies the map key. value: specifies the value to assign to the map key. Example: <putmap> <ref>userView</ref> <s>waveset.role</s> <s>engineering</s> </putmap> set Function: The behavior of this function depends upon the type of the first argument. list: you can use the function to assign list elements. string: the string is assumed to be the name of a variable, and the value of the variable is assigned. any other object: the second argument must be the name of an attribute on that object, and the third argument must be the value to assign. Example: The following expression sets the value of the role attribute to engineering. <set> <ref>userView</ref> <s>waveset.role</s> <s>engineering</s> </set> setlist Function: Assigns list elements to an object. list: specifies the list. index: specifies the order of elements in the list. value: specifies the value to assign to the list element. Example: <setlist> <ref>myList</ref> <i>s</i> <s>accounts</s> </setlist> setvar Function: Set the value on the variable. This function accepts a static variable name. name: ide
476. unt should be excluded from the displayed list. Forms that Support This Feature: The following Forms support the specification of an Exclude filter as a Form property: Change Password Form User Interface. Administrator Interface Forms: Change User Password Form, Deprovision Form, Disable Form, Enable Form, Rename Form, Reprovision Form, Reset User Password Form, Unlock Form. <Exclude> Property Format: The Exclude Form Property takes the following form: <Configuration wstype='UserForm'> <Extension> <Form noDefaultButtons='true'> <Properties> <Property name='Exclude'> <list> <new class='com.waveset.object.AttributeCondition'> <s>disabled</s> <s>equals</s> <s>yes</s> </new> </list> </Property> </Properties> </Form> </Extension> </Configuration> To include disabled resource accounts in the list of displayed accounts, remove the disabled attribute condition from the list. Valid View Attributes: The list of valid attribute names are those exposed by the views that are associated with each Form listed above, for each instance of a currentResourceAccounts object. Valid attributes include: accountDisplayName: string; accountId: string; directlyAssigned: true/false; disabled: yes/no; exists: y
477. used to find out the state of the workflow execution. In addition, many variables are set as a side effect of workflow services. Table 2-1 Workflow Built-In Variables (Name: Description; names listed: WF_ACTION_ERROR, WF_ACTION_RESULT, WF_ACTION_SUPPRESSED, WF_ACTION_TIMEOUT, WF_CASE_OWNER, WF_CASE_RESULT, WF_CONTEXT): WF_ACTION_ERROR: A built-in variable that will be set to true if the previously executed action returned a result containing an error or a thrown exception. WF_ACTION_RESULT: A built-in variable that will be set to the WavesetResult object returned by the previous action. Use this variable when you want to capture the action's WavesetResult and process it without adding it to the global TaskInstance result. It was originally added to support resource retries, where you do not necessarily want to keep adding the resource error messages to the task result on every retry. It is not used often, but can be useful if you ever want to tweak the action result before adding it to the task result. WF_ACTION_SUPPRESSED: This built-in variable will be set to true if the action was suppressed due to a <Condition> expression evaluating to false. WF_ACTION_TIMEOUT: A built-in variable that will be set to true if the previously executed action timed out. WF_CASE_OWNER: A built-in variable that contains the name of the administrator that launched the workflow task. WF_CASE_RESULT: A built-in variable that contains the WavesetResult of the TaskInstance
478. user. This view is often used in custom workflows. resourceAccounts: Represents the top-level attribute when accessing attributes in this view. Table 5-28 Attributes of resourceAccounts Attribute (Enable View) (Name, Editable, Type, Required): id, Read, String; selectAll, Read, Boolean; currentResourcesAccount, Read, String; fetchAccounts, Read/Write, Boolean; fetchAccountResources, Read/Write, List. id: Identifies the user's Identity Manager ID. selectAll: When set, all resource accounts will be enabled, including the Identity Manager account. currentResourceAccounts: Represents the set of accounts that are currently being managed by Identity Manager, including the Identity Manager account itself. Use the selected field to signify that the specific resource should be enabled. Table 5-29 resourceAccount.currentResourceAccounts Attributes (Enable View) (Name, Editable, Type): name, Read, String; type, Read, String; accountId, Read, String; exists, Read, Boolean; disabled, Read, Boolean; selected, Read/Write, Boolean. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources
479. ustomize it. To enable incremental fetching, you must identify: resource accounts that are initially fetched (use the TargetResources form property to represent the resource names to be included on the fetch); operations that are updated when the final save operation occurs. Both the Dynamic User Forms and the Resource Table User Forms use resource-specific forms for displaying a user's resource-specific attributes. The following user forms are located in the $WSHOME/sample/forms directory and have been adapted for use by scalable forms: ACF2UserForm.xml, ActivCardUserForm.xml, ADUserForm.xml, ATXUserForm.xml, BlackberryUserForm.xml, ClearTrustUserForm.xml, Exchange55UserForm.xml, HP-UXUserForm.xml, NDSUserForm.xml, OS400UserForm.xml, PeopleSoftCompIntfcUserForm.xml, RACFUserForm.xml, SAPPortalUserForm.xml, SolarisUserForm.xml, SunISUserForm.xml, TopSecretUserForm.xml. These forms are automatically imported along with both Dynamic Tabbed User Forms and Resource Table User forms. If a deployment is using a resource type other than a type listed above, the scalable forms display a default User form that simply lists all attribute names and values specified in the schema mapping. To use an existing customized resource user form other than those listed above, you must make certain modificati
480. utObject Session Workflow Service; checkoutView Session Workflow Service; createView Session Workflow Service; disableUser Session Workflow Service; enableUser Session Workflow Service; findUser Session Workflow Service; getObject Session Workflow Service; getProperty Session Workflow Service; getResourceObject Session Workflow Service; getView Session Workflow Service; getViewForm Session Workflow Service; listResourceObjects Session Workflow Service; queryObjectNames Session Workflow Service; queryObjects Session Workflow Service; queryReferencingRoles Session Workflow Service; refreshView Session Workflow Service; removeDeferredTask Session Workflow Service
481. ve the form component set the forwardTo attribute and have the button post an action value of Forward. action (Boolean): When non-null, initiates an operation on the selected work items. Valid values include: approve, reject, forward, refresh. If the NoConfirm option is set, the action is processed immediately. Otherwise, Identity Manager waits for the confirm attribute to be set to true. The form is expected to define its own confirmation page rendering. confirm (Boolean): Indicates that the operation specified in the action attribute can be performed. Using the variables Attribute: When editing an individual work item, the form can set work item variables such as comments to pass additional information about the approval or rejection into the workflow process for auditing. You can also set arbitrary work item variables when performing actions in the WorkItemList view. The value of the attribute variables can be set to an object whose attributes will be copied into the work item when it is approved or rejected. For example, if the variables object contains an attribute named comments, the same comments will be saved with every selected work item. <Form name='variables.comments'> <Default> <concat> <s>Approval performed on </s> <invoke class='com.waveset.util.Util' name='dateToString'> <new class='java.util.Date'/> </invoke> </concat> </Default>
482. veset.email'> <Display class='Text'> <Property name='size' value='60'/> </Display> </Field> The string waveset.email is a path expression for the user view that targets the email address stored in the Identity Manager repository. Example: This example field edits the email address defined for a particular resource account. The field name references a resource in the account. <Field name='accounts[Microsoft Exchange].email'> <Display class='Text'> <Property name='size' value='60'/> </Display> </Field> The string accounts[Microsoft Exchange].email is a path expression to another location within the user view that holds information about account attributes for a specific resource, in this example the resource named Microsoft Exchange. Example: This example field defines the email address for all resources, including Identity Manager, that contain an attribute named email on the left side of the schema map. <Field name='global.email'> <Display class='Text'> <Property name='size' value='60'/> </Display> </Field> Identifying the Field for Reference: Naming a field provides you a way to reference the field value in other fields. Use the <ref></ref> tag set to reference a field value from another field. The following example concatenates into the fullname field the firstname and lastname field values with a string
483. viewing the information because of concerns for privacy or to reduce the distraction from nonessential information. Provide context-specific help on individual fields. This can reduce confusion and calls into your help desk. Reduce the distraction of nonessential information for users performing a specific task. Typically, the most effective way to present information is to display only the fields you need to accomplish the current task. Customizing the default fields in Identity Manager forms allows you to extend and customize the application for your environment. Specifically, you can customize the default forms to: Address the specific needs of the users in your organization. This is particularly important when several different types of administrators must access different portions of the same view data and should not view all data attributes. For example, a human resources administrator may need to access a different subset of user account attributes than a help desk administrator. Control the display and content of the user account attributes, particularly attributes displayed on the Create User and Edit User pages. These pages contain most of the attributes that need to be controlled. Define default values for user view attributes and their associated attributes. For example, you could define a default home directory for a user instead of the administrator having to key in the path. Pre-process user view attributes
484. w object that is used with the form. Example: <Field name='global.firstname'> For more information on how the name attribute refers to a specific attribute in the user view, see Identity Manager Views. title: Optional. Specifies the external name of a field. Titles are typically used with the EditForm container, which builds an HTML table that contains titles in one column and components in another. Components do not render their own titles. Rendering of titles is controlled by the container. Many containers ignore titles. Example: <Property name='title' value='FirstName'/> <Property name='title'> <expression> <concat> <s>Edit User </s> <ref>waveset.accountId</ref> </concat> </expression> </Property> In this example, the field title is in part derived dynamically from the user's Identity Manager account ID. value: Editing components have a value that may be null. The value is typically set automatically by Identity Manager from an attribute in a view. Some components allow you to set the value by explicitly ignoring current view content. This value can be null. The Component class allows the value to be any Java object. The subclass must coerce the value to a particular type when it is assigned or when the HTML is generated. Component values are almost always String objects or List
485. wer will not fetch the current account attributes to pass to the correlation/confirmation rules. Instead, these attributes will be passed in. correlator: Specifies the correlation rule to use. If not present, the correlation rule specified by reconciliation policy for the resource will be used. If present but null, no correlation rule is used. confirmer: Specifies the confirmation rule to use. If not present, the confirmation rule specified by reconciliation policy for the resource will be used. If present but null, no confirmation rule is used. These lists consist of GenericObjects that contain the summary attributes of users. Table 5-15 Attributes of confirmer Attribute (Account Correlation View) (Attribute, Editable, Data Type): claimants, Read, List; correlated, Read, List; unconfirmed, Read, List. claimant: Lists claimants that are calculated independent of the correlation algorithm, so claimants may also appear in another of the lists. Claimant discovery can be disabled by setting ignoreClaimants to true in the view options. A user claims an account if it has a ResourceInfo explicitly referencing the account. correlated: Lists the users who were correlated to the resource account. unconfirmed: Lists users who were selected by the correlation rule but were rejected by the confirmation rule. This list is only present if the includeUnconfirmed is set to true in the view opti
486. ws a field definition that uses string manipulation expressions to calculate a default account ID consisting of the first letter of the user's first name concatenated with the user's last name. <Field name='waveset.accountId'> <Display class='Text'> <Property name='title' value='AccountID'/> </Display> <Default> <concat> <substr> <ref>accounts[Exchange].firstname</ref> <i>0</i> <i>1</i> </substr> <ref>accounts[Exchange].lastname</ref> </concat> </Default> </Field> The <Default> element is part of the Form XML language. This element can contain either an XPRESS expression or elements in another language called XML Object. For more information on XML Object language, see the chapter titled XML Object Language. When this field is processed, the system checks to see if a value already exists for the waveset.accountId attribute. If no value exists, it evaluates the expression in the <Default> element. In this case, a value is calculated by concatenating the first letter of the first name with the last name. You may need to make sure that firstname and lastname fields have values, as demonstrated by the following example. <cond> <and> <notnull> <ref>accounts[Exchange].firstname</ref> </n
487. xample: <list> <new class='com.waveset.object.AttributeCondition'> <s>MemberObjectGroups</s> <s>equals</s> <ref>waveset.organization</ref> </new> </list> If more than one AttributeCondition is specified, they will be logically and'ed together. getSubordinates Method: getSubordinates(LighthouseContext s, manager, Map options) throws WavesetException. Description: Retrieves a list of the specified managerial subordinates of a user. Table 4-22 getSubordinates Parameters (Parameter: Description). s: Identity Manager context object. manager: Identifies the manager whose subordinates are being requested. options: firstLevel, lastLevel, conditions. See table below. Table 4-23 Options Values (Option: Value). firstLevel: Specifies the first organizational level to include in the result. 0 means direct reports. lastLevel: Specifies the last organizational level to include in the result. 1 indicates all levels. conditions: Optional. Map of user attribute conditions that can be used to further filter the list of user names returned. See Additional Options. Return Values: This method returns a sorted list of subordinates or throws WavesetException. Example Rule Using getSubordinates: <?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
488. xpressions allow you to specify logic to determine whether a value entered in a form is valid. The validation expression returns null to indicate success, or a string containing a readable error message to indicate failure. The system displays the validation error message in red text at the top of the form. The following example contains the logic to determine whether the age entered by user in a field is greater than 0. This expression returns null if the age is greater than or equal to zero. <Field name='age'> <Validation> <cond> <lt> <ref>age</ref> <i>0</i> </lt> <s>Age may not be less than zero.</s> </cond> </Validation> </Field> Calling Methods to Populate Lists: Lists in single-selection and multiselection text boxes are often populated with choices that are derived from information from external resources. You can populate lists dynamically with this information by calling one of the FormUtil methods supplied by Sun. These common methods can perform the following tasks: Obtain a list of resource object names; Obtain a List of Resource Objects without Map Options; Build DN strings; Retrieve a list of accessible object types; Retrieve a list of object types accessible by the session owner; Get a list of organizations with prefixes; Get a list of organizations without pre
489. y. type: Identifies the type of resource, such as Solaris. You can determine the resource type names by bringing up the resource list from the Identity Manager Administrator interface. The Type column on this page contains the names of the type of currently defined resources. The options list next to New Resource also contains the names of the resource adapters that are currently installed. accountId: Specifies the identity of the account on this resource, if one has been created. exists: Indicates whether the account already exists on the resource. disabled: Indicates whether the account is currently disabled. passwordPolicy: When set, describes the password policy for this resource. Can be null. It contains these attributes. Table 5-57 Reset User Password Attributes (Reset User Password View) (Attribute, Data Type, Editable, Required): name, String; summary, String. In addition, it contains view attributes for each of the declared policy attributes. The names of the view attributes will be the same as the WSAttribute in the Policy. The summary string contains a pre-formatted description of the policy attributes. authenticator: If true, indicates that this resource is serving as the pass-through authentication resource for Identity Manager. changePasswordLocation: Describes the location where the password change should occur, for example, the DNS name of a domain contro
490. y attempts to make up a missed schedule time. When set to true, Identity Manager instead waits until the next scheduled time. The default is false. terminate: Similar to delete, but will also terminate the existing task if it is still running. allowMultiple: Controls whether more than one instance of the same task definition or task template are allowed to run. If true (the default), the scheduler will always create a new instance of the task. If false, the scheduler will not create a new instance if there is one already running. task: Contains task-specific attributes. Each task defines its own attributes, and the task's form should reference them relative to the task namespace. Unlock View: Used to unlock accounts for those resources that support native account locking. This view presents and selects the list of resource accounts to be unlocked. NOTE: Use the Unlock view instead of the Disable view for accounts whose resources support native account locking. Contains the following high-level attributes. Table 5-66 Unlock View Attributes (Name, Editable, Data Type, Required): id, Read, String, Yes; selectAll, Read/Write, Boolean, No; currentResourceAccounts, Read, List (objects), No; tobeCreatedResourceAccounts, Read, List (objects), No; tobeDeletedResourceAccounts, Read, List (objects), No; fetchAccounts, Read/Write, Boolean; fetchAccountResources, Read/Write, List. id
491. y name='title' value='Location'/> </Display> <Derivation> <switch> <ref>accounts[Oracle].locCode</ref> <case> <s>AUS</s> <s>Austin</s> </case> <case> <s>HOU</s> <s>Houston</s> </case> <case> <s>DAL</s> <s>Dallas</s> </case> <case default='true'> <s>unknown</s> </case> </switch> </Derivation> </Field> Expansion Element: Unconditionally calculates a value for the field. It differs from Derivation in the time at which the expression is evaluated. Expansion statements are calculated when: the page is recalculated; the form is saved. The following example shows a field definition that uses conditional logic to convert the value derived for the location field in the previous example back into a three-letter abbreviation that will be stored on the Oracle resource. Notice the difference in the field names. The location field value is not saved on any resource. It is used to calculate another field. <Field name='accounts[Oracle].locCode'> <Expansion> <switch> <ref>location</ref> <case> <s>Austin</s> <s>AUS</s> </case> <case> <s>Houston</s> <s>HOU</s> </case> <case>
492. y read-only information about the resource accounts. Use the following attributes to rename resource accounts. Table 5-52 resourceAccounts Attributes (Attribute, Type, Description): selectAll, Boolean, Controls whether all accounts are renamed; currentResourceAccounts[<resourcename>].selected, Boolean, Indicates that the new accountId should be used to rename the identity of this resource account; currentResourceAccounts[Lighthouse].selected, Boolean, Controls whether the Identity Manager account is renamed (selectAll=true overrides this setting); accounts[<resourcename>].identity, Overrides the use of the Identity Template to create the accountId for this resource account; accounts[<resourcename>].<attribute>, Used when not specifying the accounts[<resourcename>].identity attribute, to pass attributes to the Identity Template for the creation of the new accountId. fetchAccounts: Causes the view to include account attributes for the resources assigned to the user. See Setting View Options in Forms in this chapter for more information. fetchAccountResources: Lists resource names from which to fetch. If unspecified, Identity Manager uses all assigned resources. See Setting View Options in Forms in this chapter for more information. Example renameVi renameView renameView d true renam
493. you can also use them in workflows and rules. One common use is to create a list of allowed values for a Select or MultiSelect field in a form, as shown below. Example: <Field name='global.state'> <Display class='Select'> <Property name='title' value='State'/> <Property name='allowedValues'> <List> <String>Alabama</String> <String>Alaska</String> <String>Arizona</String> <String>Arkansas</String> <String>California</String> <String>Washington</String> <String>Washington D.C.</String> <String>West Virginia</String> <String XML Object Language and Corresponding XPRESS: The following table lists several basic XML objects and the equivalent XPRESS. Elements in the XML Object language are similar to elements in the XPRESS language, but it is more efficient to use the XML Object language if the values are static. These two languages differ primarily in that XML Object language does not allow the contents of an object to be computed with an expression. This restriction allows the system to construct the object more efficiently, which will result in faster processing if the object is large. When defining lists with XML Object language, the list is created once when the form is read from the repository and reused thereafter. When defining lists with XPRESS, a new list
