Preventing a change to a column
You can use value templates to prevent users from changing columns that are filled by a value template. To do this, add the name of this column in the value template in $-notation. The value template now references itself. Any change to the column is immediately overwritten by the value template. Value templates that overwrite themselves only take effect if they have been labeled as “Overwrites”.
Example: Use of templates to prevent changes to data
The user should not be able to change an identity‘s central user account. This should be prevented by the value template.
-
Define a custom value template for the Person.CentralAccount column.
-
For the value templates, enable the Overwrites option.
-
Extend the default value template with the following entry: ’$CentralAccount$.
’$CentralAccount$
If Not CBool(Session.Variables.Get("FULLSYNC")) Then
Value=VI_AE_BuildCentralAccount(GetValue("UID_Person").String,$Lastname$, $Firstname$)
End If
Restricting performance of value templates
To limit the number of objects changed by a value template you can define thresholds.
To define thresholds for a value template
-
In the Designer, select the One Identity Manager Schema category.
-
Select the table and start the Schema Editor with the Show table definition task.
-
Select the column and then the Column properties view.
-
Select the Value calculation tab and edit the following properties.
-
Threshold (asynchron): Enter the maximum number of objects that can be changed directly by the value template. Once this limit has been reached, processing takes place synchronously with the One Identity Manager Service.
-
Threshold (stop): Enter the number of objects after which processing is stopped. Once this limit has been reached, processing is stopped with an error message.
NOTE: If a stop threshold value is specified, it must be larger than the threshold for asynchronous processing.
-
Select the Database > Save to database and click Save.
Example of local value templates within an object
The an identity's full name (Person.Internalname) will be derived from its surname (Person.Lastname) and first name (Person.Firstname). The value template for the Person.Internalname column looks like:
Value = $Lastname$ & ", " & $Firstname$
If the value template is labeled as "Overwrites" then each time Lastname changes a test is done to check for dependent columns that reference this value in a template. If this is the case, the value template is processed and the value is entered into the Internalname column. If the value template cannot overwrite, it only applies if there is no value in the Internalname column.
The Person.Lastname and Person.Firstname columns are the sender and the Person.Internalname column is the subscriber. The mapping for adding a database object in the DialogNotification table is:
person.lastname --> person.internalname
person.firstname --> person.internalname
Example of cross-object value templates
If a value template references a value from another object, it can be accessed using the foreign key (FK) relation.
Figure 9: Effect of cross-object value templates
If, for example, the surname of an Active Directory user account (ADSAccount.Surname) is derived from the surname of an identity (Person.Lastname), enter the template for the ADSAccount.Surname column as follows:
Value = $FK(UID_Person),Person.Lastname$
If the identity’s surname changes, the last name of the Active Directory user also changes. The Person.Lastname column is therefore the sender and the ADSAccount.Surname column is the receiver. The relation is mapped in the DialogNotification table as follows:
Person.Lastname --> ADSAccount.Surname