
Identity Manager 8.0 - Configuration Guide


Templates

Value templates are implemented in the One Identity Manager for generating user data or for transforming values. You can use these templates to fill object properties with default values or to form property values from other properties. Value templates can take effect within an object as well as between objects. Value templates without dependencies take effect when the value is queried in the column and the column does not have a value assigned. Value templates that refer to other columns are affected when these columns change.

Value templates take effect without regard to the current rights situation. No explicit rights need to be assigned to the dependent columns. When value templates are in use, all the columns that are affected are therefore also loaded, even if they are not on the current form in the "Manager" program.

NOTE: You can get an overview of existing columns with value templates in the category One Identity Manager Schema | Templates in Designer.

Column dependencies due to value templates are mapped in the table DialogNotification. The connected properties are shown in the table as sender-subscriber pairs. The column that caused the change is the sender, and the column that is changed because of it is the subscriber. The object links are consolidated by the column relations. The entries are created when the value templates are compiled and updated.

You can see dependencies in the Schema Editor overview. To display dependencies, select the menu item Options | Dependencies. If a column contains a value template, it is displayed in the tooltip. If the column does not have a value template itself but is referenced by value templates belonging to other columns, then those columns are named in the tooltip.

When you select a column, the connections to other columns are highlighted in color. A tooltip shows the sender and subscriber relationship of the column dependencies. The tooltip contains the names of tables that it refers to. The sender, subscriber and the part of the value template that gives the reason for the dependency are also shown.

Table 101: Meaning of Colors for Sender Subscriber Relations
Color Meaning
Blue Column is sender.
Red Column is subscriber.

Figure 18: Sender Subscriber Relations Schema Editor


Editing Value Templates

You can customize predefined default value templates and create your own additional value templates. The default configuration is moved to a configuration buffer during handling. You can retrieve changes from the configuration buffer and restore the default configuration in this way.

NOTE: Remember to take performance into consideration when defining value templates. In certain circumstances, a value template in overwrite mode can cause a change to one property to change and save large numbers of dependent objects and to generate processes for them.

To create a value template

  1. Select the category One Identity Manager Schema in the Designer.
  2. Select the table and start the Schema Editor with the task Show table definition.
  3. Select the column and edit the following properties on the Value calculation tab:
    Overwrites

    Specifies whether the template can overwrite or not. If this option is set, the value template is always applied. If the option is not set, the value template is only applied when the column is empty.

    Template

    Template script. Write the script in VB.Net syntax, which allows all VB.Net script functions to be used.

    TIP: To display the columns that trigger a template, click the link Triggers for this template.

    No automatic truncation by template

    Specifies whether the value is automatically truncated to the maximum column length if the maximum length is exceeded when applying a template. If this option is set, the value is not truncated to the maximum column length.

IMPORTANT: Compile the database to bring the value template into effect.

Prevent change to column

You can use value templates to prevent users from changing columns that are filled by a value template. To do this, add the name of this column in the value template in $-notation. The value template now references itself. Any change to the column is immediately overwritten by the value template. Self-correcting value templates are only effective if the templates are labeled as "overwriteable".

Example:

The user should not be able to change an employee's central user account. This should be prevented by the value template.

  • Define a custom value template for the column Person.CentralAccount.
  • Set the option Overwrites.
  • Extend the default value template with the following entry: '$CentralAccount$.

' Self-reference in a comment: makes this column a trigger of its own template.
'$CentralAccount$
If Not CBool(Session.Variables.Get("FULLSYNC")) Then
    Value = VI_AE_BuildCentralAccount(GetValue("UID_Person").String, $Lastname$, $Firstname$)
End If

Limit template execution

To limit the number of objects changed by a value template you can define thresholds.

Table 102: Thresholds
Property Meaning
Threshold (asynchronous) Maximum number of objects that can be changed by the value template. Once this limit has been reached, processing takes place synchronously with the One Identity Manager Service.
Threshold (abort) Once this limit has been reached, processing is aborted with an error message.

NOTE: If an 'abort' threshold value is given, it must be larger than the threshold for asynchronous processing.


Example of Local Value Templates within an Object

An employee's full name (Person.Internalname) will be derived from the employee's surname (Person.Lastname) and first name (Person.Firstname). The value template for the column Person.Internalname looks like:

Value = $Lastname$ & ", " & $Firstname$

If the value template is labeled as "Overwrites" then each time Lastname changes a test is done to check for dependent columns that reference this value in a template. If this is the case, the value template is processed and the value is entered into the column Internalname. If the value template cannot overwrite, it only applies if there is no value in the column Internalname.

The columns Person.Lastname and Person.Firstname are the sender and the column Person.Internalname is the subscriber. The mapping for adding a database object in the table DialogNotification is:

person.lastname --> person.internalname

person.firstname --> person.internalname

Example of Value Templates across Objects

If a value template references a value from another object, it can be accessed using the FK relation.

Figure 19: Effect of Cross Object Value Templates

If, for example, the surname of an Active Directory user account (ADSAccount.Surname) is derived from the surname of an employee (Person.Lastname), enter the template for the column ADSAccount.Surname as follows:

Value = $FK(UID_Person),Person.Lastname$

If the employee's surname changes, the last name of the Active Directory user changes, too. The column Person.Lastname is therefore the sender and the column ADSAccount.Surname is the subscriber. The relation is mapped in the table DialogNotification as follows:

Person.Lastname --> ADSAccount.Surname
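
Because value templates are applied without regard to the rights of the user who changed the sender column, it is worth reviewing which columns a single edit can reach. The following Python sketch is an added example, not One Identity code: it derives sender-subscriber pairs from the three templates shown on this page and lists what a change to one column rewrites. The regular expression is a simplification that covers only the two $-notation forms used above; the function names and the sample dictionary are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: "Table.Column" -> template text, copied from this page's examples.
TEMPLATES = {
    "Person.Internalname": 'Value = $Lastname$ & ", " & $Firstname$',
    "ADSAccount.Surname": "Value = $FK(UID_Person),Person.Lastname$",
    "Person.CentralAccount": "'$CentralAccount$\n"
        'If Not CBool(Session.Variables.Get("FULLSYNC")) Then\n'
        'Value=VI_AE_BuildCentralAccount(GetValue("UID_Person").String,$Lastname$, $Firstname$)\n'
        "End If",
}

# Simplified: only $Column$ and $FK(FkColumn),Table.Column$ as shown on this page.
REF = re.compile(r"\$(?:FK\((\w+)\),(\w+)\.(\w+)|(\w+))\$")

def sender_subscriber_pairs(templates):
    """Return the set of (sender, subscriber) column pairs the templates imply."""
    pairs = set()
    for subscriber, script in templates.items():
        table = subscriber.split(".")[0]
        for fk, ftable, fcol, local in REF.findall(script):
            # A local reference is a column of the subscriber's own table.
            sender = f"{ftable}.{fcol}" if fk else f"{table}.{local}"
            pairs.add((sender, subscriber))
    return pairs

def impacted_by(pairs, changed):
    """All columns rewritten, directly or through chains, when `changed` changes."""
    graph = defaultdict(set)
    for sender, subscriber in pairs:
        graph[sender].add(subscriber)
    seen, stack = set(), [changed]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:  # also stops on self-references and cycles
                seen.add(nxt)
                stack.append(nxt)
    return sorted(seen)

def cross_object(pairs):
    """Pairs whose subscriber lives in a different table than the sender."""
    return sorted(p for p in pairs if p[0].split(".")[0] != p[1].split(".")[0])

def self_referencing(pairs):
    """Columns protected by a template that references itself."""
    return sorted(s for s, t in pairs if s == t)

if __name__ == "__main__":
    pairs = sender_subscriber_pairs(TEMPLATES)
    print(impacted_by(pairs, "Person.Lastname"), cross_object(pairs))
```

Columns returned by cross_object are the ones where write access to the sender table effectively changes data in another table, so they are the first candidates for review together with the thresholds described above.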
