Managing Accounts and Groups

In earlier releases of Connector Xpress, mapping a group object type implicitly created the association between groups and accounts. In this release of Connector Xpress, however, you have fine-grained control over the associations between accounts and groups on the endpoint system. To define groups and group membership, you explicitly create associations between classes. You can create direct, reverse, or indirect associations. Creating an association between classes defines the class as a group class.
For JNDI connectors, the group class member attribute is hardwired to contain values of type DN (Distinguished Name). Values of this type are expressed relative to the root of the endpoint directory and enumerate the accounts belonging to each group.
The member attribute for the group class is virtual, meaning that its value is expensive to retrieve: it has to be computed from group.member rather than being looked up directly. We therefore recommend that you request it with caution.
Some JNDI vendors, notably Novell eDirectory, actually expose the account.memberOf attribute in their schema. However, to guarantee consistent behavior across all vendors, you are prohibited from mapping it explicitly. Instead, CA IAM Connector Server implements it as a virtual attribute.
Mappings
Mappings consist of the following:
  • One or more class mappings -- Each class mapping describes a single class of provisioning objects in the Provisioning Server's DIT. For JDBC, a class mapping maps to a single database table. For LDAP, a class mapping can map to multiple native LDAP object classes. Account class mappings have some special handling because they are important to Provisioning Server operations like policy syncing.
  • Multiple attribute mappings -- Each class mapping can have multiple attribute mappings, which map individual values in the Provisioning Server's provisioning objects to single values in objects on the managed endpoint system.
Multi-attribute Mappings
Connector Xpress supports multi-attribute (many-to-one) mappings, which means you can map a native attribute to multiple provisioning attributes. The LDAP DYN template contains an example of multi-attribute mapping. In the template, the account class has both Common Name and Account ID mapped to the endpoint's cn attribute. This is useful because the Common Name is a common LDAP attribute that you should include in the account object, and Account ID is the provisioning naming attribute required by the CA Identity Manager common attribute set.
Also, the Account ID and uid are both ambiguously mapped to the endpoint's uid attribute in the template.
Duplicate mappings to a native attribute within the same class are not allowed. For example, if cn is mapped, you cannot map cn again. However, you can map cn again as part of an ambiguous mapping, for example, together with uid, as shown in the LDAP DYN template.
Note that the multi-mapping of accountname, cn, and uid, together with a separate mapping directly to cn, is required to fully manage JNDI endpoints. This allows either cn or uid to be used as the naming attribute, and satisfies the condition where cn is also required on an endpoint even when uid is used as the naming attribute.
Map Multi-attributes to the Same Native Attribute
Because JNDI endpoints can contain accounts named using cn or uid attributes, we recommend that you do the following:
  • Map Account ID to both cn and uid attributes
  • Provide single unambiguous mappings to cn and uid to manage such endpoints.
Follow these steps:
  1. On the Project menu, click New.
    Connector Xpress automatically creates a user account provisioning class node in the Mapping tree when you create a project.
    The Select Data Source for new project dialog appears.
  2. Select the data source you want to use for the project.
    The Endpoint Types dialog appears.
  3. On the Endpoint Type Details dialog, specify a name, description, and version for your connector.
    Note:
    These fields are for descriptive purposes only.
  4. In the Mapping Tree, click the Map Attributes dialog.
    The Map Attributes dialog appears.
  5. In the Maps To column, click the edit button for the provisioning attribute you want to map to.
    The Attribute list appears.
  6. Select the native attribute you want to map to.
  7. In the Maps To column, click the edit button for the next provisioning attribute you want to map to.
    The Attribute list appears.
  8. Select the same native attribute as you selected in step 5.
Map Ambiguous Attributes
To support ambiguous (one-to-many) mappings, you can map one provisioning attribute to multiple native attributes.
Follow these steps:
  1. On the Project menu, click New.
    Connector Xpress automatically creates a user account provisioning class node in the Mapping tree when you create a project.
    The Select Data Source for new project dialog appears.
  2. Select the data source you want to use for the project.
    The Endpoint Types dialog appears.
  3. On the Endpoint Type Details dialog, specify a name, description, and version for your connector.
    Note:
    These fields are for descriptive purposes only.
  4. In the Mapping Tree, click the Map Attributes dialog.
    The Map Attributes dialog appears.
  5. In the Maps To column, click the edit button for the provisioning attribute you want to map to.
    The Attribute list appears.
  6. In the Attribute list, Ctrl+click or Shift+click to select the multiple native attributes that you want to map to.
Types of Associations
You can create the following types of associations in Connector Xpress:
  • (JNDI and JDBC) Direct association
  • (JNDI and JDBC) Reverse association
    Note:
    Reverse associations are not supported for associations between compound classes and user account classes when creating multitable support JDBC connectors.
  • (JDBC only) Indirect association
Direct Associations
A direct association is an association between any two classes of objects where the association values are stored on one of the objects directly.
A direct association can be in the forward direction, that is from group to account, and in the reverse direction, that is, from account to group. Creating a direct association in the forward direction lets you manage the accounts that belong to a group from the group side of the association. Creating a direct association in the reverse direction, that is a reverse association, lets you manage the association from the account side of the relationship.
Direct associations in the forward direction coincide with the natural representation of the associative information about the endpoint objects, that is, where the group stores account members. Direct associations in the reverse direction are the reverse of this representation, as they define groups to which an account belongs, even if the native system does not store such information.
It is common to establish both directions of an association at the same time, that is, both the direct and reverse associations. You can use the Direct Association dialog to create and edit both associations at the same time.
In a direct association, a group directly stores the directory-relative DNs of the accounts which belong to it. Therefore, you create a direct association between classes when you map groupOfNames.member to inetOrgPerson.cn.
Note: Both groupOfNames and groupOfUniqueNames are part of the inetOrgPerson schema. They differ only in minor implementation details on the endpoint: groupOfUniqueNames stores its members as a set rather than a list, helping ensure that the associated entries are unique.
In direct associations, references are persisted directly into a multivalued attribute on the endpoint. For example, in LDAP, a group's member attribute directly stores references to the accounts it contains.
When creating associations between classes for JDBC connectors, we recommend that you use direct associations for one-to-one and one-to-many relationships. For many-to-many relationships (for example, the relationship between Account's memberOf and Group's members), use an indirect association instead of a direct association.
Example: Direct Association
The following example shows a direct association that has been mapped between an account class and a finance class. The finance class stores the accounts that belong to it in its member attribute.
Direct Association
Reverse Associations
A reverse association is a direct association between two classes of objects of the type from Class 1 to Class 2 (the direct association) and from Class 2 to Class 1 (the reverse association). Reverse associations are by definition bi-directional.
Typically, most endpoints let you manage only one side of the association between accounts and groups, from the group side of the association. For example, you can manage the accounts that belong to a group from the group side of the association. Creating a reverse association lets you provision and manage which groups an account is a member of, from the account side of the association.
As most bi-directional associations have a physical attribute on one class and a virtual attribute on the other class, we recommend that you define the physical association attribute first.
It is common to establish both directions of an association at the same time, that is, both the direct and reverse associations. You can use the Direct Association dialog to create and edit both associations at the same time.
Reverse associations appear in the mapping tree under the node of the class you have specified a reverse association with.
Example: Reverse Association
The following diagram shows a direct and reverse association between the account and group finance class, that is, a bi-directional association, created when you map the attribute in the account that contains the groups the account belongs to, for example, the memberOf attribute, to the group's naming attribute.
Reverse Association
Note: If group membership has a reverse association and a user search is performed, retrieving the 'member' attribute causes a delay in the search for the user's groups if the group has a large number of users, for example, more than 8000.
To avoid the delay, set the following property to true in the connectors.xml file:
reverseAssocOnGroupMember
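The direct and reverse associations described above, as an added illustration that is not Connector Xpress or JIAM code: the directory entries are constructed sample data, group membership is read directly off the group entry, and account.memberOf is computed as a virtual attribute by scanning every group's member attribute. It also applies the page's cn/uid naming-attribute mapping and includes a consistency check for member values that resolve to no account.

```python
"""Direct (group -> account) and reverse (account -> group) associations for
a JNDI/LDAP-style endpoint. Constructed sample data; not Connector Xpress
or JIAM code."""
from collections import defaultdict

# Accounts keyed by directory-relative DN (relative to the endpoint root,
# which is how group member values are expressed). Some entries are named
# by cn and some by uid, which is why Account ID is mapped to both.
ACCOUNTS = {
    "cn=alice,ou=people":  {"cn": "alice",      "uid": "alice", "sn": "Ames"},
    "uid=bob,ou=people":   {"cn": "Bob Barker", "uid": "bob",   "sn": "Barker"},
    "uid=carol,ou=people": {"cn": "Carol Cole", "uid": "carol", "sn": "Cole"},
}

# Groups store membership directly on the group entry (direct association in
# the forward direction). groupOfNames uses 'member', groupOfUniqueNames uses
# 'uniqueMember'. The audit group also holds a member DN with no account entry.
GROUPS = {
    "cn=finance,ou=groups": {
        "objectClass": "groupOfNames",
        "member": ["cn=alice,ou=people", "uid=bob,ou=people"],
    },
    "cn=audit,ou=groups": {
        "objectClass": "groupOfUniqueNames",
        "uniqueMember": ["uid=bob,ou=people", "uid=carol,ou=people",
                         "uid=dave,ou=people"],
    },
}
MEMBER_ATTR = {"groupOfNames": "member", "groupOfUniqueNames": "uniqueMember"}


def group_members(group_dn):
    """Direct association: the answer is read straight off the group entry."""
    group = GROUPS[group_dn]
    return list(group[MEMBER_ATTR[group["objectClass"]]])


def naming_attribute(account_dn):
    """Return (attribute, value) of the RDN, i.e. whether cn or uid names
    this account on the endpoint."""
    attr, value = account_dn.split(",", 1)[0].split("=", 1)
    return attr, value


def provisioning_view(account_dn):
    """Apply the many-to-one mapping of the LDAP DYN template: Account ID
    comes from whichever attribute forms the RDN (cn or uid), while Common
    Name is always cn, so cn stays populated even when uid names the entry."""
    attr, value = naming_attribute(account_dn)
    entry = ACCOUNTS[account_dn]
    return {"Account ID": value, "Common Name": entry["cn"],
            "Last Name": entry["sn"]}


def build_member_of_index():
    """Reverse association: account.memberOf is virtual. It cannot be looked
    up on the account; every group's member attribute must be scanned, which
    is the cost that grows with large groups."""
    index = defaultdict(set)
    for group_dn in GROUPS:
        for account_dn in group_members(group_dn):
            index[account_dn].add(group_dn)
    return index


def member_of(account_dn, index=None):
    """Virtual memberOf for one account, optionally reusing a prebuilt index
    so a search over many accounts does not rescan the groups per account."""
    if index is None:
        index = build_member_of_index()
    return sorted(index.get(account_dn, ()))


def dangling_members():
    """Consistency check: member values that resolve to no account entry.
    They are visible on the group side but belong to no provisioned account."""
    return sorted(dn for g in GROUPS for dn in group_members(g)
                  if dn not in ACCOUNTS)
```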
Indirect Associations
An indirect association occurs when a third entity defines the association between any two classes of object, for example, an intermediate table that binds two other database tables together.
In an indirect association, the association is stored as an independent entity rather than as a property on one of the objects.
For example, there is an indirect association between an account object and a group object if there is an intermediate table, such as a membership table, that identifies the associations between individual accounts and groups.
In a direct association, objects have an attribute that points directly to the other object. However, in an indirect association, both of the related objects have attributes that point not to each other, but to the membership table.
Membership tables define the members of each group. They contain the association mappings that identify the individual accounts and groups that are related, for example, the groups an account belongs to, and a list of accounts in each group. In a membership table, associations between objects are stored in a many-to-many mapping table.
Membership tables let you specify a separate lookup table for associations between account and group objects and map the relevant attributes.
To define an indirect association, you specify the membership table that contains references to both of the related objects.
When you create an indirect association between two objects, Connector Xpress automatically creates the reverse association, that is, indirect associations are by definition bi-directional.
You can only create indirect associations for JDBC mappings.
Example: Indirect Association
The following diagram shows the indirect association that has been mapped between the employee and department classes using a membership table. The following is an example schema and database.
Indirect Relationship
The following are the three tables in the database:
  • Employees table - lists the employees in the organization. The virtual attribute memberOf contains Group IDs, that is, the departments the employee is a member of.
  • Membership table - defines the associations between Employees and Departments. It contains the association mappings that identify the individual employees and departments that are related, that is, which departments an employee belongs to, and a list of employees in each department.
  • Departments table - lists the departments in the organization. The virtual attribute members contains Account IDs, that is, the list of employees in the department.
How to Define Group Membership
To define group membership and create an association between classes that defines the class as a group class, you do the following:
  1. Create an account class and map its attributes.
    Note:
    When you create a project, Connector Xpress creates a user account class by default.
  2. Create the class you want to define as a group class, and map its attributes.
    Note:
    If you use the wizard to map account and group classes, the wizard automatically creates a group class and the details of the association that you need to complete.
  3. Create a direct, reverse, or indirect association between the classes and map the group's member or uniqueMember attribute to the account's naming attribute.
    Creating an association defines the group membership and creates the association between the classes.
Account Class Mapping Example
This example shows you the procedure you would follow if you were an administrator who wanted to map an account class for a JNDI data source. It shows you how to map an endpoint's account class to the provisioning account class. This example assumes that the administrator has set up a JNDI data source.
Follow these steps:
  1. On the Project menu, click New.
    The Select Data Source for new project dialog appears.
  2. Select the data source you want to use for the project.
    The Endpoint Types dialog appears.
  3. On the Endpoint Type Details dialog, specify a name, description, and version for your connector.
    Note:
    These fields are for descriptive purposes only. Connector Xpress automatically creates a user account provisioning class node in the Mapping tree when you create a project.
  4. In the Mapping Tree, click the User Account node.
    The Map Account Class dialog appears.
  5. Select the endpoint type's object class that you want to map from the Add structural class list. For example, inetOrgPerson.
  6. In the Mapping Tree, click the Attributes node underneath the User Account node.
    The Map Attributes dialog appears.
  7. Map the endpoint's mandatory attributes to the provisioning attributes in the Map Object Class Attribute mapping table. For example, map cn to Account ID and sn to Last Name.
    Note:
    If the table list fails to populate when mapping tables, verify that your database does not have outstanding transactions or locks on the schema metadata.
  8. Map any other required attributes, for example, the user password, street, and title.
  9. Click the Classes node in the mapping tree.
    The Mapped Classes dialog displays a summary of the classes you have mapped. You can use this dialog to revise the native class to provisioning mappings you have made.
  10. In the Mapping Tree, click the Account Id node under the Attributes node.
    The Attribute Details dialog appears.
    The dialog displays the LDAP attribute assigned to each field, its datatype, the JavaBean property name that JIAM uses, and whether the field is required (allows null values) and any length constraints.
  11. Click the Last Name node under the Attributes node.
    The Attribute Details dialog appears with the default policy value set.
    Note:
    When you map a required attribute to a well-known provisioning attribute, Connector Xpress sets a default account template value by default.
  12. Save the project.
How You Create a Direct and Reverse Association
To create a direct association between two classes, for example, an account class, and a group class, you do the following:
  1. Start a new project and specify a data source for your project.
  2. Create and map an account class.
  3. Create a class that you want to define as a group and map it to the class on the endpoint that defines the entries for a group of names, for example, groupOfNames.
  4. Map the group's name and its member attribute.
  5. Specify that you want to create a direct association between the group class and the account class.
  6. Map the group's member attribute to the account's naming attribute.
    Mapping the group's member attribute specifies that the group's membership attribute is populated by the account's naming attribute.
    This describes the association between the group class and the account class and creates a direct association between the account class and group class.
  7. Specify that you want to create a reverse association between the account class and the group class.
  8. Map the account class memberof attribute to the group's naming attribute.
    Note:
    If the native account class does not have a memberOf attribute, create a virtual memberOf attribute and map it to the group's naming attribute. Connector Xpress creates the direct and reverse associations between the account and group class you have mapped and automatically creates and displays the association under the User Accounts node.
Direct and Reverse Association Example
This example shows you the procedure an administrator would follow to create a direct and reverse association between an account class, and a group class. In this example, the administrator defines an association that describes the relationship between the group class and the user account class.
This example assumes that the administrator has set up a JNDI data source, and created and mapped an account class named User account.
To create a direct and reverse association between an account class and a group class, define an association that describes the relationship between the group class and the user account class.
Follow these steps:
  1. In the mapping tree, click the Classes node.
    The Mapped Classes dialog appears.
  2. Click Add on the Mapped Classes dialog, and type a name for your class, for example, Group of Names.
    Connector Xpress adds the new class to the mapping tree.
  3. In the mapping tree, click the Group of Names node.
    The Map Class dialog appears.
  4. In the Structural class list, select the native class that you want to map, for example, groupOfNames.
  5. In the Mapping tree, click the Attributes node.
    The Map Attributes dialog appears.
  6. Map the group's name and the group's member attribute to the provisioning attributes. For example, map the native attributes cn and member to the provisioning attributes objectname and member.
  7. Select the Multivalued check box for the member attribute.
    Selecting the check box specifies that the member attribute is multivalued and can hold multiple account names.
  8. Click the Associations node under the Group of Names node.
    The Class Associations dialog appears.
  9. In the Create direct association with list, select the User Account class.
    Connector Xpress adds a node named with User Account to the mapping tree.
  10. Click the with User Account node under the Associations node, under the Group of Names node.
    The Direct Association with User Account dialog appears.
    Note:
    Connector Xpress selects the group's naming attribute in the Group of Names By Attribute field as the attribute to map to by default.
  11. In the Group of Names Attribute, select member.
    Selecting the member attribute maps the group's member attribute to the account's naming attribute. That is, you have specified that the group's member attribute is populated by the account's naming attribute, and defined the Group of Names class as a group class.
  12. Select the Include a Reverse Association check box.
    The Reverse Association dialog appears.
  13. In the New Virtual Attribute field, type memberof.
    In this example, the native account class does not have a memberOf attribute, so create a virtual memberOf attribute and map it to the group's naming attribute.
    Note:
    Connector Xpress selects the group's naming attribute in the By Attribute field as the attribute to map to by default.
  14. Click Project, Save.
    Connector Xpress creates the direct and reverse associations between the account and group class you have mapped.
How to Create an Indirect Association
This example shows you the process you use to define an indirect association between two classes, for example, an employee class, and a department class using a membership table. To create the indirect association:
  1. Create a project and specify a JDBC data source for your project.
  2. Create and map a class that holds a list of employees.
  3. Create and map a class that holds a list of departments.
  4. Specify that you want to create an indirect association between the employee class and the department class.
  5. Specify the membership table that contains the association mappings that identify the individual employees and departments that are related.
  6. Specify the membership table column that defines the association between employees and departments, and the membership table column that defines the association between departments and employees.
  7. Create a virtual memberof attribute in the employee class and map it to the membership table column that contains the list of departments the employee is a member of.
  8. Create a virtual members attribute in the department class and map it to the membership table column that contains the list of employees in each department.
  9. Save the project.
Indirect Association Example
This example shows you the steps you would follow if you are an administrator who wants to create an indirect association between an Employees class and a Departments class using a membership table.
This example uses an example schema, HR, and an example membership table, Membership. The membership table columns Account_Id and Dept_id contain the association mappings that identify the individual employees and departments that are related, as shown in the following example:
Indirect Relationship
To identify individual employees and departments that are related, create an indirect association between them.
Note:
This example assumes that you have already set up a JDBC data source, and created and mapped an account class named Employees.
Follow these steps:
  1. Click the Classes node.
    The Mapped Classes dialog appears.
  2. Click Add, then specify a name for your class, for example, Departments.
    Connector Xpress adds a node named Departments to the mapping tree.
  3. Click the Departments node in the mapping tree.
    The Map Class dialog appears.
  4. Specify a name and description for your class.
    Note:
    These fields are for descriptive purposes only.
  5. Select the schema and table you want to map, for example, HR and Departments.
  6. In the mapping tree, click the Attributes node.
    The Map Attributes dialog appears.
  7. In the Name column, map the account naming attribute to the objectname attribute.
  8. Click the Associations node under the Employees node.
    The Class Associations dialog appears.
  9. Create an indirect association with the Departments class.
    Connector Xpress adds a node named with Departments under the Associations node for the Employees class in the mapping tree.
  10. In the Mapping tree, click the with Departments node under the Associations node.
    The Indirect Association dialog appears.
  11. Specify the schema that contains the classes you want to map, for example, HR.
  12. In the Membership Table list, select the membership table, Membership.
    This table specifies the association mappings that identify the individual employees and departments that are related.
  13. In the Employees Attribute list, select the Employees class naming attribute.
  14. In the Membership Table Columns list, select AccountID and DeptID respectively.
    The result is the following:
    • Maps the Employees class naming attribute, employee_id, to the membership table column, AccountID. This defines the association between employees and departments.
    • Maps the Department class naming attribute, Department_id, to the membership table column, DeptId. This defines the association between departments and employees.
    Note:
    Connector Xpress selects the naming class attributes by default in the Employees and Departments Attributes list.
  15. In the Employees Attribute and Departments Attributes fields, type member and memberof respectively.
    Note: In this example, because the Employees and Departments classes do not have a memberOf or member attribute, create virtual member and memberOf attributes.
    The virtual attributes you create describe the association between the Employees class and the Departments class.
    These virtual attributes are a virtual representation of the association between the employee class and department class naming attributes and the membership table columns you mapped in step 11. The connector uses these virtual attributes to find the employees in a department, and the departments an employee belongs to.
    Connector Xpress automatically does the following:
    • Creates a memberof and member node under the Attributes node under the Employees and Departments class nodes in the mapping tree.
    • Makes the attribute multivalued and selects the multivalued check box by default on the Provisioning Details dialog.
    • Creates the indirect association and displays it under the Associations node under the Departments node.
    • Creates the association between the Employees and Departments class from the Departments class point of view, under the Employees node. Attributes viewed from the Associations node under the Employees class therefore appear reversed.
  16. Click Project, Save.
    Connector Xpress creates the indirect association between the Employees and Departments class you have mapped.
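The membership-table model from the Indirect Associations section and the Indirect Association Example above, as an added illustration that is not Connector Xpress code: the HR schema, the Account_Id and Dept_id columns, and the rows are constructed in an in-memory SQLite database to mirror the page's example. The department's members and the employee's memberOf are both derived from the same membership rows, and the constraints on that table reject duplicate or dangling associations.

```python
"""Indirect association through a membership table (JDBC-style endpoint).
Constructed HR schema and rows; not Connector Xpress code."""
import sqlite3


def open_hr_db():
    """Create the three tables in memory. Neither Employees nor Departments
    carries a reference to the other; the Membership table is the independent
    entity that holds the many-to-many association."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce the references below
    con.executescript("""
        CREATE TABLE Employees   (employee_id   TEXT PRIMARY KEY, last_name TEXT);
        CREATE TABLE Departments (Department_id TEXT PRIMARY KEY, name      TEXT);
        CREATE TABLE Membership (
            Account_Id TEXT NOT NULL REFERENCES Employees(employee_id),
            Dept_id    TEXT NOT NULL REFERENCES Departments(Department_id),
            PRIMARY KEY (Account_Id, Dept_id)   -- one row per association
        );
        INSERT INTO Employees   VALUES ('e100','Ames'), ('e101','Barker'), ('e102','Cole');
        INSERT INTO Departments VALUES ('d10','Finance'), ('d20','Audit');
        INSERT INTO Membership  VALUES ('e100','d10'), ('e101','d10'), ('e101','d20');
    """)
    return con


def members(con, dept_id):
    """Virtual 'members' attribute of a department: the Account IDs whose
    membership rows point at this department."""
    rows = con.execute(
        "SELECT Account_Id FROM Membership WHERE Dept_id = ? ORDER BY Account_Id",
        (dept_id,))
    return [r[0] for r in rows]


def member_of(con, employee_id):
    """Virtual 'memberOf' attribute of an employee: the same rows read from
    the other side, which is why an indirect association is bi-directional
    by definition."""
    rows = con.execute(
        "SELECT Dept_id FROM Membership WHERE Account_Id = ? ORDER BY Dept_id",
        (employee_id,))
    return [r[0] for r in rows]


def add_membership(con, employee_id, dept_id):
    """Provision one association. Returns False instead of raising when the
    row is a duplicate or references an employee or department that does
    not exist; the transaction is rolled back in that case."""
    try:
        with con:
            con.execute("INSERT INTO Membership VALUES (?, ?)",
                        (employee_id, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def remove_membership(con, employee_id, dept_id):
    """Deprovision one association; True only if a row was actually deleted."""
    with con:
        cur = con.execute(
            "DELETE FROM Membership WHERE Account_Id = ? AND Dept_id = ?",
            (employee_id, dept_id))
    return cur.rowcount == 1
```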
Container Classes
Specifying a container class is similar to mapping an ordinary class except that the only attribute that you can map is Container Name.
Additionally, you can specify the classes that are the children of this container ("Contained Classes"). For example, the container Employee Groups can only allow Staff Group and Executive Group classes and not individual account classes.
For each virtual container class, provide a default value for the Container Name attribute. The Account Container class has a default value of "Accounts".
If no default value for the Container Name is provided, the IM Provisioning Manager application does not recognize the container class properly and will not be able to search for available objects in that container when defining associations.
Input Validation
Connector Xpress validates the entries you make in the fields on the following dialogs:
  • Endpoint Type
  • Map Class
  • Provisioning Attributes
  • Defined Associations
  • Indirect Associations
Connector Xpress displays a warning icon next to any field that has invalid input, and a warning icon next to the corresponding node in the mapping tree. Connector Xpress displays details of the violation when you mouse-over the warning icon. The warning icon disappears after you correct your input and click another node in the mapping tree.