API Exported Enumerations

SmApi.h includes the following enumerations used by the Directory API:
  • Sm_DirApi_Capability_t (directory capabilities)
  • Sm_PolicyResolution_t (policy resolutions)
Directory Capabilities
Sm_DirApi_Capability_t enumerates the capabilities that can be configured for a custom directory.
The following table lists the directory capabilities enumerated in Sm_DirApi_Capability_t. Descriptions of each capability follow the table.
Name                                          Value
Sm_DirApi_Capability_ForceResetUserPassword   0x00000001
Sm_DirApi_Capability_ChangeUserPassword       0x00000002
Sm_DirApi_Capability_DisableUser              0x00000004
Sm_DirApi_Capability_SetUserAttributes        0x00000008
Sm_DirApi_Capability_Recursive                0x00000010

For a custom directory to have a specific capability, you must define the required user attributes for that capability. For example, to enable CA Single Sign-On to change a user’s password, you need to identify a Password Attribute. CA Single Sign-On then uses that attribute to get and set the user password.
  • Sm_DirApi_Capability_ForceResetUserPassword. The custom directory is capable of forcing user password reset.
    To enable CA Single Sign-On to force a reset of the password, define the following user attributes:
    • Password attribute. An attribute that CA Single Sign-On can use to get and set the user password. In the CA Single Sign-On Administrative UI, enter that attribute name in the Password Attribute field on the User Attributes tab on the User Directory Dialog box. In the sample, the attribute name is password.
    • Disabled Flag. An attribute that CA Single Sign-On can use to get and set the disabled state of a user. In the CA Single Sign-On Administrative UI, enter that attribute name in the Disabled Flag field on the User Attributes tab on the User Directory Dialog box. In the sample, the attribute name is Disabled.
    When users are forced to change their passwords, the Policy Server calls SmDirSetUserDisabledState(). In the sample code, the user’s Disabled Flag is set to Sm_Api_Disabled_PWMustChange (the disabled reason).
  • Sm_DirApi_Capability_ChangeUserPassword. The custom directory is capable of changing the user password. To change the password, you need to identify a Password Attribute, which is an attribute that CA Single Sign-On can use to get and set the user password. In the CA Single Sign-On Administrative UI, enter that attribute name in the Password Attribute field on the User Attributes tab on the User Directory Dialog box.
    The CA Single Sign-On Policy Server calls SmDirChangeUserPassword() so that you can change the value in the password field for an entry in your custom directory.
  • Sm_DirApi_Capability_DisableUser. The custom directory is capable of disabling a user account. To disable a user, you need to identify a Disabled Flag, which is an attribute that CA Single Sign-On can use to get and set the disabled state of a user. In the CA Single Sign-On Administrative UI, enter that attribute name in the Disabled Flag field on the User Attributes tab on the User Directory Dialog box.
    When an administrator uses the CA Single Sign-On Administrative UI to disable or enable a user account, or when Password Services disables a user account, the CA Single Sign-On Policy Server calls SmDirSetUserDisabledState().
    In CA Single Sign-On, user accounts can be disabled for a number of reasons, and these reasons are represented by the members of the data structure Sm_Api_DisabledReason_t.
  • Sm_DirApi_Capability_SetUserAttributes. CA Single Sign-On can set user attributes in the custom directory.
    The CA Single Sign-On Policy Server calls SmDirSetUserAttr() so that you can use CA Single Sign-On to set a user attribute in your custom directory.
  • Sm_DirApi_Capability_Recursive. The custom directory is capable of supporting recursion. For example, the custom directory may support nested groups.
    The following functions in the Directory API have a parameter to hold a recursive flag:
    • SmDirGetUserGroups()
    • SmDirValidateUserPolicyRelationship()
To send information about the directory capabilities to the CA Single Sign-On Policy Server, implement the function SmDirQueryVersion(). Use the capabilities parameter (pnCapabilities) to pass one or more values enumerated in Sm_DirApi_Capability_t. CA Single Sign-On then checks for those capabilities.
For example, if a user attempts to change a password, the CA Single Sign-On Policy Server calls SmDirQueryVersion() to check for the capability Sm_DirApi_Capability_ChangeUserPassword. If the custom directory does not have that capability, the user receives an error message.
An example of setting the directory capabilities is shown in the sample code. First, initialize *pnCapabilities to zero, then set *pnCapabilities as follows:
*pnCapabilities =
   *pnCapabilities | Sm_DirApi_Capability_<supported_capability>;
For example:
*pnCapabilities =
   *pnCapabilities | Sm_DirApi_Capability_ChangeUserPassword;
*pnCapabilities =
   *pnCapabilities | Sm_DirApi_Capability_DisableUser;
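The following C program is an added example, not code from SmApi.h or the product sample. It derives the capability mask from which user attributes are configured, so a provider advertises only the capabilities it can back. The ex_ functions and the ex_dir_config struct are hypothetical, the attrs_writable and nested_groups switches are assumptions, and the enum values are copied from the capability table on this page.

```c
#include <stdio.h>

/* Values copied from the capability table on this page; a real provider
   takes them from SmApi.h instead of redefining them. */
enum {
    Sm_DirApi_Capability_ForceResetUserPassword = 0x00000001,
    Sm_DirApi_Capability_ChangeUserPassword     = 0x00000002,
    Sm_DirApi_Capability_DisableUser            = 0x00000004,
    Sm_DirApi_Capability_SetUserAttributes      = 0x00000008,
    Sm_DirApi_Capability_Recursive              = 0x00000010
};

/* Hypothetical provider settings (not an SDK type). NULL or "" = unset. */
typedef struct {
    const char *password_attr;      /* Password Attribute field */
    const char *disabled_flag_attr; /* Disabled Flag field */
    int attrs_writable;             /* provider can write user attributes */
    int nested_groups;              /* directory supports nested groups */
} ex_dir_config;

static int ex_is_set(const char *s) { return s != NULL && s[0] != '\0'; }

/* Start from zero and OR in only what the configuration can back. */
int ex_build_capabilities(const ex_dir_config *cfg, int *pnCapabilities)
{
    if (cfg == NULL || pnCapabilities == NULL) return -1;
    int pw = ex_is_set(cfg->password_attr);
    int df = ex_is_set(cfg->disabled_flag_attr);
    *pnCapabilities = 0;
    if (pw)       *pnCapabilities |= Sm_DirApi_Capability_ChangeUserPassword;
    if (df)       *pnCapabilities |= Sm_DirApi_Capability_DisableUser;
    /* Forced reset needs both the password attribute and the disabled flag. */
    if (pw && df) *pnCapabilities |= Sm_DirApi_Capability_ForceResetUserPassword;
    if (cfg->attrs_writable) *pnCapabilities |= Sm_DirApi_Capability_SetUserAttributes;
    if (cfg->nested_groups)  *pnCapabilities |= Sm_DirApi_Capability_Recursive;
    return 0;
}

/* True only when every bit of cap is present in caps. */
int ex_has_capability(int caps, int cap) { return (caps & cap) == cap; }

int main(void)
{
    ex_dir_config cfg = { "password", "", 0, 1 }; /* constructed sample */
    int caps = 0;
    if (ex_build_capabilities(&cfg, &caps) != 0) return 1;
    printf("capabilities = 0x%08x, force reset: %s\n", (unsigned)caps,
           ex_has_capability(caps, Sm_DirApi_Capability_ForceResetUserPassword)
               ? "yes" : "no");
    return 0;
}
```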
Ensure that no other application changes data in fields intended for use by CA Single Sign-On. For example, no other application should change data in the field that holds the disabled state of a CA Single Sign-On user.
Policy Resolutions
Sm_PolicyResolution_t, defined in SmApi.h, enumerates the values that describe the relationship between two policy objects. The following Directory API functions use Sm_PolicyResolution_t:
  • SmDirAddEntry()
  • SmDirGetDirObjInfo()
  • SmDirRemoveEntry()
  • SmDirValidateUserPolicyRelationship()