Calculate properties based off other properties
Properties can be derived from other properties within an object. This lets computed and composite values be created in the object. These derived properties are called virtual properties, and their value can be calculated in two ways:
-
Using a script called by the
onRetrievescript hook. This script calculates the current value of the virtual property based on the related properties.For example, you may want to dynamically update a property that you use for a country code (for phone number purposes). When a user’s record is retrieved, the country code is dynamically calculated based off of the
countryproperty of the user’s record. -
Using a query to identify the relationship fields to traverse to reach the managed objects whose state is included in the virtual property, and the fields in these managed objects to include in the value of the virtual property.
These properties are called relationship-derived virtual properties.
The default Advanced Identity Cloud schema defines several user properties as relationships. For information on how to define custom relationships, refer to Manage custom relationship properties.
For more information on extending attributes of the user object, refer to Customize user identities.
Derive virtual properties using`onRetrieve` scripts
The onRetrieve script hook lets you run a script when the object is retrieved. In the case of virtual properties, this script gets the data from related properties and uses it to calculate a value for the virtual property. For more information about running scripts on managed objects, refer to Extend functionality through scripts.
Relationship-derived virtual properties
Virtual properties can be calculated by IDM based on relationships and relationship notifications. This means that, rather than calculating the current state when retrieved, the managed object that contains the virtual property is notified of changes in a related object, and the virtual property is recalculated when this notification is received. To configure virtual properties to use relationship notifications, there are two areas that need to be configured:
-
The related managed objects must be configured to use relationship notifications. This lets IDM know where to send notifications of changes in related objects.
-
To calculate the value of a virtual property, you must configure which relationships to check, and in which order, a notification of a change in a related object is received. You configure this using the
queryConfigproperty.
The queryConfig property tells IDM the sequence of relationship fields it should traverse in order to calculate (or recalculate) a virtual property, and which fields it should return from that related object. This is done using the following fields:
-
referencedRelationshipFieldsis an array listing a sequence of relationship fields connecting the current object with the related objects you want to calculate the value of the virtual property from. The first field in the array is a relationship field belonging to the same managed object as the virtual property. The second field is a relationship in the managed object referenced by the first field, and so on.Example
For example, the
referencedRelationshipFieldsforeffectiveAssignmentsis["roles","assignments"]. The first field refers to therolesrelationship field inmanaged/realm-name_user, which references themanaged/realm-name_roleobject. It then refers to theassignmentsrelationship inmanaged/realm-name_role, which references themanaged/realm-name_assignmentobject. Changes to either related object (managed/realm-name_roleormanaged/realm-name_assignment) will cause the virtual property value to be recalculated, due to thenotify,notifySelf, andnotifyRelationshipsconfigurations on managed user, role, and assignment. These configurations ensure that any changes in the relationships between a user and their roles, or their roles, and their assignments, as well as any relevant changes to the roles or assignments themselves, such as the modification of temporal constraints on roles, or attributes on assignments, will be propagated to connected users, so theireffectiveRolesandeffectiveAssignmentscan be recalculated and potentially synced.-
referencedObjectFieldsis an array of object fields that should be returned as part of the virtual property. If this property is not included, the returned properties will be a reference for the related object. To return the entire related object, use*. -
flattenPropertiesis a boolean that specifies whether relationship-derived virtual properties should be returned as plain fields rather than as JSON objects with an_idand a_rev. This property isfalseby default.With
flattenPropertiesset tofalse, andreferencedObjectFieldsset toname, the response to a query on a user’seffectiveAssignmentsmight look something like this:"effectiveAssignments": [ { "name": "MyFirstAssignment", "_id": "02b166cc-d7ed-46b7-813f-5ed103145e76", "_rev": "2" }, { "name": "MySecondAssignment", "_id": "7162ddd4-591a-413e-a30b-3a5864bee5ec", "_rev": "0" } ]With
flattenPropertiesset totrue, andreferencedObjectFieldsset toname, the response to the same query looks like this:"effectiveAssignments": [ "MyFirstAssignment", "MySecondAssignment" ]Setting
flattenPropertiestotruealso lets singleton relationship-derived virtual properties be initialized tonull.
-
Using queryConfig, the virtual property is recalculated when it receives a notice that changes occurred in the related objects. This can be significantly more efficient than recalculating whenever an object is retrieved, while still ensuring the state of the virtual property is correct.
|
When you change which fields to return using |