Create and modify object types
If the managed object types provided in the default configuration are not sufficient for your deployment, you can create new managed object types. The easiest way to create a new managed object type is to use the admin UI, as follows:
-
Select Configure > Managed Objects > New Managed Object.
-
On the New Managed Object page, enter a name and readable title for the object, make optional changes, as necessary, and click Save. The readable title specifies what the object will be called in the UI.
-
On the Properties tab, specify the schema for the object type (the properties that make up the object).
-
On the Scripts tab, specify any scripts that will be applied on events associated with that object type. For example, scripts that will be run when an object of that type is created, updated, or deleted.
You can also create a new managed object type by editing your managed object configuration.
Example: Phone object created using the admin UI
{
"name": "Phone",
"schema": {
"$schema": "http://forgerock.org/json-schema#",
"type": "object",
"properties": {
"brand": {
"description": "The supplier of the mobile phone",
"title": "Brand",
"viewable": true,
"searchable": true,
"userEditable": false,
"policies": [],
"returnByDefault": false,
"pattern": "",
"isVirtual": false,
"type": [
"string",
"null"
]
},
"assetNumber": {
"description": "The asset tag number of the mobile device",
"title": "Asset Number",
"viewable": true,
"searchable": true,
"userEditable": false,
"policies": [],
"returnByDefault": false,
"pattern": "",
"isVirtual": false,
"type": "string"
},
"model": {
"description": "The model number of the mobile device, such as 6 plus, Galaxy S4",
"title": "Model",
"viewable": true,
"searchable": false,
"userEditable": false,
"policies": [],
"returnByDefault": false,
"pattern": "",
"isVirtual": false,
"type": "string"
}
},
"required": [],
"order": [
"brand",
"assetNumber",
"model"
]
}
}Every managed object type has a name and a schema that describes the properties associated with that object. The name can only include the characters a-z, A-Z, 0-9, and _ (underscore). You can add any arbitrary properties to the schema.
|
Avoid using the dash character in property names (like |
A property definition typically includes the following fields:
title-
The name of the property, in human-readable language, used to display the property in the UI.
description-
A brief description of the property.
viewable-
Specifies whether this property is viewable in the object’s profile in the UI. Boolean,
trueorfalse(trueby default). searchable-
Specifies whether this property can be searched in the UI. A searchable property is visible within the Managed Object data grid in the End User UI.
For a property to be searchable in the UI, it must be indexed in the repository configuration. For information on indexing properties in a repository, see Object mappings.
Boolean,
trueorfalse(falseby default). userEditable-
Specifies whether users can edit the property value in the UI. This property applies in the context of the End User UI, where users are able to edit certain properties of their own accounts. Boolean,
trueorfalse(falseby default). isProtected-
Specifies whether reauthentication is required if the value of this property changes.
For certain properties, such as passwords, changing the value of the property should force an end user to reauthenticate. These properties are referred to as protected properties. Depending on how the user authenticates (which authentication module is used), the list of protected properties is added to the user’s security context. For example, if a user logs in with the login and password of their managed user entry (
MANAGED_USERauthentication module), their security context will include this list of protected properties. The list of protected properties is not included in the security context if the user logs in with a module that does not support reauthentication (such as through a social identity provider). pattern-
Any specific pattern to which the value of the property must adhere. For example, a property whose value is a date might require a specific date format.
policies-
Any policy validation that must be applied to the property. For more information on managed object policies, see Default policy for managed objects.
required-
Specifies whether the property must be supplied when an object of this type is created. Boolean,
trueorfalse.The requiredpolicy is assessed only during object creation, not when an object is updated. You can effectively bypass the policy by updating the object and supplying an empty value for that property. To prevent this inconsistency, set bothrequiredandnotEmptytotruefor required properties. This configuration indicates that the property must exist, and must have a value. type-
The data type for the property value; can be
string,array,boolean,integer,number,object,Resource Collection, ornull.If any user might not have a value for a specific property (such as a
telephoneNumber), you must includenullas one of the property types. You can set a null property type in the admin UI (Configure > Managed Objects > User, select the property, and under the Details tab, Advanced Options, setNullabletotrue).You can also set a null property type in your managed object configuration by setting
"type" : '[ "string","null" ]'for that property (wherestringcan be any other valid property type. This information is validated by the policy service, as described in Validate Managed Object Data Types.If you’re configuring a data
typeofarraythrough the admin UI, you’re limited to two values. isVirtual-
Specifies whether the property takes a static value, or whether its value is calculated "on the fly" as the result of a script. Boolean,
trueorfalse. returnByDefault-
For non-core attributes (virtual attributes and relationship fields), specifies whether the property will be returned in the results of a query on an object of this type if it is not explicitly requested. Virtual attributes and relationship fields are not returned by default. Boolean,
trueorfalse. When the property is in an array within a relationship, always set tofalse. relationshipGrantTemporalConstraintsEnforced-
For attributes with relationship fields. Specifies whether this relationship should have temporal constraints enforced. Boolean,
trueorfalse. For more information about temporal constraints, see Use Temporal Constraints to Restrict Effective Roles. default-
Specifies a default value if the object is created without passing a value. Default values are available for the following data types, and arrays of those types:
-
boolean
-
number
-
object
-
string
IDM assumes all default values are valid for the schema. -
Default values
You can specify default values in the managed object configuration. If you omit a default value when creating an object, the default value is automatically applied to the object. You can have default values for the following data types, and arrays of those types:
-
boolean
-
number
-
object
-
string
For example, the default managed object configuration includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result. The following excerpt from the managed object configuration displays the default value for accountStatus:
"accountStatus" : {
"title" : "Status",
"description" : "Status",
"viewable" : true,
"type" : "string",
"searchable" : true,
"userEditable" : false,
"usageDescription" : "",
"isPersonal" : false,
"policies" : [
{
"policyId": "regexpMatches",
"params": {
"regexp": "^(active|inactive)$"
}
}
],
"default" : "active"
}|
IDM assumes all default values are valid for the schema. Although IDM skips policy validation for objects with default values, you can force validation on property values. |