Identity - Objects


This section describes some technical issues related to the Identity Manager.

The Identity Manager manages identity information of different entities (users and groups). It must be able to integrate with different persistence systems, ranging from LDAP to databases. Each of these systems speaks a language of their own. And so does the framework. Since the Identity Manager primary job is to communicate with the framework it uses DiF's own language. That is, it speaks IDIFUsers and IDIFGroups.

The different Identity Manager implementations must act as bridges between the framework's and the underlying system entities. As such, they must have conversion mechanisms from and to IDIFUsers and IDIFGroups. These data types are described below.


From the framework's point of view, an user is more than just a mere set of identity attributes. There are the the typical identity attributes but there are also management, organizational and additional attributes. These categories are described below.

Identity attributes

The typical attributes that describe an "human" user, such as:

  • Full name
  • User name
  • Password
  • E-mail
  • Nickname

Management attributes

These encompass information on the user activity status or permissions to perform some management operations on the user. The Java attributes that match these higher-level attributes are:

  • enabled - marks an user as active and as such eligible to be used on identity checks.
  • default - marks an user as "belonging to the system". That is, such a user must not be deleted from the system, only rendered inactive.

Organizational attributes

An user is not an isolated entity. Typically it shares some properties with other users. It also has an expected behavior in a given environment, such as a set of rights and obligations. These common properties among users might be used to combine users in groups.

An user can belong to one or more groups. An user MUST always belong to at least one group. This group has a special name on DiF's domain: the profile. The profile should be faced as the user's main group on a given environment. That is, the profile describes the user's more relevant behavior to the system.

Organizational attributes describe the user's interaction with the system and are the following two:

  • profile
  • the groups that the user belongs to

Additional attributes

There are a final type of attributes that extend the user, providing it the ability of being used for more than just an identity entity. These attributes, named additional (since they extend the user), also make the user more flexible. With it, the user can accommodate relevant information to other domains besides identity management.

These attributes are:

  • parameters - stores parameters related to the user. The URL parameters with user-scope are stored here. See also @Parameter and @Persist.
  • attributes - stores other attributes that might be relevant to the business but that might not justify to extend the class. As an example, one can think of a small online bookstore that uses theses extra attributes to collect client data as the shipping address and billing information (credit card or bank account numbers).

The parameters are stored on the identity manager since they're values must be persisted between calls to be readily available for the user. On the other hand, the attributes might or might not be stored on the identity manager. For example, the identity manager RAM-based implementation offers no data persistence, as such the attributes are managed only locally. The LDAP-based identity manager implementation offers persistence, as such the attribute values ares stored on the LDAP server as well as on the IDIFUser object.


As it was stated on the previous section groups are sets of users with similar rights or obligations. Groups share the same attribute types with users except the additional attributes, which are not present on the groups. Albeit this similarity, the attributes in each type are distinct from the ones in the user. Here's the list:

Identity attributes

These attribute identify and describe the group.

  • ID
  • Name
  • Description

Management attributes

The management attributes are in fact just one: the default. It's meaning is exactly the same as it was described on the user management attributes sub-section.

Organizational attributes

A group might have one ancestor - that's a parent group. A parent group can be shared be different groups and also encompasses a set of rights and obligations common to several groups or it describes an expected group behavior on the environment. This define a "belongs-to" relation between groups. As stated before, groups are sets of similar users. As such there will also exist groupUsers.

More in depth...

Check the following resources to learn more on the above:

Back to the identity manager page