This section describes some technical issues related to the Identity Manager.
The Identity Manager manages identity information of different entities (users and groups). It must be able to integrate with different persistence systems, ranging from LDAP to databases. Each of these systems speaks a language of their own. And so does the framework. Since the Identity Manager primary job is to communicate with the framework it uses DiF's own language. That is, it speaks IDIFUsers and IDIFGroups.
The different Identity Manager implementations must act as bridges between the framework's and the underlying system entities. As such, they must have conversion mechanisms from and to IDIFUsers and IDIFGroups. These data types are described below.
From the framework's point of view, an user is more than just a mere set of identity attributes. There are the the typical identity attributes but there are also management, organizational and additional attributes. These categories are described below.
The typical attributes that describe an "human" user, such as:
These encompass information on the user activity status or permissions to perform some management operations on the user. The Java attributes that match these higher-level attributes are:
An user is not an isolated entity. Typically it shares some properties with other users. It also has an expected behavior in a given environment, such as a set of rights and obligations. These common properties among users might be used to combine users in groups.
An user can belong to one or more groups. An user MUST always belong to at least one group. This group has a special name on DiF's domain: the profile. The profile should be faced as the user's main group on a given environment. That is, the profile describes the user's more relevant behavior to the system.
Organizational attributes describe the user's interaction with the system and are the following two:
There are a final type of attributes that extend the user, providing it the ability of being used for more than just an identity entity. These attributes, named additional (since they extend the user), also make the user more flexible. With it, the user can accommodate relevant information to other domains besides identity management.
These attributes are:
The parameters are stored on the identity manager since they're values must be persisted between calls to be readily available for the user. On the other hand, the attributes might or might not be stored on the identity manager. For example, the identity manager RAM-based implementation offers no data persistence, as such the attributes are managed only locally. The LDAP-based identity manager implementation offers persistence, as such the attribute values ares stored on the LDAP server as well as on the IDIFUser object.
As it was stated on the previous section groups are sets of users with similar rights or obligations. Groups share the same attribute types with users except the additional attributes, which are not present on the groups. Albeit this similarity, the attributes in each type are distinct from the ones in the user. Here's the list:
These attribute identify and describe the group.
The management attributes are in fact just one: the default. It's meaning is exactly the same as it was described on the user management attributes sub-section.
A group might have one ancestor - that's a parent group. A parent group can be shared be different groups and also encompasses a set of rights and obligations common to several groups or it describes an expected group behavior on the environment. This define a "belongs-to" relation between groups. As stated before, groups are sets of similar users. As such there will also exist groupUsers.
Check the following resources to learn more on the above: