Customizing the Provisioning Tree View

This chapter describes how to customize DirX Identity’s Provisioning tree view. It describes how to:

  • Structure the DirX Identity Provisioning tree into a hierarchy

  • Change the display name of entries in the tree view

Changing the Provisioning Object Tree

To make it easier to manage a large number of users, roles or permissions, you can build a hierarchical structure into the DirX Identity Provisioning tree by creating new folders.

If you use DirX Identity’s user integrator workflow to import users from a corporate directory into DirX Identity, the tree structure will be copied. As a result, the DirX Identity store will follow the corporate directory’s hierarchical structure.

The DirX Identity default schema in the user subtree allows you to create objects with the following LDAP classes and according to the following structure:

organization
     organizationalUnit (recursively)
     locality
          organizationalUnit (recursively)
          organizationalPerson (or inetOrgPerson)
     organizationalPerson (or inetOrgPerson)
organizationalUnit
     organizationalUnit (recursively)
     organizationalPerson (or inetOrgPerson)
domain
     domain (recursively)
     organization
     organizationalUnit (recursively)
     organizationalPerson (or inetOrgPerson)
country
     organization
     organizationalPerson (or inetOrgPerson)

You can change this structure according to your needs, for example, to organize a large number of flat entries into subfolders, or to build a structure that reflects the administrative responsibilities of DirX Identity user administrators. You can then specify access control for these subfolders using the meta directory administration tools and thus build administrative areas.

You can use the same subfolder mechanism to structure the roles and permissions subtrees. Keep in mind, however, that roles and permissions are located in separate subtrees below the domain root: "cn=RoleCatalogue" and "cn=Permissions".

You cannot use the folder mechanism to structure the target systems subtree; the target system folders themselves structure the view. Target system accounts are flat below the Accounts folder. The DirX Identity tree does not reflect a hierarchical structure for target systems.

Structure rules similar to those used in LDAP or X.500 directories restrict the options for building hierarchical trees. DirX Identity uses the XML "parents" attribute to specify these restrictions in the object descriptions.
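A planned folder layout can be checked against these structure rules before any entries are created. The following JavaScript is an added example, not DirX Identity code and not the format of the "parents" attribute: it transcribes the default structure listed above into a parent-to-child table (assuming a rule applies to a class wherever it appears in the tree) and validates a constructed plan under a placeholder root DN.

```javascript
// Added example, not DirX Identity code. Parent class -> allowed child classes, from the
// default structure listed on this page (assumption: rules apply per class, tree-wide).
const PERSON = ["organizationalperson", "inetorgperson"];
const ALLOWED_CHILDREN = {
  organization: ["organizationalunit", "locality", ...PERSON],
  locality: ["organizationalunit", ...PERSON],
  organizationalunit: ["organizationalunit", ...PERSON],
  domain: ["domain", "organization", "organizationalunit", ...PERSON],
  country: ["organization", ...PERSON],
};
const TOP_LEVEL = ["organization", "organizationalunit", "domain", "country"];

// Return the DN without its first RDN, honouring backslash-escaped commas.
function parentDn(dn) {
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === "\\") { i++; continue; } // skip the escaped character
    if (dn[i] === ",") return dn.slice(i + 1).trim();
  }
  return null; // single RDN, no parent
}

// plan: [{dn, objectClass}] (hypothetical shape). Returns a list of violations.
function checkPlan(plan, rootDn) {
  const key = (dn) => dn.trim().toLowerCase(); // case-insensitive DN comparison
  const classByDn = new Map(plan.map((e) => [key(e.dn), e.objectClass.toLowerCase()]));
  const problems = [];
  for (const e of plan) {
    const cls = e.objectClass.toLowerCase();
    const parent = parentDn(e.dn);
    if (parent === null || key(parent) === key(rootDn)) {
      if (!TOP_LEVEL.includes(cls)) problems.push(`${e.dn}: ${cls} not allowed at top level`);
      continue;
    }
    const parentCls = classByDn.get(key(parent));
    if (parentCls === undefined) problems.push(`${e.dn}: parent missing from plan`);
    else if (!(ALLOWED_CHILDREN[parentCls] || []).includes(cls))
      problems.push(`${e.dn}: ${cls} not allowed under ${parentCls}`);
  }
  return problems;
}
// Constructed sample plan under a placeholder root DN.
const ROOT = "cn=Users,cn=Example";
const SAMPLE_PLAN = [
  { dn: "o=Sales," + ROOT, objectClass: "organization" },
  { dn: "l=Munich,o=Sales," + ROOT, objectClass: "locality" },
  { dn: "cn=Doe\\, Jane,l=Munich,o=Sales," + ROOT, objectClass: "inetOrgPerson" },
  { dn: "c=DE," + ROOT, objectClass: "country" },
  { dn: "l=Berlin,c=DE," + ROOT, objectClass: "locality" }, // listed only under organization
];
```

Calling checkPlan(SAMPLE_PLAN, ROOT) reports the one entry whose class is not listed under its parent, so the plan can be corrected before access control is assigned to the resulting subfolders.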

Changing the Display Name of Entries in the Tree View

You can change the display name of an entry in the DirX Identity Manager tree view. To display another attribute value, take the appropriate object description (e.g., user.xml from the Customer Extensions folder) and change the XML attribute displayattribute in the XML definition element. If this attribute is not specified, create it according to the following example fragment, which defines the cn attribute for display:

<object name="dxrUser">
<definition ...
   displayattribute="cn"
           ...
/>
...
</object>

To display a combination of attribute values, use a JavaScript script and define it in the object description as previously described. Enter the script definition near the end of the object description, independent of any property description. The following excerpt shows an example that causes Manager to display the surname and the given name of a user entry:

<script name="displayname"  return="title" >
<![CDATA[
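// Read the entry being displayed and its two name attributes.
obj=scriptContext.getObject();
gn=obj.getProperty("givenName");
sn=obj.getProperty("sn");
// Start with the surname; append ", givenName" only when one is set.
title=sn;

if (gn!=null && gn.length()>0)
    title=title+", "+gn;
// Concatenating with "" converts the result to a string.
title=title+"";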
]]>
</script>