Managing User Facets

User facets are special representations of users, so we recommend reading the section "Managing Users" to become familiar with the user management tasks that also apply to user facets.

User facets have the following basic features:

  • User facets can have privileges assigned to them (roles, permissions, groups) that are maintained by the same processes as for users.

  • The privilege resolution process does not apply to user facets. User facets do not have accounts and group assignments.

  • Privileges assigned to a user facet are inherited by the user.

  • User facets have the same states as users, but their life-cycle is controlled by the related user’s life-cycle.

User facets have the following limitations:

  • There is no support for parameterized roles.

  • There is no SOD checking.

  • There is no support for user facet - user switching.

  • There is no rule for creating a user facet from an account.

A user facet is a special kind of DirX Identity user and thus generally functions in the same way as a DirX Identity user. This chapter highlights the differences between a user facet and a DirX Identity user and describes the features that apply only to a user facet. The following sections describe special aspects of user facet management, including:

  • Where to locate user facets in the user tree

  • How to view, add and delete user facet entries and change their attributes

  • How to work with user facet states

  • How to work with links at user facet entries

  • How to work with user facet inheritance

  • How to maintain user facets with DirX Identity workflows

For all other aspects of a user facet, the information about DirX Identity users given in "Managing Users" (and elsewhere in the DirX Identity documentation) applies.

Locating User Facets

User facet objects reside under the cn=Users subtree, where they are mixed with user objects and functional users that also populate this subtree. Although you are allowed to locate a user facet object anywhere in the cn=Users subtree, we recommend locating a user facet object in the same folder as its corresponding user object, because it is tightly linked to its related user and cannot exist without it.

Working with User Facets

Working with user facets consists of the following tasks:

  • Viewing user facet properties

  • Adding user facets to the Identity Store

  • Deleting user facets from the Identity Store

  • Changing the attributes of existing user facets

When DirX Identity masters the user facet data, you use DirX Identity Manager to perform these tasks by hand.

Viewing User Facets with DirX Identity Manager

When you log into DirX Identity Manager and then select Users from the view bar, DirX Identity Manager displays a hierarchical tree of the users, user facets and functional users that you are allowed to manage in the left-hand pane.

Users, user facets, personas and functional users are distinguished in the user tree by their different icons, as shown in the following figure:

Figure 1. Functional User, Persona, User and User Facet Icons

To view the properties of a user facet, click its entry in the tree. It is displayed in the same tabs as a user.

If a user facet is not in the ENABLED state, its current status is displayed in brackets at its entry. Note that user facets have the same states as users. For more information about user states, see the section "User States" in the section "Managing States" in the chapter "Managing Provisioning" and the section "Working with User Facet States".

Adding User Facets with DirX Identity Manager

To add a new user facet with DirX Identity Manager:

  1. Click a user folder in the Users subtree or click the top-level Users folder. When adding a user facet, we recommend adding it to the folder that contains the user to which the user facet belongs.

  2. Select New -> User facet in the context menu. The General tab is displayed for editing, and the mandatory attributes for a user (the user’s common name (cn) and surname (sn)) are displayed in red.

  3. Click the Relationships tab and then select the user facet’s owner (this is the user that is connected with the user facet).

You can also use Web Center to create a user facet. In Web Center, user facet creation is performed by a request workflow with an activity that uses the related user as a template for creating the user facet. You can configure the attributes to be copied from the owner and the location at which to create the user facet. See the section "Using the Users Menu" in the chapter "Using DirX Identity Web Center" in the DirX Identity User Interfaces Guide for details.

Specifying a User Facet Lifetime

When you add a new user facet, you can specify a user facet lifetime: a start and end date. Define the start and end dates for the user facet as you would for users. However, remember that the user facet’s life-cycle is related to the user’s life-cycle, so that:

  • Disabling the user facet’s owner also disables the user facet, unless it is in state TBDEL.

  • If the user’s state changes to TBDEL, all of the user’s related user facets also change their states to TBDEL and their delete dates are set.

  • If you delete a user facet, it does not affect the user’s state.

Working with User Facet Templates

Working with user facet templates is not recommended.

Deleting User Facets with DirX Identity Manager

To delete a user facet, click it and then select Delete from the menu bar or context menu. The delete process for user facets is the same as for users. See the section "Deleting Users with DirX Identity Manager" for details.

Changing User Facet Attributes with DirX Identity Manager

You change a user facet’s attributes as you would a user’s attributes, using the same available tabs. See the section "Changing User Attributes with DirX Identity Manager" for details.

A set of user facet attributes is mastered from its owner, the related user. You can’t edit these attributes at the user facet, but they are automatically updated to the user’s values when the user facet is saved. If an attribute that is mastered to the user facet is changed during a user edit or if a state change occurs, the related user facets are updated with the new values.

Working with User Facet States

The DirX Identity Provisioning system recognizes the same states for user facets as for users. For detailed information about user facet states, see the section "Managing States" in the chapter "Managing Provisioning".

You can link user facet entries to the same objects as user entries. See the section "Working with Links at User Entries" in the chapter "Managing Users" for details.

The owner link is of special importance for a user facet: it contains the reference to its related user.

Working with User Facet Inheritance

Privileges assigned to a user facet are inherited by the user. These privilege assignments are marked with the notation UF in Web Center and DirX Identity Manager. If the user is disabled, the privilege assignments inherited from its user facets remain. Only its associated accounts are disabled.

User facet inheritance only applies to user facets in the ENABLED state, and only those privilege assignments in the ENABLED state are inherited by the user. Disabling a user facet revokes the privilege assignments unless the user is also disabled.

Creating a user facet with a startDate in the future results in the state NEW. No privilege inheritance takes place. When the startDate is reached and a maintenance workflow for this user facet runs, the user facet is ENABLED and its privileges are inherited by the user.

Privileges that needed to be approved during their assignment to the user facet do not need to be re-approved during user facet inheritance.

Permission match rules are applied to the user, not to the user facet. Attributes of the user facet do not influence evaluation of permission match rules.
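The following Python model is an added example, not DirX Identity code or its API. It traces the inheritance and life-cycle rules stated in this chapter so that an access reviewer can see which UF-marked privileges a user holds after each state change. The class and function names, the state name DISABLED, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Facet:
    state: str                     # NEW, ENABLED, DISABLED (assumed name) or TBDEL
    start: date
    assignments: dict              # privilege name -> assignment state

@dataclass
class User:
    state: str
    direct: set
    facets: list
    inherited: set = field(default_factory=set)   # shown with the UF marker

def resolve(user):
    """Recompute inherited privileges; nothing is revoked while the owner is disabled."""
    if user.state != "DISABLED":
        user.inherited = {p for f in user.facets if f.state == "ENABLED"
                          for p, s in f.assignments.items() if s == "ENABLED"}
    return user.inherited

def run_maintenance(user, today):
    """Model of a facet maintenance run: NEW facets whose start date is reached become ENABLED."""
    for f in user.facets:
        if f.state == "NEW" and f.start <= today:
            f.state = "ENABLED"
    return resolve(user)

def set_user_state(user, state):
    """Owner state change: DISABLED and TBDEL cascade to facets; TBDEL facets stay TBDEL."""
    user.state = state
    for f in user.facets:
        if state == "TBDEL" or (state == "DISABLED" and f.state != "TBDEL"):
            f.state = state
    return resolve(user)

def disable_facet(user, facet):
    """Disabling only the facet revokes what the owner inherited from it."""
    facet.state = "DISABLED"
    return resolve(user)

def access_review(user):
    """Effective privileges with their origin, as a reviewer would list them."""
    return {**{p: "UF" for p in user.inherited}, **{p: "direct" for p in user.direct}}

# Constructed sample data (names and dates are illustrative only)
contractor = Facet("ENABLED", date(2024, 1, 1), {"build-admin": "ENABLED", "db-read": "DISABLED"})
auditor = Facet("NEW", date(2024, 6, 1), {"audit-view": "ENABLED"})
alice = User("ENABLED", {"vpn"}, [contractor, auditor])
```

The case worth noting in a review is the disabled owner: the inherited assignments stay on the user record and only the accounts are disabled, so the entitlement list of a disabled user is not empty.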

Maintaining User Facets with DirX Identity Workflows

New DirX Identity maintenance workflows for user facets need to be created and configured. For details, see the DirX Identity Use Case Document "Configuring the Maintenance Workflows for User Facets".