NevisIDMSink
The NevisIDMSink is used to insert, update or delete data in the nevisIDM software. It makes use of the nevisIDM administration web service, which has to be provided in the form of a NevisIDMConnectionPool.
The NevisIDMSink can be used for user data and role assignment, credential, profile and unit data. Modification of all other nevisIDM entities is not available.
For every data object a query is issued to identify the object in nevisIDM. This identification is based on a list of search fields described in NevisIDMSource.
All string fields of the nevisIDM data objects can be used as data attributes. In addition, a few non-standard data attributes can be used for data manipulation. Those are summarized in the lists below.
Users are created with a default profile based on the policy of the client the user belongs to.
Configuration
Name | Type, usage constraints, defaults | Description |
---|---|---|
service | required: paraVal default: none type: NevisIDMConnectionPool | The NevisIDMConnectionPool providing access to the nevisIDM administration web service. |
operation | required: paraVal default: none type: operation type string | Determines the operation and the nevisIDM entity:<br>createUser: Create a user, ignore if it exists.<br>updateUser: Update a user, ignore if it does not exist.<br>createOrUpdateUser: Create a user, update if it exists.<br>deleteUser: Delete a user, ignore if it does not exist.<br>createCredential: Create a credential, ignore if it exists.<br>updateCredential: Update a credential, ignore if it does not exist.<br>createOrUpdateCredential: Create a credential, update if it exists.<br>deleteCredential: Delete a credential, ignore if it does not exist.<br>createUnit: Create a unit, ignore if it exists.<br>updateUnit: Update a unit, ignore if it does not exist.<br>createOrUpdateUnit: Create a unit, update if it exists.<br>deleteUnit: Delete a unit, ignore if it does not exist.<br>createProfile: Create a profile, ignore if it exists.<br>updateProfile: Update a profile, ignore if it does not exist.<br>createOrUpdateProfile: Create a profile, update if it exists.<br>deleteProfile: Delete a profile, ignore if it does not exist. |
searchFields | optional: paraList default: empty list type: string list | Defines which data attributes are used to identify an object in nevisIDM. |
detailLevels | optional: paraMap default: depends on the query type: string/string map | The detail levels can be used to override the defaults of the source to include or exclude information in the query. This information is only used when NevisIDMSink checks whether the current object has to be updated. The detail levels are described in detail in the nevisIDM reference guide. |
flags | optional: paraList default: empty list type: string list | A list of flags used to fine-tune the sink's behavior.<br>DATAROOM_STRICT: If set, all authorizations are removed and recreated on update. This flag has to be used if data room modifications on authorizations are required. In version 2.6.0.1 and higher, this flag is no longer required, but still included to ensure backward compatibility.<br>AUTH_VIA_ROLES: If set, all authorizations are updated based on role entries of the profiles instead of authorizations. It can be used for older versions of nevisIDM which did not include authorization
Query types
user
Normal data attributes | ||
---|---|---|
addressLine1 | extId | remarks |
addressLine2 | firstName | stateChangeDetail |
birthDate | houseNumber | stateChangeReasonCd |
birthDateFrom | isTechnicalUser | stateChangedDate |
birthDateTo | language | street |
city | loginId | telefax |
clientExtId | mobile | telephone |
clientIndependent | modificationComment | templateCollection |
clientName | name | title |
country | postOfficeBoxNumber | userState |
dwellingNumber | postOfficeBoxText | validFrom |
| | postalCode | validTo |
Special data attributes
prop_PropName: Property named "PropName".
credential: The value of the first credential.
credentialType: The type of the first credential.
credentialState: The state of the first credential.
profileName: The name of the first profile.
profileState: The state of the first profile.
unitExtId: The extId of the unit of the first profile.
authorizations: List of nevisIDM authorization objects.
profile
Normal data attributes
defaultProfile
deputedExtId
extId
modificationComment
name
userExtId
Special data attributes
prop_PropName: Property named "PropName".
credential
Normal data attributes | |
---|---|
autoTransitionDate | name |
autoTransitionDateHi | newValue |
autoTransitionDateLow | policyName |
ctlCreDat | stateChangeDetail |
ctlCreUid | stateChangeReasonCd |
ctlModDat | urlPrefix |
ctlModUid | validFrom |
extId | validTo |
modificationComment | value |
Special data attributes
prop_PropName: Property named "PropName".
saml_Prop: SAML Federation credential property named "Prop".
saml_subjectNameId
saml_issuerNameId
saml_userExtId
saml_subjectNameIdFormat
saml_issuerNameIdFormat
unit
Normal data attributes
description
displayAbbreviation
displayName
extId
location
modificationComment
name
parentExtId
policyName
profileless
Special data attributes
prop_PropName: Property named "PropName".
Example
Create a user:
<dataFilter type="ELMappingFilter">
<dp:attrVal name="loginId" value="#{in.user.uid}"/>
<dp:attrVal name="firstName" value="#{in.user.givenName}"/>
<dp:attrVal name="name" value="#{in.user.sn}"/>
<dp:attrVal name="email" value="#{in.user.mail}"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="createUser"/>
</dataSink>
Create or update a user with a credential:
<dataFilter type="ELMappingFilter">
<!-- standard attributes omitted -->
<dp:attrVal name="credential" value="#{in.user.uid}"/>
<dp:attrVal name="credentialType" value="kerberos"/>
<dp:attrVal name="credentialState" value="active"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="createOrUpdateUser"/>
<dp:paraList name="searchFields">
<value>clientExtId</value>
<value>extId</value>
</dp:paraList>
</dataSink>
Create or update a user in a unit:
<dataFilter type="ELMappingFilter">
<!-- standard attributes omitted -->
<dp:attrVal name="unitExtId" value="${cfg.unitExtId}"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="createOrUpdateUser"/>
<dp:paraList name="searchFields">
<value>clientExtId</value>
<value>extId</value>
</dp:paraList>
</dataSink>
Create or update a user and sync roles:
<dataFilter type="ELMappingFilter">
<!-- standard attributes omitted -->
<!-- use a nevisIDMSource with queryType role to obtain roles-->
<dp:attrVal name="roles" value="${cfg.roles}"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="createOrUpdateUser"/>
</dataSink>
Create a unit:
<dataFilter type="ELMappingFilter">
<dp:attrVal name="name" value="#{in.unit.name}"/>
<dp:attrVal name="location" value="#{in.unit.address}"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="createUnit"/>
</dataSink>
Update a profile:
<dataFilter type="ELMappingFilter">
<dp:attrVal name="name" value="#{in.unit.name}"/>
<dp:attrVal name="prop_profileProperty" value="test"/>
</dataFilter>
<dataSink type="NevisIDMSink">
<dp:paraVal name="service" value="${inst.nevisIDMService}"/>
<dp:paraVal name="operation" value="updateProfile"/>
<dp:paraList name="searchFields">
<value>name</value>
</dp:paraList>
</dataSink>
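A pre-deployment check for sink definitions like the ones above, given as an added example that is not part of the product or its documentation. It validates a `dataSink` fragment against the Configuration table on this page; the function name `lint_sink`, the placeholder namespace URI bound to the `dp:` prefix, and the rule that delete operations should list their `searchFields` explicitly are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Operation and flag names as listed in the Configuration table of this page.
OPERATIONS = {prefix + entity
              for entity in ("User", "Credential", "Unit", "Profile")
              for prefix in ("create", "update", "createOrUpdate", "delete")}
FLAGS = {"DATAROOM_STRICT", "AUTH_VIA_ROLES"}
DP_NS = "urn:example:dataporter"  # assumption: placeholder URI so the dp: prefix parses


def lint_sink(fragment):
    """Return a list of findings for the NevisIDMSink definitions in an XML fragment."""
    wrapped = '<cfg xmlns:dp="%s">%s</cfg>' % (DP_NS, fragment)
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError as exc:  # e.g. an unterminated name="..." attribute
        return ["malformed XML: %s" % exc]
    findings = []
    for sink in root.iter("dataSink"):
        if sink.get("type") != "NevisIDMSink":
            continue
        vals = {e.get("name"): e.get("value")
                for e in sink.findall("{%s}paraVal" % DP_NS)}
        lists = {e.get("name"): [v.text.strip() for v in e.findall("value") if v.text]
                 for e in sink.findall("{%s}paraList" % DP_NS)}
        if not vals.get("service"):
            findings.append("missing required paraVal 'service'")
        op = vals.get("operation")
        if op is None:
            findings.append("missing required paraVal 'operation'")
        elif op not in OPERATIONS:
            findings.append("unknown operation '%s'" % op)
        elif op.startswith("delete") and not lists.get("searchFields"):
            # Review policy of this example, not a nevisIDM requirement.
            findings.append("%s relies on default search fields; list them explicitly" % op)
        for flag in lists.get("flags", []):
            if flag not in FLAGS:
                findings.append("unknown flag '%s'" % flag)
    return findings


if __name__ == "__main__":
    # Constructed sample with a misspelled operation name.
    sample = ('<dataSink type="NevisIDMSink">'
              '<dp:paraVal name="service" value="${inst.nevisIDMService}"/>'
              '<dp:paraVal name="operation" value="removeUser"/>'
              '</dataSink>')
    print(lint_sink(sample))
```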