AWS IAM Identity Center connector
The AWS IAM Identity Center connector allows you to manage users and groups, as well as manage user group memberships between the AWS IAM identity center and IDM. You need an administrator account.
Before you start
Before you configure the connector, log in to your AWS administrator account in the web console and obtain the following
data to be able to connect: accessKey
, secretKey
, identityStoreId
, region
, and roleArn
.
Install the AWS IAM Identity Center connector
If you are looking for the Advanced Identity Cloud application for this connector, refer to: |
You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.
Connector | IDM | RCS |
---|---|---|
No |
No |
Download the connector .jar file from Backstage.
-
If you are running the connector locally, place it in the
/path/to/openidm/connectors
directory, for example:mv ~/Downloads/awsiam-connector-1.5.20.26.jar /path/to/openidm/connectors/
-
If you are using a remote connector server (RCS), place it in the
/path/to/openicf/connectors
directory on the RCS.
Configure the AWS IAM Identity Center connector
Create a connector configuration using the IDM admin UI:
-
From the navigation bar, click Configure > Connectors.
-
On the Connectors page, click New Connector.
-
On the New Connector page, type a Connector Name.
-
From the Connector Type drop-down list, select AWS IAM Identity Center Connector - 1.5.20.26.
-
Complete the Base Connector Details.
For a list of all configuration properties, refer to AWS IAM Identity Center Connector Configuration -
Click Save.
When your connector is configured correctly, the connector displays as Active in the admin UI.
Refer to this procedure to create a connector configuration over REST.
Connection details
-
Access Key ID
: The access key ID is a globally unique IAM user identifier to access the AWS service API. -
Secret Key ID
: The secret key is a password to access the AWS service API. -
Role ARN
: Amazon Resource Name (ARN) for the role which has IAM Full Access permissions. -
Session Name
: A name used to uniquely identify a user session within the identity service. -
Credentials Expiration Time
: Time (in seconds) to configure the duration in which the temporary credentials would expire. The time must be between 900 and 3600 seconds. -
Region
: The region where the AWS instance is hosted. -
Identity Store ID
: Unique identifier associated with an identity store used by AWS IAM Identity Center. -
Max connections
: Max size of the http connection pool used. Optional. -
Connection Timeout (seconds)
: Defines a timeout for the http connection in seconds. Optional. -
ProxyHost
: Proxy server host. Optional. -
ProxyPort
: Proxy server port number. Optional. -
ReadRateLimit
: Limits the request rate for read operations. The recommended rate is 20/sec. -
WriteRateLimit
: Limits the request rate for write operations. The recommended rate is 10/sec.
Object Types
If necessary, add or edit your object types to have these three objects with their properties:
__ACCOUNT__
PROPERTY NAME | TYPE | NATIVE TYPE | REQUIRED |
---|---|---|---|
|
String |
String |
NO |
|
String |
String |
YES |
|
Object |
Object |
YES |
|
String |
String |
YES |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
String |
String |
NO |
|
Array |
Object |
NO |
|
Array |
Object |
NO |
|
Array |
Object |
NO |
|
Array |
Object |
NO |
|
Array |
String |
NO |
__GROUP__
PROPERTY NAME | TYPE | NATIVE TYPE | REQUIRED |
---|---|---|---|
|
String |
String |
NO |
|
String |
String |
YES |
|
String |
String |
NO |
|
Array |
Object |
NO |
The __NAME__ field represents the username for users and the groupName for groups. |
If configuring the connector over REST or through the filesystem, specify the connection details to the AWS IAM
Identity Center resource provider in the configurationProperties
for the connector. The minimum required
properties are
accessKey
, secretKey
, roleArn
, roleSessionName
, region
, and identityStoreId
.
Sample Configuration
{
"configurationProperties": {
"accessKey": "ACCEES_KEY",
"secretKey": "xxxxxxxxxxxx",
"roleArn": "arn:aws:iam::000000000:role/USERNAME_ROLE",
"roleSessionName": "SESSION_NAME",
"region": "us-east-2",
"identityStoreId": "d-0a010101e0",
"sessionExpirationTime": 3600,
"proxyHost": null,
"proxyPort": null,
"proxyUsername": null,
"proxyPassword": null,
"connectionTimeout": null,
"maxConnections": null,
"readRateLimit": "20/sec",
"writeRateLimit": "10/sec"
}
}
On startup, IDM encrypts the value of the secretKey .
|
Mapping
From AWS users to IDM or Advanced Identity Cloud users
Attributes mapping table where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully.
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
From IDM or Advanced Identity Cloud users to AWS users
Attributes mapping table where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully.
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
From AWS groups to IDM or Advanced Identity Cloud groups
Attributes mapping table where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully.
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
|
|
N/A |
|
|
N/A |
From IDM or Advanced Identity Cloud groups to AWS Groups
Attributes mapping table where the columns represent the attribute name mapped from source to target and the necessary data transformation to synchronize successfully.
SOURCE | TARGET | TRANSFORMATION SCRIPT |
---|---|---|
|
|
N/A |
|
|
N/A |
Test the AWS IAM Identity Center connector
Test that the connector was configured correctly:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Accept-API-Version: resource=1.0' \ --request POST \ 'http://localhost:8080/system/awsiam?_action=test' { "name": "awsiam", "enabled": true, "config": "config/provisioner.openicf/awsiam", "connectorRef": { "bundleVersion": "1.5.20.26", "bundleName": "org.forgerock.openicf.connectors.awsiam-connector", "connectorName": "org.forgerock.openicf.connectors.awsiam.AwsIamConnector" }, "displayName": "AWS IAM IC Connector", "objectTypes": [ "__ACCOUNT__", "__ALL__", "__GROUP__" ], "ok": true }
Use the AWS IAM Identity Center connector
User
Create user
To create a user in AWS IAM Identity Center, you must provide at least the __NAME__
, name
(givenName and familyName) and displayName
fields.
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request POST \ --data '{ "__NAME__": "JohnDoe", "displayName": "John Doe", "locale": "US", "nickName": "JonnyDoe", "timezone": "UTC", "title": "Engineer", "profileUrl": "https://www.profile.com/jdoe", "userType": "USER", "preferredLanguage": "us-US", "name": { "givenName": "John", "middleName": "Michael", "familyName": "Doe", "honorificPrefix": "Sr.", "honorificSufix": "PhD", "formatted": "Sr. John Michael Doe, PhD" }, "addresses": { "type": "home", "streetAddress": "123 Main St", "locality": "Springfield", "region": "IL", "postalCode": "62701", "country": "USA", "primary": true, "formatted": "123 Main St, Springfield, IL 62701, USA" }, "emails": { "type": "home", "value": "johndoe@example.com", "primary": true }, "phoneNumbers": { "type": "mobile", "value": "+0101010101", "primary": true }, "__GROUPS__": [ "groupId1", "groupId2", ] }' \ 'http://localhost:8080/system/awsiam/__ACCOUNT__?_action=create' { "_id" : " "userId", "__NAME__": "JohnDoe", "displayName": "John Doe", "locale": "US", "nickName": "JonnyDoe", "timezone": "UTC", "title": "Engineer", "profileUrl": "https://www.profile.com/jdoe", "userType": "USER", "preferredLanguage": "us-US", "name": { "givenName": "John", "middleName": "Michael", "familyName": "Doe", "honorificPrefix": "Sr.", "honorificSufix": "PhD", "formatted": "Sr. John Michael Doe, PhD" }, "addresses": { "type": "home", "streetAddress": "123 Main St", "locality": "Springfield", "region": "IL", "postalCode": "62701", "country": "USA", "primary": true, "formatted": "123 Main St, Springfield, IL 62701, USA" }, "emails": { "type": "home", "value": "johndoe@example.com", "primary": true }, "phoneNumbers": { "type": "mobile", "value": "+0101010101", "primary": true }, "__GROUPS__": [ "groupId1", "groupId2", ] }
Get Users
Return all users from AWS IAM Identity Center.
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_queryFilter=true' { "result": [ { "_id": "", "__NAME__": "jdoe", "displayName": "John Doe", "name": { "givenName": "John", "middleName": "Michael", "familyName": "Doe", }, "addresses": []. "emails": [], "phoneNumbers": [], "__GROUPS__": [ "groupId1", "groupId2" ] }, ... { "_id": "", "__NAME__": "jdoe", "displayName": "John Doe", "name": { "givenName": "John", "middleName": "Michael", "familyName": "Doe", }, "addresses": []. "emails": [], "phoneNumbers": [], "__GROUPS__": [ "groupId1", "groupId2" ] }, ], "resultCount": 999, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
To paginate the results, the maximum value of _pageSize is 100.
|
Get user
Return a user from AWS IAM Identity Center. The user ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__/USER_ID'
{
"_id" : " "userId",
"__NAME__": "jdoe",
"displayName": "John Doe",
"locale": "en-US",
"nickname": "Johnny",
"timezone": "America/New_York",
"title": "Software Engineer",
"profileUrl": "https://www.profile.com/jdoe",
"userType": "employee",
"preferredLanguage": "en",
"name": {
"givenName": "John",
"middleName": "Michael",
"familyName": "Doe",
"honorificPrefix": "Sr.",
"honorificSufix": "PhD",
"formatted": "Sr. John Michael Doe, PhD"
},
"addresses": {
"type": "home",
"streetAddress": "123 Main St",
"locality": "Springfield",
"region": "IL",
"postalCode": "62701",
"country": "USA",
"primary": true,
"formatted": "123 Main St, Springfield, IL 62701, USA"
},
"emails": {
"type": "work",
"value": "john.doe@example.com",
"primary": true
},
"phoneNumbers": {
"type": "mobile",
"value": "+0101010101",
"primary": true
},
"__GROUPS__": [
"groupId1",
"groupId2"
]
}
Get user by filter
Return a user from AWS IAM Identity Center:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__ACCOUNT___queryFilter=__NAME__%20eq%20"name"' { "_id" : " "userId", "__NAME__": "jdoe", "displayName": "John Doe", "locale": "en-US", "nickname": "Johnny", "timezone": "America/New_York", "title": "Software Engineer", "profileUrl": "https://www.profile.com/jdoe", "userType": "employee", "preferredLanguage": "en", "name": { "givenName": "John", "middleName": "Michael", "familyName": "Doe", "honorificPrefix": "Sr.", "honorificSufix": "PhD", "formatted": "Sr. John Michael Doe, PhD" }, "addresses": { "type": "home", "streetAddress": "123 Main St", "locality": "Springfield", "region": "IL", "postalCode": "62701", "country": "USA", "primary": true, "formatted": "123 Main St, Springfield, IL 62701, USA" }, "emails": { "type": "work", "value": "john.doe@example.com", "primary": true }, "phoneNumbers": { "type": "mobile", "value": "+0101010101", "primary": true }, "__GROUPS__": [ "groupId1", "groupId2" ] }
The __NAME__ field only supports the equal filter. |
Get users IDs
Return all users from AWS IAM Identity Center displaying only the _id
field:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_queryId=query-all-ids' { "result": [ { "_id": "userID1" }, ... { "_id": userID2" } ], "resultCount": 999, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
Update user
Update a user in AWS IAM Identity Center. The user ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request PUT \
--data '{
"__NAME__": "JonnyDoe",
"displayName": "Jonny Doe",
"locale": "US",
"nickName": "JonnyDoe",
"timezone": "UTC",
"title": "",
"profileUrl": "https://www.profile.com/jonnydoe",
"userType": "USER",
"preferredLanguage": "us-US",
"name": {
"givenName": "Jonny",
"middleName": "Michael",
"familyName": "Doe",
"honorificPrefix": "Jr.",
"honorificSufix": "PhD",
"formatted": "Jr. John Michael Doe, PhD"
},
"addresses": {
"type": "home",
"streetAddress": "123 Main St",
"locality": "Springfield",
"region": "IL",
"postalCode": "60999",
"country": "US",
"primary": true,
"formatted": "123 Main St, Springfield, IL 62701, USA"
},
"emails": {
"type": "home",
"value": "johndoe@example.com",
"primary": true
},
"phoneNumbers": {
"type": "home",
"value": "505050",
"primary": true
},
"__GROUPS__": [
"groupID1",
"groupID2",
]
}' \
'http://localhost:8080/system/awsiam/__ACCOUNT__/USER_ID'
{
"_id" : "userId",
"__NAME__" : "JonnyDoe",
"displayName" : "Jonny Doe",
"locale" : "US",
"nickName" : "JonnyDoe",
"timezone" : "UTC",
"title" : "",
"profileUrl" : "https://www.profile.com/jonnydoe",
"userType" : "USER",
"preferredLanguage" : "us-US",
"name" : {
"givenName" : "Jonny",
"middleName" : "middleName",
"familyName" : "Doe",
"honorificPrefix" : "Jr",
"honorificSufix" : "PhD",
"formatted" : "Jr. John Doe, PhD"
},
"addresses": {
"type": "home",
"streetAddress": "123 Main St",
"locality": "Springfield",
"region": "IL",
"postalCode": "60999",
"country": "US",
"primary": true,
"formatted": "123 Main St, Springfield, IL 62701, USA"
},
"emails" : {
"type" : "home",
"value" : "johndoe@example.com",
"primary" : true
},
"phoneNumbers" : {
"type" : "home",
"value" : "505050",
"primary" : true
},
"__GROUPS__" : [
"groupID1",
"groupID2",
]
}
Delete user
Delete a user in the AWS IAM Identity Center. The user ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request DELETE \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__/USER_ID'
{
"_id" : "userId",
"__NAME__" : "JohnDoe",
"displayName" : "John Doe",
"locale" : "US",
"nickName" : "JonnyDoe",
"timezone" : "UTC",
"title" : "",
"profileUrl" : "www.example.doe",
"userType" : "USER",
"preferredLanguage" : "us-US",
"name" : {
"givenName" : "John",
"middleName" : "middleName",
"familyName" : "Doe",
"honorificPrefix" : "Sr",
"honorificSufix" : "PhD",
"formatted" : "Sr. John Doe, PhD"
},
"addresses" : {
"type" : "home",
"streetAddress" : "false street",
"locality" : "springfield",
"region" : "north",
"postalCode" : "0000",
"country" : "US",
"primary" : false,
"formatted" : "no"
},
"emails" : {
"type" : "home",
"value" : "testeruser@example.com",
"primary" : true
},
"phoneNumbers" : {
"type" : "home",
"value" : "505050",
"primary" : true
},
"__GROUPS__" : [
"groupID1",
"groupID2",
]
}
GROUPS
Create group
To create a group in AWS IAM Identity Center, it is necessary to at least provide the __NAME__
field. The
description
field is optional:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request POST \ --data '{ "__NAME__" : "New Group", "description" : "Some description" }' \ 'http://localhost:8080/openidm/system/awsiam/__GROUP__?_action=create' { "_id": "groupId", "description": "description", "__NAME__": "New Group", "externalIds": [] }
Get groups
Return all groups from AWS IAM Identity Center.
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__GROUP__?_queryFilter=true' { "result": [ { "_id": "groupId1", "__NAME__": "Display name group 1", "description": "description", "externalIds": [] }, ... { "_id": "groupId99", "__NAME__": "Display name group 99", "description": "description", "externalIds": [] } ], "resultCount": 99, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
To paginate the results, the maximum value of _pageSize is 100.
|
Get groups IDs
Return all groups from AWS IAM Identity Center displaying only the _id
field:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__GROUP__?_queryId=query-all-ids' { "result": [ { "_id": "groupID1", }, ... { "_id": "groupID99", } ], "resultCount": 99, "pagedResultsCookie": null, "totalPagedResultsPolicy": "NONE", "totalPagedResults": -1, "remainingPagedResults": -1 }
Get group
Return a group from AWS IAM Identity Center. The group ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
"_id": "groupId",
"description": "Some description",
"__NAME__": "Group Name",
"externalIds": []
}
Get group by filter
Return a group from AWS IAM Identity Center:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header 'Content-Type: application/json' \ --request GET \ 'http://localhost:8080/openidm/system/awsiam/__GROUP___queryFilter=__NAME__%20eq%20"username"' { "_id": "groupId", "description": "Some description", "__NAME__": "Group Name", "externalIds": [] }
The __NAME__ field only supports the equal filter. |
Update a group
Update a group in AWS IAM Identity Center. The group ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request PUT \
--header 'If-Match: *' \
--data '{
"__NAME__" : "New DisplayName",
"description" : "New Description"
}' \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
"_id": "groupId",
"description": "New description",
"__NAME__": "New DisplayName",
"externalIds": []
}
Delete a group
Delete a group in AWS IAM Identity Center. The group ID must be provided in the URI path:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request DELETE \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
"_id": "groupId",
"description": "description",
"__NAME__": "deleted group",
"externalIds": []
}
OpenICF Interfaces Implemented by the AWS IAM Identity Center Connector
The AWS IAM Identity Center Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:
- Create
-
Creates an object and its
uid
. - Delete
-
Deletes an object, referenced by its
uid
. - Schema
-
Describes the object types, operations, and options that the connector supports.
- Script on Connector
-
Enables an application to run a script in the context of the connector.
Any script that runs on the connector has the following characteristics:
-
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
-
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. -
The script has access to any script arguments passed in by the application.
-
- Search
-
Searches the target resource for all objects that match the specified object class and filter.
- Test
-
Tests the connector configuration.
Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
-
Updates (modifies or replaces) objects on a target resource.
AWS IAM Identity Center Connector Configuration
The AWS IAM Identity Center Connector has the following configurable properties:
Basic Configuration Properties
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
Yes |
Provides the Access Key ID to access the AWS IAM IC Service API. |
||||
|
|
|
Yes |
Yes |
Provides the Secret Key ID to access the AWS IAM IC Service API. |
||||
|
|
|
|
Yes |
Provides the Amazon Resource Name specifying the Role. |
||||
|
|
|
|
Yes |
Temporary name for the role session. |
||||
|
|
|
|
Yes |
Provides the Regions. |
||||
|
|
|
|
Yes |
Provides the identity store ID for the user and group store. |
||||
|
|
|
|
Yes |
Provides the temporary Session expiration time in seconds. |
||||
|
|
|
|
No |
Provides the Proxy Host. |
||||
|
|
|
|
No |
Provides the Proxy Port. |
||||
|
|
|
|
No |
Provides the Proxy Username. |
||||
|
|
|
Yes |
No |
Provides the Proxy Password. |
||||
|
|
|
|
No |
Provides the Maximum Connection Timeout in seconds. |
||||
|
|
|
|
No |
Provides the number of Maximum Connections. |
||||
|
|
|
|
Yes |
Defines throttling for read operations either per seconds ("30/sec") or per minute ("100/min"). |
||||
|
|
|
|
Yes |
Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min"). |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.