PingOne Advanced Identity Cloud

Managed objects

Managed objects and their properties are defined in the IDM managed object schema.

The default schema includes these types of managed objects:

Each managed object type contains properties for storing information about objects of that type. For example, the user object type has properties for storing usernames, passwords, email addresses, and so forth.

In the IDM admin UI, managed objects represent the identity-related data managed by IDM. In IDM, managed objects are stored in a DS repository.

Data consistency

Single-object operations are consistent within the scope of the operation performed, limited by the capabilities of the underlying data store. Bulk operations have no consistency guarantees. IDM does not expose any transactional semantics in the managed object access API.

For information on conditional header access through the REST API, refer to Conditional Operations.

Managed object triggers

Triggers are user-definable functions that validate or modify object or property state.

State triggers

Managed objects are resource-oriented. A set of triggers is defined to intercept the supported request methods on managed objects. Such triggers are intended to perform authorization, redact, or modify objects before the action is performed. The object being operated on is in scope for each trigger, meaning that the object is retrieved by the data store before the trigger is fired.

If retrieval of the object fails, the failure occurs before any trigger is called. Triggers are executed before any optimistic concurrency mechanisms are invoked. The reason for this is to prevent a potential attacker from getting information about an object (including its presence in the data store) before authorization is applied.

Table 1. Managed object triggers
Managed object triggers Description

onCreate

Called upon a request to create a new object. Throwing an exception causes the create to fail.

postCreate

Called after the creation of a new object is complete.

onRead

Called upon a request to retrieve a whole object or portion of an object. Throwing an exception causes the object to not be included in the result.

This method is also called when lists of objects are retrieved via requests to its container object; in this case, only the requested properties are included in the object. It allows for uniform access control for retrieval of objects, regardless of the method in which they were requested.

onUpdate

Called upon a request to store an object. The oldObject and newObject variables are in-scope for the trigger.

The oldObject represents a complete object, as retrieved from the data store. The trigger can elect to change newObject properties.

If, as a result of the trigger, the values of the oldObject and newObject are identical (that is, update is reverted), the update ends prematurely, but successfully. Throwing an exception causes the update to fail.

postUpdate

Called after an update request is complete.

onDelete

Called upon a request to delete an object. Throwing an exception causes the deletion to fail.

postDelete

Called after an object is deleted.

onSync

Called when a managed object is changed, and the change triggers an implicit synchronization operation.

The implicit synchronization operation is triggered by calling the sync service that attempts to go through all the configured managed-system mappings.

The sync service returns a response or an error. For both the response and the error, the script referenced by the onSync hook is called.

You can use this hook to inject business logic when the sync service fails or succeeds to synchronize all applicable mappings. For an example of how the onSync hook is used to revert partial successful synchronization operations, refer to Synchronization Failure Compensation.

Object storage triggers

An object-scoped trigger applies to an entire object. Unless otherwise specified, the object itself is in scope for the trigger.

onValidate

Validates an object prior to its storage in the data store. If an exception is thrown, the validation fails and the object is not stored.

onStore

Called prior to when an object is stored in the data store. Typically used to transform an object prior to its storage (for example, encryption).

Property storage triggers

A property-scoped trigger applies to a specific property within an object. Only the property itself is in scope for the trigger. No other properties in the object should be accessed during execution of the trigger. Unless otherwise specified, the order of execution of property-scoped triggers is intentionally left undefined.

onValidate

Validates a given property value after its retrieval from and prior to its storage in the data store. If an exception is thrown, the validation fails and the property is not stored.

onRetrieve

Called on all requests that return a single object: read, create, update, patch, and delete.

onRetrieve is called on queries only if executeOnRetrieve is set to true in the query request parameters. If executeOnRetrieve is not passed, or if it is false, the query returns previously persisted values of the requested fields. This behavior avoids performance problems when executing the script on all results of a query.

onStore

Called before an object is stored in the data store. Typically used to transform a given property before its object is stored.

Storage trigger Sequences

Triggers are executed in the following order:

Object retrieval Sequence
  1. Retrieve the raw object from the data store

  2. The executeOnRetrieve boolean is used to check whether property values should be recalculated. The sequence continues if the boolean is set to true.

  3. Call object onRetrieve trigger

  4. Per-property within the object, call property onRetrieve trigger

Object storage sequence
  1. Per-property within the object:

    • Call property onValidate trigger

    • Call object onValidate trigger

  2. Per-property trigger within the object:

    • Call property onStore trigger

    • Call object onStore trigger

    • Store the object with any resulting changes to the data store

Managed object encryption

Sensitive object properties can be encrypted prior to storage, typically through the property onStore trigger. The trigger has access to configuration data, which can include arbitrary attributes that you define, such as a symmetric encryption key. Such attributes can be decrypted during retrieval from the data store through the property onRetrieve trigger.

Managed object configuration

Configuration of managed objects is provided through an array of managed object configuration objects. The object is managed-object-config.

{
  "objects": [ managed-object-config object, ... ]
}
objects

array of managed-object-config objects, required

Specifies the objects that the managed object service manages.

Managed object config properties

Specifies the configuration of each managed object.

{
  "name"      : string,
  "actions"   : script object,
  "onCreate"  : script object,
  "onDelete"  : script object,
  "onRead"    : script object,
  "onRetrieve": script object,
  "onStore"   : script object,
  "onSync"    : script object,
  "onUpdate"  : script object,
  "onValidate": script object,
  "postCreate": script object,
  "postDelete": script object,
  "postUpdate": script object,
  "schema"    : {
    "id"        : urn,
    "icon"      : string,
    "mat-icon"  : string,
    "order"     : [ list of properties],
    "properties": { property-configuration objects },
    "$schema"   : "http://json-schema.org/draft-03/schema",
    "title"     : "User",
    "viewable"  : true
  }
}
Table 2. Managed object config properties
Property Description

name

String, required.

The name of the managed object. Used to identify the managed object in URIs and identifiers.

actions

Script object, optional.

A custom script that initiates an action on the managed object. For more information, refer to Register custom scripted actions.

onCreate

Script object, optional.

A script object to trigger when the creation of an object is being requested. The object to be created is provided in the root scope as an object property. The script can change the object. If an exception is thrown, the create aborts with an exception.

onDelete

Script object, optional.

A script object to trigger when the deletion of an object is being requested. The object being deleted is provided in the root scope as an object property. If an exception is thrown, the deletion aborts with an exception.

onRead

Script object, optional.

A script object to trigger when the read of an object is being requested. The object being read is provided in the root scope as an object property. The script can change the object. If an exception is thrown, the read aborts with an exception.

onRetrieve

Script object, optional.

A script object to trigger when an object is retrieved from the repository. The object that was retrieved is provided in the root scope as an object property. The script can change the object. If an exception is thrown, then object retrieval fails.

onStore

Script object, optional.

A script object to trigger when an object is about to be stored in the repository. The object to be stored is provided in the root scope as an object property. The script can change the object. If an exception is thrown, then object storage fails.

onSync

Script object, optional.

A script object to trigger when a change to a managed object triggers an implicit synchronization operation. The script has access to the syncResults object, the request object, the state of the object before the change (oldObject) and the state of the object after the change (newObject). The script can change the object.

onUpdate

Script object, optional.

A script object to trigger when an update to an object is requested. The old value of the object being updated is provided in the root scope as an oldObject property. The new value of the object being updated is provided in the root scope as a newObject property. The script can change the newObject. If an exception is thrown, the update aborts with an exception.

onValidate

Script object, optional.

A script object to trigger when the object requires validation. The object to be validated is provided in the root scope as an object property. If an exception is thrown, the validation fails.

postCreate

Script object, optional.

A script object to trigger after an object is created, but before any targets are synchronized.

postDelete

Script object, optional.

A script object to trigger after a delete of an object is complete, but before any further synchronization. The value of the deleted object is provided in the root scope as an oldObject property.

postUpdate

Script object, optional.

A script object to trigger after an update to an object is complete, but before any targets are synchronized. The value of the object before the update is provided in the root scope as an oldObject property. The value of the object after the update is provided in the root scope as a newObject property.

schema

Json-schema object, optional.

The schema to use to validate the structure and content of the managed object, and how the object is displayed in the UI. The schema-object format is defined by the JSON Schema specification.

schema.icon

String, optional.

The name of the Font Awesome icon to display for this object in the UI. Only applies to standalone IDM.

schema.mat-icon

String, optional.

The name of the Material Icon to display for this object in the UI. Only applies to IDM as part of the Ping Identity Platform.

schema.id

Urn, optional.

The URN of the managed object, for example, urn:jsonschema:org:forgerock:openidm:managed:api:Role.

schema.order

List of properties, optional.

The order in which properties of this managed object are displayed in the UI.

schema.properties

List of property configuration objects, optional.

A list of property specifications. For more information, refer to Property Configuration Properties.

schema.$schema

Url, optional.

Link to the JSON schema specification.

schema.title

String, optional.

The title of this managed object in the UI.

schema.viewable

Boolean, optional.

Whether this object is visible in the UI.

Property configuration properties

Each managed object property, identified by its property-name, can have the following configurable properties:

"property-name" : {
  "description"     : string,
  "encryption"      : property-encryption object,
  "isPersonal"      : boolean true/false,
  "isProtected"     : boolean true/false,
  "isVirtual"       : boolean true/false,
  "items"           : {
     "id"                  : urn,
     "properties"          : property-config object,
     "resourceCollection"  : property-config object,
     "reversePropertyName" : string,
     "reverseRelationship" : boolean true/false,
     "title"               : string,
     "type"                : string,
     "validate"            : boolean true/false,
  },
  "onRetrieve"      : script object,
  "onStore"         : script object,
  "onValidate"      : script object,
  "pattern"         : string,
  "policies"        : policy object,
  "required"        : boolean true/false,
  "returnByDefault" : boolean true/false,
  "scope"           : string,
  "searchable"      : boolean true/false,
  "secureHash"      : property-hash object,
  "title"           : string,
  "type"            : data type,
  "usageDescription": string,
  "userEditable"    : boolean true/false,
  "viewable"        : boolean true/false,
}
Table 3. Property config properties
Property Description

description

String, optional.

A brief description of the property.

encryption

Property-encryption object, optional.

Specifies the configuration for encryption of the property in the repository. If omitted or null, the property is not encrypted.

isPersonal

Boolean, true/false.

Designed to highlight personally identifying information. By default, isPersonal is set to true for userName and postalAddress.

isProtected

Boolean, true/false.

Specifies whether reauthentication is required if the value of this property changes.

isVirtual

Boolean, true/false.

Specifies whether the property takes a static value, or whether its value is calculated dynamically as the result of a script.

The most recently calculated value of a virtual property is persisted by default. The persistence of virtual property values allows IDM to compare the new value of the property against the last calculated value, and therefore to detect change events during synchronization.

Virtual property values are not persisted by default if you are using an explicit mapping.

items

Property-configuration object, optional.

For array type properties, defines the elements in the array.

items.id

Urn, optional.

The URN of the property, for example, urn:jsonschema:org:forgerock:openidm:managed:api:Role:members:items.

items.properties

Property configuration object, optional.

A list of properties, and their configuration, that make up this items array. For example, for a relationship type property:

"properties" : {
    "_ref" : {
        "description" : "References a relationship from a managed object",
        "type" : "string"
    },
    "_refProperties" : {
        "description" : "Supports metadata within the relationship",
        ...
    }
}

items.resourceCollection

Property configuration object, optional.

The collection of resources (objects) on which this relationship is based (for example, managed/realm-name_user objects).

items.reversePropertyName

String, optional

For relationship type properties, specifies the corresponding property name in the case of a reverse relationship. For example, a roles property might have a reversePropertyName of members.

items.reverseRelationship

Boolean, true or false.

For relationship type properties, specifies whether the relationship exists in both directions.

items.title

String, optional.

The title of array items, as displayed in the UI, for example Role Members Items.

items.type

String, optional.

The array type, for example relationship.

items.validate

Boolean, true/false.

For reverse relationships, specifies whether the relationship should be validated.

onRetrieve

Script object, optional.

A script object to trigger once a property is retrieved from the repository. That property may be one of two related variables: property and propertyName. The property that was retrieved is provided in the root scope as the propertyName variable; its value is provided as the property variable. If an exception is thrown, then object retrieval fails.

onStore

Script object, optional.

A script object to trigger when a property is about to be stored in the repository. That property may be one of two related variables: property and propertyName. The property that was retrieved is provided in the root scope as the propertyName variable; its value is provided as the property variable. If an exception is thrown, then object storage fails.

onValidate

Script object, optional.

A script object to trigger when the property requires validation. The value of the property to be validated is provided in the root scope as the property property. If an exception is thrown, validation fails.

pattern

String, optional.

Any specific pattern to which the value of the property must adhere. For example, a property whose value is a date might require a specific date format. Patterns specified here must follow regular expression syntax.

policies

Policy object, optional.

Any policy validation that must be applied to the property.

required

Boolean, true/false.

Specifies whether the property must be supplied when an object of this type is created.

returnByDefault

Boolean, true/false.

For virtual properties, specifies whether the property will be returned in the results of a query on an object of this type if it is not explicitly requested. Virtual attributes are not returned by default.

scope

String, optional.

Specifies whether the property should be filtered from HTTP/external calls. The value can be either "public" or "private". "private" indicates that the property should be filtered, "public" indicates no filtering. If no value is set, the property is assumed to be public and thus not filtered.

searchable

Boolean, true/false.

Specifies whether this property can be used in a search query on the managed object. A searchable property is visible in the End User UI. False by default.

Do not modify the searchable setting on properties in the Advanced Identity Cloud managed object schema.

secureHash

Property-hash object, optional.

Specifies the configuration for hashing of the property value in the repository. If omitted or null, the property is not hashed.

title

String, required.

A human-readable string, used to display the property in the UI.

type

Data type, required.

The data type for the property value; can be String, Array, Boolean, Number, Object, or Resource Collection.

usageDescription

String, optional.

Designed to help end users understand the sensitivity of a property such as a telephone number.

userEditable

Boolean, true/false.

Specifies whether users can edit the property value in the UI. This property applies in the context of the end-user UI, in which users are able to edit certain properties of their own accounts. False by default.

viewable

Boolean, true/false.

Specifies whether this property is viewable in the object’s profile in the UI. True by default.

Script object properties

{
  "type"  : "text/javascript",
  "source": string
}
type

String, required.

IDM supports "text/javascript".

source

String, required.

Specifies the source code of the script to be executed (if the keyword is "source").

Property encryption object

{
  "cipher": string,
  "key"   : string
}
cipher

String, optional.

The cipher transformation used to encrypt the property. If omitted or null, the default cipher of "AES/CBC/PKCS5Padding" is used.

key

String, required.

The alias of the key in the IDM cryptography service keystore used to encrypt the property.

Property hash object

{
    "algorithm" : string,
    "type" : string
}
algorithm

String, required.

The algorithm that should be used to hash the value.

type

String, optional.

The type of hashing. Currently, only salted hash is supported. If this property is omitted or null, the default "salted-hash" is used.

Access managed objects using REST

IDM exposes all managed object functionality through the REST API unless you configure a policy to prevent such access. In addition to the Ping Identity REST functionality of create, read, update, delete, patch, and query, the REST API also supports patch by query. For more information, refer to the PingIDM REST API reference.