Version: 8.2411.x.x RR

Property scopes

Every property has a scope. The scope defines which type of entity the property belongs to. The administration of a property also depends on its scope: some property scopes need to be defined as nevisIDM reference data directly in the database; others may be created in the Web GUI. All scopes are described in more detail on the following pages.

onAppGlobal

Definition: Defines a global application attribute. Each application can have a value for this attribute.
Example: Additional application attributes like needs_directory_export or strong_auth_required.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the database table TIDMA_PROPERTY.
Scope-ID: 1
Usage: Properties with this scope cannot be used by nevisProxy.
Value administration: Values of this property are displayed in the application administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

The next figure shows an example of a property with scope onAppGlobal. The additional property is listed below the standard properties and, as it is an enumeration type, rendered as a drop-down menu with default value "not set". This property has been added with the following SQL code (note that IDs may have to be adjusted):

INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (100,'Export',1,1,0,0,'Application requires directory export',0,0,null,'rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);

INSERT INTO TIDMA_PROPERTY_ALLOWED_VAL
(PROPERTY_ALD_VAL_ID,PROPERTY_ID,VALUE,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (100,100,'no',0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);

INSERT INTO TIDMA_PROPERTY_ALLOWED_VAL
(PROPERTY_ALD_VAL_ID,PROPERTY_ID,VALUE,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (101,100,'yes',0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
Custom property Export with scope onAppGlobal

onUnitGlobal

Definition: Defines a global unit attribute that can be defined separately for each unit. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: Alternative unit identification, e.g., alternate_id.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 2
Usage: Properties with this scope cannot be used by nevisProxy.
Value administration: Values of this property are displayed in the unit administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

This property has been added with the following SQL code (note that IDs may have to be adjusted):

INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (99999008,'alternate_id',2,2,0,1,'the alternative unit identification',0,0,null,'rw','rw',null,100,'bootstrap',SYSDATE,'bootstrap',SYSDATE);

onProfileGlobal

Definition: Defines a global profile attribute that can be specified separately for each profile. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: Alternative profile identification, e.g., ldap_profile_cn.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 3
Usage: Can be used in nevisProxy via ch.nevis.idm.prof.<property_name>.
Value administration: Values of this property are displayed in the profile administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

The figure below shows an example of a property with scope onProfileGlobal. The additional property is listed below the standard properties and, as it is a string, rendered as a text field. This property has been added with the following SQL code (note that IDs may have to be adjusted):

INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (120,'ldap_profile_cn',2,3,0,0,'LDAP Profile Common Name',0,80,'','rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
Custom property ldap_profile_cn with scope onProfileGlobal

onProfileForAppGlobal

Definition: Defines a global attribute to which you can assign a different value for each combination of profile, application and role (that is, for each authorization). For example, it is possible to assign two different roles of the same application to the same profile. For each of these roles, the properties of the scope onProfileForAppGlobal can have a different value. Global means that the same custom extension applies to all applications.
Example: A global property appl_uid or appl_usercred, which is applicable to every available application. If you assign two or more different roles of the same application to the same profile, each role can have a different value for the global property appl_uid or appl_usercred.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 4
Usage: Can be used in nevisProxy via ch.nevis.idm.prof.<application_name>.<property_name>.
Value administration: Values are displayed in the Manage role and property view of the nevisIDM GUI. Refer to chapter 3.4.1.4.1 appl_userid for an example.

There are two default properties in the nevisIDM reference data with scope onProfileForAppGlobal. These two properties support the delegation of application-specific user IDs and credentials. They are described in the next chapters: appl_userid and appl_usercred.

appl_userid

This property is externalized by nevisAuth to ch.nevis.idm.prof.application.appl_userid, which is used for back-end login (nevisProxy -> application). It is contained in the default reference data and has been added with the following SQL code (note that IDs may have to be adjusted):

INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (1,'appl_userid',2,4,0,1,'application account user ID',0,0,null,'rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);

To administer the property values, go to the profile administration, select an existing role and click on the pencil icon at the end of the line. A view similar to the figure below appears in which you can administer properties with this scope for this profile and application.

Note that you can only administer this property if the profile has at least one assigned role of this application.

Custom properties appl_userid and appl_usercred with scope onProfileForAppGlobal

appl_usercred

This property is externalized by nevisAuth to ch.nevis.idm.prof.application.appl_usercred, which is used for back-end login (nevisProxy -> application). It can be administered as shown in the figure above.

onProfileForApp

Properties with this scope define a value for a profile on a specific application (contrary to the properties with scope onProfileForAppGlobal, which apply to all applications). To be able to assign or administer properties of this scope, a profile must have at least one role of the particular application.

Definition: Defines an attribute within an application that you can specify separately for each individual combination of application/role/profile. This scope is used for application-specific extensions of profiles.
Example: One particular application requires an additional parameter, for example, nevisUserId. Each role of this application includes the parameter nevisUserId. Furthermore, it is possible to assign different roles of this application to one profile, in which case each role can have a different value for the parameter nevisUserId.
Property administration: Properties of this type can be created and administered in nevisIDM as described below.
Scope-ID: 5
Usage: Can be used in nevisProxy via ch.nevis.idm.prof.<application_name>.<property_name>.
Value administration: Values of these properties can also be administered in nevisIDM as described below.

For example, to add a property pb_default_country to the sample application phonebook, click Search and modify application and search for the respective application. A view similar to the figure below appears. Click on the New button in the Properties panel.

Example: Manage application view

A view similar to the figure below enables you to specify the new property. Make sure to select the onProfileForApp scope in the Scope field.

Manage onProfileForApp properties

After clicking Save, you can define a list of values as shown in the figure below.

Example: Manage onProfileForApp property values

To assign a value to the property for a specific profile/role/application, select the relevant application role assigned to the respective profile and click on the pencil icon next to the role (see the figure below).

Example: Assign onProfileForApp property value - 1

A view similar to the next figure is now displayed. This view allows you to set the pb_default_country property by selecting one of the predefined enumerated values. In this way, you assign the property to the TheoTest profile for the phonebookadmin role of the phonebook application.

Example: Assign onProfileForApp property value - 2

onRoleForApp

Definition: Defines a role attribute for roles of a specific application. Each role of the specified application can have a different value for this property.
Example: One particular application requires an additional attribute, e.g., nevis-UserId.
Property administration: Properties with this scope can be created and administered via application roles in the nevisIDM GUI.
Scope-ID: 6
Usage: Can be used in nevisProxy via the SecurityRoleFilter, for example with the filter parameter RolesRequired.
Value administration: Property values can be created and administered via the views application roles > property in the nevisIDM GUI.

The sample application phonebook in the figure below has two roles, phonebookadmin and phonebookuser, and three properties with the onRoleForApp scope: view_entries, modify_entries and delete_entries:

Example: onRoleForApp properties and corresponding group roles

A role is an application-specific entity that typically summarizes a set of properties with specified values. The phonebookuser role, for example, defines user access rights for the sample application phonebook. The phonebookuser role only allows viewing phonebook entries, not modifying or deleting them. You specify the property values for a specific role in the Manage roles view (see the figure below).

Example: onRoleForApp properties edited for sample role phonebookuser

onUserGlobal

Definition: Defines a global user attribute that can be assigned a different value for each user. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: An alternative user identification, e.g., ldap_user_dn.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 7
Value administration: Values of this property are displayed in the user administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

The property in the figure below has scope onUserGlobal. It has been added with the following SQL code (note that IDs may have to be adjusted):

INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (121,'custom_user_tech_id',2,7,0,0,'Custom UserTechId',0,80,'','rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
Custom property custom_user_tech_id with scope onUserGlobal

onEnterpriseRoleGlobal

Definition: Defines a global enterprise role attribute that can be assigned a different value for each enterprise role. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: An additional attribute of the enterprise roles, e.g., "purpose".
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 8
Value administration: Values of this property are displayed in the enterprise role administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

onCredentialCertificateGlobal

Definition: Defines a global certificate attribute that can be assigned a different value separately for each certificate credential. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: Required information in the certificate, e.g., SuisseID.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 20
Value administration: Values of this property are displayed in the credential administration view for certificates of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

onCredentialGenericGlobal

Definition: Defines a global generic credential attribute to which you can assign a different value separately for each generic credential. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: Required information in the generic credential, e.g., MobileID.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 21
Value administration: Values of this property are displayed in the credential administration view for certificates of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

Web services: createCredential and updateCredential handle generic credential properties. queryUsers can find users that hold specified values of a specified generic credential property. The credential type "GENERIC" should be set; otherwise, the search falls back to certificate properties.

onMobileSignatureGlobal

Definition: Defines a global mobile signature credential attribute to which you can assign a different value separately for each mobile signature credential. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: No example available yet.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 22
Value administration: Values of this property are displayed in the credential administration view for mobile signatures of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

Web services: createCredential and updateCredential handle mobile signature credential properties. queryUsers can find users which hold specified values of a specified mobile signature credential property.

onSamlFederationGlobal

Definition: Defines a global SAML federation credential attribute to which you can assign a different value separately for each SAML federation credential instance. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: No example available yet.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 23
Value administration: Values of this property are displayed in the credential administration view for SAML federations of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

Web services: createCredential and updateCredential handle SAML federation credential properties. queryUsers can find users which hold specified values of a specified SAML federation credential property.

onSecurityQuestionsGlobal

Definition: Defines a global security question credential attribute to which you can assign a different value separately for each security question credential instance. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL.
Example: No example available yet.
Property administration: Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database.
Scope-ID: 24
Value administration: Values of this property are displayed in the credential administration view for security questions of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited.

Web services: createCredential and updateCredential handle security question credential properties. queryUsers can find users which hold specified values of a specified security question credential property.
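Because several of the scopes above can only be defined by inserting reference data directly into TIDMA_PROPERTY, an administrator needs a way to review what was actually inserted. The following audit query is an added example, not part of the nevisIDM documentation or product: it lists every property with the scope name matching its numeric Scope-ID and type code as documented on this page (type 1 is rendered as an enumeration, type 2 as a string), together with its ENCRYPTED, PROPAGATED and access flags and any allowed values. It assumes an Oracle database (the statements on this page use SYSDATE), the availability of LISTAGG, and only the columns that appear in the INSERT statements above.

```sql
-- Added audit query (not from the nevisIDM documentation). Assumes Oracle SQL and
-- only the TIDMA_PROPERTY / TIDMA_PROPERTY_ALLOWED_VAL columns shown on this page.
SELECT p.PROPERTY_ID,
       p.NAME,
       p.SCOPE,
       CASE p.SCOPE                            -- Scope-IDs as documented on this page
         WHEN 1  THEN 'onAppGlobal'
         WHEN 2  THEN 'onUnitGlobal'
         WHEN 3  THEN 'onProfileGlobal'
         WHEN 4  THEN 'onProfileForAppGlobal'
         WHEN 5  THEN 'onProfileForApp'
         WHEN 6  THEN 'onRoleForApp'
         WHEN 7  THEN 'onUserGlobal'
         WHEN 8  THEN 'onEnterpriseRoleGlobal'
         WHEN 20 THEN 'onCredentialCertificateGlobal'
         WHEN 21 THEN 'onCredentialGenericGlobal'
         WHEN 22 THEN 'onMobileSignatureGlobal'
         WHEN 23 THEN 'onSamlFederationGlobal'
         WHEN 24 THEN 'onSecurityQuestionsGlobal'
         ELSE 'unknown scope'                  -- flags a typo in hand-written reference data
       END AS SCOPE_NAME,
       CASE p.TYPE                             -- type codes used by the examples on this page
         WHEN 1 THEN 'enumeration'
         WHEN 2 THEN 'string'
         ELSE 'other'
       END AS TYPE_NAME,
       p.ENCRYPTED,                            -- review for properties that carry secrets
       p.PROPAGATED,
       p.ACCESS_CREATE,
       p.ACCESS_MODIFY,
       p.APPLICATION_ID,                       -- NULL for the global scopes
       LISTAGG(v.VALUE, ', ') WITHIN GROUP (ORDER BY v.VALUE) AS ALLOWED_VALUES
  FROM TIDMA_PROPERTY p
  LEFT JOIN TIDMA_PROPERTY_ALLOWED_VAL v
         ON v.PROPERTY_ID = p.PROPERTY_ID      -- enumeration values, if any
 GROUP BY p.PROPERTY_ID, p.NAME, p.SCOPE, p.TYPE, p.ENCRYPTED, p.PROPAGATED,
          p.ACCESS_CREATE, p.ACCESS_MODIFY, p.APPLICATION_ID
 ORDER BY p.SCOPE, p.NAME;
```

Run it after applying new reference data: a row with SCOPE_NAME 'unknown scope', or an enumeration property with an empty ALLOWED_VALUES column, points at an insert that needs correcting before the property is used.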