Property scopes
Every property has a scope. The scope defines to which type of entities the property belongs to. The administration of a property also depends on its scope: some property scopes need to be defined as nevisIDM reference data directly in the database; others may be created in the Web GUI. All scopes are described in more detail on the following pages.
onAppGlobal
| Definition | Defines a global application attribute. Each application can have a value for this attribute. |
|---|---|
| Example | Additional application attributes like needs_directory_export or strong_auth_required. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the database table TIDMA_PROPERTY. |
| Scope-ID | 1 |
| Usage | Properties with this scope cannot be used by nevisProxy. |
| Value administration | Values of this property are displayed in the application administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
The next figure shows an example of a property with scope onAppGlobal. The additional property is listed below the standard properties and, as it is an enumeration type, rendered as a drop-down menu with default value "not set". This property has been added with the following SQL code (note that IDs may have to be adjusted):
INSERT INTO TIDMA_PROPERTY (PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) VALUES (100,'Export',1,1,0,0,'Application requires directory export',0,0,null,'rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
INSERT INTO TIDMA_PROPERTY_ALLOWED_VAL (PROPERTY_ALD_VAL_ID,PROPERTY_ID,VALUE,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) values (100,100,'no',0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
INSERT INTO TIDMA_PROPERTY_ALLOWED_VAL (PROPERTY_ALD_VAL_ID,PROPERTY_ID,VALUE,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) values (101,100,'yes',0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
onUnitGlobal
| Definition | Defines a global unit attribute that can be defined separately for each unit. The property can be defined per client by setting the client foreign key or client-independent by setting the client foreign key to NULL. |
|---|---|
| Example | Alternative unit identification, e.g., alternate_id. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 2 |
| Usage | Properties with this scope cannot be used by nevisProxy. |
| Value administration | Values of this property are displayed in the unit administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
INSERT INTO TIDMA_PROPERTY
(PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT)
VALUES (99999008,'alternate_id',2,2,0,1,'the alternative unit
identification',0,0,null,'rw','rw',null,100,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
onProfileGlobal
| Definition | Defines a global profile attribute that can be specified separately for each profile. The property can be defined per client by setting the client foreign key or client-independent by setting the client foreign key to NULL. |
|---|---|
| Example | Alternative profile identification, e.g., ldap_profile_cn. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 3 |
| Usage | Can be used in nevisProxy via ch.nevis.idm.prof.<property_name>. |
| Value administration | Values of this property are displayed in the profile administration view in the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
The figure below shows an example of a property with scope onProfileGlobal. The additional property is listed below the standard properties and, as it is a string, rendered as a text field. This property has been added with the following SQL code (note that IDs may have to be adjusted):
INSERT INTO TIDMA_PROPERTY (PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) VALUES (120,'ldap_profile_cn',2,3,0,0,'LDAP Profile Common Name',0,80,'','rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
onProfileForAppGlobal
| Definition | Defines a global attribute to which you can assign a different value for each combination of profile, application and role (that is, for each authorization). For example, it is possible to assign two different roles of the same application to the same profile. For each of these roles, the properties of the scope OnProfileForAppGlobal can have a different value. Global means that the same custom extension applies to all applications. |
|---|---|
| Example | A global property appl_uid or appl_usercred, which is applicable to every available application. If you assign two or more different roles of the same application to the same profile, each role can have a different value for the global property appl_uid or appl_usercred. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in table TIDMA_PROPERTY in the database. |
| Scope-ID | 4 |
| Usage | Can be used in nevisProxy via ch.nevis.idm.prof.<application_name>.<property_name>. |
| Value administration | Values are displayed in the Manage role and property view of the nevisIDM GUI. Refer to chapter 3.4.1.4.1 appl_userid for an example. |
There are two default properties in the nevisIDM reference data with scope onProfileForAppGlobal. These two properties support the delegation of application-specific user IDs and credentials. They are described in the next chapters: appl_userid and appl_usercred.
appl_userid
This property is externalized by nevisAuth to ch.nevis.idm.prof.application.appl_userid, which is used for back-end login (nevisProxy -> application). It is contained in the default reference data and has been added with the following SQL code (note that IDs may have to be adjusted):
INSERT INTO TIDMA_PROPERTY (PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) VALUES (1,'appl_userid',2,4,0,1,'application account user ID',0,0,null,'rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
To administer the property values, go to the profile administration, select an existing role and click on the pencil icon at the end of the line. A view similar to the figure below appears in which you can administer properties with this scope for this profile and application.
Note that you can only administrate this property if the profile has at least one assigned role of this application.
appl_usercred
This property is externalized by nevisAuth to ch.nevis.idm.prof.application.appl_usercred, which is used for back-end login (nevisProxy -> application). It can be administrated as shown in the figure above.
onProfileForApp
Properties with this scope define a value for a profile on a specific application (contrary to the properties with scope onProfileForAppGlobal, which apply to all applications). To be able to assign or administrate properties of this scope, a profile must at least have one role of the particular application.
| Definition | Defines an attribute within an application that you can specify separately for each individual combination of application/role/profile. This scope is used for application-specific extensions of profiles. |
|---|---|
| Example | One particular application requires an additional parameter, for example, nevisUserId. Each role of this application includes the parameter nevisUserId. Furthermore, it is possible to assign different roles of this application to one profile, in which case each role can have a different value for the parameter nevisUserId. |
| Property administration | Properties of this type can be created and administrated in nevisIDM as described below. |
| Scope-ID | 5 |
| Usage | Can be used in nevisProxy via ch.nevis.idm.prof.<application_name>.<property_name>. |
| Value administration | Values of these properties can also be administrated in nevisIDM as described below. |
For example, to add a property pb_default_country to the sample application phonebook, click Search and modify application and search for the respective application. A view similar to the figure below appears. Click on the New button in the Properties panel.
A view similar to the figure below enables you to specify the new property. Make sure to select the onProfileForApp scope in the Scope field.
After clicking Save, you can define a list of values as shown in the figure below.
To assign a value to the property for a specific profile/role/application, select the relevant application role assigned to the respective profile and click on the pencil icon next to the role (see the figure below).
A view similar to the next figure is now displayed. This view allows you to set the pb_default_country property by selecting one of the predefined enumerated values. Thus, you assign the property to the TheoTest profile for the phonebook application /phonebookadmin role.
onRoleForApp
| Definition | Defines a role attribute for roles of a specific application. Each role of the specified application can have a different value for this property. |
|---|---|
| Example | One particular application requires an additional attribute, e.g., nevis-UserId. |
| Property administration | Properties with this scope can be created and administrated via application roles in the nevisIDM GUI. |
| Scope-ID | 6 |
| Usage | Can be used in nevisProxy via the SecurityRoleFilter, for example with the filter parameter RolesRequired. |
| Value administration | Property values can be created and administrated via the views application roles > property in the nevisIDM GUI. |
The sample application phonebook in the figure below has two roles, phonebookadmin and phonebookuser, and three properties with the onRoleForApp scope: view_entries, modify_entries and delete_entries:
A role is an application-specific entity that typically summarizes a set of properties with specified values. The phonebookuser role, for example, defines user access rights for the sample application phonebook. The phonebookuser role only allows viewing phonebook entries, not modifying or deleting them. You specify the property values for a specific role in the Manage roles view (see the figure below).
onUserGlobal
| Definition | Defines a global user attribute that can be assigned a different value for each user. The property can be defined per client by setting the client foreign key or client-independent by setting the client foreign key to NULL. |
|---|---|
| Example | An alternative user identification, e.g., ldap_user_dn. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 7 |
| Value administration | Values of this property are displayed in the user administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
Property scope onUserGlobal
INSERT INTO TIDMA_PROPERTY (PROPERTY_ID,NAME,TYPE,SCOPE,ENCRYPTED,PROPAGATED,DESCRIPTION,GUI_PRECEDENCE,STR_MAX_LEN,STR_REGEX,ACCESS_CREATE,ACCESS_MODIFY,APPLICATION_ID,CTL_TCN,CTL_CRE_UID,CTL_CRE_DAT,CTL_MOD_UID,CTL_MOD_DAT) VALUES (121,'custom_user_tech_id',2,7,0,0,'Custom UserTechId',0,80,'','rw','rw',null,0,'bootstrap',SYSDATE,'bootstrap',SYSDATE);
onEnterpriseRoleGlobal
| Definition | Defines a global enterprise role attribute that can be assigned a different value for each enterprise role. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL. |
|---|---|
| Example | An additional attribute of the enterprise roles, e.g., "purpose". |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 8 |
| Value administration | Values of this property are displayed on the enterprise role administration view of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
onCredentialCertificateGlobal
| Definition | Defines a global certificate attribute that can be assigned a different value separately for each certificate credential. The property can be defined per client by setting the client foreign key, or client-independent by setting the client foreign key to NULL. |
|---|---|
| Example | A required information in the certificate, e.g., SuisseID. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 20 |
| Value administration | Values of this property are displayed in the credential administration view for certificates of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. |
onCredentialGenericGlobal
| Definition | Defines a global generic credential attribute to which you can assign a different value separately for each generic credential. The property can be defined per client by setting the client foreign key, or client independently by setting the client foreign key to NULL. |
|---|---|
| Example | A required information in the generic credential, e.g., MobileID |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 21 |
| Value administration | Values of this property are displayed in the credential administration view for certificates of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. Web services: createCredential, updateCredential handles genenric credential properties. queryUsers can find users which hold specified values of a specified generic credential property. The credential type "GENERIC" should be set. Otherwise, the search falls back to certificate properties. |
onMobileSignatureGlobal
| Definition | Defines a global mobile signature credential attribute to which you can assign a different value separately for each mobile signature credential. The property can be defined per client by setting the client foreign key, or client independently by setting the client foreign key to NULL. |
|---|---|
| Example | No example available yet. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 22 |
| Value administration | Values of this property are displayed in the credential administration view for mobile signatures of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. Web services: createCredential and updateCredential handle mobile signature credential properties. queryUsers can find users which hold specified values of a specified mobile signature credential property. |
onSamlFederationGlobal
| Definition | Defines a global SAML federation credential attribute to which you can assign a different value separately for each SAML federation credential instance. The property can be defined per client by setting the client foreign key or client independently by setting the client foreign key to NULL. |
|---|---|
| Example | No example available yet. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 23 |
| Value administration | Values of this property are displayed in the credential administration view for SAML federations of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. Web services: createCredential and updateCredential handle SAML federation credential properties. queryUsers can find users which hold specified values of a specified SAML federation credential property. |
onSecurityQuestionsGlobal
| Definition | Defines a global security question credential attribute to which you can assign a different value separately for each security question credential instance. The property can be defined per client by setting the client foreign key or client independently by setting the client foreign key to NULL. |
|---|---|
| Example | No example available yet. |
| Property administration | Properties of this scope are defined as reference data and cannot be changed in the nevisIDM GUI, but need to be defined directly in the table TIDMA_PROPERTY in the database. |
| Scope-ID | 24 |
| Value administration | Values of this property are displayed in the credential administration view for security questions of the nevisIDM GUI. If the property is defined as read-write, the value can also be edited. Web services: createCredential and updateCredential handle security question credential properties. queryUsers can find users which hold specified values of a specified security question credential property. |