Name | Type | Multiplicity | Description |
---|---|---|---|
description | property string | [0,1] | |
extension | container ExtensionType | [0,1] | The assignment extension used to add parameters to the assignment. |
metadata | container MetadataType | [0,1] | Meta-data about data creation, modification, etc. |
targetRef | reference ObjectReferenceType | [0,1] | TODO: target ref |
construction | container ConstructionType | [0,1] | TODO |
focusMappings | container MappingsType | [0,1] | Set of mappings that are applied to a focus in addition to object template. |
activation | container ActivationType | [0,1] | Type that defines activation properties. |
order | property int | [0,1] | |
focusType | property QName | [0,1] | |
tenantRef | reference ObjectReferenceType | [0,1] | Reference to the tenant to which this assignment refers. |
orgRef | reference ObjectReferenceType | [0,1] | Reference to the organization (org. unit, project, ...) to which this assignment refers. |
condition | property MappingType | [0,1] | |
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: dyn,RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime,oper
Multiplicity: [0,1]
Meta-data about data creation, modification, etc.
It may apply to objects but also parts of the object (e.g. assignments).
Meta-data only apply to successful operations. That is obvious for create, but it also applies
to modify. For obvious reasons there are no metadata about delete.
We keep no metadata about reading. That would be a huge performance hit.
These data are informational only. They should not be used for security purposes (use the auditing
subsystem for that). But the presence of metadata simplifies system administration and may provide
some basic information "at a glance" which may be later confirmed by the audit logs.
Meta-data are also supposed to be searchable. Therefore they may be used to quickly find
"candidate" objects for a closer examination.
Flags: RAM
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]
Type that defines activation properties. Determines whether something is active
(and working) or inactive (e.g. disabled).
It applies to several object types. It may apply to user, account, assignment, etc.
The data in this type define whether the described concept is active, from when it is active
and until when. "Active" means that it works. If something is not active, it should
not work or cause any effect. E.g. an inactive user should not be able to log in or run
any tasks, and a non-active role should not be assigned and, if assigned, it should not be
taken into account when computing the accounts.
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM,runtime
Multiplicity: [0,1]
Flags: RAM
Multiplicity: [0,1]
Reference to the tenant to which this assignment refers. This is an argument to the target of this
assignment. E.g. it is frequently used to parametrize the role which is assigned by this assignment.
However the exact interpretation of this value depends on the logic of the target role. It may be
significant or it may be entirely ignored.
Flags: RAM
Multiplicity: [0,1]
Reference to the organization (org. unit, project, ...) to which this assignment refers. This is an argument to the target of this
assignment. E.g. it is frequently used to parametrize the role which is assigned by this assignment.
However the exact interpretation of this value depends on the logic of the target role. It may be
significant or it may be entirely ignored.
Flags: RAM,runtime
Multiplicity: [0,1]