Application Profile

An Application Profile targets a specific Application, e.g. the "Trade" Active Directory. Having an Application Profile always implies having an account on the target Application.

Definition

An Application Profile targets a specific Application, e.g. the "Trade" Active Directory. Having an Application Profile always implies having an account on the target Application (this is implicit), but the Application Profile also configures all the "Entitlement" Assignments (e.g. the asset associations) that are possible for the Application, in terms of group membership and/or privilege attribution.

For example, if an Application internally manages a set of groups and/or privileges (i.e. Entitlements), a set of Assignments will be configured to represent the possible associations of user accounts with those entitlements.

Application Profiles are conditionally associated with IDM objects, such as IDM Identities or IDM Organizations: an IDM object must match an Object Matching Condition to have the Application Profile. The next section details this.

Configuration

You can access the Application Profiles configuration:

  • by clicking on "Synchronization" → "Application Profiles"

  • by clicking on "System" → "Configurations" → "Synchronization Service" and performing an import/export.

Properties

The main configuration elements are:

| Property Name | Type | Mandatory | Description |
|---|---|---|---|
| id | String | YES | The Application Profile identifier. |
| name | String | YES | The Application Profile name. |
| description | String | NO | The Application Profile description. |
| assignments | List<Assignment> | NO | A list of Assignments. |
| applicationId | String | YES | The id of the target Application. |
| enabled | Boolean | YES | The Application Profile status. Default value: true |
| objectMatchingCondition | objectMatchingCondition | YES | An ObjectMatchingCondition determining whether an IDM object should have the ApplicationProfile or not. An ObjectMatchingCondition defines assignment conditions. One of those conditions can be the IDM object's access rights. For example, if an IDM Identity with the "fr" lang has the IDM "sales" right, then an account will be created in the "trade" LDAP directory, and put in the "sales-fr" LDAP group. |
| shadowKind | Enum | YES | ACCOUNT, ORGANIZATION, RESOURCE, ROLE, ROLE_PUBLICATION, ENTITLEMENT |

Assignment properties

| Property Name | Type | Mandatory | Description |
|---|---|---|---|
| entitlementsSearchRule | ComputeRule OBJECT CATEGORY | YES | How to search on the remote Application the entitlement(s) to be assigned to the account. |
| association | String | YES | The name of the "entitlement association" configuration, i.e. put a created account into a group, or give a privilege to the created account. |
| entitlementsSearchBase | String | NO | A search base for entitlements. If not specified, entitlements are searched from root. |
| matchingCondition | objectMatchingCondition | NO | A "matching condition" indicating whether this assignment should be applied or not on the account. If null then this assignment is always applied. |

Example

   <dmn:ApplicationProfile id="prov-activeDirectory-common-applicationProfile">
      <name>prov-activeDirectory-common-applicationProfile</name>
      <description></description>
      <assignments>
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
                  expr { prop('cn').eq('DnsAdmins') }
               ]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
            <matchingCondition>
               <objectKind>IDENTITY</objectKind>
               <objectTypes/>
               <simpleObjectMatchingStrategyDefinition>
                  <inputAttributeId>function</inputAttributeId>
                  <regex>ASSISTANT-TECHNIQUE</regex>
               </simpleObjectMatchingStrategyDefinition>
            </matchingCondition>
         </assignment>
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
                  def group = IDM_OBJECT.adGroup as String
                  LOG.info("##################group :" + group)
                  expr { prop('cn').eq(group) }
               ]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
            <matchingCondition>
               <objectKind>IDENTITY</objectKind>
               <objectTypes/>
               <simpleObjectMatchingStrategyDefinition>
                  <inputAttributeId>function</inputAttributeId>
                  <regex>CUISINE</regex>
               </simpleObjectMatchingStrategyDefinition>
            </matchingCondition>
         </assignment>
         <!-- No matchingCondition on this assignment: it is always applied. -->
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
                  expr { prop('cn').eq('Domain Admins') }
               ]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
         </assignment>
      </assignments>
      <applicationId>prov-activeDirectory-common-application</applicationId>
      <enabled>false</enabled>
      <objectMatchingCondition>
         <objectKind>IDENTITY</objectKind>
         <objectTypes/>
         <rightMatchingCondition>
            <names>
               <name>app.prov.identity-activeDirectory</name>
            </names>
            <targets/>
            <nameAndTargets/>
         </rightMatchingCondition>
      </objectMatchingCondition>
      <shadowKind>ACCOUNT</shadowKind>
   </dmn:ApplicationProfile>
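
An assignment with no matchingCondition is always applied, as with the third assignment above, which targets "Domain Admins". The following added example (not part of the original page or of the product) audits an exported profile for such unconditional assignments. The sample XML is constructed from the example above; the wrapper namespace URI, the PRIVILEGED set and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the example profile on this page.
SAMPLE = """<dmn:ApplicationProfile id="prov-activeDirectory-common-applicationProfile">
  <assignments>
    <assignment>
      <entitlementsSearchRule><script><![CDATA[expr { prop('cn').eq('DnsAdmins') }]]></script></entitlementsSearchRule>
      <association>group</association>
      <matchingCondition><objectKind>IDENTITY</objectKind></matchingCondition>
    </assignment>
    <assignment>
      <entitlementsSearchRule><script><![CDATA[def group = IDM_OBJECT.adGroup as String
expr { prop('cn').eq(group) }]]></script></entitlementsSearchRule>
      <association>group</association>
      <matchingCondition><objectKind>IDENTITY</objectKind></matchingCondition>
    </assignment>
    <assignment>
      <entitlementsSearchRule><script><![CDATA[expr { prop('cn').eq('Domain Admins') }]]></script></entitlementsSearchRule>
      <association>group</association>
    </assignment>
  </assignments>
</dmn:ApplicationProfile>"""

# Assumption: groups this review treats as privileged; adjust per directory.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "DnsAdmins"}
LITERAL_CN = re.compile(r"prop\('cn'\)\.eq\('([^']+)'\)")

def audit_profile(fragment):
    """Return one finding dict per <assignment> in an exported profile fragment."""
    # The fragment uses the dmn: prefix without declaring it, so bind it to a
    # placeholder URI on a wrapper element to make the fragment parseable.
    root = ET.fromstring('<w xmlns:dmn="urn:placeholder:dmn">%s</w>' % fragment)
    findings = []
    for a in root.iter("assignment"):
        script = a.findtext("entitlementsSearchRule/script", default="")
        m = LITERAL_CN.search(script)
        group = m.group(1) if m else None  # None: target is computed at run time
        findings.append({
            "group": group,
            "dynamic": group is None,
            "unconditional": a.find("matchingCondition") is None,
            "privileged": group in PRIVILEGED,
        })
    return findings

def risky(findings):
    """Privileged groups granted by an assignment with no matching condition."""
    return [f["group"] for f in findings if f["unconditional"] and f["privileged"]]
```

Assignments reported as dynamic resolve their group from an IDM attribute (IDM_OBJECT.adGroup in the example), so their effective target depends on who can write that attribute and needs a separate review.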
