ICF 1.5.20.27

SAP HANA Database connector

Before you start

These connector instructions require a SAP HANA Database account with elevated privileges to add roles, system, and application privileges. The following information is required to configure the connector:

Username

Your SAP HANA Database username.

Password

Your SAP HANA Database password.

JDBC Connection URL

The URL to establish the connection between the connector and the SAP HANA Database.

Driver class name

The class name driver path.

For more information, refer to the Connect to SAP HANA via JDBC documentation.

Install the SAP HANA Database connector

If you are looking for the Advanced Identity Cloud application for this connector, refer to:

You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.

Connector included in default deployment
Connector IDM RCS

No

Yes

Download the connector .jar file from Backstage.

  • If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:

    mv ~/Downloads/saphanadb-connector-1.5.20.26.jar /path/to/openidm/connectors/
  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Download the Sap Hana JDBC driver.

The minimum required JDBC version is 2.16.14.
  • If you are running the connector locally, place the library in the /path/to/openidm/lib/ directory:

    mv ~/Downloads/ngdbc-version.jar /path/to/openidm/lib/
  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Configure the SAP HANA Database connector

Create a connector configuration using the IDM admin UI:

  1. From the navigation bar, click Configure > Connectors.

  2. On the Connectors page, click New Connector.

  3. On the New Connector page, type a Connector Name.

  4. From the Connector Type drop-down list, select SAP HANA Database Connector - 1.5.20.26.

  5. Complete the Base Connector Details.

    For a list of all configuration properties, refer to SAP HANA Database Connector Configuration
  6. Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to this procedure to create a connector configuration over REST.

Base connector details

username

The username for logging in to the database.

password

The user password for logging in to the database.

url

The database connection string in the form of jdbc:sap://<server>:<port>[/?<options>].

driverClassName

The file directory location of DBC driver files.

pageSize

Defines the page size to be displayed to users.

ignoreUsers

Database users to ignore. Typically, these are internal database users to avoid for security reasons. SYS and SYSTEM internal users are ignored by default.

Object types

You can add or edit the object type to obtain any of the following objects and their properties:

__ACCOUNT__
PROPERTY NAME TYPE NATIVE TYPE REQUIRED

USER_ID

String

String

NO

USER_NAME

String

String

NO

PASSWORD

GuardedString

String

NO

USER_MODE

String

String

NO

EMAIL_ADDRESS

String

String

NO

CLIENT

String

String

NO

TIME_ZONE

String

String

NO

CREATOR

String

String

NO

VALID_FROM

String

String

NO

VALID_UNTIL

String

String

NO

IS_RESTRICTED

Boolean

Boolean

NO

IS_CLIENT_CONNECT_ENABLED

Boolean

Boolean

NO

HAS_REMOTE_USERS

Boolean

Boolean

NO

PASSWORD_CHANGE_NEEDED

Boolean

Boolean

NO

IS_KERBEROS_ENABLED

Boolean

Boolean

NO

IS_SAML_ENABLED

Boolean

Boolean

NO

IS_PASSWORD_ENABLED

Boolean

Boolean

NO

SAML_PROVIDERS

Array

Object

NO

SYSTEM_PRIVILEGES

Array

String

NO

APPLICATION_PRIVILEGES

Array

String

NO

ROLES

Array

String

NO

EXTERNAL_IDENTITY

Array

String

NO

ROLES
PROPERTY NAME TYPE NATIVE TYPE REQUIRED

ROLE_ID

String

String

NO

ROLE_NAME

String

String

NO

GLOBAL_IDENTITY

String

String

NO

ROLE_SCHEMA_NAME

String

String

NO

ROLE_MODE

String

String

NO

APPLICATION_PRIVILEGES

PROPERTY NAME

TYPE

NATIVE TYPE

REQUIRED

__NAME__

String

String

NO

SYSTEM_PRIVILEGES

PROPERTY NAME

TYPE

NATIVE TYPE

REQUIRED

__NAME__

String

String

NO

To configure the connector over REST or using the filesystem, specify the connection details to the SAP HANA Database resource provider in the configurationProperties for the connector. The minimum required properties are username, password, url and driverClassName.

Sample configuration

{
    "configurationProperties" : {
        "connectionProperties" : null,
        "propagateInterruptState" : false,
        "useDisposableConnectionFacade" : true,
        "defaultCatalog" : null,
        "validationInterval" : 3000,
        "ignoreExceptionOnPreLoad" : false,
        "jmxEnabled" : true,
        "commitOnReturn" : false,
        "logAbandoned" : false,
        "maxIdle" : 100,
        "testWhileIdle" : false,
        "removeAbandoned" : false,
        "abandonWhenPercentageFull" : 0,
        "minIdle" : 10,
        "defaultReadOnly" : null,
        "maxWait" : 30000,
        "logValidationErrors" : false,
        "name" : "Tomcat Connection Pool[1-20280544]",
        "useStatementFacade" : true,
        "initSQL" : null,
        "validationQueryTimeout" : -1,
        "validationQuery" : null,
        "rollbackOnReturn" : false,
        "alternateUsernameAllowed" : false,
        "dataSourceJNDI" : null,
        "validatorClassName" : null,
        "suspectTimeout" : 0,
        "useEquals" : true,
        "removeAbandonedTimeout" : 60,
        "defaultAutoCommit" : null,
        "testOnConnect" : false,
        "jdbcInterceptors" : null,
        "initialSize" : 10,
        "defaultTransactionIsolation" : -1,
        "numTestsPerEvictionRun" : 0,
        "url" : "jdbc:sap://HOST:PORT",
        "testOnBorrow" : false,
        "fairQueue" : true,
        "accessToUnderlyingConnectionAllowed" : true,
        "maxAge" : 0,
        "minEvictableIdleTimeMillis" : 60000,
        "timeBetweenEvictionRunsMillis" : 5000,
        "testOnReturn" : false,
        "useLock" : false,
        "maxActive" : 100,
        "username" : "USERNAME",
        "password" : "PASSWORD",
        "pageSize" : "50",
        "driverClassName" : "com.sap.db.jdbc.Driver",
        "ignoreUsers" : [
            "SYS",
            "SYSTEM"
        ]
    }
}

Mapping

From SAP HANA Database users to IDM or Advanced Identity Cloud users
Attributes
SOURCE TARGET TRANSFORMATION SCRIPT

USER_ID

_id

N/A

USER_NAME

userName

N/A

PASSWORD

password

N/A

EMAIL_ADDRESS

mail

N/A

TIME_ZOME

timeZone

N/A

CLIENT

sessionClient

N/A

VALID_FROM

validFrom

N/A

VALID_UNTIL

validUntil

N/A

IS_RESTRICTED

isRestricted

N/A

ROLES

grantedRoles

N/A

APPLICATION_PRIVILEGES

applicationPrivileges

N/A

SYSTEM_PRIVILEGES

systemPrivileges

N/A

SAML_PROVIDERS

samlProviders

N/A

IS_SAML_ENABLED

isSamlEnabled

N/A

IS_KERBEROS_ENABLED

isKerberosEnabled

N/A

PASSWORD_CHANGE_NEEDED

passwordChangeNeeded

N/A

EXTERNAL_IDENTITY

externalIdentity

N/A

Association>Association Rules>Correlation Queries

  • Link Qualifier: default

  • Any of the following fields: USER_NAME

From IDM or Advanced Identity Cloud users to SAP HANA Database users
Attributes
SOURCE TARGET TRANSFORMATION SCRIPT

userName

USER_NAME

N/A

password

PASSWORD

N/A

mail

EMAIL_ADDRESS

N/A

timeZone

TIME_ZONE

N/A

sessionClient

CLIENT

N/A

validFrom

VALID_FROM

N/A

validUntil

VALID_UNTIL

N/A

isRestricted

IS_RESTRICTED

N/A

grantedRoles

ROLES

N/A

applicationPrivileges

APPLICATION_PRIVILEGES

N/A

systemPrivileges

SYSTEM_PRIVILEGES

N/A

samlProviders

SAML_PROVIDERS

N/A

isSamlEnabled

IS_SAML_ENABLED

N/A

isKerberosEnabled

IS_KERBEROS_ENABLED

N/A

passwordChangeNeeded

PASSWORD_CHANGE_NEEDED

N/A

externalIdentity

EXTERNAL_IDENTITY

N/A

Association>Association Rules>Correlation Queries

  • Link Qualifier: default

  • Any of the following fields: USER_NAME

Test the SAP HANA Database connector

Test the connector configuration:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request POST \
'http://localhost:8080/openidm/system/saphanadb?_action=test'
{
    "name": "saphanadb",
    "enabled": true,
    "config": "config/provisioner.openicf/saphanadb",
    "connectorRef": {
        "bundleVersion": [1.5.0.0,1.6.0.0),
        "bundleName": "org.forgerock.openicf.connectors.saphanadb-connector",
        "connectorName": "org.forgerock.openicf.connectors.saphanadb.SapHanaDBConnector"
    },
    "displayName": "SAP HANA Database Connector",
    "objectTypes": [
        "APPLICATION_PRIVILEGES",
        "__ACCOUNT__",
        "SYSTEM_PRIVILEGES",
        "ROLES",
        "__ALL__"
    ],
    "ok": true
}

Use the SAP HANA Database connector

Database user

Create a user

To create a new user, you must include at least the USER_NAME and PASSWORD fields. The default configuration requires passwords to have:

  • a minimum of 8 characters.

  • at least one number.

  • at least one uppercase letter.

  • at least one lowercase letter.

Special characters are optional, but the default password setting (Aa1) only accepts underscores (_). For more information, refer to Password Policy Configuration Options.

If the IS_RESTRICTED field is true, a restricted user is created. A restricted user has no default roles and an unrestricted user has the default PUBLIC role.

The possible date format for the fields VALID_FROM and VALID_UNTIL is: yyyy-MM-dd HH:mm AM/PM.

When assigning SAML Providers to a User, only those providers that already exist within the database can be assigned during a create operation.

To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--header 'Content-Type: application/json' \
--request POST \
--data '{
    "USER_NAME" : "SAPHANADB_NEWUSER",
    "PASSWORD" : "Password123",
    "EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "VALID_FROM" : "2024-12-12 12:30",
    "VALID_UNTIL" : "2025-12-12 15:00",
    "IS_SAML_ENABLED" : true,
    "IS_KERBEROS_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "ROLES" : [
      "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
        "REPO.IMPORT",
        "REPO.MAINTAIN_DELIVERY_UNITS"
    ]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__'
{
    "USER_NAME" : "SAPHANADB_NEWUSER",
    "EMAIL_ADDRESS" : "SAPHANADB_NEWUSER@example.com",
    "IS_RESTRICTED" : false,
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL"
    "VALID_FROM": "2024-12-12 12:30",
    "VALID_UNTIL": "2025-12-12 15:00",
    "IS_SAML_ENABLED" : true,
    "IS_KERBEROS_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "HAS_REMOTE_USERS" : false,
    "EXTERNAL_IDENTITY" : false,
    "CREATOR" : "USER_CREATOR",
    "ROLES" : [
        "PUBLIC",
        "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
        "REPO.IMPORT",
        "REPO.MAINTAIN_DELIVERY_UNITS"
    ]
}

Get users

Retrieve a list of database user ids from SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__?_queryId=query-all-ids'
{
    "result": [
        {
            "_id" : "001"
        },
        {
            "_id" : "002"
        },
        {
            "_id" : "003"
        },
        ...
    ]
}

Get a user

Retrieve a user from SAP HANA Database. You must specify the id in the URI path:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME" : "NEW_USER",
    "EMAIL_ADDRESS" : "NEW_USER@example.com",
    "IS_RESTRICTED" : false,
    "CLIENT" : "000",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL",
    "VALID_FROM": "2023-09-06",
    "VALID_UNTIL": "2023-12-31",
    "IS_SAML_ENABLED" : fale,
    "IS_KERBEROS_ENABLED" : false,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "HAS_REMOTE_USERS" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY" : "999",
    "CREATOR" : "USER_CREATOR",
    "ROLES": [
        "PUBLIC",
        "MODELING"
    ],
    "APPLICATION_PRIVILEGES" : [
        "sap.hana.backup::Admin"
    ],
    "SYSTEM_PRIVILEGES" : [
        "REPO.EXPORT",
    ],
    "SAML_PROVIDERS" : [
        {
            "SAML_PROVIDER_NAME" : "PROVIDER_NAME",
            "EXTERNAL_IDENTITY" : null
        }
    ]
}

Update a user

Update a user from the database. You must specify the id in the URI path.

The roles field combines the catalog and repository roles. To grant and revoke roles, application or system privileges, some requirements are necessary, as detailed here.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request PUT \
--data '{
    "EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
    "CLIENT" : "002",
    "TIME_ZONE" : "PST",
    "VALID_FROM" : "2023-09-06",
    "VALID_UNTIL" : "2023-12-31",
    "IS_KERBEROS_ENABLED" : true,
    "IS_SAML_ENABLED" : true,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED": true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY": "999",
    "ROLES": [
        "PUBLIC",
        "RESTRICTED_USER_JDBC_ACCESS"
    ]
}' \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME": "USERNAME",
    "EMAIL_ADDRESS": "NEW_MAIL@EMAIL.COM",
    "IS_RESTRICTED": false,
    "CLIENT": "002",
    "TIME_ZONE": "PST",
    "USER_MODE": "LOCAL",
    "VALID_FROM": "2023-09-06",
    "VALID_UNTIL": "2023-12-31",
    "IS_KERBEROS_ENABLED": true,
    "IS_SAML_ENABLED": true,
    "IS_PASSWORD_ENABLED": true,
    "PASSWORD_CHANGE_NEEDED": true,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "EXTERNAL_IDENTITY": "999",
    "HAS_REMOTE_USERS": false,
    "CREATOR": "USER_CREATOR",
    "ROLES": [
        "PUBLIC",
        "RESTRICTED_USER_JDBC_ACCESS",
    ],
    "APPLICATION_PRIVILEGES": [],
    "SYSTEM_PRIVILEGES": [],
    "SAML_PROVIDERS" : []
}

Delete a user

Delete a user from a database. You must specify the id in the URI path:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request DELETE \
'http://localhost:8080/openidm/system/saphanadb/__ACCOUNT__/USER_ID'
{
    "USER_NAME" : "NEW_USER",
    "EMAIL_ADDRESS" : "NEW_USER@EMAIL.COM",
    "IS_RESTRICTED" : false,
    "CLIENT" : "001",
    "TIME_ZONE" : "GMT",
    "USER_MODE" : "LOCAL"
    "VALID_FROM": "2024-12-12",
    "VALID_UNTIL": "2025-12-12",
    "IS_SAML_ENABLED" : false,
    "IS_KERBEROS_ENABLED" : false,
    "IS_PASSWORD_ENABLED" : true,
    "PASSWORD_CHANGE_NEEDED" : false,
    "IS_CLIENT_CONNECT_ENABLED": true,
    "HAS_REMOTE_USERS" : false,
    "EXTERNAL_IDENTITY" : "999",
    "CREATOR" : "USER_CREATOR",
    "ROLES": [
        "PUBLIC"
    ],
    "APPLICATION_PRIVILEGES" : [],
    "SYSTEM_PRIVILEGES" : [],
    "SAML_PROVIDERS" : []
}

Get roles

Retrieve roles from a SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/ROLES?_queryFilter=true'
{
    "result": [
        {
            "_id": "2361418",
            "ROLE_NAME": "ABAP_READ",
            "ROLE_ID": "2361418",
            "ROLE_MODE": "LOCAL",
            "__NAME__": "ABAP_READ",
            "ROLE_SCHEMA_NAME": null,
            "GLOBAL_IDENTITY": null
        },
        ...
}

Get system privileges

Retrieve system privileges from a SAP HANA Database:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET \
'http://localhost:8080/openidm/system/saphanadb/SYSTEM_PRIVILEGES?_queryFilter=true'
{
    "result": [
        {
            "_id": "ADAPTER ADMIN",
            "__NAME__": "ADAPTER ADMIN",
        },
        ...
}

Get application privileges

Retrieve application privileges from a SAP HANA Database:

curl
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request GET 'http://localhost:8080/openidm/system/saphanadb/APPLICATION_PRIVILEGES/_queryFilter=true'
{
    "result": [
        {
            "_id": "sap.hana.ide::Catalog",
            "__NAME__": "sap.hana.ide::Catalog"
        },
        ...
}

OpenICF Interfaces Implemented by the SAP HANA Database Connector

The SAP HANA Database Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

SAP HANA Database Connector Configuration

The SAP HANA Database Connector has the following configurable properties:

Configuration properties

Property Type Default Encrypted(1) Required(2)

connectionProperties

String

null

No

Description is not available

propagateInterruptState

boolean

false

No

Description is not available

useDisposableConnectionFacade

boolean

true

No

Description is not available

defaultCatalog

String

null

No

Description is not available

validationInterval

long

3000

No

Description is not available

ignoreExceptionOnPreLoad

boolean

false

No

Description is not available

jmxEnabled

boolean

true

No

Description is not available

commitOnReturn

boolean

false

No

Description is not available

logAbandoned

boolean

false

No

Description is not available

maxIdle

int

100

No

Description is not available

testWhileIdle

boolean

false

No

Description is not available

removeAbandoned

boolean

false

No

Description is not available

abandonWhenPercentageFull

int

0

No

Description is not available

minIdle

int

10

No

Description is not available

defaultReadOnly

Boolean

null

No

Description is not available

maxWait

int

30000

No

Description is not available

logValidationErrors

boolean

false

No

Description is not available

driverClassName

String

null

No

Description is not available

name

String

Tomcat Connection Pool[7-351632824]

No

Description is not available

useStatementFacade

boolean

true

No

Description is not available

initSQL

String

null

No

Description is not available

validationQueryTimeout

int

-1

No

Description is not available

validationQuery

String

null

No

Description is not available

rollbackOnReturn

boolean

false

No

Description is not available

alternateUsernameAllowed

boolean

false

No

Description is not available

dataSourceJNDI

String

null

No

Description is not available

validatorClassName

String

null

No

Description is not available

suspectTimeout

int

0

No

Description is not available

useEquals

boolean

true

No

Description is not available

removeAbandonedTimeout

int

60

No

Description is not available

defaultAutoCommit

Boolean

null

No

Description is not available

testOnConnect

boolean

false

No

Description is not available

jdbcInterceptors

String

null

No

Description is not available

initialSize

int

10

No

Description is not available

defaultTransactionIsolation

int

-1

No

Description is not available

numTestsPerEvictionRun

int

0

No

Description is not available

url

String

null

No

Description is not available

testOnBorrow

boolean

false

No

Description is not available

fairQueue

boolean

true

No

Description is not available

accessToUnderlyingConnectionAllowed

boolean

true

No

Description is not available

maxAge

long

0

No

Description is not available

minEvictableIdleTimeMillis

int

60000

No

Description is not available

timeBetweenEvictionRunsMillis

int

5000

No

Description is not available

testOnReturn

boolean

false

No

Description is not available

useLock

boolean

false

No

Description is not available

maxActive

int

100

No

Description is not available

username

String

null

No

The connection username to be passed to our JDBC driver to establish a connection

password

String

null

Yes

Yes

SAP HANA Database login password to authenticate the user

pageSize

Integer

50

No

Page size of search

ignoreUsers

String[]

['SYS', 'SYSTEM']

No

List of database users to be ignored by the connector

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.