Create and modify object types
If the managed object types provided in the default configuration don’t meet your needs, you can create or modify them.
Every managed object type has a name and a schema that describes the properties associated with that object. The name can only include the characters a-z, A-Z, 0-9, and _ (underscore). You can add any arbitrary properties to the schema.
Note: Avoid using the dash character in property names (like …). Also, managed object properties that contain an underscore (…
Typical managed object property definition fields
title
The name of the property, in human-readable language, used to display the property in the UI.
description
A brief description of the property.
viewable
Specifies whether this property is viewable in the object’s profile in the UI. Boolean, true or false (true by default).
searchable
Specifies whether this property can be searched in the UI. A searchable property is visible within the Managed Object data grid in the End User UI. Boolean, true or false (false by default). Do not modify the searchable setting on properties in the default managed object schema in IDM, unless otherwise noted in documentation.
userEditable
Specifies whether users can edit the property value in the UI. This property applies in the context of the End User UI, where users are able to edit certain properties of their own accounts. Boolean, true or false (false by default).
pattern
Any specific pattern to which the value of the property must adhere. For example, a property whose value is a date might require a specific date format.
policies
Any policy validation that must be applied to the property.
required
Specifies whether the property must be supplied when an object of this type is created. Boolean, true or false.
To set an attribute as required:
- In the left menu, go to Native Consoles > Identity Management.
- Click Configure > Managed Objects and select the managed object; in this case, click Alpha_user. A list of the properties in the managed object displays. The Required column displays which properties Advanced Identity Cloud currently requires.
- Click on the desired property.
- In the Details tab, enable the Required field.
- Click Save.
The required policy is assessed only during object creation, not when an object is updated. You can effectively bypass the policy by updating the object and supplying an empty value for that property. To prevent this inconsistency, set both required and notEmpty to true for required properties. This configuration indicates that the property must exist, and must have a value.
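The create-versus-update gap described above, modelled in an added Python example (not code from this page or from IDM): required is checked only on create, so an update that blanks the property passes unless notEmpty is also set. The schema fragment is constructed; its schema-level required list follows the Phone example on this page, and representing notEmpty as a property-level boolean is an assumption of this model.

```python
import copy

# Constructed managed-object schema fragment (not a real tenant's config). The
# schema-level "required" list matches the Phone example on this page; the
# property-level "notEmpty" boolean is an assumed representation for this model.
SCHEMA = {
    "required": ["assetNumber"],
    "properties": {
        "assetNumber": {"type": "string", "notEmpty": True},
        "brand": {"type": ["string", "null"]},
    },
}

# Same schema with only "required" set, to show the update-time bypass.
SCHEMA_REQUIRED_ONLY = copy.deepcopy(SCHEMA)
SCHEMA_REQUIRED_ONLY["properties"]["assetNumber"].pop("notEmpty")


def _is_empty(value):
    return value is None or value in ("", [], {})


def _not_empty_errors(schema, obj):
    """notEmpty applies whenever the property is supplied, on create or update."""
    return [
        f"{name}: notEmpty"
        for name, prop in schema["properties"].items()
        if prop.get("notEmpty") and name in obj and _is_empty(obj[name])
    ]


def check_create(schema, obj):
    """Model of create-time policy: 'required' means the property must exist."""
    errors = [
        f"{name}: required"
        for name in schema.get("required", [])
        if obj.get(name) is None
    ]
    return errors + _not_empty_errors(schema, obj)


def check_update(schema, patch):
    """Model of update-time policy: 'required' is not re-evaluated at all."""
    return _not_empty_errors(schema, patch)
```

With only required set, check_update accepts an empty assetNumber; with notEmpty added, the same update is rejected, which is the inconsistency the text warns about.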
type
The data type for the property value; can be string, array, boolean, integer, number, object, Resource Collection, or null.
If any user might not have a value for a specific property (such as a telephoneNumber), you must include null as one of the property types. You can set a null property type in the IDM admin console (Configure > Managed Objects > User, select the property, and under the Details tab, Advanced Options, set Nullable to true). You can also set a null property type in your managed object configuration by setting "type" : [ "string", "null" ] for that property (where string can be any other valid property type). This information is validated by the policy service.
If you’re configuring a data type of array through the IDM admin console, you’re limited to two values.
isVirtual
Specifies whether the property takes a static value, or whether its value is calculated "on the fly" as the result of a script. Boolean, true or false.
returnByDefault
For non-core attributes (virtual attributes and relationship fields), specifies whether the property is returned in the results of a query on an object of this type if it is not explicitly requested. Virtual attributes and relationship fields are not returned by default. Boolean, true or false. When the property is in an array within a relationship, always set to false.
default
Specifies a default value if the object is created without passing a value. Default values are available for the following data types, and arrays of those types:
- boolean
- number
- object
- string
IDM assumes all default values are valid for the schema.
enum
Restricts a field’s possible values to a defined set of options. enum is supported for string and number types, and for array types containing strings or numbers.
To define enum values, add the enum property to the field’s schema definition. Currently, this must be done using an API PUT request to the /openidm/config/managed endpoint. You can’t use the Advanced Identity Cloud admin console or the IDM admin console to add, remove, or edit enums directly.
In the following examples, the string type shows the JSON hierarchy of the property, while the others truncate everything except the property itself.
- string
{
  "_id": "managed",
  "objects": [
    {
      ...
      "schema": {
        ...
        "properties": [
          ...
          {
            "favoriteColor": {
              "enum": [ "red", "green", "blue" ],
              "title": "Favorite Color",
              "type": "string",
              "viewable": true,
              "searchable": false,
              "userEditable": true,
              "description": "Choose your favorite color",
              "format": null,
              "isVirtual": false
            }
          },
          ...
- number
{
  "custom_enum_single_number": {
    "title": "Rating",
    "description": "Select the best number",
    "type": "number",
    "viewable": true,
    "userEditable": true,
    "enum": [ 4, 8, 15, 16, 23, 42 ]
  }
}
- array of strings
{
  "custom_enum_array_string": {
    "title": "Preferred Colors",
    "description": "Choose your preferred colors",
    "type": "array",
    "viewable": true,
    "userEditable": true,
    "items": { (1)
      "type": "string",
      "enum": [ "red", "green", "blue", "yellow" ]
    }
  }
}
(1) The enum definition must be placed within the items object.
Labels and translations for enum values are not set within the managed object schema. They must be configured using the translation override feature, using API POST requests to the /openidm/config/uilocale/<locale> endpoint.
Create an object using the Advanced Identity Cloud admin console
- From the Advanced Identity Cloud admin console, select Native Consoles > Identity Management.
- Select Configure > Managed Objects > New Managed Object.
- On the New Managed Object page, enter a name and readable title for the object, make optional changes as necessary, and click Save. The readable title specifies what the object will be called in the UI.
- On the Properties tab, specify the schema for the object type (the properties that make up the object).
- On the Scripts tab, specify any scripts that will be applied on events associated with that object type, for example, scripts that will be run when an object of that type is created, updated, or deleted.
Example: Phone object created using the IDM admin console
{
  "name": "Phone",
  "schema": {
    "$schema": "http://forgerock.org/json-schema#",
    "type": "object",
    "properties": {
      "brand": {
        "description": "The supplier of the mobile phone",
        "title": "Brand",
        "viewable": true,
        "searchable": true,
        "userEditable": false,
        "policies": [],
        "returnByDefault": false,
        "pattern": "",
        "isVirtual": false,
        "type": [
          "string",
          "null"
        ]
      },
      "assetNumber": {
        "description": "The asset tag number of the mobile device",
        "title": "Asset Number",
        "viewable": true,
        "searchable": true,
        "userEditable": false,
        "policies": [],
        "returnByDefault": false,
        "pattern": "",
        "isVirtual": false,
        "type": "string"
      },
      "model": {
        "description": "The model number of the mobile device, such as 6 plus, Galaxy S4",
        "title": "Model",
        "viewable": true,
        "searchable": false,
        "userEditable": false,
        "policies": [],
        "returnByDefault": false,
        "pattern": "",
        "isVirtual": false,
        "type": "string"
      }
    },
    "required": [],
    "order": [
      "brand",
      "assetNumber",
      "model"
    ]
  }
}
Create an object using the REST API
- Get the current managed object configuration:
curl \
--header "Authorization: Bearer <access-token>" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"https://<tenant-env-fqdn>/openidm/config/managed"
{
  "_id": "managed",
  "objects": [
    {managed-config-object}
  ]
}
- Make changes and replace the managed object configuration:
curl \
--header "Authorization: Bearer <access-token>" \
--header "Content-type: application/json" \
--header "Accept-API-Version: resource=1.0" \
--request PUT \
--data '{
  "_id": "managed",
  "objects": [
    {managed-config-object}
  ]
}' \
"https://<tenant-env-fqdn>/openidm/config/managed"
{
  "_id": "managed",
  "objects": [
    {managed-config-object}
  ]
}
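The enum rules from the property reference (string or number values only; for an array the enum sits inside items) and the GET, modify, PUT flow above, combined in an added Python example that is not part of this page or of IDM. The config document, the object name alpha_user and the access token are constructed placeholders; the PUT replaces the entire managed configuration, so always modify a freshly fetched copy rather than a stale one.

```python
import json
import urllib.request

# Constructed stand-in for a GET /openidm/config/managed response (not real tenant data).
CURRENT_CONFIG = {
    "_id": "managed",
    "objects": [
        {"name": "alpha_user", "schema": {"type": "object", "properties": {
            "userName": {"type": "string", "title": "Username"}}}},
    ],
}


def add_enum_property(config, object_name, prop_name, title, values, *, as_array=False):
    """Return a copy of config with an enum-restricted property added to one object.

    Applies the page's rules: enum values must be all strings or all numbers, and for
    an array property the enum goes inside "items", not on the property itself.
    """
    if values and all(isinstance(v, str) for v in values):
        item_type = "string"
    elif values and all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
        item_type = "number"
    else:
        raise ValueError("enum values must be all strings or all numbers")
    new = json.loads(json.dumps(config))  # deep copy; the fetched config stays untouched
    obj = next((o for o in new["objects"] if o["name"] == object_name), None)
    if obj is None:
        raise KeyError(f"no managed object named {object_name}")
    prop = {"title": title, "viewable": True, "userEditable": True}
    if as_array:
        prop.update({"type": "array", "items": {"type": item_type, "enum": list(values)}})
    else:
        prop.update({"type": item_type, "enum": list(values)})
    obj["schema"]["properties"][prop_name] = prop
    return new


def put_managed_config(base_url, access_token, config):
    """PUT the whole document back, mirroring the curl request above (not run offline)."""
    req = urllib.request.Request(
        f"{base_url}/openidm/config/managed",
        data=json.dumps(config).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json",
                 "Accept-API-Version": "resource=1.0"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```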
Default values
You can specify default values in the IDM managed object schema. If you omit a value when creating an object, the default value is automatically applied to the object. You can have default values for the following data types, and arrays of those types:
- boolean
- number
- object
- string
For example, the default IDM managed object schema includes a default value that makes accountStatus:active, which effectively replaces the onCreate script that was previously used to achieve the same result. The following excerpt from the IDM managed object schema displays the default value for accountStatus:
"accountStatus" : {
  "title" : "Status",
  "description" : "Status",
  "viewable" : true,
  "type" : "string",
  "searchable" : true,
  "userEditable" : false,
  "usageDescription" : "",
  "isPersonal" : false,
  "policies" : [
    {
      "policyId": "regexpMatches",
      "params": {
        "regexp": "^(active|inactive)$"
      }
    }
  ],
  "default" : "active"
}
Note: IDM assumes all default values are valid for the schema.