The virtual member manager common domain model provides the basic
concepts needed by virtual member manager applications for managing organizational
entities.
Although virtual member manager provides a common model, within the common
model there is flexibility:
- The entire model does not have to be used. Applications may use only a
portion of the model.
- The model can be extended when deployed in a customer environment.
- Within the model itself there is some flexibility in how certain concepts
are represented.
- Entity
- Entity represents an organizational entity managed by virtual member manager.
Every organizational entity is associated with one Identifier.
- Identifier
- A virtual member manager Identifier contains two identifiers defined by
virtual member manager: a virtual member manager uniqueId and a virtual member
manager uniqueName. The uniqueId is globally unique, static, and never reused.
The uniqueName is unique within the scope of an instance of virtual member
manager, and may be changed and reused. The uniqueName may be globally unique
for some deployments of virtual member manager, but this is not guaranteed. An
organizational entity is stored in a repository, and the repositoryId is also
available from the Identifier. A repository-specific externalName and externalId
might also be available for the entity.
Using an entity stored in an LDAP server as an example:
- The entity's virtual member manager uniqueName is the mapped DN of the
entry in virtual member manager.
- The entity's virtual member manager uniqueId can be a UUID (either generated
by virtual member manager or taken from the LDAP server).
- The entity's RepositoryId is a string name that identifies a repository
in an instance of virtual member manager. That string name must be unique
among all the repository names in that instance of virtual member manager.
- The entity's externalName can be the LDAP DN for the entity.
- The entity's externalId can be the UUID for the entity on LDAP.
The organizational entity may have other identifiers, which can be real
life identifiers such as a social security number or a driver's license number
for a person. All these other identifiers are treated as properties of the
organizational entity.
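The distinction above matters wherever a reference to an entity is stored: a uniqueName can be renamed and later handed to a different entity, while a uniqueId never is, so a persisted reference (an ACL entry, an audit record, a group member link) should be keyed on the uniqueId. The following Python model is an added illustration, not IBM's virtual member manager API; the `Identifier` and `Instance` classes and the constructed names and ids in `walkthrough()` are hypothetical, and only the rules stated in the text (uniqueId never reused, uniqueName unique per instance but reusable, repository name unique per instance) are modelled.

```python
"""Illustrative model (added example, not IBM's code) of the virtual member
manager Identifier rules: uniqueId is globally unique, static and never reused;
uniqueName is unique within one instance but may be renamed and reused;
repositoryId is unique among the repositories of an instance."""
import uuid
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Identifier:
    unique_id: str                          # globally unique, static, never reused
    unique_name: str                        # unique within this instance; may change
    repository_id: str                      # the configured repository holding the entity
    external_name: Optional[str] = None     # repository-specific name, e.g. the LDAP DN
    external_id: Optional[str] = None       # repository-specific id, e.g. an LDAP entry UUID


class Instance:
    """One virtual member manager instance (hypothetical class, for illustration)."""

    def __init__(self) -> None:
        self.repositories: Set[str] = set()
        self._by_id: Dict[str, Identifier] = {}
        self._by_name: Dict[str, str] = {}      # lower-cased uniqueName -> uniqueId
        self._retired_ids: Set[str] = set()     # ids of deleted entities; never handed out again

    def add_repository(self, repository_id: str) -> None:
        # Repository names must be unique among all repositories of the instance.
        if repository_id in self.repositories:
            raise ValueError(f"repository name {repository_id!r} is already used in this instance")
        self.repositories.add(repository_id)

    def create(self, unique_name: str, repository_id: str, external_name: Optional[str] = None,
               external_id: Optional[str] = None, unique_id: Optional[str] = None) -> Identifier:
        """Register an entity; unique_id may be supplied by the repository or generated here."""
        if repository_id not in self.repositories:
            raise KeyError(f"unknown repository {repository_id!r}")
        if unique_name.lower() in self._by_name:
            raise ValueError(f"uniqueName {unique_name!r} is already in use")
        uid = unique_id or str(uuid.uuid4())
        if uid in self._by_id or uid in self._retired_ids:
            raise ValueError(f"uniqueId {uid!r} has been used before and may never be reused")
        ident = Identifier(uid, unique_name, repository_id, external_name, external_id)
        self._by_id[uid] = ident
        self._by_name[unique_name.lower()] = uid
        return ident

    def rename(self, unique_id: str, new_unique_name: str) -> Identifier:
        """Change an entity's uniqueName; its uniqueId is unchanged."""
        ident = self._by_id[unique_id]
        holder = self._by_name.get(new_unique_name.lower())
        if holder is not None and holder != unique_id:
            raise ValueError(f"uniqueName {new_unique_name!r} is already in use")
        del self._by_name[ident.unique_name.lower()]
        ident = replace(ident, unique_name=new_unique_name)
        self._by_id[unique_id] = ident
        self._by_name[new_unique_name.lower()] = unique_id
        return ident

    def delete(self, unique_id: str) -> None:
        ident = self._by_id.pop(unique_id)
        del self._by_name[ident.unique_name.lower()]
        self._retired_ids.add(unique_id)        # the name becomes free again, the id does not

    def by_name(self, unique_name: str) -> Optional[Identifier]:
        uid = self._by_name.get(unique_name.lower())
        return self._by_id.get(uid) if uid else None

    def by_id(self, unique_id: str) -> Optional[Identifier]:
        return self._by_id.get(unique_id)


def walkthrough() -> dict:
    """Constructed scenario: a name is renamed and reused, an id is retired forever."""
    inst = Instance()
    inst.add_repository("LDAP1")
    alice = inst.create("uid=alice,ou=people,o=example,c=us", "LDAP1",
                        external_name="uid=alice,ou=people,dc=example,dc=com",
                        unique_id="id-alice")
    inst.rename(alice.unique_id, "uid=alice.smith,ou=people,o=example,c=us")
    # The old uniqueName is free, so a different entity may now take it.
    other = inst.create("uid=alice,ou=people,o=example,c=us", "LDAP1", unique_id="id-other")
    by_name = inst.by_name("uid=alice,ou=people,o=example,c=us").unique_id   # the new holder
    by_id = inst.by_id("id-alice").unique_name                               # still Alice
    inst.delete(other.unique_id)
    try:
        inst.create("uid=eve,ou=people,o=example,c=us", "LDAP1", unique_id="id-other")
        id_reused = True
    except ValueError:
        id_reused = False
    return {"by_name": by_name, "by_id": by_id, "id_reused": id_reused,
            "name_free_after_delete": inst.by_name("uid=alice,ou=people,o=example,c=us") is None}
```

Run `walkthrough()` to see the difference in behaviour: looking up the original uniqueName after the rename returns the other entity, while the uniqueId still resolves to Alice, and the retired uniqueId cannot be assigned again even after the entity that used it is deleted.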
- Group
- A group is a simple collection of entities that might not have any relational
context. Although in some models group is considered a subclass of organization,
virtual member manager models group as a distinct entity in order to better
align with other existing products such as LDAP, where a group is distinct
from an organization.
- GroupMembership Association
- The group membership association associates a group to its members and
an entity to the groups to which it belongs.
- OrgContainer
- OrgContainer represents an organization such as a company or an enterprise,
a subsidiary, or an organizational unit such as a division, a location, or
a department. The o and ou properties can be used to distinguish whether
the entity is an organization or an organizationalUnit.
- GeographicLocation
- Geographic location represents a real-world location. The location can
be a country, a geographic region, a locality and so forth.
- Repository
- A repository represents a data repository (for example, an LDAP server,
a database, or a file) configured under virtual member manager. Organizational
entities in a repository may be scoped by collecting them into different realms.
For example, if an LDAP server is the repository, different subtrees in
the LDAP server can be considered different realms. Note that there are different
ways to scope or collect entities together for different purposes. Out-of-the-box,
virtual member manager supports scoping by providing the realm construct.
Other methods of scoping can be built on top of virtual member manager by
applications.
- Realm
- A realm represents a scoping of organizational entities particularly for
the purpose of authentication and retrieval of security group memberships.
An application uses a realm to specify to virtual member manager the collection
of organizational entities it wants to work with.
- Person
- Person represents a human being.
- Login account
- A login account represents an account in a system. The account allows
a person or an application to log in to the system in order to use the services
provided by the system. Information in a login account includes the names
that can be used for logging in, one or more passwords, and so forth.
Note: In most LDAP deployments and operating systems that virtual member manager
supports out-of-the-box, a person and his login account are merged as a single entity
(for example, the LDAP inetOrgPerson). To support these environments, virtual
member manager uses PersonAccount as a sub-type or extension of LoginAccount.
PersonAccount is a login account with person information.
- PersonAccount
- PersonAccount represents a LoginAccount with person properties. It is
equivalent to a user concept, when the entity who uses the account is a person
(as opposed to an application). PersonAccount in virtual member manager is
designed to specifically support user entries in repositories that combine
person and account information.
- Subtypes for a login account
- A subtype represents the actual login accounts on various systems.
- Container
- A container represents a generic container object used to contain virtual
member manager entities in the virtual member manager hierarchy. The container
class is included for integration with LDAP directories.
- Virtual member manager hierarchy association
- Virtual member manager hierarchy reflects to some extent the logical location
of an organizational entity in the underlying repository. It organizes the
entities managed by virtual member manager into a hierarchical structure and
creates a hierarchical namespace that virtual member manager uses to assign
unique names for the entities. When multiple repositories are used by virtual
member manager simultaneously, virtual member manager divides the hierarchy
(that is, divides the namespace) among the multiple repositories.
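To make the division of the namespace concrete, the Python model below is an added illustration, not IBM's code. It assumes the mapping described for LDAP earlier on this page: each repository owns one or more base entries, each base entry pairs a name in the virtual member manager hierarchy (`unique_name_base`) with the corresponding subtree name inside the repository (`external_base`), and an entity's uniqueName is its repository-specific DN re-rooted under that base entry. The `BaseEntry` and `Hierarchy` classes, the repository ids `LDAP1` and `LDAP2`, and all distinguished names in `example_hierarchy()` are constructed for the example. It goes slightly beyond the text by resolving nested base entries to the longest match and by honouring backslash-escaped commas in RDN values, which a naive split on `,` would break.

```python
"""Illustrative model (added example, not IBM's code) of how the virtual member
manager hierarchy divides one namespace among several repositories."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, keeping escape pairs such as "\\," intact."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _key(rdns: List[str]) -> List[str]:
    # Case-insensitive comparison of whole RDNs: a simplification of LDAP matching rules.
    return [r.lower() for r in rdns]


def normalize(dn: str) -> str:
    return ",".join(_key(split_dn(dn)))


def is_under(dn: str, base: str) -> bool:
    """True when `base` is an ancestor of `dn` or equal to it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and _key(d[len(d) - len(b):]) == _key(b)


@dataclass(frozen=True)
class BaseEntry:
    repository_id: str      # unique name of a configured repository
    unique_name_base: str   # where this subtree sits in the virtual member manager hierarchy
    external_base: str      # the same subtree as it is named inside the repository


class Hierarchy:
    """Hypothetical class: the namespace, partitioned by base entries."""

    def __init__(self, base_entries: Iterable[BaseEntry]) -> None:
        self.base_entries = list(base_entries)
        names = [normalize(b.unique_name_base) for b in self.base_entries]
        if len(set(names)) != len(names):
            raise ValueError("base entry names must be unique across the instance")

    def base_entry_for(self, unique_name: str) -> BaseEntry:
        """The most specific base entry that contains unique_name."""
        matches = [b for b in self.base_entries if is_under(unique_name, b.unique_name_base)]
        if not matches:
            raise LookupError(f"{unique_name!r} lies outside every configured base entry")
        return max(matches, key=lambda b: len(split_dn(b.unique_name_base)))

    def repository_for(self, unique_name: str) -> str:
        return self.base_entry_for(unique_name).repository_id

    def to_external_name(self, unique_name: str) -> Tuple[str, str]:
        """Map a uniqueName to (repositoryId, externalName) by swapping the base."""
        b = self.base_entry_for(unique_name)
        rel = split_dn(unique_name)[:-len(split_dn(b.unique_name_base))]
        return b.repository_id, ",".join(rel + split_dn(b.external_base))

    def to_unique_name(self, repository_id: str, external_name: str) -> str:
        """Map a repository-specific name back into the hierarchy (the 'mapped DN')."""
        matches = [b for b in self.base_entries
                   if b.repository_id == repository_id and is_under(external_name, b.external_base)]
        if not matches:
            raise LookupError(f"{external_name!r} is not under a base entry of {repository_id!r}")
        b = max(matches, key=lambda b: len(split_dn(b.external_base)))
        rel = split_dn(external_name)[:-len(split_dn(b.external_base))]
        return ",".join(rel + split_dn(b.unique_name_base))

    def parent(self, unique_name: str) -> Optional[str]:
        """Parent in the hierarchy; what lies above a base entry is not modelled here."""
        b = self.base_entry_for(unique_name)
        if normalize(unique_name) == normalize(b.unique_name_base):
            return None
        return ",".join(split_dn(unique_name)[1:])


def example_hierarchy() -> Hierarchy:
    """Constructed configuration: two repositories, one nested base entry."""
    return Hierarchy([
        BaseEntry("LDAP1", "o=example,c=us", "dc=example,dc=com"),
        BaseEntry("LDAP2", "ou=contractors,o=example,c=us", "dc=contractors,dc=net"),
    ])
```

With `example_hierarchy()`, `uid=bob,ou=contractors,o=example,c=us` resolves to `LDAP2` because the nested base entry is the longest match, even though the name also lies under the `LDAP1` base entry; every other name under `o=example,c=us` resolves to `LDAP1`.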