Common domain model
The virtual member manager common domain model provides the basic concepts needed by virtual member manager applications for managing organizational entities.
Although virtual member manager provides a common model, within the common model there is flexibility:
- The entire model does not have to be used. Applications may use only a portion of the model.
- The model can be extended when deployed in a customer environment.
- Within the model itself there is some flexibility in how certain concepts are represented.
Entity
Entity represents an organizational entity managed by virtual member manager. Every organizational entity is associated with one Identifier.
Identifier
A virtual member manager Identifier contains two identifiers defined by virtual member manager: a virtual member manager uniqueId and a virtual member manager uniqueName. The uniqueId is globally unique, static, and never reused. The uniqueName is unique within the scope of an instance of virtual member manager, and may be changed and reused. The uniqueName may be globally unique for some deployments of virtual member manager, but this is not guaranteed. An organizational entity is stored in a repository, and the repositoryId is also available from the Identifier. A repository-specific externalName and externalId might also be available for the entity. Using an entity stored in an LDAP server as an example:
- The entity's virtual member manager uniqueName is the mapped DN of the entry in virtual member manager.
- The entity's virtual member manager uniqueId can be a UUID (which can be generated by virtual member manager or is from the LDAP server).
- The entity's repositoryId is a string name that identifies a repository in an instance of virtual member manager. That string name must be unique among all the repository names in that instance of virtual member manager.
- The entity's externalName can be the LDAP DN for the entity.
- The entity's externalId can be the UUID for the entity on LDAP.
The organizational entity may have other identifiers, which can be real life identifiers such as a social security number or a driver's license number for a person. All these other identifiers are treated as properties of the organizational entity.
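The difference between the two identifiers matters whenever an application stores a reference to an entity, for example in an access-control list. The following added example is not part of the original documentation and does not use the virtual member manager API; the `Instance` class, the DNs and the repository name `ldap1` are constructed for illustration. It shows what happens to grants keyed on uniqueName versus uniqueId when one entity is renamed and another uniqueName is reused.

```python
import uuid
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Identifier:
    unique_id: str       # globally unique, static, never reused
    unique_name: str     # unique per instance; may be changed and reused
    repository_id: str

class Instance:
    """Constructed in-memory stand-in for one virtual member manager instance."""
    def __init__(self):
        self.by_name = {}

    def create(self, unique_name, repository_id):
        if unique_name in self.by_name:
            raise ValueError("uniqueName already in use in this instance")
        ident = Identifier(str(uuid.uuid4()), unique_name, repository_id)
        self.by_name[unique_name] = ident
        return ident

    def rename(self, old_name, new_name):
        ident = replace(self.by_name.pop(old_name), unique_name=new_name)
        self.by_name[new_name] = ident   # uniqueId is unchanged
        return ident

    def delete(self, unique_name):
        del self.by_name[unique_name]    # the uniqueId is retired with the entity

def scenario():
    """Compare grants keyed on uniqueName with grants keyed on uniqueId."""
    vmm = Instance()
    alice = vmm.create("uid=asmith,ou=people,dc=example,dc=com", "ldap1")
    bob = vmm.create("uid=bjones,ou=people,dc=example,dc=com", "ldap1")
    by_name = {alice.unique_name, bob.unique_name}
    by_id = {alice.unique_id, bob.unique_id}

    # Rename: same entity, new uniqueName.
    alice = vmm.rename(alice.unique_name, "uid=adoe,ou=people,dc=example,dc=com")
    # Delete and re-create: a different entity reuses the old uniqueName.
    vmm.delete(bob.unique_name)
    newcomer = vmm.create("uid=bjones,ou=people,dc=example,dc=com", "ldap1")

    return {
        "renamed_keeps_access_by_name": alice.unique_name in by_name,
        "renamed_keeps_access_by_id": alice.unique_id in by_id,
        "newcomer_inherits_by_name": newcomer.unique_name in by_name,
        "newcomer_inherits_by_id": newcomer.unique_id in by_id,
    }
```

Grants keyed on uniqueName drop the renamed entity and pass the deleted entity's access to the newcomer; grants keyed on uniqueId do neither.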
Group
A group is a simple collection of entities that might not have any relational context. Although in some models group is considered a subclass of organization, virtual member manager models group as a distinct entity in order to better align with other existing products such as LDAP, where a group is distinct from an organization.
GroupMembership Association
The group membership association associates a group to its members and an entity to the groups to which it belongs.
OrgContainer
OrgContainer represents an organization such as a company or an enterprise, a subsidiary, or an organizational unit such as a division, a location, or a department. The o and ou properties can be used to distinguish whether the entity is an organization or an organizationalUnit.
GeographicLocation
Geographic location represents a real-world location. The location can be a country, a geographic region, a locality and so forth.
Repository
A repository represents a data repository (for example, an LDAP server, a database, or a file) configured under virtual member manager. Organizational entities in a repository may be scoped by collecting them into different realms. For example, if an LDAP server is the repository, different subtrees in the LDAP server can be considered different realms. Note that there are different ways to scope or collect entities together for different purposes. Out-of-the-box, virtual member manager supports scoping by providing the realm construct. Other methods of scoping can be built on top of virtual member manager by applications.
Realm
A realm represents a scoping of organizational entities particularly for the purpose of authentication and retrieval of security group memberships. An application uses a realm to specify to virtual member manager the collection of organizational entities it wants to work with.
Person
Person represents a human being.
Login account
A login account represents an account in a system. The account allows a person or an application to log in to the system in order to use the services provided by the system. Information in a login account includes the names that can be used for logging in, one or more passwords, and so forth. In most LDAP deployments and operating systems that virtual member manager supports out-of-the-box, a person and his login account are merged as a single entity (for example, the LDAP inetOrgPerson).
To support these environments, virtual member manager uses PersonAccount as a sub-type or extension of LoginAccount. PersonAccount is a login account with person information.
PersonAccount
PersonAccount represents a LoginAccount with person properties. It is equivalent to a user concept, when the entity who uses the account is a person (as opposed to an application). PersonAccount in virtual member manager is designed to specifically support user entries in repositories that combine person and account information.
Subtypes for a login account
A subtype represents the actual login accounts on various systems.
Container
A container represents a generic container object used to contain virtual member manager entities in the virtual member manager hierarchy. The container class is included for integration with LDAP directories.
Virtual member manager hierarchy association
Virtual member manager hierarchy reflects to some extent the logical location of an organizational entity in the underlying repository. It organizes the entities managed by virtual member manager into a hierarchical structure and creates a hierarchical namespace that virtual member manager uses to assign unique names for the entities. When multiple repositories are used by virtual member manager simultaneously, virtual member manager divides the hierarchy (that is, divides the namespace) among the multiple repositories.
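The Repository, Realm and hierarchy sections above describe a namespace divided among repositories, with realms scoping subtrees. The following added example is not virtual member manager code and does not claim to be its algorithm: it assumes each repository and realm is identified by a subtree base DN, and all names are constructed. It shows why membership in a subtree must be decided on RDN boundaries rather than by string suffix.

```python
def rdns(dn):
    """Split a DN into lower-cased RDNs, honouring backslash escapes.
    Simplification: case-insensitive match, multi-valued RDNs not normalized."""
    out, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            out.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    out.append("".join(cur).strip().lower())
    return out

def is_under(dn, base):
    """True when dn equals base or lies in the subtree below it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# Constructed configuration: repositoryId -> subtree, realm name -> subtrees.
REPOSITORIES = {"ldap1": "ou=people,dc=example,dc=com", "db1": "o=partners"}
REALMS = {"staff": ["ou=staff,ou=people,dc=example,dc=com"],
          "everyone": ["ou=people,dc=example,dc=com", "o=partners"]}

def repository_for(unique_name, repositories=REPOSITORIES):
    """Return the repositoryId owning unique_name (most specific subtree wins)."""
    hits = [(len(rdns(base)), rid) for rid, base in repositories.items()
            if is_under(unique_name, base)]
    return max(hits)[1] if hits else None

def in_realm(unique_name, realm, realms=REALMS):
    """True when unique_name falls inside one of the realm's subtrees."""
    return any(is_under(unique_name, base) for base in realms[realm])

def naive_under(dn, base):
    """String-suffix check, shown only for comparison with is_under()."""
    return dn.lower().endswith("," + base.lower())
```

A name such as `cn=x\,o=partners` is a single RDN whose value contains an escaped comma: `naive_under` places it in `o=partners`, while `is_under` does not.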