Express (Distributed operating systems), v8.0: Virtual member manager > Component overview


Functional Overview

This section gives a quick overview of the various functional components.

The following diagram shows the functional components of the virtual member manager. The items with the white background are not part of the virtual member manager functions, but are provided by the application or are additional plug-ins.

Figure 1. Functional components of virtual member manager

At runtime, applications can interact with virtual member manager:

Virtual member manager can also be invoked by using the virtual member manager User Management GUI and the wsadmin command line interface. Virtual member manager provides some commands and tasks to be plugged into the WAS Admin Command Framework. The commands and tasks are used by the GUI and wsadmin.

Virtual member manager provides operations such as create, get, update, delete, and search for organizational entities. The syntax for search filters is XPath 1.0. All requests to virtual member manager are access controlled. Virtual member manager processes each request by delegating some or most of the work to the underlying virtual member manager repository adapters. The adapters enable virtual member manager to interact with different types of repositories. All virtual member manager repository adapters implement the virtual member manager Repository SPI.

Virtual member manager supports the following types of repositories out-of-the-box: file, database, LDAP, and virtual member manager custom repositories. The file is a simple file-based repository with a virtual member manager-defined schema. The database repository is a database with a virtual member manager-defined schema. Virtual member manager is able to adapt to commonly used schemas for LDAP and can use existing LDAP directories. Various brands of databases and LDAP directories are supported.

A customer whose repository cannot be supported out-of-the-box can develop a custom virtual member manager repository adapter. Virtual member manager can use multiple repositories simultaneously. Virtual member manager also provides a property extension repository to hold properties for organizational entities that cannot be stored in the main profile repository. Administrators who configure virtual member manager and programmers who develop applications using the virtual member manager API can make use of the property extension feature. When the virtual member manager Runtime API is invoked, virtual member manager transparently joins the properties for an entity from its main profile repository and the property extension repository, and the joined information is returned to the caller. The existence of the property extension does not show through in the virtual member manager Runtime API.
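The request path described in the two paragraphs above (access check by an authorization provider, delegation to the adapter that owns the entity through a common SPI, and the transparent join with the property extension repository) can be modelled in a few dozen lines. The following is an added example, not IBM's code or the virtual member manager API: the class names, the `owns` routing rule, the constructed base entries `o=localfile` and `o=example.com`, and the sample entities are all assumptions. The search filter evaluator implements only a small subset of the XPath-style syntax (conjunctions of `name='value'` tests with `*` as a wildcard and `@xsi:type` selecting the entity type) and rejects anything else rather than guessing.

```python
"""Conceptual model of the virtual member manager request path (access check, delegation to a
repository adapter through an SPI, transparent join with the property extension repository).
Added example, not IBM's code or the VMM API; every name here is an assumption."""
import fnmatch
import re
from abc import ABC, abstractmethod
from typing import Callable, Dict, List, Optional

Entity = Dict[str, str]  # flat property bag; 'uniqueName' identifies the entity
_TERM = re.compile(r"\s*(@?[\w:]+)\s*=\s*'([^']*)'\s*")

def matches_filter(entity: Entity, expression: str) -> bool:
    """Small XPath-style subset: name='value' terms joined by 'and', '*' as a
    wildcard, @xsi:type selecting the entity type; anything else is rejected."""
    for term in re.split(r"\s+and\s+", expression):
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unsupported filter term: {term!r}")
        name, pattern = m.groups()
        value = entity.get("entityType" if name == "@xsi:type" else name, "")
        if not fnmatch.fnmatchcase(value, pattern):
            return False
    return True

class RepositorySPI(ABC):
    """Contract every adapter implements (stand-in for the Repository SPI)."""
    @abstractmethod
    def owns(self, unique_name: str) -> bool: ...
    @abstractmethod
    def create(self, entity: Entity) -> None: ...
    @abstractmethod
    def get(self, unique_name: str) -> Optional[Entity]: ...
    @abstractmethod
    def search(self, expression: str) -> List[Entity]: ...

class InMemoryAdapter(RepositorySPI):
    """Stands in for a file or LDAP adapter; a real one would talk to its backing store."""
    def __init__(self, base_entry: str):
        self.base_entry = base_entry  # unique-name suffix this repository owns
        self._store: Dict[str, Entity] = {}
    def owns(self, unique_name):
        return unique_name.endswith(self.base_entry)
    def create(self, entity):
        self._store[entity["uniqueName"]] = dict(entity)
    def get(self, unique_name):
        return dict(self._store[unique_name]) if unique_name in self._store else None
    def search(self, expression):
        return [dict(e) for e in self._store.values() if matches_filter(e, expression)]

class AccessDenied(PermissionError):
    """Raised when the authorization provider rejects a request."""

class VirtualMemberManager:
    """Checks access, routes to the owning adapter, joins property-extension values."""
    def __init__(self, adapters: List[RepositorySPI], authorize: Callable[[str, str], bool]):
        self._adapters = adapters
        self._authorize = authorize  # authorization-provider callback: (caller, op) -> bool
        self._ext: Dict[str, Dict[str, str]] = {}  # property extension repository
    def _check(self, caller, op):
        if not self._authorize(caller, op):
            raise AccessDenied(f"{caller} may not {op}")
    def _adapter_for(self, unique_name):
        for a in self._adapters:
            if a.owns(unique_name):
                return a
        raise LookupError(f"no repository configured for {unique_name}")
    def _join(self, entity):  # the caller sees one entity, never two repositories
        return {**entity, **self._ext.get(entity["uniqueName"], {})}
    def create(self, caller, entity, **extension_props):
        self._check(caller, "create")
        self._adapter_for(entity["uniqueName"]).create(entity)
        if extension_props:
            self._ext.setdefault(entity["uniqueName"], {}).update(extension_props)
    def get(self, caller, unique_name):
        self._check(caller, "get")
        e = self._adapter_for(unique_name).get(unique_name)
        return self._join(e) if e else None
    def search(self, caller, expression):
        self._check(caller, "search")
        return [self._join(e) for a in self._adapters for e in a.search(expression)]

def demo():
    """Constructed sample data; returns the results worth checking."""
    policy = {"admin": {"create", "get", "search"}, "reader": {"get", "search"}}
    vmm = VirtualMemberManager([InMemoryAdapter("o=localfile"), InMemoryAdapter("o=example.com")],
                               authorize=lambda who, op: op in policy.get(who, set()))
    vmm.create("admin", {"uniqueName": "uid=jdoe,o=example.com", "entityType": "PersonAccount",
                         "uid": "jdoe"}, employeeBadge="B-1001")  # badge lives only in the extension
    vmm.create("admin", {"uniqueName": "uid=svc,o=localfile", "entityType": "PersonAccount", "uid": "svc"})
    vmm.create("admin", {"uniqueName": "cn=staff,o=example.com", "entityType": "Group", "cn": "staff"})
    try:
        vmm.create("reader", {"uniqueName": "uid=x,o=localfile", "entityType": "PersonAccount"})
        reader_blocked = False
    except AccessDenied:
        reader_blocked = True
    people = vmm.search("reader", "@xsi:type='PersonAccount' and uid='*'")
    return {"uids": sorted(p["uid"] for p in people),
            "jdoe": vmm.get("reader", "uid=jdoe,o=example.com"), "reader_blocked": reader_blocked}
```

Two points worth noticing in the model: the access check runs before any adapter is touched, so an unauthorized caller learns nothing about which repositories exist, and the `employeeBadge` value that was never written to the owning adapter comes back on `get` as if it were an ordinary property, which is exactly the behaviour the text attributes to the property extension.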

Extensions to the virtual member manager core are made by using plug-ins. Virtual member manager has a generic plug-in service that enables the core virtual member manager code to be extended with additional functions for policy management, event notification, manipulation of group membership, and so forth. Virtual member manager exploiters (or customers) need to provide the plug-ins. Virtual member manager uses the generic plug-in service to plug in code to handle organizational views.

An application can use the Realm support to tell virtual member manager the subset of organizational entities it wants to deal with. For example, if the organizational entities in virtual member manager represent the employees (the people, the groups, and their login accounts) in IBM, an application might only want to deal with a subset of the population (for example, only those from IBM US and IBM Canada). In virtual member manager the application can configure a realm that is made up of the populations from IBM US and IBM Canada. When the application invokes virtual member manager, virtual member manager only operates on that subset of the population.
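The realm behaviour described above, as an added example that is not part of the original documentation and does not use the virtual member manager API. The realm is modelled as a set of base entries (unique-name suffixes), and the service answers only for entities under one of them; the population entries under `ou=us,o=ibm`, `ou=ca,o=ibm` and `ou=uk,o=ibm` are constructed to match the IBM US / IBM Canada example in the text, and all names (`Realm`, `RealmScopedService`, `POPULATION`) are assumptions.

```python
"""Conceptual model of realm scoping, added as an illustration; not IBM's code or the VMM API.
A realm is the set of base entries (unique-name suffixes) whose populations an application
wants to deal with; get, search and create are restricted to entities under those entries."""
from typing import Dict, List, Optional

Entity = Dict[str, str]

class Realm:
    def __init__(self, name: str, base_entries: List[str]):
        self.name, self.base_entries = name, tuple(base_entries)
    def contains(self, unique_name: str) -> bool:
        return any(unique_name.endswith(b) for b in self.base_entries)

class RealmScopedService:
    """Holds the whole population but answers only for entities inside the realm."""
    def __init__(self, population: List[Entity], realm: Realm):
        self._all, self._realm = population, realm
    def get(self, unique_name: str) -> Optional[Entity]:
        if not self._realm.contains(unique_name):
            return None  # outside the realm the entity might as well not exist
        return next((dict(e) for e in self._all if e["uniqueName"] == unique_name), None)
    def search(self, entity_type: str) -> List[str]:
        return sorted(e["uniqueName"] for e in self._all
                      if e["entityType"] == entity_type and self._realm.contains(e["uniqueName"]))
    def create(self, entity: Entity) -> None:
        if not self._realm.contains(entity["uniqueName"]):
            raise ValueError(f"{entity['uniqueName']} is outside realm {self._realm.name}")
        self._all.append(dict(entity))

# Constructed population: three country subtrees of one organisation (assumption).
POPULATION: List[Entity] = [
    {"uniqueName": "uid=alice,ou=us,o=ibm", "entityType": "PersonAccount"},
    {"uniqueName": "uid=bob,ou=ca,o=ibm", "entityType": "PersonAccount"},
    {"uniqueName": "uid=carol,ou=uk,o=ibm", "entityType": "PersonAccount"},
    {"uniqueName": "cn=payroll,ou=us,o=ibm", "entityType": "Group"},
]

def north_america_view() -> RealmScopedService:
    """A realm made up of the IBM US and IBM Canada populations, as in the text."""
    return RealmScopedService(list(POPULATION), Realm("NorthAmerica", ["ou=us,o=ibm", "ou=ca,o=ibm"]))

def demo():
    svc = north_america_view()
    try:
        svc.create({"uniqueName": "uid=dave,ou=uk,o=ibm", "entityType": "PersonAccount"})
        create_outside_rejected = False
    except ValueError:
        create_outside_rejected = True
    return {"people": svc.search("PersonAccount"),
            "carol": svc.get("uid=carol,ou=uk,o=ibm"),
            "alice": svc.get("uid=alice,ou=us,o=ibm"),
            "create_outside_rejected": create_outside_rejected}
```

The UK entry is still present in the underlying population; the realm simply makes it invisible to this application, and an attempt to create an entity outside the realm is refused rather than silently written somewhere the application cannot later see.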

Besides create, get, update, delete, and search, virtual member manager provides a few security operations such as check password and map certificate. These operations are part of the login processing and are expected to be called by the virtual member manager UR. The security manager within virtual member manager calls out to an authorization provider to perform access control checks.

The schema service in virtual member manager enables callers to access and change the virtual member manager schema information. The virtual member manager schema defines the entity types supported by virtual member manager (for example, PersonAccount, Group, and LoginAccount). Virtual member manager has two levels of schema information:

The schema service can be used at runtime to extend the virtual member manager schema. Out-of-the-box, virtual member manager supports runtime programmatic schema extensions for LDAP, the database repository, and the property extension repository.
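The schema service and runtime schema extension described in the last two paragraphs, as an added example that is not IBM's code or the virtual member manager API. The model keeps a registry of entity types with their properties, validates an entity against its type, and lets a caller add a property at runtime only for repository kinds that support extension; the text lists LDAP, database and property extension repositories as supporting it, so the model treats the file repository as not supporting it (an inference). The names (`SchemaService`, `EntityType`, `Repository`) and the small property sets given to `PersonAccount`, `Group` and `LoginAccount` are assumptions.

```python
"""Conceptual model of the schema service and runtime schema extension; added illustration,
not IBM's code or the VMM API. Capability flags follow the text: LDAP, database and
property-extension repositories accept runtime extension, the file repository is treated as not."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class EntityType:
    name: str
    properties: Set[str] = field(default_factory=set)

@dataclass
class Repository:
    kind: str                        # "file", "database", "ldap", "propertyExtension", "custom"
    supports_schema_extension: bool

class SchemaService:
    """Holds entity-type definitions and validates entities against them."""
    def __init__(self):
        # constructed subset of properties per entity type (assumption)
        self._types: Dict[str, EntityType] = {
            "PersonAccount": EntityType("PersonAccount", {"uid", "cn", "sn", "mail"}),
            "Group": EntityType("Group", {"cn", "description"}),
            "LoginAccount": EntityType("LoginAccount", {"principalName", "password"}),
        }
    def entity_types(self) -> List[str]:
        return sorted(self._types)
    def properties(self, type_name: str) -> List[str]:
        return sorted(self._types[type_name].properties)
    def extend(self, repository: Repository, type_name: str, new_property: str) -> None:
        """Runtime extension; refused for repositories that cannot change their schema."""
        if not repository.supports_schema_extension:
            raise NotImplementedError(f"{repository.kind} repository does not support schema extension")
        self._types[type_name].properties.add(new_property)
    def validate(self, entity: Dict[str, str]) -> Set[str]:
        """Return the property names an entity carries that its type does not define."""
        et = self._types[entity["entityType"]]
        return {k for k in entity if k not in ("entityType", "uniqueName") and k not in et.properties}

def demo():
    schema = SchemaService()
    person = {"entityType": "PersonAccount", "uid": "jdoe", "costCenter": "4711"}
    before = schema.validate(person)  # costCenter is not yet part of the schema
    try:
        schema.extend(Repository("file", False), "PersonAccount", "costCenter")
        file_refused = False
    except NotImplementedError:
        file_refused = True
    schema.extend(Repository("propertyExtension", True), "PersonAccount", "costCenter")
    after = schema.validate(person)  # accepted once the extension has been applied
    return {"before": before, "after": after, "file_refused": file_refused}
```

Validating against the schema before a create reaches an adapter is what turns an unexpected property into a clear error at the service boundary instead of a repository-specific failure deeper in the stack.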
