Security Verify Access user attributes and group attribute

Attributes

The API provides access to the Security Verify Access user attributes and group attributes. The new API provides access to:

Security Verify Access user attributes, and the native user attributes.
Security Verify Access group attributes, the description, and cn attributes of the native group.
The following table describes the API attribute details:

API Constant Name Entry Operation Description

MIN_PASSWORD_LENGTH _NAME passwordMinLength Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Minimum length of a password. Multibyte characters are treated as a single character. The value must be a decimal integer. If you do not set this attribute, the API uses the global value.

PASSWORD_SPACES _NAME secPwdSpaces Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Specifies whether to permit space and tabs in passwords. You have 2 choices:

True permits space and tab characters.
False does not permit these characters.
If you do not set this attribute, the API uses the global value.

MAX_PASSWORD_REPEATED _CHARS_NAME passwordMaxRepeatedChars Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Specifies the maximum number of times a character can be repeated consecutively in a password.
The value must be a decimal integer.
The value -1 indicates there is no limit on the number of times a character can be repeated consecutively.
If you do not set this attribute, the API uses the global value.

MIN_PASSWORD_ALPHAS _NAME passwordMinAlphaChars Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Specifies the minimum number of alphabetic characters for the password. This set consists of these characters:

UPPERCASE_LETTER: General category Lu in the Unicode specification.
LOWERCASE_LETTER: General category Ll in the Unicode specification.
TITLECASE_LETTER: General category Lt in the Unicode specification.
MODIFIER_LETTER: General category Lm in the Unicode specification.
OTHER_LETTER: General category Lo in the Unicode specification.
Use only decimal integer values. If you do not set this attribute, the API uses the global value.

MIN_PASSWORD_NON_ALPHAS _NAME passwordMinOtherChars Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Specifies the minimum number of non-alphabetic characters in the password.
This set complements MIN_PASSWORD_ALPHAS_NAME. Use only decimal integer values. If you do not set this attribute, the API uses the global value.

MAX_PASSWORD_AGE _NAME passwordMaxAge Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Number of seconds after the last password change time for which the password is valid.
A value 0 (zero) indicates there is no limit on the maximum number of seconds. If you do not set this attribute, the API uses the global value.

ACCOUNT_EXPIRY_ DATE_NAME secAcctExpires Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import
Specifies time at which the LDAP account expires in Greenwich Median Time. The format is YYYYMMDDhhmmss.tZ where:

YYYY = year (for example, 2009)
MM = month (where January = 01)
DD = day of the month (beginning with 01)
hh = hour (00 -> 23)
mm = minute (00 -> 59)
ss = second (00 -> 59)
. = period character
t = one tenth of the second (0 -> 9). This is ignored and should be set to 0
Z = this is the 'Z' character. It indicates the time zone is GMT.

API recognizes only this format.
A special value unlimited is accepted and is converted into a value suitable for storage in the underlying registry. Upon reading this value, it is not converted into unlimited, instead it is the value it was converted to. If you do not set this attribute, the API uses the global value.

DISABLE_TIME _INTERVAL_NAME timeExpireLockout Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Specifies the duration in seconds for which the account is locked after MAX_LOGIN_FAILURES_NAME login failures have occurred.
A value of 0 (zero) disables the account. The value must be a decimal integer >= 0 (zero).
If you do not set this attribute, the API uses the global value.

MAX_LOGIN _FAILURES_NAME Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import

Number of login failures that can occur before the software lock or disables the account.
Disabling or the time period for the lock out depends on DISABLE_TIME_INTERVAL_NAME.
The value must be a decimal integer >=0 (zero). See the ldap.login-failure-persistent and ldap.late-lockout-notification configuration options.
If you do not set this attribute, the API uses the global value.

TOD_ACCESS_NAME maxFailedLogins Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import
Limits authentication to particular days of the week and a specific range of time during the day. The format of the policy is days:start:end:zone where:

days - a decimal integer representing a bit mask of days of the week.

SUNDAY=1
MONDAY=2
TUESDAY=4
WEDNESDAY=8
THURSDAY=16
FRIDAY=32
SATURDAY=64

start - the decimal integer representing the starting minute of the day of allowed access.

end - a decimal integer representing the ending minute of the day of allowed access.

zone - a decimal integer that, when set to 1, indicates that GMT must be used to determine the current time of day and the day of the week against which to evaluate this policy. If you set any other value, the local default time zone is used.
If you do not set this attribute, the API uses the global value.
When you set a password policy, you provide a list of days, start time, and end time.
The start time and end time apply to each day on the list.
If the specified start time is later than the specified end time, then the access is allowed until the specified end time is reached the next day.

MAX_CONCURRENT _WEB_SESSIONS_NAME secTODAccessF Security Verify Access User Policy

Read
Add
Delete
Replace
Create
Import
The maximum number of concurrent web login for the user. This API does not use this value directly, but other applications use this value. The value must be a valid decimal integer. There are special negative values, which are:

-3 When set, a new login displaces (logout) other login sessions of the same user.
-4 When set, the number of concurrent logins are not limited.
If you do not set this attribute, the API uses the global value.

SEC_ACCT_VALID_NAME secAcctValid Security Verify Access User

Read
Replace
Create
Import

The account validity status. The permitted values are true and false. When set to false, we cannot log in to an account.

SEC_PWD_VALID_NAME secPwdValid Security Verify Access User

Read
Replace
Create
Import

The password validity setting. This attribute can be set only to true and false. When set to false, the user must change the password at next logon.

SEC_DN_NAME secDN Security Verify Access User

Read

Internal use only. Use getNativeId() instead of SEC_DN_NAME.

SEC_UUID_NAME secUUID Security Verify Access User

Read
Create
Import

Specifies the Universally Unique ID.
This attribute is normally generated by the API for the user. It is mostly used by the Authorization API when verifying ACLs.
We can supply this value when we create or import a user.
We cannot modify this value after you set it.
Do not specify any value for this parameter except when you recover accounts that were accidentally deleted.

SEC_LOGIN_TYPE _NAME secLoginType Security Verify Access User

Read
Internal use only.

SEC_CERT_DN_NAME secCertDN Security Verify Access User

Read
Internal use only.

SEC_CERT_SERIAL _NUMBER_NAME secCertSerialNumber Security Verify Access User

Read
Internal use only.

SEC_HAS_POLICY_NAME secHasPolicy Security Verify Access User

Read
Internal use only.

SEC_AUTHORITY_NAME secAuthority Security Verify Access User

Read
Internal use only.

PRINCIPAL_NAME_NAME principalName Security Verify Access User

Read
Internal use only. Use getId() instead of this attribute.

SEC_PWD_FAILURES_NAME secPwdFailures Security Verify Access User Policy State

Read

Internal use only.
Number of consecutive authentication failures because of wrong password.
This policy is a mechanism to enforce the MAX_LOGIN_FAILURES_NAME policy only if the ldap.login-failures-persistent option is enabled.

SEC_PWD_LAST_CHANGED _NAME secPwdLastChanged Security Verify Access User Policy State

Read

Specifies the time when the password was last changed.
This policy is a mechanism to enforce the MAX_PASSWORD_AGE_NAME policy.
The value is updated to the current date when SEC_PWD_VALID_NAME is set to true.

SEC_PWD_LAST_USED _NAME secPwdLastUsed Security Verify Access User Policy State

Read

Specifies the last time the that user logged in.
This value is updated every time Security Verify Access successfully authenticates a user.
This value is updated only for password-based authentication.
The option ldap.enable-last-login is set to true.

SEC_DOMAIN_ID_NAME secDomainId Security Verify Access User

Read
Internal use only.

SEC_PWD_LAST_FAILED _NAME secPwdLastFailed Security Verify Access User Policy State

Read

Internal use only.
Records the time of the last failed login to authenticate with the correct password.
This value is a part of the mechanism to enforce the DISABLE_TIME_INTERVAL_NAME policy. Some operations might be restricted by the LDAP.

SEC_PWD_UNLOCK_TIME _NAME secPwdUnlockTime Security Verify Access User Policy State

Read

Internal use only. Records the duration for which the account is locked. This value is a part of the mechanism to enforce the DISABLE_TIME_INTERVAL_NAME policy.

COMMON_NAME_NAME cn Native User and Native Group

Read
Add
Delete
Replace
Create
Import
Required when we create users or groups. LDAP server might restrict some operations.

SURNAME_NAME sn Native User

Read
Add
Delete
Replace
Create
Import
Required when we create users. LDAP server might restrict some operations.

UID_NAME uid Native User

Read
Add
Delete
Replace
Create
Import

LDAP Unique ID attribute name.
This attribute is an optional attribute when we create a RgyUser.
If you do not specify a value, this parameter is set to the userId or uid value in the leading RDN of the userNativeId. LDAP server might restrict some operations.

OBJECT_CLASS_NAME objectClass Native User and Native Group

Read
Create

Internal use only.
The LDAP object class attribute name.
This attribute contains the native LDAP objectClass values for the native entry.

DESCRIPTION_NAME description Native User and Native Group

Read
Add
Delete
Replace
Create
Import

The LDAP description attribute name.
Optional attribute when creating a new RgyUser or RgyGroup. LDAP server might restrict some operations.

IS_SEC_ENTITY_NAME isSecEntity Security Verify Access User and Security Verify Access Group

Read
Set to true if the account is a Security Verify Access enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.

IS_GSO_USER_NAME isGSOUser Security Verify Access User

Read
Set to true if the account is a Global Sign-On (web SSO) enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.

* * Native User

Read
Add
Delete
Replace
Create
Import
Indicates a native user entry that might have additional attributes for the user. If the LDAP server permits, the values are updated or deleted. LDAP servers might restrict some operations.

RESOURCE_CREDENTIALS_NAME resourceCredentials Security Verify Access User

Read

If the account is a global sign on-enabled and has resource credentials created for it, then this attribute will contain the resource credentials of the user.
This is a virtual attribute that is not stored directly in the LDAP registry. Rather, it is dynamically determined from multiple entry attributes in LDAP.
Each value for the attribute represents one resource credential and has the resources credential values condensed into one string.
The API provide methods to expand these resource credential values into separate strings.

Parent topic: Registry Direct Java API

API Constant	Name	Entry	Operation	Description
MIN_PASSWORD_LENGTH _NAME	passwordMinLength	Security Verify Access User Policy	Read Add Delete Replace Create Import	Minimum length of a password. Multibyte characters are treated as a single character. The value must be a decimal integer. If you do not set this attribute, the API uses the global value.
PASSWORD_SPACES _NAME	secPwdSpaces	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies whether to permit space and tabs in passwords. You have 2 choices: True permits space and tab characters. False does not permit these characters. If you do not set this attribute, the API uses the global value.
MAX_PASSWORD_REPEATED _CHARS_NAME	passwordMaxRepeatedChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the maximum number of times a character can be repeated consecutively in a password. The value must be a decimal integer. The value -1 indicates there is no limit on the number of times a character can be repeated consecutively. If you do not set this attribute, the API uses the global value.
MIN_PASSWORD_ALPHAS _NAME	passwordMinAlphaChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the minimum number of alphabetic characters for the password. This set consists of these characters: UPPERCASE_LETTER: General category Lu in the Unicode specification. LOWERCASE_LETTER: General category Ll in the Unicode specification. TITLECASE_LETTER: General category Lt in the Unicode specification. MODIFIER_LETTER: General category Lm in the Unicode specification. OTHER_LETTER: General category Lo in the Unicode specification. Use only decimal integer values. If you do not set this attribute, the API uses the global value.
MIN_PASSWORD_NON_ALPHAS _NAME	passwordMinOtherChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the minimum number of non-alphabetic characters in the password. This set complements MIN_PASSWORD_ALPHAS_NAME. Use only decimal integer values. If you do not set this attribute, the API uses the global value.
MAX_PASSWORD_AGE _NAME	passwordMaxAge	Security Verify Access User Policy	Read Add Delete Replace Create Import	Number of seconds after the last password change time for which the password is valid. A value 0 (zero) indicates there is no limit on the maximum number of seconds. If you do not set this attribute, the API uses the global value.
ACCOUNT_EXPIRY_ DATE_NAME	secAcctExpires	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies time at which the LDAP account expires in Greenwich Median Time. The format is YYYYMMDDhhmmss.tZ where: YYYY = year (for example, 2009) MM = month (where January = 01) DD = day of the month (beginning with 01) hh = hour (00 -> 23) mm = minute (00 -> 59) ss = second (00 -> 59) . = period character t = one tenth of the second (0 -> 9). This is ignored and should be set to 0 Z = this is the 'Z' character. It indicates the time zone is GMT. API recognizes only this format. A special value unlimited is accepted and is converted into a value suitable for storage in the underlying registry. Upon reading this value, it is not converted into unlimited, instead it is the value it was converted to. If you do not set this attribute, the API uses the global value.
DISABLE_TIME _INTERVAL_NAME	timeExpireLockout	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the duration in seconds for which the account is locked after MAX_LOGIN_FAILURES_NAME login failures have occurred. A value of 0 (zero) disables the account. The value must be a decimal integer >= 0 (zero). If you do not set this attribute, the API uses the global value.
MAX_LOGIN _FAILURES_NAME		Security Verify Access User Policy	Read Add Delete Replace Create Import	Number of login failures that can occur before the software lock or disables the account. Disabling or the time period for the lock out depends on DISABLE_TIME_INTERVAL_NAME. The value must be a decimal integer >=0 (zero). See the ldap.login-failure-persistent and ldap.late-lockout-notification configuration options. If you do not set this attribute, the API uses the global value.
TOD_ACCESS_NAME	maxFailedLogins	Security Verify Access User Policy	Read Add Delete Replace Create Import	Limits authentication to particular days of the week and a specific range of time during the day. The format of the policy is days:start:end:zone where: days - a decimal integer representing a bit mask of days of the week. SUNDAY=1 MONDAY=2 TUESDAY=4 WEDNESDAY=8 THURSDAY=16 FRIDAY=32 SATURDAY=64 start - the decimal integer representing the starting minute of the day of allowed access. end - a decimal integer representing the ending minute of the day of allowed access. zone - a decimal integer that, when set to 1, indicates that GMT must be used to determine the current time of day and the day of the week against which to evaluate this policy. If you set any other value, the local default time zone is used. If you do not set this attribute, the API uses the global value. When you set a password policy, you provide a list of days, start time, and end time. The start time and end time apply to each day on the list. If the specified start time is later than the specified end time, then the access is allowed until the specified end time is reached the next day.
MAX_CONCURRENT _WEB_SESSIONS_NAME	secTODAccessF	Security Verify Access User Policy	Read Add Delete Replace Create Import	The maximum number of concurrent web login for the user. This API does not use this value directly, but other applications use this value. The value must be a valid decimal integer. There are special negative values, which are: -3 When set, a new login displaces (logout) other login sessions of the same user. -4 When set, the number of concurrent logins are not limited. If you do not set this attribute, the API uses the global value.
SEC_ACCT_VALID_NAME	secAcctValid	Security Verify Access User	Read Replace Create Import	The account validity status. The permitted values are true and false. When set to false, we cannot log in to an account.
SEC_PWD_VALID_NAME	secPwdValid	Security Verify Access User	Read Replace Create Import	The password validity setting. This attribute can be set only to true and false. When set to false, the user must change the password at next logon.
SEC_DN_NAME	secDN	Security Verify Access User	Read	Internal use only. Use getNativeId() instead of SEC_DN_NAME.
SEC_UUID_NAME	secUUID	Security Verify Access User	Read Create Import	Specifies the Universally Unique ID. This attribute is normally generated by the API for the user. It is mostly used by the Authorization API when verifying ACLs. We can supply this value when we create or import a user. We cannot modify this value after you set it. Do not specify any value for this parameter except when you recover accounts that were accidentally deleted.
SEC_LOGIN_TYPE _NAME	secLoginType	Security Verify Access User	Read	Internal use only.
SEC_CERT_DN_NAME	secCertDN	Security Verify Access User	Read	Internal use only.
SEC_CERT_SERIAL _NUMBER_NAME	secCertSerialNumber	Security Verify Access User	Read	Internal use only.
SEC_HAS_POLICY_NAME	secHasPolicy	Security Verify Access User	Read	Internal use only.
SEC_AUTHORITY_NAME	secAuthority	Security Verify Access User	Read	Internal use only.
PRINCIPAL_NAME_NAME	principalName	Security Verify Access User	Read	Internal use only. Use getId() instead of this attribute.
SEC_PWD_FAILURES_NAME	secPwdFailures	Security Verify Access User Policy State	Read	Internal use only. Number of consecutive authentication failures because of wrong password. This policy is a mechanism to enforce the MAX_LOGIN_FAILURES_NAME policy only if the ldap.login-failures-persistent option is enabled.
SEC_PWD_LAST_CHANGED _NAME	secPwdLastChanged	Security Verify Access User Policy State	Read	Specifies the time when the password was last changed. This policy is a mechanism to enforce the MAX_PASSWORD_AGE_NAME policy. The value is updated to the current date when SEC_PWD_VALID_NAME is set to true.
SEC_PWD_LAST_USED _NAME	secPwdLastUsed	Security Verify Access User Policy State	Read	Specifies the last time the that user logged in. This value is updated every time Security Verify Access successfully authenticates a user. This value is updated only for password-based authentication. The option ldap.enable-last-login is set to true.
SEC_DOMAIN_ID_NAME	secDomainId	Security Verify Access User	Read	Internal use only.
SEC_PWD_LAST_FAILED _NAME	secPwdLastFailed	Security Verify Access User Policy State	Read	Internal use only. Records the time of the last failed login to authenticate with the correct password. This value is a part of the mechanism to enforce the DISABLE_TIME_INTERVAL_NAME policy. Some operations might be restricted by the LDAP.
SEC_PWD_UNLOCK_TIME _NAME	secPwdUnlockTime	Security Verify Access User Policy State	Read	Internal use only. Records the duration for which the account is locked. This value is a part of the mechanism to enforce the DISABLE_TIME_INTERVAL_NAME policy.
COMMON_NAME_NAME	cn	Native User and Native Group	Read Add Delete Replace Create Import	Required when we create users or groups. LDAP server might restrict some operations.
SURNAME_NAME	sn	Native User	Read Add Delete Replace Create Import	Required when we create users. LDAP server might restrict some operations.
UID_NAME	uid	Native User	Read Add Delete Replace Create Import	LDAP Unique ID attribute name. This attribute is an optional attribute when we create a RgyUser. If you do not specify a value, this parameter is set to the userId or uid value in the leading RDN of the userNativeId. LDAP server might restrict some operations.
OBJECT_CLASS_NAME	objectClass	Native User and Native Group	Read Create	Internal use only. The LDAP object class attribute name. This attribute contains the native LDAP objectClass values for the native entry.
DESCRIPTION_NAME	description	Native User and Native Group	Read Add Delete Replace Create Import	The LDAP description attribute name. Optional attribute when creating a new RgyUser or RgyGroup. LDAP server might restrict some operations.
IS_SEC_ENTITY_NAME	isSecEntity	Security Verify Access User and Security Verify Access Group	Read	Set to true if the account is a Security Verify Access enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.
IS_GSO_USER_NAME	isGSOUser	Security Verify Access User	Read	Set to true if the account is a Global Sign-On (web SSO) enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.
*	*	Native User	Read Add Delete Replace Create Import	Indicates a native user entry that might have additional attributes for the user. If the LDAP server permits, the values are updated or deleted. LDAP servers might restrict some operations.
RESOURCE_CREDENTIALS_NAME	resourceCredentials	Security Verify Access User	Read	If the account is a global sign on-enabled and has resource credentials created for it, then this attribute will contain the resource credentials of the user. This is a virtual attribute that is not stored directly in the LDAP registry. Rather, it is dynamically determined from multiple entry attributes in LDAP. Each value for the attribute represents one resource credential and has the resources credential values condensed into one string. The API provide methods to expand these resource credential values into separate strings.