OBLIX, INC.

CONFIDENTIAL AND PROPRIETARY

Oblix Schema Description

Date 11/19/2002 Author Joan Teng/Lakshmi Comment Included both ID and Access. Updated to 6.1.

Notations used in this document: red Italic - required attribute blue Normal - allowed attribute

oblixapplication
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obapp top This class is used for entries of the applications. structural oblixconfig obapp obapp=userservcenter, ou=oblix, o=company, c=us Description The name of the application. This is the naming attribute. The functions configured for this applications. The value is encoded with true or false to indicate whether a function button is ready to be displayed on the UI. Examples of the values are Org View:true Browse:true View Report:true My test:false The current release version.

obdirfunctions

obver

oblixpanel
SubClassOf Description top This object class is used to define entries of panels, reports, workflow table, search result, etc. Since this class is the super class of oblixtabpanel, the attributes defined in this class also applicable to tabs.

Class type PossSuperiors Naming attribute Examples Attributes obpanelid

structural oblixclass, oblixtabpanel, oblixconfig obpanelid obpanelid=telephony, obpanelid=employees, obapp=userservcenter, ou=oblix, o=company, c=us obpanelid=ticketTable, ou=oblix, o=company, c=us Description The id that uniquely identifies this panel/tab/table. It is used as the naming attribute. The object classes to be used when entry information is searched. When used for panel, the valid value is inetorgperson - or other configured person class When used for tab, the valid values are inetorgperson - or other configured person class obgroupofuniquenames - or other configured generic class officeobject - or other configured generic class When used for ticket table, the valid value is obticket When used for report, the valid value is inetorgperson - or other configured person or generic class Whether the panel is ready for display. The default is false. The name of the panel/tab. If obpaneltabimagefilename is not used, this label will show up in the default image. The type of the panel. When it used for panel, the valid values are unknown, defaultPanel, headerPanel, jCardPanel. TableViewPanel, reportPanel, monitorTableView, ticketTableView, wfProfileTopPanel, wfProfileLowerPanel, wfTicketInfoPanel, wfSubflowPanel, etc. When it is used for tab, the valid values are unknown, htmlFile, oblixUsable, personTab, groupTab The sequence order of this panel to be displayed relevant to other panels. The description for this object. The search filter is used to "and" with the obclass when generating report. It is not used in panels. The help message that the to be displayed when mouse is over this filed. The image file to be used to draw the top panel/tab tab. The image file to be used to draw the top panel/tab tab when the panel/tab is selected. The image file to be used to draw the bottom panel/tab tab for horizontal

obclass

obready obname

obpaneltype

oborder obdescription obfilter obmouseover obpaneltabimgfilename obpaneltabimgdepressed obpaneltabimgfilenamebottom

obpaneltabimgdepressedbottom obpaneltitleimgfilename obpanelelctabimgfilename (not in use) obpanelelctabimgfilename2 (not in use) obpanelelctabimgfilenamebottom (not in use) obpanelelctabimgfilename2bottom (not in use) obhidden obver

profile. The image file to be used to draw the bottom panel/tab tab when the panel/tab is selected for horizontal profile. The image file to be used to display the title for this panel. The image file to be used to draw the panel tab for a life cycle entry. Examples are the tab images starting with "!". The image file name to be used to draw the panel tab for a life cycle entry when the panel is selected.

Whether this panel is for system use only. The default is false. One example is obpanelid=locations,obapp=userservcenter,ou=oblix,o=company,c=us. The current release version.

oblixtabpanel
SubClassOf Description Class type PossSuperiors Naming attribute Examples oblixpanel (it is top for AD so AD has all the attributes from oblixpPanel) This object class is used to define the tabs and ticket tables. structural oblixapplication, oblixclass obpanelid obpanelid=Employees, obapp=userservcenter, ou=oblix, o=company, c=us obpanelid=Locations, obapp=objservcenter, ou=oblix, o=company, c=us obpanelid=ticketTable, obclass=obticket, ou=oblix, o=company, c=us

Attributes Description obtabsearchbase The searchase associated with the Tab. obdirty (not in use) The filter that will "and" with the obclass when entry information are obpanelfilter searched. obhtmlfile The url of the html file to be displayed when the tab is selected. obver The current release version.

oblixmetaattribute

SubClassOf Description Class type PossSuperiors Naming attribute

top This class is used to hold the oblix meta information for handling the semantic relationship, the display name, the display type, etc. of the attributes. It is used in our current code for: 1) the attributes configured under panels; 2) the attributes configured with the object classes structural oblixpanel, oblixtabpanel, oblixclass obattr attribute under the panel: obattr=cn,obpanelid=Employees, obapp=userservcenter, ou=oblix, o=company, c=us attribute under the user class: obattr=mailstop, obclass=inetorgperson, ou=oblix, o=company, c=us Description The name of attribute this meta data is for. This is the naming attribute. The user friendly name for the attribute that the end users will see. The display appearance of this attribute. The valid values are ObDTextS ObDEmail ObDDn ObDGenericSelector ObDSelect ObDTextM ObDTextSM ObDDate ObDRadio ObDCheckBox ObDPassword ObDGif ObDLocationDn ObDSMIMECertificate ObDPostalAddress ObDGifURL ObDFacsimileTelNum ObDBoolean ObDBitString ObDMedia ObDNumericStr ObDQueryBuilder The allowed values of objdisplaytype varies pending on the value of the obsemantictype. The semantic rule associated with this attribute. The valid values are ObSName ObSTitle ObSPhoto ObSManager ObSDirectReports ObSFirstName ObSLastName ObSIndirectManager ObSSecretary ObSRole ObSMap ObSLogin ObSPassword ObSEmail ObSDerived ObSLocationCoord ObSDNPrefix ObSVirtual ObSStaticMember ObSDynamicMember ObSOwner ObSAdministrator ObSChallenge ObSResponse The value can be "ObUnknownDate", "ObIntegerDate", "ObMDYDate "ObDMYDate", ObISO8601Date "ObISO8601DateGeneralized" The value can be / for ObMDYDate - for ObISO8601Date When the obdisplaytype is radio, check box, or select menu, this

Examples

Attributes obattr obdisplayname

obdisplaytype

obsemantictype

obdatetype

obdateseparator obchoicetype

oborder obcardinality oblifecycleinfo (not in use) obsearchable obrows obcols obsize obvisible obobjectclass oblookupattr

obmatchattr obreportable (not in use) obclass obdefaultvalue (not in use) obmaxlength ???? obdatatype obdriving obdrivenby obver The current release version.

attribute is used to indicate ob_enum - using list ob_rule - using rule See oblixenum and oblixrule for details. The sequence of the attribute that should appear in a panel. Whether a single value or multiple values are allowed for this attribute. The valid values are ob_single and multi. The life cycle information configured for this attribute. It can be ob_provision for provision, ob_required for required, or ob_none for nothing. Whether this attribute should appear in the list for search. The value of this attribute is auto assigned based on the display type. Used as a backdoor way to specify the number of rows for displaying the muti-line text box. Used as a backdoor way to specify the number of columns for displaying the muti-line text box. Used as a backdoor way to determine the width of the single line text. Whether this attribute should appear on the UI for configuring and generating report. The value of this attribute is auto-assigned based on the display type. The object class the derived attribute is looked up to. The attribute to be looked up in the other object class for the derived attribute. The attribute to be matched up for the derived attribute.

oblixrule
SubClassOf Description Class type top This object class is used to hold the rules associated with the meta data. structural

PossSuperiors Naming attribute Examples Attributes obid obattr obrule obver

oblixmetaattribute obid obrule=ourule, obattr=ou, obclass=inetorgperson, ou=oblix obrule=ourule, obattr=obparentlocationdn, obclass=oblixlocation, ou=oblix, o=company, c=us Description The system generated unique id to be used as the naming attribute. The attribute value to be used when the rule is satisfied. This attribute may or may not be the same as the attribute that meta data is associated with. The filter assigned to the rule. The current release version.

oblixenum
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obid obstoreas top This object class is used to hold the rules associated with the meta data. structural oblixmetaattribute obid obid=19980713T2257320, obattr=employeetype, obclass=inetorgperson, ou=oblix, o=company, c=us

Description The system generated unique id to be used as the naming attribute. The actual value to be used for processing. The name, corresponding to the obstoredas value, to be displayed in the list obdisplayname for user to select. oborder The sequence of the displaying order in the list. obver The current release version.

oblixuserdefinedbutton
SubClassOf Description Class type top This object class is used to define entries for user defined functions(options). structural

PossSuperiors oblixapplication Naming obname attribute Examples obname=my option, obapp=userservcenter, ou=oblix, o=company, c=us Attributes obname obhtmlfile Description The name of this object. It is used as the naming attribute. The URL of the html file to be invoked when this button is clicked. Intended for a pointer to point back to the application this button obapp belong to. Currently not filled. obbuttonimgfilename The name of the image file for the button. obmouseover The help message when mouse is over the button. obver The current release version.

oblixorgperson
SubClassOf Description Class type PossSuperiors Naming attribute Examples This object class is used as auxiliary class to associate oblix "person" information to the class configured as "Person Class". Auxiliary

Attributes obuiconfig (not in use) oblocationdn obrectangle obpsftid (not in use) obindirectmanager obobjectclass (not in use) obdirectreports (not in use)

Description The display style chosen by this person. The valid values are style:style0 - classic style:style1 - alternative style:style2 - oblix (default) The location dn for this person. The rectangle location relative to the location map. (only used by PeopleSoft) The dn of the indirect manager. Used find the object class the derived class belong to. Was used for direct reports.

obuseraccountcontrol obver

The flag indicating whether the user is active. Contains value DEACTIVATED or ACTIVATED. The current release version.

oblixGroup
SubClassOf Description Class type PossSuperiors Naming attribute Examples This object class is attached to the group object class managed by the group manager. auxiliary

Attributes oblixgrouptype obgroupcreator

Description The type of the group. The valid values are public and private. The user dn who created the group.

obgroupcreationdate The date and time the group is created. The group subscription policy. Possible values are: SubscriptionPolicyClosed obsubscriptiontypes SubscriptionPolicyOpen SubscriptionPolicyOpenFilter SubscriptionPolicyControlledWorkflow

oblixAdvancedGroup
SubClassOf Description Class type PossSuperiors Naming attribute This object class is used to attached additional attributes to the group object to perform advanced features. auxiliary

Examples Attributes obver obgroupsubscriptiontype obgroupexpandeddynamic Description The current release version. The subscription policy associated with this group.

This attribute controls whether a dynamic group is going to be expanded from time to time into static members. Indicates the type of initial access control set on a group obgroupsimplifiedaccesscontrol during creation. Indicates whether a group is pure dynamic and no static obgrouppuredynamic uniquemembers can be added. The administrator for the group which is different than obgroupadministrator the owner. Message to send to a new member when subscribed to a obgroupsubscribemessage group. Message to send to a member when unsubscribed from a obgroupunsubscribemessage group. The ldap filter to specify who can subscribe to a group if obgroupsubscriptionfilter the obsubscriptiontype is "Filter" Indicates whether to send a message to owner/member obgroupsubscribenotification when someone subscribes to a group. obgroupdynamicfilter The dynamic filter for this group.

oblixlocation
SubClassOf top This object class defines the location entries. It is provided for the Description convenient to the customers to use the location feature. Class type structural PossSuperiors domainDNS, organization, organizationUnit, locality Naming obid attribute Examples obid=650_castro, o=company, c=us Attributes obid oblocationname oblocationtitle Description The unique id of the location. It is the naming attribute. The description for this locatoin. For example, it could be the address. The name given for this location. For example, it could be the sales office.

obphoto obparentlocationdn obrectangle obver

The image for this location. The parent location DN. The rectangle location relative to the parent location. The current release version.

oblixclass
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obclass obready obclassattr top This object class defines the meta information for the object class. structural oblixconfig obclass obclass=inetorgperson,ou=oblix,o=company,c=us obclass=obticket,ou=oblix,o=company,c=us obclass=oblixlocation,ou=oblix,o=company,c=us obclass=oblixorgperson,ou=oblix,o=company,c=us Description The name of the object class this meta data is for. Whether this configuration is ready to be used. One of the configured attribute for this class. This attribute is displayed in the first line of the JCard, and is used as the link to the object profile. The class type as in the following personClass - When PersonClass is chosen. . groupClass When GroupClass is chosen genericClass - When GenericClass is chosen. locationClass - Used for obixlocation only. Whether it is for system use. Whether the defined class is structure or auxiliary The current release version.

obclasstype

obhidden obclasskind obver

oblixconfig
SubClassOf Description Class type PossSuperiors Naming attribute Examples top This object class defines the container node for the Oblix data. structural domainDNS, organization, organizationalUnit, locality ou ou=oblix,o=company,c=us

Attributes ou obpersonoc

Description The organizational unit. This is the naming attribute. The person object class managed by user manager. The global searchbase defined at setup time. This is the obsearchbase search base for all managed operations by default. obwebmasteremail The mail list name for the web masters. obbugreportemail The mail list name for filing bug reports. obfeedbackemail The mail list name for sending feedback. The personal photo style. The value can be either obphotostyle ob_variable or ob_fixed. The hight of the photo displayed on the profile page. Used obphotoheight only when style is ob_fixed. The width of the photo displayed on the profile page. Used obphotowidth only when style is ob_fixed. obsmtphostname The smtp server name. obsmtpport The smtp server port number. The default graphic style that admin has setup for all the users. The valid values are obdefaultstyle style:style0 - classic (not in use) style:style1 - alternate style:style2 - oblix (default) obdefaultonlystyle Whether the default style can be overriden. The valid value (not in use) is true or false. The idle timeout duration of the NetPoint session if SSO is obusersessiontimeout not being used. Whether the mail server can handle rich text. obrichhtmlemail true for rich text (default) false for simple text obver The current release version. obusersessionelapsetime How long is the elapse to update session cookie obssologouturl Specified the logout url if SSO is enabled obgroupoc Object class managed by group manager. obsmtpdomainname The mail server domain obmailsenttype Mail sent type: asynchronous vs. synchronous obasynchmailqueuesize Queue size for asynchronous mail obpasswordexpiryredirecturl The redirect URL for password expiration notice oblostpasswordredirecturl The redirect URL for lost password management obpasswordchangeredirecturl The redirect URL for password reset

Obpasswordmanagementflag Use to use this for global flag. (not in use) obadditionalsearchbases Used for disjoint searchbase support in ID. obpolicybase The domain path where access policies are stored.

oblixgroupOfUniqueNames
SubClassOf groupofuniquenames (AD, NS). Top (other DS) This object class is used to define the web master and directory master Description groups. Class type structural PossSuperiors organizationalUnit, organization, oblixconfig, oblixapplication Naming cn attribute cn=Web Masters,ou=oblix,o=company,c=us Examples cn=Directory Administrators,ou=oblix,o=company,c=us Attributes Description cn Naming attribute for group. obuniquemember Web master or directory master within the group. businesscategory Should not include this if inherited from groupofuniquenames. (should not need) obver The current release version.

oblixmedia
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obid obmediatype top This object class is used for media semantic type. structural oblixmetaattribute obid Obid=10021119T104927682, obattr=userCertificate, obclass=inetorgperson, ou=oblix, o=company, c=us Description The unique identify for this object. The specific media type from the following list: application/octet-stream application/octet-stream application/pdf

application/postscript application/postscript application/postscript application/rtf application/x-mif application/x-csh application/x-dvi application/x-hdf application/x-latex application/x-netcdf application/x-netcdf application/x-sh application/x-tcl application/x-tex application/xtexinfo application/x-texinfo application/x-troff application/x-troff application/x-troff application/x-troff-man application/x-troff-me application/x-troff-ms application/x-wais-src application/zip application/x-gtar application/x-shar application/x-tar application/mac-binhex40 audio/basic audio/basic audio/x-aiff audio/x-aiff audio/x-wav image/gif image/ief image/jpeg image/jpeg image/jpeg image/tiff image/tiff image/x-cmu-raster image/xportable-anymap image/x-portable-bitmap image/x-portablegraymap image/x-portable-pixmap image/x-rgb image/x-xbitmap image/xxpixmap image/x-xwindowdump text/html text/html text/plain text/richtext text/tab-separated-values text/x-setext video/mpeg video/mpeg video/mpeg video/quicktime video/quicktime video/xmsvideo video/x-sgi-movie application/msword application/mspowerpoint application/msexcel application/msexcel obmediatypefileext The file ext for the above mediatype. obdescription obver The description for this object. The current release version.

oblixPasswordPolicy
SubClassOf Description Class type PossSuperiors Naming attribute Examples top This is the object class for password policy definition. structural Oblixconfig, oblixcontainer obpasswordpolicyid obpasswordpolicyid=10021119T1033315301, obcontainerId=password, ou=oblix, o=company, c=us Description Unique id for this password policy. The minimum non-alphanumber char and length for the password.

Attributes obpasswordpolicyid obinputvalidationrules

obpasswordvalidityperiod obpasswordexpirynoticeperiod obexpirynoticemode

Password validity period Password expiration notification period how many days before expiration to notify Password expiration notification mode: email vs login or both

oblostpasswordmechanism (not Currently always set to Self. in use) oblostpasswordmodel (not in use) obchangeonreset obkeephistory obpasswordpolicydomain obpasswordpolicyname obpasswordpolicyfilter obpasswordminimumage oblogintries oblockoutduration oblogintimeout obpasswordpolicyenabled obver Currently always set to Challenge-Response. Whether password needs to be changed upon first login. How many used passwords need to be kept in the history. The domain this password policy is applicable to. (ex. o=company,c=us) The name for this password policy. The filter to be applied to the policy domain. This is useful if the DIT tree is flat. The password minimum age in days. The number of tries one can do during login. The lock out time period if login failed. The days to wait to allow retry once locked out. Whether this policy is enabled. The current release version.

oblixPersonPwdPolicy
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obpasswordcreationdate This object class is the auxiliary class attached to the user class for run time password policy handling. Auxiliary

Description The date and time the latest password was created. Used to determine if password should expire.

obpasswordhistory obpasswordchangeflag obpasswordexpmail (not in use) oblogintrycount oblockouttime obfirstlogin (no in use) obresponsetries oblastloginattemptdate obresponsetimeout (not in use)

The passwords used in the past. This attribute is used when password history is enabled. Indicating whether a password needs to be reset during login.

The number of login tries conducted. Used for number of login tries. The date and time till then the account is to be locked out. Used for lockout duration.

The number of tries given to the challenge response. Used for number of login tries. The last time login is attempted. Used for login tries reset.

oblastresponseattemptdate The last time response was given. Used for login tries reset.

oblixAuxLocation
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes oblocationdn obrectangle This auxiliary class can be attached to any structural class managed by NetPoint to mark the managed object on the location map. auxiliary

Description The dn of the location object. The coordinate of the user/group/generic object on the map defined by the location object.

oblixContainer

SubClassOf

top This object class is used to define generic container for oblix defined Description objects. Class type structural PossSuperiors Oblixconfig, oblixApplication Naming obcontainerid attribute obcontainerId=policies,ou=oblix,o=company,c=us obcontainerId=DBAgents,ou=oblix,o=company,c=us Examples obcontainerId=password,ou=oblix,o=company,c=us obcontainerId=workflowDefinitions,ou=oblix,o=company,c=us obcontainerId=workflowInstances,ou=oblix,o=company,c=us Attributes obcontainerid obver Description The name used for this object. The current release version.

oblixVirtualDB
SubClassOf top This object class is used for a specific virtual DB definition. A virtual Description DB is an agent that connect to the backend database instances. Class type structural PossSuperiors oblixContainer Naming obname attribute obname=default-ois, obcontainerId=DBAgents, ou=oblix, o=company, Examples c=us

Attributes obname obdbusedby Oborder (not in use) Obdbdatatype (not in use) obdescription (not in use)

Description The name of this object. It is used as the naming attribute. Used by Access/COREid/both.

May potentially contain values such as user/group/other etc. The description for this object. The type of operation the VDB can carry out: All, Search, Read, Write, Search Entries, Read Entry, Modify Entry, Create Entry, Delete Entry, Delete Entries, Move Entry, Move Entries, Compare Attribute, Change Password, Remove Link, Authenticate User The subtype of the backend DS. Ex. iPlanet, AD/LDAP, CP, SecureWay, eDirectory, ADSI, etc. The current release version. The string format of the searchbase associated with this object. Whether this configuration is enabled.

obdboperation

obdbsubtype obver obsearchbasestr obenable

obisschemamaster To identify the schema master among the VDBs. (for future use) obdisplayname obschemadomain (for future use) obflags obdbtype A human-readable and human-understandable name for the object. Oblix generated unique ID for the schema domain Used to store the flags [referral/SSL/ADSI] on the VDB entry. The type of the backend data store. Type of DS: LDAP/ RDBMS/ PeopleSoft etc. The fail over threshold. Fail over will happen if the alive primary DS is below this number. Frequency to detect the aliveness of the DS.

obmaximumservers Maximum DS servers used for load balancing. obfailoverthreshold obsleepfor

oblixDBInstance
SubClassOf top This object class defines the DB instance under a VDB. Each DB Description instance contains the connection configuration to a backend DS. Class type structural PossSuperiors oblixVirtualDB, oblixContainer Naming obname attribute obname=20021116T12333165617,obname=defaultExamples ois,obcontainerId=DBAgents,ou=oblix,o=company,c=us Attributes obname Oborder (not in use) obdescription (not in use) obDBAgentSecurePort obDBAgentCert7PathName (not in use) obDBAgentSizeLimit obDBAgentTimeLimit obDBAgentMaxConnections The client side size limit. The client side time limit. Description The name of this object. It is used as the naming attribute.

The description for this object. The port number to the backend DS when ssl is used.

The max number of connections with DS this instance can establish. The initial number of connections to be established when obDBAgentInitialConnections this instance is started. obDBAgentFlags Whether the referral and/or ssl is on. obDBAgentLoginPassword obDBAgentLoginName obDBAgentPort obDBAgentHost obdisplayname obver The bind password for this instance. The bind credential for this instance. The port number of the DS this instance is configured to connect to. The host name of the DS this instance is configured to connect to. A human-readable and human-understandable name for the object. The current release version.

oblixWorkflow
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obworkflowid obworkflowname obclass top This object class is used for workflow definition. structural organizationalUnit, organization, oblixcontainer obworkflowid obworkflowid=7ecd515472b14662976cdee0e447027c, obcontainerId=workflowDefinitions, ou=oblix, o=company, c=us Description The unique id generated to identity this workflow definition. The name entered by user for this workflow definition. The object classes this workflow is associated with. This includes all object classes, structured and auxiliary. The type of the workflow. Values can be: CREATGE_OBJECT DELETE_OBJECT CHANGE_OBJECT The domain path where is the workflow is defined. The workflow is applicable to all entries below this domain. The filter associated with the delegated management domain. Used when a workflow is defined by a delegated admin. The filter associated with the tree path. The filter could be used to further quantify the domain. The attribute the change attribute and certificate workflow is defined for. The application this workflow definition is for.

obworkflowtype

obtreepath obtreepathfilter obwfdomainfilter obnoofinstances obattr obapp obwffirststep (not in use) obready obdefiner (not in use) obdescription Oblabeleddn (not in use) obver

Whether is workflow is ready to use.

The description for this object.

The current release version.

obwftypename

The friendly name given for the workflow type. This name is obtained from the parameter file. The group subscription policy enabled for this workflow. These policies will shown in the list for selection during the workflow run time.

obisworkflowprovisioned Indicating whether this workflow can be used as subflow. obsubscriptiontypes

oblixWorkflowStep
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obwfstepid obactionname oborder obdescription obentrycondition obactioncallback (not in use) obrequiredattribute (not in use) obprovisionedattribute (not in use) oboptionalattribute (not in use) obver obforcecommit obuseraction obwfattrorder obwfsubflows The current release version. Whether this step needs to perform an implicit commit. When this step is user interactive. The order of the attributes to be displayed. Listed by attribute names. The dn of the subflow this step needs to wait for to begin. top This object class defines the workflow step definition. structural oblixworkflow obwfstepid obwfstepid=1, obworkflowid=7ecd515472b14662976cdee0e447027c, obcontainerId=workflowDefinitions, ou=oblix, o=company, c=us Description The unique id generated for this workflow step. The name of this workflow action. The possible names are defined in the workflow template files. The order of this workflow step relevant to others. The description for this object. The entry condition for this step. Ex. 1:true:false means first step exited successfully without waiting for subflow.

oblixWorkflowTarget
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obwftargetid obwftargetdn obwftargetlabel obwftargetfilter obver top This object class is for the target definition under a workflow defintion. structural oblixworkflow obwftargetid obwftargetid=T1, obworkflowid=7ecd515472b14662976cdee0e447027c, obcontainerId=workflowDefinitions, ou=oblix, o=company, c=us Description The unique id generated for the target. The dn of the target domain. Target domain can be a subset of the domain where workflow is defined. The name of the target domain entered by user at definition time. The filter further qualifying the target domain. Often used when DIT is flat. The current release version.

oblixWorkflowAttribute
SubClassOf top This object class contains the attribute defined under a workflow step Description definition. Class type structural PossSuperiors oblixworkflowstepinstance, oblixWorkflowStep Naming obattr attribute obattr=cn, obwfstepid=1, Examples obworkflowid=7ecd515472b14662976cdee0e447027c, obcontainerId=workflowDefinitions, ou=oblix, o=company, c=us Attributes obattr Description The attribute this object is for.

obattrtype obattrvals (not in use) obver obwfattrflags obwfattrdefval

Currently set to 1.

The current release version. How this attribute is to be handled. Possible values are: "WF_REQUIRED", "WF_OPTIONAL", "WF_READONLY", "WF_HIDDEN" The default value for this attribute if provided.

oblixWorkflowInstance
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obwfinstanceid obworkflowdn obtargetdn obcurrentdn obcurrentstep obclass obapp obworkflowtype obattr (not in use) obdatecreated The time stamp this instance is created. top This object class is for workflow instances. structural OrganizationalUnit, organization, oblixcontainer obwfinstanceid obwfinstanceid=3f3b4eb0f241426f862dfaa18efa5ec6, obcontainerId=workflowInstances, ou=Oblix, o=company, c=us Description The unique id generated to uniquely identity this workflow instance. The dn of this workflow instance. The dn the target user, group or object the workflow is trying to create, delete, or change attribute for. The dn of the current person who is processing the workflow. The dn of the current step where is workflow process is at. The object classes this workflow is for, including all structure class and auxiliary classes. The application name this workflow is for. The workflow type copied from the definiton. The valid values are CREATE_OBJECT DELETE_OBJECT CHANGE_OBJECT

obwfsupplementalval obdateprocessed obparentworkflow obparentstep

Used by subflow approval to store the user defined outcome of the subflow. The time stamp for the last action took place. The parent workflow this workflow is triggered. The step in the parent workflow this workflow is triggered. The instance status. -1 - Unknown 2 - PendingUser PendingPreAction 5 - PendingPostAction PendingUserInPost 8 - LastStepDone PendingExecution 11 - Cancelled PendingPreSubflow 14 - PendingPostNotify ForceCommit 17 - Retry 0 - Success 1 - Failed 3 - PendingSubflow 4 6 - PendingUserInPre 7 9 - Asynch 12 - PendingPreNotify 15 - TriggerSubflows 18 - PendingRetry 10 13 16 -

obwfstatus

obtriggeredworkflow The number of workflow triggered by this workflow. obver obhostname obport obactionindicator obwftypename obactorcomment obkey obcertid obworkflowname oblockedby The current release version. The host name where webpass is running. Used for asynch resume and idxml call in event plug-in. The port number where webpass is running. Used for asynch resume and idxml call in event plug-in. Used in change attribute workflow indicating whether to modify or remove an attribute. The workflow name specified by the user in the definition. The comments people put in during the workflow process. Used for certificate workflows. Key is the public key to be used to connect to VeriSign. Used for certificate workflows. Uniquely identify a user cert in case multiple certs are present. The workflow name copied from the definition. If one of the step instance is locked by a user, this contain the dn of the user who locked the ticket.

oblixWorkflowStepInstance
SubClassOf top

Description Class type PossSuperiors Naming attribute Examples Attributes obwfstepinstid

This object class is for the workflow step instances. structural oblixworkflowinstance obwfstepinstid obwfstepid=1, obworkflowid=7ecd515472b14662976cdee0e447027c, obcontainerId=workflowDefinitions, ou=Oblix, o=company, c=us; Description The unique id generated to uniquely identity this step instance. The dn of this step instance.

obworkflowstepdn obentrycondition (no in use) obwfstatus obrequiredattribute oboptionalattribute obparticipant (not in use) obactordn obactionname obdatecreated obdateprocessed obactorcomment obexitcondition (not in use) obactionreturncode obver obapp obretrycount obretrydone oblockedby

Current step status. See obwfstatus in workflow instance for details. Contains the names of the required attributes. Contains the names of the attributes associated with the subflows.

obprovisionedattribute Contains the names of the optional attributes.

The dn of the person who processed this step. The step action name. Copied from the definiton. The time stamp this step instance is created. The time stamp this step is last processed. Step status used for the comfirmation page. Modifiable by event api with SetResultString ex. 2:completed step 2 completed

The return code from this action. 0 success. 1- failure. The current release version. The application this workflow is associated with. The number of retries happened for this step. If the step involves retry, this is set to true when the retry is done. If the step is locked by a user, this contains a dn of the user who locked the ticket.

obtriggeredworkflow The subflow(s) triggered by this workflow.

oblixPolicyContainer
SubClassOf top This object class is a container contains access policies for a particular Description group of objects. Class type structural PossSuperiors oblixcontainer Naming obpolicycontainerid attribute obpolicyContainerId=UserDB, obcontainId=Policies, ou=oblix, Examples o=company, c=us Attributes Description The value of this attribute uniquely identifies the related policies stored under this container. The possible values are: WebResourceDB obpolicycontainerid UserDB ObGroupDB ObObjectDB WorkflowDb obver The current release version.

oblixPolicyCondition
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obname obpolicyconditionorder obpolicyconditionusage obpolicyconditionuid top This object class contains the policy condition for a policy definition. structural oblixpolicyrule obname Obname=c20021119T21151119115, obname=P20021119t210123979, obpolicyContainerId=UserDB, obcontainerId=Policies, ou=oblix, o=company, c=us Description The name of this object. It is used as the naming attribute. The order of the policy condition. The policy will be evaluated in this order. Currently only ALLOW is used. The users assigned access control by their dns.

obpolicyconditiongroup

The groups assigned access control by their dns. The role assigned the access control. Roles are varying for different access rights. In general, roles are the dn type of attributes plus ob_any, ob_self, ob_anonymous, etc. Each workflow type has its own defined roles from the workflow template files. The ldap url defined from the Query Builder. Originally planned to use this to store the tree path as trustee.

obpolicyconditionrole

obpolicyconditionruleurl obpolicyconditiontreeurl (not in use)

obpolicyconditionipaddress Originally thinking to use IP as the trustee information. (not in use) obver The current release version.

oblixResourceOperationRule
SubClassOf Top This object class defines the operation and evaluation rule for the access Description policy. Class type structural PossSuperiors oblixsitedomain, oblixpolicycontainer Naming obname attribute obname=R20021119T210123820, obpolicyContainerId=UserDB, Examples obcontainerId=Policies, ou=oblix, o=company, c=us

Attributes Obname obdescription obResourceOperation (m)

Description A unique id generated to identify the policy. This is the naming attribute. A short informal description of the Resource Operation Rule that will be displayed by the Access Manager. The value of this attribute depends upon type of resource. For web resources, it's simply the HTTP request methods. The possible values are "GET", "PUT", HEAD, OPTIONS, CONNECT, DELETE, TRACE, OTHER or "POST". For ID access control, the possible values are "READ",

"WRITE", ""DELETE", "PRENOTIFY", "POSTNOTIFY", "PARTICIPANT", "WORKFLOW", "CONTAINER_LIMIT", "WF_MONITORING", "PROXY". These basic rights can be combined with "GRANT" and "DELEGATE. This can be used to indicate type of resource. In Access, for example, resource could be a "uri", a "directory entry" or an "application" etc. 0 indicates an HTTP resource type, 1 indicates ejb resource type

obResourceType

In ID, it may contain USER_DB_ENTRY, "GROUP_DB_ENTRY", "GENERIC_DB_ENTRY", "APPLICATION", "OTHER" Used by ID. Contains the dn of the corresponding obPolicyRuleName oblixPolicyRule entry. obResourcePropagatePolicy Used by ID. Currently always set to true. Used by ID. Currently always set to true, which means the obResourceUmbrellaPolicy policy is applied to all the subtree. obdisplayname A human-readable and human-understandable name for the (not in use) object. Used by ID. The filter associated with the domain path. The obResourceFilter filter is to further qualify the nodes under the domain path. It is especially useful when DIT is flat. Used by ID. This is an internal priority. It defines the obResourcePriority sequence of the policies to be evaluated when resource filter is present at the same domain path. The highest rank is 99. ObResourceId (not in use) obabspathpattern (not in use) obver The current release version.

oblixUserResourceAuxClass
SubClassOf Description Class type This is the auxiliary class attached to oblixResourceOperationRule for UserDB. auxiliary

PossSuperiors Naming attribute Examples Attributes obresourceuid Description The domain path at where policy is defined. The policy is applicable to the subtree of this domain path.

obresourceattribute The directory attribute this policy is defined for.

oblixGroupResourceAuxClass
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obresourceuid obresourceattribute obgroupsubscriptiontype (not in use) obgrouptype (not in use) This is the auxiliary class attached to oblixResourceOperationRule for GroupDB auxiliary

Description The domain path at where policy is defined. The policy is applicable to the subtree of this domain path. The directory attribute this policy is defined for.

oblixWorkFlowResourceAuxClass
SubClassOf Description Class type PossSuperiors Naming This is the auxiliary class attached to oblixResourceOperationRule for WorkflowDB. Auxiliary

attribute Examples Attributes Description obworkflowname The workflow definition dn for which this policy is defined for. obwfstepid The step id of the workflow the policy is applied.

oblixGenericResourceAuxClass
SubClassOf Description Class type PossSuperiors Naming attribute Examples This is the auxiliary class attached to oblixResourceOperationRule for obObjDB. auxiliary

Attributes obResourceSid obResourceAttribute obobjectclass

Description ???? The directory attribute this policy is defined for. The structural class for which the policy is defined. The maximum number of subnodes specified by the container obsize limit. obcontainmentnotifylimit The % up to which notification should be sent.

oblixWebResourceAuxClass
SubClassOf Description This objectclass defines additional resource parameters. Class type Auxiliary PossSuperiors Naming attribute Examples

Attributes Obname

Description A unique id generated by ACCESS SYSTEM to identify the resource. This attribute defines a "filter" to a group of WebResources. The value of this glob pattern. for example:
obAbsPathPattern: /webgatetest/.../*.html

ObAbsPathPattern

This attribute defines the name-value pair to be matched in the query string. I obQueryStrNameValuePattern: <var_name>:<globpattern>

The <var_name> will be matched character by character with the query string <globpattern> part will be matched by globbing. Order of which these variabl query string is not important. for example: obQueryStrNameValuePattern: program:*.exe obQueryStrNameValuePattern: userid:use*1 obQueryStrNameValuePattern: param1:fo*

ObQueryStrNameValuePattern

the above values will match with these query strings http://www.company.com/frontpage.cgi? program=search.exe&userid=user1k1&param1=foo http://www.company.com/frontpage.cgi?program=search.exe&userid= user1k1&param1=foo&param2=bar http://www.company.com/frontpage.cgi?program=search.exe&userid= user1k1&param1=foo but will not match these http://www.company.com/frontpage.cgi?program=search&userid=cchan&p http://www.company.com/frontpage.cgi?program=search.exe&userid=ccha

This pattern will be matched directly with the query string. i.e. order of which appear in the query string matters. The variable must be in full name, i.e. vari cannot be matched as glob patterns. However values can be represented as a g for example: ObQueryStrPattern
obQueryStrPattern: program=*.exe&userid=u*1

but not,
obQueryStrPattern: pr*am=asdf.exe&u*d=use1k1

Obhostcontext

Value contains the obname value of the host identifier to which this oblixweb

applies.

OblixURLPrefix
SubClassOf Description top
This objectclass defines the resource protected by Access System and the policy domain to which the resource belongs.

Class type structural PossSuperiors oblixapplication Naming obname attribute Examples

Attributes

Description This is the naming attribute. It is generated by ACCESS SYSTEM by obname "munging" the URL prefix. We have an internal tool to do the conversion. A short informal description of the URL Prefix that will be displayed by obdescription the Access Manager. The attribute contains the obname value of the policy domain to which obSiteDomainID this URL prefix belongs. oburlprefix The munged value of the Resource. This attribute contains the obname value of the Host Identifier to which obhostcontext this URL Prefix belongs. Indicates the resource type. Resource types are added through the obResourceType System Console. For e.g. 0 indicates HTTP, 1 indicates EJB. obver The current release version.

oblixAuthenticationPolicy
SubClassOf Description top
This class represents the authentication rule for a given policy domain or policy.

Class type structural PossSuperiors Oblixresourceoperationrule, oblixsitedomain

Naming attribute Examples Attributes obname obdescription obdisplayname obschemeid obver

obname

Description The name of this object. It is used as the naming attribute. The description for this object. A human-readable and human-understandable name for the object. The current release version.

oblixPolicyRule
SubClassOf top This class represents the "If <Condition> then <Action>" semantics Description associated with a policy. This entry is used as a container for the Authorization Rules as well as the delegated admin rules. Class type structural PossSuperiors Oblixresourceoperationrule, oblixsitedomain, oblixpolicycontainer Naming obname attribute Examples Attributes obname Description A unique id generated by Access Manager to identify the policy. This is the naming attribute. This attribute indicates whether the policy rule is currently enabled or not. If the entry is that of a delegated admin then value of this attribute is always true and cannot be changed from the UI. When used in the Authorization Rule context, the value can either be TRUE or FALSE. This attribute groups conditions. As specified in the CIM draft, it has a complex format:
<group num>:<+|->:<condition>.

obpolicyRuleEnabled obpolicyRuleConditionList (m) (not in use)

for example:
1:+:People:cn=Tamara Weiss, ou=HQ, o=Company, c=US:: 1:+:role:ob_any:: 1:+:ruleURL:ldap\:///o=company,c=US??sub?

(pricingapppermission3=TRUE)::

The purpose of group number is to group conditions in different groups to apply more complicated boolean logic. The "+" factor implies the condition is to be taken as is, "-" implies it is to be negated. The CIM model defines <condition> as DN of a condition. We will use the condition's UID. For Palantir, we will not support grouping of conditions. However, for future extensibility purposes, we will still keep the group number in the format and simply not use it. This attribute indicates whether the list of policy conditions associated with this policy rule is in disjunctive normal form (DNF) or conjunctive normal form (CNF). Defined values are DNF(1) and CNF(2). If the value is "1", it means that all the conditions of obpolicyRuleConditionList must be evaluated to be true in order for the obpolicyRuleConditionListType oblixPolicyRule to be evaluated to be true. If the value is "2", it means that if any of the conditions in obpolicyRuleConditionList is evaluated to be true then the oblixPolicyRule is evaluated to be true. Access System currently uses only 2. Identity System Uses these. Not Sure how

obpolicyRuleActionList

obpolicyRuleDeniedActionList Identity System Uses these. Not Sure how This attribute contains DNs of obPolicyTimePeriodCondition that ObpolicyRuleValidityPeriodList determine when the oblixPolicyRule is scheduled to be active / inactive. (not in use) No order is implied. A non-negative integer for prioritizing this oblixPolicyRule relative to other oblixPolicyRules. A larger value indicates a higher priority. obpolicyRulePriority It is not used in Access System and a value of "1" is assigned to all obPolicyRule. Possible values for this attribute are: USER, ADMIN obpolicyKeyword The keyword is used to distinguish between two different types of policies - an Access Policy and an Admin Policy. obdescription The description for this object. obdisplayname A human-readable and human-understandable name for the object. This is used to determine if the timing condition associated with the obpolicytimingcondlocalorabs policy should be evaluated with respect to local time or absolute time obver The current release version.

oblixPolicyTimePeriodCondition
SubClassOf Description Class type PossSuperiors Naming attribute Examples This class provides a means of representing the time periods during which a policy rule is valid, i.e., active Auxiliary

Attributes obptpConditionTime

Description The range of calendar dates on which a policy rule is valid. The format of the string is
[yyyymmddhhmmss]:[yyyymmddhhmmss]

A mask identifying the months of the year in which a policy rule is valid. The format is a string of 12 ASCII "0"s and "1"s, representing the months of the year from January through December. obptpConditionMonthOfYearMask example: a policy which is valid only on May and December will have the following value for this attribute 000010000001 A mask identifying the days of the month on which a policy rule is valid. The format is a string of 62 ASCII "0"s and "1"s. The first 31 positions represent the days obptpConditionDayOfMonthMask of the month in ascending order, from day 1 to day 31. The next 31 positions represent the days of the month in descending order, from the last day to the day 31 days from the end. obptpConditionDayOfWeekMask A mask identifying the days of the week on which a policy rule is valid. The format is a string of seven ASCII "0"s and "1"s, representing the days of the week from Sunday through Saturday. example:

a policy which is valid from Monday to Friday will have the following value for this attribute 0111110 The range of times at which a policy rule is valid. If the second time is earlier than the first, then the interval spans midnight. The format of the string is
hhmmss:hhmmss

obptpConditionTimeOfDayMask

obptpConditionTimeZone

The definition of the time zone for this object. The format of the string is either
"Z" (UTC)

or
<"+"|"-"><hhmm>

oblixWRSCAction
SubClassOf Description Class type PossSuperiors Naming attribute Examples A class representing an action to be performed as a result of a policy rule auxiliary

Attributes

Description This attribute defines the URL, which the user will be redirected to obSuccessRedirect if the policy condition is evaluated to be true. for example: http://intranet/apps/hrpayroll/mypaycheck.html obSuccessProfileAttrs This attribute defines HTTP header variables to be returned when a (m) policy condition is evaluated to be true. It has the following format: <Return Type>: <var_name>:<attribute in person
objectclass>

The value to be returned is retrieved from the person's user profile. for example: to have Access System return the authenticated

person's First and Last name in HTTP header variables FULLNAME and LASTNAME, the oblixWRSCAction entry should contain the followings attributes:
obSuccessProfileAttrs:headerVar:FULLNAME:cn obSuccessProfileAttrs:headerVar:LASTNAME:sn

obSuccessFixedVals (m)

This attribute defines HTTP header variables to be returned when a policy condition is evaluated to be true. It has the following format: <Return Type>:<var_name>:<value> The value to be returned is fixed and predefined. for example: to have Access System return "true" in HTTP header variable "Authenticated", the oblixWRSCAction entry should contain the followings attribute:
obSuccessFixedVals:headerVar:Authenticated:true

obFailRedirect

This attribute defines the URL which the user will be redirected to if the policy condition is evaluated to be false. for example:
http://intranet/apps/errorpages/CustomAuthentFail. html

This attribute defines HTTP header variables to be returned when a policy condition is evaluated to be false. It has the following format: <return type>:<var_name>:<attribute in person
objectclass>

The value to be returned is retrieved from the person's user profile. for example: obFailProfileAttrs (m) to have Access System return upon a failed authentication the person's First, Last name and Organization in HTTP header variables FULLNAME,LASTNAME and ORGANIZATION, the oblixWRSCAction entry should contain the followings:
obFailProfileAttrs:headervar:FULLNAME:cn obFailProfileAttrs:headerVar:LASTNAME:sn obFailProfileAttrs:headervar:ORGANIZATION:ou

obFailFixedVals (m)

This attribute defines HTTP header variables to be returned when a policy condition is evaluated to be false. It has the following format: <return type>:<var_name>:<value>

The value to be returned is fixed and predefined. for example: to have ACCESS SYSTEM return "true" in HTTP header variable "Authenticated", the oblixWRSCAction entry should contain the followings attribute:
obFailFixedVals:headervar:Authenticated:true

oblixSiteDomain
SubClassOf top This objectclass defines the Policy Domain objects in the Access Description System Class type structural PossSuperiors oblixapplication Naming Obname attribute Examples

Attributes Obname Obdescription Obdisplayname ObEvalOrder

Description A unique id generated by ACCESS SYSTEM to identify the policy. This is the naming attribute. A short informal description of the site domain that will be displayed by the Access Man A human-readable and human-understandable name for the object. This name will be displayed by the Access Manager. This attribute defines the order in which the oblixResourceOperationRules of this policy domain will be evaluated. It has the format:
obEvalOrder: <obname_1>:<obname_2>:<obname_3>:...:<obname_n>:

in which the obnames are the obnames of the oblixResourceOperationRules. for example: A policy domain has four oblixResourceOperationRules and their DNs are:
dn: obname=19991221T2025490, obname=19991028T1959590, obapp=PSC, o=Oblix, o=Company, c=US dn: obname=19991028T2009020, obname=19991028T1959590, obapp=PSC, o=Oblix,

o=Company, c=US dn: obname=19991028T2010350, obname=19991028T1959590, obapp=PSC, o=Oblix, o=Company, c=US dn: obname=19991028T2021420, obname=19991028T1959590, obapp=PSC, o=Oblix, o=Company, c=US

and we want them to be matched in the order that is listed, then the obEvalOrder of the policy domain should be:
obEvalOrder: 19991221T2025490:19991028T2009020:19991028T201035 0:19991028T2021420:

This attribute defines the Admin Policy of the oblixSiteDomain. The values of this attrib ObPolicyRuleName should be the obname of an Admin Policy (an oblixPolicyRule with obpolicyKeyword (not in use) ADMIN). ObEnabled Indicates if the Policy Domain is enabled or not. ObVer Indicates the current version of the product

oblixAuthenticationPolicy
SubClassOf Description Class type PossSuperiors Naming attribute Examples Top This objectclass defines Structural Oblixapplication Obname

Attributes obname obdescription obdisplayname Obschemeid

Description A unique id generated by ACCESS SYSTEM to identify the policy. This is the naming attribute. A short informal description of the authentication policy that will be displayed by the Access Manager. A human-readable and human-understandable name for the object.This name will be displayed by the Access Manager. This defines the challenge scheme that this Authentication Policy will use. It should be the obname of the corresponding

oblixChallengeScheme Obver The current release version.

OblixChallengeScheme
SubClassOf Top Defines processing and mapping policies for an authentication scheme Description used by policy domains and web resources. Class type Structural PossSuperiors Oblixapplication Naming Obname attribute Examples

Attributes obname obtype obdescription obdisplayname ObMappingFilter (not in use) obDllPath (not in use)

Description A unique id generated by ACCESS SYSTEM to identify the policy. This is the naming attribute. Value is always set to LDAP A short informal description of the challenge scheme that will be displayed by the System Console. A human-readable and human-understandable name for the object. This name will be displayed by the System Console.

obChallengeMethod

obChallengeRedirect

This attribute defines the location of the DLL for custom authentication. It's a local path on the machine where AAA_server is running. for example: e:/docs/oblix/apps/customEval.exe This attribute defines the challenge type for Authentication. Possible values are 0x00 - indicating no credentials required 0x01 - username and password required 0x02 - X509 certificate required 0x04 Form credentials required 0x08 SSL Required 0x10 External Credentials The URL to which WebGate will redirect the user's browser if necessary.

Challenge URL method Basic over https://serverhost.domain.com HTTPS Form (local to /URLpath/login-form web server) Form (on another http(s)://serverhost.domain.com/ web URLpath/login-form server) obLevel

Example https://mymachine.oblix.com

/login.html

https://mymachine.oblix.com/ login.html

An integer value specifying the authentication level of the scheme: larger values are more secure. If omitted, the default level is 1. A custom processing library specification, of the form
plugin?priority?parameters

where
plugin is the file name of the library (on the AAA Server host) and priority is a positive integer; priority order is 1, 2,... If omitted, priority

is

obcustomlib

1.
parameters is a list of name-value pairs There can be multiple custom processing libraries for a scheme, with execution ordered by priority. The parameters are name-value pairs that are comma separated. The value must be surrounded by quotes. ie. name="value", name2="value2"

A parameter used in the authentication challenge between the web server and the browser. The format is name:value. This is intended to be extensible to meet future challenge requirements. For Basic authentication this value must have realm: at the beginning, see example below. Value example obchallengeparameter realm name used realm in BASIC realm:Profile Access Site challenge loginTarget CGI program loginTarget:/oblix/logintest/loginHandler.cgi that is the POST target of a login form Obselectionfilter (not in use) ObMappingBase name

(not in use) ObCredentialPassword (not in use) ObAnonUser (not in use) obver The current release version.

oblixWebGateConfig
SubClassOf Description Class type PossSuperiors Naming attribute Examples top
This class contains all the webgate / access gate parameters.

structural Oblixapplication Obname

Attributes obname

Description The name of this object. It is used as the naming attribute. The host name for the WebServer on which the WebGate is obHostName installed. The port number for the WebServer on which the WebGate obPort is installed. This indicates the maximum number of connections that can obmaxaaaserverconnections be established between the WebGate and Access Server This value indicates if the WebGate is running in the debug obdebug mode or not. Value of OB_TRUE/true indicates debug is on. The session time out between Webgate and AAA server if obmaxaaasessiontime the session is idle. The minimum number of AAA server to alive otherwise obfailoverthreshold failover will happen. Frequency to detect if AAA server is alive. Default is every obsleepfor 60 seconds. obaaaprimaryserverid This attribute indicates which Access Server is the primary access sever for the webgate to communicate with. The

value of this field is the obname attribute of the Access Server entry. This attribute indicates which Access Server is the secondary access sever for the webgate to communicate obaaasecondaryserverid with. The value of this field is the obname attribute of the Access Server entry. obisencrypted The transport security mode. Can be open, simple, cert. The sso cookie maximum sesseion timeout. SSO cookie obmaxsessiontime will be invalid when this number is reached. The maximum elements per cache. Cache will be rotated obmaxwebgatecacheelems when this number is reached. The maximum amount of time an element can be in the obwebgatecachetimeout cache. The time stamp. It is used to determine if the webgate obtimestamp configuration has been changed. obPrimaryCookieDomain The domain assigned to the cookie set. obIdleSessionTimeout The maximum time a cookie can be idle. If set, the host will be used by webgate regardless the host obPreferredHost in the url. obAccessClientPasswd The password used to connect to AAA server. obver The current release version. obService Used for AM engine if it is used. The timeout threshold to determine if COREid is reachable. obServerTimeoutThreshold It is used in case of tcp connection lost for example.

oblixWebResourceSearchList
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obsearchlist Contains list of objects that can be searched on from the Search functionality in the Access Manager auxiliary

Description Takes values SD; WROR. SD indicates you can search on display name of Policy Domain. WROR indicates you can search on display name of Policies.

oblixWRSSearchResultColumns
SubClassOf Description top
This is used to determine what attributes need to be displayed in the search results. The search functionality in Access Manager allows one to search on the policy domain name and policy name.

Class type structural PossSuperiors oblixapplication Naming obname attribute Examples Attributes obname Description The name of this object. It is used as the naming attribute. This attribute indicates which all columns need to be displayed in the search results. Values for this are SDName, WRORName; AuthentPolicyName; AuthorPolicyName; URLPrefix SDName : Display Name of Policy Domain obsearchresultcolumns WROR Name : Display Name of Policy AuthentPolicyName : Display Name of the Authentication Rule AuthorPolicyName : Display Name of the Authorization Rule URLPrefix : URL Prefix value obver The current release version.

oblixPSCConfig
SubClassOf Description
This is an auxillary class and contains top level configuration information for Access System Product. It contains the root directory for the resource, the attributes from a users entry which need to be cached.

Class type auxiliary PossSuperiors Naming attribute Examples Attributes Description obuserattrstocache Contains the list of user attributes that need to be cached. For e.g. lets say the audit rule says audit cn, sn and the Authentication rule

obUrlMatching obrootdir

action says return cn in header variable HTTP_CN. For both these rules the attributes needed are cn and sn. We have 2 rules referencing cn and one referencing sn. Hence the value of the obuserattrstocache would be cn=2:sn=1. This attribute is not being used since 5.0. OblixResourceType:obResourceMatching replaces this attribute This attribute indicates your root directory. For e.g. most commonly the value of this attribute is /. This indicates all the resource to be managed by the Access System are under the root dir /

oblixAAAEngineConfig
SubClassOf Description Top
This is an auxillary class which contains all the parameters used by the Access Server for the Access Engine like the cache timeouts, audit file/ audit interval related information.

Class type Auxiliary PossSuperiors Naming attribute Examples Attributes obauditfilename obmaxauditfilesize obauditfilerotationinterval Description Value of this attribute indicates the audit file name to be used Value of this attribute indicates the maximum size in bytes of the audit file. Indicates how often the audit file needs to be rotated. File Rotation Interval is specified in seconds Indicates the Audit buffer size. So if the buffer size is 100 bytes, then when the Access server has data equal to or more than 100 bytes it will write the data to the audit file. Indicates the maximum number of elements in the user cache Indicates the time out associated with the elements in the user cache Indicates the maximum number of elements in the policy caches. Indicates the time out associated with the elements in the

obauditbuffersize

obmaxusercacheelems obusercachetimeout obmaxpolicycacheelems obpolicycachetimeout

policy caches This attribute specifies the refresh period for the following components Authentication: "Maximum elements in User Cache" "User Cache Timeout" "Password Poolicy Reload Period" Authorization: "URL Prefix Reload Period" obengineconfigrefreshperiod "Maximum Elements in Policy Cache" "Policy Cache Timeout" Audit: "Audit File Name" "Audit File Size" "Buffer Size" "File Rotation Interval" It will also reload the revoked user list. Indicates the time in seconds after which the url prefixes oburlprefixreloadinterval need to be reloaded. Indicates the time in seconds after which the password obpasswordpolicyreloadinterval policies need to be reloaded. There is a audit buffer flush interval in the code... but obauditbufferflushinterval there is no UI to change it and this attribute is not used. Hence the aaa engine uses a default of 10 (seconds).

OblixAuditPolicy
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obname top Contains the Audit Policy for the Policy Domains and Policies structural Oblixresourceoperationrule, oblixsitedomain obname

Description The name of this object. It is used as the naming attribute.

Indicates which all events need to be audited. Authentication Failure, Authentication Success, Authorization Failure, Authorization Succes. obauditevent Values stored in the directory for each of these events are AUTHN_FAIL; AUTHN_SUCCESS; AUTHZ_FAIL;AUTHZ_SUCCESS obauditprofileattrs Indicates which user profile attribute need to be audited. For e.g. cn,

sn etc. obver The current release version.

oblixMasterAuditPolicy
SubClassOf oblixauditpolicy This is the master audit rule, which will be used in case there is no audit rule specified at the policy domain or policy level. If there is an audit Description rule defined at the policy domain or policy level, then the obauditevent attribute can be overridden but the obauditprofileattrs gets appended to the attribute list at the policy domain or policy level Class type Structural PossSuperiors oblixapplication, oblixpolicycontainer Naming Obname attribute Examples Attributes obname obAuditFields Description The name of this object. It is used as the naming attribute. Order in which auditing information displays in reports. Oblix recommends the Audit Format Rule field follow this structure: StaticString%DataType%StaticString%DataType%... The leading static string can be an empty string, but the rest of the static strings, including the ending static string, should contain static text. For example: %ob_datetime% - %ob_event% - %ob_url% - %ob_userid% :: %ob_wgid ; NetPoint supports the following data types for audit records:

ob_date

ob_datetime

Corresponds to date only. It does not include the time of the event unless the date format is ISO. Corresponds to date and time. The date is logged in the format specified in the master audit policy. The time is logged as

hh:mm:ss. The time is always the GMT time on the web server that received the HTTP request, followed by the web server's offset from GMT. ob_event String corresponding to the event that occurred. Event can be one of the following: Authentication Success, Authentication Failure, Authorization Success or Authorization Failure. ob_ip IP address of the browser submitting the request. ob_operation HTTP operation, such as GET, PUT, POST, or others. ob_serverid Corresponds to the ID of the Access Server that is auditing this information. ob_time Corresponds to the GMT time at which the event occurred on the web server. Time is always logged as hh:mm:ss+/- offset from GMT on web server. ob_time_no_offset Corresponds to the GMT time on the AccessGate, but no GMT offset is logged. Time is logged as hh:mm:ss. Master access administrators and delegated access administrators cannot change these settings. ob_url Request url. ob_userid Contains the user's DN if the user was successfully authenticated. If the user was not authenticated, or in addition to the DN, it may also contain any other information the authentication module of the Access Server wanted to audit (such as password used by the anonymous user or any certificate fields). For a regular user entry that exists in the directory server and who is not logging in as "anonymous", the password is not logged to the audit log. ob_wgid ID of the AccessGate that received the request. Field separator The default is " - " (space/dash/space). Note: If you want to use the DBImport Tool utility, you must use a field separator obDateType Specifies the date format. For e.g. you can have the date is

dd/mm/yyyy, mm/dd/yyyy, Integer format, ISO 8601 format, ISO 8601 generalized format, yyyy/mm/dd, yyyy/dd/mm obDateSeparator obEscapeChar This is used but has no UI for it. The default is "/". Escape character for the audit logged. This helps logged information appear correctly in reports. Specifies the audit event map. For e.g. AUTHN_SUCCESS:Authentication_Success; AUTHN_FAIL:Authentication_Failure; AUTHZ_SUCCESS:Authorization_Success; AUTHZ_FAIL:Authorization_Failure

obRecordSeparator Used but again no UI for it. The default is "\n"

obAuditEventMap

obKeyValSeparator Default to be "=", again no UI for it. obListItemSeparator This is used in the code, but again no UI, defaults to ", " obver The current release version.

oblixApplicationAuditInfo
SubClassOf

top This object class the logging and auditing policies. The global one is stored in obname=comm Description specific ones are stored in obname=userservcenter, obname=groupservcenter, etc. Class type structural PossSuperiors oblixpolicycontainer Naming obname attribute obname=common,obpolicyContainerId=WebResrcDB,obcontainerId=Policies,ou=oblix,o=co obname=userservcenter,obpolicyContainerId=WebResrcDB,obcontainerId=Policies,ou=oblix Examples obname=groupservcenter,obpolicyContainerId=WebResrcDB,obcontainerId=Policies,ou=obl obname=objservcenter,obpolicyContainerId=WebResrcDB,obcontainerId=Policies,ou=oblix, obname=corpdir,obpolicyContainerId=WebResrcDB,obcontainerId=Policies,ou=oblix,o=com Attributes obname Description The name of this object. It is used as the naming attribute. The application log level. Can be 0 - DEBUG 1 - INFO 2 - WARNING, 3 - ERROR 4 -NOLOGGING The attributes to be logged by default.

obLogLevel

ObProfileAttrs

ObAppEventInfo

The event specific setting. This list varies for each application. Login:ON:3:UID: - Login is on. Enable. For both success and failure. Logout:ON:3:UID: Licence:ON:3:UID: PasswordManagement:ON:3:UID: The current release version.

obver

oblixAAAServerConfigInfo
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obname obhostname obport obdebug obdebugfilename obthreads obisencrypted obmaxaaasessiontime obver ObService Top Structural oblixapplication Obname

Description The name of this object. It is used as the naming attribute. The host name for the AAA server. The port number of the AAA server. Attribute to turn on Access Server debugging Indicates the debug file name The number of threads configured for the access server This attribute defines the transport security mode This attribute though stored in the directory when a new access server entry is created is not used. The current release version. Talk to Christine

oblixWRSCAdminCommon
SubClassOf Description Class type PossSuperiors Naming attribute Top
This class contains which HTTP operations are supported.

Structural oblixapplication Cn

Examples Attributes cn obhttpoperations Description Naming attribute. Its value is WRSC Admin Common Object

Indicates the HTTP operations on which policies can be set. Values are GET:POST:PUT:HEAD Indicates some more HTTP operations on which policies can be obmorehttpoperations set. Values are DELETE:TRACE:OPTIONS:CONNECT:OTHER Obsharedsecret (not in use) Obsecretrecycletime (not in use) Obsecretsize (not in use) Obtimestamp (not in use) obver The current release version.

oblixHostId
SubClassOf Description top
This class represents all the host and port variations for a given host. For e.g. company.com can be addressed as company.com:80, or company.net:80. This class contains the list of all possible identifiers.

Class type structural PossSuperiors oblixapplication Naming obname attribute Examples Attributes obname obdescription obdisplayname obhostnameport obver Description The name of this object. It is used as the naming attribute. The description for this object. A human-readable and human-understandable name for the object. Host name and port combinations. All possible identifiers for the host The current release version.

oblixGSN

SubClassOf Description

top
This class is used in the cache flushing mechanism. It contains a global sequence number which represents the flush request number. The GSN gets incremented by every cache flush request.

Class type structural PossSuperiors oblixapplication Naming obseqno attribute Examples Attributes obseqno obver Description This is the global sequence number used in the cache flushing mechanism. This entry gets updated every time any entry is written to the directory with the update Cache turned on. The current release version.

OblixSyncRecord
SubClassOf Description top
This object is written to the directory for every cache flush request. This object describes what component has been flushed and what policy domain or policy it belongs to.

Class type structural PossSuperiors oblixmgmtnode Naming obsyncrequestno attribute Examples Attributes Description Anumber starting from 1, new sync request will have a value of <max obsyncrequestno obSyncRequestNo in the DS> + 1 Unique ID of the componenet that we are trying to flush, the value obcompid changes depend on the flush type. If we are flushing a URL, then this contains the <resourcetype_no>:<URL>. Unique ID of the componenet that we are trying to flush. This is the obcompsdid policy domain ID of the component that we are trying to flush. Ynique ID of the componenet that we are trying to flush. This is the obcompwrorid policy ID of the component that we are trying to flush. obsyncrequesttype 0 is url prefix, 1 is SD, 2 is policy, 3 is authentication scheme, 4 is default authentication rule,

5 is authentication rule, 6 is default authz rule, 7 is policy authz rule, 8 is default audit rule, 9 is policy audit rule, 10 is user, 11 is host identifier, 12 is password policy, 13 is password policy redirect url, 14 is unknown, 15 is authz scheme, 16 is all password policies obsyncchangetype 0 indicates an ADD, 1 is MODIFY, 2 is DELETE obsynctime obver The sync record creation time The current release version.

oblixMgmtNode
SubClassOf Description top
This is the container node for all the syn records. All oblixsyncrecord objects are stored below this node.

Class type structural PossSuperiors oblixapplication Naming cn attribute Examples

Attributes cn obver

Description The name of this object. It is used as the naming attribute. The current release version.

oblixAAAServerIDNode
SubClassOf Description Top ObName of this entry is used on the WebGate entry to identify which Access Server the webgate should communicate with. ObAAAPrimaryServerID and obAAASecondaryServerID attributes in the WebGate entry contains the obname of oblixAAAServerIDNode

Class type structural PossSuperiors oblixapplication Naming obname attribute Examples Attributes Obname Observerid obmaxaaaserverconnections Obver Description The name of this object. It is used as the naming attribute. Contains the DN of the Access Server Indicates the maximum number of connections from the WebGate to Access Server The current release version.

oblixWebpassConfigInfo
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes obname obhostname top This object class defines the webpass configuration information. structural oblixpolicycontainer obname Obname=webpassdefault, obpolicyContainerId=WebResrcDB, obcontainerId=Policies, ou=oblix, o=company, c=us Description The name of this object. It is used as the naming attribute.

The host name for the WebServer on which the Webpass is installed. The port number for the WebServer on which the Webpass is obport installed. This indicates the maximum number of connections that can obmaxoisserverconnections be established between the Webpass and COREid Server This value indicates if the Webpass is running in the debug obdebug mode or not. Value of OB_TRUE/true indicates debug is on. The session time out between webpass and COREid server if obmaxoissessiontime the session is idle. The minimum number of COREid server to alive otherwise obfailoverthreshold failover will happen.

obsleepfor

oboisprimaryserverid

oboissecondaryserverid obisencrypted obmaxsessiontime (not in use) obmaxwebpasscacheelems (not in use) obwebpasscachetimeout (not in use) obprimarycookiedomain (not in use) obidlesessiontimeout (not in use) obtimestamp obpreferredhost (not in use) obver obServerTimeoutThreshold

Frequency to detect if COREid server is alive. Default is every 60 seconds. This attribute indicates which COREid Server is the primary access sever for the webpass to communicate with. The value of this field is the obname attribute of the COREid Server entry. This attribute indicates which COREid Server is the secondary access sever for the webpass to communicate with. The value of this field is the obname attribute of the COREid Server entry. The transport security mode. Can be open, simple, cert.

The time stamp. It is used to determine if the webpass configuration has been changed.

The current release version. The timeout threshold to determine if COREid is reachable. It is used in case of tcp connection lost for example.

oblixOISServerConfigInfo
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes top This object class defines the coreid server configuration information. structural oblixpolicycontainer obname Obname=ois, obpolicyContainerId=WebResrcDB, obcontainerId=Policies, ou=oblix, o=company, c=us Description

obname obhostname obport obdebug obdebugfilename obthreads obisencrypted obmaxoissessiontime obAuditFileName obAuditBufferSize obAuditMaxFileSize obAuditFileRotationInterval obAuditFileFlushInterval obAuditFlag

The name of this object. It is used as the naming attribute. The host name for the COREid server. The port number for the COREid server. Attribute to turn on COREid Server debugging The debug file name and location. The number of threads configured between webpass and COREid server. The mode between webpass and COREid server. The transport security mode. Can be open, simple, cert. The session time out between webpass and COREid server if the session is idle. The audit file name and location. The buffer size set for the audit file. The max size for the audit file. The time interval to rotate the audit file. Will rotate file when time interval reached. The time interval to flush the audit file. Will flush the cache when time interval reached. The flag indicating whether audit is on. The date type. Can be ddddd mm/dd/yyyy dd/mm/yyyy yyyy-mm-ddThh:mm:ssTZD yyyymmddhhmmss.0TZD The separator used as delimiter in the corresponding date type. The log file name and location. The max size for the log file. When this size is reached, the file will be rotated. The scope file name and location. The time interval to rotate the scope file. Will rotate file when time interval reached. ????? Character used as escape character. The time interval to rotate the log file. Will rotate file when time interval reached. The time interval to flush the log file. Will flush the cache when time interval reached.

obDateType

obDateSeparator obLogFileName obLogFileMaxSize obScopeFileName obFileRotateInterval obAuditFields obEscapeChar obLogFileRotationInterval obLogCacheFlushInterval

obLogCacheMaxSize obver

The maximum cache size for the log information. Will write to the cache when max size reached. The current release version.

oblixOISServerIDNode
SubClassOf top This object class contains information for webpass to use to find the Description COREid server configuration information. Class type structural PossSuperiors oblixpolicycontainer Naming obname attribute obname=20021119535T5353, obcontainerId=WebRescDB, Examples obcontainerId=Policies, ou=oblix, o=company, c=us

Attributes obname observerid

Description The generated id for this object. It is used as the naming attribute. The dn of the instance of oblixOISServerConfigInfo (COREid configuration info) The current release version.

obmaxoisserverconnections The maximum connections to the COREid server. obver

OblixAuthzPluginScheme
SubClassOf Description top
This object contains the basic information about the plug-in that a delegated access administrator is not likely to know.

Class type structural PossSuperiors OblixApplication Naming obname attribute Examples

Attributes obname obdisplayname obdescription obCustomLib

Description The name of this object. It is used as the naming attribute. A human-readable and human-understandable name for the object. The description for this object. Path of the plug-in dll or shared library. Depending on the platform, the Access Server will append .dll or .so to this path. This path can be absolute. If not Access Server will prepend <Access Server install dir>/oblix/lib to it A multi-valued attribute. Values will be stored as name:value. If the Master Access Administrator did not specify any values, only the name will be stored as name:. A multi-valued attribute. Values will be stored as name:value. If the Master Access Administrator did not specify any values, only the name will be stored as name:. A multi-valued attribute containing information about users profile information to be passed to the plug-in. The DN will be represented by name:obuniqueid

obRequiredParams

obOptionalParams

obUserProfileAttrs ObRequestContextParams (not in use) Obver

The current release version.

OblixCustomAuthzCondition
SubClassOf Description top
This class represents the custom authorization rules. The custom authorization rules are stored as custom conditions below the oblixpolicyrule and contain the authorization plugin scheme id to which this rule maps.

Class type structural PossSuperiors oblixPolicyRule Naming obname attribute Examples Attributes obname obdisplayname obdescription Description The name of this object. It is used as the naming attribute. A human-readable and human-understandable name for the object. The description for this object.

obpolicyConditionOrder Specifies the order in which this custom condition is invoked.

This is not used in 4.6 (Talk to Christine) Specifies if the plug-in is configured as an authorization plug-in obpolicyConditionUsage or post authorization plug-in obschemeID ID of the authorization plug-in scheme this condition uses 1. A multi-valued attribute. Values will be stored as name:value*. Condition level required parameters are required parameters for which no value is specified in the authorization scheme. A delegated administrator: 1. must provide values for all these parameters, 2. can not add or delete any required parameter. 1. A multi-valued attribute. Values will be stored as name:value*. Condition level optional parameters are optional parameters for which no value is specified in the authorization scheme and a delegated administrator can provide a value. If a delegated administrator does not specify a value for an optional parameter, it will not be stored at the condition level. A delegated administrator: 1. need not provide values for all these parameters, 2. can not add or delete any optional parameter.

obRequiredParams

obOptionalParams

obAdditionalParams obver

A multi-valued attribute. Values will be stored as name:value*. These parameters are not configured in the authorization scheme but represent additional parameters a delegated administrator may choose to pass to the plug-in for a given resource The current release version.

oblixResourceType
SubClassOf Description top
This class allows administrators to define the various resources types. Examples of resource types are http, ejb etc. This class also contains the operations that are allowed on the resource type.

Class type structural PossSuperiors oblixContainer Naming obname attribute Examples Attributes obname obSchemeName Description The name of this object. It is used as the naming attribute. Unique name for the new resource type.

obResourceType obDisplayName obResourceMatching

Value is always URI (??? Talk to Christine) A human-readable and human-understandable name for the object. Indicates whether to perform Case sensitive or case insensitive matching. Specify the available resource operation(s). Click the + and - signs to add or delete fields as necessary. Valid resource operations for HTTP resources are:

CONNECT Handshakes with a URL. DELETE Deletes information from the URL, or deletes the URL itself. GET Retrieves information from the URL. Obtains information about the resource without HEAD making changes to the URL. obResourceOperation OPTIONS Obtains information about HTTP methods available to and from the URL. OTHER Non-standard, custom operation. POST Copies information to the URL. PUT Replaces a file or document in the URL. TRACE Views information about what the URL is receiving. Note: For HTTP resource types, you can specify a custom operation; however, NetPoint interprets it as an OTHER operation.

obver

The current release version.

oblixEncryptionKey
SubClassOf Description Class type PossSuperiors Naming attribute Examples Attributes top structural Oblixconfig, oblixcontainer cn

Description

cn obSharedSecret obSecretSize obTimeStamp obCipher obver Contains the cipher (rc4 or rc6) used by webgate to encrypt the sso cookie

obESSJCMapping
SubClassOf Description Class type PossSuperiors Naming attribute Examples top This is the objectclass that stores Control-SA ESS Job Code information structural oblixconfig, oblixContainer obESSjcname ObESSjcname = sales, o=Oblix, o=Company, c=US Description The is the key value of this objectclass This is the job code value. This indicates whether approval is required. This indicates whether the job code is viewable or not. This indicates email processing is needed or not for the job code value. This indicates the user group associated with the job code. This stores the tuple information of (usergroup, job code).

Attributes obESSjcname obESSJobCode obESSApprovalFlag obESSViewableDomains obESSEmailFlag obESSUserGroup obESSUGJC

oblixAuxBMCPersonInfo
SubClassOf Description Class type PossSuperiors This is the auxiliary class that stores additional information for BMC Control-SA ESS Enterprise User auxiliary

Naming attribute Examples Attributes obBMCJobCode obBMCEnterpriseID obBMCMachineName obBMCMachineType obBMCUserGroup Description This indicates the job code values associated with this user. This indicates the unique Enterprise ID used by the ESS server. This indicates the machine name values associated with the user. This indicates the machine type values associated with the user. This indicates the user group values associated with the user. This indicates the user group and machine info relationship obBMCUGRelation associated with the user. obBMCRSSUserName This stores the RSS user names associated with the user.

obESSLockingInfo
SubClassOf Description Class type top Objectclass used to store state information for NetPoint Provisioning Module and Bridge. structural oblixconfig PossSuperiors oblixContainer Naming obStatusName attribute Examples ObStatusName=200292847471781,obcontainerId=ESSProv,o=Oblix,o=Company,c=US Attributes obStatusName Description This is the key value for this objectclass. This indicates which COREid server (by ID) is processing this entry obWhichOIS of obESSLockingInfo. obLockStatus This indicates the status of the ESS Lock. obESSTimeStamp This indicates the time this entry is being processed. This indicates the URL to be sent back to the workflow engine when obESSSuccessURL ESS backend process is successful. This indicates the URL to be sent back to the workflow engine when obESSFailURL ESS backend process is failed. This stores the unique transactions ESS external ID associated with obESSExteralID this ESSLockingInfo entry.