Functional Overview

This section gives a quick overview of the various functional components.

The following diagram shows the functional components of the virtual member manager. The items with the white background are not part of the virtual member manager functions, but are provided by the application or are additional plug-ins.

Figure 1. Functional components of virtual member manager
The illustration shows the structure of virtual member manager and how it integrates with other applications.
At runtime, applications can interact with virtual member manager:
  • By calling the virtual member manager API. Virtual member manager version 6.1 supports two versions of the virtual member manager API: a Service Data Objects (SDO)-based plain Java API and an SDO-based stateless session EJB API.
  • By calling the J2EE Security API, which invokes the WebSphere Application Server Security implementation of the JAAS framework, which in turn calls the virtual member manager. Virtual member manager provides a user registry (UR) adapter that acts as the integration point between WebSphere Application Server Security and virtual member manager. The virtual member manager UserRegistry is one of the four user registry choices supported by WebSphere Application Server Security: LDAP, LocalOS, virtual member manager, and Custom. The virtual member manager UR delegates operations to the virtual member manager core (represented by the virtual member manager Runtime API box in the diagram).

Virtual member manager can also be invoked by using the virtual member manager User Management GUI and the wsadmin command line interface. Virtual member manager provides some commands and tasks to be plugged into the WebSphere Application Server Admin Command Framework. The commands and tasks are used by the GUI and wsadmin.

Virtual member manager provides operations such as create, get, update, delete, and search for organizational entities. The syntax for search filters is XPath 1.0. All requests to virtual member manager are access controlled. Virtual member manager processes the requests by delegating some or most of the work to the underlying virtual member manager repository adapters. The adapters enable virtual member manager to interact with different types of repositories. All virtual member manager repository adapters implement the virtual member manager Repository SPI.
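Because search filters are XPath 1.0 expressions, any value an application copies from a caller into a filter must be rendered as an XPath string literal rather than spliced in as text. The following is an added example, not code from the virtual member manager documentation or product: it builds a filter from an allowlisted entity type and property name plus a caller-supplied value, and handles the XPath 1.0 edge case that string literals have no escape character (a value containing both quote kinds must be assembled with `concat()`). The expression shape `@xsi:type='PersonAccount' and uid='...'` is assumed to match the virtual member manager search control syntax; the allowlists are constructed for this example.

```python
# Added example (not virtual member manager code): building an XPath 1.0 search
# expression from caller-supplied values. The expression shape is assumed to
# follow the virtual member manager search control syntax; the allowlists
# below are constructed for this example.

# Entity types named in the text; a real deployment would derive these from
# the schema service rather than hard-code them.
ALLOWED_ENTITY_TYPES = {"PersonAccount", "Group", "LoginAccount"}
# Constructed allowlist of properties an application permits searching on.
ALLOWED_SEARCH_PROPERTIES = {"uid", "cn", "sn", "mail"}


def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside string literals, so:
      - a value without single quotes is wrapped in single quotes,
      - a value with single quotes but no double quotes is wrapped in double quotes,
      - a value containing both is assembled with concat() around the single quotes.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in pieces) + ")"


def build_search_expression(entity_type: str, prop: str, value: str) -> str:
    """Return a filter matching entities of entity_type whose prop equals value.

    The entity type and property name come from fixed allowlists, so a caller
    can choose which attribute to search but cannot supply filter syntax; the
    value is always emitted as a literal, whatever characters it contains.
    """
    if entity_type not in ALLOWED_ENTITY_TYPES:
        raise ValueError(f"unsupported entity type: {entity_type!r}")
    if prop not in ALLOWED_SEARCH_PROPERTIES:
        raise ValueError(f"unsupported search property: {prop!r}")
    return f"@xsi:type={xpath_literal(entity_type)} and {prop}={xpath_literal(value)}"


if __name__ == "__main__":
    print(build_search_expression("PersonAccount", "uid", "jdoe"))
    # A surname with an apostrophe is a normal input that naive quoting breaks.
    print(build_search_expression("PersonAccount", "sn", "O'Brien"))
```

The property allowlist is the part that matters for access control: the text says every request is access controlled, but that control applies to the entities and properties the filter names, so the application should decide which properties a caller may search on rather than forward arbitrary filter text.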

Virtual member manager supports the following types of repositories out-of-the-box: file, database, LDAP, and virtual member manager custom repositories. The file repository is a simple file-based repository with a virtual member manager-defined schema. The database repository is a database with a virtual member manager-defined schema. Virtual member manager is able to adapt to commonly used schemas for LDAP and can use existing LDAP directories. Various brands of databases and LDAP directories are supported.

A customer who has a repository that cannot be supported out-of-the-box can develop a custom virtual member manager repository adapter. Virtual member manager can use multiple repositories simultaneously. Virtual member manager also provides a property extension repository to contain properties for organizational entities that cannot be stored in the main profile repository. Administrators who configure virtual member manager and programmers who develop applications using the virtual member manager API can make use of the property extension feature. When the virtual member manager Runtime API is invoked, virtual member manager transparently joins the properties for an entity from its main profile repository and the property extension repository. The joined information is returned to the caller. The existence of the property extension is not visible through the virtual member manager Runtime API.

Extensions to the virtual member manager core are made by using plug-ins. Virtual member manager has a generic plug-in service that enables the core virtual member manager code to be extended with additional functions for policy management, event notification, manipulation of group membership, and so forth. Virtual member manager exploiters (or customers) need to provide the plug-ins. Virtual member manager uses the generic plug-in service to plug in code to handle organizational views.

An application can use the Realm support to tell virtual member manager the subset of organizational entities it wants to deal with. For example, if the organizational entities in virtual member manager represent the employees (the people, the groups, and their login accounts) in IBM®, an application might only want to deal with a subset of the population (for example, only those from IBM US and IBM Canada). In virtual member manager the application can configure a realm that is made up of the populations from IBM US and IBM Canada. When the application invokes virtual member manager, virtual member manager only operates on that subset of the population.
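The two behaviours described above, the transparent join of main-profile and property-extension properties and the restriction of operations to a realm, are illustrated by the following added example. It is a toy model written for this page, not virtual member manager code: repositories, base entries, entity names and property names are all constructed, a realm is modelled as the set of base entries that participate in it, and the property extension repository as a map from an entity's unique name to its extra properties.

```python
# Added example (not virtual member manager code): a toy model of realm
# scoping and of joining main-profile properties with property-extension
# properties. All repositories, base entries and entity data are constructed.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Repository:
    """One profile repository (for example an LDAP directory) and the base entries it serves."""
    name: str
    base_entries: Set[str]
    entities: Dict[str, Dict[str, str]] = field(default_factory=dict)  # uniqueName -> properties


@dataclass
class Realm:
    """The subset of the population an application wants to work with,
    expressed as the base entries that participate in the realm."""
    name: str
    base_entries: Set[str]


def in_realm(unique_name: str, realm: Realm) -> bool:
    """Simplified DN suffix check; real DN matching also normalises case and spacing."""
    return any(unique_name == be or unique_name.endswith("," + be) for be in realm.base_entries)


class VirtualMemberManager:
    def __init__(self, repositories: List[Repository],
                 extension: Dict[str, Dict[str, str]], realm: Realm):
        self.repositories = repositories
        self.extension = extension  # property extension repository: uniqueName -> extra properties
        self.realm = realm

    def _join(self, unique_name: str, profile: Dict[str, str]) -> Dict[str, str]:
        """Return the main-profile properties merged with any extension properties.
        The two stores are meant to hold disjoint properties; on a collision the
        main profile wins, so a misconfigured extension cannot override it."""
        joined = dict(profile)
        for prop, value in self.extension.get(unique_name, {}).items():
            joined.setdefault(prop, value)
        return joined

    def get(self, unique_name: str) -> Optional[Dict[str, str]]:
        """Fetch one entity; entities outside the realm are not visible at all."""
        if not in_realm(unique_name, self.realm):
            return None
        for repo in self.repositories:
            profile = repo.entities.get(unique_name)
            if profile is not None:
                return self._join(unique_name, profile)
        return None

    def search(self, prop: str, value: str) -> List[str]:
        """Return unique names of in-realm entities whose (joined) prop equals value.
        Repositories that serve no base entry of the realm are skipped entirely."""
        matches = []
        for repo in self.repositories:
            if not (repo.base_entries & self.realm.base_entries):
                continue
            for unique_name, profile in repo.entities.items():
                if in_realm(unique_name, self.realm) and \
                        self._join(unique_name, profile).get(prop) == value:
                    matches.append(unique_name)
        return matches


def build_sample() -> VirtualMemberManager:
    """Constructed sample: three regional directories, one extension store,
    and a realm covering two of the three regions."""
    us = Repository("ldap-us", {"o=ibm-us"}, {
        "uid=jdoe,o=ibm-us": {"uid": "jdoe", "sn": "Doe", "mail": "jdoe@example.com"},
    })
    ca = Repository("ldap-ca", {"o=ibm-ca"}, {
        "uid=asmith,o=ibm-ca": {"uid": "asmith", "sn": "Smith"},
    })
    uk = Repository("ldap-uk", {"o=ibm-uk"}, {
        "uid=bjones,o=ibm-uk": {"uid": "bjones", "sn": "Jones"},
    })
    # costCenter lives only in the property extension repository.
    extension = {"uid=jdoe,o=ibm-us": {"costCenter": "4711"}}
    realm = Realm("northAmerica", {"o=ibm-us", "o=ibm-ca"})
    return VirtualMemberManager([us, ca, uk], extension, realm)


if __name__ == "__main__":
    vmm = build_sample()
    print(vmm.get("uid=jdoe,o=ibm-us"))     # profile plus costCenter, joined transparently
    print(vmm.get("uid=bjones,o=ibm-uk"))   # outside the realm: None
    print(vmm.search("sn", "Smith"))
```

The point of the realm check sitting inside `get` and `search` rather than in the application is the one the text makes: once the realm is configured, every operation the application issues is scoped to that population, so an entity from a non-participating base entry is neither returned nor searchable.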

Besides create, get, update, delete, and search, virtual member manager provides a few security operations such as check password and map certificate. These operations are part of the login processing and are expected to be called by the virtual member manager UR. The security manager within virtual member manager calls out to an authorization provider to perform access control checks.

The schema service in virtual member manager enables callers to access and change the virtual member manager schema information. The virtual member manager schema defines the entity types supported by virtual member manager (for example, PersonAccount, Group, and LoginAccount). Virtual member manager has two levels of schema information:
  • schema information at the virtual member manager level for all repositories
  • schema information specific to a particular virtual member manager repository (such as mapping information)
The schema service can be used at runtime to extend the virtual member manager schema. Out-of-the-box, virtual member manager supports runtime programmatic schema extensions for LDAP, the database repository, and the property extension repository.