Attributes

The API provides access to the Security Verify Access user attributes and group attributes.

The new API provides access to:

Security Verify Access user attributes, and the native user attributes.
Security Verify Access group attributes, the description, and cn attributes of the native group.

The following table describes the API attribute details:

Table 1. API attribute details
API Constant	Name	Entry	Operation	Description
`MIN_PASSWORD_LENGTH _NAME`	passwordMinLength	Security Verify Access User Policy	Read Add Delete Replace Create Import	Minimum length of a password. Multibyte characters are treated as a single character. The value must be a decimal integer. If you do not set this attribute, the API uses the global value.
`PASSWORD_SPACES _NAME`	secPwdSpaces	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies whether to permit space and tabs in passwords. You have 2 choices: True permits space and tab characters. False does not permit these characters. If you do not set this attribute, the API uses the global value.
`MAX_PASSWORD_REPEATED _CHARS_NAME`	passwordMaxRepeatedChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the maximum number of times a character can be repeated consecutively in a password. The value must be a decimal integer. The value -1 indicates that there is no limit on the number of times a character can be repeated consecutively. If you do not set this attribute, the API uses the global value.
`MIN_PASSWORD_ALPHAS _NAME`	passwordMinAlphaChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the minimum number of alphabetic characters for the password. This set consists of these characters: UPPERCASE_LETTER: General category `Lu` in the Unicode specification. LOWERCASE_LETTER: General category `Ll` in the Unicode specification. TITLECASE_LETTER: General category `Lt` in the Unicode specification. MODIFIER_LETTER: General category `Lm` in the Unicode specification. OTHER_LETTER: General category `Lo` in the Unicode specification. Use only decimal integer values. If you do not set this attribute, the API uses the global value.
`MIN_PASSWORD_NON_ALPHAS _NAME`	passwordMinOtherChars	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the minimum number of non-alphabetic characters in the password. This set complements MIN_PASSWORD_ALPHAS_NAME. Use only decimal integer values. If you do not set this attribute, the API uses the global value.
`MAX_PASSWORD_AGE _NAME`	passwordMaxAge	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the number of seconds after the last password change time for which the password is valid. A value `0` (zero) indicates that there is no limit on the maximum number of seconds. If you do not set this attribute, the API uses the global value.
`ACCOUNT_EXPIRY_ DATE_NAME`	secAcctExpires	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies time at which the LDAP account expires in Greenwich Median Time. The format is YYYYMMDDhhmmss.tZ where: YYYY = year (for example, 2009) MM = month (where January = 01) DD = day of the month (beginning with 01) hh = hour (00 -> 23) mm = minute (00 -> 59) ss = second (00 -> 59) . = period character t = one tenth of the second (0 -> 9). This is ignored and should be set to 0 Z = this is the 'Z' character. It indicates the time zone is GMT. API recognizes only this format. A special value unlimited is accepted and is converted into a value suitable for storage in the underlying registry. Note: Upon reading this value, it is not converted into unlimited, instead it is the value it was converted to. If you do not set this attribute, the API uses the global value.
`DISABLE_TIME _INTERVAL_NAME`	timeExpireLockout	Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the duration in seconds for which the account is locked after MAX_LOGIN_FAILURES_NAME login failures have occurred. A value of 0 (zero) disables the account. The value must be a decimal integer >= 0 (zero). If you do not set this attribute, the API uses the global value.
`MAX_LOGIN _FAILURES_NAME`		Security Verify Access User Policy	Read Add Delete Replace Create Import	Specifies the number of login failures that can occur before the software lock or disables the account. Disabling or the time period for the lock out depends on `DISABLE_TIME_INTERVAL_NAME`. The value must be a decimal integer >=0 (zero). See the `ldap.login-failure-persistent` and `ldap.late-lockout-notification` configuration options. If you do not set this attribute, the API uses the global value.
`TOD_ACCESS_NAME`	maxFailedLogins	Security Verify Access User Policy	Read Add Delete Replace Create Import	Limits authentication to particular days of the week and a specific range of time during the day. The format of the policy is days:start:end:zone where: days - a decimal integer that represents a bit mask of days of the week. SUNDAY=1 MONDAY=2 TUESDAY=4 WEDNESDAY=8 THURSDAY=16 FRIDAY=32 SATURDAY=64 start - the decimal integer that represents the starting minute of the day of allowed access. end - a decimal integer that represents the ending minute of the day of allowed access. zone - a decimal integer that, when set to 1, indicates that GMT must be used to determine the current time of day and the day of the week against which to evaluate this policy. If you set any other value, the local default time zone is used. If you do not set this attribute, the API uses the global value. Note: When you set a password policy, you provide a list of days, start time, and end time. The start time and end time apply to each day on the list. If the specified start time is later than the specified end time, then the access is allowed until the specified end time is reached the next day.
`MAX_CONCURRENT _WEB_SESSIONS_NAME`	secTODAccessF	Security Verify Access User Policy	Read Add Delete Replace Create Import	The maximum number of concurrent web login for the user. This API does not use this value directly, but other applications use this value. The value must be a valid decimal integer. There are special negative values, which are: -3 When set, a new login displaces (logout) other login sessions of the same user. -4 When set, the number of concurrent logins are not limited. If you do not set this attribute, the API uses the global value.
`SEC_ACCT_VALID_NAME`	secAcctValid	Security Verify Access User	Read Replace Create Import	Indicates the account validity status. The permitted values are true and false. When set to false, you cannot log in to an account.
`SEC_PWD_VALID_NAME`	secPwdValid	Security Verify Access User	Read Replace Create Import	Indicates the password validity setting. This attribute can be set only to true and false. When set to false, the user must change the password at next logon.
`SEC_DN_NAME`	secDN	Security Verify Access User	Read	Internal use only. Use `getNativeId()` instead of `SEC_DN_NAME`.
`SEC_UUID_NAME`	secUUID	Security Verify Access User	Read Create Import	Specifies the Universally Unique ID. This attribute is normally generated by the API for the user. It is mostly used by the Authorization API when verifying ACLs. You can supply this value when you create or import a user. You cannot modify this value after you set it. Do not specify any value for this parameter except when you recover accounts that were accidentally deleted.
`SEC_LOGIN_TYPE _NAME`	secLoginType	Security Verify Access User	Read	Internal use only.
`SEC_CERT_DN_NAME`	secCertDN	Security Verify Access User	Read	Internal use only.
`SEC_CERT_SERIAL _NUMBER_NAME`	secCertSerialNumber	Security Verify Access User	Read	Internal use only.
`SEC_HAS_POLICY_NAME`	secHasPolicy	Security Verify Access User	Read	Internal use only.
`SEC_AUTHORITY_NAME`	secAuthority	Security Verify Access User	Read	Internal use only.
`PRINCIPAL_NAME_NAME`	principalName	Security Verify Access User	Read	Internal use only. Use `getId()` instead of this attribute.
`SEC_PWD_FAILURES_NAME`	secPwdFailures	Security Verify Access User Policy State	Read	Internal use only. Specifies the number of consecutive authentication failures because of wrong password. This policy is a mechanism to enforce the `MAX_LOGIN_FAILURES_NAME` policy only if the ldap.login-failures-persistent option is enabled.
`SEC_PWD_LAST_CHANGED _NAME`	secPwdLastChanged	Security Verify Access User Policy State	Read	Specifies the time when the password was last changed. This policy is a mechanism to enforce the `MAX_PASSWORD_AGE_NAME` policy. The value is updated to the current date when `SEC_PWD_VALID_NAME` is set to `true`.
`SEC_PWD_LAST_USED _NAME`	secPwdLastUsed	Security Verify Access User Policy State	Read	Specifies the last time the that user logged in. This value is updated every time Security Verify Access successfully authenticates a user. This value is updated only for password-based authentication. The option ldap.enable-last-login is set to `true`.
`SEC_DOMAIN_ID_NAME`	secDomainId	Security Verify Access User	Read	Internal use only.
`SEC_PWD_LAST_FAILED _NAME`	secPwdLastFailed	Security Verify Access User Policy State	Read	Internal use only. Records the time of the last failed login to authenticate with the correct password. This value is a part of the mechanism to enforce the `DISABLE_TIME_INTERVAL_NAME` policy. Note: Some operations might be restricted by the LDAP.
`SEC_PWD_UNLOCK_TIME _NAME`	secPwdUnlockTime	Security Verify Access User Policy State	Read	Internal use only. Records the duration for which the account is locked. This value is a part of the mechanism to enforce the `DISABLE_TIME_INTERVAL_NAME` policy.
`COMMON_NAME_NAME`	cn	Native User and Native Group	Read Add Delete Replace Create Import	Required when you create users or groups. Note: LDAP server might restrict some operations.
`SURNAME_NAME`	sn	Native User	Read Add Delete Replace Create Import	Required when you create users. Note: LDAP server might restrict some operations.
`UID_NAME`	uid	Native User	Read Add Delete Replace Create Import	Specifies the LDAP Unique ID attribute name. This attribute is an optional attribute when you create a `RgyUser`. If you do not specify a value, this parameter is set to the `userId` or `uid` value in the leading RDN of the `userNativeId`. Note: LDAP server might restrict some operations.
`OBJECT_CLASS_NAME`	objectClass	Native User and Native Group	Read Create	Internal use only. Indicates the LDAP object class attribute name. This attribute contains the native LDAP `objectClass` values for the native entry.
`DESCRIPTION_NAME`	description	Native User and Native Group	Read Add Delete Replace Create Import	Indicates the LDAP description attribute name. Optional attribute when creating a new `RgyUser` or `RgyGroup`. Note: LDAP server might restrict some operations.
`IS_SEC_ENTITY_NAME`	isSecEntity	Security Verify Access User and Security Verify Access Group	Read	Set to true if the account is a Security Verify Access enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.
`IS_GSO_USER_NAME`	isGSOUser	Security Verify Access User	Read	Set to true if the account is a Global Sign-On (web SSO) enabled account. This attribute is virtual, and is dynamically determines instead of being stored in the LDAP registry.
*	*	Native User	Read Add Delete Replace Create Import	Indicates a native user entry that might have additional attributes for the user. If the LDAP server permits, the values are updated or deleted. Note: LDAP servers might restrict some operations.
`RESOURCE_CREDENTIALS_NAME`	resourceCredentials	Security Verify Access User	Read	If the account is a global sign on-enabled and has resource credentials created for it, then this attribute will contain the resource credentials of the user. This is a virtual attribute that is not stored directly in the LDAP registry. Rather, it is dynamically determined from multiple entry attributes in LDAP. Each value for the attribute represents one resource credential and has the resources credential values condensed into one string. The API provide methods to expand these resource credential values into separate strings.