Capabilities
The Capabilities menu item allows administrators to define the currently available capabilities. Selecting this option opens a prompt to edit Capabilities, which control the various functionalities that should be exposed by the RapidIdentity server.
The advantage of this functionality in a unified RapidIdentity is that RapidIdentity back end processes are not dedicated to a component that isn't applicable. Therefore, RapidIdentity can run more efficiently.
 |
The end result is that the rapididentity.propertiescapabilities value is updated.
 |
Capabilities can be configured to inclusive or exclusive by adding prefixes of "+" or "-", respectively.
Each component in the table matches to a RapidIdentity Component, except for "admin" which refers to RapidIdentity Configuration components. The API is critical for any .ui or .jobs components.
Component | UI | Jobs |
|---|---|---|
admin | admin.ui | admin.jobs |
connect | connect.ui | connect.jobs |
federation | federation.ui | federation.jobs |
folders | folders.ui | folders.jobs |
portal | portal.ui | portal.jobs |
studio NoteStudio is only available in IDaaS environments | studio.ui | studio.jobs |
Folders Notes
If the Cluster metadirectory is not pointing to Active Directory, the folders capabilities will continue running even with no tasks since RapidIdentity Folders is specific for Windows-based home or group shared folders.
Note
Best practice is to exclude or not enable any capabilities that are not licensed.
Wildcard Groups
The wildcard "all" can be used as a prefix in three possible ways with either an inclusion or exclusion.
all: includes or excludes every UI and Job capability
all.ui: includes or excludes every UI capability
all.jobs: includes or excludes every Job capability
Inclusions and Exclusions
Inclusions and exclusions are processed in the order they occur and result in adding or removing from the set of capabilities.
If the list is empty, then all capability group is used.
If the list starts with an exclusion, then the initial set is the all capability group.
If the first item in the list is an inclusion, the initial set starts as empty.
Including or excluding a top level capability also includes or excludes all its subordinates (e.g. connect includes connect, connect.ui and connect.jobs).
Including a subordinate implies inclusion of its superior (e.g. federation.ui includes Federation).
Excluding a subordinate does not imply exclusion of its superior.
Including or excluding a group is equivalent to including or excluding each of the individual members of the group.
Capability | Description |
|---|---|
capabilities= | Includes all capabilities |
capabilities=all | Includes all capabilities |
capabilities=admin,connect | Includes admin, admin.ui, admin.jobs, connect, connect.ui, and connect.jobs. |
capabilities=-folders | Includes all capabilities except folders. |
capabilities=portal,-portal.jobs,federation | Includes portal, portal.ui, federation, federation.ui, and federation.jobs. |
Specialty Configurations
Occasionally, you will need capabilities configurations to support customized actions for RapidIdentity. Listed below are a few typical options.
Expose Connect RESTPoints without exposing the UI or jobs on that server:
capabilities=connect,-connect.jobs,-connect.uiNote
This will allow a cluster member to accept and respond to RESTPoints built in a Connect project, but prevent UI access from that instance and prevent scheduled Connect jobs from running on that instance.
Configure a Connect instance to not run background jobs:
capabilities=connect,-connect.jobs
Configure a Studio instance to not run background jobs:
Note
Studio is only available in IDaaS environments
capabilities=studio,-studio.jobs