Karma

Changelog

v2.42.3 (Massive Moose, 2025-10-22)

What's new

  • allow to translate bulk approval table cells via i18n files

    Approval Pending: Genehmigung ausstehend
    Role Request/Revocation Approval: Rolleanfrage/Widerrufsgenehmigung
    

v2.42.2 (Rainy Rook, 2025-10-16)

What's new

  • resolve SourceDN and TargetDN of form data (flowdata) via LDAP; this allows linking these entities to their corresponding entries in the UI
  • allow to translate most UI elements via i18n files; use i18n/app/{locale}.{json,json5,yml,yaml} to add your own translations

v2.42.1 (Busy Bee, 2025-05-27)

What's new

  • redesigned the bulk approval interface with a modern table component for improved task management and visibility

v2.42.0 (Sharp Seal, 2025-05-14)

Bugfixes

  • ensure bulk approval of tasks works

v2.41.1 (Quiet Quelea, 2024-08-20)

Bugfixes

  • ensure signature is generated for nested API requests

v2.41.0 (Beautiful Barracuda, 2024-08-15)

Bugfixes

  • if the UserApp server uses a different timezone than the Karma server, the date and time values are now correctly displayed

    To use this feature you need to configure the timezone of the UserApp server in the Karma configuration file:

    rbpm:
      timeZone: 'Europe/Berlin' # can also be "CEST" or "+0200"
    

    The default is to use the timezone of the Karma server. Possible values are IANA timezones like Europe/Berlin or America/New_York, a timezone abbreviation like CEST or UTC, or a timezone offset like +0200.

    We recommend using IANA timezones to avoid issues with daylight saving time changes.

  • if trustedClients are configured the Rest-DAL will now correctly pass the signature header to the UserApp server

v2.40.3 (Fantastic Falcon, 2024-05-21)

Bugfixes

  • role action menu rendering for segmented actions

v2.40.2 (Brave Bison, 2024-05-07)

Bugfixes

  • calculation of take parameter for count only queries

v2.40.1 (Blue Bear, 2024-05-07)

Bugfixes

  • resolving of inherited roles using their assignment cause

v2.40.0 (Old Otter, 2024-04-25)

Bugfixes

  • ensure signature is only required when at least one trustedClient is configured

What's new

  • the max value for the take parameter can be configured

    The value may be either an integer between 0 and 16,777,215 or the string all to allow fetching all entries.

    If it is not configured, the first fallback is ldap.search.maxTake; if that is not configured either, the default value is 100.

    ldap:
      search:
        maxTake: 200 # or 'all' — default is 100
    
    rbpm:
      maxTake: 50 # or 'all' — default is `ldap.search.maxTake`
    
    users:
      maxTake: 300 # or 'all' — default is `ldap.search.maxTake`
    
    # ... other types
    
    dal:
      'allow_to_fetch_9999_entries':
        type: 'ldap:list'
        options:
          # ... other options ...
          take: 9999 # or 'all' — default is `ldap.search.maxTake`
    

v2.39.1 (Fresh Falcon, 2024-03-14)

Bugfixes

  • only enable signature if trustedClients are enabled
  • use different header for signature to prevent intermediate proxies from removing the header

v2.39.0 (Pleasant Partridge, 2024-03-06)

What's new

  • when using LDAP logins the login form will show a hint if the login has failed

  • actions can now be grouped into segments which allows to display several tabs (segments)

    actions:
      -
        # create a new tab "Permissions" that will show all actions with the segment "Permissions"
        segment: Permissions
        # ...
      -
        segment: Permissions
        # ...
      -
        # when no segment is defined, the action will be shown in the default tab
        # ...
    

    The order of tabs is determined by the order (e.g. first appearance) of segments in the configuration.

v2.38.4 (Hot Hornet, 2023-10-24)

What's new

  • API requests are required to either contain a signature (requests from the UI) or the x-client-token header which is matched against the configured trustedClients

v2.38.3 (Wonderful Woodpecker, 2023-08-07)

Bugfixes

  • ensure native userapp forms work after upgrade of IDM 4.8

v2.38.2 (Witty Walrus, 2023-06-29)

Bugfixes

  • fix the take parameter for the ldap:list DAL type

    The take configuration option is now acknowledged as the maximum value, which can be provided through the take query parameter. The default value is 100.

    Using the special value all enables the retrieval of all entries. However, it's important to note that the maximum value that can be defined is 16,777,215.

    The default setting of the take parameter can be customized through its configuration option as demonstrated below:

    dal:
      'allow_to_fetch_9999_entries':
        type: 'ldap:list'
        options:
          # ... other options ...
          take: 9999
    
      'allow_to_fetch_15_entries':
        type: 'ldap:list'
        options:
          # ... other options ...
          take: 15
    
      'allow_to_fetch_all_entries':
        type: 'ldap:list'
        options:
          # ... other options ...
          take: all
    

v2.38.1 (Thankful Tarsier, 2023-06-23)

Bugfixes

  • loading of role panels should show the correct role count and filtered roles

v2.38.0 (Fantastic Finch, 2023-06-19)

Bugfixes

  • role sources loading if the viewer is not allowed to view inherited roles
  • allow to filter for roles without categories
  • prevent invalid intermediate "no matching roles" message

What's new

  • allow unencrypted forms in non-SSL deployments

    disableFormEncryption: true
    
  • allow to disable delegatee resolution globally via rbpm.disableDelegatees or by partition via partitions.<partition>.rbpm.disableDelegatees

    To disable it globally, set rbpm.disableDelegatees to true in the config:

    rbpm:
      disableDelegatees: true
    

    Setting partitions.<partition>.rbpm.disableDelegatees to false in the config enables delegatee resolution again for a specific partition:

    partitions:
      <partition>:
        rbpm:
          disableDelegatees: false
    

    To disable it only for a specific partition, set partitions.<partition>.rbpm.disableDelegatees to true in the config:

    partitions:
      <partition>:
        rbpm:
          disableDelegatees: true
    

v2.37.1 (Spicy Shrimp, 2023-05-15)

Bugfixes

  • the user details panel now shows the correct roles for each user and account
  • the DAL type ldap:list now correctly handles the take parameter

v2.37.0 (Obnoxious Octopus, 2023-04-04)

Bugfixes

  • prevent failure for invalid DNs that start with { and end with }, as commonly used for placeholders

What's new

  • allow to negate the attribute value in DAL queries

    'accounts-search':
      type: 'ldap:list'
      options:
        # ... other options ...
        query:
          # `cn!` - the query parameter `cn` is required
          # `!cn` - it maps to the ldap attribute `cn` and the value is negated
          # `?cn=xyz` -> `(!(cn=xyz))`
          cn!: '!cn'
    

    Usage:

    {
      "templateOptions": {
        "options": [],
        "dal": {
          "key": "accounts-search",
          "options": {
            "cn": "user1"
          }
        }
      },
      // or via expressions
      "expressionProperties": {
        "templateOptions.dal.options.cn": "model.cn"
      }
    }
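
The mapping syntax above (trailing `!` on the key marks the query parameter as required, leading `!` on the value negates the match) can be illustrated as follows. This is an added example, not Karma's own code: `buildQueryFilter` and the attribute-name pattern are assumptions, and `escapeLDAPFilter` is a stand-in RFC 4515 escaper that only shares its name with the helper passed to rules.js.

```javascript
'use strict'

// Simplified attribute descriptor check (assumption: no attribute options such as ";lang-de").
const ATTRIBUTE_NAME = /^[A-Za-z][A-Za-z0-9-]*$/

// RFC 4515: backslash, asterisk, parentheses and NUL inside an assertion value
// must be written as a backslash followed by two hex digits.
function escapeLDAPFilter(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'))
}

// mapping: the `query` object of a DAL entry, e.g. { 'cn!': '!cn' }
// params:  the query parameters received from the client, e.g. { cn: 'xyz' }
function buildQueryFilter(mapping, params) {
  const parts = []
  for (const [rawKey, rawAttr] of Object.entries(mapping)) {
    const required = rawKey.endsWith('!')
    const param = required ? rawKey.slice(0, -1) : rawKey
    const negated = rawAttr.startsWith('!')
    const attr = negated ? rawAttr.slice(1) : rawAttr
    if (!ATTRIBUTE_NAME.test(attr)) {
      throw new Error(`invalid attribute name in config: ${rawAttr}`)
    }

    const present = Object.prototype.hasOwnProperty.call(params, param)
    const value = present ? params[param] : undefined
    if (value === undefined || value === '') {
      if (required) throw new Error(`missing required query parameter: ${param}`)
      continue
    }
    // ?cn=a&cn=b is parsed as an array by most query parsers; refuse it
    // instead of stringifying it into the filter.
    if (typeof value !== 'string') {
      throw new Error(`query parameter must be a single string: ${param}`)
    }

    const match = `(${attr}=${escapeLDAPFilter(value)})`
    parts.push(negated ? `(!${match})` : match)
  }
  if (parts.length === 0) return ''
  return parts.length === 1 ? parts[0] : `(&${parts.join('')})`
}
```

Because the value is escaped before it is placed into the filter, parentheses or wildcards sent by the client stay part of the compared value and cannot add filter terms.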
    

v2.36.0 (Great Goshawk, 2023-03-07)

What's new

  • all form submissions are encrypted to prevent leaking of sensitive data

  • allow to bypass the encryption of form submissions for trusted clients

    A trusted client is a client that is allowed to access the API without encryption. This is useful for internal services that are not exposed to the public. The trusted clients are configured in the trustedClients section of the config:

    # id/token map of clients that can post/patch data without encryption
    trustedClients:
      # openssl rand -base64 24
      acme: KZQgdKmpLkxdN6m14PeFHzH7a0vIdY9D
    

    The client token can be passed via the X-Client-Token header or via the client_token property within the json body.

    {
      "client_token": "KZQgdKmpLkxdN6m14PeFHzH7a0vIdY9D",
      "model": {
        "//": "..."
      }
    }
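
How a server-side gate can combine the rules stated in this changelog (token via header or body in v2.36.0, signature or `x-client-token` in v2.38.4, enforcement only when a trusted client is configured in v2.40.0), as an added example that is not Karma's own code. `authorizeApiRequest`, `matchTrustedClient` and the `verifySignature` callback are assumptions; the signature header and algorithm are not documented here, so the callback stands in for that check.

```javascript
'use strict'
const crypto = require('node:crypto')

// Constructed sample configuration; the token is the sample value shown above.
const trustedClients = { acme: 'KZQgdKmpLkxdN6m14PeFHzH7a0vIdY9D' }

// Hash both sides so timingSafeEqual always compares buffers of equal length.
const digest = (value) =>
  crypto.createHash('sha256').update(String(value), 'utf8').digest()

// Returns the id of the trusted client that owns `token`, or null.
function matchTrustedClient(token, clients) {
  if (typeof token !== 'string' || token.length === 0) return null
  const presented = digest(token)
  let matched = null
  // Visit every entry so the timing does not reveal which entry matched.
  for (const [id, secret] of Object.entries(clients || {})) {
    const equal = crypto.timingSafeEqual(presented, digest(secret))
    if (equal && matched === null) matched = id
  }
  return matched
}

function authorizeApiRequest(req, clients, verifySignature) {
  // v2.40.0: nothing is required unless at least one trusted client is configured.
  if (Object.keys(clients || {}).length === 0) {
    return { allowed: true, via: 'not-enforced' }
  }

  // v2.36.0: the token arrives in the X-Client-Token header (Node lower-cases
  // header names) or in the client_token property of the JSON body.
  const headerToken = req.headers && req.headers['x-client-token']
  const bodyToken = req.body && req.body.client_token
  const token = headerToken !== undefined ? headerToken : bodyToken

  if (token !== undefined) {
    const clientId = matchTrustedClient(token, clients)
    // Assumption: a presented but unknown token is rejected without
    // falling back to the signature check.
    return clientId
      ? { allowed: true, via: 'client-token', clientId }
      : { allowed: false, via: 'bad-client-token' }
  }

  // v2.38.4: without a client token the request must carry a valid signature.
  return verifySignature(req)
    ? { allowed: true, via: 'signature' }
    : { allowed: false, via: 'missing-credentials' }
}
```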
    

v2.35.0 (Fine Falcon, 2023-02-09)

Bugfixes

  • ensure pages and tabs are only rendered when the required permission is set
  • ensure API responses respect the permissions for resources
  • the take parameter value now has an upper bound of 100

What's new

  • the new permission type task allows to validate who can view and who can forward a task

    a task has the following structure (it may contain additional properties):

    {
      activityId: 'Activity',
      activityName: 'Approval',
      requestId: 'b7439319a68246889b81b3ee4c22549b',
      addressee: {
        entryDN: '...',
        '$id': '614f681f-76aa-b048-92e3-614f681f76aa',
        '$name': '...',
        '$description': '...',
        '$type': 'user',
      },
      processId: {
        entryDN: '...',
        '$type': 'request',
        '$id': '650d633b-c2a9-bc4c-98b8-650d633bc2a9',
        '$name': '...',
        '$description': '...',
      },
      recipient: {
        entryDN: '...',
        '$id': '614f681f-76aa-b048-92e3-614f681f76aa',
        '$name': '...',
        '$description': '...',
        '$type': 'user',
      },
      initiator: {
        entryDN: '...',
        '$id': '614f681f-76aa-b048-92e3-614f681f76aa',
        '$name': '...',
        '$description': '...',
        '$type': 'user',
      },
      '$id': '04fcb7c535c5404fb285a839b39e4dfb',
      actions: [ 'approve', 'deny' ],
      bulkApprovable: false,
      '$type': 'task',
      approvable: true,
      name: 'Approval',
      data: [ [Object], [Object], [Object], [Object], [Object] ],
      comments: [ [Object], [Object] ],
    }
    

v2.34.0 (Colossal Chicken, 2022-11-16)

What's new

New feature: You are now able to configure the pagination settings for Karma's role, account and user lists.

  ui:
    # ...
    pagination:
      itemsPerPage: 12 # defines, how many items are loaded for the cover flow and list view (default: 10)
      itemsPerPageCardsView: 18 # defines, how many items are loaded for the cards view (default: 36)
      itemsPerPageOptions: [6, 12, 18, 24] # defines the results per page options for the list view (default: [10, 25, 50, 100])

v2.33.2 (Tough Turtle, 2022-07-14)

Bugfixes

  • process history: only show processes that have been started by the user or the user is a recipient of; previously, processes of all user principals (roles, containers, groups) were shown

v2.33.1 (Big Bee, 2022-05-09)

What's new

  • allow to embed karma within iframe on other origins

    http:
      static:
        directory: ../htdocs
        # only allow from same origin (default)
        # X-Frame-Options: SAMEORIGIN
        # allow from any origin
        X-Frame-Options: false
        csp: false
    

v2.33.0 (Whispering Whale, 2022-03-24)

Bugfixes

  • update panels after action execution

What's new

  • dal ldap:list: allow to configure the used base via query param

    'accounts-search':
      type: 'ldap:list'
      options:
        # ... other options ...
        baseQueryParam: '$base'
    

    Usage:

    {
      "templateOptions": {
        "options": [],
        "dal": {
          "key": "accounts-search",
          "options": {
            "$base": "ou=accounts,o=data"
          }
        }
      },
      // or via expressions
      "expressionProperties": {
        "templateOptions.dal.options.$base": "model.base"
      }
    }
    

v2.32.3 (Magnificent Manatee, 2022-02-16)

Bugfixes

  • Roles: fix assignment

v2.32.2 (Helpful Hawk, 2022-01-21)

What's new

  • Child roles on roles detail page are now pageable
  • forms: repeatable section allows to clear the selected value if it is optional

v2.32.1 (Resonant Reindeer, 2021-12-10)

Bugfixes

  • hide info messages after timeout and allow to discard them

v2.32.0 (Courageous Curlew, 2021-10-28)

What's new

  • dal:rest: allow url replacement using {{...}}

    A config like

    'search-roles-api-wf0034':
      type: 'rest'
      authz: 'user'
      options:
        url: 'http://<%= http.server.host %>:<%= http.server.port %>/api/accounts/{{id}}?fields=nrfAssignedRoles&loadRoleDetails=true'
        query:
          $id!: entryUUID
        forwardHeaders: Authorization
        response: 'data.collection'
    

    would create a url like http://localhost:3000/api/accounts/uuid-of-account?fields=nrfAssignedRoles&loadRoleDetails=true

  • allow to configure which attributes are used to resolve all principals for a user

    ldap:
      # defaults listed below
      principalAttributes: 
        - 'securityEquals'
        # on a user
        - 'groupMembership nrfMemberOf nrfDynamicGroupMembership'
        # on a role
        - 'nrfChildRoles nrfExternalChildRoles'
    

    It is still possible to use additionalPrincipalAttributes to add attributes to the default set.

  • allow to use a minimal principal list for RBPM SOAP request regarding the work entries (i.e. tasks)

    ## which principals are used for retrieving the work entries for a user
    # 'full': (default) user DN, its containers, its roles and groups, its delegatees
    # 'minimal': user DN, its delegatees
    rbpm:
      # same as the default
      taskPrincipalsResolution: 'full'
    
    # can be defined and overridden for each partition
    partitions:
      identity:
        rbpm:
          taskPrincipalsResolution: 'minimal'
    

v2.31.2 (Modern Magpie, 2021-10-05)

Bugfixes

  • improved client input validation for role assignment requests

v2.31.1 (Gentle Goat, 2021-08-27)

Bugfixes

  • refactoring forms repeat section onAdd and onRemove

v2.31.0 (Hungry Hippopotamus, 2021-08-16)

Bugfixes

  • fix: use taggedElement to resize iframe

What's new

  • Add onRemove and onAdd to templateOptions of k5-repeat-section

v2.30.1 (Sharp Sea Lion, 2021-07-28)

Bugfixes

  • ldap filter optimizations

What's new

  • Standalone forms view for integration
  • IDM v4.8 SOAP optimizations and compatibility enhancements

v2.29.1 (Substantial Scorpion, 2021-02-23)

What's new

  • enhance LDAP caching and performance
  • increase default LDAP cache time from 30s to 90s

v2.29.0 (Fuzzy Fox, 2021-02-19)

What's new

  • reduce LDAP load for loading users roles
  • reduce LDAP load by changing delegate resolution

v2.28.0 (Thankful Turkey, 2020-12-30)

Bugfixes

  • optimize UserApp SOAP queries to reduce load on the UserApp engine
  • optimize caching of permissions generated from rules.js

What's new

  • Initial IDM v4.8 support

v2.27.1 (Sticky Starling, 2020-10-22)

Bugfixes

  • osp: iframe token retrieval

v2.27.0 (Kind Komodo, 2020-09-28)

Bugfixes

  • soap: re-use connections
  • support xml entities in comments

What's new

  • the refresh interval for updating counts is configurable using ui.refreshInterval (default: 90s)

    ui:
      # can be milliseconds or a string with `s` (seconds), `m` (minutes) or `h` (hours)
      # like `90s`, `3m`, `1h 5m 10s`
      refreshInterval: 30s
    
  • Roles may have a panels configuration

v2.26.0 (Silent Salmon, 2020-04-30)

What's new

Delegation: new properties to know who is operating on a task or workflow

  • viewer: logged in user
  • delegatee: user/account to whom the workflow or task belongs, or undefined if it is not a delegated workflow or task
  • initiator: user/account used to start the workflow or approve the task

These properties exist on the StateVault when the model script is executed on the karma server and on the formState within the client side form.

Each property is an object with at least the entryDN property. Additional properties like $type, cn, etc. may exist.

Example model script:

module.exports = async ({ StateVault }) => {
  // StateVault.viewer = {entryDN: ....}
  // StateVault.delegatee = undefined || {entryDN: ....}
  // StateVault.initiator = {entryDN: ....}
  // StateVault.recipient = {entryDN: ....}
  // StateVault.addressee = {entryDN: ....}
  return {
    viewerDN: StateVault.viewer.entryDN,
    delegateeDN: StateVault.delegatee && StateVault.delegatee.entryDN,
    initiatorDN: StateVault.initiator.entryDN,
  }
}

v2.25.0 (Clever Crow, 2020-04-02)

What's new

  • Additional, optional, translatable header for delegatees workflows section: config/i18n/app/[locale].yaml (Translations)
    home:
      delegateesWorkflowsHeader: Hier steht der <strong>spezielle</strong> Erklärtext.
    
  • new css class on a task list item, to indicate this is a delegated task: .tasks-view .delegated-task

v2.24.0 (Fluffy Falcon, 2020-03-05)

What's new

  • several new permissions to regulate special property access
    exports.permissions = {
      user: {
        'can view $parentObjects': everybody,
        'can view $childObjects': everybody,
      },
      account: {
        'can view $parentObjects': everybody,
        'can view $childObjects': everybody,
      },
      role: {
        'can view $parentObjects': everybody,
        'can view $childObjects': everybody,
        'can view $externalChildRoles': everybody,
        'can view $externalParentRoles': everybody,
        'can view $implicitGroups': everybody,
        'can view $implicitContainers': everybody,
        'can view $owners': everybody,
      },
      group: {
        'can view $associatedRoles': everybody,
        'can view $owners': everybody,
      }
    }
    

v2.23.2 (Obedient Ox, 2020-02-10)

Bugfixes

  • user dropdown: same items as in user tabs
  • user/account summary tab: do not load and hide unavailable DNs

What's new

  • panel row resolve options: accept additional take option to limit the number of loaded records
    - { resolve: 'directReports', take: 30, preset: 'link' }
    

v2.23.1 (Colorful Cormorant, 2020-02-03)

Bugfixes

  • respect can view history tab permission for history in user dropdown

What's new

  • two new permissions to hide certain user/account tabs:
    • can view tasks tab
    • can view requests tab

v2.23.0 (Powerful Partridge, 2020-01-28)

What's new

  • roles search: allow "and" combination for categories and levels
  • two new permissions to hide certain user/account tabs:
    • can view history tab
    • can view process history tab

v2.22.3 (Funny Fox, 2020-01-20)

Bugfixes

  • transpiled all form scripts for browsers down to IE11

v2.22.2 (Faithful Fox, 2019-12-11)

Bugfixes

  • $goTo for relative and absolute urls

v2.22.1 (Hot Hawk, 2019-12-09)

Bugfixes

  • form scripts for browsers are transpiled

What's new

  • new empty sidebar element before the profile box: <div class="sidebar-heading"></div>

$goTo(event, url)

This method allows setting or opening the provided url:

{
  "type": "html",
  "templateOptions": {
    "expression": "<div>Clickable</div>",
    "onClick": "$goTo($event, model.url)",
  }
}

v2.22.0 (Witty Woodcock, 2019-11-14)

Bugfixes

  • prevent reload when opening a modal from a form on the dashboard

What's new

  • control k5-select: onChange event handler

v2.21.0 (Magnificent Manatee, 2019-10-29)

Bugfixes

  • form-control intro: stacking order issue when used in modals

What's new

  • all template expressions have access to moment (moment@v2.24.0); this is in addition to _ (lodash@v2.4.2)
  • form-control intro:
    • support keyboard navigation
      • tab and shift-tab to go next/previous step
      • left, right and escape if outside an input field
    • auto-focus first form control of current step
  • dal type rest: support forwarding of headers; this allows to use the karma rest api
    'accounts-search':
      type: 'rest'
      options:
        url: http://localhost:9999/accounts?fields=$id,$name,$description
        query:
          $q: q
          $take!: take
          $skip!: skip
        forwardHeaders: Authorization
        response: 'data.collection'
    

v2.20.2 (Wild Worm, 2019-09-24)

Bugfixes

  • login: support unicode characters in username and password

v2.20.1 (Handsome Hornet, 2019-09-19)

Bugfixes

  • better DN detection for nrfOriginator to prevent log spamming

What's new

  • new intro form control
  • every form control reflects its id into the data-form-field attribute on its container
    {
      "type": "input",
      "key": "password",
      "id": "user__password",
      "templateOptions": {
        "label": "Password",
        "type": "password"
      }
    }
    
    This field can now be selected using [data-form-field="user__password"].
  • an additional css class is added to the tasks li on the sidebar indicating the tasks count
    • task-count-loading - if the task count is loading
    • task-count-some - if there is at least one task
    • task-count-none - if there is no task

Permissions

  • role['can modify assignment range'] allows to determine who can request a new role assignment range (used within the role panel of a user or account)
const isSame = (a, b) => !!(a && b) && (a === b || (a.$type === b.$type && a.$id === b.$id))

exports.permissions = {
  role: {
    'can modify assignment range': ({viewer, role, owner, log}) => {
      // owner is the object containing this role - maybe any type or nothing
      if (owner && (owner.$type === 'user' || owner.$type === 'account')) {
        log.warn({viewer, role, owner})
        return isSame(viewer, owner)
      }
      return false
    }
  }
}

v2.19.0 (Excited Elk, 2019-08-20)

Bugfixes

  • IDVault.get caching

What's new

Shopping Cart

  • support heading via template or form (as is already possible on the dashboard)
    • template: config/templates/shopping-cart_[locale].html (config/templates/shopping-cart_de.html), default fallback is config/templates/shopping-cart.html
    • form: config/forms/shopping-cart
  • additional help for description, startDate and endDate may be provided

The i18n files in config/i18n/[locale].(json|json5|yaml|yml) allow to configure an optional help text for these form fields.

roleAssignmentRange:
  description: Description
  # descriptionHelpText: uncomment to show this help text
  startDate: Effective Date
  # startDateHelpText: uncomment to show this help text
  endDate: Expiration Date
  # endDateHelpText: uncomment to show this help text

v2.18.0 (Graceful Gorilla, 2019-08-08)

Bugfixes

  • forms: reset submitted state after form submission

What's new

  • IDVault: cache IDVault.get, IDVault.dal and IDVault.globalQuery calls
  • DAL type ldap:entry: add $filter support like in ldap:list
  • Forms: expose currentUser in server side formState

v2.17.1 (Elegant Elephant, 2019-06-21)

Bugfixes

  • denying a task with a reason
  • always pass authz from a task config through to rules engine
  • do not try to load inherited roles if the viewer is not allowed to view them

v2.17.0 (Freezing Frog, 2019-06-18)

What's new

  • possibility to adjust the LDAP search queries to reduce the visibility of LDAP entries based on business requirements, see Rules Queries

    The query system is based on rules that can be defined in a configuration file called rules.js within the configuration directory. These rules allow adding additional filter parts to each search:

    exports.queries = {
      async users({ viewer, IDVault, config, escapeLDAPFilter }) {
        if (viewer.is('admin')) return
    
        const allSpecialRoles = await IDVault.search(config.get('roles.base'), {
          scope: config.get('roles.scope'),
          filter: `(&${config.get('roles.filter')}(cn=*${escapeLDAPFilter('special role')}))`,
        })
    
        return { nrfMemberOf: { in: allSpecialRoles.map(role => role.entryDN) } }
      },
    }
    

    The following queries can be adjusted: users, accounts, roles, groups and organizationalUnits

  • a lot of documentation enhancements, for example the Karma Script API

v2.16.0 (Whispering Walrus, 2019-05-15)

Bugfixes

  • several small fixes

What's new

  • form-control/k5-select: 2-way data-binding for model values
  • forms: an explicit reason may be requested for deny and refuse actions; providing the reason may be enforced by setting model.$requireDenyReason and/or model.$requireRefuseReason to true

v2.15.0 (Amused Alpaca, 2019-04-11)

Bugfixes

  • k5-select:
    • initial options loading with correct dal options
    • update select fields after dal options changes
  • k5-paged-list: do not show empty last page

What's new

  • actions: track targeted recipient for later use in workflow
  • render line breaks in comments
  • k5-paged-list: onChange handler to re-act to data changes
    [
      {
        "type": "html",
        "hideExpression": "!!model._isUsersEmpty",
        "templateOptions": {
          "expression": "<h3>Users</h3>"
        },
      },
      {
        "type": "k5-paged-list",
        "templateOptions": {
          "dal": {
            "key": "users-search",
          },
          "onChange": "model._isUsersEmpty = !$items.length",
          "fields": [{
            "type": "html",
            "templateOptions": {
              "expression": "{{model.givenName}} {{model.sn}}"
            },
          }]
        },
      }
    ]
    

v2.14.1 (Loud Lion, 2019-04-02)

Bugfixes

  • sporadic Cannot read property 'attributes' of undefined error

What's new

  • open a provisioning request via url parameter openProvisioningRequest: https://<karma.host.name>/?openProvisioningRequest=<dn to workflow> Example in fields.json:
    {
      "type": "html",
      "templateOptions": {
        "expression": "<a href=\"/?openProvisioningRequest={{'cn=aWorkflow,cn=RequestDefs,cn=AppConfig,cn=User Application Driver,cn=driverset,o=system' | encodeURIComponent}}\">{{model.givenName}} {{model.sn}}</a>"
      }
    }
    
  • allow to remove parts of the dashboard (in rules.js)
    const always = value => () => value
    const nobody = always(false)
    
    exports.permissions = {
      user: {
        'can view child objects on dashboard': nobody,
        'can view tiles on dashboard': nobody,
        'can view provisioning requests on dashboard': nobody,
      }
    }
    

v2.14.0 (Vivacious Viper, 2019-03-27)

Bugfixes

  • hide labels in sidebars on small viewports
  • enable custom script in approval and request forms

What's new

  • open task modal via url parameter open: https://<karma.host.name>/me/tasks?selected=<task id>&open

    the following URLs are supported:

    • /me/tasks?selected=<task id>&open
    • /me/requests?selected=<task id>&open
    • /users/<user id>/tasks?selected=<task id>&open
    • /users/<user id>/requests?selected=<task id>&open
    • /accounts/<account id>/tasks?selected=<task id>&open
    • /accounts/<account id>/requests?selected=<task id>&open

DAL

  • Type rest:
    • specify response status code validation
        # define a custom HTTP status code success range
        # default: status >= 200 && status < 300
        validateStatus: 'status >= 200 && status < 500'
      
    • select which data to return from the response
        # array -> pick those key from the response: ['data', 'status']
        #  -> { data: { ... }, status: 200 }
        # object -> map those keys: {data: '=', status: 'statusCode'}
        #  -> { data: { ... }, statusCode: 200 }
        # string -> just that key (default: 'data')
        #  -> { ... }
        response: ['status']
      
    • support different HTTP method for the request
        # default: GET
        method: POST
      
    • body for POST, PATCH, ..., can be specified like query parameters
        body:
          username!: username
          password!: password
      
  • Form Fields: support HTTP POST method for the request (GET is the default) to hide query parameters like passwords or large query strings
      "templateOptions": {
        "dal": {
          "method": "POST"
        }
      }
    
  • Form Control button: templateOptions.dal allows to specify a DAL request to send on click, the result is stored in the model with field key
      {
        "key": "result",
        "type": "button",
        "templateOptions": {
          "label": "Send",
          "dal": {
            "key": "check-password",
            "method": "POST",
            "options": {
              "username": "a-user-name"
            }
          }
        },
        "expressionProperties": {
          "templateOptions.dal.options.password": "formState.$model.password"
        }
      }
    

v2.13.2 (Black Bee, 2019-03-11)

Bugfixes

  • dashboard form: allow access for everyone

What's new

  • ScriptVault.localizeAttributes: convert strings to object before selecting the localized value
  • dashboard form: provide access to the authenticated user
    • in the fields: formState.initiator.entryDN
    • within the model script: initiator and StateVault.initiator.entryDN

v2.13.1 (Petite Panther, 2019-03-07)

Bugfixes

  • sidebar: show partition icon instead of name on small viewports
  • form-control k5-paged-list: expressions are scoped to each item

What's new

  • sidebar: show badges on small viewports
  • form-control html: may have an onClick listener
    {
      "type": "html",
      "templateOptions": {
        "expression": "{{model.givenName}} {{model.sn}}",
        "onClick": "$.onClick($event, model)"
      }
    }
    
  • form-control k5-paged-list: may have an onClick listener which is applied to each rendered row container (model is the currently rendered item):
    {
      "type": "k5-paged-list",
      "templateOptions": {
        "onClick": "$.onClick($event, model)"
      }
    }
    

v2.13.0 (Perfect Partridge, 2019-02-28)

Bugfixes

  • several minor bugfixes

What's new

  • dashboard form (config/forms/dashbord) which adds dynamic content to the dashboard
  • k5-paginated-list form control
  • user permissions to customize dashboard view:
    user: {
      'can view tiles on dashboard': everybody,
      'can view provisioning requests on dashboard': everybody
    }
    
  • allow localizeAttributes to be used in ScriptVault
    const entry = {
      siteLocation: 'en~1st Floor|de~1.OG'
    }
    
    const result = ScriptVault.localizeAttributes(entry, { siteLocation: 'localizedSiteLocation' })
    // -> result === entry
    // -> entry.localizedSiteLocation === '1.OG'
    // -> entry.siteLocation === undefined
    
    ScriptVault.localizeAttributes(entry, { siteLocation: '=' })
    ScriptVault.localizeAttributes(entry, ['siteLocation'])
    // -> entry.siteLocation === '1.OG'
    

v2.12.0 (Thundering Tapir, 2019-02-14)

Bugfixes

  • show additional task info in result list
  • show initiator info in tasks details

What's new

  • Tasks are bulk approvable: Documentation
  • Define custom javascript functions and use them within formly expressions: Documentation

v2.11.6 (Long Llama, 2019-01-25)

What's new

  • new $filter option (boolean) to allow an additional ldap filter provided by the client

    DAL config:

    dal:
      with-custom-ldap-filter:
        type: 'ldap:list'
        options:
          $filter: true
          # and any other options
    

    Fields config:

    {
      templateOptions: {
        dal: {
          key: 'with-custom-ldap-filter',
          queryOptions: {
            $filter: '(cn=must match)'
          }
        }
      }
    }
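
A client-supplied `$filter` is only safe to combine with the configured filter if it is exactly one balanced LDAP filter; otherwise plain string concatenation can close the configured `(&...)` early. The check below is an added example, not Karma's own code: `isSingleFilter`, `combineFilters`, the length and nesting limits, and the choice to reject (rather than ignore) a `$filter` when the option is off are assumptions.

```javascript
'use strict'

// Assumed limits for this example, not Karma settings.
const MAX_FILTER_LENGTH = 1024
const MAX_NESTING = 8

// True if `filter` is one parenthesised expression with balanced parentheses.
// RFC 4515 requires literal parentheses inside values to be written as \28 and
// \29, so every raw "(" or ")" in a valid filter is structural.
function isSingleFilter(filter) {
  if (typeof filter !== 'string') return false
  if (filter.length < 3 || filter.length > MAX_FILTER_LENGTH) return false
  if (filter[0] !== '(') return false
  let depth = 0
  for (let i = 0; i < filter.length; i++) {
    const c = filter[i]
    if (c === '\0') return false
    if (c === '(') {
      if (++depth > MAX_NESTING) return false
    } else if (c === ')') {
      if (--depth < 0) return false
      // The outermost group may only close on the very last character,
      // which rules out "(a=b)(c=d)" and "(a=b))(|(c=*".
      if (depth === 0 && i !== filter.length - 1) return false
    }
  }
  return depth === 0
}

// configuredFilter: the filter from the DAL configuration
// clientFilter:     the value received as $filter, or undefined
// dalOptions:       the DAL entry's options; $filter must be true to accept one
function combineFilters(configuredFilter, clientFilter, dalOptions = {}) {
  if (!isSingleFilter(configuredFilter)) {
    throw new Error('configured filter is malformed')
  }
  if (clientFilter === undefined || clientFilter === '') return configuredFilter
  if (dalOptions.$filter !== true) {
    throw new Error('$filter is not enabled for this DAL entry')
  }
  if (!isSingleFilter(clientFilter)) {
    throw new Error('client filter must be one balanced LDAP filter')
  }
  // Logical AND: the client filter can narrow the configured result set only.
  return `(&${configuredFilter}${clientFilter})`
}
```

Since the result is always an AND with the configured filter, a validated client filter can narrow the result set but not widen it.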
    

v2.11.5 (Zealous Zebra, 2019-01-21)

Bugfixes

  • authz caching
  • allow to clear the shopping cart without roles or users

What's new

  • DAL type for REST now supports mapping of input query parameter names using options.query

Shopping Cart

  • one can add and remove oneself
  • the label can be translated using shoppingCart.actions.addSelf and shoppingCart.actions.removeSelf

v2.11.4 (Proud Pony, 2018-12-10)

Bugfixes

  • only show child object on dashboard if there are any
  • show user/account breadcrumbs for deployments without partitions
  • show correct count in tabs header
  • approval form (non-karma forms) now correctly shows results after submit and closes automatically
  • show role detail in history when using Slash-DNs
  • only Karma admins were able to see actions on "My Data"
  • handle eDirectory bug where it returns 0 as count although there are results
  • allow to clear the shopping cart
  • only include users and accounts in child objects for the dashboard

What's new

Form Controls

  • button: props are re-evaluated on change
  • unique-input: allows to query with other model values

v2.11.3 (Brainy Bear, 2018-10-31)

Bugfixes

  • groups panel: consistent not found message styling
  • ensure roles not matching the role filter are not included in roles of a user/account
  • show spinner while loading pre-filled search filters
  • show group type icon in dropdown
  • show role level icon in dropdown
  • indicate active refresh with rotating refresh icon
  • category and level of roles are now linked to a pre-filled roles search
  • lazy load roles panel
  • cache authz info
  • prevent POST method not allowed while searching
  • ldap
    • use consistent DN formatting
    • always include base in cmdline
    • ensure configured and received filters are combined with a logical and
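
The $filter option from v2.11.6 accepts an LDAP filter from the client, and the fix above requires that it is combined with the configured filter by a logical AND. The sketch below is an added example, not Karma's own code: it accepts the received value only if it is one well-formed filter expression, wraps both filters in (&...), and escapes user input that a form places into a filter value. The function names are assumptions.

```javascript
// Added example (not Karma's code). Function names are assumptions.

// Structural check: `filter` must be exactly one parenthesised expression,
// e.g. "(cn=a)" or "(&(cn=a)(sn=b))". This is not a full RFC 4515 parser.
function isSingleFilter (filter) {
  if (typeof filter !== 'string' || filter.length < 4) return false
  if (filter[0] !== '(' || filter[filter.length - 1] !== ')') return false
  let depth = 0
  for (let i = 0; i < filter.length; i++) {
    const ch = filter[i]
    if (ch === '\\') {
      // RFC 4515 escapes are a backslash followed by two hex digits.
      if (!/^[0-9a-fA-F]{2}$/.test(filter.slice(i + 1, i + 3))) return false
      i += 2
    } else if (ch === '(') {
      depth++
    } else if (ch === ')') {
      depth--
      // The outer pair closed early: trailing data such as "(a=b)(c=d)".
      if (depth === 0 && i !== filter.length - 1) return false
    }
  }
  return depth === 0
}

// Combine the server-side filter with the client-supplied one. The result can
// only narrow the configured filter, never replace or widen it.
function combineFilters (configured, received) {
  if (!isSingleFilter(configured)) {
    throw new Error('configured filter is malformed')
  }
  if (received === undefined || received === null || received === '') {
    return configured
  }
  if (!isSingleFilter(received)) {
    throw new Error('received filter rejected: not a single filter expression')
  }
  return `(&${configured}${received})`
}

// Escape a value before it is placed into a filter (RFC 4515, section 3):
// backslash, asterisk, parentheses and NUL become \XX hex escapes.
function escapeFilterValue (value) {
  return String(value).replace(/[\\*()\0]/g, ch =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'))
}

// Constructed sample input.
const configuredFilter = '(objectClass=inetOrgPerson)'
console.log(combineFilters(configuredFilter, '(cn=must match)'))
console.log(combineFilters(configuredFilter, `(cn=${escapeFilterValue('Smith (ext)')})`))
```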

v2.11.2 (Breezy Bear, 2018-10-17)

Bugfixes

  • user: reduce amount of ldap queries for initial roles loading
  • ldap:
    • optimized deferred full entry loading
    • prevent trailing comma in DN formatting if an empty base DN is used

v2.11.1 (Old Opossum, 2018-10-10)

Bugfixes

  • reduce number of requests
  • doctor: show used ldap capabilities
  • role panel: ensure updates are reflected in the ui

v2.11.0 (Healthy Hawk, 2018-09-25)

Bugfixes

  • role panel: sorting order
  • panels: render compiled template as-is bypassing Strict Contextual Escaping (SCE)
  • groups panel: prevent canceling of same query
  • highlight selected option in dropdowns
  • show loading indicator
    • during initial load of groups panel
    • during load of view data on first load of page
    • after click on a link while loading the view data
    • after click on card while loading the view data
  • render escaped html (like unicode) in $name and $description correctly
  • partitions: always try to find partition of an entry

What's new

  • dynamic groups can be used within a search for users or accounts

  • role panel: the roles can additionally be filtered by assignment type, level and category

users: # works identically for accounts
  # defines which options are not selected by default
  # if not set all options are enabled by default
  rolesFilterDefaultHidden:
    # each value can be an array, comma or space separated string
    assigments: container # possible values: 'assigned', 'group', 'container'
    levels: # possible values: 10, 20, 30
    categories: system # any category defined in the UA

  • new DAL type to load data from a REST endpoint

Example configuration:

dal:
  'servers':
    type: 'rest'
    # possible options can be found here: https://www.npmjs.com/package/axios#request-config
    options:
      url: 'https://my.rest.api/servers'
      method: 'GET'
      headers:
        Authorization: 'Basic XXX'
      # if params is set, it overrides all received params
      params:
        os: 'linux'

  • the history tab and its content are configurable for users and accounts

users:
  # mapping from kind to ldap attribute
  historyAttributes:
    # the default configuration
    userID: 'k5UserIDHistory'
    role: 'k5RoleHistory'
    saphr: 'k5SaphrHistory'
    resource: 'nrfResourceHistory'
    lifecycle: 'k5UserLifecycle'

accounts:
  historyAttributes:
    # only hide resources, all others use the default config shown above
    resource: false

  # alternatively, it is possible to hide the tab completely
  # historyAttributes: false

users and accounts may be filtered by organizationalUnit (using businessCategory)

The organizational units below users and accounts can now be used to narrow down a search. Organizational units are grouped into primary and secondary. For each of these you can define which businessCategory (an ldap attribute on organizational unit) belongs to primary or secondary.

Note:

  • Each primary OU should be hierarchically before any secondary OU.
  • To use this feature effectively a value index on businessCategory should exist.

Features

  • filtered searches based on organizational units
  • breadcrumbs have links to organizational unit search
  • the ldap base for accounts may be configured for each partition

Config

users:
  businessCategories:
    primary: department
    # value can be an array, comma or space separated string
    secondary: section costCenter

accounts:
  businessCategories:
    # just use same as users
    primary: <%= users.businessCategories.primary %>
    secondary: <%= users.businessCategories.secondary %>

Styling

Each businessCategory should have its own icon to distinguish it from the others. In the custom css file define each businessCategory using a font-awesome icon.

/* using https://fontawesome.com/v4.7.0/icon/building for businessCategory: section */
.fa-section:before { content: "\f1ad"; }

Translations

The default translations for the extended search form can be overridden in the custom i18n files.

  • users.search.query.primaryOrgUnit
  • users.search.query.secondaryOrgUnit
  • users.search.query.placeholders.primaryOrgUnit
  • users.search.query.placeholders.secondaryOrgUnit

v2.10.4 (Beautiful Bear, 2018-09-11)

Bugfixes

  • form designer fails to load

v2.10.3 (Loud Llama, 2018-08-29)

Bugfixes

  • panels:
    • use 'forEach' as label if defined
    • added translation defaults for accounts
  • use HTTP POST for searches with possibly large query parameters

What's new

  • new permission to hide details tab: user['can view details tab'] and account['can view details tab']
  • allow to forward tasks assigned to one of the authenticated user's child objects
  • show child objects tasks and requests count on the dashboard:
    • this can be disabled using the permission user['can view child objects on dashboard']
    • you may change the header using the following app i18n keys:
      home:
        childObjects:
          tasks: Tasks of child objects
          requests: Requests of child objects
      

v2.10.1 (Sweet Sardine, 2018-08-20)

Bugfixes

  • modify roles: display search boxes although the object has no assigned roles

What's new

  • k5-repeat-section adds the templateOption: validateExpression to recognize changes within the model value of the repeat section and perform validations accordingly
  • jsonStableStringify can now be used in forms

v2.10.0 (Modern Mosquito, 2018-08-20)

Bugfixes

  • Process History: ignore missing entry and select first one

What's new

  • Customizable Panels: see the documentation

v2.9.3 (Modern Mink, 2018-06-26)

Bugfixes

  • several minor form control fixes

What's new

  • configurable timeout for form data scripts (default is 7.5 seconds)

    rbpm:
      evalFormDataTimeout: '7.5s'
    

Permissions

  • viewer.is(role) accepts a DN as well (in addition to the Karma roles admin, user & guest), which is checked against the viewer's principals
  • actions.authz may be a principal DN as it uses viewer.is(role)

Form Controls

  • unique-input has new template options:
    • templateOptions.negate: negates the result from the dal query so that validation fails if no objects could be found
    • templateOptions.dal.queryOptions.XXX: allows to define additional query options for dal queries
  • k5-select has new template option selectFirst
    • if false, the first value of a required field will not be automatically selected
    • defaults to true

v2.9.2 (Calm Chough, 2018-05-09)

Bugfixes

  • show info message when nothing has been found for a search
  • show search errors (like timeouts) in results pane (instead of message box)
  • fix form issue where primaryValue in k5-repeat-section isn't displayed correctly
  • fix form issue where wizard couldn't be submitted in case of following disabled steps

What's new

permissions

  • viewer.is(role) to simplify checks for user and guest

    $role   is('admin')   is('user')   is('guest')
    admin   true          true         true
    user    false         true         true
    guest   false         false        true
  • the subject is available as its type in the parameter object

    exports.permissions = {
      user: {
        'can edit attributes': ({ subject, user }) => {
          // subject === user
        },
      },
      account: {
        'can edit attributes': ({ subject, account }) => {
          // subject === account
        },
      },
      role: {
        'can edit attributes': ({ subject, role }) => {
          // subject === role
        },
      }
    }
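
The role table above, together with the DN form of viewer.is(role) described under v2.9.3, can be modelled as follows. This is an added example, not Karma's implementation; makeViewer, principals, visibleActions and the action ids are assumed names, and the DN comparison is a simplification.

```javascript
// Added example (not Karma's code): the role table plus the DN form of
// viewer.is(). makeViewer, principals and visibleActions are assumed names.

// Karma roles ordered from least to most privileged, as in the table.
const RANK = new Map([['guest', 0], ['user', 1], ['admin', 2]])

// Assumption: principals arrive in one consistent DN format, so trimming and
// lower-casing is enough to compare them. A directory applies its own rules.
const normalizeDN = dn => String(dn).trim().toLowerCase()

function makeViewer ({ $role, principals = [] }) {
  const known = new Set(principals.map(normalizeDN))
  return {
    $role,
    is (role) {
      if (RANK.has(role)) {
        // An unknown or missing viewer role ranks below guest: fail closed.
        const own = RANK.has($role) ? RANK.get($role) : -1
        return own >= RANK.get(role)
      }
      // Anything that is not a Karma role is treated as a principal DN.
      return typeof role === 'string' && known.has(normalizeDN(role))
    }
  }
}

// actions.authz may be a Karma role or a principal DN; both go through is().
function visibleActions (viewer, actions) {
  return actions
    .filter(action => viewer.is(action.authz))
    .map(action => action.id)
}

// Constructed sample data.
const helpdesk = makeViewer({
  $role: 'user',
  principals: ['cn=Helpdesk,ou=groups,o=system']
})
const sampleActions = [
  { id: 'reset-password', authz: 'CN=helpdesk,ou=groups,o=system' },
  { id: 'delete-user', authz: 'admin' },
  { id: 'view-profile', authz: 'guest' }
]
console.log(visibleActions(helpdesk, sampleActions))
```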
    

v2.9.1 (Disturbed Dragonfly, 2018-05-03)

Bugfixes

  • forms:
    • k5-repeat-section: setting primary value key within new sections causes blank k5-repeat-section if there is no primary value at all
    • wizard: disable form submission if no further enabled steps
  • the refresh button in the roles panel should reload the roles
  • actions: invalid ACL validation
  • hide error details in production
  • refresh tasks/requests list after a task has been finished

What's new

  • re-designed avatar icons when initials are used
  • show not found message if the main requested object does not exist
  • the groups within the groups panel are loaded in a separate request to reduce initial load time
  • the resources panels can be disabled - it is not only hidden but the attributes are not requested from the ldap server
users:
  hideResourcesPanel: true
accounts:
  hideResourcesPanel: true

Permissions

  • edit attributes: user['can edit attributes'], account['can edit attributes'] and role['can edit attributes']
  • view inherited roles: user['can view inherited roles'] and account['can view inherited roles']
  • view groups: user['can view groups'] and account['can view groups']
  • view resources: user['can view ressources'] and account['can view ressources']

v2.9.0 (Gorgeous Goldfish, 2018-04-19)

Bugfixes

  • several ui fixes:
    • increase number of typeahead options
    • increase infinity scroll thresholds
    • increase timeout for auto submit of search forms (slow typing would lead to a lot of cancelled ldap operations)
    • update count on any search parameter change
    • show load more button in infinity scroll mode if there may be more entries to load
    • accounts:
      • correct naming in count display
      • group link within an account links to the account search page
      • disable add to shopping cart button
    • users/accounts: group selection should not depend on role selection
    • forms(k5-repeat-section):
      • preventing line break within action buttons (remove/primary)
      • set primary value key within new sections
  • performance:
    • remove several unnecessary uses of ServerSideSorting
    • work around several eDirectory bugs/features:
      • if the pageSize parameter for the PagedResults is greater than the available results it does not return any entries
      • for a complex filter it returns all entries for PagedResults
      • under high load (especially if ServerSideSorting is used) it responds with UnwillingToPerform
    • adjusted cache sizes

What's new

  • metrics:
    • new ldap_search_seconds metric to track all ldap search operations with their scope, filter and controls
    • new http_* metric to track http requests (concurrent connections, request duration, in and out bytes)
  • ldap:
    • use specialized count (estimate from PagedResults without sorting)
    • load balancing pool to distribute operations on several connections with auto validation and connection health check
    • the number of connections can be configured using ldap.maxConnections (defaults to number of cpu cores)

      please note that each worker (cluster.workers - defaults to number of cpu cores) will use that many ldap connections

    • on certain errors (UnwillingToPerform, Other, Unavailable, Busy) the operation will be retried up to 5 times (in total 6 attempts) with an increasing delay
    • if an http request is aborted (for example the user refined the search parameters) all associated ldap operations are abandoned
    • new log component ldap-ops to log all ldap operations
      • each log entry contains a cmdline property which can be used to test the query from the command line
      • if not defined the log level is inherited from log.components.ldap
      • if info or higher nothing will be logged
      • if debug, base searches are excluded
      • if trace, base searches are included
  • cache entries are pruned; previously each cache grew to its max size and stayed there

v2.8.24 (Tough Turkey)

Bugfixes

  • Treat special ACLs like [Root], [Public], [Self], [Inherited Rights Filter] and [This] in ACL evaluation
  • Forms: Hidden keys filter for data to submit will only be applied on plain objects and arrays
  • Performance:
    • optimized loading of roles for users/accounts
    • remove slow query warning logs (the number of these log entries alone had a performance impact); they are replaced by new metrics based on Prometheus (see below)
  • under certain circumstances the eDirectory responds with an empty or incorrect result list if the filter is only a simple equality filter
  • hide task list after last task is completed

What's new

  • replaced slow query detection with Prometheus metrics
    • each query has a filter label which is a normalized version of the used ldap filter; this allows to detect which attributes are used with what filter type to create an optimized index for that query
    • these can be accessed through the new metric endpoint: http://karma.server:9001/-/metrics
  • log real ldap search queries for better debugging of used queries, enable via log.components.ldap: debug;

    please note that base and sizeLimit=1 queries are not logged as there are just too many and they usually provide no additional insight

  • roles may have actions just like users/accounts; configuration is exactly the same

v2.8.23 (Moaning Manatee)

Bugfixes

  • ACL evaluation fails with large amount of principals (NDS error insufficient buffer: -649)
  • include securityEquals in principal calculation

What's new

  • actions are configurable for accounts and shown in action tab
  • use Proxied Authorization Control (RFC 4370) for ACL evaluation when available (since eDirectory 9.0); this can be disabled and reverted to the old behavior (simple check on the ACL attribute for each entry) using:
ldap:
  capabilities:
    proxiedAuthorization: false

Note: For this feature to work, the Karma LDAP Proxy account must have supervisor rights on the impersonated user. Click here for more details and configuration.

v2.8.22 (Fancy Finch)

Bugfixes

  • permissions: same checks on the server like on the client
  • scripts
    • support most console methods within scripts: assert, count, dir, error, group, groupEnd, info, log, table, time, timeEnd, timeStamp, trace, warn
  • forms:
    • de-serialize JSON from scripts
    • k5-select: keep selected entries for rendering while loading more matches

What's new

Orders

  • a template for the nrfRequest object can be defined in the config file; this allows to change for example objectClass or nrfStatus, or add other attributes

The defaults are:

orders:
  nrfRequestTemplate:
    objectClass: ['Top', 'nrfRequest', 'grpNrfRequest']
    nrfStatus: '10'

Example how to change the nrfStatus:

orders:
  nrfRequestTemplate:
    nrfStatus: '5'

v2.8.21 (Busy Boar)

What's new

Form Control: k5-repeat-section

  • Option removeLabel to hide the remove button
{ 
  "type": "k5-repeat-section",
  "templateOptions": {
    "removeLabel": false
  }
}

Form Control: k5-collapse

  • renaming template option uncollapsedText to expandedText
  • adding template options collapsedIconClass and expandedIconClass (using font-awesome classes, see defaults in example)
{
  "type": "k5-collapse",
  "templateOptions": {
    "collapsedText": "",
    "expandedText": "",
    "collapsedIconClass": "fa-square-o",
    "expandedIconClass": "fa-check-square-o"
  }
}

v2.8.20 (Yummy Yak)

What's new

  • scripts can now require custom modules which are resolved relative to config dir

User <-> Account Relations

The relation between a user and its accounts can now be configured and is shown in the UI. Once configured a new tab is added to the user screen showing the associated accounts and their roles.

To enable this feature adjust your configuration:

users:
  # defines which multi-value attribute at the user contains the account DNs
  childObjectDNsAttribute: directReports

accounts:
  # defines which attribute (single or multi-value) at the account contains the user DN
  parentObjectDNsAttribute: manager

Configurable Permission System

Karma ships with a flexible built-in permission system that allows you to define who can perform certain actions within Karma.

The permission system is based on rules that can be defined in a configuration file called rules.js within the configuration directory.

The following is an example for a rules configuration (config/rules.js):

exports.permissions = {
  // subject.$type === 'user'
  user: {
    // is the viewer allowed to request role assignments and revocations for this user
    'can assign and revoke roles': ({ viewer, subject }) => {
      return (
        // is admin
        viewer.$role === 'admin' ||
        // can edit own roles
        viewer.$id === subject.$id
      )
    }
  },
  // subject.$type === 'role'
  role: {
    // is the viewer allowed to request revocation of this role
    'is revokable': ({ viewer, subject, owner }) => {
      return (
        // is admin
        viewer.$role === 'admin' ||
        // can remove own roles
        (owner && viewer.$id === owner.$id)
      )
    }
  }
}

Further information can be found in the permission documentation.

v2.8.19 (Kind Komodo)

Bugfixes

  • forms(k5-select): when not defining matchExpression or labelExpression fallback to labelProp

What's new

  • forms: converting date string to date object

v2.8.18 (Gorgeous Goldfish)

What's new

  • allow to revoke directly assigned roles

Form Control: k5-select

  • new matchExpression option to override rendering of selected items
  • new dal async property to allow async/typeahead like search behavior
  • new dal $take option to define how many choices should be loaded
  • the model may contain a sibling property with initial enhanced objects for already selected options: _<model key>_options; this can be populated using the model script: model["_child-roles_options"] = await IDVAult.globalQuery(null, 'roles', {$include: model["child-roles"]}) using the below dal config
  • if a $partition is included in the result, it is shown before each match and choice; to ensure $partition is added to each result set the server dal config option loadDefaultProperties to true (see below)

field.json

{
  "type": "k5-select",
  "key": "child-roles",
  "templateOptions": {
    "multiple": true,
    "valueProp": "entryDN",
    "labelExpression": "$item.name",
    "descriptionExpression": "$item.description",
    "matchExpression": "{{$item.name}} <small>{{_.truncate($item.description, {length: 15})}}</small>",
    "dal": {
      "key": "roles",
      "async": true,
      "options": {
        "$take": 5
      }
    }
  }
}

model.json

{
  "child-roles": [
    "cn=Finance,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset,o=system",
    "cn=Level10,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset,o=system"
  ],
  "_child-roles_options": [
    {
      "entryDN":"cn=Finance,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset,o=system",
      "nrfLocalizedDescrs":{
        "en":"Finance Department"
      },
      "nrfLocalizedNames":{
        "en":"Finance"
      },
      "cn":"Finance",
      "entryUUID":"60914df0-5edf-0941-b192-60914df05edf",
      "$id":"60914df0-5edf-0941-b192-60914df05edf",
      "$name":"Finance",
      "$partition":{
        "id":"k5",
        "ui":{
          "label":"Kenoxa",
          "logo":"logo.png",
          "icon":"Karma_symbol_blau.png"
        }
      },
      "$type":"role",
      "nrfStatus":"50",
      "nrfRoleLevel":"30",
      "nrfRoleCategoryKey":[
        "default",
        "favorites"
      ],
      "name":"Finance",
      "description":"Finance Department"
    },
    {
      "entryDN":"cn=Level10,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset,o=system",
      "nrfLocalizedDescrs":{
        "en":"Level10, Permission Role"
      },
      "nrfLocalizedNames":{
        "en":"Level10"
      },
      "cn":"Level10",
      "entryUUID":"03ebaf0b-23d3-c740-9e81-03ebaf0b23d3",
      "$id":"03ebaf0b-23d3-c740-9e81-03ebaf0b23d3",
      "$name":"Level10",
      "$partition":{
        "id":"k5",
        "ui":{
          "label":"Kenoxa",
          "logo":"logo.png",
          "icon":"Karma_symbol_blau.png"
        }
      },
      "$type":"role",
      "nrfStatus":"50",
      "nrfRoleLevel":"10",
      "name":"Level10",
      "description":"Level10, Permission Role"
    }
  ]  
}

DAL: ldap-list

  • new qAttributes option to allow to define which attributes are searched from k5-select typeahead query
  • new take option to allow to define how many results should be returned by default (may be overridden in fields dal option $take)
  • new loadDefaultProperties option which allows to enrich each entry with some standard properties like $id, $name, $type and $partition
  • new useServerSideSort option to make the ldap server sort the result set; when enabled the used sortBy attribute must have a value index
dal:
  'roles':
    type: 'ldap:list'
    options:
      base: '<%= roles.base %>'
      scope: '<%= roles.scope %>'
      filter: '<%= roles.filter %>'
      attributes:
        - entryDN
        - cn nrfLocalizedNames nrfLocalizedDescrs
        - nrfRoleCategoryKey nrfRoleLevel nrfStatus nrfActive
      sortBy: '<%= roles.sort %>'
      useServerSideSort: true
      qAttributes: cn nrfLocalizedNames nrfLocalizedDescrs
      take: 15
      loadDefaultProperties: true

v2.8.17

Bugfixes

  • ensure cache entries are created with language key
  • prevent blocking modal when provisioning request could not be loaded

v2.8.15

Bugfixes

  • forms: adding formState to nestedOptions
  • performance improvement for loading user and account lists
  • load available actions for a user or account only if it is needed in the ui

What's new

  • forms: making $model available in formState
  • forms: making model and formState available in primaryValue expressionProperties

v2.8.14

Bugfixes

  • use correct label in accounts view

What's new

user & account card attributes are configurable

The attributes shown in the cards of search results for user and account are now configurable.

users:
  # the defaults are mail, telephoneNumber, roomNumber and container
  cardAttributes: mail telephoneNumber roomNumber

v2.8.12

Bugfixes

  • forms: disabled fields no longer prevent form submission. Note: this may allow invalid model data to be sent to the server.

v2.8.11

Bugfixes

  • forms: options from server (incl. the properties formState and data) are now available on the client
  • scripts: better directory detection to support common execution variants

What's new

Form Control: json-tree

  • color and indentation matching global style
  • used model values are customizable
[{
  "type": "json-tree",
  "key": "someKey",
  "customize": "_.map(model, 'nested.model.path')"
}, {
  "type": "k5-merge-ui",
  "templateOptions": {
    "fields": [{
      "key": "urmAffiliations",
      "label": "Category Data",
      "isArray": true,
      "rootName": "Category Data",
      "jsonTreeCustomize": "_.map(model, 'affiliation.model')"
    }]
  }
}]

v2.8.10

Bugfixes

  • Display issue when using checkboxes in formly forms

What's new

New unique-input form control

This form control allows to check if an input field contains a unique value by performing a dal query and evaluating the result.

Example field configuration:

{
  "type": "unique-input",
  "key": "cn",
  "templateOptions": {
    "label": "Login Name",
    "dal": {
      "key": "users-by-cn",
      "attribute": "cn"
    }
  },
  "asyncValidators": {
    "unique": {
      "message": "'This Login Name is not unique.' | formlyTranslate"
    }
  }
}

Example dal query (local.yaml):

# ...
dal:
  'users-by-cn':
    type: 'ldap:list'
    authz: 'user'
    options:
      base: '<%= users.base %>'
      scope: '<%= users.scope %>'
      filter: '<%= users.filter %>'
      attributes:
        entryDN
      sortBy: '<%= users.sort %>'
      query:
        'cn!': 'cn'

json-tree form control customization

The json-tree form control now allows to customize the input object via an expression.

The following example shows how to display only a child property of the actual object.

Example field configuration:

{
  "type": "json-tree",
  "key": "myObject",
  "templateOptions": {
    "label": "My Object",
    "customize": "_.map(model, 'data.model')"
  }
}

Let's assume myObject is defined as follows:

[
  {
    id: 123,
    data: {
      foo: 'bar',
      model: {
        name: 'baz',
        limit: 5,
        isGreat: true
      }
    },
    metadata: {
      createdAt: '20170105121314Z'
    }
  },
  {
    id: 124,
    data: {
      foo: 'baz',
      model: {
        name: 'foo',
        limit: 30,
        isGreat: false
      }
    },
    metadata: {
      createdAt: '20170105121314Z'
    }
  }
]

json-tree would display the object like this:

[
  {
    name: 'baz',
    limit: 5,
    isGreat: true
  },
  {
    name: 'foo',
    limit: 30,
    isGreat: false
  }
]

v2.8.9

Bugfixes

  • Issues when following links in Karma. Reason was a missing id

What's new

  • html form control now supports translation

v2.8.8

Bugfixes

  • use different (visible) color for loading bar
  • show loading indicator for initial list loading

What's new

HTML Formly Control

This control allows to render an html expression. The key property is optional and may access a property within the model.

{
  "type": "html",
  "key": "isNew",
  "templateOptions": {
    "label": "Is New",
    "expression": "<i class='fa fa-fw fa-{{model ? 'check-square-o' : 'square-o'}}'></i>"
  }
}

JSON-Tree Formly Control

This control allows to render a JSON object as a tree. The key property is optional and may access a property within the model.

templateOptions:

  • rootName: This is an optional attribute that sets the title displayed at the root node. This is useful when you are showing sub-portions of an object or want the object root node to have a different string than the key or 'Model'.
  • start-expanded: This is an optional attribute that designates if the tree's root should display as expanded initially.
{
  "type": "json-tree",
  "key": "treeDataProperty",
  "templateOptions": {
    "rootName": "Data Tree"
  }
}

v2.8.7

Bugfixes

  • IE11 load error

What's new

  • systemd init script refactored/simplified

v2.8.6

What's new

External Role Relationship

nrfExternalParentRoles and nrfExternalChildRoles are resolved and displayed on the role details page.

Custom Search Fields

Search attributes can now be defined in the configuration file. If omitted defaults apply.

users:
  searchAttributes:
    - {$id: '$id', label: 'k5SiteSearch.attributes.id'}
    - {$id: '$name', label: 'k5SiteSearch.attributes.login'}
    - {$id: '$description', label: 'k5SiteSearch.attributes.description'}
    - {$id: 'givenName', label: 'k5SiteSearch.attributes.givenName'}
    - {$id: 'sn', label: 'k5SiteSearch.attributes.surName'}
    - {$id: 'mail', label: 'k5SiteSearch.attributes.mail'}
    - {$id: 'some-custom-field', label: 'Some Custom Field'}
  • The $id is the ldap attribute to be searched.
  • The label may be a plain text value or a translation key (see below: Custom i18n).

Defaults:

users:
  searchAttributes:
    - {$id: '$id', label: 'k5SiteSearch.attributes.id'}
    - {$id: '$name', label: 'k5SiteSearch.attributes.login'}
    - {$id: '$description', label: 'k5SiteSearch.attributes.description'}
    - {$id: 'givenName', label: 'k5SiteSearch.attributes.givenName'}
    - {$id: 'sn', label: 'k5SiteSearch.attributes.surName'}
    - {$id: 'mail', label: 'k5SiteSearch.attributes.mail'}

accounts:
  searchAttributes:
    - {$id: '$id', label: 'k5SiteSearch.attributes.id'}
    - {$id: '$name', label: 'k5SiteSearch.attributes.login'}
    - {$id: '$description', label: 'k5SiteSearch.attributes.description'}
    - {$id: 'givenName', label: 'k5SiteSearch.attributes.givenName'}
    - {$id: 'sn', label: 'k5SiteSearch.attributes.surName'}
    - {$id: 'mail', label: 'k5SiteSearch.attributes.mail'}

roles:
  searchAttributes:
    - {$id: '$id', label: 'k5SiteSearch.attributes.id'}
    - {$id: 'nrfLocalizedNames', label: 'k5SiteSearch.attributes.name'}
    - {$id: 'nrfLocalizedDescrs', label: 'k5SiteSearch.attributes.description'}

Custom i18n

This feature allows to override translations or define additional translations.

Custom translations are stored in config/{app,formly}/<locale>.{json,json5,yml,yaml} and may be in one of the following formats: json, json5, yml or yaml.

Example: define a custom translation for search attributes

local.yaml

users:
  searchAttributes:
    - {$id: '$id', label: 'k5SiteSearch.attributes.id'}
    - {$id: '$name', label: 'k5SiteSearch.attributes.login'}
    - {$id: '$description', label: 'k5SiteSearch.attributes.description'}
    - {$id: 'givenName', label: 'k5SiteSearch.attributes.givenName'}
    - {$id: 'sn', label: 'k5SiteSearch.attributes.surName'}
    - {$id: 'mail', label: 'k5SiteSearch.attributes.mail'}
    - {$id: 'some-custom-field', label: 'some-custom-field'}

config/app/i18n/en.yaml

some-custom-field: Some Custom Field Label
# override an existing label
k5SiteSearch:
  attributes:
    login: User Login Name

config/app/i18n/de.yaml

some-custom-field: Ein Eigenes Feld
# override an existing label
k5SiteSearch:
  attributes:
    login: Anmeldename

v2.8.4

What's new

simplified start script

Instead of

NODE_ENV=production NODE_CONFIG_DIR=~/config ~/server/.bashpack/bin/node ~/server/bin/karma

you can now use

~/server/bin/karma

Doctor Script

Check your configuration for potential problems. Doctor exits with a non-zero status if any problems are found.

~/server/bin/doctor

Configuration Value Encryption

This new feature allows you to encrypt some config values (ldap.bindDN, ldap.bindCredentials, rbpm.credentials.username and rbpm.credentials.password).

Note that this is not intended for security purposes, since the encryption key may be found inside the app.

Its main use is for obscurity. If a user looks through the config file and finds the config value, it is not useable because of the encryption.

First you need to encrypt a value:

~/server/bin/encrypt
Enter a value to encrypt: foo
ENC(kV7qYMpqQdBiDfQgAYBETpDW8rol97WwCTYjp_zuCjpv)
Enter a value to encrypt: foo
ENC(06TDT14nMFbz1NIiF3q0nK0Q-3RP3BbpSfv28kGa8w7a)
Enter a value to encrypt: bar
ENC(jVdeNOK_HLkXqnGqe3uSIVizDBLmxh3K8D7psptY7YWO)
Enter a value to encrypt:
(To exit, press enter again or type .exit)
Enter a value to encrypt:

As you see the same value results in different encryption strings. This allows you to hide the fact that you are using the same password several times.

For additional security you can use the -p flag. This hides the value you entered.

~/server/bin/encrypt -p
Enter a value to encrypt (password mode):
ENC(O4iVOerwFcnA114fzqBOR0Ozr0xRKrv-ZEpi5Qt150tQ)
Enter a value to encrypt (password mode):
ENC(SVy-7fi-zjrKNMSjHkhlhaP0SvV52KOIiHWaXojhf-hG)
Enter a value to encrypt (password mode):
(To exit, press enter again or type .exit)
Enter a value to encrypt (password mode):

Now use ENC(...) in the config file:

ldap:
  bindDN: ENC(RY_ba2QtihfZsvI3d3jcyr5UEvGmZvfWxSJYIxrGi0Qk)
  bindCredentials: ENC(QcuO_te7tKR25yHqzy6TXPinWc7K0PweciOuHrCl16Gw)

partitions:
  identity:
    rbpm:
      credentials:
        username: ENC(-Y48J-WIA8sthGsIzAKRH5svHZlmPuaZXAHCF-WRGHyD)
        password: ENC(2x7kF0M35oi2iBIseEihV4CA6t-AD8cBdHv93jp1NWHV)

rbpm:
  credentials:
    username: ENC(O_4g80fqibVBWDgjMRXfwgCmO6-gwoB5pNxv7qYTT7r1)
    password: ENC(J90VZzva4im8xq8EY7p5gtba0IHRZj2BNoZGwJoWdAvt)
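
The check below is an added example, not part of Karma: it walks a config file and reports which of the four encryptable keys named above still hold plaintext. The mappings-only YAML reader, the function names and the sample values are constructed for illustration.

```python
import re

# The four config keys the changelog lists as encryptable. They are matched as
# path suffixes so rbpm credentials nested under partitions.<name> count too.
ENCRYPTABLE = (
    "ldap.bindDN",
    "ldap.bindCredentials",
    "rbpm.credentials.username",
    "rbpm.credentials.password",
)
ENC_VALUE = re.compile(r"^ENC\(.+\)$")  # only the wrapper is checked, not the token


def flatten(yaml_text):
    """Yield (dotted.path, value) pairs from a mappings-only YAML subset."""
    stack = []  # (indent, key) of every mapping that is still open
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # naive trailing-comment strip
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent level
        value = value.strip().strip("'\"")
        if value:
            yield ".".join([k for _, k in stack] + [key]), value
        else:
            stack.append((indent, key))


def audit(yaml_text):
    """Return {path: 'encrypted' | 'plaintext'} for every encryptable key found."""
    report = {}
    for path, value in flatten(yaml_text):
        if any(path == k or path.endswith("." + k) for k in ENCRYPTABLE):
            report[path] = "encrypted" if ENC_VALUE.match(value) else "plaintext"
    return report


# Constructed sample config: all values are placeholders, not real credentials.
SAMPLE = """\
ldap:
  bindDN: cn=karma,ou=sa,o=system   # still readable
  bindCredentials: ENC(constructed-placeholder-token)
partitions:
  identity:
    rbpm:
      credentials:
        username: ENC(constructed-placeholder-token)
        password: 'hunter2'
"""

if __name__ == "__main__":
    for path, state in audit(SAMPLE).items():
        print(f"{state:9}  {path}")
```

Because the changelog describes ENC(...) as obscurity rather than protection, an all-encrypted report does not remove the need for restrictive file permissions on the config directory.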

v2.8.3

What's new

Custom Styling Support

ui:
  assets:
    # path within config/assets for an additional stylesheet to load
    # this can be used to apply specific styles
    styles: styles/custom.css

partitions:
  name_of_partition:
    ui:
      # css class added to the document body
      # this can be used to apply different styles based on the primary partition of the logged-in user
      # default: primary-partition-<kebabCase(id)> -> primary-partition-name-of-partition
      bodyClassName: some-partition-specific-css-class-name
      # path within config/assets for an additional stylesheet to load
      # this can be used to apply different styles based on the primary partition of the logged-in user
      styles: styles/this-partition-styles.css

Example using just one stylesheet file:

ui:
  assets:
    styles: styles/custom.css

partitions:
  microfocus:
    # no special config

File config/assets/styles/custom.css:

body {
  background: yellow;
}

/* change background for partition microfocus */
body.primary-partition-microfocus {
  background: green;
}

The same example, but using different stylesheets:

ui:
  assets:
    styles: styles/custom.css

partitions:
  microfocus:
    ui:
      styles: styles/partition-microfocus.css

File config/assets/styles/custom.css:

body {
  background: yellow;
}

File config/assets/styles/partition-microfocus.css:

/* change background for partition microfocus */
body {
  background: green;
}

v2.8.2

What's new

  • show partition affiliation for each entry (user, role, ...)

partitions:
  name_of_partition:
    # compared with value of users.primaryPartitionAttribute
    # to determine if this partition is the primary partition for that user
    primaryPartitionKey: K
    # ui related configuration
    ui:
      # human readable name of this partition
      label: Partition Label
      # path within config/assets to an image shown in the header based on logged-in user
      logo: logo.png
      # path within config/assets to an image besides each entry (user, role, ...) from this partition
      icon: icon.png

users:
  # used to select primary partition of an user (see partitions -> primaryPartitionKey above)
  primaryPartitionAttribute: klPzmSparte

v2.7.1

What's new

Karma adds a new form controller, dal-input, which stores attributes received from a DAL query directly in a text input field. The following is an example of a form definition that automatically fills in the first and last name as the user types a cn:

[{
  key: 'cn',
  type: 'input',
  className: 'col-sm-6',
  templateOptions: {
    label: 'CN',
    placeholder: 'Common Name',
    required: true
  }
}, {
  key: 'firstName',
  type: 'dal-input',
  className: 'col-sm-6',
  templateOptions: {
    label: 'First Name',
    placeholder: 'First Name',
    required: false,
    disabled: true,
    valueProp: 'givenName',
    dal: {
      key: 'user-by-cn'
    }
  },
  expressionProperties: {
    'templateOptions.dal.options.queryCN': 'model.cn'
  }
}, {
  key: 'lastName',
  type: 'dal-input',
  className: 'col-sm-6',
  templateOptions: {
    label: 'Last Name',
    placeholder: 'Last Name',
    required: false,
    disabled: true,
    valueProp: 'sn',
    dal: {
      key: 'user-by-cn'
    }
  },
  expressionProperties: {
    'templateOptions.dal.options.queryCN': 'model.cn'
  }
}]

Instead of providing query results as lists, the Karma DAL can now respond with single objects. The following configuration (local.yaml) shows an example of how to request a single user object by providing a cn.

dal:
  # ...
  'user-by-cn':
    type: 'ldap:entry'
    # admin, user (default) or guest
    authz: 'user'
    options:
      base: '<%= users.base %>'
      scope: 'sub'
      filter: '<%= users.filter %>'
      attributes: 'cn givenName sn'
      requireUnique: false
      query:
        queryCN: cn

Two options differ from list requests:

# the type must be: 'ldap:entry'
type: 'ldap:entry'

# requireUnique tells Karma if ambiguous results are allowed
# If requireUnique is true and multiple matching objects are found in LDAP, the DAL result will be empty.
# If requireUnique is false and multiple matching objects are found in LDAP, the DAL will return the first result.
# The default value is false
requireUnique: false

Results are cached by Karma so that only one LDAP query will be sent for the example above (requesting givenName and sn).

v2.7.0

What's new

Besides some minor performance enhancements and bugfixes, Karma v2.7.0 now offers a new shopping cart feature which allows users to order permissions in the form of Roles. In contrast to the traditional role assignment process, role requests are not sent right away but are temporarily stored in the user's Shopping Cart, which can be modified until the order is submitted.

Karma Shopping Cart

Users are able to see an overview of previous orders ...

Karma Order Overview

... and track the status of their orders.

Karma Order Details

Installation & Configuration

To update Karma to version 2.7.0 and benefit from the new Shopping Cart feature, changes to the eDirectory schema, structure and indexes must be applied and the Karma configuration must be adapted accordingly. This section describes the changes in detail.

Extending the schema

Karma stores all information about orders initiated through the Shopping Cart in separate objects in eDirectory, which are then processed by a special IDM driver provided by NetIQ. The eDirectory schema needs to be extended in order to enable the storage of those objects. To extend the schema, execute the following LDIF code:

version: 1

#NDS attribute:k5Data
#Syntax:SYN_CI_STRING
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.10
  NAME 'k5Data'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5InitiatorDN
#Syntax:SYN_DIST_NAME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.3
  NAME 'k5InitiatorDN'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5EndDate
#Syntax:SYN_TIME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.9
  NAME 'k5EndDate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5RequestDate
#Syntax:SYN_TIME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.2
  NAME 'k5RequestDate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5Originator
#Syntax:SYN_CI_STRING
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.4
  NAME 'k5Originator'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5OrderId
#Syntax:SYN_OCTET_STRING
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.11
  NAME 'k5OrderId'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5Description
#Syntax:SYN_CI_STRING
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.5
  NAME 'k5Description'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5TargetDNs
#Syntax:SYN_DIST_NAME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.7
  NAME 'k5TargetDNs'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5SourceDNs
#Syntax:SYN_DIST_NAME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.6
  NAME 'k5SourceDNs'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5StartDate
#Syntax:SYN_TIME
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.8
  NAME 'k5StartDate'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS attribute:k5CorrelationId
#Syntax:SYN_CI_STRING
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (
  1.3.6.1.4.1.29603.5.2.1.1
  NAME 'k5CorrelationId'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-NDS_NOT_SCHED_SYNC_IMMEDIATE '1'
  )

#NDS class:k5Karma
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (
  1.3.6.1.4.1.29603.5.2.2.1
  NAME 'k5Karma'
  SUP Top
  AUXILIARY
  MAY description
  )

#NDS class:k5Config
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (
  1.3.6.1.4.1.29603.5.2.2.10
  NAME 'k5Config'
  SUP Top
  STRUCTURAL
  MUST cn
  MAY description
  X-NDS_NAMING 'cn'
  )


#NDS class:k5Orders
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (
  1.3.6.1.4.1.29603.5.2.2.20
  NAME 'k5Orders'
  SUP Top
  STRUCTURAL
  MUST cn
  MAY description
  X-NDS_NAMING 'cn'
  )


#NDS class:k5Order
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (
  1.3.6.1.4.1.29603.5.2.2.21
  NAME 'k5Order'
  SUP Top
  STRUCTURAL
  MUST ( k5CorrelationId $ k5Data $ k5InitiatorDN $ k5RequestDate $ k5OrderId $ k5SourceDNs $ k5TargetDNs )
  MAY ( k5Description $ k5EndDate $ k5Originator $ k5StartDate )
  X-NDS_NAMING 'k5CorrelationId'
  X-NDS_CONTAINMENT 'k5Orders'
  X-NDS_NOT_CONTAINER '1'
  )

Creating directory structure

The following LDIF code shows an example of a directory structure for storing Shopping Cart objects. This structure can be adapted to suit the customer's requirements.

version: 1

# services container
dn: ou=services,o=data
changetype: add
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: Top
objectClass: ndsContainerLoginProperties
ou: services
description: Services

# resource container
dn: ou=res,ou=services,o=data
changetype: add
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: Top
objectClass: ndsContainerLoginProperties
ou: res
description: IDM resources

# karma container
dn: ou=karma,ou=res,ou=services,o=data
changetype: add
objectClass: organizationalUnit
objectClass: ndsLoginProperties
objectClass: Top
objectClass: ndsContainerLoginProperties
objectClass: k5Karma
ou: karma
description: Karma resources

# karma configuration
dn: cn=k5Config,ou=karma,ou=res,ou=services,o=data
changetype: add
objectClass: Top
objectClass: k5Config
cn: k5Config
description: Karma configuration

# karma orders
dn: cn=k5Orders,ou=karma,ou=res,ou=services,o=data
changetype: add
objectClass: Top
objectClass: k5Orders
cn: k5Orders
description: Karma orders

# nrfConfig
dn: cn=nrfConfig,ou=res,ou=services,o=data
changetype: add
objectClass: Top
objectClass: nrfConfig
cn: nrfConfig
Version: 4.6

# global input requests
dn: cn=GlobalInputRequests,cn=nrfConfig,ou=res,ou=services,o=data
changetype: add
objectClass: Top
objectClass: nrfRequests
cn: GlobalInputRequests

Adding indexes

Karma v2.7.0 benefits from the following additional eDirectory indexes for performance reasons:

dn: cn=idm,ou=servers,o=system
changetype: modify
add: indexDefinition
indexDefinition: 0$karma(k5CorrelationId_v)$2$0$0$1$k5CorrelationId
indexDefinition: 0$karma(k5OrderId_v)$2$0$0$1$k5OrderId

Format: <Index Version>$<Index Name>$<Index State>$<Index Rule>$<Index Type>$<Index Value State>$<AttributeName>

  • Index State: should be 2. Specifies the state of the index.
    • 0 – Denotes the ‘suspended’ state. This means that this index is not used in queries and not updated.
    • 1 – Denotes the ‘Bringing Online’ state. This means that the index is in the process of being created. It has two states, Bringing Online (low) and Bringing Online (high).
      • Bringing Online (low) indicates that the index creation process on the said attribute is pending.
      • Bringing Online (high) indicates that the index creation is in progress.
    • 2 – Denotes the ‘online’ state, which indicates that the index is up and working.
    • 3 – Denotes the ‘Pending Creation’ state, which indicates that the index has been defined and is waiting for the background process to run.
  • Index Rule
    • 0 – Value Matching, which optimizes queries that involve the entire value or the first part of the value. For example, a query for all entries with a surname equal to Jensen or beginning with Jen.
    • 1 – Presence Matching, which optimizes queries that involve only the presence of an attribute. For example, a query for all entries with a surname attribute.
    • 2 – Substring Matching, which optimizes queries that involve a match of a few characters. For example, a query for all entries with a surname containing "der". This query returns entries with the surnames of Derington, Anderson, and Lauder.
  • Index Type: always 0. Specifies who created the index.
    • 0 – User Defined
    • 1 – Added on Attribute Creation
    • 2 – Required for Operation
    • 3 – System Index
  • Index Value State: always 1. Specifies the source of the index.
    • 0 – Uninitialized
    • 1 – Added from Server
    • 2 – Added from Local DIB
    • 3 – Deleted from Local DIB
    • 4 – Modified from Local DIB
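
A parser for the indexDefinition format described above, added here as an example (it is not Karma or eDirectory code): it names each field, decodes the numeric codes and flags values that differ from the ones this changelog prescribes. The function names are hypothetical, and the two faulty definitions in the sample are constructed.

```python
# Field order and code tables follow the format description in the changelog.
FIELDS = ("version", "name", "state", "rule", "type", "value_state", "attribute")
CODES = {
    "state": {0: "suspended", 1: "bringing online", 2: "online", 3: "pending creation"},
    "rule": {0: "value", 1: "presence", 2: "substring"},
    "type": {0: "user defined", 1: "added on attribute creation",
             2: "required for operation", 3: "system index"},
    "value_state": {0: "uninitialized", 1: "added from server", 2: "added from local DIB",
                    3: "deleted from local DIB", 4: "modified from local DIB"},
}
# Values the changelog prescribes for Karma's indexes.
REQUIRED = {"state": 2, "type": 0, "value_state": 1}


def parse_index_definition(value):
    """Split one indexDefinition value into named fields; codes become ints."""
    parts = value.strip().split("$")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} '$'-separated fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    for field in ("version", "state", "rule", "type", "value_state"):
        if not entry[field].isdigit():
            raise ValueError(f"{field} must be numeric, got {entry[field]!r}")
        entry[field] = int(entry[field])
    return entry


def review(entry):
    """Return findings for one parsed definition; an empty list means it conforms."""
    findings = []
    for field, table in CODES.items():
        if entry[field] not in table:
            findings.append(f"{field}={entry[field]} is not a documented code")
        elif field in REQUIRED and entry[field] != REQUIRED[field]:
            want = table[REQUIRED[field]]
            findings.append(f"{field} is '{table[entry[field]]}', expected '{want}'")
    return findings


def review_ldif(ldif_text):
    """Map every indexDefinition value in an LDIF snippet to its findings."""
    results = {}
    for line in ldif_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "indexDefinition":
            continue
        try:
            results[value.strip()] = review(parse_index_definition(value))
        except ValueError as exc:
            results[value.strip()] = [str(exc)]
    return results


# First value is from the changelog; the other two are constructed faulty inputs.
SAMPLE = """\
indexDefinition: 0$karma(k5CorrelationId_v)$2$0$0$1$k5CorrelationId
indexDefinition: 0$karma(k5OrderId_v)$0$0$0$1$k5OrderId
indexDefinition: 0$karma(k5OrderId_v)$2$0$1
"""

if __name__ == "__main__":
    for definition, findings in review_ldif(SAMPLE).items():
        print(definition, "->", findings or "ok")
```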

Adjusting the configuration

To tell Karma where to store and find order items, add the following items to the configuration file (e.g. /srv/karma/config/local.yaml):

orders:
  base: 'cn=k5Orders,ou=karma,ou=res,ou=services,o=data'

orderItems:
  base: 'cn=GlobalInputRequests,cn=nrfConfig,ou=res,ou=services,o=data'

ui:
  features:
    # ...
    shoppingCart: true
Copyright © 2025 Kenoxa GmbH