Novell IDENTITY MANAGER 3.6.1 - STAGING BEST PRACTICES GUIDE 2010, Implementation Manual

Page 1: ... www novell com novdocx en 17 September 2009 AUTHORIZED DOCUMENTATION Identity Manager 3 6 1 WorkOrder Driver Implementation Guide Identity Manager 3 6 1 December 18 2009 WorkOrder Driver Implementation Guide ...

Page 2: ...rt or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell as...

Page 3: ...ell Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 5: ...Driver 21 4 3 Creating the Driver in iManager 22 4 3 1 Importing the Driver Configuration File 22 4 3 2 Configuring the Driver Settings 24 4 3 3 Starting the Driver 24 4 4 Activating the Driver 25 5 Upgrading an Existing Driver 27 5 1 Supported Upgrade Paths 27 5 2 What s New in Version 3 6 1 27 5 3 Upgrade Procedure 27 6 Customizing the Driver 29 6 1 Policies and Rules Used in the Basic Configura...

Page 6: ...Module 44 A 1 2 Driver Object Password iManager Only 44 A 1 3 Authentication 44 A 1 4 Startup Option 45 A 1 5 Driver Parameters 46 A 1 6 ECMAScript Designer Only 47 A 2 Global Configuration Values 47 B Objects and Attributes Used 49 B 1 New Objects Used by the Driver 49 B 1 1 DirXML WorkOrder Object 49 B 1 2 DirXML WorkToDo Object 49 B 2 DoItNow and SendToPublisher Flags 49 B 2 1 DoItNow Flag 50 B...

Page 7: ... This guide is intended for developers and administrators using Identity Manager and the WorkOrder driver Feedback We want to hear your comments and suggestions about this manual and the other documentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation or go to www novell com documentation feedback html and enter your comment...

Page 8: ...8 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 A trademark symbol TM etc denotes a Novell trademark An asterisk denotes a third party trademark ...

Page 9: ...r through an automated process another driver or a manual process iManager and is added as a WorkOrder object in a the Identity Vault s work order container 2 At the scheduled time as defined in the WorkOrder object the driver begins processing the work order 3 The driver applies any policies to the work order performing any actions associated with the policies and creates a WorkToDo object in the...

Page 10: ...rder Figure 1 1 Subscriber Channel Configuration The Subscriber channel performs the following actions 1 Creates an association for each WorkOrder object it receives 2 Checks if the DoItNow and SendToPublisher flags are set to True If these attributes are set to True the Subscriber channel builds a work order and sends it immediately to the Publisher channel 3 If the DoItNow and SendToPublisher fl...

Page 11: ...ubscriber channel sends a WorkOrder object If the SendToPublisher flag is set to True the work order is written out to the work order container If the DoItNow flag is set to True the work order is processed immediately Wakes because the poll loop has expired Wakes because of Heartbeat Wakes because the WorkOrder object is sent by the Subscriber Query the Work Order container for all work orders pe...

Page 12: ...d DeleteDueDates See How the Publisher Channel Deletes Work Orders on page 13 3 If the driver heartbeat is configured the driver wakes to report the driver status How the Publisher Channel Processes Work Orders After the Publisher channel queries the Identity Vault for work orders it configures the work orders in the driver The following flowchart illustrates how the Publisher channel processes wo...

Page 13: ...processed without an error the status of the work order is changed to Configured If an error occurred then the status is changed to Error The work order process log is updated to contain the results 5 If the WorkOrder object has a repeat interval value the value is added to the Due Date and the work order status remains Pending This allows for the work order to be repeated as many times as specifi...

Page 14: ...quirements in the Identity Manager 3 6 1 Installation Guide Remote Platforms The WorkOrder driver works on all the platforms supported by the Remote Loader See Remote Loader in System Requirements in the Identity Manager 3 6 1 Installation Guide Role Based Entitlements The WorkOrder driver does not support Role Based Entitlements Password Synchronization Support The WorkOrder driver does not suppo...

Page 15: ...ration file to create the driver For instructions see Chapter 4 Creating a New Driver on page 19 If you have an existing driver you can upgrade its configuration to this version For instructions see Chapter 5 Upgrading an Existing Driver on page 27 Customize the driver The basic configuration for the WorkOrder driver enables it to create WorkOrder objects and WorkToDo objects This is the extent of...

Page 16: ...16 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 17: ... or upgrade an existing driver s configuration see Chapter 5 Upgrading an Existing Driver on page 27 If you performed a custom installation and did not not install the WorkOrder driver on the Metadirectory server you have two options Install the files on the Metadirectory server using the instructions in Installing the Metadirectory Server in the Identity Manager 3 6 1 Installation Guide Install t...

Page 18: ...18 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 19: ...You should restrict rights to the container so that only authorized administrators can change the container or the objects it holds 4 2 Creating the Driver in Designer You create the WorkOrder driver by importing the driver s basic configuration file and then modifying the configuration to suit your environment After you ve created and configured the driver you need to deploy it to the Identity Va...

Page 20: ...efault configuration settings click Configure then continue with the next section Configuring the Driver Settings or To skip the configuration settings at this time click Close When you are ready to configure the settings continue with the next section Configuring the Driver Settings 4 2 2 Configuring the Driver Settings After importing the driver configuration file the WorkOrder driver will run H...

Page 21: ...r example and assign security equivalence to that user Whatever rights that the driver needs to have on the server the DriversUser object must have the same security rights 7a Click Add then browse to and select the object with the correct rights 7b Click OK twice 8 Click Exclude Administrative Roles to exclude users that should not be synchronized You should exclude any administrative User object...

Page 22: ...er set you are prompted to specify the name context and server for the driver set Import a configuration into this driver set Use the default option Import a configuration from the server XML file In the Show field select Identity Manager 3 6 1 configurations In the Configurations field select the WorkOrder file Driver name Type a name for the driver The name must be unique within the driver set W...

Page 23: ...er is running remotely Specify the Remote Loader s password as defined on the Remote Loader service The Metadirectory engine or Remote Loader shim requires this password to authenticate to the Remote Loader Define Security Equivalences The driver requires rights to objects within the Identity Vault and to the input and output directories on the server The Admin user object is most often used to su...

Page 24: ...e driver set object that contains the new driver 1d Click the driver set name to access the Driver Set Overview page 1e Click the upper right corner of the driver then click Edit properties 2 Review the settings on the various pages and modify them as needed for your environment The configuration settings are explained in Driver Parameters on page 46 Although it is important for you to understand ...

Page 25: ...Driver on page 39 4 4 Activating the Driver If you created the driver in a driver set where you already activated the Metadirectory engine and service drivers the driver inherits the activation If you created the driver in a driver set that has not been activated you must activate the driver within 90 days Otherwise the driver stops working For information on activation refer to Activating Novell ...

Page 26: ...26 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 27: ...tions until you want to upgrade them The following sections provide information to help you upgrade an existing driver s configuration to version 3 6 1 Section 5 1 Supported Upgrade Paths on page 27 Section 5 2 What s New in Version 3 6 1 on page 27 Section 5 3 Upgrade Procedure on page 27 5 1 Supported Upgrade Paths You can upgrade from any 3 x version of the WorkOrder driver Upgrading a pre 3 x ...

Page 28: ...28 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 29: ...stomizing your driver Section 6 2 Human Resource Example Using an HR Driver on page 31 Section 6 3 Human Resource Example without an HR Driver on page 33 6 1 Policies and Rules Used in the Basic Configuration This section describes policies and rules for the Subscriber and Publisher channels in the WorkOrder driver s basic configuration For an overview on how the Subscriber and Publisher channels ...

Page 30: ...work orders from the work order container you specified to the driver This mapping is necessary so that the Subscriber channel can check the work orders to see if the DoItNow flag is set to True Command Transformation Not used in the sample configuration Schema Mapping Maps the eDirectory namespace to the Work Order namespace Output Transformation Not used in the sample configuration Rule or Polic...

Page 31: ...istinguished name as the value for the content attribute in the work order and the new hire date as the value for the due date in the work order Write the WorkOrder object to the WorkOrder container Write the user to the Identity Vault with the loginDisabled attribute set to True Wait for next event WorkOrder Container Identity Manager HR driver detects the new user Send the new user to eDirectory...

Page 32: ...attributes LastName FirstName HireDate and Disabled Mapping Rule The mapping rule maps the attributes used in the WorkOrder driver to attributes in the Identity Vault You can view the sample at hr drv schema map xml http www novell com documentation idm36drivers work_order samples hr drv schema map xml Filter The filter attribute allows only the attributes that are needed by this example to be pas...

Page 33: ...ectly You can view the sample at hr wo drv pub cmd transform xml http www novell com documentation idm36drivers work_order samples hr wo drv pub cmd transform xml 6 3 Human Resource Example without an HR Driver This example creates a new user and postpones activating the new employee s access to the system until the hire date by putting policies in the WorkOrder driver to create the work order Fig...

Page 34: ... is set to pending The DirXML nwoSendToPublisher attribute is set to True This work order has not yet been created in the Identity Vault so the sample configuration creates the work order in the Identity Vault by setting the SendToPublisher attribute to True This tells the publisher in the WorkOrder driver to write the policy to the work order container that it looks in for work orders to be proce...

Page 35: ...er Properties on page 35 Section 7 2 3 Filtering the Work Order List on page 37 7 2 1 Creating a New Work Order 1 In iManager click to display the Identity Manager Administration page 2 In the Features list click Work Order Management to display the Work Order Management page 3 In the WorkOrder Driver field browse for and select the WorkOrder driver for which you are creating the work order 4 Clic...

Page 36: ...browse for and select dependent work orders To remove a work order from the list select the work order then click Type Use this field to specify a work order type The driver does not change this attribute The attribute is passed through to the WorkToDo object when the work order is processed Work Order Number A unique work order number This value can be assigned by a corporate work order system ot...

Page 37: ...o close the work order without saving the information 7 2 3 Filtering the Work Order List 1 Click Show under Work Order Management 2 From the drop down menu select the filter type Show all All work orders associated with the driver are listed Configured Only configured work orders associated with the driver are listed Error Only work orders with an error status are listed On Hold Work orders that ...

Page 38: ...38 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 39: ...ds to securely store passwords associated with the driver Monitoring the driver s health status Backing up the driver Inspecting the driver s cache files Viewing the driver s statistics Using the DirXML Command Line utility to perform management tasks through scripts Securing the driver and its information Because these tasks as well as several others are common to all Identity Manager drivers the...

Page 40: ...40 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 41: ... driver processing events use DSTrace You should only use it during testing and troubleshooting the driver Running DSTrace while the drivers are in production increases the utilization on the Identity Manager server and can cause events to process very slowly For more information see Viewing Identity Manager Processes in the Identity Manager 3 6 1 Common Driver Administration Guide ...

Page 42: ...42 Identity Manager 3 6 1 WorkOrder Driver Implementation Guide novdocx en 17 September 2009 ...

Page 43: ... driver set that contains the driver whose properties you want to edit 2a In the Administration list click Identity Manager Overview 2b If the driver set is not listed on the Driver Sets tab use the Search In field to search for and display the driver set 2c Click the driver set to open the Driver Set Overview page 3 Locate the WorkOrder driver icon then click the upper right corner of the driver ...

Page 44: ...ava class is com novell nds dirxml driver workorde r WorkOrderDriverShim Connect to Remote Loader Used when the driver is connecting remotely to the connected system Designer includes two suboptions Driver Object Password Specifies a password for the Driver object If you are using the Remote Loader you must enter a password on this page Otherwise the remote driver does not run The Remote Loader us...

Page 45: ...e Remote Loader is listening on The default port for the Remote Loader is 8090 The kmo entry is optional It is only used when there is an SSL connection between the Remote Loader and the Metadirectory engine Example hostname 10 0 0 1 port 8090 kmo IDMCertificate Driver Cache Limit kilobytes or Cache limit KB Specify the maximum event cache file size in KB If it is set to zero the file size is unli...

Page 46: ... The actual name you want to use for the driver WorkOrders Container The name of the container where WorkOrder objects and WorkToDo objects are to be stored Poll Interval How often the Publisher channel polls the WorkOrder container for work orders to be configured The default is one minute You can use this setting not use this setting or use it with the Poll Time setting If you don t want to use ...

Page 47: ...rch for and display the driver set 2c Click the driver set to open the Driver Set Overview page 3 To add a GCV to the WorkOrder driver locate the WorkOrder driver icon click the upper right corner of the driver icon to display the Actions menu then click Edit Properties or To add a GCV to the driver set click Driver Set then click Edit Driver Set properties To modify the driver s GCVs in Designer ...

Page 48: ...on Guide novdocx en 17 September 2009 2 To add a GCV to the WorkOrder driver right click the driver icon or line then select Properties Global Configuration Values or To add a GCV to the driver set right click the driver set icon then click Properties GCVs ...

Page 49: ...t immediately and doesn t wait for a polling time or time of day To learn how to use the DoItNow and SendToPublisher flags see Section B 2 DoItNow and SendToPublisher Flags on page 49 An iManager plug in is provided to help you create and maintain work orders To learn how to use the plug in see Chapter 7 Creating and Managing Work Orders on page 35 B 1 2 DirXML WorkToDo Object The driver creates t...

Page 50: ...omated solution you can use policies to determine whether the flag should be set B 2 2 SendToPublisherFlag When this flag is set to True for a work order the Subscriber channel sends the work order to the Publisher channel and the Publisher channel writes the WorkOrder object to the WorkOrder container specified in the configuration parameters This flag is usually set to False However if a work or...

Page 51: ...rkOrder object in this documentation is used to tell the driver what tasks to perform It delays the work order until a date and time or until another work order is configured It also repeats work orders at a given interval The following table shows the work order attributes you need to specify Table C 1 WorkOrder Object Attributes Work Order Attributes eDirectory Namespace Description Type Descrip...

Page 52: ...is non existent or empty it is ignored Distinguished Name DirXML nwoRepeatInterval The amount of time in hours before the work order is repeated This value is added to the due date after the work order is processed Case ignore string DirXML nwoRepeatCount Repeats the work order as many times as the number specifies Use this attribute in association with the DirXML nwoRepeatInterval attribute Case ...

Page 53: ...iver does not change this attribute It is passed through to the WorkToDo object when the work order is processed Case ignore string WorkToDo Attributes Description Type DirXML CreatorName Information about the work order The driver does not change this attribute Case ignore string DirXML nwoContent The value of the content attribute in the work order Case ignore string DirXML nwoDN DN of the work ...

Page 54: ...eate Rule To create a work order the Subscriber Create rule is set up so all new work orders with the necessary information can be sent to the Subscriber channel The following attributes must be present to pass the Create rule otherwise the event cannot be processed further Table C 3 Work Order Attributes for the Subscriber Create Rule Required Attributes Description Values or Examples DirXML nwoS...