Documentation Additions and Corrections

This section contains new and corrected information that was required after the Identity Manager 7.1 documentation set was published. This information is organized as follows:

Identity Manager Installation
Identity Manager Upgrade
Identity Manager Administration Guide
Identity Manager Resources Reference
Identity Manager Technical Deployment Overview
Identity Manager Workflows, Forms, and Views
Identity Manager Deployment Tools
Identity Manager Tuning, Troubleshooting, and Error Messages
Identity Manager Service Provider Edition Deployment
Using helpTool

---

Identity Manager Installation

This section provides new information and documentation corrections related to Sun Java™ System Identity Manager Installation.

The Exchange 5.5 resource adapter is not supported. Ignore any references to this adapter.

---

Identity Manager Upgrade

This section provides new information and documentation corrections for Sun Java™ System Identity Manager Upgrade.

Before upgrading, it is important to back up both the directory where Identity Manager is installed and the database that Identity Manager is using. You can use third-party back up software or a back up utility supplied with your system to back up the Identity Manager file system. To back up your database, refer to the database documentation for recommended back up procedures. (ID-2810)

When you are ready to create your backups, you must first shutdown (or idle) Identity Manager. Then, use your backup utilities to back up your database and the file system where you installed Identity Manager.

The AD Active Sync resource has been deprecated and replaced by the AD resource. Perform the following steps to migrate to the AD Active Sync to newer releases: (ID-11363)
Export the existing AD Active Sync resource object to an xml file (either from the command line or debug pages).
Delete the existing resource (this will not affect Identity Manager users or resource account users)
Create a new AD resource that is Active Sync.
Export this new resource object to an XML file.
Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the <Resource id='idnumber' name='AD' ...> tag.
Save the changes to the file.
Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
Updated the Other Custom Repository Objects section to include instructions for using Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in a deployment. (ID-14840)

Other Custom Repository Objects

Record the names of any other custom repository objects that you created or updated. You might have to export these objects from your current installation and then re-import them to the newer version of Identity Manager after upgrading.

Admin group
Admin role
Configuration
Policy
Provisioning task
Remedy configuration
Resource form
Resource form
Role
Rule
Task definition
Task template
User form

You can use Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in your deployment, which can be very useful when you are planning an upgrade.

SnapShot copies the following, specific object types from your system for comparison:

AdminGroup
AdminRole
Configuration
EmailTemplate
Policy
ProvisionTask
RemedyConfig
ResourceAction
Resourceform
Role
Rule
TaskDefinition
TaskTemplate
UserForm

You can then compare two snapshots to determine what changes have been made to certain system objects before and after upgrade.

Note	This feature is not intended for detailed, on-going XML diffs — it is only a minimal tool for “first-pass” comparisons.

To create a snapshot:

From the Identity Manager Debug page ( ), click the SnapShot button to view the SnapShot Management page.

Figure 1  SnapShot Management Page



Type a name for the snapshot in the Create text box, and then click the Create button.

When Identity Manager adds the snapshot, the snapshot’s name displays in the Compare menu list and to the right of the Export label.

To compare two snapshots:

Select the snapshots from each of the two Compare menus ( ).

Figure 2  SnapShot Management Page



Click the Compare button.
If there are no object changes, then the page indicates that no differences were found.
If object changes were found, then the page displays the object type and name, and whether an object is different, absent, or present.

For example, if an object is present in baseline_1, but is not present in baseline_2, then the baseline_1 column indicates Present and the baseline_2 column indicates Absent.

You can export a snapshot in XML format. Click the snapshot name to export the snapshot file.

To delete a snapshot, select the snapshot from the Delete menu, and then clicking the Delete button.

Added the following paragraph to the Modified JSPs section to include information about using the inventory -m command to identify modified JSPs in a deployment: (ID-14840)

You can use the inventory -m command (described on the previous page) to identify any JSP modifications made in your deployment.

If you are upgrading from a 6.x install to version 7.0 or 7.1, and you want to start using the new Identity Manager end-user pages, you must manually change the system configuration ui.web.user.showMenu to true for the horizontal navigation bar to display. (ID-14901)
If you are upgrading from 6.0 or 7.0 to version 7.1, and using LocalFiles, you must export all of your data before upgrading and then re-import the data after doing a clean installation of 7.1. (ID-15366)
Upgrading from 6.0 or 7.0 to version 7.1 requires a database schema upgrade. (ID-15392)
If you are upgrading from 6.0 to 7.1, you must use the upgradeto71.* script appropriate to the type of RDBMS you are using.
If you are upgrading from 7.0 to 7.1, you must use the upgradeto71from70.* script appropriate to the type of RDBMS you are using.
During the upgrade process, Identity Manager analyzes all roles on the system and then updates any missing subroles and super roles links using the RoleUpdater class. (ID-15734)

To check and upgrade roles outside of the upgrade process, import the new RoleUpdater configuration object that is provided in sample/forms/RoleUpdater.xml. For example:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
   <ImportCommand class='com.waveset.session.RoleUpdater' >
      <Map>
         <MapEntry key='verbose' value='true' />
         <MapEntry key='noupdate' value='false' />
         <MapEntry key='nofixsubrolelinks' value='false' />
   v</Map>
   </ImportCommand>
</Waveset>

Where:

verbose: Provides verbose output when updating roles. Specify false to enable a silent update of roles.
noupdate: Determines whether the roles are updated. Specify false to get a report that only lists which roles will be updated.
nofixsubrolelinks: Determines whether super roles are updated with missing subrole links. This value is set to false by default and links will be repaired.

If you have a space in the path to the Identity Manager installation directory, you must specify the WSHOME environment variable without double quotes ("), as shown in the following example (ID-15470):

Note	Do not use trailing slashes (\) when specifying the path, even if the path contains no spaces.

set WSHOME=c:\Program Files\Apache Group\Tomcat 4.1\idm

or

set WSHOME=c:\Progra~1\Apache~1\Tomcat~1\idm

The following path will not work:

set WSHOME="c:\Program Files\Apache Group\Tomcat 4.1\idm"

---

Identity Manager Administration Guide

This section provides new information and documentation corrections for Sun Java™ System Identity Manager Administration.

Chapter 3, User and Account Management

In the section titled Disable Users (User Actions, Organization Actions), the note has been amended.:

Note	If an assigned resource does not have native support for account disabling, but does support password changes, then Identity Manager can be configured to disable user accounts on that resource through the assignment of new, randomly generated passwords. This configuration requires that you enable the resource Disable and Password account features by using the Identity System Parameters page in the Resource Wizard. See Chapter 4, Configuration, for more information.

In the section titled Enable Users (User Actions, Organization Actions), the note has been added.:

Note	If an assigned resource does not have native support for account enabling, but does support password changes, then Identity Manager can be configured to enable user accounts on that resource through password resets. This configuration requires that you enable the resource Enable and Password account features by using the Identity System Parameters page in the Resource Wizard. See Chapter 4, Configuration, for more information.

Chapter 5, Administration

In the section titled Delegating Work Items, the following note has been added.

Note	After setting up delegation, any work items created during the effective delegation period are added to your list and the delegate’s list. If you end delegation, then the delegated work items are recovered; this may result in duplicate work items. When you approve or reject one, then the duplicate is automatically removed from your list.

In the section titled Managing Work Items, the following information has been added.

           Delegations to Deleted Users

If you have delegated a work item to a user who is later deleted from Identity Manager, then the deleted user is indicated in the Current Delegations list in parentheses. If you subsequently edit or create a delegation that includes the deleted user, then the action fails. Additionally, any user create or update work items that are delegated to a deleted user will fail.

You can recover work items that are delegated to a deleted user by ending the delegation.

In the table titled Identity Manager Capabilities Descriptions, the End User Administrator capability has been added. Any user assigned this capability can view and modify the rights to object types specified in the End User capability, as well as the contents of the end User Controlled Organizatsions rule. By default, this capability is assigned to Configurator.

Chapter 11, Identity Auditing

The following information has been added to this chapter.

Resolving Auditor Capabilities Limitations

By default, capabilities needed to perform auditing tasks are contained in the Top organization (object group). As a result, only those administrators who control Top can assign these capabilities to other administrators.

You can resolve this limitation by adding the capabilities to another organization. Identity Manager provides two utilities, located in the sample/scripts directory, to assist with this task.

Run the following command to list all capabilities (AdminGroups) and their associated organizations (object groups):

beanshell objectGroupUpdate.bsh -type AdminGroup -action list -csv

This command captures the output to a comma-separated value (CSV) file.

Edit the CSV file to adjust the capabilities organizational locations as desired.
Run this command to update Identity Manager.

beanshell objectGroupUpdate.bsh -data CSVFileName -action add -groups NewObjectGroup

Chapter 13, Service Provider Administrator

The section titled “Configure Synchronization” should state the default synchronization interval for Service Provider synchronization tasks defaults to 1 minute.

---

Identity Manager Resources Reference

This section contains new information and documentation corrections for the Sun Java™ System Identity Manager Resources Reference:

The Exchange 5.5 resource adapter is not supported. Ignore any references to this adapter.
In the Database Table adapter documentation, the example for the Last Fetched Predicate is invalid. It should be defined as follows:

lastMod > '$(lastmod)'

The Flat File Active Sync adapter discusses setting the sources.hosts property in the Waveset.properties file. This configuration should now be accomplished using synchronization policy.
The NDS adapter has improved support for GroupWise:
The adapter can now manage post offices in secondary domains.
GroupWise users can subscribe to any known distribution list.
A post office can be deleted without specifying a “delete pattern”.
The “Managing ACL List” procedure of this guide contains the following step: (ID-16476)

3. Edit the user in Identity Manager and on the Edit User form.

Replace this sentence with the following:

3. Edit the user in Identity Manager on the Edit User form.

---

Identity Manager Technical Deployment Overview

This section contains new information and documentation corrections for Sun Java™ System Identity Manager Technical Deployment Overview:

You can use CSS to set column widths in the User list and Resource list tables to a fixed pixel or percentage value. To do so, add the following style classes (commented out by default) to customStyle.css. You can then edit the values to meet the user's requirements.

th#UserListTreeContent_Col0 {
  width: 1px;
}

th#UserListTreeContent_Col1 {
  width: 1px;
}

th#UserListTreeContent_Col2 {
  width: 50%;
}

th#UserListTreeContent_Col3 {
  width: 50%;
}

th#ResourceListTreeContent_Col0 {
  width: 1px;
}

th#ResourceListTreeContent_Col1 {
  width: 1px;
}

th#ResourceListTreeContent_Col2 {
  width: 33%;
}

th#ResourceListTreeContent_Col3 {
  width: 33%;
}

th#ResourceListTreeContent_Col4 {
  width: 33%;
}

You can also resize table columns by clicking and dragging the right border of the column header. If you mouse over the right border of the column header, the cursor will change to a horizontal resize arrow. Left-click and drag the cursor will resize the column. (Resizing ends when you release the mouse button.)

The System Configuration object now contains the security.delegation.historyLength attribute, which controls the number of previous delegations that are recorded.
The Access Review Dashboard and Access Review Detail Report both show instances of reviews that are recorded in the audit logs. Without database maintenance, the audit logs are never trimmed, and the list of reviews grows. Identity Manager provides the ability to limit the reviews shown to a certain age range. To change this limit, you must customize compliance/dashboard.jsp (for the dashboard) and sample/auditortasks.xml (for the Details report). (The default is to show only reviews that are less than 2 years old.)

To restrict the reviews included in the Access Review Dashboard, customize compliance/dashboard.jsp as follows:

Open compliance/dashboard.jsp in either the Identity Manager IDE or editor of your choice:
Change the line: form.setOption("maxAge", "2y"); to form.setOption("maxAge", "6M"); to limit the list to reviews run in the last 6 months. The qualifiers are:
m - minute
h - hour
d - day
w - week
M - month
y - year

To show all reviews that still exist in the audit logs, comment out this line.

To restrict the reviews included in the Access Review Detail Report,

Open sample/auditortasks.xml in either the IDE or editor of your choice.
Change the following line as indicated:

<s>maxAge</s>
  <s>2y</s>

to

<s>maxAge</s>
  <s>6M</s>

to limit reviews to the last 6 months. The same qualifiers as above apply.

Each Periodic Access Review includes a set of UserEntitlement records that were created when the review was run. These records, which accumulate over time, provide valuable historical information about accounts. However, to conserve database space, consider deleting some records. You can delete a record by executing Server Task > Run Task > Delete Access Review. Deleting a review adds new audit log entries that indicate the review is deleted, and deletes all UserEntitlement records associated with the review, which conserves database space.

In the section “Changing Background Image on the Login Page”, the third line of code should read:

url(../images/other/login-backimage2.jpg)

Code Example 5-5 contains information that should appear in Code Example 5-4.
Code Example 5-4 should be as follows:

Code Example 5-4  Customizing Navigation Tabs  

/* LEVEL 1 TABS */ .TabLvl1Div {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#333366;   padding:6px 10px 0px; } a.TabLvl1Lnk:link, a.TabLvl1Lnk:visited {   display:block;   padding:4px 10px 3px;   font: bold 0.95em sans-serif;   color:#FFF;   text-decoration:none;   text-align:center; } table.TabLvl1Tbl td {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left top;   background-color:#666699;   border:solid 1px #aba1b5; } table.TabLvl1Tbl td.TabLvl1TblSelTd {   background-color:#9999CC;   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   border-bottom:none; } /* LEVEL 2 TABS */ .TabLvl2Div {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#9999CC;   padding:6px 0px 0px 10px } a.TabLvl2Lnk:link, a.TabLvl2Lnk:visited{   display:block;   padding:3px 6px 2px;   font: 0.8em sans-serif;   color:#333;   text-decoration:none;   text-align:center; } table.TabLvl2Tbl div.TabLvl2SelTxt {   display:block;   padding:3px 6px 2px;   font: 0.8em sans-serif;   color:#333;   font-weight:normal;   text-align:center; } table.TabLvl2Tbl td {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left top;   background-color:#CCCCFF;   border:solid 1px #aba1b5; } table.TabLvl2Tbl td.TabLvl2TblSelTd {   border-bottom:none;   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#FFF;   border-left:solid 1px #aba1b5;   border-right:solid 1px #aba1b5;   border-top:solid 1px #aba1b5;

Code Example 5.5 should be as follows:

Code Example 5-5  Changing Tab Panel Tabs

table.Tab2TblNew td {background-image:url(../images/other/dot.gif);background-repeat:repeat-x;background-positi on:left top;background-color:#CCCCFF;border:solid 1px #8f989f} table.Tab2TblNew td.Tab2TblSelTd {border-bottom:none;background-image:url(../images/other/dot.gif);background-repeat:repeat- x;background-position:left bottom;background-color:#FFF;border-left:solid 1px #8f989f;border-right:solid 1px #8f989f;border-top:solid 1px #8f989f}

In the Identity Manager End User Interface, the horizontal navigation bar is driven by the End User Navigation UserForm in enduser.xml. (ID-12415)

userHeader.jsp, which is included in all the end user pages, includes another JSP named menuStart.jsp. This JSP accesses two system configuration objects:

ui.web.user.showMenu - Toggles the display of the navigation menu on/off (default: true)
ui.web.user.menuLayout - Determines whether the menu is rendered as horizontal navigation bar with tabs (the default: horizontal) or a vertical tree menu (vertical)

The CSS style classes that determine how the menu is rendered are in style.css.

Identity Manager now calls the Lighthouse account the Identity Manager account. You can override this name change through the use of a custom catalog. (ID-14918) See Enabling Internationalization in Identity Manager Technical Deployment Overview for information on custom catalogs.

The following catalog entries control the display of the product name:

PRODUCT_NAME=Identity Manager

LIGHTHOUSE_DISPLAY_NAME=[PRODUCT_NAME]

LIGHTHOUSE_TYPE_DISPLAY_NAME=[PRODUCT_NAME]

LIGHTHOUSE_DEFAULT_POLICY=Default [PRODUCT_NAME] Account Policy

Identity Manager now provides a new configuration object (WorkItemTypes configuration object) that specifies all supported work item type names, extensions, and display names. (ID-15468) This configuration object is defined in sample/workItemTypes.xml, which is imported by init.xml and update.xml.

The extends attribute allows for a hierarchy of work item types (workItem Types). When Identity Manager creates a work item, it delegates the work item to the specified users if its workItem type is:

the type delegated
one of the subordinate workItem types of the type being delegated.

workItem Type	Description	Display Name
Approval	extends WorkItem	Approval
OrganizationApproval	extends Approval	Organization Approval
ResourceApproval	extends Approval	Resource Approval
RoleApproval	extends Approval	Role Approval
Attestation	WorkItem	Access Review Attestation
review	WorkItem	Remediation
accessReviewRemediation	WorkItem	Access

By default, Identity Manager’s anonymous enrollment processing generates values for accountId and emailAddress by using user-supplied first (firstName) and last names (lastName) as well as employeeId. (ID-16131)

Because anonymous enrollment processing can result in the inclusion of non-ASCII characters in email addresses and account IDs, international users should modify EndUserRuleLibrary rules so that Identity Manager maintains ASCII account IDs and email addresses during anonymous enrollment processing.

To maintain account ID and email address values in ASCII during anonymous enrollment processing, follow these two steps:

Edit the following three rules within the EndUserRuleLibrary as indicated below:

Edit this rule	To make this change...
getAccountId	To use employeeId only (and remove firstName and lastName)
getEmailAddress	To use employeeId only (remove firstName, lastName, and ".")
verifyFirstname	To change length check from 2 to 1 to allow for single character Asian first names

Edit the End User Anon Enrollment Completion form to remove the firstName and lastName arguments from calls to the getAccountId and getEmailAddress rules.

---

Identity Manager Workflows, Forms, and Views

This section contains new information and documentation corrections for Sun Java™ System Identity Manager Workflows, Forms, and Views.

You can turn off policy checking in your user form by adding the following field to the form:

<Field name='viewOptions.CallViewValidators'>   <Display class='Hidden'/>     <Expansion>         <s>false</s>     </Expansion> </Field>

This field overrides the value in the OP_CALL_VIEW_VALIDATORS field of modify.jsp.

The Identity Manager User Interface pages include a second XPRESS form that implements the navigation bar. As a result, the rendered page contains two <FORM> tags, each with a different name attribute:

<form name="endUserNavigation"> and <form name="mainform">

To avoid potential confusion between these two <FORM> elements, make sure you use the name attribute as follows to distinguish which <FORM> you are referencing: document.mainform or document.endUserNavigation.

Chapter 2, Identity Manager Workflow

Identity Manager provides the following new sample Access Review workflow in /sample/workflows. (ID-15393)

Test Auto Attestation

Use to test new Review Determination rules without creating Attestation work items. This workflow does not create any work items, and simply terminates shortly after it starts. It leaves all User Entitlement objects in the same state that they were created in by the access scan. Use the Terminate and Delete options to clean up the results from access scans run with this workflow.

You can import this stub workflow as needed. (Identity Manager does not import it automatically.)

Identity Manager Compliance uses workflows as integration and customization points for the application. The default compliance-related workflows are described below. (ID-15447)

Workflow Name	Purpose
Remediation	Remediation for a single Remediator working with a single Compliance Violation
Access Review Remediation	Remediation for a single remediator working with a single UserEntitlement
Attestation	Attestation for a single Attestor working with a single UserEntitlement
Multi Remediation	Remediation for a single Compliance Violation and multiple remediators
Update Compliance Violation	Mitigates a Compliance Violation
Launch Access Scan	Launch an Access Scan task from an Access Review task
Launch Entitlement Rescan	Launch a rescan of an Access Scan for a single user
Launch Violation Rescan	Launch a rescan of an Audit Policy Scan for a single user

The description of the maxSteps property has been revised as follows: (ID-15618)

Specifies the maximum number of steps allowed in any workflow process or subprocess. Once this level is exceeded, Identity Manager terminates the workflow. This setting is used as a safeguard for detecting when a workflow is stuck in an infinite loop. The default value set in the workflow itself is 0, which indicates that Identity Manager should pull the actual setting value from the global setting stored in the SystemConfiguration object's workflow.maxSteps attribute. The value of this global setting is 5000.

This chapter now contains the following description of the Scripted Task Executor task. (ID-15258)

Executes Beanshell or JavaScript based on the script provided. As a task, it can be scheduled to run periodically. For example, you can use it to export data from the repository to a database for reporting and analysis. Benefits include the ability to write a custom task without writing custom Java code. (Custom Java code requires a re-compile on every upgrade and must be deployed to every server because the script is embedded in the task there is no need to recompile or deploy it.)

Chapter 3, Identity Manager Forms

This chapter now contains the following description of forms used in auditing and compliance procedures. (ID-15447, 16240)

Identity Manager auditing and compliance forms provide a feature unique among Identity Manager forms: You can assign a form on a per-user and per-organization basis. Forms assigned on a per-user basis can boost the efficiency of attestation and remediation processing.

For example, you can specify the user form that Identity Manager displays for editing a user in the context of an access review, remediation or a compliance violation remediation. You can specify this user form at the level of user or organization. When Identity Manager rescans a user in context of an access review re-scan or access review remediation, the re-scan will respect the audit policies as defined in the AccessScan. You can define this to include the continuous compliance audit policies.

Note	To configure auditing components, you must be an Identity Manager administrator with the Configure Audit and Auditor Administrator capabilities.

Related Information

See Identity Manager Administration for a discussion of the concepts that support Identity Manager auditing and compliance features as well as the basic procedures for implementing the default auditing and compliance features.
See Identity Manager Rules in Identity Manager Deployment Tools for a general discussion of rules as well as specific information about remediation rules.

About Auditing-Related Form Processing

Much like userForm and viewUserForm, you can set the form on a specific user, or on an organization, and the user (or all users in the organization) will used that form. If you set a form on both user and organization, the form set on the user takes precedence. (When looking up the form, Identity Manager searches organizations upwards.)

Auditing-related forms behave the same way that the User Form and View User Form work: Each user can designate a specific form to use, and the resolution of which form a specific user should use will honor the user's organization.

Specifying User Forms

The Audit Policy List and Access Scan List forms support a fullView property that causes the form to display a significant amount of data about the elements in the list. Set this policy to false to improve the performance of the list viewer.

The Access Approval List form has a similar property named includeUE, and the Remediation List form uses the includeCV property.

Default Auditing-Related Forms

The following table identifies the default auditing-related forms that ship with Identity Manager.

Form Name	Mapped Name	Per-User Control	General Purpose
Access Approval List	accessApprovalList		Display the list of attestation workitems
Access Review Delete Confirmation	accessReviewDeleteConfirmation		Confirm the deletion of an access review
Access Review Abort Confirmation	accessReviewAbortConfirmation		Confirm the termination of an access review
Access Review Dashboard	accessReviewDashboard		Show the list of all access reviews
Access Review Remediation Form	accessReviewRemediationWorkItem	Yes	renders each UE-based remediation workitem
Access Review Summary	accessReviewSummary		Show the details of a specific access review
Access Scan Form	accessScanForm		Display or edit an access scan
Access Scan List	accessScanList		Show the list of all access scans
Access Scan Delete Confirmation	accessScanDeleteConfirmation		Confirm the deletion of an access scan
Access Approval List	attestationList	Yes	Renders the list of all pending attestations.
Attestation Form	attestationWorkItem	Yes	Renders each attestation work item
UserEntitlementForm	userEntitlementForm		Display the contents of a UserEntitlement
UserEntitlement Summary Form	userEntitlementSummaryForm
Violation Detail Form	violationDetailForm		Show the details of a compliance violation
Remediation List	remediationList	Yes	Show a list of remediation work items
Audit Policy List	auditPolicyList		Show a list of audit policies
Audit Policy Delete Confirmation Form	auditPolicyDeleteConfirmation		Confirm the deletion of an audit policy
Conflict Violation Details Form	conflictViolationDetailsForm		Show the SOD violation matrix
Compliance Violation Summary Form	complianceViolationSummaryForm
Remediation Form	reviewWorkItem	Yes	Renders a compliance violation.

Why Customize These Forms?

Attestors and remediators can specify forms that show exactly the detail they need to more efficiently attest and remediate. For example, a resource attestor could show specific resource-specific attributes in the list form to allow them to attest without looking at each specific work item. Because this form would differ depending on the resource type (and thus attributes) involved, customizing the form on a per-attestor basis makes sense.

During attestation, each attestor can look at entitlements from a unique perspective. For example, the idmManager attestor may be looking at the user entitlement in a general way, but a resource attestor is interested only in resource-specific data. Allowing each attestor to tailor both the Attestation-list form and the AttestationWorkItem form to retrieve and display only the information they need can boost the efficiency of the product interface.

Scan Task Variables

The Audit Policy Scan Task and Access Scan Task task definitions both specify the forms to be used when initiating the task. These forms include fields that allow for most, but not all, of the scan task variables to be controlled.

Variable Name	Default Value	Purpose
maxThreads	5	Identifies the number of concurrent users to work at one time for a single scanner. Increase this value to potentially increase throughput when scanning users with accounts on very slow resources.
userLock	5000	Indicates time (in mS) spent trying to obtain lock on user to be scanned. If several concurrent scans are scanning the same user, and the user has resources that are slow, increasing this value can result in fewer lock errors, but a slower overall scan.
scanDelay	0	Indicates time (in mS) to delay between issuing new scan threads. Can be set to a positive number to force Scanner to be less CPU-hungry.

The description of the Disable element has been revised as follows: (ID-14920)

Calculates a Boolean value. If true, the field and all its nested fields will be ignored during current form processing.

Do not create potentially long-running activities in Disable elements. These expressions run each time the form is recalculated. Instead, use a different form element that will not run as frequently perform this calculation.

The section titled “Inserting Javascript into a Form” incorrectly states that you can include JavaScript in your form with a <JavaScript> tag (ID-15741). Alternatively, include JavaScript as follows:

<Field>
   <Expansion>
      <script>
............

Note	The display.session and display.subject variables are not available to Disable form elements.

You can now insert WARNING), error (ERROR), or informational (OK) alert messages into an XPRESS form. (ID-14540, ID-14953)

Note	Although this example illustrates how to insert a Warning ErrorMessage object into a form, you can assign a different severity level.

Use the Identity Manager IDE to open the form to which you want to add the warning.
Add the <Property name='messages'> to the main EditForm or HtmlPage display class.
Add the <defvar name='msgList'> code block from the following sample code.
Substitute the message key that identifies the message text to be displayed in the Alert box in the code sample string:

<message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE >

Save and close the file.

Code Example   

<Display class='EditForm'>    <Property name='componentTableWidth' value='100%'/>    <Property name='rowPolarity' value='false'/>    <Property name='requiredMarkerLocation' value='left'/>    <Property name='messages'>      <ref>msgList</ref>    </Property> </Display> <defvar name='msgList'>   <cond>     <and>       <notnull>         <ref>username</ref>       </notnull>       <isnull>         <ref>userview</ref>       </isnull>     </and>     <list>       <new class='com.waveset.msgcat.ErrorMessage'>         <invoke class='com.waveset.msgcat.Severity' name='fromString'>            <s>warning</s>         </invoke>         <message name='UI_USER_REQUESTS_ACCOUNTID_NOT_FOUND_ALERT_VALUE'>           <ref>username</ref>         </message>       </new>     </list>   </cond> </defvar>

To display a severity level other than warning, replace the <s>warning</s> in the preceding example with either of the these two values:

error -- Causes Identity Manager to render an InlineAlert with a red "error" icon.
ok -- Results in an InlineAlert with a blue informational icon for messages that can indicate either success or another non-critical message.

Identity Manager renders this as an InlineAlert with a warning icon

<invoke class='com.waveset.msgcat.Severity' name='fromString'>

   <s>warning</s>

</invoke>

where warning can also be error or ok.

Chapter 4, Identity Manager Views

The description of the Org view has been updated as follows: (ID-13584)

Used to specify the type of organization created and options for processing it.

Common Attributes

The high-level attributes of the Org view are listed in the following table.

Name	Editable?	Data Type	Required?
orgName	Read	String	System-Generated
orgDisplayName	Read/Write	String	Yes
orgType	Read/Write	String	No
orgId	Read	String	System-Generated
orgAction	Write	String	No
orgNewDisplayName	Write	String	No
orgParentName	Read/Write	String	No
orgChildOrgNames	Read	List	System-Generated
orgApprovers	Read/Write	List	No
allowsOrgApprovers	Read	List	System-Generated
allowedOrgApproverIds	Read	List	System-Generated
orgUserForm	Read/Write	String	No
orgViewUserForm	Read/Write	String	No
orgPolicies	Read/Write	List	No
orgAuditPolicies	Read/Write	List	No
renameCreate	Read/Write	String	No
renameSaveAs	Read/Write	String	No

orgName

Identifies the UID for the organization.This value differs from most view object names because organizations can have the same short name, but different parent organizations.

orgDisplayName

Specifies the short name of the organization. This value is used for display purposes only and does not need to be unique.

orgType

Defines the organization type where the allowed values are junction or virtual. Organizations that are not of types junction or virtual have no value.

orgId

Specifies the ID that is used to uniquely identify the organization within Identity Manager.

orgAction

Supported only for directory junctions, virtual organizations, and dynamic organizations. Allowed value is refresh. When an organization is a directory junction or virtual organization, the behavior of the refresh operation depends on the value of orgRefreshAllOrgsUserMembers.

orgNewDisplayName

Specifies the new short name when you are renaming the organization.

orgParentName

Identifies the full pathname of the parent organization.

orgChildOrgNames

Lists the Identity Manager interface names of all direct and indirect child organizations.

orgApprovers

Lists the Identity Manager administrators who are required to approve users added to or modified in this organization.

allowedOrgApprovers

Lists the potential user names who could be approvers for users added to or modified in this organization.

allowedOrgApproverIds

Lists the potential user IDs who could be approvers for users added to or modified in this organization.

orgUserForm

Specifies the userForm used by members users of this organization when creating or editing users.

orgViewUserForm

Specifies the view user form that is used by member users of this organization when viewing users.

orgPolicies

Identifies policies that apply to all member users of this organization. This is a list of objects that are keyed by type string: Each policy object contains the following view attributes, which are prefixed by orgPolicies[<type>]. <type> represents policy type (for example, Lighthouse account).

policyName -- Specifies name
id -- Indicates ID
implementation -- Identifies the class that implements this policy.

orgAuditPolicies

Specifies the audit policies that apply to all member users of this organization.

renameCreate

When set to true, clones this organization and creates a new one using the value of orgNewDisplayName.

renameSaveAs

When set to true, renames this organization using the value of orgNewDisplayName.

Directory Junction and Virtual Organization Attributes

Name	Editable?	Data Type	Required?
orgContainerId	Read	String	System-generated
orgContainerTypes	Read	List	System-generated
orgContainers	Read	List	System-generated
orgParentContainerId	Read	String	System-generated
orgResource	Read/Write	String	yes, if directory junction or virtual organization
orgResourceType	Read	String	System-generated
orgResourceId	Read	String	System-generated
orgRefreshAllOrgsUserMembers	Write	String	No

orgContainerId

Specifies the dn of the associated LDAP directory container (for example, cn=foo,ou=bar,o=foobar.com).

orgContainerTypes

Lists the allowed resource object types that can contain other resource objects.

orgContainers

Lists the base containers for the resource used by the Identity Manager interface to display a list to choose from.

orgParentContainerId

Specifies the dn of the associated parent LDAP directory container (for example, ou=bar,o=foobar.com).

orgResource

Specifies the name of the Identity Manager resource used to synchronize directory junction and virtual organizations (for example, West Directory Server).

orgResourceType

Indicates the type of Identity Manager Resource from which to synchronize directory junction and virtual organizations (for example, LDAP).

orgResourceId

Specifies the ID of the Identity Manager resource that is used to synchronize directory junctions and virtual organizations.

orgRefreshAllOrgsUserMembers

If true and if the value of orgAction is refresh, synchronizes Identity organization user membership with resource container user membership for the selected organization and all child organizations. If false, resource container user membership will not be synchronized, only the resource containers to Identity organizations for the selected organization and all child organizations.

Dynamic Organization Attributes

Name	Editable?	Data Type	Required?
orgUserMembersRule	Read/Write	String	No
orgUserMembersRuleCacheTimeout	Read/Write	String	No

orgUserMembersRule

Identifies (by name or UID) the rule whose authType is UserMembersRule, which is evaluated at run-time to determine user membership.

orgUserMembersCacheTimeout

Specifies the amount of time (in milliseconds) before the cache times out if the user members returned by the orgUserMembersRule are to be cached. A value of 0 indicates no caching.

The discussion of the User view now includes the following discussion of the accounts[Lighthouse].delegates attributes: (ID-15468)

accounts[Lighthouse].delegates

Lists delegate objects, indexed by workItemType, where each object specifies delegate information for a specific type of work item

If delegatedApproversRule is the value of delegateApproversTo, identifies the selected rule.
If manager is the value of delegateApproversTo, this attribute has no value.

accounts[Lighthouse].delegatesHistory

Lists delegate objects, indexed from 0 to n, where n is the current number of delegate history objects up to the delegate history depth

This attribute has one unique attribute: selected, which is a Boolean that indicates the currently selected delegate history object.

accounts[Lighthouse].delegatesOriginal

Original list of delegate objects, indexed by workItemType, following a get operation or checkout view operation.

All accounts[Lighthouse].delegates* attributes take the following attributes:

Attributes of accounts[Lighthouse].delegate* Attributes	Description
workItemType	Identifies the type of workItem being delegated. See the description of the Delegate Object Model in the Identity Manager Technical Deployment Overview section of this Documentation Addendum for a valid list of workItem types.
workItemTypeObjects	Lists the names of the specific roles, resources, or organizations on which the user is delegating future workItem approval requests. This attribute is valid when the value of workItemType is roleApproval, resourceApproval, or organizationApproval. If not specified, this attribute by default specifies the delegation of future workItem requests on all roles, resources, or organizations on which this user is an approver.
toType	Type to delegate to. Valid values are: manager delegateWorkItemsRule selectedUsers
toUsers	Lists the names of the users to delegate to (if toType is selectedUsers).
toRule	Specifies the name of the rule that will be evaluated to determine the set of users to delegate to (if toType is delegateWorkItemsRule).
startDate	Specifies the date when delegation will start.
endDate	Specifies the date when delegation will end.

Referencing a DelegateWorkItems View Object from a Form

The following code sample illustrates how to reference a DelegateWorkItems view delegate object from a form:

<Field name='delegates[*].workItemType'>

<Field name=’delegates[*].workItemTypeObjects’>

<Field name=’delegates[*].toType’>

<Field name='delegates[*].toUsers'>

<Field name=’delegates[*].toRule’>

<Field name='delegates[*].startDate'>

<Field name='delegates[*].endDate'>

where supported index values (*) are workItemType values.

This chapter now contains the following description of the User Entitlement view:

Use to create and modify UserEntitlement objects.

This view has the following top-level attributes:

Name	Editable?	Type	Required?
name		String	Yes
status		String	Yes
user		String	Yes
userId		String	Yes
attestorHint		String	No
userView		GenericObject	Yes
reviewInstanceId		String	Yes
reviewStartDate		String	Yes
scanId		String	Yes
scanInstanceId		String	Yes
approvalWorkflowName		String	Yes
organizationId		String	Yes
attestorComments.name		String	No
attestorComments.attestor		String	No
attestorComments.time		String	No
attestorComments.timestamp		String	No
attestorComments.status			No

name

Identifies the User Entitlement (by a unique identifier).

status

Specifies the state of User Entitlement object. Valid states include PENDING, ACCEPTED, REJECTED, REMEDIATING, CANCELLED.

user

Identifies the name of the associated WSUser for this entitlement.

userId

Specifies the ID of the associated WSUser.

attestorHint

Displays the (String) hint to the attestor that is provided by the Review Determination Rule. This hints acts as “advice” from the rule to the attestor.

userView

Contains the User view that is captured by User Entitlement scanner. This view contains zero or more resource accounts depending on the configuration of the Access Scan object.

reviewInstanceId

Specifies the ID of the PAR Task instance.

reviewStartDate

Indicates the (String) start date of the PAR task (in canonical format).

scanId

Specifies the ID of AccessScan Task definition.

scanInstanceId

Specifies the ID of AccessScan Task instance.

approvalWorkflowName

Identifies the name of workflow to be run for approval. This value comes from the Access Scan Task definition.

organizationId

Specifies the ID of the WSUser's organization at the time of the scan.

attestorComments

Lists attestation records for the entitlement. Each attestation record indicates an action or statement made about the entitlement, including approval, rejection, and rescan.

attestorComments[timestamp].name

Timestamp used to identify this element in the list.

attestorComments[timestamp].attestor

Identifies the WSUser name of the attestor making the comment on the entitlement.

attestorComments[timestamp].time

Specifies the time at which the attestor attested this record. May differ from the timestamp.

attestorComments[timestamp].status

Indicates the status assigned by the attestor. This can be any string, but typically is a string that indicates the action taken by the attestor -- for example, approve, reject, rescan, remediate.

attestorComments[name].comment

Contains comments added by attestor.

The following User view attributes have been deprecated. (ID-15468)
accounts[Lighthouse].delegateApproversTo
accounts[Lighthouse].delegateApproversSelected
accounts[Lighthouse].delegateApproversStartDate
accounts[Lighthouse].delegateApproversEndDate
The Delegate Approvers view has been deprecated, but still works for editing Delegate objects whose workItemType is approval.

The existing User View accounts[Lighthouse].delegate* attributes are deprecated and no longer available via the User View. Use the new accounts[Lighthouse].delegates view.

Chapter 6, XPRESS Language

This chapter has been substantially updated. See the.pdf titled XPRESS in the same directory as these Release Notes.

Chapter 8, HTML Display Components

The following discussion about an alternative to the MultiSelect component has been added to this chapter:

It can be unwieldy to display many admin roles using the MultiSelect component (either the applet or HTML version). Identity Manager provides a more scalable way of displaying and managing admin roles: the objectSelector field template. (ID-15433)

The Scalable Selection Library (in sample/formlib.xml) includes an example of using an objectSelector field template to search for admin role names that a user can select.

Code Example   Example of objectSelector Field Template

<Field name='scalableWaveset.adminRoles'>   <FieldRef name='objectSelector'>      <Property name='selectorTitle' value='_FM_ADMIN_ROLES'/>      <Property name='selectorFieldName' value='waveset.adminRoles'/>      <Property name='selectorObjectType' value='AdminRole'/>      <Property name='selectorMultiValued' value='true'/>      <Property name='selectorAllowManualEntry' value='true'/>      <Property name='selectorFixedConditions'>        <appendAll>          <new class='com.waveset.object.AttributeCondition'>            <s>hidden</s>            <s>notEquals</s>            <s>true</s>          </new>          <map>            <s>onlyAssignedToCurrentSubject</s>            <Boolean>true</Boolean>          </map>        </appendAll>      </Property>      <Property name='selectorFixedInclusions'>        <appendAll>          <ref>waveset.original.adminRoles</ref>        </appendAll>      </Property>   </FieldRef> </Field>

How to Use the objectSelector Example Code

From the Identity Manager IDE, open the Administrator Library UserForm object.
Add the following code to this form:

<Include>

   <ObjectRef type='UserForm' name='Scalable Selection Library'/>

</Include>

Select the accounts[Lighthouse].adminRoles field within the AdministratorFields field.
Replace the entire accounts[Lighthouse].adminRoles with the following reference:

<FieldRef name='scalableWaveset.adminRoles'/>

Save the object.

When you subsequently edit a user and select the Security tab, Identity Manager displays the customized form. Clicking ... opens the Selector component and exposes a search field. Use this field to search for admin roles that begin with a text string and set the value of the field to one or more values.

To restore the form, import $WSHOME/sample/formlib.xml from Configure > Import Exchange File.

See the Scalable Selection Library in sample/formlib.xml for other examples of using the objectSelector template to manage resources and roles in environments with many objects.

The discussion of the TabPanel component now contains the following description of the validatePerTab property: (ID-15501)

validatePerTab -- When set to true, Identity Manager performs validation expressions as soon as the user switches to a different tab.

The discussion of the MultiSelect component now contains the following description of the displayCase property: (ID-14854)

displayCase – Maps each of the allowedValues to their uppercase or lowercase equivalents. Takes one of these two values: upper and lower.

The following discussion of the Menu component has been added to this chapter: (ID-13043)

Consists of three classes: Menu, MenuBar, and MenuItem.

Menu refers to the entire component.
MenuItem is a leaf, or node, that corresponds to a tab on the first or second level.
MenuBar corresponds to a tab that contains MenuBars, or MenuItems.

Menu contains the following properties:

layout - A String with value horizontal or vertical. A value of horizontal generates a horizontal navigation bar with tabs. A value of vertical causes the menu to be rendered as a vertical tree menu with typical node layout.
stylePrefix - String prefix for the CSS class name. For the Identity Manager End User pages, this value is User.

MenuBar contains the following properties:

default - A String URL path that corresponds to one of the MenuBar's MenuItem URL properties. This controls which subtab is displayed as selected by default when the MenuBar tab is clicked.

MenuItem contains the following properties:

containedUrls - A List of URL path(s) to JSPs that are "related" to the MenuItem. The current MenuItem will be rendered as "selected" if any of the containedUrls JSPs are rendered. An example is the request launch results page that is displayed after a workflow is launched from the request launch page.

You can set these properties on either a MenuBar or MenuItem:

title - Specifies the text String displayed in the tab or tree leaf as a hyperlink
URL - Specifies the String URL path for the title hyperlink

The following XPRESS example creates a menu with two tabs. The second tab contain two subtabs:

Code Example   Implementation of Menu, MenuItem, and MenuBar Components

<Display class='Menu'/> <Field>    <Display class='MenuItem'>      <Property name='URL' value='user/main.jsp'/>      <Property name='title' value='Home' />    </Display> </Field> <Field>    <Display class='MenuBar' >      <Property name='title' value='Work Items' />      <Property name='URL' value='user/workItemListExt.jsp' />    </Display>     <Field>        <Display class='MenuItem'>          <Property name='URL' value='user/workItemListExt.jsp'/>          <Property name='title' value='Approvals' />        </Display>     </Field>     <Field>       <Display class='MenuItem'>          <Property name='URL' value='user/otherWorkItems/listOtherWorkItems.jsp'/>          <Property name='title' value='Other' />       </Display>     </Field> </Field>

Appendix A, Form and Process Mappings

An updated version of this appendix, titled Form and Process Mappings, is included in the same directory as these Release Notes.
You can access compliance-specific tasks through the mapped names. (ID-15447)

Process Name	Mapped Name	Description
Access Review	accessReview	Performs an access review
Access Scan	accessReviewScan	Performs an access scan
Access Review Rescan	accessReviewRescan	Performs an access rescan
Audit Policy Rescan	auditPolicyRescan	Performs an audit policy rescan
Abort Access Review	abortAccessReview	Terminates an access review
Delete Access Review	deleteAccessReview	Deletes an access review
Recover Access Review	recoverAccessReview	Recovers missing access review status objects from audit logs

---

Identity Manager Deployment Tools

This section contains new information and documentation corrections for the Sun Java™ System Identity Manager Deployment Tools:

What’s New?

Substantial information was added to the following chapters in the Identity Manager Deployment Tools book:

Chapter 1, “Using the Identity Manager IDE,” was updated to provide information about the following new features and functionality:
The process for creating and working with Identity Manager IDE projects was updated to provide two project types (ID-14587):
Identity Manager Project is a fully featured, primary development environment for developers.
Identity Manager Project (Remote) is used to make small modifications and perform debugging on an external server.
Identity Manager IDE projects are now integrated with a Configuration Build Environment (CBE) (ID-14980)
There is now an IdM menu on the NetBean's top level menu bar from which you can can select actions that are appropriate for selected object nodes. (ID-14787)
Library objects were added to the list of object types displayed in the Explorer window, and these objects have Property Sheets, Palette features, and navigation nodes. (ID-14817)
When you select Design view for a Rule object, an Expression Builder now displays in the Editor window to make it easier for you to see the logical structure of a rule and to modify the rule’s properties. (ID-15104)
You can now compare (diff) objects in a local directory with those in the repository. (ID-15206)
The process for testing forms and rules was modified. The Form Previewer option was renamed to Form Tester. (ID-15325)
Features and functionality were added to the Identity Manager IDE Expression Builder dialogs, including:
You can now edit simple data types (integers and strings) directly in the Expression Builder table. (ID-15528)
You can now create a specific expression rather than first creating a BLOCK and then changing it to the expression you want. (ID-15932)
A new Change To button and dialog were created that enable you to change an element’s expression type. (ID-15933)
You can now edit property values that support an expression and a primitive value (such as a string) directly in a property table. (ID-15528)
When defining instance or static XPRESS invoke statements in the Expression Builder, you can view the related JavaDoc information for the Identity Manager API methods. You access this JavaDoc by running your cursor over the methods listed in the Method Name menus. A pop-up window displays with the information.
The Identity Manager IDE plugin now requires JDK 1.5 and Netbeans 5.5. (ID-14950)
You can now delete objects from the Identity Manager IDE repository. (ID-15031)
You can now upload an object in the IDE to an Identity Manager 7.0 server and manually assign an ID to the object. (ID-15474)
You can now right-click nodes in the Project tree and open objects to which certain references refer (such as ObjectRefs, FormRefs, FieldRefs and Workflow Subprocesses). (ID-15406)
Other, minor user interface and process changes.
The “Auditor Rules” section in Chapter 2, “Working with Rules,” was updated to provide more detailed information about Identity Auditor rules. (ID-15367, 15496, 15609, 15934, 16166, 16263, and 16292)
Chapter 7, “Using SPML 1.0 with Identity Manager Web Services,” was updated to include information about the SPE SPML interface. (ID-14458)
The “Using Trace in SPML” section in Chapter 7, “Using SPML 1.0 with Identity Manager Web Services,” was updated to provide additional information about how to enable trace output so you can log Identity Manager’s SPML traffic and diagnose problems. (ID-15346)
The “Using Trace in SPML” section in Chapter 8, “Using SPML 2.0 with Identity Manager Web Services,” was updated to provide additional information about how to enable trace output so you can log Identity Manager’s SPML traffic and diagnose problems. (ID-15346)

Updates

This section provides corrections and additions to the Identity Manager Deployment Tools documentation:

The “Palette Window” and “Properties Window” sections in Chapter 1, “Using the Identity Manager IDE,” should include GenericObjects in the list of elements provided in the first paragraph of both sections, as follows: (ID-14817)
The Palette window (such as Figure 1-11) enables you to “drag-and-drop” elements into Email Template, Form, GenericObjects, Library, Workflow Process, or Workflow Subprocess objects displayed in the Editor windows — without having to type XML.
The Identity Manager IDE Properties window consists of a properties sheet for XML elements associated with Email Template, Form, GenericObjects, Library, Rule, Workflow Process, and Workflow Subprocess objects. You can use this properties sheet to view and edit a selected object’s properties; including the object name, file sizes, modification times, result information, and so forth.

---

Identity Manager Tuning, Troubleshooting, and Error Messages

This section provides new information and documentation corrections for Sun Java™ System Identity Manager Tuning, Troubleshooting, and Error Messages.

Information about the size of repository objects (in characters) is now available. You can use this information to detect problematically large objects that might affect your system. (ID-9896, ID-15239)

You can access this information through the debug/Show_Sizes.jsp web page or from the console command line by typing:

showSizes [<type> [<limit>]]

Note	For upgrades, existing objects will report a size of 0 until they have been updated or otherwise refreshed.

Some tasks have been moved from the adapter to the task package. Update these paths if you have tracing enabled for any of the following tasks, or if you have customized task definitions referencing these packages.

Old Package Name	New Package Name
com.waveset.adapter.ADSyncFailoverTask	com.waveset.task.ADSyncFailoverTask
com.waveset.adapter.ADSyncRecoveryCollectorTask	com.waveset.task.ADSyncRecoveryCollectorTask
com.waveset.adapter.SARunner	com.waveset.task.SARunner
com.waveset.adapter.SourceAdapterTask	com.waveset.task.SourceAdapterTask

---

Identity Manager Service Provider Edition Deployment

This section provides new information and documentation corrections for Sun Java™ System Identity Manager SPE Deployment.

Chapter 5, Other Objects in Identity Manager SPE

Identity Manager Identity Manager SPE now supports link correlation and link confirmation rules.

Link Correlation Rule

The linkTargets IDMXUser view option allows the caller to specify the list of resources that should be targeted for linking. When using forms, the list can be provided as a form property with the same name. Form properties are assimilated into view options when the IDMXUser view is checked in.

A link correlation rule selects resource accounts that the user might own. Given the view of the user, a link correlation rule returns an identity, a list of identities, or an option map.

If the rule returns an option map, then the view handler uses the map to look for resource accounts and obtains a list of identities that satisfy these options. For example, the searchFilter option of the getResourceObjects FormUtil method can be used to pass a search filter to an LDAP resource adapter.

A link correlation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CORRELATION_RULE.

Link Confirmation Rule

A link confirmation rule eliminates any resource accounts from the list of potential accounts that the link correlation rule selects. Given the view of the user and the list of candidate resource accounts, a link confirmation rule selects at most one resource account from the candidate list. The view of the user is visible under the 'view' path, while the list of candidates is available under the 'candidates' path.

If the link correlation rule selects no more than one resource account, the link confirmation rule is optional.

Note	Unlike Identity Manager confirmation rules, a link confirmation rule is invoked only once during the linking process.

A link confirmation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CONFIRMATION_RULE.

LighthouseContext API

Several convenience methods have been added to the SessionFactory class. The table on page 16 should be updated as follows.

Connection Type	Method	Description
Local anonymous	getServerInternalContext()	Returns a fully authorized context without any authentication.
Local authenticated	getSPESession(String user, EncryptedData password)	Constructs a session for the Service Provider user interface.
Local authenticated	getSPESession(Map credentials)	Constructs a session for the Service Provider user interface. The map specifies the credentials of the user, including the values of the user and password keys.
Local pre-authenticated	getSPEPreAuthenticatedSession(String user)	Constructs a pre-authenticated session for the Service Provider user interface.
Remote anonymous	Not applicable	This connection type is only available through SPML.
Remote authenticated	getSession(URL url, String user, EncryptedData pass)	Returns an authenticated session.

---

Localization Scope

Historically, Identity Manager does not localize resource objects and functions, primarily because they are mostly samples that get loaded (through init.xml) during initialization of Identity Manager, and because the attributes of object types can vary between actual customer deployments, depending on the level of customizations. Following is a list of areas where users might encounter English: (ID-16349)

Default user forms and process mapping
Example: Edit User > Security > User Form pull-down menus
Example: Configure > Form and Process Mappings
Configuration object attribute names

Example: Configure > User Interface, concatenated names such as displayPasswordExpirationWarning

Default tasks
Task templates

Example: Server Tasks > Configure Tasks > available task template names in table

Task type labels

Example: Server Tasks > Run Tasks > second column items from Available Tasks table

Task definitions

Example: Server Tasks > Find Tasks > second pull-down menu to select Task Definition

Default report names

Example: Report names found under Reports > Run Reports > Report Table

Default policy names

Example: Compliance > Manage Policies > audit policy names and descriptions

Default capability names

Example: Edit User > Security > Available Capabilities

Default report & graph names
Process/workflow diagram applets

---

Using helpTool

With the Identity Manager 6.0 release, a new feature has been added that allows you to search the online help and documentation files, which are in HTML format. The search engine is based on the SunLabs “Nova” search engine technology.

There are two stages to using the Nova engine: indexing and retrieval. During the indexing stage, the input documents are analyzed and an index is created which is used during the retrieval stage. During retrieval, it is possible to pull “passages” that consist of the context in which the query terms were found. The passage retrieval process requires the original HTML files to be present, so these files must exist in a location in the file system accessible by the search engine.

helpTool is a Java program that performs two basic functions:

Copies the HTML source files into a location known to the search engine
Creates the index used during the retrieval stage

You execute helpTool from the command line, as follows:

$ java -jar helpTool.jar

usage: HelpTool

-d Destination directory

-h This help information

-i Directory or JAR containing input files, no wildcards

-n Directory for Nova index

-o Output file name

-p Indexing properties file

Rebuilding/Re-Creating the Online Help Index

The HTML files for online help are packaged in a JAR file. You must extract these files to a directory for the search engine. Use the following procedure:

Unpack the helpTool distribution to a temporary directory. (Details TBD)

In this example, we will extract the files to /tmp/helpTool.

In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.

For example, a directory for Sun Java System Application Server might look like the following:

/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm

Change your current working directory to the help/ directory.

Note	It is important to run helpTool from this directory or the index will not build correctly. In addition, you should remove the old index files by deleting the contents of the index/help/ subdirectory.

Gather the following information for your command line arguments:
Destination directory — html/help/en_US

Note	Use the locale string appropriate for your installation.

Input file — ../WEB-INF/lib/idm.jar
Nova index directory — index/help
Output file name — index_files_help.txt

Note	The name of the file is not important — but the tool will exit if this file already exists.

Indexing properties file — index/index.properties
Run the following command:

$ java -jar /tmp/helpTool/helpTool.jar -d html/help/en_US -i ../
WEB-INF/lib/idm.jar -n index/help -o help_files_help.txt -p index/index.properties

Extracted 475 files.

[15/Dec/2005:13:11:38] PM Init index/help AWord 1085803878
[15/Dec/2005:13:11:38] PM Making meta file: index/help/MF: 0
[15/Dec/2005:13:11:38] PM Created active file: index/help/AL
[15/Dec/2005:13:11:40] MP Partition: 1, 475 documents, 5496 terms.
[15/Dec/2005:13:11:40] MP Finished dumping: 1 index/help 0.266
[15/Dec/2005:13:11:40] IS 475 documents, 6.56 MB, 2.11 s, 11166.66 MB/h
[15/Dec/2005:13:11:40] PM Waiting for housekeeper to finish
[15/Dec/2005:13:11:41] PM Shutdown index/help AWord 1085803878

Rebuilding/Re-Creating the Documentation Index

Use the following procedure to rebuild or re-create the documentation index:

Unpack the helpTool distribution to a temporary directory. (Details TBD)

In this example, we will extract the files to /tmp/helpTool.

In a UNIX shell or Windows command window, change directory to the location where the Identity Manager application was deployed to your web container.

For example, a directory for Sun Java System Application Server might look like:

/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/idm

Change your current working directory to the help/ directory.

Note	You must run helpTool from this directory or the index will not build correctly. In addition you should remove the old index files by deleting the contents of the index/docs/ subdirectory.

Gather the following information for your command line arguments:
Destination directory — html/docs
Input files — ../doc/HTML/en_US

Note	The tool will copy the en_US/ directory and subdirectories to the destination.

Nova index directory — index/docs
Output file name — index_files_docs.txt

Note	The name of the file is not important – but the tool will exit if this file already exists.

Indexing properties file — index/index.properties
Run the following command:

$ java -jar /tmp/helpTool/helpTool.jar -d html/docs -i ../doc/HTML/en_US -n index/docs -o help_files_docs.txt -p index/index.properties Copied 84 files. Copied 105 files. Copied 1 files. Copied 15 files. Copied 1 files. Copied 58 files. Copied 134 files. Copied 156 files. Copied 116 files. Copied 136 files. Copied 21 files. Copied 37 files. Copied 1 files. Copied 13 files. Copied 2 files. Copied 19 files. Copied 20 files. Copied 52 files. Copied 3 files. Copied 14 files. Copied 3 files. Copied 3 files. Copied 608 files. [15/Dec/2005:13:24:25] PM Init index/docs AWord 1252155067 [15/Dec/2005:13:24:25] PM Making meta file: index/docs/MF: 0 [15/Dec/2005:13:24:25] PM Created active file: index/docs/AL [15/Dec/2005:13:24:28] MP Partition: 1, 192 documents, 38488 terms. [15/Dec/2005:13:24:29] MP Finished dumping: 1 index/docs 0.617 [15/Dec/2005:13:24:29] IS 192 documents, 14.70 MB, 3.81 s, 13900.78 MB/h [15/Dec/2005:13:24:29] PM Waiting for housekeeper to finish [15/Dec/2005:13:24:30] PM Shutdown index/docs AWord 1252155067