Sun Identity Manager 8.1 Business Administrator's Guide

Understanding Directory Junctions and Virtual Organizations

A directory junction is a hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. A directory resource is one that employs a hierarchical namespace through the use of hierarchical containers. Examples of directory resources include LDAP servers and Windows Active Directory resources.

Each organization in a directory junction is a virtual organization. The topmost virtual organization in a directory junction is a mirror of the container representing the base context defined in the resource. The remaining virtual organizations in a directory junction are direct or indirect children of the top virtual organization, and also mirror one of the directory resource containers that are children of the defined resource’s base context container. This structure is illustrated in Figure 6–2.

Figure 6–2 Identity Manager Virtual Organization

[Figure 6–2 image not reproduced in this text version.]

Directory junctions can be spliced into the existing Identity Manager organizational structure at any point. However, directory junctions cannot be spliced within or below an existing directory junction.

Once you have added a directory junction to the Identity Manager organizational tree, you can create or delete virtual organizations in the context of that directory junction. In addition, you can refresh the set of virtual organizations comprising a directory junction at any time to ensure they stay synchronized with the directory resource containers. You cannot create a non-virtual organization within a directory junction.

You can make Identity Manager objects (such as users, resources, and roles) members of, and available to, a virtual organization in the same way as an Identity Manager organization.

Setting Up Directory Junctions

This section describes how to set up a directory junction.

Procedure: To Set Up a Directory Junction

  1. In the Administrator interface, select Accounts in the menu bar.

    The User List page opens.

  2. Select an Identity Manager organization in the Accounts list.

    The organization you select will be the parent organization of the virtual organization you set up.

  3. In the New Actions menu, select New Directory Junction.

    Identity Manager opens the Create Directory Junction page.

  4. Use the options on the Create Directory Junction page to set up the virtual organization.

    These options include:

    • Parent organization. This field contains the organization you selected from the Accounts list; you can, however, select a different parent organization from the list.

    • Directory resource. Select the directory resource that manages the existing directory whose structure you want to mirror in the virtual organization.

    • User form. Select a user form that will apply to administrators in this organization.

    • Identity Manager account policy. Select a policy, or select the default option (inherited) to inherit the policy from the parent organization.

    • Approvers. Select administrators who can approve requests related to this organization.

Refreshing Virtual Organizations

This process refreshes and re-synchronizes the virtual organization with the associated directory resource, from the selected organization down. Select the virtual organization in the list, and then select Refresh Organization from the Organization Actions list.
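The following Python model is an added illustration of the structure described in "Understanding Directory Junctions and Virtual Organizations" and of the refresh behaviour described above; it is not Identity Manager code and does not use any Identity Manager API. It assumes a directory resource that returns its containers as a flat list of LDAP DNs (the sample DNs are constructed), builds the virtual organizations from the base context down, rejects splicing a junction inside an existing junction and creating a non-virtual organization inside one, and shows a refresh re-synchronizing the virtual organizations after containers are added and removed in the directory.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: container DNs as a directory resource (an LDAP
# server here) might list them. The base context is the container that the
# topmost virtual organization mirrors.
BASE_CONTEXT = "ou=People,dc=example,dc=com"
CONTAINERS_V1 = [
    "ou=People,dc=example,dc=com",
    "ou=Engineering,ou=People,dc=example,dc=com",
    "ou=Platform,ou=Engineering,ou=People,dc=example,dc=com",
    "ou=Sales,ou=People,dc=example,dc=com",
    "ou=Unrelated,dc=example,dc=com",   # outside the base context: not mirrored
]
# Later directory state: Sales was removed and Support was added.
CONTAINERS_V2 = [
    "ou=People,dc=example,dc=com",
    "ou=Engineering,ou=People,dc=example,dc=com",
    "ou=Platform,ou=Engineering,ou=People,dc=example,dc=com",
    "ou=Support,ou=People,dc=example,dc=com",
]


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs (simple DNs only; escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Drop the leftmost RDN, giving the DN of the parent container."""
    return dn.split(",", 1)[1]


@dataclass
class Organization:
    name: str                              # display name, or DN for a virtual org
    virtual: bool                          # True only inside a directory junction
    junction_root: bool = False            # topmost virtual org of a junction
    base_context: Optional[str] = None     # set on the junction root only
    parent: Optional["Organization"] = None
    children: Dict[str, "Organization"] = field(default_factory=dict)


def add_organization(parent: Organization, name: str) -> Organization:
    """Create an ordinary organization; refused anywhere inside a junction."""
    if parent.virtual:
        raise ValueError("cannot create a non-virtual organization within a directory junction")
    org = Organization(name=name, virtual=False, parent=parent)
    parent.children[name] = org
    return org


def splice_junction(parent: Organization, base_context: str, containers: List[str]) -> Organization:
    """Attach a directory junction under `parent`, mirroring containers from the base context down."""
    if parent.virtual:
        raise ValueError("cannot splice a directory junction within or below an existing one")
    base = normalize_dn(base_context)
    root = Organization(name=base, virtual=True, junction_root=True, base_context=base, parent=parent)
    parent.children[base] = root
    refresh_junction(root, containers)
    return root


def refresh_junction(root: Organization, containers: List[str]) -> None:
    """Re-synchronize the junction: rebuild every virtual org below the root from the directory."""
    if not root.junction_root:
        raise ValueError("refresh must start at a junction root")
    base = root.base_context
    root.children.clear()
    by_dn = {base: root}
    # Only containers strictly below the base context; parents before children.
    wanted = sorted(
        {normalize_dn(c) for c in containers if normalize_dn(c).endswith("," + base)},
        key=lambda d: d.count(","),
    )
    for dn in wanted:
        container_parent = by_dn.get(parent_dn(dn))
        if container_parent is None:
            continue  # listing omitted an intermediate container; skip the orphan
        org = Organization(name=dn, virtual=True, parent=container_parent)
        container_parent.children[dn] = org
        by_dn[dn] = org


def virtual_org_dns(root: Organization) -> List[str]:
    """All virtual organization DNs in a junction, depth-first."""
    out = [root.name]
    for child in root.children.values():
        out.extend(virtual_org_dns(child))
    return out


def is_splice_allowed(parent: Organization) -> bool:
    """True when a new junction may be spliced under `parent` (i.e. it is not already inside one)."""
    return not parent.virtual


if __name__ == "__main__":
    top = Organization(name="Top", virtual=False)
    hr = add_organization(top, "Human Resources")
    junction = splice_junction(hr, BASE_CONTEXT, CONTAINERS_V1)
    print("after splice :", virtual_org_dns(junction))
    refresh_junction(junction, CONTAINERS_V2)
    print("after refresh:", virtual_org_dns(junction))
```

Running the script prints the mirrored DNs after the initial splice (People, Engineering, Platform, Sales) and again after the refresh (Sales gone, Support present); the container outside the base context never appears, and `is_splice_allowed` returns False for any virtual organization.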

Deleting Virtual Organizations

When deleting virtual organizations, you can select from two delete options:

Select an option, and then click Delete.