Sun Java[TM] System Identity Manager 7.1 Administration
Chapter 4 Configuration
This chapter provides information and procedures for using the Administrator Interface to set up Identity Manager objects and server processes. For more information about Identity Manager objects, see Identity Manager Objects of the Overview chapter.
Note
For information about configuring Identity Manager for a Service Provider implementation, see Chapter 13, "Service Provider Administration."
This chapter is organized in the following topics:
Understanding and Managing Roles
Read this section for information about setting up roles in Identity Manager.
What are Roles?
Identity Manager roles define the collection of resources on which accounts are managed. Roles allow you to profile a class of users, grouping Identity Manager users with similar characteristics.
You can assign each user to one or more roles, or to none. All users assigned to a role share access to the same base group of resources.
All resources associated with a role are indirectly assigned to the user. Indirect assignment differs from direct assignment, in which resources are specifically selected for the user.
When you create or edit a role, Identity Manager launches the ManageRole workflow. This workflow saves the new or updated role in the repository, and allows you to insert approvals or other actions before the role is created or saved.
You assign roles to users through the Administrator Interface Create and Edit User pages.
Creating Roles
You can create a role in one of the following ways:
- From the Identity Manager menu bar, select Roles.
- From the Roles page, click New.
The Create Role page allows you to:
- Assign resources and resource groups to the role.
- Select role approvers and make notification selections.
Tip
To learn more about the approval process, refer to Account Approvals.
- Exclude roles. This means that if this role is assigned to a user, the excluded role or roles may not also be assigned.
- Select the organizations to which this role will be available for assignment.
- Edit attribute values for resources assigned to the role.
Editing Assigned Resource Attribute Values
In the Assigned Resources area on the Create Role page, click Set Attribute Values to display a list of attributes for each resource assigned to the role. From this Edit attributes page, you can specify new values for each attribute and determine how attribute values are set. Identity Manager enables you to directly set values or use a rule to set values; it also provides a range of options for overriding or merging with existing values.
Make selections to establish values for each resource account attribute:
- Value override — Select one of the following options:
- How to set — Select one of the following options:
- Default value — Makes the rule or text the default attribute value. The user can change or override this value.
- Set to value — Sets the attribute value as specified by the rule or text. The value will be set and overrides any user changes.
- Merge with value — Merges the current attribute value with the values specified by the rule or text.
- Merge with value, clear existing — Removes the current attribute values; sets the value to a merger of values specified by this and other assigned roles.
- Remove from value — Removes the value specified by the rule or text from the attribute value.
- Authoritative set to value — Sets the attribute value as specified by the rule or text. The value will be set and overrides any user changes. If you remove the role, the new value is null, even if it previously existed on the attribute.
- Authoritative merge with value — Merges the current attribute value with the values specified by the rule or text. If you remove the role, the new attribute value is null, even if it previously existed on the attribute.
- Rule Name — If you select Rule in the Value override area, select a rule from the list.
- Text — If you select Text in the Value override area, enter text to be added to, deleted from, or used as the attribute value.
Click OK to save your changes and return to the Create or Edit Role page.
Managing Roles
You can perform a range of actions on roles from the list of roles on the Roles page.
If you select more than one search type, the search must meet all specified criteria to successfully return results. Search is not case-sensitive.
Renaming Roles
To rename a role, follow these steps:
Synchronizing Identity Manager Roles and Resource Roles
You can synchronize Identity Manager roles with roles created natively on a resource. When synchronized, the resource is assigned, by default, to the role. This applies to roles that are created with the task, as well as existing Identity Manager roles that match one of the resource role names.
From the menu bar, select Tasks, and then select the Run Tasks tab to access the Synchronize Identity System Roles with Resource Roles task page. To launch the task, specify a name for the synchronization task, the resource, resource role attribute to use, and the organizations to which the role will apply, and then click Launch.
Configuring Identity Manager Resources
Read this section for information and procedures to help you set up Identity Manager resources.
What are Resources?
Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Identity Manager resources define the relevant attributes about a resource and help specify how resource information is displayed in Identity Manager.
Identity Manager provides resources for a wide range of resource types, including:
The Resources Area in the Interface
Identity Manager displays information about existing resources on the Resources page.
To access resources, select Resources on the menu bar.
Resources are grouped by type, represented in the list by named folders. To expand the hierarchical view and see currently defined resources, click the indicator next to the folder. Collapse the view by clicking the indicator again.
When you expand a resource type folder, it dynamically updates and displays the number of resource objects it contains (if it is a resource type that supports groups).
Some resources have additional objects you can manage, including the following:
Select an object from the resources list, and then make selections from one of these options lists to initiate a management task:
- Resource Actions — Perform a range of actions on resources, including edit, active synchronization, rename, and delete; as well as work with resource objects and manage resource connection.
- Resource Object Actions — Edit, create, delete, rename, save as, and find resource objects.
- Resource Type Actions — Edit resource policies, work with the account index, and configure managed resources.
When you create or edit a resource, Identity Manager launches the ManageResource workflow. This workflow saves the new or updated resource in the repository, and allows you to insert approvals or other actions before the resource is created or saved.
Managing the Resources List
The list from which you can select resources to create is managed from the Resources tab of the Administrator interface. Select Configure Managed Resources from the Resource Type Actions options list to choose the resources that will populate the resources list.
On the Managed Resources page, Identity Manager divides resources into two categories:
- Identity Manager resources — Resources included in this table are those most commonly managed by Identity Manager. The table shows the resource type and version. Choose one or more resources by selecting the option in the Managed? column, and then click Save to add them to the resources list.
- Custom resources — Use this page area to add custom resources to the Resources list.
To add a custom resource:
Table 4-1 lists custom resource classes.
Creating Resources
You create resources by using the Resource Wizard. The Resource Wizard guides you through the process of creating an Identity Manager resource adapter to manage objects on a resource.
Using the Resource Wizard, you will set up:
- Resource-specific parameters — You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.
- Account attributes — Defined in the schema map for the resource. These determine how Identity Manager user attributes map to attributes on the resource.
- Account DN or identity template — Includes account name syntax for users, which is especially important for hierarchical namespaces.
- Identity Manager parameters for the resource — Sets up policies, establishes resource approvers, and sets up organization access to the resource.
To create a resource:
- Select New Resource from the Resource Type Actions list of options.
Identity Manager displays the New Resource page.
- Select the resource type, and then click New to display the Resource Wizard Welcome page.
- Click Next to begin defining the resource. Resource Wizard steps and pages display in the following order:
- Resource Parameters — Set up resource-specific parameters that control authentication and resource adapter behavior. Enter parameters, and then click Test Connection to ensure the connection is valid. On confirmation, click Next to set up account attributes. Figure 4-1 shows the Resource Parameters page.
Figure 4-1 Resource Wizard: Resource Parameters
- Account Attributes (schema map) — Maps Identity Manager account attributes to resource account attributes.
To add an attribute, click Add Attribute. Select one or more attributes, and then click Delete Selected Attributes to delete attributes from the schema map. When finished, click Next to set up the identity template.
Figure 4-2 shows the Account Attributes page in the Resource Wizard.
Figure 4-2 Resource Wizard: Account Attributes (Schema Map)
- Identity System Parameters — Sets Identity Manager parameters for the resource, including retry and policy configuration, as shown in Figure 4-4.
Figure 4-4 Resource Wizard: Identity System Parameters
Use Next and Back to move among the pages. When you complete all selections, click Save to save the resource and return to the list page.
Managing Resources
You can perform a range of edit actions on a resource from the resources list. In addition to editing capabilities on each of the Resource Wizard pages, you can:
- Delete resources — Select one or more resources, and then select Delete from the Resource Actions list. You can select resources of several types at the same time. You cannot delete a resource if any roles or resource groups are associated with it.
- Search for resource objects — Select a resource, and then select Find Resource Object from the Resource Object Actions list to find a resource object (such as an organization, organizational unit, group, or person) by object characteristics.
- Manage resource objects — For some resource types, you can create new objects. Select the resource, and then select Create Resource Object from the Resource Object Actions list.
- Rename resources — Select a resource, and then select Rename from the Resource Actions list. Enter a new name in the entry box that appears, and then click Rename.
- Clone resources — Select a resource, and then select Save As from the Resource Actions list. Enter a new name in the entry box that appears. The cloned resource appears in the resource list with the name you select.
- Perform bulk operations on resources — Specify a list of resources and actions to apply (from CSV-formatted input) to all resources in the list. Then launch bulk operations to initiate the bulk-operation background task.
Working with Account Attributes
Identity Manager resources use schema maps to define names and types for attributes coming from the external resource (resource account attributes); they then map those attributes to the standard Identity Manager account attributes. By setting up a schema map (on the Account Attributes page of the Resource Wizard), you can:
To access these values, select the resource from the resources list, and then select Edit Resource Schema from the Resource Actions list.
The left column of the schema map (titled Identity system User Attribute) contains the names of Identity Manager account attributes that are referenced by the forms used in the Identity Manager Administrator and User interfaces. The right column of the schema map (titled Resource User Attribute) contains the names of attributes from the external source.
By defining Identity system attribute names, attributes from different resources can be defined with common names. For example, on an Active Directory resource, the lastname attribute in Identity Manager is mapped to the Active Directory resource attribute sn; on GroupWise, the fullname attribute can be mapped to the GroupWise attribute Surname. As a result, an administrator is required to complete a value for lastname only once; when the user is saved, it is passed to the resources with different names.
Resource Groups
Use the resources area also to manage resource groups, which let you group resources to be updated in a specific order. By including and ordering resources in a group, and assigning the group to a user, you determine the order in which that user’s resources are created, updated, and deleted.
Activities are performed on each resource in turn. If an action fails on a resource, the remaining resources are not updated. This type of relationship is important for related resources.
For example, an Exchange 5.5 resource relies on an existing Windows NT or Windows Active Directory account: one of these must exist before the Exchange account can be successfully created. By creating a resource group with (in order) a Windows NT resource and an Exchange 5.5 resource, you ensure the correct sequence when creating users. Conversely, this order ensures that resources are deleted in the correct sequence when you delete users.
Select Resources, and then select List Resource Groups to display a list of currently defined resource groups. From that page, click New to define a resource group. When defining a resource group, a selection area lets you choose and then order chosen resources, as well as select the organizations to which the resource group will be available.
Global Resource Policy
You can edit properties in the Global Resource Policy for a resource. From the Edit Global Resource Policy Attributes page, you can edit the following policy attributes:
- Default Capture Timeout — Enter a value, in milliseconds, that specifies the maximum time that the adapter should wait from the command line prompt before the adapter times out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are important and will be parsed by the adapter.
- Default Wait for Timeout — Enter a value, in milliseconds, to specify the maximum time that a scripted adapter should wait between polls before checking to see if a command has characters (or results) ready. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are not examined by the adapter.
- Wait for Ignore Case — Enter a value, in milliseconds, to specify the maximum time the adapter should wait for the command line prompt before timing out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the case (uppercase or lowercase) is irrelevant.
- Resource Account Password Policy — If applicable, select a resource account password policy to apply to the selected resource. None is the default selection.
- Excluded Resource Accounts Rule — If applicable, select a rule that governs excluded resource accounts. None is the default selection.
You must click Save to save your changes to the policy.
Setting additional Timeout values
You can modify the maxWaitMilliseconds property by editing the Waveset.properties file. The maxWaitMilliseconds property controls how often an operation’s timeout is checked. If this value is not specified, the system uses a default value of 50.
To set this value, add the following line to the Waveset.properties file:
com.waveset.adapter.ScriptedConnection.ScriptedConnection.maxwaitMilliseconds
Bulk Resource Actions
You can perform bulk operations on resources by using a CSV-formatted file or by creating or specifying the data to apply for the operation.
Figure 4-5 shows the launch page for bulk operations using a create action.
Figure 4-5 Launch Bulk Resource Actions Page
The options available for the bulk resource operation depend on the Action you select for the operation. You can specify a single action to apply to the operation or select From Action List to specify multiple actions.
For a single action selection, you will be presented with options to specify the resource involved with the action. For a Create action, you will specify the resource type.
If you specify From Action List, use the Get action list from area to specify either the file to use that contains the actions or the actions you specify in the Input area.
Click Launch to start the operation, which runs as a background task.
Identity Manager ChangeLogs
Read this section for information about the Identity Manager ChangeLog feature, and for procedures to help you configure and use ChangeLogs.
What are ChangeLogs?
ChangeLogs provide a view of identity attributes information contained by Identity Manager resources. Each ChangeLog is defined to capture changes to a subset of identity attributes.
As attribute data changes on a resource, Active Sync adapters capture the information, and then write changes to a ChangeLog. Custom scripts developed specifically to interact with a resource in the enterprise then read the ChangeLogs and update the resource.
The ChangeLog feature differs from Identity Manager’s standard resource active synchronization and reconciliation features because it enables indirect communication to resources from the provisioning system (via custom scripts).
ChangeLogs and Security
Identity Manager's ChangeLog feature requires write access to a designated directory or directories in the local file system. Some Web containers, by default, do not allow local file system access to the hosted Web modules like Identity Manager.
You grant access by editing a Java policy file. If using /tmp/changelogs as the directory, your policy file should contain:
grant {
    permission java.io.FilePermission "/tmp/changelogs/*", "read,write,delete";
};
You must define a file permission for each ChangeLog directory that you have specified.
The default security policy file for Java can be found at:
$JAVA_HOME/jre/lib/security/java.policy
Editing that file may be sufficient; however, if you are using your own file (not the default file), then the server is running with options such as:
-Djava.security.manager -Djava.security.policy=/path/to/your/java.policy
In this case, edit the file identified by the java.security.policy system property.
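The following policy fragment is an added example (not a file shipped with Identity Manager) showing what the grant looks like once there are several ChangeLogs, each with its own Output Path. The directory paths and the codeBase URL are assumptions for illustration; substitute the Output Path values from your ChangeLog definitions and the location your Web container deploys Identity Manager to.

```text
// Added example policy fragment, not Identity Manager's own file.
// The codeBase clause limits the grant to the Identity Manager web module
// instead of every class the server loads (the deployment path is assumed).
grant codeBase "file:/opt/idm/webapps/idm/-" {
    // One FilePermission per ChangeLog Output Path. A trailing "/*" covers the
    // files directly in that directory, which is all a ChangeLog writes;
    // a trailing "/-" would also cover every subdirectory, which is more
    // than the feature needs.
    permission java.io.FilePermission "/var/idm/changelogs/phonelist/*", "read,write,delete";
    permission java.io.FilePermission "/var/idm/changelogs/orginfo/*",   "read,write,delete";
};
```

After editing, restart the server so the policy is re-read, and confirm the file named by -Djava.security.policy is the one you edited: a grant placed in the default $JAVA_HOME/jre/lib/security/java.policy has no effect when the server was started with its own policy file.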
ChangeLogs Feature Requirements
The ChangeLogs feature requires that you configure identity attributes before configuring a ChangeLog.
Note
Complete the procedures described in the section Configuring Identity Attributes and Events to meet these requirements.
Configuring ChangeLogs
You configure ChangeLogs by creating ChangeLog policies and ChangeLogs. Each ChangeLog must have an associated ChangeLog policy. A ChangeLog defines which subset of changes, detected by Active Sync and pushed through the Identity Attributes, should be written to a log. Its associated ChangeLog policy defines how the ChangeLog files should be written. The ChangeLog files will be consumed by custom scripts.
To configure ChangeLogs and ChangeLog policies, select Meta View, and then select ChangeLogs.
Identity Manager displays the ChangeLog Configuration page, which displays two summary areas.
Figure 4-6 ChangeLog Configuration
ChangeLog Policies Summary
The ChangeLog Policies summary area shows currently defined ChangeLog policies. To edit an existing ChangeLog policy, click its name in the list. To create a ChangeLog policy, click Create Policy.
To remove one or more ChangeLog policies, select them in the list, and then click Remove Policy. (No confirmation is needed for this action.)
ChangeLogs Summary
The ChangeLogs summary area shows currently defined ChangeLogs. To edit an existing ChangeLog, click its name in the list. To create a ChangeLog, click Create ChangeLog.
To remove one or more ChangeLogs, select them in the list, and then click Remove ChangeLog. (No confirmation is needed for this action.)
Saving ChangeLog Configuration Changes
Any changes you make to the ChangeLog Configuration — either to ChangeLog policies or defined ChangeLogs — must be saved from the ChangeLog Configuration page. Click Save to save changes and return to the Meta View.
Creating and Editing ChangeLog Policies
Provide input and make selections on the Edit ChangeLog Policy page to create or edit ChangeLog Policies:
- Policy Name — Enter a unique name for the policy.
- Daily Start Time — Establish the time of day used to calculate the times when rotations should start or change over. ChangeLogs using this policy will start new rotations at this time and at increments calculated from this time. For example, if the start time is set to midnight (00:00) with 3 'Rotations Per Day', the prefixes on log files will change at 00:00, 08:00, and 16:00.
Filenames follow the pattern, cl_User_yyyyMMddHHmmss.n.suffix, where HHmmss is the most recent time for a rotation to start. (n is the Sequence number, and suffix is a suffix provided in the ChangeLog definition.)
Using '00:00' for the start time with 3 as the number of rotations, if you were to activate a ChangeLog at 9:24 a.m. one morning, the resulting rotation name would include the most recent rotation start time (for example, 08:00). In this case, the filenames would start with cl_User_yyyyMMdd080000. At 16:00, a new rotation (a new prefix on filenames) would start.
This value is limited to non-negative integers. A value of 0 means to ignore this field. When this field is non-zero, the Maximum Age of a Rotation setting is ignored.
If you specify the length of rotations in seconds, and if the Rotations Per Day field is 0, then this value is used to determine the period of rotation.
This is limited to non-negative integer values. If you specify a non-zero number of Rotations Per Day, then that value is used (and this one is not). If the value of both of these fields is 0, then only the sequence information is applied. (Even Daily Start Time is unused in this case.)
- Number of Rotations to Keep — Specify how many rotations are allowed to accumulate before Identity Manager deletes them. For example, if you are running with 3 rotations per day and want to keep 2 days of changes in the logs, specify a value of 6.
- Maximum File Size in Bytes — A new log file (with the same rotation prefix, but with a new sequence number) is started if writing a change to the current file will exceed this limit. A value of 0 indicates that this limit is not used. All of the limit fields (size, lines, age) that are non-zero are used; however, this limit is checked before the others.
- Maximum File Size in Lines — If writing a change will cause the current file to have more lines than this limit, then a new sequence file is created and the line is written to the new file. A value of 0 indicates no limit. This limit is checked after the size limit and before the age limit.
- Maximum File Age in Seconds — When a change is received and the existing sequence file is now older than the number of seconds specified here, a new sequence file is created before writing the change. A value of 0 indicates that this limit is not used. The other limits, if non-zero, are applied before this one.
Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog policy or changes to an existing policy.
Creating and Editing ChangeLogs
Provide input and make selections on the Edit ChangeLogs page to create or edit a ChangeLog:
- ChangeLog Name — Enter a unique name for the ChangeLog.
- Active — If you select this option, then the ChangeLog will monitor and write changes as they flow through Active Sync resources and into the Identity Attributes (Active Sync must be an Identity Attributes application for this to work).
- Filter — Enter the name of the ChangeLog filter to use. Noop means use the default filter, which accepts all changes. This should be sufficient for the vast majority of cases. Otherwise, this must name a Java class implementing com.sun.idm.changelog.ChangeLogFilter. The class must be in the classpath of the server, and it must have a public default constructor.
- Log these Operations — Log events of the types selected, which includes Creates, Updates, and Deletes. Events not selected are ignored.
- ChangeLog View — Define the contents (columns) of the ChangeLog by using this table. Each table row specifies a column in the ChangeLog. Click Add Column to add a ChangeLog column. Each column has a name, a type, and an Identity Attribute Name. The order of the rows indicates the order of the columns. Use the Up and Down buttons to order columns after they are defined.
- Use the Policy Named — Select a defined ChangeLog policy from the list to use for logging.
- Output Path — Enter the name of the directory on the file system that will contain the log files. This can be a network-mounted location; but it is preferable to use a directory that is local to the server. It is also advisable to use a unique location per ChangeLog.
- Suffix — Enter a suffix for the ChangeLog files (for example, .csv). The suffix selected may be used to differentiate these files from other ChangeLog files.
Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog or changes to an existing ChangeLog.
Example
The following examples detail how to set up identity attributes and a ChangeLog to capture a specific set of attribute data.
Example: Define Identity Attributes
In this example, two Identity Manager resources (Resource 1 and Resource 2) provide source data to a third resource (Resource 3). Resource 3 is not directly connected to the Identity Manager system. A ChangeLog is needed to pull and maintain a data subset from Resource 1 and 2 to Resource 3.
Resource 1: EmployeeInfo
- employeeNumber*
- givenname
- mi
- surname
- phone
Resource 2: OrgInfo
- employeeNum*
- managerEmpNum
- departmentNumber
Resource 3: PhoneList
- empId*
- fullname
- phone
- department
The Identity Attributes are defined in the following table.
Example: Configure the ChangeLog
After defining the identity attributes, define a ChangeLog called PhoneList ChangeLog. Its purpose is to write a subset of the identity attributes to a ChangeLog file.
ChangeLogView in PhoneList ChangeLog
Column Name | Type | Identity Attribute
empId | Text | employee
fullname | Text | fullname
phone | Text | phoneNumber
When records in Resource 1 or Resource 2 are changed, the full set of data (not just the changes) for a ChangeLog record (all data from the identity attributes) is written to the ChangeLog. A custom script reads the information and uses it to populate Resource 3.
CSV File Format in ChangeLogs
Read this section for information about the format of the comma-separated value (CSV) file written by ChangeLogs.
Think of a ChangeLog file in terms of rows and columns, such as a spreadsheet or database table. Each “row” is a line in the file.
The ChangeLog format is self-describing using the first two rows. Together, these two rows define the “schema”; that is, the logical names and logical types of each “cell” (values between commas on a row) in the table.
The first row names the attributes in the file. The second row describes the types of values of the attributes. Additional rows represent all the data for a change-event.
The ChangeLog file is encoded in Java UTF-8 format.
Columns
The first column in the file has special significance. This defines the operation type; for example, whether the change event was a create, modify, or delete action. It is always named changeType, and is always type T (representing Text). Its value is one of the values: ADD, MOD, or DEL.
Exactly one column should hold a unique identifier (the primary key) for the entry. This generally is the second column in the file.
Other columns simply name the attribute. The name is taken from the Column Name value in the ChangeLog View table.
Rows
After the first two header rows that define the schema of the file, the remaining rows hold the values of the attributes. The values appear in the order of the columns in the first row. The ChangeLog is applied from the Identity Attributes, and therefore contains all data known about the user at the time the change is detected.
In addition, there is no special sentinel value indicating null (or not set). If a value is not present when a change is detected, then the ChangeLog writes an empty string.
Values are encoded according to the type of the column, as specified in the second row of the file. Supported types are:
Text Values
Text values are written as a string, with two exceptions:
- If a value contains a , (comma), then Identity Manager escapes the comma within the value by inserting a \ (backslash) character. For example, if the value for fullname is Doe, John, then Identity Manager writes Doe \,John as the value.
- If a value contains a \ (backslash) character, then Identity Manager escapes it with another \. For example, if a value for homedir contains C:\users\home, then Identity Manager writes C:\\users\\home to the log.
Text values cannot contain a newline character. If the file needs new lines, then use the Binary value type.
Binary Values
Binary values are Base64 encoded.
Multi-Text Values
Multi-Text values are written similarly to Text values, but are comma-separated and bracketed (using [ and ]).
Multi-Binary Values
Multi-Binary values are written like Binary values (Base64 encoded), but also are comma-separated and bracketed (using [ and ]).
Formatting Examples
The following examples illustrate the various output formats. Each example is in the form:
column1, column2, column3, column4
Column 3 of each example shows the example text.
- Text (T) data appear as strings in the file:
ADD,account0,some text data,column4
- Binary (B) data appears base64 encoded.
ADD,account0,FGResWE23WDE==,column4
- Multi-Text (MT) appears as:
ADD,account0,[one,two,three],column4
- Multi-Binary (MB) appears as:
ADD,account0,[FGResWE23WDE==,FGRCAFEBADE3sseGHSD],column4
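The following parser is an added example, not code from Identity Manager, written to the format rules given in this section: two schema rows, changeType as the first column, the \, and \\ escapes in Text cells, Base64 for Binary, and bracketed comma-separated lists for Multi-Text and Multi-Binary. The sample file it reads is constructed for the example (its Base64 strings decode to "hello" and "world"); nothing in it was captured from a real system. Splitting on commas has to respect both escapes and brackets, which is why the code does not use a general-purpose CSV reader.

```python
"""Parser for the ChangeLog CSV format described above.

Added example, not Identity Manager's own code. Constructed sample input.
"""
import base64

# Constructed sample ChangeLog file (not captured from a real system).
SAMPLE_CHANGELOG = "\n".join([
    "changeType,empId,fullname,homedir,groups,photos",
    "T,T,T,T,MT,MB",
    r"ADD,account0,Doe \,John,C:\\users\\home,[one,two,three],[aGVsbG8=,d29ybGQ=]",
    "MOD,account1,Jane Roe,/home/jroe,[admins],[]",
    "DEL,account0,,,,",          # DEL rows carry only the identifier
])

VALID_OPS = ("ADD", "MOD", "DEL")


def split_row(line):
    """Split a row into raw (still escaped) cells on unescaped, top-level commas.
    A backslash protects the next character; commas inside [ ] belong to a
    multi-valued cell and are left for split_multi."""
    cells, current, depth, escaped = [], [], 0, False
    for ch in line:
        if escaped:
            current.append("\\" + ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "," and depth == 0:
            cells.append("".join(current))
            current = []
        else:
            if ch == "[":
                depth += 1
            elif ch == "]":
                depth = max(0, depth - 1)
            current.append(ch)
    if escaped:
        raise ValueError("row ends with a dangling backslash: %r" % line)
    cells.append("".join(current))
    return cells


def unescape_text(raw):
    """Undo the Text escapes: backslash-comma -> comma, double backslash -> backslash."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def split_multi(raw):
    """Return the raw elements of a bracketed multi-valued cell."""
    if raw == "":                      # unset value: the file holds an empty string
        return []
    if not (raw.startswith("[") and raw.endswith("]")):
        raise ValueError("multi-valued cell is not bracketed: %r" % raw)
    inner = raw[1:-1]
    return [] if inner == "" else split_row(inner)


def decode_cell(raw, col_type):
    """Decode one cell according to the type named in the second schema row."""
    if col_type == "T":
        return unescape_text(raw)
    if col_type == "B":
        return base64.b64decode(raw, validate=True)
    if col_type == "MT":
        return [unescape_text(e) for e in split_multi(raw)]
    if col_type == "MB":
        return [base64.b64decode(e, validate=True) for e in split_multi(raw)]
    raise ValueError("unknown column type %r" % col_type)


def parse_changelog(text):
    """Parse a whole ChangeLog file; returns (column names, column types, records).
    Each record is a dict keyed by column name; changeType is always present."""
    lines = [ln for ln in text.split("\n") if ln != ""]
    if len(lines) < 2:
        raise ValueError("ChangeLog needs the two schema rows")
    names, types = split_row(lines[0]), split_row(lines[1])
    if len(names) != len(types):
        raise ValueError("schema rows disagree on the number of columns")
    if names[0] != "changeType" or types[0] != "T":
        raise ValueError("first column must be changeType of type T")
    records = []
    for lineno, line in enumerate(lines[2:], start=3):
        raw = split_row(line)
        if len(raw) > len(names):
            raise ValueError("line %d has %d cells, schema has %d" % (lineno, len(raw), len(names)))
        raw += [""] * (len(names) - len(raw))     # tolerate short rows (e.g. DEL lines)
        if raw[0] not in VALID_OPS:
            raise ValueError("line %d: bad changeType %r" % (lineno, raw[0]))
        records.append({n: decode_cell(c, t) for n, t, c in zip(names, types, raw)})
    return names, types, records


if __name__ == "__main__":
    for rec in parse_changelog(SAMPLE_CHANGELOG)[2]:
        print(rec)
```

The parser rejects rows with more cells than the schema and pads shorter rows with empty strings, so a DEL line that carries only the identifier still yields a complete record; a script should treat the empty cells of a DEL record as unknown rather than as cleared values.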
ChangeLog Filenames
Filenames are of the form:
servername_User_timestamp.sequenceNumber.suffix
Where:
- timestamp is the time that this log was started or rolled over. Files with the same timestamp are considered to be a Rotation.
- sequenceNumber is a monotonically increasing number, used to partition a rotation into subsets of files, that are controlled by a maximum number of bytes, lines, or seconds. Each of these is known as a Sequence file.
- suffix is the file extension defined in the ChangeLog config, usually .csv.
Configuring Rotations and Sequences
These are defined in ChangeLogPolicy objects and referred to from ChangeLogs.
Example
A policy that defines rotations as follows:
would result in rotation file names similar to the following. (There are two sequence files in each of these rotations.)
myServer_User_20060101070000.1.csv
myServer_User_20060101070000.2.csv
myServer_User_20060101150000.1.csv
myServer_User_20060101150000.2.csv
myServer_User_20060101230000.1.csv
myServer_User_20060101230000.2.csvmyServer_User_20060102070000.1.csv
myServer_User_20060102070000.2.csv
myServer_User_20060102150000.1.csv
myServer_User_20060102150000.2.csv
myServer_User_20060102230000.1.csv
myServer_User_20060102230000.2.csv
January 1 shows 3 rotations, 8 hours apart, beginning at 07:00:00. January 2 is similar; only the portion of the name that corresponds to the day (20060102) differs.
Writing ChangeLog Scripts
Read this section for information helpful to ChangeLog script writers.
- Scripts typically run continuously, waiting for new data or new files (or sleeping between periods of activity), and then simply read the file and apply the change on each line to the back-end resource.
- ChangeLogs support delete operations; however, only the accountId value will be included in DEL lines.
- By using Rotations and Sequences, you can decide how often a script runs. For example, you could specify:
- Rotation at midnight; and then every night run the script against the prior rotation.
- Rotation every 4 hours, starting at 8:00 a.m., and then run the scripts every four hours (at 8, 12, 16, 20, 24, 4, ...)
- No rotation, and run the script such that it reads a sequence file when the sequence number bumps. You can control how the sequence number increments; it can be size-based, num-operations based, or time-based.
- Each ChangeLog can be seen as a representation of the records in the back-end system. To keep things simple for the script reading the log, Identity Manager always writes all data for a given record, whether or not it has changed. Scripts can "blindly" apply the data in the records.
However, they need to ensure that the back-end resource (or the script), especially with regard to ADD and DEL, can either:
- Handle this idempotently. (Idempotency means that applying the same data more than once has no additional effect.) If the script reads the ChangeLog from start to finish in two passes, then the state of the data records in the resource should be exactly the same after each pass.
- Apply each change at most once. For example, if the resource cannot be made idempotent with regard to add and delete actions, then the script must ensure that it applies changes only once, either by reading the log entries only once, or by otherwise tracking its progress.
- A good approach might be to watch for a sequence file to appear, and then apply the previous file. For example, do not apply a .1 file until the .2 file appears. When .3 appears, apply .2. After applying a file, record on disk that you have done so. This approach allows you to avoid using calls like fstat or tail -f.
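The ChangeLog line format, the filename pattern, and the script-writing guidance above, combined into one added example (written in Python; this is not Identity Manager's own code): it parses filenames into rotations and sequences, splits T/B/MT/MB columns, applies records idempotently, and only processes a sequence file once a later one exists. The schema column names, the sample lines, and the rule that a later rotation also closes the previous rotation's last file are assumptions made here.

```python
"""Added example, not Identity Manager's own code: a reader for the ChangeLog
format described above (filename pattern, rotations and sequences, T/B/MT/MB
columns, idempotent apply, and applying a file only once its successor exists).
SCHEMA column names and all sample data are constructed."""
import base64
import re
from collections import defaultdict

# servername_User_timestamp.sequenceNumber.suffix  (timestamp: yyyyMMddHHmmss)
FILENAME_RE = re.compile(
    r"^(?P<server>[^_]+)_User_(?P<ts>\d{14})\.(?P<seq>\d+)\.(?P<suffix>\w+)$")

# Constructed schema for the columns that follow the operation and accountId.
SCHEMA = [("fullname", "T"), ("photo", "B"), ("groups", "MT"), ("certs", "MB")]

# Constructed sample lines; a DEL line carries only the accountId.
SAMPLE_LINES = [
    "ADD,account0,some text data,AQI=,[one,two,three],[AQI=,AwQ=]",
    "ADD,account1,other user,AwQ=,[],[]",
    "MOD,account1,renamed user,AwQ=,[two],[AQI=]",
    "DEL,account0",
]

def parse_filename(name):
    """Return (server, timestamp, sequence number, suffix) for a ChangeLog file."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError("not a ChangeLog filename: " + name)
    return m["server"], m["ts"], int(m["seq"]), m["suffix"]

def group_rotations(names):
    """Files sharing a timestamp form one rotation: {timestamp: [seq, ...]}."""
    rotations = defaultdict(list)
    for name in names:
        _, ts, seq, _ = parse_filename(name)
        rotations[ts].append(seq)
    return {ts: sorted(seqs) for ts, seqs in rotations.items()}

def split_columns(line):
    """Split on commas outside [ ] so multi-valued columns keep their items."""
    cols, buf, depth = [], [], 0
    for ch in line:
        if ch == "," and depth == 0:
            cols.append("".join(buf))
            buf = []
            continue
        depth += (ch == "[") - (ch == "]")
        buf.append(ch)
    cols.append("".join(buf))
    return cols

def decode_value(raw, vtype):
    """Decode one column by its value type: T, B (Base64), MT or MB."""
    if vtype == "T":
        return raw
    if vtype == "B":
        return base64.b64decode(raw)
    inner = raw[1:-1] if raw.startswith("[") and raw.endswith("]") else raw
    items = inner.split(",") if inner else []
    if vtype == "MT":
        return items
    if vtype == "MB":
        return [base64.b64decode(i) for i in items]
    raise ValueError("unknown value type " + vtype)

def parse_line(line, schema=SCHEMA):
    """Return (operation, accountId, {column: value}); DEL yields no values."""
    cols = split_columns(line.rstrip("\r\n"))
    op, account = cols[0], cols[1]
    if op == "DEL":
        return op, account, {}
    return op, account, {n: decode_value(r, t) for (n, t), r in zip(schema, cols[2:])}

def apply_lines(lines, store, schema=SCHEMA):
    """Idempotent apply: a non-DEL line carries the whole record and replaces the
    stored one; DEL removes it. Applying the same lines twice changes nothing."""
    for line in lines:
        op, account, values = parse_line(line, schema)
        if op == "DEL":
            store.pop(account, None)
        else:
            store[account] = values
    return store

def files_ready_to_apply(names, applied):
    """Closed files (a later sequence in the same rotation, or a later rotation,
    exists) not yet in `applied`, the on-disk progress record, in log order."""
    # Assumption added here: a later rotation also closes the previous rotation's
    # last sequence file; the text only describes waiting for the next sequence.
    meta = {n: parse_filename(n) for n in names}
    ready = []
    for name, (server, ts, seq, _) in meta.items():
        closed = any(s == server and (t, q) > (ts, seq) for s, t, q, _ in meta.values())
        if closed and name not in applied:
            ready.append(name)
    return sorted(ready, key=lambda n: (meta[n][1], meta[n][2]))
```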
Configuring Identity Attributes and Events
You use the Meta View area of the Administrator interface to configure identity attributes and events. Use the information and procedures in the following sections to configure Identity Manager identity attributes and identity events and to select the Identity Manager system applications to which the attributes and events will be applied.
Working with Identity Attributes
To configure identity attributes, select MetaView, and then select Identity Attributes. The Identity Attributes page appears. The following figure shows an example of this page.
Figure 4-7 Configuring Identity Attributes in Meta View
To add an Identity Attribute, click Add Attribute. Once added to the list, edit an Identity Attribute by clicking its name in the list. To remove one or more Identity Attributes, select them, and then click Remove Selected Attributes.
You can select one or more responses to add to or remove from attributes.
You must click Save before the action will take place.
If resources have changed since the last time you modified Identity Attributes, then the Identity Attributes page displays the following warning message (Figure 4-8). Click Configure the Identity Attributes from resource changes in the warning message to assimilate the changes.
Figure 4-8 Resources Have Changed Warning Message
Passwords
Active Sync is configured to create users on one or more resources. Identity Manager users require a password to be specified upon creation, but most resources do not allow reading passwords for security reasons. If password generation has not been set, click Configure password generation.
Select how passwords should be set on the identity user and other resource accounts created through Active Sync:
- Use default password — Select this option, and then enter a password. The password.password Identity Attribute will set the user password from this value.
- Use rule to generate password — Select this option, and then select a rule to use for password generation. The password.password Identity Attribute uses the selected rule to generate a password.
- Use Identity System Account Policy password generation — Select this option, and then select a policy to use for password generation. Selecting this option sets the waveset.assignedLhPolicy Identity Attribute to the selected policy. If the selected policy is not configured to generate passwords, and you have the permissions needed to create and modify policies, then the page redisplays with additional options that allow you to create a copy of the policy or modify the existing policy.
Selecting Applications
Use the Enabled Applications area to select the Identity system applications to which the Identity Attributes will be applied. Select one or more applications from the Available applications area and move them to the Enabled applications area. You must click Save before the action will take place.
Note
To use the ChangeLog feature, you must enable the Active Sync application. For more information, see Active Sync Adapters.
Adding and Editing Identity Attributes
From the Add Identity Attributes or Edit Identity Attributes pages, make these selections to add or edit Identity Attributes:
- Attribute Name — Select or enter an attribute name. Select from the default values provided (from resource schema map entries, operational Identity Attributes, and user extended attributes); or enter a value in the text box.
- Sources — Select one or more sources with which to populate the value for this Identity Attribute. The sources will be evaluated in order, and the Identity Attribute will be set to the first non-null value.
- Attribute Properties — Use this area to specify the property settings for the Identity Attribute.
- How to set Identity Attribute — Select one of the following options to specify how Identity Manager will set the value for the attribute on the resource:
- Set to value — The value of the Identity Attribute is authoritatively set on all targets. Selecting this option will cause the value determined by the sources to override any values entered by the user in a form, as well as values set in forms, workflows, rules, or roles. This option is an appropriate setting for a typical implementation.
- Default value — Sets the attribute values on the targets only when they have no value.
- Merge with value — Adds the value to the existing values. Duplicate values are filtered out.
For additional information about Identity Attributes, see Identity Manager Technical Deployment Overview.
- Store attribute in IDM repository — Select to store the Identity Attribute locally in the Identity system repository. This should be selected if the Identity system user is to be the authoritative store for the Identity Attribute, or if the attribute should be capable of handling queries.
- Set value on all assigned resources — Select this option if the Identity Attribute should globally be set on all assigned resources that support this attribute.
- Targets — Select the target resource on which this Identity Attribute should be set. If no targets are defined, then click Add Target. To remove a target from the list, select it, and then click Remove Selected Targets.
Adding Target Resources
It is not necessary to set targets for Identity Attributes if they are being used solely for the ChangeLog. You might do this, for example, if you wanted to use the ChangeLog, but also wanted to use the standard "Input Form" to push data through Active Sync. If there are no targets, then the MetaView simply calculates the identity attributes' values; it does not set them on any of the other resources.
Make selections to add a target resource for which an Identity Attribute should be set:
- Target Resource — Select the target resource on which the selected Identity Attribute should be set.
- Target Attribute — Select the name of the attribute on the target resource that will receive the value.
- Condition — Select a rule to run to determine whether the selected Identity Attribute should be set on this target resource. This rule should return a value of true or false. If no condition is set, then the target attribute will always be set for the selected event types.
- Apply To: — Select the types of events for which the selected Identity Attribute should be set on this target resource. These selections are combined with the Condition to determine if the target attribute should be set.
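How the source ordering, the three "How to set" options, the Condition rule, and the Apply To event types described above fit together, as an added Python model (not Identity Manager's own code). The attribute, resource, and event names, and the rule that nothing is pushed when no source has a value, are assumptions made here.

```python
"""Added example, not Identity Manager's own code: models how the Identity
Attribute settings described above combine. Sources are evaluated in order and
the first non-null value wins; each target then receives that value according
to the chosen mode ("set", "default" or "merge"), its Condition rule and its
Apply To event types. The attribute, resource and event names are constructed."""

def resolve_value(sources, record):
    """Return the value of the first source (in order) that is not null."""
    for src in sources:
        value = record.get(src)
        if value is not None:
            return value
    return None

def apply_mode(mode, existing, value):
    """Set to value: override. Default value: only fill an empty target.
    Merge with value: add to the existing values, filtering out duplicates."""
    if mode == "set":
        return value
    if mode == "default":
        return value if existing in (None, "", []) else existing
    if mode == "merge":
        if existing in (None, ""):
            current = []
        else:
            current = list(existing) if isinstance(existing, list) else [existing]
        new = value if isinstance(value, list) else [value]
        for v in new:
            if v not in current:
                current.append(v)
        return current
    raise ValueError("unknown mode " + mode)

def push_to_targets(attribute, record, targets, event, resource_state):
    """Compute the attribute from its sources and write it to every target whose
    Apply To set includes the event and whose Condition (if any) returns True.
    Returns the (resource, target attribute, new value) writes performed."""
    value = resolve_value(attribute["sources"], record)
    if value is None:
        return []  # assumption: nothing is pushed when no source has a value
    writes = []
    for t in targets:
        if event not in t["apply_to"]:
            continue
        condition = t.get("condition")
        if condition is not None and not condition(record):
            continue
        state = resource_state.setdefault(t["resource"], {})
        new = apply_mode(attribute["mode"], state.get(t["attribute"]), value)
        if new != state.get(t["attribute"]):
            state[t["attribute"]] = new
            writes.append((t["resource"], t["attribute"], new))
    return writes

# Constructed configuration: an "email" Identity Attribute taken from the HR
# feed first and an LDAP value second, pushed to two target resources.
EMAIL_ATTRIBUTE = {"sources": ["hr.mail", "ldap.mail"], "mode": "default"}
EMAIL_TARGETS = [
    {"resource": "AD", "attribute": "mail", "apply_to": {"create", "update"}},
    {"resource": "Portal", "attribute": "email", "apply_to": {"create"},
     "condition": lambda rec: rec.get("hr.status") == "active"},
]
```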
Removing Target Resources
To remove one or more target resources, select them in the list, and then click Remove Selected Targets.
Importing Identity Attributes
Using the Import Identity Attributes feature, you can select one or more forms to import and populate Identity Attributes values. Identity Manager will analyze the imported form values and make a "best guess" at Identity Attributes; however, it may be necessary to edit the Identity Attributes after import.
Make these import selections:
- Merge with existing Identity Attributes — If you select this option, then Identity Manager will merge imported values with existing Identity Attributes. If not selected, then the Identity Attributes are cleared before the import occurs.
- Forms to import — Select one or more forms from the Available Forms area to populate the Identity Attributes.
Configuring Identity Events
You can also configure identity events for resources managed by Identity Manager to define the behavior of the events that occur on those resources. The behavior that is defined in the identity events is used during Active Sync to determine when an event occurs and to take the appropriate actions to respond to the event.
For example, you can configure an identity event to detect and respond to a deletion on your authoritative Human Resources (HR) system that triggers the identity user and all other resource accounts to be deleted.
To configure identity events, select MetaView, and then the Identity Events tab. On the Identity Events page, click Add Event and specify the event type. You can also edit an Identity Event by selecting the event on the Identity Events page and specifying the following options.
- Event Type — Select delete, enable, or disable to specify the identity event type you are configuring.
- Sources — Select a resource that the identity event applies to (for example, AD for Active Directory). If the resource requires an event detection rule to detect and respond to events (because it does not have native support for them), select the rule in the determined by field. You can add and remove resources.
- Responses — Select a response from the Response list, or click Add Response to add a response if none are defined. To remove a response from the selection list, select it and click Remove Selected Responses.
Click OK when you have completed your selections.
Configuring Identity Manager Policies
Read this section for information and procedures for configuring user policies.
What are Policies?
Identity Manager policies set limitations for Identity Manager users by establishing constraints for Identity Manager account ID, login, and password characteristics.
Note
Identity Manager also provides Audit policies that are specifically designed to audit user compliance. Audit policies are discussed in Chapter 11, "Identity Auditing."
You create and edit Identity Manager user policies from the Policies page. From the menu bar, select Security, and then select Policies. From the displayed list page, you can edit existing policies and create new ones.
Policies are categorized as the following types:
- Identity System Account policies — Establish user, password, and authentication policy options and constraints. You assign Identity System Account policies (shown in Figure 4-9) to organizations or users, through the Create and Edit Organization and Create and Edit User pages.
Figure 4-9 Identity Manager Policy
Options you can set or select include:
- User policy options — Specify how Identity Manager treats user accounts if a user fails to correctly answer authentication questions.
- Password policy options — Set password expiration, warning time before expiration, and reset options.
- Authentication policy options — Determine how authentication questions will be presented to the user, whether the user can provide his own authentication questions, enforce authentication at login, and establish the bank of questions that can be presented to a user.
- SPE System Account policies — This policy type is used in a service provider implementation to establish user, password, and authentication policy options and constraints for service provider users. You assign the policies to organizations or users, through the Create and Edit Organization and Create and Edit SPE User pages.
- String Quality Policies — String quality policies include policy types such as password, AccountID, and authentication, and set length rules, character type rules, and allowed words and attribute values. This type of policy is tied to each Identity Manager resource, and is set on each resource page. Figure 4-10 provides an example.
Figure 4-10 Create/Edit Password Policy
Options and rules you can set for passwords and account IDs include:
- Length rules — Determine minimum and maximum length.
- Character type rules — Set minimum and maximum allowable values for alphabetic, numeric, uppercase, lowercase, repetitive, and sequential characters.
- Password re-use limits — Specify the number of passwords preceding the current password that cannot be re-used. When a user attempts to change his password, the new password is compared against the password history to ensure that it is unique. For security reasons, only a digital signature of each previous password is saved, and new passwords are compared against these signatures.
- Prohibited words and attribute values — Specify words and attributes that cannot be used as part of an ID or password.
Must Not Contain Attributes in Policies
You can change the allowed set of “must not contain” attributes in the UserUIConfig configuration object. Attributes are listed in UserUIConfig as follows:
Dictionary Policy
The dictionary policy enables Identity Manager to check passwords against a word database to ensure that they are protected from a simple dictionary attack. By using this policy with other policy settings to enforce the length and makeup of passwords, Identity Manager makes it difficult to use a dictionary to guess passwords that are generated or changed in the system.
The dictionary policy extends the password exclusion list that you can set up with the policy. (This list is implemented by the Must Not Contain Words option on the Administrator Interface password Edit Policy page.)
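The rule kinds listed above for string quality policies (length, character type, repetitive and sequential characters, re-use against a stored signature of previous passwords, prohibited words and attribute values) together with the dictionary check, as one added Python checker. This is not Identity Manager's own code: the policy values, the dictionary word set, the user attributes, and the rule names are constructed, and a SHA-256 digest stands in for the "digital signature" the text says is kept for previous passwords.

```python
"""Added example, not Identity Manager's own code: a string quality check that
applies the rule kinds described above. POLICY, DICTIONARY and the user
attributes are constructed; SHA-256 stands in for the "digital signature" that
the text says is stored for previous passwords."""
import hashlib

# Constructed policy; a minimum of 0 means the character type is not required.
POLICY = {
    "min_length": 8, "max_length": 64,
    "min_alpha": 1, "min_numeric": 1, "min_upper": 1, "min_lower": 1,
    "max_repetitive": 2,   # longest run of one repeated character allowed
    "max_sequential": 3,   # longest run of consecutive characters (abc, 123) allowed
    "history_size": 3,     # previous passwords that may not be re-used
    "prohibited_words": ["company", "welcome"],            # Must Not Contain Words
    "prohibited_attributes": ["accountId", "firstname", "lastname"],
    "check_dictionary": True,
}
DICTIONARY = {"password", "summer", "secret", "letmein"}  # constructed word set

def password_digest(password):
    """Only a digest of each past password is kept, never the clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def longest_repeat(s):
    """Longest run of the same character (aaa -> 3)."""
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def longest_sequence(s):
    """Longest run where each character is one code point above the previous."""
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) == ord(a) + 1 else 1
        best = max(best, run)
    return best

def check_password(password, user, history_digests, policy=POLICY, dictionary=DICTIONARY):
    """Return the names of the rules the password violates (empty means accepted)."""
    p, violations = policy, []
    if not p["min_length"] <= len(password) <= p["max_length"]:
        violations.append("length")
    if sum(c.isalpha() for c in password) < p["min_alpha"]:
        violations.append("alphabetic")
    if sum(c.isdigit() for c in password) < p["min_numeric"]:
        violations.append("numeric")
    if sum(c.isupper() for c in password) < p["min_upper"]:
        violations.append("uppercase")
    if sum(c.islower() for c in password) < p["min_lower"]:
        violations.append("lowercase")
    if longest_repeat(password) > p["max_repetitive"]:
        violations.append("repetitive")
    if longest_sequence(password) > p["max_sequential"]:
        violations.append("sequential")
    # Re-use check: compare the digest with those of the last history_size passwords.
    if password_digest(password) in history_digests[-p["history_size"]:]:
        violations.append("reuse")
    lowered = password.lower()
    if any(w.lower() in lowered for w in p["prohibited_words"]):
        violations.append("prohibited-word")
    # Must Not Contain Attributes: the user's own attribute values may not appear.
    for attr in p["prohibited_attributes"]:
        value = user.get(attr)
        if value and str(value).lower() in lowered:
            violations.append("attribute:" + attr)
    # Dictionary policy, treated here as extending the prohibited word list
    # (assumption: a dictionary word contained anywhere in the password fails).
    if p["check_dictionary"] and any(w in lowered for w in dictionary):
        violations.append("dictionary")
    return violations
```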
Configuring the Dictionary Policy
To set up the dictionary policy, follow these steps:
- From the menu bar, select Configure, and then select Policies.
- Click Configure Dictionary to display the Dictionary Configuration page.
- Select and enter database information:
- Database Type — Select the database type (Oracle, DB2, SQLServer, or MySQL) that you will use to store the dictionary.
- Host — Enter the name of the host where the database is running.
- User — Enter the user name to use when connecting to the database.
- Password — Enter the password to use when connecting to the database.
- Port — Enter the port on which the database is listening.
- Connection URL — Enter the URL to use when connecting. These template variables are available:
- %h - host
- %p - port
- %d - database name
- Driver Class — Enter the JDBC driver class to use while interacting with the database.
- Database Name — Enter the name of the database where the dictionary will be loaded.
- Dictionary Filename — Enter the name of the file to use when loading the dictionary.
- Click Test to test the database connection.
- If the connection test is successful, click Load Words to load the dictionary. The load task may take a few minutes to complete.
- Click Test to ensure that the dictionary was loaded correctly.
Implementing the Dictionary Policy
Implement the dictionary policy from the Identity Manager policies area. From the Policies page, click to edit a password policy. On the Edit Policy page, select the Check passwords against dictionary words option. Once implemented, all changed and generated passwords will be checked against the dictionary.
Customizing Email Templates
Identity Manager uses email templates to deliver information and requests for action to users and approvers. The system includes templates for:
- Access Review Notice — Sends notification that the access rights for a user need to be reviewed. The system sends this notification when a violation of an access policy must be remediated or mitigated.
- Account Creation Approval — Sends notification to an approver that a new account is awaiting his approval. The system sends this notification when the Provisioning Notification Option for the associated role is set to approval.
- Account Creation Notification — Sends notification that an account has been created with a particular role assignment. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
- Account Deletion Approval — Sends notification to an approver that a user account deletion action is awaiting approval. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
- Account Deletion Notification — Sends notification that an account has been deleted.
- Account Update Notification — Sends notification to the specified email addresses or user accounts that an account has been updated.
- Password Reset — Sends notification of an Identity Manager password reset. Depending on the Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the administrator resetting the password or emails the user whose password is being reset.
- Password Synchronization Notice — Notifies the user that a password change has completed successfully on all resources. The notification lists which resources were updated successfully and indicates the origin of the password change request.
- Password Synchronization Failure Notice — Notifies the user that the password change was not successful on all resources. The notification provides a list of errors and indicates the origin of the password change request.
- Policy Violation Notice — Sends a notice that an account policy violation has occurred.
- Reconcile Account Event, Reconcile Resource Event, Reconcile Summary — Called from the Notify Reconcile Response, Notify Reconcile Start, and Notify Reconcile Finish default workflows, respectively. Notification is sent as configured in each workflow.
- Report — Sends a generated report to a specified list of recipients.
- Request Resource — Sends notification to a resource administrator that a resource has been requested. The system sends this notification when an administrator requests a resource from the Resources area.
- Retry Notification — Sends notification to an administrator that a particular operation has been unsuccessfully attempted on a resource a specified number of times.
- Risk Analysis — Sends a risk analysis report. The system sends this report when one or more email recipients are specified as part of a resource scan.
- Temporary Password Reset — Sends notification to the user or role approver that a temporary password has been provided for the account. Depending on the Password Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the user, emails the user, or emails the role approvers.
- User ID Recovery — Sends a recovered user ID to the specified email address.
Editing an Email Template
You can customize email templates to provide specific directions to the recipient, telling him how to accomplish a task or how to see results. For example, you might want to customize the Account Creation Approval template to direct an approver to an account approval page by adding the following message:
Please go to http://host.example.com:8080/idm/approval/approval.jsp to approve account creation for $(fullname).
To customize an email template, follow this procedure, which uses the Account Creation Approval template as an example:
- From the menu bar, select Configure.
- On the Configure page, select Email Templates.
- Click to select the Account Creation Approval template.
Figure 4-11 Editing an Email Template
- Enter details for the template:
- In the SMTP Host field, enter the SMTP server name so that email notification can be sent.
- In the From field, customize the originating email address.
- In the To and Cc fields, enter one or more email addresses or Identity Manager accounts that will be the recipients of the email notification.
- In the Email Body field, customize the content to provide a pointer to your Identity Manager location.
- Click Save.
You can also modify email templates by using the Identity Manager IDE. For more information on the IDE, see Identity Manager Deployment Tools.
HTML and Links in Email Templates
You can insert HTML-formatted content into an email template to display in the body of an email message. Content can include text, graphics, and Web links to information. To enable HTML-formatted content, select the HTML Enabled option.
Allowable Variables in the Email Body
You can also include references to variables in the email template body, in the form $(Name); for example: Your password $(password) has been recovered.
Allowable variables for each template are defined in the following table.
Configuring Audit Groups and Audit Events
Setting up audit configuration groups allows you to record and report on system events you select. Configuring audit groups and events requires the Configure Audit administrative capability.
To configure audit configuration groups, select Configure from the menu bar, and then select Audit.
The Audit Configuration page shows the list of audit groups, each of which may contain one or more events. For each group, you can record successful events, failed events, or both.
Click an audit group in the list to display the Edit Audit Configuration Group page. This page lets you select the types of audit events to be recorded as part of an audit configuration group in the system audit log.
Check that the Enable Audit check box is selected. Clear the check box to disable the auditing system.
Editing Events in the Audit Configuration Group
To edit events in the group, you can add or delete actions for an object type. To do this, move items in the Actions column from the Available to the Selected area for that object type, and then click OK.
Adding Events to the Audit Configuration Group
To add an event to the group, click New. Identity Manager adds an event at the bottom of the page. Select an object type from the list in the Object Type column, and then move one or more items in the Actions column from the Available area to the Selected area for the new object type. Click OK to add the event to the group.
Remedy Integration
You can integrate Identity Manager with a Remedy server, enabling it to send Remedy tickets according to a specified template.
Set up Remedy integration in two areas of the Administrator interface:
- Remedy server settings — Set up Remedy configuration by creating a Remedy resource from the Resources area. After setting up the resource, test the connection to ensure integration is enabled.
- Remedy template — After setting up the Remedy resource, define a Remedy template. To do this, select Configure, and then select Remedy Integration. You will then select the Remedy schema and resource.
Creation of Remedy tickets is configured through Identity Manager workflow. Depending on your preferences, a call can be made at an appropriate time that uses the defined template to open a Remedy ticket. For more information about configuring workflows, see Identity Manager Workflows, Forms, and Views.
Configuring Identity Manager Server Settings
You can edit server-specific settings so that Identity Manager servers run only specific tasks. To do this, select Configure, and then select Servers.
To edit settings for an individual server, select a server in the list on the Configure Servers page. Identity Manager displays the Edit Server Settings page, where you can edit reconciler, scheduler, JMX, and other settings.
Reconciler Settings
By default, reconciler settings display on the Edit Server Settings page. You can accept the default value or de-select the Use default option to specify a value:
- Parallel Resource Limit — Specify the maximum number of resources that the reconciler can process in parallel.
- Minimum Worker Threads — Specify the number of processing threads that the reconciler will always keep alive.
- Maximum Worker Threads — Specify the maximum number of processing threads that the reconciler can use. The reconciler will only start as many threads as the workload requires; this places a limit on that number.
Scheduler Settings
Click Scheduler on the Edit Server Settings page to display scheduler options. You can accept the default value or de-select the Use default option to specify a value:
- Scheduler Startup — Select a startup mode for the scheduler:
- Tracing Enabled — Select this option to activate scheduler debug tracing to standard output.
- Maximum Concurrent Tasks — Select this option to specify the maximum number of tasks, other than the default, that the Scheduler will run at any one time. Requests for additional tasks above this limit will either be deferred until later or run on another server.
- Task Restrictions — Specify the set of tasks that can execute on the server. To do this, select one or more tasks from the list of available tasks. The list of selected tasks can be an inclusion or exclusion list depending on the option you select. You can choose to allow all tasks except those selected in the list (the default behavior), or allow only the selected tasks.
Click Save to save changes to the server settings.
Email Template Server Settings
Click Email Templates on the Servers menu to specify the Default SMTP Server setting.
Use this option to specify the default email server by clearing the Use Default selection and entering the mail server to use, if other than the default. The text you enter is used to replace the smtpHost variable in Email Templates.
JMX
Use this setting to enable JMX cluster polling and configure the interval for the polling threads. JMX data gathered can be viewed by going to the Identity Manager debug page and clicking the Show MBean Info button.
To enable the JMX polling, click JMX on the Servers tab and select the following options:
- Enable JMX — Use this option to enable or disable the polling thread for the JMX Cluster MBean. To enable JMX, clear the default selection (Use Default (false)).
Note
Because polling cycles consume system resources, enable this option only if you plan to use JMX.
- Polling Interval (ms) — Use this option to change the default interval at which the server will poll the repository for changes, when JMX is enabled. Specify the interval in milliseconds.
Click Save to save changes to the server settings.
Editing Default Server Settings
The Default Server Settings feature lets you set the default settings for all Identity Manager servers. The servers inherit these settings unless you select differently in the individual server settings pages. To edit the default settings, click Edit Default Server Settings. The Edit Default Server Settings page displays the same options as the individual server settings pages.
Changes you make to each default server setting are propagated to the corresponding individual server setting, unless you have de-selected the Use default option for that setting.
Click Save to save changes to the server settings.