Sun Identity Manager Deployment Guide

Preparing for Data Loading

Review the following sections before you begin the process of loading account information into Identity Manager:

Configuring an Adapter

To manage accounts on resources, you must configure an adapter for each source of account information. If you are using the Load from File process or bulk actions, then the adapter configuration can wait until you are ready to reconcile. Otherwise, the adapter must be configured before you can load data into Identity Manager.

For general information about configuring an adapter, see Understanding and Managing Identity Manager Resources in Sun Identity Manager 8.1 Business Administrator’s Guide. For detailed information about a specific adapter, refer to the Sun Identity Manager 8.1 Resources Reference or the online help.

Setting Account ID and Password Policies

When you load account data from a resource using Load from Resource, reconciliation, or Active Sync, Identity Manager does not obtain the password from the resource. (It would be a security breach on the part of the resource if it yielded the password.) Therefore, the Identity Manager account passwords will not be the same as those on the resource. By default, Identity Manager generates a random password that must be reset. However, you can also use the password view in the user form to specify a temporary password, such as a literal string that is the same for everyone, or is the same as the Identity Manager account ID. See Assigning User Forms and Chapter 3, Identity Manager Views, in Sun Identity Manager Deployment Reference for more information.

For bulk actions and Load from File, you can specify password values in the CSV file. These should be considered temporary passwords that users must change.

Policies establish limitations for Identity Manager accounts, and are categorized as:

Make sure you make any updates to the default policies before you begin loading account information into Identity Manager.

The following table lists the policies provided with Identity Manager as well as the default settings.

Table 4–2 Default Identity Manager Policies

Policy Name: Default Characteristics

AccountId Policy: Account IDs must have a minimum length of 4 characters and a maximum length of 16 characters.

Default Lighthouse Account Policy: Sets the account ID and password policies to AccountId Policy and Password Policy. Passwords are generated by Identity Manager, rather than by users.

Password Policy: Passwords must have a minimum length of 4 characters and a maximum length of 16 characters. The password cannot contain the user’s e-mail, first name, last name, or full name.

Windows 2000 Password Policy: Passwords must have a minimum length of 6 characters. Passwords must have 3 of the following characteristics:

  • 1 numeric character
  • 1 uppercase letter
  • 1 lowercase letter
  • 1 special character

  In addition, the password cannot contain the account ID.

See Chapter 3, User and Account Management, in Sun Identity Manager 8.1 Business Administrator’s Guide for more information about account and password policies.
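
As an added example (not part of the Sun documentation or of Identity Manager itself), the following Python script checks the temporary passwords in a bulk-load CSV file against the Password Policy and Windows 2000 Password Policy defaults from Table 4–2 before the file is loaded. The CSV column names, the case-insensitive "contains" comparison, and the treatment of any non-alphanumeric character as special are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample; column names are assumptions, not Identity Manager's required layout.
SAMPLE_CSV = """accountId,firstname,lastname,email,password
jdoe,John,Doe,jdoe@example.com,Tmp#4821x
asmith,Anna,Smith,asmith@example.com,asmith1
bwong,Bo,Wong,bwong@example.com,abc
clee,Chris,Lee,clee@example.com,Chris2024!
"""

def _contains(password, value):
    # Assumption: "cannot contain" is compared case-insensitively.
    return bool(value) and value.lower() in password.lower()

def check_password_policy(row):
    """Password Policy: 4-16 characters, no e-mail or name inside."""
    pw, problems = row["password"], []
    if not 4 <= len(pw) <= 16:
        problems.append("length must be 4-16")
    full_name = f'{row["firstname"]} {row["lastname"]}'
    for label, value in (("e-mail", row["email"]), ("first name", row["firstname"]),
                         ("last name", row["lastname"]), ("full name", full_name)):
        if _contains(pw, value):
            problems.append(f"contains {label}")
    return problems

def check_windows_2000_policy(row):
    """Windows 2000 Password Policy: 6+ characters, 3 of 4 classes, no account ID."""
    pw, problems = row["password"], []
    if len(pw) < 6:
        problems.append("length must be at least 6")
    # Assumption: a "special character" is any non-alphanumeric character.
    classes = (any(c.isdigit() for c in pw), any(c.isupper() for c in pw),
               any(c.islower() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        problems.append("needs 3 of 4 character classes")
    if _contains(pw, row["accountId"]):
        problems.append("contains account ID")
    return problems

def audit(csv_text):
    """Return {accountId: [problems]} for rows failing either policy."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = check_password_policy(row) + check_windows_2000_policy(row)
        if problems:
            report[row["accountId"]] = problems
    return report
```

Calling audit(SAMPLE_CSV) returns a dictionary keyed by account ID that lists each policy violation, so failing rows can be corrected before the load.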

Creating a Data Loading Account

It is recommended that you create a separate administrator account to perform data loading for the following reasons:

See Creating Users and Working with User Accounts in Sun Identity Manager 8.1 Business Administrator’s Guide for more information about creating accounts.

Assigning User Forms

In the context of data loading, user forms are used to perform background processing. For example, forms can work in conjunction with resource adapters to process information from an external resource before storing it in the Identity Manager repository. They can also be used to place users in the correct Organization based on input user data.

The user view is a data structure that contains all available information about an Identity Manager user. It includes:

Views contain many attributes, and a view attribute is a named value within the view (for example, waveset.accountId is the attribute in the user view whose value is the Identity Manager account name).

Most form field names are associated with a view attribute. You associate a field with a view attribute by specifying the name of the view attribute as the name of the form field. For more information on the user view, including a reference for all attributes in the user view, see the chapter titled Views.

The following fields are often in a user form that loads users.

The waveset.accountId and waveset.organization attributes are specific to Identity Manager. The EmployeeId attribute is a customized attribute. Its use is illustrated in Defining Custom Correlation Keys.

Identity Manager provides numerous forms that are pre-loaded into the system. Additional forms are also available in the $WSHOME/sample/forms directory. Many of the forms in this directory are resource-specific. You might wish to review these forms with the Identity Manager IDE to determine whether they should be used in production.

To increase performance during bulk operations, the user form assigned to an administrator should be as simple as possible. If you want to create a form for data loading, then you can remove code that is designed to display data. Another way to simplify the form applies when you use bulk add actions: your CSV file could define basic attributes such as firstname and lastname, and these attributes could then be removed from the administrator’s user form. See the chapter titled Identity Manager Forms for more information about creating and editing forms.

Note –

Do not directly modify a form provided with Identity Manager. Instead, you should make a copy of the form, give it a unique name, and edit the renamed copy. This will prevent your customized copy from being overwritten during upgrades and service pack updates.