Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java[TM] System Identity Manager 7.0 Deployment Overview 

Appendix E  
HR Database/Active Directory Deployment Scenario

This scenario illustrates how Identity Manager can be deployed in an environment where user accounts are defined in a human resources database (for example, PeopleSoft) and their access to IT infrastructure is controlled by Active Directory. This scenario illustrates the process of deploying Identity Manager across multiple resources.

This section contains:

Features

This scenario applies to many typical deployment situations. Users are created through PeopleSoft (where PeopleSoft is an authoritative source), and authorization for IT infrastructure is based on Active Directory group membership.

This scenario includes the following features:

Sample Contents

This scenario contains about 30 XML files that are loaded into Identity Manager. These files reside in:

<IDM_HOME>/sample/scenarios/scenario2/

These files create and configure the following types of objects:

Prerequisites

To run this scenario, your environment must include:

For more information about these adapters, see Identity Manager Resources Reference.

Loading and Configuring the Scenario

Perform the following steps to configure your environment:

Configure Active Directory

  1. Create an Organizational Unit (OU) called Scenario2 in your Active Directory domain using the Active Directory Users and Computers application.
  2. Create groups in the above OU by right-clicking the OU and select New > Group. For example:
    • Human Resources
    • Engineering
    • Marketing
    • Sales Department
  3. Create a user in the OU called adresowner.
  4. Modify the properties of each of the preceding groups by selecting the Managed By tab and setting the name value to:

    5. <AD Domain>/Scenario2/adresowner

Configure PeopleSoft

  1. Create departments and department IDs in the PeopleSoft environment. For example:
    • Human Resources (KU001)
    • Engineering (KU017)
    • Marketing (KU015)
    • Sales and Services (KU014)
  2. If you need to change the preceding names or department numbers for your environment, modify the mappings in the rule:

    3. <IDM_HOME>/sample/scenario2/GetPeopleSoftDepartmentName.xml.

Configure Identity Manager

Refer to Identity Manager Administration for detailed information on the following procedures.

  1. Install Identity Manager and import the following:

    2. <IDM_HOME>/sample/init.xml

  2. Copy the psjoa.jar file from the PeopleSoft installation media into:

    3. <IDM_HOME>/WEB-INF/lib directory.

  3. Import the following configuration file:

    4. <IDM_HOME>/sample/scenarios/scenario2/scenario2.xml.

  4. Configure the PeopleSoft resource and Active Directory resource to match your environment including:
    • Hostnames
    • Ports
    • User names
    • Passwords
    • Container
    • LDAP hostname
    • Identity templates.
  5. If desired, enable logging for Active Sync.

    6. Change the Log File Path and Log Level for both the PeopleSoft and Active Directory resources using the Active Sync Wizard.

  6. Modify each role to change the AD Groups role attribute to match your Active Directory setup.

    7. For example, the role attribute values should match the Distinguished Names (DNs) of the groups created in Configure Active Directory step two. The AD Groups attribute on the Active Directory resource is set via the AD Groups attributes configured in the roles.

  7. Change the SMTP Host in the Account Creation Approval email template to a valid SMTP server.
    1. Navigate to Configure > Servers and click on Edit Default Server.
    2. Select Default SMTP Server under the Email Template tab.
  8. Restart the application server.
  9. Initialize Identity Manager with all the PeopleSoft users. To create Identity Manager users for all accounts on the PeopleSoft resource, perform a Load From Resource.

    10. Navigate to Accounts > Load From Resource and select the PeopleSoft resource. Click Load Accounts to load all PeopleSoft accounts into Identity Manager.

  10. Ensure that Active Sync is detecting changes to PeopleSoft users.

    11. Active Sync for the PeopleSoft resource should start automatically when the container is restarted. If it does not, from the Resources > List Resources page, select Start Active Sync for the PeopleSoft resource.

  11. Start a Full Reconciliation on the Active Directory resource.

    12. On the List Resources page, select the Active Directory resource and click Full Reconcile Now from the Resource Actions menu.

  12. Create the Identity Manager account with the accountId adresowner. Assign this account to the Users organization. Assign the Approver capability and make Top:Users a controlled organization.
  13. Link this account to the Active Directory resource account you just created.
    1. Navigate to the Resources > Examine Account Index > Windows Active Directory.
    2. Select the following adresowner account:

      3. (cn=adresowner,ou=Scenario2,dc=example,dc=com)

      The account should be UNMATCHED and lists __UNKNOWN__ as the owner.

    3. Right-click and select Specify Owner. The Identity Manager account created above in Step 12 should appear.
    4. Click adresowner and verify in the Account Index applet that the situation has changed to Confirmed and the owner is adresowner.

      5. Approvals for membership in the Active Directory groups will go to this Identity Manager account.

  14. Start Active Sync on the Active Directory resource to set the authoritative attributes from Active Directory.

    15. Go to the Active Sync Wizard for Active Directory and change the Startup Mode to automatic. Save the Active Sync settings.

Verify Deployment

Perform the following steps to configure users and verify that the scenario has been properly installed and configured:

Create and Propagate Users

  1. Create a new test user in your PeopleSoft environment.

    2. For example, click on Home > Administer Workforce > Use > Hire. Fill in any pertinent address, profile, or identity information for the user.

  2. Assign the new user to one of the departments that maps to Active Directory groups created in Configure Active Directory step two.

    3. Wait for the change to be detected by Active Sync for PeopleSoft.

  3. Login to the Identity Manager Administrator Interface as the adresowner user.
  4. Navigate to Approvals > Awaiting Approval.

    5. The list should contain an approval request for the user that was created on the PeopleSoft resource in Step 1. Approve this request.

  5. Log out of Identity Manager, and log back in as Configurator.
  6. Click Accounts. Verify that an Identity Manager user for the PeopleSoft account now appears in the Accounts List.
  7. Log in to your Active Directory server.
  8. Use the Active Directory Users and Computers tool to verify that an Active Directory account was created with the information entered in the PeopleSoft environment in Step 1.
  9. View the Active Directory group that corresponds to the assigned department to verify that this account is a member of the group.

Modify Users

  1. Use the Active Directory Users and Computers tool to modify the following for your test user:
    • Description
    • Work Phone
    • Mobile Phone
    • Fax Number
  2. Log in to Identity Manager as Configurator.
  3. Click Accounts. Verify that the Active Directory test user information modified in Step 1 is now stored in the Identity Manager user database.

    4. Note

    Users will not appear in the Identity Manager user database until the next Active Sync poll has occurred.

Configure Auditing

This scenario provides the following example audit workflow file designed to measure performance timing for the group Engineering:

Report-WorkflowEngineering.xml

This auditing provides system performance data to support service level agreements.and can be modified to serve your needs.

Perform the following to setup and run this example auditing:

  1. Select Configure from the menu bar, and then select Audit.

    2. The Audit Configuration page shows the list of audit configuration groups, each of which may contain one or more events. For each group, you can record successful events, failed events, or both.

  2. Click the WorkflowEngineering configuration group in the list to display the Edit Audit Configuration Group page. This page lets you select the types of audit events to be recorded as part of an audit configuration group in the system audit log.
  3. Click Run > Reports

    4. To define an AuditLog report, select AuditLog Report from the list of report options on the Run Reports page.

  4. Run the WorkflowEngineering AuditLog report from the Run Reports list page.

    5. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.

    Note

    You can download and save reports to save and open in another application, such as Excel. To download a report, click Download.

Verify Linking

  1. Log in to your Active Directory server.
  2. Create a new test user in the OU.
  3. Wait for an Active Directory Active Sync poll.
  4. Log in to Identity Manager as Configurator.
  5. Create a new Identity Manager user for the account created in Step 2.

    6. Use the intended PeopleSoft employee ID as the new Identity Manager user account ID.

  6. Link the account created in Active Directory (before it is created in the PeopleSoft database.)

    7. Go to the Approvals page and view the approvals for the AD link admin user. Link the account to the test user you created in Step 5.

  7. Log in to PeopleSoft.
  8. Create a test user with the same employee ID assigned in Step 5.
  9. Wait for a PeopleSoft Active Sync poll.
  10. Log in to Identity Manager.
  11. Verify that the test user now has valid Active Directory and PeopleSoft accounts.



Previous      Contents      Index      Next     

Part No: 819-6126-10.   Copyright 2006 Sun Microsystems, Inc. All rights reserved.