Previous      Contents      Index      Next
Sun Java[TM] System Identity Manager 7.0 Deployment Overview

Appendix D  
Sun Communications Services Deployment Scenario

The Sun Communications Services deployment scenario illustrates how Identity Manager can be deployed in an environment where user accounts are defined on a Sun Communications Services resource. This scenario assumes that Sun Communications Services is the only resource to be managed. HR Database/Active Directory Deployment Scenario illustrates the process of deploying Identity Manager across multiple resources.

---

Features

The Sun Communications Services scenario contains about 50 XML files that are loaded into Identity Manager. These files create and configure the following types of objects:

User Form
Rule
Account Policy
Admin Role
Role
Task Definition and Schedule
Task Template
Login Application and Login Module Group
Sun Communications Services Resource
Email Template

In addition, the scenario also provides several JSP files as well as a sample LDIF file that can be loaded onto your directory server. The LDIF file defines several users, several of which are managers.

The most important features of the scenario include the following:

Managers can edit account attribute data for their subordinates. Managers are not explicitly granted the capabilities needed to access the Administrator Interface. However, they can view a linked list of their subordinates from the User Interface, and from this list, managers can access the account attributes for their subordinates.
When a user edits account attribute data from the User Interface, the user’s manager must approve the change for it to take effect. This is optional and only works if configured.
Users can request access to a resource. The list of available resources is generated dynamically. Any resources that are already assigned to the user, either directly or through a role, are not displayed.
The answer to a default authentication question is derived from a Sun Communications Services attribute.

---

Prerequisites

The Sun Communications Services scenario illustrates the integration of Identity Manager with the following products:

Sun Java System Directory Server 5 2005Q1
Sun Java System Messaging Server 6 2005Q1

Other directory servers and e-mail servers will not work with this scenario unless you customize the provided scripts.

In addition, Directory Server and Messaging Server must use the same Sun Communications Services base context.

---

Loading and Configuring the Scenario

Perform the following steps to configure your environment:

Caution	Do not load the scenario in an existing production environment. The scenario reconfigures several system attributes.

Step 1: Set Up Directory Server

Create a user named IdM User in the base context, such as cn=IdM User,dc=example,dc=com. This user will be used by the Sun Communications Services resource adapter to provision to the directory.
Change the access control on the base context (dc=example,dc=com) to allow IdM User to have full control (read, compare, search, write, delete, add).
Enable the changelog on the Directory Server. From the Configuration tab of the Directory Server administrative console, click Data, then click on the Replication tab on the right. Check the Enable Changelog check box. If you are using Directory Server 5.0 or higher, also enable the Retro Changelog Plugin in the administrator console.

Then restart Directory Server.

Change the access control on cn=changelog to allow IdM User to read and search.
Import the $WSHOME/sample/scenarios/scenario1/schema.ldif file into Directory Server.
Import the $WSHOME/sample/scenarios/scenario1/ scenario1Data.ldif file into Directory Server.

Step 2: Configure Messaging Server

Note	The Sun Communications Services scenario has been tested using Schema 1 for the mail server. The scenario should work with Schema 1.5 (compatibility mode) and Schema 2.

Add or modify the following option in the MessageServeroot/config/
option.dat file to ensure that the mail forwarding and autoreply features work:

DELIVERY_OPTIONS=*mailbox=$M%$\\$2I$_+$2S@ims-ms-daemon, \

&members=*, \

*native=$M@native-daemon, \

/hold=@hold-daemon:$A, \

*unix=$M@native-daemon, \

&file=+$F@native-daemon, \

&@members_offline=*, \

program=$M%$P@pipe-daemon, \

#forward=**, \

*^!autoreply=$M+$D@bitbucket

Step 3: Load the Scenario

Use the following procedure to load the Sun Communications Services scenario into Identity Manager.

Configure Identity Manager so that it can display and operate task templates. Edit the $WSHOME/config/Waveset.properties file and set gui.enableTaskTemplateEditor=true.
Log in to Identity Manager as Configurator.
From the Identity Manager menu bar, click Configure, and then click Import Exchange File.

Note	The browser must be launched from the Identity Manager server or have access to the files contained in the idm/sample directory on the Identity Manager server.

Enter the name or browse to the $WSHOME/sample/scenarios/scenario1 /scenario1.xml file, and then click Import.

Identity Manager displays a message indicating that the file imported successfully.

Copy the contents of $WSHOME/sample/scenarios/scenario1/jsp/ into $WSHOME/user/. These JSP files are necessary for enabling a manager to edit a subordinate’s data and for users to request access to a resource.

Step 4: Configure the Sun Communications Services Resource Adapter

Loading the scenario creates a resource named Sun JSCS Resource. This resource must be configured to match your environment.

Use the following procedure to minimally configure the Sun JSCS Resource. Additional configuration might be required.

From the Identity Manager menu bar, click Resource.

Resources are grouped by type, which are represented in the list by named folders. To expand the hierarchical view and see currently defined resources, double-click the resource type folder or click + (plus sign) next to the folder.

Right click on the Sun JSCS Resource icon and select the Edit > Resource Wizard option from the pop-up menu. The Resource Parameters page is displayed.
At minimum, configure the following fields so that they match your environment:
Host
User DN
Password
Base Contexts

Note	The User DN field defaults to cn=IdM User,dc=example,dc=com. This value should be changed to the user created in Step 1: Set Up Directory Server.

Click Next to display the Account Attributes page.

No configuration is required at this point on the Account Attributes page. See Sun JSCS Resource Attributes for more information about the account attributes.

Click Next to display the Identity Template page.

The identity template defines account name syntax for users. Update the value for the identity template. For a Sun JSCS resource, this value in the general format:

uid=$accountId$,ou=OrganizationUnit,BaseContext

Click Save.

For now, disable the ActiveSync feature of the adapter.To do this, right click on the Sun JSCS Resource icon and select Edit > Edit Active Sync Running Settings. by changing the value of the Startup Type parameter to Disabled.

Also change the Proxy Administrator to Configurator or other administrator with the capabilities necessary for processing changes on the resource.

Click Save.

Restart the application server in order to disable the ActiveSync functionality.

Step 5: Configure Email Templates

In the Sun Communications Services scenario, Identity Manager sends an email in the following circumstances:

When a user or manager changes the value of an account attribute.
When ActiveSync discovers a user on the Sun JSCS resource.

Use the following procedure to configure the Identity Manager email templates.

From the menu bar, click Configure, and then click Email Templates.
Click the link for Sun JSCS ActiveSync Account Creation Notification.
Change the values of the SMTP Host and From fields. Edit other fields as desired.
Click Save.
Repeat steps 2 through 4 for the Account Update Notification email template and any other template you wish to implement.

After you have loaded the Sun Communications Services scenario and made the necessary configurations, there are no specific steps that you must perform. However, it is recommended that you use the procedures listed in the remainder of this chapter to explore the capabilities provided in the scenario. Unless otherwise specified, all files mentioned in this scenario are loaded by default.

---

Sample Directory Overview

The scenario1Data.ldif file defines several default users, some of which are managers. The following table lists each user and indicates the user’s manager and subordinates, if any.

Table D-1  Sun Communications Services Scenario Users, Managers, and Subordinates

User ID	Name	Manager	Subordinates
ah1340	Anthony Harris	John Thomas	Joseph Smith
js1260	Joseph Smith	Anthony Harris	Renee Lebec
tb926	Theodore Benjamin	Bill Cady	None
ed1096	Eric D ‘Angelo	Bill Cady	None
rl891	Renee Lebec	Joseph Smith	Bill Cady
jt509	John Thomas	Josie Smith	Anthony Harris
rb945	Robert Blinn	None	Josie Smith
js1436	Josie Smith	Robert Blinn	John Thomas
sp486	Stephen Perkins	Bill Cady	None
bc1165	Bill Cady	Renee Lebec	Theodore Benjamin Eric D’Angelo Stephen Perkins

To view end-user functions of this scenario, log in to the User Interface with the User ID listed in the table. The password for all users in this scenario is hello.

---

Creating and Configuring Identity Manager Objects

This section discusses how selected Identity Manager objects are created and configured as a result of loading the Sun Communications Services scenario. These objects are needed to support this scenario.

Sun JSCS Resource Attributes

The users defined in the scenario1Data.ldif file contain attributes from standard object classes such as inetOrgPerson. Additional attributes are defined in Messaging Server object classes such as inetmailuser. If you are using the Sun Communications Services scenario with a mail server other than Messaging server, you must update the schema map for the Sun JSCS resource.

The following table lists the account attributes that were added for the Sun Communications Services scenario. If you are using a directory server or e-mail server other than those supported for this scenario, you may need to make changes to the account attributes.

Table D-2  Sun Communications Services Scenario Account Attributes  

Identity Manager Attribute	Sun JSCS Attribute	Description
manager	manager	Distinguished name of the user's manager.
dn	entrydn	The distinguished name for the user.
employeeNumber	employeenumber	Numerically identifies an employee within an organization
roomNumber	roomnumber	The user’s office or room number.
building	extendedaddress	The user’s office building name or code. This is not a standard Sun JSCS attribute.
carLicense	carlicense	Vehicle license or registration plate
ldapGroups	ldapGroups	A string that contains a list of groups for the Sun JSCS user.
email	mail	The user’s primary email addresses.
alternateEmail	mailalternateaddress	One or more additional email addresses.
mailDeliveryOption	maildeliveryoption	One or more of autoreply, hold, mailbox, native, or unix.
mailHost	mailhost	The fully qualified host name of the MTA that is the final destination of messages sent to this recipient.
mailForwardingAddress	mailforwardingaddress	A forwarding address for inbound messages.
inetUserStatus	inetuserstatus	The status of a user’s account with regard to global server access. Values are active, inactive, and deleted.
mailQuota	mailquota	The amount of disk space, in bytes, allowed for the user’s mailbox.
mailAutoReplySubject	mailautoreplysubject	Subject text of auto-reply response.
mailAutoReplyText	mailautoreplytext	Auto-reply text sent to all senders except users in the recipient’s domain.
mailAutoReplyTextInternal	mailautoreplytextinternal	Auto-reply text sent to senders from the recipients domain.
vacationStartDate	vacationstartdate	Vacation start date and time in the format YYYYMMDDHHMMSSZ. The Z is literal.
vacationEndDate	vacationenddate	Vacation end date and time. Uses the same format as vacationStartDate.
mailAutoReplyMode	mailautoreplymode	Either echo or reply.

In addition, the following Sun JSCS attributes are queried on Directory Server, but are not mapped to Identity Manager:

ismanager. If this attribute is present and has the value of “Y”, then the user is deemed a manager.
manager. The value of this attribute is set to the dn of the record of the manager who manages that specific entry. Therefore, a subordinate has the manager attribute set to the dn of their manager.

Admin Roles

The AdminRole-User.xml file creates two admin roles:

The User admin role is defined in the AdminRole-User.xml file. This admin role assigns the User Account Administrator capability to the My Employees organization and allows a manager to edit the data of his or her subordinates. The User admin role also grants the Approver capability to the Top organization.

Roles

The Mail Users role assigns the Sun JSCS resource to the user. The role is defined in the Role-MailUser.xml file.

If a user exists in the directory and it contains the inetuser, ipuser, inetmailuser, inetlocalmailrecipient, and userpresenceprofile object classes, the user will be assigned the Mail Users role when it is created in Identity Manager. If one or more of these object classes are missing, the role is not applied to the user.

When a user is created from Identity Manager and the Mail Users role is enabled, an email account will be created on the Messaging Server upon reconciliation. Since the user has a mail account, it will pass the rule Is Mail User (Rule-IsMailUser.xml).

The Sun Communications Services scenario assumes that there might be users defined in the directory that should not have mail accounts. If all users in the directory should have an email account, then do the following:

Add the inetuser, ipuser, inetmailuser, inetlocalmailrecipient, and userpresenceprofile object classes to the list of managed object classes on the adapter.
Change the properties of the Mail User role so that the objectClass resource account attribute is set to None.

Object Groups

The scenario creates the following object groups:

Users — The virtual organization in which reconciled users are placed. This organization is defined in the ObjectGroup-Users.xml file.

My Employees — This virtual organization is assigned in the User admin role. It invokes the Get My Subordinates rule. This organization is defined in the ObjectGroup-MyEmployees.xml file.

Login Application and Login Module Group

Identity Manager uses pass-through authentication to resolve the validity of the Sun JSCS password for the end-user pages. The Administrator Interface uses the Identity Manager user’s password. To enable this feature, the scenario uses the following files to create the Sun JSCS Login Module Group for the User Interface.

LoginApp-UserInterface.xml
LoginModGroup-SunJSCSLoginModuleGroup.xml

General Configuration

The following files configure miscellaneous aspects of the Sun Communications Services scenario.

Configuration-UserUIConfig.xml — Adds the manager attribute to the SummaryAttrNames and QueryableAttrNames attributes so that administrators can search for users by specifying their manager’s distinguished name.

Configuration-UserExtendedAttributes.xml — Adds manager to the view of the User object.

Configuration-CustomMessageCatalog.xml — Defines strings that are displayed in the on the user interfaces.

The following table lists the form and process map changes.

Table D-3  Forms and Process Mappings

Process or Form?	Type	New Value	Original Value
Process	createUser	Create User Template	Create User
Process	updateUser	Update User Template	Update User
Form	endUserForm	Sun JSCS End User Form	End User Form
Form	endUserMenu	Custom End User Menu	End User Menu
Form	userForm	Custom Tabbed User Form	Tabbed User Form

---

Creating User Accounts

Creating user accounts is one of the most important activities that an administrator performs. In the Sun Communications Services scenario, the majority of the user accounts are created when Identity Manager initially loads accounts from the directory server. However, other accounts will be loaded by ActiveSync, or created by an administrator in Identity Manager. This section describes the process of creating users with each of these mechanisms.

Using Reconciliation to Create Users

Before performing a reconciliation, the reconciliation policy must be configured, and a user form must be assigned to the user performing the reconciliation.

Reconciliation Policy

Reconciliation policy allows the administrator to select the server to run reconciliation, determine how often and when reconciliation takes place, and set responses to each situation encountered during reconciliation. You can also configure reconciliation to detect changes made natively (not made through Identity Manager) to account attributes.

Identity Manager provides a default global reconciliation policy, which can be inherited for any resource. However, the Sun Communications Services scenario requires some changes to the default policy, and these changes are defined in the Configuration-ReconcileConfiguration.xml file.

There are two significant changes to the default policy:

The proxy administrator is set to Reconciliation Admin. When a reconciliation response is performed, it is performed as this administrator. The Reconciliation Admin has been configured to create users with the User Form with Questions user form. If you need to login as Reconciliation Admin, the password is reconadmin.

If you want to use a different user to perform this function, assign the default user form to User Form with Questions. In addition, ensure the user has the Bulk Account Administrator capability.

The UNMATCHED situation is configured to create a new user based on resource account. When Identity Manager detects an account on the resource that does not have a corresponding account on Identity Manager, it creates a new Identity Manager user.

User Form

The User Form used for reconciliation (User Form with Questions) is defined in the UserForm-UserFormWithQuestions.xml file. This user form is meant to be used for reconciliations and load-from-resource operations only.

The default user form contains overhead that is not necessary for loading account data. The User Form with Questions form has been trimmed down so that it defines the following:

The user’s global full name, which is determined by concatenating the user’s first and last names
The user’s organization, which is set to Top:User
The answer to the user’s authentication question. (See Setting Answers to Authentication Questions for more information.)

Account information loaded from a resource is stored in a User object and can be accessed from the User view. As a result, detailed information about each user does not need to be referenced in the user form. The User Form with Question form contains minimal data to help speed the process of reconciliation. In a production environment with thousands of users, the reconciliation process can take hours. Therefore, eliminating all unnecessary fields and attributes speeds up the reconciliation process.

The full name and authentication answers remain in the user form because they are derived attributes. The organization specifies the Identity Manager virtual organization into which the user object should be placed.

Workflow

The Sun Communications Services scenario uses the standard Create User workflow when creating user accounts via reconciliation.

Testing Procedure

After the Sun Communications Services adapter has been configured, you can perform a reconciliation so that user data can be populated into Identity Manager.

Log in to Identity Manager as Configurator and initiate a full reconciliation by right-clicking on the Sun JSCS resource and selecting the Full Reconcile Now option. When reconciliation is complete, the status of all reconciliation attempts is displayed.

Using ActiveSync to Create Users

ActiveSync is another mechanism for loading resource account data into Identity Manager. ActiveSync “listens” or polls for changes to a resource, detecting incremental changes in real time. Because ActiveSync is designed to detect changes, it should not be used to load account information into Identity Manager for the first time.

The Sun Communications Services scenario enables changes from Sun JSCS to be propagated into Identity Manager. Once a new users are detected with the ActiveSync functionality, the new users can immediately log in to the end user pages to manage their accounts.

The scenario also creates a temporary password and emails it to the new user. This is necessary for two reasons. First, it is possible to create an account in Sun JSCS without a password. Therefore, the user would not be able to log in to Identity Manager. Secondly, passwords are usually not readable from Sun JSCS. This means that if the Sun JSCS ActiveSync is to be the authoritative source of the user's password, Identity Manager will not be able to synchronize the passwords on other resources with the Sun JSCS password. In order for the passwords to be consistent among all resources, a temporary password should be used, which the user will use to login and change all resource passwords.

User Form

The Sun JSCS ActiveSync Form translates ActiveSync attributes into Identity Manager user attributes. A temporary password (change12345) is created in this form.

The viewOptions.Process field (listed below), causes the Sun JSCS ActiveSync Create User and Sun JSCS ActiveSync Update User workflows to run for creates and updates respectively. For other operations (such as delete), the normal user workflows will be run.

Code Example D-1  viewOptions.Process Field  

<Field name='viewOptions.Process'>    <Comments>Use the optimized create and update workflows.</Comments>    <Expansion>       <switch>          <ref>feedOp</ref>          <case>             <s>create</s>             <s>Sun JSCS ActiveSync Create User</s>          </case>          <case>             <s>update</s>             <s>Sun JSCS ActiveSync Update User</s>          </case>          <case default='true'>             <null/>          </case>       </switch>    </Expansion> </Field>

Workflow

The TaskDefinition-SunJSCSActiveSyncCreateUser.xml file defines the workflow to run when a user is created through ActiveSync. This workflow is run whenever a user is discovered on the resource.

This workflow has been reduced to two actions. The first action is to provision the account in Identity Manager. The workflow then sends an email notification that contains the temporary password to the newly created user.

Also, the resultLimit workflow attribute is set to 0. This also helps speed up the workflow in that the results in the repository.

Email Template

The EmailTemplate-SunJSCSActiveSyncAccountCreationNotification.xml file defines an email template that sends a temporary password to the newly created user.

Testing Procedure

Prerequisites

The Sun JSCS resource must be configured for ActiveSync. In Step 4 : Configure the Sun Communications Services Resource Adapter, ActiveSync was disabled. Run the Active Sync Wizard by right clicking on the Sun JSCS resource and selecting Edit > Active Sync Wizard.

On the Synchronization Mode page set the Input Form field to Sun JSCS ActiveSync Form. Then click Next.
On the Active Sync Running Settings page:
Change the Startup Type to Automatic or Manual.
Set the Proxy Administrator to Configurator or other administrator with the capabilities necessary for processing changes on the resource.
Specify a directory to which a log file will be written in Log File Path.
Assign a value such as 5 minutes in the Poll Every field.

Then click Next.

On the General Active Sync Settings page, set the Filter Changes By field to cn=IdM User. This will prevent changes that were provisioned into the resource from Identity Manager from being reprocessed as Active Sync events.

Then click Save.

Restart Identity Manager to allow the changes to take effect.

Procedure

Use the following steps to test that Identity Manager creates a new user when an account is detected on an ActiveSync resource.

Create a new inetOrgPerson in the base context directory using the directory server’s native tools. Do not use Identity Manager to create the user.
Wait for the amount of time specified in the Poll Every field until the ActiveSync changes are loaded into Identity Manager. In some circumstances, you might need to start ActiveSync.
In Identity Manager, click the Accounts tab. The user has been added to the Users organization.
Log in to the User Interface using the new user's account ID and temporary password.
Use the “Change Password” link to change the user's password.

The end result is that users created externally in Sun JSCS are given accounts in Identity Manager. A temporary password is set on the Sun JSCS resource, and the user is notified of the temporary password.

Using Identity Manager to Create Users

The Sun Communications Services scenario requires customized user forms, workflows, task templates, and notifications. These aspects are discussed in detail.

User Forms

The following user forms help create new Users

Custom Tabbed User Form
Custom Dynamic Sun JSCS User Form

Custom Tabbed User Form

The Sun Communications Services scenario replaces the Tabbed User Form with the Custom Tabbed User Form. The standard Tabbed User Form controls the layout of the Create and Edit User pages. These pages have several navigation tabs that allow the administrator to set or view a user’s identity, assignments, capabilities, and resource attributes. The Custom Tabbed User Form is essentially the same, except that it uses a field reference to “Resource Tabs” in the UserForm-CustomDynamicUserForms.xml file (Custom Dynamic User Forms) instead of MissingFields. This will generate a Sun JSCS tab if the user has been assigned a Sun JSCS resource, either directly, or through a role. The Custom Dynamic User Forms in turn references the Custom Dynamic Sun JSCS User Form.

To register a replacement Tabbed User Form, the userForm form mapping must be changed. The scenario automatically changes the userForm value to Custom Tabbed User Form.

Custom Dynamic Sun JSCS User Form

The Custom Dynamic Sun JSCS User Form controls the Sun JSCS-specific attributes on the Create or Edit User page. It divides the Sun JSCS-specific attributes into two sections: User Attributes and Mail Attributes.

In the User Attributes section, the Manager field contains a drop-down menu containing a list of managers. This list is populated by calling the Get Managers rule, which checks for accounts on the Sun JSCS resource where the ismanager attribute is set to Y. The rule returns the entrydn attribute for each account that meets that criterion.

The Groups multi-select box is populated by the Get Sun JSCS Groups rule. This rule queries the resource and returns a list of Sun JSCS groups. If the account is already a member of a Sun JSCS group, the group is placed in the Current Groups box.

On the Assignments navigation tab, if the Mail Users role is assigned to a user, then the Mail Account Created field contains a value of Yes. If the Sun JSCS resource is assigned directly, without the role, then the Create Mail Account button is displayed. When this button is clicked, then the user is assigned the Mail Users role, and the button disappears.

The user form performs a validation on any value entered in the Primary Email and Other Email fields. The system checks for matching email addresses on the directory server. If a match is found, an error message is displayed.

Workflow

In the Sun JSCS scenario, a task template is launched when a user is created from the Administrator Interface. A task template is a set of components and product enhancements that enable administrators to configure workflow behavior through the Administrator Interface, instead of writing customized workflows to achieve the same result.

Task templates can be accessed by clicking Tasks, then the Task Templates subtab.

A task template contains the following elements:

TaskDefinitionRef — Defines which TaskDefinition will be launched to perform the action, in this case, to create a user. Standard workflows are often defined as a TaskDefinition.
FormRef — A reference to a form that can generate a user interface for configuring a TaskTemplate.
Variables — Contains attributes that are used in configuring the task. Variables are not discussed here.

The following XML fragment shows the top of the TaskTemplate-CreateUser.xml file:

Code Example D-2  Top of the TaskTemplate-CreateUser.xml File

<TaskTemplate id='#ID#TaskTemplate:CreateUser' name='Create User Template' taskType='TaskConfiguration' visibility='invisible'>    <TaskDefinitionRef>       <ObjectRef type='ProvisioningTask' name='Create User'/>    </TaskDefinitionRef>    <FormRef>       <ObjectRef type='UserForm' name='Create User Template Form'/>    </FormRef> ... </TaskTemplate>

The TaskTemplate is named Create User Template. The TaskDefinitionRef points to the Create User ProvisioningTask, which is the standard workflow for creating users. The FormRef refers to the Create User Template Form, a pre-defined form that controls the process of creating a user through a TaskTemplate.

Approvals

The Create User Template task template defines an approval workflow that runs when a user is created in Identity Manager. This task template does not configure notifications or other template features, but they can still be implemented, if desired, in this scenario.

To enable the Create User Template, the following prerequisites must be met:

The createUser process map must be updated to point to the Create User Template. Click Configure, then the Form and Process Mappings subtab. Under the Process Mappings section, change the value for createUser from Create User to Create User Template. This mapping has already been configured in the Sun Communications Services scenario.
The Get Managers rule (Rule-GetManagers.xml) uses the ismanager attribute to determine whether an account belongs to a manager, as shown in the following XML fragment:

Code Example D-3  Using the ismanager Attribute

<map>      <s>searchAttrsToGet</s>      <list>         <s>cn</s>         <s>dn</s>         <s>ismanager</s>      </list>      <s>searchScope</s>      <s>subTree</s>      <s>searchFilter</s>      <s>(&amp;(objectclass=inetorgperson)(ismanager=Y))</s>   </map>

If you use a different attribute to convey this status, change the rule to match this customized attribute. If you do not use this type of attribute, remove all references to the ismanager attribute. In this case, also change final string in the map to the following:

   <s>(objectclass=inetorgperson)</s>

In this scenario, a create user request requires approval from the user’s manager, who is not an Identity Manager administrator. The manager is determined by an approval query. The following fields have been pre-configured for this scenario:

Determine additional approvers from — The Query option indicates the account IDs of approvers will be determined by querying the Sun JSCS resource. The parameters of the query are constructed from the Resource Attribute to Query and Attribute to Compare fields.
Resource Attribute to Query — The entrydn attribute is queried on the resource. The query is searching for the user’s manager.
Attribute to Compare — The value of user.accounts[LDAP Resource].manager is compared to the value in the entrydn resource attribute. A match indicates the approver of the new user has been found.
Approval times out after — The default value is 1 day. If the manager does not approve the request to create the user, an approval request will be sent to the manager’s manager. (The Escalation Administrator Query is identical to the Approval Administrator Query.) Note that an approval request can only be escalated once. If the second-line manager does not approve the request in the specified time, the request is not forwarded to the third-line manager.
Approval Attributes — Attributes that will be displayed on the approval notice. The new user’s first name, last name, email address, and Sun JSCS groups are displayed on the notice, but these values can be changed by the approver.

If the Sun JSCS resource is configured so that an approver is required on the resource, that approval must occur before the manager receives the approval request.

Notifications

The Sun Communications Services scenario uses a standard workflow process, Notification Evaluator, to handle notifications. The Notification Evaluator process has been extended by adding an activity named Process User Manager.

The Process User Manager activity calls two rules:

Get Sun JSCS Resource Name — Determines which resource to contact to determine the user’s manager.
Get Manager Account Id — Queries the Sun JSCS resource and returns the value of the user’s manager attribute.

Upon fetching the value of the manager’s account ID, Identity Manager will attempt to send a notification email to the manager. The email template must be configured correctly.

---

Updating User Accounts

In general, the workflow processes that occur when changes are made to account mimic those that occur when accounts are created. The processes are simpler, however, because reprovisioning an existing user is less complicated than provisioning a new user.

Updates Discovered by Reconciliation

Data changes discovered by reconciliation go through the same general process as when creating a user. The User Form with Questions form controls the process.

See Using Reconciliation to Create Users for more information.

Updates Discovered by ActiveSync

The Sun JSCS ActiveSync Update User workflow defines how ActiveSync updates are performed. When changes are discovered via ActiveSync, Identity Manager triggers the reProvision workflow service.

See Using ActiveSync to Create Users for more information.

Updates Performed with Identity Manager

In the Sun Communications Services scenario, user data can be edited by an administrator from the Administrator Interface, or by an end-user or manager from the User Interface. Regardless of how this data is changed, Identity Manager runs the same workflow and handles approvals and notifications in the same manner. See Using Identity Manager to Create Users for more information about the workflow, approvals, and notifications.

The Update User Template TaskTemplate defines the workflow. It is an abbreviated version of the Create User Template TaskTemplate. In most cases, it is less urgent to change attributes of an existing user than to create the user in the first place. Therefore, the Update User Template TaskTemplate does not include these features.

Notifications work the same as when creating a user.

The updateUser process map must be updated to point to the Update User Template. This mapping has already been configured in the Sun Communications Services scenario, but to replicate this, click Configure, then the Form and Process Mappings subtab. Under the Process Mappings section, change the value for updateUser from Update User to Update User Template.

---

Implementing Changes to the User Interface

The User Interface presents a limited view of the Identity Manager system that is specifically tailored to users without administrative capabilities. By default, the User Interface allows users to change passwords and modify account attributes.

The Sun Communications Services scenario adds the following functionality to the standard user interface:

Provides a default authentication question. The answer to the authentication question is read from the carLicense attribute of the inetOrgPerson object class.
A user can change a variety of account attributes, including Sun JSCS group memberships. Changing the any value requires approval from the user’s manager.
A user can request access to a resource.
If the user is a manager, change attributes of his or her subordinates.

These features are discussed in detail below.

Setting Answers to Authentication Questions

If a user forgets his password, or his password is reset, he can answer one or more account authentication questions to gain access to Identity Manager. These questions, along with the rules that govern them, are defined in the account policy.

The Default Lighthouse Account Policy in this scenario contains the default authentication question “Car license plate number?”. When an account is first reconciled, the User Form With Questions form loads the value of the carLicense attribute of the inetOrgPerson object class. The user form performs some additional processing so that the value of carLicense is used as an answer to the authentication question.

However, it should be noted that license plate number may not be the best attribute to use for authentication questions, as this information is often omitted from the corporate Sun JSCS servers. Also, a license plate number is not a secure piece of information, so an unauthorized person could easily reset another person's Sun JSCS password.

A better attribute would have ACIs in the directory that restrict read access to the owner and high-level administrators, such as IDM User and directory administrators. The availability of such an attribute will vary for each directory server.

If such an attribute is not available, you could expand the scenario so that the user must specify an employee ID as well as the license plate number. To do this, you must update the resource’s schema map, update the account policy, and update the User Form with Questions form. Again, this scenario is not secure if employee IDs are publicly available.

Resource

The schema map must define any attribute that is used in any user form, rule, or other Identity Manager object. In this scenario, the employeenumber Sun JSCS attribute has already been mapped to the employeeNumber user attribute.

Account Policy

The account policy can modified from the Administrator Interface by clicking the Configure tab, then the Policies subtab. Select the account policy to be edited and enter a new question, such as “Enter Employee ID”, under the Secondary Authentication Policy Options heading.

To add the question directly to the Policy-DefaultLighthouseAccountPolicy.xml file, modify the questions attribute list as follows.

<Attribute name='questions'>

   <List>

      <Question>Car license plate number?</Question>

      <Question>Enter Employee ID</Question>

   </List>

</Attribute>

User Form

Replace the FieldLoop block in the “User Form with Questions” form with the following:

Code Example D-4  Replacing the FieldLoop Block

<FieldLoop for='questionName' in='waveset.questions[*].name'>    <Field name='waveset.questions[$(questionName)].answer'>       <Expansion>          <cond>             <eq>                <ref>waveset.questions[$(questionName)].question</ref>                <s>Car license plate number?</s>             </eq>             <ref>global.carLicense</ref>             <cond>                <eq>                   <ref>waveset.questions[$(questionName)].question</ref>                   <s>Employee number?</s>                </eq>                <ref>global.employeeNumber</ref>             </cond>          </cond>       </Expansion>       <Disable>          <and>             <neq>                <ref>waveset.questions[$(questionName)].question</ref>                <s>Car license plate number?</s>             </neq>             <neq>                <ref>waveset.questions[$(questionName)].question</ref>                <s>Enter Employee ID</s>             </neq>          </and>       </Disable>    </Field> </FieldLoop>

This code block determines whether each question defined in the authentication policy matches text specified in a <s> element. If the questions do not match, the fields are disabled.

Changing Account Attributes

The Sun JSCS End User Form determines which account attributes are displayed and whether the attributes can be edited. When any attribute is edited, the user’s manager is notified of the change. The manager must then approve or reject the change. For more information about the implementation of this feature, see Using Identity Manager to Create Users.

The Sun JSCS End User Form allows users to request changes to the Sun JSCS groups they are a member of. To manage Sun JSCS groups, the ldapGroups attribute must be added to the adapter’s schema map. In this scenario, the manager and employeeNumber attributes from the inetOrgPerson object class have also been added to the schema map to track who is the manager of the user.

The User Form calls the Get Sun JSCS Groups rule. This rule gets the list of Sun JSCS groups available on the directory server.

The Sun JSCS End User Form also contains fields named Manager and Manager Name. The Manager field contains the value returned from the manager Sun JSCS attribute. The Manager Name field, however, is derived by the Get Manager Name rule. This rule looks up the Sun JSCS user listed in the Manager field and retrieves this user’s first name (givenName) and last name (sn), then concatenates these values.

If the user is a manager, the Subordinates table is populated with the user IDs, names, and email addresses of subordinate users. See Manager Editing Subordinate Data.

Manager Editing Subordinate Data

In the Sun Communications Services scenario, managers do not have the ability to log in to the Administrator Interface. However, managers are able to edit attributes of their subordinates because the scenario creates a virtual organization, an admin role to control the organization, and provides several rules that determines whether a manager/subordinate relationship exists.

Virtual Organization

The My Employees organization contains users whose manager Sun JSCS attribute matches the distinguished name of the logged in user. If a user is not a manager, then the organization is empty, and the user cannot act on other accounts. Note that a manager can act on direct reports only. A second-line manager can edit the data of a first-line manager, but not the first-line manager’s subordinates.

The organization is assigned the Get My Subordinates rule. This rule has an authType of UserMembersRule and determines whether users can be a member of this organization. The rule in turn calls the Get Sun JSCS Resource Name and Get Subordinate Account IDs rules. The Get Subordinate Account IDs rule uses the resource returned in the Get Sun JSCS Resource Name rule to determine where to search for Sun JSCS users whose manager is the current user. The Get Subordinate Account IDs rule searches the cn, givenname, and dn attribute values on the directory and returns the value in dn.

Admin Role

The AdminRole-User.xml file creates the Users admin role. This admin role is unique in that it is automatically given to all Identity Manager users. In addition, this role has the following characteristics:

Is assigned the User Account Administrator.
Controls the MyEmployees virtual organization, which is created in the ObjectGroup-MyEmployees.xml file
Is available to the Top organization.

User Form

End User Subordinate Form — This form is similar to the Sun JSCS End User Form, except that it does not have a subordinates section. It is accessed after a manager clicks on the name of a subordinate.

JSP Files

The changesSubUser.jsp file controls the display of the End User Subordinate form. It is referenced in the Sun JSCS End User Form.

Requesting Access to Resources

The Sun Communications Services scenario gives end users the ability to request a resource account. When the user selects a resource, Identity Manager displays a set of attributes that the user can fill in to expedite the process. To enable this feature, the scenario contains customized forms, rules, and JSP pages.

Custom End User Menu User Form

When the scenario is first loaded, the configuration script changes the endUserMenu form mapping from End User Menu to Custom End User Menu. The UserForm-CustomEndUserMenu.xml file defines the Custom End User Menu form, which controls what is displayed when an end-user logs in to the User Interface.

The Custom End User form differs from the default End User menu in that it adds the link to the page that allows users to request access to resources. The following field adds the Request Resource Access link.

<Field>

   <Display class='Link'>

      <Property name='name' value='Request Resource Access'/>

      <Property name='URL' value='user/requestResources.jsp'/>

   </Display>

</Field>

Resource Request User Form

In the default Administrator Interface, the Tabbed User Form is displayed when creating or editing users. On the Assignments navigation tab, the Individual Resource Assignments multi-select box allows the administrator to assign one or more resources to the user. This multi-select box is the primary construct of the Resource Request User Form.

However, an end-user does not have the capability to view a list of available resources. To get around this limitation, the form calls the Get Unassigned Resources rule. This rule has two elements of note:

The RunAsUser element specifies the user account that will be used to query for available resources. The example uses Configurator perform this task. In a production environment, you would create an administrator account with minimal capabilities to query for resources.
The rule invokes the FormUtil method getUnassignedResources. This method builds a list of all accessible resources minus the names of the resources that are already assigned to the user through their role.

JSP Files

To enable the feature for allowing users to request access to resources, the following JSP files must be copied from $WSHOME/sample/scenarios/scenario1/jsp/ into $WSHOME/user/.

requestResources.jsp — Derived from user/changeAll.jsp. The only changes made to the requestResources.jsp file include setting the result and post URLs and changing several message catalog strings.
requestResourcesResults.jsp — Copied without modification from user/changeAllResults.jsp.

---

Implementing Changes to the Administrator Interface

Modifying the Approval Page

When a manager logs in to the User Interface, a link labeled View Inbox is displayed if the manager has a pending approval request. The UserForm-ApprovalForm.xml enhances the default Approval Form by displaying attributes that have been changed.

Modifying the Find User Form

The scenario adds a new search option to the Find Users page. This option allows the administrator to locate users whose manager starts with, contains, or matches the specified text.

Enabling this feature requires modifications to the UserUIConfig configuration object and two user forms.

UserUIConfig Configuration Object

The UserUIConfig configuration object controls the account search function and how results are displayed. To search for users by manager, the manager attribute must be added to the QueryableAttrNames and SummaryAttrnames elements. QueryableAttrNames define attributes that can be searched, while SummaryAttrNames are the attributes that can be displayed in list results.The scenario adds these attributes automatically.

User Search Library User Form

The User Search Library User Form defines the manager field. This multi-part field contains the following facets:

A checkbox that allows the administrator to conduct a search on multiple types.
The label “Manager”.
A reference to the manager attribute
A drop-down menu for selecting the operator (starts with, contains, or is).
A text box for entering the string to be searched for.

The following fragment defines the manager field.

Code Example D-5  Fragment Defining the Manager Field

<Field name='manager'>    <Field name='query.clauses[clause1].conditions[manager].active'>       <Display class='Checkbox'/>    </Field>    <Field>       <Display class='Label'>          <Property name='value' value='Manager'/>          <Property name='rowHold' value='true'/>       </Display>    </Field>    <Field name='query.clauses[clause1].conditions[manager].attribute'>       <Expansion>          <s>manager</s>       </Expansion>    </Field>    <Field name='query.clauses[clause1].conditions[manager].operator'>       <Display class='Select'>          <Property name='valueMap'>             <ref>displayHints.searchOperators</ref>          </Property>          <Property name='rowHold' value='true'/>       </Display>    </Field>    <Field name='query.clauses[clause1].conditions[manager].value'>       <Display class='Text'>          <Property name='rowHold' value='true'/>          <Property name='size' value='20'/>          <Property name='maxLength' value='48'/>       </Display>    </Field> </Field>

Find User Form User Form

The UserForm-FindUserForm.xml file modifies the default Find User Form to add a field reference to the manager field, which is defined in the User Search Library form.

Previous      Contents      Index      Next

---

Part No: 819-6126-10.   Copyright 2006 Sun Microsystems, Inc. All rights reserved.