Previous      Contents      Next
Sun Java System Identity Manager 2005Q4M3 Administration

5

Configuration

This chapter provides information and procedures for using the Administrator Interface to set up Identity Manager objects.

In this chapter, you can learn more about:

Creating and editing Identity Manager objects, such as:
Roles
Resources
ChangeLogs
Policies
Capabilities
Admin roles
Email templates
Servers
Setting up audit configuration groups (audit events)
Integrating Identity Manager with a Remedy server
Configuring digitally signed approvals

---

Understanding Roles

Read this section for information about setting up roles in Identity Manager.

What are Roles?

Identity Manager roles define the collection of resources on which accounts are managed. Roles allow you to profile a class of users, grouping Identity Manager users with similar characteristics.

You can assign each user to one or more roles, or to none. All users assigned to a role share access to the same base group of resources.

All resources associated with a role are indirectly assigned to the user. Indirect assignment differs from direct assignment, in which resources are specifically selected for the user.

When you create or edit a role, Identity Manager launches the ManageRole workflow. This workflow saves the new or updated role in the repository, and allows you to insert approvals or other actions before the role is created or saved.

You assign roles to users through the Administrator Interface Create and Edit User pages.

Creating Roles

To create a role:

From the menu bar, select Roles.
From the Roles list page, click New.

The Create Role page allows you to:

Assign resources and resource groups to the role.
Select role approvers and make notification selections.

---

Tip  To learn more about the approval process, refer to Approvals in the chapter titled Administration.

---

Exclude roles. This means that if this role is assigned to a user, the excluded role or roles may not also be assigned.
Select the organizations to which this role will be available for assignment.
Edit attribute values for resources assigned to the role.

Editing Assigned Resource Attribute Values

Click Set Attribute Values from the Assigned Resources area on the Create Role page to display a list of attributes for each resource assigned to the role. From this Edit attributes page, you can specify new values for each attribute and determine how attribute values are set. Identity Manager enables you to directly set values or use a rule to set values; it also provides a range of options for overriding or merging with existing values.

Editing Roles

To make changes to a role:

From the menu bar, select Roles.
From the Roles list page, click a role in the list.

Finding Roles

Use the Find Roles area to search for roles. The search feature returns a list of roles that match your search criteria.

You can search for roles by one or more of these search types:

Name
Availability
Approver
Resource
Resource group

---

Notes:

---

If you select more than one search type, the search must meet all specified criteria to successfully return results.
Search is not case-sensitive.

To search for roles, select Roles, and then select Find Roles.

Cloning Roles

You can use the selections from an existing role to create a new role. To do this:

Select a role to edit.
Enter a new name in the Name field, and then click Save.

Identity Manager displays the Create or Rename page.

Click Create to create the new role.

Renaming Roles

To rename a role:

Select a role to edit.
Enter a new name in the Name field, and then click Save.

Identity Manager displays the Create or Rename page.

Click Rename to change the role name.

Synchronizing Identity Manager Roles and Resource Roles

You can synchronize Identity Manager roles with roles created natively on a resource. When synchronized, the resource is assigned, by default, to the role. This applies to roles that are created with the task, as well as existing Identity Manager roles that match one of the resource role names.

From the menu bar, select Tasks, and then select Run Tasks to access the Synchronize Identity Manager Roles with Resource Roles task page.

---

Understanding Resources

Read this section for information and procedures to help you set up Identity Manager resources.

What are Resources?

Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Identity Manager resources define the relevant attributes about a resource and help specify how resource information is displayed in Identity Manager.

Identity Manager provides resources for a wide range of resource types, including:

Mainframe security managers
Databases
Directory services
Operating systems
Enterprise Resource Planning (ERP) systems
Messaging platforms

Resources Area

Identity Manager displays information about existing resources on the Resources page.

To access resources, select Resources on the menu bar.

Resources are grouped by type, represented in the list by named folders. To expand the hierarchical view and see currently defined resources, click the indicator next to the folder. Collapse the view by clicking the indicator again.

When you expand a resource type folder, it dynamically updates and displays the number of resource objects it contains (if it is a resource type that supports groups).

Some resources have additional objects you can manage, including:

Organizations
Organizational units
Groups
 Roles

Select an object from the resources list, and then make selections from one of these options lists to initiate a management task:

Resource Actions — Perform a range of actions on resources, including edit, active synchronization, rename, and delete; as well as work with resource objects and manage resource connection.
Resource Object Actions — Edit, create, delete, rename, save as, and find resource objects.
Resource Type Actions — Edit resource policies, work with the account index, and configure managed resources.

When you create or edit a resource, Identity Manager launches the ManageResource workflow. This workflow saves the new or updated resource in the repository, and allows you to insert approvals or other actions before the resource is created or saved.

Managing the Resources List

The list from which you can select resources to create is managed from the Configure area of the Administrator Interface. Select Configure Managed Resources from the Resource Type Actions options list to choose the resources that will populate the resources list.

On the Managed Resources page, Identity Manager divides resources into two categories:

Identity Manager resources — Resources included in this table are those most commonly managed by Identity Manager. The table shows the resource type and version. Choose one or more resources by selecting the option in the Managed? column, and then click Save to add them to the resources list.
Custom resources — Use this page area to add custom resources to the Resources list.

To add a custom resource:

Click Add Custom Resource to add a row to the table.
Enter the resource class path for the resource, or enter your custom-developed resource.
Click Save to add the resource to the Resources list.

The following table lists custom resource classes.

Custom Resource	Resource Class
Access Manager	com.waveset.adapter.AccessManagerResourceAdapter
ACF2	com.waveset.adapter.ACF2ResourceAdapter
ActivCard	com.waveset.adapter.ActivCardResourceAdapter
Active Directory	com.waveset.adapter.ADSIResourceAdapter
Active Directory ActiveSync	com.waveset.adapter.ActiveDirectoryActiveSyncAdapter
ClearTrust	com.waveset.adapter.ClearTrustManagerResourceAdapter
DB2	com.waveset.adapter.DB2ResourceAdapter
INISafe Nexess	com.waveset.adapter.INISafeNexessResourceAdapter
Microsoft SQL Server	com.waveset.adapter.MSSQLServerResourceAdapter
MySQL	com.waveset.adapter.MySQLResourceAdapter
Natural	com.waveset.adapter.NaturalResourceAdapter
NDS SecretStore	com.waveset.adapter.NDSSecretStoreResourceAdapter
Oracle	com.waveset.adapter.OracleResourceAdapter
Oracle Financials	com.waveset.adapter.OracleERPResourceAdapter
OS400	com.waveset.adapter.OS400ResourceAdapter
PeopleSoft	com.waveset.adapter.PeopleSoftCompIntfcAdapter com.waveset.adapter.PeopleSoftComponentActiveSyncAdapter
RACF	com.waveset.adapter.RACFResourceAdapter
SAP	com.waveset.adapter.SAPResourceAdapter
SAP HR	com.waveset.adapter.SAPHRResourceAdapter
SAP Portal	com.waveset.adapter.SAPPortalResourceAdapter
Scripted Host	com.waveset.adapter.ScriptedHostResourceAdapter
SecurID	com.waveset.adapter.SecurIdResourceAdapter com.waveset.adapter.SecurIdUnixResourceAdapter
Siebel	com.waveset.adapter.SiebelResourceAdapter
SiteMinder	com.waveset.adapter.SiteminderAdminResourceAdapter com.waveset.adapter.SiteminderLDAPResourceAdapter com.waveset.adapter.SiteminderExampleTableResourceAdapter
Sun ONE Identity Server	com.waveset.adapter.SunISResourceAdapter
Sybase	com.waveset.adapter.SybaseResourceAdapter
Top Secret	com.waveset.adapter.TopSecretResourceAdapter

Creating Resources

You create resources by using the Resource Wizard. The Resource Wizard guides you through the process of creating an Identity Manager resource adapter to manage objects on a resource.

Using the Resource Wizard, you will set up:

Resource-specific parameters — You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.
Account attributes — Defined in the schema map for the resource. These determine how Identity Manager user attributes map to attributes on the resource.
Account DN or identity template — Includes account name syntax for users, which is especially important for hierarchical namespaces.
Identity Manager parameters for the resource — Sets up policies, establishes resource approvers, and sets up organization access to the resource.

To create a resource:

Select New Resource from the Resource Type Actions list of options.

Identity Manager displays the New Resource page.

Select the resource type, and then click New to display the Resource Wizard Welcome page.

---

Note  Alternatively, you can select a resource type in the resources list before selecting New Resource from the Resource Type Actions list. In this case, Identity Manager does not display the New Resource page, but immediately launches the Resource Wizard.

---

Click Next to begin defining the resource. Resource Wizard steps and pages that display are, in order:
Resource Parameters — Set up resource-specific parameters that control authentication and resource adapter behavior. Enter parameters, and then click Test Connection to ensure the connection is valid. On confirmation, click Next to set up account attributes.





Figure 1. Resource Wizard: Resource Parameters

Account Attributes (schema map) — Maps Identity Manager account attributes to resource account attributes.

To add an attribute, click Add Attribute. Select one or more attributes, and then click Delete Selected Attributes to delete attributes from the schema map. When finished, click Next to set up the identity template.





Figure 2. Resource Wizard: Account Attributes (Schema Map)

Identity Template — Defines account name syntax for users. This feature is particularly important for hierarchical namespaces.

Select attributes from the Insert Attributes list. To delete attributes from the template, click in the list and delete one or more items from the string. Delete the attribute name, as well as the preceding and following $ (dollar sign) characters.





Figure 3. Resource Wizard: Identity Template

Identity System Parameters — Sets Identity Manager parameters for the resource, including retry and policy configuration.





Figure 4. Resource Wizard: Identity System Parameters

Use Next and Back to move among the pages. When you complete all selections, click Save to save the resource and return to the list page.

Managing Resources

You can perform a range of edit actions on the resource from the resources list. In addition to editing capabilities on each of the Resource Wizard pages, you can:

Delete resources — Select one or more resources, and then select Delete from the Resource Actions list. You can select resources of several types at the same time. You cannot delete a resource if any roles or resource groups are associated with it.
Search for resource objects — Select a resource, and then select Find Resource Object from the Resource Object Actions list to find a resource object (such as an organization, organizational unit, group, or person) by object characteristics.
Manage resource objects — For some resource types, you can create new objects. Select the resource, and then select Create Resource Object from the Resource Object Actions list.
Rename resources — Select a resource, and then select Rename from the Resource Actions list. Enter a new name in the entry box that appears, and then click Rename.
Clone resources — Select a resource, and then select Save As from the Resource Actions list. Enter a new name in the entry box that appears. The cloned resource appears in the resource list with the name you select.

Working with Account Attributes

Identity Manager resources use schema maps to define names and types for attributes coming from the external resource (resource account attributes); they then map those attributes to the standard Identity Manager account attributes. By setting up a schema map (on the Account Attributes page of the Resource Wizard), you can:

Limit resource attributes to only those that are essential for your company
Create common Identity Manager attribute names to use with multiple resources
Identify required user attributes and attribute types

To access these values, select the resource from the resources list, and then select Edit Resource Schema from the Resource Actions list.

The left column of the schema map (titled Identity system User Attribute) contains the names of Identity Manager account attributes that are referenced by the forms used in the Identity Manager Administrator and User interfaces. The right column of the schema map (titled Resource User Attribute) contains the names of attributes from the external source.

By defining Identity system attribute names, attributes from difference resources can be defined with common names. For example, on an Active Directory resource, the lastname attribute in Identity Manager is mapped to the Active Directory resource attribute sn; on GroupWise, the fullname attribute can be mapped to the GroupWise attribute Surname. As a result, an administrator is required to complete a value for lastname only once; when the user is saved, it is passed to the resources with different names.

Resource Groups

Use the resources area also to manage resource groups, which let you group resources to be updated in a specific order. By including and ordering resources in a group, and assigning the group to a user, you determine the order in which that user’s resources are created, updated, and deleted.

Activities are performed on each resource in turn. If an action fails on a resource, the remaining resources are not updated. This type of relationship is important for related resources.

For example, an Exchange 5.5 resource relies on an existing Windows NT or Windows Active Directory account: one of these must exist before the Exchange account can be successfully created. By creating a resource group with (in order) a Windows NT resource and an Exchange 5.5 resource, you ensure the correct sequence when creating users. Conversely, this order ensures that resources are deleted in the correct sequence when you delete users.

Select Resources, and then select List Resource Groups to display a list of currently defined resource groups. From that page, click New to define a resource group. When defining a resource group, a selection area lets you choose and then order chosen resources, as well as select the organizations to which the resource group will be available.

---

Understanding ChangeLogs

Read this section for information about the Identity Manager ChangeLog feature, and for procedures to help you configure and use ChangeLogs.

What are ChangeLogs?

ChangeLogs provide a view of identity attributes information contained by Identity Manager resources. Each ChangeLog is defined to capture changes to a subset of identity attributes.

As attribute data changes on a resource, ActiveSync adapters capture the information, and then write changes to a ChangeLog. Custom scripts developed specifically to interact with a resource in the enterprise then read the ChangeLogs and update the resource.

The ChangeLogs feature differs from Identity Manager’s standard resource active synchronization and reconciliation features because it enables indirect communication to resources from the provisioning system (via custom scripts).

ChangeLogs and Security

Identity Manager's ChangeLog feature requires write access to a designated directory or directories in the local file system. Some Web containers, by default, do not allow local file system access to the hosted Web modules like Identity Manager.

You grant access by editing a Java policy file. If using /tmp/changelogs as the directory, your policy file should contain:

grant {
    permission java.io.FilePermission "/tmp/changelogs/*", "read,write,delete";
};

You must define a file permission for each ChangeLog directory that you have specified.

The default security policy file for Java can be found at:

$JAVA_HOME/jre/lib/security/java.policy

Editing that file may be sufficient; however, if you are using your own file (not the default file), then the server is running with options such as:

-Djava.security.manager -Djava.security.policy=/path/to/your/java.policy

In this case, edit the file identified by the java.security.policy system property.

---

Note  You may need to restart the Web container after editing the security policy file.

---

ChangeLogs Feature Requirements

The ChangeLogs feature requires that you configure identity attributes before configuring a ChangeLog.

Configuring Identity Attributes

Use the following information and procedures to configure Identity Attributes and to select the Identity system applications to which Identity Attributes will be applied.

Working with Identity Attributes

To configure identity attributes, select Configure, and then select Identity Attributes from the Identity Manager Administrator interface. The Identity Attributes page displays.

To add an Identity Attribute, click Add Attribute. Once added to the list, edit an Identity Attribute by clicking its name in the list. To remove one or more Identity Attributes, select them, and then click Remove Selected Attributes.

---

Note  You must click Save before the action will take place.

---

Selecting Applications

Use the Enabled Applications area to select the Identity system applications to which the Identity Attributes will be applied. Select one or more applications from the Available applications area and move them to the Enabled applications area. You must click Save before the action will take place.

---

Note  To use the ChangeLog feature, you must enable the ActiveSync application.

---

Adding and Editing Identity Attributes

From the Add Identity Attributes or Edit Identity Attributes pages, make these selections to add or edit Identity Attributes:

Attribute Name — Select or enter an attribute name. Select from the default values provided (from resource schema map entries, operational Identity Attributes, and user extended attributes); or enter a value in the text box.
Sources — Select one or more sources with which to populate the value for this Identity Attribute. The sources will be evaluated in order, and the Identity Attribute will be set to the first non-null value.
Resource — The value comes from a selected attribute on a selected resource.
Rule — The value comes from the evaluation of a selected rule.
Constant — The value is set to the supplied constant value.

Click + (plus sign) to add a new line to select another source. Click - (minus sign) next to a source to delete it.

Attribute Properties — Use this area to set up properties for the Identity Attribute.
Identity Attribute is authoritative — The value of the Identity Attribute is authoritatively set on all targets. Select this option to cause the value determined by the sources to override any values entered by the user in a form. Typically, this option should be selected.
Store attribute in IDM repository — Select to store the Identity Attribute locally in the Identity system repository. This should be selected if the Identity system user is to be the authoritative store for the Identity Attribute, or if the attribute should be capable of handling queries.
Set value on all assigned resources — Select this option if the Identity Attribute should globally be set on all assigned resources that support this attribute.
Targets — Select the target resource on which this Identity Attribute should be set. If no targets are defined, then click Add Target. To remove a target from the list, select it, and then click Remove Selected Targets.

Click OK to add the Identity Attribute and return to the Identity Attributes page. You must click Save on the Identity Attributes page to save the additions.

Adding Target Resources

---

Tip  It is not necessary to set targets for Identity Attributes if they are being used solely for the ChangeLog. You might do this, for example, if you wanted to use the ChangeLog, but also wanted to use the standard "Input Form" to push data through ActiveSync. If there are no targets, then the MetaView just calculates the identity attributes' values; it doesn't set them on any of the other resources.

---

Make selections to add a target resource for which an Identity Attribute should be set:

Target Resource — Select the target resource on which the selected Identity Attribute should be set.
Target Attribute — Select the name of the attribute on the target resource that will receive the value.
Condition — Select a rule to run to determine if the selected Identity Attribute should be set on this target resource. This rule should return a value of true or false. If the condition is not set, then the target attribute always will be set for the selected event types.
Apply To: — Select the types of events for which the selected Identity Attribute should be set on this target resource. These selections are combined with the Condition to determine if the target attribute should be set.

Click OK to add the target resource and return to the Add or Edit Identity Attribute page.

Removing Target Resources

To remove one or more target resources, select them in the list, and then click Remove Selected Targets.

Importing Identity Attributes

Using the Import Identity Attributes feature, you can select one or more forms to import and populate Identity Attributes values. Identity Manager will analyze the imported form values and make a "best guess" at Identity Attributes; however, it may be necessary to edit the Identity Attributes after import.

Make these import selections:

Merge with existing Identity Attributes — If you select this option, then Identity Manager will merge imported values with existing Identity Attributes. If not selected, then the Identity Attributes are cleared before the import occurs.
Forms to import — Select one or more forms from the Available Forms area to populate the Identity Attributes.

Click Import to import the forms. The Identity Attributes page displays with the new or merged Identity Attributes listed.

Click Save to save changes to the Identity Attributes.

---

Note  If there are Identity Attributes conditions that need to be corrected, then Identity Manager will display a Warning page that lists one or more warnings. Click OK to return to the Configure area.

---

Configuring ChangeLogs

You configure ChangeLogs by creating ChangeLog policies and ChangeLogs. Each ChangeLog must have an associated ChangeLog policy. A ChangeLog defines the subset of changes, detected by ActiveSync and pushed through the Identity Attributes, should be written to a log. Its associated ChangeLog policy defines how the ChangeLog files should be written. The ChangeLog files will be consumed by custom scripts.

To configure ChangeLogs and ChangeLog policies, select Configure, and then select ChangeLogs from the Administrator interface menu bar.

Identity Manager displays the ChangeLog Configuration page, which displays two summary areas.

Figure 5. ChangeLog Configuration

ChangeLog Policies Summary

The ChangeLog Policies summary area shows currently defined ChangeLog policies. To edit an existing ChangeLog policy, click its name in the list. To create a ChangeLog policy, click Create Policy.

To remove one or more ChangeLog policies, select them in the list, and then click Remove Policy. (No confirmation is needed for this action.)

ChangeLogs Summary

The ChangeLogs summary area shows currently defined ChangeLogs. To edit an existing ChangeLog, click its name in the list. To create a ChangeLog, click Create ChangeLog.

To remove one or more ChangeLogs, select them in the list, and then click Remove ChangeLog. (No confirmation is needed for this action.)

Saving ChangeLog Configuration Changes

Any changes you make to the ChangeLog Configuration — either to ChangeLog policies or defined ChangeLogs — must be saved from the ChangeLog Configuration page. Click Save to save changes and return to the Identity Manager Configure page.

Creating and Editing ChangeLog Policies

Provide input and make selections on the Edit ChangeLog Policy page to create or edit ChangeLog Policies:

Policy Name — Enter a unique name for the policy.
Daily Start Time — Establish the time of day used to calculate the times when rotations should start or change over. ChangeLogs using this policy will start new rotations at this time and at increments calculated from this time. For example, if the start time is set to midnight (00:00) with 3 'Rotations Per Day', the prefixes on log files will change at 00:00, 08:00, and 16:00.

Filenames follow the pattern, 'cl_User_yyyyMMddHHmmss.n.suffix', where 'HHmmss' is the most recent time for a rotation to start. ('.n' is the Sequence number, and .suffix is a suffix provided in the ChangeLog definition.)

Using '00:00' for the start time with 3 as the number of rotations, if you were to activate a ChangeLog at 9:24 a.m. one morning, the resulting rotation name would include the most recent rotation start time (for example, 08:00). In this case, the filenames would start with cl_User_yyyyMMdd080000. At 16:00, a new rotation (a new prefix on filenames) would start.

Rotations Per Day — Specify the number of times you want to rotate the logs each day. For example, if you want a rotation every 4 hours, enter a value of 6.

This value is limited to non-negative integers. A value of 0 means to ignore this field. When this field is non-zero, the 'Maximum Age of a Rotation' setting is ignored.

If you specify the length of rotations in seconds, and if the 'Rotations Per Day' field is 0, then this value is used to determine the period of rotation.

This is limited to non-negative integer values. If you specify a non-zero number of 'Rotations Per Day', then that value is used (and this one is not). If the value of both of these fields is 0, then only the sequence information is applied. (Even Daily Start Time is unused in this case.)

Number of Rotations to Keep — Specify how many rotations are allowed to accumulate before Identity Manager deletes them. For example, if you are running with 3 rotations per day and want to keep 2 days of changes in the logs, specify a value of 6.
Maximum File Size in Bytes — A new log file (with the same rotation prefix, but with a new sequence number) is started if writing a change to the current file will exceed this limit. A value of 0 indicates that this limit is not used. All of the limit fields (size, lines, age) that are non-zero are used; however, this limit is checked before the others.
Maximum File Size in Lines — If writing a change will cause the current file to have more lines than this limit, then a new sequence file is created and the line is written to the new file. A value of 0 indicates 'no limit.' This limit is checked after the size limit and before the age limit.
Maximum File Age in Seconds — When a change is received and the existing sequence file is now older than the number of seconds specified here, a new sequence file is created before writing the change. A value of 0 indicates that this limit is not used. The other limits, if non-zero, are applied before this one.

Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog policy or changes to an existing policy.

Creating and Editing ChangeLogs

Provide input and make selections on the Edit ChangeLogs page to create or edit a ChangeLog:

ChangeLog Name — Enter a unique name for the ChangeLog.
Active — If you select this option, then the ChangeLog will monitor and write changes as they flow through ActiveSync resources and into the Identity Attributes (ActiveSync must be an Identity Attributes application for this to work).
Filter — Enter the name of the ChangeLog filter to use. 'Noop' means use the default filter, which accepts all changes. This should be sufficient for the vast majority of cases. Otherwise, this must name a Java class implementing com.sun.idm.changelog.ChangeLogFilter. The class must be in the classpath of the server, and it must have a public default constructor.
Log these Operations — Log events of the types selected, which includes Creates, Updates, and Deletes. Events not selected are ignored.
ChangeLog View — Define the contents (columns) of the ChangeLog by using this table. Each table row specifies a column in the ChangeLog. Click Add Column to add a ChangeLog column. Each column has a name, a type, and an Identity Attribute Name. The order of the rows indicates the order of the columns. Use the 'Up' and 'Down' buttons to order columns after they are defined.

---

Note  In every ChangeLog, there will be an implicit first column in the table named 'changeType'. This implicit first column indicates the type of the change. This column's type is 'Text'. The data in the log will be one of the following values: 'ADD', 'MOD', or 'DEL'.

---

Use the Policy Named — Select a defined ChangeLog policy from the list to use for logging.
Output Path — Enter the name of the directory on the file system that will contain the log files. This can be a network-mounted location; but it is preferable to use a directory that is local to the server. It is also advisable to use a unique location per ChangeLog.
Suffix — Enter a suffix for the ChangeLog files (for example, .csv). The suffix selected may be used to differentiate these files from other ChangeLog files.

Click OK to return to the ChangeLog Configuration page. You must click OK from the Configuration page to save the new ChangeLog or changes to an existing ChangeLog.

Example

View this example that details how to set up identity attributes and a ChangeLog to capture a specific set of attributes data.

Example: Define Identity Attributes

In this example, two Identity Manager resources (Resource 1 and Resource 2) provide source data to a third resource (Resource 3). Resource 3 is not directly connected to the Identity Manager system. A ChangeLog is needed to pull and maintain a data subset from Resource 1 and 2 to Resource 3.

Resource 1: EmployeeInfo
employeeNumber*
givenname
mi
surname
phone

Resource2 : OrgInfo
employeeNum*
managerEmpNum
departmentNumber

Resource 3 : PhoneList
empId*
fullname
phone
department

---

Note  * indicates a key to correlate records.

---

The Identity Attributes are defined as follows.

Attribute	<==	From Resource.Attribute
employee	<==	EmployeeInfo.employeeNumber
dept	<==	OrgInfo.departmentNumber
reportsTo	<==	OrgInfo.managerEmpNum
firstName	<==	EmployeeInfo.givename
lastName	<==	EmployeeInfo.surname
middleInitial	<==	EmployeeInfo.mi
fullname	<==	firstName + “ “ + middleInitial + “ “ + lastName
phoneNumber	<==	EmployeeInfo.phone

Example: Configure the ChangeLog

After defining the identity attributes, define a ChangeLog called PhoneList ChangeLog. Its purpose is to write a subset of the identity attributes to a ChangeLog file.

ChangeLogView in PhoneList ChangeLog

Column Name	Type	Identity Attribute
empId	Text	employee
fullname	Text	fullname
phone	Text	phoneNumber

When records in Resource 1 or Resource 2 are changed, the full set of data (not just the changes) for a ChangeLog record (all data from the identity attributes) is written to the ChangeLog. A custom script reads the information and uses it to populate Resource 3.

CSV File Format

Read this section for information about the format of the comma-separated value (CSV) file written by ChangeLogs.

Think of a ChangeLog file in terms of rows and column, such as a spreadsheet or database table. Each “row” is a line in the file.

The ChangeLog format is self-describing using the first two rows. Together, these two rows define the “schema”; that is, the logical names and logical types of each “cell” (values between commas on a row) in the table.

The first row names the attributes in the file. The second row describes the types of values of the attributes. Additional rows represent all the data for a change-event.

The ChangeLog file is encoded in Java UTF-8 format.

Columns

The first column in the file has special significance. This defines the operation type; for example, whether the change event was a create, modify, or delete action. It is always named changeType, and is always type T (representing Text). Its value is one of the values ADD, MOD, or DEL.

Exactly one column should hold a unique identifier (the primary key) for the entry. This generally is the second column in the file.

Other columns simply name the attribute. The name is taken from the Column Name value in the ChangeLog View table.

Rows

After the first two header rows that define the "schema" of the file, the remaining rows hold the values of the attributes. The values appear in the order of the columns in the first row. The ChangeLog is applied from the Identity Attributes, and therefore contains all data known about the user at the time the change is detected.

In addition, there is no special sentinel value indicating null (or not set). If a value is not present when a change is detected, then the ChangeLog writes an empty string.

Values are encoded according to the type of the column, as specified in the second row of the file. Supported types are:

T: Text
B: Binary
MT: Multi-Text
MB: Multi-Binary

Text Values

Text values are written as a string, with two exceptions:

If a value contains a , (comma), then Identity Manager escapes the comma within the value by inserting a \ (backslash) character. For example, if the value for fullname is Mouse, Mickey, then Identity Manager writes
Mouse \,Mickey as the value.
If a value contains a \ (backslash) character, then Identity Manager escapes it with another \. For example, if a value for homedir contains C:\users\home, then Identity Manager writes C:\\users\\home to the log.

Text values cannot contain a newline. If the file needs newlines, then use the Binary value type.

Binary Values

Binary values are Base64 encoded.

Multi-Text Values

Multi-Text values are written similarly to Text values, but are comma-separated and bracketed (using [ and ]).

Multi-Binary Values

Multi-Binary values are written like Binary values (Base64 encoded), but also are comma-separated and bracketed (using [ and ]).

Formatting Examples

The following examples illustrate various output format. Each example is in the form:

column1, column2, column3, column4

Column 3 of each example shows the example text.

Text (T) data appear as strings in the file:

ADD,account0,some text data,column4

Binary (B) data appears base64 encoded.

ADD,account0,FGResWE23WDE==,column4

Multi-Text (MT) appears as:

ADD,account0,[one,two,three],column4

Multi-Binary (MB) appears as:

ADD,account0,[FGResWE23WDE==,FGRCAFEBADE3sseGHSD],column4

---

Note  The Base64 alphabet does not include the , (comma), [ (left bracket), or ] (right bracket) characters, or a newline.

---

ChangeLog Filenames

Filenames are of the form:

servername_User_timestamp.sequenceNumber.suffix

Where:

timestamp is the time that this log was started or rolled over. Files with the same timestamp are considered to be a "Rotation."
sequenceNumber is a monotonically increasing number, used to partition a rotation into subsets of files, that are controlled by a maximum number of bytes, lines, or seconds. Each of these is known as a "Sequence" file.
suffix is the file extension defined in the ChangeLog config, usually .csv.

Configuring Rotations and Sequences

These are defined in ChangeLogPolicy objects and referred to from ChangeLogs.

Example

A policy that defines rotations to:

begin at 7:00 a.m.
rotate three times each day for two days

would result in rotation file names similar to the following. (There are two sequence files in each of these rotations.)

myServer_User_20060101070000.1.csv
myServer_User_20060101070000.2.csv
myServer_User_20060101150000.1.csv
myServer_User_20060101150000.2.csv
myServer_User_20060101230000.1.csv
myServer_User_20060101230000.2.csv

myServer_User_20060102070000.1.csv
myServer_User_20060102070000.2.csv
myServer_User_20060102150000.1.csv
myServer_User_20060102150000.2.csv
myServer_User_20060102230000.1.csv
myServer_User_20060102230000.2.csv

January 1 shows 3 rotations, 8 hours apart, beginning at 07:00:00. January 2 is similar; only the portion of the name that corresponds to the day (20060102) differs.

Writing ChangeLog Scripts

Read this section for information helpful to ChangeLog script writers.

Scripts likely run continuously, waiting for new data, new files, or sleeping between activity; and then simply read the file and apply the changes for each line to the back-end resource.
ChangeLogs support delete operations; however, only the accountId value will be included in DEL lines.
By using Rotations and Sequences, you can decide how often a script runs. For example, you could specify:
Rotation at midnight; and then every night run the script against the prior rotation.
Rotation every 4 hours, starting at 8:00 a.m., and then run the scripts every four hours (at 8, 12, 16, 20, 24, 4, ...)
No rotation, and run the script such that it reads a sequence file when the sequence number bumps. You can control how the sequence number increments; it can be size-based, num-operations based, or time-based.
Each ChangeLog can be seen as a representation of the records in the back-end system. To keep things simple for the script reading the log, Identity Manager always writes all data for a given record, whether or not it has changed. Scripts can "blindly" apply the data in the records.

However, they need to ensure that the back-end resource (or the script), especially with regard to ADD and DEL, can either:

Handle this idempotently. (Idempotency means if you apply the data more than once, then it does nothing.) If the script reads the ChangeLog from start to finish in two passes, then the state of the data records in the resource should be exactly the same after each pass.
Does this (at most) one time. For example, if the resource cannot be made idempotent with regard to add and delete actions, then the script must ensure that it applies changes only once, either by reading the log entries only once, or by otherwise tracking its progress.
A good approach might be to watch for a sequence file to appear, and then apply the previous file. For example, do not apply a .1 file until the .2 file appears. When .3 appears, apply .2. After applying a file, note that you have done so on a disk. This approach allows you to avoid using calls like fstat or
tail -f.

---

Understanding Policies

Read this section for information and procedures for configuring policies.

What are Policies?

Identity Manager policies set limitations for Identity Manager users by establishing constraints for Identity Manager account ID, login, and password characteristics.

You create and edit Identity Manager policies from the Policies page. From the menu bar, select Configure, and then select Policies. From the displayed list page, you can edit existing policies and create new ones.

Policies are categorized as:

Identity System Account policies — Establish user, password, and authentication policy options and constraints. You assign Identity System Account policies to organizations or users, through the Create and Edit Organization and Create and Edit User pages.





Figure 6. Identity Manager Policy

Options you can set or select include:

User policy options — Specify how Identity Manager treats user accounts if a user fails to correctly answer authentication questions
Password policy options — Set password expiration, warning time before expiration, and reset options
Authentication policy options — Determine how authentication questions will be presented to the user, whether the user can provide his own authentication questions, and establish the bank of questions (up to 10) that could be presented to a user.
String Quality Policies — String quality policies include policy types such as password, AccountID, and authentication, and set length rules, character type rules, and allowed words and attribute values. This type of policy is tied to each Identity Manager resource, and is set on each resource page.





Figure 7. Create/Edit Password Policy

  Options and rules you can set for passwords and account IDs include:

Length rules — Determine minimum and maximum length.
Character type rules — Set minimum and maximum allowable values for alphabetic, numeric, uppercase, lowercase, repetitive, and sequential characters.
Password re-use limits — Specify the number of passwords preceding the current password that cannot be re-used. When a user attempts to change his password, the new password will be compared to the password history to ensure this is a unique password. For security reasons, a digital signature of the previous passwords is saved; new passwords are compared to this.
Prohibited words and attribute values — Specify words and attributes that cannot be used as part of an ID or password.

Dictionary Policy

The dictionary policy enables Identity Manager to check passwords against a word database to ensure that they are protected from a simple dictionary attack. By using this policy with other policy settings to enforce the length and makeup of passwords, Identity Manager makes it difficult to use a dictionary to guess passwords that are generated or changed in the system.

The dictionary policy extends the password exclusion list that you can set up with the policy. (This list is implemented by the Must Not Contain Words option on the Administrator Interface password Edit Policy page.)

Configuring the Dictionary Policy

To set up the dictionary policy, you must:

Configure dictionary server support
Load the dictionary

Follow these steps:

From the menu bar, select Configure, and then select Policies.
Click Configure Dictionary to display the Dictionary Configuration page.
Select and enter database information:
Database Type — Select the database type (Oracle, DB2, SQLServer, or MySQL) that you will use to store the dictionary.
Host — Enter the name of the host where the database is running.
User — Enter the user name to use when connecting to the database.
Password — Enter the password to use when connecting to the database.
Port — Enter the port on which the database is listening.
Connection URL — Enter the URL to use when connecting. These template variables are available:
%h - host
%p - port
%d - database name
Driver Class — Enter the JDBC driver class to use while interacting with the database.
Database Name — Enter the name of the database where the dictionary will be loaded.
Dictionary Filename — Enter the name of the file to use when loading the dictionary.
Click Test to test the database connection.
If the connection test is successful, click Load Words to load the dictionary.

---

Note  The load task may take a few minutes to complete.

---

Click Test to ensure that the dictionary was loaded correctly.

Implementing the Dictionary Policy

Implement the dictionary policy from the Identity Manager policies area. From the Policies page, click to edit a password policy. On the Edit Policy page, select the Check passwords against dictionary words option. Once implemented, all changed and generated passwords will be checked against the dictionary.

---

Understanding Capabilities

Capabilities are groups of rights in the Identity Manager system. Capabilities represent administrative job responsibilities, such as resetting passwords or administering user accounts. Each Identity Manager administrative user is assigned one or more capabilities, which provide a set of privileges without compromising data protection.

Not all Identity Manager users need capabilities assigned; only those who will perform one or more administrative actions through Identity Manager. For example, an assigned capability is not needed to enable a user to change his password, but an assigned capability is required to change another user’s password.

Your assigned capabilities govern which areas of the Identity Manager Administrator Interface you can access. All Identity Manager administrative users can access certain areas of Identity Manager, including:

Home and Help tabs
Passwords tab (Change My Password and Change My Answers subtabs only)
Reports (limited to types related to the administrator's specific responsibilities)

Capabilities Categories

Identity Manager defines capabilities as:

Task-based. These are capabilities at their simplest task level.
Functional. Functional capabilities contain one or more other functional or task-based capabilities.

Built-in capabilities (those provided with the Identity Manager system) are protected, meaning that you cannot edit them. You can, however, use them within capabilities that you create.

Protected (built-in) capabilities are indicated in the list with a red key (or red key and folder) icon. Capabilities that you create and can edit are indicated in the capabilities list with a green key (or green key and folder) icon.

Working with Capabilities

From the menu bar, select Configure.
Select Capabilities to display the list of Identity Manager capabilities.

Create a Capability

To create a capability, click New.

Edit a Capability

To edit a non-protected capability, right-click it in the list, and then select Edit.

---

Note  You cannot edit built-in capabilities; however, you can save them with a different name to create your own capability, or use them in capabilities you create.

---

Save and Rename a Capability

To “clone” a capability (save it with a different name to create a new capability):

Right-click a capability in the list, and then select Save As.
Enter a new name, and then click OK.

You can edit the new capability, even if the copied capability is protected.

Assigning Capabilities

Assign capabilities to a user from the Create and Edit User page.

---

Note  You can also assign capabilities to a user by assigning an admin role, which you set up through the Security area. See Understanding Admin Roles for more information.

---

Capabilities Hierarchy

Task-based capabilities fall within the following functional capabilities hierarchy:

Account Administrator

Approver
Assign User Capabilities
User Account Administrator
Create User
Delete User
Delete IDM User
Deprovision User
Unassign User
Unlink User
Disable User
Enable User
Password Administrator
Change Password Administrator
Reset Password Administrator
Rename User
Unlock User
Update User
View User
Import User

Admin Role Administrator

Connect Capabilities
Connect Capabilities Rules
Connect Controlled Organizations Rules
Connect Organizations

Bulk Account Administrator

Approver
Assign User Capabilities
Bulk User Account Administrator
Bulk Create User
Bulk Delete User
Bulk Delete IDM User
Bulk Deprovision User
Bulk Unassign User
Bulk Unlink User
Bulk Disable User
Bulk Enable User
Password Administrator
Rename User
Unlock User
View User
Import User

Bulk Change Account Administrator

Approver
Assign User Capabilities
Bulk Change User Account Administrator
Bulk Disable User
Bulk Enable User
Bulk Update User
Password Administrator
Rename User
Unlock User
View User

Capability Administrator

Change Account Administrator

Approver
Assign User Capabilities
Change User Account Administrator
Disable User
Enable User
Password Administrator
Change Password Administrator
Reset Password Administrator
Rename User
Unlock User
Update User
View User

Import/Export Administrator

Login Administrator

Organization Administrator

Password Administrator (Verification Required)

Change Password Administrator (Verification Required)
Reset Password Administrator (Verification Required)

Policy Administrator

Reconcile Administrator

Reconcile Request Administrator

Remedy Integration Administrator

Report Administrator

Admin Report Administrator
Run Admin Report
Audit Report Administrator
Run Audit Report
Configure Audit
Reconcile Report Administrator
Run Reconcile Report
Resource Report Administrator
Run Resource Report
Risk Analysis Administrator
Run Risk Analysis
Role Report Administrator
Run Role Report
Task Report Administrator
Run Task Report
User Report Administrator
Run User Report

Resource Administrator

Resource Group Administrator
Change Active Sync Resource Administrator
Control Active Sync Resource Administrator

Resource Object Administrator

Resource Password Administrator

Change Resource Password Administrator
Reset Resource Password Administrator

Role Administrator

Security Administrator

View Organizations

List Organizations

View Resources

List Resources

Waveset Administrator

Capabilities Definitions

The following table describes each of the task-based capabilities and highlights the tabs and subtabs accessible with each capability.

All capabilities grant the user or administrator access to the Change My Password and Change My Answers subtabs (Passwords tab).

Capability	Allows the Administrator/User to:	Can Access These Tabs and Subtabs:
Account Administrator	Perform all operations on users, including assigning capabilities. Does not include bulk operations.	Accounts - List Accounts, Find Users, Extract to File, Load from File, Load from Resource subtabs Passwords - All subtabs Approvals - All subtabs Tasks - All subtabs
Admin Report Administrator	Create, edit, delete, and run administrator reports.	Reports - Manage Reports, Run Reports subtabs (Administrator report only)
Admin Role Administrator	Create, edit, and delete admin roles.	Configure - Admin Roles subtab
Approver	Approve or reject requests initiated by other users.	Approvals - All subtabs
Assign User Capabilities	Change user capabilities assignments (assign and unassign).	Accounts - List Accounts (Edit only), Find Users subtabs. Must be assigned with another user administrator capability (for example, Create User or Enable User).
Audit Report Administrator	Create, edit, delete, and run audit reports.	Reports - Audit reports only
Bulk Account Administrator	Perform regular and bulk operations on users, including assigning capabilities.	Accounts - All subtabs Passwords - All subtabs Approvals - All subtabs Tasks - All subtabs
Bulk Change Account Administrator	Perform regular and bulk operations except delete on existing users, including assigning capabilities.	Accounts - List Accounts, Find Users, Launch Bulk Actions subtabs. Cannot create or delete users. Passwords - All subtabs Approvals - All subtabs Tasks - All subtabs
Bulk Change User Account Administrator	Perform regular and bulk operations except delete on existing users.	Accounts - List Accounts, Find Users, Launch Bulk Actions subtabs. Cannot create, delete, or assign capabilities to users. Passwords - All subtabs Tasks - All subtabs
Bulk Create User	Assign resources and initiate user create requests (on individual users and by using bulk operations).	Accounts - List Accounts (Create only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Delete User	Delete Identity Manager user accounts; deprovision, unassign, and unlink resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Create only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Delete IDM User	Delete existing Identity Manager user accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Delete only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Deprovision User	Delete and unlink existing resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Deprovision only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Disable User	Disable existing users and resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Disable only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Enable User	Enable existing users and resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Enable only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Unassign User	Unassign and unlink existing resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Unassign only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Unlink User	Unlink existing resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Unlink only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk Update User	Update existing users and resource accounts (on individual users and by using bulk operations).	Accounts - List Accounts (Update only), Find Users, Launch Bulk Actions subtabs Tasks - All subtabs
Bulk User Account Administrator	Perform all regular and bulk operations on users.	Accounts - All subtabs Passwords - All subtabs Tasks - All subtabs
Capability Administrator	Create, modify, and delete capabilities.	Configure - Capabilities subtab
Change Account Administrator	Perform all operations except delete on existing users, including assigning capabilities. Does not include bulk operations	Accounts - All subtabs. Cannot delete users. Passwords - All subtabs Approvals - All subtabs Tasks - All subtabs Reports - Create admin and user reports, run and edit admin reports, run auditlog reports in scope. Cannot run admin and user reports on out-of-scope organizations.
Change Active Sync Resource Administrator	Change active sync resource parameters.	Tasks - Find Tasks, All Tasks, Run Tasks subtabs Resources - For Active Sync resources: Edit actions menu, Edit Active Sync Parameters
Change Password Administrator	Change user and resource account passwords.	Accounts - List Accounts, Find Users subtabs (Change Password only) Passwords - All subtabs Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
Change Password Administrator (Verification Required)	Change user and resource account passwords following successful validation of the user's authentication question answers.	Accounts - List Accounts, Find Users subtabs (Change Password only; verification required before action) Passwords - All subtabs Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
Change Resource Password Administrator	Change resource administrator account passwords.	Tasks - All subtabs Resources - List Resources subtab. Change resource password only (from Manage Connection-->Change Password in the actions menu)
Change User Account Administrator	Perform all operations except delete on existing users. Does not include bulk operations	Accounts - List Accounts, Find Users subtabs. Cannot create, delete, or assign capabilities to users. Passwords - All subtabs Tasks - All subtabs
Configure Audit	Configure the activities audited in the system.	Configure - Audit Events subtab
Control Active Sync Resource Administrator	Control Active Sync resource state (such as start, stop, and refresh)	Tasks - Find Tasks, All Tasks, Run Tasks Resources - For Active Sync resources: Active Sync actions menu (all selections)
Create User	Assign resources and initiate user create requests. Does not include bulk operations	Accounts - List Accounts (Create only), Find Users subtabs Tasks - All subtabs
Delete User	Delete Identity Manager user accounts; deprovision, unassign, and unlink resource accounts. Does not include bulk operations.	Accounts - List Accounts (Delete only), Find Users subtabs Tasks - All subtabs
Delete IDM User	Delete Identity Manager user accounts. Does not include bulk operations.	Accounts - List Accounts (Delete only), Find Users subtabs Tasks - All subtabs
Deprovision User	Delete and unlink existing resource accounts. Does not include bulk operations.	Accounts - List Accounts (Deprovision only), Find Users subtabs Tasks - All subtabs
Disable User	Disable existing users and resource accounts. Does not include bulk operations	Accounts - List Accounts (Disable only), Find Users subtabs Tasks - All subtabs
Enable User	Enable existing users and resource accounts. Does not include bulk operations	Accounts - List Accounts (Enable only), Find Users subtabs Tasks - All subtabs
Import User	Import users from defined resources.	Accounts - Extract to File, Load from File, Load from Resource subtabs
Import/Export Administrator	Import and export all types of objects.	Configure - Import Exchange File subtab
License Administrator	Set the Identity system product license	Provides lh license command access. (No Administrator Interface tabs provided by this capability.)
Login Administrator	Edit the set of login modules for a given login interface.	Configure - Login subtab
Organization Administrator	Create, edit, and delete organizations.	Accounts - List Accounts subtab (Edit and create organizations and directory junctions, delete organizations only)
Password Administrator	Change and reset user and resource account passwords.	Accounts - List Accounts (list, change, and reset passwords only), Find Users subtabs Passwords - All subtabs Tasks - All subtabs
Password Administrator (Verification Required)	Change and reset user and resource account passwords following successful validation of the user's authentication question answers.	Accounts - List Accounts (list, change, and reset passwords only; verification required before action succeeds), Find Users subtabs Passwords - All subtabs Tasks - All subtabs
Policy Administrator	Create, edit, and delete Policies.	Configure - Policy subtab
Reconcile Administrator	Edit reconciliation policies and control reconciliation tasks.	Tasks - All subtabs (View reconcile task). Resources - List Resources subtab
Reconcile Report Administrator	Create, edit, delete, and run reconciliation reports.	Reports - Run Reports (Account Index report only), Manage Reports subtabs
Reconcile Request Administrator	Manage reconciliation requests.	Tasks - All subtabs Resources - List Resources subtab (list and reconciliation features only)
Remedy Integration Administrator	Modify Remedy integration configuration.	Tasks - All subtabs (view tasks, run role synchronization) Configure - Remedy Integration subtab
Rename User	Rename existing users and resource accounts.	Accounts - List Accounts subtab (list all accounts in scope, rename users)
Report Administrator	Configure audit settings and run all report types.	Tasks - All subtabs (view tasks, run role synchronization) Reports - All subtabs
Reset Password Administrator	Reset user and resource account passwords.	Accounts - List Accounts, Find Users subtabs (Reset Password only) Passwords - All subtabs Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
Reset Password Administrator (Verification Required)	Reset user and resource account passwords following successful validation of the user's authentication question answers.	Accounts - List Accounts, Find Users subtabs (Reset Password only; verification required before action succeeds) Passwords - All subtabs Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
Reset Resource Password Administrator	Reset resource administrator account passwords.	Tasks - Find Tasks, All Tasks, Run Tasks subtabs Resources - List Resources subtab. Reset resource password only (from Manage Connection -->Reset Password in the actions menu)
Resource Administrator	Create, modify, and delete resources.	Reports - Resource user report, resource group report returns error on out-of-scope resources. Resources - List Resources subtab (edit global policy, edit parameters, resource groups. Cannot manage connection or resource objects).
Resource Group Administrator	Create, edit, and delete resource groups.	Resources - List Resource Groups subtab
Resource Object Administrator	Create, modify, and delete resource objects.	Tasks - Find Tasks, All Tasks, Run Tasks subtabs (view tasks involving resource objects). Resources - List Resources subtab (list and manage resource objects only)
Resource Password Administrator	Change and reset resource proxy account passwords.	Tasks - Find Tasks, All Tasks, Run Tasks subtabs Resources - List Resources subtab. Change resource password only (from Manage Connection-->Change Password in the actions menu)
Resource Report Administrator	Create, edit, delete, and run resource reports.	Reports - All subtabs (resource reports only)
Risk Analysis Administrator	Create, edit, delete, and run risk analysis.	Risk Analysis - All subtabs
Role Administrator	Create, modify, and delete roles.	Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles) Roles - All subtabs
Role Report Administrator	Create, edit, delete, and run resource reports.	Reports - Role reports only
Run Admin Report	Run administrator reports.	Reports - Admin reports onlyl
Run Audit Report	Run audit reports.	Reports - AuditLog and Usage reports only
Run Reconcile Report	Run reconciliation reports.	Reports - AuditLog and Usage reports only
Run Resource Report	Run resource reports.	Reports - AuditLog and Usage reports only
Run Risk Analysis	Run risk analysis.
Run Role Report	Run role reports.	Reports - Role reports only
Run Task Report	Run task reports.	Reports - Task reports only
Run User Report	Run user reports.	Reports - User reports only
Security Administrator	Create users with capabilities; manage encryption keys, login configuration, and policies.	Accounts - List Accounts (delete, create, update, edit, change and edit passwords), Find Users subtabs (audit report) Passwords - All subtabs Tasks - Find Tasks, All Tasks, Run Tasks subtabs Reports - All subtabs Resources - List Resources (list and control resource objects) Configure - Policies, Login subtabs
Task Report Administrator	Create, edit, delete, and run task reports.	Reports - Create and manage task reports
Unassign User	Unassign and unlink existing resource accounts. Does not include bulk operations.	Accounts - List Accounts (Unassign only), Find Users subtabs Tasks - All subtabs
Unlink User	Unlink existing resource accounts. Does not include bulk operations.	Accounts - List Accounts (Unlink only), Find Users subtabs Tasks - All subtabs
Unlock User	Unlock existing user’s resource accounts that support unlock. Does not include bulk operations.	Accounts - List Accounts (Unlock only), Find Users subtabs Tasks - Find Tasks, All Tasks, Run Tasks subtabs
Update User	Edit existing users and initiate user update requests.	Accounts - Edit and update users Tasks - Manage existing tasks (from the All Tasks subtab)
User Account Administrator	All operations on users.	Accounts - List Accounts, Find Users, Extract to File, Load from File, Load from Resource subtabs. Cannot assign user capabilities (Security form tab on List Accounts subtab). Tasks - Find Tasks, All Tasks, Run Tasks subtabs
User Report Administrator	Create, edit, delete, and run user reports.	Reports - Run user reports.
View User	View individual user details.	Accounts - Select users from the list to view individual user account information. No change actions allowed.
Waveset Administrator	Perform system-wide tasks, such as modification of system configuration objects.	Tasks - All subtabs. Synchronize roles, edit source adapter template, and schedule reports Reports - All subtabs Resources - List Resources (list only; no change actions allowed) Configure - Audit Events, Email Templates, Form and Process Mappings subtabs

Table 1. Identity Manager Capabilities Descriptions

---

Understanding Admin Roles

Admin roles enable the assignment of a unique set of capabilities for each set of organizations managed by an administrator. An admin role is assigned capabilities and controlled organizations; it can then be assigned to an administrative user.

The assignment of capabilities and organizations to an admin role can be:

Direct — This option allows you to assign specific capabilities, controlled organizations, or both to the admin role.
Dynamic (indirect) — This option uses capabilities and controlled organizations rules to dynamically determine, each time the assigned user logs into Identity Manager, the capabilities and controlled organizations given to him through the admin role.

---

Note  See Capabilities Rules and Controlled Organizations Rules for key information about setting up these rules.

---

You can assign one or more admin roles to each user. An admin role can be assigned to one or more users.

User Admin Role

Identity Manager includes a built-in admin role, titled "User". By default, it contains no capabilities or controlled organization assignments, and it cannot be deleted. This admin role is implicitly assigned to all users (end users and administrators) at login time.

You can edit the User admin role through the Administrator interface (select Configure, and then select Admin Roles).

Because any capabilities or controlled organizations that are statically assigned through this admin role are assigned to all users, it is recommended that the assignment of capabilities and controlled organizations be done through rules. This will enable different users to have different (or no) capabilities, and assignments will be scoped depending on factors such as who they are, which department they are in, or whether they are managers, which can be queried for within the context of the rules.

The User admin role does not deprecate or replace the use of the authorized=true flag used in workflows. This flag is still appropriate in cases where the user should not have access to objects accessed by the workflow, except when the workflow is executing. Essentially, this lets the user enter a "run as superuser" mode.

However, in cases where a user should have specific access to one or more objects outside of and potentially inside of workflows, then dynamic assignment of capabilities and controlled organizations via the User admin role enables dynamic, fine-grain authorization to those objects.

Example

The steps in the following example show how the User admin role can be used in a dynamic environment.

Create two Active Directory ou's:
"Chicago Cubs" && "New York Yankees"
Create three Active Directory users in each ou, with the following attributes set:
Chicago Cubs:
Dusty Baker (title = 'manager', manager = '')
Kerry Woods (title = 'pitcher', manager = 'Dusty Baker')
Mark Prior (title = 'pitcher', manager = 'Dusty Baker')
New York Yankees
Joe Torre (title = 'manager', manager = '')
Alex Rodriguiz (title = '3rd', manager = 'Joe Torre')
Derek Jeter (title = 'shortstop', manager = 'Joe Torre')
Assign the following rules to the User admin role:
capabilitesRule ==> If Team Manager Assign Account Admin Capability
controlledOrganizationsRule ==> If Team Manager Assign Control of My Team
Create an Identity Manager organization named “My Team” and assign:
userMembersRule ==> Get My Team

When a user logs in, then:

If his Active Directory user title is 'manager', then he will be assigned the "Account Administrator" capability and assigned control of the "My Team" organization.
If his AD user title is not 'manager', then he will not be assigned any capabilities or organizations to control.
If the logged-in user's title is 'manager', then when the "My Team" organization is opened, the "Get My Team" rule will invoke getResourceObjects on the Active Directory resource requesting all users whose 'manager' is the accountInfo.accounts[AD].accountId of the user currently logged in.

This setup will enable managers logged into the User interface to manage their employees, and prevent employees from performing admin functions when logged in to the User interface.

Creating and Editing Admin Roles

To create or edit an admin role, you must be assigned the Admin Role Administrator capability. To access the admin roles area, click Configure, and then click Admin Roles. The Admin Roles list page allows you to create, edit, and delete admin roles in Identity Manager.

To edit an existing admin role, click a name in the list. Click New to create an admin role. Identity Manager displays the Create Admin Role page, where you specify the capabilities and scope of the new admin role.

Figure 8. Admin Role: Create Page

Scoping Controlled Organizations

For each directly assigned, controlled organization included in an admin role, you can define the scope of objects on which a user can act. You can choose to include or exclude one or more objects that are generally available to each organization controlled by the user.

For example, you might choose to restrict the access of a user who can create, update, and delete users within an organization that includes a wide range of resources to a specific subset of resources in that organization. To do this, you could create an admin role with these characteristics:

Name — NT User Administrator
Capabilities — Create User, Update User, Delete User
Controlled Organization — OrganizationName
Included Resources — NT

To do this, make selections in the Select Objects to Include / Exclude area of the Create Admin Role page.

Figure 9. Admin Role: Include/Exclude Selections for Controlled Organizations

If you include an item in both an include and an exclude list, it is excluded from the admin role.

Assigning User Forms to an Admin Role

You can specify a user form as an attribute of an admin role. The admin assigned the admin role will use this user form when he creates or edits users in the organizations controlled by that admin role. A user form assigned through an admin role overrides any user form that is inherited from the organization of which the admin is a member. It does not override a user form that is directly assigned to the admin.

The user form that will be used when editing a user is determined in this order of precedence:

If a user form is assigned directly to the admin, then it is used.
If no user form is assigned directly to the admin, but the admin is assigned an admin role that:
controls the organization of which the user being created or edited is a member, and
specifies a user form

then that user form is used.

If no user form is assigned directly to the admin, or assigned indirectly through an admin role, then the user form assigned to the admin’s member organizations (starting with the admin’s member organization and going up to just below Top) is used.
If none of the admin’s member organizations are assigned a user form, then the default user form is used.

If an admin is assigned more than one admin role that controls the same organization but specifies different user forms, then an error is displayed when he attempts to create or edit a user in that organization. If an admin attempts to assign two or more admin roles that control the same organization but specify different user forms, then an error is displayed. Changes cannot be saved until the conflict is resolved.

Capabilities Rules and Controlled Organizations Rules

The following samples show how you might set up a capabilities rule or controlled organizations rule that can dynamically control the assigned capabilities or controlled organizations given to a user assigned an admin role.

---

Note  For information about creating and working with rules in Identity Manager, see Identity Manager Deployment Tools.

---

Capabilities Rule: Key Definitions and Inclusions

A capabilities rule must include the authType=’CapabilitiesRule’ entry. This is required to ensure that you can select the rule from within the admin role page.
The context is the currently authenticated Identity Manager user’s user view.
In the following sample rule, the defined variable (defvar) ‘user groups’ gets the currently authenticated Identity Manager user’s account on the Windows Active Directory server named ‘ranger-AD’, and returns the list of groups of which the user is currently a member.
The conditional logic (cond) checks to see if the currently authenticated Identity Manager user is a member of the ‘manager’ group. If yes, the user is assigned the Identity Manager capabilities Login Administrator and Resource Administrator. If no, then no Identity Manager capabilities are assigned.

Sample Capabilities Rule

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>

<Rule authType='CapabilitiesRule' name='If Manager'>

   <block>

      <defvar name='user groups'>

         <get>

            <invoke name='getResourceObject'               class='com.waveset.ui.FormUtil'>

         <ref>context</ref>

            <s>ranger-AD</s>

            <s>User</s>

         <ref>accountInfo.accounts[ranger-AD].accountId</ref>

         <map>

            <s>searchAttrsToGet</s>

               <list>

            <s>memberOf</s>

               </list>

         </map>

         </invoke>

            <s>user.attributes.memberOf</s>

         </get>

      </defvar>

   <cond>

      <contains>

         <ref>user groups</ref>

            <s>CN=manager,DC=dev-ad,DC=waveset,DC=com</s>

      </contains>

      <list>

         <s>Login Administrator</s>

         <s>Resource Administrator</s>

      </list>

   </cond>

   </block>

   <MemberObjectGroups>

      <ObjectRef type='ObjectGroup' id='#ID#ObjectGroup:Waveset'        name='Waveset'/>

   </MemberObjectGroups>

</Rule>

Controlled Organizations Rule: Key Definitions

A controlled organizations rule must include the authType=’ControlledOrganizationsRule’ entry. This enables you to select the rule from within the admin role page.
The context is the currently authenticated Identity Manager user’s user view.
In the following sample rule, the defined variable (defvar) ‘user groups’ gets the currently authenticated Identity Manager user’s account on the Windows Active Directory server named ‘ranger-AD’ and returns the list of groups of which the user is currently a member.
The conditional logic (cond) checks to see if the currently authenticated Identity Manager user is a member of the ‘manager’group. If yes, the user is assigned control of the Identity Manager ‘Waveset’ organization. If no, then no organizational control is assigned.

Sample Controlled Organizations Rule

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>

<Rule authType='ControlledOrganizationsRule' name='Get managed departments'>

   <block>

      <defvar name='user groups'>

         <get>

            <invoke name='getResourceObject'               class='com.waveset.ui.FormUtil'>

            <ref>context</ref>

               <s>ranger-AD</s>

               <s>User</s>

            <ref>accountInfo.accounts[ranger-AD].accountId</ref>

            <map>

               <s>searchAttrsToGet</s>

            <list>

               <s>memberOf</s>

            </list>

            </map>

         </invoke>

            <s>user.attributes.memberOf</s>

         </get>

      </defvar>

   <cond>

      <contains>

      <ref>user groups</ref>

         <s>CN=manager,DC=dev-ad,DC=waveset,DC=com</s>

   </contains>

      <list>

         <s>Waveset</s>

      </list>

     </cond>

   </block>

   <MemberObjectGroups>

   <ObjectRef type='ObjectGroup' id='#ID#ObjectGroup:Waveset'        name='Waveset'/>

   </MemberObjectGroups>

</Rule>

---

Understanding Email Templates

Identity Manager uses email templates to deliver information and requests for action to users and approvers. The system includes templates for:

Account Creation Approval — Sends notification to an approver that a new account is awaiting his approval. The system sends this notification when the Provisioning Notification Option for the associated role is set to approval.
Account Creation Notification — Sends notification that an account has been created with a particular role assignment. The system sends this notification when one or more administrators are selected in the Notification recipients field on the Create Role or Edit Role pages.
Password Reset — Sends notification of a Identity Manager password reset. Depending on the Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the administrator resetting the password or emails the user whose password is being reset.
Password Synchronization Notice — Notifies the user that a password change has completed successfully on all resources. The notification lists which resources were updated successfully and indicates the origin of the password change request.
Password Synchronization Failure Notice — Notifies the user that the password change was not successful on all resources. The notification provides a list of errors and indicates the origin of the password change request.
Reconcile Account Event, Reconcile Resource Event, Reconcile Summary — Called from the Notify Reconcile Response, Notify Reconcile Start, and Notify Reconcile Finish default workflows, respectively. Notification is sent as configured in each workflow.
Report — Sends a generated report to a specified list of recipients.
Request Resource — Sends notification to a resource administrator that a resource has been requested. The system sends this notification when an administrator requests a resource from the Resources area.
Retry Notification — Sends notification to an administrator that a particular operation has been unsuccessfully attempted on a resource a specified number of times.
Risk Analysis — Sends a risk analysis report. The system sends this report when one or more email recipients are specified as part of a resource scan.
Temporary Password Reset — Sends notification to the user or role approver that a temporary password has been provided for the account. Depending on the Password Reset Notification Option value selected for the associated Identity Manager policy, the system displays notification immediately (in the Web browser) to the user, emails the user, or emails the role approvers.

Customizing Email Templates

You can customize email templates to provide specific directions to the recipient, telling him how to accomplish a task or see results. For example, you might want to customize the Account Creation Approval template to direct an approver to an account approval page:

Please go to http://host.example.com:8080/idm/approval/approval.jsp to approve account creation for $(fullname).

To customize the Account Creation Approval template:

From the menu bar, select Configure.
On the Configure page, select Email Templates.
Click to select the Account Creation Approval template.





Figure 10. Customize Email Template

Enter details for the template:
In the SMTP Host field, enter the SMTP server name so that email notification can be sent.
In the From field, customize the originating email address.
In the To and Cc fields, enter one or more email addresses or Identity Manager accounts that will be the recipients of the email notification.
In the Email Body field, customize the content to provide a pointer to your Identity Manager location.
Click Save.

---

Note  You can also modify email templates by using the Business Process Editor (BPE). For more information on the BPE, see Identity Manager Deployment Tools.

---

HTML and Links in Email Templates

You can insert HTML-formatted content into an email template to display in the body of an email message. Content can include text, graphics, and Web links to information. To enable HTML-formatted content, select the HTML Enabled option.

Allowable Variables in the Email Body

You can also include references to variables in the email template body, in the form $(Name); for example: Your password $(password) has been recovered.

Allowable variables for each template are defined in the following table.

Template	Allowable Variables
Password Reset	$(password) – newly generated password
Update Approval	$(fullname) – user’s full name $(role) – user’s role
Update Notification	$(fullname) – user’s full name $(role) – user’s role
Report	$(report) – generated report $(id) – encoded ID of the task instance $(timestamp) – time when email was sent
Request Resource	$(fullname) – user’s full name $(resource) – resource type
Risk Analysis	$(report) – risk analysis report
Temporary Password Reset	$(password) – newly generated password $(expiry) – password expiration date

Table 2. Email Template Variables

---

Audit Group Configuration

Setting up audit configuration groups allows you to record and report on system events you select.

To configure audit configuration groups, select Configure from the menu bar, and then select Audit Events.

The Audit Events page shows the list of audit configuration groups, each of which may contain one or more events. For each group, you can record successful events, failed events, or both.

Click an audit configuration group in the list to display the Edit Audit Configuration Group page. This page lets you select the types of audit events to be recorded as part of an audit configuration group in the system audit log.

Editing Events in the Audit Configuration Group

To edit events in the group, you can add or delete actions for an object type. To do this, move items in the Actions column from the Available to the Selected area for that object type, and then click OK.

Adding Events to the Audit Configuration Group

To add an event to the group, click New. Identity Manager adds an event at the bottom of the page. Select an object type from the list in the Object Type column, and then move one or more items in the Actions column from the Available area to the Selected area for the new object type. Click OK to add the event to the group.

---

Remedy Integration

You can integrate Identity Manager with a Remedy server, enabling it to send Remedy tickets according to a specified template.

Set up Remedy integration in two areas of the Administrator interface:

Remedy server settings — Set up Remedy configuration by creating a Remedy resource from the Resources area. After setting up the resource, test the connection to ensure integration is enabled.
Remedy template — After setting up the Remedy resource, define a Remedy template. To do this, select Configure, and then select Remedy Integration. You will then select the Remedy schema and resource.

Creation of Remedy tickets is configured through Identity Manager workflow. Depending on your preferences, a call can be made at an appropriate time that uses the defined template to open a Remedy ticket. For more information about configuring workflows, see Identity Manager Workflows, Forms, and Views.

---

Configuring Identity Manager Server Settings

You can edit server-specific settings so that Identity Manager servers run only specific tasks. To do this, select Configure, and then select Servers.

To edit settings for an individual server, select a server in the list on the Configure Servers page. Identity Manager displays the Edit Server Settings page, where you can edit reconciler and scheduler settings.

Reconciler Settings

By default, reconciler settings display on the Edit Server Settings page. You can accept the default value or de-select the Use default option to specify a value:

Parallel Resource Limit — Specify the maximum number of resources that the reconciler can process in parallel.
Minimum Worker Threads — Specify the number of processing threads that the reconciler will always keep alive.
Maximum Worker Threads — Specify the maximum number of processing threads that the reconciler can use. The reconciler will only start as many threads as the workload requires; this places a limit on that number.

Scheduler Settings

Click Scheduler on the Edit Server Settings page to display scheduler options. You can accept the default value or de-select the Use default option to specify a value:

Scheduler Startup — Select a startup mode for the scheduler:
Automatic — Starts when the server is started. This is the default startup mode.
Manual — Starts when the server is started, but remains suspended until manually started.
Disabled — Does not start when the server is started.
Tracing Enabled — Select this option to activate scheduler debug tracing to standard output.
Task Restrictions — Specify the set of tasks that can execute on the server. To do this, select one or more tasks from the list of available tasks. The list of selected tasks can be an inclusion or exclusion list depending on the option you select. You can choose to allow all tasks except those selected in the list (the default behavior), or allow only the selected tasks.

Click Save to save changes to the server settings.

Editing Default Server Settings

The Default Server Settings feature lets you set the default settings for all Identity Manager servers. The servers inherit these settings unless you select differently in the individual server settings pages. To edit the default settings, click Edit Default Server Settings. The Edit Default Server Settings page displays the same options as the individual server settings pages.

Changes you make to each default server setting is propagated to the corresponding individual server setting, unless you have de-selected the Use default option for that setting.

Click Save to save changes to the server settings.

---

Signed Approvals

Use the following information and procedures to set up digitally signed approvals. Steps and examples follow for:

Configuring signed approvals (server-side and client-side)
Adding certificates and CRL to Identity Manager
Signing approvals

Configuring Signed Approvals

Follow these steps to configure signed approvals.

Server-Side Configuration

To enable server-side configuration:

In the system configuration, set security.nonrepudiation.signedApprovals=true
Add your certificate authority (CA)’s certificates as trusted certificates. To do this, you must first obtain a copy of the certificates.

For example, if you are using a Microsoft CA, follow steps similar to these:

Go to http://IPAddress/certsrv and log in with administrative privileges.
Select Retrieve the CA certificate or certificate revocation list, and then click Next.
Download and save the CA certificate.
Add the certificate to Identity Manager as a trusted certificate:
From the Administrator interface, select Configure, and then select Certificates. Identity Manager displays the Certificates page.





Figure 11. Certificates

In the Trusted CA Certificates area, click Add. Identity Manager displays the Import Certificate page.
Browse to and then select the trusted certificate, and then click Import.

The certificate now displays in the list of trusted certificates.

Add your CA's certificate revocation list (CRL):
In the CRLs area of the Certificates page, click Add.
Enter the URL for the CA's CRL.

---

Notes:

---

The certificate revocation list (CRL) is a list of certificate serial numbers that have been revoked or are not valid.
The URL for the CA’s CRL may be http or LDAP.
Each CA has a different URL where CRLs are distributed; you can determine this by browsing the CA certificate’s CRL Distribution Points extension.
Click Test Connection to verify the URL.
Click Save.
Sign applets/ts1.jar using jarsigner.

---

Note  Refer to http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html for more information. The ts1.jar file provided with Identity Manager is signed using a self-signed certificate, and should not be used for production systems. In production, this file should be re-signed using a code-signing certificate issued by your trusted CA.

---

Client-Side Configuration

Follow these steps to enable client-side configuration:

Prerequisites

Your client system must be running a Web browser with JRE 1.4 or higher.

Procedure

Obtain a certificate and private key, and then export them to a PKCS#12 keystore.

For example, if using a Microsoft CA, you would follow steps similar to these:

Using Internet Explorer, browse to http://IPAddress/certsrv, and then log in with administrative privileges.
Select Request a certificate, and then click Next.
Select Advanced request, and then click Next.
Click Next.
Select User for Certificate Template.
Select these options:
Mark keys as exportable
Enable strong key protection
Use local machine store
Click Submit, and then click OK.
Click Install this certificate.
Select Run —> mmc to launch mmc.
Add the Certificate snap-in:
Select Console—>Add/Remove Snap-in.
Click Add...
Select Computer account.
Click Next, and then click Finish.
Click Close.
Click OK.
Go to Certificates—>Personal—>Certificates.
Right-click Administrator All Tasks—>Export.
Click Next.
Click Next to confirm exporting the private key.
Click Next.
Provide a password, and then click Next.
File CertificateLocation.
Click Next, and then click Finish. Click OK to confirm.

Signing Approvals

Follow these steps to sign an approval.

from the Identity Manager Administrator interface, select Approvals.
Select an approval from the list.
Enter comments for the approval, and then click Approve.

Identity Manager prompts you and asks whether to trust the applet.

Click Always.

Identity Manager displays a dated summary of the approval.

Enter or click Browse to locate the keystore location (the location provided in Step 10m of the server-side configuration procedure).
Enter the keystore password (the password provided in Step 10l of the server-side configuration procedure).
Click Sign to approve the request.

Signing Subsequent Approvals

After signing an approval, subsequent approval actions require only that you enter the keystore password and then click Sign. (Identity Manager should remember the keystore location from the previous approval.)

Viewing the Transaction Signature

Follow these steps to view the transaction signature in an Identity Manager AuditLog report.

From the Identity Manager Administrator interface, select Reports.
On the Run Reports page, select AuditLog Report from the New... list of options.
In the Report Title field, enter a title (for example, “Approvals”).
In the Organizations selection area, select all organizations.
Select the Actions option, and then select Approve.
Click Save to save the report and return to the Run Reports page.
Click Run to run the Approvals report.
Click the details link to see transaction signature information, including:
issuer
subject
certificate serial number
message signed
signature
signature algorithm

Previous      Contents      Next

---

Copyright 2006 Sun Microsystems, Inc. All rights reserved.