Novell Identity Manager Implementation Guide

Novell® (www.novell.com), AUTHORIZED DOCUMENTATION
Implementation Guide: Identity Manager Entitlements Service Driver 3.6.1
novdocx (en) 17 September 2009

Identity Manager 3.6.1 Driver for Role-Based Entitlements: Implementation Guide

Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. For more information on exporting Novell software, see the Novell International Trade Services Web page (http://www.novell.com/info/exports/). Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at Novell Legal Patents (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see Novell Documentation (http://www.novell.com/documentation/).
Novell Trademarks
For a list of Novell trademarks, see Trademarks (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 7
1 Overview 9
  1.1 How the Entitlements Service Driver Works 9
  1.2 Role-Based Entitlements Versus Other Entitlements 11
  1.3 Multiple Entitlements Service Drivers 11
2 Implementation Checklist 13
3 Creating a New Driver 15
  3.1 Creating the Driver in Designer 15
    3.1.1 Importing the Driver Configuration File 15
    3.1.2 Configuring the Driver Settings 16
    3.1.3 Deploying the Driver 16
    3.1.4 Starting the Driver 17
  3.2 Creating the Driver in iManager 17
    3.2.1 Importing the Driver Configuration File 17
    3.2.2 Configuring the Driver Settings 19
    3.2.3 Starting the Driver 19
  3.3 Activating the Driver 19
4 Upgrading an Existing Driver 21
  4.1 Supported Upgrade Paths 21
  4.2 What's New in Version 3.6.1 21
  4.3 Upgrade Procedure 21
5 Creating Entitlement Policies 23
6 Controlling the Meaning of Granting or Revoking Entitlements 27
7 Managing the Driver 29
8 Troubleshooting Role-Based Entitlements 31
  8.1 General Troubleshooting Issues 31
  8.2 Conflict Resolution between Entitlement Policies 31
    8.2.1 Conflict Overview 32
    8.2.2 Changing the Conflict Resolution Method for an Individual Entitlement 33
    8.2.3 Prioritizing Entitlement Policies 34
A Driver Properties 37
  A.1 Driver Configuration 37
    A.1.1 Driver Module 38
    A.1.2 Driver Object Password (iManager Only) 38
    A.1.3 Authentication 38
    A.1.4 Startup Option 38
    A.1.5 Driver Parameters 39
    A.1.6 ECMAScript (Designer Only) 39
  A.2 Global Configuration Values 39

About This Guide

This guide explains how to install and configure the Identity Manager Entitlements Service Driver.
Chapter 1, “Overview,” on page 9
Chapter 2, “Implementation Checklist,” on page 13
Chapter 3, “Creating a New Driver,” on page 15
Chapter 4, “Upgrading an Existing Driver,” on page 21
Chapter 5, “Creating Entitlement Policies,” on page 23
Chapter 6, “Controlling the Meaning of Granting or Revoking Entitlements,” on page 27
Chapter 7, “Managing the Driver,” on page 29
Chapter 8, “Troubleshooting Role-Based Entitlements,” on page 31
Appendix A, “Driver Properties,” on page 37
Audience
This guide is for Novell® eDirectory™ and Identity Manager administrators who are using the Entitlements Service driver to implement role-based entitlements.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of this document, see the Novell Identity Manager Drivers Documentation Web site (http://www.novell.com/documentation/idm36drivers/index.html).
Additional Documentation
For information on Identity Manager and other Identity Manager drivers, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/index.html).
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.

1 Overview

The following overview assumes that you understand entitlements (as explained in the Entitlement Overview (http://www.novell.com/documentation/idm36/idm_entitlements/?page=/documentation/idm36/idm_entitlements/data/be4rlrn.html#be4rlrn) in the Identity Manager 3.6.1 Entitlements Guide (http://www.novell.com/documentation/idm36/idm_entitlements/data/bookinfo.html)) and have created the entitlements you want managed by the Entitlements Service driver.
The Entitlements Service driver is one of three entitlement agents that you can use to grant entitlements, or permission slips, to users. The other two entitlement agents are the role-based provisioning component and workflow-based provisioning component in the User Application.
The following sections provide information to help you understand the Entitlements Service driver:
Section 1.1, “How the Entitlements Service Driver Works,” on page 9
Section 1.2, “Role-Based Entitlements Versus Other Entitlements,” on page 11
Section 1.3, “Multiple Entitlements Service Drivers,” on page 11
1.1 How the Entitlements Service Driver Works

The Entitlements Service driver grants entitlements to and revokes entitlements from users, as shown in the following diagram.
Figure 1-1 Entitlements Service Driver Process
The driver implements entitlements through the use of entitlement policies. An entitlement policy contains the following:

Membership: The list of users assigned to a policy. A user can be dynamically assigned to a policy when he or she meets the criteria for the policy, or the user can be statically (manually) assigned to the policy. In the above example, User A, User B, and User C are all members of Entitlement Policy 1. User D and User E are members of Entitlement Policy 2.

Entitlements: The list of entitlements associated with the policy. Users assigned to the policy receive all of the entitlements associated with the policy. If the user is removed from the policy, he or she loses all entitlements associated with the policy. In the above example, the Entitlements Service driver has granted the AD User Account entitlement and GroupWise® Mailbox entitlement to User A, User B, and User C. Likewise, the driver has granted the AD User Account entitlement and Exchange Mailbox entitlement to User D and User E.
The Entitlements Service driver uses the following basic process to grant entitlements to and revoke entitlements from users:
1. The driver evaluates the users within its defined scope to see if they meet the criteria established for membership in a policy. This occurs whenever:
   - Any criteria attribute used for determining membership in an entitlement policy is modified.
   - A user is moved.
   - A user is renamed.
   - You manually initiate a reevaluation of a policy's membership.
2. The driver updates the DirXML-EntitlementRef attribute of any user whose entitlements have changed. This includes granting entitlements if the user was added to an entitlement policy or revoking entitlements if the user was removed from a policy.
3. After the DirXML-EntitlementRef attribute for a user is updated, the Entitlements Service driver's job is finished. For the entitlement to be implemented, the entitlement must be defined on the appropriate driver and the driver's policies must include the actions required to enforce the entitlement. For information about creating entitlements and the policies to support them, see the Identity Manager 3.6.1 Entitlements Guide (http://www.novell.com/documentation/idm36/idm_entitlements/data/bookinfo.html).
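To make the evaluate-and-update cycle concrete, the following is an added Python simulation of steps 1 and 2 above; it is not Novell code and not how the driver is implemented. It models policies with dynamic criteria or static members, the four re-evaluation triggers, and the grant/revoke delta written to DirXML-EntitlementRef. The policy data, the attribute name department, the DNs, and the set-valued model of DirXML-EntitlementRef are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EntitlementPolicy:
    name: str
    entitlements: frozenset                  # entitlements every member receives
    criteria: tuple = ()                     # dynamic membership: ((attribute, value), ...)
    static_members: frozenset = frozenset()  # manually (statically) assigned user DNs

def is_member(user: dict, policy: EntitlementPolicy) -> bool:
    """Static assignment wins; otherwise every criteria attribute must match."""
    if user["dn"] in policy.static_members:
        return True
    return bool(policy.criteria) and all(user.get(a) == v for a, v in policy.criteria)

def needs_reevaluation(event: dict, policies) -> bool:
    """The four triggers listed in Section 1.1, step 1."""
    if event["type"] in ("move", "rename", "manual"):
        return True
    criteria_attrs = {a for p in policies for a, _ in p.criteria}
    return event["type"] == "modify" and event["attribute"] in criteria_attrs

def reconcile(user: dict, policies):
    """Step 2: recompute the user's entitlements and update DirXML-EntitlementRef.
    The attribute is modelled as a plain set of entitlement names (an assumption;
    the real attribute syntax is not described here). Returns (grants, revokes)."""
    current = frozenset(user.get("DirXML-EntitlementRef", ()))
    wanted = frozenset(e for p in policies if is_member(user, p) for e in p.entitlements)
    user["DirXML-EntitlementRef"] = wanted
    return wanted - current, current - wanted

def run_scenario():
    """Constructed data mirroring Figure 1-1: A, B, C in Policy 1, D and E in Policy 2."""
    policies = [
        EntitlementPolicy("Entitlement Policy 1", frozenset({"AD User Account", "GroupWise Mailbox"}),
                          criteria=(("department", "Sales"),)),
        EntitlementPolicy("Entitlement Policy 2", frozenset({"AD User Account", "Exchange Mailbox"}),
                          static_members=frozenset({"cn=UserD,o=acme", "cn=UserE,o=acme"})),
    ]
    user_a = {"dn": "cn=UserA,o=acme", "department": "Sales"}
    first = reconcile(user_a, policies)            # initial grant of Policy 1 entitlements
    # A criteria attribute changes: one of the re-evaluation triggers, so reconcile again.
    event = {"type": "modify", "attribute": "department"}
    user_a["department"] = "Finance"
    second = reconcile(user_a, policies) if needs_reevaluation(event, policies) else (set(), set())
    user_d = {"dn": "cn=UserD,o=acme", "department": "Finance"}
    third = reconcile(user_d, policies)            # static member: criteria are irrelevant
    return first, second, third
```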

1.2 Role-Based Entitlements Versus Other Entitlements

Entitlements managed through the Entitlements Service driver are called Role-Based Entitlements, or RBEs, because they are granted to users who are members of, or have a role in, an entitlement policy. Only the Entitlements Service driver uses Role-Based Entitlements and entitlement policies. The two other entitlement agents (roles-based provisioning and workflow-based provisioning through the User Application) use their own methods for assigning entitlements to users.
The Role-Based Entitlement functionality in iManager lets you manage the entitlement policies used by the Entitlements Service driver.

1.3 Multiple Entitlements Service Drivers

If your Identity Manager system includes multiple driver sets and you want to use Role-Based Entitlements with each driver set, you must create an Entitlements Service driver in each driver set. In addition, the Entitlements Service driver can manage only those User objects that are in a master or read/write replica on the Metadirectory server (where the Entitlements Service driver is located).
If necessary, you can run multiple Entitlements Service drivers in the same driver set. However, you must make sure that the scope of users managed by each of the drivers does not overlap. For example, entitlements for User A should not be managed by two different Entitlement Service drivers.
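As an added check, not part of this guide or the product, the following Python models each driver's scope as a list of container subtrees and reports any containers that two drivers in the same driver set would both manage, which is the overlap the paragraph above rules out. Driver names and DNs are constructed, and representing scope as container DNs is my assumption.

```python
def _rdns(dn: str) -> list:
    """Split a DN into normalised RDNs, root first: 'cn=a,ou=b,o=c' -> ['o=c', 'ou=b', 'cn=a'].
    Simplified parser: escaped commas inside RDN values are not handled."""
    return [part.strip().lower() for part in dn.split(",")][::-1]

def subtree_contains(container: str, dn: str) -> bool:
    """True if dn is the container itself or lies anywhere beneath it."""
    c, d = _rdns(container), _rdns(dn)
    return len(d) >= len(c) and d[:len(c)] == c

def find_scope_conflicts(drivers: dict) -> list:
    """drivers maps driver name -> list of container DNs whose subtrees it manages.
    Returns (driver1, container1, driver2, container2) for every overlapping pair."""
    conflicts = []
    names = sorted(drivers)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for c1 in drivers[n1]:
                for c2 in drivers[n2]:
                    if subtree_contains(c1, c2) or subtree_contains(c2, c1):
                        conflicts.append((n1, c1, n2, c2))
    return conflicts

def managing_drivers(user_dn: str, drivers: dict) -> list:
    """Drivers that would manage this user's entitlements; more than one is a misconfiguration."""
    return sorted(n for n, cs in drivers.items() if any(subtree_contains(c, user_dn) for c in cs))

# Constructed driver-set layout: the Sales driver's scope reaches into the EMEA driver's subtree.
EXAMPLE_DRIVERS = {
    "Entitlements Service Driver (EMEA)": ["ou=Users,ou=EMEA,o=acme"],
    "Entitlements Service Driver (Sales)": ["ou=Sales,ou=Users,ou=EMEA,o=acme", "ou=Sales,ou=APAC,o=acme"],
    "Entitlements Service Driver (APAC)": ["ou=Engineering,ou=APAC,o=acme"],
}
```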