Novell IDENTITY MANAGER 3.6.1 - WORKORDER DRIVER IMPLEMENTATION GUIDE 18-12-2009 Implementation Manual


AUTHORIZED DOCUMENTATION
WorkOrder Driver Implementation Guide
Novell® Identity Manager 3.6.1
December 18, 2009
www.novell.com

Summary of Contents for Novell IDENTITY MANAGER 3.6.1 - WORKORDER DRIVER IMPLEMENTATION GUIDE 18-12-2009

  • Page 1 AUTHORIZED DOCUMENTATION WorkOrder Driver Implementation Guide Novell® Identity Manager 3.6.1 December 18, 2009 www.novell.com
  • Page 2 Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents: About This Guide; 1 Overview; The Work Order Process (page 9); 1.1.1 Subscriber Channel Functions.
  • Page 6 7 Creating and Managing Work Orders; Using Drivers to Create Work Orders (page 35); Using iManager.
  • Page 7: About This Guide

    For documentation on other Identity Manager drivers, see the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36drivers). Documentation Conventions: In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
  • Page 8 A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
  • Page 9: Overview

    Overview Typically, changes to data in the Identity Vault or a connected application are immediately processed. Work orders enable you to schedule when tasks are to be performed. For example, a new employee is hired but is not scheduled to start for a month. The employee needs to be added to the HR database but should not be granted access to any corporate resources (e-mail, servers, and so forth) until the start date.
  • Page 10 First, Placement and Create rules are configured so all new work orders that contain the required attributes are sent to the Subscriber channel. The following attributes must be present for a work order to pass the Create rule and go to the Subscriber channel: DirXML-nwoContent, DirXML-nwoStatus, DirXML-DoItNow Flag...
  • Page 11: Publisher Channel Functions

    1.1.2 Publisher Channel Functions. This section reviews the functions of the Publisher channel: “The Publisher Channel Wakes Up” on page 11; “How the Publisher Channel Processes Work Orders” on page 12; “How the Publisher Channel Deletes Work Orders” on page 13. The Publisher Channel Wakes Up: The following flowchart illustrates the Publisher channel’s action when it wakes up.
  • Page 12 2. The Publisher channel wakes when the polling time has expired and queries the work order container for work orders that are pending and due. The driver processes these work orders. Work orders with delete due dates are deleted. a. The Publisher channel queries the work order container for work orders that are pending and due.
  • Page 13 dependent work order status is configured, the Publisher channel processes the work order. If not, the work order waits until the next polling loop to see if the dependent work order has been configured. 2. The Publisher channel performs the work orders that are due, completing the appropriate action based on the attributes of the DirXML-WorkOrder objects.
  • Page 14: Key Features

    1.2 Key Features The following list describes key features of the WorkOrder driver: Schedules work orders: The WorkOrder driver allows work to be scheduled for a specific date and time. Supports dependent work orders: If a work order is dependent on another work order, it is not processed until the dependent work order has been successfully processed.
  • Page 15: Implementation Checklist

    Implementation Checklist. Use the following checklist to ensure that you complete all of the tasks required to set up and use the WorkOrder driver. Table 2-1 WorkOrder Implementation Checklist. Task: Install the WorkOrder driver files. Details: By default, the WorkOrder driver files (driver shim and configuration file) are copied to the Metadirectory server when the Metadirectory engine is installed.
  • Page 17: Installing Driver Files

    Installing Driver Files By default, the WorkOrder driver files are installed on the Metadirectory server at the same time as the Metadirectory engine. The installation program extends the Identity Vault’s schema and installs both the driver shim and the driver configuration files. It does not create the driver in the Identity Vault (see Chapter 4, “Creating a New Driver,”...
  • Page 19: Creating A New Driver

    Creating a New Driver After the WorkOrder driver files are installed on the server where you want to run the driver (see Chapter 3, “Installing Driver Files,” on page 17), you can create the driver in the Identity Vault. You do so by importing the basic driver configuration file and then modifying the driver configuration to suit your environment.
  • Page 20: Configuring The Driver Settings

    Driver is Local/Remote: Select Local if this driver will run on the Metadirectory server without using the Remote Loader service. Select Remote if you want the driver to use the Remote Loader service, either locally on the Metadirectory server or remotely on another server.
  • Page 21: Deploying The Driver

    4.2.3 Deploying the Driver After a driver is created in Designer, it must be deployed into the Identity Vault. 1 In Designer, open your project. 2 In the Modeler, right-click the driver icon or the driver line, then select Live > Deploy. 3 If you are authenticated to the Identity Vault, skip to Step 5;...
  • Page 22: Creating The Driver In Imanager

    4.3 Creating the Driver in iManager You create the WorkOrder driver by importing the driver’s basic configuration file and then modifying the configuration to suit your environment. After you’ve created and configured the driver, you need to start it. Section 4.3.1, “Importing the Driver Configuration File,” on page 22 Section 4.3.2, “Configuring the Driver Settings,”...
  • Page 23 Prompt: Remote Password. Description: This applies only if the driver is running remotely. Specify the Remote Loader’s password (as defined on the Remote Loader service). The Metadirectory engine (or Remote Loader shim) requires this password to authenticate to the Remote Loader. Prompt: Define Security Equivalences. Description: The driver requires rights to objects within the Identity Vault and to the input and output directories on the server.
  • Page 24: Configuring The Driver Settings

    To skip the configuration settings at this time, click Finish. When you are ready to configure the settings, continue with the next section, Configuring the Driver Settings. 4.3.2 Configuring the Driver Settings After importing the driver configuration file, the WorkOrder driver will run. However, the basic configuration might not meet the requirements for your environment.
  • Page 25: Activating The Driver

    If you created the driver in a driver set that has not been activated, you must activate the driver within 90 days. Otherwise, the driver stops working. For information on activation, refer to “Activating Novell Identity Manager Products” in the Identity Manager 3.6.1 Installation...
  • Page 27: Upgrading An Existing Driver

    Upgrading an Existing Driver If you are running the driver on the Metadirectory server, the driver shim files are updated when you update the server unless they were not selected during a custom installation. If you are running the driver on another server, the driver shim files are updated when you update the Remote Loader on the server.
  • Page 29: Customizing The Driver

    Customizing the Driver After you create a new WorkOrder driver by importing the basic configuration file, the driver processes WorkOrder objects from the Identity Vault to create WorkToDo objects. This is all the WorkOrder driver does when using the basic configuration. For any additional work to be done, you must customize the WorkOrder driver or other Identity Manager drivers to perform the desired work.
  • Page 30: Publisher Channel

    Rule or Policy: Create Rule. What it does: Contains rules only for WorkOrder objects. Requires values for the following attributes on a WorkOrder object: nwoStatus, nwoSendToPublisher, nwoDoItNow, nwoContent, nwoType. If the values are not present, the work order is not sent to the Publisher channel and the work order is not updated by the driver.
  • Page 31: Human Resource Example Using An Hr Driver

    6.2 Human Resource Example Using an HR Driver The following example illustrates how the WorkOrder driver can be used with an HR driver to create a new user and postpone activating the new employee’s access to the system until the hire date.
  • Page 32: Human Resource Driver Policies

    Mapping Rule: The mapping rule maps the attributes used in the WorkOrder driver to attributes in the Identity Vault. You can view the sample at hr-drv-schema-map.xml (http://www.novell.com/documentation/idm36drivers/work_order/samples/hr-drv-schema-map.xml). Filter: The filter attribute allows only the attributes that are needed by this example to be passed through.
  • Page 33: Workorder Driver Policy

    When direct is equal to True, the action is performed as desired, but the results are not returned to the driver. Therefore, the driver cannot report the results of the write correctly. You can view the sample at hr-wo-drv-pub-cmd-transform.xml (http://www.novell.com/documentation/idm36drivers/work_order/samples/hr-wo-drv-pub-cmd-transform.xml). 6.3 Human Resource Example without an HR Driver: This example creates a new user and postpones activating the new employee’s access to the system...
  • Page 34: Filter Additions

    The Create rule vetoes this event if the loginActivationTime or the loginDisabled attributes are not present. It also vetoes this event if the loginDisabled attribute is set to False. You can view the sample at wo-create.xml (http://www.novell.com/documentation/idm36drivers/work_order/samples/wo-create.xml). 6.3.3 Subscriber Command Transform: This policy checks to see if the event is an Add of a user object.
  • Page 35: Creating And Managing Work Orders

    Creating and Managing Work Orders There are two ways to create work orders. The following sections review how this is accomplished: Section 7.1, “Using Drivers to Create Work Orders,” on page 35 Section 7.2, “Using iManager,” on page 35 7.1 Using Drivers to Create Work Orders Identity Manager drivers can create work orders as a result of events processed by the drivers.
  • Page 36 WorkToDo object when the work order is processed. Work Order Number: A unique work order number. This value can be assigned by a corporate work order system other than Novell® eDirectory, such as a work order database.
  • Page 37: Filtering The Work Order List

    3 Select one of the following options when you are finished specifying or editing the work order properties: Click Apply to save the current information and continue working. Click OK to save and close the work order. Click Cancel to close the work order without saving the information. 7.2.3 Filtering the Work Order List 1 Click Show under Work Order Management.
  • Page 39: Managing The Driver

    Managing the Driver. As you work with the WorkOrder driver, there are a variety of management tasks you might need to perform, including the following: starting and stopping the driver; viewing driver version information; using Named Passwords to securely store passwords associated with the driver; monitoring the driver’s health status; backing up the driver; inspecting the driver’s cache files...
  • Page 41: Troubleshooting Driver Processes

    Troubleshooting Driver Processes Viewing driver processes is necessary to analyze unexpected behavior. To view the driver processing events, use DSTrace. You should only use it during testing and troubleshooting the driver. Running DSTrace while the drivers are in production increases the utilization on the Identity Manager server and can cause events to process very slowly.
  • Page 43: A Driver Properties

    Driver Properties This section provides information about the Driver Configuration and Global Configuration Values properties for the WorkOrder driver. These are the only unique properties for drivers. All other driver properties (Named Password, Engine Control Values, Log Level, and so forth) are common to all drivers.
  • Page 44: Driver Module

    .jar file. If this option is selected, the driver is running locally. The name of the Java class is: com.novell.nds.dirxml.driver.workorder.WorkOrderDriverShim. Connect to Remote Loader: Used when the driver is connecting remotely to the connected system. Designer includes two...
  • Page 45: Startup Option

    Authentication Options Table A-3 Option Description Authentication ID Specify a user application ID. This ID is used to pass Identity Vault subscription information to the application. Example: Administrator User ID Authentication Context Specify the IP address or name of the server the application shim should communicate with.
  • Page 46: Driver Parameters

    Option Description Disabled The driver has a cache file that stores all of the events. When the driver is set to Disabled, this file is deleted and no new events are stored in the file until the driver state is changed to Manual or Auto Start. Do not automatically This option only applies if the driver is deployed and was previously disabled.
  • Page 47: Ecmascript (Designer Only)

    Option Description Publisher Heartbeat every Poll Interval Specifies if the Publisher should emit heartbeat documents. The driver emits heartbeat documents to indicate to the Identity Manager engine that the driver is still functioning. If you don’t use the Poll Interval setting, this setting is automatically disabled.
  • Page 48 2 To add a GCV to the WorkOrder driver, right-click the driver icon or line, then select Properties > Global Configuration Values. To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.
  • Page 49: B Objects And Attributes Used

    Objects and Attributes Used This section reviews the new objects and attributes used by the driver. Section B.1, “New Objects Used by the Driver,” on page 49 Section B.2, “DoItNow and SendToPublisher Flags,” on page 49 B.1 New Objects Used by the Driver Using two new object classes in the Identity Vault, the Identity Manager WorkOrder driver configures work orders and records the results.
  • Page 50: Doitnow Flag

    B.2.1 DoItNow Flag When this flag is set to True, the Subscriber channel wakes up the Publisher channel by sending the work order to the Publisher channel. This allows the Publisher channel to perform the work order immediately instead of waiting for the next polling time or polling interval. Use this flag when you want the work order completed immediately.
  • Page 51: C Schema And Policy Rules For Work Order Management

    Schema and Policy Rules For Work Order Management. As part of the installation of the WorkOrder driver, Novell® eDirectory is extended to include two new object classes. These objects allow the driver to connect to the Identity Vault correctly, perform work orders, and create a process log with the work order status.
  • Page 52 Work Order Attributes (eDirectory Namespace), with type and description. DirXML-nwoDoItNowFlag (Boolean): If set to True, the Subscriber channel sends the work order to the Publisher channel to be processed immediately. DirXML-nwoSendToPublisher (Boolean): If set to True, the Subscriber channel sends the work order to the Publisher channel to be written to the WorkOrder container.
  • Page 53: Dirxml-Worktodo Object

    Work Order Attributes (eDirectory Namespace), with type and description. DirXML-nwoDeleteDueDate (Time): If the status is Pending or Configured, this attribute shows the date and time the work order will be deleted. DirXML-CreatorName (Distinguished Name): Information about the work order. The driver does not change this attribute. It is passed through to the WorkToDo object when the work order is processed.
  • Page 54: Publisher Placement Rule

    C.3 Publisher Placement Rule The Publisher Placement rule determines where the work orders are placed in the Identity Vault after they are processed. These containers might be the same or different, depending on how you choose to set up your customized driver. For example, you could have work orders stored in containers depending on the returned status, such as configured, error, warning, or on hold.