Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
Entitlements Overview
Novell® Identity Manager uses entitlements as a way for you to provide users with access to resources in connected systems. You can think of an entitlement as a permission slip. For example, if you want a new employee to be given an Active Directory* account when he or she is added to your Human Resource system, the user must have a permission slip, or entitlement, for the Active Directory account.
Accountant role that requires access to the Accounting group in Active Directory. The Role Service driver grants the Active Directory Group Membership entitlement to the user. User Application Workflow-Based Provisioning: A provisioning workflow grants the entitlement to the user. For example, a new employee is added to the HR system, which causes a User object to be created in the Identity Vault.
1.3 Drivers with Preconfigured Entitlements
The following drivers include configuration files that already contain entitlements and the policies required to implement them. These entitlements support the most common scenarios, including granting and revoking user accounts, groups, and e-mail distribution lists.
Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox...
Checklist for Implementing Entitlements
Use the following checklist to ensure that you complete all of the tasks required to implement entitlements for an Identity Manager driver. The tasks are listed in the recommended order of completion, but you can change the completion order if necessary.
Table 2-1 Entitlements Checklist
Details...
User Application Roles-Based Provisioning: Manages entitlements based on roles that are assigned to users. For instructions, see the Identity Manager Roles Based Provisioning Module 3.6.1 documentation (http://www.novell.com/documentation/idmrbpm361/).
User Application Workflow-Based Provisioning: Manages entitlements through provisioning workflows. For instructions, see the Identity Manager Roles Based Provisioning Module 3.6.1...
Enabling Entitlements on a Driver
A driver must be enabled in order to use entitlements. You enable a driver by modifying the driver filter to add the DirXML-EntitlementRef attribute to the User class. Refer to the following sections for instructions: Section 3.1, “Using Designer to Enable Entitlements,”...
6 On the Driver Overview page, click the Driver Filter icon for the Subscriber channel. By default, Organizational Unit is highlighted.
7 Click User and select Add Attribute, then scroll to the bottom and select Show all attributes.
8 Select the DirXML-EntitlementRef attribute, then click OK.
9 Select DirXML-EntitlementRef in the Filter page, then under the Subscribe heading, select Notify.
Creating Entitlements
Because entitlements represent resources in a connected system, each entitlement must be created on the driver associated with the connected system. For example, to create an entitlement for an Active Directory User Account, you would create it on the Active Directory driver that connects to the directory where you want the account created.
Name: Specify the name you want used for the entitlement. This is the name used for the entitlement object in the Identity Vault, and the name that is seen in both Designer and iManager.
Display Name: By default, the entitlement agents that consume the entitlements use the name specified in the Name field.
Novell eDirectory. 4 In the Assign Multiple Values dialog box, select Yes if you want the entitlements to be able to be granted to a user more than once and with different values, then click Next.
5 You are asked if this entitlement is intended to be used by Role-Based Entitlement policies through iManager. If you want this entitlement to be granted or revoked automatically, select Yes to the Role-Based Entitlements question, click Next, then continue with Step If you want the granting or revoking of this entitlement to be a manual process (approved by someone), select No to use the User Application, then skip to...
For example, you might only want to use an entitlement one time to assign a building location to a user. However, because a user could belong to multiple groups, you might want an entitlement that assigns a user to a group to be able to be used multiple times to assign the user to multiple groups.
Enter a class to query: Click the Schema Browser button on the right side of the Class entry. The Schema Browser shows you the Classes in the eDirectory namespace that are available. If you know the name of the Class type you want to query, click an entry in the Classes tab, then start typing the Class name.
Select No if the entitlement can only be granted once, then click Next. For example, you might only want to use an entitlement one time to assign a building location to a user. However, because a user could belong to multiple groups, you might want an entitlement that assigns a user to a group to be able to be used multiple times to assign the user to multiple groups.
8 If you see the Add To Filter window, answer Yes if you want the driver to listen for this entitlement. This enables entitlements for the driver. The DirXML-EntitlementRef attribute allows the driver filter to listen for entitlement activities, which is necessary in order to use the entitlements you are creating.
8 Specify a name for the entitlement.
NOTE: You should not change an entitlement’s name after it is created. If you rename an entitlement, you need to change all of the references in the policies that are implementing the entitlement. The entitlement name is stored on the Ref and Result attributes within the policy.
The context for the entitlement is already populated, because the driver object is selected.
Information about how to create policies is provided in the Policies in Designer 3.0 (http://www.novell.com/documentation/idm36/policy_designer/data/bookinfo.html) and Policies in iManager for Identity Manager 3.6.1 (http://www.novell.com/documentation/idm36/policy_imanager/data/bookinfo.html) guides. By default, the Active Directory driver includes several entitlements and the policies required to support the entitlements.
account in Active Directory if the user is not entitled to an account in Active Directory. Modify or remove this rule if you want the entitlement policy to apply to matching accounts in Active Directory. This might result in the Active Directory account being deleted or disabled.
Creation (Subscriber channel): The Creation policy contains the following rules pertaining to entitlements: Account Entitlement: Block Account Creation When Entitlement Not Granted.
Editing Entitlements
The following sections provide instructions for editing entitlements in Designer and iManager. Although you can use either tool to create entitlements, we strongly recommend that you use Designer.
Section 6.1, “Editing Entitlements in Designer,” on page 29
Section 6.2, “Editing Entitlements in iManager,” on page 34
6.1 Editing Entitlements in Designer
After you have created entitlements, you might need to edit them.
The Entitlement Editor view shows you all of the pages and choices that you see in the Entitlement Wizard, but the information is on one page. Entitlement Editor: Displays the full DN name for the entitlement. If there is a conflict with the entitlement name or some other error, you see a red icon to the left of the Entitlement Editor name, followed by an error message.
XML Schema, or DTD (Document Type Definition) file. For a default Windows installation, the DTD for entitlements is found under C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.entitlements_1.1.0\DTD\dirxmlentitlements.dtd
Copy XML to Clipboard: Allows you to copy highlighted XML code to the clipboard. This action removes the DOCTYPE element.
Find/Replace (Ctrl+F): Brings up the Find/Replace window, which allows you to query text, structure, and XPath searches in a forward or a backward direction. Other options include case sensitive, wrap search, whole word, incremental, and regular expressions search capabilities.
Help: Opens the Help view to the right of the XML Source view.
Allows you to attach an XML Catalog entry, an XML Schema file, or a DTD (Document Type Definition) file. For a default Windows installation, the DTD for entitlements is found under C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.entitlements_1.1.0\DTD\dirxmlentitlements.dtd
Find/Replace (Ctrl+F): Brings up the Find/Replace window, which allows you to query text, structure, and XPath searches in a forward or a backward direction.
6.2 Editing Entitlements in iManager
1 In iManager, click to display the Identity Manager Administration page.
2 In the Administration list, click Identity Manager Overview.
3 If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.
Section A.2, “Examples to Help You Write Your Own Entitlements,” on page 39
A.1 Novell Entitlement Document Type Definition (DTD)
The Novell Entitlement DTD is provided below. An explanation of the DTD is provided in the two sections following the DTD:
Section A.1.1, “Explaining the Entitlement DTD,” on page 36
Section A.1.2, “Other Headings in the DTD,”...
<!-- Entitlement definition stored in the XmlData attribute of a DirXML-Entitlement object. -->
Headings are followed by Elements (ELEMENT) and Attribute lists (ATTLIST). Below is a detailed explanation of the elements and attributes under the Entitlement Definition heading, which is the main heading you need to focus on when creating entitlements.
The functionality for DirXML rules, object migration, etc. depends on the driver’s implementation of the query command. For more information on XML queries, see the Novell developer documentation on queries (http://developer.novell.com/ndk/doc/dirxml/dirxmlbk/ref/ndsdtd/query.html).
<!ELEMENT result-set (display-name, description, ent-value)>
<!ELEMENT display-name (token-attr | token-src-dn | token-association)>...
<!-- Entitlement result stored in the DirXML-EntitlementResult attribute of a DirXML-EntitlementRecipient object. -->
The Entitlement Result portion reports the results about whether an entitlement is granted or revoked. The information includes the state or status of the event and when the event is granted or revoked (through a time stamp).
This is an Account Entitlement, and the display name is Account Entitlement. This information is all you need to create an Account Entitlement, which you can then use to grant an account in an application. The Active Directory driver with entitlements enabled has a UserAccount entitlement that Active Directory uses to grant or revoke a user account.
      <display-name>
        <token-src-dn/>
      </display-name>
      <description>
        <token-attr attr-name="Description"/>
      </description>
      <ent-value>
        <token-association/>
      </ent-value>
    </result-set>
  </query-app>
</values>
</entitlement>
In this example, the Group entitlement uses Union to settle conflicts if the entitlement is applied more than once to the same object. The Union attribute merges the entitlements of all involved Role-Based Entitlement policies, so if one policy revokes an entitlement but another policy grants an entitlement, the entitlement is eventually granted.
<?xml version="1.0" encoding="UTF-8"?>
<entitlement conflict-resolution="union" description="The Exchange Mailbox Entitlement grants or denies an Exchange mailbox for the user in Microsoft Exchange." display-name="Exchange Mailbox Entitlement" name="ExchangeMailbox">
  <values>
    <query-app>
      <query-xml>
        <nds dtd-version="2.0">
          <input>
            <query class-name="msExchPrivateMDB" dest-dn="CN=Configuration," scope="subtree">
              <search-class class-name="msExchPrivateMDB"/>
              <read-attr attr-name="Description"/>
              <read-attr attr-name="CN"/>
            </query>...
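The Exchange Mailbox definition above, the result-set and display-name ELEMENT declarations quoted from the DTD, and the Union conflict resolution described for the Group entitlement can be exercised with a small checker. The following Python example is added here and is not part of the Novell guide or of any driver package. It embeds a constructed entitlement document modelled on the Exchange Mailbox example (with a placeholder dest-dn rather than a real directory path), checks it against the two ELEMENT declarations the guide reproduces, extracts the query the driver will issue against the connected system, and applies union resolution to a list of policy decisions. The function names validate_entitlement, describe_query and resolve_union are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample entitlement definition, written for this example; it is not
# a file shipped with the Novell drivers. It follows the shape of the guide's
# Exchange Mailbox example (root <entitlement>, the <values>/<query-app>/<query-xml>
# query block) and completes the <result-set> with the three token elements the
# DTD fragment lists. The dest-dn is a placeholder, not a real directory path.
SAMPLE_ENTITLEMENT = """<?xml version="1.0" encoding="UTF-8"?>
<entitlement conflict-resolution="union"
             description="Grants or denies an Exchange mailbox for the user."
             display-name="Exchange Mailbox Entitlement"
             name="ExchangeMailbox">
  <values>
    <query-app>
      <query-xml>
        <nds dtd-version="2.0">
          <input>
            <query class-name="msExchPrivateMDB"
                   dest-dn="CN=Configuration,DC=placeholder,DC=example"
                   scope="subtree">
              <search-class class-name="msExchPrivateMDB"/>
              <read-attr attr-name="Description"/>
              <read-attr attr-name="CN"/>
            </query>
          </input>
        </nds>
      </query-xml>
      <result-set>
        <display-name><token-src-dn/></display-name>
        <description><token-attr attr-name="Description"/></description>
        <ent-value><token-association/></ent-value>
      </result-set>
    </query-app>
  </values>
</entitlement>
"""

# From the DTD fragments quoted in the guide:
#   <!ELEMENT result-set (display-name, description, ent-value)>
#   <!ELEMENT display-name (token-attr | token-src-dn | token-association)>
RESULT_SET_CHILDREN = ("display-name", "description", "ent-value")
DISPLAY_NAME_TOKENS = ("token-attr", "token-src-dn", "token-association")
REQUIRED_ROOT_ATTRS = ("name", "display-name", "conflict-resolution")


def validate_entitlement(xml_text):
    """Return a list of structural problems; an empty list means the document
    matches the parts of the entitlement DTD reproduced in the guide."""
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "entitlement":
        return ["root element is <%s>, expected <entitlement>" % root.tag]
    for attr in REQUIRED_ROOT_ATTRS:
        if attr not in root.attrib:
            problems.append("<entitlement> lacks the %s attribute" % attr)
    for rs in root.iter("result-set"):
        # result-set must contain exactly these three children, in this order
        children = tuple(child.tag for child in rs)
        if children != RESULT_SET_CHILDREN:
            problems.append("<result-set> children %s, expected %s"
                            % (list(children), list(RESULT_SET_CHILDREN)))
        # display-name holds exactly one of the three token elements
        name_el = rs.find("display-name")
        if name_el is not None:
            tokens = [child.tag for child in name_el]
            if len(tokens) != 1 or tokens[0] not in DISPLAY_NAME_TOKENS:
                problems.append("<display-name> must hold exactly one of %s, got %s"
                                % (list(DISPLAY_NAME_TOKENS), tokens))
    return problems


def describe_query(xml_text):
    """Pull out what the driver will be asked to query in the connected system:
    the object class, the search base, the scope and the attributes read back."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    query = root.find("./values/query-app/query-xml/nds/input/query")
    if query is None:
        return None
    return {
        "class": query.get("class-name"),
        "base_dn": query.get("dest-dn"),
        "scope": query.get("scope"),
        "read_attrs": [r.get("attr-name") for r in query.findall("read-attr")],
    }


def resolve_union(decisions):
    """Union conflict resolution as the guide describes it: when several
    Role-Based Entitlement policies act on the same object, a grant from any
    policy wins over revokes from the others."""
    return "granted" if "grant" in decisions else "revoked"


if __name__ == "__main__":
    print("problems:", validate_entitlement(SAMPLE_ENTITLEMENT))
    print("query:", describe_query(SAMPLE_ENTITLEMENT))
    print("union of [revoke, grant]:", resolve_union(["revoke", "grant"]))
```

The checker only enforces the two ELEMENT declarations the guide reproduces; full validation of a definition should be done against the dirxmlentitlements.dtd file that Designer installs, at the path given in the Edit Entitlements table. Reviewing the output of describe_query before enabling an entitlement is a quick way to confirm that the driver will search the intended container and class rather than the whole connected directory.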
Roles-Based Entitlement task or through the User Application, users or defined-task managers can specify the building information, which is then included in an external application, such as Novell eDirectory.
A.2.4 Example 4: Administrator-Defined Entitlements: Without...