Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
Contents About This Guide Part I Planning 1 Setting Up a Development Environment 2 Creating a Project Plan Discovery Phase 2.1.1 Defining Current Business Processes
Chapter 5, “Where to Get Identity Manager,” on page 43 Chapter 6, “System Requirements,” on page 45 Chapter 7, “Installing Identity Manager,” on page 55 Chapter 8, “Activating Novell Identity Manager Products,” on page 65 Part III, “Upgrading,” on page 69 Chapter 10, “What’s New,” on page 71 Chapter 11, “Supported Versions for Upgrades and System Requirements,”...
Identity Manager Roles Based Provisioning Module Documentation Web site (http://www.novell.com/documentation/idmrbpm361/index.html). Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
Identity Manager implementation. For more information about partnership options, see the Novell Solution Partner Web site (http://www.novell.com/partners/). Novell Education also offers courses that address Identity Manager implementation. Chapter 1, “Setting Up a Development Environment,” on page 13 Chapter 2, “Creating a Project Plan,” on page 15 Chapter 3, “Technical Guidelines,”...
Setting Up a Development Environment Before you begin the planning phase of the Identity Manager deployment, you must be familiar with the Identity Manager products so you can create a useful plan. Setting up a development environment where you can test, analyze, and develop your Identity Manager solution allows you to learn about each component of Identity Manager and find unforeseen issues and complications that can arise.
Creating a Project Plan This planning material provides an overview of the type of activities that are usually part of an Identity Manager project, from its inception to its full production deployment. Implementing an identity management strategy requires you to discover what all of your current business processes are, what are the needs for these processes, who the stakeholders are in your environment, and then design a solution, get buy-in from stakeholders, and test and roll out the solution.
2.1.1 Defining Current Business Processes Identity Manager automates business processes to easily manage identities in your environment. If you do not know what the current business processes are, you cannot design an Identity Manager solution that automates those processes. You can use the Architecture mode of Designer to capture your current business processes and display them graphically.
Example of Business Processes Figure 2-1 The next step is in Section 2.1.2, “Defining How the Identity Manager Solution Affects the Current Business Processes,” on page 2.1.2 Defining How the Identity Manager Solution Affects the Current Business Processes After you have defined your current business processes, you need to decide which processes you want to incorporate into an Identity Manager solution.
2.1.3 Identifying the Key Business and Technical Stakeholders Identifying all stakeholders involved in the Identity Manager solution is important for the success of the solution. In most companies, there is not just one person you can contact who understands all business and technical aspects of the business processes.
basic knowledge of directories, Novell® eDirectory, Novell Identity Manager, and XML integration in general. After you have completed the discovery phase, proceed to the Section 2.2, “Requirements and Design Analysis Phase,”...
After the requirements analysis, you can establish the scope and project plan for the implementation, and determine if any prerequisite activities need to occur. To avoid costly mistakes, be as complete as possible in gathering information and documenting requirements. Here is a list of possible requirements: Data model showing all systems, authoritative data sources, events, information flow, data format standards, and mapping relationships between connected systems and attributes within...
It might be advantageous to divide the deployment into phases that enable implementation of a portion of the deployment earlier and other portions of the deployment later. You can do a phased deployment approach as well. It should be based on groups of people within the organization.
What operations/events/actions are to be ignored? How is the data to be transformed and mapped to Identity Manager? Interviewing key people can lead to other areas of the organization that can provide a more clear picture of the entire process. After you have gathered all of this information, you can design a correct enterprise data model for your environment.
The development of this model begins by answering questions such as the following: What types of objects (users, groups, etc.) are being moved? Which events are of interest? Which attributes need to be synchronized? What data is stored throughout your business for the various types of objects being managed? Is the synchronization one-way or two-way? Which system is the authoritative source for which attributes? It is also important to consider the interrelationships of different values between systems.
You need to have the data model that you completed in the analysis and design phases. You should also have a proposed record matching and data format strategy defined in order to prepare the data correctly. With the data model and format strategy defined, you can: Create production data sets appropriate for loading into the Identity Vault (as identified in the analysis and design activities).
2.7 Production Deployment The production deployment phase puts all of the plans into action and the Identity Manager solution is created in the live environment. Use the production rollout plan to put the different pieces of the Identity Manager solution into place. This might take one night or it might be spread across a longer period of time.
Identity Manager is very customizable. The following sections contain technical best practices guidelines to help set up and configure the Identity Manager solution that works best for your environment. Variables that affect how these guidelines apply to your environment include the type of hardware you have for your servers, how your WAN is configured, and how many objects are being synchronized.
This document contains information only about Designer and iManager. The User Application uses a Web-based administration page that is not discussed here. For more information about the User Application, see “Administering the User Application” (http://www.novell.com/documentation/idmrbpm361/agpro/data/agpropartadminapp.html) in the User Application Administration Guide.
The Remote Loader provides added flexibility for your Identity Manager solution. For more information, see the Identity Manager 3.6.1 Remote Loader Guide. Figure 3-3: Metadirectory Server
Guide. For considerations for each driver, see the Identity Manager Drivers documentation Web site (http://www.novell.com/documentation/idm36drivers/index.html). Driver-specific information is provided in each driver guide. 3.3 eDirectory Guidelines eDirectory is the Identity Vault that stores the objects that are synchronized through the Identity Manager solution.
NOTE: When creating a Driver Set object, the default setting is to create a separate partition. Novell® recommends creating a separate partition on the Driver Set object. For Identity Manager to function, the server is required to hold a full replica of the Driver Set object. If the server has a full replica of the location where the Driver Set object is installed, the partition is not required.
To prevent separate instances of a driver from trying to synchronize the same users, you need to use scope filtering to define which users each instance of the driver should synchronize. Scope filtering means that you add rules to each driver to limit the scope of the driver’s management to specific containers.
The following illustration shows an Identity Vault with three containers that hold users: Marketing, Finance, and Development. It also shows an Identity Management container that holds the driver sets. Each of these containers is a separate partition. Figure 3-4: Example Tree for Scope Filtering
Figure 3-5: Two Servers with Overlapping Replicas, without Scope Filtering. Without scope filtering, both GroupWise drivers try to manage user JBassad...
3.5 Auditing and Reporting Guidelines If you need auditing and reporting as part of the Identity Manager solution, you need to implement Identity Audit or Novell Sentinel. It is recommended that you run Identity Audit or Sentinel on its...
Figure 3-8: Sentinel
Basic Identity Manager System Checklist There are many different ways to configure Identity Manager to take advantage of all of its features. Figure 4-1 represents a basic configuration of Identity Manager, which provisions users by synchronizing data. No matter how Identity Manager is configured, you always start with a basic system.
For more information, see the eDirectory 8.8 documentation Web site (http://www.novell.com/documentation/edir88/index.html). Install Novell iManager 2.7.3 on the same server. For more information, see the iManager documentation Web site (http://www.novell.com/documentation/imanager27/index.html). Download the Identity Manager product. For instructions on how to access the Identity Manager software, see Chapter 5, “Where to Get Identity Manager,”...
For specific information about your driver, see the Identity Manager 3.6.1 Drivers Documentation Web site (http://www.novell.com/documentation/idm36drivers/). (Optional) Enable entitlements on the driver. Verify that you have the correct policies in place to execute the entitlement. For more information, see Identity Manager 3.6.1 Entitlements...
You can add Identity Audit or Novell Sentinel to your Identity Manager solution for auditing and reporting. For more information about Identity Audit, see the Identity Manager 3.6.1 Integration Guide for Identity...
(http://download.novell.com). 2 In the Product or Technology menu, select Novell Identity Manager, then click Search. 3 On the Novell Identity Manager Downloads page, click the Download button next to a file you want. 4 Follow the on-screen prompts to download the file to a directory on your computer.
Provisioning Module comes on a separate ISO image and is purchased separately. See the User Application Installation Guide (http://www.novell.com/documentation/idmrbpm37/) for more information. Your Identity Manager purchase also includes Designer for Identity Manager, a powerful and flexible administration tool that dramatically simplifies configuration and deployment.
System Requirements The components of Novell® Identity Manager can be installed on multiple systems and platforms. Figure 6-1 shows which platforms and systems are supported. Figure 6-1: System Requirements for the Identity Manager Components. Windows Vista Windows XP Pro. SP2 openSUSE 10.3...
8.8.5 or later (32-bit or 64-bit) iManager 2.7.3 For system requirements for eDirectory, see the Novell eDirectory 8.8 SP5 Installation Guide (http://www.novell.com/documentation/edir88/index.html). For system requirements for iManager, see the iManager 2.7 Installation Guide (http://www.novell.com/documentation/imanager27/index.html). 6.2 Metadirectory Server The Metadirectory server processes the events from the drivers, whether they are configured using the Remote Loader or not.
Red Hat 5.0 or later (32-bit and 64-bit) SLES 10 SP1 or later SPs (32-bit and 64-bit) SLES 11 (32-bit and 64-bit) Novell Sentinel Solaris 10 (32-bit and 64-bit) Server 6.1 AIX 5.3 (64-bit) OES 2 SP1 and SP2 (32-bit...
64-bit mode. Red Hat 5.0 or later (32-bit and 64-bit) The Metadirectory server runs in either 32-bit or 64-bit mode. Novell recommends that you apply the latest OS patches via the manufacturer’s automated update facility before you install Identity Manager.
64-bit iManager 2.7.3 Server Novell Sentinel Server 6.1 If you have installed the Metadirectory engine as a 32-bit application on a 64-bit operating system, you cannot install the 64-bit Remote Loader on the same machine. The libraries for the 32-bit Metadirectory engine and the 64-bit Remote Loader have the same names.
Red Hat 5.0 or later (32-bit and 64-bit) The Remote Loader runs in either 32-bit or 64-bit mode. Novell recommends that you apply the latest OS patches via the manufacturer’s automated update facility before you install Identity Manager.
Identity Manager 3.6.1 Integration Guide for Identity Audit. For configuration information about Sentinel with Identity Manager, see the Identity Manager 3.6.1 Reporting Guide for Novell Sentinel. For system requirement information about Identity Audit, see the Identity Audit Guide (http://www.novell.com/documentation/identityaudit/index.html). For system requirement information about Novell Sentinel, see the Novell Sentinel Installation Guide (http://www.novell.com/documentation/...
8.8.5 or later 32-bit and 64-bit iManager 2.7.3 Server Novell Sentinel Server 6.1 There are three different items that affect workstations: Section 6.6.1, “Workstation Platforms,” on page 52 Section 6.6.2, “iManager and Web Browsers,” on page 53 6.6.1 Workstation Platforms Table 6-3 contains a list of the supported workstation platforms for Designer and iManager.
Platforms Details SUSE Linux Enterprise Server 10 SP1/SP2 Apply the latest patches via the automated update facility. 6.6.2 iManager and Web Browsers The supported version of iManager for Identity Manager 3.6.1 is iManager 2.7.3. It runs all of the plug-ins required to configure and administer Identity Manager. The supported Web browsers for managing Identity Manager are: Internet Explorer* 6 SP2 Internet Explorer 7...
Install Folder: Specify a location on the workstation where Designer should be installed. Create Shortcuts: Select whether the shortcuts are placed on your desktop and in your Desktop Menu. 4 Refer to Designer 3.5 for Identity Manager 3.6 Administration Guide (http://www.novell.com/documentation/designer35/admin_guide/data/front.html) for further information. 7.2 Installing the Metadirectory Server For Linux\UNIX platforms you can install the Metadirectory Server as root or a nonroot user.
Novell Identity Manager Metadirectory Server: This option requires the Identity Vault to be installed on this server. It extends the schema for Identity Manager, installs the Metadirectory engine, the Identity Manager drivers, and the Novell® Audit Agent. Novell Identity Manager Connected System Server: This option does not require the Identity Vault to be installed on this server.
Novell Identity Manager Web-based Administration Server: Select this option if you have iManager installed on this server. It installs the iManager plug-ins for Identity Manager. Utilities: Installs utilities used to help configure the drivers for the connected systems. Not all drivers have utilities. If you are not sure if you need this, select it. It does not use much disk space.
IDM3.6.1_platform/setup/utilities 5 Activate Identity Manager. For more information, see Chapter 8, “Activating Novell Identity Manager Products,” on page 6 Create and configure the driver objects. This information is contained in each driver guide. For more information, see the Identity Manager Drivers documentation (http://www.novell.com/...
7.3.1 Requirements The Remote Loader requires that each driver’s connected system is available and the relevant APIs are provided. Refer to the Identity Manager Driver documentation (http://www.novell.com/documentation/idm36drivers) for operating system and connected system requirements that are specific to each driver.
Lotus Notes* PeopleSoft* 5.2 Remedy* ARS SAP* HR SAP User Management Scripting SOAP WorkOrder Manual Task Services Null Services LoopBack The drivers listed in Table 7-2 are not capable of using the Remote Loader. No Remote Loader Capabilities Table 7-2 eDirectory Entitlements Service Role Service...
Select Components: Select the connected system server and utilities to install the Remote Loader. Novell Identity Manager Metadirectory Server: Select this option only if you are installing the Metadirectory server. This option requires the Identity Vault to be installed on this server. For more information, see Section 7.2, “Installing the...
Installing 32-Bit Remote Loader on 64-Bit Operating System By default 64-bit Remote Loader is installed. To install a 32-bit Remote Loader, do the following: On Windows: 1 Browse to the 32bit_RL_Install.properties file in the IDM3.6.1_Win:Windows\setup\ folder and set the RL_32BIT_INSTALL_ON_64BIT property value to true as follows: RL_32BIT_INSTALL_ON_64BIT=true 2 In the command prompt, change the directory path to the IDM 3.6.1 installation folder (for example, C:\IDM3.6.1\windows\setup) and enter one of the following commands:...
“Configuring the Remote Loader for Linux\UNIX by Creating a Configuration File” in the Identity Manager 3.6.1 Remote Loader Guide. 7.4 Installing the Roles Based Provisioning Module To install the Roles Based Provisioning Module, see the Installation Guide (http://www.novell.com/documentation/idmrbpm361/index.html) for the Roles Based Provisioning Module. Installing Identity Manager...
7.7 Installing Identity Manager in Clustering Environment If you deploy Identity Manager in a clustered environment, Novell supports Identity Manager running in the cluster, although in most situations, the cluster itself is not supported. The following two scenarios describe the extent of support given: If you run the Identity Manager engine or remote loader on SUSE Linux Enterprise Server (SLES), and use Heartbeat to manage High Availability, everything is supported.
After you purchase a product license, Novell sends you a Customer ID via e-mail. The e-mail also contains a URL to the Novell site where you can obtain a credential. If you do not remember or do not receive your Customer ID, call the Novell Activation Center at 1-800-418-8373 in the U.S. In all other locations, call 1-801-861-8373 (You will be charged for calls made using the 801 area code.).
5 Click to browse for and select a driver set in the tree structure. 6 On the Identity Manager Overview page, click the driver set that contains the driver to activate. 7 On the Driver Set Overview page, click Activation > Installation. 8 Select the driver set where you want to activate an Identity Manager component, then click Next.
Troubleshooting Identity Manager Keep in mind the following information when you install Identity Manager: On AIX 5.3, IDM 3.6.1 installation hangs if NFS mounts are down. This behavior is also applicable for the instances where the IDM installer iso is on the same machine (AIX) and any mounted partition is down.
Upgrading The following sections contain information about upgrading your existing Identity Manager solution: Chapter 10, “What’s New,” on page 71 Chapter 11, “Supported Versions for Upgrades and System Requirements,” on page 73 Chapter 12, “In-place Upgrade Versus Migration,” on page 75 Chapter 13, “Performing an In-place Upgrade,”...
What’s New Section 10.1, “Support for 64-Bit Operating Systems,” on page 71 Section 10.2, “Support for 32-Bit Remote Loader Installation on 64-Bit Operating Systems,” on page 71 Section 10.3, “Identity Manager Driver for SAP Portal,” on page 71 Section 10.4, “Updated Identity Manager Driver for SAP HR and Identity Manager Driver for SAP User Management,”...
Supported Versions for Upgrades and System Requirements Section 11.1, “Supported Versions for Upgrades,” on page 73 Section 11.2, “System Requirements,” on page 73 11.1 Supported Versions for Upgrades The table indicates the supported upgrades for the previous versions of Identity Manager. Supported Versions for Upgrades Table 11-1 Installed Versions...
In-place Upgrade Versus Migration There are two different ways to upgrade: in-place upgrade or migration. Each method has advantages and disadvantages, and there are scenarios where only one method can be used. Section 12.1, “In-place Upgrade,” on page 75 Section 12.2, “Migration,” on page 76 Section 12.3, “Multiple Servers Associated with a Single Driver Set,”...
12.2 Migration A migration is installing Identity Manager 3.6.1 on a new server, then migrating the existing data to this new server. Follow the Chapter 4, “Basic Identity Manager System Checklist,” on page 39 to verify that the installation is complete. The advantages are: There is minimal downtime for the drivers The disadvantages are:...
Upgrade eDirectory to 8.8.5 or later on the server running Identity Manager. For more information, see the eDirectory Installation Guide (http://www.novell.com/documentation/edir88/index.html). (Conditional) If your platform is Linux, UNIX, or Solaris, there are additional steps that must be completed to add files to the correct location. For more information, see Section 13.3, “Adding...
Start the drivers associated with this server. For more information, see Section 13.10, “Starting the Drivers,” on page 87 If you are using Novell Sentinel, you must update to Novell Sentinel 6.1. For more information about upgrading Sentinel, see the Sentinel Installation Guide (http://www.novell.com/documentation/sentinel6/pdfdoc/sentinel60_installationguide.pdf).
13.1 Creating a Backup of the Current Configuration Before upgrading, it is important to create a backup of the current configuration of your Identity Manager system. There are no additional steps required if you are using the User Application. All User Application configuration is stored in the User Application driver.
5 On the toolbar, select Project > Import Project > Identity Vault. 6 Specify a name for the project, then either use the default location for your project or select a different location. 7 Click Next. 8 Specify the Identity Vault connection information: Host Name: Specify the IP address or DNS name of the Identity Vault server.
3 Click the Driver Set object that holds the driver you want to upgrade. 4 Click the driver you want to upgrade, then click Export. 5 Click Next, then select Export all contained policies, linked to the configuration or not. 6 Click Next, then click Save As.
6e On the Driver Configuration page under Startup Options, select Manual, then click OK. 6f Repeat Step 6a through Step 6e for each driver in your tree. 13.3 Adding Files to the Correct Location on Linux/UNIX Platforms When you do an in-place upgrade from eDirectory 8.7.3 to eDirectory 8.8.5, the installation places the eDirectory files in different locations.
1 Create a backup of the Remote Loader configuration files. The default location of the files is as follows: Windows: C:\Novell\RemoteLoader\remoteloadername-config.txt Linux: Create your own configuration file in the path of rdxml. 2 Verify that the drivers are stopped. For instructions, see Section 13.2, “Stopping the Drivers,”...
6 (Conditional) If there is a problem with the configuration file, copy the backup file created in Step 1. Otherwise, continue with Step 7 Start the Remote Loader service or daemon for each driver. Windows: In the Remote Loader Console, select the Remote Loader instance, then click Start.
13.7.2 Using iManager to Overlay the New Driver Configuration File over the Existing Driver 1 In iManager, select Identity Manager > Identity Manager Overview. 2 Browse to and select the location in the tree to search for Driver Set objects, then click the search icon 3 Click the Driver Set object.
3 Browse to and select the customized policy, then click OK. 4 Specify the name of the customized policy, then click OK. 5 Click Yes in the file conflict message to save your project. 6 After the Policy Builder opens the policy, verify that the information is correct in the copied policy.
For information on starting the driver, see Section 13.10, “Starting the Drivers,” on page There is no policy simulator in iManager. To test the policies, cause events to happen that make the policies execute. For example, create a user, modify a user, or delete a user. 10 After you verify that the policies work, move the driver to the production environment.
6b Browse to and select the location in the tree to search for Driver Set objects, then click the search icon 6c Click the Driver Set object. 6d In the upper right corner of the driver icon, click Edit properties. 6e On the Driver Configuration page, under Startup Options, select Auto start or select your preferred method of starting the driver, then click OK.
The User Application driver must be migrated in Designer. For more information, see the Roles Based Provisioning Module Migration Guide (http://www.novell.com/documentation/idmrbpm361/index.html). Create a new Roles Service driver. The Roles Service driver is not migrated. If you have an existing Role Service driver for version 3.6.1, you must create a new driver for version...
Remove the old server from the driver set. For more information, see Section 14.3, “Removing the Old Server from the Driver Set,” on page If you are using Novell Sentinel, you must update to Novell Sentinel 6.1. For more information about upgrading Sentinel, see the Sentinel Installation Guide (http://www.novell.com/documentation/sentinel6/pdfdoc/sentinel60_installationguide.pdf).
Driver parameters Driver set data You can do this in Designer or iManager. If you use Designer, it is an automated process. If you use iManager, it is a manual process. You should use iManager if you are migrating from an IDM server earlier than 3.5 version to an IDM server greater than or equal to 3.5.
6 Click the upper right corner of the driver, then click Edit properties. 7 You must copy or migrate all server-specific driver parameters, global configuration values, engine control values, named passwords, driver authentication data, and driver startup options that contain the old server’s information to the new server’s information. Global configuration values and other parameters of the driver set, such as max heap size, Java settings, and so on, must have identical values as those of the old server.
1 Remove the eDirectory replicas from this server. For more information, see “Deleting Replicas” (http://www.novell.com/documentation/edir88/edir88/data/fbgciaad.html) in the eDirectory Administration Guide (http://www.novell.com/documentation/edir88/pdfdoc/edir88/edir88.pdf). 2 Remove eDirectory from this server. For more information, see TID 10056593, “Removing a Server From an NDS Tree Permanently” (http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=10056593&sliceId=&docTypeID=DT_TID_1_1&dialogID=35218849&stateId=0%200%2035214815). Performing a Migration...
Uninstalling Identity Manager If you need to uninstall Identity Manager, use the procedures in the following sections in order. Chapter 15, “Removing Objects from eDirectory,” on page 97 Chapter 16, “Uninstalling the Metadirectory Server and Drivers,” on page 99 Chapter 17, “Uninstalling Designer,” on page 101 Uninstalling Identity Manager...
For more information, see Keeping eDirectory Healthy (http://www.novell.com/documentation/edir88/edir88/data/a5ziqam.html) in the Novell eDirectory 8.8 Administration Guide. 2 Log in to iManager as an administrator user with full rights to the eDirectory tree. 3 Select Partitions and Replica > Merge Partition.
Execute the uninstall script (Uninstall Identity Manager.exe) located at C:\Program Files\Novell\Identity Manager\Uninstall_Identity_Manager For 64-bit Windows, use one of the following methods: Access the Control Panel on the Windows server. If the server is Windows Server 2003, click Add or Remove Programs. If the server is Windows Server 2008, click Programs and Features.
Uninstalling Designer Uninstalling Designer is very similar to uninstalling the Metadirectory server and driver. For Windows, select Add or Remove Programs in the control panel. For Linux/UNIX, execute the uninstall script located at ~/designer/UninstallDesigner/Uninstall_Designer_for_Identity_Manager Uninstalling Designer...
Documentation Updates The documentation was updated on the following dates: A.1 July 31, 2009 Updates were made to the following sections. The changes are explained below. Section A.1.1, “What’s New,” on page 103 A.1.1 What’s New The following update was made in this section: Location Change Section 10.3, “Identity...