manualshive.com logo in svg

Novell IDENTITY MANAGER 3.6.1 - ENTITLEMENTS, Manual

Novell IDENTITY MANAGER 3.6.1 - ENTITLEMENTS user manual is available for free download on manualshive.com. This comprehensive manual provides detailed instructions on managing user entitlements within the software. Download the manual now to optimize your use of Novell IDENTITY MANAGER 3.6.1 - ENTITLEMENTS.

Share
Download
background image

10

Identity Manager 3.6.1 Entitlements Guide

no

vd

ocx 

(e

n)

  

13

 Ma
y 20

09

Accountant role that requires access to the Accounting group in Active Directory. The 
Role Service driver grants the Active Directory Group Membership entitlement to the 
user.

Š

User Application Workflow-Based Provisioning: 

A provisioning workflow grants the 

entitlement to the user. For example, a new employee is added to the HR system, which 
causes a User object to be created in the Identity Vault. Creation of the new User object 
initiates a workflow that grants the Active Directory User Account entitlement to the user.

2. When an entitlement is added to or removed from a user’s DirXML-EntitlementRef attribute, 

any entitlement-enabled drivers begin to process the event. Only drivers that have the DirXML-
EntitlementRef attribute added to their Subscriber channel filter can monitor users for 
entitlement changes.

3. The driver processes the entitlement event against the Subscriber channel policies. If the 

entitlement event is for an entitlement that applies to the driver, the policies are processed. 
Otherwise, no processing occurs. In the diagram above, the Grant User Account policy is 
processed because 1) the Active Directory User Account entitlement was added to the user’s 
DirXML-EntitlementRef attribute and 2) the User Account entitlement is defined on the Active 
Directory driver. If the Active Directory User Account entitlement is later removed from the 
user’s DirXML-EntitlementRef attribute, the Revoke User Account policy is processed. 

4. The policies trigger the granting or revoking of access to the entitled resource. In the diagram 

above, the Grant User Account policy triggers the creation of a user account in Active 
Directory.

1.2  Why Use Entitlements?

Both roles-based provisioning and workflow-based provisioning require the use of entitlements. If 
you use either of these User Application provisioning methods, you must use entitlements.

If you are not using the User Application for roles-based or workflow-based provisioning, you might 
still want to use Role-Based Entitlements (RBEs) through the Entitlements Service driver. Using 
Role-Based Entitlements enables you to remove the business logic, or decision-making, from your 
driver policies. In the example used in 

Section 1.1, “How Entitlements Work,” on page 9

, the Active 

Directory driver policies include only the information required to grant or revoke an Active 
Directory user account. The decision about whether or not a user receives an Active Directory user 
account is handled through the entitlement agent, not the driver policies. In this case, the entitlement 
agent is the Entitlements Service driver.

Removing the business logic from drivers provides several benefits:

Š

If you have multiple drivers that are the same (for example, multiple Active Directory drivers) 
and your business logic changes, you don’t have to change the logic in each driver. The logic 
only needs to change in the entitlement agent.

Š

You can use any of the three entitlement agents to grant an entitlement to a user. You can even 
use all three entitlement agents together. However, you should have only one entitlement agent 
handle an entitlement for a given user. For example, you could have an Active Directory User 
Account entitlement granted to a user by the Entitlement driver and a Linux User Account 
entitlement granted to the same user through the User Application’s Role Service driver. 
However, you should not have the same entitlement (for example, the Active Directory User 
Account) managed by both the Entitlement driver and the User Application’s Role Service 
driver. Doing so can cause unintended granting and revoking of the entitlement. 

Summary of Contents for IDENTITY MANAGER 3.6.1 - ENTITLEMENTS

Page 1: ...Novell www novell com novdocx en 13 May 2009 AUTHORIZED DOCUMENTATION Identity Manager 3 6 1 Entitlements Guide Identity Manager 3 6 1 June 05 2009 Entitlements Guide...

Page 2: ...r re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclea...

Page 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the proper...

Page 4: ...4 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Page 5: ...20 4 2 3 Valued Entitlement that Queries an External Application 21 4 3 Creating Entitlements in iManager 24 5 Creating Policies to Support Entitlements 27 6 Editing Entitlements 29 6 1 Editing Entit...

Page 6: ...6 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Page 7: ...online documentation or go to www novell com documentation feedback html and enter your comments there Documentation Updates For the most recent version of the Entitlements Guide visit the Identity Ma...

Page 8: ...8 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Page 9: ...figured Entitlements on page 11 1 1 How Entitlements Work The following diagram shows the basic entitlement process Figure 1 1 Overview of Entitlements 1 An entitlement agent grants an entitlement to...

Page 10: ...itlements Both roles based provisioning and workflow based provisioning require the use of entitlements If you use either of these User Application provisioning methods you must use entitlements If yo...

Page 11: ...y Grant and revoke accounts group membership Exchange Mailbox GroupWise Grant and revoke accounts grant and revoke members of distribution lists LDAP Grant and revoke user accounts and group membershi...

Page 12: ...12 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Page 13: ...ttribute to the User class The following drivers are already enabled for entitlements You do not need to complete this task for these drivers Active Directory GroupWise LDAP Linux and UNIX Lotus Notes...

Page 14: ...r Role Based Entitlements Implementation Guide http www novell com documentation idm36drivers entitlements data bktitle html User Application Roles Based Provisioning Manages entitlements based on rol...

Page 15: ...d Unix Lotus Notes RACF 3 1 Using Designer to Enable Entitlements Designer is the recommended tool for creating entitlements see Section 4 2 Creating Entitlements in Designer on page 17 During the ent...

Page 16: ...hlighted 7 Click User and select Add Attribute then scroll to the bottom and select Show all attributes 8 Select the DirXML EntitlementRef attribute then click OK 9 Select DirXML EntitlementRef in the...

Page 17: ...to create for other drivers User Account Entitlement Grants or revokes an account in Active Directory for the user When the account is granted the user is given an enabled logon account When the acco...

Page 18: ...is displayed select Yes then click OK to enable the entitlement for the driver Skip the remaining steps in this section or Select Yes if the entitlement needs to include values click Next then continu...

Page 19: ...n this example the values are corporate buildings Building A through Building D Through an entitlement client such as an iManager Role Based Entitlement task or through the user application users or d...

Page 20: ...lows the driver filter to listen for entitlement activities which is necessary in order to use the entitlements you are creating or If you don t want to see the Add To Filter window on entitlements yo...

Page 21: ...rity Merging the values merges the entitlements of all involved Role Based Entitlement policies so if one policy revokes an entitlement but another policy grants an entitlement the entitlement is even...

Page 22: ...e Schema Browser The list includes both the Attributes and the Inherited Attributes for the selected class Description Defines the attribute that displays as a description for that value For the descr...

Page 23: ...policy grants an entitlement the entitlement is eventually granted Solving conflicts by priority works if you need to ensure that only one policy is applied to this entitlement at any time This examp...

Page 24: ...w again 4 3 Creating Entitlements in iManager We strongly recommend that you use the Entitlement Wizard in Designer to create entitlements The Entitlement Wizard creates the entitlement XML from the i...

Page 25: ...es in the policies that are implementing the entitlement The entitlement name is stored on the Ref and Result attributes within the policy The context for the entitlement is already populated because...

Page 26: ...26 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Page 27: ...Vault When you use the User Account Entitlement managed user accounts are controlled by the entitlement in the Identity Vault A delete in Active Directory does not delete the controlling object in th...

Page 28: ...ased Entitlements accounts are created only for users that are specifically granted the account entitlement This rule vetoes user account creation when the entitlement is not granted Identity Vault Ac...

Page 29: ...entitlements You can also edit the XML source directly Section 6 1 1 Using the Entitlement Editor on page 29 Section 6 1 2 Using the XML Source and XML Tree Views on page 31 6 1 1 Using the Entitlemen...

Page 30: ...priority button is the default Values Allows you to define how values are defined no values administrator defined values or values from an application The information that appears in the Entitlement E...

Page 31: ...he XML code in a formatted state The upper right corner of the XML Source view has the following selections Name Description Expand All Allows you to see all items under the item that you have selecte...

Page 32: ...a tree control view of the XML source code You can perform the same edits in this view as you can in the Entitlement Editor view or the XML Source view To view the entitlement in XML Tree view select...

Page 33: ...d Before a Comment a Processing Instruction a PCDATA a CDATA Section a new Element Add After a Comment a Processing Instruction a PCDATA a CDATA Section a new Element Name Description Expand All Allow...

Page 34: ...river Sets tab use the Search In field to search for and display the driver set 4 Click the driver set to open the Driver Set Overview page 5 Click the driver to display the Driver Overview page 6 On...

Page 35: ...s provide information to help you create XML entitlement documents Section A 1 Novell Entitlement Document Type Definition DTD on page 35 Section A 2 Examples to Help You Write Your Own Entitlements o...

Page 36: ...c id param state status msg timestamp ELEMENT dn PCDATA ELEMENT state PCDATA ELEMENT status PCDATA ELEMENT msg ANY ELEMENT timestamp PCDATA Cached query results stored in the DirXML SPCachedQuery attr...

Page 37: ...Policy has a higher priority If an entitlement is single valued conflicts must be resolved by priority because a union of values results in more than one value being applied Role Based Entitlements p...

Page 38: ...esult set element to help you interpret the result of an external application query There are three pieces of data that are of interest the display name of the value the display name child element the...

Page 39: ...EntitlementRef portion is actually not part of the Entitlement definition You don t need to do anything with the elements and attributes under this heading A 2 Examples to Help You Write Your Own Enti...

Page 40: ...perform future modifications to the entitlement The actual name of the entitlement is UserAccount while the display name displays in a managing agent as User Account Entitlement A 2 2 Example 2 Applic...

Page 41: ...top of the tree and continues through its subtrees These values come from the connected Active Directory server and the application query starts at the nds tag Under the query xml tag this query recei...

Page 42: ...states that the entitlement grants or revokes an Exchange mailbox for the user in Microsoft Exchange which is enough detail for what the entitlement does The display name is Exchange Mailbox Entitleme...

Page 43: ...orporate building letters Building A through Building F Then through an entitlement client such as an iManager Roles Based Entitlement task or through the User Application users or defined task manage...

Page 44: ...44 Identity Manager 3 6 1 Entitlements Guide novdocx en 13 May 2009...

Reviews:

No comments

Related manuals for IDENTITY MANAGER 3.6.1 - ENTITLEMENTS

Samsung UN40C7000WF User Manual preview
UN40C7000WF
Brand: Samsung Pages: 7
Sony Ericsson RS232 interface for GT47 embedded apps UART Application Note preview
RS232 interface for GT47 embedded apps UART
Brand: Sony Ericsson Pages: 14
F-SECURE ANTI-VIRUS FOR MIMESWEEPER - Administrator'S Manual preview
ANTI-VIRUS FOR MIMESWEEPER -
Brand: F-SECURE Pages: 44
TANDBERG Codian Remote Management API Reference Manual preview
Codian Remote Management API
Brand: TANDBERG Pages: 66
Ricoh GlobalScan NX Server 5/Server 32/Server 750 Manual preview
GlobalScan NX Server 5/Server 32/Server 750
Brand: Ricoh Pages: 6
KAPERSKY ANTI-VIRUS - FOR FREEBSD-OPENBSD-BSDI MAIL SERVER User Manual preview
ANTI-VIRUS - FOR FREEBSD-OPENBSD-BSDI MAIL SERVER
Brand: KAPERSKY Pages: 295
Sling Media Slingbox User Manual preview
Slingbox
Brand: Sling Media Pages: 112
JVC Blank Media LYT1015 Instructions Manual preview
Blank Media LYT1015
Brand: JVC Pages: 22
JVC ImageMixer 1.7 Instructions Manual preview
ImageMixer 1.7
Brand: JVC Pages: 43
JVC JLIP VIDEO CAPTURE Instructions Manual preview
JLIP VIDEO CAPTURE
Brand: JVC Pages: 56
JVC GR-DVL500U - Digital Camcorder Instructions Manual preview
GR-DVL500U - Digital Camcorder
Brand: JVC Pages: 72
JVC GZMG27US - Everio Camcorder - 680 KP Instructions Manual preview
GZMG27US - Everio Camcorder - 680 KP
Brand: JVC Pages: 72
JVC GZ-MG77U - Everio Camcorder - 2.18 MP Instructions Manual preview
GZ-MG77U - Everio Camcorder - 2.18 MP
Brand: JVC Pages: 72
JVC Digital Photo Navigator ImageMixer with VCD LYT1116-001A Instructions Manual preview
Digital Photo Navigator ImageMixer with VCD LYT1116-001A
Brand: JVC Pages: 50
JVC GZMG21US - Everio Camcorder - 680 KP Instructions Manual preview
GZMG21US - Everio Camcorder - 680 KP
Brand: JVC Pages: 72
Ulead VIDEOSTUDIO 11 User Manual preview
VIDEOSTUDIO 11
Brand: Ulead Pages: 168
Acroprint ATR 20/20 Quick Start Manual preview
ATR 20/20
Brand: Acroprint Pages: 1
ACRONIS TRUE IMAGE CORPORATE WORKSTATION 8.0 User Manual preview
TRUE IMAGE CORPORATE WORKSTATION 8.0
Brand: ACRONIS Pages: 79

Brands by name

Popular brands

Load more brands