You Don't Need to Build Identity Management Policies from Nuts and Bolts
Using and Building Packaged Policies in Novell Identity Manager 4
Written by Michael Astle
Automobile manufacturers don't build cars from nuts and bolts anymore. They haven't for many years. They build them from components. The engines may come from Japan, transmissions from Mexico, bodies from Thailand and entertainment systems from Malaysia. Then the cars are assembled in Canada. So why do some IT departments still pay to have their identity management policies built from Java code?
With a host of policies making up an identity management system, and nearly every organization in the world requiring complex security protection, the chances are that the very policies your programmers or integrators are building from code right now have already been created a thousand times by someone else.
Novell decided to take advantage of these potential resources in its Novell Identity Manager product, first by introducing a graphical means of building policies when it introduced Designer, and now with a large library of packaged policies. In this article we'll discuss these packaged policies and look at how you can use them and even build your own packaged policies.
Novell Identity Manager 4 Advanced Edition is an intelligent solution that uses policy-driven identity management to protect application access from the data center to the cloud.
What Is a Policy?
Before we go further, we need to define what we mean by policy. This word can refer to myriad concepts, from company policies specifying how employees treat customers to government regulations. In Novell Identity Manager, the term policy refers specifically to the set of configurations that define how the application functions. Novell Identity Manager policies are primarily security related and enforce the other kind of policies, the business policies companies create to safeguard their systems and data. For example, the company likely has a business policy specifying that only authorized people can access certain financial information. The company uses identities and strong passwords to enforce this business policy. To manage the identities and passwords, the IT department or its integrator creates a policy in Novell Identity Manager that checks to ensure passwords are 12 characters and include nonalphanumeric characters. This is a password policy in Novell Identity Manager.
Taking Two Steps Beyond Programming
If you're still programming policies line by line in Java or some other programming language, you're spending a lot of time and resources unnecessarily. When you program policies using raw code, you have to build, debug, test, stage, beta test and deploy the policy. Over time that code needs to be updated to keep up with changing business needs, and with each change it has to be rebuilt, debugged, tested and so on. With enough changes, the code may become so fragile that you can no longer make changes without breaking the whole system.
Novell Identity Manager came on the scene with its graphical drag-and-drop Designer a few years ago to save companies from this resource-draining programming merry-go-round. Designer gave policy builders a visual programming environment, where personnel could point and click on the components they needed to build policies.
Novell Identity Manager 4 Advanced Edition now includes another major step beyond programming with content libraries. These libraries contain packaged policies that Novell has built based on the experience of Novell and its thousands of customers over several years of building policies across industries and countless business needs. What's especially nice about these policies is that they are all tested to work together. And when business needs change, you can unplug the existing policy and either modify it or select another policy from the library.
You can customize the packaged policies using Designer, and if the policy you need isn't in the library, you can build the policy, package it and place it in the library. Novell is constantly adding to the library via an update website and encourages customers to contribute policy packages they build. You can also set policies to automatically update.
Novell Identity Manager Designer and Drivers
The Designer in Novell Identity Manager is an Eclipse-based tool with which you can design, simulate, deploy and document your Novell Identity Manager system. You or your consultant use a graphical interface to drag and drop components that create the control between Novell Identity Manager and the applications for which you are adding control. You use Designer to configure policies and manipulate how data flows between connected applications. (See Figure 1.)
Drivers connect the applications that hold the identity information. They have two responsibilities. First, they report event changes in the application to Novell Identity Manager, and second, they execute data change commands that the Novell Identity Manager engine submits to the applications. Packaged policies contain the drivers needed to control the applications.
In addition to controlling identity information, the new package management function of Designer notifies you of conflicts and dependencies between policies, along with the prerequisite policies that must be installed.
Installing Policies from Libraries
Novell Identity Manager 4 ships with dozens of policy packages already in its library, and more are available on the Identity Manager 4 Advanced Edition website. Locating the policy you need is a simple process. In the left-hand menu of Designer is a package library or catalog with a list of package categories, such as Directory, E-mail, Provisioning and so on. Look up the policies you need by opening a category folder and selecting the policy. The policy titles are descriptive and should tell you what you're looking for.
If the policy package is just what you're looking for, you can drag it to the Modeler in the center of the Designer screen and proceed with the process of simulating and deploying the policies. If you want to customize a policy package, you can do that, too.
Customizing Policy Packages
Creating a new package or customizing an existing one starts with right clicking on the Package Catalog in the Designer left-hand menu and selecting New Category. Name the category and click OK. Then right click on the new category you just created to create a new group. It's in this group that you will place the packages you are creating. You could also place them in one of the existing groups and categories if they belong there.
Now select an existing package that you want to use as your template. For example, you may go to the Active Directory category and select the Active Directory Base. In here you'll find one or more packages, and you'll notice the package icons may have a little lock icon on them. This is to indicate that if you make changes to this package, you will not be able to save the changes back to the package. This is a safeguard Novell has included to prevent customers from modifying the library packages, which would then no longer be available if you need to revert to them. But you can make a copy of the package and change that. To make modifications, right click on the desired package and select Copy Package. This opens a dialog box, where you set the name, version number and so on. If you created a new category and group for this package, you can specify those here to save the package in the right place. (See Figure 2.)
Select Properties for the package by right clicking on the package. You can set the IDM compatibility, minimum and maximum application versions for compatibility, supported drivers, and vendor information for the vendor who is creating the package. You can also set the configuration wizard definitions, constraints, dependencies, initial settings, languages, licensing, linkages, the read-me, targets and the vendor. (See Figure 3.)
The new package now exists in your new category and group. If you right click on it there, you can open its properties to generate prompt resources, including driver names, initial settings, upgrade settings, remote loader and so on. You can also open the Resources folder and right click on the drivers to set or modify their settings.
You're now ready to build the package. Right click on the package icon, and select Build. In the Build dialog box, you specify where to save the file and check Release Package. Checking this box locks the package, so no one can make further modifications, which will be indicated by the little lock icon on the package icon. (See Figure 4.)
And your package is complete. This was a simplified walk-through to show the highlights of how you can build or modify packages in Novell Identity Manager 4 Advanced Edition. The packaged-policy approach is a major advance from the nuts-and-bolts days of policy creation and management. This time-saving approach should save you a lot of headaches and resources if you build your own policies, or if you depend on an integrator, it should save a large portion of your IT budget. The best part is that you should end up with a much more stable environment that is easier to maintain and update as business needs evolve. For more information visit www.novell.com/identitymanager.