Novell Analyzer for Identity Manager Readme

Analyzer is an Eclipse^*-based Identity Manager project that provides a set of tools aimed at ensuring that general internal policies are adhered to for data quality, which includes data analysis, data cleansing, data reconciliation, and data monitoring/reporting. Customers can use Analyzer to analyze, enhance, and control all data stores throughout their enterprise.

Three phases—Analyze, Enhance, and Control—are particularly important when designing Identity Management solutions. Before implementing an Identity Management solution, designers spend a significant amount of time analyzing the identity data, cleansing the identity data, and modeling business rules to create identity data replication and synchronization policies that guarantee the data remains in a reliable state. Additionally, after an Identity solution is put into place, customers must verify and reconcile that the these processes are performing as intended to maintain consistent and reliable data.

The goal of Analyzer is to provide a set of tools to resolve data quality issues and improve the Identity Manager deployment process. Industry analysts note that Identity Management projects spend three to eight times more on design and implementation than on the cost of the software on design and implementation. Analyzer directly attacks these project-related costs by providing a powerful environment for cleaning and preparing identity data in order to streamline identity infrastructure implementations.

Novell is developing Analyzer under an iterative development model. At the end of each iteration Novell releases a milestone build that encompasses the goals of that milestone. These milestones provide customers with access to the product throughout the development cycle so they can participate in directing development decisions over time.

2.0 System Requirements

Review the following system requirements before installing Analyzer.

2.1 Hardware Requirements

Minimum video resolution: 1024x768 (1280x1024 recommended)
Memory: 512 MB minimum (1 GB recommended)
Processor: 1 GHz or higher

2.2 Software Requirements

Analyzer requires one of the following operating systems:
- SUSE® Linux Enterprise Desktop 10 SP2
- SUSE Linux Enterprise Server 10 SP2
- openSUSE® 10.3
- Windows* XP or Vista
Gettext Utilities (Linux^* installation only)

2.3 Available Drivers

The following Identity Manager drivers have been tested with Analyzer 1.0, both locally and remotely where applicable:

Active Directory*
JDBC^*

NOTE:The JDBC driver has been tested with the following databases: DB2*, Informix*, MySQL*, Oracle*, PostgreSQL, SQL Server*, and Sybase*.
LDAP
PeopleSoft*
i5/OS*
LinuxUnix
OS/400*
RACF*
SAP* User
TopSecret*

For information about installing and configuring a Remote Loader for the drivers that require it, see the Identity Manager Remote Loader documentation.

3.0 Known Issues

The following issues exist in the Analyzer 1.1 environment:

3.1 Avoiding Projects Created with Pre-Release Versions of Analyzer

Over the course of its development, Analyzer has gone through some significant architectural and model changes. Because of this, projects created with pre-release versions of Analyzer might not work properly with the released Analyzer.

To avoid difficulty, specify a new workspace for the released Analyzer and do not mix old projects with new projects. When you use the internal Analyzer database, this ensures that you are not mixing pre-release data tables and formats with the released Analyzer data tables.

If you use an external MySQL database as your Analyzer database, clean out any pre-release data before using it with the released Analyzer. To do this, use your preferred database management tool to delete the following database tables before starting the released Analyzer for the first time:

DSTable_ver where ver is a version number
AnalysisTable_ver where ver is a version number
All tables with an enf_ prefix

Alternatively, you can create a new MySQL database for use with the released Analyzer.

3.2 Data Browser Issues

Please note the following issues when using the Data Browser:

Limit Attributes in Data Set Definition: Novell recommends restricting data set definitions to fewer than 10 attributes for optimal Data Browser performance. Creating data set definitions with more than 10 attributes causes the Data Browser performance to deteriorate significantly.

Painting Issues: When returning from the Multi-Value Edit dialog box to a cell with multiple values, Analyzer does not repaint the table cursor correctly.

To correct the display, move to another cell with a click or an arrow key, then move back to the original cell.

Sorting Issues: Integer columns sort as strings instead of integers. For example, 100 sorts before 90. Also, sorting is case sensitive. For example, “Bob” sorts before “andy”.

Empty Column in Flat File Data Import: The Source-DN field is always empty in a data set instance imported from a flat file. You can ignore it.

3.3 Analyzer Does Not Start After Installing on Windows Vista

Windows Vista* has implemented a new User Account Control feature that prevents applications from running as Administrator unless you specifically allow it.

To run Analyzer in Vista, right-click the Analyzer shortcut and choose the option to Run as Administrator. You can also choose to disable User Account Control.

3.4 Analyzer Database Does not Initialize After Restart

If you quickly stop and restart Analyzer, the Analyzer Database might not reinitialize properly. To avoid this problem, wait approximately thirty seconds before restarting Analyzer.

If Analyzer starts and the Analyzer Database is not initialized correctly, select Refresh View in the Project View to reinitialize the database.

3.5 Using a MySQL External Database with Analyzer

Analyzer allows you to change its internal database from the default HSQLDB to a MySQL database. You can configure database settings in Window > Preferences > Analyzer > Database Settings. When using an external MySQL database, be aware of the following issues:

Importing a Data Set Instance: An error might occur when importing a data set instance to the MySQL database if another instance of Analyzer is accessing the MySQL database at the same time. This is a synchronization error between Hibernate and the MySQL server. To work around this problem; do one of the following:

Wait a minute, then try to import the data set instance again.
Open Window > Preferences > Analyzer > Database Settings, then click OK to reinitialize the database settings.

Automatically Creating a MySQL Database: When you designate an external MySQL database for use by Analyzer (in Window > Preferences > Analyzer > Database Settings), Analyzer automatically attempts to create the database. However, if you have any issues accessing the MySQL database after doing this, you might need to first create the database manually. When doing this, test access to the database with the user credentials that Analyzer will use.

Extended and Double-Byte Characters: The MySQL database uses the default character set from the operating system for encoding table fields. If an extended or double-byte character is not recognized by the default character set, Analyzer displays ??? in the Data Browser. To avoid this, set the operating system’s default character set to UTF-8, or to a character set that includes all the extended or double-byte characters that Analyzer might import.

3.6 SAP User Driver Requires Additional Files

To use the SAP user driver, you must install the sapjco.jar library in Analyzer, and install the librfc32.dll and sapjcorfc.dll into the Windows %systemroot% folder (typically C:\windows\system32).

Restart Analyzer after installing these files.

3.7 DB2 Driver Requires Additional Libraries

The Analyzer DB2 driver requires the following two libraries to function properly. You can download these libraries from IBM^*.

db2java.zip
db2jcc.jar

3.8 Warning About Modifying Data

Analyzer does not prevent users from modifying anything in a data set. If a user with appropriate rights to the source application modifies a value, for example a GUID or DN, Analyzer does not attempt to determine if the modification will cause a problem when written out to the source application.

To avoid causing unintended problems in the source application, users should be careful when modifying data and sending those modifications to the source application.

3.9 Errors When Sending Updated Data to an Application

When attempting to push updated data to the source application from Analyzer’s Data Browser (by clicking Save to Application), you might get an error indicating there was a problem with the update operation. However, the Data Browser’s modified data indicators in the data table change to indicate that the updates were successful.

If this occurs, the data updates might have been unsuccessful. Re-import the data from the source application to make sure you know the true state of the data before making any other data modifications.

Problems with the update operation occur primarily when adding a value to a multi-valued attribute.

3.10 IDS Trace Level

The IDS Trace view consumes significant resources. You should only open the IDS Trace view when you need the information.

The IDS Trace level is set to 3 by default in order to track connection problems and errors. This trace level can cause performance issues with data browsing. You can modify this setting by clicking the Preferences button in the IDS Trace view.

3.11 Importing Does Not Return Data from the Application

The following issues can prevent Analyzer from displaying data set content in the Data Browser view:

3.11.1 SQL Reserved Word Used as a Column Name

Analyzer 1.0 does not support SQL reserved words as column names for data sets (For example, group or select.) If a column name is an SQL reserved word, no data displays in the Data Browser view. To avoid this, exclude the column (attribute) with a reserved-word name from the data set.

3.11.2 Subscriber Is Disabled for the Selected Connection

By default, Analyzer’s Subscriber channel is enabled so that you can perform data set queries. However, if a connection profile was synchronized from Designer with the Subscriber channel disabled, it remains disabled for Analyzer. If your data sets do not have any data, confirm that the connection profile’s Subscriber channel is enabled in Analyzer.

To do this, right-click the desired connection profile, then select Properties. In the connection profile properties, select IDS Configuration > Parameters > Subscriber Options. Make sure that Disable subscriber is set to No (default).

3.12 Back Button Does Not Work in the Configuration Wizard

The Back button in the Configuration Wizard dialog boxes is not functional. If you need to make a change to the connection profile on which you are working, either cancel the wizard and start over, or finish configuring the connection profile and make the change in connection properties.

3.13 Analysis Does Not Consider the Class Name

Analyzer performs its data analysis solely based on the attribute name, and does not take the class name into account. Therefore, if you map attributes from different classes to the same application attribute, the Analysis tests only the first mapped attribute it encounters. For example, in the following schema map, Analyzer tests only the name attribute mapped to the Group class, and ignores the mapping in the User class.

Class = Group
  |___ Attribute = gname ---> name

Class = User
  |___ Attribute = uname ---> name

This issue might also exist with the preconfigured schema maps that Analyzer includes with its drivers. The mappings might be correct to the attribute name, but not the class name.

3.14 Deleting Multiple Projects Generates Exception Errors

If you delete multiple Analyzer projects simultaneously, the error log might record several exception messages. These messages are benign and do not indicate any problem with Analyzer or with the delete operation.

3.15 Some Characters Cause Problems with Pattern Frequency Analysis

The Pattern Frequency analysis metric does not work properly with data that includes the following characters. If you attempt to do a pattern frequency analysis on a data set that has values that contain any of these characters, the analysis fails and returns an empty result.

Character	Description
+	Plus (addition) symbol
*	Asterisk
.	Period
‘	Apostrophe
?	Question mark
\|	Pipe symbol
\	Backslash symbol
( )	Left or right parentheses
[ ]	Left or right bracket

3.16 Apostrophe in a Value Causes a Problem with Saving to an Application

If you modify a data value in a data set instance so that it includes an apostrophe (‘), Analyzer generates a Java* exception error when attempting to save the changes back to the application. This occurs when using either the HSQL database or an external MySQL database for Analyzer.

3.17 Unable to Import Connections from Designer

If connections do not import properly from Designer, the likely problem is that the server configuration associated with the driver set in Designer is incorrect or incomplete. For example, when you create a new driver set in Designer, the default server DN is server.context. If you attempt to import connection information that includes invalid information like this, the import fails.

Before importing connection information from Designer, make sure that the server information is valid.

3.18 Errors when Printing Reports

On Linux systems with CUPS printers, the JasperReports* framework is unable to print reports directly from the Report Viewer. However, you can save the report as a PDF file, then print it from a PDF reader.

3.19 Unable to Cancel Large Data Operations

When importing a large data set instance or running an SQL query on a large data set instance, clicking Cancel in the progress dialog box does not work. To cancel the operation, you can either let the operation complete or shut down and restart Analyzer.

3.20 Connection Wizard Help Pages

The Connection Wizard uses some dynamic help pages from which Designer is unable to properly reference the Analyzer help pages. Because of this, when you click the Help button you get general Eclipse help rather than dialog-specific help for the Connection Wizard.

The first three pages and the final Summary page in the Connection Wizard are static pages that properly display the Analyzer help. Use the help from these pages to get all the help information for the Connection Wizard.

3.21 Matching Analysis Does Not Exclude Deleted Values

If you have deleted values in the Data Browser that have not been updated to the application, the deleted values are still considered when running a Matching Analysis.

3.22 Application Schema Import Fails

The Identity Vault schema does not support multiple classes with the same name. Some application schemas, such as Notes, do support duplicate class names. If you want to import an application schema that includes duplicate class names, you should first consolidate the duplicate class names into a single class that contains the attributes from all duplicate classes.

If you cannot resolve the duplicate classes in the application schema, you can manually resolve the duplicate class names in Analyzer by doing the following:

WARNING:This procedure is not recommended and can cause inconsistencies in the Identity Vault schema. It should only be used if absolutely necessary.

Open the IDS Trace view (Window > Show View > IDS Trace).
In the Project view, right-click the appropriate connection, then select Refresh Schema.

This captures the application schema in the IDS Trace. If the IDS trace does not capture the entire schema, increase the IDS Trace window size by clicking the Preferences icon, then increasing the Maximum lines to retain setting.
Open the Navigator view (Window > Show View > Navigator).
In the Navigator view, expand the appropriate project, then browse to Model > Analyzer.
Double-click the appropriate schema file (*ShimConfig.xml) to open it in an XML editor.

If there are multiple shim config files, you can identify the application associated with each file by opening the file and looking at the contents of the <class-name>, <auth-id>, and <auth-context> tags.
In the XML editor, search for the following elements. If they do not exist, add them to the schema immediately above the closing </shim-config> tag.
```
<app-schema-def>
   <schema-def>
...
   </schema-def>
<app-schema-def>
```
In IDS Trace, locate the <NDS> tag, then paste the contents of the <NDS> tag into the <schema-def> tag in the *ShimConfig.xml file.

Make sure you do not include the <NDS> as part of what you copy and paste into the *ShimConfig.xml.
Search for any duplicate <ClassDef> elements in the schema definition and consolidate all attribute definitions <attr-def> under a single <ClassDef> element.
Save the changes to the schema file (Ctrl+S), then restart Analyzer.

3.23 Matching is Case Sensitive when Using HSQL

If you are using HSQL as the back end database for Analyzer, matching is case sensitive. If you are using MySQL the back end database is case insensitive.

3.24 Outstanding Bugs

A list of all currently open Analyzer bugs is available in Bugzilla by using the following Analyzer Bugzilla query.

4.0 Documentation

The following sources provide information about Analyzer:

Novell Compliance Management Platform product page

Analyzer is part of the Novell Compliance Management Platform product.
Analyzer for Identity Manager Forum
Identity Manager support forums
Novell Identity Manager documentation site
Designer for Identity Manager documentation site
Identity Manager drivers documentation site

5.0 Third-Party License Information

5.1 HSQLDB License

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE HYPERSONIC SQL GROUP, OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the Hypersonic SQL Group.

5.2 Jython License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the Sun Microsystems, Inc. nor the names of contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

6.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell Export Web site for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007-2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at the Novell Patent Web site and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell trademarks, see the Novell Online Trademark List.

All third-party trademarks are the property of their respective companies.