The following scenarios are examples of the environment in which Identity Manager might be used. For each scenario, some guidelines are provided to help you with your implementation.
Figure 2-1 New Installation
Identity Manager is a data-sharing solution that leverages your Identity Vault to automatically synchronize, transform, and distribute information across applications, databases, and directories.
Your Identity Manager solution includes the following components:
The Identity Vault contains the user or object data you want to share or synchronize with other connected systems. We recommend that you install Identity Manager in its own eDirectory™ instance and use it as your Identity Vault.
You use Novell® iManager and the Identity Manager plug-ins to administer your Identity Manager solution.
Connected systems might include other applications, directories, and databases that you want to share or synchronize data with the Identity Vault. To establish a connection from your Identity Vault to the connected system, install the appropriate driver for that connected system. Refer to the driver implementation guides for specific instructions.
Install System Components: Because your Identity Manager solution might be distributed across several computers, servers, or platforms, you should run the installation program and install the appropriate components per system. Refer to Section 4.2, Identity Manager Components and System Requirements for more information.
Set Up Connected Systems: Refer to Section 4.2, Identity Manager Components and System Requirements and the driver implementation guides for specific instructions.
Activate Your Solution: Identity Manager products (professional, server editions, Integration Modules, and User Applications) require activation within 90 days of installation. See Section 6.0, Activating Novell Identity Manager Products.
Define Business Policies: Business policies enable you to customize the flow of information into and out of the Identity Vault for a particular environment. Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Identity Manager associations, and many other things. A detailed guide to policies is contained in the Policy Builder and Driver Customization Guide.
Configure Password Management: Using Password policies, you can increase security by setting rules for how users create their passwords. You can also decrease help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords. For in-depth information on Password Management, refer to “Managing Passwords by Using Password Policies” in the Managing Passwords guide.
Configure Entitlements: Entitlement definitions let you grant entitlements on connected systems to a defined group of users within the Identity Vault. Using Entitlement policies, you can streamline management of business policies and reduce the need to configure your Identity Manager drivers. For more information, see Creating and Using Entitlements in the Novell Identity Manager 3.0 Administration Guide.
Logging Events with Novell Audit: Identity Manager is instrumented to use Novell Audit for auditing and reporting. Novell Audit is a collection of technologies providing monitoring, logging, reporting, and notification capabilities. Through integration with Novell Audit, Identity Manager provides detailed information about the current and historical status of driver and engine activity. This information is provided by a set of preconfigured reports, standard notification services, and user-defined logging. Refer to Logging and Reporting Using Novell Audit in the Novell Identity Manager 3.0 Administration Guide.
Workflow Approval and User Application: The Novell Identity Manager User Application is a powerful web application (and supporting tools) designed to provide a rich, intuitive, highly configurable, highly administrable web UI experience atop a sophisticated identity-services framework. When used in conjunction with the Provisioning Module for Identity Manager and Novell Audit, the Identity Manager User Application provides a complete, end-to-end provisioning solution that is secure, scalable, and easy to manage. Refer to the User Application Documentation.
Figure 2-2 Installing Identity Manager in the Same Tree as DirXML 1.1a
If you are running both Identity Manager and DirXML® 1.1a in the same environment, keep in mind the following considerations.
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
A notable exception is Password Synchronization 1.0, which does not run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
See also Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.0 Administration Guide.
Figure 2-3 Upgrading from Starter Pack to Identity Manager
The Identity Manager Starter Pack solutions included with other Novell products provide licensed synchronization of information held in NT Domains, Active Directory, and eDirectory. Additionally, evaluation drivers for several other systems including PeopleSoft*, GroupWise®, and Lotus Notes*, are included to allow you to explore data synchronization for your other systems.
This solution also offers you the ability to synchronize user passwords. With PasswordSync, a user is required to remember only a single password to log in to any of these systems. Administrators can manage passwords in the system of their choice. Any time a password is changed in one of these environments, it will be updated in all of them.
Identity Manager Starter Packs that shipped with NetWare 6.5 and Nterprise™ Linux Services 1.0 were based on DirXML 1.1a technology. When upgrading from a Starter Pack to the latest version of Identity Manager, keep in mind the following considerations:
In the Identity Manager plug-ins, if you click a driver that is in 1.1a format, you are prompted to complete the conversion. This is a simple process done with a wizard, and it does not change the functionality of the driver configuration. As part of the process, a backup copy of the DirXML 1.1a version is saved.
A notable exception is Password Synchronization 1.0, which does not run correctly for AD and NT after you upgrade the driver shim unless you add some additional driver policies. For instructions, see the sections about Password Synchronization in the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
For more information on activation, refer to Section 6.0, Activating Novell Identity Manager Products.
Figure 2-4 Upgrading from Password Synchronization 1.0 to Identity Manager Password Synchronization
Identity Manager Password Synchronization offers many features, including bidirectional password synchronization, additional platforms, and e-mail notification when password synchronization fails.
If you are using Password Synchronization 1.0 with Active Directory or NT Domain, it is very important that you review the instructions for upgrading before you install the new driver shims.
If you are running Identity Manager 2.x with Password Synchronization 2.0, you do not need to follow these steps.
For information about Identity Manager Password Synchronization in general, see Password Synchronization across Connected Systems in the Novell Identity Manager 3.0 Administration Guide. That section contains conceptual information including a comparison of old and new features, prerequisites, a list of features supported for each connected system, instructions on adding support to existing drivers, and several scenarios showing how you could use the new features.
The new Password Synchronization functionality is implemented by driver policies, not by a separate agent. This means that if you install the new driver shim without upgrading the driver configuration at the same time, Password Synchronization 1.0 continues to work only for existing users. New, moved, or renamed users do not participate in Password Synchronization until you complete the upgrade of the driver configuration.
Use the following general steps to upgrade:
This step allows Password Synchronization 1.0 to continue to function correctly until you make the switch to Identity Manager Password Synchronization.
See Implementing Password Synchronization in the Novell Identity Manager 3.0 Administration Guide.
For detailed instructions, see the driver implementation guides for the Identity Manager Drivers for Active Directory and NT Domain.
Upgrading for eDirectory is fairly simple, and the driver shim is intended to work with your existing DirXML 1.1a driver configuration with no changes, assuming that your driver shim and configuration have the latest patches. For instructions, see the Identity Manager Driver for eDirectory: Implementation Guide.
Identity Manager Password Synchronization supports more connected systems than Password Synchronization 1.0.
For a list of the features that are supported for other systems, see Connected System Support for Password Synchronization in the Novell Identity Manager 3.0 Administration Guide.
Driver policy “overlays” are provided to help you add bidirectional Password Synchronization functionality to existing drivers for connected systems that were not previously supported. See Upgrading Existing Driver Configurations to Support Password Synchronization in the Novell Identity Manager 3.0 Administration Guide.
Universal Password is protected by four layers of encryption inside eDirectory, so it is very secure in that environment. If you choose to use bidirectional password synchronization, and you synchronize Universal Password with the Distribution Password, keep in mind that you are extracting the eDirectory password and sending it to other connected systems. You need to secure the transport of the password, as well as the connected systems it is synchronized to. See Security: Best Practices in the Novell Identity Manager 3.0 Administration Guide.