Novell Documentation: Nsure Identity Manager Drivers - Understanding the Driver Configuration

Understanding the Driver Configuration

After you install Identity Manager and the driver, you create a Driver object. A Driver object represents an instance of the Identity Manager Driver for SIF.

A driver configuration file, SIFAgent.xml, is provided to get you up and running with a minimum of customization. This section explains what the driver configuration does.

For information about Identity Manager in general, see "Overview" in the Novell Nsure Identity Manager 2 Administration Guide.

How eDirectory Is Updated When Data Changes in the Student Information System

The following tables describe what the configuration does to provision user accounts and keep eDirectory updated when changes occur in the student information system.

In this section:

Student Provisioning

Change in Student Data	Synchronization in eDirectory
A student is added	Creates an eDirectory User object with a unique user ID. Populates the User object attributes with data from the student information system. The attributes are listed in Data Mapping. Places the user in the correct container as determined by the student's school and grade level or graduation year. Uses a template (if you specify one) to set default properties for the user, group membership, login restrictions, and password restrictions. (NetWare^® only) Creates a home directory in the file system. (You must use a template to specify this.)
A student's information is modified	Modifies the eDirectory User object attributes accordingly. The attributes are listed in Data Mapping. If appropriate, moves the User object to a different container in the tree. For example, a school or grade level/graduation year change could trigger moving the user to a different container. (Optional) If any of the attributes used to create the User ID change, the user account is renamed. The home directory is not moved.
A student withdraws from school or graduates	On the Exit Date, disables the login of the User object in eDirectory. (Optional) On the Exit Date, moves the user account to the Disabled directory. The home directory is not deleted.
A student returns to the school system (an Entry Date that is newer than the Exit Date is entered in the student information system)	Enables the login of the User object in eDirectory. Moves the user account from the Disabled directory to the correct student container. The User object still has rights to the home directory.
A student is removed from the student information system	On the Exit Date, disables the login of the User object in eDirectory. (Optional) Moves the user account to the Disabled directory. The home directory is not deleted.

Staff Provisioning

Change in Staff Data	Synchronization in eDirectory
Staff is added	Creates an eDirectory User object with a unique User ID. Populates the User object attributes with data from the student information system. The attributes affected are listed in Data Mapping. Places the user in the correct container, as determined by the Zone. Uses a template (if you specify one) to set default properties for the user, including group membership, login restrictions, and password restrictions. (NetWare only) Creates a home directory in the file system. (You must use a template to specify this.)
Staff information is modified	Modifies the eDirectory user accordingly. The attributes maintained are listed in Data Mapping. (Optional) If any of the attributes used to create the User ID change, the user account is renamed.
Staff removed from the student information system	Disables the User object in eDirectory. (Optional) Moves the user account to the Disabled directory. The home directory is not removed from the file system.

Data Mapping

The Identity Manager Driver for SIF uses data from the student information system to synchronize the following User class attributes in eDirectory:

eDirectory Attribute	SIF Object	SIF Attribute
CN	StudentPersonal or StaffPersonal	CN is formed from the combination of several SIF attributes.
Full Name	StudentPersonal or StaffPersonal	Name/FullName
Generational Qualifier	StudentPersonal or StaffPersonal	Name/Suffix
Given Name	StudentPersonal or StaffPersonal	Name/FirstName
Initials	StudentPersonal or StaffPersonal	Name/MiddleName
Internet EMail Address	StudentPersonal or StaffPersonal	Email
Login Expiration Time	StudentSchoolEntrollment	EntryDate and ExitDate When ExitDate is newer than EntryDate, the login is set to expire on the ExitDate. When the EntryDate is newer than the ExitDate, the expiration date is removed.
personalTitle	StudentPersonal or StaffPersonal	Name/Prefix
preferredName	StudentPersonal or StaffPersonal	Name/PreferredName
Physical Delivery Office Name	StudentPersonal or StaffPersonal	Address/City
Postal Code	StudentPersonal or StaffPersonal	Address/PostalCode
Postal Office Box	StudentPersonal or StaffPersonal	Address/Street/Line2
S	StudentPersonal or StaffPersonal	Address/StatePr
SA	StudentPersonal or StaffPersonal	Address/Street/Line1
Surname	StudentPersonal or StaffPersonal	Name/LastName
Telephone Number	StudentPersonal or StaffPersonal	PhoneNumber
Title	StaffPersonal	Name/Title
DirXML-sifGrade	StudentSchoolEnrollment	GradeLevel
DirXML-sifGradYear	StudentPersonal	GradYear
DirXML-sifIsStaff	StudentPersonal or StaffPersonal	Not set from a particular attribute. It is set to True if the SIF object is StaffPersonal. Otherwise, it is set to False.
DirXML-sifSchool	SchoolInfo	IdentificationInfo
DirXML-sifSchoolName	SchoolInfo	SchoolName
DirXML-sifSISID	SchoolInfo	RefId
DirXML-sifSSEGUID	StudentSchoolEnrollment	RefId

Sending Data from eDirectory to SIF

The SIF Driver is generally used to provision users from a SIF-enabled student information system to eDirectory. The driver is configured, by default, to send no data from eDirectory to the Zone Integration Server (ZIS) and the student information system. The student information system is considered to be the authoritative data source.

However, the driver is capable of bidirectional synchronization and can send data to the ZIS and SIF. There are two ways you might choose to use this bidirectional capability:

Configure the driver as the authoritative source for some user attributes or for new users.
If you want eDirectory to be the authoritative source for some user attributes, you could configure the driver to send certain attributes from eDirectory to SIF.

If your business practices allow users to be entered manually in eDirectory who are not entered in the student information system first, you could also configure the driver to send new users from eDirectory to SIF.
Configure the driver to be the SIF provider for all student and staff data.
If your student information system is not SIF-enabled, but you have other SIF-enabled applications, you might choose to configure the SIF Driver to function as the authoritative source for students and staff.

In this role, the SIF Driver is the SIF provider for StudentPersonal, StudentSchoolEnrollment, SchoolInfo, StaffPersonal, and SIF Authorization objects. Being the provider means this driver responds when other SIF-enabled applications send SIF queries for information about students and staff.

For example, you could export student and staff information from your student information system and import it into eDirectory, using a database import. At the start of the school year, the other SIF Agents in the Zone would populate their databases by querying for all students. If you register the SIF Driver as the provider for the Zone, the queries would be routed to the SIF Driver. During the school year, as student and staff information in eDirectory is updated, either by database import or by updating manually, the SIF Driver would send those updates to SIF, thereby keeping the other SIF-enabled applications current.

You would not enable this option if you have a SIF-enabled student information system. Only one Agent in a Zone can be the provider. If you have a SIF-enabled student information system, we recommend that the student information system be the provider.

If you configure the Novell SIF Driver to send new users or to be the provider of all student and staff information, at a minimum you must provide the following user attributes when creating a user object in eDirectory. A new user object is not sent from eDirectory to SIF unless these attributes have values.

Type of User Account	Attribute
Student	Given Name
	Surname
	DirXML-sifGrade
	DirXML-sifGradYear
	DirXML-sifSchool
	DirXML-sifSISID
Staff	Given Name
	Surname
	DirXML-sifSISID