1.3 What’s New in Identity Manager?

Identity Manager has the following new features:

1.3.1 Fixes included in Identity Manager 3.0.1

For a list of defect fixes included in Identity Manager 3.0.1, see TID 3351724.

1.3.2 Designer for Identity Manager

Identity Manager includes an extremely flexible and powerful modeling tool, Designer 1.2. Designer is a standalone client application that enables you to design, deploy, and document Identity Manager-based solutions in a highly productive environment.

Using Designer, you can do the following:

  • Design solutions locally, test them, then deploy solutions to the network.

  • Import existing solutions from the network into Designer and work on them.

  • Interact with your deployed solution to update any setting and view the state of any driver or system.

Designer has most of the configuration capabilities that are available in Novell iManager, plus new capabilities and advantages for designers. Some of the tasks you can perform in Designer include:

  • Use powerful modeling to create the big picture of Identity management for your enterprise, with all Identity Manager components, end-systems and applications, and other visual elements. Divide the big picture into smaller connected pictures by organizing the systems into groups. Pan, scan, and zoom. Model application subsystems, eDir-to-eDir, and multiple drivers connecting to one system, in a way never possible before.

    Figure 1-1 Creating the Big Picture Is Simple In Designer

  • Work in different modes as either a high-level architect or a low-level developer, and easily transition from one to the other.

    Figure 1-2 Choose Between Developer and Architect Modes

  • Visually see and manipulate how data flows across the entire enterprise.

  • With the push of a button, document your solution with detailed tables, charts, and graphics of all of your systems. You can document policies, schema, Identity Manager components, custom content, and project information, including a table of contents, appendix, and page numbering. You can strongly customize both the content and format of your document.

  • Use the built-in policy simulator and Identity Manager engine to test your policies off-line.

  • Easily create, copy, move, and share projects that span an entire enterprise. Because projects are local and filed based, you can easily back up and version your entire solution.

  • Use instant project-wide search and edit capabilities.

  • Work in a highly productive rich-client environment, with a native look and feel.

  • Work well in a disconnected mobile environment for when you're “on the go.”

  • Use strong visual editors, minimal pop-ups, and well-synchronized views laid out to maximize productivity.

  • Use wizards to help you get started and configure projects.

  • Auto-create of objects, auto-value, auto-connection, auto-layouts.

  • Use strong copy/paste within and across editors, as well as full undo/redo in most editors and views.

  • Set many preferences and options that tailor the UI to how you want to use the product.

  • Get help thorough contextual help and a powerful searchable help system.

  • Auto-update installation notifies you of any updates and easily pulls them in.

Designer also comes with a number of features for developers:

  • You can easily add and model something not in the shipping version. For example, you can add your own applications, drivers, resources, and icons.

  • You can configure Designer to use a different editor. Configure all file types (for example, .xml and .txt) to use your editor of choice. Eclipse-based editors work best, but you can also include various artifacts (for example, word processing documents and spreadsheets). The native editor is automatically integrated into Designer if the platform supports it.

  • You can develop and debug in Java. If you install Designer plug-ins into a full Eclipse install, you can do Java development and debugging, ANT, C#, and UML modeling, all in the same tool alongside Designer. This has particular value to Identity Manager driver writers (Java or C) who want the tools all together.

  • You can use public APIs. Novell is using fully published public Eclipse APIs, an underlying project data model that is consistent with open industry standards in its format, and also using published Eclipse extension points.


Designer was created for the following audiences:

  • Enterprise IT developers

  • Consultants

  • Sales engineers

  • Architects or system designers

  • System administrators

This tool is aimed at information technology professionals who:

  • Have a strong understanding of directories, databases, and their information environment

  • Act in the role of a designer or architect of identity-based solutions

You don’t need to be a developer or programmer to fully make use of every aspect of this tool. We provide many capabilities for developers to extend this tool to suit their own needs. Wizards make this tool easy to learn and use in building Identity Management solutions. Experienced users can bypass the wizards and interact directly at any level of detail.

You can also use Designer as an effective and valuable tool to help communicate key Identity Solution concepts and design to strategic decision-makers in the organization. You can use both the visual Modeler and documentation that captures and displays Designer data.

How Designer Relates to the iManager Tools

iManager’s primary use is for administration. iManager continues to be updated with new functionality for managing and monitoring deployed solutions. iManager’s Web-based environment continues to have the following advantages:

  • Remote access

  • Centralized administration

  • Support for roles

  • Integration with other Web-based tools

iManager and Designer have similarities, but their features and end-user experience are optimized for their respective target users and environments. They are compatible. You can export information (for example, a driver set or a driver) from one application to the other. Also, several key common User Interface elements have been made similar so that you can move between the tools effectively.

1.3.3 Eclipse-based tools to customize the User Application

Identity Manager 3.0.1 also includes Designer 1.2. The latest version of Designer provides a powerful set of Eclipse-based design tools that can be used to customize the Identity Manager User Application. These tools include the directory abstraction layer editor and the provisioning request definition editor.

The directory abstraction layer editor allows you to modify the user applications behavior by:

  • Adding new entities (Identity Vault objects)

  • Defining the set of attributes for an entity

  • Specifying the contents of lists

  • Modeling relationships among entities

  • Defining automatic lookups between entities

The provisioning request definition editor gives you complete control over the workflow design for a provisioning request. It lets you model the flow of user interactions needed to handle the provisioning request and its approvals. The provisioning editor allows you to:

  • Define the basic characteristics of the provisioning request

  • Design the associated workflow

  • Define the request and approval forms

  • Configure the activities and flow paths

Identity Manager ships with a set of provisioning request templates you can use to create your definitions. The templates model some common workflow design patterns. However, if you want to exercise complete control over the behavior of your workflows, you can create your provisioning request definitions from scratch.

For more information on designing user application components, see the Identity Manager User Application Design Guide.

1.3.4 Entitlements for Workflow-Based Provisioning and Enhancements to Role-Based Entitlements

Identity Manager allows you to synchronize data between connected systems. Entitlements allow you to set up criteria for a person or group that, once met, initiate an event to grant or revoke access to business resources within the connected system. This gives you one more level of control and automation for granting and revoking resources.

There are two aspects to making entitlements work: creating the entitlement and managing the entitlement. You create entitlements through iManager or through Designer. To create an entitlement through iManager, select the Create Entitlement Option under the Identity Manager Utilities heading in iManager. For more information, see Creating and Using Entitlements in the Novell Identity Manager 3.0.1 Administration Guide.

You can also use Designer to create entitlements and deploy them into existing Identity Manager drivers. Designer allows you to create entitlements through the Entitlement Wizard, which gives you a graphical interface through which to create the entitlement, and steps you through the process. In iManager, you create entitlements through a simple interface, but you add additional properties through an XML editor. Because it has a graphical interface, we recommend using Designer for creating and editing entitlements.

After you create entitlements (or use entitlements that come preconfigured with certain Identity Manager drivers), you need to manage them. Entitlements are managed by two packages or agents: iManager through Role-Based Entitlement Policies or with workflow-based provisioning through the User Application.

Role-Based Entitlement policies allow you to grant business resources if the criteria are met. For example, if a user meets criteria 1, 2, and 3, then a Role-Based Entitlement policy can add the user to Group H; but if the user meets criteria 4 and 5, he or she becomes a member of Group I. In order for this entitlement to work through workflow-based provisioning, approval is first required.

Entitlements created in Designer 1.2 won’t work on Identity Manager engines earlier than Identity Manager 3.0. In Designer, you can access the Entitlements Wizard from the Modeler or from the Outline view.

  • In the Outline view, right-click an Identity Manager driver. Select Add Entitlement.

  • In the Modeler view, right-click a Driver object and select Entitlements > Add Entitlement.

1.3.5 Novell Identity Manager User Application and Workflow-Based Provisioning

The Novell Identity Manager User Application is a powerful Web application with supporting tools for provisioning. Workflow-based provisioning is the process of managing user access to secure resources in an organization. Users request resources and one or more individuals (including delegates or proxies) with approval rights can approve or deny the request. Users can also view the status of requests.

When used in conjunction with the Provisioning Module for Identity Manager and Novell Audit, the Identity Manager User Application provides a complete, end-to-end provisioning solution that’s secure, scalable, and easy to manage.

The User Application offers the following Web-based end user functionality:

  • White pages

  • Organizational charts

  • User search (with ability to save custom search configurations)

  • Self-service password management

  • Lightweight user administration tools

  • Initiation and monitoring of provisioning requests (if the Provisioning Module is installed)

  • Management of personal and/or team tasks (if the Provisioning Module is installed)

  • Delegation and proxy capabilities

  • Self-Service User Profile management (users can edit selected information on their public profiles)

  • E-mail notification of provisioning tasks

  • More than 85 portlets to create customized intranet pages for users as part of the Identity portal

  • Support for self-provisioning and approval based provisioning workflows

For the system administrator, the User Application offers a rich assortment of configuration and administration capabilities, including:

  • iManager plug-ins to allow setup and management of proxy and delegation rights

  • Access to logging tools and customized Crystal Reports

  • Wizard-based configuration of workflows (if the Provisioning Module is installed)

  • Workflow management (if the Provisioning Module is installed), including enabling and disabling of workflows and suspension of flows in progress

Support for workflow-based provisioning is a key feature of Identity Manager 3 and is a separate purchase. Workflow-based provisioning is not supported in Identity Manager 2.

1.3.6 Novell Credential Provisioning Policies

Novell Credential Provisioning Policies for Identity Manager have been developed to enhance the user provisioning capabilities of any Identity Manager driver by providing the capability to simultaneously provision application credentials to the Novell SecretStore® and Novell SecureLogin credential repositories. Additionally, the product can provision the SecureLogin Passphrase question and answer in environments where non-repudiation capability is desired. These product capabilities enhance the User Single Sign-On (SSO) experience and increase the return on investment of SSO technologies by eliminating the initial setup of SecureLogin account information, providing additional security to application credentials, and reducing the replication of effort normally associated with provisioning SSO credential stores for users. It is important to note that the product can use IDM policies to automatically de-provision application credentials to prevent access to application data. For more information see Novell Credential Provisioning Policies in the Policy Builder and Driver Customization Guide.