1.2 User Application Architecture

The Identity Manager User Application relies on a number of independent components acting together. The core components are shown in Figure 1-1.

Figure 1-1 User Application Core Components

1.2.1 User Interface

The Identity Manager User Application is a browser-based Java* application. It is comprised of a collection of JSR168-compliant portlets, JavaServer* Pages, and JavaServer Faces that run within a Java Web application on a J2EE*-compliant application server. The User Application framework provides container services, such as managing window state, portlet preferences, persistence, caching, theming, logging, and acts as a security gatekeeper. The application server, on which the User Application runs, provides various services to the application as a whole, such as scalability through clustering, database access via JDBC*, and support for certificate-based security.

1.2.2 Directory Abstraction Layer

The directory abstraction layer provides a logical view of the Identity Vault data. You define a set of entities and their related attributes based on the Identity Vault objects that you want users to view, modify, or delete in the User Application. The Directory Abstraction layer:

  • Performs all of the User Application’s LDAP queries against the Identity Vault. This isolates presentation-layer logic from the Identity Vault, so that all requests for identity data go through the directory abstraction layer.

  • Checks constraints and access control on data requests made via the User Application.

  • Caches runtime configuration and entity-definition data obtained from the Identity Vault. See Section 5.1.1, Caching Management

You use the directory abstraction layer editor plug-in (available in Designer for Identity Manager) to define the structure of the directory abstraction layer data definitions. To learn more, see the section on the directory abstraction layer editor in the Identity Manager User Application: Design Guide.

1.2.3 Workflow Engine

The Workflow Engine (available with the Provisioning Module) is a set of Java executables responsible for managing and executing steps in an administrator-defined workflow and keeping track of state information (which is persisted in a database). When the necessary approvals have been given, the Provisioning System provisions the resource as requested.

During the course of workflow execution, the Workflow Engine can send one or more e-mail messages to notify users of changes in the state of the workflow. In addition, it can send e-mail messages to notify users when updates have been made to proxy, delegate, and availability settings.

You can edit an e-mail template in the Designer for Identity Manager or in iManager and then use this template for e-mail notifications. At runtime, the Workflow Engine retrieves the template from the directory and replaces tags with dynamic text suitable for the notification.

Additional details about the Workflow Engine, including how to configure and manage provisioning workflows, are in Section V, Configuring and Managing Provisioning Workflows.

1.2.4 SOAP Endpoints

The User Application provides the following SOAP endpoints to allow third-party software applications to take advantage of User Application services:

Table 1-1 SOAP Endpoints

SOAP Endpoint


Provisioning Web Service

To support third-party access, the provisioning Workflow Engine includes a Web service endpoint. The endpoint offers all provisioning functionality (for example, allowing SOAP clients to start a new approval flow, or list currently executing flows).

Metrics Web Service

The workflow engine also includes a Web Service for gathering workflow metrics. The addition of the Metrics Web Service to the Workflow Engine lets you monitor an approval flow process. In addition, it provides indicators the business manager can use to modify the process for optimal performance.

Notification Web Service

The Identity Manager Provisioning Module includes an e-mail notification facility that lets you send e-mail messages to notify users of changes in the state of the provisioning system, as well as tasks that they need to perform. To support third-party access, the notification facility includes a Web service endpoint that lets you send an e-mail message to one or more users.

Directory Abstraction Layer (VDX) Web Service

The directory abstraction layer provides a logical view of the Identity Vault data. To support access by third-party software applications, the directory abstraction layer includes a Web service endpoint called the VDX Web Service. This endpoint lets you access the attributes associated with entities defined in the directory abstraction layer. It also lets you perform ad hoc searches for entities and execute predefined searches called global queries.

1.2.5 Application Server (J2EE-Compliant)

The application server provides the runtime framework in which the User Application, directory abstraction layer and Workflow Engine execute. The User Application is packaged as a Java Web Application Archive, or WAR file. The WAR is deployed to the application server.

The User Application runs on JBOSS and WebSphere. For a complete list of supported platforms, see the Installation Guide.

1.2.6 Database

The User Application relies on a database (MySQL* by default; see the Installation Guide for a list of supported databases) to store several kinds of information:

  • User application configuration data: for example, Web page definitions, portlet instance registrations, and preference values.

  • If the Provisioning Module is installed, workflow state information is persisted in the database. (The actual workflow definitions are stored in the User Application driver in the Identity Vault.)

  • Novell Audit logs

1.2.7 User Application Driver

The User Application driver is an important enabling piece of the User Application. It is responsible for:

  • Storing application-specific environment configuration data.

  • Notifying the directory abstraction layer when important data values change in the Identity Vault. This causes the directory abstraction layer to update its cache.

If the Provisioning Module is installed, the User Application driver can be configured to:

  • Allow events in the Identity Vault to trigger workflows.

  • Communicate the success or failure of a workflow's provisioning activity back to the User Application database, which allows users to view the final status of their requests.

  • Start workflows automatically in response to changes of attribute values in the Identity Vault.

The User Application driver is not only a runtime component but a storage wrapper for directory objects (comprising the User Application’s runtime artifacts).

Table 1-2 Artifacts Stored in the User Application Driver



Driver Set Object

Every Identity Manager installation requires that drivers be grouped into driver sets. Only one driver set can be active at a time (on a given directory server). The drivers within that set can be toggled on or off individually without affecting the driver set as a whole. The User Application driver (like any other Identity Manager driver) must exist inside a driver set. The driver set is not automatically created by the User Application; you must create one, then create the User Application driver within it.

User Application

The User Application driver object is the container a variety of artifacts. The User Application driver implements Publisher and Subscriber channel objects and policies. The Publisher channel is not used by the User Application but is available for custom user cases.

App Config Object

The AppConfig object is a container for the following User Application configuration objects.

  • RequestDefs: Container for Provisioning Request Definitions. The definitions stored here (as XML) represent the classes of requests that end users with appropriate rights can instantiate via the User Application. (Provisioning Module only)

  • WorkflowDefs: :Container for Workflow objects, including design-time descriptions plus any template or unused flows.

  • ResourceDefs: Container for Provisioned Resource definitions, including design-time descriptions plus any templates or unused targets.

  • ServiceDefs: Container for Service Definition objects, which wrap Web Services called by workflows.

  • DirectoryModel: Directory abstraction layer objects that represent different types of content of the Identity Vault that can be exposed in the User Application.

  • AppDefs: Container for configuration objects that initialize the runtime environment, such as cache configuration information and e-mail notification properties.

  • ProxyDefs: Container for proxy definitions.

  • DelegateeDefs: Container for delegate definitions.

1.2.8 Designer for Identity Manager

Designer for Identity Manager provides a set of plug-ins you can use to define the directory abstraction layer objects and provisioning requests and their associated workflows. For more information, see Section 1.4, Design and Configuration Tools

1.2.9 iManager

iManager provides a set of plug-ins you can use to configure and manage provisioning requests and their associated workflows. These tools also let you define provisioning teams and team rights. For more information, see Section 1.4, Design and Configuration Tools.

1.2.10 Identity Manager Engine

The Identity Manager engine provides the runtime framework that monitors events in the Identity Vault and connected systems. It enforces policies and routes data to and from the Identity Vault. The Identity Manager User Application is a connected system. Communication between the Identity Vault, the User Application’s directory abstraction layer, and the Workflow Engine occurs through the User Application driver.

1.2.11 Identity Vault

The Identity Vault is the repository for user data (and other identity data) plus the Identity Manager driver set and the User Application driver. Because the User Application relies on various Identity Vault objects, it’s necessary to extend the eDirectory schema to accommodate the custom LDAP objects and attributes required by the User Application. The schema extension occurs automatically as part of the User Application install. The custom objects and attributes are populated with default values after the User Application driver is installed and activated.

1.2.12 Novell Audit

Novell Audit is an independent logging server that can persist a variety of kinds of data (such as data generated by steps of a workflow). For more information, see Section 3.0, Setting Up Logging.