1.4 Understanding the Driver Configuration

After you install Identity Manager and the driver, you create a Driver object. A Driver object represents an instance of the Identity Manager Driver for SIF.

A driver configuration file, SIFAgent-IDM3_5_0-V1.xml, is provided to get you up and running with a minimum of customization. This section explains what the driver configuration does.

For information about Identity Manager in general, see the Novell Identity Manager 3.5.1 Administration Guide.

1.4.1 How the Identity Vault Is Updated When Data Changes in the Student Information System

The following tables describe what the configuration does to provision user accounts and keep the Identity Vault updated when changes occur in the Student Information System. There are two types of user accounts: students and staff. Table 1-1 contains information about student provisioning and Table 1-2 contains information about staff provisioning.

Table 1-1 Student Provisioning

Change in Student Data

Synchronization in the Identity Vault

A student is added

  • Creates an Identity Vault User object with a unique user ID.

  • Populates the User object attributes with data from the Student Information System. The attributes are listed in Data Mapping.

  • Places the user in the correct container as determined by the student’s school and grade level or graduation year.

  • Uses a template (if you specify one) to set default properties for the user, group membership, login restrictions, and password restrictions.

  • (NetWare only) Creates a home directory in the file system. (You must use a template to specify this.)

A student’s information is modified

  • Modifies the Identity Vault User object attributes accordingly. The attributes are listed in Data Mapping.

  • If appropriate, moves the User object to a different container in the tree. For example, a school or grade level/graduation year change could trigger moving the user to a different container.

  • (Optional) If any of the attributes creates a User ID change, the user account is renamed.

  • The home directory is not moved.

A student withdraws from school or graduates

  • On the Exit Date, disables the login of the User object in the Identity Vault.

  • (Optional) On the Exit Date, moves the user account to the Disabled directory.

  • The home directory is not deleted.

A student returns to the school system (an Entry Date that is newer than the Exit Date is entered in the Student Information System)

  • Enables the login of the User object in the Identity Vault.

  • Moves the user account from the Disabled directory to the correct student container.

  • The User object still has rights to the home directory.

A student is removed from the Student Information System

  • On the Exit Date, disables the login of the User object in the Identity Vault.

  • (Optional) Moves the user account to the Disabled directory.

  • The home directory is not deleted.

Table 1-2 Staff Provisioning

Change in Staff Data

Synchronization in the Identity Vault

Staff is added

  • Creates an Identity Vault User object with a unique User ID.

  • Populates the User object attributes with data from the Student Information System. The attributes affected are listed in Data Mapping.

  • Places the user in the correct container, as determined by the Zone.

  • Uses a template (if you specify one) to set default properties for the user, including group membership, login restrictions, and password restrictions.

  • (NetWare only) Creates a home directory in the file system. (You must use a template to specify this.)

Staff information is modified

  • Modifies the Identity Vault user accordingly. The attributes maintained are listed in Data Mapping.

  • (Optional) If any of the attributes creates a User ID change, the user account is renamed.

Staff removed from the Student Information System

  • Disables the User object in the Identity Vault.

  • (Optional) Moves the user account to the Disabled directory.

  • The home directory is not removed from the file system.

1.4.2 Data Mapping

The Identity Manager Driver for SIF uses data from the Student Information System to synchronize the following User class attributes in the Identity Vault. Table 1-3 lists each eDirectory attribute with its SIF object and SIF attribute.

Table 1-3 User Class Attributes

| eDirectory Attribute | SIF Object | SIF Attribute |
|---|---|---|
| CN | StudentPersonal or StaffPersonal | CN is formed from the combination of several SIF attributes. |
| Full Name | StudentPersonal or StaffPersonal | Name/FullName |
| Generational Qualifier | StudentPersonal or StaffPersonal | Name/Suffix |
| Given Name | StudentPersonal or StaffPersonal | Name/FirstName |
| Initials | StudentPersonal or StaffPersonal | Name/MiddleName |
| Internet EMail Address | StudentPersonal or StaffPersonal | Email |
| Login Expiration Time | StudentSchoolEnrollment | EntryDate and ExitDate. When ExitDate is newer than EntryDate, the login is set to expire on the ExitDate. When the EntryDate is newer than the ExitDate, the expiration date is removed. |
| personalTitle | StudentPersonal or StaffPersonal | Name/Prefix |
| preferredName | StudentPersonal or StaffPersonal | Name/PreferredName |
| Physical Delivery Office Name | StudentPersonal or StaffPersonal | Address/City |
| Postal Code | StudentPersonal or StaffPersonal | Address/PostalCode |
| Postal Office Box | StudentPersonal or StaffPersonal | Address/Street/Line2 |
| S | StudentPersonal or StaffPersonal | Address/StatePr |
| SA | StudentPersonal or StaffPersonal | Address/Street/Line1 |
| Surname | StudentPersonal or StaffPersonal | Name/LastName |
| Telephone Number | StudentPersonal or StaffPersonal | PhoneNumber |
| Title | StaffPersonal | Name/Title |
| DirXML-sifGrade | StudentSchoolEnrollment | GradeLevel |
| DirXML-sifGradYear | StudentPersonal | GradYear |
| DirXML-sifIsStaff | StudentPersonal or StaffPersonal | Not set from a particular attribute. Set to True if the SIF object is StaffPersonal. Otherwise, it is set to False. |
| DirXML-sifSchool | SchoolInfo | IdentificationInfo |
| DirXML-sifSchoolName | SchoolInfo | SchoolName |
| DirXML-sifSISID | SchoolInfo | RefId |
| DirXML-sifSSEGUID | StudentSchoolEnrollment | RefId |
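The following added example (not part of the driver or its shipped configuration) audits student records against the Login Expiration Time rule in Table 1-3 and the exit and return behavior in Table 1-1, reporting accounts whose login state has drifted from what the enrollment dates imply. The record field names and sample users are constructed for illustration. It assumes a login counts as disabled from the ExitDate onward and flags equal EntryDate and ExitDate for manual review, because the rule does not cover that case.

```python
from datetime import date

def expected_state(entry, exit_, today):
    """Login state implied by the EntryDate/ExitDate rule: (expiration, disabled)."""
    if exit_ is not None and exit_ > entry:
        # ExitDate newer than EntryDate: the login expires on the ExitDate.
        # Assumption: the login counts as disabled from the ExitDate onward.
        return exit_, today >= exit_
    # No ExitDate, or EntryDate newer (student returned): expiration is removed.
    return None, False

def audit(users, today):
    """Return (cn, finding) pairs for records that disagree with the rule."""
    findings = []
    for u in users:
        if u["exit"] is not None and u["exit"] == u["entry"]:
            # Equal dates are not covered by the rule; flag for manual review.
            findings.append((u["cn"], "AMBIGUOUS_DATES"))
            continue
        expires, disabled = expected_state(u["entry"], u["exit"], today)
        if u["expires"] != expires:
            findings.append((u["cn"], "EXPIRATION_MISMATCH"))
        if u["disabled"] != disabled:
            code = "ENABLED_AFTER_EXIT" if disabled else "DISABLED_WITHOUT_EXIT"
            findings.append((u["cn"], code))
    return findings

def user(cn, entry, exit_, disabled, expires):
    # Hypothetical record layout: latest enrollment dates plus observed login state.
    return {"cn": cn, "entry": entry, "exit": exit_,
            "disabled": disabled, "expires": expires}

# Constructed sample data, not taken from any real Identity Vault.
SAMPLE_USERS = [
    user("asmith", date(2007, 8, 20), None, False, None),                      # enrolled
    user("bjones", date(2006, 8, 21), date(2007, 6, 1), True, date(2007, 6, 1)),  # exited, disabled
    user("clee", date(2006, 8, 21), date(2007, 3, 15), False, None),           # exited, still enabled
    user("dkim", date(2007, 8, 20), date(2007, 6, 1), False, date(2007, 6, 1)),   # returned, stale expiry
    user("epatel", date(2007, 8, 20), date(2008, 6, 5), False, date(2008, 6, 5)), # future exit
    user("fnguyen", date(2007, 8, 20), date(2007, 8, 20), False, None),        # equal dates
]

if __name__ == "__main__":
    for cn, finding in audit(SAMPLE_USERS, date(2007, 9, 1)):
        print(cn, finding)
```

An `ENABLED_AFTER_EXIT` finding is the one to prioritize: it marks an account that should no longer be able to log in but still can.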

1.4.3 Sending Data from the Identity Vault to SIF

The SIF Driver is generally used to provision users from a SIF-enabled Student Information System to the Identity Vault. The driver is configured, by default, to send no data from the Identity Vault to the Zone Integration Server (ZIS) and the Student Information System. The Student Information System is considered to be the authoritative data source.

However, the driver is capable of bidirectional synchronization and can send data to the ZIS and SIF. There are two ways you might choose to use this bidirectional capability:

  • Configure the driver as the authoritative source for some user attributes or for new users.

    If you want the Identity Vault to be the authoritative source for some user attributes, you could configure the driver to send certain attributes from the Identity Vault to SIF.

    If your business practices allow users to be entered manually in the Identity Vault who are not entered in the Student Information System first, you could also configure the driver to send new users from the Identity Vault to SIF.

  • Configure the driver to be the SIF provider for all student and staff data.

    If your Student Information System is not SIF-enabled, but you have other SIF-enabled applications, you might choose to configure the SIF Driver to function as the authoritative source for students and staff.

    In this role, the SIF Driver is the SIF provider for StudentPersonal, StudentSchoolEnrollment, SchoolInfo, StaffPersonal, and SIF Authorization objects. Being the provider means this driver responds when other SIF-enabled applications send SIF queries for information about students and staff.

    For example, you could export student and staff information from your Student Information System and import it into the Identity Vault, using a database import. At the start of the school year, the other SIF Agents in the Zone would populate their databases by querying for all students. If you register the SIF Driver as the provider for the Zone, the queries would be routed to the SIF Driver. During the school year, as student and staff information in the Identity Vault is updated, either by database import or by updating manually, the SIF Driver would send those updates to SIF, thereby keeping the other SIF-enabled applications current.

    You would not enable this option if you have a SIF-enabled Student Information System. Only one Agent in a Zone can be the provider. If you have a SIF-enabled Student Information System, we recommend that the Student Information System be the provider.

If you configure the SIF Driver to send new users or to be the provider of all student and staff information, at a minimum you must provide the user attributes listed in Table 1-4 when creating a user object in the Identity Vault. A new user object is not sent from the Identity Vault to SIF unless these attributes have values.

Table 1-4 Required User Attributes

| Type of User Account | Attribute |
|---|---|
| Student | Given Name |
| | Surname |
| | DirXML-sifGrade |
| | DirXML-sifGradYear |
| | DirXML-sifSchool |
| | DirXML-sifSISID |
| Staff | Given Name |
| | Surname |
| | DirXML-sifSISID |