Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.
The Lotus Notes driver includes many GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.
To access the driver’s GCVs in iManager:
Click to display the Identity Manager Administration page.
Open the driver set that contains the driver whose properties you want to edit.
In the
list, click .If the driver set is not listed on the
tab, use the field to search for and display the driver set.Click the driver set to open the Driver Set Overview page.
Locate the driver icon, click the upper right corner of the driver icon to display the
menu, then click .or
To add a GCV to the driver set, click
, then click .To access the driver’s GCVs in Designer:
Open a project in the Modeler.
Right-click the driver icon or line, then select
or
To add a GCV to the driver set, right-clickthe driver set icon , then click
.The global configuration values are organized as follows:
There multiple configuration sections for the Notes driver:
Show Certifier Options: Select
to display the certifier options.Fully Qualified Default Certifier Name: Specify the default Fully Qualified (typed) Notes Certifier name as found in the Notes Address Book. The root certifier can be used (an example is /o=acme).
Default Certifier Name: Specify the default Notes Certifier name as found in the Notes Address Book. The root certifier can be used (an example is /acme).
Default Certifier Driver Parameter Key: Specify the driver parameter key name that stores the default certifier ID file name. An example is cert-id-file.
Default Certifier Password Driver Parameter Key: Specify the driver parameter key name that stores the default certifier ID password. An example is cert-id-password.
Show New User Options: Select
to display the new user options.Notes User Certification Options: Select the desired Notes User Certification option. Select
to create a Notes Certification ID file for the user. Select to not create the Notes Certification ID file. The default is .User ID File Creation: Select the desired Notes User ID file creation option. Select
to create an ID file when registering users. Select to not create the ID file. The default isStore user ID File in Address book: Select the desired Notes User ID file option. Select
to place a Notes Certification ID file for the user in the Notes address book. Select to not place the Notes Certification ID file in the address book. The default is .User ID Expire Term (in years): Specify the expiration term (in years) for ID files created by the driver when certifying users who are added on the Subscriber channel. This number specifies how many years the user’s Certification ID file will be valid. The default is
.User ID Expiration Date: Specify an expiration date, or leave the field blank to ignore this setting. Specify the date when the user’s Certification ID file will expire. This entry has priority over the Expire Term entry.
Alternate Organization Unit: Specify an alternate Organizational Unit to be used for each registered user, or leave the field blank to ignore this setting.
Alternate Organization Unit Language: Specify an alternate Organizational Unit language to be used for each registered user, or leave the field blank to ignore this setting.
Notes Explicit Policy Name to be attached to User: Specify the desired Notes Explicit Policy Name to be attached to each registered user. When specified, registration policies are not executed.
Synchronize User’s Internet Password: Select the user’s Internet password option. Select
to synchronize the user password with the Web password. Select to not synchronize user passwords. The default is .Notes User Password Check Setting: Select
to ignore this setting. Select to require users to enter a password when authenticating to servers that have password checking enabled. Select to not require users to enter a password when authenticating to other servers. Select to prevent users from accessing servers that have password checking enabled. The default is .Notes User Password Change Interval (in days): Specify the desired user password change interval in days. Specify a number to indicate the days a password is valid and before the user must supply a new password.
Notes User Password Grace Period (in days): Specify the desired user password grace period in days. Specify a number to indicate the days the grace period is valid before the user must supply a new password.
Notes User Internet Password Change Required: Select the user’s Internet password change option. Select
to require users to change the password on the next login. Select to not require users to change the password on the next login. The default is .Roaming Option: Select the desired Notes roaming user option. Select
to enable roaming for Notes users. Select to disable roaming. The default is . Selecting brings up the next four options.Roam Server Name: Specify the Domino server that will host this roaming user. An example is (cn=ServerName/o=org)
Roam Server Subdirectory: Specify the Domino server subdirectory to store roaming user data. An example is Roaming\
Cleanup Setting: Select the Notes roaming user cleanup setting. Select
to do nothing. Select to never delete roaming data. Select to delete roaming data by the days specified by . Select to delete Notes data when Notes shuts down. Select to clean up roaming data when the user exits Notes; the user can also decline to be prompted in the future.Cleanup Period (in days): If
is selected as the , specify the number of days before deleting roaming user data.Show E-Mail Options: Select
to display the e-mail options.Internet Mail Domain: Specify the Internet Mail Domain to be used when generating Internet e-mail addresses. An example is
.Add User E-Mail Box: Select the desired Notes user e-mail creation option. Select
to create a Notes e-mail account for a user. Select to not create an e-mail account. The default is .Create Mail File in background via AdminP: Select the desired Notes user e-mail creation option. Select
to create a mail file by issuing a request to the Domino administration process to create the mail file in the background through AdminP. Select to create the mail file directly. AdminP support is required for this option. The default is .Inherit from Mail File Template: Select the desired Notes user e-mail database inheritance option. Select
in order for the user e-mail database to inherit changes from the specified creation template. Select to not inherit changes. You specify the e-mail creation template through the Subscriber channel settings. The default is .E-Mail Database ACL Setting: Select the desired Notes user e-mail database ACL option. Select
to ignore this setting. Other options include , and . The default is .Mail ACL Manager: Specify the Notes e-mail database Manager name. Leave this entry blank to allow e-mail access by the owner. If ACL access of the mail database is less than
, you need to specify an e-mail manager. Use the plus icon to add names, the minus icon to delete names, and the pen icon to edit existing entries.Mail File Size Quota (in megabytes): Specify the Notes e-mail database size quota in megabytes. Leave the field blank to ignore this setting. The size specifies disk space that the server administrator allows for the e-mail database. If the Notes driver user is not a Domino server administrator, leave this value blank.
Mail File Size Warning Threshold (in megabytes): Specify the mail file size warning threshold in kilobytes. Leave the field blank to ignore this setting. The size specifies disk space allowed before warning messages are sent to the database owner.
Mail File Replication: Select the desired Notes user e-mail file replication option. Select
to replicate the mail file of a user. Select to not replicate the mail file. The default is .Create Mail File Replica On Which Server: Specify the distinguished name of the desired Domino server where the mailbox replicas are initially created and should be replicated (for example CN=Server1/O=acme.
Mail File Replication Priority: Select the mail file replication priority setting: Low, Medium, or High. The default is Medium.
Create Mail File Replica in background via AdminP: Select the desired Notes User E-Mail replica creation option.
replicates the mail file by issuing a request to the Administration Process to create the replica in the background. creates the replica directly on the destination server.NOTE:If the Create Mail File in the account.email.createinbackground (background setting) is set to
, the policy overrides this setting with a value of .User Delete Mail File Action: Select the action that is taken when a user is deleted.
All: Removes the e-mail from the home mail server on all replica mail servers when this user account is deleted.
Home: Removes the e-mail only from the home mail server when this user account is deleted.
None: Preserves all e-mails when this user account is deleted.
Show AdminP Options: Select
to display the AdminP options.Tell AdminP Process Command when a User is Added: Select the AdminP process command to use when a user is added. This specifies the Tell adminp Process command to send to the Domino server immediately after the user has been added to the Domino Public Address Book. Options include (default), , and .
Tell AdminP Process Command when a User is Modified: Select the AdminP process command to use when a user is modified. This specifies the Tell adminp Process command to send to the Domino server immediately after the user has been modified using AdminP methods in the Domino Public Address Book. Options include (default), , and .
Tell AdminP Process Command when a User is Deleted: Select the adminp process command to immediately send to the Domino server after an object is deleted from the Domino Public Address Book. Options include (default), , and .
Remove User or Group object from the Notes Address Book Immediately: Select whether to immediately delete the user or group object from the Notes address book. Select
to remove the user or group immediately from the Notes address book. Select to remove the user or group from the Notes address book through the normal course of the background administration process.Entitlements act like an On/Off switch to control the account access. When the driver is enabled for entitlements, accounts are only created and removed or disabled when the account entitlement is granted to or revoked from the users. For more information, see the Identity Manager 4.0.1 Entitlements Guide.
The entitlements are divided into the following categories:
Use Account Entitlement: Select
to enable the driver to manage Notes accounts based on the driver’s defined entitlements.When Account Entitlement Revoked: If the
option is , specify what action is taken in Notes when a User Account Entitlement is revoked.User Group Entitlement: Select whether the driver manages groups with the group entitlement.
allows the driver to manage Notes groups based on the notesGroup2 Entitlement. does not allow the driver to manage Notes groups based on the notesGroup2Entitlement.Advance Settings: Select show to display the entitlement options that allow or deny additional functionality like data collection. These settings should rarely be changed.
Data collection enables the Identity Report Module to gather information to generate reports. For more information, see the Identity Reporting Module Guide.
Enable data collection: Select
to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select .Allow data collection from user accounts: Select
to allow data collection by the Data Collection Service through the Managed System Gateway driver for the user accounts.Allow data collection from groups: Select
to allow data collection by the Data Collection Service through the Managed System Gateway driver for groups.The Role Mapping Administrator allows you to map business roles with IT roles. For more information, see the Novell Identity Manager Role Mapping Administrator 4.0.1 User Guide.
Enable role mapping: Select
to make this driver visible to the Role Mapping Administrator.Allow mapping of user accounts: Select
if you want to allow mapping of user accounts in the Role Mapping Administrator. An account is required before a role, profile, or license can be granted through the Role Mapping Administrator.Allow mapping of groups: Select
if you want to allow mapping of groups in the Role Mapping Administrator.The Roles Based Provisioning Module allows you to map resources to users. For more information, see the User Application: User Guide.
Enables resource mapping: Select
to make this driver visible to the Roles Based Provisioning Module.Allow mapping of user accounts: Select
if you want to allow mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role, profile, or license can be granted.Allow mapping of groups: Select
if you want to allow mapping of groups in the Roles Based Provisioning Module.Format for Account entitlement: Select the parameter format the entitlement agent must use when granting this entitlement. The options are
or .Format for Group entitlement: Select the parameter format the entitlement agent must use when granting this entitlement. The options are
or .User account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguraiton resource object.
Group extensions: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.
These GCVs enable password synchronization between the Identity Vault and the Notes system.
In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.
In iManager, you should edit the Password Management Options on the
tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.For more information about how to use the Password Management GCVs, see Configuring Password Flow
in the Identity Manager 4.0.1 Password Management Guide.
Connected System or Driver Name: Specify the name of the LDAP system or the driver name. This valued is used by the e-mail notification template to identity the source of the notification message.
Application accepts passwords from Identity Manager: If
, allows passwords to flow from the Identity Manager data store to the connected system.Identity Manager accepts passwords from application: If
, allows passwords to flow from the connected system to Identity Manager.Publish passwords to NDS password: Use the password from the connected system to set the non-reversible NDS password in eDirectory.
Publish passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.
Require password policy validation before publishing passwords: If
, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.Reset user’s external system password to the Identity Manager password on failure: If
, on a publish Distribution Password failure, attempts to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.Notify the user of password synchronization failure via e-mail: If
, notifies the user by e-mail of any password synchronization failures.Use Deny Access Group for Account Status: Select whether to place disabled user accounts into a Notes Deny Access Group.
Deny Access Group Name: Specify the Notes Deny Access Group where the driver places users when the user account is disabled.
Add Deleted Users to Deny Access Group: Select whether to add the deleted user name into the Deny Access group. Because user deletion does not happen instantaneously in Notes, this option adds more security. Users pending deletion cannot log in even though their accounts are still available in Notes.
Publish Events for Deny Access Group: Select whether to publish events for the Deny Access group or not. Select
only if you intend to synchronize the Deny Access group.Account tracking is part of the Identity Reporting Module. For more information, see the Identity Reporting Module Guide.
Enable account tracking: Set this to
to enable account tracking policies. Set it to if you do not want to execute account tracking policies.Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique.
Advanced settings Select
to display the account tracking settings. Changing these settings might result in malfunction of the Account Tracking feature. Change these settings only if you know exactly what you are doing.Identifiers: Add the account identifier attributes. Attribute names must be in the application namespace.
Object Class: Add the object class to track. Class names must be in the application namespace.
Status attribute: Name of the attribute in the application namespace to represent the account status.
Status active value: Value of the status attribute that represents an active state.
Status inactive value: Value of the status attribute that represents an inactive state.
Subscription default status: Select the default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.
Publication default status: Select the default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.