Cool Solutions


Contact vscheuber
Member since 1/3/2007


Author Archives

getting loaded


July 9, 2006 11:12 pm



the designer team is done with the 1.2 release and starting next week we will get loaded for 2.0 m4. we ask you to help us set the right priorities as we continue our march toward 2.0. what are the 3 most pressing enhancements, new feature areas or bug fixes you want us to focus on? please tell us your priorities in the form of a bug, a comment to this post or an email directly to me. you, the customer, are king. speak up and be heard!

[i will be gone to zion national park canyoneering all of next week. i will respond to feedback after i get back.]

order and chaos


June 29, 2006 3:10 pm




we got a lot of feedback after we announced the availability of Designer 1.2RC1 and RC2. most of the comments came from customers who were confused that we release a 1.2 version as an update to a 2.0M2 milestone. here comes the reasoning behind the version order and chaos:

Designer releases iteratively. this means at the beginning of each major release development cycle we define what the scope for this major release is. a major release is 1.0 or 2.0 etc. this initial scope is just a rough idea gathering and setting goals to say something like: in Designer 2.0 we want to see Version Control and Staging as the two major new feature areas and we want to improve our overall user experience etc.
then we break down this rough scope into milestones. this is where the iterations come in. so we broke Designer 2.0 into 7 milestones where M7 will be 2.0. we then get loaded at the beginning of each milestone and scope this milestone out in detail. usually, besides our rough goals, we get A LOT of additional feedback from our customers which we try to absorb into one of the milestones. then we implement the milestone and get loaded for the next. we roughly fix about 500 bugs per milestone and get about 100 enhancements in.

now what happened with 2.0 M3 and 1.2:

at the time we scoped out Designer 2.0, there were no official plans for another official Designer release before 2.0. that’s why we made the decision to start working on something called 2.0 at the beginning of this calendar year. but then, as things evolved, it turned out that we had to release another supported release of Designer together with IDM 3.0.1 (SP1). now since we develop iteratively, we don’t branch our code base (at least we try not to branch if ever possible). so we basically had to put SP1 specific changes into our running 2.0 trunk. looking at what’s new in SP1, it really would not make sense to release a Designer 2.0 just for Spitfire SP1 and we would not have any of our 2.0 main features in by then anyway. so we decided to do a marketing version 1.2 and release 2.0 M3 as 1.2 to the public so that it makes sense to the end customer who got 1.1 with IDM 3.0 and will now get 1.2 with IDM 3.0.1.

we are thinking of including a build number in the future so you could see what our “real” version is versus the marketing version. really, don’t put too much weight into the marketing version. it’s just a name.

bug=bad. many bugs=bad product?


June 29, 2006 1:36 pm



in my last post i stated that we fixed over 900 bugs since designer 2.0m2. after posting i realized that i probably painted an inaccurate picture of what 2.0m2 was and what the overall product quality was. at least for people who are not familiar with the way we use bugs to manage the designer project it may be difficult to correctly interpret my statement. designer is high quality, extremely customer focused and constantly evolving.

most of novell engineering uses bugzilla as a development process, problem and enhancement tracking tool. bugzilla holds records – referred to as bugs – that are assigned to a responsible person and categorized into products and feature areas per product. each of these records (or bugs) has a severity and a priority assigned. the severity is set by the reporting party and is meant to indicate how important the record is, whereas the priority is assigned internally and determines the attention (importance) the record gets.

the severity field divides the records into two different groups: problems and enhancement requests. if a record’s severity is set to “enhancement” it describes a non-existing but desired functionality. all other levels assume a problem and indicate the importance of the problem.

now what makes the difference between an enhancement request and a bug? at first this seems obvious but very often it is not: designer does not currently provide any team enablement features like version control. a record (bug?) which asks for team enablement and version control would thus be given a severity of “enhancement”. if designer during a deploy was going to destroy data, a record (bug?) reporting this issue would probably be assigned a severity level of “major” or “critical”. but there is a lot of space between these two examples. imagine designer behaves in a way that is unexpected (wrong?) for you. if you reported this and requested a change of behavior, would that be an enhancement request or a problem report? difficult to say.

we in the designer team use bugs for release planning, too. whoever has an idea enters a bug. often the severity level doesn’t even matter. then, when we get loaded to do our next milestone, we pull up all the open bugs and prioritize them. this way we make sure no idea is being forgotten. you as a customer can do the same. our bugzilla system is open for you. you have an idea or a problem? go to and tell us about it.

back to my original post: over 900 bug fixes does not mean we had 900 critical problems we fixed. it means that we worked down a queue of over 900 records in our bugzilla database that describe our current release. of the over 900 bugs, approx. 110 were marked as enhancement requests right away. this leaves us with over 790 records. most of these are bugs reported by our internal test team. they try every day to break our code and report every success they have. this way we make sure what we ship is of shipping quality. so 2.0m2 was not a milestone that had over 900 problems, but 1.2 (2.0m3) is a release with loads of new features and many, many adoptions requested by you and many, many, many problems fixed before they even were able to hit you, the customer, because they were found by our internal test team.

a little treat upfront


June 26, 2006 10:58 pm



Designer 1.2 Test Drive

the first release candidate for the new designer for identity manager 1.2 is available for you to download!

the new designer is ready for a test drive. before you race off, make yourself familiar with the new engine, carriage and chassis features:

  • Full support for Credentials Provisioning
  • Live browse, view, and edit any eDirectory object
  • Provisioning work flow Editor creates new custom work flow topologies
  • Generate doc in editable RTF format
  • Generate doc on just selected items
  • Remote control desktops where applications are running
  • Lots of new project checks
  • Discovery and modeling of AD Domain Controllers
  • Start, stop, and status all drivers on driver sets and vaults
  • Deploy certificates for eDir-to-eDir drivers
  • Lots of new main menus and simplified context menus
  • Built-in HTML viewer/editor for Notification Templates
  • Over 900 bug fixes and enhancements since M2

don’t hesitate to tell us about all your good and other experiences! leave your comments here, post them to the designer forum or email me directly.

mixing the doughs, baking the cake, tasting it


June 23, 2006 2:02 pm



in my last post i drew the picture of a marble cake where role-based entitlements and workflow are the two differently colored doughs that make up the perfect cake when they come together. read on to get more details and even a piece of the cake to taste…

mixing the doughs
the example i gave in my last post was about handling exceptions in an automated provisioning solution where all resource provisioning activities are implemented through the role-based entitlement (rbe) framework. rbe allows exception management out-of-the-box through its static include and exclude lists on rbe policies. this way an administrator can do manual exception handling, but what we are really looking for is taking the exception handling from the administrator to the end user. here is where the doughs start to merge. we will use workflows to manage the static include and exclude lists and have the person responsible for the resources approve the workflows. this way the user discovers the need for access to a certain system (which he has no access to because it has not been assigned to his role in the enterprise) and requests access through the web interface (user application). whoever is responsible for approving this request approves or denies, and the exception is handled securely and policy compliant without administrator or help desk intervention.

baking the cake
now here come some more detailed baking instructions. technically there are two different approaches to make workflow manage the static include/exclude lists: one is creating a custom entitlement with values and the corresponding dirxml script policies to handle the static include/exclude lists and then have the workflow just grant or revoke this custom entitlement. the other way would be to have the workflow manage the lists directly through an entity activity (instead of an entitlement activity, which is the default for identity manager 3.0). the second approach is much more straightforward but requires a little more know-how about workflow; the first approach leaves the workflow part pretty much at the standard level of an out-of-the-box installation but requires some dirxml-script work. to save anyone who wants to try any of these approaches a headache, i have to mention here that Identity Manager 3 sp1 code is needed to make it all work. sp1 will be out this summer, so very soon.

tasting it
as i mentioned above, you need sp1 code to make the whole scenario work as discussed. since i want to give you something now that you can taste, i put together the custom entitlement and driver anyway, and you can use it to manage static include/exclude lists, but you will have to manually re-evaluate membership for all your users to make the rbe service pick up the change until you run the driver that comes with sp1. an alternative approach which would work even without sp1 is to set a flag on the user object and include this flag in the dynamic member query, but i prefer having the exception handled on the rbe policy rather than on all the user objects.

download this zip file containing a driver export with custom entitlements and dirxml script policies to manage the static include/exclude lists.

mutually exclusive?


June 14, 2006 10:11 pm



with identity manager 2 we introduced the role-based entitlements (rbe) framework. it allows you to grant or revoke resources through a common architecture based on role membership. with identity manager 3 we expanded the framework to also allow for approval-based resource provisioning. the documentation indicates that role-based and approval-based provisioning are mutually exclusive per resource. true?

roles let you specify static members (and non-members) and dynamic members. the dynamic member feature lets you specify a query that, on evaluation, returns the list of members. this way you can easily set up a policy called “managers” and have it gather its members by querying “class-name equals User AND isManager equals TRUE” instead of manually having to find and add all managers.

approval flows, on the other hand, usually don’t include any dynamics other than finding the next approver. the approver approves or declines a resource request. the reasons an approver bases her/his decision on are beyond the reach of the software controlling the approval flow.

given the fundamental differences between the two, can we assume they are mutually exclusive for a single resource or even the whole provisioning system? e.g. does it make sense to allow access to an application to be requested and at the same time grant that same access based on a role? absolutely! even though being black and white, role-based and approval-based make up the perfect marble cake in a good architecture:

  • identify resources which can be granted based on roles and which do not need approval in addition to the role membership (which can be seen as a passive approval). once this type of resources has been identified, rbe can be used to create a fully-automated role-based provisioning system.
  • define whether exceptions can occur in the above architected system. what if a manager wants to delegate a performance management task to a senior employee with no manager grade but the role-based provisioning system only provisions managers to this application? this is definitely an exception that needs to be taken care of. here comes the marble cake: approval-based provisioning can perfectly complement role-based provisioning to handle exceptions in a secure and policy compliant manner.
  • identify resources which always need approval for compliance or other reasons. these resources should be excluded from role-based provisioning unless the roles are provisioned approval-based. so there are two approaches: either force approval for each single resource or force approval for role assignments and then have the roles grant access to all the resources necessary to execute that role.

in my next post i will give some technical insights on how to best make role-based and approval-based provisioning work together.

the yin and yang of idm management


May 26, 2006 7:52 am




in my last post i asked you what console strategy you would prefer. i would now like to share some insights with you about what the designer for identity manager future holds. your posts have all been received and in my hallway where my office is i was called “trouble maker” for 2 weeks after my post.

see how designer for identity manager is going to address the issues that were brought up.

for the public, designer for identity manager started off as an offline only tool and we got overwhelmingly positive feedback to this new approach. now that designer for idm is in the maturing phase, we get a lot of requests for “live” features. you and others told us that it is awkward to alt+tab over to imanager, do an object modification, watch the trace to see the result and then alt+tab back to designer to make changes to the driver configuration, run the changes through the simulator, deploy them and again alt+tab back over to imanager.

we cannot complete the whole visionary picture in a single milestone but we work one stroke of a brush after the other. some strokes have been painted long ago like the ability to start/stop/status drivers from designer and some are being painted at this very moment. in our next milestone release you will get access to another experimental live feature: an identity vault browser with object access.

Live Mode

the identity vault browser lets you browse every idv in your current project and allows you to log in to any other tree as well. the feature currently also allows you to edit any object with a generic object/attribute editor, and you will be able to define customized ui for your schema on a per object class basis. in one of the future milestones we will add object creation, rename, move and delete.
imanager remains the primary edirectory administration tool for anything that goes beyond the above mentioned capabilities. designer and imanager are the yin and yang of idm management.

“what the heck!”


April 28, 2006 9:22 am



was i shouting when novell consulting, about 6.5 years ago, installed and launched consoleone on my admin workstation. at that time i had just filled a position in an nt server engineering group at an international company located in zuerich, switzerland. before that position i was working in a small company as a web and database developer and, on the side, was also managing that company’s netware environment. i was away from the novell business for about 6 months only, and so i expected to get good old nwadmin on my box but instead: “what the heck!” i got consoleone. a java application that took about 2 minutes to start and offered only limited managing capabilities at that time.


i wonder how many “what the heck!”s went around the globe when, after consoleone had finally matured, it was violently killed and replaced by imanager, a terribly clumsy and slow web application at that time and offering only limited managing capabilities.

and i hope we caused at least as many “what the heck!”s when we shipped designer for identity manager 1.0 mid last year. but this time not because we did a brutal rip and replace of an existing admin tool. instead we added to what was already there. we brought the rich client back onto the novell administrators and developers workstations. the echo so far has been overwhelmingly positive.

so have we finally found the right balance? is designer the answer to all the cry-outs for help: “i want a rich client!”? until my very last day in novell consulting i had consoleone installed on my laptop but i considered myself a dinosaur. i had the chance to work with a good friend from consulting recently and as i asked him to log into my development tree, i expected him to log in using imanager but “what the heck!” this good old friend, in the year 2006, launched consoleone!

so now please tell me: what the heck is it that you really want?

new feature discovery


March 31, 2006 4:19 pm



now that brainshare is over and has been a huge success, the designer team is back finding out what else you, elvis ah… our customer, the king, may need most in the near future.

whereas the main goal for designer 1.0 and 1.1 was to enable you to do all the configuration tasks you had been doing in imanager until then, our focus has now changed a little. i’d like to share with you some of our thoughts and methodology how we discover new features that we need to integrate into designer.

when a company decides to investigate an identity management solution, it usually starts a long and sometimes hairy process. roughly, this process is defining the business case, developing the solution, then implementing/deploying and finally maintaining and monitoring the solution.

in the past novell covered exactly the development part of this process. we think that designer can do more than just configuration and development. we want to support the whole process:

Solution Development Process

as you can see, we cover already quite a bit of the whole process, but we know we can do even more. we want to accompany you from the first day in your project until the last day of that project and even beyond into the maintenance phase.

let us know what you think of this approach. do we meet your expectations this way?

i don’t own my identity and you don’t own yours


March 15, 2006 10:35 am



hi. my name is volker scheuber. i work on the identity manager and designer projects. i was born in germany, grew up, got married and two children in switzerland and live now with my family in utah, usa.

i have spent my first five years with novell in novell consulting, switzerland. now that i’m part of engineering, i’m putting all my energy into providing the tools our customers, partners and consultants need to successfully deploy identity management projects. what i have learned during the delivery of about twenty five idm projects in emea will keep me busy for the next little while trying to merge it into our tools around identity management.

with my relocation to the states my understanding of identity got re-defined. this is why and how:

i learned that i have to follow these steps to establish an identity in my new host country:

  • get a visa
  • get a checking account (difficult without a social but not impossible)
  • get a social (social security number)
  • establish multiple lines of credit
  • get cars. the country is so huge that one car is not enough. get at least two.
  • get utah driver licenses
  • find and buy a house

when i visited the u.s. last summer, i checked out different banks to open a bank account. this turned out to be a difficult thing without a us passport, no us id of any kind and no social. i finally succeeded, though, finding a bank that does these things.

lesson learned: as long as i do not have any kind of u.s. id, i will be a suspect, no matter how good my record is back in switzerland or anywhere else. there is no such thing like global identity federation. good or bad? i haven’t decided on that, yet.

at the us embassy in bern, switzerland, my family and i received our visas for the united states. we thought: well, that’s it, we’re in. we didn’t realize it all had only just begun:

during our immigration when we arrived at our port of entry, a mistake happened and my wife got my L-1 stamp on her I-94 form whereas i got her L-2 stamp on mine. this basically gave her a work permit and revoked mine.

lesson learned: my identity is nothing i own. others own it for me. if they screw up, i’m screwed up. my biometrics don’t matter, my record doesn’t matter. only the record that others have of me matters and determines their actions regarding me.

so i applied for a social security number. but i was told: no. you gotta fix your I-94 first. showing them my passport with the L-1 visa in it didn’t do any good. so i had to take my whole family and start a marathon from office to office to find out how to fix our identity, ahm… I-94 forms. we finally got this done and i was able to apply for a social security number.

next step was to buy cars. we wanted to get rid of the rental car asap. so we checked out several car dealers. several deals were almost closed. but always they asked the question: may we have your social? no social no deal. actually they didn’t care for my social but for my non-existing credit record tied to my non-existing social.

at the same time we started to look for houses and actually found one and got it under contract. now we had 4 weeks to receive our social before the contract expired and we would lose the house.

lesson learned: having an identity is not enough. you need the right type of identity. the environment you are in defines what the right type of identity is. the environment you are in also sets the rules how to obtain it.

now that we knew we were going to get a social for me (not for the rest of my family, though) the next problem arose. the bank wanted to find out if i was a reliable person for the house loan. so we arranged several phone calls with swiss credit institutes and banks who would give them information on my credit record in switzerland. the bank did this effort for the house loan but for car loans they said: we don’t do that. you have to build up your credit, first.

lesson learned: good records tied to the wrong identity don’t help. good records need to be tied to the right identity. records cannot be transferred from one to another identity.

my social security number arrived 3 days before the contract for the house expired. our credit record was established and our money from switzerland arrived on the last day and we were able to close on the house.

because we were able to establish our credit record for the house, the car dealers all of a sudden were willing to sell us cars. having a social also allowed me to get cell phones, a regular phone and cable tv.

lesson learned: i am a very lucky and happy person having all the identities i need to take care of my family in a foreign country. i realize that not everybody is blessed like this.

with our identity management product here at novell we cannot change reality for people but we can make sure reality doesn’t get manipulated and identities are given the proper respect they deserve.

my team is working hard on making managing identities easier.

visit us at brainshare in salt lake city next week:

  • all day long from monday to friday in the solutions lab
  • on tuesday and wednesday in the tut160 session (presentation and demo of bleeding edge functionality in designer for identity manager)
  • on thursday in the bof161 session (round table discussion)
