10.2 Managing Provisioning Teams

This section includes information about the following topics:

10.2.1 Creating a Provisioning Team

To create a new provisioning team:

  1. Launch the New Provisioning Team wizard in any of these ways:

    From Designer’s menus:

    • Select File > New > Provisioning > Provisioning Team, then click Next.

    From the Provisioning view:

    Right-click Provisioning Teams, then select New.

    The New Provisioning Teams dialog box displays.

    NOTE: When launched from the File menu, the dialog box contains fields that are not displayed when it is launched from the Provisioning view.

  2. Fill in the fields as follows:

    | Field | Description |
    | --- | --- |
    | Identity Manager Project and Provisioning Application | Select the correct Identity Manager project and Provisioning Application. NOTE: This field displays when you create queries from the File menu. |
    | Identifier | Type a common name (CN) for the team. |
    | Display Label | Type the name of the provisioning team. This is the name displayed in Designer and also in the User Application runtime. The label is localizable in the Provisioning Team editor. |
    | Description | Provide a description of the provisioning team. |

  3. Click Finish. The Team panel of the Provisioning Team editor displays.

  4. Type a description.

  5. To add a Team Manager, click , then choose the objects from the Identity Vault.

    You might be prompted for credentials before you are able to access the Identity Vault. Managers can be users or groups.

  6. Select Managers are members of team if you want the manager to be included as a team member in requests submitted for the team.

  7. To define the team’s members, do one of the following:

    • Click DAL Relationship, then select the relationship that represents the team’s membership.

    • Click Identity Vault Objects. Click , then select the members from the Identity Vault. Members can be users, groups, containers, organizational units (OU), or organizations (O). Specifying an O or OU can impact the User Application’s runtime performance. To reduce the performance impact when you select an O or OU, it is recommended that you also select the General Option The manager will need to search for the member using a select-pick list.

  8. Complete the Options section of the panel as follows:

    | Field | Description |
    | --- | --- |
    | Allow Manager(s) to set the availability of team members | When this setting is enabled, the team managers can access the Team Availability action in the navigation menu of the User Application. |
    | Allow Manager(s) to set proxy for team members | When this setting is enabled, the team managers can access the Team Proxy Assignments action in the navigation menu of the User Application. |
    | All team members will be displayed in a select list | When this option is selected, the manager can select team members in a drop-down list box. Use this option when the team has only a few members. It is not recommended if you specify an O or OU to define the team’s members because runtime performance can be greatly reduced. |
    | The manager will need to search for the member using a select-pick list | When this option is selected, the manager must perform a search before selecting team members. Use this option when the team has a large number of members, for example, when you select an O or OU to define the team’s members. |

    If a particular team definition does not permit team managers to set proxies or team availability settings, the manager can still view the settings defined for the team members by the administrator or by a manager of another team to which these users belong. However, the team manager cannot edit these settings, view details for these settings, or create new proxy assignments or team availability settings.

    You can now specify what types of requests this team can work on.

  9. Click Requests. The Provisioning Team Request page displays.

  10. Choose the Provisioning Request Scope for this team. The values are:

    | Selection | Description |
    | --- | --- |
    | All | Specifies that this team definition applies to all request types. |
    | Categories | Specifies that this team definition applies to all request types associated with a particular category. |
    | Individual Requests | Specifies that this team definition applies to a single request type. |

  11. Click and specify an identifier for the new provisioning team request object.

  12. Specify values for the General panel. It displays different options, depending on the scope you select.

    • For Categories, select one or more categories from the Available Categories column and move them to the Selected Categories column.

    • For Individual requests, select the request from the drop-down list.

    Each category or individual request can only be associated with one request object. As you select them, they are removed from the list of possible values for the next request object that you create.

  13. Complete the Task Scope tab as follows:

    | Field | Description |
    | --- | --- |
    | Allow managers to act on tasks where a team member is an addressee | When this setting is enabled, the team managers can use the Team Tasks action within the User Application to take actions on tasks for which the team members are addressees. These actions include approving and denying requests. If you do not permit team managers to act on tasks for which the team member is an addressee, the managers can view these tasks, but they cannot see details about them or take actions on them. |
    | Allow managers to act on tasks where a team member is a recipient | When this setting is enabled, the team managers can use the Team Tasks action within the User Application to take actions on tasks for which the team members are recipients. These actions include approving and denying requests. If you do not permit team managers to act on tasks for which the team member is a recipient, the managers can view these tasks, but they cannot see details about them or take actions on them. |

    NOTE: For security reasons, the recipient task scope option is disabled by default. Giving a team manager the ability to act on tasks where the recipient of the request is a team member can raise several security issues. First, the manager is then able to view data included on any of the forms that are displayed during the course of workflow execution, regardless of his or her trustee rights. Second, depending on the permission options, a team manager could circumvent the approval process by claiming or approving the task or reassigning it to someone else.

  14. Complete the Permissions page as follows:

    | Field | Description |
    | --- | --- |
    | Allow managers to initiate a Provisioning Request on behalf of a team member | When this setting is enabled, the list of resources on the Request Team Resources page of the User Application includes resources that are within the scope of this team. When this setting is disabled, these resources are not included. |
    | Allow managers to retract a Provisioning Request on behalf of a team member | When this setting is enabled, the Retract button is displayed on the Team Requests page for requests that are within the scope of this team. When this setting is disabled, the Retract button is not displayed. |
    | Allows managers to make a team member a delegate for other team member’s Provisioning Requests | When this option is enabled, the manager can use the Team Delegate Assignments action to designate a team member as a delegate for another team member’s provisioning requests. If this option is disabled, the manager can still view delegate settings defined for the team members by the administrator or by a manager of another team to which these users belong. However, the team manager cannot edit or delete these settings, view details for these settings, or create new delegate assignments. |
    | Allow managers to claim a task for team members who are recipient and/or addressee | When this setting is enabled, the Claim button is enabled on the Team Tasks page for requests that are within the scope of this team. When this setting is disabled, the Claim button is dimmed. |
    | Allow managers to reassign a task for team members who are recipient and/or addressee | When this setting is enabled, the Reassign button is enabled on the Team Tasks page for requests that are within the scope of this team. When this setting is disabled, the Reassign button is disabled. |

  15. Click Save.

You must deploy the Provisioning Team for it to be available to the User Application. See Section 2.7, Deploying Provisioning Objects. A deploy of a provisioning team creates two objects in the User Application driver Appconfig Teams node:

  • srvprvTeam: contains the provisioning teams object.

  • srvprvTeamRequest: contains the request object.

Because there are two objects stored in the User Application driver for a provisioning team, the compare and import operations are different than for other types of provisioning objects. To compare or import both objects, you must do the compare or import at the team node and not at the individual element. If you do the compare or import at the individual element, only the srvprvTeam object is imported or compared.

10.2.2 Deleting a Provisioning Team

You delete the Provisioning Team object from the Provisioning view by selecting the team, right-clicking, then selecting Delete. The Delete confirmation dialog box lets you specify whether to delete the object locally only, or from the Identity Vault during the next deploy of the parent object. If you delete team request objects in Designer, the team request objects are deleted from the Identity Vault when you deploy the team.

10.2.3 Creating a Team to Manage Direct Reports

  1. In iManager, create a dynamic group called Managers.

    1. Set the Search Scope to Search Sub Containers.

    2. Specify the Search Filter as (&(isManager=TRUE)).

      For complete details on creating dynamic groups, see the Novell Identity Manager: Administration Guide.

  2. In Designer, create a new provisioning team and name it DirectReports.

    1. To specify the team managers, pick the Managers dynamic group you created earlier.

    2. To identify the team members, select the Manager-Employee relationship.

    3. To define the team options:

      • Select Allow managers to set team availability for team members.

      • Select Allow managers to set proxies for team members.

      • Select All team members will display in a select list.

  3. Select the Requests tab to define a provisioning team request object.

  4. Set the Provisioning Request Scope to All Provisioning Requests, then name the new provisioning team request DirectReportsTeamRequestRights.

  5. Click the Task Scope tab and specify the task scope options as follows:

    • Select Allow managers to act on tasks where the team member is an addressee.

    • Deselect Allow managers to act on tasks where the team member is a recipient.

  6. Click the Permissions tab and specify the permission options as follows:

    • Select Allow managers to initiate a Provisioning Request on behalf of a team member.

    • Select Allow managers to retract a Provisioning Request on behalf of a team member.

    • Select Allow managers to make a team member a delegate for other team member’s Provisioning Requests.

    • Select Allow managers to claim a task for team members who are a recipient and/or addressee based on the task scope.

    • Select Allow managers to reassign a task for team members who are a recipient and/or addressee based on the task scope.

  7. Save and deploy the team.

    For more information, see Section 2.7, Deploying Provisioning Objects.
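
The security NOTE on the recipient task scope and the select-list performance guidance in Section 10.2.1 can be expressed as a review check to run over team definitions before they are deployed. This is an added example, not code from Designer or the User Application: the `Team` and `TeamRequest` classes and their field names are hypothetical stand-ins for the settings on the Team, Task Scope and Permissions panels, and both sample teams are constructed (the first mirrors the DirectReports team above).

```python
from dataclasses import dataclass, field

# Hypothetical model of the settings described in this section; these
# class and field names are assumptions, not Designer's storage schema.
@dataclass
class TeamRequest:
    name: str
    act_on_addressee_tasks: bool = False
    act_on_recipient_tasks: bool = False  # documented default: disabled
    can_claim: bool = False
    can_reassign: bool = False

@dataclass
class Team:
    name: str
    member_types: set              # e.g. {"user", "group", "OU", "O"}
    members_in_select_list: bool   # True = all members shown in a select list
    requests: list = field(default_factory=list)

def review_team(team):
    """Return findings based on the performance and security notes above."""
    findings = []
    if team.members_in_select_list and team.member_types & {"O", "OU"}:
        findings.append(f"{team.name}: O/OU members shown in a select list "
                        "(runtime performance)")
    for req in team.requests:
        if not req.act_on_recipient_tasks:
            continue  # claim/reassign then apply to addressee tasks only
        findings.append(f"{req.name}: recipient task scope enabled "
                        "(form data visible regardless of trustee rights)")
        for allowed, action in ((req.can_claim, "claim"),
                                (req.can_reassign, "reassign")):
            if allowed:
                findings.append(f"{req.name}: managers can {action} tasks "
                                "for their own recipients (approval bypass)")
    return findings

# Constructed samples. The first mirrors the DirectReports team of 10.2.3.
DIRECT_REPORTS = Team("DirectReports", {"relationship"}, True, [
    TeamRequest("DirectReportsTeamRequestRights", act_on_addressee_tasks=True,
                can_claim=True, can_reassign=True)])
RISKY = Team("RegionalOps", {"OU"}, True, [
    TeamRequest("RegionalOpsRequestRights", act_on_recipient_tasks=True,
                can_claim=True)])

if __name__ == "__main__":
    for t in (DIRECT_REPORTS, RISKY):
        print(t.name, review_team(t) or "no findings")
```

The DirectReports settings produce no findings because the recipient task scope stays deselected, so the claim and reassign permissions only reach tasks where a team member is an addressee.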