NetIQ Identity Manager is a great product for managing identities, roles, and passwords.
There are lots of components to it, which can be pretty confusing. One nice thing is that much of the work is managed and modeled in an Eclipse-based tool called Designer for Identity Manager, henceforth referred to as simply Designer. (There once was a Designer for Extend Composer, of which only the Integration Activity in Workflows remains.)
I have written some articles about Designer which you can read here:
- Designer and XML Validation
- Moving the IDM Designer Location in Linux
- Using the Global Configuration Editor in Designer 3.0
- Designer 3.5 Compare-Deploy Issue
- Using Simulator in Designer
- Using the eDirectory Browser in Designer
- Things to set when you install Designer
- Designer 4.02 Refresh has Been Released
- What’s new in IDM 4.02 – Part 1
I have written a book, which focuses on how the DirXML Script language in NetIQ Identity Manager works, with almost all screen shots being taken from Designer, in which you would use the language.
You can buy a paper, electronic, or site license copy if you would like.
With the last few major revisions of Designer, they have added an Online Update channel for Designer, and between major releases of the product they release Auto Update releases. The latest release (as of this writing) is Auto Update 3.
When a new release comes out, it is fun to try and figure out what is new in this release. With Auto Update 2 we got some really cool new features like Policy compares. Previously we could compare the project in Designer, to its deployed state in the Identity Vault. In Auto Update 2 we got the ability to use that compare facility, against data exclusively in Designer.
We can now compare:
- Dirty package customizations
- Package to Package differences
- Object to object comparisons
The first, Dirty package customizations, is awesome. It covers the case where you look at the Packages tab of your driver in Designer and see, oh no, it is dirty, with changes. Before, all you could do was Revert Customizations. Now we can Compare Customizations and see a report of all the changes you made. Then you can decide what to do, with useful insight.
The second, Package to Package comparisons, is great for people like me. What this means is that when NetIQ releases version 2.01 of the driver package you have deployed as 2.00, and the Readme is less than compelling in terms of details, you can actually easily see what changed. Just compare the 2.01 version to the 2.00 package from the Package Catalog. Now you get a report of all the differences between the two packages. I see this as an article generating tool. Imagine if we could get folks to write an article explaining all the differences between the various versions of the packages. How useful would that be when it comes time to upgrade and you want to be sure the change won’t cause issues in your system? If the changes are all cosmetic, no big deal to upgrade. If there are huge changes, you probably want to spend some time figuring out if they will matter. But now you can actually know the answer to the question of what changed. Huge improvement.
The third is much the same as the package level compare, but at a smaller scale and lets you compare two objects.
There was more in Auto Update 2, but that was my favorite part. Alas, the Auto Update 3 both adds some equally interesting new things and bug fixes, but they are not quite usable yet. Several of the most interesting new features require an upgrade for Identity Manager to be able to use. Which is frustrating, but sort of the nature of the beast. That is, the tool to manage the new features needs to be available as well as the underlying code for the new features. Since there are other bug fixes and new things in the upgrade, it makes sense to release it earlier than the engine upgrade. I assume the engine upgrade will follow soon after, but no sign as of this writing. But I shall remain patient.
The first new feature of interest is defined as:
The Driver Policy set view includes two new policy sets, “Startup” and “Shutdown”. Policies on these new policy sets are executed during driver startup and shutdown, respectively. These policy sets are shown if the IDM engine version is 184.108.40.206 or greater.
As you can see, this expects an engine of 220.127.116.11, which implies IDM 4.02 with SP3 or Patch 3, depending on what they call it. For IDM 4.02, the Patch 1 and Patch 2 releases updated the engine version string to 18.104.22.168 and 22.214.171.124 respectively, so Patch 3 makes sense.
Alas, you cannot set an engine version by hand in Designer to these levels. Only values in the style of 3.5, 3.51, 3.6, 3.61, 4.00, 4.01, 4.02 are allowed. (Go try it yourself: on the Identity Vault icon in the Modeler view, right click and select Properties, select the Servers tab, pick one and Edit it. You will see you can specify the engine version as I suggested, as well as Standard vs Advanced Edition if you picked 4.0 and higher as the engine level; obviously IDM below 4.00 did not have this distinction.) Interestingly, Bundle Edition is not an option, which probably makes sense, since licensing on Bundle Edition is enforced by the license auditing process. It might be nice to have Bundle Edition as an option so that perhaps you would get a warning if you try to use a driver that exceeds the Bundle Edition license. Thus you cannot set an engine to 126.96.36.199 right now, so I am curious how Designer will know this information. Of course, since that version of the engine is not released, I cannot quite try the Live button next to the version, to go get it from the vault and see if it differs.
Anyway, this is a very interesting addition to IDM. The fishbone diagram, so familiar from iManager (sideways) and Designer (up and down view) is actually getting an update! There will be two new policy sets. Startup and Shutdown. I do not know where they will be placed, and am very curious to see how they are graphically represented. (Darn it, now I will have to go update my book with some new screen shots. That sucks!)
I was following the bug that required this option, which I think is related to some new functionality the IDM team is working on. At BrainShare they discussed a project called Jade, which is designed to do faster Role onloading from connected systems. They want to make it simple to add a connection to a system, read out its Roles, and start using them, even faster, instead of the work involved in more complex bidirectional driver setups. There are a number of things it would be useful to do when you start or stop a driver. (Perhaps read or write some state info to keep track of where you were?)
I thought they would just add a new token for say the Input transform, maybe a condition token like If Driver operation, with values of Starting, Stopping, and maybe more.
Then your rules could be processed. Maybe they could have a pre initialization and post initialization mode as well. If you have ever watched a driver start, it actually starts in three stages. (I was looking at a bizarre start up issue in the SAP UM driver, so I figured out some interesting details there.) The main shim initializes (Init()), then the Subscriber channel initializes, then the Publisher channel.
You can see how a token as I suggest might give some more control. Perhaps you want to do something at different stages of Init().
But they went with new policy sets, which is a really interesting design choice. I would love to have been a bug on the wall when they debated which way to implement this, since I think it would give a lot of insight into how hard each type of change would be for the developers.
Next up is “Support for new Identity Manager end-user-focused user interface.” This seems like it is for project Aquamarine, which is a new web interface, fronting the User Application. They demoed this at BrainShare, and having seen some further demos, it is looking like a really nice improvement. This is distinct from the Citrine project, which is released as the iPhone Approval app for NetIQ Identity Manager. That app is designed for approvers to quickly approve or deny requests on their smart phone and has been released.
The new User App interface is basically another web service that uses SOAP and REST to talk back to the User App as needed to do stuff, but with a more modern, prettier user interface. What was clever was they implemented it in chunks. First they built the overall framework, and then identified each area and initially just linked back to that area on User App in a frame. As each piece was reworked, they made it available to the new interface.
I am curious what changes Designer needs to accommodate what seems like an entirely front end change, but I am guessing it is somehow reflected in the AppConfig container under the User Application. I look forward to finding out more details about these changes.
The final major feature addition is support for two new drivers: “Driver for Oracle EBS HR” and “Driver for Oracle EBS TCA”. Alas, it is just a change in the palette on the right hand side of the Modeler view to add three new driver names to the list. There are no packages provided for these drivers, so if you try to add them (which of course I did) you get empty drivers with no policies. I am sure, like the Startup policy thing, this is waiting on some further work on the packages before it is all available.
Interestingly there are actually three new drivers added, all three starting as Driver Oracle EBS XXX, where XXX is HR, TCA, and User. HR and User are obvious, but what is TCA, I wonder?
Then there is a category of “General Designer Bug Fixes”.
- The Variable Selector in the Policy Builder now correctly displays global configuration values (GCVs).
This one seems like a fix for something I have noticed. The different places where you can click the GCV browser, you sometimes get a different set of available GCVs. This was really annoying, and hard to figure out when it was going on. I am glad to see it get fixed.
- Designer Version Control now correctly handles driver connection lines.
The version control support in Designer is very important if you are working together with multiple developers, and it is nice to see fixes come in for it. There is probably still lots more that can be worked on here, but I will take what I can get. I think I have seen this when using SVN: it is possible to get into trouble when people move drivers around. I hope this is resolving some of those issues.
- Packages for User Application Driver 4.0.2 will now appear in the list of available packages when adding a package to the User Application driver.
This seems like an odd bug, I wonder if it is related to the Aquamarine support, where perhaps it comes as an Add on package for User App? I only see a CMP add on for User App right now. Those two changes together might reflect a coming update in terms of new packages in the update source.
I know there are some bugs fixed that they decided not to call out standalone. I have been continuing to submit memory leak examples for them to fix, and hope some of those have been incorporated. So far I have not been able to easily leak memory as quickly as in the past which is a good sign.
There is definitely a bug introduced, where if you add a policy to a package that is in the Subscriber Event Transform (ONLY the Sub-etp), it gets linked in three times. Thus if you use the package, you get the same policy linked in three times. Very odd, and reported.
Overall, it looks like it is a good release so far, and looking forward to the engine updates to get the rest of the features enabled so we can see more of what they will enable.