To use the Permission Collection and Reconciliation service included in the Identity Manager drivers, you can either create a new driver with the latest packages or upgrade packages on an existing driver. In both cases, you install the driver packages and then modify the driver configuration to suit your environment. For creating new drivers, NetIQ recommends that you refer to the individual driver documentation.
The following sections provide instructions for upgrading common settings packages on existing drivers:
After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.
In Designer, open your project.
In the Modeler, right-click the driver set where you want to create the driver, then select > .
Follow the driver configuration wizard to create the driver.
On the Entitlements Name to CSV File Mappings page, click the icon to populate the page with the entitlement configuration options.
Identity Manager uses the CSV file to map entitlements to corresponding resources in the Identity Manager catalog.
The information that you specify on this page is used to create the permission catalog. Fill in the following fields, then click :
Entitlement Name: Specify a descriptive name for the entitlement to map it to the CSV file that contains the connected system entitlement details.
is the name of the entitlement. This parameter corresponds to the Entitlement Assignment Attribute in the connected system. For example, you could define an entitlement called .
This parameter is used to create a resource in the User Application.
Entitlement Assignment Attribute: Specify a descriptive name for the assignment attribute for an entitlement.
holds the entitlement values in the connected system. For example, you could have an attribute called .
You must add this parameter to
in the Driver Parameters page or modify it in driver settings after creating the driver.
CSV File: Specify the location of the CSV file. This file must be located on the same server as the driver. This file contains the values for the application entitlements.
Multi-valued?: Set the value of this parameter to
if you want to assign resources and entitlements multiple times with different values to the same user. Otherwise, set it to .
Review the summary of tasks that will be completed to create the driver, then click .
The driver is now created. You can modify the configuration settings by continuing with the next section, Section 19.6.2, Configuring the Driver. If you don’t need to configure the driver, continue with Section 19.6.3, Deploying the Driver.
When you install the Permission Collection and Reconciliation service package, there are some settings that you must review and configure for the driver to start properly. These settings are located under
and on the Driver Properties page in Designer. In the Modeler, right-click the driver icon or the driver line, then select and click .
In addition to the driver settings, you should review the set of default policies and rules provided by the basic driver configuration. The default policies and rules are discussed in the Default Driver Configuration section of each Driver Implementation Guide.
After a driver is created in Designer, you must deploy it into the Identity Vault.
In Designer, open your project.
In the Modeler, right-click the driver icon or the driver line, then select .
If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following information:
Host: Specify the IP address or DNS name of the server hosting the Identity Vault.
Username: Specify the DN of the user object used to authenticate to the Identity Vault.
Password: Specify the user’s password.
Click .
Read through the deployment summary, then click .
Read the success message, then click .
Click to assign rights to the driver.
The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, you might want to create a user account called DriversUser, for example, and assign security equivalence to that user.
Click , then browse to and select the object with the correct rights.
Click twice.
Click to exclude users that should not be synchronized.
You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.
Click .
When a driver is created, it is stopped by default. To make the driver work, you must start the driver and cause events to occur. Identity Manager is an event-driven system, so after the driver is started, it won’t do anything until an event occurs.
To start the driver:
In Designer, open your project.
In the Modeler, right-click the driver icon or the driver line, then select .