2.4 Preparing the Access Review Driver

This section helps you create, configure, and deploy the Access Review driver. You perform these tasks in your project in Designer.

2.4.1 Updating the Base Package for the Access Review Driver

NetIQ regularly provides updates to the Identity Manager drivers. You must have the latest content for the Access Review driver, User Application driver, and notifications object. For more information about the packages, see Installation Requirements.

  1. Open Designer.

  2. Select Help > Check for Package Updates.

  3. Select the packages that you want to update, including the packages for the Access Review driver, the User Application driver, and the notification templates.

  4. Click Yes.

  5. When the update completes, restart Designer.

2.4.2 Configuring the Access Review Driver

This section helps you configure the Access Review driver and establish its basic settings.

The driver interacts with Access Review through database views. It uses the Access Review administrator account as well as an account in the Identity Manager identity applications. When configuring the driver, you need information about Access Review and Identity Manager settings. For more information about required settings, see Information Needed for Installation and Configuration.

NOTE: The Access Review driver requires the driver set packages for common settings: NOVLACOMSET and NOVLCOMSET. Ensure that you import these packages before configuring the driver. For more information about the packages, see Installation Requirements.

  1. In the Modeler view of Designer, select Developer.

  2. (Conditional) If you have more than one driver set in the Identity Vault, select the driver set in the Modeler view to which you want to add the driver.

  3. In the Palette view, expand Service.

  4. Drag Access Review to the Modeler view.

    This action opens the Driver Configuration Wizard.

  5. For Select Driver Base Configuration, select Access Review Base, then click Next.

  6. For Optional Features, select the following items:

    • Default Configuration

    • Managed System Information

    • Password Synchronization

  7. Click Next.

  8. For Driver Name, specify a value. For example, Access Review Driver.

  9. Click Next.

  10. (Conditional) Select Yes or No to determine if the driver will use the Remote Loader. If you select No, skip to Step 11. If you select Yes, use the following information to complete the Remote Loader configuration, then click Next:

    • Host Name: Specify the hostname or IP address of the server where the driver’s Remote Loader service is running.

    • Port: Specify the port number where the Remote Loader is installed and running. The default port number is 8090.

    • KMO: Specify the Key Name of the Key Material Object (KMO) that contains the keys and certificate the Remote Loader uses for an SSL connection. This parameter is only used when you use SSL for connections between the Remote Loader and the Identity Manager engine.

    • Other Parameters: Specify any other parameters required to connect to the Remote Loader. Any parameters specified must use a key-value pair format, as follows: paraName1=paraValue1 paraName2=paraValue2.

    • Remote Password: Specify the Remote Loader’s password as defined on the Remote Loader. The Identity Manager engine uses this password to authenticate to the Remote Loader.

    • Driver Password: Specify the driver object password that is defined in the Remote Loader service. The Remote Loader requires this password to authenticate to the Identity Manager server.

  11. Specify the following details to connect to the Access Review database, then click Next:

    Authentication ID: Specify a user application ID. This ID is used to pass Identity Vault subscription information to the application.

    Connection Information: Specify the IP address or name of the server the application shim should communicate with.

    Password: Specify a password for the driver to communicate with the application.

    Driver Options: Select Show to display the driver options and specify the following parameters:

    • Access Review Database Connection URL: Specify the JDBC connection URL. For example, jdbc:postgresql://(host):(port)/arops, where arops is the default Access Review operations database (the last path element of a PostgreSQL JDBC URL is the database name, not a table).

    • JDBC Driver Class Name: Specify the JDBC driver class name. For example, org.postgresql.Driver.

    Publisher Options: Select Show to display the publisher options and specify the following parameters:

    • Access Review Resources Base Container: Specify the name for the base container for the Access Review resources. For example, Access_Review_Resources.

    • User Application Driver DN: Specify the DN for User Application driver. For example, CN=User Application Driver,CN=driverset1,O=system.

    • User Application Provisioning URL: Specify the User Application provisioning URL. For example, http://<uahost>:<port>/IDMProv.

    • User Application User Name: Specify the user name for the User Application. For example, Admin.

    • User Application User Password: Specify the password for the user name of the User Application. For example, password.

    • Provisioning Service Account Password: Specify the password for the Provisioning Service Account. For example, pswd.

    Allow IDM Account Creation and Migration?: Click Adds and Migrate Allowed to allow Identity Manager to create new users based on the identities published from the Access Review repository. Specify the following parameters and click Next.

    • Access Review Application URL: Specify the URL of the server where Access Review application is hosted. For example, http://arhost:8080.

    • Access Review Data Administrator User Name: Specify the name for the Access Review database administrator. For example, aradmin.

    • Access Review Data Administrator User Password: Specify the password for the Access Review database administrator. For example, arpassword.

    • OSP Client Name: Specify the client name that Access Review uses to authenticate to One SSO Provider (OSP). For example, iac.

    • OSP Client Password: Specify the password for that OSP client. For example, iacpswd.

  12. (Conditional) On the Access Review Default Configuration Information page, in the Publisher User Object Placement field, specify the container in which new users published from Access Review will be created, then click Next. For example, data\users\arusers.

  13. (Conditional) On the Access Review Managed System Information page, fill in the following fields to define the ownership of Access Review, then click Next:

    General Information

    • Name: Specify a descriptive name for the managed system.

    • Description: Specify a brief description of the managed system.

    • Location: Specify the physical location of the managed system.

    • Vendor: Specify the vendor of the managed system.

    • Version: Specify the version of the managed system.

    System Ownership

    • Business Owner: Select a user object in the Identity Vault that is the business owner of Access Review. This can only be a user object, not a role, group, or container.

    • Application Owner: Select a user object in the Identity Vault that is the application owner of Access Review. This can only be a user object, not a role, group, or container.

    System Classification

    • Classification: Select the classification of Access Review. This information is displayed in the reports. The options are as follows:

      • Mission-Critical

      • Vital

      • Not-Critical

      • Other

        If you select Other, you must specify a custom classification for Access Review.

    • Environment: Select the type of environment Access Review provides. The options are as follows:

      • Development

      • Test

      • Staging

      • Production

      • Other

        If you select Other, you must specify a custom environment for Access Review.

  14. Click Finish.
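Before typing the Step 10 and Step 11 values into the wizard, it is worth checking them for the mistakes that are hard to see once they are buried in a driver object: a JDBC URL that does not request TLS, an empty KMO on a Remote Loader that is meant to use SSL, http:// provisioning and application URLs that send the User Application and Access Review credentials in the clear, and the documentation's placeholder passwords left in place. The following script is an added example and is not part of the NetIQ documentation or the driver; it parses the wizard's own example values (hostnames, ports and passwords are constructed sample input, and the hardened variant is an assumption about what a reviewed deployment would look like) and reports what a reviewer would question.

```python
"""Pre-flight checks for Access Review driver connection settings.

Added example; not part of the NetIQ documentation or the driver itself.
It parses the values the Driver Configuration Wizard asks for and flags
settings a reviewer would question before deploying. Hostnames, ports
and credentials below are constructed sample input.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the wizard's own example values, taken as typed.
WEAK_SETTINGS = {
    "jdbc_url": "jdbc:postgresql://ardb.example.com:5432/arops",
    "jdbc_driver_class": "org.postgresql.Driver",
    "remote_loader": {"host": "rl.example.com", "port": 8090, "kmo": "",
                      "other": "paraName1=paraValue1 paraName2=paraValue2"},
    "ua_provisioning_url": "http://uahost.example.com:8180/IDMProv",
    "ar_application_url": "http://arhost.example.com:8080",
    "passwords": {"User Application User Password": "password",
                  "Provisioning Service Account Password": "pswd",
                  "OSP Client Password": "iacpswd"},
}

# Constructed sample: the same deployment with TLS on every hop and real secrets
# (the KMO name and passwords are assumptions, not values from the documentation).
HARDENED_SETTINGS = {
    "jdbc_url": "jdbc:postgresql://ardb.example.com:5432/arops?ssl=true&sslmode=verify-full",
    "jdbc_driver_class": "org.postgresql.Driver",
    "remote_loader": {"host": "rl.example.com", "port": 8090,
                      "kmo": "SSL CertificateDNS", "other": ""},
    "ua_provisioning_url": "https://uahost.example.com:8543/IDMProv",
    "ar_application_url": "https://arhost.example.com:8443",
    "passwords": {"User Application User Password": "Xk7#pL9qRv2m",
                  "Provisioning Service Account Password": "Wd4$nB8sYt6z",
                  "OSP Client Password": "Qm2!hF5cJp8r"},
}

JDBC_RE = re.compile(
    r"^jdbc:postgresql://(?P<host>[^:/?]+)(?::(?P<port>\d+))?/(?P<db>[^?]+)(?:\?(?P<query>.*))?$")
# PostgreSQL JDBC driver sslmode values that actually encrypt the connection.
TLS_SSLMODES = {"require", "verify-ca", "verify-full"}
# Example passwords used in the documentation; they must never reach production.
PLACEHOLDER_PASSWORDS = {"password", "pswd", "arpassword", "iacpswd"}


def parse_jdbc_url(url):
    """Split a PostgreSQL JDBC URL into host, port, database and query parameters."""
    m = JDBC_RE.match(url)
    if not m:
        raise ValueError(f"not a PostgreSQL JDBC URL: {url!r}")
    params = {k: v[-1] for k, v in parse_qs(m.group("query") or "").items()}
    return {"host": m.group("host"), "port": int(m.group("port") or 5432),
            "database": m.group("db"), "params": params}


def parse_remote_loader_params(text):
    """Parse the wizard's Other Parameters field: space-separated key=value pairs."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"Remote Loader parameter is not key=value: {token!r}")
        params[key] = value
    return params


def check_settings(s):
    """Return a list of findings; an empty list means nothing to question."""
    findings = []
    try:
        jdbc = parse_jdbc_url(s["jdbc_url"])
    except ValueError as exc:
        jdbc = None
        findings.append(str(exc))
    if jdbc:
        p = jdbc["params"]
        if p.get("ssl") != "true" and p.get("sslmode") not in TLS_SSLMODES:
            findings.append("JDBC URL does not request TLS; add ?ssl=true&sslmode=verify-full")
    if s["jdbc_driver_class"] != "org.postgresql.Driver":
        findings.append(f"unexpected JDBC driver class {s['jdbc_driver_class']!r}")
    rl = s.get("remote_loader")
    if rl:
        try:
            parse_remote_loader_params(rl.get("other", ""))
        except ValueError as exc:
            findings.append(str(exc))
        if not rl.get("kmo"):
            findings.append("Remote Loader KMO is empty; SSL between the engine and the Remote Loader is not configured")
    for label, url in (("User Application provisioning URL", s["ua_provisioning_url"]),
                       ("Access Review application URL", s["ar_application_url"])):
        if urlsplit(url).scheme != "https":
            findings.append(f"{label} is not https; credentials would cross the network in the clear")
    if urlsplit(s["ua_provisioning_url"]).path.rstrip("/") != "/IDMProv":
        findings.append("User Application provisioning URL should end in /IDMProv")
    for name, value in s["passwords"].items():
        if value.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name} is a documentation placeholder, not a real secret")
    return findings


if __name__ == "__main__":
    for label, settings in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {check_settings(settings) or ['no findings']}")
```

Run against the wizard's example values the script reports seven findings (no TLS on the JDBC URL, no KMO, two plain-http URLs, three placeholder passwords); against the hardened variant it reports none. The checks are deliberately static: they do not open a connection, so they can run on a workstation that has no route to the database or the Remote Loader.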

2.4.3 Adding the Driver Account to the Access Review Driver

This section helps you apply the system account that you created for the driver in the identity applications to the driver. For more information about the account, see Creating an Identity Manager Provisioning Service Account for the Driver.

NOTE: Identity Manager shares Global Configuration Values (GCVs) across the entire driver set, including the Role and Resource driver and the Access Review driver. NetIQ recommends that you periodically review the GCVs to ensure that they have not been reset by the installation of other drivers or by changes to the Access Review driver.

  1. In the Outline view of Designer, right-click the Access Review driver.

  2. Select Properties.

  3. In the navigation pane, select Driver Configuration, then select the Publisher Options tab.

  4. In User Application Provisioning Service Account DN, specify the DN of the service account that you created for the driver, and specify its password.

    The Properties window labels the field with the descriptive name that you gave the account when you added it to the GCVs for the driver set, for example User Application Provisioning Service Account DN. For more information, see Creating an Identity Manager Provisioning Service Account for the Driver.

  5. Click OK.

2.4.4 Deploying the Access Review Driver and Supporting Objects

After you create, configure, or modify the driver, you must deploy the Access Review driver, User Application driver, and notifications object.

  1. In the Modeler or Outline view of Designer, right-click the driver set that contains the Access Review driver (for example, Driver Set).

  2. Select Live > Deploy.

  3. Select Deploy, then select OK.

  4. Right-click the Access Review driver, then repeat Step 2 and Step 3.

  5. Deploy the User Application driver.

  6. Deploy the Default Notification Collection object.

  7. (Conditional) If Identity Manager prompts for Security Equivalences, set the driver security equivalent to the admin.sa.system user. Security equivalence grants the driver object the Identity Vault rights of that user, so this is the account whose privileges the driver runs with.