1.3 Key Driver Features

The sections below contain information about the key driver features.

1.3.1 Local Platforms

A local installation is an installation of the driver on the Identity Manager server. The Active Directory driver can be installed on the Windows operating systems supported for the Identity Manager server. The following Windows platforms are supported:

  • Windows Server 2016 (64-bit)

  • Windows Server 2012 R2 (64-bit)

  • Windows Server 2012 (64-bit)

  • Windows Server 2008 R2 (64-bit)

  • Windows Server 2008 SP2 (32-bit and 64-bit)

For more information about local installations, see Where to Install the Active Directory Driver.

For additional information about system requirements, see Considerations and Prerequisites for Installation in the NetIQ Identity Manager Setup Guide.

1.3.2 Remote Platforms

The Active Directory driver can use the Remote Loader service to run on a Windows server other than the Identity Manager server. The Remote Loader service for the Active Directory driver can be installed on the following Windows platforms:

  • Windows Server 2019 (64-bit)

  • Windows Server 2016 (64-bit)

  • Windows Server 2012 R2 (64-bit)

  • Windows Server 2012 (64-bit)

  • Windows Server 2008 R2 (64-bit)

  • Windows Server 2008 SP2 (32-bit and 64-bit)

For more information about remote installations, see Where to Install the Active Directory Driver.

For additional information about system requirements, see Considerations and Prerequisites for Installation in the NetIQ Identity Manager Setup Guide.

1.3.3 Entitlements

The Active Directory driver supports entitlements. When entitlements are in use, an action such as provisioning an account in the target directory is delayed until the proper approvals have been made. In Role-Based Services, rights assignments are made based on attributes of a user object. Entitlements standardize a method of recording this information on objects in the Identity Vault. From the driver's perspective, an entitlement grants or revokes the right to something in Active Directory. You can use entitlements to grant the right to an account in Active Directory, to control group membership, and to provision Exchange mailboxes.

The Active Directory driver uses the Permission Collection and Reconciliation service to map entitlements to resources and to automatically assign those entitlements to users when permissions change in Active Directory. The driver updates the Resource Catalog so that it reflects the exact state of user permissions in Active Directory. The driver content includes an enhanced entitlement package that contains the following entitlements by default:

  • ExchangeMailbox: This entitlement grants or denies a Microsoft Exchange mailbox for the specified user.

  • Group: This entitlement grants or denies membership to a group in Active Directory. When the entitlement is revoked, Identity Manager removes the user from the group.

  • UserAccount: This entitlement grants or denies an Active Directory account for the specified user. When this entitlement is granted, the driver provides an enabled logon account. When this entitlement is revoked, the driver either disables or deletes the logon account, depending on the driver configuration.

The Active Directory driver also supports custom entitlements beyond the default set, creating and automatically managing the relationship of identities to resource assignments. The driver uses a CSV file to map Active Directory entitlements to corresponding resources in the Resource Catalog. If an administrator then assigns a resource to a user in the User Application or in iManager, that change is reflected in Active Directory. Similarly, if an Active Directory administrator changes a user's permissions, that change is reflected in the Identity Vault and the corresponding resource is updated with the permission assignment.

The following packages contain the content necessary for collecting and reconciling permissions in Active Directory:

  • NOVLACOMSET 2.0.0 (Common Settings Advanced Edition)

  • NOVLADENTEX 2.0.0 (Active Directory Entitlements and Exchange Mailbox Support)

  • NOVLADDCFG 2.3.0 (Active Directory Default Configuration)

If you want the driver to support permission collection and reconciliation, ensure that these packages are installed on the driver. You can turn this functionality on or off using the new set of GCVs included with the driver.

You should enable entitlements for the driver only if you plan to use the User Application or Role-Based Entitlements with the driver. For more information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

Prerequisites

Before continuing, ensure that you go through the prerequisites needed for enabling this functionality. For general prerequisites, see Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide. In addition to the general prerequisites, ensure that the Active Directory driver version is 4.0.0.2 or later.

Also, you need to set up administrative user accounts and configure a password policy for them. For more information, see Setting Up Administrative User Accounts and Setting Up Administrative Passwords in the NetIQ Identity Manager Driver Administration Guide.

To use the new functionality included in the Active Directory driver, you can either create a new driver with the latest packages or upgrade packages on an existing driver. For more information about creating a driver, see Creating the Driver in Designer or Adding Packages to an Existing Driver.

CSV File Format

The Active Directory driver can consume the entitlement information from the CSV file, which is present on the server where Identity Manager is installed. The CSV file must contain values of the Active Directory system permission information in the format specified below. The Active Directory administrator should maintain a separate CSV file for every custom entitlement. For example, a CSV file can contain details about issuing parking passes to the employees for the ParkingPass entitlement. A CSV file that holds ParkingPass entitlement details represents this information in the following format:

North, North Lot, North Parking Lot

where North is the entitlement value, North Lot is the display name in the User Application for the entitlement value North, and North Parking Lot is the description of the entitlement value, which is displayed in the User Application.
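Because the driver reads this file from the Identity Manager server and uses it to drive resource assignments, a malformed or duplicated row should be caught before the file is put in place rather than silently mapped. The following parser is an added example written for this page, not code shipped with the NetIQ driver; it assumes only the three-column layout described above (entitlement value, display name, description) and the sample rows are constructed to mirror the ParkingPass example.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class EntitlementValue:
    """One row of a custom entitlement CSV: value, display name, description."""
    value: str
    display_name: str
    description: str


# Constructed sample modelled on the page's ParkingPass example (not a real driver file).
# The third row shows a quoted value containing a comma, which a naive split() would break.
SAMPLE_CSV = """North, North Lot, North Parking Lot
South, South Lot, South Parking Lot
"East Wing, Level 2", East Lot, East Parking Lot (covered)
"""


def validate_entitlement_csv(text: str) -> list[str]:
    """Return a list of problems found in the CSV text (empty list means it is acceptable).

    Checks: exactly three fields per row, a non-empty entitlement value,
    and no duplicate entitlement values (a duplicate would make the
    resource-to-entitlement mapping ambiguous).
    """
    problems: list[str] = []
    seen: set[str] = set()
    # skipinitialspace handles the "value, display, description" spacing used on the page.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not row or all(not field.strip() for field in row):
            continue  # blank line: ignore
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 fields, got {len(row)}")
            continue
        value = row[0].strip()
        if not value:
            problems.append(f"line {lineno}: entitlement value is empty")
            continue
        if value in seen:
            problems.append(f"line {lineno}: duplicate entitlement value {value!r}")
            continue
        seen.add(value)
    return problems


def parse_entitlement_csv(text: str) -> list[EntitlementValue]:
    """Parse the CSV into EntitlementValue rows, refusing the whole file if validation fails."""
    problems = validate_entitlement_csv(text)
    if problems:
        raise ValueError("invalid entitlement CSV: " + "; ".join(problems))
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    rows: list[EntitlementValue] = []
    for row in reader:
        if not row or all(not field.strip() for field in row):
            continue
        value, display_name, description = (field.strip() for field in row)
        rows.append(EntitlementValue(value, display_name, description))
    return rows


def display_names(rows: list[EntitlementValue]) -> dict[str, str]:
    """Map entitlement value -> display name, the lookup the User Application needs."""
    return {row.value: row.display_name for row in rows}


if __name__ == "__main__":
    for entry in parse_entitlement_csv(SAMPLE_CSV):
        print(entry)
    # A row with only two fields is reported rather than silently accepted.
    print(validate_entitlement_csv("North, North Lot\n"))
```

The parser rejects the entire file on any problem instead of skipping bad rows, so a typo in one line cannot quietly drop an entitlement value from the Resource Catalog mapping; the validation function can be run on its own as a pre-deployment check.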

1.3.4 Password Synchronization Support

The Active Directory driver synchronizes passwords on both the Subscriber channel and the Publisher channel. For more information, see Section 6.0, Synchronizing Passwords.

1.3.5 Data Synchronization Support

The Active Directory driver synchronizes User objects, Group objects, containers, and Exchange mailboxes.