5.12 ID Vault Support

ID Vault is a server-based database that stores protected copies of Lotus Notes user IDs. ID Vault allows Domino administrators to perform tasks such as recovering and resetting passwords, recovering IDs, and renaming users. Users are assigned to an ID Vault through a policy. When the policy takes effect, copies of the user IDs are automatically uploaded to the ID Vault.

The Identity Manager driver for Lotus Notes supports the use of ID Vault. By default, the driver packages support connecting to a single ID Vault running locally on a Domino server. Connecting to multiple vaults requires customizing the default configuration using Designer or iManager.

The following examples illustrate these scenarios:

Example 1: An organization has three different organizational units (OU): Sales, Engineering, and Marketing. The Sales OU uses the sales.nsf vault, the Engineering OU uses the eng.nsf vault, and the Marketing OU uses the marketing.nsf vault. ID Vault and the Domino server on which the names.nsf file resides are on the same server.

In this case, you need to perform the following actions:

  1. Add new GCVs to the driver to include the vaults for Sales, Engineering, and Marketing.

    <definition display-name="Sales organization ID Vault DB Name" name="account.idVault.salesIDVaultDB" type="string">
      <description>Enter the Sales organization ID Vault database name.</description>
      <value>sales.nsf</value>
    </definition>
    <definition display-name="Marketing organization ID Vault DB Name" name="account.idVault.markIDVaultDB" type="string">
      <description>Enter the Marketing organization ID Vault database name.</description>
      <value>marketing.nsf</value>
    </definition>
    <definition display-name="Engineering organization ID Vault DB Name" name="account.idVault.engIDVaultDB" type="string">
      <description>Enter the Engineering organization ID Vault database name.</description>
      <value>eng.nsf</value>
    </definition>
  2. Add a policy to the Subscriber Command Transformation policies to instruct the driver to place a user ID in a specific vault on the Domino server.

    <?xml version="1.0" encoding="UTF-8"?>
    <policy>
      <rule>
        <description>setting the Sales idVault Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.SalesName~</if-src-dn>
            <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.salesIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
      <rule>
        <description>setting the Marketing idVault Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.MktgName~</if-src-dn>
            <if-global-variable name="account.idVault.markIDVaultDB" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.markIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
      <rule>
        <description>setting the Engineering idVault Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.EngName~</if-src-dn>
            <if-global-variable name="account.idVault.engIDVaultDB" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.engIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
    </policy>

Example 2: ID Vault and the Domino server on which the names.nsf file resides are on different servers.

Use the adminp-server attribute (Domino AdminP) in your policy to specify the ID Vault server from which the user IDs should be either deleted or moved to an inactive state.

    <?xml version="1.0" encoding="UTF-8"?>
    <policy>
      <rule>
        <description>setting the Sales idVault Server Names &amp; Database Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.SalesName~</if-src-dn>
            <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
            <if-global-variable name="account.idVault.salesIDVaultServerName" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.salesIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
            <arg-string>
              <token-global-variable name="account.idVault.salesIDVaultServerName"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
      <rule>
        <description>setting the Marketing idVault Server Names &amp; Database Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.MktgName~</if-src-dn>
            <if-global-variable name="account.idVault.markIDVaultDB" op="not-equal"/>
            <if-global-variable name="account.idVault.markIDVaultServerName" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.markIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
            <arg-string>
              <token-global-variable name="account.idVault.markIDVaultServerName"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
      <rule>
        <description>setting the Engineering idVault Server Names &amp; Database Names</description>
        <conditions>
          <and>
            <if-operation op="equal">delete</if-operation>
            <if-class-name op="equal">User</if-class-name>
            <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.EngName~</if-src-dn>
            <if-global-variable name="account.idVault.engIDVaultDB" op="not-equal"/>
            <if-global-variable name="account.idVault.engIDVaultServerName" op="not-equal"/>
          </and>
        </conditions>
        <actions>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
            <arg-string>
              <token-global-variable name="account.idVault.engIDVaultDB"/>
            </arg-string>
          </do-set-xml-attr>
          <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
            <arg-string>
              <token-global-variable name="account.idVault.engIDVaultServerName"/>
            </arg-string>
          </do-set-xml-attr>
        </actions>
      </rule>
    </policy>
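As an added example (not NetIQ driver code and not part of this page), the following Python models the DirXML Script subset that the policies in Example 1 and Example 2 rely on: GCV expansion of `~name~` references, the `if-operation`, `if-class-name`, `if-src-dn in-subtree` and `if-global-variable` conditions, and `do-set-xml-attr`, so that the vault routing can be checked offline before the policy is deployed. The GCV values, tree name and user DNs are constructed; the `rule()` helper builds rules with the same conditions and actions as Example 2. It assumes that `in-subtree` matches DNs case-insensitively and that an `if-global-variable` with no content compares against the empty string, so `not-equal` holds only when the GCV is set (a rule whose vault GCV is blank therefore sets nothing, and the driver's default vault applies).

```python
import xml.etree.ElementTree as ET

GCVS = {  # constructed values; the GCV names are the ones this page's policy uses
    "dirxml.auto.treename": "IDMTREE",
    "account.src-loc.SalesName": "data\\sales",
    "account.src-loc.EngName": "data\\eng",
    "account.idVault.salesIDVaultDB": "sales.nsf",
    "account.idVault.salesIDVaultServerName": "vault01/ACME",
    "account.idVault.engIDVaultDB": "",  # left unset: the Eng rule must not fire
    "account.idVault.engIDVaultServerName": "vault02/ACME",
}
def rule(ou, db_gcv, srv_gcv):
    """One rule with the same conditions and actions as Example 2 above."""
    return f"""<rule><conditions><and>
 <if-operation op="equal">delete</if-operation>
 <if-class-name op="equal">User</if-class-name>
 <if-src-dn op="in-subtree">\\~dirxml.auto.treename~\\~account.src-loc.{ou}Name~</if-src-dn>
 <if-global-variable name="{db_gcv}" op="not-equal"/>
 <if-global-variable name="{srv_gcv}" op="not-equal"/>
</and></conditions><actions>
 <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
  <arg-string><token-global-variable name="{db_gcv}"/></arg-string></do-set-xml-attr>
 <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
  <arg-string><token-global-variable name="{srv_gcv}"/></arg-string></do-set-xml-attr>
</actions></rule>"""
POLICY = ET.fromstring("<policy>" + rule("Sales", "account.idVault.salesIDVaultDB",
    "account.idVault.salesIDVaultServerName") + rule("Eng", "account.idVault.engIDVaultDB",
    "account.idVault.engIDVaultServerName") + "</policy>")
def gcv_expand(text):
    parts = text.split("~")  # odd-indexed pieces are ~gcv.name~ references
    return "".join(GCVS.get(p, "") if i % 2 else p for i, p in enumerate(parts))
def condition_holds(cond, event):
    tag, op, val = cond.tag, cond.get("op"), gcv_expand(cond.text or "")
    if tag in ("if-operation", "if-class-name"):
        return (event[tag[3:]] == val) == (op == "equal")
    if tag == "if-src-dn" and op == "in-subtree":
        src, sub = event["src-dn"].lower(), val.lower()  # assumed case-insensitive DNs
        return src == sub or src.startswith(sub + "\\")
    if tag == "if-global-variable":  # empty content compares against ""
        return (GCVS.get(cond.get("name"), "") == val) == (op == "equal")
    raise ValueError(f"unsupported condition {tag} {op}")
def apply_policy(event):
    """Return the XML attributes the policy would set on the <delete> event."""
    attrs = {}
    for r in POLICY.findall("rule"):
        if all(condition_holds(c, event) for c in r.find("conditions/and")):
            for act in r.findall("actions/do-set-xml-attr"):
                tok = act.find("arg-string/token-global-variable")
                attrs[act.get("name")] = GCVS.get(tok.get("name"), "")
    return attrs
```

Note that a user under a sibling container such as `\IDMTREE\data\salesops` is not routed to the Sales vault, because `in-subtree` requires the full container DN, not a string prefix.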