A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The SAP User Management driver includes several predefined GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit.

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The GCVs are divided into the following categories:

A.2.1 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled and displayed. This section documents all of the options.

Entitlements Options

Entitlements act like an ON/OFF switch to control account access. For more information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

Use User Account Entitlement: When the driver is enabled for entitlements, accounts are created, and removed or disabled, only when the account entitlement is granted to or revoked from users.

Select True to enable the user account entitlement. You must have an entitlement agent configured in your environment.

When Account Entitlement revoked: Select which action is taken in the SAP system when a User Account Entitlement is revoked. The options are to disable the account or to delete the account.

Use Role (ActivityGroup) Entitlement: Enables the Role entitlement that is included with the driver. Select True to enable this entitlement.

Use Profile Entitlement: Enables the Profile entitlement that is included with the driver. Select True to enable this entitlement.

Advanced settings: Select show to display all of the advanced settings. The advanced settings enable additional functionality in the driver such as data collection or enabling the driver to work with Identity Applications. If you change these settings from the default, you risk disabling the additional functionality.

Data Collection

Data collection enables Identity Reporting to gather information to generate reports. For more information, see the NetIQ Identity Reporting: User’s Guide to Running Reports.

Enable data collection: If Yes, the Data Collection Service collects data from this driver through the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: If Yes, the Data Collection Service can collect user account data through the Managed System Gateway driver.

Allow data collection from roles (ActivityGroups): If Yes, the Data Collection Service can collect role (ActivityGroup) data through the Managed System Gateway driver.

Allow data collection from profiles: If Yes, the Data Collection Service can collect profile data through the Managed System Gateway driver.

Role Mapping

Identity Applications allows you to map business roles with IT roles. For more information, see the Identity Applications Administration in the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

Enable role mapping: If Yes, this driver is visible to Identity Applications.

Allow mapping of user accounts: If Yes, it allows mapping of user accounts in Identity Applications. An account is required before a role, profile, or license can be granted through Identity Applications.

Allow mapping of roles (ActivityGroups): If Yes, it allows mapping of roles (ActivityGroups) in Identity Applications.

Allow mapping of profiles: If Yes, it allows mapping of profiles in Identity Applications.

Resource Mapping

Identity Applications allows you to map resources to users. For more information, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

Enable resource mapping: If Yes, this driver is visible to Identity Applications.

Allow mapping of user accounts: If Yes, it allows mapping of user accounts in Identity Applications. An account is required before a role, profile, or license can be granted.

Allow mapping of roles (ActivityGroups): If Yes, it allows mapping of roles (ActivityGroups) in Identity Applications.

Allow mapping of profiles: If Yes, it allows mapping of profiles in Identity Applications.

Parameter Format

Format for User Account entitlement: Specifies the parameter format that the entitlement agent uses when granting this entitlement. The options are Identity Manager 4 or Legacy.

Format for Role entitlement: Specifies the parameter format that the entitlement agent uses when granting this entitlement. The options are Identity Manager 4 or Legacy.

Format for Group entitlement: Specifies the parameter format that the entitlement agent uses when granting this entitlement. The options are Identity Manager 4 or Legacy.

Entitlement Extensions

User account extensions: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.

Role (ActivityGroup) extension: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.

Profile extensions: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.

A.2.2 Rename Operation

The Rename Operation GCVs control how the driver handles a rename of a user: whether the rename is processed or blocked, what happens to the old SAP account, and which data is copied from the old account to the new one.

Show User Rename Options: Select show to display the options for renaming a user.

If you select hide, the following options are not displayed:

How to handle User Rename Operations: The options are Process Rename Operation or Block Rename Operation. Select Process Rename Operation to display all the parameters to copy user data from the old user account when a user is renamed. Select Block Rename Operation to block renaming of a user.

How to handle old SAP Account: The options are CopyTo and Disable, CopyTo and Delete, and CopyTo and Keep Active.

  • CopyTo and Disable: This option copies the user information and disables the old user account.

  • CopyTo and Delete: This option copies the user information and deletes the old user account.

  • CopyTo and Keep Active: This option copies the user information only. It does not disable or delete the old user account. The old user account remains active when the new user is created.

Address (ADDRESS): If True, copies the Address tab values from the old user to the new user when the user is renamed.

Defaults (DEFAULTS): If True, copies the Defaults tab values from the old user to the new user when a user is renamed.

User Parameters (PARAMETERS): If True, copies the Parameters tab values from the old user to the new user when a user is renamed.

Reference User (ROLES): If True, copies the Reference User Roles from the old user to the new user when a user is renamed.

Roles (ROLES): If True, copies all the roles of the old user to the new user when a user is renamed.

Authorization Profiles (PROFILES): If True, copies all the profiles of the old user to the new user when a user is renamed.

User Groups (GROUPS): If True, copies all the groups of the old user to the new user when a user is renamed.

License Data (LICENSE): If True, copies all the License tab values from the old user to the new user when a user is renamed.

Systems (SYSTEMS): If True, copies all the System tab values from the old user to the new user when a user is renamed.

Logon Data (LOGONDATA): If True, copies all the Logon Data tab values from the old user to the new user when a user is renamed.

A.2.3 Password Synchronization

These GCVs enable password synchronization between the Identity Vault and the connected system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, to edit the password management options, go to Driver Properties > Global Configuration Values and edit them on the Password Synchronization tab.

For more information about how to use the Password Management GCVs, see Configuring Password Flow in the NetIQ Identity Manager Password Management Guide.

Connected System or Driver Name: Specifies the name of the connected system or the driver name. This value is used by the e-mail notification template to identify the source of the notification message.

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password: Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, on a publish Distribution Password failure, attempt to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If True, notify the user by e-mail of any password synchronization failures.

A.2.4 Account Tracking

Account tracking is part of Identity Reporting. For more information, see the NetIQ Identity Reporting: User’s Guide to Running Reports.

Enable Account Tracking: If True, it enables account tracking policies. Set it to False if you do not want to execute account tracking policies.

Mode Of Operation: Specifies whether this driver runs in standard (one-to-one) or in fan-out (many-to-one) mode.

Realm Lookup-Key Source: Specifies the source of the key you want to use to look up the realm. The only option available is Association.

Realm Key Extractor: Specifies a regular expression that extracts the key from the realm lookup key source.

Show Subscriber Operation Mapping Configuration: By default show is selected. It displays the Subscriber operation mapping configuration for fan-out.

Replication Wait Time (in seconds): Specifies the number of seconds the driver waits before expecting the application to have finished replication. By default, the value is 10 seconds.

Subscriber Operation Mappings > Operation: Lets you select the operation triggered by this mapping. The options are Add Account, Delete Account, Enable Account, and Disable Account.

Subscriber Operation Mappings > Trigger: Specifies an XPath 1.0 expression that identifies the operation you are mapping to.

Subscriber Operation Mappings > Realm Lookup-Key Source: Specifies an XPath 1.0 expression that extracts the source of the key you want to use to look up the item.

Subscriber Operation Mappings > Realm Key Extractor: Specifies a regular expression that extracts the key from the realm lookup key source.

Object Class: Adds the object class to track. Class names must be in the application namespace.

Identifiers: Adds the account identifier attributes. Attribute names must be in the application namespace.

Status attribute: Is the name of the attribute in the application namespace to represent the account status.

Status active value: Is the value of the status attribute that represents an active state.

Status inactive value: Is the value of the status attribute that represents an inactive state.

Subscription default status: Specifies the default status that the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication default status: Specifies the default status that the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.
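The following is an added example, not code from the SAP User Management driver or from NetIQ. It models how the Subscriber Operation Mappings described above work together: each mapping's Trigger (an XPath 1.0 expression) selects the operation, its Realm Lookup-Key Source (XPath 1.0) yields the lookup key (the association, the only source the top-level GCV offers), and its Realm Key Extractor (a regular expression) pulls the realm out of that key; the Status attribute, active/inactive values and Subscription default status then decide the tracked account state. Python's xml.etree implements only a subset of XPath 1.0, so the Trigger expressions stay inside that subset. The event XML, the "USERNAME@LOGICALSYSTEM" association format, the ACCOUNT_STATUS attribute and its values, and the regular expression are all constructed for this example and are not the driver's real names or formats.

```python
"""Constructed model of Account Tracking Subscriber operation mappings.

Added example for this appendix, not driver code.  The event XML, the
"USERNAME@LOGICALSYSTEM" association format, the ACCOUNT_STATUS attribute
and the regular expression are all constructed; the XPath expressions use
only the subset that xml.etree supports.
"""
import re
import xml.etree.ElementTree as ET

# --- constructed GCV values -------------------------------------------------
STATUS_ATTRIBUTE = "ACCOUNT_STATUS"          # hypothetical application attribute
STATUS_ACTIVE_VALUE = "0"
STATUS_INACTIVE_VALUE = "1"
SUBSCRIPTION_DEFAULT_STATUS = "active"
REALM_KEY_EXTRACTOR = r"^[^@]+@([A-Z0-9]+)$"  # group 1 = logical system (realm)


def status_trigger(value):
    """Trigger for a modify that sets the status attribute to `value`."""
    return ("./modify[@class-name='User']"
            f"/modify-attr[@attr-name='{STATUS_ATTRIBUTE}']"
            f"/add-value/value[.='{value}']")


# (Operation, Trigger, Realm Lookup-Key Source, Realm Key Extractor)
SUBSCRIBER_OPERATION_MAPPINGS = [
    ("Add Account",     "./add[@class-name='User']",           ".//association", REALM_KEY_EXTRACTOR),
    ("Delete Account",  "./delete[@class-name='User']",        ".//association", REALM_KEY_EXTRACTOR),
    ("Disable Account", status_trigger(STATUS_INACTIVE_VALUE), ".//association", REALM_KEY_EXTRACTOR),
    ("Enable Account",  status_trigger(STATUS_ACTIVE_VALUE),   ".//association", REALM_KEY_EXTRACTOR),
]


def map_operation(event_xml, mappings=SUBSCRIBER_OPERATION_MAPPINGS):
    """Return (operation, realm) for the first mapping whose Trigger matches.

    (None, None): no mapping fired, the event is not tracked.
    (operation, None): the Trigger fired but the extractor found no realm; in
    fan-out mode the event cannot be attributed to a logical system, which is
    a configuration error worth alerting on rather than silently accepting.
    """
    root = ET.fromstring(event_xml)
    for operation, trigger, key_source, extractor in mappings:
        if root.find(trigger) is None:
            continue
        key_node = root.find(key_source)
        key = (key_node.text or "").strip() if key_node is not None else ""
        match = re.search(extractor, key)
        return operation, (match.group(1) if match else None)
    return None, None


def resolve_status(event_xml):
    """Derive the tracked status from the status attribute value being set.

    Only values being written count (add-attr/value and add-value/value); a
    remove-value holds the old state.  Falls back to the Subscription default
    status when the event does not touch the status attribute at all.
    """
    root = ET.fromstring(event_xml)
    for attr in root.iterfind(f".//*[@attr-name='{STATUS_ATTRIBUTE}']"):
        for node in attr.findall("value") + attr.findall("add-value/value"):
            if node.text == STATUS_ACTIVE_VALUE:
                return "active"
            if node.text == STATUS_INACTIVE_VALUE:
                return "inactive"
    return SUBSCRIPTION_DEFAULT_STATUS


# --- constructed Subscriber events (simplified XDS) -------------------------
ADD_EVENT = r"""<input>
  <add class-name="User" src-dn="\VAULT\data\users\jdoe">
    <association>JDOE@PRDCLNT100</association>
    <add-attr attr-name="Surname"><value>Doe</value></add-attr>
  </add>
</input>"""

DISABLE_EVENT = r"""<input>
  <modify class-name="User">
    <association>JDOE@PRDCLNT100</association>
    <modify-attr attr-name="ACCOUNT_STATUS">
      <remove-value><value>0</value></remove-value>
      <add-value><value>1</value></add-value>
    </modify-attr>
  </modify>
</input>"""

DELETE_EVENT = r"""<input>
  <delete class-name="User"><association>JDOE@DEVCLNT200</association></delete>
</input>"""

UNTRACKED_EVENT = r"""<input>
  <modify class-name="User">
    <association>JDOE@PRDCLNT100</association>
    <modify-attr attr-name="Telephone"><add-value><value>555-0100</value></add-value></modify-attr>
  </modify>
</input>"""

BAD_KEY_EVENT = r"""<input>
  <delete class-name="User"><association>JDOE</association></delete>
</input>"""

if __name__ == "__main__":
    for name, event in [("add", ADD_EVENT), ("disable", DISABLE_EVENT),
                        ("delete", DELETE_EVENT), ("untracked", UNTRACKED_EVENT),
                        ("bad key", BAD_KEY_EVENT)]:
        print(f"{name:10} -> {map_operation(event)}  status={resolve_status(event)}")
```

Two points the model makes visible: the mappings are tried in order and the first Trigger that matches wins, so a Disable mapping must be listed before a broader modify Trigger it would otherwise be shadowed by; and a Realm Key Extractor that does not match the association format produces a tracked operation with no realm, which in fan-out mode means the event is attributed to no logical system at all. Test the extractor against real association values before enabling account tracking in production.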

A.2.5 Managed System Information

These settings supply the information that Identity Reporting uses to generate reports. There are different sections in the Managed System Information tab.

General Information

Name: Specifies a descriptive name for this SAP system. This name is displayed in the reports.

Description: Specifies a brief description of this SAP system. This description is displayed in the reports.

Location: Specifies the physical location of this SAP system. This location is displayed in the reports.

Vendor: Shows SAP as the vendor of this SAP system. This information is displayed in the reports.

Version: Specifies the version of this SAP system. This version information is displayed in the reports.

System Owner

Business Owner: Browse to and select the business owner in the Identity Vault for this SAP system. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for this SAP system. You must select a user object, not a role, group, or container.

System Classification

Classification: Specifies the classification of the SAP system. This information is displayed in the reports. The options are:

  • Mission-Critical

  • Vital

  • Not-Critical

  • Other

    If you select Other, you must specify a custom classification for the SAP system.

Environment: Specifies the type of environment the SAP system provides. The options are:

  • Development

  • Test

  • Staging

  • Production

  • Other

    If you select Other, you must specify a custom environment type for the SAP system.

Fan-out Configuration

Logical Instances: Click the plus icon to add logical instances of each additional SAP system.

Connection and Miscellaneous Information

Connection and miscellaneous information: This option is always set to hide so that these options are not changed. They are system settings that reporting depends on; if you change them, reporting stops working.

A.2.6 SAP User Management Driver

Logical System for User Distribution: Specifies the logical system name configured in SAP for user distribution to the Identity Manager driver. Publication works only if the Publisher channel is enabled and the driver’s primary connection is to a CUA central client.