3.1 How Identity Manager Works

The following diagram shows how the high-level components interact with one another to provide the NetIQ Identity Manager capabilities: data synchronization, workflow, roles, self-service, and auditing/reporting.

3.1.1 Identity Vault

The Identity Vault contains all information that Identity Manager requires. The Identity Vault saves the data that you want to synchronize among the connected systems. For example, data synchronized from a SAP system to Lotus Notes is first added to the Identity Vault and then sent to the Lotus Notes system. The Identity Vault also stores information specific to Identity Manager, such as driver configurations, parameters, and policies.

The Identity Vault uses a NetIQ eDirectory database. For more information about using eDirectory see the NetIQ eDirectory 9.1 Administration Guide.

3.1.2 Identity Manager Engine

The Identity Manager engine processes all data changes that occur in the Identity Vault or a connected application. For events that occur in the Identity Vault, the engine processes the changes and issues commands to the application via the driver. For events that occur in the application, the engine receives the changes from the driver, processes the changes, and issues commands to the Identity Vault. Drivers connect the Identity Manager engine to the applications. A driver has two basic responsibilities: reporting data changes (events) in the application to the Identity Manager engine and carrying out data changes (commands) submitted by the Identity Manager engine to the application. Drivers must be installed on the same server as the connected application.

The Identity Manager engine has also been referred to as the Metadirectory engine. The server on which the Identity Manager engine runs is referred to as the Identity Manager server. You can have more than one Identity Manager server in your environment, depending on server workload.

3.1.3 Remote Loader

The Identity Manager Remote Loader loads drivers and communicates with the Identity Manager engine on behalf of drivers installed on remote servers. If the application runs on the same server as the Identity Manager engine, you can install the driver on that server. However, if the application does not run on the same server as the Identity Manager engine, you must install the driver on the application’s server. To help with the workload or configuration of your environment, you can install the Remote Loader on a server separate from the servers that host Tomcat and the Identity Manager server.

3.1.4 Connected System

In Identity Manager, a managed system, also called a connected system or application, is any system, directory, database, or operating system whose identity information you want to manage. For example, a connected system can be the PeopleSoft application or an LDAP directory. A driver, such as the Active Directory driver, provides the connection between Microsoft Active Directory and the Identity Vault. The application must provide APIs that a driver can use to detect application data changes and to make application data changes. Applications are frequently referred to as connected systems.

3.1.5 Identity Manager Driver

Drivers connect to the applications whose identity information you want to manage. They also enable data synchronization and sharing between systems.

A driver has two basic responsibilities: reporting data changes (events) in the application to the Identity Manager engine, and carrying out data changes (commands) submitted by the Identity Manager engine to the application.

3.1.6 Identity Manager Driver Set

Identity Manager stores drivers and library objects in a container called a driver set. When you create an Identity Vault, a driver set is added to the vault by default.

Only one driver set can be active on a server at a time. However, more than one server might be associated with one driver set. Also, a driver can be associated with more than one server at a time. However, the driver should be running on only one server at a time. The driver should be in a disabled state on the other servers. Any server that is associated with a driver set must have the Identity Vault installed on it.

3.1.7 Identity Reporting

Identity Manager includes the Identity Information Warehouse, which is an intelligent repository of information about the actual and desired states of the Identity Vault and the connected systems within your organization. The Identity Information Warehouse gives you a 360-degree view of your business entitlements, providing the knowledge you need to see the past and present state of authorizations and permissions granted to identities in your organization.

When you query the Identity Information Warehouse, you can retrieve all of the information that you need to ensure that your organization is in full compliance with relevant business laws and regulations. With this knowledge, you can answer even the most sophisticated Governance Risk and Compliance (GRC) queries. For more information, see the Administrator Guide to NetIQ Identity Reporting.

3.1.8 Identity Applications

The identity applications comprise the following high-level components:

User Application

The Identity Manager User Application gives your users and business administrators a view into the information, resources, and capabilities of Identity Manager. The User Application is a browser-based web application that gives the user the ability to perform a variety of identity self-service and roles provisioning tasks. Users can manage passwords and identity data, initiate and monitor provisioning and role assignment requests, manage the approval process for provisioning requests, and verify attestation reports.

The User Application runs on the Roles Based Provisioning Module (RBPM) framework, which includes the workflow engine that controls the routing of requests through the appropriate approval process.

Users can access the User Application from any supported web browser. For more information about the User Application, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

Identity Applications Administration

The Identity Applications Administration interface allows you, with an appropriate Administrator role, to perform the following tasks:

  • Create and manage roles, resources and their assignments

  • Set the Separation of Duties (SoD) constraints to avoid conflicts between two different roles in the system

  • Configure the ability for users to approve permission requests through email

  • Configure the default settings of your identity applications components, such as roles, resources, and delegation

Administrators can access the Administration page with any supported web browser, from either a computer or a tablet. For more information, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

Identity Manager Dashboard

The Identity Manager Dashboard (the Dashboard) includes a personalized view of each user’s permissions, tasks, and requests. This helps users focus on the following basic areas of functionality:

I want something.

If you need an item, whether the item is a piece of equipment like a laptop or something intangible like access to a particular server or application, you can request that item.

I need to do something.

If you want to know what tasks you need to manage, the My Tasks page shows all of your pending approval or provisioning tasks in the Identity Manager system.

What do I have?

If you want to see your current permissions, the My Permissions page provides a list of the roles and resources to which you have access.

How did I get it?

If you want to see a list of past requests, the Requests History page shows everything that you have requested recently, as well as the status of your pending requests.

If you have an administrative role for the identity applications, you can customize the Applications page in the Dashboard for all users. You can configure the page to show items and links that your users need to see, organized into categories that make sense for your enterprise. You can include the following types of items:

  • Identity Manager functions, such as creating groups or running reports

  • Permissions that most users need to request

  • Links to commonly accessed websites or web-based applications

  • REST endpoints

  • Badges, such as the number of items of a certain type that a user can access

Users can access the Dashboard with any supported web browser, from either a computer or a tablet. For more information, see the NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

3.1.9 Designer for Identity Manager

Designer for Identity Manager (Designer) helps you design, test, document, and deploy Identity Manager solutions in a network or test environment. You can configure your Identity Manager project in an offline environment, and then deploy it to your live system. From a design perspective, Designer helps you do the following:

  • Graphically view all of the components that comprise your Identity Manager solution and observe how they interact.

  • Modify and test your Identity Manager environment to ensure it performs as expected before you deploy part or all of your test solution to your production environment.

Designer keeps track of your design and layout information. With a click of a button, you can print that information in a format of your choice. Designer also enables teams to share work on enterprise-level projects.

For more information about using Designer, see the NetIQ Designer for Identity Manager Administration Guide.

3.1.10 Analyzer for Identity Manager

Analyzer for Identity Manager (Analyzer) provides data analysis, cleansing, reconciliation, and reporting to help you adhere to internal data quality policies. Analyzer lets you analyze, enhance, and control all data stores throughout the enterprise. Analyzer includes the following features:

  • Analyzer’s schema map associates an application’s schema attributes to the corresponding schema attributes in Analyzer’s base schema. This lets you ensure that your data analysis and cleaning operations properly associate similar values between the disparate systems. To accomplish this, Analyzer leverages the schema mapping features in Designer.

  • The Analysis Profile editor lets you configure a profile for analyzing one or more data set instances. Each analysis profile contains one or more metrics against which you can evaluate attribute values to see how the data conforms to your defined data format standards.

  • The Matching Profile editor lets you compare values in one or more data sets. You can check for duplicate values within a specified data set and check for matching values between two data sets.

For more information about using Analyzer, see the NetIQ Analyzer for Identity Manager Administration Guide.

3.1.11 iManager

NetIQ iManager is a browser-based tool that provides a single point of administration for many Novell and NetIQ products, including Identity Manager. After you install the Identity Manager plug-ins for iManager, you can manage Identity Manager and receive real-time health and status information about your Identity Manager system.

With iManager, you can perform tasks similar to those performed with Designer, and you can also monitor the health of your system. NetIQ recommends that you use iManager for administrative tasks. Use Designer for configuration tasks that require changes to packages, modeling, and testing prior to deployment.

For more information about iManager, see the NetIQ iManager Administration Guide.