4.1 Creating the Driver in Designer

You create the Loopback Service driver by installing the driver packages and then modifying the configuration to suit your environment. After you create and configure the driver, you need to deploy it to the Identity Vault and start it.

4.1.1 Importing the Current Driver Packages

You can update the driver packages at any time and store them in the Package Catalog. Packages are initially imported into the Package Catalog when you create a project, import a project, or convert a project. It is important to verify you have the latest packages imported into the Package Catalog before you install the driver.

To verify you have the most recent version of the driver packages in the Package Catalog:

  1. Open Designer.

  2. In the toolbar, click Help > Check for Package Updates.

  3. Click OK if there are no package updates.

    or

    Click OK to import the package updates.

  4. In the Outline view, right-click the Package Catalog.

  5. Click Import Package.

  6. Select any Loopback Service driver packages.

    or

    Click Select All to import all of the packages displayed.

    By default, only the base packages are displayed. Deselect Show Base Packages Only to display all packages.

    IMPORTANT: If you want the driver to support the Permission Collection and Reconciliation Service functionality, ensure you import the following packages to the driver:

    • NOVLLBACKB_2.0.0 (Base Package)

    • NOVLLBACKENT_2.0.0 (Entitlements Package)

    • NOVLACOMSET_2.0.0 (Common Settings Advanced Edition Package)

    For information about the Permission Collection and Reconciliation service, see Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide.

  7. Click OK to import the selected packages, then click OK in the successfully imported packages message.

  8. After the current packages are imported, continue with Installing the Driver Packages.

4.1.2 Installing the Driver Packages

After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver set where you want to create the driver, then click New > Driver.

  3. Select Loopback Base, then click Next.

  4. Select the optional features to install for the Loopback Service driver.

    There is only one option. It is selected by default.

    • Loopback Entitlements: This package contains policies that allow Identity Manager to consume CSV files containing Identity Vault permission information, dynamically create an entitlement and dynamic resource for each permission type, and load the permission data as entitlement values into Identity Manager Role-Based Provisioning Module. This package also contains GCVs to control the resource mapping. Select this package if you want the driver to support custom and administrator-defined entitlements. For more information about the Permission Collection and Reconciliation Service functionality, see Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide.

      NOTE: If you are enabling Permission Collection and Reconciliation service, ensure that you upgrade the Managed System Gateway driver version to 4.0.0.6.

  5. Click Next.

  6. (Conditional) If there are package dependencies for the packages you selected to install, you must install them to install the selected package. Click OK to install the package dependencies listed.

  7. (Conditional) If not already configured, fill in the following fields on the Common Settings Advanced Edition page, then click Next:

    NOTE: This page is only displayed if you installed the Common Settings Advanced Edition package.

  8. On the Install Loopback page, specify a name for the driver, then click Next.

  9. (Conditional) On the Entitlements Name to CSV File Mappings page, click the Add Name to File Mapping icon to populate the page with the entitlement configuration options.

    Identity Manager uses the CSV file to map Loopback entitlements into corresponding resources in the Identity Manager catalog.

    NOTE: This page is only displayed if you selected to install the Entitlements package.

    • Entitlement Name: Specify a descriptive name for the entitlement to map it to the CSV file that contains entitlement details.

      Entitlement Name is the name of the entitlement. For example, you can define an entitlement called Printer.

      This parameter is used to create a resource in the User Application.

    • Entitlement Assignment Attribute: Specify a descriptive name for the assignment attribute for an entitlement.

      Entitlement Assignment Attribute holds the entitlement values in the Identity Vault. For example, this parameter can hold an attribute called Printer Control.

      You must add this parameter to Field Names in the Driver Parameters page or modify it in driver settings after creating the driver.

    • CSV File: Specify the location of the CSV file. This file must be located on the same server as the driver. This file contains the values for Identity Vault entitlements.

    • Multi-valued?: Set the value of this parameter to True if you want to assign resources and entitlements multiple times with different values to the same user. Otherwise, set it to False.

  10. Click Next.

  11. Review the settings and click Finish to create the driver.

  12. After the driver is created, if you want to change the configuration settings of the driver, continue to Configuring the Driver Settings. If you do not want to change the configuration of the driver, continue to Deploying the Driver.

4.1.3 Configuring the Driver Settings

After you have installed the driver packages, the Loopback Service driver will run. However, there are many configuration settings that you can use to customize and optimize the driver. The settings are divided into categories such as Driver Configuration, Engine Control Values, and Global Configuration Values (GCVs). The settings are described in Section A.0, Driver Properties.

To access the Driver Properties page in Designer:

  1. Open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Properties.

  3. (Conditional) Click GCVs > Entitlements and review the following settings:

    NOTE: These settings are only displayed if you installed the Entitlements package.

    • Enable Permission Collection and Reconciliation: Set the value of this parameter to True to allow permission collection and entitlement assignment. By default, it is set to False, which allows the driver to override any other conditions to reconcile custom entitlements.

    • Enable Permission Reconciliation for Group Entitlement: Ensure the value of this parameter is set to Yes to enable the driver to assign group entitlements. By default, the value is set to Yes.

    • Enable Permission Reconciliation for all Custom Entitlements: If the value of this parameter is set to No, you can select specific custom entitlements to reconcile. By default, it is set to Yes, which reconciles all custom entitlements.

    • Add Custom Entitlements for Reconciliation: This parameter is presented if the value of Enable Permission Reconciliation for all Custom Entitlements is set to No.

      Click the Add icon to add the custom entitlements you want to selectively reconcile, and specify the Assignment Attribute Name for each of them.

    NOTE: Ensure that the Entitlement Assignment Attribute values are added to the Field Names parameter in the driver configuration if they were not added during driver creation.

  4. Click Apply.

  5. Modify any other settings as necessary.

  6. Deploy the driver to the Identity Vault. Proceed to Deploying the Driver.

4.1.4 Configuring the Driver Policies

The basic driver configuration does not include any policies. To have the driver perform any work, you need to create the appropriate policies. For information about creating policies, see the NetIQ Identity Manager - Using Designer to Create Policies guide.

After you have created the appropriate policies, continue to Deploying the Driver.

4.1.5 Deploying the Driver

After a driver is created in Designer, it must be deployed into the Identity Vault.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Deploy.

  3. If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following information:

    • Host: Specify the IP address or DNS name of the server hosting the Identity Vault.

    • Username: Specify the DN of the user object used to authenticate to the Identity Vault.

    • Password: Specify the user’s password.

  4. Click OK.

  5. Read the deployment summary, then click Deploy.

  6. Read the success message, then click OK.

  7. Click Define Security Equivalence to assign rights to the driver.

    The driver requires rights to objects within the Identity Vault and to the input and output directories on the server. The Admin user object is most often used to supply these rights. However, you might want to create a DriversUser, for example, and assign security equivalence to that user. For more information about defining a Security Equivalent User in objects for drivers in the Identity Vault, see Establishing a Security Equivalent User in the NetIQ Identity Manager Security Guide.

    For receiving events from the Identity Vault, ensure that the driver’s Security Equals DN has the following rights in the Identity Vault:

    • Entry: Browse rights.

    • Attributes: Read rights.

    a. Click Add, then browse to and select the object with the correct rights.

    b. Click OK twice.

  8. Click Exclude Administrative Roles to exclude users that should not be synchronized.

    You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.

    a. Click Add, then browse to and select the user object you want to exclude.

    b. Click OK.

    c. Repeat Step 8.a and Step 8.b for each object you want to exclude, then click OK.

  9. Click OK.

4.1.6 Starting the Driver

If you configured the driver with the Permission Collection and Reconciliation service, ensure the driver meets the following requirements before it is started for the first time:

  • The Entitlement value CSV files are available in the locations specified during driver configuration. You can check the location you specified by examining the PermissionNameToFile mapping table under the driver in the Outline View of Designer.

  • The driver administrator and the User Application Resource Administrator are added to a Password Policy.
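The CSV availability requirement above can be checked from a shell on the driver server before the first start. The following script is an added example, not part of the NetIQ documentation or tooling. It assumes a POSIX server and takes as arguments the paths you entered in the CSV File field. Beyond availability, it also flags files writable by group or other, because whoever can edit a CSV controls the entitlement values loaded from it.

```shell
#!/bin/sh
# Added example: pre-start check for the entitlement CSV files.
# Arguments: the CSV paths configured for the driver (for example, as
# listed in the PermissionNameToFile mapping table). The file contents
# are not parsed, because this page does not describe the CSV layout.

# check_csv PATH
# Prints one status line; returns 0 only if the file exists, is readable,
# is non-empty, and is not writable by group or other.
check_csv() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"; return 1
    fi
    if [ ! -r "$f" ]; then
        echo "UNREADABLE $f"; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "EMPTY $f"; return 1
    fi
    # POSIX find: match if the group-write or other-write bit is set.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE_BY_OTHERS $f"; return 1
    fi
    echo "OK $f"
}

# check_all PATH...
# Checks every path and returns 1 if any of them failed.
check_all() {
    rc=0
    for p in "$@"; do
        check_csv "$p" || rc=1
    done
    return "$rc"
}

# Run the checks when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

Run it as the account the driver runs under so that the readability result reflects what the driver will see.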

To start the driver, in the Modeler, right-click the driver icon or the driver line, then select Live > Start Driver.

For information about management tasks with the driver, see Section 6.0, Managing the Driver.