1.2 Key Driver Features

1.2.1 Entitlements

Entitlements make it easier to integrate Identity Manager with the Identity Manager User Application and Role-Based Services in eDirectory. The Loopback Service driver supports custom and administrator-defined entitlements through a new entitlement package. This package contains the content that allows you to keep the Resource Catalog up-to-date with the user permissions stored in the Identity Vault, dynamically create an entitlement and a dynamic resource for each permission type, and load the permission data as entitlement values into the Identity Manager Role-Based Provisioning Module. The new functionality is called the Permission Collection and Reconciliation service. It addresses the challenge of synchronizing changes made to users in the Identity Vault with the Identity Manager Role-Based Provisioning Module. The Permission Collection and Reconciliation service allows the driver to automatically provision or deprovision these resources to Identity Manager identities based on attribute values consumed during standard Publisher channel processing.

The Permission Collection and Reconciliation service automatically creates a dynamic group resource and manages user assignments (assign and revoke) in the Role-Based Provisioning Module for the Identity Vault groups. For example, if Alex is a new employee and you want to add him to a Security group, you can modify the Security group membership attribute using iManager. The Resource Administrator can also grant him access to the Security group by assigning him to this group resource in the User Application. This group assignment is immediately reflected in the Identity Vault. In addition, it allows you to migrate existing group memberships as resource assignments into the Role-Based Provisioning Module.

The Permission Collection and Reconciliation service also allows you to manage permissions of identities in the Role-Based Provisioning Module with the use of a CSV file. The driver creates a dynamic resource for each of the permission types specified during driver creation. You can use these permission types to control the assignment of values to user attributes. For example, if Printer is a permission type configured during driver configuration in Designer, the Loopback Service driver creates a dynamic resource, Printer_LoopbackServiceDriver, for this permission type in the User Application. The Identity Vault attribute Printer Control, which holds the values for printers available to users, maps to Printer_LoopbackServiceDriver in the User Application. To grant users access to a particular printer using iManager, you need to set a value for the Printer Control attribute for the specific users. With this service enabled, this change is immediately reflected on the Printer_LoopbackServiceDriver resource in the User Application. Conversely, if you as a Resource Administrator assign or revoke users from Printer_LoopbackServiceDriver in the User Application, this change is immediately reflected in the Identity Vault.

CSV File Format

The CSV file must contain the Identity Vault permission information in the format described here so that the driver can read it correctly. A separate CSV file must be maintained for every custom entitlement. For example, a CSV file that holds Printer entitlement details for employees represents this information in the following format:

Printer1, First Floor Printer1, Printer Access for Employees

where Printer1 is the entitlement value, First Floor Printer1 is the display name in the User Application for the entitlement value Printer1, and Printer Access for Employees is the description for the entitlement value. This description is displayed in the User Application.

You must place the CSV file on the same server as the driver. This file contains the values for Identity Vault entitlements.
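As an added example (not part of the driver or this guide), the following Python function checks a permission CSV file against the three-field layout described above before it is placed on the driver server: every non-blank row must carry an entitlement value, a display name and a description, and a value may appear only once per file. The function name, the duplicate-value rule and the sample rows are this example's assumptions.

```python
import csv
import io

# Column layout the guide describes for a permission CSV file:
#   <entitlement value>, <display name>, <description>
EXPECTED_FIELDS = 3


def parse_permission_csv(text: str) -> tuple[list[tuple[str, str, str]], list[str]]:
    """Parse one custom-entitlement CSV file (one file per entitlement type).

    Returns (rows, errors): rows are (value, display_name, description)
    tuples in file order; malformed rows are reported with their 1-based
    line number instead of being loaded as entitlement values.
    """
    rows: list[tuple[str, str, str]] = []
    errors: list[str] = []
    seen: set[str] = set()
    # skipinitialspace handles the "Printer1, First Floor Printer1" spacing.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, fields in enumerate(reader, start=1):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line
        if len(fields) != EXPECTED_FIELDS:
            errors.append(f"line {lineno}: expected {EXPECTED_FIELDS} fields, got {len(fields)}")
            continue
        value, display_name, description = fields
        if not value:
            errors.append(f"line {lineno}: empty entitlement value")
            continue
        if value in seen:
            # Two rows with one value would give one permission two display names.
            errors.append(f"line {lineno}: duplicate entitlement value {value!r}")
            continue
        seen.add(value)
        rows.append((value, display_name, description))
    return rows, errors


# Constructed sample file (not from the guide): two valid printers, one
# duplicate value and one row that is missing its description.
SAMPLE_CSV = """\
Printer1, First Floor Printer1, Printer Access for Employees
Printer2, Second Floor Printer2, Printer Access for Employees
Printer1, Duplicate Row, Rejected because Printer1 already exists
Printer3, Third Floor Printer3
"""
```

Running `parse_permission_csv(SAMPLE_CSV)` accepts the first two rows and reports lines 3 and 4, so a malformed file can be corrected before the driver loads it.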

The following packages contain the content necessary for Permission Collection and Reconciliation service:

  • NOVLLBACKB_2.0.0 (Base Package)

  • NOVLLBACKENT_2.0.0 (Entitlements Package)

The Permission Collection and Reconciliation service provides GCVs that you can use to control the flow of Identity Vault changes to the User Application. For more information, see Entitlements.

Prerequisites

Before continuing, ensure that you go through the prerequisites needed for enabling this service. For general prerequisites, see Prerequisites in Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide. In addition to the general prerequisites, ensure that the Loopback Service driver version is 4.0.0.1.

Also, you need to set up administrative user accounts and configure a password policy for them. For more information, see Setting Up Administrative User Accounts and Setting Up Administrative Passwords in the NetIQ Identity Manager Driver Administration Guide.

To use the Permission Collection and Reconciliation service included in the Loopback Service driver, you can either create a new driver with the latest packages or upgrade packages on an existing driver. For more information about creating a driver, see Creating the Driver in Designer or Adding Packages to an Existing Driver.

1.2.2 Password Synchronization Support

The Loopback Service driver does not synchronize passwords.

1.2.3 Data Synchronization Support

The Loopback Service driver synchronizes User and Group objects.