1.1 Key Terms

1.1.1 Identity Manager

NetIQ Identity Manager is a service that synchronizes data among servers in a set of connected systems by using a robust set of configurable policies. Identity Manager uses the Identity Vault to store shared information, and uses the Identity Manager engine for policy-based management of the information as it changes in the vault or connected system. Identity Manager runs on the server where the Identity Vault and the Identity Manager engine are located.

1.1.2 Connected System

A connected system is any system that can share data with Identity Manager through a driver. SharePoint is a connected system.

1.1.3 Identity Vault

The Identity Vault is a persistent database powered by eDirectory and used by Identity Manager to hold data for synchronization with a connected system. The vault can be viewed narrowly as a private data store for Identity Manager or more broadly as an identity vault that holds enterprise-wide data. Data in the vault is available to any protocol supported by eDirectory, including NCP (the traditional protocol used by iManager), LDAP, and DSML.

Because the vault is powered by eDirectory, Identity Manager can be easily integrated into your corporate directory infrastructure by using your existing directory tree as the vault.

1.1.4 Identity Manager Engine

The Identity Manager engine is the core server that implements the event management and policies of Identity Manager. The engine runs on the Java Virtual Machine in eDirectory.

1.1.5 SharePoint Driver

The SharePoint driver for NetIQ Identity Manager enables user and group membership events to be synchronized between the Identity Vault and a SharePoint 2013 or SharePoint 2016 site collection. A single driver can process these events for a single site collection, which maintains user and group membership information for one or more SharePoint sites.

The SharePoint driver includes both Subscriber and Publisher channels. The Subscriber channel synchronizes events from the Identity Vault to SharePoint, and the Publisher channel synchronizes events from SharePoint to the Identity Vault. By using the driver filter, you can configure the SharePoint driver to use the Subscriber channel, the Publisher channel, or both. SharePoint account creation, removal, and group assignments can be entitlement-based, and can be triggered from role assignments that grant or revoke entitlements. They can also be granted and revoked in other ways, depending on the driver policy.

1.1.6 .NET Driver Shim

A driver shim is the component of a driver that converts the XML-based Identity Manager command and event language (XDS) to the protocols and API calls needed to interact with a connected system. The shim is called to execute commands on the connected system after the Output Transformation runs. Commands are usually generated on the Subscriber channel but can be generated by command write-back on the Publisher channel.

The shim also generates events from the connected system for the Input Transformation policy. The SharePoint driver shim is implemented in C# and uses the .NET framework API for SharePoint access. The SharePoint driver shim is implemented as a Windows .NET DLL file named DXMLSharepointDriver.dll.

The SharePoint driver must be loaded and run by the .NET Remote Loader. Unlike most other Identity Manager drivers, the SharePoint driver cannot be loaded and run directly by the Identity Manager engine.

1.1.7 .NET Remote Loader

A Remote Loader enables a driver shim to execute from a remote machine where the Identity Manager engine is not installed. A Remote Loader is typically used when the driver shim's requirements are not met by the Identity Manager server. Because the SharePoint driver shim relies on the SharePoint .NET APIs that are only available on the SharePoint server, the SharePoint driver shim must be loaded and run from the .NET Remote Loader on the SharePoint server.

The .NET Remote Loader is a service that executes the driver shim and passes information between the shim and the Identity Manager engine. When you use a .NET Remote Loader, you install the driver shim on the server where the .NET Remote Loader is running, not on the server where the Identity Manager engine is running. You can choose to use SSL to encrypt the connection between the Identity Manager engine and the .NET Remote Loader.

For more information, see the instructions in Configuring SSL Communication between Application Servers in the NetIQ Identity Manager Setup Guide for Linux or Configuring the Drivers to Run in Remote Mode with SSL in the NetIQ Identity Manager Setup Guide for Windows.

NOTE: When you enable SSL between the Identity Manager engine and the .NET Remote Loader, you must manually accept the server certificate to establish the connection.

When you use the Remote Loader with the SharePoint driver shim, a connection exists between the Identity Manager engine and the Remote Loader. The SharePoint driver shim uses local SharePoint .NET APIs to communicate directly with the SharePoint service.