14.5 Managing the Role and Resource Service Driver

On occasion, you might want to change the settings for the Role and Resource Service driver or update the indexes that it uses to display roles in the identity applications.

14.5.1 Configuring the Role and Resource Service Driver Settings

After creating the Role and Resource Service driver at installation time, you can optionally modify some of the driver configuration settings in iManager.

  1. In iManager, click Identity Manager > Identity Manager Overview.

  2. Browse to the driver set where the driver exists, then click Search.

  3. Click the upper-right corner of the Role and Resource Service driver icon, then click Edit Properties.

  4. Click on the Driver Configuration tab.

  5. Scroll down to the Driver Settings section of the page.

  6. Make any changes you would like to the settings, and click OK to commit your changes.

You can modify the following standard driver settings (listed under User Application/Workflow Connection on the Driver Configuration page), which get their initial values at installation time:

Table 14-1 Standard Driver Settings

Option

Description

User Application Driver DN

The distinguished name of the User Application driver object that is hosting the role system. Use the eDirectory format, such as UserApplication.driverset.org, or browse to find the driver object. This is a required field.

User Application URL

The URL used to connect to the User Application in order to start Approval Workflows. This is a required field.

User Application Identity

The distinguished name of the object used to authenticate to the User Application in order to start Approval Workflows. This needs to a user who has been assigned as a Provisioning Administrator for the identity applications. Use the eDirectory format, such as admin.department.org, or browse to find the user.

The identity needs to be entered in LDAP format (for example, cn=admin,ou=department,o=org), rather than dot format. Note that this is different from the format required at driver install time, where dot notation is expected.

This is a required field.

User Application Password

Password of the account specified in the identity applications Identity field. The password is used to authenticate to the identity applications in order to start approval workflows. This is a required field.

Reenter User Application Password

Re-enter the password of the account specified in the identity applications Identity field.

In addition, you can modify the following additional settings (listed under Miscellaneous on the Driver Configuration page) to customize the behavior of the Role and Resource Service driver:

Table 14-2 Additional Settings for Customizing the Role and Resource Service Driver

Option

Description

Number of days before processing removed request objects

Specifies the number of days the driver should wait before cleaning up request objects that have finished processing. This value determines how long you are able to track the status of requests that have been fulfilled.

Frequency of reevaluation of dynamic and nested groups (in minutes)

Specifies the number of minutes the driver should wait before reevaluating dynamic and nested groups. This value determines the timeliness of updates to dynamic and nested groups used by the identity applications. In addition, this value can have an impact on performance. Therefore, before specifying a value for this option, you need to weigh the performance cost against the benefit of having up-to-date information in the identity applications.

Generate audit events

Determines whether audit events are generated by the driver.

For details on audit configuration, see Section 8.0, Setting Up Logging in the Identity Applications.

Enable Parallelization of resource requests on role assignment

When set to true, the driver uses multiple threads to process the resource requests in parallel. This setting is specifically applicable to role assignments for groups, where resources mapped to the role can be simultaneously processed and assigned to the users within the group. By default, the value of is set to false.

Enable multi-threaded Role and Resource driver

Sets the Role and Resource Service driver for multithreaded services to achieve parallel processing of requests. The value is set to true by default.

Allow driver to start if reading unprocessed events fails

This setting allows you to specify whether the driver should start or stop when it encounters an exception while reading unprocessed requests. By default, the value is set to false, which prevents the driver from reading the unprocessed requests. If you set it to true, the driver will restart and process the unprocessed request again.

Maximum number of command’s allowed in the driver storage

Specify the number of requests that the driver storage can accommodate. The default value is 500 requests. It is recommended to use a value less than the default value to avoid any memory issues.

Store resource history for days

The number of days that the driver stores the resource history information before cleaning up the data from the storage.

14.5.2 Indexing for the Role and Resource Service Driver

The Role and Resource Service driver has relevant indexes in the Identity Vault for roles definitions. If you upload a large number of roles, the indexing of these values may take some time. You can monitor these indexes under Index Management in iManager.

Here is the list of Index Names for the indexes d for the Role and Resource Service driver:

nrf(Object Class)
nrf(nrfMemberOf)
nrf(nrfStatus)
nrf(nrfStartDate)
nrf(nrfNextExpiration)
nrf(nrfParentRoles)
nrf(nrfChildRoles)
nrf(nrfCategory)
nrf(nrfRoleCategoryKey)
nrf(nrfLocalizedNames)
nrf(nrfLocalizedDescrs)
nrf(nrfRoles)