2.7 Rights

2.7.1 Driver Equivalences

Designer allows you to define and deploy the Security Equivalences objects for the drivers in eDirectory.

Security Equivalences require rights to the objects within the Identity Vault in order to perform tasks on them. For example, an Oracle™ database driver has a policy to create a user in a container in the Identity Vault every time a user is created in the database; if the driver does not have sufficient permissions on the container to create the user, the process fails. With a Security Equivalence, the driver receives rights equivalent to those of the users or objects that have permissions on the container. Carefully evaluate all the policies to find out which permissions the drivers need.

Designer 3.5 and later can store the Security Equivalences and Exclude Administrative Roles of the drivers in the project and can assign them to the drivers. Before moving to another staging environment, make sure you know which Security Equivalences and Exclude Administrative Roles are associated with each driver, and that these objects are imported as LDIF objects and moved along with the other objects, so that they can be assigned in the next stage after deployment.

If the Security Equivalences object and the Exclude Administrative Roles objects are stored as LDIF objects, Designer ensures that they are created in the next stage before they are assigned.
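As an added example (not from the NetIQ documentation or from Designer itself), the following Python script performs the pre-deployment check described above against a staging LDIF export: it parses the export, finds the driver objects, and reports any Security Equivalence target that is not itself present in the export. It assumes eDirectory's LDAP attribute name `securityEquals` and object class `DirXML-Driver`; the sample LDIF is constructed.

```python
from collections import defaultdict
# Constructed sample export: the AD Driver references an object missing from it.
SAMPLE_LDIF = """\
dn: cn=Oracle Driver,cn=DriverSet1,o=system
objectClass: DirXML-Driver
securityEquals: cn=DriverAdmin,ou=services,
 o=system

dn: cn=DriverAdmin,ou=services,o=system
objectClass: inetOrgPerson

dn: cn=AD Driver,cn=DriverSet1,o=system
objectClass: DirXML-Driver
securityEquals: cn=Missing Admin,ou=services,o=system
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; unfolds continuation lines,
    no comment or base64 ('::') handling since the sample DNs are plain text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:  # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        name, _, value = line.partition(":")
        value = value.lstrip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name.lower()].append(value)
    return entries

def missing_equivalences(entries):
    """Map each driver DN to Security Equals targets absent from the export."""
    known = {dn.lower() for dn in entries}  # eDirectory DNs compare case-insensitively
    problems = {}
    for dn, attrs in entries.items():
        if "dirxml-driver" in (c.lower() for c in attrs.get("objectclass", [])):
            missing = [t for t in attrs.get("securityequals", []) if t.lower() not in known]
            if missing:
                problems[dn] = missing
    return problems
```

Run it against the LDIF you intend to move to the next stage; an empty result means every referenced object travels with the drivers, while any listed DN must be added to the export before the equivalence can be assigned after deployment.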

For more information about Security Equivalence, see Establishing a Security Equivalent User in the NetIQ Identity Manager Security Guide.

2.7.2 Roles Based Entitlements Policies

Roles Based Entitlements policies are used by the Entitlements Service driver, which grants entitlements to and revokes entitlements from the users.

An entitlement policy contains the following:

Membership: The list of users assigned to a policy. A user can be dynamically assigned to a policy when he or she meets the criteria for the policy, or the user can be statically (manually) assigned to the policy.

Entitlements: The list of entitlements associated with the policy. Users assigned to the policy receive all of the entitlements associated with the policy. If the user is removed from the policy, he or she loses all entitlements associated with the policy.

You can assign any Identity Vault objects for which you want the entitlement policy to be a trustee. Each member of the policy becomes a trustee of the objects you add.

There are several reasons why you might want to make the policy a trustee of an object:

  • One of the policy’s entitlements requires the policy’s members to have rights to an object.

  • You want to use the policy to assign users as trustees of an object even though rights to the object are not required for an entitlement. In this case, you are using the entitlement policy to grant and revoke trustee rights for members of the policy.

These rights are not stored in Designer. You should assign the rights after moving to the next stage.

2.7.3 Jobs

Identity Manager has a job scheduling utility that schedules events, such as setting the system to disable an account on a specific day, or initiating a workflow to request an extension for a person to access a corporate resource. The Job Manager runs on every Identity Manager server in the background. Based on the job definition, it checks every minute to see if a job needs to run. When it encounters a job, it runs the appropriate Job implementation.

The Job Manager needs appropriate permissions to run successfully. For example, a job that disables a user account from the Identity Vault needs adequate permissions. Appropriate access must be granted to the job object in the Identity Vault so that it can modify a user object. Use iManager to grant the required rights for the jobs because Designer does not allow you to grant rights for jobs.