19.2 Components for Permission Collection and Reconciliation Service
The content for Permission Collection and Reconciliation service contains the following:
-
Common Settings Advanced Edition Package GCVs: This package includes the object, which contains two new GCVs used in permission assignment onboarding process. The new entitlement packages create these GCVs and the job uses them.
-
User Application Provisioning Services URL GCV ()
-
User Application Provisioning Services Administrator GCV ()
For information about configuring the Common Settings GCVs, see Configuring Common Settings GCVs.
-
-
Identity Manager Policy Objects
-
Identity Manager Job Object
-
-
Mapping Table Resource Objects
-
When you install the entitlement package, the following policies of this package are added to the driver Startup policy set:
-
NOVLCOMPCRS-ENT-startup-SetJobNamedPassword: This policy configures the Named Password on the job.
-
NOVLCOMPCRS-ENT-startup-InitEntitlementResourceObjects: This policy builds the resource object and populates the table with values from the mapping table.
-
NOVLCOMPCRS-ENT-startup-UpdateJobConfiguration: This policy is responsible for reloading the job so that it can be executed.
-
NOVLCOMPCRS-ENT-startup-OnboardEntitlements: This policy executes the job.
The driver executes these policies only once when the driver is started. The driver policies automatically configure the following objects for your environment:
-
Entitlement Objects: The driver creates new entitlement objects to represent the native entitlement names identified in the mapping table. The name of entitlement is the value of the column of the mapping table. For more information about mapping table objects, see Mapping Tables.
-
Permission Value Resource Object: The driver adds a new permission value resource object, . This object contains values for , , and for every custom entitlement from the CSV file. It might also contain mappings for legacy value formats. To add more values to the entitlements, update the CSV file.
-
Entitlement Configuration Resource Object: The driver creates a new entitlement configuration resource object, .
19.2.1 PermissionOnboarding Job
The driver policies update the job parameters and the mapping table.
The job is a standard Identity Manager job and part of the entitlement package. The driver creates the job in the Identity Vault when the driver is deployed, and the job runs when the driver starts. You can schedule the job to run periodically. Also, you can run it manually to process an updated CSV file. The NOVLCOMPCRS-ENT-startup-UpdateJobConfiguration Startup policies configure the job.
The job performs the following tasks:
-
Reads the driver's table object to obtain the list of the driver's entitlement objects populated by the Startup policies.
-
Creates or verifies the existence of a dynamic nrfResource object to allow the assignment of the native permissions for each entitlement object in the table. To do this, the job uses the Identity Manager provisioning, resource, and service SOAP APIs.
-
Updates the table with the nrfResource DNs.
-
Reads the CSV file and populates the associated <name>_Values resource object with the values, display names, and descriptions for each entitlement object that specifies a CSV File catalog source in the table.
-
Calls a User Application private API to flush the User Application Entitlement cache so that newly created entitlements are recognized.
-
Calls the User Application Entitlement refresh API to force the User Application to issue an entitlement query to obtain the catalog values for each driver entitlement.
19.2.2 Mapping Tables
The Startup policies update the following mapping table objects:
-
PermissionNameToFile: This object contains entitlement configuration data that you specified in the Entitlements Name to CSV File Mappings page during driver creation in Designer. You can add custom entitlements to this table.
-
PermissionEntMapping: This object is created empty but is populated by the Startup policies and job. It contains the configuration data transferred from the object and DNs of entitlements created by the Startup policies. It also contains the LDAP DNs of the default dynamic User Application resource objects that are used to assign entitlements to users. You should not change the data populated by the Startup policies in this table.
-
StaticValueEntitlementMap: This object is created empty but contains mapping between specific native entitlement values and a User Application static resource DN used by the driver to reconcile that value. You need to populate this table if you want to synchronize assignments bound to a static resource.
You must manually enter the complete DN of the static resource in the column.
IMPORTANT:Restart the driver for it to take effect of any changes made to the and mapping table objects.
These packages also include new policies specific to driver implementation. The drivers apply these policies after the Subscriber and Publisher channels are initialized.
Before continuing, ensure that you go through the prerequisites needed for enabling Permission Collection and Reconciliation service. Also, you need to set up administrative user accounts and configure a password policy for them. For more information, see Setting Up Administrative User Accounts and Setting Up Administrative Passwords.
The following diagrams represent policy execution sequence of permission reconciliation on Publisher and Subscriber channels of the Identity Manager drivers where Permission Collection and Reconciliation service (NOVLCOMPCRS 2.0.0) package is installed.
Figure 19-3 Publisher Channel Permission Assignment Sequence
Figure 19-4 Subscriber Channel Identity Vault Attribute Permission Assignment Sequence
Figure 19-5 Subscriber RBPM Permission Assignment Sequence
