19.6 Creating Drivers

To use the Permission Collection and Reconciliation service included in the Identity Manager drivers, you can either create a new driver with the latest packages or upgrade packages on an existing driver. In both cases, you install the driver packages and then modify the driver configuration to suit your environment. For creating new drivers, NetIQ recommends that you refer to the individual driver documentation.

The following sections provide instructions for upgrading common settings packages on existing drivers:

19.6.1 Installing the Driver Packages

After you have imported the current driver packages into the Package Catalog, you can install the driver packages to create a new driver.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver set where you want to create the driver, then select New > Driver.

  3. Follow the driver configuration wizard to create the driver.

  4. On the Entitlements Name to CSV File Mappings page, click the Add Name to File Mapping icon to populate the page with the entitlement configuration options.

    Identity Manager uses the CSV file to map entitlements to corresponding resources in the Identity Manager catalog.

    The information that you specify on this page is used for creating the permission catalog. Fill in the following fields, then click Next:

    • Entitlement Name: Specify a descriptive name for the entitlement to map it to the CSV file that contains the connected system entitlement details.

      Entitlement Name is the name of the entitlement. This parameter corresponds to the Entitlement Assignment Attribute in the connected system. For example, you could define an entitlement called BuildingAccess.

      This parameter is used to create a resource in the User Application.

    • Entitlement Assignment Attribute: Specify a descriptive name for the assignment attribute for an entitlement.

      Entitlement Assignment Attribute holds the entitlement values in the connected system. For example, you could have an attribute called Parking.

      You must add this parameter to Field Names on the Driver Parameters page or modify it in driver settings after creating the driver.

    • CSV File: Specify the location of the CSV file. This file must be located on the same server as the driver. This file contains the values for the application entitlements.

    • Multi-valued?: Set the value of this parameter to True if you want to assign resources and entitlements multiple times with different values to the same user. Otherwise, set it to False.

  5. Review the summary of tasks that will be completed to create the driver, then click Finish.

The driver is now created. To modify the configuration settings, continue with the next section, Section 19.6.2, Configuring the Driver. If you don’t need to configure the driver, continue with Section 19.6.3, Deploying the Driver.
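
Added example, not part of the NetIQ documentation: a pre-flight check for the mapping entries from Step 4, run on the driver's server before completing the wizard. The dictionary keys, function names and sample values are this example's own assumptions, and because the CSV layout is not described here, the check only requires that each file exists and has at least one non-blank row.

```python
import csv
import os
import tempfile

def check_mappings(mappings, field_names):
    """Return problems found in Step 4 mapping entries (keys are example names)."""
    problems, seen = [], set()
    for m in mappings:
        name = m.get("entitlement_name", "").strip()
        attr = m.get("assignment_attribute", "").strip()
        path = m.get("csv_file", "").strip()
        label = name or "<unnamed>"
        if not name:
            problems.append(f"{label}: Entitlement Name is empty")
        elif name in seen:
            problems.append(f"{label}: Entitlement Name is mapped more than once")
        seen.add(name)
        # The assignment attribute must also be listed in Field Names.
        if attr not in field_names:
            problems.append(f"{label}: attribute '{attr}' is not in Field Names")
        if not isinstance(m.get("multi_valued"), bool):
            problems.append(f"{label}: Multi-valued? must be True or False")
        # The CSV file must be on the same server as the driver, so check locally.
        if not os.path.isfile(path):
            problems.append(f"{label}: CSV file '{path}' not found on this server")
            continue
        with open(path, newline="") as fh:
            rows = [r for r in csv.reader(fh) if any(c.strip() for c in r)]
        if not rows:
            problems.append(f"{label}: CSV file '{path}' has no entitlement values")
    return problems

def demo():
    """Run the check on constructed sample data and return the problem list."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "building.csv")
        with open(good, "w") as fh:
            fh.write("Building A\nBuilding B\n")  # constructed values
        mappings = [
            {"entitlement_name": "BuildingAccess", "assignment_attribute": "Building",
             "csv_file": good, "multi_valued": True},
            {"entitlement_name": "ParkingAccess", "assignment_attribute": "Parking",
             "csv_file": os.path.join(d, "parking.csv"), "multi_valued": "yes"},
        ]
        return check_mappings(mappings, ["Building", "Surname"])

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```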

19.6.2 Configuring the Driver

When you install the Permission Collection and Reconciliation service package, there are some settings that you must review and configure for the driver to start properly. These settings are located under Driver Parameters and Global Configuration Values on the Driver Properties page in Designer. In the Modeler, right-click the driver icon or the driver line, then select Properties and click GCVs > Entitlements.

In addition to the driver settings, you should review the set of default policies and rules provided by the basic driver configuration. The default policies and rules are discussed in the Default Driver Configuration section of each Driver Implementation Guide.

19.6.3 Deploying the Driver

After a driver is created in Designer, you must deploy it into the Identity Vault.

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Deploy.

  3. If you are authenticated to the Identity Vault, skip to Step 5; otherwise, specify the following information:

    Host: Specify the IP address or DNS name of the server hosting the Identity Vault.

    Username: Specify the DN of the user object used to authenticate to the Identity Vault.

    Password: Specify the user’s password.

  4. Click OK.

  5. Read through the deployment summary, then click Deploy.

  6. Read the success message, then click OK.

  7. Click Define Security Equivalence to assign rights to the driver.

    The driver requires rights to objects within the Identity Vault. The Admin user object is most often used to supply these rights. However, you might want to create a user account called DriversUser, for example, and assign security equivalence to that user.

    a. Click Add, then browse to and select the object with the correct rights.

    b. Click OK twice.

  8. Click Exclude Administrative Roles to exclude users that should not be synchronized.

    You should exclude any administrative User objects (for example, Admin and DriversUser) from synchronization.

    a. Click Add, then browse to and select the user object you want to exclude.

    b. Click OK.

    c. Repeat Step 8.a and Step 8.b for each object you want to exclude.

    d. Click OK.

  9. Click OK.

19.6.4 Starting the Driver

When a driver is created, it is stopped by default. To make the driver work, you must start the driver and cause events to occur. Identity Manager is an event-driven system, so after the driver is started, it won’t do anything until an event occurs.

To start the driver:

  1. In Designer, open your project.

  2. In the Modeler, right-click the driver icon or the driver line, then select Live > Start Driver.