3.1 Identity Manager Architecture in Relation to Policies

Identity Manager provides for the clean movement of data between the Identity Vault and any application, directory, or database. To accomplish this, Identity Manager has a well-defined interface that translates the Identity Vault data and events into XML format. This interface allows the data to flow in and out of the directory.

The following figure illustrates the basic Identity Manager components and their relationships.

Figure 3-1 Identity Manager Components

The Metadirectory engine is the key module in the Identity Manager architecture. It provides the interface that allows Identity Manager drivers to synchronize information with the Identity Vault, allowing even disparate data systems to connect and share data.

The Metadirectory engine exposes the Identity Vault data and the Identity Vault events by using an XML format. The Metadirectory engine employs a rules processor and a data transformation engine to manipulate the data as it flows between two systems. Access to the rules processor and transformation engine is provided through control points called Policy Sets. Policy Sets can contain zero or more policies.

A policy implements business rules and processes primarily by transforming an event on a channel input into a set of commands on the channel output. The way each driver synchronizes data and events is configured by the administrator through a series of policies. For example, if a Creation Policy specifies that a User object must have a value for the Given Name attribute, any attempt to create a User object without a given name value is rejected.
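The Creation Policy described above, written out as an added example in DirXML-Script (the XML policy language that Identity Manager policies are stored in); this is illustrative code, not a policy shipped with the product or taken from this page. It assumes the policy is attached to the Creation Policy Set of a driver's Subscriber or Publisher channel, and that the channel input event is an `add` for the `User` class carrying an `add-attr` for `Given Name`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a Creation Policy that rejects User objects created
     without a Given Name. Policy Set, driver and channel are assumed. -->
<policy>
  <rule>
    <description>Veto creation of a User with no Given Name</description>
    <conditions>
      <and>
        <!-- Only act on the add (creation) event for the User class -->
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- "not-available" is true when the event carries no value for the attribute -->
        <if-attr name="Given Name" op="not-available"/>
      </and>
    </conditions>
    <actions>
      <!-- Record why the event was rejected, then discard it so no command
           reaches the channel output -->
      <do-status level="error">
        <arg-string>
          <token-text>User creation rejected: Given Name is required</token-text>
        </arg-string>
      </do-status>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Because the rule vetoes the event rather than the object, the source system is left unchanged and the engine simply emits no `add` command on the channel output; the `do-status` action makes the rejection visible in the driver trace and status log, which is where an administrator would look when an expected account never appears.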