5.12 ID Vault Support

Notes ID Vault is a new Notes ID recovery and management feature introduced in Lotus Notes and Domino 8.5. It allows copies of Notes user IDs to be uploaded to an Identity Vault application on a Domino server. The Identity Manager driver for Lotus Notes now supports the Notes Identity Vault feature.

You should manually add the inactive-IDVault-delete-flag, delete-user-from-IDVault-support, and IDVault-database options to the list of subscriber options. These options let you work with a single Notes ID Vault database. To use multiple ID Vault databases, additional GCVs and corresponding policies are required, as the following examples show.

Example 1: The ID Vault and the Primary Server (on which the names.nsf file resides) are the same server.

Assume that an organization has three different organizational units (OU): Sales, Engineering, and Marketing, where the Sales OU uses the sales.nsf ID Vault database, the Engineering OU uses the eng.nsf ID Vault database, and the Marketing OU uses the marketing.nsf ID Vault database.

Use iManager or Designer to add the following GCVs:

<definition display-name="Sales organization ID Vault DB Name" name="account.idVault.salesIDVaultDB" type="string">
 <description>Enter the Sales organization ID Vault database name.</description>
 <value>sales.nsf</value>
</definition>
<definition display-name="Marketing organization ID Vault DB Name" name="account.idVault.markIDVaultDB" type="string">
 <description>Enter the Marketing organization ID Vault database name.</description>
 <value>marketing.nsf</value>
</definition>
<definition display-name="Engineering organization ID Vault DB Name" name="account.idVault.engIDVaultDB" type="string">
 <description>Enter the Engineering organization ID Vault database name.</description>
 <value>eng.nsf</value>
</definition>

Use iManager or Designer to add the following policy to the Subscriber Command Transformation Policies:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
 <rule>
  <description>setting the Sales idVault Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.SalesName~</if-src-dn>
    <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.salesIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
 <rule>
  <description>setting the Marketing idVault Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.MktgName~</if-src-dn>
    <if-global-variable name="account.idVault.markIDVaultDB" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.markIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
 <rule>
  <description>setting the Engineering idVault Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.EngName~</if-src-dn>
    <if-global-variable name="account.idVault.engIDVaultDB" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.engIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
</policy>

Example 2: The ID Vault and the Primary Server (on which the names.nsf file resides) are on different servers. Use the policy given below.

In this example the adminp-server option is used to specify the ID Vault server from which the IDs should be either deleted or moved to the inactive state. Each rule reads an additional server-name GCV (account.idVault.salesIDVaultServerName, account.idVault.markIDVaultServerName, and account.idVault.engIDVaultServerName), which you must define in the same way as the database-name GCVs in Example 1; a rule whose GCVs are not set does not fire, and the delete reaches the driver without the ID Vault attributes.

<?xml version="1.0" encoding="UTF-8"?>
<policy>
<rule>
  <description>setting the Sales idVault Server Names &amp; Database Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.SalesName~</if-src-dn>
    <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
    <if-global-variable name="account.idVault.salesIDVaultServerName" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.salesIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
    <arg-string>
     <token-global-variable name="account.idVault.salesIDVaultServerName"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
 <rule>
  <description>setting the Marketing idVault Server Names &amp; Database Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.MktgName~</if-src-dn>
    <if-global-variable name="account.idVault.markIDVaultDB" op="not-equal"/>
    <if-global-variable name="account.idVault.markIDVaultServerName" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.markIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
    <arg-string>
     <token-global-variable name="account.idVault.markIDVaultServerName"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
 <rule>
  <description>setting the Engineering idVault Server Names &amp; Database Names</description>
  <conditions>
   <and>
    <if-operation op="equal">delete</if-operation>
    <if-class-name op="equal">User</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.EngName~</if-src-dn>
    <if-global-variable name="account.idVault.engIDVaultDB" op="not-equal"/>
    <if-global-variable name="account.idVault.engIDVaultServerName" op="not-equal"/>
   </and>
  </conditions>
  <actions>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
    <arg-string>
     <token-global-variable name="account.idVault.engIDVaultDB"/>
    </arg-string>
   </do-set-xml-attr>
   <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
    <arg-string>
     <token-global-variable name="account.idVault.engIDVaultServerName"/>
    </arg-string>
   </do-set-xml-attr>
  </actions>
 </rule>
</policy>
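Both policies depend on every GCV they reference being defined and non-empty: an `<if-global-variable op="not-equal"/>` guard with no comparison value only passes when the GCV holds a value, so an undefined or blank GCV silently disables the rule and the Notes ID stays in the vault. The following Python check, an added example that is not part of the driver or this documentation, cross-references the GCV names a policy reads against a set of `<definition>` elements. The `<definitions>` wrapper root and the sample policy and GCV content are constructed here for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample GCVs. The page shows bare <definition> elements; a <definitions>
# root is added so the fragment parses. Here the DB name was never filled in and
# the ServerName GCV that Example 2 needs was never created at all.
GCV_XML = """<definitions>
 <definition name="account.idVault.salesIDVaultDB" type="string"><value></value></definition>
</definitions>"""

# Constructed sample policy: the Sales rule of Example 2, which reads both GCVs.
POLICY_XML = """<policy><rule>
 <description>setting the Sales idVault Server Names &amp; Database Names</description>
 <conditions><and>
  <if-operation op="equal">delete</if-operation>
  <if-class-name op="equal">User</if-class-name>
  <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
  <if-global-variable name="account.idVault.salesIDVaultServerName" op="not-equal"/>
 </and></conditions>
 <actions>
  <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
   <arg-string><token-global-variable name="account.idVault.salesIDVaultDB"/></arg-string>
  </do-set-xml-attr>
  <do-set-xml-attr expression="../delete[@class-name='User']" name="adminp-server">
   <arg-string><token-global-variable name="account.idVault.salesIDVaultServerName"/></arg-string>
  </do-set-xml-attr>
 </actions>
</rule></policy>"""


def gcv_values(gcv_xml):
    """Map each defined GCV name to its (possibly empty) string value."""
    root = ET.fromstring(gcv_xml)
    return {d.get("name"): (d.findtext("value") or "").strip() for d in root.iter("definition")}


def referenced_gcvs(policy_xml):
    """GCV names the policy reads in conditions or substitutes via tokens."""
    root = ET.fromstring(policy_xml)
    tags = ("if-global-variable", "token-global-variable")
    return {e.get("name") for tag in tags for e in root.iter(tag)}


def check_policy(policy_xml, gcv_xml):
    """Return (undefined, blank) GCV names; either makes a 'not-equal' guard fail,
    so the rule never stamps IDVault-database/adminp-server on the delete."""
    values = gcv_values(gcv_xml)
    refs = referenced_gcvs(policy_xml)
    undefined = sorted(n for n in refs if n not in values)
    blank = sorted(n for n in refs if n in values and not values[n])
    return undefined, blank
```

Run `check_policy` against the exported policy and GCV XML of a real driver before enabling the ID Vault options; a non-empty result means at least one OU's deletes will bypass vault cleanup.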