A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Active Directory driver includes several predefined GCVs. You can also add your own if you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the Active Directory driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the Active Directory driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

A.2.1 Configuration

The following GCVs contain configuration information for the Active Directory driver. They are divided into the following categories:

Synchronization Settings

Domain DNS Name: Specify the DNS name of the Active Directory domain managed by this driver.

Subscriber Channel Placement Type: Specify the type of placement for the Subscriber Channel. Select Flat to strictly place objects within the base container. Select Mirrored to hierarchically place objects within the base container. This is used to determine the Subscriber Channel Placement policies.

Active Directory User Container: Specify the container where user objects reside in Active Directory.

Publisher Channel Placement Type: Specify the type of placement for the Publisher Channel. Select Flat to strictly place objects within the base container. Select Mirrored to hierarchically place objects within the base container. This is used to determine the Publisher Channel Placement policies.
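The difference between the Flat and Mirrored placement types is easiest to see as the DN each one produces. The following Python is an added illustration of what a placement policy computes; it is not the driver's own policy code (those are DirXML-Script policies), and it assumes LDAP-format DNs on both sides, that mirrored containers are re-created as OUs, and constructed sample names.

```python
"""Flat vs Mirrored placement, as an illustration of what the Subscriber and
Publisher Channel Placement policies compute.  Added example, not the driver's
own policy code; LDAP-format DNs on both sides and the sample data are assumptions."""

from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split an LDAP DN into its RDNs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def relative_rdns(obj_dn: str, base_dn: str) -> List[str]:
    """RDNs of obj_dn below base_dn, leaf first.  Raise if the object lies outside
    the base, because a placement policy has nothing to place in that case."""
    obj, base = split_dn(obj_dn), split_dn(base_dn)
    tail = [r.lower() for r in obj[-len(base):]]
    if len(obj) <= len(base) or tail != [r.lower() for r in base]:
        raise ValueError(f"{obj_dn} is not below {base_dn}")
    return obj[: len(obj) - len(base)]


def place(obj_dn: str, src_base: str, dst_base: str, placement: str) -> str:
    """Compute the destination DN for one object.

    Flat:     every object lands directly in dst_base, whatever its source container.
    Mirrored: the source containers between the object and src_base are re-created
              under dst_base (as OUs, an assumption), preserving the hierarchy.
    """
    rel = relative_rdns(obj_dn, src_base)
    leaf = "CN=" + rel[0].split("=", 1)[1]
    if placement == "Flat":
        return ",".join([leaf, dst_base])
    if placement == "Mirrored":
        containers = ["OU=" + rdn.split("=", 1)[1] for rdn in rel[1:]]
        return ",".join([leaf, *containers, dst_base])
    raise ValueError(f"unknown placement type: {placement}")


def flat_collisions(obj_dns: List[str], src_base: str, dst_base: str) -> Dict[str, List[str]]:
    """Flat placement discards the source hierarchy, so two objects that share a leaf
    name in different source containers map to the same destination DN.  Return any
    such groups so the collision is noticed before the driver tries to create the
    second object."""
    targets: Dict[str, List[str]] = {}
    for dn in obj_dns:
        targets.setdefault(place(dn, src_base, dst_base, "Flat").lower(), []).append(dn)
    return {t: srcs for t, srcs in targets.items() if len(srcs) > 1}


if __name__ == "__main__":
    # Constructed sample data: an Identity Vault user container and an AD user container.
    SRC_BASE = "ou=users,o=acme"
    DST_BASE = "OU=Users,DC=example,DC=com"
    jdoe = "cn=jdoe,ou=finance,ou=users,o=acme"
    print("Flat:    ", place(jdoe, SRC_BASE, DST_BASE, "Flat"))
    print("Mirrored:", place(jdoe, SRC_BASE, DST_BASE, "Mirrored"))
    print("Flat collisions:", flat_collisions(
        [jdoe, "cn=jdoe,ou=sales,ou=users,o=acme", "cn=asmith,ou=sales,ou=users,o=acme"],
        SRC_BASE, DST_BASE))
```

The flat_collisions check is the practical point: with Flat placement, two Identity Vault users with the same name in different containers would be placed at the same Active Directory DN, so a flat layout needs unique leaf names across the whole source tree.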

Name Mapping Policy

Show name mapping policy: Select show to display the global configuration values for the name mapping policy. Select hide to not have the global configuration values displayed.

The following GCVs are used in the name mapping policy. If the policy does not meet your needs, you can modify it by editing the UserNameMap policies in the Subscriber and Publisher Command Transformation policies.

Full Name Mapping: Select True to synchronize the Identity Vault user’s Full Name with the Active Directory object name and display name. This policy is useful when creating user accounts in Active Directory by using the Microsoft Management Console Users and Computers snap-in.

Logon Name Mapping: Select True to synchronize the Identity Vault user’s object name with the Active Directory Pre-Windows 2000 Logon Name (also known as the NT Logon Name and the sAMAccountName).

User Principal Name Mapping: Allows you to choose a method for managing the Active Directory Logon Name (also known as the userPrincipalName). userPrincipalName takes the form of an e-mail address, such as user@domain.com. Although the driver can place any value into userPrincipalName, the value is not useful as a logon name unless the domain is configured to accept the domain suffix used in the name.

  • Follow Active Directory e-mail address: Sets the userPrincipalName to the value of the Active Directory mail attribute. This option is useful when you want the user’s e-mail address to be used for authentication and Active Directory is authoritative for e-mail addresses.

  • Follow Identity Vault e-mail address: Sets the userPrincipalName to the value of the Identity Vault e-mail address attribute. This option is useful when you want the user’s e-mail address to be used for authentication and the Identity Vault is authoritative for e-mail addresses.

  • Follow Identity Vault name: This option is useful when you want to generate userPrincipalName from the user logon name plus a hard-coded string defined in the policy.

  • None: This option is useful when you do not want to control userPrincipalName or when you want to implement your own policy.
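The four mapping choices, and the caveat that a userPrincipalName is only usable for logon when the domain accepts its suffix, can be illustrated as follows. This Python is an added example of what the UserNameMap policy produces, not the driver's own policy code; the attribute field names, the hard-coded suffix, the list of accepted suffixes and the sample user are all assumptions.

```python
"""The four User Principal Name Mapping choices, as an added illustration of what
the UserNameMap policy produces; not the driver's own policy code.  Field names,
the appended suffix, the accepted-suffix list and the sample user are assumptions."""

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

FOLLOW_AD_MAIL = "Follow Active Directory e-mail address"
FOLLOW_IDV_MAIL = "Follow Identity Vault e-mail address"
FOLLOW_IDV_NAME = "Follow Identity Vault name"
NONE = "None"

# The hard-coded string the policy appends in the 'Follow Identity Vault name'
# case (assumed value; in the real policy it is whatever the administrator set).
UPN_SUFFIX = "@example.com"


@dataclass
class User:
    logon_name: str                  # Identity Vault object name (the logon name)
    ad_mail: Optional[str] = None    # Active Directory 'mail' attribute
    idv_email: Optional[str] = None  # Identity Vault e-mail address attribute (assumed field name)


def map_upn(user: User, mapping: str) -> Optional[str]:
    """Return the userPrincipalName the policy would write, or None when the policy
    leaves the attribute alone (no source value, or the mapping is 'None')."""
    if mapping == FOLLOW_AD_MAIL:
        return user.ad_mail
    if mapping == FOLLOW_IDV_MAIL:
        return user.idv_email
    if mapping == FOLLOW_IDV_NAME:
        return user.logon_name + UPN_SUFFIX
    if mapping == NONE:
        return None
    raise ValueError(f"unknown mapping: {mapping}")


def upn_suffix_accepted(upn: Optional[str], accepted_suffixes: Iterable[str]) -> bool:
    """A UPN only works for logon if its suffix is one the domain accepts.  The driver
    writes whatever the mapping yields, so this check is a separate step."""
    if not upn or "@" not in upn:
        return False
    suffix = upn.rsplit("@", 1)[1].lower()
    return suffix in {s.lower() for s in accepted_suffixes}


def resolve_upn(user: User, mapping: str, accepted_suffixes: Iterable[str]) -> Tuple[Optional[str], bool]:
    """Apply the mapping and report whether the result is a usable logon name."""
    upn = map_upn(user, mapping)
    return upn, upn_suffix_accepted(upn, accepted_suffixes)


if __name__ == "__main__":
    accepted = ["example.com", "ad.example.com"]   # constructed list of accepted UPN suffixes
    user = User("jdoe", ad_mail="john.doe@mail.example.net", idv_email="jdoe@example.com")
    for mapping in (FOLLOW_AD_MAIL, FOLLOW_IDV_MAIL, FOLLOW_IDV_NAME, NONE):
        print(f"{mapping:40} -> {resolve_upn(user, mapping, accepted)}")
```

In the sample run the Active Directory mail address carries a suffix the domain does not accept, so following it yields a userPrincipalName that is written but cannot be used to log on; the Identity Vault e-mail address and the name-plus-suffix option both yield usable values.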

A.2.2 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

Entitlements and Exchange Configuration

For more information about entitlements, see Section 1.3.3, Entitlements.

Use User Account Entitlement: Entitlements act like an On/Off switch to control account access. When the driver is enabled for entitlements, it creates an account when the account entitlement is granted to a user, and removes or disables the account when the entitlement is revoked. If you select True, user accounts in Active Directory can be controlled by using entitlements.

Enable Login Disabled attribute sync: Specify whether the driver syncs the changes made to the Login Disabled attribute in the Identity Vault even if the User Account entitlement is enabled.

When account entitlement revoked: Select the desired action in the Active Directory database when a User Account entitlement is revoked from an Identity Vault user. The options are Disable Account or Delete Account.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy.

Use Group Entitlement: Select True to enable the driver to manage Active Directory group membership based on the driver’s Group entitlement.

Select False to disable management of group membership based on entitlement.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy.

Exchange Mailbox Provisioning: Select Disable Exchange Provisioning to disable the Exchange Provisioning.

Select Use Exchange Mailbox Enablement to enable the driver to manage Exchange Mailboxes based on the driver's Exchange Mailbox Entitlement, in Active Directory.

Select Use Policy to enable the driver to manage Exchange Mailboxes based on the driver's policies, in Active Directory.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy.

Permissions Collection and Reconciliation

If you installed the Entitlements package, iManager and Designer display the following options. For more information about Permission Collection and Reconciliation service, see Understanding Permission Collection and Reconciliation Service, in the NetIQ Identity Manager Driver Administration Guide.

Enable Permissions Collection and Reconciliation: Set the value of this parameter to true for permission reconciliation and entitlement assignment. By default, the value is set to false.

Enable Permissions Reconciliation for User Account Entitlement: Ensure the value of this parameter is set to Yes to enable the driver to map Active Directory user accounts to users in the Identity Vault and assign user account entitlements through the Publisher channel. By default, the value is set to Yes.

Allow User add via publisher channel: Set the value of this parameter to Yes to allow the driver to add new user accounts to the Identity Vault through the Publisher channel. By default, the value is set to No.

Enable Permissions Reconciliation for Group entitlement: Ensure the value of this parameter is set to Yes to enable the driver to assign group entitlements through the Publisher channel. By default, the value is set to Yes.

IMPORTANT: If you set the value of this parameter to No, the user and group resource is not created in the User Application.

Enable Permissions Reconciliation for Exchange entitlement: Ensure the value of this parameter is set to Yes to enable the driver to assign Exchange entitlements through the Publisher channel. By default, the value is set to Yes.

Enable Permissions Reconciliation for all Custom entitlements: If you set the value of this parameter to No, you can select which custom entitlements are included in permission reconciliation. By default, the value is set to Yes, which reconciles permissions for all custom entitlements.

Data Collection

Data collection enables the Identity Report Module to gather information to generate reports. For more information, see the NetIQ Identity Reporting Module Guide.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by the Data Collection Service through the Managed System Gateway driver for the user accounts.

Allow data collection from groups: Select Yes to allow data collection by the Data Collection Service through the Managed System Gateway driver for groups.

Allow data collection from Exchange mailboxes: Select Yes to allow data collection by the Data Collection Service through the Managed System Gateway driver for Exchange mailboxes.

Role Mapping

NetIQ Catalog Administrator allows you to map business roles with IT roles.

Enable role mapping: Select Yes to make this driver visible to the Catalog Administrator.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Catalog Administrator. An account is required before a role, profile, or license can be granted through Catalog Administrator.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Catalog Administrator.

Allow mapping of Exchange mailboxes: Select Yes if you want to allow mapping of Exchange mailboxes in Catalog Administrator.

Resource Mapping

The Roles Based Provisioning Module allows you to map resources to users. For more information, see the NetIQ User Application: User Guide.

Enable resource mapping: Select Yes to make this driver visible to the Roles Based Provisioning Module.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role, profile, or license can be granted.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in the Roles Based Provisioning Module.

Allow mapping of Exchange mailboxes: Select Yes if you want to allow mapping of Exchange mailboxes in the Roles Based Provisioning Module.

Entitlement Extensions

User account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Group extensions: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.

Exchange mailbox extensions: The content of this field is added below the entitlement element in the EntitlementConfiguration resource object.

A.2.3 Password Synchronization

These GCVs enable password synchronization between the Identity Vault and the Active Directory system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

For more information about how to use the Password Management GCVs, see Configuring Password Flow in the NetIQ Identity Manager Password Management Guide.

Connected System or Driver Name: Specify the name of the Active Directory system or the driver name. This value is used by the e-mail notification template to identify the source of the notification message.

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password: Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, on a publish Distribution Password failure, attempt to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If True, notify the user by e-mail of any password synchronization failures.

A.2.4 Account Tracking

Account tracking is part of the Identity Reporting Module. For more information, see the NetIQ Identity Reporting Module Guide.

Enable account tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique.

Object Class: Add the object class to track. Class names must be in the application namespace.

Identifiers: Add the account identifier attributes. Attribute names must be in the application namespace.

Status attribute: Name of the attribute in the application namespace to represent the account status.

Status active value: Value of the status attribute that represents an active state.

Status inactive value: Value of the status attribute that represents an inactive state.

Subscription default status: Select the default status that the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication default status: Select the default status that the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.
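The account tracking GCVs above fit together into one record per tracked account: the realm and identifier attributes make the account unique, and the status attribute with its active and inactive values decides the account's state, falling back to the per-channel default when the attribute is absent. The following Python is an added illustration of that logic, not the driver's own account tracking policies; the configuration values, the status attribute name and the sample objects are constructed.

```python
"""How the account tracking GCVs combine into one tracked-account record, and how
the status attribute and default status are resolved.  Added illustration of the
policy logic, not the driver's own account tracking policies; the configuration,
the status attribute name and the sample objects are constructed."""

from dataclasses import dataclass
from typing import Dict, List

ACTIVE, INACTIVE = "active", "inactive"
SUBSCRIBE, PUBLISH = "subscribe", "publish"   # direction of the event being processed


@dataclass
class AccountTracking:
    realm: str                  # realm, security domain or namespace in which the account name is unique
    object_class: str           # class to track, in the application namespace
    identifiers: List[str]      # account identifier attributes, application namespace
    status_attribute: str       # attribute that carries the account status
    status_active_value: str
    status_inactive_value: str
    subscription_default: str   # assumed when the status attribute is not set on subscribe
    publication_default: str    # assumed when the status attribute is not set on publish


def sample_config() -> AccountTracking:
    """Constructed configuration.  'accountDisabled' stands in for whatever status
    attribute the administrator chooses in the application namespace."""
    return AccountTracking(
        realm="example.com",
        object_class="user",
        identifiers=["sAMAccountName", "userPrincipalName"],
        status_attribute="accountDisabled",
        status_active_value="false",
        status_inactive_value="true",
        subscription_default=ACTIVE,
        publication_default=INACTIVE,
    )


def resolve_status(attrs: Dict[str, str], cfg: AccountTracking, direction: str) -> str:
    """Map the raw status attribute to active/inactive.  Fall back to the channel's
    default when the attribute is absent; refuse a value the configuration does not
    describe rather than silently guessing a state."""
    raw = attrs.get(cfg.status_attribute)
    if raw is None:
        return cfg.subscription_default if direction == SUBSCRIBE else cfg.publication_default
    if raw == cfg.status_active_value:
        return ACTIVE
    if raw == cfg.status_inactive_value:
        return INACTIVE
    raise ValueError(f"{cfg.status_attribute}={raw!r} is neither the active nor the inactive value")


def account_record(attrs: Dict[str, str], cfg: AccountTracking, direction: str) -> Dict[str, object]:
    """Build the record the tracking policies would keep for one account."""
    if attrs.get("objectClass") != cfg.object_class:
        raise ValueError(f"not a tracked class: {attrs.get('objectClass')!r}")
    ids = {name: attrs[name] for name in cfg.identifiers if name in attrs}
    if not ids:
        raise ValueError("object carries none of the configured identifier attributes")
    return {
        "realm": cfg.realm,
        "class": cfg.object_class,
        "identifiers": ids,
        "status": resolve_status(attrs, cfg, direction),
    }


if __name__ == "__main__":
    cfg = sample_config()
    # Constructed sample objects in the application namespace.
    full = {"objectClass": "user", "sAMAccountName": "jdoe",
            "userPrincipalName": "jdoe@example.com", "accountDisabled": "true"}
    no_status = {"objectClass": "user", "sAMAccountName": "asmith"}
    print(account_record(full, cfg, SUBSCRIBE))
    print(account_record(no_status, cfg, PUBLISH))
```

The second sample object has no status attribute, so its state comes entirely from the Publication default status; choosing that default deliberately matters, because it is the state the reporting data will show for every published account whose status was never set.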

A.2.5 Managed System Information

These settings help the Identity Reporting Module generate reports. There are different sections in the Managed System Information tab.

General Information

Name: Specify a descriptive name for this Active Directory system. This name is displayed in the reports.

Description: Specify a brief description of this Active Directory system. This description is displayed in the reports.

Location: Specify the physical location of this Active Directory system. This location is displayed in the reports.

Vendor: Select Microsoft as the vendor of the Active Directory system. This information is displayed in the reports.

Version: Specify the version of this Active Directory system. This version information is displayed in the reports.

System Ownership

Business Owner: Browse to and select the business owner in the Identity Vault for this Active Directory system. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for this Active Directory system. You must select a user object, not a role, group, or container.

System Classification

Classification: Select the classification of the Active Directory system. This information is displayed in the reports. The options are:

  • Mission-Critical

  • Vital

  • Not-Critical

  • Other

    If you select Other, you must specify a custom classification for the Active Directory system.

Environment: Select the type of environment the Active Directory system provides. The options are:

  • Development

  • Test

  • Staging

  • Production

  • Other

    If you select Other, you must specify a custom classification for the Active Directory system.

Connection and Miscellaneous Information

Connection and miscellaneous information: This option is always set to hide so that you do not change these options. They are system options that are necessary for reporting to work. If you make any changes, reporting stops working.