A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The GroupWise driver includes many GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit.

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

A.2.1 Driver Configuration

GroupWise Domain Database Version: The version of the GroupWise domain database to which this driver should connect.

  • GroupWise 8

  • GroupWise 2012

Default Sync Destination: GroupWise Post Office: Specify the GroupWise post office in which newly added eDirectory objects are created. Use the browse button to select the GroupWise post office or specify the GroupWise post office name as an eDirectory distinguished name (DN) in slash format. For example: GW\GWSystem\PO1.

Enforce Admin Lockout Setting: Enforces the Minimum Snap-in Release Version and Minimum Snap-in Release Date set in the Admin Lockout Settings tab of System Preferences in ConsoleOne. If the domain to which the driver connects has overridden these settings, the domain settings are used. This means that the GroupWise driver must be running with GroupWise support files equal to or later than these settings.

Normally, it is set to True. You might need to set it to False if the GroupWise support pack is installed and ConsoleOne is configured to lock out previous versions. True enforces this lockout setting. False disables this lockout setting.

Synchronize Groups: Allows the driver to synchronize eDirectory groups to GroupWise distribution lists. True enables the synchronization. False disables the synchronization.

Cleanup Group Membership: Available only if Synchronize Groups is set to True. Removes the user from the Group Membership attribute when the user is removed from the GroupWise distribution lists.

Synchronize GroupWise Distribution Lists: Select True if you want this driver to synchronize eDirectory’s GroupWise Distribution List objects with distribution lists in GroupWise. By default, it is set to False.

Sync GroupWise External Entities to this Domain: Available only if Synchronize GroupWise Distribution Lists is set to True. Specify a non-GroupWise domain name that exists within the GroupWise system. This domain must host at least one external post office, defined in Sync GroupWise External Entities to this External Post Office.

Synchronize GroupWise External Entity Objects: Select True to synchronize eDirectory’s GroupWise External Entity objects with external users in GroupWise. By default, it is set to False.

Sync GroupWise External Entities to this External Post Office: Available only if Synchronize GroupWise Distribution Lists is set to True. Specify an external post office name that exists within the GroupWise system. This post office must be subordinate to the GroupWise domain defined in Sync GroupWise External Entities to this Domain.

Synchronize eDir OrgUnit To GroupWise External Post Office: Allows the driver to synchronize eDirectory organizational units to GroupWise external post offices. True enables the synchronization. False disables the synchronization.

Create External Post Offices in the Non-GroupWise Domain: Available only if Synchronize eDir OrgUnit to GroupWise External Post Office is set to True. Specify a non-GroupWise domain name that exists within the GroupWise system. This domain hosts the external post offices created by the GroupWise driver when synchronizing eDirectory organizational units to GroupWise post offices.

Create Nicknames: Allows the driver to create GroupWise nicknames when GroupWise accounts are renamed or moved to another post office. True creates nicknames when the accounts are renamed or moved. False does not create nicknames when the accounts are renamed or moved.

NOTE: This option should not be used with GroupWise 6.5.0 or earlier.

Reassign Resource Ownership: The driver reassigns ownership of resources when GroupWise accounts are disabled or expired.

True assigns the resources to the default User ID you specify in the next parameter. This setting does not apply when a GroupWise account is deleted because the resources must be reassigned. False is the default.

Default Resource Owner User ID: Specify the prefix of the default user to become the new owner of resources that are reassigned. The default is IS_admin.

You must specify this name even when the Reassign Resource Ownership option is False. When a GroupWise account is deleted, its resources are assigned to this account. If the default User ID does not have a GroupWise account in the post office of the deleted account, an account is created.

IMPORTANT: The driver does not start if a default user prefix is not specified.

Create Accounts During Migration: Allows the driver to create new GroupWise accounts for users without a current account during a migration from eDirectory. True allows the accounts to be created. False does not create the accounts.

Migration causes Identity Manager to examine every object specified. When an object does not have a driver association, the Create policy is applied. If the object meets the Create rule criteria, the object is passed to the driver as an Add event. When you specify True, the driver creates a GroupWise account. When False is specified, the Add event is ignored and the driver issues a warning that this option is set to False. The default value is False.

Migration sets the driver association on all users with GroupWise accounts. See Section 3.3, Associating Identity Vault Users and GroupWise Users for more information.

Action On eDirectory GroupWise External Entity Delete: Select the action you want the driver to take on an associated GroupWise account (mailbox), when a GroupWise external entity is deleted in eDirectory. The options are:

  • Disable the GroupWise account

  • Delete the GroupWise account

  • Expire the GroupWise account

  • Disable and Expire the GroupWise account

Action On eDirectory GroupWise External Entity Expire/Unexpire: Select the action you want the driver to take on the associated GroupWise account (mailbox), when an expired or unexpired GroupWise external entity logs into eDirectory. The options are:

  • Expire/Unexpire the GroupWise Account

  • Disable/Enable the GroupWise Account

  • Disable/Enable and Expire/Unexpire the GroupWise Account

Action On eDirectory GroupWise External Entity Disable/Enable: Select the action you want the driver to take on the associated GroupWise account (mailbox), when a disabled or enabled GroupWise external entity logs into eDirectory. The options are:

  • Expire/Unexpire the GroupWise Account

  • Disable/Enable the GroupWise Account

  • Disable/Enable and Expire/Unexpire the GroupWise Account

Remove GroupWise External Entity from all Distribution Lists on expire: Select True if you want the driver to remove the GroupWise external entity from all distribution lists when the GroupWise account is expired; otherwise, select False.

Remove GroupWise External Entity from all Distribution Lists on disable: Select True if you want the driver to remove the GroupWise external entity from all distribution lists when the GroupWise account is disabled; otherwise, select False.

Publisher Heartbeat interval: Specify the Publisher channel heartbeat interval in minutes. Enter 0 to disable the heartbeat.

A.2.2 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled and displayed. This section documents all of the options.

Entitlements Options

Use Driver GWAccount Entitlement: Select True to allow the driver to manage GroupWise accounts based on the GroupWise account entitlement. Select False to not use the GroupWise account entitlement.

If you select False, the following options are not displayed.

Account On GroupWise Account Entitlement Add: Select the action you want the driver to take on the associated GroupWise account (mailbox), when a user is created in the Identity Vault with a GroupWise account entitlement. The options are:

  • Enable the GroupWise account

  • Disable the GroupWise account

Action On GroupWise Account Entitlement Remove: Select the action you want the driver to take on the associated GroupWise account (mailbox), when a user’s GroupWise account entitlement is removed. The options are:

  • Disable the GroupWise account

  • Delete the GroupWise account

  • Expire the GroupWise account

  • Disable and expire the GroupWise account

Data Collection

Data collection enables the Identity Reporting Module to gather information to generate reports. For more information, see the NetIQ Identity Reporting Module Guide.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by the Data Collection Service through the Managed System Gateway driver for the user accounts.

Role Mapping

The Role Mapping Administrator allows you to map business roles with IT roles.

Enable role mapping: Select Yes to make this driver visible to the Role Mapping Administrator.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Role Mapping Administrator. An account is required before a role, profile, or license can be granted through the Role Mapping Administrator.

Resource Mapping

The Roles Based Provisioning Module allows you to map resources to users. For more information, see the NetIQ User Application: User Guide.

Enables resource mapping: Select Yes to make this driver visible to the Roles Based Provisioning Module.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role, profile, or license can be granted.

A.2.3 Account Tracking

Account tracking is part of the Identity Reporting Module. For more information, see the NetIQ Identity Reporting Module Guide.

Enable account tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique.

Object Class: Add the object class to track. Class names must be in the application namespace.

Identifiers: Add the account identifier attributes. Attribute names must be in the application namespace.

NOTE: A new identifier, LDAPDN, has been added to the Identifiers list. You must add it manually because the package upgrade doesn't add it to the Account Tracking GCV.

Status attribute: Name of the attribute in the application namespace to represent the account status.

Status active value: Value of the status attribute that represents an active state.

Status inactive value: Value of the status attribute that represents an inactive state.

Subscription default status: Select the default status the policies assume when an object is subscribed to the application and the status attribute is not set in the Identity Vault.

Publication default status: Select the default status the policies assume when an object is published to the Identity Vault and the status attribute is not set in the application.

A.2.4 Password Synchronization

The following GCVs control the flow of passwords between GroupWise and the Identity Vault. For more information about how to use the Password Management GCVs, see Configuring Password Flow in the NetIQ Identity Manager Password Management Guide.

Set the initial/default GroupWise password on account creation: If True, the GroupWise initial/default password is set when an account is created. The initial password value is specified in the Create policy. If False, the initial password is not set.

GroupWise has two passwords, the initial password and the regular password. The initial password is stored in clear text and can be seen by an admin. The regular password is encrypted and cannot be viewed. When it is set, the regular password is used by GroupWise instead of the initial password. When a GroupWise user changes his or her password, it is stored as the regular password. For security, the initial password is never set to a password sent from eDirectory.

Synchronize the eDirectory password to the GroupWise regular password: If True, allows passwords to flow from eDirectory to GroupWise. If False, the regular password is not set.

GroupWise has two passwords, the initial password and regular password. The initial password is stored in clear text and can be seen by an admin. The regular password is encrypted and cannot be viewed. When it is set, the regular password is used by GroupWise instead of the initial/default password. When a GroupWise user changes his or her password, it is stored as the regular password. For security, the initial password is never set to a password sent from eDirectory.
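
A pre-deployment check of constraints stated in Sections A.2.1 and A.2.4, as an added example that is not part of the NetIQ documentation or the driver. It assumes the GCVs have been collected into a plain dictionary keyed by the display names used in this appendix, which is a constructed representation and not the driver's own storage format.

```python
# Added example: lint GroupWise driver GCVs against rules stated in this appendix.
# Assumption: GCVs are held in a dict keyed by the display names used on this page;
# this is a constructed representation, not the driver's own storage format.

# Child setting -> parent that must be True for the child to be available (A.2.1).
DEPENDS_ON = {
    "Cleanup Group Membership": "Synchronize Groups",
    "Sync GroupWise External Entities to this Domain":
        "Synchronize GroupWise Distribution Lists",
    "Sync GroupWise External Entities to this External Post Office":
        "Synchronize GroupWise Distribution Lists",
    "Create External Post Offices in the Non-GroupWise Domain":
        "Synchronize eDir OrgUnit To GroupWise External Post Office",
}
OWNER = "Default Resource Owner User ID"
INITIAL_PW = "Set the initial/default GroupWise password on account creation"


def lint_gcvs(gcvs):
    """Return a list of (severity, setting, message) findings."""
    findings = []
    # A.2.1: the driver does not start if no default user prefix is specified.
    if not str(gcvs.get(OWNER, "")).strip():
        findings.append(("error", OWNER, "empty: the driver does not start"))
    # A.2.1: a dependent setting is available only if its parent is True.
    for child, parent in DEPENDS_ON.items():
        if gcvs.get(child) not in (None, "", False) and gcvs.get(parent) is not True:
            findings.append(("warning", child, f"available only if '{parent}' is True"))
    # A.2.4: the initial password is stored in clear text and can be seen by an admin.
    if gcvs.get(INITIAL_PW) is True:
        findings.append(("warning", INITIAL_PW,
                         "initial password is clear text; review the Create policy value"))
    return findings


# Constructed sample values, for illustration only.
SAMPLE = {
    "Synchronize Groups": False,
    "Cleanup Group Membership": True,
    "Synchronize GroupWise Distribution Lists": True,
    "Sync GroupWise External Entities to this Domain": "EXTDOM",
    OWNER: "",
    INITIAL_PW: True,
}

if __name__ == "__main__":
    for severity, setting, message in lint_gcvs(SAMPLE):
        print(f"{severity.upper():7} {setting}: {message}")
```
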

A.2.5 Managed System Information

These settings help the Identity Reporting Module generate reports. For more information, see the NetIQ Identity Reporting Module Guide.

ID: Specify a unique ID for the GroupWise system. This ID is displayed in the reports.

Name: Specify a descriptive name for this GroupWise system. The name is displayed in the reports.

Description: Specify a brief description of this GroupWise system. The description is displayed in the reports.

Type: Specify the type of system the GroupWise system provides in your environment. This information is displayed in the reports.

Classification: Specify the classification for this GroupWise system in your environment. For example, Mission-Critical. This information is displayed in the reports.

Vendor: Select NetIQ, Inc. as the vendor of this system. The vendor information is displayed in the reports.

Version: Specify the version of this GroupWise system. The version is displayed in the reports.

Business Owner: Select a user object in the Identity Vault that is the business owner of this GroupWise system. This can only be a user object, not a role, group, or container.

Application Owner: Select a user object in the Identity Vault that is the application owner for this GroupWise system. This can only be a user object, not a role, group, or container.

Location: Specify the physical location of the GroupWise system. This information is displayed in the reports.

Environment: Specify the type of environment the GroupWise system provides. For example, development, test, or production. This information is displayed in the reports.

Authentication IP Address: Specify the IP address used to authenticate to the GroupWise system.

Authentication Port: Specify the port used to authenticate to the GroupWise system.

Authentication ID: Specify the user ID used to authenticate to the GroupWise system.