B.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Fan-Out driver includes several predefined GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

B.2.1 Global Configuration Values

The following global configuration values are used for database options and base configuration options.

JDBC connection URL format used: Specify the connection URL format that the JDBC driver uses to connect to the databases. Use the '<HOST>', '<PORT>' and '<DB>' tokens to mark where the host's IP address, the port and the database/SID go in the connection URL.

NOTE:

  • The tokens are case-sensitive, and the angle brackets are mandatory because they are used as delimiters.

    If you use the same Fan-Out driver to connect to an Oracle pluggable database and an Oracle traditional database, separate the URL templates of the databases with a comma. For example: jdbc:oracle:thin:@<HOST>:<PORT>/<DB>, jdbc:oracle:thin:@<HOST>:<PORT>:<DB>
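The token rules above can be checked before a value is saved in the GCV. The following Python sketch is an added example, not part of the product or its documentation: it splits the value on commas, verifies that each template carries the three case-sensitive tokens, and expands a template with one instance's values. The function names and the character allow-lists in `expand` are assumptions made for this example.

```python
import re

REQUIRED = ("<HOST>", "<PORT>", "<DB>")   # tokens named on this page
ANY_TOKEN = re.compile(r"<([A-Za-z]+)>")  # anything shaped like a token

# The two-template value given as the example on this page.
PAGE_EXAMPLE = "jdbc:oracle:thin:@<HOST>:<PORT>/<DB>, jdbc:oracle:thin:@<HOST>:<PORT>:<DB>"

def check_templates(gcv_value):
    """Map each comma-separated template to a list of problems (empty = OK)."""
    report = {}
    for template in (t.strip() for t in gcv_value.split(",")):
        problems = []
        if not template.startswith("jdbc:"):
            problems.append("does not start with jdbc:")
        for token in REQUIRED:
            if token not in template:
                problems.append(f"missing {token}")
        for name in ANY_TOKEN.findall(template):
            if f"<{name}>" not in REQUIRED:
                problems.append(f"unknown or wrong-case token <{name}>")
        report[template] = problems
    return report

def expand(template, host, port, db):
    """Fill in one instance's values, rejecting values that would alter the URL.

    Assumed allow-lists (not from the product): hostname or IPv4 address,
    numeric port, and a database/SID name without URL punctuation.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"unexpected characters in host: {host!r}")
    if not (str(port).isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"invalid port: {port!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.$#]+", db):
        raise ValueError(f"unexpected characters in database/SID: {db!r}")
    return (template.replace("<HOST>", host)
                    .replace("<PORT>", str(port))
                    .replace("<DB>", db))

if __name__ == "__main__":
    for template, problems in check_templates(PAGE_EXAMPLE).items():
        print(template, "->", problems or "ok")
    # Constructed instance values (documentation address range, made-up service name).
    print(expand("jdbc:oracle:thin:@<HOST>:<PORT>/<DB>", "192.0.2.10", 1521, "ORCLPDB1"))
```

A template written with `<host>` or a bare `HOST` is reported as missing `<HOST>`, which is the failure the case-sensitivity note warns about.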

Synchronization model: Select the synchronization model. The synchronization options are: Direct and Indirect. Direct synchronization uses views to synchronize directly to existing tables of arbitrary structure. Indirect synchronization synchronizes to intermediate staging tables with a particular structure.

UserName Column: Specify the exact name of the column in the usr table that stores the usernames.

B.2.2 Managed System Information

These settings help the Identity Reporting Module function to generate reports. There are different sections in the Managed System Information tab.

General Information

Name: Specify a descriptive name for the managed system.

Description: Specify a brief description of the managed system.

Location: Specify the physical location of the managed system.

Vendor: Specify the vendor of the managed system.

Version: Specify the version of the managed system.

System Ownership

Business Owner: Browse to and select the business owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

System Classification

Classification: Select the classification of the connected application. This information is displayed in the reports. The options are:

  • Mission-Critical

  • Vital

  • Not-Critical

  • Other

    If you select Other, you must specify a custom classification for the connected application.

Environment: Select the type of environment the connected application provides. The options are:

  • Development

  • Test

  • Staging

  • Production

  • Other

    If you select Other, you must specify a custom classification for the connected application.

Connection and Miscellaneous Information

Connection and miscellaneous information: This set of options is always set to hide, so that you don’t make changes to these options. These options are system options that are necessary for reporting to work.

JDBC Fan-Out Instances Information

These settings help to configure the Managed System Service related details of each JDBC FanOut instance. To create a new instance, click the plus sign and fill in the following information:

  • JDBC FanOut Instance Name: Specify the descriptive name of the new logical instance of the managed system.

  • Show other configuration values: Select Show to display additional information related to the FanOut instance. For more information, see Section B.2.2, Managed System Information.

  • Connection and miscellaneous information: Select Show to display the system options. The options are:

    • Instance ID

    • Authentication IP Address

    • Authentication Port

    • Authentication ID

    • Database Schema

    • Type

    NOTE: The connection information options are auto-generated and always set to hide.

B.2.3 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

Entitlements

Account Entitlement Value: Specify the entitlement value to assign to the user account during account creation. Role Based Provisioning Module displays this value to the user during account provisioning.

Use Entitlements to Control DB Accounts: Select True to enable the driver to manage database accounts based on the driver’s defined entitlements. Select False to disable management of database accounts based on the entitlements.

Use Group Entitlement: Select True to enable the driver to manage group membership based on the driver’s defined entitlements.

Allow Login Disabled in Subscriber Channel: Select True to enable the driver to control the flow of the Login Disabled attribute in the Subscriber Channel and only on a regular attribute change.

Advanced Settings: Entitlement options that allow or deny additional functionality like data collection, role mapping, resource mapping, parameter format, and entitlement extensions. Leave these settings as default.

Data Collection

Data collection enables the Identity Reporting Module to gather information to generate reports. For more information, see the NetIQ Identity Reporting Module Guide.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by the Data Collection Service for the user accounts.

Allow data collection from groups: Select Yes to allow data collection by the Data Collection Service for groups.

Role Mapping

The Identity Manager Catalog Administrator allows you to map business roles with IT roles. For more information, see the NetIQ Identity Manager Catalog Administrator User Guide.

Enable role mapping: Select Yes to make this driver visible to the Catalog Administrator.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Role Mapping Administrator. An account is required before a role, profile, or license can be granted through Catalog Administrator.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Catalog Administrator.

Resource Mapping

The Roles Based Provisioning Module allows you to map resources to users. For more information, see the NetIQ User Application: User Guide.

Enables resource mapping: Select Yes to make this driver visible to the Roles Based Provisioning Module.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role, profile, or license can be granted.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in the Roles Based Provisioning Module.

Parameter Format

Format for Account entitlement: Specify the parameter format the entitlement agent must use when granting the user account entitlement. The options are Identity Manager 4 and Legacy.

Format for Group entitlement: Specify the parameter format the entitlement agent must use when granting the group entitlement. The options are Identity Manager 4 and Legacy.

Entitlements Extensions

User account extension: Specify the user account extension. The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Group extensions: Specify the group extensions. The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

B.2.4 Account Tracking

The following GCVs control account tracking, which is part of the Identity Reporting Module. For more information, see the NetIQ Identity Reporting Module Guide.

Enable Account Tracking: Set this to True to enable account tracking policies for the Fan-Out driver. Set it to False if you do not want to execute account tracking policies.

  • Object class

  • Realm

  • Identifiers for Account

  • Status Attribute

  • Status active value

  • Status inactive value

  • Subscription default status

  • Publication default status

B.2.5 Password Synchronization

The following GCVs control password synchronization for the Fan-Out driver. For more information, see the NetIQ Identity Manager Password Management Guide.

Application Accepts Passwords from Identity Manager: If this option is set to True, the driver allows passwords to flow from the Identity Manager data store to the connected server.

Identity Manager Accepts Passwords from the Application: If this option is set to True, it allows passwords to flow from the connected system to Identity Manager.

Publish Passwords to NDS Password: Use the password from the connected system to set the non-reversible NDS password in the Identity Vault.

Publish Passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require passwords policy validation before publishing passwords: Select True to apply NMAS password policies when publishing passwords. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If this option is set to True, and the Distribution Password fails to distribute, attempt to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If this option is set to True, notify the user by e-mail of any password synchronization failures.

Connected System or Driver Name: Specifies the name of the connected system, application or Identity Manager driver. This value is used by the e-mail notification templates to identify the source of notification messages.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

B.2.6 JDBC Fan-Out Common

Allow ‘Group add’ in Fanout mode: This GCV controls the creation of groups in the Subscriber channel. By default, this is Disabled. The driver vetoes the group add operations. Enabling this option allows the driver to send the group add events to each of the JDBC instances configured by the driver.

Synchronize the first or the last replica value: Select the appropriate option to synchronize the first or last replica value of multi-valued attributes mapped to single-valued columns. The options are: First and Last.