A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The Office 365 driver includes several GCVs that are created from information you supply when you import the driver configuration file. For more information, see Section 5.0, Creating a New Driver Object.

The driver also includes the GCVs that are used with password synchronization. In Designer, you can click the icon next to a password synchronization GCV to edit the object. This displays the Password Synchronization Options dialog box, which displays a better view of the relationship between the different settings. In iManager, you should edit the password synchronization settings on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

You can add your own GCVs if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The driver Global Configuration Values are divided into the following categories:

A.2.1 Password Synchronization

The following GCVs control password synchronization for the Office 365 driver. For more information, see the NetIQ Identity Manager Password Management Guide.

Connected System or Driver Name: Specifies the name of the connected system, application or Identity Manager driver. This value is used by the e-mail notification templates to identify the source of notification messages.

Set Password Never Expires: If you set this option to True, the passwords of newly created users do not expire.

Disable Force Change Password at First Login: If you set this option to True, it disables the forced password change when a user logs in to Office 365 for the first time.

Set Strong Password Required: Set this option to True to enforce the strong password requirement for user passwords.

Application Accepts Passwords from Identity Manager: If this option is set to True, the driver allows passwords to flow from the Identity Manager data store to the connected Office 365 server.

Identity Manager Accepts Passwords from the Application: If this option is set to True, it allows passwords to flow from the connected system to Identity Manager.

Publish Passwords to NDS Password: Use the password from the connected system to set the non-reversible NDS password in the Identity Vault.

Publish Passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Reset user’s external system password to the Identity Manager password on failure: If this option is set to True, and the Distribution Password fails to distribute, attempt to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If this option is set to True, notify the user by e-mail of any password synchronization failures.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

A.2.2 Driver Configuration

Use the following GCVs to control how the driver is configured:

Office 365 Domain Name: Specify the Office 365 site context using the admincentral.onmicrosoft.com format.

Identities to be Synchronized: Specify if the driver should synchronize identities from Active Directory or configure the Identity Vault to act as the identity provider. If you choose to configure the Identity Vault as the identity provider, no association to any other directory is required. With Active Directory as the identity provider, you can synchronize only users that have an association with Active Directory. If you selected Active Directory, fill in the following fields, then click Next:

  • AD Driver: If a driver is specified here, a valid association from that driver on the user is required to synchronize users to Office 365. The new users will synchronize to Active Directory before synchronizing to Office 365.

  • AD Domain Name: Specify the Active Directory domain name of the domain used to authenticate users to the Office 365 portal.

Usage Location: Specify a two-letter country code that needs to be set in Office 365. For example, if the Office 365 service is hosted in different locations and you select your country, the servers hosted in your country are used to make the service available to you.

A.2.3 Entitlements

There are multiple sections in the Entitlements tab. Depending on which packages you installed, different options are enabled or displayed.

Entitlements Configuration

For more information about entitlements, see Section 1.3.8, Supporting Entitlements.

Use User Account Entitlement: Select True to enable the driver to manage user accounts based on the driver’s defined entitlements. Select False to disable management of user accounts based on the entitlements.

Enable Login Disabled Attribute Sync: Select True if the changes made to the LoginDisabled attribute in the Identity Vault should be synchronized even if the User Account entitlement (Account) is enabled.

When Account Entitlement Revoked: Select the action to take when a user account entitlement is revoked. The options are Disable Account or Delete Account. By default, Disable Account is selected.

Parameter Format: Specify the parameter format the entitlement agent must use. Under the Identity Manager 4 option, the entitlement parameters are parsed as a JSON string arranged in a "name":"value" format.

Use Group Entitlement: Select True to enable the driver to manage group membership based on the driver’s defined entitlements.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy. Under the Identity Manager 4 option, the entitlement parameters are parsed as a JSON string arranged in a "name":"value" format.

Select False to disable management of group membership based on entitlements.

Use License Entitlement: Select True to enable the driver to manage user licenses based on the driver’s defined entitlements. To assign multiple Office 365 licenses, you must create multiple resources in the User Application. This is required because an Office 365 license entitlement can have only a single value.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy. Under the Identity Manager 4 option, the entitlement parameters are parsed as a JSON string arranged in a "name":"value" format.

Select False to disable management of license assignments based on the entitlements.

Use Roles Entitlement: Select True to enable the driver to manage user roles based on the driver’s defined entitlements.

Parameter Format: Select the parameter format the entitlement agent must use. The options are Identity Manager 4 or Legacy. Under the Identity Manager 4 option, the entitlement parameters are parsed as a JSON string arranged in a "name":"value" format.

Select False to disable management of role assignments for users based on the entitlements.

Advanced Settings: Select show to display the entitlement options that allow or deny additional functionality, such as data collection. These settings should rarely be changed.

Data Collection

Data collection enables the Identity Report Module to gather information to generate reports.

Enable data collection: Select Yes to enable data collection for the driver through the Data Collection Service by the Managed System Gateway driver. If you are not going to run reports on data collected by this driver, select No.

Allow data collection from user accounts: Select Yes to allow data collection by the Data Collection Service for the user accounts.

Allow data collection from groups: Select Yes to allow data collection by the Data Collection Service for groups.

Allow data collection from licenses: Select Yes to allow data collection by the Data Collection Service for licenses.

Allow data collection from roles: Select Yes to allow data collection by the Data Collection Service for roles.

Role Mapping

The Identity Manager Catalog Administrator allows you to map business roles with IT roles. For more information, see the NetIQ Identity Manager Catalog Administrator User Guide.

Enable role mapping: Select Yes to make this driver visible to the Catalog Administrator.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Role Mapping Administrator. An account is required before a role, profile, or license can be granted through Catalog Administrator.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in Catalog Administrator.

Allow mapping of licenses: Select Yes if you want to allow mapping of licenses in Catalog Administrator.

Allow mapping of roles: Select Yes if you want to allow mapping of roles in Catalog Administrator.

Resource Mapping

The Roles Based Provisioning Module allows you to map resources to users.

Enables resource mapping: Select Yes to make this driver visible to the Roles Based Provisioning Module.

Allow mapping of user accounts: Select Yes if you want to allow mapping of user accounts in the Roles Based Provisioning Module. An account is required before a role, profile, or license can be granted.

Allow mapping of groups: Select Yes if you want to allow mapping of groups in the Roles Based Provisioning Module.

Allow mapping of licenses: Select Yes if you want to allow mapping of licenses in the Roles Based Provisioning Module.

Allow mapping of roles: Select Yes if you want to allow mapping of roles in the Roles Based Provisioning Module.

Entitlement Extensions

User account extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Group extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

License extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

Role extensions: The content of this field is added below the entitlement elements in the EntitlementConfiguration resource object.

A.2.4 Account Tracking

Account tracking is part of the Identity Reporting Module.

Enable account tracking: Set this to True to enable account tracking policies. Set it to False if you do not want to execute account tracking policies.

Realm: Specify the name of the realm, security domain, or namespace in which the account name is unique. You must set the Realm to the Office 365 Domain Name.
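The following is an added example, not part of the original guide or the driver: a small audit script that checks the password-related GCVs from Section A.2.1 against a strict baseline and verifies that the Realm matches the Office 365 Domain Name as required above. The XML export layout, the baseline values, and the sample data are assumptions constructed for illustration; only the display names come from this appendix.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element layout is an assumption of this example.
SAMPLE_GCV_XML = """
<configuration-values>
  <definitions>
    <definition display-name="Office 365 Domain Name"><value>example.onmicrosoft.com</value></definition>
    <definition display-name="Set Password Never Expires"><value>true</value></definition>
    <definition display-name="Disable Force Change Password at First Login"><value>true</value></definition>
    <definition display-name="Set Strong Password Required"><value>false</value></definition>
    <definition display-name="Realm"><value>corp.example.com</value></definition>
  </definitions>
</configuration-values>
"""

# Display names from Section A.2.1 mapped to the value a strict baseline expects.
# The baseline is an assumption of this example, not vendor guidance.
PASSWORD_BASELINE = {
    "Set Password Never Expires": "false",
    "Disable Force Change Password at First Login": "false",
    "Set Strong Password Required": "true",
}

def load_gcvs(xml_text):
    """Return {display-name: value} for every <definition> element."""
    root = ET.fromstring(xml_text)
    return {d.get("display-name"): (d.findtext("value") or "").strip()
            for d in root.iter("definition")}

def audit_gcvs(xml_text):
    """Return a list of findings; an empty list means the baseline is met."""
    gcvs = load_gcvs(xml_text)
    findings = []
    for name, expected in PASSWORD_BASELINE.items():
        actual = gcvs.get(name)
        if actual is None:
            findings.append(f"MISSING: {name}")
        elif actual.lower() != expected:
            findings.append(f"WEAK: {name} = {actual} (baseline {expected})")
    # Section A.2.4: the Realm must be set to the Office 365 Domain Name.
    realm = gcvs.get("Realm", "")
    domain = gcvs.get("Office 365 Domain Name", "")
    if realm.lower() != domain.lower():
        findings.append(f"MISMATCH: Realm '{realm}' != Office 365 Domain Name '{domain}'")
    return findings

if __name__ == "__main__":
    for finding in audit_gcvs(SAMPLE_GCV_XML):
        print(finding)
```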

A.2.5 Managed System Information

These settings help the Identity Reporting Module generate reports. There are different sections in the Managed System Information tab.

General Information

Name: Specify a descriptive name for the managed system.

Description: Specify a brief description of the managed system.

Location: Specify the physical location of the managed system.

Vendor: Specify Microsoft as the vendor of the managed system.

Version: Specify the version of the managed system.

System Ownership

Business Owner: Browse to and select the business owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

Application Owner: Browse to and select the application owner in the Identity Vault for the connected application. You must select a user object, not a role, group, or container.

System Classification

Classification: Select the classification of the connected application. This information is displayed in the reports. The options are:

  • Mission-Critical

  • Vital

  • Not-Critical

  • Other

    If you select Other, you must specify a custom classification for the connected application.

Environment: Select the type of environment the connected application provides. The options are:

  • Development

  • Test

  • Staging

  • Production

  • Other

    If you select Other, you must specify a custom classification for the connected application.

Connection and Miscellaneous Information

Connection and miscellaneous information: This set of options is always set to hide, so that you don’t make changes to these options. These options are system options that are necessary for reporting to work.