A.2 Global Configuration Values

Global configuration values (GCVs) are values that can be used by the driver to control functionality. GCVs are defined on the driver or on the driver set. Driver set GCVs can be used by all drivers in the driver set. Driver GCVs can be used only by the driver on which they are defined.

The SOAP driver includes several predefined GCVs. You can also add your own if you discover you need additional ones as you implement policies in the driver.

To access the driver’s GCVs in iManager:

  1. Click to display the Identity Manager Administration page.

  2. Open the driver set that contains the driver whose properties you want to edit:

    1. In the Administration list, click Identity Manager Overview.

    2. If the driver set is not listed on the Driver Sets tab, use the Search In field to search for and display the driver set.

    3. Click the driver set to open the Driver Set Overview page.

  3. Locate the driver icon, click the upper right corner of the driver icon to display the Actions menu, then click Edit Properties.

    or

    To add a GCV to the driver set, click Driver Set, then click Edit Driver Set properties.

To access the driver’s GCVs in Designer:

  1. Open a project in the Modeler.

  2. Right-click the driver icon or line, then select Properties > Global Configuration Values.

    or

    To add a GCV to the driver set, right-click the driver set icon, then click Properties > GCVs.

The global configuration values are organized as follows:

A.2.1 Password Synchronization

These GCVs enable password synchronization between the Identity Vault and the connected system.

In Designer, you must click the icon next to a GCV to edit it. This displays the Password Synchronization Options dialog box for a better view of the relationship between the different GCVs.

In iManager, you should edit the Password Management Options on the Server Variables tab rather than under the GCVs. The Server Variables page has a better view of the relationship between the different GCVs.

For more information about how to use the Password Management GCVs, see Configuring Password Flow in the NetIQ Identity Manager Password Management Guide.

Connected System or Driver Name: Specify the name of the SOAP system or the driver name. This value is used by the e-mail notification template to identify the source of the notification message.

Application accepts passwords from Identity Manager: If True, allows passwords to flow from the Identity Manager data store to the connected system.

Identity Manager accepts passwords from application: If True, allows passwords to flow from the connected system to Identity Manager.

Publish passwords to NDS password: Use the password from the connected system to set the non-reversible NDS password in eDirectory.

Publish passwords to Distribution Password: Use the password from the connected system to set the NMAS Distribution Password used for Identity Manager password synchronization.

Require password policy validation before publishing passwords: If True, applies NMAS password policies during publish password operations. The password is not written to the data store if it does not comply.

Reset user’s external system password to the Identity Manager password on failure: If True, on a publish Distribution Password failure, attempts to reset the password in the connected system by using the Distribution Password from the Identity Manager data store.

Notify the user of password synchronization failure via e-mail: If True, notifies the user by e-mail of any password synchronization failures.
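The following Python sketch is an added example, not code from the driver or from NetIQ. It models how the seven password synchronization GCVs described above combine for a password change arriving from the connected system, and flags combinations worth confirming. The field names, action labels and finding labels are hypothetical, and it assumes that a policy rejection is the publish failure that triggers the reset and e-mail options.

```python
from dataclasses import dataclass

@dataclass
class PasswordSyncGCVs:
    # Hypothetical field names; each comment gives the GCV label from this page.
    app_accepts_from_idm: bool       # Application accepts passwords from Identity Manager
    idm_accepts_from_app: bool       # Identity Manager accepts passwords from application
    publish_to_nds: bool             # Publish passwords to NDS password
    publish_to_distribution: bool    # Publish passwords to Distribution Password
    require_policy_validation: bool  # Require password policy validation before publishing
    reset_external_on_failure: bool  # Reset user's external system password ... on failure
    notify_user_on_failure: bool     # Notify the user of ... failure via e-mail

def publish_outcome(gcv, complies_with_policy):
    """Actions for one password change arriving from the connected system."""
    if not gcv.idm_accepts_from_app:
        return ["ignored"]
    # Assumption: a policy rejection is the publish failure that triggers reset/notify.
    if gcv.require_policy_validation and not complies_with_policy:
        actions = ["rejected"]
        if gcv.reset_external_on_failure and gcv.publish_to_distribution:
            actions.append("reset-external")
        if gcv.notify_user_on_failure:
            actions.append("notify-user")
        return actions
    actions = []
    if gcv.publish_to_nds:
        actions.append("set-nds-password")
    if gcv.publish_to_distribution:
        actions.append("set-distribution-password")
    return actions or ["no-target"]

def review(gcv):
    """Flag combinations an administrator should confirm are intended."""
    findings = []
    if gcv.idm_accepts_from_app and not gcv.require_policy_validation:
        findings.append("no-policy-validation")  # non-compliant passwords get written
    if gcv.idm_accepts_from_app and not (gcv.publish_to_nds or gcv.publish_to_distribution):
        findings.append("no-publish-target")
    if gcv.reset_external_on_failure and not gcv.publish_to_distribution:
        findings.append("reset-without-distribution-password")
    if gcv.require_policy_validation and not gcv.notify_user_on_failure:
        findings.append("silent-rejection")  # user never learns the change was refused
    return findings

# Constructed sample settings, not taken from a real driver.
strict = PasswordSyncGCVs(True, True, False, True, True, True, True)
loose = PasswordSyncGCVs(True, True, True, True, False, False, False)

if __name__ == "__main__":
    for name, gcv in (("strict", strict), ("loose", loose)):
        print(name, publish_outcome(gcv, complies_with_policy=False), review(gcv))
```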

A.2.2 Permission Collection and Reconciliation

If you installed the Permission Collection and Reconciliation package, iManager and Designer display the following options. For more information about the permission reconciliation feature, see Understanding Permission Collection and Reconciliation Service in the NetIQ Identity Manager Driver Administration Guide.

Enable Permissions Collection and Reconciliation: Set the value of this parameter to true to allow permission collection and entitlement assignment. By default, the value is set to false, which allows the driver to override any other conditions to reconcile custom entitlements.

Enable Permissions Reconciliation for Account Entitlement: Ensure the value of this parameter is set to Yes to enable the driver to map the target system accounts to users in the Identity Vault and assign user account entitlements through the Publisher channel. By default, the value is set to Yes.

Allow User add via publisher channel: Set the value of this parameter to Yes to allow the driver to add new user accounts to the Identity Vault through the Publisher channel. By default, the value is set to No.

Enable Permissions Reconciliation for Group entitlement: Ensure the value of this parameter is set to Yes to enable the driver to assign group entitlements through the Publisher channel. By default, the value is set to Yes.

Enable Permissions Reconciliation for all Custom entitlements: If the value of this parameter is set to No, you can select which custom entitlements to reconcile. By default, it is set to Yes, which reconciles all custom entitlements.

Add Custom Entitlements for Reconciliation: This parameter is presented if the value of Enable Permissions Reconciliation for all Custom entitlements is set to No.

Click the Add icon to add the custom entitlements you want to selectively onboard, and specify the Assignment Attribute Name for them.