1.2 User Application Architecture

The Identity Manager User Application relies on a number of independent components acting together. The core components are shown in Figure 1-2.

Figure 1-2 User Application Core Components

1.2.1 User Interface

The Identity Manager User Application is a browser-based Java* application. It is comprised of a collection of JSR168-compliant portlets, JavaServer* Pages, and JavaServer Faces that run within a Java Web application on a J2EE*-compliant application server. The User Application framework provides container services, such as managing window state, portlet preferences, persistence, caching, theming, logging, and acts as a security gatekeeper. The application server, on which the User Application runs, provides various services to the application as a whole, such as scalability through clustering, database access via JDBC*, and support for certificate-based security.

1.2.2 Directory Abstraction Layer

The directory abstraction layer provides a logical view of the Identity Vault data. You define a set of entities and their related attributes based on the Identity Vault objects that you want users to view, modify, or delete in the User Application. The Directory Abstraction layer:

  • Performs all of the User Application’s LDAP queries against the Identity Vault. This isolates presentation-layer logic from the Identity Vault, so that all requests for identity data go through the directory abstraction layer.

  • Checks constraints and access control on data requests made via the User Application.

  • Caches runtime configuration and entity-definition data obtained from the Identity Vault. See Section 5.1.1, Caching Management

You use the directory abstraction layer editor plug-in (available in Designer for Identity Manager) to define the structure of the directory abstraction layer data definitions. To learn more, see the section on the directory abstraction layer editor in the Identity Manager User Application: Design Guide.

1.2.3 Workflow Engine

The Workflow Engine is a set of Java executables responsible for managing and executing steps in an administrator-defined workflow and keeping track of state information (which is persisted in a database). When the necessary approvals have been given, the Provisioning System provisions the resource as requested.

During the course of workflow execution, the Workflow Engine can send one or more e-mail messages to notify users of changes in the state of the workflow. In addition, it can send e-mail messages to notify users when updates have been made to proxy, delegate, and availability settings.

You can edit an e-mail template in the Designer for Identity Manager or in iManager and then use this template for e-mail notifications. At runtime, the Workflow Engine retrieves the template from the directory and replaces tags with dynamic text suitable for the notification.

Additional details about the Workflow Engine, including how to configure and manage provisioning workflows, are in Section V, Configuring and Managing Provisioning Workflows.

1.2.4 SOAP Endpoints

The User Application provides the following SOAP endpoints to allow third-party software applications to take advantage of User Application services:

Table 1-1 SOAP Endpoints

SOAP Endpoint

Description

Provisioning Web Service

To support third-party access, the provisioning Workflow Engine includes a Web service endpoint. The endpoint offers all provisioning functionality (for example, allowing SOAP clients to start a new approval flow, or list currently executing flows).

Metrics Web Service

The workflow engine also includes a Web Service for gathering workflow metrics. The addition of the Metrics Web Service to the Workflow Engine lets you monitor an approval flow process. In addition, it provides indicators the business manager can use to modify the process for optimal performance.

Notification Web Service

The Provisioning System includes an e-mail notification facility that lets you send e-mail messages to notify users of changes in the state of the provisioning system, as well as tasks that they need to perform. To support third-party access, the notification facility includes a Web service endpoint that lets you send an e-mail message to one or more users.

Directory Abstraction Layer (VDX) Web Service

The directory abstraction layer provides a logical view of the Identity Vault data. To support access by third-party software applications, the directory abstraction layer includes a Web service endpoint called the VDX Web Service. This endpoint lets you access the attributes associated with entities defined in the directory abstraction layer. It also lets you perform ad hoc searches for entities and execute predefined searches called global queries.

Role Web Service

To support access by third-party software applications, the Role subsystem includes a Web service endpoint called the Role Web Service. It supports a wide range of role management and SoD management functions.

1.2.5 Application Server (J2EE-Compliant)

The application server provides the runtime framework in which the User Application, directory abstraction layer and Workflow Engine execute. The User Application is packaged as a Java Web Application Archive, or WAR file. The WAR is deployed to the application server.

The User Application runs on JBOSS and WebSphere. For a complete list of supported platforms, see the Roles Based Provisioning Module Installation Guide.

1.2.6 Database

The User Application relies on a database (MySQL* by default; see the Roles Based Provisioning Module Installation Guide for a list of supported databases) to store several kinds of information:

  • User application configuration data: for example, Web page definitions, portlet instance registrations, and preference values.

  • Workflow state information is persisted in the database. (The actual workflow definitions are stored in the User Application driver in the Identity Vault.)

  • Novell Audit logs

1.2.7 User Application Driver

The User Application driver is an important enabling piece of the User Application. It is responsible for:

  • Storing application-specific environment configuration data.

  • Notifying the directory abstraction layer when important data values change in the Identity Vault. This causes the directory abstraction layer to update its cache.

The User Application driver can be configured to:

  • Allow events in the Identity Vault to trigger workflows.

  • Communicate the success or failure of a workflow's provisioning activity back to the User Application database, which allows users to view the final status of their requests.

  • Start workflows automatically in response to changes of attribute values in the Identity Vault.

The User Application driver is not only a runtime component but a storage wrapper for directory objects (comprising the User Application’s runtime artifacts).

Table 1-2 Artifacts Stored in the User Application Driver

Artifacts

Description

Driver Set Object

Every Identity Manager installation requires that drivers be grouped into driver sets. Only one driver set can be active at a time (on a given directory server). The drivers within that set can be toggled on or off individually without affecting the driver set as a whole. The User Application driver (like any other Identity Manager driver) must exist inside a driver set. The driver set is not automatically created by the User Application; you must create one, then create the User Application driver within it.

User Application

The User Application driver object is the container a variety of artifacts. The User Application driver implements Publisher and Subscriber channel objects and policies. The Publisher channel is not used by the User Application but is available for custom user cases.

App Config Object

The AppConfig object is a container for the following User Application configuration objects.

  • RequestDefs: Container for Provisioning Request Definitions. The definitions stored here (as XML) represent the classes of requests that end users with appropriate rights can instantiate via the User Application.

  • WorkflowDefs: :Container for Workflow objects, including design-time descriptions plus any template or unused flows.

  • ResourceDefs: Container for Provisioned Resource definitions, including design-time descriptions plus any templates or unused targets.

  • ServiceDefs: Container for Service Definition objects, which wrap Web Services called by workflows.

  • DirectoryModel: Directory abstraction layer objects that represent different types of content of the Identity Vault that can be exposed in the User Application.

  • AppDefs: Container for configuration objects that initialize the runtime environment, such as cache configuration information and e-mail notification properties.

  • ProxyDefs: Container for proxy definitions.

  • DelegateeDefs: Container for delegate definitions.

1.2.8 Role and Resource Service Driver

The Roles subsystem uses the Role and Resource Service driver to manage backend processing of roles. For example, it manages all role assignments, starts workflows for role assignment requests and SoD conflicts that require approvals, and maintains indirect role assignments according to group and container membership, as well as membership in related roles. The driver also grants and revokes entitlements for users based on their role memberships, and performs cleanup procedures for requests that have been completed.

The Role and Resource Service driver performs the following functions:

  • Starts an SoD workflow and waits for approvals in situations where a role request requires an SoD workflow

  • Starts a role assignment workflow and waits for approvals in situations where a role request requires a workflow

  • Adds users to and remove users from roles. To do this, the Role and Resource Service driver:

    • Waits for a start date before making assignments

    • Terminates a role assignment when the end date is reached

  • Adds and removes higher-level and lower-level role relationships

  • Adds and removes role assignments for groups

  • Adds and removes role assignments for containers

  • Maintains all role membership information for indirect role assignments, including:

    • Role assignments acquired through role relationships

    • Role assignments that result from membership in groups

    • Role assignments that result from membership in containers

  • Grants and revokes entitlements to and from users according to their role memberships

  • Maintains additional reporting information that is associated with each role assignment

  • Maintains additional reporting information on objects in eDirectory, such as:

    • Approval information

    • Where indirect assignments come from

    • Where entitlements come from

  • Logs events to Novell Audit

  • Cleans up processed requests after a user-specified amount of time

  • Recalculates role assignments based on dynamic and nested groups on a polled basis

1.2.9 Designer for Identity Manager

Designer for Identity Manager provides a set of plug-ins you can use to define the directory abstraction layer objects and provisioning requests and their associated workflows. For more information, see Section 1.4, Design and Configuration Tools

1.2.10 iManager

iManager provides a set of plug-ins you can use to view provisioning requests and manage their associated workflows. For more information, see Section 1.4, Design and Configuration Tools.

1.2.11 Identity Manager Engine

The Identity Manager engine provides the runtime framework that monitors events in the Identity Vault and connected systems. It enforces policies and routes data to and from the Identity Vault. The Identity Manager User Application is a connected system. Communication between the Identity Vault, the User Application’s directory abstraction layer, and the Workflow Engine occurs through the User Application driver.

1.2.12 Identity Vault

The Identity Vault is the repository for user data (and other identity data) plus the Identity Manager driver set and the User Application driver. Because the User Application relies on various Identity Vault objects, it’s necessary to extend the eDirectory schema to accommodate the custom LDAP objects and attributes required by the User Application. The schema extension occurs automatically as part of the User Application install. The custom objects and attributes are populated with default values after the User Application driver is installed and activated.

1.2.13 Novell Audit

Novell Audit is an independent logging server that can persist a variety of kinds of data (such as data generated by steps of a workflow). For more information, see Section 3.0, Setting Up Logging.