2.1 Setting Up a Provisioning Project

The Provisioning view is only available for Designer projects that contain a User Application driver. After you set up an Identity Manager project (see “Creating a Project” in the Designer for Identity Manager 3.5: Administration Guide) and configure an Identity Vault and driver set for the project, you add and configure a User Application driver.

To use Designer to configure the Roles tab of the User Application, you must also add a Role Service driver to your project. After completing Section 2.1.1, Creating a User Application Driver, see Section 2.1.2, Adding a Role Service Driver.

2.1.1 Creating a User Application Driver

  1. Expand the project in Project view.

  2. Double-click System Model.

  3. Access the driver configuration page for a new driver by using one of these methods:

    • Right-click the driver set for your project and select New > Driver.

    • Click Provisioning in the Palette, then drag a User Application icon onto the canvas.

    • Click the driver set for your project and select Model > Driver > New.

    Designer displays the Driver Configuration Wizard.

  4. Select one of these driver configurations.

    | Driver Configuration | Description |
    |---|---|
    | User Application 3.0.1 | Creates a Version 3.0.1 User Application driver. |
    | User Application 3.5 | Creates a Version 3.5 User Application driver. |
    | User Application 3.5.1 | Creates a Version 3.5.1 User Application driver. |
    | User Application 3.6 Roles Based Provisioning Module | Creates a Version 3.6 User Application driver (minimum needed to support roles). |
    | User Application 3.6.1 Roles Based Provisioning Module | Creates a Version 3.6.1 User Application driver (minimum needed to support compliance). |

    This procedure describes how to configure all versions and indicates where fields are specific to one version or another.

    Designer launches the following:

  5. Fill in the fields as follows:

    | Property | What to Specify |
    |---|---|
    | Driver Name | The name of an existing User Application driver (the driver specified during the User Application installation), or the name of a new User Application driver. |
    | Authentication ID | The DN of the User Application Administrator. |
    | Application password/Reenter password | The password for the User Application Administrator (above). |
    | Application context | The name of the User Application context, for example, IDM. |
    | Host | The hostname or IP address of the application server where the Identity Manager User Application is deployed. This information is used for two purposes: to trigger workflows on the application server to connect to access workflows (terminate, retract, and so on); and to update cached data definitions. |
    | Port | The port for the Host (above). |
    | Allow Override Initiator | Applies to User Application Version 3.5 and later. This property applies to workflows that are started automatically. Workflows started automatically are typically started under the Admin identity. Selecting Yes for this property allows those workflows to be started under another user identity. For more information, see the Identity Manager User Application: Administration Guide. |

  6. Click Finish.

NOTE: When you create a User Application driver, e-mail templates for the User Application are added to the Default Notification Collection. You must explicitly deploy them. They are not deployed by default when you deploy the User Application driver.

2.1.2 Adding a Role Service Driver

  1. In the same project where you created a User Application driver, click Provisioning in the Palette, then drag a Role Service icon onto the canvas.

  2. Select one of the driver configurations, then click Run.

    | Driver Configuration | Description |
    |---|---|
    | RoleService | Creates a Version 3.6 Role Service driver. |
    | RoleService_3_6_1 | Creates a Version 3.6.1 Role Service driver (minimum needed to support compliance). |

    Designer displays the Driver Configuration Wizard.

  3. Fill in the fields as follows:

    | Field | Description |
    |---|---|
    | Driver name | The name of an existing Role Server driver (the driver specified during the User Application installation), or the name of a new Role Service driver. |
    | User-Group base Container DN | (Version 3.6.1 only.) The driver acts only on users, containers, and groups in this base container. If there are group role assignments, the roles driver only grants/revokes roles on members within the domain of the container. |
    | User Application Driver DN | The DN of the User Application Administrator. |
    | User Application URL | The hostname or IP address of the application server where the Identity Manager User Application is deployed. |
    | User Application Identity | The name of the User Application context, for example, IDMProv. |
    | User Application password | The password for the User Application Administrator (above). |

  4. Click Next or Finish.

2.1.3 Modifying the Role Service Driver Properties

After creating the Role Service driver, you can optionally modify some of the driver configuration settings and modify the additional settings described in Table 2-1. To customize the additional settings:

  1. From the Outline view, select the Role Service driver, then right-click and select Properties.

  2. Select Driver Configuration (in the left pane).

  3. Open the Driver Parameters tab.

  4. Navigate to the Driver Options tab. You can modify the driver’s properties that you specified when you created the driver as well as the properties described in Table 2-1.

Table 2-1 Additional Settings for Customizing the Role Service Driver

| Option | Description |
|---|---|
| Number of days before processing removed request objects | The number of days the driver should wait before cleaning up request objects that have finished processing. This value determines how long you are able to track the status of requests that have been fulfilled. |
| Frequency of reevaluation of dynamic and nested groups (in minutes) | The number of minutes the driver should wait before reevaluating dynamic and nested groups. This value determines the timeliness of updates to dynamic and nested groups used by the User Application. In addition, this value can have an impact on performance. Therefore, before specifying a value for this option, you need to weigh the performance cost against the benefit of having up-to-date information in the User Application. |
| Generate audit events | Determines whether audit events are generated by the driver. |

2.1.4 About E-Mail Notification Templates

Identity Manager includes a standard set of e-mail notification templates (see “Working with E-Mail Templates” in the User Application: Administration Guide). When you create a User Application driver, any e-mail notification templates that are missing from the standard set are replaced. However, existing e-mail notification templates, which might come from an earlier version of Identity Manager, are not updated. To replace existing templates with new templates:

  1. Expand the Outline view.

  2. In the Default Notification Collection, delete the e-mail notification templates that you want to replace.

  3. Right-click Default Notification Collection and select Update Templates.

    You can also use this command at any time to update e-mail notification templates without creating a new User Application driver.

  4. To deploy the e-mail notification templates to the Identity Vault, right-click Default Notification Collection and select Live > Deploy.