User manual NOVELL IDENTITY MANAGER 3.6.1 STAGING BEST PRACTICES GUIDE 2010
[. . . ] novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION
Novell® Identity Manager™ 3.6.1
Staging Best Practices Guide
June 24, 2010
www.novell.com
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

[. . . ]

The following objects must be included in the list:
- All custom objects that are Security Equivalences objects for all the drivers.
- Custom objects that are used in any policies.
- Custom objects that are used in any job configurations.
- Custom objects that are used in GCVs.
Designer 3.5 and later allows you to import the objects listed in the above table in LDIF format and then deploy them along with the other objects that are being deployed.

NOTE: These objects are not modeled as drivers or driver sets in Designer. They can be modified by editing the LDIF file that contains these objects in Designer.

For more information, refer to Enabling Staging of Projects (http://www.novell.com/documentation/designer35/admin_guide/data/staging_projects.html) in the Designer 3.5 Administration Guide (http://www.novell.com/documentation/designer35/index.html).
2.5 Rights
- Section 2.5.1, "Driver Equivalences"
- Section 2.5.2, "Roles Based Entitlements Policies"
- Section 2.5.3, "Jobs"

2.5.1 Driver Equivalences
Security Equivalences require rights to the objects within the Identity Vault in order to perform tasks on them. For example, an Oracle™ database driver has a policy to create a user in an Identity Vault container every time a user is created in the database, but the driver doesn't have enough permissions on the container to create the user, so the process fails. The driver has rights similar to those of the users/objects that have permissions on the container. All the policies should be carefully evaluated to determine which permissions should be given to the drivers.

Designer 3.5 and later can store the Security Equivalences and Exclude Administrative Roles of the drivers in the project and can assign them to the drivers. Before moving to another staging environment, ensure that you know the Security Equivalences and Exclude Administrative Roles associated with each driver, and ensure that these objects are imported as LDIF objects and moved along with the other objects before they are assigned in the next stage after deployment. If the Security Equivalences objects and the Exclude Administrative Roles objects are stored as LDIF objects, Designer ensures that they are created in the next stage before they are assigned.
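One way to run the pre-move check described above, as an added example that is not part of the Novell guide or of Designer: it reads the entry DNs from an LDIF export and reports, per driver, any Security Equivalences or Exclude Administrative Roles object that would not exist in the next stage. The driver names, DNs, inventory structure and function names are all constructed for illustration.

```python
import base64

def normalize_dn(dn):
    # Case-insensitive compare, ignoring spaces around RDN separators.
    # Simplification: escaped commas inside attribute values are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def ldif_dns(ldif_text):
    """Return the normalized DN of every entry in an LDIF export."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        if line.lower().startswith("dn::"):  # base64-encoded DN
            dns.add(normalize_dn(base64.b64decode(line[4:].strip()).decode("utf-8")))
        elif line.lower().startswith("dn:"):
            dns.add(normalize_dn(line[3:]))
    return dns

def missing_dependencies(driver_deps, ldif_text):
    """Map each driver to the DNs it is assigned that the LDIF export lacks."""
    present = ldif_dns(ldif_text)
    gaps = {}
    for driver, deps in driver_deps.items():
        absent = [dn for dn in deps if normalize_dn(dn) not in present]
        if absent:
            gaps[driver] = absent
    return gaps

# Constructed sample export; the second DN is folded across two lines.
SAMPLE_LDIF = """\
dn: cn=OracleDriverAdmin,ou=services,o=example
changetype: add

dn: cn=ExcludedAdmins,ou=services,
 o=example
changetype: add
"""

# Constructed inventory: driver -> objects it is assigned in the current stage.
DRIVER_DEPS = {
    "Oracle Driver": ["CN=OracleDriverAdmin, OU=services, O=example",
                      "cn=ExcludedAdmins,ou=services,o=example"],
    "AD Driver": ["cn=ADDriverAdmin,ou=services,o=example"],
}
print(missing_dependencies(DRIVER_DEPS, SAMPLE_LDIF))
```

An empty result means every object a driver is assigned is present in the export; any driver listed would be deployed with an assignment pointing at an object that does not exist in the next stage.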
2.5.2 Roles Based Entitlements Policies
Roles Based Entitlements policies are used by the Entitlements Service driver, which grants entitlements to and revokes entitlements from the users. An entitlement policy contains the following:
- Membership: The list of users assigned to a policy. A user can be dynamically assigned to a policy when he or she meets the criteria for the policy, or the user can be statically (manually) assigned to the policy.
- Entitlements: The list of entitlements associated with the policy. Users assigned to the policy receive all of the entitlements associated with the policy. If the user is removed from the policy, he or she loses all entitlements associated with the policy.

You can assign any Identity Vault objects for which you want the entitlement policy to be a trustee. Each member of the policy becomes a trustee of the objects you add.
There are several reasons why you might want to make the policy a trustee of an object:
- One of the policy's entitlements requires the policy's members to have rights to an object.
- You want to use the policy to assign users as trustees of an object even though rights to the object are not required for an entitlement. In this case, you are using the entitlement policy to grant and revoke trustee rights for members of the policy.

[. . . ]

These default indexes are for the following attributes:
- CN
- Aliased Object Name
- dc
- Obituary
- Given Name
- Member
- Surname
- Reference
- uniqueID
- Equivalent to Me
- GUID
- NLS: Common Certificate
- cn_SS
- Revision
- uniqueID_SS
- extensionInfo
- ldapAttributeList
- ldapClassList

You can visit each Identity Vault server and collect the customized index information by doing the following:
1. In Novell® iManager, click the Roles and Tasks tab.
2. Click eDirectory Maintenance > Index Management.
3. Select a server from the list of available servers.

[. . . ]