Novell 4.0.2 Designer Identity Manager Administration Guide
Below you will find brief information for Identity Manager 4.0.2 Designer. This guide provides detailed instructions on configuring and managing Identity Manager 4.0.2 Designer, including its various features and functionalities. It covers topics such as installation, project creation, modeling, object configuration, package management, schema management, dataflow management, and best practices for development.
Designer for Identity Manager 4.0.2 Administration Guide
November 2013

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2013 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc.
1800 South Novell Place
Provo, UT 84606
U.S.A.
www.novell.com

Online Documentation: To access the online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

Novell Trademarks
For a list of trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

Third-Party Materials
All third-party trademarks are the property of their respective owners.

Contents

About This Guide

1 Installing Designer
  1.1 System Requirements
    1.1.1 Hardware Requirements
    1.1.2 Platform Requirements
    1.1.3 Additional Software Requirements
  1.2 Installing Designer
  1.3 Upgrading Designer
  1.4 Using the Silent Install
  1.5 Uninstalling Designer

2 Creating a Project
  2.1 When No Project Exists
  2.2 When You Want to Create an Additional Project
  2.3 When You Want to Import a Project
  2.4 When You Want to Disable a Project

3 Creating a Model
  3.1 Basic Tasks
  3.2 Accessing the Modeler
  3.3 Selecting a Modeling Mode
    3.3.1 Developer Mode
    3.3.2 Architect Mode
    3.3.3 Dataflow Mode
    3.3.4 Table Mode
  3.4 Working from the Palette
    3.4.1 About the Palette
    3.4.2 Palette Operations
    3.4.3 Using Generic Applications
    3.4.4 Fly-Out Palette
    3.4.5 Resizing the Palette
    3.4.6 Docking the Palette
    3.4.7 Arranging Folders and Applications
    3.4.8 Changing the Layout
    3.4.9 Keyboard Support for the Palette
  3.5 Creating a Driver
  3.6 Copying and Pasting
    3.6.1 Copying Applications
    3.6.2 Copying a Driver Set
    3.6.3 Copying an Identity Vault
    3.6.4 Copying a Domain Group
    3.6.5 Copying between Editors
  3.7 Moving Items
  3.8 In Line Editing
  3.9 Tooltips and Toolbar
  3.10 Organizing by Domain Groups
    3.10.1 About Domain Groups
    3.10.2 Key Features
    3.10.3 Creating a Domain Group
    3.10.4 Minimizing (Collapsing) Domain Groups
    3.10.5 Restoring Domain Groups
    3.10.6 Maximizing Domain Groups
    3.10.7 Using a List View of Domain Groups
    3.10.8 Auto-Placement of Neighbors
    3.10.9 Grouping into a New Domain Group
    3.10.10 Ungrouping a Domain Group
    3.10.11 Clearing Contents
    3.10.12 Changing a Domain Group Icon
    3.10.13 Keyboard Support for Domain Groups
  3.11 Connecting Applications
    3.11.1 Automatic Connections
    3.11.2 Connection Target Highlights
    3.11.3 Automatically Creating Objects
    3.11.4 Auto Redraw
    3.11.5 Manually Connecting
    3.11.6 eDir-to-eDir Connections
    3.11.7 Multiple Driver Connections
    3.11.8 Straightening Connections
    3.11.9 Reconnecting
    3.11.10 Driver Icons
    3.11.11 Selected Drivers
    3.11.12 Auto-Layout of Imported Objects
    3.11.13 Keyboard Support for Connections
  3.12 Aligning and Laying Out Components
    3.12.1 Alignment Hints
    3.12.2 Using Rulers
    3.12.3 Using a Grid
    3.12.4 Distributing Applications
    3.12.5 Auto-Layouts
    3.12.6 Layouts to Use for Imports
  3.13 Editing Multiple Objects
  3.14 Modeling Active Directory Domain Controllers
    3.14.1 Configuring a Connection
    3.14.2 Discovering Controllers
    3.14.3 Information about Domain Controllers
  3.15 Saving Your Model

4 Configuring Objects in Designer
  4.1 Viewing Object Properties
    4.1.1 Properties View
    4.1.2 Properties Dialog Box
    4.1.3 Operations Relating to Properties
  4.2 Configuring a Domain Group
  4.3 Configuring Identity Vaults
    4.3.1 Configuration
    4.3.2 Administrator
    4.3.3 Packages
    4.3.4 Server List
    4.3.5 iManager
    4.3.6 Local Hostname
  4.4 Configuring Servers
  4.5 Configuring Driver Sets
    4.5.1 Driver Set General Options
    4.5.2 Driver Set Configuration
    4.5.3 Driver Set Global Configuration Values
    4.5.4 Java Environment Parameters
    4.5.5 Driver Set Log Levels
    4.5.6 Driver Set Named Passwords
    4.5.7 Driver Set Packages
    4.5.8 Driver Set Server List
    4.5.9 Driver Set Trace
  4.6 Configuring Libraries
  4.7 Configuring Drivers
    4.7.1 Driver General Settings
    4.7.2 Driver Configuration
    4.7.3 Engine Control Values
    4.7.4 Driver Global Configuration Values
    4.7.5 Driver Health Configuration
    4.7.6 Driver Log Level
    4.7.7 Driver Manifest
    4.7.8 Driver Named Passwords
    4.7.9 Driver Packages
    4.7.10 Reciprocal Attributes
    4.7.11 Driver Trace Levels
    4.7.12 Driver iManager Icon
  4.8 Configuring Policies
    4.8.1 Editing a Policy Name
    4.8.2 Viewing References
  4.9 Configuring Resource Objects
  4.10 Configuring Categories
  4.11 Configuring Groups
  4.12 Configuring Packages
    4.12.1 Package General Settings
    4.12.2 Package Configuration Wizard
    4.12.3 Package Constraints
    4.12.4 Package Dependencies
    4.12.5 Package Initial Settings
    4.12.6 Package Languages
    4.12.7 Package License
    4.12.8 Package Linkage
    4.12.9 Package Readme
    4.12.10 Package Targets
    4.12.11 Package Vendor
  4.13 Configuring Package Content
    4.13.1 Package Content General Settings
    4.13.2 Package Content Installation
    4.13.3 Package Content Linkage
  4.14 Configuring Prompts
    4.14.1 Prompts General Settings
    4.14.2 Prompts
    4.14.3 Prompts Transformation
    4.14.4 Target Transformation
  4.15 Configuring Global Configuration Objects
    4.15.1 Global Configuration Object General Settings
    4.15.2 Global Configuration Object GVCs
  4.16 Configuring Jobs
    4.16.1 General
    4.16.2 Trace
  4.17 Configuring ID Policy Containers
  4.18 Configuring ID Policies
  4.19 Configuring a Notification Template
  4.20 Configuring Application Properties
    4.20.1 General
    4.20.2 AD Domain
    4.20.3 Administrator
    4.20.4 Connectivity
    4.20.5 Environment
  4.21 Adding Prompts to a Driver Configuration File
  4.22 Synchronizing Passwords

5 Managing Identity Manager Versions
  5.1 Key Differences in Identity Manager Versions
  5.2 Changing the Identity Manager Version
  5.3 Tracking Versions of Identity Manager
  5.4 Support for Driver Configuration Versions
  5.5 Checking Projects for Version Issues
  5.6 Adjusting the UI Based on the Version Number

6 Managing Packages
  6.1 Understanding Packages
    6.1.1 Advantages of Packages
    6.1.2 Understanding Package Dependencies
    6.1.3 Package Content
  6.2 Installing or Upgrading Packages
    6.2.1 Installing Packages
    6.2.2 Adding Packages
    6.2.3 Upgrading Installed Packages
    6.2.4 Importing Packages into the Package Catalog
  6.3 Customizing Default Packages
  6.4 Removing or Downgrading Packages
    6.4.1 Uninstalling Packages
    6.4.2 Downgrading Installed Packages
    6.4.3 Removing Packages from the Package Catalog
    6.4.4 Running a Driver in Factory Mode
    6.4.5 De-activating Factory Mode

7 Developing Packages
  7.1 Why Use Custom Packages?
  7.2 Developing Custom Packages
  7.3 Preparing to Develop Packages
    7.3.1 Setting Default Package Preferences
    7.3.2 Creating a Development Driver
    7.3.3 Enabling Package Development Mode
    7.3.4 Defining Custom Package Structure
  7.4 Creating a Base Package
  7.5 Configuring Initial Settings
  7.6 Working with Package Prompts
    7.6.1 Understanding Package Prompts
    7.6.2 Understanding Package Prompt Types
    7.6.3 Understanding Package Prompt Transformations
    7.6.4 Example Default Prompt Transformations
    7.6.5 Example Default Target Transformations
    7.6.6 Examples of Modified Prompt Transformations
    7.6.7 Example of Modified Target Transformation
    7.6.8 Adding Default Package Prompts
    7.6.9 Creating Custom Package Prompts
    7.6.10 Editing Package Prompts
  7.7 Creating Identity Vault and Driver Set Packages
    7.7.1 Creating Libraries
    7.7.2 Adding GCV Resource Objects
    7.7.3 Adding Notification Templates
  7.8 Creating Feature Packages
  7.9 Configuring Mandatory and Optional Feature Packages
  7.10 Adding Content to Packages
    7.10.1 Adding GCVs to Feature Packages
    7.10.2 Adding Prompt Resources
    7.10.3 Adding Policies
    7.10.4 Adding Filter Extensions
  7.11 Copying Packages
  7.12 Building Packages
  7.13 Versioning Packages
  7.14 Localizing Packages
  7.15 Adding and Configuring Licenses
  7.16 Releasing and Publishing Packages
  7.17 Best Practices for Package Development
    7.17.1 Creating Packages
    7.17.2 Naming Packages
    7.17.3 Package Versioning
    7.17.4 Defining Package Relationships
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 7.17.5 Documenting Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 7.17.6 Naming Package Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 7.17.7 Reusing Package Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 8 Managing the Schema 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 205 Using the Manage Schema Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 8.1.1 The Classes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 8.1.2 The Attributes Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Creating Classes and Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 8.2.1 Creating Identity Vault Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 8.2.2 Creating Identity Vault Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Modifying the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 8.3.1 Deleting Schema Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 8.3.2 Modifying Classes or Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 8.3.3 Renaming Schema Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Deploying the Schema into the Identity Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . 219 Exporting the Schema to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 8.5.1 Exporting the Schema to a .sch File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 8.5.2 Exporting the Schema to an LDIF File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Importing the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 8.6.1 Importing the Schema from the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 8.6.2 Importing the Schema from a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Managing a Copy of an Application Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 8.7.1 Editing an Application’s Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 8.7.2 Refreshing the Application Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Mapping Identity Vault to an LDAP Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Comparing the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 9 Managing the Flow of Data 9.1 241 The Dataflow View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 9.1.1 Accessing the Dataflow View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 9.1.2 Flow Arrows in the Modeler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Contents 7 9.2 9.3 9.4 9.5 9.6 9.7 9.1.3 Viewing How Attributes Are Synchronized. . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . 246 9.1.4 Changing the Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 The Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 9.2.1 Filtering Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 9.2.2 Filtering Identity Vaults and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 9.2.3 Pinning the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 9.2.4 Expanding and Collapsing the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 9.2.5 Switching to an eDirectory Tree Icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 9.2.6 Viewing an eDir-to-eDir Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 9.2.7 Keyboard Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 Adding Items in the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 9.3.1 Adding an Identity Vault in the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 9.3.2 Adding a Driver in the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 9.3.3 Adding an Application in the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 9.3.4 Adding Classes and Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 9.3.5 Adding Non-Filter Attributes. . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . 263 Removing Items from the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 9.4.1 Removing an Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 9.4.2 Removing Classes and Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Editing Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 9.5.1 Editing within the Dataflow Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 9.5.2 Editing Non-Filter Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 9.5.3 Managing Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 9.5.4 Removing a Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 9.5.5 Changing How Data Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Generating HTML Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Integrating Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 10 Creating and Managing Policies 275 11 Setting Up E-Mail Notification Templates 277 11.1 11.2 11.3 11.4 11.5 Viewing Notification Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Editing a Notification Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 11.2.1 Selecting a Format. . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 11.2.2 Specifying a Subject . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 11.2.3 Working with Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 11.2.4 Attaching an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 11.2.5 Editing a Template Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Adding and Deploying a Notification Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 11.3.1 Adding a Notification Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 11.3.2 Importing a Notification Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286 11.3.3 Deploying a Notification Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Policy Builder and Notification Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Configuring the E-Mail Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 12 Importing into Designer 12.1 12.2 8 289 Importing Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 12.1.1 Importing a Project from the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 12.1.2 Importing a Project from the File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 12.1.3 Importing a Project from iManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
300 12.1.4 Importing a Project from a Version Control Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Importing a Library, a Driver Set, or a Driver from the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . 305 12.2.1 Associating a Server to the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 12.2.2 Importing a Library from the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 12.2.3 Importing a Driver Set from the Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide 12.3 12.4 12.5 12.6 12.7 12.2.4 Importing a Driver from the Identity Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Importing Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Importing a Driver Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 12.4.1 Importing an Identity Manager Project from the File System . . . . . . . . . . . . . . . . . . . . . . . 318 12.4.2 Importing a Driver Configuration from a File in the Modeler View . . . . . . . . . . . . . . . . . . . 318 12.4.3 Importing from a File through the Outline View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Importing Channels, Policies, and Schema Items from the Identity Vault . . . . . . . . . . . . . . . . . . . . 323 12.5.1 Importing a Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 12.5.2 Importing a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 12.5.3 Importing a Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . 331 Using the Compare Feature When Importing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 12.6.1 Using Compare When Importing a Driver Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 12.6.2 Using Compare on a Channel Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 12.6.3 Using Compare on a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 12.6.4 Matching Attributes with Designer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Error Messages and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 13 Documenting Projects 13.1 13.2 13.3 13.4 13.5 13.6 345 Creating a Document Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Editing a Document Style for Your Needs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 13.2.1 Editing a Style Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 13.2.2 Editing Sections of a Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Generating a Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349 Using Your Style Template for Other Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 13.4.1 Documenting a Section of the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 13.4.2 Documenting Multiple Sections of the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Customizing Styles to Include or Exclude Information . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . 357 13.5.1 Identity Vault Schema and Application Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357 13.5.2 Using Project Configuration to Limit Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358 Advanced Editing of a Document Style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 13.6.1 What’s In the Advanced Editing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360 13.6.2 A Walk-through Tutorial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 13.6.3 Selecting a Language for Generated Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 13.6.4 Double-Byte Font Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 14 Using Entitlements 14.1 14.2 14.3 14.4 14.5 381 How Entitlements Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381 Designing Entitlements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 14.2.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 14.2.2 Entitlement Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 14.2.3 Identity Manager Drivers with Preconfigurations that Support Entitlements . . . . . . . . . . . 384 14.2.4 Enabling Entitlements on Identity Manager Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Creating Entitlements through the Entitlement Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 14.3.1 Valueless Entitlements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . 388 14.3.2 Valued Entitlement that Queries an External Application. . . . . . . . . . . . . . . . . . . . . . . . . . 390 14.3.3 Administrator-Defined Entitlements with Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396 14.3.4 Administrator-Defined Entitlements without Lists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Editing and Viewing Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 14.4.1 Entitlement XML Source and XML Tree Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403 14.4.2 Using the Novell Entitlement DTD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 Managing Entitlements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406 15 Scheduling Jobs 15.1 409 Job Scheduler Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Contents 9 15.2 15.3 Creating a Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410 15.2.1 Copying a Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Editing a Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 15.3.1 Job Editor Selections on the General Settings Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 15.3.2 Job Editor Selections on the Job Parameters Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 15.3.3 Job Editor Selections on the Scheduler Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 15.3.4 Job Editor Selections on the Notification Settings Page . . . . . 
. . . . . . . . . . . . . . . . . . . . . 423 16 Deploying and Exporting 427 16.1 16.2 16.3 Preparing to Deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Deploying a Project to an Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428 Deploying a Driver Set to an Identity Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 16.3.1 eDir-to-eDir Deployments and SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 16.4 Deploying a Driver to an Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430 16.5 Deploying a Channel to an Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433 16.6 Deploying a Policy to an Identity Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 16.7 Using the Compare Feature When Deploying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435 16.7.1 Using Compare when Deploying a Driver Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 16.7.2 Using Compare Before Deploying a Channel Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 16.7.3 Using Compare Before Deploying a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 16.7.4 Matching Attributes with Designer Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 16.7.5 Comparing Driver Set and Driver Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 16.7.6 Renaming and Deleting Deployed Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 16.8 Troubleshooting Deployed Objects . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 16.9 Exporting a Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 16.10 Exporting to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 16.10.1 Using the Export Context Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448 16.10.2 Exporting Configuration Files from the Modeler View . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449 16.10.3 Exporting Configuration Files from the Outline View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450 17 The Novell XML Editor 17.1 17.2 17.3 17.4 17.5 About the Novell XML Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 17.1.1 Creating XML Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453 17.1.2 Validating Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 17.1.3 Outline View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 17.1.4 XPath Navigator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Using the Source Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Using the Tree Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Attaching a Schema or DTD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Setting XML Editor Preferences . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 18 Tools 18.1 18.2 18.3 18.4 18.5 10 453 465 Converting Earlier Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465 18.1.1 Converting Projects from Designer 3.5 to Designer 4.0.2 . . . . . . . . . . . . . . . . . . . . . . . . . 465 18.1.2 Converting Projects with the Project Converter Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 466 18.1.3 Running Later Projects on Earlier Designer Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Migrating Driver Configuration Data to a New Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 18.2.1 Using the Server Migration Wizard to Migrate the Driver Set . . . . . . . . . . . . . . . . . . . . . . 470 18.2.2 Migrating a Driver Set to a Server in a Different Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 18.2.3 Migrating Server Data for Each Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Opening a Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Launching iManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Checking Your Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide 18.5.1 Checking a Project. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 18.5.2 Customizing the Project Checker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 18.5.3 Items That Are Checked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
481 18.6 Managing Directory Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 18.6.1 Tool-Based Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 18.6.2 Task-Based Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485 18.6.3 Browsing, Viewing, or Modifying Object Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 18.7 Configuring TLS for eDir-to-eDir Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 18.7.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 18.7.2 Enabling TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 18.7.3 Creating Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 18.8 Using DS Trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491 18.8.1 Viewing DS Trace Live. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 18.8.2 Creating a DS Trace Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 18.8.3 Viewing a DS Trace Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494 18.9 Working with Generic Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 18.9.1 Creating a Generic Resource Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 18.9.2 Editing a Generic Resource Object . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 18.10 Updating Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 19 Editing Icons for Drivers and Applications 19.1 19.2 501 Editing Driver Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Editing Application Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 20 Version Control 20.1 20.2 20.3 20.4 20.5 20.6 509 Installing a Subversion Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 20.1.1 Downloading and Installing the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 20.1.2 Configuring the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 Checking In a Project to a Version Control Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Importing a Project from a Version Control Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Accessing the Version Control View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520 20.4.1 Version Control Icons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521 20.4.2 Version Control View Headings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 20.4.3 Version Control Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Comparing Revisions and Resolving Conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531 20.5.1 Comparing Revisions. . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532 20.5.2 Resolving Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 20.5.3 The Modeler View Layout In a Team-Enabled Environment . . . . . . . . . . . . . . . . . . . . . . . 538 20.5.4 Provisioning Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 Version Control Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 20.6.1 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 20.6.2 Managing Packages Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544 20.6.3 Best Practice Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 20.6.4 Subversion and Version Control Interaction Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550 21 Setting Preferences 21.1 21.2 551 Finding Preference Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551 21.2.1 Appearance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 21.2.2 Compare/Patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 21.2.3 Content Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556 21.2.4 Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
  21.2.5 Keys
  21.2.6 Network Connections
  21.2.7 Perspectives
  21.2.8 Startup and Shutdown
  21.2.9 Web Browser
  21.2.10 Welcome
21.3 Help
  21.3.1 Content
21.4 Novell
  21.4.1 Designer
  21.4.2 Identity Manager
  21.4.3 Package Manager
  21.4.4 Provisioning
21.5 Validation
21.6 Web
  21.6.1 CSS Files
  21.6.2 HTML Files
21.7 XML
  21.7.1 XML Catalog
  21.7.2 XML Files

22 Troubleshooting Designer
22.1 Running the Project Checker
22.2 Viewing the Error Log
  22.2.1 Browsing the File System
  22.2.2 Using Menus
  22.2.3 Event Details
  22.2.4 Customizing Filter Settings
22.3 Turning on Trace Messages
22.4 Checking Loaded Plug-Ins
22.5 Deploying Identity Manager Objects
  22.5.1 Deployment Considerations
  22.5.2 An Example Deployment Error
22.6 Display Issues
  22.6.1 No F1 Help in Maximized Editors
  22.6.2 Running Designer with 120 DPI Fonts in Windows
  22.6.3 Display Issues on Linux
  22.6.4 Copying, Pasting, and Dragging in the Navigator View Don't Update Version Control
22.7 Freeing Heap Memory
22.8 Project Files Are Not Encrypted
22.9 Users Cannot Import and Check In Multiple Instances of the Same Package Under Version Control
22.10 Drivers Not Associated with Base Packages After Live Import
22.11 Error Messages and Solutions
  22.11.1 Identity Vault Configuration Errors
  22.11.2 Driver Configuration Errors
  22.11.3 Internal Designer Errors
  22.11.4 eDirectory Access Errors
  22.11.5 eDirectory Object/Attribute Creation Errors
  22.11.6 Warnings
22.12 Reporting Bugs and Giving Feedback

A Modeler Operations
A.1 Modeler Space Operations
A.2 Identity Vault Operations
A.3 Driver Set Operations
A.4 Driver Operations
A.5 Application Operations
A.6 Submenus
A.7 Keyboard Support

B Document Generator Core Support Templates
B.1 dgSection.xsl
B.2 dgFormat.xsl
B.3 idmConfig.xsl
B.4 idmUtil.xsl

C Adding Applications and Drivers to the Palette
C.1 Definition Folders and Files
  C.1.1 Driver Configuration and Localization Files
  C.1.2 Palette Folders and Files
  C.1.3 The Notification Templates Folder
  C.1.4 The Themes Folder
C.2 Adding to the Palette
  C.2.1 Copying Configuration Files
  C.2.2 Creating the Group
  C.2.3 Adding a Key_Value Pair
  C.2.4 Creating a Driver Definition
  C.2.5 Creating the Application
  C.2.6 Hooking Up the Custom Application
C.3 Protecting Your Customized Files

D Moving Data from Older Projects
D.1 Importing Data from a Live System
D.2 Exporting Data from the Old Project to Configuration Files
  D.2.1 If Multiple Servers Are Associated with a Driver Set
  D.2.2 Customized E-Mail Templates
D.3 Manually Configuring Information That Is Not Imported

E Version Control with Subversion and Identity Manager Designer
E.1 Understanding Subversion
  E.1.1 How Revisions Work In Subversion
  E.1.2 Understanding Atomic Commits
  E.1.3 Where Subversion Stores the Project Data
  E.1.4 Moving an Existing Project
E.2 Administering Your Subversion Server
  E.2.1 Server Specifications
  E.2.2 Network Protocols
  E.2.3 Authentication Schemes
  E.2.4 Using Client Certificates
  E.2.5 Configuring Subversion with Apache HTTP
  E.2.6 Proxy Server Configuration
  E.2.7 Subversion Server Backup
E.3 Taking Full Advantage of Version Control
  E.3.1 When to Commit and When to Update
  E.3.2 Comments
  E.3.3 Creating and Using Tags
  E.3.4 Subversion Keyword Substitution
E.4 Glossary

About This Guide

Designer for Identity Manager can help you design, test, document, and deploy Identity Manager solutions in a highly productive environment. Newcomers can use wizards to build Identity Management solutions. Veterans and expert users can bypass the wizards and interact directly at any level of detail.

Use the following list to access the information you need:

- Chapter 1, “Installing Designer”
- Chapter 2, “Creating a Project”
- Chapter 3, “Creating a Model”
- Chapter 4, “Configuring Objects in Designer”
- Chapter 5, “Managing Identity Manager Versions”
- Chapter 6, “Managing Packages”
- Chapter 7, “Developing Packages”
- Chapter 8, “Managing the Schema”
- Chapter 9, “Managing the Flow of Data”
- Chapter 10, “Creating and Managing Policies”
- Chapter 11, “Setting Up E-Mail Notification Templates”
- Chapter 12, “Importing into Designer”
- Chapter 13, “Documenting Projects”
- Chapter 14, “Using Entitlements”
- Chapter 15, “Scheduling Jobs”
- Chapter 16, “Deploying and Exporting”
- Chapter 17, “The Novell XML Editor”
- Chapter 18, “Tools”
- Chapter 19, “Editing Icons for Drivers and Applications”
- Chapter 20, “Version Control”
- Chapter 21, “Setting Preferences”
- Chapter 22, “Troubleshooting Designer”
- Appendix A, “Modeler Operations”
- Appendix B, “Document Generator Core Support Templates”
- Appendix C, “Adding Applications and Drivers to the Palette”
- Appendix D, “Moving Data from Older Projects”
- Appendix E, “Version Control with Subversion and Identity Manager Designer”

Audience

Designer for Identity Manager was created for the following audiences:

- Enterprise IT developers
- Consultants
- Sales engineers
- Architects or system designers
- System administrators

Designer is aimed at information technology professionals who:

- Have a strong understanding of directories, databases, and the information environment
- Act in the role of a designer or architect of identity-based solutions

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comment feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.

Documentation Updates

For the most recent version of the Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide, visit the Identity Manager Web site (http://www.novell.com/documentation/idm402).

Additional Documentation

- Understanding Designer for Identity Manager
- Identity Manager 4.0.2 Integrated Installation Guide
- Understanding Policies for Identity Manager 4.0.2
- Policies in Designer 4.0.2
- Novell Credential Provisioning for Identity Manager 4.0.2
- Identity Manager 4.0.2 DTD Reference
- Identity Manager 4.0.2 driver guides (http://www.novell.com/documentation/idm402drivers/)

For more documentation concerning Identity Manager 4.0.2, see the Identity Manager 4.0.2 Documentation Web site (http://www.novell.com/documentation/idm402/index.html).

1 Installing Designer

- Section 1.1, “System Requirements”
- Section 1.2, “Installing Designer”
- Section 1.3, “Upgrading Designer”
- Section 1.4, “Using the Silent Install”
- Section 1.5, “Uninstalling Designer”

1.1 System Requirements

Review the following system requirements before installing Designer.

- Section 1.1.1, “Hardware Requirements”
- Section 1.1.2, “Platform Requirements”
- Section 1.1.3, “Additional Software Requirements”

1.1.1 Hardware Requirements

- Minimum resolution is 1024 x 768. The recommended resolution for Designer is 1280 x 1024.
- 1024 MB RAM
- 1 GB available disk space (recommended)
- 1 GHz processing speed

1.1.2 Platform Requirements

The following tables provide a list of the certified and supported platforms and virtualization systems on which you can install Designer.

IMPORTANT: Certified platform means that the platform has been fully tested. Supported platform means that the platform has not been tested, but is expected to be functional.

Table 1-1 Certified and Supported Platforms
(Columns in the original table: Certified Platform Versions, Supported Platforms, Notes. Each row is given below as one entry.)

- Windows Server 2003 SP2 (32-bit): Supported on later versions of service packs. Only the 32-bit version is certified.
- Windows Server 2008 SP2 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- Windows Server 2008 R2 SP1 (64-bit): Supported on later versions of service packs. Only the 64-bit version of the platform is available.
- Windows Vista Business (32-bit and 64-bit): Both the 32-bit and 64-bit versions are supported but not certified.
- Windows XP Professional SP3 (32-bit): Supported on later versions of service packs. Only the 32-bit version is certified.
- Windows 7 SP1 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- openSUSE 10.3 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- openSUSE 11.4 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified. The internal browser does not work as expected in openSUSE 11.4, so it is recommended to use an external browser. To do so, browse to Window > Preferences > General > Web Browser and select Use external web browser.
- SUSE Linux Enterprise Desktop 10 SP4 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- SUSE Linux Enterprise Desktop 11 SP1 (32-bit and 64-bit): Both the 32-bit and 64-bit versions are supported but not certified.
- SUSE Linux Enterprise Desktop 11 SP2 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- SUSE Linux Enterprise Server 10 SP4 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.
- SUSE Linux Enterprise Server 11 SP1, SP2 (32-bit and 64-bit): Supported on later versions of service packs. Both the 32-bit and 64-bit versions are certified.

Table 1-2 Certified and Supported Virtualization Systems
(Columns in the original table: Certified System, Versions Supported, Notes. Each row is given below as one entry.)

- Xen: All platforms listed in Table 1-1 and supported by Xen. Xen is supported when the Xen Virtual Machine is running SLES 10, SLES 11, or Windows 2008 R2 as the guest operating system in paravirtualized mode and SLES 10 SP2 as the host operating system.
- Windows Server 2008 R2 Virtualization with Hyper-V: All platforms listed in Table 1-1 and supported by Hyper-V.
- VMware ESX, ESXi 4.0, ESXi 5.0: Supported on SLES 11 SP2 (64-bit) as the guest operating system for VMware and all the certified platforms supported by VMware ESX in Table 1-1.
- VMware Workstation 6.5: Supported on SLES 11 SP1 as the base operating system. The base operating system can be any system supported by VMware Workstation 6.5 and later. All the certified platforms listed in Table 1-1 are supported by VMware Workstation as the guest operating system.

1.1.3 Additional Software Requirements

Designer requires the GNU gettext utilities in Linux environments. When you install support packages for Designer, such as the NICI package, certain Linux core utilities are needed. The GNU gettext utilities provide a framework for internationalized and multilingual messages. Before installing Designer, make sure that you have installed this package. You can use YaST to check for dependencies and installed packages.

In SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop 11 environments, Designer requires version 1.9.2.24 - 2011110900 of the XULRunner runtime environment.

In openSUSE environments, Designer also requires all libraries from openSUSE.org (http://www.opensuse.org/). Ensure you include the following libraries:

- bug-buddy
- gtk2 (32-bit)
- libgthread

IMPORTANT: If you are installing Designer on a 64-bit system, ensure that the libgthread-2_0-0-32bit2.17.2+2.17.3+20080708+r7171-3.1.x86_64.rpm compat library is installed before starting the Designer installation. Designer requires the 32-bit version of the gtk2 RPM, even when you install Designer on a 64-bit system.

You can install Designer in the following languages:

- Brazilian Portuguese
- Dutch
- French
- German
- Italian
- Japanese
- Simplified Chinese
- Spanish
- Traditional Chinese

For more information about the languages supported by the Identity Manager installers, see the “Language Support for the Identity Manager Installers” section in the Identity Manager 4.0.2 Framework Installation Guide.

1.2 Installing Designer

Designer is installed through the Identity Manager integrated installer, or you can install it separately. Designer runs in an Eclipse environment. For detailed instructions for the installation, see “Installing Identity Manager” in the Identity Manager 4.0.2 Integrated Installation Guide.

You can also install Designer without the integrated installer. For detailed instructions, see “Installing Designer” in the Identity Manager 4.0.2 Framework Installation Guide.
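
The IMPORTANT note on JRE versions in this section gives a cutoff that can be checked from a shell: JRE 1.6 up to update 23 is affected by CVE-2010-4476, and 1.6.0 update 24 addresses it. The script below is an added example, not part of the Novell guide; its function names are hypothetical, its sample lines are constructed, and it assumes the usual java -version string form such as 1.6.0_23.

```shell
#!/bin/sh
# Added example, not part of the Novell guide. Function names are hypothetical.

# Read `java -version` output on stdin and print the quoted version string
# from the first line that carries one, e.g.
#   java version "1.6.0_23"   ->   1.6.0_23
# On a real host: java -version 2>&1 | jre_version_from_output
# (java writes its version banner to stderr).
jre_version_from_output() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a version string against the cutoff stated in the guide's note.
# Prints one of:
#   affected  - JRE 1.6 at update 23 or lower
#   fixed     - JRE 1.6 at update 24 or higher
#   not-1.6   - another Java line; the guide's note says nothing about it
#   unparsed  - not a version string this check understands
jre_cve_2010_4476_status() {
    ver=$1
    case $ver in
        1.6.0)   update=0 ;;                       # initial 1.6.0, no update
        1.6.0_*) update=${ver#1.6.0_}              # drop the "1.6.0_" prefix
                 update=${update%%-*} ;;           # drop a build tag like -b07
        1.6.0-*) update=${ver#1.6.0-}              # the guide writes 1.6.0-24
                 case $update in
                     *[!0-9]*) update=0 ;;         # -ea, -b105: no update yet
                 esac ;;
        1.6.*)   echo unparsed; return 0 ;;
        [0-9]*)  echo not-1.6; return 0 ;;
        *)       echo unparsed; return 0 ;;
    esac
    case $update in
        ''|*[!0-9]*) echo unparsed; return 0 ;;    # empty or non-numeric update
    esac
    if [ "$update" -le 23 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample banners, as a workstation inventory might collect them.
for banner in \
    'java version "1.6.0_23"' \
    'java version "1.6.0_24"' \
    'java version "1.6.0_05"' \
    'java version "1.7.0_45"'
do
    v=$(printf '%s\n' "$banner" | jre_version_from_output)
    printf '%-12s %s\n' "$v" "$(jre_cve_2010_4476_status "$v")"
done
```
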

IMPORTANT: When updating your JRE, note that JRE 1.6 versions up to update 23 ship with the CVE-2010-4476 security vulnerability (http://www.oracle.com/technetwork/topics/security/alert-cve2010-4476-305811.html). This security vulnerability has been addressed in JRE 1.6.0-24. You must use the FPUpdater tool that Sun has recently released to update your JRE to version 1.6.0-24. The instructions for installing the latest JRE versions are available at the JRE Patch Download Site (http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html).

1.3 Upgrading Designer

To upgrade to Designer 4.0.2, follow the same procedure that is outlined in Section 1.2, “Installing Designer,” on page 20. If you install Designer 4.0.2 in the same location as the earlier version of Designer, you see the Designer Found message, asking if you want to upgrade. Select Yes to delete the older version of Designer and install Designer 4.0.2 in its place.

When upgrading to Designer 4.0.2, take note of three items:

- Do not use Designer 2.1x workspaces for Designer 3.0 and above. Designer stores projects and configuration information in a workspace and these are not compatible between Designer versions. In Designer 4, default workspaces are stored under the %UserProfile%\designer_workspace directory for Windows XP, the %UserProfile%\designer_workspace directory for Windows Vista and Windows 7, and the $HOME/designer_workspace directory for Linux.
- Import all Designer 2.1x projects into Designer 4.0.2. This runs the Project Converter Wizard, making the projects compatible with Designer 4.0.2. Be sure the Copy project into the workspace option is selected. For more information about the Project Converter, see Section 18.1, “Converting Earlier Projects,” on page 465.
- If you are running workflow provisioning and provisioning with roles, follow the installation or upgrade procedures in “Migrating the User Application Driver” in the Identity Manager 4.0.2: RBPM and Reporting Migration Guide (https://www.netiq.com/documentation/idm402/migration/data/buh2nsr.html).

1.4 Using the Silent Install

You can use scripts to install Designer without user interaction. This feature is known as a silent install. To use the silent install, run the install program with the -i silent option. The option is the same whether you install on Windows or Linux. For example:

Windows: install.exe -i silent [-f Path\designerInstaller.properties]
Linux: ./install -i silent [-f Path/designerInstaller.properties]

Configuring Silent Install Parameters

The -i silent option uses the default parameter values in the installation. You can configure the following installation parameters:

USER_INSTALL_DIR
  This parameter specifies the path to the location where you want to install Designer. For example:
  USER_INSTALL_DIR=/home/user/designer
  If you specify a path that does not end with the designer directory, the Designer installer automatically appends a designer directory.

SELECTED_DESIGNER_LOCALE
  This parameter specifies the locale in which you want Designer to start after installation. You can specify the following values:
  zh_CN - Chinese Simplified
  zh_TW - Chinese Traditional
  nl - Dutch
  en - English
  fr - French
  de - German
  it - Italian
  ja - Japanese
  pt_BR - Portuguese Brazil
  es - Spanish

To change the default parameter values, complete the following steps:

1 Download and unzip or unpack the Designer installation kit.
2 Navigate to the following directory:
  Location of unzipped Designer files/designer_install/designerInstaller.properties
3 Edit the designerInstaller.properties file and modify the values for the USER_INSTALL_DIR and SELECTED_DESIGNER_LOCALE parameters as necessary.
4 Save and close the designerInstaller.properties file.
5 Enter one of the following commands:
  install.exe -i silent -f Path\designerInstaller.properties (Windows)
  ./install -i silent -f Path/designerInstaller.properties (Linux)

1.5 Uninstalling Designer

- “Uninstalling on Windows”
- “Uninstalling on Linux”

Uninstalling on Windows

1 In the Control Panel, select Add/Remove Programs.
2 Click Designer for Identity Manager > Change/Remove > Uninstall > Yes.

To easily uninstall on English-language workstations, select Uninstall from the Start menu. For example, on Windows, click Start > All Programs > Novell Designer for Identity Manager > Uninstall.

Uninstalling on Linux

1 Make sure that you have the correct privileges necessary to uninstall the application.
2 Run Uninstall_Designer_for_Identity_Manager. This file is in [path you chose to install into]/designer/UninstallDesigner.

2 Creating a Project

IMPORTANT: Projects created in Designer releases earlier than Designer 4.0.2 work in Designer 4.0.2 after they are converted. However, projects created in Designer 2 or 3 don’t work in Designer 1.1 or earlier releases.

- Section 2.1, “When No Project Exists”
- Section 2.2, “When You Want to Create an Additional Project”
- Section 2.3, “When You Want to Import a Project”
- Section 2.4, “When You Want to Disable a Project”

2.1 When No Project Exists

1 Make sure that the Designer perspective (in the upper right corner) is selected.
2 If you are just starting Designer and have no projects in the Project tab, you see the following window:
3 Click New Identity Manager Project to launch the Identity Manager Project Wizard.
4 Name the project, then click Finish.
5 Select whether or not to import packages into the package catalog, then decide whether to allow Designer to always import package updates.
  For more information about packages, see Chapter 6, “Managing Packages,” on page 147.
6 (Conditional) If you selected to import packages, choose the packages you want to import, then click OK twice.

2.2 When You Want to Create an Additional Project

1 Right-click in the Project view pane, then click New > Identity Manager Project.
2 In the Identity Manager Project Wizard, name the project.
  Designer stores the project in a local directory. You specified this directory when you installed Designer. Typically, this default directory is %UserProfile%\designer_workspace for Windows XP and %UserProfile%\designer_workspace for Vista and Windows 7, and $HOME/designer_workspace for Linux. To specify a different directory, deselect Use Default, then browse to and select the desired directory.
  WARNING: Earlier Designer workspaces are not compatible with Designer 3.0 and later. Designer stores projects and configuration information in a workspace. These workspaces are not compatible from one version of Designer to another. You need to point Designer 4.0.2 to a new workspace, and not to a workspace used by a previous version of Designer.
  If you have Designer 2.x or 3.0 Milestone projects, you can import the projects into Designer 4.0.2 (File > Import > Project from File System). Be sure Copy project into the workspace is selected. Importing the project runs the Converter Wizard, making the project compatible with Designer 4.0.2 architecture and placing it under your designated Designer 4.0.2 workspace directory (designer_workspace by default).
3 Click Finish.
4 Select whether or not to import packages into the package catalog, then decide whether to allow Designer to always import package updates.
  For more information about packages, see Chapter 6, “Managing Packages,” on page 147.
5 (Conditional) If you selected to import packages, choose the packages you want to import, then click OK twice.

The project is stored in a directory structure with the project name as the initial directory containing files with a .proj and a .project extension. In this example, the project is stored in the c:\Documents and Settings\Novell User\designer_workspace\Blanston1 directory on a Windows XP workstation.

The project name appears in the Project view. When you select the System Model icon under the project name, Designer opens the Modeler (an editor) for the new project.

For information on saving a project, see Section 18.1, “Converting Earlier Projects,” on page 465.

2.3 When You Want to Import a Project

To import a project from an Identity Vault or from the File System, see Chapter 12, “Importing into Designer,” on page 289.

2.4 When You Want to Disable a Project

You can disable and enable projects from the Project view.

1 To disable a project, right-click a project in the Project view and select Disable Project.
  When a project is disabled, it is not accessible from any of the other views, including the Version Control view, and the project is converted to a placeholder in the Project view.
2 To enable the project, right-click the project placeholder in the Project view and select Enable Project.
  The project is again accessible in the other views.

3 Creating a Model

The Designer Modeler lets you create and manipulate a model of your Identity Manager environment within a Designer project.
Section 3.1, “Basic Tasks,” on page 29 Section 3.2, “Accessing the Modeler,” on page 30 Section 3.3, “Selecting a Modeling Mode,” on page 31 Section 3.4, “Working from the Palette,” on page 40 Section 3.5, “Creating a Driver,” on page 45 Section 3.6, “Copying and Pasting,” on page 46 Section 3.7, “Moving Items,” on page 50 Section 3.8, “In Line Editing,” on page 51 Section 3.9, “Tooltips and Toolbar,” on page 51 Section 3.10, “Organizing by Domain Groups,” on page 52 Section 3.11, “Connecting Applications,” on page 63 Section 3.12, “Aligning and Laying Out Components,” on page 72 Section 3.13, “Editing Multiple Objects,” on page 80 Section 3.14, “Modeling Active Directory Domain Controllers,” on page 80 Section 3.15, “Saving Your Model,” on page 83 3.1 Basic Tasks You need to perform several basic tasks for creating a model after you have created a project. 1 In Designer, select a project. If your project does not appear in the Modeler, open the Project view (Window > Show View > Project), expand the project, then double-click System Model. 2 Drag an Identity Vault object from the palette to the Modeler. When you create an Identity Vault or server in Designer 4.0.2, the default Identity Manager engine version is 4.0.2. Designer assumes that the Identity Vault has 4.0.2 capabilities. You can successfully deploy and run 4.0.2 projects only on Identity Manager 4.0.2 servers. You can easily change the engine version by selecting a version from the Server DN field. However, selecting earlier engine versions removes any later version capabilities and features from within Designer. Before you deploy a project, you must associate a server with the Identity Vault. You do this through the Identity Vault properties. See Section 4.3, “Configuring Identity Vaults,” on page 88. You can add multiple Identity Vaults. 3 Configure a driver set. Each Identity Vault contains a driver set. See Section 4.5, “Configuring Driver Sets,” on page 91. 4 Add applications. 
  Drag applications from the palette to the Modeler view. See Section 4.20, “Configuring Application Properties,” on page 133.
5 Create or configure drivers.
  Driver connections are automatically drawn between the application and the driver set. See Section 3.5, “Creating a Driver,” on page 45 or Section 4.7, “Configuring Drivers,” on page 99.
6 Develop and customize your model.
  Develop according to what you planned in “Planning an Identity Project” in Understanding Designer for Identity Manager.
7 Save your model (design).
  Do one of the following:
  - From the main menu, select File > Save (or Save All).
  - From the main menu, select File > Close > Yes.
  - Click the X in the Modeler’s tab, then select Yes.

3.2 Accessing the Modeler

The Modeler space is the main working area. It is an editor where you design projects. It is the main workspace and primary means of interacting with Designer. All other editors, views, and dialog boxes support and provide functionality for the Modeler.

Figure 3-1 Designer’s Modeler (labeled areas: Modeler, Palette, Views)

To get started, you create a project and drag items from the palette into the Modeler space. Then you arrange and configure the items.

If the Modeler does not display:

1 Expand a project in the Project view.
  If you haven’t yet created a project, create one.
2 Double-click System Model.

3.3 Selecting a Modeling Mode

- Section 3.3.1, “Developer Mode”
- Section 3.3.2, “Architect Mode”
- Section 3.3.3, “Dataflow Mode”
- Section 3.3.4, “Table Mode”

The Modeler has tabs along the bottom, so that you can switch among different modeling modes. The modes have different advantages, depending on the task you’re trying to do and the role that you are acting in.

Figure 3-2 Modeler Modes

The modes are synchronized with each other with selection, data, and content. They are also synchronized with the Outline view and Thumbnail view.
As you switch modes in the Modeler editor, the editor tab at the top displays the mode that you are in. Designer also remembers the Modeler page you were last on and restores it when you close and re-open a project. This helps you return to the last mode you were in.

By default, the theme preference is different for each mode. You can configure each theme independently in the Modeler preferences:

1 Click Window > Preferences, then select Novell > Identity Manager > Modeler.
2 Click the Themes tab.
3 Select a theme, then click OK.

3.3.1 Developer Mode

Figure 3-3 Developer Mode in Designer

Use Developer mode to do all low-level operations with driver sets, drivers, policies, and applications. This mode lets you manage all of the visual elements and configuration details that you need to fully build and deploy an identity solution.

In Developer mode, the palette organizes the applications and systems into categories. You can customize them to display as one alphabetical list by using the Modeler Preferences. See “Palette Page” on page 577.

Working with Labels

Figure 3-4 An Application’s Label

By default in both Developer and Architect modes, labels appear under application icons in the Modeler. They also appear above Identity Vaults in Architect mode. To configure these labels to not appear, use the Modeler Preferences. See “Modeler” on page 574.

3.3.2 Architect Mode

Figure 3-5 Architect Mode in Designer

Use the Architect mode to work at a design level for your projects. Because the design level does not show drivers, driver sets, or policies, you focus more on systems. This mode helps you do large-scale design, which is more intuitive to architects and business strategists. It is quite likely that you will start in this mode when you begin each project.
You will probably spend time putting together an accurate diagram of your enterprise as you consult with various people throughout your organization. As you do so, you should capture key information on each system, such as the owner, contact information, machine environment, software versions, and authentication credentials. As you go through this process, you will also define your project requirements, start thinking about your data, and capture that information in your project.

When the time is right, you can switch to the Developer mode and delve into the technical details of building a working solution. Depending on the size of your project and the makeup of your team, you could have architects and designers build high-level solutions with Designer in the Architect mode, and then send the project to identity developers who understand the details of writing policies and configuring systems. They can share the same project.

In Architect mode, you can connect any design element with any other design element, application, image, or Identity Vault. The connecting lines enable you to express any relationship, making Architect mode a general-purpose, high-level business model. The Architect-mode lines don’t display when you switch to the Developer mode.

NOTE: When you add icons representing driver applications through the Architect mode, you need to configure those drivers in the Developer mode. When you have added the necessary drivers and switch to the Developer tab, right-click the line between the driver icon and the driver set, then select Run Configuration Wizard.

The design elements have connectivity information tied to them. You can use design elements to perform live operations or to remotely control other elements that are in your environment but are not necessarily included in your Identity Manager infrastructure.
When using the Architect mode, you should be familiar with the following:

- “The Palette in Architect Mode” on page 35
- “High-Level Data Flows in Architect Mode” on page 36
- “Tasks” on page 37

The Palette in Architect Mode

In Architect mode, the palette lists all applications in one folder and design elements in another folder.

The Architect Modeler view now contains all of the graphical modeling tools that are present in the Developer Modeler view. This includes:

- Rulers
- Snap-in guides
- Alignment hints
- Grid
- Snap-in movement

The Graphics folder has an Image icon. When you drag this icon to the Modeler, Designer displays a generic graphic:

Figure 3-6 The Image Icon

To edit the properties of this icon:

1 Right-click the icon, then select Properties.
2 In the Name field, replace Image with a caption.
3 Browse to and select a replacement graphic, then click OK.
  You might need to reduce the size of the graphic before importing it.

After the image is in the Modeler, you can drag it, change it, connect lines to it, align or distribute it, or delete it.

High-Level Data Flows in Architect Mode

To set data flows in Architect mode:

1 Right-click the line between an application and an Identity Vault.
2 Select Show Dataflow View.
3 Right-click the line again and select Dataflow.
4 Specify synchronization and notification events, then click OK.

This option is used the same way as in Developer mode except that in Architect mode, Designer automatically configures all the details (schema, filters, and mapping policies) for you. You won’t see the Data Flow Wizard for these details. Before deployment, you can edit the details by using Developer mode.

Tasks

You can perform the following tasks in Architect mode:

- Straighten connections (edges).
  See Section 3.12, “Aligning and Laying Out Components,” on page 72.
- View Password Sync icons and edit synchronization.
  See Section 9.7, “Integrating Passwords,” on page 272.
- Auto-connect eDir-to-eDir.
- When deleting the driver line, view a prompt to confirm drivers being deleted.
- Display design elements in your model.
  Open the Design Elements folder on the palette, drag design elements onto the Modeler, and connect the design elements.

Figure 3-7 Items in the Design Elements Folder

3.3.3 Dataflow Mode

Figure 3-8 Dataflow Mode

The Dataflow mode launches the Dataflow editor, so that you can see all of the filters that control how data flows between the managed systems and Identity Vaults. In the Dataflow editor, you can right-click an eDir-to-eDir connection and have the option to remove the connection.

The Dataflow mode is synchronized with the Modeler and with the Outline view when you add, delete, change, or synchronize objects. Also, you can see how passwords flow from each server. See Chapter 9, “Managing the Flow of Data,” on page 241.

The Dataflow toolbar enables you to perform the following actions:

- Deploy driver filters for all drivers in the Dataflow view.
- Refresh the Dataflow view’s UI screen.
- Save the current Dataflow view to an HTML file. You can select the directory where you want to save the file.
- Save all of the filtered views (Notify, Sync, Reset, Password Sync) to HTML files. You can select the directory where you want to save the files.
- Go up and down to the Identity Vaults.
- Create a new Identity Vault.
- Add an application driver for a managed system.
- Filter Identity Vaults and application drivers out of the Dataflow view.

The pull-down menu allows you to perform the following:

- Expand all containers
- Collapse all containers
- Launch Dataflow preferences
- Get help

The Architect and Modeler views contain the same pull-down menu with the same functionality.
3.3.4 Table Mode

Figure 3-9 Global Table Editor

Table mode provides a Global Table editor, which lists all design elements in the project. You can scroll through this table to quickly scan essential information, such as the element’s type, the container where the element resides, and details, such as an element’s size, or driver and server information. You can efficiently find all items of a particular type and edit their settings.

To edit an entry in the table, double-click a line, or right-click a line and select Open With, then select an editor. You can also right-click a line, select Open, and Designer launches the editor that has been associated with the action. For example, drivers open their Properties page, and policies open in the Policy Builder.

When you select an entry in the table, Designer synchronizes the selection with the Outline view, so that you can view the selection’s container.

To sort the lists, click a column header.

3.4 Working from the Palette

- Section 3.4.1, “About the Palette”
- Section 3.4.2, “Palette Operations”
- Section 3.4.3, “Using Generic Applications”
- Section 3.4.4, “Fly-Out Palette”
- Section 3.4.5, “Resizing the Palette”
- Section 3.4.6, “Docking the Palette”
- Section 3.4.7, “Arranging Folders and Applications”
- Section 3.4.8, “Changing the Layout”
- Section 3.4.9, “Keyboard Support for the Palette”

3.4.1 About the Palette

Figure 3-10 Designer’s Palette

The palette is the source of all of the items that you add into the Modeler. To build a model, do one of the following:

- Drag and drop items from the palette to the Modeler space.
  When you drag and drop an application, it auto-connects to the closest driver set.
- Click an item in the palette, then click in the Modeler space where you want the item to go.
3.4.2 Palette Operations

Table 3-1 Palette Operations in Designer

Operation | Description
Connection | Connects items in the Modeler space.
Identity Vault | Places an Identity Vault in the Modeler space.
Driver Set | Places an eDirectory Driver Set object in an Identity Vault. All applications that you want to connect use a Driver Set object as a hub between the two applications.
Domain Group | Lets you group and organize items in the Modeler space.
Folders | Applications are organized within folders or drawers. To open or close a folder, click it. To hold the folder in place and make sure that it does not fully collapse (even when you open other folders), click the pin. When the Palette is full, unpinned folders automatically close when you open another folder.
Applications | The various applications that you can connect are grouped into folders by type. You can drag and drop these applications to the Modeler space and begin editing them. The Modeler automatically adds a connecting line, which represents a driver.
Scrolling Arrows | Small directional arrows. If a folder has many items, or if the screen area is restricted, scrolling arrows appear. To scroll through the contents of a folder, click the arrows.

3.4.3 Using Generic Applications

Figure 3-11 The Generic App Option on the Palette

Scenario: A Generic Application. Fridrik creates a project with his own items and graphics, in his own version of Designer. He transfers the project to you, but you are using a different version of Designer, which doesn’t understand those items. Your version renders the transferred objects as Generic applications.

3.4.4 Fly-Out Palette

Figure 3-12 The Palette’s Control Arrow

To hide the palette, click the small control arrow on the palette. The palette collapses.

To open the palette again and keep it open, click the arrow.

To temporarily open the palette again, hover the cursor over the collapsed palette, below the control arrow. The palette quickly expands.
This is fly-out mode. To change the palette from fly-out mode, click the control arrow again.

The state persists and is restored the next time you run the application.

3.4.5 Resizing the Palette

1 Click the palette’s thick border that faces the Modeler space.
2 Drag the line.

The size persists and is restored the next time you run the application.

3.4.6 Docking the Palette

To dock the palette on the left or right of the Modeler space:

1 Click the top palette header.
2 Drag the palette to the desired location.

The location persists and is restored the next time you run the application.

3.4.7 Arranging Folders and Applications

By default, applications are placed in folders. To arrange applications alphabetically instead of in folders:

1 Click Window > Preferences > Novell > Identity Manager > Modeler > Palette.
2 Select Arrange applications in alphabetical list, then click OK.

3.4.8 Changing the Layout

1 Right-click the palette.
2 Select Layout.
3 Select an option.

Setting | Description
Layout: Columns | Displays folders and applications in columns.
Layout: List | Arranges folders and applications in a list.
Layout: Icons Only | Removes descriptive labels.
Layout: Details | Briefly describes palette items.
Use Large Icons | Toggles the size of icons used for applications.
Settings | Enables you to set the layout and icon size in one dialog box. Controls how folders (drawers) behave.

3.4.9 Keyboard Support for the Palette

Table 3-2 Shortcut Keys for the Palette

Keystroke | Description
Left-arrow | Collapses an open folder. The focus must be on the folder, not the application.
Right-arrow | Opens a collapsed folder. Moves into an open folder.
Up-arrow | Moves up to the next folder.
Down-arrow | Moves down to the next folder.

3.5 Creating a Driver

Drivers connect the applications to the Identity Vault and provide the means for the data to synchronize. To create a driver, select an application from the palette, then drag and drop it on the Modeler. The application is connected to the closest driver set and the Driver Configuration Wizard launches.

Figure 3-13 Driver Configuration Wizard

The purpose of the Driver Configuration Wizard is to help you install drivers. In the past, that meant walking through the import of a driver configuration file. Now, the Driver Configuration Wizard walks you through installing packages or driver configuration files. However, only packages contain new driver content. The driver configuration files are not updated from this point on.

To create a driver with packages, select the available base package listed. If there are no packages listed, then the packages are not imported into the package catalog. For more information about importing and installing packages, see Section 6.2, “Installing or Upgrading Packages,” on page 151.

To create a driver with a driver configuration file, click Import Driver Configuration. All of the driver configuration files for the version of your Identity Manager server are listed. For more information about importing a driver configuration file, see Section 12.4, “Importing a Driver Configuration File,” on page 318.
3.6 Copying and Pasting

- Section 3.6.1, “Copying Applications”
- Section 3.6.2, “Copying a Driver Set”
- Section 3.6.3, “Copying an Identity Vault”
- Section 3.6.4, “Copying a Domain Group”
- Section 3.6.5, “Copying between Editors”

3.6.1 Copying Applications

Figure 3-14 Applications to Copy

You can copy and paste the following items within the same editor or to another editor:

- Applications, including custom applications
- Disconnected applications
- Driver icons

1 Select an application or driver icon.
2 Press Ctrl+C, then Ctrl+V.

The copy and paste operations are also accessible from the Clipboard context menu. (Currently, they aren’t accessible from the main menus.)

When you copy an application in the same editor, Designer copies all of the application’s attributes, and copies all sub-elements. Therefore, all drivers that the application is connected to are copied, and all policies that the drivers contain are also copied. The new application connects to the same driver sets that the previous application connected to.

To copy an application to a different driver set (in the same editor or in another editor):

1 Select the application.
2 Press Ctrl+C.
3 Select the target driver set that the application connects to.
4 Press Ctrl+V.

If you copy and paste an application without selecting a target driver set, Designer makes a copy and connects it to the current driver set.

You can select multiple applications and then copy and paste them.

3.6.2 Copying a Driver Set

Figure 3-15 Driver Sets

You can copy and paste driver sets within the same Identity Vault or to another Identity Vault in the same editor or in another editor.

1 Select a driver set.
2 Press Ctrl+C, then Ctrl+V.
When you copy a driver set in the same editor, Designer copies all of the attributes of the driver set, including the following:

- All drivers that the driver set is connected to
- All policies that the drivers contain
- All target applications

To copy to a different editor:

1 Select a driver set.
2 Press Ctrl+C.
3 Select the target Identity Vault in the other Modeler editor where you want the driver set to be copied to.
4 Press Ctrl+V.

By default, the new driver set is created in the same Identity Vault as the one that it was copied from. However, if you select another Identity Vault, the driver set is copied there.

After you copy and paste, you might need to move the pasted objects to a better location so that they don’t cover up an existing object. To do this, leave the objects selected after you paste them, then move them. Or, use the following procedure to easily select objects:

1 Right-click a driver set.
2 Click Select All Connected Applications.
3 Move one of the selected applications.
  All connected applications move together.

When you copy a driver set, it has the same settings, except for the selected servers, which are blank. This exception occurs because the Identity Manager engine does not allow more than one driver set on an Identity Vault to be associated with the same server. Therefore, you need to set up the servers for the new driver set.

If you copy an Identity Vault, Designer copies the driver sets. The new driver set has the same server settings set up for you.

You can select multiple driver sets and then copy and paste them.

To copy and paste multi-driver connections, you must copy the driver set or Identity Vault that contains them. In Designer 2.0, if you copy the application that has a multi-driver connection, the application and only one of its drivers are copied.

3.6.3 Copying an Identity Vault

You can copy and paste Identity Vaults within the same editor, to another editor in the same Modeler space, or in a specific Domain Group.
1 Select an Identity Vault.
2 Press Ctrl+C.
3 Select nothing or select the target Domain Group (in the same editor or another) where you want the Identity Vault to be copied to.
  If you select nothing, the new Identity Vault is copied to the right of the previous Identity Vault in the current editor.
4 Press Ctrl+V.
  The new Identity Vault appears to the right of the previous Identity Vault and is the same size as the one that it is being copied from.

When you copy an Identity Vault, Designer copies all of the elements of the Identity Vault. The elements include servers, e-mail templates, driver sets, and connected applications.

You can select multiple Identity Vaults and then copy and paste them.

3.6.4 Copying a Domain Group

You can copy and paste Domain Groups within the same editor, to another editor in the same Modeler space, or in a specific Domain Group.

1 Select a Domain Group.
2 Press Ctrl+C.
3 Select the location for the new Domain Group.
  If you select nothing, the new Domain Group is copied to the right of the previous Domain Group in the current editor.
4 Press Ctrl+V.
  The new Domain Group appears to the right of the previous Domain Group, and is the same size as the one it was copied from.

When you copy a Domain Group in the same editor, Designer copies all of the attributes of the Domain Group. However, Designer doesn’t copy all sub-elements.

You can select multiple Domain Groups and then copy and paste them.

3.6.5 Copying between Editors

To easily copy and paste between two editors:

1 Using the Project view, open two projects.
  One project is active. The second project’s tab displays at the top of the Modeler.
2 Close the palette by clicking the control arrow on the palette’s title bar.
3 Click the second project’s tab and drag it to the Modeler’s right border.
  The tab changes to a folder icon until it arrives near the border, where the folder changes to an arrow.
4 Release the mouse button.
5 Copy items from one editor to the other.

3.7 Moving Items

After an item is in the Modeler space, you can move it by dragging it to a new location.

The Modeler prevents you from placing objects where they don’t belong. For example, you cannot move a driver set out of an Identity Vault to the Modeling space, or drop an application inside of an Identity Vault.

You can always drag objects into a Domain Group, or drag a driver set from one vault into another. If you drag a driver set into an Identity Vault, the Identity Vault automatically grows or shrinks to fit the driver set, so you don’t need to manually resize the vault. This behavior can be turned on or off in Preferences. See “Modeler” on page 574.

Figure 3-16 Example Driver Sets in an Expanded Identity Vault

3.8 In Line Editing

Figure 3-17 An In Line Edit

To edit the names of objects, do one of the following:

- Select the item, press F2, then edit the label.
- Double-click the item, then edit the Name field.

You can do an in line edit for any type of item in the Modeler, including the driver lines.

3.9 Tooltips and Toolbar

As you mouse over objects in the Modeler, a tooltip appears with the name of the object.

Figure 3-18 A Tooltip

The Modeler also provides a toolbar.
Figure 3-19 The Modeler Toolbar

The Modeler toolbar enables you to quickly find often-used features:

- Search
- Find a driver’s status (also available from the Live menu when you select a driver set or Identity Vault)
- Start, stop, or restart a driver (also available from the Live menu when you select a driver set or Identity Vault)
- Clear all items
- Save a snapshot of the model

The drop-down menu allows you to perform the following:

- Expand all containers
- Collapse all containers
- Launch Modeler preferences
- View demos on how to use the Designer
- Get help

The Architect and Dataflow views contain the same drop-down menu with the same functionality.

3.10 Organizing by Domain Groups

- Section 3.10.1, “About Domain Groups”
- Section 3.10.2, “Key Features”
- Section 3.10.3, “Creating a Domain Group”
- Section 3.10.4, “Minimizing (Collapsing) Domain Groups”
- Section 3.10.5, “Restoring Domain Groups”
- Section 3.10.6, “Maximizing Domain Groups”
- Section 3.10.7, “Using a List View of Domain Groups”
- Section 3.10.8, “Auto-Placement of Neighbors”
- Section 3.10.9, “Grouping into a New Domain Group”
- Section 3.10.10, “Ungrouping a Domain Group”
- Section 3.10.11, “Clearing Contents”
- Section 3.10.12, “Changing a Domain Group Icon”
- Section 3.10.13, “Keyboard Support for Domain Groups”

3.10.1 About Domain Groups

Figure 3-20 The Domain Group Option on the Palette

Domain Groups enable you to organize your model into logical groupings that help to keep your diagram clean. Domain Groups have no technical function, and they have no impact on how items and relationships are stored in the Identity Vault. This option is just a tool to help you better organize and view items in the Modeler.

Using Domain Groups is the key to modeling your entire enterprise, no matter how large it is.
You can create a model that is manageable, useful, and logical, according to how you want to organize and diagram your enterprise.

Figure 3-21 A Domain Group in the Modeler

3.10.2 Key Features

- Change a group name through the Properties view.
- Drag and drop items in and out of groups.
- Minimize or restore groups.
- Move everything in a group.
- Remove everything in a group.
- Nest groups within groups (no limit).
- Resize groups. A minimum size is enforced.
- Ungroup. Remove the group but leave the children.

3.10.3 Creating a Domain Group

1 Drag and drop a Domain Group from the palette to the Modeler space.
2 Organize items inside Domain Group items.

To add another Domain Group, drag and drop one from the palette.

To add an Identity Vault, do one of the following:

- Drag an Identity Vault from the palette.
- Right-click in the Domain Group, then select New > Add Identity Vault.

The Add Server to Identity Vault dialog box appears. If you select Specify a Server, Designer provides a dialog box that enables you to select an eDirectory server or specify a server manually.

To add a driver set:

1 Right-click inside an Identity Vault.
2 Select Add Driver Set.

To add an application:

1 Right-click a Driver Set object.
2 Select Add Connected Application.

The application is added to the right of the right-most connected application. If this is the first application, it is placed under the driver set.

The application defaults to a generic application type. To change the type:

1 Right-click the application, then select Properties.
2 Select a different application, then click OK.

When you add selected items to a Domain Group, the Domain Group expands.

Figure 3-22 A Domain Group

If you move an item to the edge of the Domain Group, the boundaries expand, so that the items remain inside the Domain Group.

You can drag an item from the Domain Group to remove it from the group.
You can have nested domains. If you expand a nested domain, the outer (hosting) domain automatically increases in size. You aren’t required to manually resize parent domains. By expanding, the hosting domain displays the nested domain, so that the nested domain isn’t cut off.

3.10.4 Minimizing (Collapsing) Domain Groups

To minimize a Domain Group, click the Minimize icon.

When a Domain Group is minimized, it defaults to a random icon. You can use Properties to change the icon. (See “Changing a Domain Group Icon” on page 62.)

The icon and minimized state of the group are saved in the Project file.

When a group is minimized, you can’t see its contents, nor can you drag new items into the group. However, you can move, rename, or delete it.

When you minimize a group, lines that were connected to items in the group now connect to the group. This functionality enables you to see that there is a relationship with items in the group and items outside the group. Depending on your objects, their relationships, and state of other related groups, multiple lines might collapse into one line.

Figure 3-23 A Collapsed Group

When you expand the group, the lines are moved back to the actual items they connect with. This functionality works for any level of nesting of groups.

3.10.5 Restoring Domain Groups

To restore the Domain Group to its original size, click the Restore icon.

3.10.6 Maximizing Domain Groups

To maximize a Domain Group, click the Maximize icon. The group expands to a much larger size. To return it to the original size, click the Restore icon.

You can maximize only first-level groups. For inner groups, the Maximize function is disabled.

3.10.7 Using a List View of Domain Groups

To open a Domain Group in a list view, click the List View icon. The group lists the applications in a list format. To return it to the original size, click the Restore icon.
Figure 3-24 List View of a Domain Group

List view of Domain Groups shows only connections of the selected application while the connections of other applications are hidden. You cannot add or delete additional applications in the list view. To perform any operation, right-click the corresponding driver connector.

List view of Domain Groups does not support nesting of Domain Groups or Identity Vaults within a Domain Group. Attempting nesting of Domain Groups or Identity Vaults results in a warning message.

Figure 3-25 Warning Message

3.10.8 Auto-Placement of Neighbors

To push or pull the neighboring items when you expand or contract Domain Groups, hold down the Ctrl key while you expand or contract the Domain Group. Any item that is to the right or below a Domain Group is affected.

3.10.9 Grouping into a New Domain Group

1 In the Modeler, select multiple items.
2 Right-click, then select Add to Group.

The Modeler creates a new Domain Group and adds those items, preserving their relative spacing to each other. This process removes the items from wherever they previously existed and places them in the proper area in the new group.

The following figure illustrates two Applications that have been added to a new Domain Group and removed from their previous groups.

Figure 3-26 Grouping into a New Domain Group

3.10.10 Ungrouping a Domain Group

Figure 3-27 Ungrouping a Domain Group

To ungroup a Domain Group, right-click it, then select Ungroup.

This process removes the Domain Group but leaves all contents where they are, so that they won’t be deleted. This is just a way to ungroup the items. Depending on what level you are in the Modeler, the ungrouped items are automatically added to the host group or to the main Modeling space.
3.10.11 Clearing Contents

Figure 3-28 Clear All Items

To remove all contents from the Modeler, click Model, then select Clear All Items.

To remove all contents from a Domain Group, right-click, then select Clear Domain Contents.

Designer prompts you before clearing the Modeler space.

3.10.12 Changing a Domain Group Icon

1 Right-click a Domain Group item in the Modeler, then select Properties.
2 Browse to and select an image (for example, finance.png).
  Icons for Domain Group components reside in the Group directory in the Modeler plug-in directory. By default, Designer opens the Group directory.
  Designer supports .GIF, .JPEG, .PNG, and Windows .BMP formats. You can add your own icons to the Group directory.
3 Click Open, then click OK.
  The minimized 16x16 version of the image also now appears in the Domain Group title bar.

As you add Domain Group items, Designer randomly assigns icons from the Group directory to the new Domain Group.
3.10.13 Keyboard Support for Domain Groups

Table 3-3 Shortcut Keys for Domain Groups

Keystroke | Description
Alt+Down-arrow | Navigates into a Domain Group
Alt+Up-arrow | Navigates out of a Domain Group
Delete | Deletes the selected items

3.11 Connecting Applications

Section 3.11.1, “Automatic Connections”
Section 3.11.2, “Connection Target Highlights”
Section 3.11.3, “Automatically Creating Objects”
Section 3.11.4, “Auto Redraw”
Section 3.11.5, “Manually Connecting”
Section 3.11.6, “eDir-to-eDir Connections”
Section 3.11.7, “Multiple Driver Connections”
Section 3.11.8, “Straightening Connections”
Section 3.11.9, “Reconnecting”
Section 3.11.10, “Driver Icons”
Section 3.11.11, “Selected Drivers”
Section 3.11.12, “Auto-Layout of Imported Objects”
Section 3.11.13, “Keyboard Support for Connections”

3.11.1 Automatic Connections

When you drag an application into the Modeler space, and the Modeler contains a driver set, Designer automatically draws a connecting line between the Driver Set object and the application.

When you use the palette’s Connection function to connect an application to an Identity Vault, you can begin or end your driver line at the Identity Vault. The line automatically connects to a driver set in an Identity Vault. If the Identity Vault contains more than one driver set, the Connection function connects the driver line to the first driver set.

This functionality also works for multi-driver connections. All multi-driver driver lines are bendable. You can lay them out so that the lines don’t overlap at any angle. Also, you can reconnect multi-driver connections.

If an Identity Vault has multi-driver connections in a Domain Group and you minimize that Domain Group, a single collapsed line represents all of the multi-driver connections.
3.11.2 Connection Target Highlights

When you drag an application across the Modeler space, the closest Identity Vault and closest driver set in that Identity Vault are highlighted. The highlights indicate the item that the application will connect with when you drop the application.

Figure 3-29 Connected Objects

3.11.3 Automatically Creating Objects

If you drop an application into the Modeler space, and that space has no Identity Vaults, Designer automatically creates an Identity Vault.

If you add a driver application in the Modeler by right-clicking in the Modeler, then selecting New > Application, the driver application is now added at the place where you right-clicked. This makes it easier to locate items in the view.

3.11.4 Auto Redraw

If you move items, lines are automatically redrawn.

3.11.5 Manually Connecting

To manually connect an application to a driver set:

1 Click Connection in the palette.
2 Draw a line between the application and the driver set.

To reconnect an application, select the driver line, then drag one end of the line to another driver set or application.

The drag gesture gravitates the line towards the nearest connectable point. This functionality helps you know what you can connect to and where you can connect the item. If you try to connect to something that isn’t allowed, the cursor usually indicates so, or nothing happens when you drop the item.

3.11.6 eDir-to-eDir Connections

Figure 3-30 eDir-to-eDir Connections

An eDir-to-eDir connection is a special type of connection. It is used frequently in Identity Manager environments. This connection is a way to configure two eDirectory drivers to communicate directly with each other. (No other drivers are able to communicate directly with any other type of driver.) This type of connection is most commonly used for synchronizing a local directory tree with a Metadirectory Identity Vault.
To create an eDir-to-eDir connection, do one of the following:

- Drag a line between two Identity Vaults
- Drag a line between two driver sets

When you connect a line between two eDirectory applications, the line automatically turns into an eDir-to-eDir connection. See the illustration in Section 9.2.6, “Viewing an eDir-to-eDir Driver,” on page 258.

To disconnect an eDir-to-eDir connection, right-click an eDir item, then select Disconnect eDir-to-eDir. Designer creates two new eDirectory applications and redirects each driver to its respective application. A new driver is not created. No data is lost. Designer keeps the same drivers.

If you delete one side of an eDir-to-eDir connection, Designer converts the remaining half into a regular driver connection to an eDirectory application.

3.11.7 Multiple Driver Connections

To connect more than one driver from a driver set to an application:

1 Select Connection in the palette.
2 Connect the driver set and the application again and again.

Each time you connect, a new line is added. All lines are bendable, so that the lines don’t overlap. To get the model to look optimal, you probably need to move the application slightly from its default position.

You can also connect more than one driver to a single application. This actually causes the application to act as a hub. Each driver can connect to and authenticate to the application or system the same or differently, depending on your needs. Each driver can access the same part of the application or system or different parts (for example, different tables in a database). The Modeler lets you diagram a layout according to your needs.

Figure 3-31 Multi-Driver Connections

3.11.8 Straightening Connections

To straighten connecting lines:

1 Press Ctrl, then select one or more items in the Modeler.
2 Right-click, then select Straighten Connections.

What is straightened depends on what you select:

Table 3-4 Straightened Connections

Selected Item | What Is Straightened
A driver | That driver’s line
An application | The connecting driver’s line
An Identity Vault | All lines that originate from that driver set in that Identity Vault
A Domain Group | Everything in the Domain Group
A project (selected by clicking the Modeler’s background) | Everything in that project

Lines are straightened only if they are less than 20 pixels from a north, west, south, or east alignment. The intent of this operation is to quickly nudge lines that are almost straight, so that they become perfectly straight. This nudging removes the tedium of meticulously dragging items into perfect alignment and being concerned with the pixels.

If a line isn’t almost straight, it is left alone. In fact, the Straighten Connection operation is disabled unless the selected items qualify to be straightened. If some of the selected items qualify but others don’t, the operation is still enabled, but only eligible lines are straightened.

3.11.9 Reconnecting

To reconnect components, do one of the following:

- Drag the end of a line (driver) from one application to another.
- Drag the end of a line (driver) from one driver set to another.

3.11.10 Driver Icons

Table 3-5 Driver Icons

Icon | Description
(icon) | A driver. The entire line between a driver set object and an application represents a driver.
(icon) | A remote driver.
(icon) | A firewall. Indicates that the driver is communicating across a firewall.

The following figure illustrates these icons.

Figure 3-32 Driver Icons

To see, turn on, or turn off driver icons:

1 Right-click a driver line.
2 Select an option (for example, Mark as Firewall) to turn on or turn off.
3.11.11 Selected Drivers

As you move the mouse over a driver, the line thickens so that it is more obvious. You can click and interact with this line.

3.11.12 Auto-Layout of Imported Objects

When you import objects from the directory, they are automatically laid out, connected with lines, and assigned an icon that matches objects and relationships as closely as possible.

For example, if you import a Driver Set object, Designer imports all of the drivers and connects them with lines. Also, each driver points to an application icon. Application icons include the following:

- The exact Application icon (for example, Avaya or PeopleSoft)
- The image stored on the driver
  The image is embedded in a square application icon.
- A generic application icon
  If no image is stored on the driver, Designer supplies an icon for one of the following applications:
  - Generic
  - JDBC
  - LDAP
  - Delimited Text

The auto-layout mechanism uses the layout topology that you have selected. The default is Fan Out - Bottom. You can customize this setting in Preferences. See “Modeler” on page 574.

3.11.13 Keyboard Support for Connections

Table 3-6 Shortcut Keys for Connections

Keystroke | Description
/ | Navigates to the item’s next connection
\ | Navigates to the item’s previous connection

3.12 Aligning and Laying Out Components

Section 3.12.1, “Alignment Hints”
Section 3.12.2, “Using Rulers”
Section 3.12.3, “Using a Grid”
Section 3.12.4, “Distributing Applications”
Section 3.12.5, “Auto-Layouts”
Section 3.12.6, “Layouts to Use for Imports”

Alignments place objects in the same horizontal or vertical plane. Alignments help you see relationships in your model.

You can align or attach items to the left, center, or right of alignment guides. When you move the guide, attached items move with it, staying attached in the same relative positions.

To align components:

1 Press Ctrl, then select more than one item.
2 Right-click, then select Align.
3 Select an alignment option.

You can also attach an item by dragging it to a guide. After you wait a moment, the guide line is highlighted, indicating that the item is attached. You can align within the same group but not across groups.

Guides that you set up are restored the next time that you run Designer. You don’t need to re-create them. Also, the alignments and attachments (left, center, or right) are stored in the project on a per-item basis, so that they are also restored.

3.12.1 Alignment Hints

Click View > Alignment Hints to automatically show horizontal and vertical “hint” lines as you drag items into vertical or horizontal alignment with neighboring items.

Figure 3-33 Alignment Hints

The Alignment Hints feature is off by default. To turn it on, click View > Alignment Hints.

3.12.2 Using Rulers

To turn on the horizontal and vertical rulers:

1 Click the Modeler space to make it active.
2 Click View > Rulers.

To create a guide (line), click either ruler.

To anchor items to a guide, drag the items in the model to the line.

To simultaneously move all anchored items, drag the line.

3.12.3 Using a Grid

Figure 3-34 The Modeler’s Grid

When the grid is on, the snap-to-grid functionality is on.

To turn grid lines on and off:

1 Click the Modeler, so that the Modeler is the active view.
2 Click View > Grid.

To coerce objects to not align with the grid, temporarily turn off snap-to-grid by holding down the Alt key. (Linux doesn’t support this functionality.)

To constrain items to north-south or east-west coordinates, press Shift while dragging the items.

To change the grid size:

1 Click Window > Preferences > Novell > Identity Manager > Modeler > Display.
2 Type a value in the Grid Width field.
3.12.4 Distributing Applications

Figure 3-35 Distributing Applications

To equally distribute (space) applications horizontally or vertically:

1 Press Ctrl, then select three or more items.
2 Right-click, then select Distribute.
3 Select a distribution (for example, Vertical).

3.12.5 Auto-Layouts

Designer ships with a number of predefined layout topologies: circle, half-circle, star, box, and different fan-out layouts.

Figure 3-36 A Half-Circle Layout

These layouts are set on a per-driver-set basis. Therefore, each driver set can have its own layout.

To select a layout:

1 Right-click a driver set, then select Arrange Applications.
2 Select an arrangement (for example, Fan Out - Left).

If your model has an incorrect layout, the layout options are dimmed.

After you set a layout, applications that you connect will automatically snap into that layout.

Certain connected objects (for example, multi-driver connections, eDir-to-eDir connections, and applications that are connected but reside in a different Domain Group) are ignored. They aren’t included in the layout, and they don’t disturb it.

An option on the Arrange Applications submenu on the Modeler’s context menu enables you to expand or contract the layout arrangement. This option makes all spokes of the layout longer or shorter when you drag a slider.

3.12.6 Layouts to Use for Imports

To specify what layout to use on new driver sets that you import:

1 Select Window > Preferences > Novell > Identity Manager.
2 Click Modeler > Layouts.
3 Select an arrangement (for example, Half Circle), then click OK.

3.13 Editing Multiple Objects

You can open multiple objects and edit them at the same time. These objects must be of the same type (for example, policies).

To find out whether you can edit an object, right-click it. If Edit displays among the menu items, you can edit that object.
1 In the Outline view, expand the project that contains the objects that you want to edit.
2 Select the objects.
3 Right-click, then select Edit.
4 Edit the objects.
  You can copy and paste from one editor to another. Data must be of the same type.

3.14 Modeling Active Directory Domain Controllers

Section 3.14.1, “Configuring a Connection”
Section 3.14.2, “Discovering Controllers”
Section 3.14.3, “Information about Domain Controllers”

3.14.1 Configuring a Connection

You can configure an LDAP connection to an Active Directory system so that you can discover its domain controllers.

1 Right-click the Active Directory application, then select Properties > Connectivity.
2 Complete the LDAP authentication information.
  As you tab from the Host field to the User field, Designer automatically builds a full user context. You can modify this context.

3.14.2 Discovering Controllers

1 Right-click the Active Directory application.
2 Select Discover Domain Controllers.

If Designer finds any controllers, it lays them out and expands the Active Directory application as a container.

3.14.3 Information about Domain Controllers

Information about each controller is loaded into the Modeler. To view this information, edit the Domain Controller object and select the AD Domain page.

Figure 3-37 The AD Domain Page

If the LDAP connection information is filled out, you can reread the information from that system by clicking the Refresh icon.

3.15 Saving Your Model

To save your model, do one of the following:

- From the main menu, select File > Save (or Save All).
- From the main menu, select File > Close > Yes.
- Click the X in the Modeler’s tab, then select Yes.

For more information, see “The Project View” in Understanding Designer for Identity Manager.
4 Configuring Objects in Designer

Designer allows you to easily view, configure, and modify settings for Identity Vaults, driver sets, drivers, and managed systems.

Section 4.1, “Viewing Object Properties”
Section 4.2, “Configuring a Domain Group”
Section 4.3, “Configuring Identity Vaults”
Section 4.4, “Configuring Servers”
Section 4.5, “Configuring Driver Sets”
Section 4.6, “Configuring Libraries”
Section 4.7, “Configuring Drivers”
Section 4.8, “Configuring Policies”
Section 4.9, “Configuring Resource Objects”
Section 4.10, “Configuring Categories”
Section 4.11, “Configuring Groups”
Section 4.12, “Configuring Packages”
Section 4.13, “Configuring Package Content”
Section 4.14, “Configuring Prompts”
Section 4.15, “Configuring Global Configuration Objects”
Section 4.16, “Configuring Jobs”
Section 4.17, “Configuring ID Policy Containers”
Section 4.18, “Configuring ID Policies”
Section 4.19, “Configuring a Notification Template”
Section 4.20, “Configuring Application Properties”
Section 4.21, “Adding Prompts to a Driver Configuration File”
Section 4.22, “Synchronizing Passwords”

4.1 Viewing Object Properties

To quickly view or edit properties of items (for example, an Identity Vault or a driver), you can use the Properties view or a Properties dialog box.

Section 4.1.1, “Properties View”
Section 4.1.2, “Properties Dialog Box”
Section 4.1.3, “Operations Relating to Properties”

4.1.1 Properties View

If the Properties view is open when you select an item in the Modeler, information about that item displays in the Properties view. You can then quickly view or edit information.
Figure 4-1 The Properties View

To open the Properties view, click Window > Show View > Other > General > Properties.

For additional information, see “The Properties View” in Understanding Designer for Identity Manager.

4.1.2 Properties Dialog Box

The list of property pages in the Properties dialog box is organized alphabetically across Designer with the exception of the General page, similar to that of Eclipse.

To view or edit properties of items:

1 Open the Properties dialog box by doing one of the following:
  - Double-click an item in the Modeler or in the Outline view.
  - Right-click an item (for example, an Identity Vault) in the Modeler or Outline view, then select Properties.
  - Select an item, then press Enter.
  - Select an item, then select File > Properties.
  - Select an item, then select Model > [object] > Properties.
  The following figure illustrates a driver’s properties page:
2 Edit settings, then click OK to save.

4.1.3 Operations Relating to Properties

Table 4-1 Operations Relating to Properties

Operation | Description
Open the Properties view | Click Window > Show View > Other > General > Properties.
Open the Properties dialog box | Double-click an item, or right-click the item, then select Properties.
Edit settings | You can edit the settings of any item selected in the Modeler or Outline view.
View a server’s properties | In the Outline view, right-click the server icon, then select Properties.
Save to memory or disk | When you click Apply or OK in a properties dialog box, changes are committed to memory. However, changes are not saved to disk unless you select File > Save.

4.2 Configuring a Domain Group

To view or change a domain group’s settings, double-click the domain group.

1 To change the domain group’s icon, click Browse, then navigate to and select an image file.
  By default, the Browse button opens the icons/group folder in the com.novell.designer.core plug-in. The default image selected is administrative.png. To select a different image, double-click the new image.
2 Click Apply.
3 To change the name of the domain group, edit the Name field.
4 Add details in the Notes pane.
5 Click OK.

The image (for example, administrative.png) appears to the left of the domain name in the Modeler.

4.3 Configuring Identity Vaults

To view or change an Identity Vault’s settings, double-click the Identity Vault object in the Outline view or the Modeler. The Identity Vault Properties page has several options. In addition, you can configure a hostname in the hosts file.

Section 4.3.1, “Configuration”
Section 4.3.2, “Administrator”
Section 4.3.3, “Packages”
Section 4.3.4, “Server List”
Section 4.3.5, “iManager”
Section 4.3.6, “Local Hostname”

4.3.1 Configuration

The following table contains a description of each of the Identity Vault configuration settings.

Table 4-2 Configuration Settings for an Identity Vault

Field | Description
Vault name | The name of the Identity Vault object. The default is Identity Vault.
Host | The eDirectory host where you plan to log in and deploy.
Username | The eDirectory username that has sufficient rights to make changes to objects associated with this deployment.
Password | The password for the above user.
Save password | Saves the password permanently, so you are authenticated into this Identity Vault each time you open Designer. If you use this option, the password is saved locally in Designer’s file system and is not secure. If you do not select this option, the password is remembered only until you close Designer.
Test connection | Selecting this button allows the user to create, or, if a connection is unresponsive, to re-create a connection to the Identity Vault. If a connection has not been established to the Identity Vault, the button displays Test connection. After a connection is established, the button displays Refresh connection.
Deploy context | The default DN container assigned to all driver sets that are associated with this Identity Vault. If you specify a DN container on the Driver Set object, that setting takes precedence over the default setting.
Enable Package Developer Mode | Enables additional features in Designer to allow developers to create packages. For more information, see Section 7, “Developing Packages,” on page 161.

4.3.2 Administrator

The Administrator option is divided into three sections. Entering information in these sections is optional.

- Personal Information: Lets you enter information specific to the Identity Vault, such as Name, Title, Department, and Location.
- Contact Information: Lets you enter information such as Email, Phone, Cell Phone, Pager, and Fax.
- Notes: Allows you to type any reminders you might need for future reference.

4.3.3 Packages

The Packages option allows you to manage any packages at the Identity Vault level. A package at the Identity Vault level contains Notification Templates or sample data such as users or the Identity Vault structure. Identity Vault packages are applied to all of the drivers that reside in the selected Identity Vault. The following table lists the options available to manage packages. For more information about packages, see Chapter 6, “Managing Packages,” on page 147.

Table 4-3 Managing Packages Options

Options | Descriptions
Add package | Adds a package to the Identity Vault. You must add a package before you can install a package. Click the Add package icon, then select the package to install and click OK.
Create package | The Create package option is only available if the Enable Package Developer Mode is selected in the Identity Vault Configuration page. Only developers create packages for redistribution.
Package | Lists the name and current state of the package.
Version | Lists the version of the package.
Upgrades | Indicates that there is a newer version of a package imported into the package catalog, but it has not been installed. The package needs to be upgraded.
Operation | Lists the following operations that can be performed on a package:
  - Install: The Install option is only available after a package is added to the Identity Vault. Select Install, then click Apply to install the package.
  - Uninstall: The Uninstall option is only available after a package is installed to the Identity Vault. Select Uninstall, then click Apply to uninstall the package.
  - Upgrade: The Upgrade option is only available if there is a newer version of the package available for installation. Select Upgrade, then click OK to upgrade the package.
  - Downgrade: The Downgrade option is only available if you have upgraded a package and the older package is installed in the package catalog. Select Downgrade, then click OK to downgrade the package.
  - Revert Customizations: The Revert Customizations option is only available if you have made changes to the policies that are installed with a package. Select Revert Customization, then click Apply to remove the customization.

4.3.4 Server List

The Server List option displays the servers that are associated with the selected Identity Vault. You can add, edit, or remove the server entries.

NOTE: If you select the option to allow a default server to be created, that server shows up as Default Server.default_container in the list. You cannot deploy a driver set into an existing eDirectory tree if you have Default Server.default_container in the Server List. You must first remove this reference and add a Metadirectory server in an eDirectory tree.

4.3.5 iManager

The iManager option displays the URL that Designer uses to launch the Novell iManager administrative tool. You can modify this URL as needed.
To launch iManager from Designer, select Tools > iManager.

4.3.6 Local Hostname

If desired, Designer supports designating a hostname for your Identity Vault by adding an entry to the hosts file of your local OS. After assigning a hostname to the Host address of your Identity Vault, you can use the hostname instead of an IP address or DNS name to access the Identity Vault.

For example, if your Identity Vault has a host address of 192.168.100.254, you can associate the name ID-VAULT to that address in your local hosts file. Then, in Designer, you can refer to the Identity Vault by the name ID-VAULT instead of using the IP address.

For more information about using your local hosts file, consult your operating system’s documentation.

4.4 Configuring Servers

1 Right-click the server icon in the Outline view.
2 Select Properties.

Table 4-4 lists settings for the Server Properties page:

Table 4-4 Settings for the Server Properties Page

Field | Description
Name | The name of the Server object. The Identity Vault lists the server. You can browse to and select the server.
Context | The server’s context. The Identity Vault assigns the context. You can browse to and select the context.
Host address | The server’s IP address.
DNS name | The domain name or complete directory context name.
Identity Manager version | The version of Identity Manager that is running on the server. The default is Identity Manager 4.0.2. You can change the version by using the drop-down list. See Section 5.2, “Changing the Identity Manager Version,” on page 140.
eDirectory version | The version of eDirectory that the server is using.
Assigned Driver Set | The driver set the server is assigned to.
Notes | Information that you want to specify, to help you maintain the server.

Use the Contact Information tab to provide information on the person to contact and other items of interest concerning the server.
4.5 Configuring Driver Sets

A driver set is a container that holds Identity Manager drivers. Only one driver set can be active on a server at a time. As a result, all active drivers must be grouped into the same driver set.

To view or change settings, double-click a driver set in the Modeler.

Section 4.5.1, “Driver Set General Options”
Section 4.5.2, “Driver Set Configuration”
Section 4.5.3, “Driver Set Global Configuration Values”
Section 4.5.4, “Java Environment Parameters”
Section 4.5.5, “Driver Set Log Levels”
Section 4.5.6, “Driver Set Named Passwords”
Section 4.5.7, “Driver Set Packages”
Section 4.5.8, “Driver Set Server List”
Section 4.5.9, “Driver Set Trace”

4.5.1 Driver Set General Options

When you create an Identity Vault, a driver set is added to the vault by default.

Figure 4-2 A Driver Set in an Identity Vault

You can add other driver sets by dragging the Driver Set object from the palette to the Modeler. From the General page, you can specify or change driver set values.

Table 4-5 Driver Set Settings

Field | Description
Name | The name of the Driver Set object (for example, DriverSet1.)
Create a new partition on this driver set | We recommend that you select this option. For details, see “Technical Guidelines” in the Identity Manager 4.0.2 Framework Installation Guide.
Deploy context | The Identity Vault assigns the default DN container value to all driver sets. If you specify a DN container here on the Driver Set object, that setting takes precedence over the Identity Vault setting. You can manually enter this value or browse for it.

4.5.2 Driver Set Configuration

You can link in Global Configuration objects to the driver set GCVs. This allows you to reuse Global Configuration objects instead of creating multiple GCVs for the driver set.
To add a Global Configuration object:

1 Click Add, then browse to and select the Global Configuration object.
2 Click Apply to save the change.

You can change the order that the Global Configuration objects are listed by selecting the object, then clicking Up or Down.

4.5.3 Driver Set Global Configuration Values

Global configuration values (GCVs) are settings that are similar to driver parameters. Global configuration values can be specified for a driver set as well as an individual driver. If a driver does not have a GCV, the driver inherits the value for that GCV from the driver set.

GCVs allow you to specify settings for Identity Manager features such as password synchronization and driver heartbeat, as well as settings that are specific to the function of an individual driver configuration. Some GCVs are provided with the drivers, but you can also add your own. You can refer to these values in a policy to help you customize your driver configuration.

To view or change the driver set's GCV settings, double-click the driver set. From the Global Configuration Values page, you can add, edit, or remove values, or edit the XML file for the driver set.

4.5.4 Java Environment Parameters

The Java Environment Parameters enable you to configure the Java virtual machine (JVM) on the Metadirectory server associated with the driver set.

Table 4-6 Java Environment Parameters Settings

Field | Description
Classpath Additions | Specifies additional paths for the JVM to search for package (.jar) and class (.class) files. Using this parameter is the same as using the java -classpath command. When you enter multiple class paths, separate them with a semicolon (;) for a Windows JVM and a colon (:) for UNIX/Linux JVMs.
JVM Options | Specifies additional options to use with the JVM. Refer to your JVM documentation for valid options.
Initial Heap Size | Specifies the initial (minimum) heap size available to the JVM. Increasing the initial heap size can improve startup time and performance. Enter a numeric value followed by g, m, or k (case insensitive). If no letter size is specified, the size defaults to bytes. Using this parameter is the same as using the java -Xms command. Refer to your JVM documentation for information about the default initial heap size for the JVM.
Maximum Heap Size | Specifies the maximum heap size available to the JVM. Enter a numeric value followed by g, m, or k (case insensitive). If no letter size is specified, the size defaults to bytes. Using this parameter is the same as using the java -Xmx command. Refer to your JVM documentation for information about the default maximum heap size for the JVM.

4.5.5 Driver Set Log Levels

The Driver Set Log Level options enable you to view high-level information. For lower-level information, use the Trace option.

By default, logging is turned off. To track errors, messages, or events, change the default.

1 Double-click the driver set.
2 Select Driver Set Log Level.
3 Select a logging option.
  The log option that you select determines which messages are available in the log.
4 To configure audit instrumentation, select Log specific events, click the event selector button, select events, then click OK.
  The Update only the last log time option updates the time stamp to indicate the last activity of the driver.
5 Specify the number of entries in the log.
  The default is 50 entries (lines) in the log. If you want a longer history, increase the number.
6 Save changes by clicking OK.

The driver set log contains messages from the engine when it tries to start or stop drivers. To view the log, use iManager. Select the Status Log icon above the Identity Vault in the Identity Manager Overview.

4.5.6 Driver Set Named Passwords

The Named Passwords property page allows you to manage (add, edit, delete) named passwords for the selected driver set.
When named passwords are defined in the driver set, the passwords are available to all drivers in the driver set.

NOTE: If you create a named password of the same name in both the driver set and a driver in the driver set, the named password settings in the driver take precedence.

You can define named passwords on both drivers and driver sets. For more information about named passwords, see Section 4.7.8, “Driver Named Passwords,” on page 115.

4.5.7 Driver Set Packages

The Packages option allows you to manage any packages at the driver set level. A package at the driver set level is applied to all of the drivers that reside in the selected driver set.

The following table lists the options available to manage packages. For more information about packages, see Chapter 6, “Managing Packages,” on page 147.

Table 4-7 Managing Packages Options

Options
    Descriptions

Add package
    Adds a package to the driver set. You must add a package before you can install a package. Click the Add package icon, then select the package to install and click OK.

Create package
    The Create package option is only available if the Enable Package Developer Mode is selected in the Identity Vault Configuration page. Only developers create packages for redistribution.

Package
    Lists the name and the current state of the package.

Version
    Lists the version of the package.

Upgrades
    Indicates that there is a newer version of a package imported into the package catalog, but it has not been installed. The package needs to be upgraded.

Operation
    Lists the operations that can be performed on a package.
    Install: The Install option is only available after a package is added to the driver set. Select Install, then click Apply to install the package.
    Uninstall: The Uninstall option is only available after a package is installed to the driver set. Select Uninstall, then click Apply to uninstall the package.
    Upgrade: The Upgrade option is only available if there is a newer version of the package available for installation. Select Upgrade, then click OK to upgrade the package.
    Downgrade: The Downgrade option is only available if you have upgraded a package and the older package is installed in the package catalog. Select Downgrade, then click OK to downgrade the package.
    Revert Customizations: The Revert Customizations option is only available if you have made changes to the policies that are installed with a package. Select Revert Customization, then click Apply to remove the customization.

4.5.8 Driver Set Server List

After adding one or more servers to the Identity Vault, you can view or change the driver set’s server association. Select a server in the Available Servers list, then use the arrows to move the server to the Selected Server list.

If a server is not in the Available Servers list, you must first add it by editing the Identity Vault properties. See Section 4.3, “Configuring Identity Vaults,” on page 88.

4.5.9 Driver Set Trace

Although a driver set has nothing to trace, you can add a trace level to a driver set. The Trace setting specifies a trace level used with all drivers associated with the driver set. With the trace set, DS Trace displays Identity Manager and DirXML events as the engine processes the events. The trace level affects each driver in the driver set. Use the trace level for troubleshooting issues with the drivers when they are deployed. DS Trace displays the output of the specified trace level.

IMPORTANT: You should use the trace level only for testing or for troubleshooting driver issues. Setting a driver trace level on a production driver can cause the Identity Manager server to process events slowly.

To set a driver set’s trace characteristics:

1 In the Outline view or Modeler, right-click the driver set, then select Properties.
2 In the driver properties, select Trace in the left navigation area.
3 On the Trace page, specify the trace settings for the driver set, then click OK.

Table 4-8 Driver Set Trace Settings

Field
    Description

Trace level
    The IDM engine supports the following trace levels:
    Trace level 0: Displays fatal messages, errors, warnings and successes.
    Trace level 1: Displays informational messages in addition to the information from Trace level 0.
    Trace level 2: Displays contents of XML documents in addition to the information from Trace level 1.
    Trace level 3: Displays policy information in addition to the information from Trace level 2.

XSL Trace Level
    DS Trace displays XSL events. Set this trace level only when troubleshooting XSL style sheets. If you do not want to see XSL information, set the level to 0.

Java Debug Port
    Allows developers to attach a Java debugger.

Trace File
    When a value is set in this field, all Java information for the driver is written to file. The value for this field is the path for that file. As long as the file is specified, Java information is written to this file. If you do not need to debug Java, leave this field blank.

Trace File Encoding
    The trace file uses the system’s default encoding. You can specify another encoding if desired.

Trace File Size Limit
    Sets a limit for the Java trace file. Select Unlimited to allow the file to grow to fill the disk.

The following methods help you capture and save Identity Manager trace information.

- “Windows”
- “UNIX”
- “iMonitor”

Windows

Open the Control Panel, select NDS Services, then click DS Trace.DLM > Start. A window named NDS Server Trace Utility opens.

To set the filters to capture the DirXML trace information:

1 Click Edit > Options > Clear All.
2 Click the boxes next to DirXML and DirXML Drivers, then click OK.

To save the information to a file:

1 Click File > New.
    A dialog box prompts for a filename.
2 Enter a filename with the extension of .log.
3 To stop capturing information, click File > Close.
    The file is saved.

UNIX

Use the ndstrace command at the console to display the Identity Manager events. The exit command quits the trace utility.

Table 4-9 ndstrace Commands

Command
    Description

Set ndstrace=nodebug
    Turns off all trace flags.

Set ndstrace on
    Displays trace messages to the console.

Set ndstrace file on
    Captures trace messages to the ndstrace.log file in the /var/nds directory.

Set ndstrace file off
    Stops capturing trace messages to the file.

Set ndstrace=+dxml
    Displays the Identity Manager events.

Set ndstrace=+dvrs
    Displays the Identity Manager driver events.

iMonitor

Use iMonitor to get DS Trace information from a Web browser.

Table 4-10 Platforms and Commands for Web Browsers

Platform
    Command

Windows
    ndsimon.dlm

Linux/Solaris/AIX/HP-UX
    ndsimonitor

1 Access iMonitor from http://server_ip:8008/nds (the default port).
2 Click Trace Configuration.
3 Click Clear All.
4 Click DirXML and DirXML Drivers.
5 Click Trace On, then click Trace History.
6 Click the Current document icon to view the live trace.

4.6 Configuring Libraries

The Library object is a repository of commonly used policies that can be referenced from multiple locations. You can place a policy in the library that every driver in the driver set can reference. You can find the Library object in the Outline view.

The following table lists settings for libraries:

Table 4-11 Library Settings

Field
    Description

Name
    The name of the library. You can modify the name to be more descriptive, especially if you have more than one library in a tree. For example, you might have one library at the Identity Vault level containing policies that are generic to most drivers, and another library at the Driver Set level containing policies that are specific to that driver set.

Deploy Context
    The Identity Vault assigns the default DN container value to a library created or deployed at the Identity Vault level.
    If you specify a DN container here on the Library object, that container setting takes precedence over the Identity Vault setting. You can manually enter this value or browse to and select the context. Libraries created under the driver set do not have the Deploy Context option.

Description
    This field allows you to type a description of the selected library.

For more information about what you can add to a library, see “Library Objects” in Policies in Designer 4.0.2.

4.7 Configuring Drivers

A driver provides the connection between an application and the Identity Vault. The driver is the connector that enables data synchronization and sharing between systems. To view or change settings, double-click a driver or driver line in the Modeler.

- Section 4.7.1, “Driver General Settings”
- Section 4.7.2, “Driver Configuration”
- Section 4.7.3, “Engine Control Values”
- Section 4.7.4, “Driver Global Configuration Values”
- Section 4.7.5, “Driver Health Configuration”
- Section 4.7.6, “Driver Log Level”
- Section 4.7.7, “Driver Manifest”
- Section 4.7.8, “Driver Named Passwords”
- Section 4.7.9, “Driver Packages”
- Section 4.7.10, “Reciprocal Attributes”
- Section 4.7.11, “Driver Trace Levels”
- Section 4.7.12, “Driver iManager Icon”

4.7.1 Driver General Settings

The following table contains a description of the general settings for drivers.

Table 4-12 General Settings

Field
    Description

Name
    Displays the driver name, which you can change.

Notes
    Enables you to type notes about your driver implementation.

Server/Driver Version
    Displays the server name to which driver is associated. The driver version only shows if the driver is running. Driver versions vary for each driver.
(Deprecated) Basic configuration file
    The field is populated only if you configured your driver by using a driver configuration file instead of packages. Displays the configuration filename that this driver uses. Contains the filename of the configuration file that was used during import. To view the path to this file, click the information icon next to the filename. You might want to view the file to find out version information. If you haven’t yet run the import wizard, this field is set to None.

Supported DN format
    Displays the format (for example, LDAP) that is supported for each driver. This DN information is important for policy building and simulation. For additional details, click the information icon next to the format field.

4.7.2 Driver Configuration

The driver configuration page is dynamic. Labels and descriptions are dynamically read from the driver configuration information. This information is unique for each driver.

The two required options for every driver are Driver Configuration and GCVs. With the Driver Configuration option selected, fill in the required values and parameters that are necessary to have the driver run in your network environment. However, because each driver contains different values and parameters, you need to consult the driver manual for specific values. Go to the Identity Manager Drivers Web site (http://www.novell.com/documentation/idm402drivers/index.html), then select the manual for the driver you are configuring.

- “Driver Module”
- “Authentication”
- “Startup Option”
- “Driver Parameters”
- “ECMAScript”
- “Global Configuration”

Driver Module

Table 4-13 Driver Module Settings

Field
    Description

Java: Name of the Java class
    Specify the name of the Java class that will be instantiated for the shim component of the driver. This class can be located in the classes directory as a class file, or in the lib directory as a .jar file.
Native: Name of the DLL
    Specify the name of the .dll file that will be instantiated for the application shim component of the driver.

Connect to Remote Loader
    Select this option if you want to connect the driver to the Metadirectory engine that uses the Remote Loader.

Driver object password: Set Password
    Set a password for the Driver object. If you are using the Remote Loader, you must enter a password on this page or the remote driver cannot run. The Remote Loader uses this password to authenticate itself to the remote driver.

Remote Loader client configuration for documentation: Include in documentation
    Enables you to document your Remote Loader configuration for the driver. From the drop-down list, select a name that you specified on the driver’s documentation property page. To use this option, see Section 4.7.3, “Engine Control Values,” on page 103.

Authentication

Table 4-14 Authentication Settings

Field
    Description

Authentication information for server
    The server that the driver is associated with.

Authentication ID
    Specify the application user ID. This ID is used to pass Identity Vault subscription information to the application. If you have enabled SSL/TLS for eDirectory drivers, this option is dimmed.

Connection Information
    Specify the address or name and port of the server that the application shim should communicate with.

Set Password
    Enables you to set or change an application password (for example, Active Directory).

Remove Password
    Deletes the password to the application.

Host name
    Specifies the address or name of the machine where the Remote Loader runs. For example, enter hostname=192.168.0.1. If you don't specify this communication parameter, this value defaults to localhost.

Port
    Specifies the port that the Remote Loader uses to accept connections from the remote interface shim. For example, enter port=8090.
    If you don't specify this communication parameter, this value defaults to 8090.

KMO
    Specifies the Key Name of the Key Material Object containing the keys and certificate used for SSL. For example, enter kmo=remote driver cert. If you don't specify this communication parameter, no value is stored for this parameter and SSL won’t be available.

Other parameters
    Provides reference information. It is included when you document your entire project.

Driver Cache Limit

Figure 4-3 Options for the Driver Cache

The driver cache is a file that holds Identity Vault events until a driver can process them. This file can become very large in the following situations:

- If events occur at a steady rate that is faster than Identity Manager can process them over a long period of time.
- If the driver is shut down for a long period of time but is not disabled.

By default, the driver cache (file) size is limited only by available disk space. This is the recommended setting. The only reason to set some other limit is to protect against accidentally filling up the disk. The number that you use depends on the difference between the projected amount of available disk space without anything in the cache and the amount of free disk space that you want to ensure will always be left available, divided by the number of drivers on the server.

The primary reason that the cache file becomes very large is if the driver is left not running over a long period of time. In this case, the recommendation is to disable the driver rather than set a cache limit. After the limit is reached, all the cached events are discarded.

Startup Option

Table 4-15 Startup Settings

Setting
    Description

Auto start
    The driver starts automatically when the Metadirectory engine loads.

Manual
    You must start the driver manually from the driver state location.

Disabled
    Disables the driver.
Do not automatically synchronize the driver
    If you don't select this option, a driver that has been deployed but disabled resynchronizes on startup. If you select this option, a driver that has been deployed but disabled does not resynchronize.

Driver Parameters

From this tab, you can enter common driver options, Subscriber and Publisher channel options, as well as edit XML. Because the Driver Parameters options are different for each driver, refer to the Identity Manager Drivers Web site (http://www.novell.com/documentation/idm402drivers/index.html) for configuration information on the driver you have selected.

ECMAScript

Displays an ordered list of ECMAScript resource files that are loaded when the driver starts. The ECMAScript files contain extension functions that can be used in policies.

To add an ECMAScript from another driver:

1 Click Add, then browse to and select the ECMAScript object from another driver.
2 Click OK.
3 Click Apply to save the change.

For more information, see “Using ECMAScript in Policies” in Policies in Designer 4.0.2.

Global Configuration

You can link in Global Configuration objects to extend GCV definitions for the driver that Identity Manager loads when the driver starts. This allows you to reuse Global Configuration objects instead of creating multiple GCVs for the driver.

To add a Global Configuration object:

1 Click Add, then browse to and select the Global Configuration object.
2 Click Apply to save the change.

You can change the order that the Global Configuration objects are listed by selecting the object, then clicking Up or Down.

4.7.3 Engine Control Values

The engine control values enable you to change certain default behaviors of the Metadirectory engine. You can access the values only if a server is associated with the Driver Set object.
The values are populated based on the Identity Manager version of the servers that are associated with the driver set (servers can be associated through the Engine Controls for Server entry).

Changing a version of an Identity Manager server affects the engine controls for all drivers in a driver set that is associated with the server. When the Identity Manager version is changed, the engine controls for all associated drivers are updated to match the specified version. During the update process, all current settings for existing engine controls are merged into the new engine controls. If the engine controls are not valid for the version of the selected server, they are removed as options.

1 In the Modeler, right-click the driver line.
2 Select Properties > Engine Control Values.
3 Click the tooltip icon to the right of the Engine Controls for Server field.
    If a server is associated with the Identity Vault, and if you are authenticated, the engine control values display in the large pane.

Table 4-16 Engine Control Values

Field
    Description

Subscriber channel retry interval in seconds
    The Subscriber channel retry interval controls how frequently the Metadirectory engine retries the processing of a cached transaction after the application shim's Subscriber object returns a retry status.

Qualified form for DN-syntax attribute values
    The qualified specification for DN-syntax attribute values controls whether values for DN-syntax attribute values are presented in unqualified slash form or qualified slash form. A True setting means the values are presented in qualified form.

Qualified form from rename events
    The qualified form for rename events controls whether the new-name portion of rename events coming from the Identity Vault is presented to the Subscriber channel with type qualifiers. For example, CN=. A True setting means the names are presented in qualified form.
Maximum eDirectory replication wait time in seconds
    The maximum eDirectory replication wait time controls the maximum time that the Metadirectory engine waits for a particular change to replicate between the local replica and a remote replica. This only affects operations where the Metadirectory engine is required to contact a remote eDirectory server in the same tree to perform an operation and might need to wait until some change has replicated to or from the remote server before the operation can be completed (for example, object moves when the Identity Manager server does not hold the master replica of the moved object; file system rights operations for Users created from a template).

Use non-compliant backwards-compatible mode for XSLT
    This control sets the XSLT processor used by the Metadirectory engine to a backward-compatible mode. The backwards-compatible mode causes the XSLT processor to use one or more behaviors that are not XPath 1.0 and XSLT 1.0 standards-compliant. This is done for backwards compatibility with existing DirXML style sheets that depend on the nonstandard behaviors.
    For example, the behavior of the XPath “!=” operator when one operand is a node set and the other operand is other than a node set is incorrect in DirXML releases up to and including Identity Manager 2.0. This behavior has been corrected; however, the corrected behavior is disabled by default through this control in favor of backwards compatibility with existing DirXML style sheets.

Maximum application objects to migrate at once
    This control is used to limit the number of application objects that the Metadirectory engine requests from an application during a single query that is performed as part of a Migrate Objects from Application operation.
    If java.lang.OutOfMemoryError errors are encountered during a Migrate from Application operation, this number should be set lower than the default. The default is 50.
    NOTE: This control does not limit the number of application objects that can be migrated; it merely limits the batch size.

Set creatorsName on objects created in Identity Vault
    This control is used by the Identity Manager engine to determine if the creatorsName attribute should be set to the DN of this driver on all objects created in the Identity Vault by this driver.
    Setting the creatorsName attribute allows for easily identifying objects created by this driver, but also carries a performance penalty. If a value is not set, the creatorsName attribute defaults to the DN of the NCP Server object that is hosting the driver.

Write pending associations
    This control determines whether the Identity Manager engine writes a pending association on an object during Subscriber channel processing.
    Writing a pending association confers little or no benefit but does incur a performance penalty. Nevertheless, the option exists to turn it on for backwards compatibility.

Use password event values
    This control determines the source of the value reported for the nspmDistributionPassword attribute for Subscriber channel Add and Modify events.
    Setting the control to False means that the current value of the nspmDistributionPassword is obtained and reported as the value of the attribute event. This means that only the current password value is available. This is the default behavior.
    Setting the control to True means that the value recorded with the eDirectory event is decrypted and is reported as the value of the attribute event. This means that both the old password value (if it exists) and the replacement password value at the time of the event are available. This is useful for synchronizing passwords to certain applications that require the old password to enable setting a new password.
Enable password synchronization status reporting
    This control determines whether the Identity Manager engine reports the status of Subscriber channel password change events.
    Reporting the status of Subscriber channel password change events allows applications such as the Identity Manager User Application to monitor the synchronization progress of a password change that should be synchronized to the managed application.

Regular Expression escape meta-characters
    This control determines the meta-characters that will be escaped while expanding the local variable when used in a regular expression context. All characters that need to be escaped must be added as a comma separated list for this control value. If a meta-character is not present in the control value, then it will not be escaped during local variable expansion containing a regular expression.
    While using this control, ensure the following:
    - The value is not left empty.
    - To escape any meta character, specify the meta character and include a back slash (\). For example, to escape ^, specify the following value: ^,\
    NOTE: This control is available only from Identity Manager 4.0.2 Engine Patch 4.

4.7.4 Driver Global Configuration Values

Global configuration values (GCVs) are settings that are similar to driver parameters. GCVs can be specified for an individual driver as well as a driver set. If a driver does not have a GCV, the driver inherits the value for that GCV from the driver set.

GCVs allow you to specify settings for Identity Manager features such as password synchronization and driver heartbeat, as well as settings that are specific to the function of an individual driver configuration. Some GCVs are provided with the drivers, but you can also add your own. You can refer to these values in a policy to help you customize your driver configuration.

To edit the driver set’s GCV settings, double-click the Driver Set object in the Modeler view.
From the Global Configuration Values page, you can add, edit, remove, or edit the XML for GCVs.

To view or change the driver’s GCV settings, double-click the driver. From the Global Configuration Values page, you can add, edit, or remove values, or edit the XML file for the driver. To select a value, click the value or the control field to the right of the value’s name. Use the Add, Edit, Remove, and Edit XML buttons at the bottom of the page.

Figure 4-4 The Global Configuration Values Page

You can add, edit, and remove GCVs on the Global Configuration Values page, except for those values found under the Password Management heading. Password values are accessed through the Password Synchronization page; click the Launch Password Sync Dialog icon to the right of the Information icon for the control field.

The two required options for configuring a driver are Driver Configuration and GCVs. However, because each driver contains different values and parameters, you need to consult the driver manual for specific values. Go to the Identity Manager Drivers Web site (http://www.novell.com/documentation/idm402drivers/index.html), then select the manual for the driver you are configuring.

4.7.5 Driver Health Configuration

The Driver Health Configuration allows you to monitor a driver’s state of health (green, yellow, or red), and to specify the actions to perform in response to each of these health states.

To do so, you define the conditions (criteria) that determine each of the health states, and the associated actions to perform whenever the driver’s health state changes. For example, if the driver’s health changes from a green state to a yellow state (based on the conditions you establish), you can perform such actions as restarting the driver, shutting down the driver, and sending an e-mail to the person designated to resolve issues with the driver.
You can also define custom driver states that are independent of the standard green, yellow and red. Whenever the driver meets the conditions for the custom state, Designer performs the associated actions.

To use the Driver Health Configuration to monitor a driver’s health state, you must complete the following tasks:

- “Creating a Driver Health Configuration”
- “Modifying the Health State Conditions”
- “Creating a Driver Health Job”

Additionally, you can perform the following tasks to further configure the Driver Health Check environment:

- “Modifying the Health State Actions”
- “Creating a Custom State”
- “Modifying the Driver Health Job Settings”

NOTE: Monitoring driver health is applicable only to deployed drivers. Designer does not indicate driver health in the Modeler or any other pre-deployment interface. After you set up the health configuration, you use iManager to actually monitor the health of deployed drivers. For more information about driver health monitoring in iManager, see “Monitoring Driver Health” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

Creating a Driver Health Configuration

The health configuration of drivers is configured automatically, unless you are running older versions of Identity Manager. If you are running anything older than Identity Manager 3.6, you must complete the following section to create a driver health configuration. Otherwise, skip this section.

1 In the Modeler or Outline view, right-click the driver, then select Properties.
2 In the left-side navigation, select Health.
3 Select New Driver Health Configuration.
    Designer creates a basic health configuration with sample conditions for the green and yellow states (none for red).
4 Continue with “Modifying the Health State Conditions” on page 108.
Modifying the Health State Conditions

The driver health configuration lets you define the conditions that determine each health state. The green state contains conditions intended to represent a healthy driver, and a red state represents an unhealthy driver that has failed the conditions for both green and yellow states.

The Driver Health job evaluates the conditions for the green state first. If the driver fails to meet the green conditions, it evaluates the yellow conditions. If the driver fails to meet the yellow conditions, it is automatically assigned a red state.

To modify the conditions for a state:

1 In the Modeler or Outline view, right-click the driver where you want to modify the health check configuration, then select Properties.
2 In the left-side navigation, select Health.
3 Click the state tab (Green or Yellow) that you want to modify.
    The tab displays the current conditions for the health state. Conditions are organized into groups, with logical operators (either AND or OR), to link each condition and condition group.
    Table 4-17 describes the conditions that the Driver Health job can evaluate.

Table 4-17 Driver Health Check Conditions

Condition
    Description

Driver State
    Running, stopped, starting, not running, or shutting down. For example, one of the default conditions for the green health state is a Driver State that indicates the driver is running.

Driver in Cache Overflow
    The state of the cache used for holding driver transactions. If the driver is in cache overflow, all available cache has been used. For example, the default condition for the green health state is Driver in Cache Overflow is false and the default for the yellow health state is Driver in Cache Overflow is true.

Newest
    The age of the newest transaction in the cache.

Oldest
    The age of the oldest transaction in the cache.

Total Size
    The size of the cache in bytes.
Unprocessed Size
    The size of all unprocessed transactions in the cache.

Unprocessed Transactions
    The number of unprocessed transactions in the cache. You can specify all transactions types or specific transaction types (such as adds, removes, or renames).

Transaction History
    The number of transactions processed at various points in the Subscriber or Publisher channel over a given period of time. This condition uses multiple elements in the following format:
    <transaction type> <transaction location and time period> <relational operator> <transaction number>
    <transaction type>: Specifies the type of transaction being evaluated. For example, adds, removes, renames, and so forth.
    <transaction location and time period>: Specifies the point in the Subscriber or Publisher channel and the time period being evaluated. For example, you might evaluate the total number of transactions processed as Publisher events over the last 48 hours. The time period cannot exceed the Transaction Data Duration setting, which is configurable in the Driver Health job. For more information, see “Modifying the Driver Health Job Settings” on page 113.
    <relational operator>: Specifies the relationship between the identified transactions and the <transaction number> (equal to, less than, greater than, and so forth).
    <transaction number>: Specifies the number of transactions being used in the evaluation.
    For example:
    <number of adds> <as publisher commands> <over the last 10 minutes> <is less than> <1000>

Available History
    The amount of transaction history data that is available for evaluation. This condition helps ensure that a Transactions History condition does not cause the current state to fail because it does not have enough transaction history data collected for the time period being evaluated.
For example, assume that you want to use the Transactions History condition to evaluate the number of “Add as Publisher” commands over the last 48 hours. However, you don't want the condition to fail if there is less than 48 hours of data. You could create condition groups similar to the following:

Group1
    Available History <is less than> <48 hours>
or
Group2
    Available History <is greater than or equal to> <48 hours>
    and
    Transactions History <number of adds> <as publisher commands> <over the last 48 hours> <is less than> <1000>

The state evaluates to true if either condition group is true. The state evaluates to false if both conditions evaluate to false.

4 Modify the condition criteria as desired.
To add a new group, select the Conditions tab, then click Append Condition Group.
To add a condition, select an existing condition group, then click Append Condition.
To reorder condition groups or individual conditions, select the condition group or condition, then click Move Up or Move Down. You can also use these buttons to move a condition from one group to another.
Cut, copy, and paste a condition group or condition to the clipboard by right-clicking the item, then selecting the appropriate clipboard action.
5 Click Apply to save your changes without closing the Properties page, or click OK to save the changes and close the Properties page.
6 If you want to change the actions associated with the conditions you set, continue with “Modifying the Health State Actions” on page 111.

Creating a Driver Health Job

The Driver Health job executes periodically to evaluate the health of a driver configured for health checks. The job evaluates the conditions defined for each of the driver’s health states, then assigns the driver the appropriate state. The job also executes any actions associated with the assigned state.

If a Driver Health job does not exist, the Driver Health Configuration page displays a New Driver link from which you can configure the Driver Health job.
If a Driver Health job already exists, the Driver Health Configuration page does not display this prompt.

To create a Driver Health job:

1 In the Modeler or Outline view, right-click the driver, then select Properties.
2 In the left-side navigation, select Health.
3 Click Driver Health Job to open the Job dialog box. Select the appropriate job, then click OK.
Follow the prompts to import the configuration file for the Driver Health job. Refer to the following information for details:
Where to place the driver: Place the job in the same driver set as the driver. The correct driver set is selected by default. You can only have one Driver Health job per driver set.
Import a configuration: Import the configuration from the server. In the Show field, select Identity Manager 4.0.2 configurations, then select the Driver Health job in the Configurations field.
Email server: Select the e-mail server that you want used for any actions that initiate email. If you have not defined additional e-mail servers, select the Default Notification Collection server.
Servers: If the driver set is associated with only one server, that server is selected and cannot be changed. If the driver set is associated with multiple servers, select the server where you want to run the job.

After creating the Driver Health job, you can modify job settings as needed. For example, you can configure how often the job runs, which drivers use the job, and how much data the job maintains to support transaction history. For more information, see “Modifying the Driver Health Job Settings” on page 113.

Modifying the Health State Actions

The Driver Health Configuration lets you define the actions that the Driver Health job performs when the driver health state changes. For example, if the state changes from green to yellow, you can shut down or restart the driver, generate an event, or start a workflow.
The Driver Health job performs a health state’s actions only once each time the conditions are met; as long as the driver state remains the same, the actions do not repeat. If the driver state changes because its conditions are no longer met, the Driver Health job performs the state’s actions again the next time its conditions are met.

1 In the Modeler or Outline view, right-click the driver where you want to modify the health check configuration, then select Properties.
2 In the left-side navigation, select Health.
3 Select the state tab (Green or Yellow) that you want to modify.
The tab displays the current actions for the health state. If no action is assigned, the Driver Health Configuration displays Define new action here in the Actions tab.
4 Select the Actions tab, then click Append Action to add an action to the health state.
5 Select an action from the drop-down list.
The table below describes the actions that the Driver Health job can perform. Some actions require additional information before they will execute.

Action: Description
Clear Driver Cache: Removes all transactions, including unprocessed transactions, from the cache.
Execute ECMAScript: Executes an existing ECMAScript. Specify the DirXML-Resource object that contains the ECMAScript.
Generate Event: Generates an event that can be used by Novell Sentinel and the Identity Reporting Module.
On Error: If an action fails, this action tells Designer what to do with the remaining actions, the current health state, and the Driver Health job.
Restart Driver: Restarts the driver (stop, then start).
Send Email: Sends an e-mail to one or more recipients. The template you want used in the e-mail message body must already exist.
Start Driver: Starts the driver.
Start Workflow: Starts a provisioning workflow.
Stop Driver: Stops the driver.
Write Trace Message: Writes a message to the driver’s log file, using the message parameters specified in the action.
6 Click Apply to save your changes without closing the Properties page, or click OK to save the changes and close the Properties page.

Creating a Custom State

The Driver Health Configuration lets you create one or more custom states to perform actions independent of the driver’s current health state (green, yellow, red). If the driver meets the custom state’s conditions, the Driver Health job performs its actions.

As with the standard driver health states (green, yellow, red), the Driver Health job performs a custom state’s actions only once each time the conditions are met; as long as the driver state remains the same, the actions do not repeat. If the driver state changes because the custom state’s conditions are no longer met, the Driver Health job performs the custom state’s actions again the next time its conditions are met.

1 In the Modeler or Outline view, right-click the driver where you want to create a custom state, then select Properties.
2 In the left-side navigation, select Health.
3 Select the drop-down menu, then select New Custom State.
4 Define the conditions and actions for the custom state, then click Apply to save the changes without closing the Properties page, or click OK to save the changes and close the Properties page.
For information about defining state conditions, see “Modifying the Health State Conditions” on page 108. For information about defining state actions, see “Modifying the Health State Actions” on page 111.

Modifying the Driver Health Job Settings

The Driver Health job evaluates the conditions for the health states and assigns the driver the appropriate state. The job also executes any actions associated with the assigned state.
As with all driver jobs, there are several settings that you can modify to optimize the job’s performance for your environment, including how often the job runs, which drivers use the job, and how much data the job maintains to support transaction history.

1 In the Modeler or Outline view, open the driver set object where the driver health job is stored.
2 Right-click the appropriate job object, then select Edit.
3 Change the desired settings on the following tabs, then click OK to save your changes:

Tab: Description
Schedule: The Driver Health job is a continuously running job, meaning that it does not stop unless a health state action shuts it down or you shut it down manually. The job must run continuously to be able to support transaction data collection for use in Transactions History conditions. If the job does stop, it is restarted based on the schedule. The default schedule checks every minute to see if the job is running. If the job is not running, it is started.
Scope: By default, the job applies to all drivers in the driver set. This means that you only need one Driver Health job per driver set. However, you can create multiple Driver Health jobs for different drivers within the same driver set. For example, you might have some drivers whose health you want updated more frequently than other drivers, in which case you would need at least two Driver Health jobs.
Parameters: You can change any of the following job parameters:
Login ID: This defaults to the login ID that was used when creating the driver job. You should only change this if you want the driver to authenticate using different credentials.
Login password: This is the password required for the login ID that you supplied in the Login ID field.
Polling interval: Determines how often the job evaluates the conditions for the health states, assigns the driver the appropriate state, executes any actions associated with the assigned state, and stores the driver’s transaction data. The default polling interval is one minute.
Polling interval units: Specifies the time unit (minutes, hours, days, weeks) for the number specified in the Polling interval setting.
Duration transaction data is kept: Specifies how long a driver’s transaction data is kept. The default retains a transaction for two weeks before being deleted. Longer transaction durations require more memory. For example, to store transaction data for one driver every minute (Polling interval) for two weeks requires approximately 15 MB of memory.
Duration units: Specifies the time unit (minutes, hours, days, weeks) for the number specified in the Duration transaction data is kept setting.

4.7.6 Driver Log Level

The Driver Log Level options enable you to view high-level information. For lower-level information, use the Trace option. See Section 4.7.11, “Driver Trace Levels,” on page 119.

By default, logging inherits the setting from the driver set. To change the default:

1 Right-click the driver and select Driver > Properties.
2 Select Log Level.
3 Select a logging option.
The option that you select determines which information is available in the log.
4 To configure the audit instrumentation, select Log specific events, click the event selector button, select events, then click OK.
5 Specify the number of entries in the log.
The default is 50 entries (lines) in the log. If you want a longer history, increase the number.
6 Save changes by clicking OK.

The driver log contains messages from the driver. The messages are related to operations that the driver performed or tried to perform. To view the log, use iManager. Select the log icon on the Driver object in the Identity Manager Overview.
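The evaluation order, condition groups and once-per-change actions described in the Driver Health sections earlier in this chapter can be followed in a small model. This is an added example, not Novell code and not the Driver Health job's implementation; the metric names (history_h, adds, overflow), the classes and the sample readings are constructed. It assumes that a Transaction History condition cannot be met when less data than its time period has been collected, which is the case the Available History guard exists for.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Metrics = Dict[str, float]            # one poll's readings; key names are this example's own
Condition = Callable[[Metrics], bool]


def _join(op: str, results: List[bool]) -> bool:
    """Combine results with the logical operator chosen for a group or a state."""
    if op not in ("and", "or"):
        raise ValueError(f"unknown operator: {op}")
    return all(results) if op == "and" else any(results)


@dataclass
class Group:
    """Condition group: its conditions are linked by a single AND or OR."""
    conditions: List[Condition]
    op: str = "and"

    def holds(self, m: Metrics) -> bool:
        return _join(self.op, [c(m) for c in self.conditions])


@dataclass
class State:
    """Health state: condition groups linked by AND or OR, plus the state's actions."""
    name: str
    groups: List[Group]
    group_op: str = "or"
    actions: List[str] = field(default_factory=list)

    def holds(self, m: Metrics) -> bool:
        return _join(self.group_op, [g.holds(m) for g in self.groups])


def available_history(test: Callable[[float], bool]) -> Condition:
    """Available History condition over the hours of collected transaction data."""
    return lambda m: test(m["history_h"])


def adds_under(limit: int, window_h: float) -> Condition:
    """Transaction History: publisher adds over the last window_h hours < limit.
    Assumption: with less data than the window, the condition cannot be met."""
    return lambda m: m["history_h"] >= window_h and m["adds"] < limit


def assign_state(green: State, yellow: State, m: Metrics) -> str:
    """Green is evaluated first, then yellow; failing both means red."""
    if green.holds(m):
        return "green"
    if yellow.holds(m):
        return "yellow"
    return "red"


class HealthJob:
    """Remembers the last assigned state so actions run once per state change."""

    def __init__(self, green: State, yellow: State) -> None:
        self.green, self.yellow = green, yellow
        self.last: Optional[str] = None

    def poll(self, m: Metrics) -> Tuple[str, List[str]]:
        state = assign_state(self.green, self.yellow, m)
        by_name = {"green": self.green.actions, "yellow": self.yellow.actions}
        # Actions fire only when the assigned state differs from the previous poll.
        fired = list(by_name.get(state, [])) if state != self.last else []
        self.last = state
        return state, fired


# Green as in the guide's example: Group1 OR Group2.
GUARDED_GREEN = State("green", [
    Group([available_history(lambda h: h < 48)]),
    Group([available_history(lambda h: h >= 48), adds_under(1000, 48)], op="and"),
], group_op="or", actions=["Generate Event"])
# The same state with Group1 (the Available History guard) left out.
UNGUARDED_GREEN = State("green", [Group([adds_under(1000, 48)])])
# Yellow uses the default the guide names: Driver in Cache Overflow is true.
YELLOW = State("yellow", [Group([lambda m: bool(m["overflow"])])], actions=["Send Email"])

# Constructed readings, one per polling interval.
POLLS: List[Metrics] = [
    {"history_h": 2, "adds": 10, "overflow": 0},     # job just started, little history
    {"history_h": 50, "adds": 400, "overflow": 0},   # enough history, under the limit
    {"history_h": 50, "adds": 1500, "overflow": 1},  # over the limit, cache overflow
    {"history_h": 50, "adds": 1500, "overflow": 1},  # unchanged since the last poll
    {"history_h": 50, "adds": 1500, "overflow": 0},  # meets neither green nor yellow
    {"history_h": 50, "adds": 1500, "overflow": 1},  # yellow conditions met again
]


def run(polls: List[Metrics], green: State = GUARDED_GREEN,
        yellow: State = YELLOW) -> List[Tuple[str, List[str]]]:
    """Feed the readings to one job and collect (state, actions fired) per poll."""
    job = HealthJob(green, yellow)
    return [job.poll(m) for m in polls]


if __name__ == "__main__":
    for reading, (state, fired) in zip(POLLS, run(POLLS)):
        print(reading, "->", state, fired)
```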
4.7.7 Driver Manifest

The driver manifest is like a resume for the driver. The driver manifest states what the driver supports, and includes a few configuration settings. The driver developer should provide the driver manifest. Usually a network administrator does not need to edit the driver manifest. For more information, see the developer documentation for Identity Manager drivers.

4.7.8 Driver Named Passwords

The Named Passwords property page allows you to manage (add, edit, delete) named passwords for the selected driver. You can define named passwords on both drivers and driver sets.

Named passwords let you store multiple passwords securely by referring to each password by a key, or name. When you refer to the named password in a driver policy, you use the name only, not the password value. Then, when the driver needs the password value to execute the policy, it requests the password value from the Metadirectory engine. This method lets you avoid revealing the password value in the code for a driver policy.

The following example shows how a named password can be referenced in a driver policy on the Subscriber channel in XSLT:

<xsl:value-of select="query:getNamedPassword($srcQueryProcessor,'mynamedpassword')"
    xmlns:query="http://www.novell.com/java/com.novell.nds.dirxml.driver.XdsQueryProcessor"/>

You can store and retrieve named passwords for any driver without making changes to the driver shim. As a security measure, in addition to using named passwords, you should control access to all Identity Manager objects in eDirectory.

NOTE: A driver developer can also customize a driver to use named passwords in other ways, such as retrieving named passwords when the driver starts up, instead of requesting them from the Metadirectory engine each time they are needed.
For example, the Identity Manager Driver for Lotus Notes has been customized to support additional ways of using named passwords, and examples of those methods are included in the sample driver configurations. For more information, see the Identity Manager driver guides (http://www.novell.com/documentation/idm402drivers/index.html).

4.7.9 Driver Packages

The Packages option allows you to manage any packages at the driver set level. A package at the driver set level is applied to all of the drivers that reside in the selected driver set. The following table lists the options available to manage packages. For more information about packages, see Chapter 6, “Managing Packages,” on page 147.

Table 4-18 Options for Managing Packages

Options: Descriptions
Add package: Adds a package to the driver. You must add a package before you can install a package. Click the Add package icon, then select the package to install and click OK.
Create package: The Create package option is only available if the Enable Package Developer Mode is selected on the Identity Vault Configuration page. Only developers create packages for redistribution.
Package: Lists the name and current state of the package.
Version: Lists the version of the package.
Upgrades: Indicates that there is a newer version of a package imported into the package catalog, but it has not been installed. The package needs to be upgraded.
Operations: Lists the operations that can be performed on a package:
Install: This option is only available after a package is added to the driver. Select Install, then click Apply to install the package.
Uninstall: This option is only available after a package is installed to the driver. Select Uninstall, then click Apply to uninstall the package.
Upgrade: This option is only available if there is a newer version of the package available for installation. Select Upgrade, then click OK to upgrade the package.
Downgrade: This option is only available if you have upgraded a package and the older package is installed in the package catalog. Select Downgrade, then click OK to downgrade the package.
Revert Customizations: This option is only available if you have made changes to the policies that are installed with a package. Select Revert Customization, then click Apply to remove the customization.
Sync Customizations: This option is only available if the Enable Package Developer mode is enabled on the Identity Vault and you have made changes to content in a custom package that is installed on this driver. The Sync Customizations option synchronizes any changes you have made to the package content to the package. For more information, see Section 7, “Developing Packages,” on page 161.
Run driver in Factory Mode: Allows you to revert any customizations to content installed with packages. For more information, see Section 6.4.4, “Running a Driver in Factory Mode,” on page 158.

4.7.10 Reciprocal Attributes

The Reciprocal Attributes property page lets you create and manage backlinks between objects. For example, the Group object includes a Members attribute that contains pointers to all User objects that belong to that group. Similarly, each User object includes a Group Membership attribute that points to the Group objects of which that user is a member. These two-way links between objects are known as reciprocal mappings.

Figure 4-5 Custom Reciprocal Attribute Mapping Property Page for Driver Objects

You can manage all reciprocal mapping configuration from the toolbar in the property page, which contains the following toolbar icons:

Use the New Attribute icon to add a new attribute to the reciprocal mapping list.
Use the Delete icon to delete the currently selected reciprocal mapping entry from the list.
Use the Clear All Attribute Mappings icon to delete all reciprocal mappings.
Use the Move Up icon to move the currently selected attribute up in the mapping list. To do so, select the attribute entry you want to move up, then click Move Up.
Use the Move Down icon to move the currently selected attribute down in the mapping list. To do so, select the attribute entry you want to move down, then click Move Down.
Use the Expand All icon to expand all reciprocal attribute mapping entries.
Use the Collapse All icon to collapse all reciprocal attribute mapping entries.

The Custom Reciprocal Mapping page lets you do the following:

“Adding a Reciprocal Attribute Mapping” on page 118
“Removing a Reciprocal Attribute Mapping” on page 119
“Removing an Attribute from the Reciprocal Mapping List” on page 119
“Editing Reciprocal Attribute XML” on page 119

Adding a Reciprocal Attribute Mapping

When you create a reciprocal attribute mapping, you must first add one of the attributes to the reciprocal mapping list:

1 On the Reciprocal Attributes page, click New Attribute.
2 In the new attribute entry, select the desired attribute from the drop-down list, then click OK.
3 Specify the details of the reciprocal mapping, then click OK.
Source Class: Specifies the class name to which the attribute in the mapping list is associated. For example, if you placed the Group Membership attribute in the reciprocal mapping list, the associated Source Class is User.
Destination Class: Specifies the class name associated with the attribute to which you want to create a reciprocal mapping.
Reciprocal Attribute: Specifies the attribute name to which you want to create a reciprocal mapping.

Removing a Reciprocal Attribute Mapping

To remove a reciprocal mapping between attributes:

1 In the reciprocal mapping list, select the reciprocal mapping you want to remove.
When the mapping is selected, the attribute name in the Attribute tab is highlighted.
2 Click Delete.
Removing an Attribute from the Reciprocal Mapping List

1 Select the attribute you want to remove by selecting it in the reciprocal mapping list.
When selected, the attribute name in the Attribute tab is highlighted.
2 Click Delete.
To remove all attributes from the reciprocal attribute mapping list, click Clear All Attribute Mappings.

Editing Reciprocal Attribute XML

If desired, you can directly edit the XML for a reciprocal attribute. To do so, click Edit XML on the Custom Reciprocal Attribute Mapping page. This opens a basic XML editor that lets you modify the XML. When you finish, click OK or Cancel to close the XML editor.

4.7.11 Driver Trace Levels

You can add a trace to your driver. With the driver trace level set, DS Trace displays driver-related Identity Manager events, at the level of detail specified by the driver trace level, as the engine processes the events. The driver trace level affects only the driver or driver set where it is set.

IMPORTANT: You should use the trace level only for testing or for troubleshooting driver issues. Setting a driver trace level on a production driver can cause Identity Manager server to process events slowly.

To set a driver’s trace characteristics:

1 In the Outline view or Modeler, right-click the driver, then select Properties.
2 In the driver properties, select Trace in the left navigation.
3 On the Trace page, specify the driver’s trace settings, then click OK.

Field / Description

Trace level
The Metadirectory engine supports the following trace levels:
Trace level 0: Displays fatal messages, errors, warnings and successes.
Trace level 1: Displays informational messages in addition to the information from Trace level 0.
Trace level 2: Displays contents of XML documents in addition to the information from Trace level 1.
Trace level 3: Displays policy information in addition to the information from Trace level 2.
Consult the driver documentation for additional trace options that might be available.
NOTE: You can also set the driver trace level in Designer by right-clicking a driver (in the Outline or Modeler views) and selecting Live > Set Driver Trace Level. This immediately deploys the trace level to the selected driver. To update the driver trace level in your project as well, select Update local model.

Trace level: Use setting from the driver set
If you select this option, all trace levels set at the driver set take precedence over any driver settings. Otherwise, the driver settings are effective.

Trace file
Specify a filename and location where the Identity Manager information is written for the selected driver. When a value is set in this field, all Java information for the driver is written to file. As long as the file is specified, Java information is written to this file. If you do not need to debug Java, leave this field blank.

Trace file: Use setting from the driver set
If you select this option, all trace levels set at the driver set level take precedence over any driver settings. Otherwise, settings at the driver level are effective.

Trace File Encoding
The trace file uses the system’s default encoding. You can specify another encoding if desired.

Trace file size limit
Allows you to set a limit for the Java trace file. Select Unlimited to allow the file to grow to fill the disk.
NOTE: The trace file is created in multiple files. Identity Manager automatically divides the maximum file size by ten and creates ten separate files. The combined size of these files equals the maximum trace file size.

Trace file size limit: Use setting from the driver set
If you select this option, all trace levels set at the driver set level take precedence over any driver settings. Otherwise, settings at the driver level are effective.

Trace name
Helps you track trace messages.
The name that you specify here appears with the driver trace messages. Use a trace name if the driver name is very long.

The following methods help you capture and save Identity Manager trace information.

Windows

Open the Control Panel, select NDS Services, then click DS Trace.DLM > Start. A window named NDS Server Trace Utility opens.

To set the filters to capture the Identity Manager trace information:

1 Click Edit > Options > Clear All.
2 Click the boxes next to DirXML and DirXML Drivers, then click OK.

To save the information to a file:

1 Click File > New.
A dialog box prompts for a filename.
2 Enter a filename with the extension of .log.
3 To stop capturing information, click File > Close.
The file is saved.

UNIX

Use the ndstrace command at the console to display the Identity Manager events. The exit command quits the trace utility.

Table 4-19 ndstrace Commands

Command: Description
Set ndstrace=nodebug: Turns off all trace flags.
Set ndstrace on: Displays trace messages to the console.
Set ndstrace file on: Captures trace messages to the ndstrace.log file in the /var/nds directory.
Set ndstrace file off: Stops capturing trace messages to the file.
Set ndstrace=+dxml: Displays the Identity Manager events.
Set ndstrace=+dvrs: Displays the Identity Manager driver events.

iMonitor

Use iMonitor to get DS Trace information from a Web browser.

Table 4-20 Platforms and Commands for Web Browsers

Platform: Command
Windows: ndsimon.dlm
Linux/Solaris/AIX/HP-UX: ndsimonitor

1 Access iMonitor from http://server_ip:8008/nds (the default port).
2 Click Trace Configuration.
3 Click Clear All.
4 Click DirXML and DirXML Drivers.
5 Click Trace On, then click Trace History.
6 Click the Current document icon to view the live trace.

4.7.12 Driver iManager Icon

You can see and edit the iManager icons that each driver uses. This is important because iManager renders driver icons in a particular way. However, those icons don't appear in Designer.
Conversely, Designer's application icons don't appear in iManager's user interface. To help bridge that gap, you can view the iManager icon to be used in Designer:

1 In the Modeler, right-click a driver (for example, eDirectory), then select Properties.
2 In the left navigation area, select iManager Icon.
Designer displays an icon. It is associated with the driver in Designer, unless a different one was imported and stored on the driver.

For information about editing or changing icons, see Chapter 19, “Editing Icons for Drivers and Applications,” on page 501.

4.8 Configuring Policies

Section 4.8.1, “Editing a Policy Name,” on page 122
Section 4.8.2, “Viewing References,” on page 123

4.8.1 Editing a Policy Name

1 In the Outline view, right-click a policy or rule.
2 Select Properties.
The General setting displays by default.
3 Edit the name in the Policy Name field, then click OK.

4.8.2 Viewing References

The References page lists policy sets and policies that reference the policy listed in the General page. To view the references to this policy:

1 In the Outline view, right-click a policy or rule.
2 Select Properties > References.

Linkage is how the policies reference each other. In Identity Manager versions earlier than 3.5, linkage determined the order that policies were executed. To change the linkage, use the Policy Builder.

4.9 Configuring Resource Objects

Resource objects store arbitrary data in any format that drivers use. There are different types of Resource objects. For more information, see “Storing Information in Resource Objects” in Policies in Designer 4.0.2.

The configuration options for Resource objects are:

Policy Name: Stores the name of the resource object. You can change the name.
Supported Mime Types: Allows you to change the type of Resource object. For example, you can change a text Resource object to an XML Resource object.
4.10 Configuring Categories

Packages are organized by categories so it is easier to find the packages you need. When you configure the category, you can change the name or add a description.

4.11 Configuring Groups

Packages are organized by categories and then groups. This makes finding packages much easier. When you configure the group, you can change the name or add a description.

4.12 Configuring Packages

Packages contain Identity Manager content used to create drivers. You can make configuration changes to packages by right-clicking a package and selecting Properties. For more information about packages, see Chapter 6, “Managing Packages,” on page 147.

Section 4.12.1, “Package General Settings,” on page 124
Section 4.12.2, “Package Configuration Wizard,” on page 124
Section 4.12.3, “Package Constraints,” on page 125
Section 4.12.4, “Package Dependencies,” on page 126
Section 4.12.5, “Package Initial Settings,” on page 126
Section 4.12.6, “Package Languages,” on page 126
Section 4.12.7, “Package License,” on page 126
Section 4.12.8, “Package Linkage,” on page 126
Section 4.12.9, “Package Readme,” on page 126
Section 4.12.10, “Package Targets,” on page 127
Section 4.12.11, “Package Vendor,” on page 127

4.12.1 Package General Settings

This property page lists the general settings for the package. These options can be changed only when a package is being developed. After a package is released or imported, these items cannot change.

Table 4-21 Package General Settings

Setting: Description
Name: Displays the package name.
Short Name: Displays the unique short name for the package. This name is unique for the package in the Identity Vault.
Version: Displays the package version.
Description: Displays a description for the package.
Type: Lists what type of package it is. It lists whether it is a base package, and if it can be installed on an Identity Vault, driver set, or driver.
Protected: If this option is selected, the Copy package option is disabled on imported packages. This allows a developer to protect the content of a package and not allow someone else to create a new package with this content.
Category: Lists the category the package is stored in.
Group: Lists the group the package is stored in.
Meta data: Lists specific information about a package. It lists:
When the package was created.
When the package was built.
If the package is released or not.
If the package has been imported.
Lists where the package is hosted.
Lists the name of the user who built the package.

4.12.2 Package Configuration Wizard

This property page is displayed only on driver base packages. The settings customize what is displayed when users use the Driver Configuration Wizard to install a driver base package.

The Configuration Wizard is an XML editor. Copy the contents from an existing driver base package that contains the functionality you want to have in this driver base package to this page.
The following is taken from the Active Directory driver base package as an example:

<?xml version="1.0" encoding="UTF-8"?>
<features>
    <mandatory/>
    <optional>
        <group display-name="Default Configuration" expanded="false">
            <package id="5DRKWAWH_201009040020200702" name="Defautl Configuration" selected="true"/>
        </group>
        <group display-name="Entitlements and Exchange Mailbox Support" expanded="false">
            <package id="PJP89Z9R_201003031352370466" name="Active Directory Entitlements and Exchange Mailbox Support" selected="true"/>
            <package id="DETECXTK_201004161538110582" name="Audit Entitlements Common" selected="true"/>
            <package id="YMO9C1Y3_201006291302430386" name="Active Directory Audit Entitlements" selected="true"/>
        </group>
        <group display-name="Password Synchronization" expanded="false">
            <package id="XTEF1YO3_201006231733410161" name="Password Synchronization Common" selected="true"/>
            <package id="4EHOWL6T_201006291417220804" name="Active Directory Password Synchronization" selected="true"/>
        </group>
        <group display-name="Data Collection" expanded="false">
            <package id="IJLG31AY_201006141353520247" name="Managed System Information for AD" selected="true"/>
            <package id="S3NVESCX_201005251632080655" name="Generic Data Collection Query Support" selected="true"/>
        </group>
        <group display-name="Account Tracking" expanded="false">
            <package id="WUHJYFNL_201003011427170743" name="Account Tracking Common" selected="true"/>
            <package id="MMXLVRGT_201003011554580470" name="Active Directory Account Tracking" selected="true"/>
        </group>
    </optional>
</features>

4.12.3 Package Constraints

The package constraints list the restrictions associated with a package. These options can only be changed when a package is being developed. After a package is released or imported, these items cannot change.
Table 4-22 Package Constraints Settings

Constraint: Description
IDM Compatibility: Lists the minimum and maximum versions of Identity Manager that the package supports. These settings are always populated.
Application Compatibility: Lists the minimum and maximum versions of the application the package supports. These settings are not required for all packages.
Driver Type: Lists all of the supported driver types the package can be used with.

4.12.4 Package Dependencies

The Package Dependencies property page lists the packages that the current package needs to run. Packages are divided up into much smaller pieces than a driver configuration file. Some packages have dependencies on other packages and some do not.

Table 4-23 Package Dependencies Settings

Setting: Description
Name: Lists the name of the package that is a dependency.
Minimum: Lists the minimum version of the package dependency.
Less than: Lists the highest version of the package dependency.
Exceptions: If there is a version of the package that is not a dependency, it is listed as an exception.
Add dependency: Allows you to add dependencies to the package you are currently developing. This option is not available for released packages.
Remove dependency: Allows you to remove dependencies to the package you are currently developing. This option is not available for released packages.

4.12.5 Package Initial Settings

The initial settings are used by package developers to create a template of items that are required for a driver to start. This information is specified in ds-object code that modifies the driver object at installation. The ds-object code installs driver shim parameters, driver start options, named passwords, GCVs, and filters. Unlike other package content, these settings cannot be uninstalled.

4.12.6 Package Languages

The Package Languages property page lists the languages that the package is translated into.

4.12.7 Package License

The Package License property page lists the license for the package.

4.12.8 Package Linkage

The Package Linkage property page lists all of the places the package is linked to in your project. Linking allows you to install content in package A and link to this content in package B. This allows you to create generic policies that can be reused, then link the policies with minor differences for a specific driver.

4.12.9 Package Readme

The package Readme lists the information the developer wants you to know about the package. For example, it can contain a list of new features in a package version, what the linkage directives should be for a package, and a change log for the package. For more information about package development, see Section 7, “Developing Packages,” on page 161.

4.12.10 Package Targets

The package targets are all of the places where the package is installed in your project. This allows you to see where the package is being used if you need to uninstall a package.

4.12.11 Package Vendor

The package vendor information is listed on this property page. This allows you to contact the vendor of a package if you need more information about a package.

Table 4-24 Vendor Settings

Vendor Name: Specify the vendor name. If this is for internal consumption, specify the name of your company.
Vendor Address: Specify the address for the vendor or your company.
Vendor URL: Specify the URL of the vendor or your company.
Vendor eMail: Specify an e-mail for the vendor or your company.
Contact Name: If there is a specific contact person for this package, specify his or her name.
Contact eMail: If there is a specific e-mail address for the contact person, specify it in this field.

4.13 Configuring Package Content

You can view or change configuration settings for the content of a package.
You can change the content only when the package developer mode is enabled on the Identity Vault. For more information, see Section 7, “Developing Packages,” on page 161.

To view the properties of the package content, expand any package, then right-click the content and click Properties.

Section 4.13.1, “Package Content General Settings”
Section 4.13.2, “Package Content Installation”
Section 4.13.3, “Package Content Linkage”

4.13.1 Package Content General Settings

You can either view or change the general settings for the package content.

Name: Displays the name of the item in the package.
Notes: Displays any notes about the content of the package.

4.13.2 Package Content Installation

This page displays the installation directive for the package content. It lists the order of installation of the content in the package. If you have multiple policies, it lists the order that the policies are executed.

4.13.3 Package Content Linkage

This page displays the order of how the policy is linked in the policy set. This displays the order that the policies are executed in the policy set even if the policies are part of separate packages.

4.14 Configuring Prompts

Prompts are Global Configuration objects that are contained in packages. The prompts are the fields that are presented to users when they create a driver. The prompts are created by developers so users can configure the driver correctly. For more information, see Section 7.6.8, “Adding Default Package Prompts,” on page 185.

Prompts are stored in a Resources folder under the package in the package catalog. To see the properties of the prompt, right-click the prompt, then click Properties.

Section 4.14.1, “Prompts General Settings”
Section 4.14.2, “Prompts”
Section 4.14.3, “Prompts Transformation”
Section 4.14.4, “Target Transformation”

4.14.1 Prompts General Settings

You can change many of the general settings for the prompts.

Table 4-25 Prompts General Settings

Name: Displays the name of the prompt. You cannot change the name of the prompt. It is set when the prompt is created. The name of the prompt is a combination of the package name and the prompt type.
Type: A list of the different prompt types. You can change the prompt type. The prompt types are: Driver Name, Global Configuration, Initial Settings, Job, Remote Loader, Upgrade Settings, MSysInfo Classification, Custom.
Order: This is the order in which the prompts are displayed when a driver is configured. 0 is the first prompt that is displayed and the rest are in ascending order.
Targets: Click Add or Remove to add and remove the packages the prompt is part of. The package you created the prompt on is the first package listed.

4.14.2 Prompts

The Prompts field is an example of what is displayed when the package is configured. You can validate that the prompts are displayed properly before configuring a package.

4.14.3 Prompts Transformation

Displays the transformation style sheet for the prompt resources GCV document, based on the GCVs of other prompts that appear before this prompt in the sorted package prompt list. This style sheet is created by default when the prompt is created. You can modify the style sheet on this page.

If you have made changes to the style sheet, you can clear the changes and revert to the default style sheet:

1 Click Generate from template.
2 Select the template type, then click OK.

4.14.4 Target Transformation

Displays a transformation style sheet that allows the prompts to modify the package items in the targets of the prompts. You can modify the style sheet on this page.

If you have made changes to the style sheet, you can clear the changes and revert to the default style sheet:

1 Click Generate from template.
2 Select the template type, then click OK.

4.15 Configuring Global Configuration Objects

Global Configuration objects contain global configuration variables (GCVs) and are used when the configuration values are referenced from content in packages.

Section 4.15.1, “Global Configuration Object General Settings”
Section 4.15.2, “Global Configuration Object GCVs”

4.15.1 Global Configuration Object General Settings

The General Settings page allows you to change the name of the Global Configuration object.

4.15.2 Global Configuration Object GCVs

The GCVs page displays the GCVs that are contained in the Global Configuration object. You can add, edit, and remove the GCVs through this page. You can also edit the GCVs in XML instead of using the editors provided.

4.16 Configuring Jobs

Designer has a job scheduling utility to schedule events. Through this utility, the system can be set to disable an account on a specific day, or to initiate a workflow to request an extension for a person’s access to a corporate resource. Designer’s job scheduler contains the same functionality as the job scheduler found in iManager. For information on creating jobs, see Section 15.2, “Creating a Job,” on page 410.

In the Outline view, right-click the Job icon, then select Properties.

Section 4.16.1, “General”
Section 4.16.2, “Trace”

4.16.1 General

You have one selection under the General heading: Policy Name. You can change the job’s name by modifying the name that appears in the Policy Name entry, then clicking OK.

4.16.2 Trace

Through the Modeler, you can add a trace level to your jobs. With the trace level set, DS Trace displays the Identity Manager events as the engine processes the events. The trace level only affects the driver where it is set.

IMPORTANT: You should use the trace level only for testing or for troubleshooting driver issues. Setting a driver trace level on a production driver can cause the Identity Manager server to process events slowly.

Table 4-26 Job Trace Settings

Trace level: As the job trace level increases, the amount of information displayed in DS Trace increases. Trace level 1 shows errors, but not the cause of the errors. To see password synchronization information, set the trace level to 5.
Trace file: Specify a filename and location where the Identity Manager information is written for the selected driver. When a value is set in this field, all Java information for the job is written to file. As long as the file is specified, Java information is written to this file. If you do not need to debug Java, leave this field blank.
Trace File Encoding: The trace file uses the system’s default encoding. You can specify another encoding if desired.
Trace file size limit: Allows you to set a limit for the Java trace file. If you set the file size to Unlimited, the file grows in size until no disk space is available. NOTE: The trace file is created in multiple files. Identity Manager automatically divides the maximum file size by ten and creates ten separate files. The combined size of these files equals the maximum trace file size.
Trace name: Helps you track job trace messages. The name that you specify here appears with the job trace messages.

For more information about viewing and saving trace information with DS Trace, see Section 4.7.11, “Driver Trace Levels,” on page 119.

4.17 Configuring ID Policy Containers

An ID Policy container is a repository for ID policies and is used in conjunction with the ID Provider driver. For more information about the ID Provider driver, see the Identity Manager 4.0.2 Manual Task Service Driver Implementation Guide.

When the ID Provider driver receives an ID request from a client, it generates an identification that is based on the ID policy specified in the request and passes the identification to the client.

To configure an ID Policy container, you must first add the ID Provider driver to a driver set that accesses an Identity Vault. Then, under the ID Provider driver, create an ID Policy container by right-clicking the ID Provider driver and selecting New > ID Policy Container. After the container is created, double-click the ID Policy container in the Outline view, or right-click the ID Policy container and select Properties.

Table 4-27 ID Policy Container General Settings

Name: The name of the ID Policy container. You can change the name as necessary.
Notes: You can add notes to better define how you are using the ID Policy container.

In order for ID policies to work, you must also add and configure an ID policy in the ID Policy container. See Section 4.18, “Configuring ID Policies,” on page 131.

4.18 Configuring ID Policies

An ID policy allows the ID Provider driver to generate unique IDs. When the ID Provider driver receives an ID request from a client, it generates an identification that is based on the ID policy specified in the request and passes it to the client. The ID Provider driver can act as a client itself and can assign IDs to objects in the Identity Vault. For more information about the ID Provider driver and its components, see the Identity Manager 4.0.2 ID Provider Driver Implementation Guide.

To configure an ID policy, you must first add the ID Provider driver to a driver set.
Then, under the ID Provider driver, create an ID Policy container and add an ID policy. After the ID policy is created, double-click the ID policy in the Outline view, or right-click the ID policy and select Properties.

Figure 4-6 ID Policy General Properties Page

Table 4-28 The ID Policy General Settings

Policy Name: The name of the ID policy.
Policy’s Last ID: The last ID number that was used by this ID policy. If you have deployed this ID policy, use the Connect icon to update this field to the last ID number that was stored in the Identity Vault for this ID policy. NOTE: Only the ID Provider driver can update the last value stored in the Identity Vault.
Constraints Minimum/Maximum: Numbers must be between 0 and 2147483647. If you have a fixed system that can only handle eight digits, set the Maximum to 99999999.
Constraints Exclude/Include: Allows you to include or exclude a set of numbers that you type. Numbers can be typed in a comma-delimited list and you can use ranges, such as 10,100,1000,5000-10000,1099, etc.
Constraints Prefix: Allows you to give a prefix to the IDs that are generated using this ID policy. If you create multiple ID policies, a prefix is useful to see which ID policies are being used. An example is WFID, for workforce IDs.
Constraints Fill (Yes/No): If you choose Yes, the ID is filled with leading zeros (0) up to the maximum length. This helps keep generated IDs at the same length. If you select No, it does nothing and the ID lengths increment over time.
Access Control Enabled: Check this box if you want to enable access control lists.
Access Control ACL: Type the names of the access control lists you want to use. Access control must be enabled before you can type in ACLs.

4.19 Configuring a Notification Template

You can use the property page for a Notification Template to change the name of the notification template.

1 In the Outline view, expand Default Notification Collection.
2 Right-click a notification template (for example, Forgot Password), then select Properties.
3 Edit the name, then click OK.

For additional configuration information about notification templates, see Chapter 11, “Setting Up EMail Notification Templates,” on page 277.

4.20 Configuring Application Properties

To view or change an application’s settings, double-click the application (for example, LDAP Directory) in the Modeler.

Section 4.20.1, “General”
Section 4.20.2, “AD Domain”
Section 4.20.3, “Administrator”
Section 4.20.4, “Connectivity”
Section 4.20.5, “Environment”

4.20.1 General

Table 4-29 Application General Settings

Type: Changes the type of application your driver connects to. For example, if you configure a JDBC driver to connect to a MySQL* database, but then need to change to an Oracle database, you can scroll to Database, select Oracle, then click Apply.
New: Enables you to edit a driver’s icon. See Section 4.7.12, “Driver iManager Icon,” on page 122.
Edit: Enables you to use the Icon editor to customize the application’s icon. This field is available after you click New, edit an icon, and click Update.
Browse: Enables you to navigate to and select an image file.
Name: Enables you to customize the application’s name or label.
Version: Enables you to document the application’s version.

4.20.2 AD Domain

You can capture information about an Active Directory application. This information is useful if you want Document Generator to include this information when you document the project. If you provided information in the LDAP settings, Designer populates the AD Domain fields.

4.20.3 Administrator

The Administrator option is divided into three sections. Entering information in these sections is optional.

Personal Information: Use this section to enter information specific to the Identity Vault, such as Name, Title, Department, and Location.
Contact Information: Use this section to enter information such as Email, Phone, Cell phone, Pager, and Fax.
Notes: Use this section to type any reminders you might need for future reference.

4.20.4 Connectivity

“Host Names”
“LDAP”
“VNC”
“eDirectory”
“Configuring a Remote Connection”
“Customizing the Viewer”

Host Names

NOTE: This control is available only for eDirectory applications.

The Host Names field lets you create a list of server IP addresses and DNS names for your eDirectory application. Because servers can have multiple IP addresses and DNS names, it is useful to be able to create a list of those host names that you can easily access when configuring connectivity for your eDirectory application.

Figure 4-7 Host Name List for eDirectory Applications

You can add, modify, and delete host names from the Host Names list. When you specify a host on the LDAP, VNC, or eDirectory tabs, the host entry is automatically added to the Host Names list.

Double-click an entry in the Host Names list to automatically populate the Host field in the LDAP, VNC, or eDirectory tabs. Host entries in the Host Names list are also available from the Host field drop-down list in the LDAP, VNC, and eDirectory tabs.

LDAP

You can configure some applications (for example, Active Directory, eDirectory, and LDAP) for an LDAP connection. If the application doesn’t support an LDAP connection, the LDAP tab doesn’t display.

Host: The server’s IP address or DN.
Port: The server port to communicate with the directory.
User: The user’s name (in LDAP format).
Password: The user’s password.

VNC

From within Designer, you can view the desktop of the machine that is running your applications, and remotely control that desktop by interacting with it. This feature enables you to administer users or your applications with the native tools of that system, from one location.

This functionality is hosted in an embedded editor inside Designer. You can have multiple remote control sessions with different systems, all open at the same time.

Figure 4-8 A Remote Desktop

eDirectory

You can configure connectivity to eDirectory applications. This is similar to configuring an LDAP connection, but uses native eDirectory protocols instead of LDAP.

Host: The server’s IP address or DN.
Port: The server port to communicate with the directory.
User: The user’s name (in eDirectory format).
Password: The user’s password.

Configuring a Remote Connection

To remotely control a desktop, the machine that is running your application needs to have a VNC (virtual network computing) server installed and running. You can usually download a free VNC server from the Internet.

You can easily configure any system or design element in Designer for this feature by editing any application or design element:

1 Right-click an application or design element.
2 Select Properties > Connectivity.
3 On the VNC tab, type the authentication information.
  Host: The DN (for example, server33.houston.company.com) of the server where the VNC is running.
  Port: Typically 5901 for Linux servers or 5900 for Windows.
  Password: The password to the VNC server.
4 Click OK.

Customizing the Viewer

A toolbar at the top of the desktop viewer enables you to configure the following:

  Encoding type (RAW, RRE, CoRRE, Hextile, Zlib, Tight). The default is Tight.
  Compression level
  JPEG Image Quality (0 - 9). The default is 6.
  Cursor shape updates. The default is Enable.
  Use CopyRect. The default is Yes.
  Mouse buttons 2 and 3. The default is Normal.
  View only. The default is No, so that you can interact with the desktop.
  Clipboard
  Record session and save to file.
  Send Ctrl+Alt+Delete.
  Refresh

For more information, see the TightVNC documentation Web site (http://www.tightvnc.com/).

4.20.5 Environment

You can enter notes about the application’s platform, hardware, and environment.

4.21 Adding Prompts to a Driver Configuration File

Several node types are defined for driver configuration files. These extensions were made to support the following:

  Prompting once for a value that is used repeatedly throughout a single driver configuration file.
  Prompting once for a value that is used across multiple driver configuration files, as part of the Import Drivers Wizard.
  Allowing the user to select a value from a drop-down list of values.
  Global modification of the driver configuration file according to a contained XSL style sheet.
  Built-in variables that can be referenced without declaring them, in order to access information about the driver and its environment (a tree name, driver set name, driver set DN, server name, server DN, driver name and driver DN).
  The ability to “layer” prompts. It is possible to ask the user multiple sets of questions, with the second and later sets being controlled by the user's responses to prior sets. For more information, refer to “Editing Driver Configuration Files” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

The primary new node types are variable-decl, variable-ref, and xsl-modify.

Table 4-30 New Node Types

variable-decl: Allows you to define driver configuration variables that are prompted for (optionally) and replaced into a driver configuration file during its import. Multiple variable-decl blocks can be used to define a “layered” set of prompts. Refer to “Editing Driver Configuration Files” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.
variable-ref: Used to reference a variable defined in a variable-decl within your driver configuration files.
xsl-modify: Used to globally modify the driver configuration file after all variables (and prompting) have been resolved. The contents of this node are extracted and used as an XSL style sheet that is applied to the patched driver configuration file.

For information on adding prompts to a sample configuration file, see “Editing Driver Configuration Files” in the NetIQ Identity Manager 4.0.2 Common Driver Administration Guide.

4.22 Synchronizing Passwords

To view or edit password synchronization, use the Dataflow editor. See Section 9.2.1, “Filtering Views,” on page 249 and “Synchronizing Passwords” on page 249.

5 Managing Identity Manager Versions

Your environment might have versions of Identity Manager earlier than version 4.0.2, or you might have a mixture of different versions of Identity Manager. Before Designer 2.0, if you configured and wrote policies for an earlier version of Identity Manager in your environment, you might have encountered the following issues:

  You could easily build a solution that would not deploy.
  You did not know which features worked in one environment versus another environment.

To solve these issues, Designer tracks versions of the following objects:

  Identity Manager engines
  Identity Vaults (trees)
  Drivers

As you use Designer, you see only the UI of features that apply to the version that you are working on. Project Checker and Deploy ensure that what you have configured is supported in the target environment.

Section 5.1, “Key Differences in Identity Manager Versions”
Section 5.2, “Changing the Identity Manager Version”
Section 5.3, “Tracking Versions of Identity Manager”
Section 5.4, “Support for Driver Configuration Versions”
Section 5.5, “Checking Projects for Version Issues”
Section 5.6, “Adjusting the UI Based on the Version Number”

5.1 Key Differences in Identity Manager Versions

Identity Manager 3.5

  New object types were added: ECMAScript Objects, Jobs, Mapping Table Resource Objects, Resource Libraries
  New Policy Linking capabilities where a policy can be in multiple lists
  Many new DirXML Script actions, conditions, tokens, and verbs

Identity Manager 3.6 Support for 64-Bit operating systems New installation Identity Manager 4.0.2 Integrated installer Packages Installation program Management New driver configuration files New Resource Objects Driver health Global monitoring configuration resource objects New ID Provider Package prompt driver resource objects Reciprocal Attribute DS resource Mapping Additional DirXML Script elements objects SharePoint driver Nested group support Salesforce.com driver User Application Identity Reporting Module Ability for DirXML Script to nest conditions Driver-scoped local variables in DirXML Script that let you refer to variables outside of the policy

5.2 Changing the Identity Manager Version

You can import and deploy to all versions of Identity Manager that shipped since Identity Manager 2.0, up to and including Identity Manager 4.0.2. You can also import from DirXML 1.x environments.

Because versions earlier than Designer 2.0 did not track Identity Manager versions, those earlier projects do not have version information. When you convert an earlier project, Designer defaults the Identity Manager version numbers to the latest version. During conversion, Designer informs you that this default is being applied.

You can change this version number by doing either of the following:

  In the Outline view, right-click the Server object, select Properties, then select from the Identity Manager Version drop-down list.
  In the Modeler, select an Identity Vault, click Window > Preferences, expand Novell and select Identity Manager, then select a version from the drop-down list.

You can also find information on upgrades, information on downgrades, and a link to a help topic. This information explains the key differences between versions of Identity Manager.

When you import into a new server (or create a server based on a server that you have browsed to in the directory), the new server inherits the imported version of Identity Manager. If you do a live update in the server properties page, Designer updates the server to the current version of Identity Manager that is in the target environment.

5.3 Tracking Versions of Identity Manager

Designer tracks the Identity Manager version. Filtering functionality is based on this version information.

When multiple servers are associated to a driver set, Designer calculates an “effective engine version.” This version is the earliest Identity Manager version in the driver set. If you want to use the latest Identity Manager 4.0.2 features, it is important that all servers belonging to the driver set are upgraded to 4.0.2.

This version can be manually upgraded or downgraded from the server properties page. Additionally, live update icons retrieve current Identity Manager and eDirectory version information on the server properties page.

Figure 5-1 Live Update icons

The Add Server dialog box allows you to specify version information when an Identity Vault is created.

Figure 5-2 The Add Server Dialog Box

The Driver Set Log Level and Driver Log Level property pages have dynamic version widgets next to any log event that is not supported by your effective Identity Manager version.
The following figure illustrates an unsupported log event:

Figure 5-3 Identity Manager Version Message

5.4 Support for Driver Configuration Versions

In Identity Manager 4.0.2, driver configuration files are replaced with packages. You can still use driver configuration files. However, new and updated content for drivers is contained only in packages.

The Driver Configuration Wizard provides the following versioning information about the driver configuration files and your Identity Manager solution.

  The engine version that you are importing into. This information is taken from the current project. You control the version number.
  A descriptive name of the driver configuration.
  The version of the configuration as a single (undelimited) version number.
  The minimum required engine version for this configuration to run.
  The full filename of the selected list item. This name is below the list. It is displayed there for transparency.
  A check box that indicates possible unrecommended or incompatible configuration files.

Figure 5-4 A Deselected Show All Check Box

By default, the Show All check box is deselected if unrecommended or possibly incompatible configuration files are available. If all available driver configuration files are recommended and guaranteed compatible, the check box is dimmed and selected, indicating that all available options are displayed.

A deselected Show All check box implies the following:

  Additional driver configuration files are available but they are not recommended.
  The additional driver configuration files are probably incompatible with the engine version that you are importing to.

In the following figure, the Show All check box is selected.

Figure 5-5 A Selected Check Box in the Wizard

The list now contains many more items than were displayed when the check box was deselected.
These new items were previously hidden because the minimum required engine version for them is 3.5. Because the user is importing to 3.0.1, the configuration might be incompatible.

5.5 Checking Projects for Version Issues

A full suite of project checks makes sure that what you have configured makes sense for your target environment and can be successfully deployed.

Designer's UI blocks the creation of unsupported objects and hides features based on the version number. Nevertheless, unsupported actions might still occur through a few “back-door” methods, such as copying and pasting, importing, and downgrading your server after you have configured for a newer environment. In all of these instances, Project Checker catches the problems.

For example, for policy libraries to work, all of the servers on a given driver set need to be at the same Identity Manager 3.5 version. Project Checker catches problems like this where you might have an unsupported mix of servers. In this case, the project check results would look like the following figure:

Figure 5-6 Project Checker

Version problems are sorted to the top and have a version icon. If you double-click the item, you get more details about the problem and how to resolve it.

5.6 Adjusting the UI Based on the Version Number

Designer displays and enables or disables capabilities based on the version of Identity Manager that is associated with the Identity Manager engine. For example, if you edit a policy that is associated with a server that uses Identity Manager 3.5, Policy Builder shows you all of the new actions, conditions, verbs, and tokens that ship with that release. This feature lets you try out the next version of Identity Manager before it is even released.

Also, if you set the server to Identity Manager 3.0.1 (or earlier), you get the previous version of Policy Builder that Designer has shipped with in the past.

If you try to create an object that is not supported by your server version, a prompt tells you that this action isn't supported. For example, Identity Manager 3.5 introduces the concept of Jobs, Mapping Tables, and Policy Libraries. If you try to create one of these objects on a 3.0.1 server, you see the following message:

Figure 5-7 Prompt: Feature Not Supported

Future milestones of Designer will continue to evolve the UI to better handle version differences.

6 Managing Packages

Identity Manager drivers consist of multiple components like roles, workflows, policies, ECMAScripts, and style sheets. The configuration of each of these components makes each Identity Manager driver unique. This complexity makes it challenging to add new content to drivers, as when you need to create different components multiple times.

In order to save time and help manage Identity Manager content, Identity Manager 4.0 and later includes a concept called packages. For information about migrating driver configuration files to packages, see “Upgrading Drivers to Packages” in the Identity Manager 4.0.2 Upgrade and Migration Guide.

Section 6.1, “Understanding Packages”
Section 6.2, “Installing or Upgrading Packages”
Section 6.3, “Customizing Default Packages”
Section 6.4, “Removing or Downgrading Packages”

6.1 Understanding Packages

A package is a container for components of Identity Manager driver content, organized according to the functionality you want to provide to a driver. Packages can contain different types of content that you can move from one environment to another, allowing you to re-use content in multiple places and create and configure drivers more efficiently.

Designer allows you to export packages as .jar files.
This enables you to easily share packages with other users and import packages into different instances of Designer.

Figure 6-1 Identity Manager Package (diagram labels: Workflows, Package, Driver, Roles, Policies)

Designer allows you to manage and develop packages. Packages are the delivery mechanism for Identity Manager content. When you create a package, you are creating the framework for delivering the content.

Packages are stored in the package catalog, which is only visible in Designer. The package catalog is created when you create or import a project and add an Identity Vault. If you have an existing project, the package catalog is created when you open the project after it is converted.

Developers can create packages to deliver custom content. For more information about developing packages, see Chapter 7, “Developing Packages,” on page 161.

Packages are only supported with Identity Manager 4.0 or later. If you create a driver using a driver configuration file for an earlier version of Identity Manager, we recommend you migrate your existing driver to use packages. For more information, see “Upgrading Drivers to Packages” in the Identity Manager 4.0.2 Upgrade and Migration Guide.

For more information about how packages work, see the following sections:

Section 6.1.1, “Advantages of Packages”
Section 6.1.2, “Understanding Package Dependencies”
Section 6.1.3, “Package Content”

6.1.1 Advantages of Packages

Easy to upgrade: In the past, when you wanted to install a driver, you installed the driver configuration file. The driver configuration file contained all of the functionality that could be added to a driver. However, there was no easy way to upgrade the configuration file once installed. Packages allow you to upgrade an installed package.
Easy to revert back to factory settings: Packages are easy to install, uninstall, and revert back to a shipping configuration of the driver.
Common functionality can be reused: Functions that are common to the drivers can be grouped in a particular package and the same can be referenced by other drivers. This is not possible with configuration files.
Easy content life cycle management: Managing the life cycle of content is easier with packages due to versioning.
Easy to update: Packages allow you to update the features of a driver without updating the entire driver.

6.1.2 Understanding Package Dependencies

Many packages require one or more other packages to function properly. When you install a package, the package may require that other packages also be installed, either as feature sub-packages or separate packages entirely. For example, several packages require you to install the default Common Settings package before installing or deploying.

These dependencies are mandatory and are always enforced, indicating a technical dependency one package has for a component of another package.

Understanding Driver Set Packages and Identity Vault Packages

A package can be a driver package, a driver set package, or an Identity Vault package. In general, package dependencies follow a one-way “pyramid” structure. Driver packages can require other driver packages, driver set packages, or Identity Vault packages, and driver set packages can also require Identity Vault packages. However, Identity Vault packages cannot require driver or driver set packages, and driver set packages cannot require driver packages.

Understanding Base Packages and Feature Packages

In addition, a package can be a base package or a feature package. Feature packages contain the actual functionality a driver uses, broken apart by “feature,” while base packages tell Designer how to assemble those feature sub-packages together into an actual driver. Base packages should be used to create a driver and not to deliver content.
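The one-way dependency rule and the mandatory dependencies described above can be checked mechanically before a set of packages is shared. The following is an added example, not code from Designer or from this guide: the Package class, the catalog layout, and every EXMP* short name are constructed for illustration, and allowing same-level dependencies for driver set and Identity Vault packages is an assumption (the guide states it only for driver packages).

```python
from dataclasses import dataclass

# Breadth of each installation target. A package may only require packages
# whose target is at least as broad as its own (the one-way "pyramid").
LEVEL = {"driver": 0, "driver_set": 1, "identity_vault": 2}


@dataclass(frozen=True)
class Package:
    short_name: str
    target: str            # one of the keys of LEVEL
    requires: tuple = ()   # short names of the packages this one requires


def pyramid_violations(catalog):
    """Return sorted (package, dependency) pairs that point down the pyramid."""
    bad = []
    for pkg in catalog.values():
        for dep_name in pkg.requires:
            dep = catalog.get(dep_name)
            # Missing dependencies are reported by install_order(), not here.
            if dep is not None and LEVEL[dep.target] < LEVEL[pkg.target]:
                bad.append((pkg.short_name, dep_name))
    return sorted(bad)


def install_order(catalog, name):
    """Return a dependencies-first install order for the package `name`.

    Dependencies are mandatory, so a dependency that is missing from the
    catalog raises LookupError and a dependency cycle raises ValueError.
    """
    order, done, in_progress = [], set(), set()

    def visit(current, parent):
        if current in done:
            return
        if current not in catalog:
            raise LookupError(f"{parent} requires {current}, which is not in the catalog")
        if current in in_progress:
            raise ValueError(f"dependency cycle through {current}")
        in_progress.add(current)
        for dep in catalog[current].requires:
            visit(dep, current)
        in_progress.discard(current)
        done.add(current)
        order.append(current)

    visit(name, None)
    return order


def build_catalog(*packages):
    """Index packages by short name."""
    return {p.short_name: p for p in packages}


# Constructed sample catalog; none of these packages exist in a real product.
CATALOG = build_catalog(
    Package("EXMPIVLTNOTF", "identity_vault"),
    Package("EXMPDSETCOMN", "driver_set", ("EXMPIVLTNOTF",)),
    Package("EXMPADIRPWSY", "driver", ("EXMPDSETCOMN",)),
    Package("EXMPADIRBASE", "driver", ("EXMPADIRPWSY", "EXMPDSETCOMN")),
    # Two deliberately broken entries:
    Package("EXMPIVLTBADX", "identity_vault", ("EXMPADIRBASE",)),
    Package("EXMPDSETBADX", "driver_set", ("EXMPADIRPWSY", "EXMPMISSING0")),
)

if __name__ == "__main__":
    for pkg, dep in pyramid_violations(CATALOG):
        print(f"violation: {pkg} ({CATALOG[pkg].target}) requires "
              f"{dep} ({CATALOG[dep].target})")
    print("install order:", " -> ".join(install_order(CATALOG, "EXMPADIRBASE")))
```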
Feature packages themselves may be mandatory or optional, depending on the requirements of the base package. Some features may not be strictly necessary for a driver to function but could be useful for some users, while other features are required for the driver to function properly.

You configure the mandatory and optional feature packages of a base package in the Properties of the base package. When you install a driver, the Driver Configuration Wizard displays both the mandatory and optional features of that driver’s base package, installs the mandatory feature packages, and allows you to select which optional feature packages you want to install.

For more information about configuring mandatory and optional packages, see “Configuring Mandatory and Optional Feature Packages” on page 192.

6.1.3 Package Content

Packages are installed on drivers, driver sets, and Identity Vaults. The content of the packages installed on the Identity Vault can affect all of the drivers in the Identity Vault. The content of the packages installed on the driver set can affect all of the drivers in the driver set. The content of the packages installed on a driver only affects that driver.

You can store many different types of objects in a package, including driver objects, library objects, User Application objects, DS object resources, filter extension resources, and package prompt resources. The types of objects you can store in a package depend on the type of the package itself.

NOTE: You can install content on a driver without adding that content to a package, including policies, ECMAScripts, and GCVs. However, if you install content directly on a driver, you cannot control the order in which the driver runs the content. For example, if you have a package that contains 10 policies installed on a driver, and one non-package policy also installed on that driver, the non-package policy may run in between two of the package policies, regardless of how you order the policies.
The following table lists the objects that can be installed in the different package types.

Table 6-1 Package Content in Package Types

Object Type | Driver | Driver Set | Identity Vault
Notification Templates | - | - | X
Library | - | X1 | X1
Credential Application object | X | X2 | X2
Credential Repository object | X | X2 | X2
DirXML Script | X | X2 | X2
ECMAScript | X | X2 | X2
Mapping Table | X | X2 | X2
Global Configuration object | X | X | X2
DS object | X | X | X2
Resource object | X | X2 | X2
Schema Map | X | X2 | X2
XSLT | X | X2 | X2
Job | X | X | -
Entitlement | X | - | -
Entities | X3 | - | -
Lists | X3 | - | -
Queries | X3 | - | -
Relationships | X3 | - | -
Configuration | X3 | - | -
Provisioning Request Definitions | X3 | - | -
Teams | X3 | - | -
Roles | X3 | - | -
Role Configuration | X3 | - | -
Resources | X3 | - | -
Separation of Duty (SoDs) | X3 | - | -

1 Libraries are not packaged, only their contents. Packages store the library's name and location and create it at install time, if it doesn't already exist.
2 These items can only be added to a package of the respective type if they are in a library.
3 These items can only be added to a User Application driver package.

6.2 Installing or Upgrading Packages

Use the following list of tasks to install, add, upgrade, or import packages. For information about creating or copying packages, see “Developing Packages” on page 161.

Section 6.2.1, “Installing Packages”
Section 6.2.2, “Adding Packages”
Section 6.2.3, “Upgrading Installed Packages”
Section 6.2.4, “Importing Packages into the Package Catalog”

6.2.1 Installing Packages

You can install packages on Identity Vaults, on driver sets, or on drivers. You can verify the packages have been imported by following the instructions in Section 6.2.4, “Importing Packages into the Package Catalog,” on page 155.
There are three different types of packages based on the package installation target: Identity Vault packages, driver set packages, and driver packages. Driver packages are further grouped as:

Driver Base Configuration Packages: Contains the base functionality for a driver. You must install a driver base configuration package first.
Mandatory Features Packages: If there is a feature that is required for a driver to function, but is not included in the driver base configuration package, it is added to a mandatory features package.
Optional Features Packages: Contains features for a driver that aren’t mandatory for the driver to function.

To install packages on an existing Identity Vault, driver set, or driver, see Section 6.2.2, “Adding Packages,” on page 153.

To install a new driver, including the packages that make up the driver, use the following procedure:

1 Drag and drop an application from the Palette into the Modeler.
  or
  Right-click the driver set in either the Outline view or in the Modeler, then click New > Driver.
2 Click the check box next to the base package you want to install, then click Next.
  NOTE: You can only install one base package per driver.
3 (Conditional) If you want to install any of the available optional features for the base package you selected, ensure the check box next to those packages is selected. Most options are selected by default because they are recommended for the driver.
  NOTE: In most installations, we recommend installing all optional features.
  Optional packages are grouped by feature. You can expand features to see the specific packages installed for each. You must select a feature to install the packages for that feature.
4 (Conditional) If you do not want to install a particular optional feature, clear the check box for that package.
5 Click Next.
6 (Conditional) If the base package requires a dependent package, Designer prompts you to install the dependent package. Select the dependent package, then click OK.
7 Respond to any prompts, if necessary, then click Next.
  The prompts are specific for each driver. Each driver guide contains the specific instructions for that driver. See the Identity Manager driver guides Web site (http://www.novell.com/documentation/idm402drivers/index.html) for the specific driver information.
8 Review the installation summary, then click Finish.

After the packages are installed, the driver contains the functionality included in the packages.

6.2.2 Adding Packages

You can add new functionality to an existing driver by adding new packages to an existing Identity Vault, driver set, or driver.

1 Right-click the Identity Vault, driver set, or driver, then click Driver > Properties.
2 Click Packages, then click the Add Packages icon.
3 Select the packages to install.
  If the list is empty, there are no available packages to install.
4 (Optional) Deselect the Show only applicable package versions option, if you want to see all available packages.
  This option is only displayed on drivers. By default, only the packages that can be installed on the selected driver are displayed.
5 Click OK.
6 Click Apply to install all of the packages listed with the Install operation.
7 (Conditional) Fill in the prompts with appropriate information to install the package, then click Next.
  Depending on which package you selected to install, you might have fields that you must fill in. For detailed information about the fields, see the specific driver guide at the Novell Driver Guides documentation Web site (http://www.novell.com/documentation/idm402drivers/index.html).
8 Read the summary of the installation, then click Finish.
9 Click OK to close the Package Management page after you have reviewed the installed packages.
10 Repeat Step 1 through Step 9 for each Identity Vault, driver set, and driver where you want to add the new packages.

6.2.3 Upgrading Installed Packages

You can upgrade any package that is installed if there is a newer version of the package available. Complete the following steps to upgrade an installed package:

1 Ensure you add any GCVs included in the package to a new GCV Resource object. For more information, see the “Global Configuration Value Definition Editor” in Policies in Designer 4.0.2.
2 Right-click the Identity Vault, driver set, or driver where the package that you want to upgrade is installed, then click Driver > Properties.
3 Click Packages.
  If there is a newer version of a package, a check mark is displayed in the Upgrades column.
4 Click Select Operation for the package that indicates there is an upgrade available.
5 From the drop-down list, click Upgrade.
6 Select the version that you want to upgrade to, then click OK.
  NOTE: Designer lists all versions available for upgrade.
7 Click Apply.
8 (Conditional) Fill in the fields with appropriate information to upgrade the package, then click Next.
  Depending on which package you selected to upgrade, you might have fields that you must fill in to upgrade the package. For detailed information about the fields, see the specific driver documentation located on the Identity Manager Drivers documentation Web site (http://www.netiq.com/documentation/idm402drivers/index.html).
9 Read the summary of the installation, then click Finish.
10 Review the upgraded package, then click OK to close the Package Management page.

6.2.4 Importing Packages into the Package Catalog

Designer adds packages to the Package Catalog dynamically. However, if you need to add a custom package to the Package Catalog, you can import the package .jar file.

Use the following procedure to import one or more packages into the package catalog.
1 In the Outline view, right-click Package Catalog, then select Import Package.
2 Select one or more packages from the list. If all of the available packages are already imported, the list is empty.
  or
  Click Browse, then browse to and select a package on the file system and click OK.
3 Click OK to import the selected packages.
4 Review the import message, then click OK.

After you import a package, you must install the package on a driver before you can use that package. Continue with “Installing Packages” on page 151 for instructions.

6.3 Customizing Default Packages

In most cases, when you install a default package shipped by Novell in your environment, you need to customize that package for the driver to function properly. You may need to add new policies to the default package, modify existing policies and filter extensions, and configure schema mapping policies for your environment.

You can modify the content of a default package at any time using tools provided in Designer, like the Policy Builder.

For more information about creating or modifying policies, see “Managing Policies with the Policy Builder” in Policies in Designer 4.0.2.

For more information about modifying filters, see “Controlling the Flow of Objects with the Filter” in Policies in Designer 4.0.2.

For more information about configuring schema mapping policies, see “Defining Schema Map Policies” in Policies in Designer 4.0.2.

NOTE: If you have previously worked with driver configuration files, note that there are no additional steps required to make changes to the package content. You use Designer as you would in the past to change a policy, filter, or any other object that is delivered in a package.

Each package has a checksum file, so that when you make changes to the content delivered in the packages, Designer keeps track of those changes. Designer adds an icon to content that is customized.
In the figure below, the pub-cp-ADBS policy has changed, while all of the other policies have not changed since the package was installed.

Figure 6-2 Changed Policy

If there is a new package available and you have customized the package, Designer prompts you to keep your changes or overwrite the customization with the new package content.

You can also revert the customization that you made to any package at any time.

1 In the Outline view, select an object that has changed.
2 Right-click the selected object, then click Revert Customization.

The content is reverted back to the state it was in when the package was first installed. The Revert Customization option is like an Undo option.

6.4 Removing or Downgrading Packages

Use the following list of tasks to remove, uninstall, or downgrade packages or to enable or disable factory mode on a driver.

Section 6.4.1, “Uninstalling Packages”
Section 6.4.2, “Downgrading Installed Packages”
Section 6.4.3, “Removing Packages from the Package Catalog”
Section 6.4.4, “Running a Driver in Factory Mode”
Section 6.4.5, “De-activating Factory Mode”

6.4.1 Uninstalling Packages

1 Right-click the Identity Vault, driver set, or driver where the package that you want to uninstall is installed, then click Properties.
2 Click Packages, select the package you want to uninstall, then click the Select Operation cell.
3 Click Uninstall from the drop-down list.
4 Click Apply to uninstall the package, then click OK to close the Package Management page.

6.4.2 Downgrading Installed Packages

You can downgrade any package that you have upgraded. This allows you to revert the driver back to a known state for troubleshooting purposes.

1 (Optional) Before downgrading an installed package, you may want to create a backup of all of the customized policies in the package.
  For information about backing up drivers in Identity Manager, see “Creating an Export of the Drivers” in the Identity Manager 4.0.2 Upgrade and Migration Guide.
2 Right-click the Identity Vault, driver set, or driver where the package that you want to downgrade is installed, then click Properties.
3 Click Packages, then click the Select Operation option for the package you want to downgrade.
4 From the drop-down list, select Downgrade.
5 Select the version that you want to downgrade to, then click OK.
  All versions that are available to downgrade to are listed.
6 Click Apply, then click Finish to downgrade the package.

6.4.3 Removing Packages from the Package Catalog

You can remove unused packages from the package catalog all at once or delete a specific package if the package is currently not in use. If you try to delete a package that is in use, you get an error message.

If you want to remove all unused packages from the package catalog, complete the following steps:

1 Right-click the package catalog and select Remove Unused Packages.
2 Review the list of packages to be removed and click OK.

If you want to delete a specific package from the package catalog, complete the following steps:

1 Verify that the package is currently not installed:
  1a Right-click the package in the package catalog, then click Properties.
  1b Click Targets.
    This page lists all of the objects where the package is currently installed in your project.
  1c Click OK to close this page.
  1d If the package is currently installed, follow the instructions in Section 6.4.1, “Uninstalling Packages,” on page 157 to uninstall the package. After the package is uninstalled, continue with this procedure.
2 Right-click the package in the package catalog, then click Delete.
3 Click Yes to confirm.

6.4.4 Running a Driver in Factory Mode

Designer also provides an option to remove any customizations from a driver while retaining package configuration values and parameters.
Customizations can include policies, GCVs, and package prompts. Running the driver without customizations is called Factory mode. Factory mode allows you to remove customizations from the driver through one procedure instead of removing customizations from each package.

Factory mode is most useful for package developers who create their own custom packages for use by other users. If you develop a package for a customer, and the customer encounters problems with the driver after installing the package, you can enable Factory mode to troubleshoot those problems on a “clean” driver.

NOTE: We do not recommend enabling Factory mode for shipped drivers or packages, as the default drivers provided by Novell require customization to work in your environment.

You can only enable Factory mode on an individual driver. You cannot enable Factory mode on an Identity Vault or driver set. Enabling Factory mode affects all driver content, including all pre-configured and custom packages installed on the driver.

There are two options for using Factory mode:

Strict: Designer removes all customizations and custom configurations from your driver. Custom configurations are new policies, jobs, mapping policies, or other objects created on the driver.
Relaxed: Designer removes all customizations but no custom configurations from your driver.

To run a driver in Factory mode:

1 In the Outline view or in the Modeler, right-click the driver, then click Driver > Properties.
2 Click Packages, then select Run driver in Factory mode.
3 Select how Package Manager handles the customizations and custom configuration of your driver. You can select either Strict or Relaxed.
4 Click Activate to save the selected change.
5 (Optional) Click the Configure Factory mode icon if you want to change the selected option, then click Activate again.
6 Click Apply or OK to make the change active.
6.4.5 De-activating Factory Mode

When you turn off Factory mode on the driver, Package Manager does the following:

Restores all package customizations, including policies, GCVs, and package prompts
Restores custom configurations, if you selected Strict
Preserves package configuration values and parameters

To de-activate Factory mode:

1 In the Outline view or in the Modeler, right-click the driver, then click Properties.
2 Click Packages, then deselect Run driver in Factory mode.
3 (Optional) Select Reset driver to permanently reset the driver to factory defaults.
  When you select this option, the following tasks are performed:
  All package customizations are deleted
  Custom configurations are deleted (only if you are in strict mode)
  Package configuration values and parameters are preserved
4 (Optional) Select Save driver configuration to create a driver configuration file that contains the current values, parameters, and customization.
5 Click De-Activate.
6 Click Apply or OK to make the change active.

7 Developing Packages

In addition to working with and modifying the default set of packages included in Designer, you can create your own custom packages tailored to your particular environment.
Section 7.1, “Why Use Custom Packages?”
Section 7.2, “Developing Custom Packages”
Section 7.3, “Preparing to Develop Packages”
Section 7.4, “Creating a Base Package”
Section 7.5, “Configuring Initial Settings”
Section 7.6, “Working with Package Prompts”
Section 7.7, “Creating Identity Vault and Driver Set Packages”
Section 7.8, “Creating Feature Packages”
Section 7.9, “Configuring Mandatory and Optional Feature Packages”
Section 7.10, “Adding Content to Packages”
Section 7.11, “Copying Packages”
Section 7.12, “Building Packages”
Section 7.13, “Versioning Packages”
Section 7.14, “Localizing Packages”
Section 7.15, “Adding and Configuring Licenses”
Section 7.16, “Releasing and Publishing Packages”
Section 7.17, “Best Practices for Package Development”

7.1 Why Use Custom Packages?

For many users, the default set of packages you can install with Designer addresses all the relevant areas of their Identity Manager environment. However, at some point you may need to create a custom package outside of the default packages provided by Novell. You might need to modify a shipped package, copy a shipped package, modify and rebrand that package for use in your environment, or create a completely new package for a custom driver.

The following sections help you to create a custom package.

7.2 Developing Custom Packages

Creating custom packages involves a different set of tasks than managing packages. You can create packages for Identity Vaults, driver sets, and drivers.

You can develop custom packages by completing the following steps. Before you start developing custom packages, we recommend you also read “Best Practices for Package Development” on page 202.

Steps, each followed by the section to see:

1. Configure default package preferences in your Designer environment. See “Setting Default Package Preferences” on page 163.
2. Create a development driver. See “Creating a Development Driver” on page 163.
3. Enable package development mode. See “Enabling Package Development Mode” on page 163.
4. Define the overall package structure. See “Defining Custom Package Structure” on page 164.
5. Create a custom base package. See “Creating a Base Package” on page 164.
6. Configure initial settings for the base package and sub-packages. See “Configuring Initial Settings” on page 166.
7. Add package prompts to the base package. See “Working with Package Prompts” on page 168.
8. Create common Identity Vault and driver set packages. See “Creating Identity Vault and Driver Set Packages” on page 188.
9. (Optional) Add libraries to Identity Vault and driver set packages. See “Creating Libraries” on page 189.
10. (Optional) Add GCVs to Identity Vault and driver set packages. See “Adding GCV Resource Objects” on page 190.
11. (Optional) Add notification templates to Identity Vault and driver set packages. See “Adding Notification Templates” on page 190.
12. Create custom feature packages. See “Creating Feature Packages” on page 191.
13. Configure mandatory and optional feature packages. See “Configuring Mandatory and Optional Feature Packages” on page 192.
14. (Optional) Add GCV resources to feature packages. See “Adding GCVs to Feature Packages” on page 194.
15. (Optional) Add package prompt resources to feature packages. See “Adding Prompt Resources” on page 194.
16. (Optional) Add policies to feature packages. See “Adding Policies” on page 195.
17. (Optional) Add filter extensions to feature packages. See “Adding Filter Extensions” on page 195.
18. (Optional) Copy an existing package, if necessary. See “Copying Packages” on page 196.
19. Build and test your custom packages. See “Building Packages” on page 197.
20. If previous versions of your packages exist, update the version. See “Versioning Packages” on page 198.
21. (Optional) Export strings and prompts from your packages and send for localization. See “Localizing Packages” on page 198.
22. (Optional) Release and publish your custom packages for other users to download and install. See “Releasing and Publishing Packages” on page 201.

7.3 Preparing to Develop Packages

The first step in developing custom packages is to prepare your Designer environment. You should create a new Designer project, install a valid Identity Vault, configure any default preferences, create a development driver to use as an installation target, enable package development mode, and define the overall structure for your packages.

For more information about creating a project, see “Creating a Project” on page 23. For more information about installing an Identity Vault, see “Creating a Model” on page 29.

7.3.1 Setting Default Package Preferences

Before you start creating custom packages, we recommend you configure default Package Manager preferences as necessary in your environment. In particular, you should configure your Vendor Defaults, License Defaults, and Locations Defaults preferences.

To configure your preferences, click Window > Preferences, then expand Novell > Package Manager and modify preferences as necessary. For more information about preferences in Designer, see “Setting Preferences” on page 551.

7.3.2 Creating a Development Driver

Complete the following steps to create a “blank” development driver you can use as a target for your custom packages.

1 Drag and drop an application from the Palette into the Modeler to launch the Package Installation Wizard. The application can be of any type.
  NOTE: The Package Installation Wizard does not show any packages if the catalog is empty.
2 When Designer displays the Driver Configuration Wizard, click Cancel, without installing or configuring any packages.

Designer creates an empty driver in the Modeler and links the driver to your Identity Vault.
You can then use this driver to add your own custom content.

7.3.3 Enabling Package Development Mode

Packages can only be created and modified when the Identity Vault is running in package development mode.

1 Either in the Outline view or the Modeler, right-click the Identity Vault, then click Properties.
2 Select Enable Package Developer Mode, then click OK.

NOTE: If you disable package development mode, you can then only view the properties of a package in the Package Catalog or compare the current version of a package to other available package versions. You cannot create packages, add objects to packages, remove objects from packages, or sync packages on a driver or driver set with package development mode disabled.

7.3.4 Defining Custom Package Structure

At the start of the package-creation process, you should define the structure you want to use for the packages you create, including mapping out the specific base packages and feature packages you need.

Use questions like the following to define your package structure:

To which package categories and groups will your packages belong?
To which driver types does this package apply?
On which targets do you plan to install packages?
Which feature packages are mandatory?
Which feature packages are optional?
Which features can be used by other drivers?
Which package prompts or settings will be used across feature packages and need to be stored in a base package?
Does your package or driver require functionality included in any default packages?
Can some functionality be included in higher-level driver set and Identity Vault packages, for use by all packages and drivers?

In addition to creating new prompts, GCVs, and other objects, you can use the “common” packages provided by Novell in your own package or driver.
For example, the Novell Common Settings (NOVLCOMSET) driver set package configures the default location for storing user and group identity information in the Identity Vault, and the default LDAP Classes (NOVLLIBLDAP) driver set package includes an ECMAScript that allows you to search any LDAP source from Identity Manager. Before developing your own custom packages, we recommend you familiarize yourself with the existing functionality provided in the default packages.

For information about configuring mandatory and optional packages, see “Configuring Mandatory and Optional Feature Packages” on page 192. For best practice information about configuring package dependencies, see “Defining Package Relationships” on page 203.

7.4 Creating a Base Package

When creating custom packages, you first need to create a new base package. The base package acts as a master list that tells Designer how to assemble all the custom sub-packages you create.

Base packages should not contain content such as policies or resource objects. We recommend only including package prompts and initial settings information in your base package.

WARNING: Designer does not automatically check if a package functions properly or is complete. If you attempt to deploy a package that is incomplete or does not work correctly, you can inadvertently modify your package targets.

Complete the following steps to create a custom base package.

1 (Optional) If you want to create a new package category, navigate to the Outline view in Designer and complete the following steps:
  1a Right-click the package catalog, and then select New Category.
  1b Specify the name of the category, then click OK.
    For example, if you want to create a base package for a database application driver, you could specify Database as the category name.
2 (Optional) If you want to create a new package group within a category, complete the following steps:
2a Right-click the package category where you want to create a group and select New Group.
2b Specify the name of the package group, then click OK. For example, if you want to create a base package for a database application driver, you could specify the name of the specific database application as the group name.
3 Right-click the package group where you want to create a new package and select New Package.
  NOTE: All packages must belong to a category and a group within that category. You cannot create a package outside of a package group.
4 Specify a name, version number, and description for the package in the appropriate fields.
5 Specify a short name for the package in the appropriate field. Identity Manager and Designer display the specified short name when you open the package in a user interface. This name must be unique in the Identity Vault.
  NOTE: The standard short name for a package is 12 characters long, separated into three sections of four characters: [Vendor][Target system][What package does]. For example, if you have a base Active Directory package created by NetIQ, the package short name could be NTIQADIRBASE.
6 Click the Type drop-down menu and select Driver.
7 Select Base Package.
8 Verify the package category and group are correct.
9 Click Next.
10 In the IDM Compatibility section, select the minimum and maximum versions of Identity Manager that this package is compatible with. For example, if you create a new package in an Identity Manager 4.0.2 environment that uses a feature only available in 4.0.2, you can use the minimum version to prevent users with Identity Manager 4.0.1 or earlier from installing the package.
11 In the Application Compatibility section, select the minimum and maximum versions of the managed application that this package is compatible with.
  NOTE: Identity Manager does not currently enforce restrictions on the minimum and maximum application versions specified. Identity Manager can only provide a recommendation to users who try to install the package.
12 Select one or more driver types in the Available Driver Types list with which you want the package to be compatible and use the right-arrow icon to move them to the Supported Driver Types list.
  NOTE: The package must support at least one driver type. Ensure you select the type of application you used when creating your development driver, or select <All> if you want the package to support all possible driver types.
13 Click Next.
14 Specify or modify the vendor information you want to include in the package, then click Next. You must specify the vendor name for the package.
15 Review the Summary page and click Finish.
16 (Optional) If you want to require that a particular non-feature package, like a common driver set package, be installed along with your base package, complete the following steps:
16a In the Outline window, expand the Package Catalog and navigate to the version of the base package you created in the preceding steps.
16b Right-click the base package and select Properties.
16c In the Properties window, click Dependencies.
16d Click the plus icon and select the package you want to add as a dependency. For more information about common Identity Vault and driver set packages, see “Creating Identity Vault and Driver Set Packages” on page 188.
16e Click OK.
17 Verify you have a development driver installed. If not, follow the steps in “Creating a Development Driver” on page 163 to install a development driver.
18 In the Modeler, right-click the development driver, then click Driver > Properties.
19 In the Properties window, click Packages to install the base package on the driver.
20 Click the plus icon to display the packages you can install on the driver. The package list is initially filtered by driver types.
To see all available driver packages, deselect Show only applicable package versions.
21 Select the base package you want to install and click OK.
22 Click OK.

7.5 Configuring Initial Settings

Once you create your custom base package, you should configure the initial settings you want to use for the driver. When you install a driver, the driver’s initial settings create a set of objects that the driver needs to be able to start.

The initial settings for your driver are specified as ds-object code. The code installs driver shim parameters, driver start options, named passwords, GCVs, and filters.

By default, when you create a package, the initial settings XML for the package is empty, as displayed in the package Properties window. Unless you are extremely proficient with XML and are familiar with the Identity Manager schema, we recommend you populate your initial settings from an existing template.

You can use a working driver as a template, if you want your package to use specific settings in that driver. For example, if you want to create a custom eDirectory package, you can use an eDirectory driver as your development driver and populate your initial settings from the development driver. If you only want to include a minimum of initial settings in your package and configure those settings manually, you can also add an empty Generic App driver.

You can only add certain driver properties as ds-attribute objects in the Initial Settings, as listed in the table below.

ds-attribute Object / Description

name
    Specifies the name of the driver.
application-schema
    Specifies the schema of the application to which the driver connects. Each application has its own schema, but Identity Manager does not necessarily use all classes or attributes from a particular application schema.
configuration-manifest
    Contains the Driver Health Configuration settings for the driver, which allow you to monitor the state of the driver and configure the driver to perform actions automatically depending on the driver’s health state. For more information about the Driver Health Configuration, see “Driver Health Configuration” on page 107.
driver-filter-xml
    Specifies how the driver should filter incoming data. We recommend you do not use this ds-attribute to configure the base driver filter, but instead create filter extension objects. For more information about creating filter extension objects, see “Adding Filter Extensions” on page 195.
java-module
    Specifies the driver shim XML configuration the driver uses. For example, com.novell.nds.dirxml.driver.nds.DriverShimImpl or com.novell.idm.driver.ComposerDriverShim.
log-events
    Specifies the types of events you want the driver to log in the audit log. For example, you can configure the driver to log errors, warnings, or specific events like object modifications. By default, the driver uses the settings from the driver set, as specified in the Log Level tab in the driver set Properties window. For more information about configuring log levels, see “Driver Set Log Levels” on page 94.
shim-config-info
    Specifies the Driver Parameters settings displayed in the Properties window for the driver.
global-config-values
    Specifies any GCVs configured on the driver. For more information about GCVs, see “Driver Global Configuration Values” on page 105.
global-engine-values
    Specifies the engine control values used by all drivers, including the subscriber channel retry interval and maximum eDirectory replication wait time. For more information about engine control values, see “Engine Control Values” on page 103.
driver-start-option
    Specifies the default startup option for the driver. For more information about driver startup options, see “Startup Option” on page 102.
named-password
    Specifies any named passwords configured on the driver. For more information about named passwords, see “Driver Named Passwords” on page 115.

Complete the following steps to add initial settings to your base package.

1 In the Outline view, right-click the base package, then select Properties.
2 Click Initial Settings.
3 Click Populate From Template.
  WARNING: When you populate your initial settings from a template, Designer overwrites any XML currently in the Initial Settings window. If you have any previously customized XML, ensure that you save the existing XML before clicking Populate From Template.
4 In the Model Browser window, select the driver you want to use as a template, then click OK.
  NOTE: You can use any driver currently available in your workspace to populate your Initial Settings window.
5 Modify the package initial settings as necessary for your environment.
6 When finished, click OK.

7.6 Working with Package Prompts

After you create a base package, we recommend you create package prompts for use in your packages. Package prompts should be stored in the base package, rather than in specific feature sub-packages, so that all feature packages can use the configured prompts if needed.

7.6.1 Understanding Package Prompts

Package prompts allow users to configure the packages included in a driver during the driver installation process.

When a user installs a driver, they provide configuration information necessary for that user’s environment. Some packages include default configuration information built into the package by the package developer, but many configuration properties must be specified at the time of installation. For example, users may need to specify the IP address of the target system or the name of the Identity Vault container used to store user or group information.

The Driver Configuration Wizard provides one or more windows that include fields where the user can configure the driver.
The windows the Driver Configuration Wizard displays are package prompts. You can use package prompts to modify any of the properties of a driver, including the driver name, driver configuration parameters, GCVs, or job parameters.

Prompts are stored as Resource objects and are typically stored in the base package of a driver. Each prompt Resource object can contain one or more fields, which are displayed to the user in the Driver Configuration Wizard. Each prompt corresponds to a window within the Wizard and can be required or optional, as necessary.

The following graphic provides an example of a default Initial Settings prompt:

NOTE: A package can contain no prompts or many prompts, depending on the needs of the driver.

When you install a package, the Driver Configuration Wizard displays package prompts according to the Order parameter value of each prompt. To configure the order in which your prompts appear, right-click the prompt resource in the Outline view and select Properties, specify the value you want to use for the Order parameter, and click OK.

Each package prompt is a Resource object of the type application/vnd.novell.dirxml.pkgprompt+xml. Designer creates a default pair of XSL style sheets when you create a new package prompt. You can modify those style sheets to fit your needs.

Designer uses XSL style sheets to transform both the prompt fields displayed in the Driver Configuration Wizard and package items contained in the target packages specified for the prompt. The prompt transform configures the way the prompt looks in the Wizard, while the target transform takes the information users enter in the prompts and modifies objects in your environment depending on that input. Prompts can set values in GCVs and be used to configure specific features of the driver, such as using entitlements or synchronizing passwords.
For more information about package transformations, see “Understanding Package Prompt Transformations” on page 172.

7.6.2 Understanding Package Prompt Types

There are eight types of default package prompts available in Designer:

- Driver Name
- Global Configuration
- Initial Settings
- Job
- Remote Loader
- Upgrade Settings
- MSysInfo Classification
- Custom

Each type of package prompt has its own set of default fields. However, you can add new fields to a package prompt to configure other driver configuration properties, as necessary in your environment. When you add a new prompt field, Designer creates a GCV for that field.

The following sections describe the different default package prompt types.

NOTE: You can only generate package prompt resources of the Driver Name, Initial Settings, Remote Loader, or Upgrade Settings types from the Package Catalog. To generate Global Configuration and Job package prompts, you must first create a corresponding object, then generate a prompt for the object and add the prompt to a package. To generate a Custom package prompt, you must create a Resource object of the application/vnd.novell.dirxml.pkg+prompt+xml type. MSysInfo Classification package prompts are created outside of the package prompt interface. You can only generate Driver Name and Remote Loader package prompt resources on a base package.

Driver Name

This type of package prompt allows users to specify the name of the driver. The only prompt field included in this package prompt is Driver Name.

Field Display Name          Field Attribute Name
Driver Name                 name

This package prompt is only available for base packages.

Global Configuration

This type of package prompt allows users to modify the properties of one or more GCV resources. For more information about creating a Global Configuration package prompt, see “Creating Global Configuration Prompts” on page 185.

Initial Settings

This type of package prompt allows users to configure the initial driver configuration properties of a driver object. For example, a user can specify the connection information and password they want to use for the driver. For more information about configuring the initial settings for a driver, see “Configuring Initial Settings” on page 166.

Field Display Name          Field Attribute Name
Authentication ID           shim-auth-id
Connection Information      shim-auth-server
Password                    shim-auth-password

Job

This type of package prompt allows users to modify specific parameters of a job contained in the package.

Remote Loader

This type of package prompt allows users to configure the Remote Loader settings for the driver. If your driver supports the Remote Loader, you must include the Remote Loader package prompt in your package. Packages typically display the Remote Loader package prompt last during driver installation.

Field Display Name          Field Attribute Name
Connect To Remote Loader    use-remote-loader
Host Name                   rl-hostname
Port                        rl-port
KMO                         rl-kmo
Other parameters            rl-other
Remote Password             rl-password
Driver Password             driver-password
Manager Password            ManagerPassword

This package prompt is only available for base packages.

Upgrade Settings

This type of package prompt contains style sheets that maintain your custom package settings so that they are not overwritten when you upgrade or downgrade the package. The Upgrade Settings package prompt contains no prompt fields.

MSysInfo Classification

This type of package prompt allows users to specify the classification of a particular managed system and the type of environment the managed system provides. The Reporting module can then classify the driver by managed system or environment in reports.

NOTE: This package prompt is typically only used in specialized drivers like eDirectory.

Users can select one of the following options for the classification of a managed system:

- Mission-Critical
- Vital
- Not-Critical
- Other

Users can select one of the following options for the environment of a managed system:

- Development
- Test
- Staging
- Production
- Other

Custom

This type of package prompt can be customized to modify anything the package installs. The target of a custom package prompt is any object in the package that you want users to be able to change when installing and configuring the driver. For example, if you want users to modify a policy during the installation process, you can create a custom package prompt and specify the policy as the target for the prompt. For more information about creating custom package prompts, see “Creating Package Prompt Resources” on page 186.

7.6.3 Understanding Package Prompt Transformations

When you install a package, Designer performs the following tasks for each prompt that belongs to the package:

- Reads the prompt
- Applies the prompt transform XSL on the prompt XML
- Displays the transformed prompt in the Driver Configuration Wizard
- Receives the values specified by the user in the Driver Configuration Wizard
- Applies the target transform XSL on the target object using the values specified by the user and the initial package settings

The following diagram displays the Designer workflow for prompt transformations:

Prompt transforms are typically used for conditional prompting, where the Driver Configuration Wizard only displays a prompt if specific conditions are met. For example, when you install a driver, the Driver Name prompt allows you to specify a name for the driver. However, when you view the driver properties after installation, Designer does not display the Driver Name prompt.

Target transforms are typically used to modify different types of targets during the driver installation process.
For example, target transforms allow you to modify the named password used by a particular driver, based on the password the user specifies in a package prompt.

NOTE: Most package developers can use an existing XSL style sheet for their package-creation needs. However, advanced users may need to customize the XSL style sheets. To customize prompt and target transforms, you should understand the style sheets and the inputs the style sheets receive. See the sections below for information about default style sheets and inputs.

Each transform includes three XML documents, defsDoc, curDoc, and npDoc, as well as the boolean propertyWizard flag. These four components allow you to apply a transform to a prompt or target, depending on your needs. You add defsDoc, curDoc, npDoc, or propertyWizard to your transform as parameters in the XSL code. For more information about the transform parameters, see the following sections.

defsDoc

This XML parameter contains the prompts, or configuration value definitions, including the values specified by the user on the prompt page.

Sample document:

    <configuration-values>
      <definitions>
        <header display-name="Authentication"/>
        <definition display-name="SAP User ID" mandatory="true" name="shim-auth-id" type="string">
          <description>The ID of the User this driver will use for SAP Logon. This is referred to as 'User' in the SAP Logon screen.</description>
          <value>idmdriver</value>
        </definition>
        <definition display-name="SAP User Password" mandatory="true" name="shim-auth-password" type="password-ref">
          <description>The User password this driver will use for SAP Logon. This is referred to as 'Password' in the SAP Logon screen.</description>
          <value>shim-auth-password</value>
        </definition>
      </definitions>
    </configuration-values>

curDoc

In the case of an upgrade or downgrade using the Installation Wizard, this parameter contains the XML content of the currently installed prompt target.
In the case of an initial install using the Driver Configuration Wizard, this document is empty.

Sample document (only an excerpt, as these docs are rather large):

    <ds-attributes>
      <ds-attribute ds-attr-name="shim-auth-id">
        <ds-value>idmdriver</ds-value>
      </ds-attribute>
      <ds-attribute ds-attr-name="shim-auth-server">
        <ds-value>127.0.0.1</ds-value>
      </ds-attribute>
      <ds-attribute ds-attr-name="driver-start-option">
        <ds-value>2</ds-value>
      </ds-attribute>
    </ds-attributes>

npDoc

In the case of an upgrade or downgrade, this parameter contains an XML representation of all named passwords available on the prompt target. Only the names of existing passwords are available, not their values. If a named password has been set using a prompt, both its name and value are available.

To set a named password, append the following structure to the transform target:

    <ds-attribute ds-attr-name="named-password">
      <ds-value display-name="Password 1" name="pwd1">1</ds-value>
      <ds-value display-name="Password 2" name="pwd2">2</ds-value>
    </ds-attribute>

NOTE: The transform target must support named passwords.

You cannot get or modify passwords using a handle to the npDoc document. For security reasons, the value of the password itself is never displayed.

Sample document:

    <named-passwords>
      <named-password name="promptedPwd">promptedValue</named-password>
      <named-password name="existingPwd"/>
    </named-passwords>

propertyWizard Flag

This boolean parameter indicates if the package is installed from the Installation Wizard, which is launched from the package Properties window, or from the Driver Configuration Wizard, which Designer launches when you install a new driver. The possible options are true (Installation Wizard) or false (Driver Configuration Wizard).

This parameter allows you to configure a package prompt to be displayed or hidden depending on the wizard.
For the Driver Name prompt, this parameter is set to false by default, so that Designer only prompts users for the driver name in the Driver Configuration Wizard.

7.6.4 Example Default Prompt Transformations

As discussed previously, each of the default package prompt types contains both a prompt transformation and a target transformation. The following subsections provide examples of some of the default prompt transformation stylesheets.

Driver Name

The default prompt transformation for a Driver Name package prompt uses the propertyWizard flag to check if the user is viewing the prompt in the Installation Wizard or Driver Configuration Wizard, then pre-populates the prompt with an existing value, if a driver name already exists.

    <xsl:param name="propertyWizard"/>

    <xsl:template match="header[@driver-name='true']">
      <xsl:if test="$propertyWizard='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

    <xsl:template match="definition[@driver-name='true']">
      <xsl:if test="$propertyWizard='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

    <!-- pre-populate prompts with existing values -->
    <xsl:template match="definition/value">
      <xsl:variable name="name" select="../@name"/>
      <xsl:variable name="curVal">
        <xsl:choose>
          <xsl:when test="$curDoc//ds-value[../@ds-attr-name=$name]/text()">
            <xsl:value-of select="$curDoc//ds-value[../@ds-attr-name=$name]/text()"/>
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="$curDoc//value[../@name=$name]/text()"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:variable>
      <xsl:choose>
        <!-- backfilling from current value -->
        <xsl:when test="$curVal">
          <value>
            <xsl:value-of select="$curVal"/>
          </value>
        </xsl:when>
        <!-- no current value found -->
        <xsl:otherwise>
          <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
          </xsl:copy>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

    <!-- identity transformation template -->
    <xsl:template match="node()|@*">
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
      </xsl:copy>
    </xsl:template>

Initial Settings

The default prompt transformation for an Initial Settings package prompt pre-populates the prompt fields with existing values, if applicable.

    <xsl:param name="propertyWizard"/>

    <xsl:template match="header[@driver-name='true']">
      <xsl:if test="$propertyWizard='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

    <xsl:template match="definition[@driver-name='true']">
      <xsl:if test="$propertyWizard='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

    <!-- pre-populate prompts with existing values -->
    <xsl:template match="definition/value">
      <xsl:variable name="name" select="../@name"/>
      <xsl:variable name="curVal">
        <xsl:choose>
          <xsl:when test="$curDoc//ds-value[../@ds-attr-name=$name]/text()">
            <xsl:value-of select="$curDoc//ds-value[../@ds-attr-name=$name]/text()"/>
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="$curDoc//value[../@name=$name]/text()"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:variable>
      <xsl:choose>
        <!-- backfilling from current value -->
        <xsl:when test="$curVal">
          <xsl:variable name="checkRemote">
            <xsl:choose>
              <xsl:when test="$name='shim-auth-server' or $name='shim-auth-password'">
                <xsl:value-of select="'true'"/>
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="'false'"/>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:variable>
          <xsl:choose>
            <xsl:when test="$checkRemote='true' and starts-with($curVal, 'REMOTE')">
              <value>
                <xsl:value-of select="substring-after($curVal, ')')"/>
              </value>
            </xsl:when>
            <xsl:otherwise>
              <value>
                <xsl:value-of select="$curVal"/>
              </value>
            </xsl:otherwise>
          </xsl:choose>
        </xsl:when>
        <!-- no current value found -->
        <xsl:otherwise>
          <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
          </xsl:copy>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

    <!-- identity transformation template -->
    <xsl:template match="node()|@*">
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
      </xsl:copy>
    </xsl:template>

7.6.5 Example Default Target Transformations

The following subsections provide examples of some of the default target transformation stylesheets.

Global Configuration

The default target transformation for a Global Configuration package prompt applies the specified prompt values to a global configuration object.

    <xsl:param name="propertyWizard"/>

    <!-- handle non-existing named passwords -->
    <xsl:template match="ds-attributes">
      <xsl:copy>
        <xsl:apply-templates select="@*"/>
        <xsl:choose>
          <!-- no named passwords defined in initial settings -->
          <xsl:when test="count(ds-attribute[@ds-attr-name='named-password'])=0">
            <ds-attribute ds-attr-name="named-password">
              <xsl:for-each select="$npDoc//named-passwords/named-password[count($defsDoc//definition[@type='password-ref']/value[text()=@name])>0]">
                <ds-value display-name="a" name="a">bb</ds-value>
              </xsl:for-each>
            </ds-attribute>
          </xsl:when>
          <!-- named passwords defined in initial settings -->
          <xsl:otherwise>
            <xsl:apply-templates select="node()"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:copy>
    </xsl:template>

    <!-- handle existing named passwords -->
    <xsl:template match="ds-attribute[@ds-attr-name='named-password']">
      <xsl:copy>
        <xsl:apply-templates select="@*"/>
        <xsl:for-each select="ds-value">
          <xsl:copy>
            <xsl:apply-templates select="@*"/>
            <xsl:variable name="npName" select="@name"/>
            <xsl:variable name="npValue" select="$npDoc//named-passwords/named-password[@name=$npName]/text()"/>
            <xsl:choose>
              <xsl:when test="string-length($npValue)>0">
                <xsl:value-of select="$npValue"/>
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="."/>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:copy>
        </xsl:for-each>
      </xsl:copy>
    </xsl:template>

    <!-- inject prompt values into target definitions -->
    <xsl:template match="definition/value">
      <xsl:variable name="name" select="../@name"/>
      <xsl:variable name="promptVal"
          select="$defsDoc//value[../@name=$name]"/>
      <xsl:choose>
        <!-- inject value from prompt -->
        <xsl:when test="$promptVal">
          <xsl:copy>
            <xsl:value-of select="$promptVal"/>
          </xsl:copy>
        </xsl:when>
        <!-- no current value found -->
        <xsl:otherwise>
          <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
          </xsl:copy>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

    <!-- identity transformation template -->
    <xsl:template match="node()|@*">
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
      </xsl:copy>
    </xsl:template>

Remote Loader

The default target transformation for a Remote Loader package prompt handles Remote Loader-specific prompt fields. The target transformation also provides the Remote Loader parameters and password to the Initial Settings package prompt to use in the Connection Information and Password fields.

    <xsl:param name="propertyWizard"/>

    <xsl:template match="ds-attribute[@ds-attr-name='driver-password']"/>

    <!-- Remove the native module if we are running remote -->
    <xsl:template match="ds-attribute[@ds-attr-name='native-module']">
      <xsl:variable name="useRemoteLoader" select="$defsDoc//definition[@name='use-remote-loader']/value/text()"/>
      <xsl:if test="$useRemoteLoader='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

    <!-- Replace the java module with the remote shim if we are running remote -->
    <xsl:template match="ds-attribute[@ds-attr-name='java-module']/ds-value/text()">
      <xsl:variable name="useRemoteLoader" select="$defsDoc//definition[@name='use-remote-loader']/value/text()"/>
      <xsl:choose>
        <xsl:when test="$useRemoteLoader='true'">
          <xsl:value-of select="'com.novell.nds.dirxml.remote.driver.DriverShimImpl'"/>
        </xsl:when>
        <xsl:otherwise>
          <xsl:value-of select="."/>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

    <xsl:template match="ds-attributes">
      <xsl:variable name="useRemoteLoader" select="$defsDoc//definition[@name='use-remote-loader']/value/text()"/>
      <xsl:variable name="rlHost" select="$defsDoc//definition[@name='rl-hostname']/value/text()"/>
      <xsl:variable name="rlPort" select="$defsDoc//definition[@name='rl-port']/value/text()"/>
      <xsl:variable name="rlKMOTemp" select="$defsDoc//definition[@name='rl-kmo']/value/text()"/>
      <xsl:variable name="rlKMO">
        <xsl:choose>
          <xsl:when test="string-length($rlKMOTemp)>0">
            <xsl:choose>
              <xsl:when test="contains($rlKMOTemp, ' ')">
                <xsl:variable name="c1" select="concat(&quot;&apos;&quot;, $rlKMOTemp)"/>
                <xsl:variable name="c2" select="concat($c1, &quot;&apos;&quot;)"/>
                <xsl:value-of select="concat(' kmo=', $c2)"/>
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="concat(' kmo=', $rlKMOTemp)"/>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="''"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:variable>
      <xsl:variable name="rlOtherTemp" select="$defsDoc//definition[@name='rl-other']/value/text()"/>
      <xsl:variable name="rlOther">
        <xsl:choose>
          <xsl:when test="string-length($rlOtherTemp)>0">
            <xsl:value-of select="concat(' ', $rlOtherTemp)"/>
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="''"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:variable>
      <xsl:variable name="rlPwd" select="$npDoc//named-password[@name='rl-password']/text()"/>
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
        <xsl:if test="$useRemoteLoader='true'">
          <!-- inject the driver password if running remote -->
          <xsl:for-each select="$npDoc//named-passwords/named-password[@name='driver-password']/text()">
            <ds-attribute ds-attr-name="driver-password">
              <ds-value>
                <xsl:value-of select="."/>
              </ds-value>
            </ds-attribute>
          </xsl:for-each>
          <!-- Add a java module attribute node if one does not exist -->
          <xsl:choose>
            <xsl:when test="ds-attribute[@ds-attr-name='java-module']">
              <!-- Do nothing -->
            </xsl:when>
            <xsl:otherwise>
              <ds-attribute ds-attr-name="java-module">
                <ds-value>com.novell.nds.dirxml.remote.driver.DriverShimImpl</ds-value>
              </ds-attribute>
            </xsl:otherwise>
          </xsl:choose>
          <xsl:if
              test="$rlHost">
            <!-- Add a shim-auth-server attribute node if one does not exist -->
            <xsl:choose>
              <xsl:when test="ds-attribute[@ds-attr-name='shim-auth-server']/ds-value/text()">
                <!-- Do nothing -->
              </xsl:when>
              <xsl:otherwise>
                <ds-attribute ds-attr-name="shim-auth-server">
                  <ds-value>REMOTE(hostname=<xsl:value-of select="$rlHost"/> port=<xsl:value-of select="$rlPort"/> <xsl:value-of select="$rlKMO"/> <xsl:value-of select="$rlOther"/>)</ds-value>
                </ds-attribute>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:if>
          <xsl:if test="$rlPwd">
            <!-- Add a shim-auth-password attribute node if one does not exist -->
            <xsl:choose>
              <xsl:when test="ds-attribute[@ds-attr-name='shim-auth-password']/ds-value/text()">
                <!-- Do nothing -->
              </xsl:when>
              <xsl:otherwise>
                <ds-attribute ds-attr-name="shim-auth-password">
                  <ds-value>REMOTE(<xsl:value-of select="$rlPwd"/>)</ds-value>
                </ds-attribute>
              </xsl:otherwise>
            </xsl:choose>
          </xsl:if>
        </xsl:if>
      </xsl:copy>
    </xsl:template>

    <!-- Fix up shim-auth-server if running remote and one already exists -->
    <xsl:template match="ds-attribute[@ds-attr-name='shim-auth-server']/ds-value/text()">
      <xsl:variable name="useRemoteLoader" select="$defsDoc//definition[@name='use-remote-loader']/value/text()"/>
      <xsl:variable name="rlHost" select="$defsDoc//definition[@name='rl-hostname']/value/text()"/>
      <xsl:variable name="rlPort" select="$defsDoc//definition[@name='rl-port']/value/text()"/>
      <xsl:variable name="rlKMOTemp" select="$defsDoc//definition[@name='rl-kmo']/value/text()"/>
      <xsl:variable name="rlKMO">
        <xsl:choose>
          <xsl:when test="string-length($rlKMOTemp)>0">
            <xsl:choose>
              <xsl:when test="contains($rlKMOTemp, ' ')">
                <xsl:variable name="c1" select="concat(&quot;&apos;&quot;, $rlKMOTemp)"/>
                <xsl:variable name="c2" select="concat($c1, &quot;&apos;&quot;)"/>
                <xsl:value-of select="concat(' kmo=', $c2)"/>
              </xsl:when>
              <xsl:otherwise>
                <xsl:value-of select="concat(' kmo=', $rlKMOTemp)"/>
              </xsl:otherwise>
</xsl:choose> </xsl:when> <xsl:otherwise> <xsl:value-of select="''"/> </xsl:otherwise> </xsl:choose> Developing Packages 181 </xsl:variable> <xsl:variable name="rlOtherTemp" select="$defsDoc//definition[@name='rlother']/value/text()"/> <xsl:variable name="rlOther"> <xsl:choose> <xsl:when test="string-length($rlOtherTemp)>0"> <xsl:value-of select="concat(' ', $rlOtherTemp)"/> </xsl:when> <xsl:otherwise> <xsl:value-of select="''"/> </xsl:otherwise> </xsl:choose> </xsl:variable> <xsl:choose> <xsl:when test="$useRemoteLoader='true'"> <xsl:variable name="curVal" select="."/> <xsl:variable name="tmpVal" select="concat(concat('REMOTE(hostname=', $rlHost), ' port=')"/> <xsl:variable name="remoteVal" select="concat(concat($tmpVal, $rlPort), $rlKMO)"/> <xsl:variable name="withKMO" select="concat($remoteVal, $rlOther)"/> <xsl:variable name="withOther" select="concat($withKMO, ')')"/> <xsl:variable name="serverVal" select="concat($withOther, $curVal)"/> <xsl:value-of select="$serverVal"/> </xsl:when> <xsl:otherwise> <xsl:value-of select="."/> </xsl:otherwise> </xsl:choose> </xsl:template> <!-- Fix up shim-auth-password if running remote and one already exists --> <xsl:template match="ds-attribute[@ds-attr-name='shim-auth-password']/ds-value/ text()"> <xsl:variable name="useRemoteLoader" select="$defsDoc//definition[@name='useremote-loader']/value/text()"/> <xsl:variable name="rlPwd" select="$npDoc//named-password[@name='rlpassword']/text()"/> <xsl:choose> <xsl:when test="$useRemoteLoader='true'"> <xsl:variable name="curVal" select="."/> <xsl:variable name="remoteVal" select="concat(concat('REMOTE(', $rlPwd), ')')"/> <xsl:variable name="pwdVal" select="concat($remoteVal, $curVal)"/> <xsl:value-of select="$pwdVal"/> </xsl:when> <xsl:otherwise> <xsl:value-of select="."/> </xsl:otherwise> </xsl:choose> </xsl:template> <!-- identity transformation template --> <xsl:template match="node()|@*"> <xsl:copy> <xsl:apply-templates select="@*|node()"/> </xsl:copy> </xsl:template> 182 

7.6.6 Examples of Modified Prompt Transformations

In this section, we provide a few examples to demonstrate how you can modify a prompt transform and why modifying a prompt transform can be useful.

Use Case 1: Need to configure different behavior for package installation through the Driver Configuration Wizard and the Installation Wizard

If you upgrade a package using the Installation Wizard, Designer does not need to prompt you for the driver name, as the driver name should already be configured. To avoid the Wizard prompting you for the driver name, use the flag propertyWizard in the prompt transform. Depending on the value of the flag, the transform removes the given prompt from the prompt display.

Sample XSL code:

    <xsl:template match="header[@driver-name='true']">
      <xsl:if test="$propertyWizard='false'">
        <xsl:copy>
          <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
      </xsl:if>
    </xsl:template>

Use Case 2: Need to pre-fill prompts with existing values during the upgrade process

During an upgrade or downgrade, Designer displays the values you entered during the initial installation. The user therefore does not need to remember all the values specified during the first installation.

For each definition in the input document (in this case, the prompt document), Designer tries to find the corresponding definition in the current document (curDoc). When Designer finds a matching definition, the application stores the corresponding value in a temporary variable, curVal. Designer then populates the prompt document with the curVal value and displays the pre-filled prompts to the user during the upgrade or downgrade process.

Sample XSL code:

    <xsl:template match="definition/value">
      <xsl:variable name="name" select="../@name"/>
      <xsl:variable name="curVal">
        <xsl:choose>
          <xsl:when test="$curDoc//ds-value[../@ds-attr-name=$name]/text()">
            <xsl:value-of select="$curDoc//ds-value[../@ds-attr-name=$name]/text()"/>
          </xsl:when>
          <xsl:otherwise>
            <xsl:value-of select="$curDoc//value[../@name=$name]/text()"/>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:variable>
      <xsl:choose>
        <!-- backfilling from current value -->
        <!-- $curVal is a result tree fragment, which is always true as a boolean,
             so test its string length instead -->
        <xsl:when test="string-length($curVal)>0">
          <value>
            <xsl:value-of select="$curVal"/>
          </value>
        </xsl:when>
        <!-- no current value found -->
        <xsl:otherwise>
          <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
          </xsl:copy>
        </xsl:otherwise>
      </xsl:choose>
    </xsl:template>

7.6.7 Example of Modified Target Transformation

In this section, we provide an example to demonstrate how you can modify a target transform and why modifying a target transform can be useful.

Use Case: Need to provide the driver name at the necessary place during target transformation

In this case, you want to add the driver name to the initial data so that the driver name prompt changes the name in all necessary locations on the driver.

Sample XSL code:

    <xsl:template match="ds-attributes">
      <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
        <xsl:if test="$propertyWizard='false' and boolean(ds-attribute[@ds-attr-name='name']/ds-value)=false()">
          <!-- Make sure we have a name when called from the DCW -->
          <xsl:variable name="promptVal" select="$defsDoc//value[../@name='name']"/>
          <xsl:variable name="driverName">
            <xsl:choose>
              <!-- use prompt value -->
              <xsl:when test="$promptVal">
                <xsl:value-of select="$defsDoc//value[../@name='name']/text()"/>
              </xsl:when>
              <!-- no prompt value found, use default value -->
              <xsl:otherwise>Driver</xsl:otherwise>
            </xsl:choose>
          </xsl:variable>
          <ds-attribute ds-attr-name="name">
            <ds-value>
              <xsl:value-of select="$driverName"/>
            </ds-value>
          </ds-attribute>
        </xsl:if>
      </xsl:copy>
    </xsl:template>

7.6.8 Adding Default Package Prompts

To add package prompts to a base package:

1 Verify that you have created a base package. Otherwise, follow Section 7.4, “Creating a Base Package,” on page 164 to create a new base package.
2 Right-click the package in the package catalog and select Generate Prompt Resource.
3 Select the type of package prompt you want to configure.
   NOTE: You can only create one of each type of prompt for a particular package.
4 In the package catalog, expand the package version and Resources directory.
5 Right-click the new package prompt and select Properties.
6 Verify the type of package prompt.
7 Specify the order in which you want the Driver Configuration Wizard to display the current package prompt. The Wizard displays prompts in ascending order starting from 0.
8 Verify the target displayed is correct for the package prompt. If you want to add the prompt to a different package, click Add, browse to the package, and click OK.
9 Click the Prompts tab. The Properties window displays what the current package prompt looks like in the Driver Configuration Wizard.

You now have default package prompts created and you can edit and change these prompts for your own needs.

7.6.9 Creating Custom Package Prompts

In addition to adding default, auto-generated prompts to your packages, you can create a custom prompt to modify a specific GCV object in your package or create a package prompt resource to modify any non-GCV target object in your package.

Creating Global Configuration Prompts

You can create a package prompt that modifies a GCV object contained in your custom package.

NOTE: To create a Global Configuration prompt, you must first install the base package on the development driver. For more information, see the “Global Configuration Value Definition Editor” in the Policies in Designer 4.0.2.

To create and configure a Global Configuration package prompt, complete the following steps:

1 Install the base package you want to use on your development driver. For more information about installing the development driver, see “Creating a Development Driver” on page 163.
2 In the Outline view, right-click the driver name and select New > Global Configuration.
3 Specify a name for the new GCV resource object and click OK.
4 In the Outline view, right-click the new GCV resource object and select Add to Package.
5 Select the base package where you want to add the GCV resource and click OK.
6 In the Outline view, navigate to the base package and expand Global Configurations.
7 Right-click the new GCV resource object and select Generate Prompt Resource. Designer creates a new package prompt for the GCV in the Resources directory.
8 Right-click the new GCV package prompt and select Properties.
9 Verify that the target of the package prompt is the GCV resource object you created.
10 Specify the order in which you want the Driver Configuration Wizard to display the GCV package prompt. The Wizard displays prompts in ascending order starting from 0.
11 Click Prompts.
12 Click Add to add each new prompt you want to include in the GCV package prompt Resource object. For information about adding new prompts, see “Adding Prompts” on page 188.
13 When finished adding prompts, click Apply.
14 Click Prompt Transformation. This window allows you to configure how you want to display the prompt in the Driver Configuration Wizard.
15 Modify the default Global Configuration transform as necessary for your GCV package prompt. For more information about the default Global Configuration prompt transform, see “Global Configuration” on page 170. For more information about prompt transforms, see “Understanding Package Prompt Transformations” on page 172.
16 Click Apply.
17 Click Target Transformation. This window allows you to configure how you want to modify the target of the transform.
18 Modify the default Global Configuration transform as necessary for your GCV package prompt. For more information about the default Global Configuration target transform, see “Global Configuration” on page 170. For more information about target transforms, see “Understanding Package Prompt Transformations” on page 172.
19 Click OK.

Creating Package Prompt Resources

You can create custom package prompts directly as resource objects themselves. You can create a package prompt to modify any object the package installs on the driver.

To create a custom package prompt, complete the following steps:

1 In the Outline view, right-click the development driver and select New > Resource.
2 Specify the name you want to use for the custom prompt.
3 In the Content type drop-down menu, select application/vnd.novell.dirxml.pkg+prompt+xml.
4 Clear Open the editor after creating the object and click OK.
5 (Optional) If prompted to save, click Yes.
6 In the Outline view, right-click the custom package prompt Resource object and select Add to Package.
7 Select the base package where you want to add the package prompt resource and click OK.
8 In the Outline view, navigate to the base package and expand Resources.
9 Right-click the custom package prompt and select Properties.
10 Next to the Targets field, click Add.
11 Expand the Package Catalog and select the base package to which you added the custom prompt, then click OK.
12 Specify the order in which you want the Driver Configuration Wizard to display the custom prompt. The Wizard displays prompts in ascending order starting from 0.
13 Click Prompts.
14 Click Add to add each new prompt you want to include in the custom prompt Resource object. For information about adding new prompts, see “Adding Prompts” on page 188.
15 When finished adding prompts, click Apply.
16 Click Prompt Transformation. This window allows you to configure how you want to display the prompt in the Driver Configuration Wizard.
17 (Conditional) If you want to use a default prompt transform as the prompt transform for your custom prompt, click Generate from template and select the template you want to use, then click OK. Designer automatically populates the Stylesheet window with the selected template.
   WARNING: When you generate the prompt transform from a template, Designer overwrites any XML currently in the Stylesheet window. If you have any previously-customized XML, ensure that you save the existing XML before clicking Generate from template.
18 Modify the default transform as necessary for your custom package prompt. For more information about default prompt transforms, see “Understanding Package Prompts” on page 168. For more information about transforms, see “Understanding Package Prompt Transformations” on page 172.
19 Click Apply.
20 Click Target Transformation. This window allows you to configure how you want to modify the target of the transform.
21 (Conditional) If you want to use a default target transform as the target transform for your custom prompt, click Generate from template and select the template you want to use, then click OK. Designer automatically populates the Stylesheet window with the selected template.
   WARNING: When you generate the target transform from a template, Designer overwrites any XML currently in the Stylesheet window. If you have any previously-customized XML, ensure that you save the existing XML before clicking Generate from template.
22 Modify the default transform as necessary for your custom package prompt. For more information about default target transforms, see “Understanding Package Prompts” on page 168. For more information about transforms, see “Understanding Package Prompt Transformations” on page 172.
23 Click OK.

7.6.10 Editing Package Prompts

You can edit the properties of a Resource object to change the package prompts to meet your needs. You can add new prompts, edit the existing prompts, or add default values for the prompts that are displayed when the package is installed.

   “Adding Prompts” on page 188
   “Editing Existing Prompts” on page 188
   “Setting Default Values for the Prompts” on page 188

Adding Prompts

1 In the Outline view, right-click the Prompt Resource object in the package, then click Properties.
2 Click Prompts, then click Add. For more information about adding a GCV resource as a prompt, see “Global Configuration Value Definition Editor” in Policies in Designer 4.0.2.
3 Click Finish to save the changes and close the page.

Editing Existing Prompts

1 In Outline view, right-click the Prompt Resource object in the package, then click Properties.
2 Click Prompts.
3 Select the prompt, then click Edit.
4 Make the desired changes, then click Finish.

Setting Default Values for the Prompts

1 In the Outline view, right-click the Prompt Resource object in the package, then click Properties.
2 Click Prompts.
3 Specify the default value in each prompt, then click Apply to save the changes.
4 Click OK to close the Prompts page.

7.7 Creating Identity Vault and Driver Set Packages

When creating custom packages, you may determine that some of the content in your base and feature packages can be used at a higher level, in other drivers in the driver set or in the Identity Vault as a whole. You can create common packages on driver sets and Identity Vaults and add libraries, policies, ECMAScript objects, GCVs, password policies, and other object types to those high-level packages. You can also add notification templates to an Identity Vault package.

To create an Identity Vault or driver set package, complete the following steps:

1 In the Package Catalog, right-click the package group where you want to create a new package and select New Package.
2 Specify a name, version number, and description for the package in the appropriate fields.
3 Specify a short name for the package in the appropriate field. Identity Manager and Designer display the specified short name when you open the package in a user interface. This name must be unique in the Identity Vault.
   NOTE: The standard short name for a package is 12 characters long, separated into three sections of four characters: [Vendor][Target system][What package does]. For example, if you have a common settings driver set package created by NetIQ, the package short name could be NTIQCOMMSTNG. If you have an Identity Vault package created by NetIQ that contains password synchronization notification templates, the package short name could be NTIQPSYNNOTF.
4 Click the Type drop-down menu and select DriverSet or Identity Vault, depending on the type of package you want to create.
5 Verify the package category and group are correct.
6 Click Next.
7 In the IDM Compatibility section, select the minimum and maximum versions of Identity Manager that this package is compatible with, then click Next.
8 Specify or modify the vendor information you want to include in the package, then click Next. You must specify the vendor name for the package.
9 Review the Summary page and click Finish.
10 (Optional) If you want to require a particular Identity Vault package be installed along with your driver set package, complete the following steps:
   10a In the Outline window, expand the Package Catalog and navigate to the version of the driver set package you created in the preceding steps.
   10b Right-click the driver set package and select Properties.
   10c In the Properties window, click Dependencies.
   10d Click the plus icon and select the Identity Vault package object you want to add as a dependency.
       NOTE: You can only add an Identity Vault package as a dependency for a driver set package. You cannot set any type of package as a dependency for an Identity Vault package.
   10e Click OK.
11 In the Modeler, right-click the Identity Vault or driver set, depending on the type of package you created, and select Properties.
12 In the Properties window, click Packages to install the package on the Identity Vault or driver set.
13 Click the plus icon to display the packages you can install.
14 Select the package you want to install and click OK.
15 Click OK.
16 Click Finish.

7.7.1 Creating Libraries

In order to add policies, style sheets, rules, or other objects to an Identity Vault or driver set package, you must first create a custom library on the Identity Vault or driver set, as appropriate. You then create the new objects in the library and add those objects to your Identity Vault or driver set package.

NOTE: You cannot add the library itself to the Identity Vault or driver set package.

For more information about working with libraries in Designer, see “Library Objects” in Policies in Designer 4.0.2.

To add and populate a custom library, complete the following steps.

1 In the Modeler, right-click the Identity Vault or driver set and select New > Library.
2 Specify a name for the new library and click OK.
3 Right-click the new library and select New, then select the type of object you want to add to the library. For information on adding objects to a library, see “Adding Policies to the Library Objects” in Policies in Designer 4.0.2.
4 After you add the new object, right-click the object in the Outline view and select Add to Package.
5 Select the Identity Vault or driver set package where you want to add the object and click OK.
   NOTE: Only packages that are created in Designer are displayed in the list. Any packages that are imported into Designer are not displayed in the list.
6 Repeat Step 3 through Step 5 for each object you want to add.
7 (Optional) If your driver requires the objects included in the library, complete the following steps:
   7a Right-click the library and select Live > Deploy.
   7b Click Deploy.
   7c Click OK.

7.7.2 Adding GCV Resource Objects

After you create an Identity Vault or driver set package, you can create and add new GCV objects to the package.

To create and configure a GCV resource object, complete the following steps:

1 Install the feature package you want to use on your development driver. For more information about installing the development driver, see “Creating a Development Driver” on page 163.
2 In the Outline view, right-click the driver name and select New > Global Configuration.
3 Specify a name for the new GCV resource object and click OK.
4 In the Outline view, right-click the new GCV resource object and select Add to Package.
5 Select the feature package where you want to add the GCV resource and click OK.
   NOTE: Only packages that are created in Designer are displayed in the list. Any packages that are imported into Designer are not displayed in the list.
6 Right-click the GCV resource and select Properties.
7 Click GCVs.
8 Click Add to add a new global configuration value. For more information about adding a GCV, see “Global Configuration Value Definition Editor” in Policies in Designer 4.0.2.
9 Click Finish.
10 Repeat Step 8 through Step 9 for each GCV you want to add.
11 Click OK.

7.7.3 Adding Notification Templates

In addition to libraries and GCVs, you can add notification templates to Identity Vault packages. Notification templates allow you to automatically send e-mail messages to users as part of a policy workflow.

For example, if you add a password-management feature to your driver where Identity Manager autogenerates a password for a user as soon as that user is provided with an account on your application, you need a notification template to e-mail that user their new password.

For more information about creating and using notification templates, see “Setting Up E-Mail Notification Templates” on page 277.

To add a notification template to a package, complete the following steps.

1 In the Outline view, right-click Default Notification Collection and select New Template.
2 Specify a name for the new notification template and click OK.
3 In the E-Mail Template Editor, configure the notification template. For information on configuring notification templates, see “Setting Up E-Mail Notification Templates” on page 277.
4 When finished, close the template and click Yes to save the resource.
5 Right-click the template in the Outline view and select Add to Package.
6 Select the Identity Vault package where you want to add the object and click OK.
   NOTE: Only packages that are created in Designer are displayed in the list. Any packages that are imported into Designer are not displayed in the list.
7 Repeat Step 1 through Step 6 for each notification template you want to add.

7.8 Creating Feature Packages

After creating a base package, you need to create the feature packages that users install with the base package. Feature packages contain the bulk of the actual content for a driver, including policies, GCVs, filters, and prompts.

Creating the content for a package is different than creating the package. This section explains how to create the package, then “Adding Content to Packages” on page 193 explains how to add the content to the package.

If you need several feature packages that cover a similar area of functionality, you can organize those packages using package groups. For example, when you install the LDAP driver using the LDAP Base package (NOVLLDAPBASE), the optional features listed do not display the name of each specific package by default but instead group features into the package groups Default Configuration, Entitlements, Password Synchronization, Data Collection, and Account Tracking. Users can then choose to install those optional features as a whole, rather than selecting a particular package.

NOTE: We recommend you create and configure mandatory feature packages sparingly. If a feature or resource is required for all installations of the driver, you should include the feature in the base package instead.

All packages must belong to a category and a group within that category. You cannot create a package outside of a package group. Feature packages should belong to the same package group and category as the base package to which they belong.

When you create multiple feature packages, we recommend using package groups to organize packages by feature. This can make the structure of the different features clearer to the end user.

1 Right-click the package group where you want to create a new package and select New Package.
2 Specify a name, version number, and description for the package in the appropriate fields.
3 Specify a short name for the package in the appropriate field.
   Identity Manager and Designer display the specified short name when you open the package in a user interface. This name must be unique in the Identity Vault.
   NOTE: The standard short name for a package is 12 characters long, separated into three sections of four characters: [Vendor][Target system][What package does]. For example, if you have an Active Directory feature package created by NetIQ, the package short name could be NTIQADIRBASE.
4 Click the Type drop-down menu and select Driver.
5 Verify the package category and group are correct.
6 Click Next.
7 In the IDM Compatibility section, select the minimum and maximum versions of Identity Manager that this package is compatible with. The selected versions should correspond to the versions selected for the base package.
8 In the Application Compatibility section, select the minimum and maximum versions of the managed application that this package is compatible with. The selected versions should correspond to the versions selected for the base package.
9 Select one or more driver types in the Available Driver Types list with which you want the package to be compatible and use the right-arrow icon to move them to the Supported Driver Types list.
   NOTE: The package must support at least one driver type. Ensure you select the type of application you used when creating your development driver.
10 Click Next.
11 Specify or modify the vendor information you want to include in the package, then click Next. You must specify the vendor name for the package.
12 Review the Summary page and click Finish.

7.9 Configuring Mandatory and Optional Feature Packages

Feature packages can be mandatory or optional, depending on the functionality you want to provide. If you need a particular feature, you can configure that feature package to be mandatory, while leaving other, less-essential feature packages as optional.

You specify the mandatory and optional feature packages for a base package in the Configuration Wizard Properties page of the base package, using the XML tags <mandatory></mandatory> and <optional></optional>. This XML document configures how the Configuration Wizard displays features for the base package when you install the package on a driver.

1 In the Outline window, expand the Package Catalog and navigate to the version of the feature package you want to configure as mandatory or optional.
2 Select the feature package.
3 In the Properties view, find the Package Id field and copy-and-paste the package ID number into a text file.
4 Repeat Step 1 through Step 3 for each feature package you want to configure, saving all package IDs.
5 In the Designer Outline window, expand the Package Catalog and navigate to the version of the base package for which you want to configure sub-packages.
6 Right-click the base package and select Properties.
7 In the Properties window, click Configuration Wizard.
8 In the Configuration Wizard Feature Definition window, modify the XML to include all mandatory and optional feature packages, using the following XML structure:

    <?xml version="1.0" encoding="UTF-8"?>
    <features>
      <mandatory>
        <group display-name="Mandatory Package Group Name1" expanded="false">
          <package display-name="Mandatory Package Name1" id="PackageIDNumber1" selected="true"/>
        </group>
        <group display-name="Mandatory Package Group Name2" expanded="false">
          <package display-name="Mandatory Package Name2" id="PackageIDNumber2" selected="true"/>
        </group>
      </mandatory>
      <optional>
        <group display-name="Optional Package Group Name 1" expanded="false">
          <package display-name="Optional Package Name1" id="PackageIDNumber3" selected="true"/>
        </group>
        <group display-name="Optional Package Group Name2" expanded="false">
          <package display-name="Optional Package Name2" id="PackageIDNumber4" selected="true"/>
        </group>
      </optional>
    </features>

   Paste the copied package IDs into the XML as the values of your id fields. Each feature package must have a unique package ID.
   You can have multiple groups within the <mandatory> and <optional> tags.
   If you want a package to be selected by default in the Configuration Wizard, ensure the value of the selected attribute is true.
   NOTE: If there are no mandatory feature packages, use the XML tag <mandatory/>.
9 Click OK.

7.10 Adding Content to Packages

After you have created a package, you must add Identity Manager content to the package for the package to have value. You can add different types of content to a package, including policies, ECMAScript objects, package prompt resources, and entitlements. For a full list of all types of content you can add to a package, see Table 6-1 on page 149.

IMPORTANT: You can only add content to a package you create. You cannot add content to a package you have imported unless you also have the Designer project in which the package was developed.

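A pre-flight check for the Configuration Wizard feature definition described in Section 7.9, given here as an added example rather than Novell's code: it reports a document that is not well-formed (such as a group left unclosed), package IDs that are missing, duplicated, or still the guide's PackageIDNumber placeholders, and a missing <mandatory> element. The sample documents and package IDs are constructed; the true/false check, the single-<optional> check, and the refusal to parse a DOCTYPE are assumptions drawn from the sample structure, not documented rules.

```python
"""Pre-flight lint for a Configuration Wizard feature definition.

Added example (not Novell's code). Element and attribute names come from the
sample in Section 7.9; all sample documents and package IDs are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

BOOLEAN_ATTRS = {"group": ("expanded",), "package": ("selected",)}
PLACEHOLDER_PREFIX = "PackageIDNumber"  # placeholder ids used in the guide's sample


def lint_features(xml_text):
    """Return a list of problems; an empty list means the document passed."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    if b"<!DOCTYPE" in data:
        # Assumption: a feature definition needs no DTD, so refuse to parse one.
        return ["DOCTYPE declaration found; refusing to parse"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    if root.tag != "features":
        return [f"root element is <{root.tag}>, expected <features>"]

    problems = []
    sections = Counter(child.tag for child in root)
    for tag in sections:
        if tag not in ("mandatory", "optional"):
            problems.append(f"unexpected <{tag}> under <features>")
    if sections["mandatory"] != 1:
        problems.append("need exactly one <mandatory> (use <mandatory/> when empty)")
    if sections["optional"] > 1:  # assumption: at most one <optional> section
        problems.append("more than one <optional> element")

    # Every package needs its own real ID, across both sections.
    seen = Counter()
    for pkg in root.iter("package"):
        name = pkg.get("display-name", "(unnamed)")
        pkg_id = (pkg.get("id") or "").strip()
        if not pkg_id:
            problems.append(f"package '{name}' has no id")
            continue
        if pkg_id.startswith(PLACEHOLDER_PREFIX):
            problems.append(f"package '{name}' still has placeholder id '{pkg_id}'")
        seen[pkg_id] += 1
    for pkg_id, count in seen.items():
        if count > 1:
            problems.append(f"package id '{pkg_id}' is used {count} times")

    # Assumption from the sample: expanded/selected only take true or false.
    for elem in root.iter():
        for attr in BOOLEAN_ATTRS.get(elem.tag, ()):
            value = elem.get(attr)
            if value is not None and value not in ("true", "false"):
                problems.append(f"<{elem.tag}> {attr}='{value}' is not true/false")
    return problems


# Constructed sample: well-formed, unique ids, no mandatory packages.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<features>
  <mandatory/>
  <optional>
    <group display-name="Entitlements" expanded="false">
      <package display-name="Entitlements Support" id="CONSTRUCTED-ID-1" selected="true"/>
    </group>
    <group display-name="Account Tracking" expanded="false">
      <package display-name="Account Tracking" id="CONSTRUCTED-ID-2" selected="false"/>
    </group>
  </optional>
</features>"""

# Constructed sample: the <group> is never closed, so the parser rejects it.
UNCLOSED_GROUP = """<?xml version="1.0" encoding="UTF-8"?>
<features>
  <mandatory>
    <group display-name="Core" expanded="false">
      <package display-name="Core Rules" id="CONSTRUCTED-ID-1" selected="true"/>
  </mandatory>
  <optional/>
</features>"""

# Constructed sample: the same package id pasted into both sections.
DUPLICATE_ID = """<features>
  <mandatory>
    <group display-name="Core" expanded="false">
      <package display-name="Core Rules" id="CONSTRUCTED-ID-3" selected="true"/>
    </group>
  </mandatory>
  <optional>
    <group display-name="Extras" expanded="false">
      <package display-name="Extra Rules" id="CONSTRUCTED-ID-3" selected="true"/>
    </group>
  </optional>
</features>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("unclosed", UNCLOSED_GROUP), ("duplicate", DUPLICATE_ID)):
        print(label, lint_features(doc) or "OK")
```
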
For more detailed information on adding GCVs, prompts, policies, and filter extensions to a feature package, see the following sections:

   Section 7.10.1, “Adding GCVs to Feature Packages,” on page 194
   Section 7.10.2, “Adding Prompt Resources,” on page 194
   Section 7.10.3, “Adding Policies,” on page 195
   Section 7.10.4, “Adding Filter Extensions,” on page 195

To add content to a feature package, you must first install the package on the driver, add the content item to the driver, then add the configured content item to the package. You can then view the content item under the feature package in the Package Catalog.

When users install the package, whatever language Designer is using is the language in which the package itself is installed.

Complete the following steps to install the package on the driver:

1 Verify you have a development driver installed. If not, follow the steps in “Creating a Development Driver” on page 163 to install a development driver.
2 Verify that you have created a feature package. Otherwise, follow “Creating Feature Packages” on page 191 to create a new feature package.
3 In the Modeler, right-click the development driver, then click Driver > Properties.
4 In the Properties window, click Packages to install the feature package on the driver.
5 Click the plus icon to display the packages you can install on the driver. The package list is initially filtered by driver types. To see all available driver packages, deselect Show only applicable package versions.
6 Select the feature package you want to install and click OK.
7 Click OK.
8 Specify configuration information for any prompts displayed in the Installation Wizard, then click Next.
9 Click Finish to install the package.

7.10.1 Adding GCVs to Feature Packages

As with Identity Vault and driver set packages, you can also add GCVs to a feature package. For information on adding GCVs to a package, see “Adding GCV Resource Objects” on page 190.

7.10.2 Adding Prompt Resources

To add package prompts to a feature package, complete the following steps:

1 Verify that you have created a feature package. Otherwise, follow “Creating Feature Packages” on page 191 to create a new base package.
2 Right-click the feature package in the package catalog and select Generate Prompt Resource.
3 Select the type of package prompt you want to configure:
   Initial Settings: This option creates all of the default attributes required to create a driver object.
   Upgrade Settings: This option creates a Resource object that contains style sheets that maintain the package settings so that they are not overwritten when the new package is installed. Select this option if the package you are creating is an upgrade to an existing package.
   NOTE: You can only create one of each type of prompt for a particular package.
4 In the package catalog, expand the package version and Resources directory.
5 Right-click the new package prompt and select Properties.
6 Verify the type of package prompt.
7 Specify the order in which you want the Driver Configuration Wizard to display the current package prompt. The Wizard displays prompts in ascending order starting from 0.
8 Verify the target displayed is correct for the package prompt. If you want to add the prompt to a different package, click Add, browse to the package, and click OK.
9 Click the Prompts tab. The Properties window displays what the current package prompt looks like in the Driver Configuration Wizard.

7.10.3 Adding Policies

To add policies to a feature package, complete the following steps:

1 Verify that you have created a feature package. Otherwise, follow “Creating Feature Packages” on page 191 to create a new base package.
2 In the Outline view, right-click the driver name and select New > DirXML Script.
3 Specify a name for the new policy and click OK.
4 In the Outline view, right-click the new policy and select Add to Package.
5 Select the feature package where you want to add the policy and click OK.
  NOTE: Only packages that are created in Designer are displayed in the list. Any packages that are imported into Designer are not displayed in the list.
6 Double-click the policy and use the Policy Builder to add rules as necessary. For information about building policies in the Policy Builder, see “Managing Policies with the Policy Builder” in Policies in Designer 4.0.2.
7 Close the policy and click Yes to save the resource.
8 Repeat Step 5 through Step 7 for each policy you want to add.

7.10.4 Adding Filter Extensions

When you create a custom feature package, you should configure Identity Manager to allow data flowing through your environment to go through your new driver’s workflow. For your driver and associated packages to process data, you must create a filter.

Filters act as gates to stop data going into or out of your driver. Filters allow you to specify criteria against which the driver matches any incoming or outgoing data and then executes a specified action. You can filter data on both the Publisher and Subscriber channels of your driver, or simply set up a filter that notifies you when an object is modified.

You should understand the types of data you want the driver with that package installed to process. You can then configure the specific subset of data you want to be processed or synchronized by the driver. For example, you may want the driver to sync data regarding user objects. You can create a filter extension within your feature package that allows any data related to user objects through the workflow, while blocking any other type of data. If the Identity Vault sends an event about a group object to your driver, the filter sees that the event is not about a change to a user object and does not send the event through the driver workflow.
To create a filter, you must create a filter extension resource in your feature package and then deploy that package to a driver. For more information about filter extensions, see “Controlling the Flow of Objects with the Filter” in Policies in Designer 4.0.2.

Complete the following steps to create a filter.

1 Verify that you have created a feature package. Otherwise, follow “Creating Feature Packages” on page 191 to create a new base package.
2 In the Outline view, right-click the driver name and select New > Resource.
3 Specify a name for the new filter resource.
4 Click the Content type drop-down menu and select application/vnd.novell.dirxml.filter-ext+xml.
5 Click OK.
6 In the Filter Editor, add and configure filters as necessary. For information about configuring filters in the Filter Editor, see “Controlling the Flow of Objects with the Filter” in Policies in Designer 4.0.2.
7 Close the filter and click Yes to save the resource.
8 In the Outline view, right-click the new filter and select Add to Package.
9 Select the feature package where you want to add the filter extension and click OK.
  NOTE: Only packages that are created in Designer are displayed in the list. Any packages that are imported into Designer are not displayed in the list.
10 Repeat Step 2 through Step 9 for each filter you want to add.

7.11 Copying Packages

In addition to creating a new package, you can also copy an existing package in the Package Catalog. A copied package has the same content but a different global identifier. This allows you to create a new package based on the content of an existing package.

1 Verify that you have a package created with content. Otherwise, follow Section 7.8, “Creating Feature Packages,” on page 191 and Section 7.10, “Adding Content to Packages,” on page 193 to create a package with content.
2 Right-click the package in the package catalog you want to copy, then click Copy Package.
3 Use the following information to create a copy of the package:
  Name: Change the name of the package, if desired.
  Short Name: Change the unique short name for the package. This name must be unique in the Identity Vault.
  Version: Specify the package version you want to use. By default, the package version is set to 0.0.1.
  Description: Specify a description for the package.
  Type: This field cannot change. The package type is determined when you create a package, not when you copy a package.
  Base Package: If you want to use the copied package as a base package, select this option. If you leave this option cleared, Designer creates the copied package as a feature package.
  Category: Change the package category for this package, if desired.
  Group: Change the package group for this package, if desired.
4 Click Next.
5 Use the following information to define the package constraints:
  IDM Compatibility: Define the minimum and maximum versions of Identity Manager that the package supports.
  Application Compatibility: Define the minimum and maximum versions of the managed application that the package supports, if applicable.
  Driver Type: Select the drivers that the package supports, if applicable.
6 Click Next.
7 Use the following information to define the vendor of the package:
  Vendor Name: Specify the vendor name. If this package is for internal consumption, specify the name of your company.
  Vendor Address: Specify the address for the vendor or your company.
  Vendor URL: Specify the URL of the vendor or your company.
  Vendor eMail: Specify an e-mail for the vendor or your company.
  Contact Name: If there is a specific contact person for this package, specify their name.
  Contact eMail: If there is a specific e-mail address for the contact person, specify it in this field.
8 Click Next.
9 Review the summary of the new package version, then click Finish.
The copy of the package is created in the package catalog under the specified category and group. You can now build and release your package.

NOTE: When users install the copied package, the package uses the language used by Designer when the package was copied.

7.12 Building Packages

After you have created a custom package, you can build the package as a .jar file and prepare the file for consumption by other users.

1 In the Outline window, expand the Package Catalog and navigate to the version of the package you want to build.
2 Right-click the package and click Build.
3 Click Browse, then browse to and select the directory where you want to build the package.
4 Click OK twice.
5 Review the summary information, then click OK.
6 (Optional) After you build the package, provide the package to your QA team to verify, if appropriate. If the QA team finds any issues with the package, create a new version of the package to fix the bug. For more information about creating a new version of a package, see “Versioning Packages” on page 198.

7.13 Versioning Packages

You can create a new version of a package to provide bug fixes or enhancements to released packages. Versioned packages contain the same unique global identifier to support upgrading and downgrading package installations.

The version of a package consists of four parts separated by dots: [Major Version][Minor Version][Patch Version][Package Creation Time Stamp]. The version number parts should be used as follows:

  Major Version: You should increment the major version if you introduce a major feature in the new version of a package.
  Minor Version: You should increment the minor version if you introduce a minor or small feature in the new version of a package.
  Patch Version: You should increment the patch version if you make a small modification to a package.
  Package Creation Time Stamp: Designer automatically adds the time stamp when you create a new package and updates the time stamp each time you build the package. When you release a package, the time stamp is fixed.

To create a new version of a package:

1 In the package catalog, right-click the package you want to version, then click New Package Version.
2 Set the version of the package higher than the current version. All of the other fields stay the same when you are changing the version.
3 Click Next.
4 Modify the package constraints, if necessary, then click Next.
5 Modify the vendor information, if necessary, then click Next.
6 Review the summary of the new package version, then click Finish.

The new package with the new version number is created in the package catalog. You can now build and release your package. When users install the package, whatever language Designer is using is the language in which the package is installed.

7.14 Localizing Packages

You can localize the prompts and strings included in the custom packages you create. This allows you to provide the same package in multiple languages. Designer generates a localization property file that contains the strings that you can have localized.

NOTE: When you install a package on a driver, Designer displays the package prompts in the language in which Designer is open, if that localization property file is available.

Designer uses specific language codes to determine the language of a property file. For example, if you localize the English-language property file NETQEDIRCFG_2.0.0.20120905154808_en.properties in Spanish, the localized property file name should be NETQEDIRCFG_2.0.0.20120905154808_es.properties.
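The file-name convention above embeds the four-part package version from Section 7.13, so a set of translated files can be checked before it is imported. The following Python code is an added example, not part of the Novell guide or of Designer; it uses the language codes Designer lists for localization, assumes the short name contains no underscore, and every sample file name other than the two quoted above is constructed.

```python
import re
from collections import defaultdict

# Language codes Designer lists for localization (section 7.14), without the
# leading underscore that separates the code from the version.
LANGUAGE_CODES = {"ja", "zh_CN", "es", "fr", "pt_BR", "it", "zh_TW", "de", "en", "nl"}

# [Major].[Minor].[Patch].[Package Creation Time Stamp]
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$", re.ASCII)
# <short name>_<version>_<language code>.properties
# Assumption: the short name itself contains no underscore.
FILENAME = re.compile(r"^(?P<short>[^_]+)_(?P<version>[^_]+)_(?P<lang>.+)\.properties$")


def parse_version(text):
    """Return the version as a 4-tuple of ints so that versions sort in order."""
    match = VERSION.match(text)
    if not match:
        raise ValueError(f"version {text!r} does not have four numeric parts")
    return tuple(int(part) for part in match.groups())


def parse_property_file(filename):
    """Split a property file name into (short name, version tuple, language code)."""
    match = FILENAME.match(filename)
    if not match:
        raise ValueError("name is not <short name>_<version>_<language code>.properties")
    lang = match["lang"]
    if lang not in LANGUAGE_CODES:
        raise ValueError(f"unknown language code _{lang}")
    return match["short"], parse_version(match["version"]), lang


def localization_report(filenames):
    """Group files by package build. Returns (builds, rejected)."""
    builds = defaultdict(set)   # (short name, version) -> language codes found
    rejected = {}               # file name -> reason it was not accepted
    for name in filenames:
        try:
            short, version, lang = parse_property_file(name)
        except ValueError as exc:
            rejected[name] = str(exc)
        else:
            builds[(short, version)].add(lang)
    return dict(builds), rejected


def latest_build(builds, short):
    """Highest version seen for a package short name."""
    return max(version for name, version in builds if name == short)


def missing_languages(builds, short, wanted):
    """Codes in `wanted` that have no file for the latest build of `short`."""
    return set(wanted) - builds[(short, latest_build(builds, short))]


# Constructed sample: the first two names are the guide's example, the rest are made up.
SAMPLE = [
    "NETQEDIRCFG_2.0.0.20120905154808_en.properties",
    "NETQEDIRCFG_2.0.0.20120905154808_es.properties",
    "NETQEDIRCFG_2.0.0.20120905154808_zh_CN.properties",
    "NETQEDIRCFG_2.0.0.20120901101500_fr.properties",     # named for an earlier build
    "NETQEDIRCFG_2.0.0.20120905154808_pt-BR.properties",  # hyphen instead of underscore
    "NETQEDIRCFG_2.0.0.20120905154808.properties",        # language code never added
]

if __name__ == "__main__":
    builds, rejected = localization_report(SAMPLE)
    for (short, version), langs in sorted(builds.items()):
        print(short, ".".join(map(str, version)), sorted(langs))
    for name, reason in rejected.items():
        print("rejected:", name, "-", reason)
    print("missing:", sorted(missing_languages(builds, "NETQEDIRCFG", {"en", "es", "fr"})))
```

Because the time stamp changes on every build until the package is released, a translation named for an earlier build shows up as its own group instead of counting toward the current one.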
The following table provides the localization language codes available in Designer:

  Language: Language Code
  Japanese: _ja
  Chinese Simplified: _zh_CN
  Spanish: _es
  French: _fr
  Portuguese Brazil: _pt_BR
  Italian: _it
  Chinese Traditional: _zh_TW
  German: _de
  English: _en
  Dutch: _nl

To localize a package, complete the following steps:

1 In the Outline view, right-click the package in the package catalog, then click Localization > Generate Property File.
2 Click Browse, then browse to and select the directory where you want to store the property file.
3 Click OK.
4 Repeat Step 1 through Step 3 for each package you want to localize.
5 Take the property files and have them localized.
6 After the property files are localized, add the appropriate language code to the end of the file name.
7 Place the localized property files into a separate localization directory on the machine that is running Designer.
8 Open your project, then right-click the package in the package catalog.
9 Click Localization > Import Property Files.
10 Click Browse, then browse to the directory that contains the localized properties files.
11 Click OK three times.
12 To verify that you correctly localized the package properties, right-click the package and select Properties.
13 Click Languages. The Properties window displays all the languages in which the package is available.
14 Click OK.

You can now re-build and release your package.

7.15 Adding and Configuring Licenses

When developing packages to release to other users or to the public at large, you may need to include a license file with your released and published package. A license file is an HTML file that Designer displays when the user installs a new package. You can either use one license as a default for all custom packages in your Designer environment or add licenses on a package-by-package basis.
You can add a localized license for any of the languages listed in “Localizing Packages” on page 198.

NOTE: You do not need to add a license to a package for that package to function properly.

To add and configure licenses for your custom packages:

1 Obtain an HTML-format license file from the proper authorities in your company.
2 (Optional) If you want to use the license as the default for all packages you create, complete the following steps:
  2a Click Windows > Preferences.
  2b Click Novell > Package Manager > License Defaults.
  2c Click Browse.
  2d Click the browse button and navigate to the location of the license file you want to use as the default license.
  2e Click OK.
  2f Click the Language drop-down menu and select the appropriate language.
  2g Click Import.
  2h Click OK.
3 (Optional) If you want to use the license for a specific package, complete the following steps:
  3a In the Outline view, right-click the package in the package catalog to which you want to add a license and select Properties.
  3b Click License.
  3c Click Browse.
  3d Click the browse button and navigate to the location of the license file you want to use as the default license.
  3e Click OK.
  3f Click the Language drop-down menu and select the appropriate language.
  3g Click Import.
  3h Click OK.

7.16 Releasing and Publishing Packages

After you have finished developing and testing your custom package and localizing any necessary strings or prompts, you can release and publish the package. When you release and publish the package, other users can then use your package in their own Identity Manager environments.

You can publish the packages to a server and have users configure Designer to point to that server for package updates. You can specify a Web server (http://), FTP server (ftp://), or file server, as necessary for your environment. Users can then configure Designer to go to that location to check for package updates.
NOTE: You can only publish a package to a location on the local system on which you are using Designer. Only packages that have been built and released can be published.

WARNING: After you release and publish a package, it becomes read-only. You cannot make any further modifications to the package.

1 In the Outline view, right-click the package in the package catalog you want to release, then click Build.
2 In the Outline view, right-click the package in the package catalog you want to release, then click Build.
3 Click Browse, then browse to and select the directory where the package will be built and released.
4 Click OK.
5 Select Release Package and click OK.
6 Review the summary information, then click OK.
7 Right-click the built and released package, then click Publish. The Publish option is not available until you have released the package.
8 In the Publish Directory field, click Browse, then browse to and select the Web server directory where you want to place the published package.
9 Click OK.
10 In the Build Directory field, click Browse, then browse to and select the directory where you built the package.
11 Click OK twice.

Designer stores the published package in the specified location on your Web, FTP, or file server. You can then configure Designer to check that location when checking for package updates.

To configure Designer to use additional package update sites:

1 Launch Designer.
2 From Designer’s main menu, click Windows > Preferences.
3 Click Novell > Identity Manager and select the Updates tab.
4 Click the plus icon.
5 Specify a name for the Vendor and the URL for the Web, FTP, or file server, then click OK.
6 Click OK to close the Preferences window.
7.17 Best Practices for Package Development

We recommend adhering as closely as possible to the following best practices when developing custom packages:

  Section 7.17.1, “Creating Packages”
  Section 7.17.2, “Naming Packages”
  Section 7.17.3, “Package Versioning”
  Section 7.17.4, “Defining Package Relationships”
  Section 7.17.5, “Documenting Packages”
  Section 7.17.6, “Naming Package Items”
  Section 7.17.7, “Reusing Package Content”

7.17.1 Creating Packages

Do not create objects in a custom base package. A base package should be as lean as possible and should contain only the following:

  Prompts
  Initial settings
  Information about the base package’s relationship to other packages

If you have objects that are used by multiple drivers, store those items in a driver set package. You can create a driver set package, then store any often-reused objects in the package where any driver in the driver set can access the objects.

7.17.2 Naming Packages

The standard package name is separated into two sections: [Package Group] [Package Type]. For example, if you have a base package for MySQL, the package name could be MySQL Base.

Short names must be unique and cannot be longer than 12 characters. The standard short name for a package is separated into three sections of four characters: [Vendor][Target system][What package does]. For example, if you have a base Active Directory package created by NetIQ, the package short name could be NTIQADIRBASE.

7.17.3 Package Versioning

When creating a brand-new package, we recommend you begin numbering the package at version 0.0.1. After you finish creating and testing the package and are ready to release, then you can change the version to 1.0.0.

Before you provide a custom package to a customer or other user, ensure you release the package.
This helps ensure that if the user modifies the package, you do not have two different packages with different content but the same version number. You should release only the package with the most recent time stamp.

7.17.4 Defining Package Relationships

You should configure Package A to be dependent upon another package, Package B, in the following situations:

  One of the policies in Package A is dependent on a package item in Package B. This includes policies, GCVs, notification templates, and ECMAScripts.
  Package A depends on some functionality included in Package B. For example, the Active Directory Password Sync package depends on the common password sync package, which defines all the necessary ECMAScript functionality.

A mandatory feature relationship is a hard-coded dependency. You should avoid using mandatory features where possible. Instead, we recommend you configure any feature packages to be optional and then selected by default, using the selected XML attribute. Users can then deselect a feature if they do not want to install that feature.

For information about configuring mandatory and optional feature packages, see “Configuring Mandatory and Optional Feature Packages” on page 192.

7.17.5 Documenting Packages

When you create a new version of a custom package, you should use the package Readme to provide customers and users information on any changes from previous versions.

To add change information to a package Readme, right-click the version of the package in the Outline view and select Properties. Click Readme, then click Append Package Change Log to include any changes made since the previous version of the package. Click OK to exit.
7.17.6 Naming Package Items

Policies, Entitlements, ECMAScripts, and XSLTs: The standard name for these types of package items consists of four parts separated by hyphens: [Package Short Name]-[Channel Name (Optional)]-[Policy Set and Item Type]-[Item Name]. The item name parts should be used as follows:

  Package Short Name: This part should specify the short name of the package to which the item belongs.
  Channel Name: This part should specify if the item belongs to either the Publisher (pub) or Subscriber (sub) channel. If the item does not belong to either channel, do not include this part in the item name.
  Policy Set and Item Type: The first one or two characters of this part should refer to the policy set to which the item refers, including input transformation (ip), event transformation (et), creation (c), or matching (m). The last character in this part should be the item type, including policy (p), entitlement (e), ECMAScript (c), or XSLT (s).
  Item Name: This part should specify the job done by the package item.

For example, the name of a policy in an eDirectory package that belongs to the Publisher channel could be NOVLEDIRATRK-pub-ctp-WriteAccountsOnAdds.

Filters, Schema Maps, and Global Configuration Values: The standard name for these types of package items consists of two parts separated by hyphens: [Package Short Name]-[Item Type]. The first part should specify the short name of the package to which the item belongs. The second part should specify the type of the item, whether filter (Filter), schema map (smp), or global configuration value (GCVs). For example, the name of a filter in an LDAP package could be NOVLLDAPENT-Filter.

WARNING: You can only specify a name with a maximum number of 64 characters for any object in a package. If you add an object with a name that is 65 or more characters long to a package, you cannot deploy the object.
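The naming rules in Sections 7.17.2 and 7.17.6 can be checked mechanically before a package is built, which catches names that cannot be deployed. The following Python code is an added example, not part of the Novell guide or of Designer; it treats the 12- and 64-character limits as errors, accepts any one- or two-letter policy-set prefix because the guide's list of abbreviations is not exhaustive, and all sample names other than the guide's two examples are constructed.

```python
import re
from collections import Counter

MAX_SHORT_NAME = 12    # section 7.17.2: short names cannot be longer than 12 characters
MAX_OBJECT_NAME = 64   # section 7.17.6: names of 65 or more characters cannot be deployed
CHANNELS = {"pub", "sub"}
TWO_PART_TYPES = {"Filter", "smp", "GCVs"}   # filter, schema map, GCVs
# One or two lowercase letters for the policy set, then the item type:
# policy (p), entitlement (e), ECMAScript (c) or XSLT (s).
SET_AND_TYPE = re.compile(r"^[a-z]{1,2}[pecs]$")


def check_short_name(short):
    """Return a list of problems with a package short name."""
    problems = []
    if not short:
        problems.append("package short name is empty")
    elif len(short) > MAX_SHORT_NAME:
        problems.append(
            f"short name {short!r} has {len(short)} characters (limit {MAX_SHORT_NAME})")
    return problems


def duplicate_short_names(short_names):
    """Short names that occur more than once; they must be unique."""
    counts = Counter(short_names)
    return sorted(name for name, count in counts.items() if count > 1)


def check_item_name(name):
    """Return a list of problems with a package item name (empty if it conforms)."""
    problems = []
    if len(name) > MAX_OBJECT_NAME:
        problems.append(
            f"name has {len(name)} characters (limit {MAX_OBJECT_NAME}); "
            "the object cannot be deployed")
    short, *rest = name.split("-")
    problems += check_short_name(short)
    if len(rest) == 1:
        # Filters, schema maps and GCVs: [Package Short Name]-[Item Type]
        if rest[0] not in TWO_PART_TYPES:
            problems.append(f"item type {rest[0]!r} is not one of {sorted(TWO_PART_TYPES)}")
        return problems
    if rest and rest[0] in CHANNELS:
        rest = rest[1:]            # the channel part is optional
    if len(rest) < 2:
        problems.append(
            "expected [short name]-[channel]-[policy set and item type]-[item name]")
        return problems
    if not SET_AND_TYPE.match(rest[0]):
        problems.append(f"{rest[0]!r} is not a policy-set prefix followed by p, e, c or s")
    if not "-".join(rest[1:]):
        problems.append("item name is empty")
    return problems


def lint_package_items(names):
    """Map each non-conforming name to its problems; conforming names are omitted."""
    report = {}
    for name in names:
        problems = check_item_name(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample: the first two names are the guide's examples, the rest are made up.
SAMPLE_ITEMS = [
    "NOVLEDIRATRK-pub-ctp-WriteAccountsOnAdds",
    "NOVLLDAPENT-Filter",
    "NOVLEDIRATRK-sub-etp-" + "X" * 50,        # 71 characters in total
    "EXAMPLEVENDORPKG-pub-mp-MatchUsers",      # 16-character short name
    "NOVLLDAPENT-pub-policy-AddUser",          # item type spelled out
]

if __name__ == "__main__":
    for name, problems in lint_package_items(SAMPLE_ITEMS).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```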
7.17.7 Reusing Package Content

If a package can be used by all driver sets in the Identity Vault, set the package type as Identity Vault when you create the package. For example, if you create a default notification template package, you must create that package as an Identity Vault package. For more information about creating Identity Vault packages, see “Creating Identity Vault and Driver Set Packages” on page 188.

If a package can be used by all drivers in a particular driver set, set the package type as DriverSet when you create the package. For example, if you create a common settings package, you can create that package as a driver set package. For more information about creating driver set packages, see “Creating Identity Vault and Driver Set Packages” on page 188.

8 Managing the Schema

Designer includes a copy of the base Identity Vault schema, which is stored in the BaseIVSchema.xml file. This file is located in \Designer\plugins\com.novell.core.datatools_x.x.x.x\defs\schema, where x.x.x.x represents the specific Designer build.

Do not directly modify BaseIVSchema.xml. Instead, use Designer to add the schema information from this file into your project. The Manage Schema tool allows you to change the schema as part of the project without modifying the original BaseIVSchema.xml file.

You can add, delete, rename, and modify classes and attributes in the Identity Vault schema. You can import the Identity Vault schema from the production environment, or use the default schema. After modifying the schema, you can deploy it into the production Identity Vault.

WARNING: If you do not have a good understanding of how the Identity Vault schema works, changing the default schema can cause data corruption. If you modify classes or attributes and then deploy the modified schema into a tree where these classes are in use, one of the following problems can occur:

  Those objects can become unknown.
  Synchronization errors can occur.

To understand the basics of the schema, see “Managing the Schema” (http://www.novell.com/documentation/edir88/edir88/data/a4a9bz0.html) in the online documentation for Novell eDirectory 8.8.

If you subscribe to LogicSource, see Novell LogicSource for eDirectory (http://support.novell.com/subscriptions/articles/novell_logicsource.html) for additional information. LogicSource is a subscription-based service that Novell provides to its customers.

  Section 8.1, “Using the Manage Schema Tool”
  Section 8.2, “Creating Classes and Attributes”
  Section 8.3, “Modifying the Schema”
  Section 8.4, “Deploying the Schema into the Identity Vault”
  Section 8.5, “Exporting the Schema to a File”
  Section 8.6, “Importing the Schema”
  Section 8.7, “Managing a Copy of an Application Schema”
  Section 8.8, “Mapping Identity Vault to an LDAP Schema”
  Section 8.9, “Comparing the Schema”

8.1 Using the Manage Schema Tool

To open the Manage Schema tool, right-click an Identity Vault object in the Modeler or Outline View, then select Manage Vault Schema.

If a custom schema in the production environment needs to be tested, you can import the schema into Designer. After you have tested and modified the schema, you can deploy it into the production environment. For information about importing schema, see Section 8.6, “Importing the Schema,” on page 226.

The Manage Schema tool lets you add, delete, rename, and modify classes and attributes in the Identity Vault schema. The class information and the attribute information is organized into separate tabs in the Manage Schema tool.

  Section 8.1.1, “The Classes Tab”
  Section 8.1.2, “The Attributes Tab”

8.1.1 The Classes Tab

From the Classes tab, the Manage Schema tool lets you add, delete, rename, and modify schema classes.
The Classes tab includes the following components:

  “Class List Toolbar”
  “Only Show Changes”
  “ASN1”
  “Flags”
  “Show Inherited Associations”
  “Associations List”

Class List Toolbar

The Classes list includes the following tools:

Table 8-1 Classes List Toolbar

  Icon: Description
  Add Class: Launches the New Class Wizard to create a new Identity Vault class.
  Rename Class: Renames any non-base class. You cannot rename base classes.
  Delete Class: Deletes any non-base class. You cannot delete base classes.
  Schema Notes: Adds descriptive notes to any non-base class. You cannot add notes to base classes.

Only Show Changes

The Only show changes check box is below the Classes list. When it is selected, the Classes list displays only those classes that are not part of the base schema, as defined in BaseIVSchema.xml. If no non-base classes exist, the Classes list is empty. Deselect Only show changes to see a complete list of base and non-base classes in the Identity Vault schema.

ASN1

Specifies the class’s Abstract Syntax Notation number One ID. The ASN1 ID is important if you plan to make the schema definition publicly available. If you register your schema definition with Novell, Novell assigns your class an ASN1 ID. This unique identifier eliminates the possibility of schema collisions caused by duplicate schema names with different definition structures.

For more information about ASN1, visit the International Telecommunications Union Web site (http://www.itu.int/ITU-T/asn1/index.html).

Flags

The Flags options let you modify the class type:

Table 8-2 Supported Class Types

  Flag: Description
  Effective: You can create an instance of the defined object in the Identity Vault.
  Noneffective: Only used to define other classes. You cannot create an object of a noneffective class.
  Auxiliary: Combines attributes to be added to other classes by extending the object class attribute.
  Container: Sets the object to be a container object instead of a leaf object. If it is set to be a container, this object can contain other objects.

Show Inherited Associations

The Show Inherited Associations check box determines whether the Associations list displays all attributes associated with a class. When the check box is selected (the default), the Associations list displays both assigned and inherited attributes. When the check box is deselected, the Associations list displays only assigned attributes.

NOTE: When you select Show Inherited Associations, you cannot delete entries from the Associations list.

Associations List

The Associations list displays the classes and attributes associated with the selected class. The Associations list includes four tabs, each with a toolbar.

Attributes: The Attributes tab displays the attributes associated with the selected class. It also identifies if attributes are mandatory or naming. All unmarked attributes are optional. The Attributes tab includes the following tools:

  Class Field: Description
  Add Naming: Adds a naming attribute association to the selected class.
  Add Mandatory: Adds a mandatory attribute association to the selected class.
  Add Optional: Adds an optional attribute association to the selected class.
  Delete: Deletes an attribute association from the selected class.

Super: The Super tab displays the classes from which the selected class inherits attributes. A class that another class inherits from is called a superclass. A class can inherit attributes from more than one superclass. The superclass that every class inherits from is Top. No class exists above Top. For example, Group inherits directly from Top, but User inherits from Organizational Person. Organizational Person inherits from Person.
Person inherits from ndsLoginProperties, and ndsLoginProperties inherits from Top. The Super tab includes the following tools:

  Class Field: Description
  Add Superclass Association: Adds a superclass association to the selected class.
  Delete: Deletes a superclass association from the selected class.

Sub: The Sub tab displays all classes that inherit from the selected class. If the Sub tab is empty, no classes inherit from the selected class. The Sub tab includes the following tools:

  Class Field: Description
  Add Subclass Association: Adds a subclass association to the selected class.
  Delete: Deletes a subclass association from the selected class.

Containment: The Containment tab displays the container classes that can contain the selected class. For example, if you select the Group class, the Manage Schema tool lists the domain, Organization, and Organizational Unit classes, which can contain the Group class. The Containment tab includes the following tools:

  Class Field: Description
  Add Containment Class Association: Adds a containment class association to the selected class.
  Delete: Deletes a containment class association from the selected class.

8.1.2 The Attributes Tab

From the Attributes tab, the Manage Schema tool lets you add, delete, rename, and modify attributes associated with schema classes.

Figure 8-1 The Attributes Tab on the Manage Schema Tool

The Attributes tab includes the following components:

  “Attributes List Toolbar”
  “Only Show Changes”
  “Flags”
  “ASN1”
  “Syntax”
  “Show Inherited Associations”
  “Associations List”

Attributes List Toolbar

The Attributes list includes the following tools:

  Icon: Description
  Add Attribute: Launches the New Class Wizard to create a new attribute.
  Rename Attribute: Renames the selected non-base attribute. You cannot rename base attributes.
  Delete Class: Deletes the selected non-base attribute. You cannot delete base attributes.
  Schema Notes: Adds descriptive notes to any non-base attribute. You cannot add notes to base classes.

Only Show Changes

The Only show changes check box is below the Attributes list. When this check box is selected, the Attributes list displays only those attributes that are not part of the base schema, as defined in BaseIVSchema.xml. If no non-base attributes exist, the Attributes list is empty. Deselect Only show changes to see a complete list of base and non-base attributes in the Identity Vault schema.

Flags

Attribute flags specify the information that is stored in the attribute and limit the list of acceptable operations that the Identity Vault and eDirectory clients can perform on the attribute.

  Constraint: Description
  Public Read: Allows anyone to read this attribute without the read privilege specifically assigned. You can’t use inheritance masks to prevent an object from reading attributes with this constraint.
  Sync Immediate: When the attribute is modified, it is synchronized immediately to all of the servers in the replica ring.
  Read Only: Only the eDirectory server process can read this attribute.
  String: Allows only string information to be stored in the attribute.
  Write Managed: Explicit rights are granted before this attribute can be changed. In order to modify this attribute, users must have managed rights on the object to change the attribute.
  Hidden: Only the eDirectory server process can read this attribute.
  Single Valued: Allows one value to be stored in the attribute.
  Per Replica: Allows one value to be stored in the attribute.
  Server Read: The attribute can be read by an NCP server object even though the right to read is not inherited or explicitly granted. The NCP server object is always able to read this attribute, regardless of the rights granted in the ACL.
Sized: Limits the range of values supported by the attribute to some subset of those supported by the attribute’s data type. For example, you might restrict an Integer attribute to only accept values between 1 and 100.

ASN1

Specifies the attribute’s Abstract Syntax Notation number One ID. The ASN1 ID is important if you plan to make the schema definition publicly available. If you register your schema definition with Novell, Novell assigns your attribute an ASN1 ID. This unique identifier eliminates the possibility of schema collisions caused by duplicate schema names with different definition structures.

For more information about ASN1, visit the International Telecommunications Union Web site (http://www.itu.int/ITU-T/asn1/index.html).

Syntax

An attribute syntax defines a standard data type that an attribute uses to store its values in the Identity Vault. Each attribute must have a syntax. The following table describes the available syntaxes for Identity Vault attributes.

Back Link: The remoteID field identifies the backlinked object on the server, and the objectName field identifies the server holding an external reference.
Boolean: Two Boolean attributes match for equality if they are both True or both False. True is represented as one (1), and False is represented as zero (0). Any attribute defined by using this syntax is single valued.
Case Exact String: Attributes using this syntax can set size limits. Two Case Exact Strings match for equality when they are of the same length and their corresponding characters are identical.
Case Ignore List: Two Case Ignore Lists match for equality if the number of strings in each is the same, and all corresponding strings match. For two corresponding strings in the list to match, they must be the same length and their corresponding characters must be identical (according to the rules for case ignore strings).
Case Ignore String: Used in attributes whose values are strings and where the case (upper or lower) is ignored.
Class Name: Used to match two class names where the case (upper or lower) is ignored.
Counter: The attribute is single valued. The syntax is similar to Integer, except that any value added to an attribute is arithmetically added to the total, and any value deleted is arithmetically subtracted from the total.
Distinguished Name: The attribute is the distinguished name of the object up to 256 Unicode characters. This is not case sensitive.
EMail Address: Used to match attributes whose values are e-mail addresses and whose lengths and corresponding characters are identical; however, it ignores case (upper and lower). Only the EMail Address attribute uses this syntax.
Facsimile Telephone Number: Facsimile Telephone Number values are matched based on the telephone number field. The rules for matching fax telephone numbers are identical to those for the Case Exact syntax except that all space and hyphen (-) characters are skipped during the comparison. Only the Facsimile Telephone Number attribute uses this syntax.
Hold: This syntax is an accounting quantity, which is an amount tentatively held against a subject’s credit limit, pending completion of a transaction. In the wire format, the Subject field is the distinguished name of the object. The Identity Vault treats the Hold amount similarly to the Counter syntax, with new values added to or subtracted from the base total. If the evaluated Hold amount goes to 0 (zero), the Hold record is deleted.
Integer: The attribute is an integer. Attributes using this syntax can set size limits.
Interval: The Interval value is the number of seconds in a time interval.
Net Address: Stores the network address as a binary string. The string is the literal value of the address. It lists the type of communication protocol used.
Numeric String: Two numeric strings match for equality when they are of the same length and their corresponding characters are identical. It matches the digits 0-9 and spaces if they are contained in the numeric string.
Object ACL: An Object ACL value can protect either an object or an attribute. The protected object is always the one that contains the ACL attribute. If an ACL entry is to apply to the object as a whole, the protected attribute name should be left empty (NULL). If a specific attribute is to be protected, it should be named in the ACL entry.
Octet List: A presented octet list matches a stored list if the presented list is a subset of the stored list. Octet strings are so designated because they are not interpreted by the Directory. They are simply a series of bits with no Unicode implications. The length is the number of bits divided by 8 and rounded to the nearest integer. Thus, each octet represents eight bits of data. The number of data bits is always evenly divisible by 8.
Octet String: For two octet strings to match, they must be the same length and the corresponding bit sequence (octets) must be identical. When comparing two strings, the first pair of octets that do not match are used to determine the order of the strings. Octet strings are not Unicode strings.
Path: The string represented by the path field is compared for equality by using the same rules that Case Exact String uses. That is, two paths match for equality when their lengths and corresponding characters, including case, are identical.
Postal Address: An attribute value for Postal Address is typically composed of selected attributes from the MHS Unformatted Postal O/R Address version 1 according to Recommendation F.401. The value is limited to 6 lines of 30 characters each, including a Postal Country Name.
Normally the information contained in such an address could include a name, street address, city, state or province, postal code, and possibly a postal office box number depending on the specific requirements of the named object.
Printable String: The following characters are in the printable string character set:
A...Z
a...z
0...9
Space Character
' Apostrophe
( Left Parenthesis
) Right Parenthesis
+ Plus Sign
, Comma
- Hyphen
. Period
/ Slash
: Colon
= Equal Sign
? Question Mark
Two printable strings match for equality when they are the same length and their corresponding characters are identical. Case (upper or lower) is significant when comparing printable strings. For example, as printable strings, “Jones” and “JONES” do not match.
Replica Pointer: Each value of the replica pointer syntax is composed of five parts:
The complete name of the server that stores the replica.
A value describing the capabilities of this copy of the partition: master, secondary, read-only, or subordinate reference.
A value indicating the current state of the replica (new, dying, locked, changing state, splitting, joining, or moving).
A number representing the replica. All replicas for a partition have a different number assigned when the replica is created.
A referral that contains a count of the addresses and one or more network addresses that hints at the node where the server probably resides. Because servers are accessible over different protocols, the server might have an address for each supported protocol.
Stream: Streams are files of information. The data stored in a stream file has no syntax enforcement of any kind. It is purely arbitrary data, defined by the application that created and uses it. The attribute is single valued.
Telephone Number: The length of telephone number strings must be between 1 and 32.
Two telephone number strings match for equality when they are of the same length and their corresponding characters are identical. All spaces and hyphen (-) characters are skipped during the comparison.
Time: A time value consists of a whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.
Timestamp: A Timestamp value contains three components:
The wholeSeconds field consists of the whole number of seconds, where zero equals 12:00 midnight, January 1, 1970, UTC.
The replicaNum field identifies the server that created the Timestamp. A replica number is assigned whenever a replica is created on a server.
The eventID field is an integer that orders events occurring within the same whole-second interval. The event number restarts at one for each new second.
Typed Name: The syntax names an Identity Vault object and attaches two numeric values to it:
The level of the attribute indicates the priority.
The interval indicates the frequency of references.
The objectName or Distinguished Name identifies the Identity Vault object referred to by the Typed Name.
Unknown: Unknown syntax is used to stop the loss of data if the Identity Vault database becomes corrupted. When an object becomes Unknown, there is information stored in this attribute that can allow the object to be recovered. This syntax is used by the Identity Vault.

NOTE: The information in this table comes from the Novell LogicSource for eDirectory. LogicSource is a subscription-based service Novell provides to its customers. For more information about LogicSource, see Novell Technical Subscriptions (http://support.novell.com/subscriptions/articles/novell_logicsource.html).

Show Inherited Associations

The Show Inherited Associations check box determines whether the Associations list displays all classes associated with an attribute.
When this check box is selected (the default), the Associations list displays both assigned and inherited classes. When this check box is deselected, the Associations list displays only assigned classes.

The schema allows for inheritance of other attributes from superclasses. If you select this item, all attributes that are associated with a class, whether assigned or inherited, are listed. If you don’t select this item, only the assigned attributes are listed.

Used by Classes lists all classes that use the selected attribute. If you select Show inherited associations, the list includes classes that inherit the attribute.

Associations List

The Associations list displays the classes associated with the selected attribute. The Associations list toolbar lets you make changes to the classes associated with the attribute.

Add as Naming: Associates the selected attribute as a naming attribute to a class.
Add as Mandatory: Associates the selected attribute as a mandatory attribute to a class.
Add Optional: Associates the selected attribute as an optional attribute to a class.
Delete: Deletes the selected classes from the association list.

8.2 Creating Classes and Attributes

Designer allows you to create Identity Vault classes and attributes to fit the needs of your environment. You can test and use the new schema with the Identity Manager drivers in Designer before implementing it in the production environment.

Section 8.2.1, “Creating Identity Vault Classes”
Section 8.2.2, “Creating Identity Vault Attributes”

8.2.1 Creating Identity Vault Classes

“Adding a Class”
“Adding a Note”

Adding a Class

1 In the Modeler, right-click the Identity Vault, then select Manage Vault Schema. The Classes tab lists all classes that are defined in the schema and stored in Designer. For more information about the Classes tab, see Section 8.1.1, “The Classes Tab,” on page 206.
2 Select the Add a Class icon.
3 In the Create Class Name dialog box, specify the class name (for example, EmpInfo) and ASN1 ID (if applicable), then click Next. For more information about ASN1 IDs, see “ASN1” on page 207.
4 In the Class Flags dialog box, select the class type, then click Next. For information about the class type options, see Table 8-2 on page 208.
5 In the Class Inheritance dialog box, select the classes from which the new class inherits, then click Next. Select one or more classes in the Available classes list and use the right-arrow icon to move them to the Inherited classes list. Use the left-arrow icon to remove classes from the Inherited classes list.
6 In the Mandatory Attributes dialog box, select the mandatory attributes, then click Next. The inherited attributes displayed in the Inherited mandatory attributes pane depend upon the classes from which the new class inherits.
7 In the Optional Attributes dialog box, select optional attributes, then click Next. The Inherited optional attributes pane lists default optional inheritances.
8 In the Naming Attributes dialog box, select the naming attributes, then click Next. The Identity Vault schema allows for inheritance from other classes. A class that another class inherits from is called a superclass. A class can inherit attributes from one or more superclasses. Every class inherits from the superclass Top. No class exists above Top. For example, Group inherits directly from Top, but User inherits from Organizational Person. Organizational Person inherits from Person. Person inherits from ndsLoginProperties, and ndsLoginProperties inherits from Top.
9 In the Containment Classes dialog box, select the containment classes for the new class, then click Next. This specifies the types of container classes that can contain the new class.
For example, if you select the class Group, the Manage Schema tool lists Domain, Organization, and Organizational Unit classes as containment classes for the Group class.
10 In the New Class Summary, review the new class information, then click Finish. The new class appears in the Classes pane.
11 Click OK to save changes and close the Manage Schema tool.

Adding a Note

Designer allows you to add notes about any class you create. The information is stored as desc in the .ldif file and as a note in the .sch file.

1 Select the class you want to add a note to, then click the Schema Notes icon.
2 Type the note in the window, then click OK.

8.2.2 Creating Identity Vault Attributes

To create a new Identity Vault attribute:

1 In the Modeler, right-click the Identity Vault, then select Manage Vault Schema.
2 Select the Attributes tab. The Attributes list displays all attributes that are defined in the schema and stored in Designer. You can view all attributes at once, or view the attributes associated with a specific class by selecting a class from the drop-down list. For more information about the components of the Attributes tab, see Section 8.1.2, “The Attributes Tab,” on page 209.
3 Select the Add an Attribute icon.
4 In the Create Attribute Name dialog box, specify the attribute name (for example, EmpID) and an ASN1 ID, if applicable, then click Next. For more information about the ASN1 ID, see “ASN1” on page 212.
5 In the Attribute Syntax dialog box, select the proper attribute syntax, then click Next. An attribute syntax defines a standard data type that an attribute uses to store its values in the Identity Vault. Each attribute must have a syntax. See “Syntax” on page 212 for more information.
6 In the Attribute Flags dialog box, select the flags for the attribute, then click Next.
Attribute flags constrain the information that is stored in the attribute, and the list of acceptable operations that the Identity Vault, and Identity Vault clients, can perform on the attribute. For more information about attribute flags, see “Flags” on page 211.
7 In the New Attribute Summary dialog box, review the new attribute information, then click Finish. The new attribute appears in the Attributes list.
8 Click OK to save changes and close the Manage Schema tool.

8.3 Modifying the Schema

Designer allows you to modify the Identity Vault schema. The following sections describe fields and definitions used in the Manage Schema tool for classes and attributes.

Section 8.3.1, “Deleting Schema Definitions”
Section 8.3.2, “Modifying Classes or Attributes”
Section 8.3.3, “Renaming Schema Definitions”

8.3.1 Deleting Schema Definitions

You can delete an extended schema definition. You cannot delete base schema elements. If you select a base schema class or attribute, the Delete icon is disabled.

1 In the Modeler, right-click an Identity Vault, then select Manage Schema.
2 Select the class or attribute that you want to delete, then click the Delete icon.

8.3.2 Modifying Classes or Attributes

1 In the Modeler, right-click an Identity Vault, then select Manage Vault Schema.
2 Select the class or attribute that you want to modify.
3 Modify the class or attribute as desired. If you select a base schema class or attribute, the following pop-up message appears:
It is best to modify only the extended schema and not the base schema. Modifying the base schema can cause data corruption and synchronization errors.

8.3.3 Renaming Schema Definitions

You can rename extended schema definitions. You cannot rename any base schema classes or attributes. If you select a base schema item, the Rename icon is dimmed, indicating it is unavailable.
“Renaming a Class”
“Renaming an Attribute”

Renaming a Class

1 In the Modeler, right-click an Identity Vault, then select Manage Vault Schema.
2 In the Class page, select a class that you want to rename, then click the Rename Class icon.
3 In the Rename Class dialog box, specify the new class name, then click OK.

Renaming an Attribute

1 In the Modeler, right-click the Identity Vault icon, then select Manage Vault Schema.
2 Select an attribute you want to rename in the Attribute tab, then click the Rename an Attribute icon.
3 In the Rename Attribute dialog box, specify the new attribute name, then click OK.

8.4 Deploying the Schema into the Identity Vault

After the Identity Manager driver is tested with the new schema, you can deploy the modified schema into the Identity Vault.

1 In the Modeler, select the Identity Vault.
2 Select Live > Schema > Deploy.
3 Specify the Host Name. The host name can be the server’s IP address or the DNS name of the server.
4 Specify the User Name, which must be a user with administrative rights to the schema.
5 Specify the user’s password, then click Next.
6 Select the classes and attributes to deploy into the Identity Vault schema, then click Next.
7 Review the summary of classes and attributes to be deployed, then click Finish. If you have selected duplicate attributes or classes, a warning box appears.
8 Select Yes or No, depending upon whether you want to resolve the duplicate classes or attributes.
9 Review errors or warnings, then click OK.
8.5 Exporting the Schema to a File

Section 8.5.1, “Exporting the Schema to a .sch File”
Section 8.5.2, “Exporting the Schema to an LDIF File”

8.5.1 Exporting the Schema to a .sch File

1 In the Modeler, right-click an Identity Vault, then select Export to File > Schema.
2 In the Schema Export Wizard, select .sch format.
3 Specify a filename and location where you want to save the schema file, then click Next. Designer appends the .sch extension when you export the file.
4 In the Select Classes and Attributes for Export page, select the classes and attributes to export to the .sch file.
Export all associations (above the Attributes pane) enables you to associate the selected attributes with the classes that might already exist in the Identity Vault. If you do not select this box, the new attributes that should be associated with the class are not associated. For example, if the Employee Photo attribute is associated with the User class, and Export all associations is not selected, Employee Photo is not associated with the User class.
The classes and attributes that are in Designer are listed in the two columns. All classes and attributes are selected by default. To prevent a class or attribute from being deployed, deselect it. To add all classes and attributes, click Select All. To remove all classes and attributes, click Deselect All.
5 When you have finished selecting classes and attributes, click Finish.

8.5.2 Exporting the Schema to an LDIF File

1 In the Modeler, right-click the Identity Vault, then select Export to File > Schema.
2 In the Schema Export Wizard, select .ldif format.
3 Specify a name and location where you want to save the schema file, then click Next. Designer appends the .ldif extension when you export the file.
4 In the Select Classes and Attributes for Export page, select the classes and attributes to export to the .ldif file.
Export all associations (above the Attributes pane) enables you to associate the selected attributes with the classes that might already exist in the Identity Vault. If you do not select this box, the new attributes that should be associated with the class are not associated. For example, if the Employee Photo attribute is associated with the User class, and Export all associations is not selected, Employee Photo is not associated with the User class.
5 When you have finished selecting classes and attributes, click Finish.
6 Click OK in the warning.
The class and attribute names in Designer are the Identity Vault (eDirectory) names. The names for the classes and attributes in the LDIF file are the LDAP names. The Identity Vault names differ from the LDAP names. Verify that the names listed in the LDAP file are correct for your environment before importing the file. For a list of Identity Vault class and attribute names mapped to LDAP class and attribute names, see Section 8.8, “Mapping Identity Vault to an LDAP Schema,” on page 236.

8.6 Importing the Schema

Designer allows you to import the schema from your production environment to do in-depth testing with the Identity Manager drivers.

Section 8.6.1, “Importing the Schema from the Identity Vault”
Section 8.6.2, “Importing the Schema from a File”

8.6.1 Importing the Schema from the Identity Vault

1 In Designer, select an Identity Vault, then select Live > Schema > Import.
2 In the Select Source for Import dialog box, specify the access information to access the server that has the schema to import, then click Next. Specify the appropriate host name (or IP address), username, and password to access the server.
NOTE: The specified user must have administrative rights to the schema.
3 In the Select Classes and Attributes for Import page, select the classes and attributes to import into the project, then click Next.
Import All Associations: Enables you to associate the selected attributes with the classes that might already exist in Designer. If you do not select this box, the new attributes that should be associated with the class are not associated. For example, if the attribute of Employee Photo is associated with the User class, and you do not select Import all associations, Employee Photo is not associated with the User class.
View Differences: Enables you to view the differences in the schema between the Identity Vault and Designer. When you click View Differences, Designer opens the Schema Differences page, where you can select those differences between the live Identity Vault and the Identity Vault in your project. You can select schema differences individually, or click Select All to import all the schema differences.
4 Click OK to move the selected class and attribute import selections into the Select Classes and Attributes for Import page.
5 Click Next to bring up the Import Summary page, where you can review classes and attributes to import into the project. Then click Finish. If errors occur during the import process, the Import Messages page lists them.
6 On the Import Messages page of the Schema Import Wizard, click OK.
or
If you want to save the differences to a log file, click Save to Log. This brings up the Save As dialog box, where you can choose a filename and directory to store the file in.
7 Click Save, then click OK.

8.6.2 Importing the Schema from a File

When you created an Identity Vault in the Modeler, Designer created a base schema in your project.
If a .sch file or .ldif file has been saved, you can quickly add classes and attributes for your drivers by importing classes and attributes from the saved file.

“Importing the Schema from a .sch File”
“Importing the Schema from an LDIF File”

Importing the Schema from a .sch File

1 In the Modeler, right-click the Identity Vault that will use the imported .sch file.
2 Select Import Schema from File.
3 Select .sch format.
4 Browse to and select the .sch file that you want to use, then click Open.
5 Click Next, then review the .sch file.
6 Make changes if necessary, then click Finish.
7 Click OK. If errors occur, a deployment summary screen lists them.

Importing the Schema from an LDIF File

1 In the Modeler, right-click the Identity Vault that will use the imported .ldif file.
2 Select Import Schema from File.
3 Select .ldif format.
4 Specify, or browse to and select, the .ldif file that you want to use, then click Open.
5 Click Next, then review the .ldif file.
6 Make changes if necessary, then click Finish.
7 If you receive a Warning, read the message and click OK.
The class and attribute names in Designer are the Identity Vault (eDirectory) names. The names for the classes and attributes in the LDIF file are the LDAP names. The Identity Vault names differ from the LDAP names. Verify that the names listed in the LDAP file are correct for your environment before importing the file. For a list of Identity Vault class and attribute names mapped to LDAP class and attribute names, see Section 8.8, “Mapping Identity Vault to an LDAP Schema,” on page 236.
8 Click OK. If errors occur, a deployment summary dialog box lists them.
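The name verification that the LDIF export and import warnings above ask for can be scripted before the file is imported. The following is an added example, not part of this guide or of Designer; it assumes the file carries standard RFC 4512 attributeTypes and objectClasses definitions, and the sample file, its placeholder OIDs, the expected-name list, and the function names are constructed for illustration.

```python
import re

# Constructed sample in RFC 2849 LDIF / RFC 4512 schema form (not a real export).
# The OIDs under 1.1 are placeholders. 'Employee Photo' is deliberately left in
# its Identity Vault spelling to show what the check catches.
SAMPLE_LDIF = """\
version: 1
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.1.2.1.1 NAME 'empID'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.1.2.1.2 NAME 'Employee Photo'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
add: objectClasses
objectClasses: ( 1.1.2.2.1 NAME 'empInfo' SUP top
  STRUCTURAL MUST cn MAY ( empID $ employeePhoto ) )
"""

# RFC 4512 descriptor: a letter followed by letters, digits or hyphens.
LDAP_DESCR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
DEF_RE = re.compile(
    r"^(attributeTypes|objectClasses):\s*\(\s*(\S+)\s+(.*)\)\s*$", re.I)


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def names(body):
    """Return the NAME value(s): either 'x' or ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))", body)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def oid_list(body, keyword):
    """Return the names after MUST or MAY: either x or ( x $ y )."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|(\S+))", body)
    if not m:
        return []
    if m.group(1) is not None:
        return [x.strip() for x in m.group(1).split("$") if x.strip()]
    return [m.group(2)]


def parse_schema(text):
    """Return (attributes, classes), each a dict keyed by LDAP name."""
    attrs, classes = {}, {}
    for line in unfold(text):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind, oid, body = m.group(1).lower(), m.group(2), m.group(3)
        entry = {"oid": oid, "names": names(body),
                 "must": oid_list(body, "MUST"), "may": oid_list(body, "MAY")}
        target = attrs if kind == "attributetypes" else classes
        for name in entry["names"]:
            target[name] = entry
    return attrs, classes


def verify(text, expected_names, known_base=frozenset()):
    """List (kind, detail) findings to resolve before importing the file."""
    attrs, classes = parse_schema(text)
    findings = []
    # 1. Names that cannot be LDAP names (for example, they contain a space).
    for name in list(attrs) + list(classes):
        if not LDAP_DESCR.match(name):
            findings.append(("invalid-ldap-name", name))
    # 2. LDAP names the environment expects but the file does not define.
    present = {n.lower() for n in attrs} | {n.lower() for n in classes}
    for name in sorted(expected_names):
        if name.lower() not in present:
            findings.append(("expected-name-missing", name))
    # 3. Class associations that point at attributes nobody defines.
    defined = {n.lower() for n in attrs} | {n.lower() for n in known_base}
    for cname, cls in classes.items():
        for ref in cls["must"] + cls["may"]:
            if ref.lower() not in defined:
                findings.append(("undefined-attribute", f"{cname} -> {ref}"))
    return findings


if __name__ == "__main__":
    expected = {"empID", "employeePhoto", "empInfo"}
    for kind, detail in verify(SAMPLE_LDIF, expected, known_base={"cn"}):
        print(f"{kind}: {detail}")
```

Pass the base-schema attribute names your target server already defines as known_base; base64-encoded values (attributeTypes:: lines) are not decoded by this sketch.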
8.7 Managing a Copy of an Application Schema

The Identity Manager engine currently uses the application schema for the following:

DirXML Script uses the dn-format/dn-delims to figure out how to parse or convert DNs coming from and going to the application.
To set the multi-valued flag on attributes that are used during the attribute merge process that happens as part of a match, resync, or migrate.

Section 8.7.1, “Editing an Application’s Schema”
Section 8.7.2, “Refreshing the Application Schema”

8.7.1 Editing an Application’s Schema

Designer enables you to manage a copy of the managed system’s schema. You can make changes to a copy of the application schema so that you can test the Identity Manager drivers in Designer. The schema changes cannot be deployed into the live application schema.

1 Right-click the driver connection in Designer, then select Manage Application Schema.
2 Add, rename, or delete the application’s classes or attributes, then click OK.

DN Format: Specifies the separator character used when specifying distinguished names. For example, admin.utah.novell.com.
Classes: Lists all of the classes stored in Designer from the application’s schema.
Add a class: Adds a new class.
Rename class: Renames the selected class.
Delete class: Deletes the selected class.
Refresh application schema: Provides a new copy of the application’s schema. This option is useful if the application schema changes.
Help: Launches the Help documentation for the Manage Schema tool.
Flags
Container: Specifies whether the class is a container.
ASN1: The unique ID of the class.
Attributes of This Class: Lists all of the attributes stored in Designer for the selected class from the application’s schema.
Add an attribute: Adds a new attribute for the selected class.
Rename attribute: Renames the selected attribute.
Delete attribute: Deletes the selected attribute.
Flags: Specifies the details of the attribute. To edit the flags, select an attribute.
Type: Specifies the syntax of the attribute. To view the syntax, select an attribute. To change the syntax, select an option from the drop-down list.

8.7.2 Refreshing the Application Schema

If the application schema changes, you can get a new copy of the application’s schema by refreshing the application schema.

NOTE: An application schema is not automatically imported by default. You can always perform a refresh application schema operation on a particular application after the project has been imported.

1 Right-click the driver connection, then select Live > Refresh Application Schema.
2 Click the browse icon.
3 Browse to and select the server where the driver is installed, then click OK twice.

8.8 Mapping Identity Vault to an LDAP Schema

When you access the Identity Vault through LDAP, the names of classes and attributes might be different than when it is accessed through the standard NCP-based APIs. For more information about how that mapping is performed, see the following sources:

“Class and Attribute Mappings” (http://www.novell.com/documentation/edir88/edir88/data/h0000007.html#a5bwxyz)
NDK: Novell eDirectory Schema Reference (http://developer.novell.com/ndk/doc/ndslib/schm_enu/data/h4q1mn1i.html) at the Novell Developer Support Web page

8.9 Comparing the Schema

Designer allows you to compare schemas from your production environment to do in-depth testing with the Identity Manager drivers. Designer now provides conflict resolution on individual classes and attributes and allows you to view the differences between existing and new values when importing and deploying the schema.

For example, before deploying a schema to an Identity Vault, you can run Compare. Compare shows whether the classes and attributes are equal (no action is necessary) or unequal.
If they are unequal, you can choose not to reconcile them, choose to update them in Designer, or choose to update them in eDirectory.

You can run the Compare feature at any time. If you choose to reconcile the differences between schema in Designer and eDirectory while in Compare, you won’t need to run Import or Deploy.

The following procedure assumes that you want to determine if you have deployed all the changes you made in the Designer schema to the Identity Vault schema.

1 Right-click the driver object in either the Modeler view or in the Outline view. Select Live > Schema > Compare to bring up the Designer/eDirectory Schema Compare window.
2 In the Select a class or attribute portion of the window, you see the listed classes and attributes. Select an individual class or an attribute to see the actual differences displayed in the Text Compare portion of the window.
The plus icon at the right side of the Select a class or attribute allows you to expand all elements in the parent object, and the minus icon collapses all of the elements. The ? icon displays the Summary/Compare dialog box help.
3 By default, the Compare window only displays values that are different between eDirectory and Designer. To view all the classes and attributes, select Show all from the pull-down menu. Your choices are Show differences, Show deletes, and Show all.
4 Check to see the status of the values that are shown. Values that are equal are shown as Equal on the Compare Status line in the Information portion of the Compare window.
The overlay image displayed in the Compare Status entry identifies objects or attributes that need reconciliation.
  The following table describes what you see in the Compare Status line and the overlays that you can see:

  Compare Status: Description
  Equal: The selected classes or attributes are the same in eDirectory and Designer.
  Unequal: The value of the selected class or an attribute, or one or more classes or attributes, are different in eDirectory and Designer.
  Not Deployed: The selected class or an attribute is not deployed to eDirectory.
  Not Imported: The selected class or an attribute does not exist in Designer.

5 Under the Information portion of the Compare window, select how you want to reconcile the differences between the Source and Destination. If Compare Status shows Unequal, you have three choices:
  To do nothing, keep the default value of Do Not Reconcile.
  To update the driver in Designer so that it contains the same information as the driver in eDirectory, select Update Designer.
  To update the driver in eDirectory to reflect the changes you have just made to the driver in Designer, select Update eDirectory.
  The green check box in the bottom corner of the icons shows all the child objects that are being reconciled with the parent object. If you select the parent object to perform the update, then all the child objects under the parent reflect that choice and you see the Reconciled By Parent icon selected. If you do not choose a parent object, you can reconcile each child object individually. You can also see a small Designer icon and an eDirectory icon, showing how objects are being reconciled.
6 Check to see the Text Compare values. The Text Compare values displayed in the bottom portion of the Designer/eDirectory Schema Compare window show the difference at the child object level. The Text Compare dialog box uses the Eclipse Compare editor to compare classes and attributes that contain XML data, such as policy data, driver filters, or configuration data. The differences in the code are highlighted in blue.
7 After you view the differences, click Reconcile to perform the reconciliation actions for each object in the tree, or click Close to close the Designer/eDirectory Object Schema Compare window.

9 Managing the Flow of Data

Designer allows you to manage how the data flows between the Identity Vault and the managed systems. You can see how the data flows between all of the managed systems, make changes as needed, create reports about the data, and view the flow of passwords between the systems.

The Dataflow view and the Dataflow editor manage the data. The Dataflow view displays the flow of data in the Modeler per driver. The Dataflow editor displays a more granular view.

Section 9.1, “The Dataflow View”
Section 9.2, “The Dataflow Editor”
Section 9.3, “Adding Items in the Dataflow Editor”
Section 9.4, “Removing Items from the Dataflow Editor”
Section 9.5, “Editing Items”
Section 9.6, “Generating HTML Reports”
Section 9.7, “Integrating Passwords”

9.1 The Dataflow View

The Dataflow view displays a toolbar in the upper right corner of the view. For information on the icons in this toolbar, see “The Dataflow View” in Understanding Designer for Identity Manager.

The following figure illustrates the Dataflow view. You can use it to control the flow of data between the Identity Vault and managed systems. The Modeler displays the dataflow.

Figure 9-1 The Dataflow View

Section 9.1.1, “Accessing the Dataflow View”
Section 9.1.2, “Flow Arrows in the Modeler”
Section 9.1.3, “Viewing How Attributes Are Synchronized”
Section 9.1.4, “Changing the Data Flow”

9.1.1 Accessing the Dataflow View

If you have closed the Dataflow view, you can access it by selecting Window > Show View > Dataflow.
Figure 9-2 Selecting the Dataflow View

If the Dataflow view is blank and no project is displayed in the Modeler:

1 Expand a project in the Project view.
2 Open the project by double-clicking System Model.
  Objects and icons appear in the Dataflow view.

If you want to change how the data flows from the Modeler:

1 Right-click a driver or application in the Modeler.
2 Select Dataflow, then select how you want the data flow to change.

9.1.2 Flow Arrows in the Modeler

When the Dataflow view opens, it automatically reads the filters and shows the classes and attributes. If a filter with classes and attributes doesn’t exist, you can create one.

Figure 9-3 Flow Arrows in the Modeler

As you select a class or attribute in the Dataflow list, the appropriate driver lines are highlighted in red in the Modeler. Icons enable you to see Sync, Notify, Reset, and Ignore filter settings all at the same time.

Table 9-1 Dataflow Icons

Icon: Description
Green arrow: the Publisher channel is synchronized.
Orange arrow: the Subscriber channel is synchronized.
Bell: the attribute is set to Notify.
Reset arrow: the attribute is set to Reset.
No icon: The attribute is set to Ignore.

The color coding matches the Dataflow icons in the Filter editor and the Dataflow editor.

9.1.3 Viewing How Attributes Are Synchronized

Figure 9-4 Show Effective Flows

To view whether attributes are synchronized or whether they will be notified, select Show effective flows. When you select this check box, the synchronize arrows don’t show if the parent class isn’t set to synchronize. Therefore, you view an accurate diagram of actual flows.

However, if you want to view how attributes are configured to synchronize, regardless of the parent class, deselect Show effective flows.
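The effective-flow rule above, worked through on a filter, as an added example that is not Designer's or Novell's own code. It lists the attributes whose configured sync or notify setting is cancelled by the parent class, and the attributes that actually synchronize on each channel. The sample filter is constructed, and its element and attribute names (filter-class, filter-attr, publisher, subscriber) are an assumption about the driver filter XML, which this guide does not show.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are an assumption about the
# driver filter XML; this guide does not show that layout.
SAMPLE_FILTER = """
<filter>
  <filter-class class-name="User" publisher="sync" subscriber="ignore">
    <filter-attr attr-name="Surname" publisher="sync" subscriber="sync"/>
    <filter-attr attr-name="Telephone Number" publisher="notify" subscriber="ignore"/>
    <filter-attr attr-name="Description" publisher="reset"/>
  </filter-class>
  <filter-class class-name="Group" publisher="ignore" subscriber="sync">
    <filter-attr attr-name="Member" publisher="sync" subscriber="sync"/>
  </filter-class>
</filter>
"""

CHANNELS = ("publisher", "subscriber")


def effective_flows(filter_xml):
    """Return one row per (class, attribute, channel) with the configured
    setting and the effective one.

    Rule taken from the text: an attribute set to sync or notify does not
    flow when its parent class is not set to synchronize on that channel.
    A channel that is missing from the XML has no flow at all.
    """
    rows = []
    root = ET.fromstring(filter_xml.strip())
    for cls in root.iter("filter-class"):
        for attr in cls.findall("filter-attr"):
            for channel in CHANNELS:
                configured = attr.get(channel)  # None: not defined in the XML
                class_syncs = cls.get(channel) == "sync"
                if configured is None:
                    effective = "absent"
                elif configured in ("sync", "notify") and not class_syncs:
                    effective = "blocked"
                else:
                    # The text states the rule for sync and notify only, so
                    # ignore and reset are reported as configured.
                    effective = configured
                rows.append({
                    "class": cls.get("class-name"),
                    "attribute": attr.get("attr-name"),
                    "channel": channel,
                    "configured": configured,
                    "effective": effective,
                })
    return rows


def blocked(rows):
    """Attributes configured to flow that the parent class cancels."""
    return [(r["class"], r["attribute"], r["channel"])
            for r in rows if r["effective"] == "blocked"]


def effective_sync(rows, channel):
    """Attributes that really synchronize on one channel, for data-exposure review."""
    return [(r["class"], r["attribute"])
            for r in rows
            if r["channel"] == channel and r["effective"] == "sync"]


if __name__ == "__main__":
    for row in effective_flows(SAMPLE_FILTER):
        print("{class:6} {attribute:18} {channel:10} "
              "configured={configured!s:7} effective={effective}".format(**row))
```

Reviewing the effective_sync list for the Subscriber channel shows which Identity Vault attributes actually reach the application, which is the list to check against what that application is supposed to receive.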
The synchronize arrows indicate which items are synchronized. If you select an attribute that can't synchronize (whether or not Show effective flows is selected), you see a Blocked warning in the upper left. This warning indicates that this attribute can’t be synchronized or notified because the parent class isn’t synchronized.

Figure 9-5 The Blocked Text and Icon

To view an explanation, mouse over the Warning icon.

9.1.4 Changing the Data Flow

You can change how the data flows for classes and attributes from the Dataflow view.

To change the flow for a class:

1 Select a class in the Dataflow view.
2 Right-click a driver line in the Modeler.
3 Select Dataflow.
4 Select the option to change the data flow for the class.

To change the flow for an attribute:

1 Select an attribute in the Dataflow view.
2 Right-click a driver line in the Modeler.
3 Select Dataflow.
4 Select the option to change the data flow for the attribute.

9.2 The Dataflow Editor

Figure 9-6 The Dataflow Editor

The Dataflow editor enables you to do the following:

Use filters to display how data flows between all systems and Identity Vaults.
View how passwords flow from each server.
Generate reports of the data.

When object additions, deletions, changes, and selections occur, the Dataflow editor synchronizes with the Modeler and the Outline view.

To access the Dataflow editor, click the Dataflow tab.

To adjust the area for the Identity Vaults, move the slider bar. This setting persists and is restored the next time you run the editor.
Section 9.2.1, “Filtering Views”
Section 9.2.2, “Filtering Identity Vaults and Applications”
Section 9.2.3, “Pinning the Identity Vault”
Section 9.2.4, “Expanding and Collapsing the Identity Vault”
Section 9.2.5, “Switching to an eDirectory Tree Icon”
Section 9.2.6, “Viewing an eDir-to-eDir Driver”
Section 9.2.7, “Keyboard Support”

9.2.1 Filtering Views

By default, the Dataflow editor shows all dataflows. The View drop-down list (in the upper left corner of the Dataflow editor, not in the Dataflow view) enables you to view notification, synchronization, reset, or Password Sync information.

These filtered views allow less editing than the main view: only what is necessary in that filter. For example, you can’t add attributes, vaults, or applications, because by default they wouldn’t appear in the filter.

Figure 9-7 Options to Filter Views in the Dataflow View

“Using the All Filters View”
“Synchronizing Passwords”

Using the All Filters View

If you are in the All Filters view, you can further filter with the Attributes list. Because the Dataflow editor provides non-filter attributes, you can choose to view regular filter-based attributes, non-filter attributes, or both.

Figure 9-8 Options in the All Filters View

Synchronizing Passwords

The Password Sync view enables you to see and edit how all passwords flow in the project. Designer displays the information on a per-server basis and shows how passwords flow among all of the applications.

Figure 9-9 The Password Flow

To edit the password flow:

1 Select Password Sync in the View filter.
2 Double-click the flow arrow.
  You can also right-click, then select Password Synchronization.
3 Edit the password synchronization options.
  For more information about password synchronization, see the Identity Manager 4.0.2 Password Management Guide.
4 Click OK.

9.2.2 Filtering Identity Vaults and Applications

You can select the Identity Vaults and applications that you want to view in the editor.

1 In the Dataflow editor, click the Filter View icon.
2 Select Enabled.

The Identity Vaults and applications that you select here are included in the HTML reports. For more information, see Section 9.6, “Generating HTML Reports.”

You can scroll and resize the dialog box. Also, you can interact with the Dataflow editor in the background, in any mode. This is convenient if you want to scroll a different section into view while this dialog box is up.

9.2.3 Pinning the Identity Vault

To change the scope of the editor to show a single Identity Vault, right-click the vault, then select Pin Vault to Top Header Row.

Figure 9-10 Pinning an Identity Vault

With a medium or large-sized project, the dataflow table can contain hundreds of rows and thousands of items. If you have multiple vaults and want to narrow the scope to more easily edit a vault without excessive scrolling, you might want to pin a vault.

When an Identity Vault is pinned, a pin icon displays in the upper right corner.

Figure 9-11 A Pinned Identity Vault

To unpin the vault, right-click the Identity Vault, then select Unpin Vault from Top Header Row.

9.2.4 Expanding and Collapsing the Identity Vault

“Expanding an Identity Vault”
“Expanding All Identity Vaults”
“Expanding Classes”

Expanding an Identity Vault

When the editor first loads, all vaults are expanded at the top level by default.
To collapse or expand the list of classes and attributes in an Identity Vault, do one of the following:

Click the - or + icon below the Identity Vault icon.

Figure 9-12 Icons to Expand or Collapse the List of Classes

Select the Identity Vault, then press the Right-arrow key to expand the information, or press the Left-arrow key to collapse the information.

Expanding All Identity Vaults

To expand or collapse the list of classes and attributes for all Identity Vaults, click Expand all Identity Vaults or Collapse all Identity Vaults from the drop-down on the toolbar.

Figure 9-13 Select to Expand or Collapse All Identity Vaults

Expanding Classes

To view all attributes in a class, select the class, then press the Right-arrow key. To collapse the list of attributes, press the Left-arrow key.

To view all classes and attributes in an Identity Vault, right-click the Identity Vault icon, then select Expand Vault.

To list just classes in an Identity Vault, right-click the Identity Vault, then select Collapse Vault.

Figure 9-14 Menu Options to Expand an Identity Vault

9.2.5 Switching to an eDirectory Tree Icon

To switch from an Identity Vault icon to an eDirectory tree icon, right-click the Identity Vault, then select Change to eDirectory Tree.

Figure 9-15 Changing to an eDirectory Tree

9.2.6 Viewing an eDir-to-eDir Driver

You can easily view both ends of an eDir-to-eDir connection so that you can configure the dataflows on both sides. Designer automatically detects the two eDirectory applications and aligns them in the same table column. A red line connects them.
Figure 9-16 An eDir-to-eDir Connection

9.2.7 Keyboard Support

You can navigate by using the Up-arrow, Down-arrow, Left-arrow, and Right-arrow keys as well as PageUp, PageDown, Home, and End.

In addition, you can navigate from one Identity Vault to another by clicking the up-arrow or down-arrow on the toolbar.

Figure 9-17 Navigation Icons

9.3 Adding Items in the Dataflow Editor

Section 9.3.1, “Adding an Identity Vault in the Dataflow Editor”
Section 9.3.2, “Adding a Driver in the Dataflow Editor”
Section 9.3.3, “Adding an Application in the Dataflow Editor”
Section 9.3.4, “Adding Classes and Attributes”
Section 9.3.5, “Adding Non-Filter Attributes”

9.3.1 Adding an Identity Vault in the Dataflow Editor

Figure 9-18 The Dataflow Editor’s Toolbar

To add an Identity Vault, click the Add Identity Vault icon on the toolbar.

To configure the Identity Vault, double-click it.

To delete an Identity Vault, select it, then press the Delete key.

9.3.2 Adding a Driver in the Dataflow Editor

Figure 9-19 An Identity Vault in the Dataflow Editor

To add a driver while you are in the Dataflow editor, right-click an Identity Vault, then select Add App/Driver.

To delete an Identity Vault or driver, select it, then press the Delete key.

9.3.3 Adding an Application in the Dataflow Editor

1 On the toolbar, click the Add Application icon.
2 Browse to and select the driver set that you want this application to connect to, then click OK.
3 Select the driver you want to create, then click OK.

Designer creates a skeleton of the driver. It does not launch the Driver Configuration Wizard. If you want to configure the driver, right-click the connection icon in the Modeler, then select Run Configuration Wizard.
9.3.4 Adding Classes and Attributes

You can add classes and attributes to the dataflow.

To add a class:

1 Right-click an Identity Vault, then select Add Classes.
2 Select the class that you want to add, then click OK.
  If you want to add more than one class, press Ctrl and select the classes.

To add an attribute:

1 Right-click a class, then select Add Attributes.
2 Select the attribute that you want to add, then click OK.
  If you want to add more than one attribute, press Ctrl and select the attributes.

9.3.5 Adding Non-Filter Attributes

The Dataflow editor provides non-filter attributes. By default, all classes and attributes in the Dataflow editor come directly from all of the filter policies of the drivers. However, in production environments, it is common to cause data to flow a certain way directly in your Policy Script code, XSLT, or in external code that you call out to.

Usually, these non-filter attributes aren’t defined in a policy filter (unless you’re describing “augmented” processing) and aren’t in the schema map. This is because they are generated outside of normal driver operations and you need them in the schema mapping rule only if the engine processes them. Normally, non-filter attributes are operated on in the Publisher Command Transformation policy set or the Subscriber Output Transformation policy set.

The Dataflow editor lets you add the non-filter attributes to the table for documentation purposes so that you can capture the attributes and have an accurate picture of your actual enterprise dataflows.

To add a non-filter attribute:

1 Right-click the class or attribute name, then select Add Non-Filter Attribute.
2 Specify the name of the attribute or class, or click Browse, then browse to and select the attribute or class.
3 Click OK.
4 Select where the flow of the attribute or class is defined.
  In Policy: The dataflow is defined in a policy script or an XSLT style sheet.
  In External Service: The dataflow is defined in a Java RMI call to the driver.
5 Click OK.

If the non-filter attribute is defined by a policy, a small P is added to the icon. This icon distinguishes a non-filter attribute from a regular filter attribute.

Figure 9-20 A Non-Filter Attribute

If the attribute is defined by an external service, a small E is added to the icon.

Figure 9-21 A Non-Filter External Attribute

9.4 Removing Items from the Dataflow Editor

Section 9.4.1, “Removing an Identity Vault”
Section 9.4.2, “Removing Classes and Attributes”

9.4.1 Removing an Identity Vault

To delete an Identity Vault, select it, then press the Delete key.

9.4.2 Removing Classes and Attributes

To delete a class or an attribute, select the class or attribute name, then press the Delete key.

You can delete multiple objects in one Delete operation. Select the objects that you want to remove from the Dataflow editor, then press the Delete key.

9.5 Editing Items

Section 9.5.1, “Editing within the Dataflow Editor”
Section 9.5.2, “Editing Non-Filter Attributes”
Section 9.5.3, “Managing Schema”
Section 9.5.4, “Removing a Flow”
Section 9.5.5, “Changing How Data Flows”

9.5.1 Editing within the Dataflow Editor

As a convenience, you can edit many items within the Dataflow editor. This capability turns the Dataflow editor into a full project editor that allows you to have all the tools you need in one place. You can edit Identity Vault properties, classes, attributes, drivers, and applications.
“Identity Vault Properties”
“Classes and Attributes”
“Drivers”
“Applications”

Identity Vault Properties

Access the Identity Vault’s properties pages by doing one of the following:

Double-click the Identity Vault.
Select the Identity Vault, then press Enter.
Right-click the Identity Vault, then select Properties.

Figure 9-22 The Properties Option

Classes and Attributes

Launch the Manage Schema tool by doing one of the following:

Double-click the class or attribute.
Select the class or attribute, then press Enter.
Right-click the class or attribute, then select Edit Schema.

This tool enables you to modify classes and attributes. For more information, see Chapter 8, “Managing the Schema.”

Figure 9-23 The Edit Schema Option

Drivers

To access the driver’s property pages, click the driver name below the application name.

Figure 9-24 Location of a Driver Name

Applications

Access the properties pages for the application by doing one of the following:

Double-click the application.
Select the application, then press Enter.
Right-click the application, then select Properties.

Figure 9-25 The Properties Option for an Application

9.5.2 Editing Non-Filter Attributes

The directional flow of these attributes is edited in the same way as other attributes. Right-click the arrows and select Publish, Subscribe, Ignore, Reset, or Remove from Filter.

Reset means that you have the value reset under certain conditions. The attribute might be in a policy filter, but in addition, you might have some manual logic that resets the value. Occasionally, resets by manual logic occur in production environments.

9.5.3 Managing Schema

To import, deploy, and edit the schema in the Dataflow editor, right-click an Identity Vault, then select the option that you want.
All schema changes made outside of this editor are synchronized. For more information, see Chapter 8, “Managing the Schema.”

Figure 9-26 The Manage Schema Option

9.5.4 Removing a Flow

If a particular flow (Publisher or Subscriber channel) is not defined in the policy filter’s XML, a red X replaces the Publisher or Subscriber channel arrow. This means that it’s not in the policy and there will be no flow.

This scenario is essentially the same as an Ignore Flow icon, which is an empty white arrow. However, the distinction is useful so that you know what is actually in your policy’s XML.

To remove the flow from the XML:

1 Right-click the Publisher or Subscriber channel icon.
2 Select Remove from Filter.

If a class or attribute is marked to be removed on both channels and nothing references it, Designer removes it from the Dataflow editor’s table.

9.5.5 Changing How Data Flows

To change the way data flows, right-click the arrow that displays the dataflow, then select the option that you want.

When you right-click the arrow that displays the dataflow for an attribute, you are presented with five options, as shown below:

Ignore
Notify
Subscribe/Publish
Reset
Remove from Filter

The functionality for these options changes depending on whether you have selected the left (Publisher) channel or the right (Subscriber) channel.

For the Publisher Channel:

Ignore - App’s Changes: Instructs the Identity Vault to ignore changes made in the application.
Notify - Vault of App’s Changes: Notifies the Identity Vault about changes made in the application.
Publish - App’s Changes to Vault: Transfers the changes made to the application into the Identity Vault.
Reset - Changes in Vault Not Made by App: Resets the changes in the Identity Vault that were not made by the application.
Remove from Filter: Removes the flow from the XML.
For the Subscriber Channel:

Figure 9-27 Subscriber Channel Options

Ignore - Vault’s Changes: Instructs the application to ignore changes made in the Identity Vault.
Notify - App of Vault’s Changes: Notifies the application about changes made in the Identity Vault.
Subscribe - Vault’s Changes to App: Transfers the changes made to the Identity Vault into the application.
Reset - Changes in the App Not Made by Vault: Resets the changes in the application that were not made by the Identity Vault.
Remove from Filter: Removes the flow from the XML.

When you right-click the arrow that displays the dataflow for a class, you are presented with three options, as shown below:

Figure 9-28 Changing the Publisher Flow

Ignore
Publish/Subscribe
Remove from Filter

The Reset and Notify options are only available when you select an application.

9.6 Generating HTML Reports

Designer allows you to generate HTML reports about your project.

1 Click the Save Current View to HTML icon or the Save All Views to HTML icon.
  Save Current View to HTML generates a report for the current view. Save All Views to HTML generates nine reports.
  The HTML files are automatically named. The descriptive names tell what the report is.
  All images that you need to support the HTML document are copied to an icons subdirectory where the HTML is saved. The process includes all of your custom application icons.
  You are prompted to save the project to disk. Saving is necessary to make sure that all of your icon information is in a state where it can be successfully copied.
2 Click Yes to save the project.
3 Browse to and select the location where you want to save the reports, then click OK.
  The directory you select for saving is stored in Designer’s memory and becomes the default directory the next time you save.
4 Click OK in the Information dialog box that indicates where the report is saved.
If you pin an Identity Vault and then generate a report, the report is for that Identity Vault. The Identity Vault’s name is included in the HTML name.

Figure 9-29 A Pinned Identity Vault

If the Dataflow editor has multiple applications, Designer provides a scroll bar to scroll through all the applications within the Dataflow editor.

Figure 9-30 Continuation Rows in a Report

9.7 Integrating Passwords

If a driver is synchronizing passwords (in at least one direction), a small password-field icon appears under the driver icon. This icon enables you to know where passwords are being synchronized.

To toggle this icon on or off:

1 Select Window > Preferences > Identity Manager > Modeler.
2 Click the Display tab.
3 Select or deselect Show password icons in Developer mode.

If you mouse over the password icon in Developer mode, a helpful tip explains how your passwords are flowing for each server involved in the flow.

To configure the flow of password synchronization:

1 In Dataflow mode, select Password Sync in the View drop-down box.
2 Double-click the flow arrow.
3 Select options, then click OK.

10 Creating and Managing Policies

Policies enable you to customize the flow of information into and out of Novell eDirectory for a particular environment. For example, one company might use the inetorgperson as the main user class, and another company might use User. To handle this, a policy is created that tells the Metadirectory engine what a user is called in each system. Whenever operations affecting users are passed between managed systems, Identity Manager applies the policy that makes this change.

Policies also create new objects, update attribute values, make schema transformations, define matching criteria, maintain Novell Identity Manager associations, and many other things.
For more information about policies, refer to the following:

Understanding Policies for Identity Manager 4.0.2
Policies in Designer 4.0.2
Novell Credential Provisioning for Identity Manager 4.0.2
Identity Manager 4.0.2 DTD Reference

11 Setting Up E-Mail Notification Templates

Notification templates enable you to customize and send e-mail messages that users receive when triggers occur.

Section 11.1, “Viewing Notification Templates”
Section 11.2, “Editing a Notification Template”
Section 11.3, “Adding and Deploying a Notification Template”
Section 11.4, “Policy Builder and Notification Templates”
Section 11.5, “Configuring the E-Mail Server”

11.1 Viewing Notification Templates

Designer provides default notification templates, which you can view or edit. To view the templates:

1 Select an Identity Vault in the Modeler.
2 In the Outline view, scroll to and right-click the Default Notification Collection for that Identity Vault.
3 Select Add Default Templates if you want to add the default English version of the notification templates to the Identity Vault.
  If Default Notification Collection isn’t expanded, expand it. The expanded tree shows the default notification templates.
  The install program no longer installs all of the notification templates with Designer.
4 Select Add All Templates to update all of the notification templates that are installed with Designer to the Identity Vault. You can then use the Filter option in the Outline view to filter out the notification templates that you don’t want to see.
  To view and edit the internationalized template files, click the Filter icon in the Outline view, then select languages that you want to see.
5 If you want a certain template to have all of the localized templates, right-click that template and select Add Localized Templates.
  All of the localized templates are added for the selected template. Use the Filter icon to select the languages you want to see.
6 Use the templates in the Default Notification Collection to send e-mail notifications to users in the Identity Vault. You can customize these templates with your own text.
  Right-click a template (for example, Forgot Hint), then select Edit. You can also open a template by double-clicking it.

Template Name: Description
Attestation Completed Notification: Sends an e-mail notification when the workflow process for your attestation request is completed.
Attestation Notification: Sends an e-mail notification when a new compliance activity is submitted that requires your attention.
Availability: Sends an e-mail notification when an availability setting has been created or modified.
Default Job Notification: Sends an e-mail notification to report results of the job as configured in the template. Contains the name of a job and any status information from the job.
Delegate: Sends an e-mail notification when a delegate assignment has been created or modified.
Forgot Hint: Sends an e-mail notification when a user forgets a password and requests a hint.
Forgot Password: Sends an e-mail notification when a user incorrectly enters a password.
Password Reset Fail: Sends an e-mail notification when a user tries to reset a password but doesn’t meet password policy requirements.
Password Set Fail: Sends an e-mail notification when a user’s password cannot be set in the managed system.
Password Sync Fail: Sends an e-mail notification when a user’s password fails to synchronize.
Provisioning Approval Completed Notification: Sends an e-mail notification when a workflow is completed. Indicates the overall workflow and provisioning decision.
Provisioning Notification: Sends an e-mail notification to a user or manager for approval. Indicates that action is required from the user or manager.
Provisioning Notification Activity: Sends an e-mail notification to a user or manager about the activity of the provisioning notification.
Provisioning Reminder: Sends an e-mail notification when a user activity time out expires. Reminds the user or manager to act.
Proxy: Sends an e-mail notification when a proxy assignment has been created or modified.
Resource Request Approval Completed Notification: Sends an e-mail notification when a resource request has been approved.
Resource Request Notification: Sends an e-mail notification when a resource has been requested.
Role Request Approval Completed Notification: Sends an e-mail notification to a user or manager that the approval process is completed.
Role Request Notification: Sends an e-mail notification to a user or manager that a new role request requires approval.
Send Info: Sends information via an e-mail.

11.2 Editing a Notification Template

1 Select an Identity Vault.
2 In the Outline view, right-click a template (for example, Forgot Hint), then select Edit.
3 Select a format, specify a subject, add tokens, customize the message that users receive, then save and close the template.

Section 11.2.1, “Selecting a Format”
Section 11.2.2, “Specifying a Subject”
Section 11.2.3, “Working with Tokens”
Section 11.2.4, “Attaching an Image”
Section 11.2.5, “Editing a Template Message”

11.2.1 Selecting a Format

Select whether users receive this e-mail notification in HTML or text format.

Figure 11-1 Options for Sending the Notification

11.2.2 Specifying a Subject

The subject is the text that a user views in an e-mail’s Subject heading or field.
You can change the text in the Subject field. You can also use tokens here. The text or tokens don’t determine the name of the template.

Figure 11-2 The Subject Field

11.2.3 Working with Tokens

A token is a variable or replacement tag for items such as the user’s name. Tokens help you personalize the message to the user.

Figure 11-3 The Tokens Dialog Box

Each template includes default tokens. For example, the Forgot Password e-mail template for sending a password to the user includes the default replacement tag named $CurrentPassword$.

You can define other tokens for use in the body of the message or in the subject. Your ability to do so depends on the application that uses the templates. To find out how to define additional replacement tags, see the documentation for the application.

For example, Identity Manager Password Synchronization can’t use a replacement tag that you create unless the policy in the driver configuration that uses the template also contains the definition of the replacement tag.

Adding a Token

1 Click New.
2 In the Create a Replacement Tag dialog box, type a name for the token.
  You don’t need to type the $ characters. Designer provides them.
3 Type a description for the token.
4 Click OK.

When you add a token, the tag is automatically added to the XML source for the template. After you add a tag, you can edit it only in the XML Source view.

Removing a Token

To delete a token, select it, then click Remove. Make sure that you don’t remove tags that are needed for the body of the message.

Inserting a Token

1 In the template, click where you want to insert a token.
2 Select a token.
3 Click Insert.
  Designer inserts the selected token into the e-mail template.
11.2.4 Attaching an Image

You can attach images to the e-mail template by using the following steps:

1 Ensure that you place the image files in the correct directories depending on your platform:
  UNIX/Linux: Place the images in the /opt/novell/eDirectory/lib/dirxml/rules/manualtask/mt_files directory.
  Windows: Place the images in the <eDirectory installation folder>\NDS\mt_files directory.
2 In your e-mail template, use the following syntax to attach images:

    <p>
    <img ALT="your image" SRC="cid:orchid.gif" height="29" width="80"/>
    </p>

  where orchid is the name of the image. Because the file name is case sensitive, the name of the file (image) must exactly match the file name in the directory.
3 Restart the system after placing your image files in the correct directories for your platform. For example, if an e-mail has already been sent, you need to restart ndsd or eDirectory for it to use the new image.
  UNIX/Linux: Restart ndsd.
  Windows: Restart eDirectory.
4 Click OK to save the template.

11.2.5 Editing a Template Message

The text of the e-mail message appears in the Message field. Customize the text so that it suits your environment. Use tokens to personalize the e-mail message.

Figure 11-4 The Message Edit Box

1 In the E-Mail Template Editor, place your cursor in the Message edit box, then press Ctrl+Spacebar.
2 Select an HTML tag by double-clicking a tag in the drop-down list.
3 Format text by using the toolbar.
4 Preview the text by clicking the Preview icon.
5 Save the template by selecting File > Save.
  You can also click the Save icon. If the code isn’t valid, you can’t save the template.
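The token rules in Section 11.2.3 and the image rules in Section 11.2.4 can be checked before a template is deployed. The following Python lint is an added example, not part of the Novell guide or of Designer; the token names $UserGivenName$ and $HelpDesk$, the declared-token list supplied by the caller, the token character set, and the temporary folder standing in for mt_files are assumptions.

```python
"""Pre-deployment lint for an e-mail notification template (added example)."""
import os
import re
import tempfile
from html.parser import HTMLParser

# $Name$ replacement tags, as in the guide's $CurrentPassword$ example.
# The allowed character set is an assumption, not taken from the guide.
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_-]*)\$")


class _CidCollector(HTMLParser):
    """Collects file names referenced as SRC="cid:<name>" on <img> tags."""

    def __init__(self):
        super().__init__()
        self.cids = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value and value.lower().startswith("cid:"):
                self.cids.append(value[4:])


def used_tokens(subject, body):
    """Token names that appear in the subject or the message body."""
    return set(TOKEN_RE.findall(subject)) | set(TOKEN_RE.findall(body))


def cid_references(body):
    """Image file names the message body attaches through cid: URLs."""
    parser = _CidCollector()
    parser.feed(body)
    parser.close()
    return parser.cids


def lint_template(subject, body, declared_tokens, image_dir):
    """Return a sorted list of (severity, message) findings."""
    findings = []
    used = used_tokens(subject, body)
    # A tag the application does not define is never replaced.
    for name in used - set(declared_tokens):
        findings.append(("error", f"token ${name}$ is used but not declared"))
    # Password-bearing tags put a credential into the mail itself.
    for name in used:
        if "password" in name.lower():
            findings.append(("warn", f"token ${name}$ puts a password in the e-mail"))
    # Image names are case sensitive and must match the directory exactly.
    on_disk = set(os.listdir(image_dir))
    by_lower = {f.lower(): f for f in on_disk}
    for ref in cid_references(body):
        if ref in on_disk:
            continue
        near = by_lower.get(ref.lower())
        if near:
            findings.append(("error", f"image {ref} differs in case from {near}"))
        else:
            findings.append(("error", f"image {ref} not found in {image_dir}"))
    return sorted(findings)


def demo():
    """Run the lint on a constructed template and a constructed image folder."""
    subject = "Password reminder for $UserGivenName$"
    body = (
        "<p>Hello $UserGivenName$, your password is $CurrentPassword$.</p>\n"
        "<p>Questions? Contact $HelpDesk$.</p>\n"
        '<p><img alt="logo" src="cid:Orchid.gif" height="29" width="80"/></p>\n'
        '<p><img alt="banner" src="cid:banner.png"/></p>'
    )
    declared = ["UserGivenName", "CurrentPassword"]  # $HelpDesk$ is missing
    with tempfile.TemporaryDirectory() as image_dir:
        # Stand-in for the mt_files directory; holds one lowercase file name.
        open(os.path.join(image_dir, "orchid.gif"), "wb").close()
        return lint_template(subject, body, declared, image_dir)


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

Point image_dir at a copy of the platform's mt_files directory and pass the tokens listed in the template's Tokens dialog box as declared_tokens.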
11.3 Adding and Deploying a Notification Template

Section 11.3.1, “Adding a Notification Template,” on page 285
Section 11.3.2, “Importing a Notification Template,” on page 286
Section 11.3.3, “Deploying a Notification Template,” on page 287

11.3.1 Adding a Notification Template

1 Select an Identity Vault in the Modeler.
2 In the Outline view, scroll to Default Notification Collection for that Identity Vault.
3 Right-click, then select New Template.
4 Name the template.
5 If you want to automatically open the template editor so that you can view or edit the template, select Open the editor after creating a template.
6 Click OK.
7 Customize the text by editing the template message.
8 Click Save on the Designer toolbar.

11.3.2 Importing a Notification Template

To import a notification template from a file:

1 In the Outline view, scroll to Default Notification Collection for an Identity Vault.
2 Right-click, then select Import Template from File.
3 Browse to and select the template.
4 Customize the text for your environment by editing the template message.

To import a notification template as a live operation:

1 In the Outline view, scroll to Default Notification Collection for an Identity Vault.
2 Right-click, then select Live > Import.
3 Specify the host name (IP address) for the tree.
4 To authenticate, specify the user name and password.
5 Browse to and select the template, then click OK > Continue > Import > OK.
6 Customize the text for your environment by editing the template message.

11.3.3 Deploying a Notification Template

After you add or import a template, deploy it.

1 Right-click the template.
2 Select Live > Deploy.

11.4 Policy Builder and Notification Templates

For information on using the Policy Builder interface to send e-mail notifications, see “Send Email” and “Send Email from Template” in the Policies in Designer 4.0.2 guide.
11.5 Configuring the E-Mail Server

The e-mail server sends notification e-mails from applications that use the Notification Configuration templates.

1 Select an Identity Vault in the Modeler.
2 In the Outline view, scroll to Default Notification Collection for that Identity Vault.
3 Right-click, then select Properties.
4 Specify the host name, From, and authentication settings for your SMTP e-mail server.
  Host Name: The host name of your SMTP e-mail server. This can also be an IP address.
  From: When a user opens the e-mail, the text that you enter in the From edit box is displayed in the From field of the user’s e-mail heading. Depending on your mail server settings, the text in this field might need to match a valid sender in the system (for example, [email protected] instead of descriptive text such as The Password Administrator). Such a match allows the mail server to do reverse lookups or authentication.
  Authenticate to the server by using credentials: Use this option for a secured SMTP server. If your server requires authentication before sending e-mail, specify the username and password here.
  Although the authentication information is specified here, you might also need to specify it separately for the application that is sending the notification e-mails. For example, Forgotten Password e-mail notifications can be sent by using the authentication information you specify here. However, notification e-mails for Identity Manager Password Synchronization require the authentication information to be provided in the driver policy that is used to send notification e-mails.
5 Click OK.
12 Importing into Designer

Designer’s Import feature allows you to import the following items into defined projects:

  Projects from the File System or from the Identity Vault
  Libraries
  Driver sets
  Individual drivers
  Packages
  Channels
  Policies
  Schemas

Depending on a project’s complexity, importing can save you time in building and rebuilding drivers, channels, packages, and policies. For instance, after a driver, channel, package, or policy is built, you can import it into new projects and modify it to run in the new environment instead of starting from scratch on each new driver, channel, package, or policy.

You import projects, drivers, channels, schemas, and policies from an existing eDirectory tree running the Identity Manager system (Identity Vault), or from an exported project located in the file system. You import packages from the file system or the auto update feature in Designer.

In Designer, use the Deploy feature to save drivers, channels, and policies into a Metadirectory server in an Identity Vault. Use the Export feature to save projects, drivers, channels, and policies to a local, removable, or network directory.

What you are able to import depends on where you are within a project. To import an eDirectory object, you must have sufficient rights to access the eDirectory tree that is associated with the Identity Vault you are designing. Each of the following sections explains how to import each component of your Identity Manager solution.

During import, Designer does not import anything that is encrypted. This includes named passwords, e-mail notifications, existing certificates, and the Secure Login administrator password.
Section 12.1, “Importing Projects,” on page 290
Section 12.2, “Importing a Library, a Driver Set, or a Driver from the Identity Vault,” on page 305
Section 12.3, “Importing Packages,” on page 317
Section 12.4, “Importing a Driver Configuration File,” on page 318
Section 12.5, “Importing Channels, Policies, and Schema Items from the Identity Vault,” on page 323
Section 12.6, “Using the Compare Feature When Importing,” on page 335
Section 12.7, “Error Messages and Solutions,” on page 343

12.1 Importing Projects

Designer’s Import feature allows you to import projects from the File System or from an Identity Vault. When you initially open the Designer utility and close the Welcome view, you have no projects that are currently available. For information on creating a new project, see Chapter 2, “Creating a Project,” on page 23. For information on importing projects, see the following sections:

Section 12.1.1, “Importing a Project from the Identity Vault,” on page 290
Section 12.1.2, “Importing a Project from the File System,” on page 297
Section 12.1.3, “Importing a Project from iManager,” on page 300
Section 12.1.4, “Importing a Project from a Version Control Server,” on page 302

12.1.1 Importing a Project from the Identity Vault

1 In Designer, click File > Import.
  or
  Click Import Project From Identity Vault from the No Projects Available page in the Projects view, then skip to Step 3.
2 From the Import window, select Identity Manager Project (From Identity Vault) under the Designer for Identity Manager heading. Click Next.
  The Import window allows selections under a number of tabs, including Designer for Identity Manager. Selections under the Designer for Identity Manager tab include:
  Importing an existing Identity Manager project from the file system (the project must have a valid .project file).
  Importing an existing Identity Manager project from an Identity Vault.
  Importing an existing Identity Manager project from an iManager export file (Driver Set or Driver).
  Importing an existing Identity Manager project from a version control server.
3 In the Project (From Identity Vault) window, give the new project a name. Select where the contents of this project are to reside (for Windows workstations, the default is C:\Documents and Settings\Username\designer_workspace). Click Next.
4 In the Import Project From Identity Vault window, specify the information needed to authenticate to the Identity Vault (eDirectory) of your choosing.
  In the Host Name field, you can use either a tree name or the IP address of the Identity Vault.
5 Fill in the User Name and the Password fields.
  If you select Save Password, Designer remembers your password. Otherwise, the next time you close Designer, you need to re-authenticate when you import, deploy, or compare Designer objects with the Identity Vault. You can use history drop-down lists to choose a previously entered value from a list.
6 Click Next.
7 In the Import Project From Identity Vault page, the Identity Vault Schema and the Default Notification Collection are added as import options. If you do not want to import one of these options, select the option and click the Remove icon.
8 In the Import Project From Identity Vault page, click the Browse icon to select the object you want to import within eDirectory. Click OK to return to the Import Project From Identity Vault page.
9 If there are drivers you do not want to import with the driver set, select the driver and click the Remove icon.
  You can import multiple driver sets during the import operation. Just browse to the various objects that you want to import and add them to the list.
  Driver sets that are not associated with a server have a red minus sign in the lower right portion of the driver set icon.
  These driver sets need a server association in order to be deployed.
10 (Conditional) You can also import policy libraries. Select the Browse icon to browse to and select the library you want to import, then click OK to add the library to the Import Project from Identity Vault page.
11 After you have selected the objects you want to import, click Finish.
  When the driver set imports, you see the Import Results window showing you if there were any problems with the import procedure.
  Errors during the import procedure are displayed with a red icon, and you see an Error description that is related to the operation results. If you have multiple errors, selecting an error displays the error’s description in the Details > Description field. See “Error Messages and Solutions” on page 609 for further information.
12 To close the Import Results page, click OK.
13 (Conditional) If you are importing more than one eDirectory driver, select the eDirectory driver in the Objects to Import window and click the eDir-to-eDir icon in the Import Project From Identity Vault page to display the Connect to Identity Vault window, where you can import the associated driver in the other eDirectory trees.
  Novell recommends that you import both eDirectory drivers, especially if you have SSL/TLS enabled.
14 Provide the username and password, then click Continue. (Skip this step if you only want to import one eDirectory driver.)
15 (Conditional) If you specify the username and password and select Continue to import both eDirectory drivers, you then see a Browse Identity Vault window where you select the corresponding eDirectory driver. Select the driver and click Finish.
  You are returned to the Project (From Identity Vault) window, where you can select or deselect the drivers, allowing you to choose only the drivers in a driver set that you want to import.
16 Click Finish.
  By having both drivers available, you can view the complete data flow between the two eDirectory drivers, as well as the other drivers you selected.

12.1.2 Importing a Project from the File System

Earlier Designer workspaces are not compatible with Designer 3.0 and above. Designer stores projects and configuration information in a workspace. These workspaces are not compatible from one version of Designer to another. You need to point Designer 4 to a new workspace, and not to a workspace used by a previous version of Designer.

If you have Designer 2.x or 3.0 Milestone projects, import the projects into Designer 4.0.2 (File > Import > Project from File System). Be sure Copy project into the workspace is selected. Importing the project runs the Converter Wizard, making the project compatible with Designer 4.0.2 architecture and placing it under your designated Designer 4.0.2 workspace directory (designer_workspace by default).

1 In Designer, click File > Import.
  or
  Click Import from file system from the No Projects Available page in the Projects view, then skip to Step 3.
2 From the Import window, select Designer for Identity Manager > Project (From File System), then click Next.
3 From the Import Existing Projects page, select between the root directory or archive file. The default is Select root directory. Browse to the directory containing valid projects.
4 Select the directory where the exported project is saved with the .project extension.
  There must also be a valid project file in the selected directory, or the project does not display in the Projects window. If you have multiple projects you want to import and they are under the same directory, select the directory above the projects and click OK.
5 In the Import Existing Projects window, select or deselect any of the projects, then click Finish.
6 Make sure the Copy Project into Workspace option is selected to copy the contents of the project into the workstation’s local workspace. (Do not use previous Designer workspaces for Designer 3.0 and above.)
  You can also import multiple projects at the same time by specifying the base or root directory where you want to start your search. The Import Wizard searches the selected directory and all of its subdirectories for valid Designer projects to import. You can then select the projects that you want to import into Designer by using the check boxes.
  If a project with the same name already exists in Designer, you can’t import that project and you won’t be able to select it from the list.
7 (Optional) If you have selected multiple projects, select whether to open these projects’ directories in the Model view. Designer won’t open all of the projects that are imported from the file system unless you select Open projects after imports.
8 (Optional) You can also import projects from ZIP or TAR archives. Click the Select archive file selection and select the directory where the exported project is saved with the .zip or .tar extension. The whole archive is searched for valid Designer projects to import.
  If the projects you are importing need to be converted to this version of Designer, you will see the Project Converter window. See Section 18.1, “Converting Earlier Projects,” on page 465 for more information.
9 In the Import Existing Projects window, you can select or deselect any of the projects, then click Finish.

12.1.3 Importing a Project from iManager

You can create a new Designer project by selecting an iManager .xml export file. These include driver set and driver exports as well as Novell sample configuration files.
1 Click File > Import > Designer for Identity Manager > Project (From iManager Export File), then continue with
  or
  Click Project (From iManager Export File) from the No Projects Available view, then skip to Step 3.
2 Type a project name. Use the default designer_workspace directory for the project, or type or browse to the directory where you want to import the project. Click Next.
3 Select the directory where the exported project is saved with the .xml extension, click Open, then click Finish.
4 When you are importing a driver set or driver into a project, you are asked if you want to validate the values within the drivers you are importing. If you do not want to validate the driver configuration at this time, click No. Otherwise, click Yes and continue importing the project.
  You can only import the driver functionality that you saved to the .xml file. This file does not contain default driver configurations unless that is what you have saved.
5 Fill in the information requested in all of the Import Information Requested windows that you see for each driver in the driver set, or for each driver selected.
  The Import Information Requested windows contain different driver information from each selected driver.
6 Click Next or Finish (depending on the number of pages presented).
7 Click OK to close the Import Configuration Results window.

12.1.4 Importing a Project from a Version Control Server

The Import dialog box lists projects and enables you to select projects that you want to import. There are a number of ways to access the Import dialog box in order to import projects from a version control server, and this example covers one of those methods.

Figure 12-1 The Import Wizard

1 Select File > Import.
  or
  If no projects are available, select Import from version control from the Project view.
2 Click Project (From Version Control) > Next.
3 Type a URL in the Version Control Server URL field, then press Enter. For example:
  https://sun.provo.novell.com/svn
  svn://123.123.131.120/trunk
4 Provide authentication to the Subversion server if required.
  Depending on the type of security you have set up, you might need to supply SSH authentication, SSL client certificate authentication, or basic HTTP authentication.
5 Select a project or projects.
  Version control searches for projects three levels deep from the directory specified in the Version Control Server URL entry.
6 Click Finish. At the Version Control page that shows you the version control server status, click OK.
  The projects are imported into Designer and are added to the Project view and the Version Control view.

12.2 Importing a Library, a Driver Set, or a Driver from the Identity Vault

To import an eDirectory object, you must have access to the eDirectory tree that is associated with the Identity Vault.

Section 12.2.1, “Associating a Server to the Identity Vault,” on page 305
Section 12.2.2, “Importing a Library from the Identity Vault,” on page 307
Section 12.2.3, “Importing a Driver Set from the Identity Vault,” on page 308
Section 12.2.4, “Importing a Driver from the Identity Vault,” on page 312

12.2.1 Associating a Server to the Identity Vault

When you add a new Identity Vault to a project, you see the Add Server Association window, where you can accept the default server, specify a server, or browse to a server. The import and deploy features use the server association for later identification. To do this:

1 In the Modeler view, drag an Identity Vault icon from the Palette to the Modeler view to bring up the Add Server Association window.
2 Type the server’s DN context in the Server DN field, or click Browse.
3 If you select Browse, fill in the appropriate host name, user name, and password in the Credentials to Identity Vault window. Click OK.
4 In the Browse for Server Object window, select the server you want to associate with this driver set and click OK.
  In the Add Server Association window, you also see the Identity Manager version displayed. This is important when importing and exporting driver sets and drivers, because you must match driver sets and drivers to the correct Identity Manager version.
5 Click the For version information or to change the default, click here entry for more information.
6 Click OK to close the Add Server Association window and add an Identity Vault to your Modeler view.

12.2.2 Importing a Library from the Identity Vault

1 Right-click the Identity Vault in the Modeler view, then click Live > Import.
2 (Conditional) If you have not yet provided authentication information, specify it now. In the Identity Vault Credentials window, fill in the host name, the user name and password information, then click OK.
  Use the drop-down lists if they apply to your connection and user information. The Save Password option allows Designer to keep password information for future connections to this Identity Vault. Otherwise, you will see the Identity Vault Credentials page the next time you open Designer.
3 On the Import from Identity Vault page, browse to the Library object by clicking the Browse icon.
4 Select the Library object and click OK.
  The library is added to the Import from Identity Vault page.
5 Click Continue, then click Import to import the library.
6 On the Import Results page, click OK.

12.2.3 Importing a Driver Set from the Identity Vault

To import an Identity Manager Driver Set object (and all contained drivers) into an Identity Vault object in the Modeler view:

1 Right-click the Identity Vault in the Modeler view, then click Live > Import.
2 (Conditional) If the Driver Set that comes with the Identity Vault creation is empty, you are asked if you want to remove the default Driver Set icon from the selected Identity Vault. Click Yes.
3 (Conditional) If you filled out the authentication information when you initially created an Identity Vault icon in the Modeler view, go to the Properties view under the Project view. Specify authentication credentials for the selected Identity Vault, then skip to Step 5.
4 (Conditional) If you have not yet provided authentication information, specify it now. In the Identity Vault Credentials window, fill in the host name, the user name and password information, then click OK.
  Use the drop-down lists if they apply to your connection and user information. The Save Password option allows Designer to keep password information for future connections to this Identity Vault. Otherwise, you will see the Identity Vault Credentials window the next time you open Designer.
5 In the Import from Identity Vault window, browse to the driver set by clicking the Browse icon.
6 Select the driver set you want to import, click OK to place the driver set in the Objects to Import list in the Import Driver Set from eDirectory window.
  You can then deselect the drivers you do not want to import by deselecting the box next to the driver name. If you chose the wrong driver set, select the driver set and click Remove. Otherwise, click Continue.
  You can import multiple driver sets during the import operation. Just browse to the various objects that you want to import and add them to the Objects to Import list.
  Driver sets that are not associated with a server have a red minus in the lower right portion of the driver set icon. These driver sets need a server association in order to be deployed.
  An error displays if the application can’t authenticate to the eDirectory tree you have selected.
7 (Conditional) If you are importing one or more eDirectory drivers, select the eDirectory driver in the Objects to Import window, then click the eDir-to-eDir icon.
8 (Conditional) If you fill in the user name and password and click Continue to import both eDirectory drivers, you then see a Browse Identity Vault window where you select the corresponding eDirectory driver. Select the driver and click OK.
  You are returned to the Import Driver Sets from eDirectory window, where you can select or deselect the drivers, allowing you to choose only the drivers in a driver set that you want to import.
9 Click Continue.
  This brings up the Import Summary window, where you can see all of the Driver Set objects that are being imported into Designer. This summary uses the same format as the Compare window (see Section 12.6, “Using the Compare Feature When Importing,” on page 335 for further information).
10 Click Import to continue.
11 (Optional) As the import operation progresses, you are asked to associate a server with the Identity Vault. Select the option that best suits your needs.
  Allow default server to be created: Creates a dummy server with global configuration values and other elements that are associated with this project until you specify an actual server for the project. Make sure you have designated a correct Identity Vault server when you deploy the driver set.
  Specify a server: Brings up the credentials screen, allowing you to designate a host server, a user name, and password for the Identity Vault server for this project.
  Don’t create a server now: Skips all associations for this project. You need to fill in the host information before you deploy this driver set.
  Remember selection - don’t prompt again: Continues to use whatever server option you choose the next time Designer needs to associate a server with an Identity Vault.
12 After you decide your plan of action and select the option you want, click OK to continue the import procedure.
13 Click Finish.
  If you selected in Step 7 to connect eDirectory drivers, you can view the complete data flow between the two eDirectory drivers, as well as the other drivers you selected.
  When the driver set imports, you see the Import Results window, showing you if there were any problems with the import procedure.
  Errors during the import procedure are displayed with a red icon, and you see an Error description that is related to the operation results. If you have multiple errors, selecting an error displays the error’s description in the Details > Description field. See “Error Messages and Solutions” on page 609 for further information.
14 Click OK to finish the import process.

12.2.4 Importing a Driver from the Identity Vault

To import an Identity Manager Driver object (and all contained channels and policies) into a driver set:

1 Select an Identity Vault in the Modeler view.
  If you have added a new Identity Vault to a project, see Section 12.2.1, “Associating a Server to the Identity Vault,” on page 305 first, then return to Step 2.
2 Verify that the authentication credentials in the Properties view for the Identity Vault are correct.
3 Right-click a Driver Set object within the Identity Vault, then select Live > Import.
4 (Conditional) If the Identity Vault is not authenticated to the eDirectory tree, you see the Identity Vault Credentials window asking for the hostname, username and password. Provide the information, then click Next.
5 In the Import from Identity Vault window, click Browse to select a Driver object from the Identity Vault.
6 Click OK to place the driver in the Import from Identity Vault window, then click Continue to install the driver and bring up the Import Configuration window.
7 In the Import Configuration window, select Configure to edit the driver configuration, or select Close to close the Import Configuration window.
  Most drivers cannot run with default values. You need to modify the driver configuration values and parameters so the drivers can work properly in your network environment.
  You also see the Import Configuration window when you drag an application from the Palette to a driver set in the Modeler view. When you select Configure, the driver’s Property page with the Driver Configuration option is displayed.
8 Fill in the required values and parameters that are necessary to have the driver run in your network environment.
  The two required options for every driver are Driver Configuration and GCVs. However, because each driver contains different values and parameters, you need to consult the driver manual for specific values. Go to the Identity Manager Drivers Web site (http://www.novell.com/documentation/idm402drivers/index.html), then select the manual for the driver you are configuring.
9 (Conditional) If you are importing one or more eDirectory drivers, Novell recommends that you connect to those eDirectory drivers during the import process. Select the eDirectory driver in the Objects to Import window, then click the eDir-to-eDir icon.
10 (Conditional) Fill in the user name and password for the other eDirectory tree and select Continue to import both eDirectory drivers.
11 (Conditional) In the Browse Identity Vault window, select the corresponding eDirectory driver, then select the driver and click OK.
  You are returned to the Import Drivers from eDirectory window.
   When the driver imports, you see the Import Results window showing you if there were any problems with the import procedure.
   Errors during the import procedure are displayed with a red icon, and you see an Error description that is related to the operation results. If you have multiple errors, selecting an error displays the error’s description in the Details > Description field. See “Error Messages and Solutions” on page 609 for further information.
12 Click OK to finish the import process.

12.3 Importing Packages

In Designer 4.0 and later, packages replace driver configuration files. You can still import driver configuration files, but from this point on, new content is delivered in packages.

Designer is the only tool that allows you to manage packages. iManager can detect if a driver is created with packages. However, if you make changes to the driver in iManager, Designer cannot track these changes. If you install an updated package, there is a possibility your changes can be overwritten. It is a best practice to always make driver configuration changes through Designer and not iManager.

Packages must be imported into the package catalog, then the packages are installed on the Identity Vault, driver sets, or drivers. The package catalog is an object that is only displayed in Designer and it holds all of the packages that are installed into a Designer project.

To import packages into the package catalog:

1 Select the package catalog object in the Outline view, then right-click and select Import Package.
2 Select a package from the list.
   or
   Click Browse, then browse to and select a package on the file system.
   If all of the available packages are imported, the list is empty.
3 Click OK to import the package.

After the package is imported, you must install the package into the Designer project on an Identity Vault, driver set or driver.
To install a package, see Section 6.2.1, “Installing Packages,” on page 151.

12.4 Importing a Driver Configuration File

In Designer 4.0 and later, packages replace driver configuration files; however, you can still import driver configuration files. Any new functionality for the drivers is contained in packages, not in the configuration files.

You can import an Identity Manager driver configuration file into the selected driver set for a project by using the Import from Configuration File option, which imports an XML configuration file that can be a driver set, an individual driver, driver channels, or policies.

If you import a driver configuration file that contains only a policy, Designer creates the framework for parent containment objects, such as a channel, a driver, or a driver set. Such parent containment objects do not contain attributes; they are only the framework of the channel, driver, or driver set from where the policy came.

You can import a configuration from a file in three ways:

Section 12.4.1, “Importing an Identity Manager Project from the File System,” on page 318
Section 12.4.2, “Importing a Driver Configuration from a File in the Modeler View,” on page 318
Section 12.4.3, “Importing from a File through the Outline View,” on page 320

12.4.1 Importing an Identity Manager Project from the File System

The Import an Identity Manager Project from File System option allows you to import an Identity Manager project that has been saved to the file system through the Export > File System option. The project must have a valid .project file and accompanying file structure for the project to completely import. For information about importing a project, see Section 12.1.2, “Importing a Project from the File System,” on page 297.

12.4.2 Importing a Driver Configuration from a File in the Modeler View

You can import a previously exported configuration file or one of the sample .xml driver configurations that are included with Designer.

To import a configuration file into a driver set:

1 Select an Identity Vault in the Modeler view.
2 Right-click a Driver Set object within the Identity Vault, then select Import from Configuration File.
3 In the Import a Driver Configuration File window, type the name of the configuration file, or browse to and select the .xml file.
   If you use the Browse feature, by default Designer takes you to the following directories:
   For Windows: C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.idm_<version><time stamp>\defs\driver_configs\current\drivername
   For Linux: /home/username/designer/eclipse/plugins/com.novell.idm_<version><time stamp>/defs/driver_configs/current/drivername
   You can use one of the .xml configuration files in a selected directory or you can browse to a directory containing an exported configuration file.
4 Click OK.
5 Complete the import by filling out the Import Information Requested prompts for the driver configuration file.
   The template varies, depending on the driver configuration file selected and the state in which the file was saved. Saved files might only prompt for a driver name, but need other values in order to work in a network environment.
   The pre-Identity Manager 3.6 Driver Configuration Wizard adds different policies to the driver, depending on which options you select when you initially import the driver. You cannot change an option that you did not initially choose, because the information is not included in the driver. You must delete the driver and create a new one through the Driver Configuration Wizard.
   WARNING: Do not use the Driver Configuration Wizard on the .xml file that you are importing.
   The Wizard brings up the Import Information Request forms, but these forms are pulled from the default driver that comes with Designer and will overwrite the driver you are importing. Use this method only if you need to start over.
   The Identity Manager 3.6 Driver Configuration Wizard adds all policies when the driver is imported, and they are not lost if you did not select an option in the Import Information Request forms. If this is a driver configuration file that came with Identity Manager 3.6, you can change the driver’s values through the Properties page.
   If the driver needs other values and parameters in addition to what appears on the Import Information Requested template, close the template, right-click the driver line in the Modeler view and select Properties > Driver Configuration and GCVs to fill in what you need. You might also need to fill in GCVs at the driver set level.
   Because each driver contains different values and parameters, consult the driver manual that matches the installed driver at the Identity Manager Drivers Web site (http://www.novell.com/documentation/idm402drivers/index.html). Then select the manual for the driver you are configuring.
6 Click OK, then click OK in the Import Configuration Results window.
7 You might have imported a single driver or a collection of drivers (a driver set). If you are importing a driver set, repeat Step 4 through Step 5 for each driver in the driver set.
8 When you are finished with each imported driver, click OK at the Import Configuration Results window.

12.4.3 Importing from a File through the Outline View

You can use the Outline View to import driver sets, drivers, channels, and policy configuration files from the file system. The following example demonstrates how to import a driver, but the procedure also works for the other files.

1 Double-click the System Model icon under a project name in the Project view. This brings up the project model in the Modeler view.
2 Click the Outline tab.
3 Right-click the Driver Set object and select Import from Configuration File.
4 In the Import a Driver Configuration File window, type the name of the configuration file, or browse to and select the .xml file.
   When a driver is exported, Designer uses the name of the driver set or driver object, to which you can add dates. In this example, it is an Active Directory driver that was exported June 26th and is now being imported.
5 Click Open, then click OK to import the configuration file.

To import a policy into a driver set:

1 In the Outline view, click the Driver Set icon, then click Import from Configuration File.
2 In the Import a Driver Configuration File window, browse to or specify the XML configuration filename.
3 Click Open, then click Save to import the selected policy.
   Each policy is saved to its own .xml file. By default, Designer uses the name of the policy or rule selected.
4 In the Perform Prompt Validation window, you are asked if you want to fill in required driver information.
   If you answer Yes, you see the Import Information Requested dialog box as described in Step 5 and you must provide values to all of the required fields. If you answer No, you still see the Import Information Requested dialog box, but it isn’t necessary to fill in the required information.
5 Complete the import by filling out the Import Information forms for the driver configuration file as necessary.
   Policies are saved with a skeleton driver configuration structure, which designates where the policy resides. In this case, the driver already existed and the imported policy was initially written for that driver.
6 Click OK.
   When the policy or rule is imported, you see the Import Configuration Results window, which indicates if there were any problems with the import procedure.
   Errors during the import procedure are displayed with a red icon, and you see an Error description that is related to the operation results. If you have multiple errors, selecting an error displays the error’s description in the Details > Description field. See “Error Messages and Solutions” on page 609 for further information.
7 Click OK to finish the import process and close the Import Configuration Results window.

12.5 Importing Channels, Policies, and Schema Items from the Identity Vault

A channel is a combination of rules and policies, and Designer allows you to import a channel instead of the entire driver. The Subscriber and Publisher channels describe the direction in which the information flows. The Subscriber channel takes the event from the Identity Vault and sends that event to the receiving system (application, database, CSV file, etc.). The Publisher channel takes the event from the application, database, CSV file, etc., and sends that event to the Identity Vault. The Subscriber and Publisher channels act independently; actions in one are not affected by what happens in the other.

Section 12.5.1, “Importing a Channel,” on page 324
Section 12.5.2, “Importing a Policy,” on page 328
Section 12.5.3, “Importing a Schema,” on page 331

12.5.1 Importing a Channel

To import an Identity Manager channel (a Subscriber channel or a Publisher channel) object and all contained policies into a driver:

1 Select either a Driver object or an Application object in the Modeler view.
   The Driver object is represented by the line between the Identity Vault and the Application object and has a circle icon to represent it. The Application object connects to the Identity Vault through the Driver object.
2 Right-click a Driver object, then click Live > Import.
   or
   Right-click an Application object and click Driver > Import.
   If Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, you see the Identity Vault Credentials window if you have not previously specified the authentication credentials or if you do not save the password.
3 Fill in the appropriate information and click OK.
4 In the Import from Identity Vault window, browse to and select either a Publisher or a Subscriber Channel object from the eDirectory tree under the corresponding driver.
5 You can import more than one channel at a time; if you want to import both channels, select one channel, click OK, then browse to the next channel, select it, and click OK.
6 Click Continue.
   As the channel imports, you see the Import Summary window showing you the differences between eDirectory (the source of the import) and Designer (the destination).
   You can click the different objects in the channel to view differences between the two drivers. All channel information is overwritten by the import procedure; however, the rest of the driver is unaffected.
7 Click Import.
   For more information about Compare, see Section 12.6, “Using the Compare Feature When Importing,” on page 335.
   If there are any problems with the import procedure, they are displayed with a red icon in the Import Results window and you see an error description that is related to the operation results. If you have multiple errors, selecting an error displays the error’s description in the Details > Description field. See “Identity Vault Configuration Errors” on page 610 for further information.
8 Click OK to finish the import process.

12.5.2 Importing a Policy

A policy is a collection of rules and arguments that allows you to transform the data that an application sends to and receives from eDirectory.
You use policies to manipulate the data you receive from eDirectory or from the managed system so they can synchronize the information in their databases. Each driver connects to a different system, and policies tell the driver how to synchronize the data on that managed system to the Identity Vault.

You might use the Import feature for policies more than anything else. For example, you can set up a policy to allow users with the title “Manager” to be placed in a specific container, no matter which application the information is coming from, and you can place this information in multiple managed systems. However, because each application is different, you need to modify the arguments and rules within policies to reflect those differences.

For more information about policies, see Understanding Policies for Identity Manager 4.0.2 and Policies in Designer 4.0.2.

To import an eDirectory Policy object (for example, a rule or a style sheet) into a driver or channel (Subscriber or Publisher):

1 Select a driver in the Modeler view.
   or
   Click the Outline tab and select a Driver or Channel object from the Outline view.
2 Verify that the authentication credentials in the Properties view for the selected Identity Vault are correct.
3 Right-click the Driver or Channel object, then click Live > Import.
   If the application can’t authenticate to the eDirectory tree, you see the Identity Vault Credentials window asking for the hostname, username, and password if you have not previously specified the authentication credentials or if you do not save the password.
4 Fill in the appropriate information and click OK.
5 In the Import from Identity Vault window, click Browse, then select a policy object from the channel you specified when you started the import process.
   Policies are found under either the Publisher or Subscriber channel of a selected driver or under the driver itself.
   Be sure to match the proper policy to the proper channel or driver object.
6 Click OK, then click Continue to import the policy.
   You see the Import Summary window showing you the differences between eDirectory (the source of the import) and Designer (the destination). You can click the different objects in the policy to see what is different between the two policies. All selected policy information is overwritten by the import procedure; however, the rest of the driver is unaffected.
7 Click Import.
   If the importing policy contains the same values as the policy in Designer, you are not allowed to import the policy. (For more information about the Compare feature, see Section 12.6, “Using the Compare Feature When Importing,” on page 335.)
   Clicking Import brings up the Import Results window. If there are any problems with the import procedure, they are displayed with a red icon, and you see an Error description that is related to the operation results. If you have multiple errors, selecting the different errors displays the error’s description in the Details > Description field. See Section 22.11, “Error Messages and Solutions,” on page 609 for further information.
8 Click OK to finish the import process.

For policy design, see the Policy Builder and Policy Management Help topics within the Designer utility. Also see Understanding Policies for Identity Manager 4.0.2 and Policies in Designer 4.0.2.

12.5.3 Importing a Schema

You can import a schema from the Identity Vault or from a .sch file into your project. When you import a schema, you can select the whole Identity Vault schema (not recommended) or just the schema differences between the Identity Vault and your project.

1 Bring up the project in Designer’s Modeler view. Right-click the Identity Vault and select Live > Schema > Import.
2 On the Select Source for Import page, select Import from eDirectory if you can connect to an actual Identity Vault. The specified user must have administrative rights to the schema.
3 In the Import from eDirectory section, specify the hostname, username and password connection information.
   The Host Name and User Name entries have drop-down menus storing the last information you typed into these fields, which you can use for filling in these entries.
4 Click Next.
5 Decide which classes and attributes to import.
   On the Select Classes and Attributes for Import page, you can select all of Identity Vault’s schema, including classes and attributes. However, this can create very large documents when you document the project (600 pages or more).
6 If you want to import all the classes and attributes, click Select All, click Finish, then skip to Step 8.
   Select only the classes and attributes that you want to import. If you only want to import the schema differences between the live Identity Vault and the Identity Vault in your project, click View Differences, then continue with Step 7.
   On the Schema Differences page, you see the schema differences between the live Identity Vault and the Identity Vault in your project.
7 Click Select All if you only want to import schema differences. Otherwise, click Cancel.
8 Do one of the following options:
   Selecting Select All > OK brings you back to the Select Classes and Attributes for Import page with the schema differences now selected under the Classes and Attributes headings. If you select any classes from the Schema Differences page, the Import all associations box is selected. Leave it selected, because it enables you to associate the selected attributes with the classes that might already exist in Designer. Click Finish.
   If you selected Cancel on the Schema Differences page, make your schema selections on the Select Classes and Attributes for Import page, select the Import all associations box (recommended), and click Finish.
   Click Next if you want to see the Import Summary page to see the classes and attributes that you are importing. Then click Finish.
9 On the Import Messages page of the Schema Import Wizard, click OK.
   or
   If you want to save the differences to a log file, click Save to Log. This brings up the Save As dialog box, where you can choose a filename and directory to store the file in.
10 Click Save, then click OK.

12.6 Using the Compare Feature When Importing

Designer’s Compare feature allows you to see differences between the driver sets, drivers, channels, and policies that are stored in projects and those that are running in deployed systems, and reconcile any differences to either Designer or the Identity Vault.

Previous versions of Designer only provided conflict resolution when importing a Driver. While importing, you could select which policies of the driver you wanted to update, but you could not view any differences between existing and new values.

Designer provides conflict resolution on an object-by-object basis and allows you to view the differences between existing and new values when importing and deploying driver sets, drivers, channels, and policies.

For example, before importing a driver object in Designer to a driver object that already exists in the Identity Vault, you can run Compare. Compare shows whether the driver objects are equal (no action is necessary) or unequal. If they are unequal, you can choose not to reconcile the driver objects, choose to update the driver object in Designer, or choose to update the driver object in the Identity Vault. You can run the Compare feature at any time.
If you choose to reconcile the differences between driver objects in Designer and eDirectory while in Compare, you won’t need to run Import or Deploy.

Section 12.6.1, “Using Compare When Importing a Driver Object,” on page 335
Section 12.6.2, “Using Compare on a Channel Object,” on page 339
Section 12.6.3, “Using Compare on a Policy,” on page 340
Section 12.6.4, “Matching Attributes with Designer Properties,” on page 340

12.6.1 Using Compare When Importing a Driver Object

Use this procedure if you want to import a Driver object from the Identity Vault and the same driver already exists in Designer.

1 Right-click the driver object in either the Modeler view or in the Outline view, then click Live > Compare to bring up the Designer/eDirectory Object Compare window.
   Under Select an object or attribute, you see the selected object with the differences between Designer’s and eDirectory’s driver object. You can select the attributes and child objects to see the actual differences displayed in the Text Compare area.
   The plus icon at the right side of Select an object or attribute allows you to expand all elements in the parent object, and the minus icon collapses all of the elements. The “?” icon in the bottom left portion of the window displays the Summary/Compare dialog box help.
   Server-specific attributes are attributes that have a value for each server that is associated with a driver set. These attributes are displayed in the Attributes list with the server name in parentheses to the right of the attribute name.
2 By default, the Compare window only displays values that are different between Identity Vault and Designer. To view all of the object values, select Show All from the drop-down menu.
   Values that are equal are shown as Equal on the Compare Status line under Information.
   The overlay image displayed in the Compare Status entry identifies objects or attributes that need reconciliation. The following table describes what you see in the Compare Status line and the overlays that you can see:

   | Compare Status | Description |
   |---|---|
   | Equal | The selected attribute’s value or all attributes of the selected object are the same in eDirectory and Designer. |
   | Unequal | The value of the selected attribute, or one or more attributes of the selected object, are different in eDirectory and Designer. |
   | Not Deployed | The selected object or the object containing the selected attribute is not deployed to eDirectory. |
   | Not Imported | The selected object or object containing the selected attribute does not exist in Designer. |
   | Unknown | The selected object or object containing the selected attribute cannot be compared, such as a password. |
   | Deleted | Designer tracks objects that are deployed, then deleted from the Designer project. |

   You can also see an Attribute Note if you select an attribute.
3 In the Information portion of the Compare window, select how you want to reconcile the differences between the Source and Destination. If Compare Status shows Unequal, you have three choices:
   Do not reconcile: To do nothing, keep the default value of Do Not Reconcile.
   Update Designer: To update the driver in Designer so that it contains the same information as the driver in the Identity Vault, select Update Designer.
   Update eDirectory: To update the driver in eDirectory to reflect the changes you have just made to the driver in Designer, select Update eDirectory.
   If you select the parent object to perform the update, then all of the child objects under the parent reflect that choice and you see the Reconciled By Parent icon selected. If you do not choose a parent object, you can reconcile each child object individually.
4 View the differences displayed in the Text Compare area.
   The Text Compare values displayed in the bottom portion of the Designer/eDirectory Object Compare window vary, depending on the object being compared. For instance, Compare shows you changes down to the policy level.
   The Text Compare dialog box uses the Eclipse Compare editor to compare attributes that contain XML data, such as policy data, driver filters, or configuration data. The differences in the code are highlighted in blue.
5 After you view the differences, click Reconcile to perform the reconciliation actions for each object in the tree, or click Close to close the Designer/eDirectory Object Compare screen.
   After reconciliation, the object matches both locations and has been imported or deployed through the action.

12.6.2 Using Compare on a Channel Object

Use this procedure if you want to import a channel object from the Identity Vault and the same channel already exists in Designer. You can view the differences and decide whether to reconcile them.

1 Right-click the channel object in the Outline view. Click Live > Compare to bring up the Designer/eDirectory Object Compare window.
   All Compare windows behave as described in Section 12.6.1, “Using Compare When Importing a Driver Object,” on page 335.
   After reconciliation, the Channel object matches both locations and has been imported or deployed through the action.

12.6.3 Using Compare on a Policy

Use this procedure if you want to import a policy object from the Identity Vault and the same channel already exists in Designer. You can view the differences and decide whether to reconcile them.

1 Right-click the policy object in the Outline view. Select Live > Compare to bring up the Designer/eDirectory Object Compare window.
   All Compare windows behave as described in Section 12.6.1, “Using Compare When Importing a Driver Object,” on page 335.
   After reconciliation, the policy object matches both locations and has been imported or deployed through the action.
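
The Compare Status values from the table in Section 12.6.1, applied as an offline drift check between attribute values held in a project and values read from the Identity Vault. This is an added example, not Designer's own code: the object paths, sample values, XML normalization, and the choice of which attributes count as non-comparable are assumptions.

```python
from enum import Enum
from xml.etree.ElementTree import ParseError, canonicalize


class Status(str, Enum):
    """Compare Status values from the table in Section 12.6.1."""
    EQUAL = "Equal"
    UNEQUAL = "Unequal"
    NOT_DEPLOYED = "Not Deployed"
    NOT_IMPORTED = "Not Imported"
    UNKNOWN = "Unknown"
    DELETED = "Deleted"


# Assumption: these secret-bearing attributes are the non-comparable ones.
OPAQUE_ATTRS = frozenset({"DirXML-ShimAuthPassword", "DirXML-NamedPasswords"})


def _normalize(value):
    """Canonicalize XML values so formatting-only edits are not reported."""
    if isinstance(value, str) and value.lstrip().startswith("<"):
        try:
            return canonicalize(value, strip_text=True)
        except ParseError:
            return value  # not well-formed XML: compare as plain text
    return value


def compare_attribute(name, designer_value, edir_value):
    """Status of one attribute; secrets are never compared by value."""
    if name in OPAQUE_ATTRS:
        return Status.UNKNOWN
    same = _normalize(designer_value) == _normalize(edir_value)
    return Status.EQUAL if same else Status.UNEQUAL


def compare_object(path, designer_obj, edir_obj, deleted=frozenset()):
    """Return (object status, {attribute: Status}); a missing object is None."""
    if designer_obj is None and edir_obj is None:
        raise ValueError(f"{path}: absent on both sides")
    if edir_obj is None:
        return Status.NOT_DEPLOYED, {}
    if designer_obj is None:
        # Deployed earlier, then removed from the project, versus never imported.
        return (Status.DELETED if path in deleted else Status.NOT_IMPORTED), {}
    attrs = {
        name: compare_attribute(name, designer_obj.get(name), edir_obj.get(name))
        for name in sorted(set(designer_obj) | set(edir_obj))
    }
    unequal = any(s is Status.UNEQUAL for s in attrs.values())
    return (Status.UNEQUAL if unequal else Status.EQUAL), attrs


def drift_report(designer, edir, deleted=frozenset()):
    """Compare every object path that exists on either side."""
    return {
        path: compare_object(path, designer.get(path), edir.get(path), deleted)
        for path in sorted(set(designer) | set(edir))
    }


def effective_choice(path, choices, default="Do not reconcile"):
    """A choice set on a parent object applies to every child beneath it."""
    parts = path.split("/")
    for depth in range(1, len(parts) + 1):
        parent = "/".join(parts[:depth])
        if parent in choices:
            return choices[parent]
    return default


# Constructed sample data: object paths and values are made up for the example.
DESIGNER = {
    "DriverSet/AD": {
        "DirXML-TraceLevel": "0",
        "DirXML-ShimAuthPassword": "(set)",
        "DirXML-ShimConfigInfo": '<driver-config name="AD"><opt id="a" v="1"/></driver-config>',
    },
    "DriverSet/Staging": {"DirXML-TraceLevel": "0"},
}
EDIR = {
    "DriverSet/AD": {
        "DirXML-TraceLevel": "5",
        "DirXML-ShimAuthPassword": "(set)",
        "DirXML-ShimConfigInfo": '<driver-config name="AD">\n  <opt v="1" id="a"></opt>\n</driver-config>',
    },
    "DriverSet/Legacy": {"DirXML-TraceLevel": "0"},
    "DriverSet/Retired": {"DirXML-TraceLevel": "0"},
}
DELETED_IN_DESIGNER = frozenset({"DriverSet/Retired"})

if __name__ == "__main__":
    for path, (status, attrs) in drift_report(DESIGNER, EDIR, DELETED_IN_DESIGNER).items():
        print(f"{path}: {status.value}")
        for name, attr_status in attrs.items():
            if attr_status is not Status.EQUAL:
                print(f"    {name}: {attr_status.value}")
```

Attributes reported as Unknown are the ones a value comparison cannot vouch for, so a clean report still leaves credentials to be verified by other means.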

12.6.4 Matching Attributes with Designer Properties

The attributes of the object are displayed in a single list in the Compare window. Selecting an attribute displays its value below the attribute list with the Designer value on the left and the eDirectory value on the right. The name displayed in the list is the eDirectory attribute name.

The following tables map the eDirectory attribute to the Designer property page or control where you can change or set the attribute (you can’t make changes inside the Compare window).

Table 12-1 on page 340 shows Driver Set eDirectory attributes
Table 12-2 on page 341 shows Driver eDirectory attributes
Table 12-3 on page 342 shows Channel eDirectory attributes
Table 12-4 on page 342 shows the Job eDirectory attributes
Table 12-5 on page 342 shows the Resource eDirectory attributes
Table 12-6 on page 343 shows the ID Policy eDirectory attributes
Table 12-7 on page 343 shows the Library eDirectory attribute
Table 12-8 on page 343 shows the Notification Template eDirectory attributes
Table 12-9 on page 343 shows the Notification Template Collection eDirectory attributes

Table 12-1 Driver Set eDirectory Attributes

| Driver Set eDirectory Attribute | Designer Property |
|---|---|
| DirXML-DriverTraceLevel | Driver Set Properties > Trace > Driver Trace Level |
| DirXML-XSLTraceLevel | Driver Set Properties > Trace > XSL Trace Level |
| DirXML-JavaEnvironmentParameters | Driver Set Properties > Java |
| DirXML-JavaDebugPort | Driver Set Properties > Trace > Java Debug Port |
| DirXML-JavaTraceFile | Driver Set Properties > Trace > Java Trace File |
| DirXML-TraceFileEncoding | Driver Set Properties > Trace > Trace File Encoding |
| DirXML-TraceSizeLimit | Driver Set Properties > Trace > Trace File Size Limit |
| DirXML-LogLimit | Driver Set Properties > Driver Set Log Level > Log Limit |
| DirXML-LogEvents | Driver Set Properties > Driver Set Log Level > Log Specific Events |
| DirXML-NamedPasswords | Driver Set Properties > Named Passwords |
| DirXML-ConfigValues | Driver Set Properties > Global Configuration Values |

Table 12-2 Driver eDirectory Attributes

| Driver eDirectory Attribute | Designer Property or View |
|---|---|
| DirXML-InputTransform | Policy Set View > Input Transformation |
| DirXML-OutputTransform | Policy Set View > Output Transformation |
| DirXML-MappingRule | Policy Set View > Schema Mapping |
| DirXML-DriverFilter | Policy Set View > Driver Filter |
| DirXML-ConfigValues | Driver Properties > Global Configuration Values |
| DirXML-DriverTraceLevel | Driver Properties > Driver Log Level > Driver Log Level |
| DirXML-EngineControlValues | Driver Properties > Engine Control Values |
| DirXML-LogEvents | Driver Properties > Driver Log Level > Log Specific Events |
| DirXML-LogLimit | Driver Properties > Driver Log Level > Log Limit |
| DirXML-ConfigManifest | Driver Properties > Driver Manifest |
| DirXML-JavaModule | Driver Properties > Driver Configuration > Driver Module: Java |
| DirXML-NativeModule | Driver Properties > Driver Configuration > Driver Module: Native |
| DirXML-DriverImage | Driver Properties > iManager Icon |
| DirXML-ReciprocalAttrMap | Driver Properties > Reciprocal Attributes |
| DirXML-TraceLevel | Driver Properties > Trace > Trace Level |
| DirXML-TraceFile | Driver Properties > Trace > Trace File |
| DirXML-TraceFileEncoding | Driver Properties > Trace > Trace File Encoding |
| DirXML-TraceSizeLimit | Driver Properties > Trace > Trace File Size Limit |
| DirXML-TraceName | Driver Properties > Trace > Trace Name |
| DirXML-DriverCacheLimit | Driver Properties > Driver Configuration > Authentication > Driver Cache Limit |
| DirXML-ShimAuthID | Driver Properties > Driver Configuration > Authentication > User ID |
| DirXML-ShimAuthServer | Driver Properties > Driver Configuration > Authentication > Connection Information |
| DirXML-ShimAuthPassword | Driver Properties > Driver Configuration > Authentication > Set Password |
| DirXML-ShimConfigInfo | Driver Properties > Driver Configuration > Driver Configuration > Driver Parameters |
| DirXML-DriverStartOption | Driver Properties > Driver Configuration > Startup Option |
| DirXML-ECMAScript | Driver Properties > Driver Configuration > ECMAScript |
| DirXML-NamedPasswords | Driver Properties > Named Passwords |

Table 12-3 Channel eDirectory Attributes

| Channel eDirectory Attribute | Designer View |
|---|---|
| DirXML-EventTransformationRule | Policy Set View > Event Transformation |
| DirXML-MatchingRule | Policy Set View > Matching |
| DirXML-CreateRule | Policy Set View > Creation |
| DirXML-PlacementRule | Policy Set View > Placement |
| DirXML-CommandTransformation | Policy Set View > Command Transformation |

Table 12-4 Job eDirectory Attributes

| Job eDirectory Attribute | Designer View |
|---|---|
| XmlData | Job Editor (XML cannot be edited directly, only through the Job Editor UI) |
| DirXML-ServerList | Job Editor |
| DirXML-Scope | Job Editor |
| DirXML-EMailTemplates | Job Editor |
| DirXML-EMailServer | Job Editor |
| DirXML-NamedPasswords | Job Editor |
| DirXML-TraceName | Job Properties > Trace |
| DirXML-TraceFile | Job Properties > Trace |
| DirXML-TraceSizeLimit | Job Properties > Trace |
| DirXML-TraceFileEncoding | Job Properties > Trace > Trace File Encoding |
| DirXML-TraceLevel | Job Properties > Trace |

Table 12-5 Resource eDirectory Attributes

| Resource eDirectory Attribute | Designer View |
|---|---|
| DirXML-ContentType | Read only; cannot be edited (set at creation time of the object) |
| DirXML-DirXMLData | Resource Editor |
| DirXML-NamedPasswords | Resource Editor |

Table 12-6 ID Policy eDirectory Attributes

| ID Policy eDirectory Attribute | Designer View |
|---|---|
| DirXML-idPolMin | ID Policy Properties > Constraints Minimum |
| DirXML-idPolMax | ID Policy Properties > Constraints Maximum |
| DirXML-idPolPrefix | ID Policy Properties > Constraints Prefix |
| DirXML-idPolArea | ID Policy Properties > Constraints Exclude/Include Text Field |
| DirXML-idPolFill | ID Policy Properties > Constraints Fill Yes/No |
| DirXML-idPolAreaEI | ID Policy Properties > Constraints Exclude/Include Radio Button |
| DirXML-idPolAccessControl | ID Policy Properties > Access Control enabled |
| DirXML-idPolACL | ID Policy Properties > Access Control ACL |

Table 12-7 Library eDirectory Attribute

| Library eDirectory Attribute | Designer View |
|---|---|
| Description | Library Properties > Description |

Table 12-8 Notification Template eDirectory Attributes

| Notification Template eDirectory Attributes | Designer View |
|---|---|
| notfMergeTemplateSubject | Template Editor |
| notfMergeTemplateData | Template Editor |

Table 12-9 Notification Template Collection Attributes

| Notification Template Collection Attributes | Designer View |
|---|---|
| notfSMTPEmailHost | Notification Template Collection Properties > Host Name |
| notfSMTPEmailFrom | Notification Template Collection Properties > From |
| notfSMTPEmailUserName | Notification Template Collection Properties > User Name |

12.7 Error Messages and Solutions

To view error messages along with their possible solutions associated with importing and deploying files, see Section 22.5, “Deploying Identity Manager Objects,” on page 601.

13 Documenting Projects

When you create a project, it’s vital to keep track of how the driver works and how it’s implemented into a network. The Document Generator helps you quickly generate customized documentation for your Designer projects. These documents can save you weeks or months of gathering and writing driver specifications and their implementations.

To generate a document, choose a document style (it can be the default style that comes with Designer or one that you customize) and a Designer project or portion of a project. The Document feature combines the information and structure of the selected style with the project information in order to generate customized project documentation.

Designer comes with a default document style so you won’t need to create a document from scratch. This default style contains everything that you have placed in a project through Designer.
You must first use this default style to create your own document style for the project you are working on, then you can either use it as it is or customize it to meet your particular needs, including or excluding information as needed. After you have edited the style to your liking, you can also use it to document your other projects. There is an advanced editing feature that allows you to create your own sections for adding information that you did not create in Designer.

- Section 13.1, “Creating a Document Style”
- Section 13.2, “Editing a Document Style for Your Needs”
- Section 13.3, “Generating a Document”
- Section 13.4, “Using Your Style Template for Other Projects”
- Section 13.5, “Customizing Styles to Include or Exclude Information”
- Section 13.6, “Advanced Editing of a Document Style”

13.1 Creating a Document Style

A document style allows you to define how you want your project information to look. In a matter of minutes, you can generate a document that contains all elements that you have placed in a project and define a document style to designate how the information looks, as well as what information you want in a document.

1 Select a project in the Project view, then right-click the Toolbox > DocumentGenerator > Styles icon.

2 Select New > Document Generation Style (.docgen).

The Document Generation Style (.docgen) is the default style that is provided with Designer. You use this as the template for your own .docgen style.

3 Specify a name for the Designer project, or use the default of the project’s name. Then specify a name for the style, with a .docgen extension, or use the default name of the project you are presently in, then click Finish.

A .docgen file is created that you can use as the basis for designing your own style template.
The .docgen template is placed in the Style Editor view for your modification (see Section 13.2, “Editing a Document Style for Your Needs,” on page 347). You can use the defined elements in your new style template again and again.

4 Use this basic document style template to generate documentation for a project, or customize it for your needs.

- Section 13.3, “Generating a Document”
- Section 13.2, “Editing a Document Style for Your Needs”
- Section 13.4, “Using Your Style Template for Other Projects”
- Section 13.5, “Customizing Styles to Include or Exclude Information”
- Section 13.6, “Advanced Editing of a Document Style”

13.2 Editing a Document Style for Your Needs

After you have created a .docgen style template, you can edit the file to meet your documentation needs. You can add or modify information in the style template, which in turn affects the documents that you generate. The information that you can customize through the Style Editor appears in the Style Editor view. For more detailed editing, see Section 13.6, “Advanced Editing of a Document Style,” on page 360.

- Section 13.2.1, “Editing a Style Template”
- Section 13.2.2, “Editing Sections of a Style”

13.2.1 Editing a Style Template

1 Select a project in the Project view, then expand the Designer > Toolbox > DocumentGenerator > Styles icon.

2 Double-click the .docgen file. The file appears in the Style Editor view.

3 Use the Style editor to edit sections of a style or to modify the style according to your needs.

The Style editor is divided into two parts, beginning with the Identity Manager and working through the Appendixes. When you click an item under the Style Editor section, the right portion of the view changes to display the information associated with the heading. For example, clicking Disclaimer under the Document > Legal heading allows you to edit the disclaimer content.

4 Save your changes.
Your changes are saved when you close the Style Editor, or when you click the Save icon.

13.2.2 Editing Sections of a Style

1 Select an item (for example, Executive Summary) in the Style Editor view.

2 Enter data or make changes in the left pane.

3 Select other items as appropriate and make changes.

The information in the left pane varies, depending on items that you select. The main areas that you need to pay attention to are the information found under Identity Manager System (Title Page and Table of Contents), Document, Legal, Disclaimer, Trademarks, and Executive Summary.

4 Save your changes. Your changes are saved when you close the Style Editor, or when you click Save.

5 Use this document style to generate documentation for a project, or continue to customize it for specific documentation needs.

- Section 13.3, “Generating a Document”
- Section 13.4, “Using Your Style Template for Other Projects”
- Section 13.5, “Customizing Styles to Include or Exclude Information”
- Section 13.6, “Advanced Editing of a Document Style”

13.3 Generating a Document

1 (Conditional) If you haven’t yet created a Designer Project, create one.

1a Select File > New > Identity Manager Project.

1b Provide a project name, then click Finish.

2 (Conditional) If you haven’t yet created a document style that you want to use as a template for your documentation, create one. See “Creating a Document Style” on page 345 and “Editing a Document Style for Your Needs” on page 347.

3 In the Project view, select and expand a project, then right-click the .docgen icon under Designer > Toolbox > DocumentGenerator > Styles and select Generate Documentation for This Style.
You can also expand the Designer > Toolbox > DocumentGenerator > Styles folder and click the .docgen file to open the file in the Style Editor, then click the Document Generation icon to the right of the Style Editor heading.

4 (Conditional) If the Project folder you selected does not contain a .docgen file, you are asked to select a Base Style. Select a .docgen style, then click Next.

5 (Conditional) Designer includes the ability to generate documents to RTF (Rich Text Format). If you want to enable this functionality, click Window > Preferences to bring up the Preferences window. Then, under Novell > Identity Manager, select Document Generation.

By selecting Enable RTF support (experimental), you can select the RTF format when creating documents.

6 On the Generate Documentation page, fill in the needed information.

- Select the name you want to call the file, or keep the default name. If you are generating the whole document, the default name often suffices. If you are generating a document for a section, such as an Executive Summary, name the file to reflect the section you are documenting.
- Select the directory where you want to store the document. If you use the default output location that appears in the Directory field, your generated document is visible under the Documents\Generated folder of the Project View.
- Select the format for the file. If you have enabled rich text formatting, you can select PDF (Printable Document Format), TXT (Text Document), or RTF (Rich Text Format).

7 Click Finish to generate the document.

The document appears in the current Project > Documents > Generated folder unless otherwise specified. PDF files must be viewed through a PDF viewer, such as Adobe Acrobat. If Adobe Acrobat is installed on your workstation, Designer launches the document in Acrobat.
RTF files can be viewed in any word processor that can handle Rich Text Formatted files, such as Wordpad in Windows.

The Filter editor provides an option to add notes to class and attributes, and these notes are added to the documentation. Password synchronization on drivers is also documented, showing how the administrator has set up password synchronization for the Publisher and Subscriber channels. You can also document contact information on the administrator for Identity Vault and application objects, as well as reciprocal mapping information.

13.4 Using Your Style Template for Other Projects

To generate documentation for any project, you can use the default style provided with Designer or you can use your own customized styles.

- Section 13.4.1, “Documenting a Section of the Project”
- Section 13.4.2, “Documenting Multiple Sections of the Project”

13.4.1 Documenting a Section of the Project

Instead of generating a document for the entire project, you can generate a document for a selected section of a project.

1 With the project’s .docgen file open in the Style Editor pane, right-click a section of the style.

2 Select Generate Documentation for This Section.

3 In the Generate Documentation window, type a different project name in the Filename field (for example, DocHistoryofMerger), then click OK.

Specify which portion or portions of the project you want to include in the generated document. You can document domains, Identity Vaults, driver sets, drivers, and applications using the Modeler view or the Outline view (use the Ctrl key to select multiple items). Document generation also ties in with schema notes, classes and attributes. You can find out more about this in Chapter 8, “Managing the Schema,” on page 205.

For example:

1 To document a specific driver in a project, right-click the driver in the Modeler or Outline view and select Document Selection.
2 Select the .docgen style sheet for the document and click Next.

3 Give the document a filename, such as the driver’s name, select the document’s format, and click Finish to generate the driver document.

By default, documenting an application includes the connected driver (and its related objects). Likewise, documenting a specific driver includes its connected application. However, you can change this behavior in the Documentation Generation’s Preferences page.

1 Click Window > Preferences to bring up the Preferences window.

2 Under Designer for IDM, select Document Generation.

Under the Modeler heading, the Document applications and drivers related to other selected items option is selected by default, which means that directly related items are included in the documentation. For example, by default, documenting a driver set includes the direct children (the applications) as well as some information of the direct parents (the Identity Vault and domain) to give context to the driver set. Deselecting this option excludes direct children of the selected item.

3 Select or deselect the options you want, then click OK.

13.4.2 Documenting Multiple Sections of the Project

If necessary, you can generate only selected sections so that peers can help you with information in the selected sections.

1 If you have not already done so, double-click the .docgen file to bring up the template in the Style Editor.

2 Select or deselect section headings.

Each section and child section has a check box entitled Include this section in the final document. By default the box is selected. To limit the sections you want to document, deselect the check boxes in the sections you don’t want to generate.

3 Click the Generate Document icon to the right of the Style Editor heading and generate your document.
Give the document a unique name to reflect the type of information it includes.

13.5 Customizing Styles to Include or Exclude Information

Novell does not recommend that you document all Identity Vault schemas unless you need to.

- Section 13.5.1, “Identity Vault Schema and Application Schema”
- Section 13.5.2, “Using Project Configuration to Limit Information”

13.5.1 Identity Vault Schema and Application Schema

The defaults for Identity Vault schemas have been changed to include custom schemas and any modified changes to the Identity Vault base schema. For application schemas, Designer includes all schemas by default. However, these can be turned off.

Select the Appendix B: Schema heading in the Style Editor view. This brings up the Appendix B section template in the right side of the Style Editor view.

Figure 13-1 The Appendix B: Schema Section Template

The Appendix B: Schema section has three selections:

- Include this section. The Include this section in the final documentation check box allows you to include or not include Appendix B information in the documentation. By default, the box is selected to include this information. Deselect the check box if you do not want to include application or Identity Vault schemas in the document.
- Document Custom and Imported Identity Vault Schema. By default, the Identity Vault Schema to be documented selection documents any schema that you import from the Identity Vault or that you create. The choices are Document custom or imported schema, or None.
- Document all Application Schema. By default, the Application schema to be documented selection includes all of the application schema. The choices are Document all schema elements, or None.
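Section 13.5.2 warns that the Include passwords option and the XML source options for credential provisioning objects can put clear-text passwords into generated documents. The following is an added example, not part of the Novell guide: a pre-share check that scans the TXT documents and XML source files in an output folder and reports where password-like values appear without echoing them. The element, attribute and label names, the file names and all sample content are constructed assumptions; the real output layout may differ.

```python
"""Pre-share check for generated documentation (added example, constructed data)."""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from collections import namedtuple
from pathlib import Path

# A finding records where a secret sits and how long it is, never the secret itself.
Finding = namedtuple("Finding", "file where name length")

# Heuristic name patterns; these are assumptions of this example, not Designer's schema.
SECRET_NAME = re.compile(r"pass(?:word|wd|phrase)|secret", re.IGNORECASE)
# "Application Password: value" or "password = value" lines in TXT output.
TXT_LINE = re.compile(r"^\s*([^:=]*pass(?:word|wd|phrase)[^:=]*)[:=]\s*(\S.*)$",
                      re.IGNORECASE)


def is_clear_text(value):
    """True when a value is present and is not only a mask such as ********."""
    value = (value or "").strip()
    return bool(value) and set(value) != {"*"}


def local_name(tag):
    """Drop an XML namespace written as {uri}name."""
    return tag.rsplit("}", 1)[-1]


def scan_xml(path):
    """Flag elements and attributes with secret-like names that hold a real value."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        # Do not pass a file silently because it could not be read.
        return [Finding(path.name, "unparsed", "XML parse error", 0)]
    findings = []
    for elem in root.iter():
        tag = local_name(elem.tag)
        if SECRET_NAME.search(tag) and is_clear_text(elem.text):
            findings.append(Finding(path.name, f"<{tag}>", tag, len(elem.text.strip())))
        for attr, value in elem.attrib.items():
            attr = local_name(attr)
            if SECRET_NAME.search(attr) and is_clear_text(value):
                findings.append(
                    Finding(path.name, f"<{tag} {attr}=...>", attr, len(value.strip())))
    return findings


def scan_text(path):
    """Flag 'label: value' lines whose label mentions a password."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        match = TXT_LINE.match(line)
        if match and is_clear_text(match.group(2)):
            findings.append(Finding(path.name, f"line {number}",
                                    match.group(1).strip(), len(match.group(2).strip())))
    return findings


SCANNERS = {".xml": scan_xml, ".txt": scan_text}


def scan_folder(folder):
    """Return (findings, skipped): skipped files (PDF, RTF, ...) need manual review."""
    findings, skipped = [], []
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file():
            continue
        scanner = SCANNERS.get(path.suffix.lower())
        if scanner:
            findings.extend(scanner(path))
        else:
            skipped.append(path.name)
    return findings, skipped


# Constructed sample output; element, attribute and label names are invented.
SAMPLE_XML = """<project-doc>
  <driver name="HR Driver">
    <named-password name="smtp-admin">Winter2013!</named-password>
    <application user="cn=admin,o=acme" password="********"/>
    <remote-loader password="rl-s3cret"/>
  </driver>
</project-doc>"""
SAMPLE_TXT = """Driver: HR Driver
Password synchronization on drivers is documented below.
Application Password: Tr0ub4dor&3
Remote Loader password = ********
"""


def build_sample(folder):
    """Write the constructed files into folder (stands in for Documents\\Generated)."""
    (folder / "project.xml").write_text(SAMPLE_XML, encoding="utf-8")
    (folder / "generated.txt").write_text(SAMPLE_TXT, encoding="utf-8")
    (folder / "project.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        found, unscanned = scan_folder(tmp)
    for item in found:
        print(f"{item.file}: {item.where}: {item.name} ({item.length} chars, clear text)")
    print("not scanned:", ", ".join(unscanned))
    sys.exit(1 if found else 0)
```

PDF and RTF output is only listed as unscanned, so generating a TXT copy of the same style gives the check something to read before a PDF is circulated.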
13.5.2 Using Project Configuration to Limit Information

The Project Configuration heading allows you to include or deselect information on:

- Identity Vault
- Driver Sets
- Drivers
- General

The following table shows what type of information can be included or excluded in these areas.

Table 13-1 Project Configuration

| Setting | Identity Vault Information to Select or Deselect |
| --- | --- |
| Selected | Include host information |
| Selected | Include username information |
| Selected | Include deployment context information |
| Selected | Include driver set names |
| Selected | Include policy library on Identity Vaults |
| Deselected | Include e-mail notification templates |
| Deselected | Include XML source while documenting policies under the policy library |
| Deselected | Include XML source while documenting credential provisioning objects under the policy library |
| Deselected | Include XML source while documenting mapping table objects under the policy library |

| Setting | Driver Set Information to Select or Deselect |
| --- | --- |
| Selected | Include server information associated with the driver set |
| Selected | Include driver set Global Configuration Value (GCV) |
| Selected | Include the policy library on driver sets |
| Selected | Include job objects on driver sets |
| Deselected | Include the XML source for policies under the policy library |
| Deselected | Include the XML source for credential provisioning objects under the policy library |
| Deselected | Include the XML source for mapping table objects under the policy library |
| Deselected | Include the XML source for job objects |

| Setting | Driver Information to Select or Deselect |
| --- | --- |
| Selected | Include the driver filter policy |
| Selected | Include policy set |
| Selected | Include server-specific information for this driver |
| Selected | Include Remote Loader configuration |
| Selected | Include entitlements |
| Selected | Include credential provisioning |
| Selected | Include mapping table |
| Selected | Include ECMAScript resource object |
| Selected | Include job objects |
| Deselected | Include the XML source when documenting entitlement objects |
| Deselected | Include the XML source when documenting credential provisioning objects |
| Deselected | Include the XML source when documenting mapping table objects |
| Deselected | Include the XML source when documenting job objects |

| Setting | General Information to Select or Deselect |
| --- | --- |
| Deselected | Include passwords |
| Selected | Page break after this section |

IMPORTANT: Credential provisioning for the XML source might contain passwords that are displayed in clear text. If this option is selected, passwords are displayed in clear text and the documentation includes all passwords in the project.

13.6 Advanced Editing of a Document Style

In addition to selecting and deselecting the content of a document style, you can also change the layout and usability of your document style. You do this by editing the attributes that are associated with certain sections. You can also create additional sections for your documents as you see fit.

- Section 13.6.1, “What’s In the Advanced Editing Mode”
- Section 13.6.2, “A Walk-through Tutorial”
- Section 13.6.3, “Selecting a Language for Generated Documents”
- Section 13.6.4, “Double-Byte Font Support”

13.6.1 What’s In the Advanced Editing Mode

The Advanced Editing icon lets you toggle between simple editing and advanced editing modes. By using the advanced editing mode, you can define information and a structure that is different from the default template already attached to a predefined style. In this example, the Title Page template is shown in its XSL format, which you must maintain.

Figure 13-2 Viewing a Predefined Template

Table 13-2 Style Editor Legend

| Name | Description |
| --- | --- |
| Green Page | A green page means it’s a titled section. The title appears when you generate the document. |
| Grey Page | A grey page means it’s not a titled selection. These pages are also in parentheses; for example, (Title Page). |
| White Page | A white page means this section is disabled and is not included when you generate the document. |
| Template | A yellow template page gives specific format and styles that are included when you generate a document. |
| Global Attribute | A global (red) attribute means it is passed down to every section below it (all children sections). |
| Local Attribute | A local (green) attribute means it is only used by the section in which it appears. |
| Grey Attribute | A grey attribute is used for comments. |
| Control Icon | A Control type defines the functionality that you can give to Attributes. Each Control type has a different functionality. |

Advanced editing mode allows you to add the following:

- “Sections”
- “Viewing or Editing Properties of a Section”
- “Templates”
- “Attributes”
- “Controls and Parameters”

You can have multiple sections in a document, but only one template per section. The template defines the section’s layout; however, you can use the default template for newly created sections. You can also have multiple attributes defining how the section looks, as well as multiple controls.

You use parameters (such as names and values) to specify options for a Control type. A Parameter is a general name for a child item of a Control. The name of the Control denotes the type of control and what you can perform by using that type.

Sections

Sections are blocks of the documentation composed of attributes, parameters, templates, and controls through XSL programming. Section content includes a Title, Body, and children or subordinate information. The following example shows the Section Properties page of the Identity Manager System as seen through the simple edit mode.
Figure 13-3 Section Properties Page

The Identity Manager System section contains a section title (this can be changed), along with a number of tabs (attributes): Document Properties, Client Properties, Header, Font Settings, and Other. Each of these tabs contains fields that are editable; for instance, you can give the section title a different name.

When you click the Advanced Editing icon, you see that the Identity Manager System section contains one template that includes several attributes, controls, and parameters underneath the heading.

Figure 13-4 Advanced Editing Mode

Viewing or Editing Properties of a Section

If you click a section within the Style Editor and look in the Properties view (by default the lower left corner of Designer), you see the values associated with the selection. (If you do not see the Properties view by default, right-click a section and select Show Properties View.)

Figure 13-5 The Properties View of the Appendix B: Schema

These values are edited in the Properties view. The Values for the section heading are listed in the following table:

Table 13-3 Values of a Section

| Property Name | Description |
| --- | --- |
| Enabled (True/False) | Indicates whether this section is enabled. You can change this setting by using the section Style Editor, which is the editor shown to the right of the hierarchical view. |
| ID | Used for reference. Most of the time, ID is left empty. However, you can specify an ID for convenience in finding this section during the transformation process. |
| NLS ID | Used for reference. Most of the time, NLS ID is left empty. |
| Numbered (True/False) | Indicates whether this section should be included in the numbering and placed in the Table of Contents. |
| Source | Data source used to transform the template. For example, designer, style, and none. |
| Title | The value to be displayed as the title. You can change this setting by using the section Style editor, which is the editor shown to the right of the hierarchical view. |
| Titled (True/False) | Indicates whether the title value should be shown in the generated document. Otherwise, it is used only in the GUI for context. |
| Version | The version of the section. |

NOTE: Values change, depending on what you select under the Style Editor view. For example, an attribute shows different properties than a section or a template.

Templates

A template is the XML source that defines the overall layout of a generated page. For instance, the Title Page contains a template, as well as a number of headings. The following figure illustrates the parts of the Executive Summary template. For more information about templates, see “A Walkthrough Tutorial” on page 368.

Figure 13-6 Parts of the Executive Summary Template

Attributes

Attributes are the child elements of a section. For example, clicking the Advanced Editor mode while selecting the section title Identity Manager System reveals the following attributes in red (global), green (local), and grey (comment):

Figure 13-7 Attributes

Controls and Parameters

You can add parameters to control the appearance of a style. For example, in the Advanced Editing mode, the structure of the Short (abbreviated) Solution Name entry is a global attribute that contains a control and a label, and the control type known as textbox allows anyone to type a name that appears in the generated document. Use the Properties view to edit controls.

Designer’s supported parameters or values for controls include the following:

Table 13-4 Supported Parameters

| Control | Parameter or Value | Description |
| --- | --- | --- |
| Table | columns="3" | Number of columns to show in the control. |
| | header="date" | Column header text. |
| | width="30" | Column width for each column. |
| | label="show this" | Explains what you see in this control. |
| | addrows | Displays a button to perform this function. |
| | removerows | Displays a button to perform this function. |
| File | extensions=".jpg;*.gif" | Supported extensions separated by a semicolon (*.jpg;*.jpeg;*.gif). (One file only.) |
| | label="show this" | The label explains what you can do with this control. |
| Select (Identity Manager System/font Settings) | option="font 1" option="font 2" | Parameters allow font point selection, such as option = "20pt" and option = "24pt" |
| | label="show this" | The label indicates what you can do with this control. |
| Checkbox | label="show this" | The label explains what you can do with this control. It includes a check box. |
| Textbox or Textarea | label="show this" | The label explains what you can do with the text box or text area control. You edit these controls through the Properties view. |
| Comment | label="show this" | Allows you to add comments to help users. You edit this control through the Properties view. |

13.6.2 A Walk-through Tutorial

Now that you better understand what components are necessary in order to add advanced functionality to your template, use this section to create a new section, add an attribute, and view the source.

- “Creating a New Section in a Style”
- “Adding an Attribute to a Style”
- “Enabling Documents to Recognize Your Additions”
- “Viewing the Source”

Creating a New Section in a Style

To insert an additional section into the Style Editor:

1 Create or open an existing .docgen file in the Style Editor.

2 Click the Enable Advanced Editing icon.

The tree view of the document outline expands to include additional objects (such as attributes, template, and parameters).

3 Right-click the parent section where you want to add your new section, then select New Child > Section.
Specify a new section name; for this example, call it “My Section.”

4 (Optional) Reorder the section by dragging the section object to a different location in the navigation tree. You can also copy and paste within this style or other styles.

5 Click the Save icon, then continue with “Adding an Attribute to a Style” on page 369.

Adding an Attribute to a Style

1 Right-click a section under the Style Editor view. Select New Child > Attribute.

2 Specify the attribute name in the Attribute Name window. For example, MyAttribute with no spaces. Click OK.

3 Specify a value under the Value property in the Properties view. For example, This is my attribute value.

The Properties view shows the following values for attributes (attributes are defined through controls and parameters):

- Global: Passed down to subsections.
- Group: Used to group attributes together. These appear as part of a tab in Style Editor’s simple mode.
- Name: The attribute’s name.
- NLS ID: The attribute’s NLS identification.
- Value: The attribute’s value.

You can also show your attribute with another control type. The following example first creates a control, then changes the control type from check box (the default) to something else, such as a text area.

1 Right-click MyAttribute and select New Child > Control.

2 With your cursor on the control you just created, change the control type value to Text Area in the Properties view.

3 Click your section to see the changes take place.

Enabling Documents to Recognize Your Additions

After you have added attributes, your generated document doesn’t include information from these attributes until you do one of the following:

- Make sure your section is a leaf section (does not contain child sections).
- Create a template that uses the attribute explicitly. This is usually the preferred method because you can display the attribute values exactly the way you want.
Method 1: Set the Section Source to “Style”

If you create a section without a template (and the template is a leaf section containing no section children), the default template generates the attribute values with the document. You do not need to do anything. You can generate a document for just that section by right-clicking the section head and selecting Generate Documentation for This Section. Or you can click the Generate Document icon at the top to generate the whole document.

NOTE: Text boxes, text areas, and tables are the only attributes that are generated through the default template (check boxes, selects, and comments are not generated).

Method 2: Add a Template for a Custom Layout

Complete the following tasks:

- “Creating a Template”
- “Creating Another Section and Template”

Creating a Template

1 Right-click your newly created section.

2 Select New Child > Template.

The template has some default content that consists mostly of comments, which helps you get started on your first template. This is shown in the next task; for now, replace the comments in this template with the following XSL commands:

    <xsl:param name="MyAttribute"/>
    <xsl:template name="Section.Body">
        MyAttribute:
        <xsl:call-template name="Format.OutputTextArea">
            <xsl:with-param name="value" select="$MyAttribute"/>
        </xsl:call-template>
    </xsl:template>

There is a Format.OutputTextArea call in the XSL that is a helper function included with the Document Generator Core Support Templates. Because HTML code is allowed in text areas, this ensures that it’s interpreted and escaped properly. If you want to see the core XSL library calls for documentation generation, see “Document Generator Core Support Templates” on page 641.
Your template should look like this:

Figure 13-8 Example Template

Generating a document for this section should give you something like this:

Figure 13-9 Sample Section

Creating Another Section and Template

1 Right-click your newly created section and select New Child > Section. In the Section Name window, name the new section Table of Contents and click OK.

2 Right-click this new section and select New Child > Template.

Carefully read through the comments in this template. These details are important. When you create a custom section, you are inserting some information into the document. As the comments mention, developers usually override one of the following template functions:

- Section Body (most common)
- Section Content
- Section Title

The following image illustrates which section is being defined. As a developer of the style, you write this template to overwrite the area that is of interest. For this example, you should overwrite the Section.Body because you don’t want to change the default behavior of the Title, nor do you want to change the way other sections are related to this one. (You can use the hierarchical view to control this with the default template if necessary.)

3 To overwrite the Section Body, simply uncomment the sample function that is shown in the default template.

If you render your document at this point, you get no content in your Table of Contents (other than the surrounding text). This is because this template assumes that the style source has been specified for this section. To specify the source:

4 Click the Table of Contents section.

5 From the Properties view, set the source to style.

6 Right-click MySection and select Generate Documentation for This Section.
Viewing the Source

When you generate your document, you’ll notice there is an Output XML Source Files option. Click the box next to this option to turn it on. You’ll see .xml source files appear where you are generating the document. These source files are the XML data that is used in your template when you set the source (for example, to “style”). Designer 1.1 and above include the following sources:

Table 13-5 Sources

  Source Key   Description
  none         An empty source, used when no source is specified or when “none” is specified.
  style        The XML source of the style, used to build things like the Table of Contents.
  designer     A source that has been defined by an extension point for the Designer model. This contains all information about the configuration of your Designer project.

13.6.3 Selecting a Language for Generated Documents

You can select the language you want to print the document in.

1 Click Window > Preference > Designer for IDM > Document Generation. Under the Document Language heading, select the language you want to use for document generation. Current languages include:

  Chinese Simplified
  Chinese Traditional
  Dutch
  English (default)
  French
  German
  Italian
  Japanese
  Portuguese Brazil
  Spanish

2 After you select a language, click Apply.
3 Click OK to close the Preference page.

13.6.4 Double-Byte Font Support

Designer now has double-byte font support for the Document Generation feature. If you select a language that uses double-byte characters, such as Chinese Simplified, Chinese Traditional, and Japanese, Designer automatically installs the Proportional Mincho font. You can change this as necessary. A good font that covers both proportional spacing and double-byte support is Arial Unicode MS. For English and other languages, the default font is Arial.
To add a font for your specific language:

1 Click Window > Preference then expand Novell > Identity Manager and select Document Generation. Under Document Appearance, select the font you want to use.

To change the font on a Windows workstation, you must first copy the font file from the C:\Windows\Fonts directory to another directory. You can then use the Browse icon to select the font. To change the font on a Linux workstation, browse to the usr/share/fonts/truetype directory, or to another directory containing the fonts you want.

2 Click the Browse icon to bring up the Open window, change to the directory where you placed the font, then click Open. You can also type the directory and font file name into Font Settings field, or use the drop-down menu to select a font that you have previously selected.
3 Click Apply, then click OK.

Using the above steps globally changes the font in the generated document, and also adds double-byte font support for your selections.

14 Using Entitlements

Identity Manager allows you to synchronize data between managed systems. Entitlements allow you to set up criteria for a person or group that, once met, initiate an event to grant or revoke access to business resources within the managed system. You can think of an entitlement as a permission slip. For example, if you want a new employee to be given an Active Directory account when he is added to your Human Resource system, he must have a permission slip, or entitlement, for the Active Directory account. If the user doesn’t have the permission slip, he doesn’t receive the account. This gives you one more level of control and automation for granting and revoking resources.

Use Designer to create entitlements and deploy them into existing Identity Manager drivers.
Designer allows you to create entitlements through the Entitlement Wizard, which gives you a graphical interface where you can create the entitlement step by step. Because of this graphical interface, we recommend using Designer for creating and editing entitlements.

There are four aspects to making entitlements work effectively: design, creation, editing, and management.

  Section 14.1, “How Entitlements Work,” on page 381
  Section 14.2, “Designing Entitlements,” on page 383
  Section 14.3, “Creating Entitlements through the Entitlement Wizard,” on page 387
  Section 14.4, “Editing and Viewing Entitlements,” on page 401
  Section 14.5, “Managing Entitlements,” on page 406

14.1 How Entitlements Work

The following diagram shows the basic entitlement process.

Figure 14-1 Basic Overview of Entitlements

1. An entitlement agent grants an entitlement to a user. There are three ways that entitlements are granted to a user:

Role-Based Entitlements: The Entitlements Service driver grants the entitlement based on criteria that places the user in a particular role (or group). These criteria can be based on any event that occurs in the Identity Vault. For example, adding a new employee in an HR system causes a User object to be created in the Identity Vault. Creation of the new User object is the criterion that causes the Entitlements Service driver to grant the Active Directory User Account entitlement to the user. To create role-based entitlements in Designer, see Section 14.3, “Creating Entitlements through the Entitlement Wizard,” on page 387.

User Application Role Based Provisioning: The user receives a role assignment through the User Application. The User Application’s Role Service driver grants the user any entitlements associated with the new role. For example, a user is assigned an Accountant role that requires access to the Accounting group in Active Directory. The Role Service driver grants the Active Directory Group Membership entitlement to the user.
To create entitlements for role based provisioning, use the Role editor. See “Specifying Entitlements” in the User Application: Design Guide.

User Application Workflow-Based Provisioning: A provisioning workflow grants the entitlement to the user. For example, a new employee is added to the HR system, which causes a User object to be created in the Identity Vault. Creation of the new User object initiates a workflow that grants the Active Directory User Account entitlement to the user. Creating entitlements to use with workflow-based provisioning is an involved process. To get you started, see “Configuring Provisioning Request Definitions” in the User Application: Design Guide.

2. When an entitlement is added to or removed from a user’s DirXML-EntitlementRef attribute, any entitlement-enabled drivers begin to process the event. To monitor users for entitlement changes, drivers must have the DirXML-EntitlementRef attribute added to their Subscriber channel filter.

3. The driver processes the entitlement event against the Subscriber channel policies. If the entitlement event is for an entitlement that applies to the driver, the policies are processed. Otherwise, no processing occurs. In Figure 14-1, the Grant User Account policy is processed because:

  a. The Active Directory User Account entitlement was added to the user’s DirXML-EntitlementRef attribute.
  b. The User Account entitlement is defined on the Active Directory driver.

Likewise, if the Active Directory User Account entitlement is later removed from the user’s DirXML-EntitlementRef attribute, the Revoke User Account policy is processed.

4. The policies trigger the granting or revoking of access to the entitled resource. In Figure 14-1, the Grant User Account policy triggers the creation of a user account in Active Directory.

14.2 Designing Entitlements

You must know beforehand what you want to accomplish with entitlements.
Entitlements work from the functionality you build into Identity Manager drivers through policies. These driver policies implement rules and process the events between the Identity Vault and the managed system. If the policies in the Identity Manager driver do not specify what you want to do, entitlements cannot work. For example, if you don’t specify the action section of the Check User Modify for Group Membership rule in the Command policy, attempts to grant or revoke a group membership entitlement are ignored.

When you know what you want to accomplish with Identity Manager, you can correctly design granting and revoking capabilities for any managed system resources. The following four-step procedure can help you plan to create and use entitlements:

1. Know what you want to accomplish in your business situation. You can design and implement many business solutions through Identity Manager, but you need to know what you want to do before implementing something that isn’t defined. Make a numbered list of what you want to do.

2. Define an entitlement that represents one item from your numbered list. You can create valueless and valued entitlements. Valued entitlements can get their values from an external query, they can be administrator-defined, or they can be free-form. There are examples in Section 14.3, “Creating Entitlements through the Entitlement Wizard,” on page 387.

3. Add policies to the Identity Manager Driver to implement the designed entitlement. To create a policy for an Identity Manager driver, you need to be conversant with XSLT or DirXML script to define the way the managed system handles and receives information, and the way Novell eDirectory stores information. Unless you are a good DirXML programmer, this is a job for consultants.

4. Set up a managing agent to grant or revoke the entitlement. If you want an automated process, use Role-Based Entitlements; if you want a manual process, use the User Application’s workflow-based provisioning feature.
See “Understanding Entitlements” in the Identity Manager 4.0.2 Entitlements Guide.

As you plan your entitlements, use the following sections for more information.

  Section 14.2.1, “Terminology,” on page 384
  Section 14.2.2, “Entitlement Prerequisites,” on page 384
  Section 14.2.3, “Identity Manager Drivers with Preconfigurations that Support Entitlements,” on page 384
  Section 14.2.4, “Enabling Entitlements on Identity Manager Drivers,” on page 385

14.2.1 Terminology

Following are some terms that are used throughout this section.

Entitlement: An Identity Vault object that represents a business resource in a managed system.

Entitlement Service driver: Grants and revokes entitlements. For Role-Based Entitlements, the agent is the Entitlements Service driver, which must be initiated for entitlements to work.

Grant or revoke: Granting or revoking an entitlement is controlled by Global Configuration Variables (GCVs) on an Identity Manager driver.

Entitlement consumer: Anything that uses entitlement-related information. Entitlement consumers include iManager, the User Application, and Identity Manager policies.

14.2.2 Entitlement Prerequisites

  eDirectory 8.7.3 or eDirectory 8.8 with the latest Support Pack

  Identity Manager 3 or later

  An Entitlements Service driver
    You must have an Entitlements Service driver in each driver set where you want to use entitlements. This requires a very simple, two-step setup for each driver set. To do this, see “Creating Entitlements” in the Identity Manager 4.0.2 Entitlements Guide.

  A driver configuration that supports entitlements
    Before you can use entitlements with a managed system, do one of the following:
      Import the Identity Manager driver configuration for the driver and specify that the driver has entitlements enabled.
      Enable your driver to support entitlements. To do this:
        1. Create entitlements using Designer.
        2. Add the DirXML-EntitlementRef attribute to your driver filter as described in Section 14.2.4, “Enabling Entitlements on Identity Manager Drivers,” on page 385.
        3. Write policies to implement the entitlements you create in Step 1 under Section 14.2, “Designing Entitlements,” on page 383.

14.2.3 Identity Manager Drivers with Preconfigurations that Support Entitlements

The following drivers include configuration files that already contain entitlements and the policies required to implement the entitlements. These entitlements support the most common scenarios: granting and revoking user accounts, groups, and e-mail distribution lists.

  Active Directory: Grant and revoke accounts, group membership, Exchange Mailbox
  GroupWise: Grant and revoke accounts, grant and revoke members of distribution lists
  LDAP: Grant and revoke user accounts
  Linux and UNIX: Grant and revoke accounts
  Lotus Notes: Grant and revoke user accounts and group memberships
  RACF: Grant and revoke group accounts and group memberships

These are example entitlements and policies that you can use as is if they meet your needs. If not, you can modify them to meet your needs, or you can use them as examples as you implement additional entitlements.

14.2.4 Enabling Entitlements on Identity Manager Drivers

Before you can use entitlements, you must first ensure that your driver has entitlements enabled. You can do this through the Entitlements Wizard as you finish creating entitlements; this applies to both preconfigured and non-preconfigured drivers. However, if you want to use the preconfigured driver’s entitlements and the infrastructure that supports them, you must enable entitlements when you initially create a driver in Designer or iManager; the preconfigured policies and rules that support the preconfigured entitlements cannot be added later without re-creating the driver.
If you import a driver that has entitlements enabled into Designer from an Identity Vault, the imported driver also has entitlements enabled. If you deploy a driver that has entitlements enabled into an Identity Vault, the deployed driver also has entitlements enabled.

You can see if your preconfigured drivers have entitlements enabled by clicking the Outline view, then clicking the Subscriber channel of your selected driver. If entitlements are enabled, you should see the preconfigured entitlements appear under the Subscriber Channel.

If entitlements do not appear under the Subscriber Channel in the Outline view, entitlements were not enabled when the driver was initially installed. However, you can still use entitlements on preconfigured Identity Manager drivers that do not have entitlement preconfigurations enabled. To do this, run the Entitlement Wizard. The last page in the Entitlement Wizard asks if you want to add the DirXML-EntitlementRef attribute to the driver filter, with Yes selected. Click OK. However, because the policies and rules are not in place on the driver, you won’t be able to use their preconfigured entitlements without adding those supporting policies and rules yourself.

Figure 14-2 Enabling Entitlements

You can also use entitlements on Identity Manager drivers that do not contain entitlement preconfigurations. To enable your driver to support entitlements, add the DirXML-EntitlementRef attribute to your driver filter. Run the Entitlement Wizard as described above to add the DirXML-EntitlementRef attribute to the driver filter.

14.3 Creating Entitlements through the Entitlement Wizard

Designer comes with an Entitlement Wizard. This wizard steps you through the creation of entitlements by asking a series of questions about how the entitlement will be used in the enterprise.
Use one of the following methods to access the Entitlement Wizard:

To access the Entitlement Wizard from the Outline view:

1 Right-click a Driver object, then click New > Entitlement.

To access the Entitlement Wizard from the Modeler view:

1 Right-click the driver icon, then click New > Entitlement.

There are two types of entitlements that you can create: valueless and valued. The type you use depends on whether you need to pass additional information to the policies.

  Section 14.3.1, “Valueless Entitlements,” on page 388
  Section 14.3.2, “Valued Entitlement that Queries an External Application,” on page 390
  Section 14.3.3, “Administrator-Defined Entitlements with Lists,” on page 396
  Section 14.3.4, “Administrator-Defined Entitlements without Lists,” on page 399

14.3.1 Valueless Entitlements

A valueless entitlement has no values to go with it. An example is the Account Entitlement for Active Directory, which is used to turn on account capabilities. You use valueless entitlements if you don’t need to pass any extra information to driver policies.

To create a valueless entitlement:

1 Right-click the driver icon in the Outline view or in the Modeler view, then click New > Entitlement.
2 Type the name and description information. For this example, the entitlement is named Account, with a description of “This is an Account Entitlement.” Click Next.
3 Because this first example is valueless, select No to “Do you want this entitlement to include values?”
4 Click Finish.
5 In the Add To Filter dialog box, answer Yes if you want the driver to listen for this entitlement. This enables entitlements for the driver.

The DirXML-EntitlementRef attribute allows the driver filter to listen for entitlement activities. This is necessary in order to use the entitlements you are creating.
If you don’t want to see the Add To Filter window on every entitlement you are creating for any driver in Designer, select Remember Selection - Don’t Prompt Again, then click OK. However, after the attribute is added to this driver filter, you won’t see the Add To Filter window again.

If you have a file conflict, you are asked to save the editor’s changes before continuing. Once the editor is saved, the entitlement displays in the Modeler view.

14.3.2 Valued Entitlement that Queries an External Application

Values are a way of passing data that you might need to use in policies. Valued entitlements can get their values from an external query; they can be administrator-defined, or they can be free-form.

1 Right-click the driver icon in the Outline view or in the Modeler view, then click New > Entitlement.
2 Give the entitlement a name. This example uses Application Query, with the Use Name for Display Name option selected. In the Description box, type Looks for the Class name of Groupx, then click Next.
3 On the Set Entitlements Values page, select Yes so you can query values from an application or define a group of values, then click Next.
4 The next Set Entitlements Values page allows you to define where you get the values for this entitlement. Valued entitlements can get their values from an external query, or they can be administrator-defined. For this example, select the Values from an application query option, then click Next.

The Define Application Query window combines two steps: defining the query and mapping the query results.

5 To fill in the Class Query, click the Schema Browser icon on the right side of the Class entry.
6 The Schema Browser shows you the Classes in the eDirectory namespace that are available.
If you know the name of the Class type you want to query, click any entry in the Classes tab, then start typing the Class name. The browser jumps to the alphabetical position of what you type. Select the Class name, then click OK.

7 Type the base distinguished name (DN) and the scope. For this example, select the Class Group, at the Base Distinguished Name of Blanston, with the Scope of subtree (choices are subtree, entry, and subordinates).

This example maps the query results from the managed system to certain values that entitlement consumers can use. At present, the consumers are iManager managing Role-Based Entitlement policies and the User Application managing workflow-based provisioning entitlements. The Value From Query information prepopulates the consumer’s user interface with the following:

Display Name: Defines the attribute that displays in the list of values. The example selects Source Distinguished Name for the display name. Click the drop-down button on the Display Name shown to entitlement consumers list to see a list of attributes associated with the class you selected through the Schema Browser. The list includes both the attributes and the inherited attributes for the selected class.

Description: Defines the attribute that displays as a description for that value. For the description, select Description from the Value drop-down list to map the query results from the managed system to the entitlement.

Value: Defines the attribute or token that is the actual value. The Value entry is not seen in the entitlement consumer, but it is the value that is assigned when the entitlement is granted or revoked. In this case, choose Association.

If you do not use the Schema Browser icon when selecting the class, you see only two selections in the Value From Query lists: Association and Source Distinguished Name. If these attributes suit your needs, use them.
You can also type the attribute name into the text field. However, if you want to select the attributes from the lists, use the Schema Browser icon when selecting a class for the query. You see the attributes and inherited attributes for the selected class.

8 When the values are filled out, select Next.
9 In the Assign Multiple Values window, select Yes if you want the entitlements to be granted more than once and with different values. If you select No, the entitlement can only be granted once. For this example, click Yes, then click Next.

It makes sense to assign group entitlements with multiple values, but it does not make sense to assign an account entitlement more than once.

10 You are asked if this entitlement is intended to be used by Role-Based Entitlement policies through iManager. If you want this entitlement to be granted or revoked automatically, select Yes to the Role-Based Entitlements question, click Next, then continue with Step 11.

or

If you want the granting or revoking of this entitlement to be a manual process (approved by someone), select No to use the User Application, then skip to Step 12.

We recommend that you have only one agent control an entitlement. If multiple agents are in control, you have the following consequences:

  Whatever comes last controls the entitlement results
  Results are unpredictable
  Using both agents to control an entitlement is not supported by Novell

11 (Conditional) If you select Yes to the Role-Based Entitlements question, you are asked if you want to use the Role-Based Entitlements priority to resolve any conflicts that might happen when this entitlement is assigned more than once with different values. You can resolve the conflict by either using Role-Based Entitlements priority, or by merging the values.

Merging the values merges the entitlements of all involved Role-Based Entitlement policies, so if one policy revokes an entitlement but another policy grants an entitlement, the entitlement is eventually granted.
Solving conflicts by priority works if you need to ensure that only one policy is applied to this entitlement at any time. This example uses priority.

12 Click Finish.

For this example, the query values look for the Source Distinguished Name attribute of the Class name of Group, starting from the Base DN (Blanston) and checking through the subtree from that beginning point. The values that come back from the query are similar to the following:

    <instance class-name="Group" src-dn="o=Blanston,cn=group1">
      <association>o=Blanston,cn=group1</association>
      <attr attr-name="Description"> the description for group1</attr>
    </instance>
    <instance class-name="Group" src-dn="o=Blanston,cn=group2">
      <association>o=Blanston,cn=group2</association>
      <attr attr-name="Description"> the description for group2</attr>
    </instance>
    <instance class-name="Group" src-dn="o=Blanston,cn=group3">
      <association>o=Blanston,cn=group3</association>
      <attr attr-name="Description"> the description for group3</attr>
    </instance>
    <!-- ... -->

The information received from the query fills in the various fields. For instance, the <displayname> field receives o=Blanston,cn=group1. The <description> field receives the description for Group1, and the <ent-value> field receives o=Blanston,cn=group1. Because more than one group exists and meets the query criteria, this information is also collected and shown as other instances of the query.

The association format value is unique for every external system, so the format and syntax are different for each external system queried.

13 In the Add To Filter window, click Yes if you want the driver to listen for this entitlement. This enables entitlements for the driver.

The DirXML-EntitlementRef attribute allows the driver filter to listen for entitlement activities. This is necessary in order to use the entitlements you are creating.
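The mapping described above, from query results to the display name, description and value that an entitlement consumer receives, as an added Python example that is not part of the Novell guide or of Designer. The function and class names are hypothetical; the first three instances repeat the guide's sample, and the last two are constructed to show entries that should not be offered for granting.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The two tokens the guide lists under "Value From Query" when no class
# attribute is picked; any other string is treated as an attribute name.
ASSOCIATION = "Association"
SOURCE_DN = "Source Distinguished Name"

# Instances 1-3 repeat the guide's sample output. Instances 4 and 5 are
# constructed for this example: one has no association, one is another class.
SAMPLE_RESULTS = """
<instance class-name="Group" src-dn="o=Blanston,cn=group1">
  <association>o=Blanston,cn=group1</association>
  <attr attr-name="Description"> the description for group1</attr>
</instance>
<instance class-name="Group" src-dn="o=Blanston,cn=group2">
  <association>o=Blanston,cn=group2</association>
  <attr attr-name="Description"> the description for group2</attr>
</instance>
<instance class-name="Group" src-dn="o=Blanston,cn=group3">
  <association>o=Blanston,cn=group3</association>
  <attr attr-name="Description"> the description for group3</attr>
</instance>
<instance class-name="Group" src-dn="o=Blanston,cn=group4">
  <attr attr-name="Description">group with no association yet</attr>
</instance>
<instance class-name="User" src-dn="o=Blanston,cn=user1">
  <association>o=Blanston,cn=user1</association>
</instance>
"""


@dataclass(frozen=True)
class EntitlementValue:
    display_name: str  # shown in the consumer's list of values
    description: str   # shown next to the display name
    ent_value: str     # not shown; assigned when granted or revoked


def _clean(text):
    """Collapse whitespace runs; tolerate a missing element or attribute."""
    return " ".join((text or "").split())


def _field(instance, source):
    """Resolve one mapping source against a single <instance> element."""
    if source == ASSOCIATION:
        return _clean(instance.findtext("association"))
    if source == SOURCE_DN:
        return _clean(instance.get("src-dn"))
    for attr in instance.findall("attr"):
        if attr.get("attr-name") == source:
            # itertext() also picks up text held in nested child elements.
            return _clean("".join(attr.itertext()))
    return ""


def map_query_results(fragment, class_name="Group", display=SOURCE_DN,
                      description="Description", value=ASSOCIATION):
    """Return (accepted, rejected) for a query-result fragment.

    accepted: EntitlementValue entries a consumer could safely list.
    rejected: (src-dn, reason) pairs for instances that must not be listed.
    """
    # The results are a run of <instance> elements with no single root,
    # so wrap them in one before parsing.
    root = ET.fromstring("<results>" + fragment + "</results>")
    accepted, rejected, seen = [], [], set()
    for inst in root.iter("instance"):
        src_dn = _clean(inst.get("src-dn"))
        if inst.get("class-name") != class_name:
            rejected.append((src_dn, "unexpected class"))
            continue
        entry = EntitlementValue(_field(inst, display),
                                 _field(inst, description),
                                 _field(inst, value))
        if not entry.ent_value:
            # Granting this entry would assign an empty value.
            rejected.append((src_dn, "no value to grant"))
        elif entry.ent_value in seen:
            rejected.append((src_dn, "duplicate value"))
        else:
            seen.add(entry.ent_value)
            accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = map_query_results(SAMPLE_RESULTS)
    for e in ok:
        print(f"{e.display_name} | {e.description} | {e.ent_value}")
    for src_dn, reason in bad:
        print(f"skipped {src_dn}: {reason}")
```

Reviewing the rejected list before a consumer shows the values catches entries whose hidden value is empty or repeated, which the display name alone does not reveal.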
If you don’t want to see the Add To Filter window on entitlements you are creating for any driver in Designer, select Remember Selection - Don’t Prompt Again, then click OK. However, after the attribute is added to this driver filter, you won’t see the Add To Filter window again.

If you have a file conflict, you are asked to save the editor’s changes before continuing. When the editor is saved, the entitlement displays in the Modeler view.

14.3.3 Administrator-Defined Entitlements with Lists

The example in the following procedure is an administrator-defined entitlement that allows you to select a listed entry. This type of entitlement is best used through Workflow entitlements rather than Role-Based Entitlements.

1 Right-click the driver icon in the Outline view or the Modeler view, then click New > Entitlement.

In this example, the entitlement name is Admin-defined, but the defined display name is Admin-defined Entitlement. You need to define a display name only if you want the display name to be different from the name you called the entitlement; otherwise, you can just use the entitlement name as the display name. In this example, the Description field is defined as This will show Administrator-defined Values.

2 Click Next.
3 In the Set Entitlement Values window, select Yes to the question “Do you want this entitlement to include values?” Click Next.
4 In the next Set Entitlement Values window, select Administrator Defined Values, then click Next.
5 In the Define Values window, type the values you want to add to the Entitlement Value entry, click Add to add the value to the Defined List pane, then click Next.

In this example, the values are corporate buildings: Building A through Building D.
Through an entitlement client, such as an iManager Role-Based Entitlement task or through the user application, users or defined-task managers can specify the building information, which is then included in an external application, such as Novell eDirectory.

Use the Remove icon to remove a value, or use the Edit icon to edit a value.

6 In the Assign Multiple Values window, select Yes if you want the entitlements to be granted more than once and with different values. If you select No, the entitlement can only be granted once. For the example, click No, then click Next.

It makes sense to assign group entitlements with multiple values, but it does not make sense to assign building letters more than once.

7 You are asked if this entitlement is intended to be used by Role-Based Entitlement policies through iManager. If you want this entitlement to be granted or revoked automatically, select Yes to the Role-Based Entitlements question, click Next, then continue with Step 8.

or

If you want the granting or revoking of this entitlement to be a manual process (approved by someone), select No to use the User Application, then skip to Step 9.

We recommend that you have only one agent control an entitlement. If multiple agents are in control, you have the following consequences:

  Whatever comes last controls the entitlement results
  Results are unpredictable
  Using both agents to control an entitlement is not supported by Novell

8 (Conditional) If you select Yes to the Role-Based Entitlements question, you are asked if you want to use the Role-Based Entitlements priority to resolve any conflicts that might happen when this entitlement is assigned by different Role-Based Entitlement Policies with different values. You can resolve the conflict by either using the Role-Based Entitlements priority, or by merging the values. This example merges the values.
Merging the values merges the entitlements of all involved Role-Based Entitlement policies, so if one policy revokes an entitlement but another policy grants an entitlement, the entitlement is eventually granted. Solving conflicts by priority works if you need to ensure that only one policy is applied to this entitlement at any time.

9 Click Finish.
10 If you see the Add To Filter window, answer Yes if you want the driver to listen for this entitlement. This enables entitlements for the driver. The DirXML-EntitlementRef attribute allows the driver filter to listen for entitlement activities, which is necessary in order to use the entitlements you are creating.

or

If you don’t want to see the Add To Filter window on entitlements you are creating for any driver in Designer, select Remember Selection - Don’t Prompt Again, then click OK. However, after the attribute is added to this driver filter, you won’t see the Add To Filter window again.

Before you can edit this entitlement, you are asked to save the editor’s changes before continuing. When the editor is saved, the entitlement displays in the Modeler view.

14.3.4 Administrator-Defined Entitlements without Lists

The example in the following procedure is an administrator-defined entitlement that forces the administrator to type a value. You can use this kind of entitlement if you cannot create a task list because you do not have all of the information at the initial setup.

1 Right-click the driver icon in the Outline view or the Modeler view, then click New > Entitlement.

In this example, the entitlement name is Admin-defined (no lists), and it uses the entitlement name as the displayed name because the Use Name For Display Name option is selected.

2 Click Next.
3 Select Yes on the Set Entitlement Values page, then click Next.
4 Select Administrator Defined Values on the second Set Entitlement Values page, then click Next.
5 Select No to the question “Do you want to define a list of values?” on the Define Values page, then click Next.

Selecting this option allows the administrator or users to type a value. Be aware that using this option can be risky, because wrong or misspelled information can cause the value to be incorrect and the action in the entitlement to fail.

6 Select No to the question “Allow this entitlement to be assigned multiple times with different values?” on the Assign Multiple Values page, then click Next.
7 You are asked if this entitlement is intended to be used by Role-Based Entitlement policies through iManager. If you want this entitlement to be granted or revoked automatically, select Yes to the Role-Based Entitlements question, click Next, then continue with Step 8.

or

If you want the granting or revoking of this entitlement to be a manual process (approved by someone), select No to use the User Application, then skip to Step 9.

We recommend that you have only one agent control an entitlement. If multiple agents are in control, you have the following consequences:

  Whatever comes last controls the entitlement results
  Results are unpredictable
  Using both agents to control an entitlement is not supported by Novell

8 (Conditional) If you select Yes to the Role-Based Entitlements question, you are asked if you want to use the Role-Based Entitlements priority to resolve any conflicts that might happen when this entitlement is assigned by different Role-Based Entitlement Policies with different values. You can resolve the conflict by either using the Role-Based Entitlements priority, or by merging the values. This example uses priority.

Merging the values merges the entitlements of all involved Role-Based Entitlement policies, so if one policy revokes an entitlement but another policy grants an entitlement, the entitlement is eventually granted.
Solving conflicts by priority works if you need to ensure that only one policy is applied to this entitlement at any time.

9 Click Finish.

10 If you see the Add To Filter window, answer Yes if you want the driver to listen for this entitlement. This enables entitlements for the driver. The DirXML-EntitlementRef attribute allows the driver filter to listen for entitlement activities, which is necessary in order to use the entitlements you are creating.

or

If you don’t want to see the Add To Filter window on entitlements you are creating for any driver in Designer, select Remember Selection - Don’t Prompt Again, then click OK. However, after the attribute is added to this driver filter, you won’t see the Add To Filter window again.

Before you can edit this entitlement, you are asked to save the editor’s changes before continuing. When the editor is saved, the entitlement displays in the Modeler view.

14.4 Editing and Viewing Entitlements

After you have created entitlements, you might need to edit them. You can also use the Edit mode to see the entitlements in their XML source code.

  Section 14.4.1, “Entitlement XML Source and XML Tree Views”
  Section 14.4.2, “Using the Novell Entitlement DTD”

To edit an entitlement:

1 From the Outline view, right-click an entitlement that appears under the Subscriber channel of the selected driver, then click Edit.

or

Double-click the entitlement icon to bring up the entitlement in the Entitlement editor. You can also right-click the driver icon in the Modeler view, then select Edit Entitlements.

2 If you have more than one entitlement for the selected driver, you see the Edit Entitlements windows listing the available entitlements. Select an entitlement, then click OK. The entitlement appears in the Entitlement editor.

The Entitlement Editor view shows you all of the pages and choices that you see in the Entitlement Wizard, but the information is on one page.
Entitlement Editor: Displays the full DN name for the entitlement. If there is a conflict with the entitlement name or some other error, you see a red icon to the left of the Entitlement editor name, followed by an error message.

Name and Description: Allows you to edit the name, the display name, and the description that you have given to this entitlement.

Multi-Value: Allows you to select if you want an entitlement to be assigned multiple times.

Role-Based Entitlements: Allows you to select conflict resolution for Role-Based Entitlements. If you do not select Role-Based Entitlements, the Role-based entitlements with priority icon is the default.

Values: Allows you to choose how values are defined: no values, administrator defined values, or values from an application.

The information that appears in the Entitlement editor depends on what you initially defined in the entitlement. If you choose to edit a valueless entitlement, the Values heading displays No Values.

If you are editing a valued entitlement and you want to add values to a list, type the value in the Value field and click Add. If you want to remove a value, select the value in the Values list and click Remove.

If you don’t want to select from a list, select Administrator Defined Values under the Values heading and leave the Values list blank. This gives you a blank text box in iManager or in the user application, and you can fill in the value there.

3 When you have made your changes to the entitlement, click the Save icon in the upper left corner of Designer, or click the X on the entitlement’s tab to display a Save Resource window, allowing you to save changes (Yes/No/Cancel).

14.4.1 Entitlement XML Source and XML Tree Views

To view the entitlement in XML source code:

1 From the Outline view, right-click an entitlement that appears under the Subscriber channel of the selected driver, then click Edit.
or

Double-click the entitlement icon to bring up the entitlement in the Entitlement editor. You can also right-click the driver icon in the Modeler view, then select Edit Entitlements.

2 To see the XML Source view, click XML Source at the bottom of the Entitlement Editor view.

The XML Source view shows the XML code in a formatted state. The upper right corner of the XML Source view has the following selections:

Expand All: Allows you to see all items under the item that you have selected.

Collapse All: Allows you to collapse all items that you have selected.

Attach XML Catalog Entry, XML Schema, or DTD: Allows you to attach an XML Catalog entry, an XML schema file, or a DTD (Document Type Definition) file. For default Windows installation, the DTD for entitlements is found under C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.entitlements_1.1.0\DTD\dirxmlentitlements.dtd.

Copy XML to Clipboard: Allows you to copy highlighted XML code to the clipboard. This action removes the DOCTYPE element.

Find/Replace (Ctrl+F): Ctrl+F brings up the Find/Replace window, which allows you to query text, structure, and XPath searches in a forward or a backward direction. Other options include case sensitive, wrap search, whole word, incremental, and regular expressions search capabilities.

Help: Opens the Help view to the right of the XML Source view.

Right-clicking in the XML Source view brings up the following options:
  Undo Text Change (Ctrl+Z)
  Revert File
  Save
  Cut (Ctrl+X)
  Copy (Ctrl+C)
  Paste (Ctrl+V)
  Format the document or active elements
  Clear Validation Errors
  Validate
  Preferences

3 To see the XML Tree view, click XML Tree at the bottom of the Entitlement Editor view.

The XML Tree view is a tree control view of the XML source code. You can perform the same edits in this view as you can in the Entitlement Editor view or the XML Source view.
To view the entitlement in XML Tree view, select XML Tree at the bottom of the Entitlement Editor view.

The upper right corner of the XML Tree view menu contains the following selections:

Expand All: Allows you to see all items under the item that you have selected.

Collapse All: Allows you to collapse all items that you have selected.

Attach XML Catalog Entry, XML Schema, or DTD: Allows you to attach an XML Catalog entry, an XML schema file, or a DTD (Document Type Definition) file. For default Windows installation, the DTD for entitlements is found under C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.entitlements_1.1.0\DTD\dirxmlentitlements.dtd.

Find/Replace (Ctrl+F): Brings up the Find/Replace window, which allows you to query text, structure, and XPath searches in a forward or a backward direction. Other options include case sensitive, wrap search, whole word, incremental, and regular expressions search capabilities.

Help: Opens the Help view to the right of the XML Tree view.

Right-clicking in the XML Tree view can bring up a number of different options. For example, right-clicking the highlighted value on the right side presents the following options:
  Undo
  Cut
  Copy
  Paste
  Delete
  Select All

Right-clicking an attribute on the left side in the XML Tree view presents the following options:
  Remove
  Edit the Selected Attribute
  Replace with a value

Depending on what you select on the left side in the XML Tree view, you see different options.
For example, right-clicking an element presents the following options:
  Remove Element
  Add New Attribute
  Add to a Child Element a Comment, a Processing Instruction, a PCDATA, a CDATA Section, a new Element
  Add Before a Comment, a Processing Instruction, a PCDATA, a CDATA Section, a new Element
  Add After a Comment, a Processing Instruction, a PCDATA, a CDATA Section, a new Element

14.4.2 Using the Novell Entitlement DTD

Some entitlements come predefined on drivers that have entitlements enabled. (For a list of these drivers with predefined entitlements, see Section 14.2.3, “Identity Manager Drivers with Preconfigurations that Support Entitlements.”) You can use these entitlements or you can create your own entitlements in iManager or Designer.

To help you create your own entitlements, you can use the Novell Entitlement DTD as an example. For an example of the Novell Entitlement DTD and an explanation of its functionality, see the “Writing Entitlements in XML” section of the Identity Manager 4.0.2 Entitlements Guide.

14.5 Managing Entitlements

After you create entitlements (or use entitlements that come preconfigured with certain Identity Manager drivers), you need to manage them. Entitlements are tied into the eDirectory event system, and granting and revoking are initiated through two agents:
  iManager through Role-Based entitlement policies
  The User Application as workflow entitlements

Role-Based Entitlements allow you to automatically grant or revoke business resources if the criteria are met. In order for workflow entitlements to work with the User Application, manual approval is first required.

For instance, you can specify that if a user has A, B, and C qualifications, then the user is made a member of Group H; but if the user has E and F qualifications, he or she is made a member of Group I. Through Role-Based Entitlements, this action is done automatically, as long as the conditions are met.
In order for this entitlement to work with workflow entitlements, the User object must first acquire approval, which you need to set up through the User Application. However, if you do not add to the driver the policies and rules to interpret the event in the designated system, granting and revoking entitlements has no effect.

Use either Role-Based Entitlements or workflow entitlements. It is not a good idea to mix them to manage the same resource.

We recommend that you have only one agent control an entitlement. If multiple agents are in control, you have the following consequences:
  Whatever comes last controls the entitlement results
  Results are unpredictable
  Using both agents to control an entitlement is not supported by Novell

15 Scheduling Jobs

Designer has a job scheduling utility to schedule events, such as setting the system to disable an account on a specific day, or initiating a workflow to request an extension for a person’s access to a corporate resource. You can use it to do the following tasks:
  Create a Job object from an installed job definition.
  Define when a job is to run, which servers the job is to run on, the scope of the job in terms of eDirectory objects, and the job reports for intermediate and final results.
  Set values for the job’s parameters, its description, and display name.
  Enable or disable a job, manually start a job, stop a job that is running, and display a list of running jobs.

Figure 15-1 High-level View of the Job Scheduler Process

  Section 15.1, “Job Scheduler Components”
  Section 15.2, “Creating a Job”
  Section 15.3, “Editing a Job”

15.1 Job Scheduler Components

The Job Scheduler consists of the following principal components:

Job Manager: Responsible for launching scheduled jobs.
It runs in the background on each Identity Manager server and checks every minute to see if a job needs to run, based on the job definition. When it encounters a job that needs to run, the Job Manager runs the appropriate Job Implementation.

Job Object: An object you create in Designer. It contains all the information necessary to invoke the job, including the name, description, schedule, server list, and XML job definition.

Job Definition: An XML description of all the parameters necessary to perform a specific job, including the Job Implementation used to actually perform the job on the target servers. The Job Definition is an XML attribute associated with the Job Object.

Job Implementation: A JAR file that contains the Java classes that perform the job on the target Identity Manager server. Each server where you want a job to run must have a copy of the Job Implementation file. At the designated time, as specified in the Job Definition, Job Manager runs the Job Implementation to perform the job.

15.2 Creating a Job

1 In the Outline view, right-click a driver and select New > Job.

You can also right-click a driver set and select New > Job to create a driver health job. For more information about driver health configuration and the driver health job, see Section 4.7.5, “Driver Health Configuration.”

This opens the New Job page.

2 In the Names field, specify a descriptive name for the job, or use the default name provided.

3 Select Installed to create a job using an existing job definition, or select Custom to create a custom job definition for this job.

3a If you are creating a job from an existing job definition, select the job definition you want to use from the list of available jobs.

The New Job Wizard comes with three job definitions.

Random Password Generator: Generates a random password for each object in the job’s scope. The password is generated by NMAS to match the Password Policy object that the job references.
These Password Policy objects are not usually the same as those used for eDirectory user password policies.

The job submits the generated passwords one at a time to the driver’s Subscriber channel. The Subscriber channel policies must do something useful with the passwords.

Schedule Driver: Starts or stops the associated driver. You can also toggle a driver to start the driver if it is stopped or to stop the driver if it is running.

Subscriber Channel Trigger: Submits zero or more trigger documents to the Subscriber channel. The submission can either be a document per object if a scope is defined, or it can be a single trigger event if no scope is defined.

Trigger event documents identify the job and the scope object. A trigger event can bypass the cache and go to the head of the queue if desired. You will probably use trigger jobs the most; they allow you to use driver policies that you can customize for your personal requirements.

Click the Update Job Definitions from Server icon to display any custom job definitions on the selected server. Because Designer is an offline modeling tool, only the Identity Manager job definitions display by default.

3b If you are creating a custom job definition, paste the job definition XML into the code field. The code field isn’t designed for entering XML directly, although you can do so if desired.

Identity Manager provides a Job Scheduler DTD that defines the XML structure for job definitions. For more information, see “Jobs DTD” in the Identity Manager 4.0.2 DTD Reference.

The Job Scheduler automatically validates the custom job XML against the DTD specified in the content, or against the default Job Scheduler DTD if none is specified. It marks any errors it finds so you can review them, and requires you to fix serious errors before allowing you to save the custom job.

4 In the Run Jobs on Servers field, select the servers where you want to run the job.
5 Select Edit Job configuration after creating the object if you want Designer to open the newly created job in the Job Editor window after saving the job object.

6 Click OK.

The File Conflict window informs you that you must save the job object to continue.

7 Click Yes to save the job and continue.

8 Continue with “Job Editor Selections on the General Settings Page.”

15.2.1 Copying a Job

There are two ways to create a new job based on an existing job:
  In the Outline view, right-click an existing job object, then select Copy. This creates a duplicate job object in the same location as the original job object.
  Right-click a driver, then select New > Copy From. This is useful if you want to create a job in a different location from the original job object, such as in a different driver.

In either case, once you create the new job object, you can then edit the job as needed to fit your needs. For more information, see Section 15.3, “Editing a Job.”

15.3 Editing a Job

After you create a job, you need to add the necessary information to make the job useful. To edit a job, double-click a newly created job in the Outline view to bring up the job in the Job Editor view.

Figure 15-2 The Job Editor View

The Job Editor has four tabs at the bottom of its view:
  Section 15.3.1, “Job Editor Selections on the General Settings Page”
  Section 15.3.2, “Job Editor Selections on the Job Parameters Page”
  Section 15.3.3, “Job Editor Selections on the Scheduler Page”
  Section 15.3.4, “Job Editor Selections on the Notification Settings Page”

15.3.1 Job Editor Selections on the General Settings Page

The title of the General Settings Page shows the Java class name of the job. This is followed by the job type, which shows the type of job you selected.
Under the Job Type heading, you can enable or disable the job, or delete the job after it runs.

Figure 15-3 General Settings Page

1 To delete the job after it runs, select Delete job after running once.

2 To disable the job from running, deselect Enable job.

3 In the Servers column, select the server or servers where this job should run.

A filtered list of servers is available to help you assign this job. A custom job can be installed on one server but not on another. In this case, the server without this custom job is filtered out of the Server List.

A job can be assigned to multiple servers as long as it has been installed on each server. Designer only allows this association if the jobs are properly installed and packaged so that the Metadirectory engine can see them.

4 To add a scope to the Scopes column, click New Scope.

5 To select a scope object, type the Distinguished name of the object or use the Browse icon to browse to the object. Click OK to add the scope object.

Scopes allow you to define the objects that this job applies to. An object in eDirectory can be a container, a dynamic group, a group, or a leaf object. If you select a group object, you can apply the job to the group's members, or only to the group. If you select a container object, you can apply the job to all descendants in that container, to all of the children in the container, or to the container only.

6 If the object is a container, select Scope is a Container. Then select how you want to apply the job:
  Apply job to this container only
  Apply job to children of this container
  Apply job to all descendants of this container

7 (Optional) If you select Apply job to children of this container or Apply job to all descendants of this container, you can specify the classes and attributes you want to scope.
Click the plus icon to bring up the Schema Browser window to select the classes you want to scope. Select the class schema, then click OK. The classes are added to the Classes box. To remove a class, select it and click the minus icon.

8 If the object is a group or a dynamic group, select Scope is a Group/Dynamic Group. You can then select the Scope is the group itself and not its members option if the scope is for the group.

9 If the object is a non-container, select Scope is a Non-Container.

10 After the scope criteria are selected, click OK to return to the General Settings page.

11 If you need to edit a scope, select the scope name, then click Edit.

12 To remove a scope, select the scope name, then click Remove.

Deploying a Job with Scope Objects

Jobs might need access to eDirectory data and certain Identity Manager actions, such as starting and stopping drivers. Such access is subject to eDirectory rights assignments and is controlled by the rights that are granted to the DirXMLJob object. Although Identity Manager actions are controlled by special attributes, normal eDirectory rights are needed for data reads and writes.

When you deploy a job object that has scope objects, there might be eDirectory rights assignments that Designer cannot properly set up. The rights needed to complete the task depend on the scope objects that are assigned to the job object.

Figure 15-4 Warning Messages When Deploying a Job with Scope Objects

If you see this warning when deploying job objects, use the iManager utility to assign eDirectory rights to the job object so it can properly access the job scope objects and complete its task.

15.3.2 Job Editor Selections on the Job Parameters Page

The Job Parameters page allows you to add additional parameters to the job and to view the parameters as they are presently set up. What you can do depends on the type of job you selected.
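The scope options on the General Settings page decide which objects a job reaches, and therefore which eDirectory rights the job object needs. The following Python model is an added example, not Designer or Job Manager code: the directory contents, the DN notation, the Scope class, and the function names are constructed for illustration, and it assumes that the children and descendants options do not include the container itself.

```python
from dataclasses import dataclass

# Constructed sample directory (not from the guide): DN -> (class, group members).
# DNs are written leaf-first with commas; escaped commas and case-insensitive
# matching are not handled in this simplified model.
ALICE = "cn=alice,ou=staff,o=acme"
BOB = "cn=bob,ou=staff,o=acme"
CAROL = "cn=carol,ou=contractors,ou=staff,o=acme"
SAMPLE_TREE = {
    "o=acme": ("Organization", ()),
    "ou=staff,o=acme": ("Organizational Unit", ()),
    ALICE: ("User", ()),
    BOB: ("User", ()),
    "cn=printer1,ou=staff,o=acme": ("Printer", ()),
    "ou=contractors,ou=staff,o=acme": ("Organizational Unit", ()),
    CAROL: ("User", ()),
    "cn=helpdesk,o=acme": ("Group", (ALICE, CAROL)),
}


@dataclass(frozen=True)
class Scope:
    """One entry of the Scopes column (hypothetical representation)."""
    dn: str
    kind: str                          # "container", "group" or "non-container"
    mode: str = "self"                 # container: self/children/descendants; group: self/members
    classes: frozenset = frozenset()   # optional class filter for children/descendants


def parent_dn(dn):
    """Return the DN of the containing object, or None for the tree root."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def resolve_scope(tree, scope):
    """Return the set of DNs that a single scope entry selects."""
    if scope.dn not in tree:
        raise KeyError(f"scope object not found: {scope.dn}")
    if scope.kind == "non-container" or scope.mode == "self":
        return {scope.dn}
    if scope.kind == "group" and scope.mode == "members":
        # Members that no longer exist in the tree are skipped.
        return {m for m in tree[scope.dn][1] if m in tree}
    if scope.kind == "container" and scope.mode in ("children", "descendants"):
        if scope.mode == "children":
            picked = {dn for dn in tree if parent_dn(dn) == scope.dn}
        else:
            picked = {dn for dn in tree if dn.endswith("," + scope.dn)}
        if scope.classes:
            picked = {dn for dn in picked if tree[dn][0] in scope.classes}
        return picked
    raise ValueError(f"unsupported scope: kind={scope.kind!r} mode={scope.mode!r}")


def job_footprint(tree, scopes):
    """Map every object the job reaches to the scope DNs that pulled it in."""
    footprint = {}
    for scope in scopes:
        for dn in resolve_scope(tree, scope):
            footprint.setdefault(dn, set()).add(scope.dn)
    return footprint


if __name__ == "__main__":
    scopes = [
        Scope("ou=staff,o=acme", "container", "descendants", frozenset({"User"})),
        Scope("cn=helpdesk,o=acme", "group", "members"),
    ]
    for dn, sources in sorted(job_footprint(SAMPLE_TREE, scopes).items()):
        print(dn, "<-", ", ".join(sorted(sources)))
```

Comparing the footprint of the children option with that of the descendants option before deployment shows how many extra objects the wider option pulls in, which is the set the job object's rights have to cover.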
  “Parameters for the Schedule Driver Job”
  “Parameters for the Generate Random Passwords Job”
  “Parameters for the Subscriber Channel Trigger Job”

NOTE: The parameters for a custom job vary based on the job’s design. For more information about creating a custom job, see Section 15.2, “Creating a Job.”

Parameters for the Schedule Driver Job

Figure 15-5 The Job Parameter Page for a Schedule Driver Job

1 If you want the job to start the driver, select Start the driver.

2 If you want the job to stop the driver, select Stop the driver.

3 If you want the job to switch from one to the other, select Toggle the driver.

Parameters for the Generate Random Passwords Job

Figure 15-6 The Job Parameter Page for the Generate Random Password Job

1 Type the Password policy object’s Distinguished name, or use the Browse icon to select the Password policy you want to use for password generation.

2 If you want to generate passwords for scoped objects without a driver association, select True. Otherwise, select False.

Parameters for the Subscriber Channel Trigger Job

Figure 15-7 The Job Parameter Page for the Subscriber Channel Trigger Job

1 If you want to submit a trigger document for scoped objects that do not have a driver association, select True. Otherwise, keep the default of False.

2 If you want to use the job’s Common Name (CN) as a document identifier trigger, keep the default of True. Otherwise, select False.

3 (Optional) If you select False, specify the string that the job can use as the value for the trigger element’s Source attribute.

4 Select a method for submitting the trigger documents. If you want to queue the job the trigger is from, keep the default of Queue (use cache). Otherwise, select Direct (bypass cache).

5 (Optional) If you select Direct (bypass cache), you are presented with the Start driver if not running option.
If you want to start the driver if it is not running, keep the default of True. Otherwise, select False.

6 (Optional) If you select True on the Start driver if not running option, you are presented with the Stop driver when finished processing triggers option with the default of True. Use the default to stop the driver when it finishes processing the trigger job, or select False to keep the driver running.

A customized job definition has its own parameter set.

15.3.3 Job Editor Selections on the Scheduler Page

The Scheduler page allows you to set up when you want to run the job.

Figure 15-8 The Job Options for the Scheduler Page

1 Select the Use schedule option to set the date and time, and whether to run the job daily, weekly, monthly, or yearly.

or

Select the Run job manually option to run the job when you choose to.

2 With Use schedule selected, set the time when you want the job to start running. Use the drop-down menus to select the hours, minutes, and AM or PM. The default is 1:00 AM.

3 If you want to run the job repeatedly, use the Daily, Weekly, Monthly, Yearly, or Custom fields to select when you want it to run.

For example, if you want the job to run weekly, select Weekly, then the day you want it to run on. If you want the job to run once a month, select Monthly, then click the plus icon to select the day of the month.

4 (Optional) Select Custom to choose minutes, hours, days, months and days of the week from the Choose Advanced Crontab Criteria page.

5 The Choose Advanced Crontab Criteria page default has everything selected. Click Unselect All, choose the time and days you want to run the job, then click OK to return to the Scheduler page.

The Crontab Text field displays any settings you make on the Scheduler page.
For example, if you click Monthly and select two days, those two days are displayed in the Crontab Text field.

15.3.4 Job Editor Selections on the Notification Settings Page

The Notification Settings page allows you to define what you want to do with the job results. It is divided into two parts, Intermediate and Final, with the Success, Warning, Error, and Aborted results for each part.

The Notification Settings page allows you to set how you want to be notified for each result. Actions include sending an audit result or sending an e-mail when the result completes.

Figure 15-9 Notification Settings Page

1 If you select Send email for this event, Designer allows you to search in the Default Notification Collection directory for an appropriate template to use in the Notification Template field. Click the Model Browser icon to select an appropriate template.

2 Under Notification Recipients, select who you want to send the results to by typing the user’s or group’s fully distinguished name. You can use the plus icon to create a mail profile or click the Model Browser icon to choose a mail profile.

The To and Reply fields are required for a profile.

3 When you have filled in the information, click OK.

4 If you want the results to go to Novell Audit, select Use Novell Audit for this event.

5 Use Step 1 through Step 4 for each of the options:
  Intermediate Success
  Intermediate Warning
  Intermediate Error
  Intermediate Abort
  Final Success
  Final Warning
  Final Error
  Final Abort

If you do not select an option, no action is taken for the result.

16 Deploying and Exporting

The Deploy feature in Designer places a project, a set of drivers, a single driver, channels, and policies into a deployed Identity Manager system in an eDirectory tree. This can be a production tree or a test tree.
Use the Export feature to make backups of all of your projects and the drivers you want to implement. This way, if something happens to the driver in production, you have a backup.

Use the Deploy feature after you have thoroughly tested the policies that make up your drivers. To test policies, use the Policy Simulator (right-click a policy to see the simulation results of the policy that is being tested) or use the Project Checker to ensure that the project is valid. Then use Deploy to test the policy in a test environment before you deploy the driver into production.

You can also use the Import feature to import an existing eDirectory driver, a channel, or a policy; after it is imported, you can modify the object or objects, run the Policy Simulator to ensure that the object is working correctly, then deploy the object back into a test tree for further analysis. For more information about policies, see Understanding Policies for Identity Manager 4.0.2.

To help you decide on changes to make before deploying, you can use the Compare feature to see differences between the objects you are deploying and those that already reside in an eDirectory tree. See Section 16.7, “Using the Compare Feature When Deploying.”

  Section 16.1, “Preparing to Deploy”
  Section 16.2, “Deploying a Project to an Identity Vault”
  Section 16.3, “Deploying a Driver Set to an Identity Vault”
  Section 16.4, “Deploying a Driver to an Identity Vault”
  Section 16.5, “Deploying a Channel to an Identity Vault”
  Section 16.6, “Deploying a Policy to an Identity Vault”
  Section 16.7, “Using the Compare Feature When Deploying”
  Section 16.8, “Troubleshooting Deployed Objects”
  Section 16.9, “Exporting a Project”
  Section 16.10, “Exporting to a File”

16.1 Preparing to Deploy

Before deploying a project, run Project Checker and fix any errors that appear.
1 Click Window > Show View > Project Checker, then click the Run the Project Checker icon.

After you have corrected any problems in the project, make a backup copy of the project before deploying.

Before you deploy objects into an Identity Vault, you need to designate the Deployment DN (distinguished name), or the place in the tree where you plan on deploying the Identity Manager project or objects.

1 In Designer, select the Identity Vault that contains the object or objects you want to deploy, then look in the Properties view below the Project/Outline view. (You can also open the Identity Vault’s or driver’s Properties window.)

2 In the Properties view, fill in the Identity Vault’s name, host address, user DN, password, and Deployment DN information if it is not already present.

3 Click the Browse icon to find the Deploy Context distinguished name on an existing tree if the other information is accurate and Designer can attach to the tree. You need this information to deploy anything, even a policy.

You can also use the driver set’s Deploy Context entry if you want to deploy a driver set to a different context than the one designated in the Identity Vault’s Properties view. The driver set’s Deploy Context entry overrules the Identity Vault’s Deploy Context entry.

IMPORTANT: You must have enough rights to access the eDirectory tree that is associated with the Identity Vault to which you want to deploy.

16.2 Deploying a Project to an Identity Vault

To deploy a project to an eDirectory tree that is running Identity Manager, you use the same procedure that you use for deploying a driver set, a driver, channels, or policies. The procedure is described in Section 16.3, “Deploying a Driver Set to an Identity Vault.”

To deploy an Identity Manager-based project or an object in a project, you must have access to the eDirectory tree that is associated with the Identity Vault you are designing.
You also need to know the deployment DN (distinguished name) context, or the place in the tree where you plan to deploy the Identity Manager driver set or driver objects.

16.3 Deploying a Driver Set to an Identity Vault

Suppose that you finish a new driver set that you want to deploy into a test tree, or suppose that you have imported a driver set, made modifications, and now you want to deploy the driver set back into its working tree. Use the following procedure to deploy an Identity Manager Driver Set object (and all contained Identity Manager drivers) into an existing Identity Manager system in an eDirectory tree:

1 Right-click the Driver Set icon in the Modeler view, then click Live > Deploy.

You can also deploy the Driver Set from the Outline view by right-clicking the Driver Set object, then selecting Live > Deploy.

The Identity Vault Credentials window displays if Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, or if you do not have the Deployment DN designated in the Properties tab of the Identity Vault where you are deploying.

2 Use the Compare feature to see differences between the objects you are deploying and those that already reside in an eDirectory tree. See Section 16.7, “Using the Compare Feature When Deploying.”

3 In the Deployment Summary window, click Deploy.

4 Click OK to close the Information window.

5 (Conditional) If you see other informational messages, decide what action to take.

You might also see a message in the Deployment Results window stating that the deployment was unsuccessful. Click the error messages in the Operation Results portion of the window to see the error descriptions and possible reasons in the Details portion.

6 (Conditional) If this is a new deployment, the Deploy - New Driver Settings window displays.
  Define security equivalences on the driver set, and identify all objects that represent Administrative roles so that they are excluded from being replicated. In both instances, Novell recommends that you select the Admin object, and any other objects that qualify in your network environment.
7 Click OK.

16.3.1 eDir-to-eDir Deployments and SSL/TLS

By default, always deploy both sides of an eDirectory-to-eDirectory connection when you have SSL and TLS enabled. If SSL/TLS are enabled, Designer creates the certificates in the eDirectory tree when you deploy the drivers.

SSL and TLS are not enabled or configured by default. To check your present SSL settings, click Window > Preferences, then click Novell > Identity Manager > Configuration and click the eDir-to-eDir SSL/TLS tab. After configuration, the Deploy feature uses the SSL preference settings under Certificate overwrite policy.

16.4 Deploying a Driver to an Identity Vault

Suppose you finish a new driver object that you want to deploy into a test tree, or suppose you have imported a driver object, made significant modifications, and now you want to deploy that driver object back into its working tree.

Use the following procedure to deploy an Identity Manager Driver object (and all contained channels and policies) into a driver set:

1 Select an Identity Vault in the Modeler view.
2 Right-click a driver object connected to a Driver Set icon in the Identity Vault. The driver object is represented by a circle icon.
3 Click Live > Deploy.
  You can also select the driver object from the Outline view. Click the Outline tab, right-click the driver object you want to deploy, then click Live > Deploy.
  An error displays if Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, or if you do not have the Deployment DN designated in the Properties tab of the Identity Vault you are deploying to.
4 Review the information displayed in the Deployment Summary window to see the differences between the objects you are deploying and those that already reside in an eDirectory tree. It is the same as the Compare feature. For more information about how to use the Compare window, see Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
  When you deploy or reconcile a driver, the Identity Manager version of the Identity Vault server is updated to match the live system. Updating the Identity Manager version allows Designer to correctly set the engine controls for the driver so that invalid engine controls are not deployed to the Identity Vault.
5 Click Deploy to begin the process.
6 Click OK to close the Deployment Results window.
7 (Conditional) If you see other informational messages, decide what action to take.
  You might see a message in the Deployment Results window stating that the deployment was unsuccessful. Click the error messages in the Operation Results portion of the window to see the error descriptions and possible reasons in the Details portion.
8 (Conditional) If this is a new deployment, the Deploy - New Driver Settings window displays.
  Define security equivalences on the driver set and identify all objects that represent Administrative roles and exclude them from being replicated. In both instances, Novell recommends that you select the Admin object, and any other objects that qualify in your network settings.

You can modify security equivalences and excluded roles after the driver is deployed. To do so, right-click the driver object and select Live > Set Up Driver Security, or right-click the Application object and select Driver > Set Up Driver Security.

16.5 Deploying a Channel to an Identity Vault

A channel is a grouping of rules and policies, and Designer allows you to deploy a channel object into a driver if necessary.
The Subscriber and Publisher channels describe the direction in which the information flows. The Subscriber channel takes the event from Identity Vault (eDirectory) and sends that event to the managed system (application, database, CSV file, etc). The Publisher channel takes the event from the application, database, CSV file, etc., and sends that event to the Identity Vault. The Subscriber and Publisher channels act independently; actions in one are not affected by what happens in the other.

Channel objects must be a part of a newly created driver, or they must be a part of an existing driver that now needs to be modified. Driver objects are created through the Designer or iManager utilities. Because channel objects are a part of a driver object, you deploy a channel object into an existing driver object. If you simply deploy the channel object, Designer creates a skeleton driver as a placeholder for the channel object.

To deploy an Identity Manager channel (a Subscriber channel or a Publisher channel) object and all contained policies into a driver in an Identity Vault:

1 In the Outline tab, select the channel object under the driver object.
  The driver object is represented by a circle icon; the Publisher icon shows a black dot on the icon and the Subscriber icon shows a white dot.
2 Right-click the channel object you want to deploy, then click Live > Deploy.
  An error displays if Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, or if you do not have the Deployment DN designated in the Properties tab of the Identity Vault you are deploying to.
  The Deployment Summary window shows you the differences between the objects you are deploying and those that already reside in an eDirectory tree. It is the same window format as the Compare feature. For more information about how to use the Compare window, see Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
  An error displays if Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, or if you do not have the Deployment DN designated in the Properties tab of the Identity Vault to which you are deploying.
3 In the Deployment Summary window, click Deploy.
4 After the channel deploys, click OK to close the Deployment Results window.

16.6 Deploying a Policy to an Identity Vault

A policy is a collection of rules and arguments that allow you to configure an application so it can send and receive events between itself and an Identity Vault (eDirectory). You use policies to manipulate the data you receive from an Identity Vault or from the application. Each driver performs different tasks and policies tell the driver how to manipulate the data to perform those tasks. For more information about policies, see Understanding Policies for Identity Manager 4.0.2.

To deploy an Identity Manager Policy object (for example, a rule or a style sheet) into a driver or channel (Subscriber or Publisher):

1 Click the Outline tab and select a policy under a driver object or a channel object.
  Policies can be of the type DirXML Script, Schema Mapping, or XSLT style sheet, and each type has its own icon.
2 Right-click a policy object, then select Live > Deploy.
  An error displays if Designer can’t authenticate to the eDirectory tree specified in the Identity Vault, or if you do not have the Deployment DN designated in the Properties tab of the Identity Vault you are deploying to.
  The Deployment Summary window shows you the differences between the objects you are deploying and those that already reside in an eDirectory tree. It is the same window format as the Compare feature. For more information about how to use the Compare window, see Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
3 In the Deployment Summary window, click Deploy.
4 After the policy deploys, click OK to close the Deployment Results window.

16.7 Using the Compare Feature When Deploying

Designer’s Compare feature allows you to see differences between driver sets, drivers, channels, and policies that are stored in projects and those that are running in deployed systems.

Previous versions of Designer only provided conflict resolution when importing a driver. While importing, you could select which policies of the driver you wanted to update, but you could not view any differences between existing and new values. Designer now provides conflict resolution on an object-by-object basis and allows you to view the differences between existing and new values when importing and deploying driver sets, drivers, channels and policies.

For example, before deploying a driver object in Designer to a driver object that already exists in the Identity Vault, you can run Compare. Compare shows whether the driver objects are equal (no action is necessary) or unequal. If they are unequal, you can choose not to reconcile the driver objects, choose to update the driver object in Designer, or choose to update the driver object in eDirectory.

You can run the Compare feature at any time. If you choose to reconcile the differences between driver objects in Designer and eDirectory while in Compare, you won’t need to separately run Import or Deploy to make the changes.
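The comparison described above can be modelled offline as a drift check that is run before a deploy. The following Python sketch is an added illustration, not Designer's own code: it labels each object with the guide's Compare Status names (Equal, Unequal, Not Deployed, Not Imported, Renamed, Deleted, Unknown), and the DNs, attribute names, and snapshot dictionaries are constructed assumptions.

```python
"""Classify project-vs-vault differences using the guide's Compare Status names."""

# Attributes whose values cannot be compared; the guide gives a password as the
# example. The attribute name is constructed for the sample data below.
OPAQUE_ATTRS = {"shim-password"}


def attribute_status(name, designer_value, edir_value):
    """Status of one attribute: Unknown (not comparable), Equal or Unequal."""
    if name in OPAQUE_ATTRS:
        return "Unknown"
    return "Equal" if designer_value == edir_value else "Unequal"


def compare(designer, edir, renamed=None, deleted=None):
    """Return {dn: (status, {attribute: status})}.

    designer, edir: {dn: {attribute: value}} snapshots of each side.
    renamed: {new Designer DN: DN the object was deployed under}.
    deleted: DNs that were deployed, then removed from the project.
    """
    renamed = renamed or {}
    deleted = set(deleted or ())
    report = {}
    rename_sources = set()

    for dn, attrs in designer.items():
        old_dn = renamed.get(dn)
        if old_dn is not None and old_dn in edir:
            rename_sources.add(old_dn)
            report[dn] = ("Renamed", {})
        elif dn not in edir:
            report[dn] = ("Not Deployed", {})
        else:
            names = sorted(set(attrs) | set(edir[dn]))
            detail = {n: attribute_status(n, attrs.get(n), edir[dn].get(n))
                      for n in names}
            # Unknown attributes cannot prove a difference, so only a
            # comparable attribute that differs makes the object Unequal.
            status = "Unequal" if "Unequal" in detail.values() else "Equal"
            report[dn] = (status, detail)

    for dn in edir:
        if dn in designer or dn in rename_sources:
            continue
        report[dn] = ("Deleted" if dn in deleted else "Not Imported", {})
    return report


def needs_reconcile(report):
    """DNs that would require a reconcile decision before deploying."""
    return sorted(dn for dn, (status, _) in report.items() if status != "Equal")


# Constructed sample snapshots (not taken from a real tree).
SET_DN = "cn=Driver Set,o=system"
DESIGNER = {
    SET_DN: {"log-level": "1"},
    "cn=AD," + SET_DN: {"start-option": "auto", "shim-password": "set"},
    "cn=HR Feed," + SET_DN: {"start-option": "manual"},
    "cn=Loopback," + SET_DN: {"start-option": "manual"},
}
EDIR = {
    SET_DN: {"log-level": "1"},
    "cn=AD," + SET_DN: {"start-option": "disabled", "shim-password": "opaque"},
    "cn=HR," + SET_DN: {"start-option": "manual"},
    "cn=Old CSV," + SET_DN: {"start-option": "auto"},
    "cn=LDAP," + SET_DN: {"start-option": "auto"},
}
RENAMED = {"cn=HR Feed," + SET_DN: "cn=HR," + SET_DN}
DELETED = {"cn=Old CSV," + SET_DN}

if __name__ == "__main__":
    for dn, (status, detail) in compare(DESIGNER, EDIR, RENAMED, DELETED).items():
        print(f"{status:13} {dn} {detail or ''}")
```
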
Section 16.7.1, “Using Compare when Deploying a Driver Object”
Section 16.7.2, “Using Compare Before Deploying a Channel Object”
Section 16.7.3, “Using Compare Before Deploying a Policy”
Section 16.7.4, “Matching Attributes with Designer Properties”
Section 16.7.5, “Comparing Driver Set and Driver Attributes”
Section 16.7.6, “Renaming and Deleting Deployed Objects”

16.7.1 Using Compare when Deploying a Driver Object

Suppose you want to determine if you have deployed all of the changes you have made to a driver object in Designer to the same driver in the Identity Vault.

1 Right-click the driver object in either the Modeler view or in the Outline view. Select Live > Compare to bring up the Designer/eDirectory Object Compare window.
2 In the Select an object or attribute portion of the window, you see the listed objects and attributes. Select the attributes and child objects to see the actual differences displayed in the Text Compare portion of the window.
  The plus icon at the right side of the Select an object or attribute portion allows you to expand all elements in the parent object, and the minus icon collapses all of the elements. The ? icon displays the Summary/Compare dialog box help.
  Server-specific attributes, which are attributes that have a value for each server that is associated with a driver set, are displayed in the Attributes list with the server name in parentheses to the right of the attribute name.
3 By default, the Compare window only displays values that are different between eDirectory and Designer. To view all of the object values, select Show all from the pull-down menu. Your choices are Show differences, Show deletes, and Show all.
4 Check to see the status of the values that are shown.
  Values that are equal are shown as Equal on the Compare Status line in the Information portion of the Compare window.
  The overlay image displayed in the Compare Status entry identifies objects or attributes that need reconciliation. The following table describes what you see in the Compare Status line and the overlays that you can see:

  Compare Status: Description
  Equal: The selected attribute’s value or all attributes of the selected object are the same in eDirectory and Designer.
  Unequal: The value of the selected attribute, or one or more attributes of the selected object, are different in eDirectory and Designer.
  Not Deployed: The selected object or the object containing the selected attribute is not deployed to eDirectory.
  Not Imported: The selected object or object containing the selected attribute does not exist in Designer.
  Renamed: Designer tracks objects that are deployed, then renamed in the Designer project. The Designer and eDirectory DNs are displayed in the value fields.
  Unknown: The selected object or object containing the selected attribute cannot be compared, such as a password.
  Deleted: Designer also tracks objects that are deployed, then deleted from the Designer project. To delete the object from eDirectory during deployment, select Delete the Identity Vault object.

  You can also see an Attribute Note if you select an attribute.
5 Under the Information portion of the Compare window, select how you want to reconcile the differences between the Source and Destination. If Compare Status shows Unequal, you have three choices:
    To do nothing, keep the default value of Do Not Reconcile.
    To update the driver in Designer so that it contains the same information as the driver in eDirectory, select Update Designer.
    To update the driver in eDirectory to reflect the changes you have just made to the driver in Designer, select Update eDirectory.
  The green check box in the bottom corner of the icons shows all of the child objects that are being reconciled with the parent object. If you select the parent object to perform the update, then all of the child objects under the parent reflect that choice and you see the Reconciled By Parent icon selected. If you do not choose a parent object, you can reconcile each child object individually. You can also see a small Designer icon and an eDirectory icon, showing how objects are being reconciled.
6 Check to see the Text Compare values.
  The Text Compare values displayed in the bottom portion of the Designer/eDirectory Object Compare window vary, depending on the object being compared. For instance, Compare shows changes to policies or XML data.
  The Text Compare dialog box uses the Eclipse Compare editor to compare attributes that contain XML data, such as policy data, driver filters, or configuration data. The differences in the code are highlighted in blue.
7 After you view the differences, click Reconcile to perform the reconciliation actions for each object in the tree, or click Close to close the Designer/eDirectory Object Compare window.

16.7.2 Using Compare Before Deploying a Channel Object

Suppose you want to deploy a channel object from the Identity Vault and the same channel already exists in Designer. You can compare the two channels to see similarities and differences.

1 Right-click the channel object in the Outline view.
2 Select Live > Compare to bring up the Designer/eDirectory Object Compare window.

All Compare windows behave the same as described in Section 16.7.1, “Using Compare when Deploying a Driver Object,” on page 436.

16.7.3 Using Compare Before Deploying a Policy

Suppose you want to deploy a policy object from the Identity Vault and the same policy already exists in Designer. You can compare the two policies to see similarities and differences.

1 Right-click the policy object in the Outline view.
2 Select Live > Compare to bring up the Designer/eDirectory Object Compare window.

All Compare windows behave the same as described in Section 16.7.1, “Using Compare when Deploying a Driver Object,” on page 436.

16.7.4 Matching Attributes with Designer Properties

The attributes of the object are displayed in the single select attribute list. Selecting an attribute displays its value below the attribute list with the Designer value on the left and the eDirectory value on the right.

The name displayed in the list is the eDirectory attribute name. Three tables map the eDirectory attribute to the Designer property page or control, where you can change or set the attribute (you can’t make changes inside the Compare window). Table 12-1 on page 340 shows driver set eDirectory attributes, Table 12-2 on page 341 shows driver eDirectory attributes, and Table 12-3 on page 342 shows channel eDirectory attributes.

16.7.5 Comparing Driver Set and Driver Attributes

Use the Compare feature to compare the attributes of a driver set or a driver without comparing all of the child objects.

1 Right-click the driver set or driver, then select Live > Driver Set Configuration > Compare Attributes.

By default, the Compare window shows only those attributes that are unequal, but you can select to show deletes, or show all attributes.

16.7.6 Renaming and Deleting Deployed Objects

Designer now tracks objects that are deployed, then renamed in the Designer project. The Designer and eDirectory DNs are displayed in the value fields. The renamed objects are displayed in the Deployment Summary window and the Compare Status entry displays Renamed.

Figure 16-1 Renamed Drivers and Driver Sets

During the deploy operation, the renamed Designer object is renamed in eDirectory. When performing a compare operation, you can reconcile the object by updating either the Designer or eDirectory object name.
Only objects that are renamed in Designer are tracked. If an object is renamed in eDirectory, Designer might not locate the associated eDirectory object when building the compare summary.

Designer also tracks objects that are deployed, then deleted from the Designer project. When you deploy the parent of the object that is deleted, you are given the option to delete the object from the Identity Vault. To delete the object from eDirectory during deployment, select Delete the Identity Vault object. You can select Show deletes from the drop-down menu.

Designer removes the object from the deleted object list if the parent is deployed and the object is not marked for deletion. In the following graphic, a driver was deleted from the driver set.

Figure 16-2 Deleting an Object in the Identity Vault

You can use the Compare feature to delete a deleted object from eDirectory or you can re-import the object into Designer.

Figure 16-3 Reconciling a Deleted Object

For example, to delete the object from eDirectory, select Update eDirectory from the Reconcile Action selection. To re-import the object into Designer, select Update Designer.

Only objects that are deleted in Designer are tracked. If an object is deleted in eDirectory, Designer shows the object as not deployed and creates a new object when you run Deploy or Compare.

16.8 Troubleshooting Deployed Objects

For information on troubleshooting deployed objects, see Section 22.5, “Deploying Identity Manager Objects,” on page 601.

16.9 Exporting a Project

Designer’s export feature allows you to export Projects and Driver Configuration files to a local, removable, or network directory.

1 Click File > Export.
  You use the Export window to export an existing Identity Manager Project to an archive file or to an iManager configuration file.
2 Select Designer for Identity Manager > Export Designer Project, then click Next.
3 In the Export File System window, select the projects you want to export.
4 Click Select All to select all projects in the designer_workspace directory (for Windows, the default location is C:\Documents and Settings\user's_login_name\designer_workspace).
  or
  Click Deselect All to clear the selections. You can then select the projects you want to export. Use the Expand All or Collapse All icons to expand or collapse the objects under each project. You can also select Show hidden files to display any files that have a period (.) at the beginning of the filename.
  IMPORTANT: You must select all items relating to a project for an export of the project to work.
  You can also browse to the directory location where you want to select the resources.
5 After you designate the directory to which to export the projects, click Finish.

You can also export projects to an archive file:

1 Click File > Export.
  You use the Export window to export an existing Identity Manager Project to an archive file or to an iManager configuration file.
2 Select Designer for Identity Manager > Export Designer Project, then click Next.
3 Select the To archive file option in the Export window.
4 Select the projects you want to archive.
5 Designate where you want the archive file saved. You can browse to an already existing file, or type an archive filename.
6 Select the archive format (zip or tar).
7 Select whether you want to compress the contents of the file, then click Finish.

With the Project Export Wizard, you don’t need to select the model files that are necessary for the project to work, because these files are exported automatically. You can choose to not export any extra files that are included in a project by deselecting them under the project in the Export Project window.
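Because an export only works when every item belonging to the project is included, hidden dot-files among them, it is worth checking an exported zip or tar archive against the workspace copy before relying on it as a backup. The following Python script is an added example, not part of Designer; it assumes the archive stores each project's files under a top-level folder named after the project, and the file names in the sample are constructed.

```python
import hashlib
import os
import tarfile
import tempfile
import zipfile


def project_digests(project_dir):
    """{relative path: SHA-256} for every file in the project, dot-files included."""
    root = os.path.abspath(project_dir)
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def _relative(entry_name, prefix):
    """Path of an archive entry relative to the project folder, or None if outside it."""
    name = entry_name[2:] if entry_name.startswith("./") else entry_name
    return name[len(prefix):] if name.startswith(prefix) else None


def archive_digests(archive_path, project_name):
    """{relative path: SHA-256} for the project's entries in a zip or tar archive."""
    prefix = project_name.rstrip("/") + "/"   # assumed archive layout
    digests = {}
    if zipfile.is_zipfile(archive_path):
        with zipfile.ZipFile(archive_path) as zf:
            for info in zf.infolist():
                rel = _relative(info.filename, prefix)
                if rel and not info.is_dir():
                    digests[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    elif tarfile.is_tarfile(archive_path):
        with tarfile.open(archive_path) as tf:
            for member in tf:
                rel = _relative(member.name, prefix)
                if rel and member.isfile():
                    data = tf.extractfile(member).read()
                    digests[rel] = hashlib.sha256(data).hexdigest()
    else:
        raise ValueError("not a zip or tar archive: " + archive_path)
    return digests


def verify_export(project_dir, archive_path, project_name=None):
    """Report files missing from, changed in, or extra in the exported archive."""
    name = project_name or os.path.basename(os.path.abspath(project_dir))
    src = project_digests(project_dir)
    arc = archive_digests(archive_path, name)
    return {
        "missing": sorted(set(src) - set(arc)),
        "changed": sorted(p for p in set(src) & set(arc) if src[p] != arc[p]),
        "extra": sorted(set(arc) - set(src)),
    }


def demo():
    """Constructed sample: a zip that skipped the hidden file and a complete tar."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = os.path.join(tmp, "SampleProject")
        os.makedirs(os.path.join(proj, "Model"))
        sample = {".project": b"<projectDescription/>", "Model/vault.xml": b"<vault/>"}
        for rel, data in sample.items():
            with open(os.path.join(proj, *rel.split("/")), "wb") as fh:
                fh.write(data)
        zip_path = os.path.join(tmp, "export.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.write(os.path.join(proj, "Model", "vault.xml"),
                     "SampleProject/Model/vault.xml")
        tar_path = os.path.join(tmp, "export.tar")
        with tarfile.open(tar_path, "w") as tf:
            tf.add(proj, arcname="SampleProject")
        return verify_export(proj, zip_path), verify_export(proj, tar_path)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
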
16.10 Exporting to a File

You can use the export feature to export everything you create in Designer, from projects containing all Identity Vaults and their driver sets down to a single policy.

If you export a driver configuration file that contains only a policy, Designer creates the parent containment objects, such as a channel, a driver, or a driver set, as part of the exported policy object. These parent containment objects do not contain attributes; they are only the framework of the channel, driver, or driver set.

The exported .xml files are compatible with those used by the iManager driver configuration file plugins for Identity Manager 2.0.2 and above. This allows you to export configuration files from Designer and import those files through iManager or through Designer’s import feature.

You can export a driver configuration to a file from a number of places, including:

Section 16.10.1, “Using the Export Context Menu”
Section 16.10.2, “Exporting Configuration Files from the Modeler View”
Section 16.10.3, “Exporting Configuration Files from the Outline View”

16.10.1 Using the Export Context Menu

To export a driver set and all of the associated objects such as drivers, channels, and policies:

1 Right-click the driver set in the Outline View.
2 Select Export to Configuration File.
  Designer uses the name of the driver sets for the .xml file.
3 For future reference, name each driver set to denote that it is a driver set and denote the Identity Vault it comes from. You can also add a date to the name.
4 Click Save.
5 To close the Export Configuration Results window, click OK.

16.10.2 Exporting Configuration Files from the Modeler View

1 Double-click the System Model icon under a project name in the Project view to open the project model in the Modeler view.
2 Right-click the Driver Set object inside an Identity Vault icon, then select Export to Configuration File.
3 In the Export Driver Configuration window, select a filename and location to use in future references. You can also add a date to the filename if you save a lot of driver iterations.
  By default, Designer uses the name of the driver or driver set corresponding to the object selected. If you right-click an Identity Vault or Driver Set object, you see the Driver Set name in the File Name entry. If you have more than one Driver Set object in the Identity Vault, you see the Export Driver Configuration window with the name of that driver set in the File Name entry for each Driver Set object.
4 Select the directory where you want to store the file, then click Save.

16.10.3 Exporting Configuration Files from the Outline View

You can use the Outline View to save driver sets, drivers, channels, and policy configuration files to local, removable, or network directories. The following procedure documents steps for exporting channels and policies.

1 Double-click the System Model icon under a project name in the Project view. This brings up the project in the Modeler view.
2 Click the Outline tab.
3 Right-click a channel object under a driver object, then select Export to Configuration File.
4 From the Export Driver Configuration window, select a filename and location to use in future references. You can also add a date if you are backing up multiple iterations of the file.
  By default, Designer uses the name of the driver or object corresponding to the object selected. You might also need to designate that it is the Publisher channel of an Active Directory driver, along with the date when you saved the file.
5 Click Save.
6 In the Export Configuration Results window, click OK.
To export one or more policies from a driver or channel:

1 From the Outline view, right-click a Policy object and select Export to Configuration File.
  You can also use the Ctrl key to select more than one policy, then right-click them as a group and select Export Policy to Configuration File.
2 From the Export Driver Configuration window, select a filename and location to use for future reference. You can also add a date if you are backing up multiple iterations of the file.
  If you are exporting policy files from multiple drivers, include driver and channel information in the filename.
3 Click Save for each policy selected.
  Each policy is saved to its own .xml file. By default, Designer uses the name of the policy or rule selected.
4 In the Export Configuration Results window, click OK.

17 The Novell XML Editor

This section provides an overview of the features of the Novell XML editor.

Section 17.1, “About the Novell XML Editor”
Section 17.2, “Using the Source Editor”
Section 17.3, “Using the Tree Editor”
Section 17.4, “Attaching a Schema or DTD”
Section 17.5, “Setting XML Editor Preferences”

17.1 About the Novell XML Editor

The Novell XML editor lets you create, edit, and validate XML files. You can edit XML files in either the Source or Tree editor. You can customize certain behaviors, such as code completion, on the Preferences tab.

The Novell XML editor is built on the Web Standard Tools (WST) project architecture.

17.1.1 Creating XML Files

You use the New XML File Wizard to create new XML files. The wizard can create an empty XML file or a generated XML file based on an XML schema or DTD. Generated files contain skeleton XML data that is based on a given root element and an XML schema or DTD.

To launch the New XML File Wizard:

1 Click File > New > Other.
2 Select Show All Wizards.
3 Expand the XML Folder, select XML, then click Next.
4 (Optional) If Designer asks you to enable a particular activity, click OK.
5 Fill in the fields as follows:

  Field: Description
  Enter or select parent folder: Specify where the wizard should create the new file.
  File name: Specify the name of the new file.
  Advanced >>: Click this button if you want to specify that the new XML file should link to another file in the file system.

6 Specify the name and location for the new file and click Next.
7 Choose one of the source options on which you want to base the new XML file.

  Option: Description
  Create XML file from a DTD file: Generates an XML document containing a root element and a skeleton based on a DTD that you either import or choose from an existing catalog entry.
  Create XML File from an XML schema file: Generates a skeleton XML document containing a root element and skeleton based on a schema that you either import or choose from an existing catalog entry.
  Create XML File from an XML template: Creates an XML document containing the XML declaration with the version and encoding attributes set to 1.0 and UTF-8 by default.

8 Click Next.
9 (Conditional) If you selected Create XML File from a DTD file or Create XML File from an XML schema file, complete the following steps:
  9a Fill in the fields as follows:

    Field: Description
    Select file from Workspace: If you choose this option, you must select from a list of DTDs or schemas in your workspace. You can also choose to import a new schema into your project if the schema is not available.
    Select XML Catalog entry: Choose one of the XML Catalog entries from the list. You can edit this list in Preferences > Web and XML > XML Catalogs.

  9b Click Next. You are prompted to specify the root element.
  9c Fill in the fields as follows:
    Root element: Choose or type the new document’s root element.
    Create optional attributes: Select this option if you want the wizard to generate optional attributes.
    Create optional elements: Select this option if you want the wizard to generate optional elements.
    Create first choice of required choice: Select this option if you want the skeleton XML to always contain the first choice in a required choice. If this is not selected, no elements are inserted for the choice.
    Fill elements and attributes with data: Select this option if you want the wizard to generate dummy data in the file for elements and attributes. The generated XML inserts the node name as the data of the elements.
    Public ID: Specify the file’s Public ID.
    System ID: Specify the file’s System ID.
10 (Conditional) If you selected Create XML File from an XML template, select the template you want to use or clear Use XML Template to create an empty XML file.
11 Click Finish.

17.1.2 Validating Files

You can validate your XML files by using the right-mouse menu in the Source editor. If any validation errors or warnings occur, they are displayed in the Problems view.

17.1.3 Outline View

The XML editor provides an Outline view containing a tree that displays the structure of the XML document, including its nodes, elements, attributes, text nodes, comments, and so on.

The Outline tree is closely connected to the Source editor and the Tree editor. When you edit a document in either the Source or Tree editor, the Outline tree updates automatically. If the editing results in a document that isn't well-formed, the structure displayed in the tree might seem odd, but it corresponds as closely as possible to the well-formed parts of the document.

Editing or generally moving the cursor in the Source editor or changing the selection in the Tree editor expands and selects the corresponding node (if possible) in the Outline tree.
This makes it possible to easily locate the current place in the document. In a similar fashion, selecting a node in the Outline tree moves the cursor in the Source editor to the textual position of the node (if the Source editor is active) or changes the selection in the Tree editor (if the Tree editor is active).

The Outline view provides structural editing capabilities such as inserting and removing nodes.

17.1.4 XPath Navigator

The XPath Navigator view supports syntax highlighting and context-sensitive editing of XPath expressions. It automatically attaches to the currently selected XML editor and uses its Document node as the evaluation context. The namespace context shows all namespaces in scope on its document element.

The view consists of two parts: an editor pane and a results table. When the user types an expression in the editor pane and pauses for 0.5 seconds, the result is shown in the table. If the result is a node list, each row in the table displays an icon for the node type, a short description of the node, and the location of the node in the text (line numbers). Selecting a row in the table selects the text of the corresponding node in the XML editor. However, this is only supported in the Source editor.

Typing Ctrl-Space, '/', '[' or '(' triggers code completion: the expression is evaluated up until the cursor location, and insertable elements are shown in a drop-down box.

17.2 Using the Source Editor

The Source editor supports the following features:

  Syntax highlighting.
  Context-sensitive code completion based on the DTD and the XML schema. The code completion is based on the existing content of the XML document if no DTD or XML schema is associated with the XML document. When code completion is activated and the XML document contains <root><a><b/></a><a></a></root>, then you type the second <a>, the editor suggests that you add b as a child of the a element.
  As-you-type validation.
If the XML is invalid (for example, the > is removed from a tag), the editor indicates the error.
General text editing operations such as undo, redo, cut, copy, paste, select all.

Figure 17-1 XML Source Editor

The XML Source editor provides the following toolbar options:

Table 17-1 XML Editor Toolbar
Icon Description
Expands all folding (if code folding is enabled). You can enable or disable code folding in two ways:
  Select Windows > Preferences > General > Editors, select Structured Editors, then select Enable Code Folding.
  In the Source editor, right-click in the left ruler to access the Folding submenu.
Collapses all folding (if code folding is enabled).
Attaches a schema. For more information about using this feature, see Section 17.4, “Attaching a Schema or DTD,” on page 461.
Shows help.

The Source editor right-click menu contains these options:

Table 17-2 XML Source Editor Right-Click Menu Options
Menu Choice: Description
Revert File: Removes any changes to the XML file.
Cut, Copy, Paste, Undo, Save: Performs the common editor function.
Format:
  Document: Formats the entire document as specified in the preferences.
  Active elements: Formats only selected elements.
Clear Validation Errors: Clears reported validation errors from the Problems view.
Validate: Validates the XML document and shows errors in the Problems view.
Preferences: This is the same as setting preferences by using the Windows > Preferences option. For more information, see Section 17.5, “Setting XML Editor Preferences,” on page 463.

To save XML updates, do one of the following:

Click Save in the Designer toolbar.
Right-click in the XML editor, then select Save.
Press Ctrl+S.

When saving, the XML editor automatically checks the XML to make sure it conforms to the appropriate DTD (Filter DTD, DirXML Script DTD, etc.). It saves non-conforming XML only if you explicitly instruct it to do so.
For information about Identity Manager DTDs, see the Identity Manager 4.0.2 DTD Reference.

NOTE: You can disable notification of DTD errors in Designer Preferences. To do so, select Window > Preferences, then select Novell > Identity Manager > Configuration in the left navigation. Deselect Prompt for errors when validating XML against DTD for all Policy Editors.

17.3 Using the Tree Editor

The Tree editor supports these features:

Direct Editing: You can directly edit the text fields, including element names, attribute names and values, namespace names and values, text, and comments.
Insertion: You can insert new nodes by using the Tree editor’s right-click menu, which allows you to insert nodes as children before or after the selected node. If the node is an element, you can insert attributes. The submenus for Add Child, Add After, and Add Before contain the nodes that can be legally added. If no schema or DTD is associated with the document, the submenus contain New Attribute or New Element.
Deletion: To delete a node, select it and either press the Delete key or right-click, then click Remove.
Drag-and-drop: You can use this functionality inside the tree and between trees.
General Editing: You can perform operations such as undo, redo, cut, copy, and paste.

The Tree editor displays the XML nodes, with the value of each node displayed in a table cell next to the tree node.

Figure 17-2 XML Tree Editor

The Tree editor provides the following toolbar options:

Table 17-3 Tree Editor Toolbar
Icon Description
Expands all nodes.
Collapses all nodes.
Attaches a schema. For more information about using this feature, see Section 17.4, “Attaching a Schema or DTD,” on page 461.
Launches help.

17.4 Attaching a Schema or DTD

Both the Source editor and Tree editor allow you to attach an XML schema or DTD from the toolbar.

1 In the XML Source or XML Tree editor, click Attach.
This opens the Attach Schema or DTD dialog box.
2 Specify the data source (XML Catalog Entry, XML Schema, or DTD) by clicking the appropriate radio button.
3 Provide the necessary information for the selected data source, then click OK.
  XML Catalog Entry: Choose the appropriate entry from the XML Catalog Entry drop-down list.
  XML Schema: Specify the namespace URI and the schema file.
  DTD: Specify the Public and System IDs and the DTD file.

17.5 Setting XML Editor Preferences

You can customize some Novell XML editor behaviors by setting preferences. You access the preferences page through Windows > Preferences > XML. You can learn more about these preferences in Section 21.7, “XML,” on page 589.

18 Tools

Designer provides a variety of additional tools to help you manage Identity Manager projects. This section describes the tasks available through these tools and services:

Section 18.1, “Converting Earlier Projects,” on page 465
Section 18.2, “Migrating Driver Configuration Data to a New Server,” on page 470
Section 18.3, “Opening a Web Browser,” on page 476
Section 18.4, “Launching iManager,” on page 476
Section 18.5, “Checking Your Projects,” on page 477
Section 18.6, “Managing Directory Objects,” on page 483
Section 18.7, “Configuring TLS for eDir-to-eDir Drivers,” on page 487
Section 18.8, “Using DS Trace,” on page 491
Section 18.9, “Working with Generic Resources,” on page 496
Section 18.10, “Updating Designer,” on page 498

For information on managing workspaces, perspectives, and views, see “Workspaces, Perspectives, and Views” in Understanding Designer for Identity Manager.

For information on editors, builders, and wizards, see “Editors, Builders, and Wizards” in Understanding Designer for Identity Manager.
18.1 Converting Earlier Projects

Previous Designer workspaces are not compatible with Designer 3.5 and later. Designer stores projects and configuration information in a workspace. These workspaces are not compatible from one version of Designer to another. You need to point Designer 3.5 to a new workspace, and not to a workspace used by a previous version of Designer.

Section 18.1.1, “Converting Projects from Designer 3.5 to Designer 4.0.2,” on page 465
Section 18.1.2, “Converting Projects with the Project Converter Wizard,” on page 466
Section 18.1.3, “Running Later Projects on Earlier Designer Versions,” on page 470

18.1.1 Converting Projects from Designer 3.5 to Designer 4.0.2

Designer 4.0.2 supports conversion of Designer 3.5 and 4.0 projects to Designer 4.0.2. You can import the Designer 3.5 projects into Designer 4.0.2 from the file system or from the version control system. The conversion from Designer 3.5 to Designer 4.0.2 supports the objects that are newly added to Designer 4.0.2.

18.1.2 Converting Projects with the Project Converter Wizard

To convert an earlier project:

1 To convert projects that were not open in an editor when Designer was closed, open the project by doing one of the following:
  Double-click the project in the Project view.
  Right-click the project in the Project view, then select Open.
  Although you can open a project in the Navigator view by clicking the project’s .proj file, Novell recommends that you use the Project view instead. Otherwise, the Navigator view takes you into the raw file system.
2 In the Project view, expand the project, then double-click Project needs conversion.
3 Designer opens the project in the Project Converter Wizard. Review the steps, then click Next.
4 Name the project, then click Next.
  The Project Converter backs up your project before converting. You can accept or change the default name.
5 (Optional) If you edited the name but want to return to the default, click Reset.
6 Convert the project by clicking Convert.
  The converter changes, adds, and removes references, attributes, and elements. It might also create new files or delete old ones. It converts the project file to the new, correct file format.
  A progress bar displays during the backup and conversion. Converting very large projects might take a few seconds.
7 View the conversion log by clicking View Log.
  The conversion.log file is in the project folder in the Workspace directory (for example, c:\documents and settings\skopai\digitalairlines\conversion.log).
8 Open the project.

Regardless of the internal format (for example, Designer 1.2 or Designer 3.5 or Designer 4.0.2), Designer always deploys to the proper format of the target Identity Manager environment.

The converter ensures only forward compatibility. It is not backward compatible. A project that is converted to a newer release of Designer cannot be converted to an older release. In order to return to an earlier format, use the backup file of your project.

18.1.3 Running Later Projects on Earlier Designer Versions

Designer 2.0 or later (including Designer 3.5) does not let you load a project created in later Designer versions if the file format has changed between versions. For example, Designer 2.0 and Designer 3.0 use different formats. If you create a project in 3.5, you cannot open that project in 2.0. Instead, a message informs you that you can’t open the project because it requires the later version of Designer.

Even if the version formats are the same, it isn’t a good practice to run later projects on earlier versions of Designer. Later versions of Designer have additional bug fixes and features that might make more use of the existing format. Therefore, going back to an earlier Designer version could result in an inferior experience.
18.2 Migrating Driver Configuration Data to a New Server

If you have added a new server (right-click the Identity Vault and select New > Server), you might need to migrate the server data from an existing driver set to the new server. You can do this in one of three ways:

Section 18.2.1, “Using the Server Migration Wizard to Migrate the Driver Set,” on page 470
Section 18.2.2, “Migrating a Driver Set to a Server in a Different Tree,” on page 473
Section 18.2.3, “Migrating Server Data for Each Driver,” on page 474

After the server data is migrated, you must redeploy the driver set to the new server in order for the server to become active. For more information, see Section 16.2, “Deploying a Project to an Identity Vault,” on page 428.

18.2.1 Using the Server Migration Wizard to Migrate the Driver Set

Use the Server Migration Wizard to migrate server-specific data in an existing driver set to a new server. The Server Migration Wizard copies the following server-specific information for the driver set and associated drivers:

Global configuration values (GCVs)
Engine control values (ECVs)
Named passwords
Driver authentication information
Driver startup option
Driver parameters

1 From the Outline view, right-click the server with the associated driver set you want to migrate, then select Migrate.
  The Server Migration overview page explains that you are migrating a driver set from its source server to a target server along with its server-specific data.
2 Click Next.
3 On the Select Target Server page, select the server targeted for driver set migration and select Next.
  The Target Server list shows only servers that are not presently associated with any driver set and have an Identity Manager version that is equal to or newer than the source server.
4 In the Driver Startup Option Settings page, select the server that you want to be active.
  The default selection is Make the target server active.
  This option copies the current driver startup settings from the source server to the target server and disables all of the drivers on the source server.
  The Keep the source server active option copies the current driver startup settings from the source server to the target server and then disables the drivers on the target server.
  The Make both target and source servers active option copies the current driver startup settings from the source server to the target server and does not disable any drivers on either server. This option is not recommended, because having all service queues active on both servers causes the servers to run the same tasks, which can produce unpredictable behavior.
  Settings in the Driver Startup Option Settings page only affect the DirXML-DriverStartOption attribute on drivers and not the migration of other server data. You can also set the driver startup options on the driver’s Properties > Driver Configuration > Startup Options tab. Driver startup options are Auto Start, Manual, and Disabled.
5 Select Migrate.
  The wizard copies the server-specific information for the driver set and associated drivers to the target server while displaying a progress bar. When the migration finishes, you see The server has been successfully migrated!
6 Click Close to close the Server Migration Wizard.
7 After the wizard closes, right-click the driver set object in the Outline view and select Live > Deploy.
8 If necessary, fill in any needed information in the Identity Vault Credentials window to authenticate to the Identity Vault, then click OK.
  You see the Operation In Progress window, followed by the Deployment Summary page, which shows what is being deployed to the Identity Vault.
9 Click Deploy.
10 If you see errors on the Deployment Results page, click the error to see a summary of the cause and possible solutions. Click OK to close.
18.2.2 Migrating a Driver Set to a Server in a Different Tree

For this procedure, assume that you have created a new tree and server, but you want to use an existing driver set.

1 Right-click the Identity Vault in the Modeler or Outline view and select Properties.
2 In the Configuration section, edit the Host, Username, and Password entries to connect to the new tree, then click OK.
3 Right-click the driver set in the Modeler or Outline view and select Properties.
4 In the General section, edit the Deploy Context to reflect the container where you want to store the driver set. Type the name of the correct container or use the Browse icon to find the new container, then click OK.
5 Right-click the server object in the Outline view and select Properties.
6 Under the General > Properties section, edit the Name and Context entries to match the server in the new tree, then click OK.
7 Redeploy the driver set to the new server by right-clicking the driver set object in the Modeler or Outline view and selecting Live > Deploy.
  You see the Operation In Progress window, followed by the Deployment Summary page, which shows what is being deployed to the new Identity Vault.
8 Click Deploy.
9 If you see errors on the Deployment Results page, click the error to see a summary of the cause and possible solutions. Otherwise, click OK to close.

All server-specific data for the driver set is copied to the new server on the new tree.

18.2.3 Migrating Server Data for Each Driver

Although using the Server Migration Wizard is the preferred method, you can also migrate server data for a single driver in the driver set. You can either perform this action for each driver in the driver set, or use the Server Migration Wizard as described in Section 18.2.1, “Using the Server Migration Wizard to Migrate the Driver Set,” on page 470.

1 Right-click a driver in the Outline view and select Copy > Server-Specific Settings.
2 In the Copy Server Data from Driver.Driver Set window, select the source server. This is the server whose data is copied to the selected targets.
3 Under the Select the drivers/servers to copy to entry, select the target driver or drivers on the target server that you want to copy to.
  This example selects the Active Directory driver as the target driver on the Terabyte5.novell target server.
  IMPORTANT: Some server data is specific to a driver type, but other data, like the driver startup option, is not. Know what you want to accomplish before copying one driver’s server data to other driver types. Otherwise, drivers on the target server might behave erratically or fail.
4 In the Select replica data you want to copy section, select the data you want to copy to the target server. The copied data includes:
  Global configuration values (GCVs)
  Named passwords
  Driver authentication information
  Driver startup option
  Driver parameters
5 After you select the data, click OK, then click OK in the Complete window.

You must perform this action for each driver in the driver set, or use the Server Migration Wizard.

18.3 Opening a Web Browser

You can open a Web browser from within the Designer utility. The Web browser icon is available from the main toolbar. When you first launch the browser, you are prompted for a home page. After you enter the URL, it is stored in Preferences.

To change the URL:

1 Select Window > Preferences.
2 Select Designer for IDM.
3 Click the Browser tab.
4 Type the new URL, then click OK.

You can also open an internal Web browser view by selecting Window > Show View > Other and then selecting the Internal Web Browser option under the General heading.

18.4 Launching iManager

To launch iManager from within Designer:

1 Right-click the Identity Vault, then select Live > iManager.
  You can also select Tools > iManager.
2 In the iManager Credentials dialog box, specify the appropriate iManager URL and user credentials to access iManager.
  You must specify the iManager URL along with a server name (or IP address) with a replica of the directory tree, username, and password. Select Save password to store the credentials in a history.
3 Click OK.

18.5 Checking Your Projects

Designer provides the Project Checker so you can check your project. The Project Checker checks for proper design, contexts, server associations, policies, missing user data, and dependency problems that can cause a project deployment into the Identity Vault to fail. You can check a project at any time, but you should definitely run the Project Checker before deploying a project.

Section 18.5.1, “Checking a Project,” on page 477
Section 18.5.2, “Customizing the Project Checker,” on page 478
Section 18.5.3, “Items That Are Checked,” on page 481

NOTE: Project Checker only checks the objects in Designer. It does not check the current objects in the Identity Vault.

18.5.1 Checking a Project

1 In the Project or Outline view, select the project, then select the Launch Project Checker icon in the Designer toolbar.
  The Project Checker is also available from the Window > Show View menu.
2 Click the Run the Project Checker icon.
  If you haven’t saved the project, Designer prompts you to save it.

The Project Checker displays a list of versioning conflicts, errors, warnings, and information messages about the project.
In the Project Checker view, you can do the following:

Action: Description
See detailed information about a list item: Double-click a list entry to open a properties page that displays the following information about the entry:
  The message severity
  A message description
  The model object that caused the message
  The line number where the problem occurred, if available
  Details about the message, if available
  A recommended solution for the message, if available
Sort the list: Click any header in the Project Checker to sort the entry list on that parameter (Severity, Description, and Model Object). By default, Project Checker sorts entries by severity in descending order (most current at the top of the list).
Filter the list: Click the Configure Filters icon to customize the Project Checker. For more information, see “Customizing the Project Checker” on page 478.
Clear the list: Click the Clear Results icon to clear the Project Checker entry list.
Save the list: Click the Save Project Checker Results to a File icon to save the current Project Checker entry list to a text file so you can review it off-line.
Menu options: Click the Menu icon to select one of the following:
  View the messages in a hierarchical layout, according to functions (Identity Manager, provisioning, etc.)
  View the messages in a flat layout (default).
  Automatically check the project when you save it.
  Configure filters
  View the Project Checker’s Preferences page.

18.5.2 Customizing the Project Checker

You can customize the Project Checker by creating and editing filters. The filters allow you to receive messages about the items you want to verify. You can create multiple filters, but only one filter can be used at a time.

Figure 18-1 Customizing the Project Checker

To create a filter:

1 In the Project Checker, click the Configure Filters icon.
2 Click New Filter.
3 Specify a name and description for the filter.
  You can select which items are checked, what types of messages are returned about the items, and use key words to limit the messages returned. For example, you can search for all messages about the Driver Set and Driver objects that contain the word “attribute.”
4 Click OK.

To edit the name and description of the filter:

1 Select the filter, then click Edit.
2 After you have completed the changes, click OK.

To delete a filter:

1 Select the filter.
2 Click Delete.

18.5.3 Items That Are Checked

The Project Checker looks at specific items in the project. It checks the items in the User Application as well as the rest of Identity Manager. The following table describes the specific items that are checked. The list increases with each release of Designer.

Table 18-1 Identity Manager Items That Are Checked
Item: Description
Driver:
  Checks for the presence of a Schema Mapping policy.
  Checks for an invalid Active Directory container.
  Checks the trace level setting. If it is set to more than 0, an informational message is displayed.
  Checks to see if the LoopBack driver is being used instead of the eDirectory driver.
  Verifies that the GUID attribute is set to synchronize on the Subscriber channel.
  Verifies that the GUID attribute is not set to synchronize on the Publisher channel.
  Checks the classes on the Publisher and Subscriber channels that are set to Ignore and verifies that the attributes for these classes are not set to Synchronize.
  Checks for the presence of a filter and makes sure it is not empty.
  Checks to make sure that the Publisher Placement policy does not contain set operation destination DN or set xml attribute operations.
  Checks for the presence of a Publisher Placement policy.
  Checks to make sure that no policy on the Publisher channel contains set operation destination DN or set xml attribute operations.
  Checks to make sure that the Subscriber Placement policy does not contain set operation destination DN or set xml attribute operations.
  Checks to see if the Subscriber Placement policy is missing.
  Checks to make sure that no policy on the Subscriber channel contains set operation destination DN or set xml attribute operations.
  Checks to make sure that the nspmDistributionPassword attribute and the public-private key pair attributes do not simultaneously exist in the User class.
  Checks to make sure that the authentication method on the Active Directory driver is set to Negotiate when synchronizing passwords.
  Checks the filter for invalid data.
  Checks the driver to see if it is publishing both NDS and Distribution passwords. If it is, this is an invalid setting.
  Checks for the presence of the nspmDistributionPassword attribute in the User class in the Filter, if password synchronization is enabled.
  Checks that the nspmDistributionPassword attribute is set to sync or notify, if password synchronization is enabled.
Driver Set:
  Checks to make sure that the deployment context for the Driver Set object is set.
  Checks to make sure that a server object is associated with the Driver Set object.
E-mail Template:
  Checks to see if the e-mail notification template is empty.
Entitlements:
  Checks to see if the driver supports entitlements.
  Checks to see if the attribute DirXML-EntitlementRef is added to the Subscriber channel, if there are policies that use entitlements in the driver. The DirXML-EntitlementRef must be set to Notify or Synchronize for the entitlements to work.
ECMAScript:
  Checks to see that the ECMAScript object can run.
Identity Vault:
  Checks to see if the username to authenticate to the Identity Vault is missing.
  Checks to see if the hostname for the Identity Vault server is missing.
  Checks to see that the password for the user is not stored in the project.
Job:
  Checks to see that the job object can run.
Library:
  Checks to see that the library object can run.
Mapping Table:
  Checks to see that the mapping table object can run.
  Checks to see if there is an empty column name.
  Checks to see if there is a duplicate column name.
Policy:
  If there are global configuration values in the policy, it checks to make sure they exist on the Driver or Driver Set object.
  Checks to see if local variables are defined before they are used.
  Validates the policy against the DTD.
Schema:
  Checks to see if the class is missing from the schema.
  Checks to see if attributes are missing from the schema.
  Checks to see if the attribute for the class is missing from the schema.

Table 18-2 Provisioning Items That Are Checked
Item: Description
Configuration: Verifies that the XML is well-formed and complies with the schema that defines the elements needed for entities, attributes, lists, relationships, and so on.
Entity: Checks every entity to ensure that references to other entities and global lists are valid. Ensures that every entity has at least one attribute defined.
List: Ensures that every local and global list contains at least one item.
Org Chart Relationship: Verifies that the entities and attributes of a relationship have been deployed.
Provisioning Request Definition: Verifies that a workflow follows rules for activities and flow paths.

18.6 Managing Directory Objects

Sometimes it is necessary to locate or modify objects during your project development. Rather than using a separate management interface, you can use the eDirectory Browser to browse to and edit attributes of objects in the following locations:

The Identity Vault
Other eDirectory trees

Figure 18-2 Sample eDirectory Browser View

To launch the eDirectory Browser, use the tool-based method or the task-based method. The method you use is largely a matter of preference and the target directory that you will browse.
Section 18.6.1, “Tool-Based Browsing,” on page 485
Section 18.6.2, “Task-Based Browsing,” on page 485
Section 18.6.3, “Browsing, Viewing, or Modifying Object Attributes,” on page 486

18.6.1 Tool-Based Browsing

To access an eDirectory tree other than the Identity Vault, or if there is no Identity Vault defined in your current project, use the tool-based method. You can always launch the eDirectory Browser from the Tools menu, even when an Identity Vault isn’t selected in the Modeler.

1 From the toolbar, select Tools > Manage Directory.
2 Select an Identity Vault.
3 In the Login Credentials dialog box, provide the appropriate authentication credentials, then click OK.
4 Access information by using icons on the eDirectory Browser’s toolbar.

Table 18-3 Icons on the eDirectory Browser toolbar
Icon Descriptions
Expands all containers in the currently selected tree. IMPORTANT: This might be a time-consuming operation if you have a million-object tree.
Collapses all expanded containers in the currently selected tree.
Adds a new custom tree, which persists across sessions.
Removes trees previously added with the Add Tree operation. Automatically discovered trees cannot be removed.
Refreshes the currently active tree.
Displays an object’s properties.

Expansion states and selection states are persistent between sessions per tree.

18.6.2 Task-Based Browsing

To use the eDirectory Browser to browse the Identity Vault in your current project:

1 In the Modeler or Outline view, select the Identity Vault, then select Live > Manage Directory.
  You can also right-click the Identity Vault object and select Live > Manage Directory.
2 In the Login Credentials dialog box, provide the appropriate Identity Vault authentication credentials, then click OK.
  If you previously saved your authentication credentials, eDirectory Browser automatically populates the fields.
3 In the eDirectory Browser, browse to and select an object.
  The eDirectory Browser automatically displays the Identity Vault directory structure.

To use the eDirectory Browser to browse an eDirectory application in your current project:

1 In the Modeler, select the eDirectory application you want to browse, then select Live > Manage Directory.
2 In the Login Credentials dialog box, provide the appropriate eDirectory authentication credentials, then click OK.
3 In the eDirectory Browser view, browse to and select an object.

18.6.3 Browsing, Viewing, or Modifying Object Attributes

After you have populated eDirectory Browser with one or more directories, you can browse the directory tree for specific objects, and view and modify object attributes.

Table 18-4 Objects That You Can Modify
Object: Description
Container Object: Double-click to expand a collapsed container or to collapse an expanded container. Right-click and select Properties to open that object’s attributes page. Select the object and click the Open properties of this object icon in the Action bar.
Leaf Object: Double-click (or right-click and select Properties) to open that object’s attributes page. Select the object and click the Open properties of this object icon in the Action bar.

Figure 18-3 eDirectory Browser Attributes List

18.7 Configuring TLS for eDir-to-eDir Drivers

If you want the eDir-to-eDir drivers to communicate securely, you must perform the following tasks:

Section 18.7.1, “Prerequisites,” on page 487
Section 18.7.2, “Enabling TLS,” on page 488
Section 18.7.3, “Creating Certificates,” on page 490

18.7.1 Prerequisites

Identity Vaults exist in your physical network tree as well as in the Modeler.
Each Identity Vault is set up. Otherwise, you are prompted for setup information when you try to create certificates.
Each driver set is associated with a server.
Using the eDir-to-eDir driver’s General property page, verify that each driver has a name and a deploy context. The context might be inherited from the driver set.
The eDir-to-eDir drivers have been deployed. Otherwise, Designer cannot create certificates.

To find out whether the driver has been deployed:

1. Right-click the eDir-to-eDir driver.
2. Click Live > Deploy.
3. In the eDir-eDir Driver Deployment dialog box, click No.

If the driver has been deployed, the Compare Status field in the Deployment Summary dialog box displays Equal or Unequal. Otherwise, the field displays Not Deployed.

After objects have been deployed, the objects should show as equal unless passwords are set in eDirectory that are not set in Designer. Designer does not deploy passwords unless they are specifically set in Designer. This exception prevents overwriting passwords in eDirectory because Designer cannot import them.

18.7.2 Enabling TLS

1 Launch the TLS Configuration dialog box.
  A common way to launch the dialog box is to right-click the eDir-to-eDir application, then click Secure Connection Settings.
  Other launch points:
    Select the eDir-to-eDir application, then click Model > eDir-to-eDir > Secure Connection Settings.
    Right-click eDir-to-eDir in the Outline view, then click Secure Connection Settings.
    Right-click an eDir-to-eDir driver, click Properties > Driver Configuration > Authentication, then click Configure TLS. The Configure TLS icon displays only on eDir-to-eDir driver pages.
2 Click Enable SSL/TLS.
3 (Optional) Use the Advanced TLS Configuration to select key size, hash algorithm, and validity period.
  The validity period is important for when a certificate has expired and you need to overwrite or create a new one.
4 Select a direction of trust.
  These options apply to certificates that Novell creates for eDirectory. The options do not apply to third-party security certificates.
  The default is Mutual Trust, which is considered to be the most secure.
  Unless you want to use the certificate for authentication, the option that you select doesn’t matter. If only encryption is important, you can select any one of the three options. If authentication is important, select the option that gives you the appropriate trust.

  Scenario: JJ Infrastructure Tree Trusts JT ID Vault. JJ Infrastructure Tree is the organizational certificate authority. JJ Infrastructure Tree signed a certificate and placed it in JT ID Vault. JT ID Vault trusts JJ Infrastructure Tree. The two vaults synchronize data through a secure connection. If the two vaults break their trusted relationship, JJ Infrastructure Tree can prevent sensitive data from being synchronized by revoking its certificate.

  Scenario: JT ID Vault Trusts JJ Infrastructure Tree. JJ Infrastructure Tree creates two certificates. One is placed in JJ Infrastructure Tree, and the other is placed in JT ID Vault. The two vaults synchronize data through a secure connection. If the two vaults break their trusted relationship, JJ Infrastructure Tree can prevent sensitive data from being synchronized by revoking its certificate.

  Scenario: Mutual Trust. JT ID Vault and JJ Infrastructure Tree both sign certificates.

5 Click OK.
  After you click OK, Designer does the following:
    Modifies both eDirectory drivers.
    Locks the User ID field, which displays on the driver configuration’s Authentication page, because both drivers must use that field.

You can enable or configure TLS without immediately deploying the drivers. You can turn the settings on. However, you can’t create SSL/TLS certificates unless the drivers have been deployed into their respective Identity Vaults.

If you enable SSL/TLS but want to create certificates later, you can do so. When you later deploy the eDir-to-eDir drivers, Designer guides you through steps to automatically create certificates.

18.7.3 Creating Certificates

A driver’s Properties page enables you to configure a driver so that you can deploy it. Similarly, the Enable SSL/TLS option enables you to set up your configuration for TLS, then create and deploy the certificates when you are ready. When you deploy a configured driver set or select Create eDir-to-eDir Certificates, Designer creates the certificates in the directory.

This section assumes that you have enabled and configured SSL/TLS for the deployed eDir-to-eDir drivers.

1 In the Modeler, right-click the eDir2eDir application.
2 Click Live > Create eDir-to-eDir Certificates.
  You can also do one of the following:
    Right-click the eDir2eDir object in the Outline view, then click Create eDir-to-eDir Certificates.
    The first time that you enable and configure SSL/TLS on a driver’s Authentication tab, click OK, then follow the prompts. A Create Certificates dialog box appears. Click Yes.

Scenario: Enabling TLS. TLS has not been enabled. Sandy selects Live > Create eDir-to-eDir Certificates. Designer prompts Sandy to enable SSL/TLS. Sandy clicks OK, enables TLS, selects a direction of trust, and clicks OK. Designer creates certificates.

Scenario: Deploying eDir-to-eDir Drivers. Sandy has configured the eDir-to-eDir drivers and the driver set. A context displays in the driver set’s Deploy Context field. Sandy is ready to deploy the driver set. Sandy right-clicks the driver set, then clicks Live > Deploy Driver Set. Designer prompts Sandy to deploy both eDirectory drivers. (Otherwise, Designer can't successfully create certificates.) Sandy clicks Yes. Designer builds a deployment summary, then lists items that are associated with the Identity Vaults and will be deployed. To deploy the drivers, Sandy clicks Deploy. Because the driver set is already configured, Designer creates the certificates.

For additional information on eDir-to-eDir certificates, see eDir-to-eDir SSL/TLS in Preferences.

18.8 Using DS Trace

Designer provides DS Trace so you can monitor DirXML events in your Identity Manager environment. DirXML events are those events accessible by using the DirXML and DirXML Drivers switches in eDirectory’s DS Trace service.

Designer uses LDAP to obtain this information from the Identity Vault. By default, it uses the default LDAP ports (389 or 636) to establish a connection. If your LDAP service runs on non-standard ports, make sure you specify the correct ports.

DS Trace lets you view live DS Trace logs, and create and view stored DS Trace log files.

  Section 18.8.1, “Viewing DS Trace Live,” on page 492
  Section 18.8.2, “Creating a DS Trace Log File,” on page 494
  Section 18.8.3, “Viewing a DS Trace Log File,” on page 494

NOTE: The DS Trace view is not the same as the Trace view, which provides information about Designer functionality. For information on the Trace view, see “Trace” on page 565.

DS Trace includes the following icons:

  The Resume Trace icon restarts a live DS Trace session that you have previously stopped. It is not available for DS Trace log files.
  The Stop Trace icon stops a live DS Trace session. It is not available for DS Trace log files.
  The Connect to Server icon launches the Login Credentials dialog box so you can authenticate to the server where you want to run DS Trace.
  The Load Trace Log File icon opens a previously saved DS Trace log file.
  The Save Trace icon saves the current live DS Trace session to a log file.
  The Search icon opens a Find/Replace dialog box where you can search the current DS Trace log file for a specific string. It is not available for live DS Trace.
  The Configure Trace icon provides access to live DS Trace settings. It is not available for DS Trace log files.
  The Clear Trace icon clears all DS Trace entries from the live DS Trace log.

18.8.1 Viewing DS Trace Live

You can view a live DS Trace for any Identity Vault in your Identity Manager environment.

NOTE: Designer provides live DS Trace preferences that let you specify how many entries to keep in the log and whether or not to auto-scroll the log so you can always see the most current entries. You can edit these preferences in Windows > Preferences, then select Novell > Designer > DS Trace from the left navigation.

If the Identity Vault is in your current Designer Project:

1 In the Object view or the Modeler, select an Identity Vault object, then select Live > DS Trace.
  Alternatively, you can right-click the Identity Vault object, then select Live > DS Trace.
2 Review the live DS Trace session as needed.
  By default, the DS Trace session is running. You can stop, resume, clear, and save the current trace to a file by using the icons in the DS Trace view toolbar.

If the Identity Vault is not in your current Designer project:

1 From the main Designer toolbar, select Tools > DS Trace.
2 In the DS Trace view, click the Connect to Server icon.
3 In the Login Credentials dialog box, specify the directory host name (or IP address), username, and password necessary to connect to the appropriate Identity Vault, then click OK.
  Select Secure Connection if you need to use SSL to connect to the Identity Vault server.
  You can open a DS Trace session to a different Identity Vault server at any time by clicking Connect to Server and providing the appropriate authentication credentials.
4 Review the live DS Trace session as needed.
  By default, the DS Trace session is running. You can stop, resume, and save the current trace to a file by using the icons in the DS Trace view toolbar.

18.8.2 Creating a DS Trace Log File

DS Trace lets you create log files of DS Trace entries so you can review them offline.

1 From the live DS Trace view, select the Save Trace icon.
2 Specify a name and location for the log file, then click Save.
  DS Trace saves the log file as a rich text file (.rtf) so it can maintain the color coding used in the live DS Trace view. You can view the log file with any editor that supports the .rtf file format.

18.8.3 Viewing a DS Trace Log File

The DS Trace view is an editor that enables you to view DS Trace log files.

Figure 18-4 The DS Trace View

To view DS Trace log files:

1 Click Tools > DS Trace.
2 Select the Load Trace Log File icon, then browse to and select the DS Trace log you want to open.
3 Review the DS Trace log file as needed.
  Use the Start Time, End Time, and Event drop-down lists to filter the trace file. This helps you narrow the displayed trace file data so you can more easily locate specific information. To clear an existing filter, click the Clear Filter icon.
  Select the Search icon (in the DS Trace icon bar) to open a Find/Replace dialog box that lets you search for a specific string in the DS Trace log file.

NOTE: The Eclipse text editor does not support color, so when you view a DS Trace file in Designer it displays in black and white. However, because Designer saves the DS Trace log file in standard Rich Text Format (.rtf), any external text editor that supports color displays the log file in color, as seen in the live DS Trace view.

18.9 Working with Generic Resources

A Resource object is stored in a Driver object or a library. A Resource object stores parameters, which drivers use at any time. When multiple drivers need the same set of constant parameters, the drivers use a Resource object.

A Generic Resource object in Designer enables you to store information in XML or text format. The information can be a piece of documentation, notes, or some piece of data that policies access.

  Section 18.9.1, “Creating a Generic Resource Object,” on page 496
  Section 18.9.2, “Editing a Generic Resource Object,” on page 498

18.9.1 Creating a Generic Resource Object

1 In the Outline view, right-click a driver, then select New > Resource.
  You can also do one of the following:
    Right-click a driver, then select New > Resource.
    With the Dataflow view active, right-click a Subscriber or Publisher channel, then select New > Resource.
    In the Outline view, right-click a library, then select New > Resource.
2 Specify the name of the Generic Resource object.
3 Select XML or Text as the content type.
4 Select Open the editor after creating the object, then click OK.
5 In the File Conflict dialog box, click Yes.
6 Specify the desired XML or text, then press Ctrl+S to save the resource object.

18.9.2 Editing a Generic Resource Object

1 In the Outline view, below the library, right-click the Generic Resource object, then select Edit.
2 In the File Conflict dialog box, click Yes.
3 Make changes, then save (Ctrl+S).

18.10 Updating Designer

When you start Designer, you are prompted about how you want to receive updates. You can change this setting in Preferences.

Figure 18-5 The Updates Tab

If you select to not automatically update Designer, you can get updates by using the Help menu or the Welcome page.

To update from the Help menu:

1 Click Help > Check for Designer Updates.
  If your version of Designer is up-to-date, a prompt informs you that no updates are available.
  If an update is available, a prompt lists components that you can update.
  If your version of Eclipse needs to be updated before you can install Designer, a dialog box prompts you to click the URL that takes you to the Designer download site.
2 Select the updates, then click OK.

To update from the Welcome page:

1 Click Help > Welcome.
2 Click the What’s New icon.
3 Click New Updates.
4 Follow the prompts to download and install the latest Designer.

19 Editing Icons for Drivers and Applications

The Icon editor enables you to create customized icons for your drivers and applications. You can enrich predefined templates or images with labels, choose background images and colors, and overlay images. Within minutes, you can create a custom branded icon for your implementation, including your company’s logo or name.

  Section 19.1, “Editing Driver Icons,” on page 501
  Section 19.2, “Editing Application Icons,” on page 505

19.1 Editing Driver Icons

1 In the Modeler, right-click a driver, then select Properties.
2 In Driver Properties, select the iManager Icon page.
  The object properties dialog box displays the default icon.
3 Click New to open the Icon editor.
4 To add a background color or image to your icon, select the Background tab.
  Background Color: Select a background color for the icon.
  Background Image: Select a background image.
  If you select a background image, you can configure how the image displays by using the Settings tab, which includes controls for Brightness, Hue, Saturation, and Gamma. The Icon editor makes color changes in real time, so you can see the effect of your changes as you make them.
5 To specify icon text, select the Labels tab, then click Add.
  To add a label to the icon, type a new label in the Text column. Text does not automatically wrap around. To create multi-line text, create a separate text entry for each line.
  You can also control label placement through the Offset X and Offset Y options, and edit font size, font type, and color for each text entry.
6 To add an overlay image to your icon, select the Overlay Images tab, then click Add.
  To select an image, select a cell in the File column.
  A small icon appears to the right of the file name. Click the icon and browse to the image you want to use as an overlay image.
  You can also control image placement through the Offset X and Offset Y options, and control the size of the image in pixels.
7 To create a similar icon for iManager, select the Derivations tab, then select Application.
  This transfers the icon to the driver’s or application’s iManager properties. (See the iManager icon on the driver properties page.) Some icons don’t convert cleanly between the Driver and Application icon formats, so you might need to clean it up after you create it.
8 When you are finished editing the icon, click Update.

19.2 Editing Application Icons

1 In the Modeler, right-click an application, then select Properties.
2 In Application Properties, select the General page.
  The object properties dialog box displays the default icon.
3 Click New to open the Icon editor.
4 To add a background color or image to your icon, select the Background tab.
  Background Color: Select a background color for the icon.
  Background Image: Select a background image.
  If you select a background image, you can configure how the image displays by using the Settings tab, which includes controls for Brightness, Hue, Saturation, and Gamma. The Icon editor makes color changes in real time, so you can see the effect of your changes as you make them.
5 To specify icon text, select the Labels tab, then click Add.
  To add a label to the icon, type a new label in the Text column. Text does not automatically wrap around. To create multi-line text, create a separate text entry for each line.
  You can also control label placement through the Offset X and Offset Y options, and edit font size, font type, and color for each text entry.
6 To add an overlay image to your icon, select the Overlay Images tab, then click Add.
  To select an image, select a cell in the File column. A small icon appears to the right of the file name. Click the icon and browse to the image you want to use as an overlay image.
  You can also control image placement through the Offset X and Offset Y options, and control the size of the image in pixels.
7 To create a similar icon for iManager, select the Derivations tab, then select Driver.
  This transfers the icon to the driver’s or application’s iManager properties. (See the iManager icon on the driver properties page.) Some icons don’t convert cleanly between the Application and Driver icon formats, so you might need to clean it up after you create it.
8 When you are finished editing the icon, click Update.

20 Version Control

Designer’s version control enables you to do the following:

  Provide simple document management by tracking revisions of your project, along with all the objects and files in that project
  Share those revisions with other members of your team
  Manage the history of your objects
  Make sure that every member of your team is using the same version of your project and Designer

Designer supports the Subversion version control system. Subversion is a stable open source product that is available for no cost and is released under the Apache license. For information on Subversion, see the Apache Subversion Web page (http://subversion.apache.org/). You can also find some pertinent information about using Subversion with Designer in Appendix E, “Version Control with Subversion and Identity Manager Designer,” on page 677, as well as Section 20.6, “Version Control Best Practices,” on page 543.

Version control allows teams to work together across continents or just across the hallway, in groups or as a single user.
The Version Control view gives you information about changes that your teammates are making in real time. The version control framework allows you to update, merge, and resolve conflicts with your teammates. If you are a single user, version control allows you to make backups, restore older versions, and have the freedom to explore project changes without risking data.

With version control, you can manage the history of your project, and you can go back to a previous revision and create tagged revisions for better release management. Anyone with permission can access these revisions. The Compare Revisions feature allows you to easily scan the history of your project, find relevant changes, and resolve project issues.

Version control functionality is available for all Identity Manager objects as well as for the contents of the Documents and Toolbox folders. Designer 3 and above supports version control for provisioning objects, but not for Analyzer. However, that functionality is planned for a future release.

  Section 20.1, “Installing a Subversion Server,” on page 510
  Section 20.2, “Checking In a Project to a Version Control Server,” on page 511
  Section 20.3, “Importing a Project from a Version Control Server,” on page 517
  Section 20.4, “Accessing the Version Control View,” on page 520
  Section 20.5, “Comparing Revisions and Resolving Conflicts,” on page 531
  Section 20.6, “Version Control Best Practices,” on page 543

20.1 Installing a Subversion Server

You can either install a Subversion server or use an existing Subversion server. Designer’s version control works with all supported Subversion server platforms.

This section provides a quick start for a basic Subversion server on Windows or Linux to use with Designer for Identity Manager. For more in-depth information on installing Subversion, see Subversion’s installation documentation at Installing Subversion (http://svn.apache.org/repos/asf/subversion/trunk/INSTALL).
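
Section 20.1.2 has you uncomment anon-access = read in svnserve.conf, which lets any client that can reach the server read the repository without logging in, and leaving that line commented out has the same effect because read is svnserve's default. The audit script below is an added example, not part of this guide or of Subversion; its function names, finding labels, and sample files are constructed, and it assumes svnserve's documented defaults and the sample users harry and sally from the stock passwd template.

```python
"""Audit svnserve.conf and passwd as set up in Section 20.1.2 (added example)."""

# svnserve's defaults when a key is absent or still commented out.
DEFAULTS = {"anon-access": "read", "auth-access": "write"}
# Sample users in the stock passwd template (assumption of this example).
SAMPLE_USERS = {"harry", "sally"}

# Constructed sample: the quick-start settings from Section 20.1.2, step 4.
QUICKSTART_CONF = """\
[general]
anon-access = read
auth-access = write
password-db = passwd
"""

# Constructed sample: anonymous access closed, but one line indented by mistake.
INDENTED_CONF = """\
[general]
anon-access = none
auth-access = write
 password-db = passwd
"""

# Constructed sample passwd file with one template user left in place.
SAMPLE_PASSWD = """\
[users]
harry = harryssecret
jdoe = constructed-password
"""


def parse_ini(text):
    """Return ({section: {key: value}}, [numbers of lines that start with whitespace])."""
    sections, indented, current = {}, [], None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out key keeps its default)
        if raw[0] in " \t":
            indented.append(number)  # step 4: no spaces at the beginning of the line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections, indented


def audit_svnserve(conf_text, passwd_text=""):
    """Return a list of (label, message) findings for the two files."""
    findings = []
    sections, indented = parse_ini(conf_text)
    general = sections.get("general", {})
    for number in indented:
        findings.append(("indented-line",
                         f"svnserve.conf line {number} starts with whitespace "
                         "and is not read as a setting of its own"))
    anon = general.get("anon-access", DEFAULTS["anon-access"]).lower()
    if anon != "none":
        findings.append(("anon-access",
                         f"anonymous clients have {anon} access; "
                         "set anon-access = none to require a login"))
    if "password-db" not in general:
        findings.append(("password-db",
                         "password-db is not set, so there is no passwd file "
                         "to authenticate users against"))
    users = parse_ini(passwd_text)[0].get("users", {})
    for name in sorted(users):
        if name in SAMPLE_USERS:
            findings.append(("sample-user",
                             f"template user '{name}' is still in passwd (step 6)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("quick start", QUICKSTART_CONF), ("indented", INDENTED_CONF)):
        print(label)
        for code, message in audit_svnserve(conf, SAMPLE_PASSWD):
            print(f"  [{code}] {message}")
```

With anon-access = none, only the users listed in passwd can reach the repository. That file holds the passwords in plain text, so restrict its file permissions to the account that runs svnserve.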

  Section 20.1.1, “Downloading and Installing the Server,” on page 510
  Section 20.1.2, “Configuring the Server,” on page 510

20.1.1 Downloading and Installing the Server

1 Download the most recent version of the Subversion file:
  Linux: Subversion Packages Web page (http://subversion.apache.org/packages.html)
  Windows: Tigris.org (http://subversion.tigris.org/servlets/ProjectDocumentList?folderID=91)
2 Run the installer and accept the license agreement.
3 Specify the location to install Subversion.
4 For Windows, specify a location in the Start menu.
5 Follow the on-screen instructions to complete the installation.

20.1.2 Configuring the Server

1 Create a directory to contain the Subversion server repository.
2 Run the svnadmin create command to create the repository at that directory location:
    svnadmin create [location_of_Subversion_repository]
3 Go to the [location_of_Subversion_repository]\conf directory, which was created when you installed the Subversion server.
4 Edit the svnserve.conf file by uncommenting the following lines in the General section (there should be no spaces at the beginning of the lines):
  Line to Uncomment: anon-access = read
  Result: Anonymous users can read your repository.
  Line to Uncomment: auth-access = write
  Result: Authenticated users can edit your repository.
  Line to Uncomment: password-db = passwd
  Result: Usernames and passwords are stored in a file named passwd in your conf directory.
5 Edit the passwd file in the same directory.
6 Remove the sample users from the Users section and add your own users.
7 Open a command prompt and start your server by using the following command:
    svnserve --daemon --root [location_of_Subversion_repository]
8 Open a second command prompt.
9 Create a trunk folder in your repository with the following command:
    svn mkdir -m "Creating a trunk directory." svn://localhost/trunk
10 Authenticate to Subversion.
  If you are using Windows, and your username is the same as your Windows username, enter your password. Otherwise, press Enter at the password prompt and enter a username when prompted.

You can also access this server from other computers by replacing localhost in the URL with the network name of the server machine.

You are now ready to import or add projects to version control by using Designer for Identity Manager. You might want to create a more complete directory structure before adding Identity Manager projects. For more information about how to best use Subversion with Designer’s version control, see Appendix E, “Version Control with Subversion and Identity Manager Designer,” on page 677.

IMPORTANT: Designer is shipped with the SVN client version 1.5. You can use newer versions of the SVN server, because the SVN servers are backward compatible. However, if you are using the newer version of the SVN server, the client must communicate with the server using the svn:// or http:// protocols. If you create an SVN repository on the local file system using an external client such as Tortoise SVN and then access the SVN repository through Designer using the file:/// protocol, Designer fails to work.

20.2 Checking In a Project to a Version Control Server

1 In the Project view, right-click a project name, then click Check In.
  You can also select the Check Project Into Version Control Server icon on the main toolbar.
2 If the project you are checking in already exists on the version control server, skip to Step 8.
  or
  If the project you are checking in does not exist on the version control server, you see the Check In Project page displayed. Continue with Step 3.
3 If you have multiple projects in the Project view and you clicked the Check Project Into Version Control Server icon, select the project you want to check into the version control server from the Select Project drop-down list.
  If you select Check In from the Project view, you won’t see the Select Project list.
4 Under Step 1. Specify your repository location, provide a URL pointing to where you want the project to reside on the version control server.
  The Check In Project page gives three examples:
    c:/subversionrepo
    http://subversionserver.mycompany.com
    svn://localhost
    https://subversionserver.mycompany.com/svn/myrepository
  The list of supported protocols includes:
    svn
    http
    https
    file
    svn+ssh
  You can click the Browse icon to browse for folders that are saved either locally or on a network drive. You can also create a new folder from the Browse For Folder page.
5 Under Step 2. Specify the location of your project, type the folder name that will contain this project on the version control server.
  You can also click the Browse icon to bring up the Version Control Server Browser page. This browser helps you determine the correct URL where projects are stored and only shows base folders and corresponding projects.
  The base folder cannot be a directory of a Designer project. However, the base folder can contain multiple projects as subdirectories. You create base folders through an external SVN client.
6 (Optional) Under Step 3. Provide a comment for your project, type a comment concerning the project, then click OK.
  Whenever you perform an operation that affects the contents of the server, you are prompted for a comment. Comments are useful when keeping track of the changes you make from one session to another.
7 (Optional) If you have made changes to more than one project in the Modeler view, you need to save those changes before checking a project into version control.
  7a Select Save All Editors to bring up the Save Resources page, which allows you to save all open projects.
  7b On the Save Resources page, click OK.
    You are returned to the Check In Project page.
8 Provide authentication to the Subversion server if required.
  Depending on the type of security you have set up, you might need to supply SSH authentication, SSL client certificate authentication, or basic HTTP authentication.
9 If you are updating an existing project on the version control server, add new information to the Comment section of the Check In Project page.
  If you are updating a project, you see the selected project, the object’s children that have changes to be checked in, and objects that depend on the project and need to be checked in. If you choose to check in a single object, you only see that object in the Check-in page.
10 If you have more than one project open in the Modeler view, click Select Project to choose which project you want to save to version control.
11 (Optional) If you have made changes to more than one project in the Modeler view, you need to save those changes before checking a project into version control.
  11a Select Save All Editors to bring up the Save Resources page, which allows you to save all open projects.
  11b On the Save Resources page, click OK.
    You are returned to the Check In Project page with an updated list of what is being checked in.
12 Click OK to commit the files to the version control server. When the files are committed, click OK to close the Commit page.

20.3 Importing a Project from a Version Control Server

Designer’s Import dialog box lists projects and enables you to select projects that you want to import.
There are a number of ways to access the Import dialog box in order to import projects from a version control server, and this example covers one of those methods.

Figure 20-1 The Import Wizard

1 In the toolbar, select File > Import.
  or
  If no projects are available, select Import from version control from the Project view.
2 Click Project (From Version Control) > Next.
3 Type a URL in the Version Control Server URL or file path field, then press Enter. For example:
    https://sun.provo.novell.com/svn
    svn://123.123.131.120/trunk
4 (Optional) You can also type a file path to the version control repository, or select the Browse icon to browse to the directory where the repository resides.
5 Provide authentication to the Subversion server if required.
  Depending on the type of security you have set up, you might need to supply SSH authentication, SSL client certificate authentication, or basic HTTP authentication.
6 The projects appear under the Projects: heading in a tree structure. Select a project file under the directory.
  Use the Refresh icon to see current changes to the repository.
7 Click Finish. On the Version Control page that shows you the version control server status, click OK.
  The projects are imported into Designer and are added to the Project view and the Version Control view.

20.4 Accessing the Version Control View

You access version control functionality by using the Version Control view.

Figure 20-2 The Version Control View

The Version Control view does the following:

  Gives you a dashboard status of your interaction with version control
  Lists the files that you are working on
  Displays the changes that your teammates have made in real time

The Version Control view is the main interface with version control. You find most of the version control operations and information in this view.
This view is empty until you import from or check in a project to the version control server.

The Version Control view automatically displays when you import an existing project from a version control server or check in a project to a version control server. To open the view manually, select Window > Show Views > Version Control.

  Section 20.4.1, “Version Control Icons,” on page 521
  Section 20.4.2, “Version Control View Headings,” on page 523
  Section 20.4.3, “Version Control Options,” on page 523

20.4.1 Version Control Icons

The Version Control view contains seven icons that allow you to interact with version control. Six icons are to the right of the Version Control tab. They are the Filter icon, the Refresh icon, Expand All and Collapse All, and the Minimize and Maximize icons. The seventh icon is the Version Control Project Status icon, which is located in the bottom right corner of Designer.

Figure 20-3 Details in the Version Control View

Filter Icon: Use the Filter icon to limit the number of projects that are displayed in the Version Control view. Click the Filter icon, then select the projects you want to filter out of the Version Control view.

Figure 20-4 Version Control Filter Page

Refresh Icon: Click the Refresh icon to refresh the Version Control view. Designer communicates with the Subversion server and refreshes the Version Control view with any updates performed by other users who are modifying the same projects.

Expand All/Collapse All Icons: Click the Expand All icon to expand all items in the Version Control view. Click the Collapse All icon to collapse all items in the Version Control view.

Minimize/Maximize Icons: Click the Minimize icon to minimize the Version Control view. Click the Maximize icon to maximize the Version Control view.

Version Control Project Status Icon: Mouse over the Version Control Project Status icon to see the status of the objects in the Version Control view.
The Version Control Project Status icon gives you a quick status for version control and works like a traffic light. You can move this icon to a different location in Designer to suit your preferences.

Table 20-1 Version Control Project Status Icon Colors and Description

  Green. Everything is up-to-date.
  Yellow. Updates are available from the version control server.
  Red. There are conflicts between the local version and the version control server.
  Grey. Designer is unable to contact the version control server.

20.4.2 Version Control View Headings

The Version Control view has four headings: Object, Status, Date, and User.

Object: This column displays the objects that are connected to the project that is stored on the version control server. Right-click an object in the Version Control view to display the available options. These options are covered in Section 20.4.3, “Version Control Options,” on page 523.

Status: This column displays the current state for objects in a project, as indicated by the following icons:

Table 20-2 Status Icons

  (none) This object is up-to-date, with no new revisions available.
  Unversioned. This object has not been added to the version control server.
  Deleted. This object has been deleted from the version control server.
  Updates with Merge. This object has updates that might conflict with the changes you have made (see Section 20.5, “Comparing Revisions and Resolving Conflicts,” on page 531).
  The project object has been updated from an older version selected from the Revision History page. The object changes back to normal when you update (see “History” on page 527).
  This object has new child objects available.
  This object has new updates available.
  This object has been modified locally.

Date: This column shows the date when the last changes to the objects in the Version Control view occurred.
The date and time change when you modify an object and commit those changes to the version control server.

User: Displays the name of the last person who updated the object.

20.4.3 Version Control Options

Right-click an object in the Version Control view to display the available options.

Figure 20-5 Available Version Control Options

The options affect the object selected, as well as any child objects that correspond to the selected object. For example, performing a Revert on the project object affects the entire project, but performing a Revert on the Subscriber channel of a Lotus Notes driver only affects the Subscriber channel and any objects (such as policies) that depend on the Subscriber channel.

“Clean Up”
“Commit”
“Get Updates”
“Revert”
“Delete”
“History”
“Comparing Versions”
“Properties”

Clean Up

Use the Clean Up option only when you are prompted to. Sometimes a project is in a “locked” state. At this point, version control requires you to run Clean Up before it lets you do anything else with the project, and you receive a message telling you to run the Clean Up option.

Commit

Use the Commit option to have your local changes checked into the version control server for the object you have selected.

Figure 20-6 Checking In an Object to the Version Control Server

When you click OK, the check-in is committed to the version control server. Click OK to close the Commit screen.

There are also Check-in capabilities in the Project and the Outline view (right-click a project and select Check In), and a Check In icon in the main toolbar.

Get Updates

Use the Get Updates option to get the latest version of the selected object from the version control server.

Figure 20-7 Receiving Updates from the Version Control Server

If you have more than one project open that is checked in to the version control server, select which project you want to update from the Update page, then click OK to begin the update.

If there are conflicts between your local version and the version control server, you see the Conflict Resolution page, which includes a method to resolve those conflicts. For more details, see Section 20.5, “Comparing Revisions and Resolving Conflicts,” on page 531.

There are also Update capabilities in the Project and the Outline view (right-click a project and select Update), and an Update icon in the main toolbar.

Revert

Use the Revert option to return the selected object to the version you last checked out from the version control server. This allows you to cancel your recent changes; you see a message screen displayed, confirming your choice to revert. You can also use this option to restore files that you have deleted since the last time you checked in.

WARNING: By using this option, you lose any changes you have made since the last time you checked it in, including any files in your project that have not been checked into the version control server. Designer deletes all project files that are not in the version control server.

Delete

Use the Delete option to delete a project from the version control server. This option is only available for project objects. Although you can delete objects within a project from other views in Designer, you can remove the entire project only through the Version Control view. Selecting the Delete option immediately deletes the selected project, and you are prompted for a comment for your actions.

History

Use the History option to view the revision history of an object and all the changes that have been made to that object. You can also use this option to select an earlier version of a project.

Figure 20-8 Revision History in the Version Control View

You can use the Revision History page to see who made a change, when the change was made, the tag name (if it is filled out), and the comment provided for the change. The yellow arrow indicates your currently loaded version.

Version numbering of projects and how numbering works with the objects in a project is a very complex issue. For more information about how revision numbering works in Subversion, see Section E.1.1, “How Revisions Work In Subversion,” on page 677.

The Revision History Page For a Project

You have more options when you right-click a project object in version control and then select History.

Figure 20-9 Revision History of Projects

If you select History for a project object, the Revision History page allows you to select a version of a project object from the list of revisions. You can then view the contents of earlier versions and bring those versions up-to-date with your latest revision.

Get Revision

Select the revision for the project you want to work with, then click Get Revision. Answer Yes to save all of the editors in this project. That version of the selected object is downloaded from the version control server and becomes the version of the project you are working on.

If you select an older version of a project, the project has a special status icon in the Version Control view. This icon indicates that your project came from history instead of being out-of-date, but its status returns to normal after you select Update. If you make changes to the historical version and select Update, you are presented with a Revert Local Changes page, allowing you to keep your local changes or to revert your local changes.

Figure 20-10 Reverting Local Changes

If you have made deliberate changes and want to now save those changes to the version control server, select Keep my local changes (default).
If you made inadvertent changes to the project, or if you just wanted to see what was in this historical version, select Revert my local changes before performing the update.

Creating a Tag for a Project

If you select a project object, you can create a tag for any of the revisions listed in the Revision History page. This allows you to give a project revision a more memorable name instead of a revision number. To create a tag, right-click a revision and select Create Tag. This brings up the Tag for Revision page.

Figure 20-11 Adding a Tag To a Selected Revision

Provide a tag name that is significant to this version of the object and click OK. The tag name is added under the Tag heading in the Revision History page. When you close the Revision History page, you are asked to add a comment to all of the tag names that you have added.

Comparing Versions

See “Comparing Revisions” on page 532.

Properties

Use the Properties option to view the properties of an object that has been added to version control.

Figure 20-12 Object Properties Page

Important information includes the location of the object on the version control server, the loaded revision number, the latest revision number, and any comment concerning the most recent check-in. You cannot make changes to this information.

20.5 Comparing Revisions and Resolving Conflicts

Section 20.5.1, “Comparing Revisions”
Section 20.5.2, “Resolving Conflicts”
Section 20.5.3, “The Modeler View Layout In a Team-Enabled Environment”
Section 20.5.4, “Provisioning Objects”

20.5.1 Comparing Revisions

Use the Compare Revisions option to compare what has changed between your local copy and the latest copy on the version control server. You can compare any object that has been checked in to the version control server.
Use this option to compare historical versions to your local copy, or to other historical versions.

NOTE: For the Compare Revisions option to work, you must be able to communicate with the version control server. If the version control status icon at the lower right of Designer is grey, Designer is not communicating with the version control server. Mouse over the version control status icon for further connection information.

To use the Compare Revisions option, select a project or any other object in the Version Control view and select Compare Revisions.

Figure 20-13 Comparing Revision Changes

The Compare view appears in the main editor section of Designer and is displayed as a tree with the object highlighted. The top bar indicates the object that is selected and which revisions are being compared. Version control uses a left-to-right display of information. The left side shows local copy information and the right side shows the version from the version control server.

Because there is no information in the Outline view, you can double-click the Compare view tab to expand the view to fill Designer. Double-click the Compare view tab again to have it return to its normal size, or click the Restore icon in the lower right corner.

You can select the Change left-side revision or Change right-side revision icons to view the other versions that you have saved to the version control server. For example, if you want to compare your local copy to a different version on the server, click the right-side icon. If you want to compare the server version to an earlier server version, click the left-side icon. When you select a different version from the History page, the top bar title changes to reflect the different copy comparisons.

Click the Expand All or the Collapse All icon to expand/collapse all items in the Compare view.
To see a snapshot of the changes in an object, click the overview icon to the right of the object to bring up the Overview page for the selected object.

Figure 20-14 Viewing a Quick Overview of Changes

If the object you selected is made up of more than one file, you see a drop-down menu listing the files. Select a file from the menu to view the changes to that file.

To view the actual changes in more detail, click the Expand icon in the Overview page or double-click the object in the tree view. You can also click the Compare selected item icon next to the tree-view icon.

Figure 20-15 Double-click the Object To See a Detailed Description of the Changes

You can use the Next Difference/Previous Difference icons or the Next Change/Previous Change icons to move between the file’s changes. You can also click the blocks on the right side to jump to the file’s changes. After you have drilled down and have seen the differences at an object level, click the tree-view icon to return to the tree view.

When to Use Compare Revisions

There are three good reasons to use the Compare Revisions option.

Finding Problems. You can use the Compare Revisions option to locate when a specific problem was introduced to a project. You can determine when a change was made, who made that change, and why the change was made. If someone on your team broke a policy, you can see when it was broken, who broke it, and what their comment was when they checked it in.

Change Overview. You can also use the Compare Revisions option to get an overview of the changes that have been made to a project. By choosing different revisions, it is easy to see all of the changes that were made to a project in a given period of time.

Conflict Resolution. The Compare Revisions option can help you resolve conflicts. When you compare your local version and the latest from the server, the conflicts are highlighted in red and you can see the specific conflicts.
See Section 20.5, “Comparing Revisions and Resolving Conflicts,” on page 531.

20.5.2 Resolving Conflicts

“Example 1: Checking In Changes to the Same Object”
“Example 2: Core Model Object Conflicts”
“Example 3: Deleted Projects”

Example 1: Checking In Changes to the Same Object

If Bob and Terri are working on a project and they both try to edit the object in the version control server at the same time, they have a conflict. Suppose Bob checks in first. Designer is communicating with the version control server in the background and collects status information on all of the objects that are checked out. If there is a conflict, the Version Control Project Status icon changes to red and Terri sees a warning message when she mouses over the icon.

Figure 20-16 Receiving a Conflict

When Terri attempts to check in, she receives an error message telling her to update before she checks in.

Figure 20-17 Conflict Message

If she clicks OK and performs the update, version control tries to automatically merge the differences between Bob’s and Terri’s changes. However, if their changes cannot be automatically merged and Terri tries to update, she sees the Resolve Conflict page, allowing her to see the differences between her local version and the version on the version control server.

Figure 20-18 Choose Either the Local Version or the Checked-In Version

The red markers on the right side of the Resolve Conflict page show the data that is in conflict, and the blue markers show the modified local data. Terri can then choose to either keep her local version or to overwrite her local version with the one on the version control server. The Resolve Conflict page also shows the path of the file with the conflict.

Example 2: Core Model Object Conflicts

In some conflicts, the core model objects can merge manually at an attribute level, allowing you to change the attributes so that they are no longer in conflict. If the conflict is of this nature, you see the Conflict Resolution page, allowing you to manually resolve the conflicts.

Figure 20-19 Resolving Attribute Conflicts

When you have made the necessary attribute changes, select Resolve Conflict.

Example 3: Deleted Projects

If the project has been deleted from the version control server, you are given three choices: delete the local project, keep the local project as an unversioned project, or restore the project on the version control server.

Figure 20-20 Choosing What to Do with Deleted Projects

20.5.3 The Modeler View Layout In a Team-Enabled Environment

Designer handles saves by multiple users in a complex manner. Your personal Modeler view layout in a team environment changes as others change their Modeler view layout and check in their changes to the version control server. When you perform an Update from the version control server, you get the last Modeler view layout that was checked into version control. Remember that it’s just the layout that is changing and not the data.

For example, suppose Bob and Terri are working on a new project. Terri creates the project and checks the project into version control.

Figure 20-21 Terri Creates a New Project

Terri tells Bob about the new project and Bob imports the project from the version control server. Bob then adds a domain group and another driver, and checks those changes into version control.

Figure 20-22 Bob Adds Information to the Project and Checks It Back Into Version Control

During this time, Terri was working on the first driver and made only minor changes to the Modeler view, but they were enough to create local differences.
When Terri saves her changes locally, then updates the project from the version control server, she sees that her Modeler view changes are merged with Bob’s Modeler view changes.

Figure 20-23 Terri’s Modeler View Changes are Merged with Bob’s

However, if Bob changes the Modeler layout again (and checks in) and Terri does not (no conflict), Terri gets Bob’s Modeler layout the next time that Terri updates from the version control server.

Figure 20-24 Bob’s Last Check-in

As a best practice, define a Modeler layout that the team can live with and leave it alone.

20.5.4 Provisioning Objects

In Designer 3.0 and above, provisioning objects such as the directory abstraction layer, Provisioning request definitions, teams, and roles, can all participate in version control. The Version Control view below illustrates how provisioning objects appear.

Figure 20-25 Provisioning Objects in the Version Control View

The Version Control view reflects provisioning objects in a slightly different hierarchy than the Outline view. Under the User Application entry, you see a node called Components. This is the main node under which all provisioning objects are located. Application Configuration and Locale Configuration are also new nodes in the tree. System objects and unsupported objects are also visible in the Version Control view.

20.6 Version Control Best Practices

Managing a team environment with version control can be a challenging task. Combining version control with Identity Manager Designer has its own set of issues. This section includes some tips and best practices for using version control with Designer.

Section 20.6.1, “Best Practices”
Section 20.6.2, “Managing Packages Best Practices”
Section 20.6.3, “Best Practice Scenarios”
Section 20.6.4, “Subversion and Version Control Interaction Rules”

20.6.1 Best Practices

Coordinate all Designer upgrades with your entire team. When you upgrade to a new version of Designer, many of the files in your project are changed by the project converter, so you need to coordinate with the rest of your team. In the ideal upgrade process, everyone checks in all of their changes, one team member runs the project converter and checks in the converted project, then everyone installs the new version of Designer and re-imports the project.

Coordinate deployment. When you are using version control and the same eDirectory server with multiple people, it is possible to overwrite changes. You should coordinate deployment with your team members to make sure that you do not overwrite other team members’ changes. Best practice is to assign one person to deploy a project to a production environment.

Assign policies. Assign one team member to a policy rather than having multiple team members work on one policy. Multiple team members writing and modifying shared policies in a driver is a recipe for disaster.

Define an acceptable Modeler layout for the team. Personal Modeler layouts in a team environment are only maintained if there is a version control conflict on the Modeler layout between your Modeler view layout and another’s Modeler view layout. If there is no conflict and you perform an update from the version control server, you get the last Modeler layout that was checked into version control.

Compare, Check in, and Check out the objects at the root level. This helps to ensure that all objects are stored in the version control repository.

Check in the project from the version control view for existing projects.
You can check in from the outline view or project view as well, but it may cause performance issues.

Use the same version of Designer within the team when working with version control. This is because the newer version of Designer may create objects that the older version of Designer may not be able to process.

Update your Identity Vault before migrating from a test environment to a production environment. Change the IP address and the credentials of the Identity Vault to point to the production eDirectory server before you migrate the test eDirectory shared servers to the production environment.

Use a production environment administrator account that is located in the production server network. It is recommended to have the production environment administrator on the same network as the production server to avoid network or VPN issues. This is because importing or deploying Designer projects to Identity Manager can be slow over VPN.

20.6.2 Managing Packages Best Practices

This section includes some best practices for managing packages in version control.

“Creating Packages”
“Checking In and Updating Packages”
“Upgrading and Downgrading Packages”

Creating Packages

A single user should be assigned to create a package and its newer versions, and then check in the packages to enable the other team members to add or modify the content of the packages.

A single user should be assigned to create a driver and check in the corresponding packages of the driver.

A Designer project cannot contain multiple instances of the same package. When you import or create packages in a version control environment, ensure that you do not import and then check in the same package and version already checked in by another user. Multiple instances of the same package, especially a common package used by more than one parent package or driver, can cause conflicts in Subversion.

Checking In and Updating Packages

1 Check in the entire catalog, and check in the driver and the parent objects of the driver (if available).
2 Update the entire catalog. This ensures that all the objects are imported into the Designer workspace.

Upgrading and Downgrading Packages

A single user must be responsible for upgrading and downgrading the packages and checking them in.

20.6.3 Best Practice Scenarios

There is no one-size-fits-all scenario for using version control with Designer. This section identifies some user situations that we used for best practice scenarios. These scenarios are specific step-by-step guides to be used in addition to those outlined in the Best Practices section.

“One-Person Project”
“Small Team with One Shared eDirectory Server”
“Small Team with Individual eDirectory Servers”
“Medium-Sized Team with a Shared Test and Production Environment”
“Single Consultant Working for Multiple Companies”

One-Person Project

Figure 20-26 One-Person Project

Version control is very useful in a team environment, but it is also very useful in an individual environment. Version control allows a single developer to make backups, restore older versions, and have the freedom to explore project changes without risking data.

Alice decides to work on a project alone. She creates a new project and checks that project in to the version control server. She makes changes to the project and deploys them to a development server for testing. She frequently checks her changes into the version control server so she can easily explore the history of her project later. Alice can optionally use tagging to specify which project revisions are stable revisions. If she is unsatisfied with any project changes, she can revert those changes or get an older copy of her project from history.
When she is happy with her changes, she deploys the project to an eDirectory server in the production environment.

Small Team with One Shared eDirectory Server

Figure 20-27 Small Team Scenario #1

Alice, Bob, and Carol are working together on a project. They are assigned the following roles:

Alice - Administrator
Bob and Carol - Engineers

Alice creates the new project and checks it into the version control server. Bob and Carol import that project and they all work on the project together. Alice, Bob, and Carol agree on ownership of Identity Manager objects and do not often edit each other’s objects. When Alice, Bob, or Carol want to deploy their changes to the shared development environment, they are careful to deploy just their own changes and not corrupt or overwrite the common objects that can overlap during development. Everyone is diligent about updating frequently in order to avoid conflicts.

They all deploy to the same shared development server so they can test their changes in the same environment. When each team member is happy with the results, they check in their changes to the version control server.

When they are ready to deploy their project to an eDirectory server in the production environment, Alice performs an update to get the latest changes from the version control server and then deploys the project to the production server. Alice manages all deployment to the production server so the team maintains control over the changes in the production environment.

Small Team with Individual eDirectory Servers

Figure 20-28 Small Team Scenario #2

Alice, Bob, and Carol work together on a project. They are assigned the following roles:

Alice - Administrator
Bob and Carol - Engineers

Alice (the administrator) creates a new project and checks it into the version control server. Bob and Carol then import that project and they all work on the project together.
Alice, Bob, and Carol don’t need any boundaries for object editing and they are all welcome to edit every object in the project. They update frequently and resolve conflicts when they occur.

Alice, Bob, and Carol each have their own eDirectory development server to deploy to and can deploy changes without the need to consult each other. They change, deploy, and test their changes and then check them into the version control server.

When they are ready to deploy to the production server, Alice updates her project to get the latest changes from version control and then deploys them to her development server. After she has verified that everything works as expected, she deploys the changes to the eDirectory server in the production environment. Alice manages all of the deployment to the production server to make sure it is a controlled environment.

Medium-Sized Team with a Shared Test and Production Environment

Figure 20-29 Medium Team Scenario

Alice, Bob, Carol, Dave, and Edgar all work together on a project. The following roles are assigned to all team members working on this project:

Alice - Administrator
Frank, George, and Hector - Part time consultants
Bob, Carol, Dave, and Edgar - Engineers
Ingrid - Integration Test Engineer
Pat - Production Environment Administrator

Frank, George, and Hector work part-time on this project and consult for other projects.

Alice (the administrator) creates the project and checks it into the version control server. Bob, Carol, Dave, and Edgar import the project from the version control server and they all begin working on the project and deploying to the same eDirectory development server.

Frank, George, and Hector work mostly in an advisory capacity and do not own any objects in the project. They consult with Alice before making changes. Frank, George, and Hector are careful when they deploy changes so that they don’t overwrite the changes of the object owners.

Alice, Bob, Carol, Dave, and Edgar mostly focus on changing their own objects, but Ingrid (the integration test engineer) focuses on testing the entire project on a separate development server. She imports the project from version control and updates frequently to get changes from the rest of the team. She deploys those changes in the controlled development environment and tests them there. Ingrid makes only the changes necessary to deploy to the test server and does not check any changes into the version control server.

When Ingrid is satisfied with a version of the project, she creates a project tag in version control and certifies that revision of the project as deployable to the production environment. She then asks Pat (the production environment administrator) to deploy the project to the production server and tells him which tag should be deployed.

Pat imports the project from the version control server. He then uses the Get from History function to get the specific revision that Ingrid has tagged. After he has that version, he makes only the changes necessary to deploy the project to the production server and deploys the project. The rest of the team can continue to work on the project during this time because Pat has locked his version of the project to the revision that Ingrid has certified as deployable to the production environment.

Single Consultant Working for Multiple Companies

Figure 20-30 Working for Multiple Companies

Constance (the consultant) works for multiple companies, helping them with their Identity Manager projects. On Monday, she works for Ancillary Incorporated. She imports the project from the version control server at Ancillary Inc. and deploys the project to the Ancillary development server. Constance communicates frequently with the Ancillary Inc. team members and makes sure to never overwrite the objects from the Ancillary Inc.
team on the eDirectory production server.

On Tuesday, Constance works for Beyond Limited. She closes the Ancillary project and imports the project from the Beyond Limited version control server. She follows established procedures when working with the Beyond Limited team and carefully separates the changes for each company.

20.6.4 Subversion and Version Control Interaction Rules

Do not use the Subversion command line. People familiar with the Subversion command line might be tempted to use it with Designer to perform simple commits or updates. Designer has many tools to manage the merging and object dependencies within an Identity Manager project. Using the Subversion command line bypasses these tools and can easily lead to a corrupted project and data loss.

Do not use other Subversion clients. Tortoise, Subclipse, or any other Subversion client can cause the same problems as the Subversion command line. Do not use them on the same working copy you are using for Designer.

21 Setting Preferences

Section 21.1, “Finding Preference Pages”
Section 21.2, “General”
Section 21.3, “Help”
Section 21.4, “Novell”
Section 21.5, “Validation”
Section 21.6, “Web”
Section 21.7, “XML”

21.1 Finding Preference Pages

You customize Designer by setting options in Preferences.

1 From the main menu, select Window > Preferences.
2 Select a heading (for example, Novell) or navigate to a subheading.
3 Make changes, then click Apply or OK.

21.2 General

The General preferences page includes the following settings:

Table 21-1 Preferences: General

Setting | Description
Searches all the preferences and shortens the tree view, depending upon what you type in the edit box.
Always run in background | Enables operations to run in the background without disturbing you.
Keep next/previous part dialog open | Keeps the editor and view dialog boxes open when an activation key is released. Normally, the dialog box closes as soon as the key combination is released.
Show heap status | Places a field in Designer’s bottom right corner and displays the amount of memory being used of total memory available.
Open mode: Double click | Opens a project when you double-click it.
Single click: Select on hover | Selects the setting when the cursor hovers there.
Single click: Open when using arrow keys | Opens the setting when you select it.

Additionally, the following preferences categories appear as General sub-pages:

Section 21.2.1, “Appearance”
Section 21.2.2, “Compare/Patch”
Section 21.2.3, “Content Types”
Section 21.2.4, “Editors”
Section 21.2.5, “Keys”
Section 21.2.6, “Network Connections”
Section 21.2.7, “Perspectives”
Section 21.2.8, “Startup and Shutdown”
Section 21.2.9, “Web Browser”
Section 21.2.10, “Welcome”

21.2.1 Appearance

Figure 21-1 Preferences: General > Appearance

Table 21-2 Preferences: General > Appearance

Setting | Description
Current Presentation | Allows you to choose between Designer’s presentation, the current presentation, or the Eclipse 2.1 style presentation.
Override presentation settings | Alters how the tabs and views appear in the workbench.
Editor tab positions | Positions tabs on the Modeler, Novell XML editor, or Text editor at the top or bottom.
View tab positions | Positions view tabs (for example, the Project view tab) at the top or bottom of views.
Perspective switcher positions | Positions the Perspective Switcher at the left, top left, or top right of the workbench.
Show text on the perspective bar | Determines whether text (for example, Designer) displays next to the icons in the Perspective Switcher.
Current theme | The general theme (colors and fonts) that Designer uses. Choices are Default (current), reduced palette, and R 3.0 theme.
Show traditional style tabs | Displays square Windows-style tabs. The alternative is rounded tabs.
Enable animations | Animates views (for example, Fast Views) and editors that you minimize, maximize, or restore. Reinforces tasks in Designer.
Enable colored labels | Displays colors on labels, if the labels have colors defined.

Colors and Fonts

To change a color:

1 Under General, expand Appearances.
2 Select Colors and Fonts.
3 Expand an option (for example, Basic).
4 Select an item (for example, Active hyperlink text color).
5 Click the color button.
6 Select a color from the Color palette, then click OK.

To change a font:

1 Under General, expand Appearances.
2 Select Colors and Fonts.
3 Expand an option (for example, Basic).
4 Select an item (for example, Banner Font).
5 Click Change.
6 Select a font, style, and size, then click OK.

Label Decorations

Label decorations display additional information about an item on its label or icon. Select the desired label decorations:

Binary Plug-in Projects
File Icons Based on Content Analysis
Java Method Override Indicator
Java Type Indicator
Linked Resources
Provisioning Element Decorator

21.2.2 Compare/Patch

This Eclipse functionality customizes the behavior of the comparison editor. When you select to compare or synchronize two or more resources in the Workbench, one or more comparison editors usually open.

Table 21-3 Preferences: General > Compare/Patch General Tab Settings

Setting | Description
Open structure compare automatically | Makes visible an additional information area that shows differences in the underlying structure of the resources being compared.
This information might not be available for all comparisons. The default is On.
Show structure compare in Outline view when possible | Displays the structure compare in the Outline view, whenever it is possible.
Show additional compare information in the status line | Causes the status line to display additional context information about the comparison. The default is Off.
Ignore white space | Causes the comparison to ignore differences that are white space characters (for example, spaces and tabs). Also causes differences in line terminators (LF versus CRLF) to be ignored. The default is Off.
Automatically save dirty editors before patching | Controls whether any unsaved changes are automatically saved before a patch is applied. The default is Off.
Added/Removed lines | These options control whether a line is counted as added and removed when applying a patch. Both options use regular expressions.
Filtered Members | Specify names, separated by a comma, that are excluded from the Compare With Each Other option.

You can change how the text is displayed in the compare option.

Table 21-4 Preferences: General > Compare/Patch Text Compare Settings

Setting | Description
Synchronize scrolling between panes in compare viewers | The two comparison viewers lock scroll along with one another to keep identical and corresponding portions of the code in each pane side-by-side. Turn this option off if you don’t want the compare viewers to lock scroll.
Initially show ancestor pane | Sometimes you want to compare two versions of a resource with the previous version from which they were both derived. This is called their common ancestor, and it appears in its own comparison pane during a three way compare. Turn this option on if you want the ancestor pane to always appear at the start of a comparison.
Show pseudo conflicts | Displays pseudo conflicts, which occur when two developers make the same change. Turn this option on if you want pseudo conflicts to appear in compare browsers.
Connect ranges with single line | Controls whether differing ranges are visually connected by a single line or a range delimited by two lines.
Highlight individual changes | Controls whether the individual changes inside conflicts are highlighted.
When the end/beginning is reached while navigating an element | Use this option to configure what occurs when the end/beginning is reached while navigating an element.

21.2.3 Content Types

Table 21-5 Preferences: General > Content Types

Pane | Description
Content types | The type of content (for example, HTML or XML) that a file contains.
File associations | The file extension that is associated with a content type. For example, .xml is associated with a file that contains XML content. To add a file association: 1. Select a content type. 2. Click Add. 3. Define a new file type, then click OK.

21.2.4 Editors

Table 21-6 Preferences: General > Editors

Setting | Description
Size of recently opened files list | The number of files to add to the file menu of recently opened files, which you can easily reopen.
Show multiple editor tabs | Displays tabs for all opened projects. If you deselect this option, only one editor tab displays, and an abbreviated name displays on the tab.
Restore Editor state on startup | Displays the editor in the same state as it was when last closed, as opposed to using default settings.
Prompt to save on close even if still open elsewhere | Saves the file on close even if the same file is open in another editor.
Close editors automatically | Automatically closes the first-opened editor when you open additional editors. This option prevents displaying too many editors and cluttering the workbench.
Number of opened editors before closing | Determines how many editors can be open. For example, if you specify two and then open a third project, the first-opened project automatically closes.
When all editors are dirty or pinned | Prompts you to save unsaved components in the project that is about to automatically close, or to open an additional editor.

“File Associations”
“Hex Editor”
“Structured Text Editors”
“Text Editors”

File Associations

Enables you to associate editors (whether they are internally installed in the Designer, or an external application) with file types (extensions) so that you can edit files.

To find out which editor is associated with a file type, select the file type. For example, a .docgen file type is associated with the Style editor, but a .scriptpolicy file type is associated with the Policy Builder.

To associate an additional editor with a file type:

1 Select the file type.
2 In the Associated editors pane, click Add.
3 Select an additional editor, then click OK twice.

To add a file type:

1 In the File types pane, click Add.
2 Type the extension (for example, .doc) for the file type, then click OK.
3 In the Associated editors pane, click Add.
4 Select an editor for that file type, then click OK twice.

Hex Editor

Enables you to configure Designer’s hex editor environment, including font, font style, and colors. You can also associate, or disassociate, the hex editor from Designer’s registered file extensions, and enable hex editor logging.

Structured Text Editors

For information on structured text editors, refer to the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).

Text Editors

Table 21-7 Preferences: General > Text Editors

Setting | Description
Undo history size | Determines the size of the undo history. The default is 200 changes.
Displayed tab width | Specifies the number of characters or spaces in a tab character. The default is 4. The maximum is 16.
Insert spaces for tabs | Inserts the number of spaces specified in Displayed Tab Width, instead of a tab character, when you press the tab key in the text editor.
Highlight current line | Highlights the current line.
Show print margin | Displays the print margin on the right side of the text document. A vertical line identifies the margin.
Show line numbers | Numbers each line in the editor.
Show range indicator | Displays a range indicator.
Show whitespace characters | Displays white space characters so you can see them in the text editor.
Enable drag and drop of text | Allows you to drag and drop text within the text editor.
Warn before editing a derived file | Notifies you if you attempt to edit a file generated or maintained by the system. Your changes might be overwritten.
Smart caret positioning at the line start and end | Enables the Home and End commands to move to the first and last non-white-space character on a line.
Show affordance in hover on how to make it sticky | Enables the hover over text to grab the text and place it in the clipboard.
Appearance color options | Lets you configure the display settings for the text editor. Select a particular appearance characteristic from the list to view and change the display settings for that characteristic.

For additional information on text editors, see the Eclipse documentation.

21.2.5 Keys

Enables you to view a table of all of the keyboard mappings, change those mappings, and add new mappings.

21.2.6 Network Connections

Enables you to configure a manual proxy configuration if you use a proxy server to access the Internet. For example, if you have added a custom URL for packages that require authentication, you must enter that information here so that automatic updates of packages work. The three options are:

Table 21-8 Preferences: General Settings > Network Connections

Settings | Description
System proxy configuration (if available) | Specifies that the system proxy settings are used to access the Internet. If the settings can’t be retrieved, no proxy should be used.
Direct connection to the Internet | Select this option if no authentication information is required. This is the default option.
Manual proxy configuration | Specify that a proxy server is required to access the Internet. Select Enable proxy authentication if you have specified a URL that requires authentication. For example, if you have added a URL to download custom packages, you must specify the username and password here.

21.2.7 Perspectives

Table 21-9 Preferences: General > Perspectives

Setting | Description
Open a new perspective | In the same window: Places a new icon in the Perspective Switcher, so that you can toggle between perspectives in the same window. In a new window: Opens a new perspective in a different window. You can toggle between perspective windows by selecting icons on the taskbar.
Open a new view | Within the perspective: Opens the view so that it is contiguous to the Modeler. As fast view: Opens the view and places a Fast View in the bottom left corner of the perspective.
Open the associated perspective when creating a new project | Determines how and when you switch to an associated editor when you open a perspective.
Available perspectives | Designer is the default perspective. Other available perspectives are Eclipse Debug and Resource.

21.2.8 Startup and Shutdown

Table 21-10 Preferences: General > Startup and Shutdown

Setting | Description
Prompt for workspace on startup | Prompts you for a workspace folder. You can have multiple workspace folders and can specify a folder on startup.
Refresh workspace on startup | Synchronizes the workspace with resources (for example, myfile.xml) on disk.
Confirm exit when closing last window | Displays an “Exit Designer?” prompt when you exit Designer.
Plug-ins activated on startup | Lists plug-ins that are automatically loaded and registered.

21.2.9 Web Browser

Table 21-11 Preferences: General > Web Browser

Setting | Description
Use internal Web browser | Enables you to use an internal Web browser.
Use external Web browser | Enables you to add and use an external browser (for example, Netscape). If you enable this option, you must also enable Use External Browser in the Help section (also found in Preferences).
External Web browsers | Lists browsers. To add a browser: 1. Click New. 2. Name the new browser. 3. Scroll to and select an executable (for example, netscp6.exe). 4. Specify a parameter, then click OK.

21.2.10 Welcome

Table 21-12 Preferences: General > Welcome

Setting | Description
Home: Home Page Theme | Enables you to select the theme that appears when you click Help > Welcome.
Home: Root Pages | Adds tabs (for example, Overview) on the Welcome properties page. You add functionality by customizing these tabs. For information about the Overview and What’s New tabs, refer to the Eclipse documentation.

21.3 Help

Table 21-13 Preferences: Help

Setting | Description
Specify how help information is displayed: Use external browser | If an embedded Web browser is supported on your system, the Help view uses that browser to display help contents. To force help to use an external browser, enable this option. Specify an external browser in Preferences: General > Web Browser.
Open window context help | Determines whether the window context help opens in a dynamic Help view or in a pop-up window.
Open dialog context help | Determines whether the dialog box context help opens in a dynamic help section of the Help view or in a pop-up window.
Open help view documents | Determines whether the documents selected in the Help view open in place or in the editor area.

21.3.1 Content

Designer lets you include external information in the help system.

Table 21-14 Preferences: Help > Content Settings

Setting | Description
Include help content from a remote infocenter | Enables including external information in the help system.
Location | Specifies the hostname, path, and port to the external information.

21.4 Novell

The following Preferences categories appear as Novell sub-pages:

Section 21.4.1, “Designer”
Section 21.4.2, “Identity Manager”
Section 21.4.3, “Package Manager”
Section 21.4.4, “Provisioning”

21.4.1 Designer

The following preferences categories appear as Designer sub-pages:

“DS Trace”
“JavaScript Validation”
“Language”
“Project Checker”
“Schema”
“Trace”
“Version Control”

DS Trace

This setting lets you configure DS Trace settings.

Table 21-15 DS Trace Preferences

Setting | Description
Live DS Trace Display | Specifies the size of the DS Trace window buffer, in lines (or entries). When the number of DS Trace entries exceeds the Window Size, DS Trace drops the oldest entry for each new entry it captures.
Auto-scroll display | Enables auto-scrolling of the live DS Trace window so that the latest log entries are always on screen. When this option is deselected, you must manually scroll down the list of log entries.

JavaScript Validation

Designer automatically validates the JavaScript as it is typed into the UI. By default, it is enabled.

Language

When you installed Designer, you selected a language to display Designer’s UI. This setting enables you to change the language.

Figure 21-2 Preferences: Novell > Designer > Language

1 Select a language, then click OK. You must restart Designer for the language change to take effect.
2 Restart Designer.

NOTE: Restore Defaults reads the config.ini file, detects the previous language setting, and then defaults to that setting.
When the changed property is written back to the .ini file, all comments are removed from the file. To preserve these comments, Designer copies the original config.ini to config.ini.bak and uses the backup to determine the default setting.

Project Checker

This setting lets you configure the Project Checker.

Table 21-16 Preferences: Novell > Designer > Project Checker

Setting | Description
Limit Visible Items to | Allows you to limit the number of items displayed in the Project Checker. The default value is 100.
Prompt me to save the editor before running Project Checker | Allows you to receive a prompt asking you to save your project before running the Project Checker. By default, this is enabled.

Schema

Allows you to manage the Identity Vault and managed system’s schema.

Table 21-17 Preferences: Novell > Designer > Schema

Setting | Description
Warn when LDAP names are different from eDirectory names during .ldif import/export | Allows you to turn off this warning prompt, which appears during the import or export of the schema.
Warn when exporting base classes to .ldif | Allows you to turn off this warning prompt, which appears during the export of the schema.
Show the information message for the Manage Application Schema context menu | Allows you to turn off the information message that appears when managing the application schema.

Trace

The Trace view is useful in the following situations:

To trace internal errors and messages, so that you can find out why something might not work as expected.
To provide information for Novell Support, engineers, or other consulting resources.

All Designer-specific trace messages go to the Trace view if this view is open. Otherwise, no trace messages are sent.

Warnings and error messages are sent to the .log file, found in the run-time workspace metadata directory. Use the Error view to view this information.

Table 21-18 Parameters: Novell > Designer > Trace

Setting | Description
Enable tracing | Writes events to the Trace view. By default, tracing is off. To increase performance, disable tracing when you don’t need it.
Include stack traces | Provides separate traces. Dumps the entire stack where an internal exception occurs, so that you can see in the code where the internal exception is failing.
Include XML processor traces | Provides separate traces that detail all of the processing of XML documents. This trace can become quite verbose.
Show plug-In names in the trace | In the Trace view, displays names of plug-ins where tracing has occurred. This is useful if you are tracing more than one plug-in.
Show view when tracing | Automatically brings up the Trace view when a trace message is being logged. By default, this setting is On.
Trace buffer size | Increases the buffer to show more characters. As the buffer size increases, performance might degrade, depending on your system.
Plug-Ins to Trace | Lists all Designer plug-ins (in their simple name form). Select plug-ins that you want to trace.
Select All | Enables tracing in all Designer plug-ins.
Deselect All | Disables tracing in all Designer plug-ins.

Version Control

This setting determines how often Version Control polls the SVN server for updates. The polling interval is in minutes.

21.4.2 Identity Manager

The following preferences categories appear as Identity Manager sub-pages:

“Identity Manager”
“Configuration”
“Document Generation”
“Entitlements”
“Import/Deploy”
“Modeler”
“Policy Builder”
“Simulation”
“iManager”

Identity Manager

The Identity Manager option contains multiple tabs:

“Versions”
“Updates”
“Prompts”
“Browser”

Versions

Specifies the Identity Manager version running on a server.

Figure 21-3 Preferences: Novell > Identity Manager > Versions

Updates

Table 21-19 Preferences: Novell > Identity Manager > Updates

Settings | Description
Do not check for updates | Prevents Designer from checking for updates on startup. Hides the Designer Updates dialog box.
Prompt to check for updates on startup | Displays a prompt each time you run Designer. You can disable this prompt.
Automatically check for updates on startup | Always checks for updates. If you disable the prompts that appear on startup, select this option.
Notify me when no updates are available | Displays a No New Updates message when you select to check for updates.

Prompts

Table 21-20 Preferences: Novell > Identity Manager > Prompts

Setting | Description
Warn when downgrading server versions | Prompts you when you select an earlier server version for a project. If you downgrade, some elements of your configuration might not work in your target environment.
Warn when upgrading server versions | Prompts you when you select a later server version for a project. If you upgrade, some of your configuration might not be deployable unless you have this later server version in your environment.
Warn when another editor has updated files in the same project space | Warns you that your project might be erased from your workspace.
The prompt occurs when overwriting a file in the file system for notification templates and policies.
Warn when deleting items from the outline view | Confirms that you want to delete the selected items.

Browser

You can use Designer to open a Web browser. After you enter the URL, Designer stores it. To change the URL, type a new one in Preferences, then click OK.

Configuration

“General”
“eDir-to-eDir SSL/TLS”
“Prompts”

Each driver has a startup parameter. If it is disabled, the driver never starts until you change the setting. By default, Identity Manager drivers are disabled when you create them in the Modeler or start Designer. You must start them manually. For more information, see Section 4.5, “Configuring Driver Sets,” on page 91.

General

These general settings specify how drivers start up and how their global configuration values (GCVs) act on specified target servers. The default state uses Disabled and Merge GCVs.

Table 21-21 Preferences: Novell > Identity Manager > Configuration > General Tab Settings

Setting | Description
Auto-Start | The driver automatically starts after you create it or whenever you start or load Designer.
Manual | You must start the driver manually.
Disabled | The driver never starts.
Merge GCVs on the target server during copy | Copies the GCVs from one driver/driver set to multiple targets of the same type. For example, you might configure GCVs on one driver and then copy them to multiple drivers. You also have the option of overwriting the target GCVs or merging your source GCVs with the existing target driver GCVs, if they exist.
Overwrite GCVs on the target server during copy | Overwrites existing GCVs when they are copied to the server.

eDir-to-eDir SSL/TLS

This setting configures how two eDirectory drivers communicate with each other over a secure channel.
For more information, see Section 18.7, “Configuring TLS for eDir-to-eDir Drivers,” on page 487.

Table 21-22 Preferences: Novell > Identity Manager > Configuration > eDir-to-eDir SSL/TLS Tab Settings

Setting | Description
Preferred key size | Specifies the preferred key size that is generated when drivers are encrypted and stored in eDirectory: 512, 768, 1024, or 2048 bytes.
Preferred secure hash algorithm | Specifies the preferred hash algorithm to use when encrypting drivers: SHA1-RSA, MD2-RSA, or MD5-RSA.
Preferred validity period | Specifies the validity period for a driver certificate, ranging from 6 months to 10 years.
Always overwrite existing certificates | Specifies that existing driver certificates are overwritten with each deployment. If you select this option, Designer deletes existing certificates and creates new ones. The new certificates are then good for another two years (assuming the default value is two years, as defined in the Preferred Validity Period field). If you select Live > Create eDir-to-eDir Certificates, Designer deletes old certificates and creates new ones.
Overwrite certificates only if they have expired | Specifies that only expired driver certificates are overwritten with each deployment. This is the default setting. The default expiration length is two years. If a certificate expires, SSL/TLS stops working. If a certificate is expired, Designer deletes it and creates a new one.
Never overwrite existing certificates | Never overwrites driver certificates.
Restart drivers after building certificates | Restarts drivers after certificates have been updated or created.

When you create certificates, Designer reads the preferences, including Preferred Key Size, Preferred Secure Hash Algorithm, and Preferred Validity Period. These options are also available through Secure Connection Settings > Advanced TLS Configuration.
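
The overwrite options and preference values in Table 21-22 can be reviewed before a deployment. The following is an added example, not Designer's own code: the class, function, and mode names are hypothetical, and the severity ratings are this example's assumptions (the listed key sizes are treated as RSA modulus sizes).

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone

# Choices listed in Table 21-22.
KEY_SIZES = (512, 768, 1024, 2048)
HASH_ALGORITHMS = ("SHA1-RSA", "MD2-RSA", "MD5-RSA")
VALIDITY_MONTHS = (6, 120)  # 6 months to 10 years
# Hypothetical identifiers for the three overwrite options.
ALWAYS, IF_EXPIRED, NEVER = "always", "if_expired", "never"

# Assumptions of this example, not statements from the guide:
MIN_KEY_SIZE = 2048                       # smaller RSA keys are below current guidance
OBSOLETE_HASHES = {"MD2-RSA", "MD5-RSA"}  # no longer acceptable for signatures
DEPRECATED_HASHES = {"SHA1-RSA"}          # deprecated, but the strongest choice offered


@dataclass(frozen=True)
class CertPreferences:
    key_size: int
    hash_algorithm: str
    validity_months: int
    overwrite_mode: str


def audit_preferences(prefs):
    """Return (severity, message) findings for one set of preferences."""
    findings = []
    if prefs.key_size not in KEY_SIZES:
        findings.append(("invalid", f"key size {prefs.key_size} is not offered"))
    elif prefs.key_size < MIN_KEY_SIZE:
        findings.append(("high", f"key size {prefs.key_size} is below {MIN_KEY_SIZE}"))
    if prefs.hash_algorithm not in HASH_ALGORITHMS:
        findings.append(("invalid", f"hash {prefs.hash_algorithm} is not offered"))
    elif prefs.hash_algorithm in OBSOLETE_HASHES:
        findings.append(("high", f"{prefs.hash_algorithm} is obsolete for signatures"))
    elif prefs.hash_algorithm in DEPRECATED_HASHES:
        findings.append(("medium", f"{prefs.hash_algorithm} is deprecated"))
    low, high = VALIDITY_MONTHS
    if not low <= prefs.validity_months <= high:
        findings.append(("invalid", f"validity {prefs.validity_months} months is out of range"))
    if prefs.overwrite_mode == NEVER:
        findings.append(("medium", "expired certificates are never replaced; "
                                   "SSL/TLS stops working when one expires"))
    return findings


def add_months(ts, months):
    """Add calendar months, clamping the day to the end of the target month."""
    index = ts.month - 1 + months
    year, month = ts.year + index // 12, index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def plan_deploy(prefs, not_after, now):
    """Model what a deployment does to an existing driver certificate.

    Returns (action, expiry): "replace" with the new expiry, "keep" for a
    still-valid certificate, or "keep-expired" when an expired certificate
    is left in place and the secure channel will fail.
    """
    expired = not_after <= now
    if prefs.overwrite_mode == ALWAYS or (prefs.overwrite_mode == IF_EXPIRED and expired):
        return "replace", add_months(now, prefs.validity_months)
    return ("keep-expired" if expired else "keep"), not_after


if __name__ == "__main__":
    # Constructed sample data: one weak and one default-style configuration.
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    expired_cert = datetime(2023, 12, 1, tzinfo=timezone.utc)
    for prefs in (CertPreferences(512, "MD5-RSA", 24, NEVER),
                  CertPreferences(2048, "SHA1-RSA", 24, IF_EXPIRED)):
        print(prefs)
        for severity, message in audit_preferences(prefs):
            print(f"  [{severity}] {message}")
        print("  deploy:", plan_deploy(prefs, expired_cert, now))
```
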

Figure 21-4 The Advanced TLS Configuration Dialog Box

NOTE: Designer reads these preferences after you first set them. If you subsequently change the preferences by using the driver’s configuration page, those changes override the settings in Preferences.

After you change default settings and click OK, that configuration information is recorded. When you deploy the driver, Designer creates the certificates, or deletes and creates new certificates with a new time stamp.

Prompts

These settings specify how users are prompted to manage driver certificates on the target server. All are selected in the default state.

Table 21-23 Preferences: Novell > Identity Manager > Configuration > Prompts Tab Settings

Setting | Description
Prompt to replace existing certificates | Prompts the user to provide new certificates.
Prompt to merge/overwrite GCVs on target server during copy | Prompts the user to merge or overwrite when copying GCVs to the target server.
Prompt to create certificates after configuration | Prompts the user to create certificates after configuring a secure connection.
Prompt to overwrite existing settings and policies from the Driver Configuration Wizard | In the Driver Configuration Wizard, prompts the user whether to reset (overwrite) all driver settings and policies.
Prompt when policy operations affect multiple policy sets | Turns on and turns off a warning dialog box associated with policy operations. The dialog box appears when you move policies in a pre-3.5 environment and the move operation affects multiple policy sets.
Prompt for server selection on live driver actions | Any time you perform a live action on a driver (such as starting or stopping the driver) it prompts you to specify the server associated with the driver.
Prompts for errors when validating XML DTD for all Policy Editors | Designer validates the policies you create against the Identity Manager DTDs.
This helps you verify that the policies you create are valid.

Document Generation

The Document Generator comes with the following settings:

Table 21-24 Preferences: Novell > Identity Manager > Document Generation

Setting | Description
Automatically open the rendered file after document generation. | If you have a PDF reader installed on your workstation, the rendered file automatically opens in the reader. If you have enabled the RTF format and have an RTF reader installed, the rendered file automatically opens in the reader. The default is On.
Show warning dialog box when the style is an older version. | Displays a warning when generating documents on out-of-version styles. The default is On.
Warn me before overwriting existing file during document generation | Displays a warning when overwriting previously generated files.
Enable RTF support | Allows you to save documents to RTF format. The default is Off.
Output XML source files | Generates XML files as part of the document generation process.
Document applications and drivers related to other selected items. | With this option selected, parent objects and direct child objects are included to give context to the document. Deselecting this option excludes direct children of the selected item. The default is On.
Document Language | Allows you to select a language other than English in which to generate documents. Languages include Chinese Simplified, Chinese Traditional, Dutch, English, French, German, Italian, Japanese, Portuguese Brazil, and Spanish. The default is English.
Font settings | Allows you to select the font you want to use for document generation. This selection adds double-byte font support. The default is the Arial font.

Entitlements

Controls whether or how often you receive a prompt whenever you add the DirXML-EntitlementRef attribute to a driver filter.
The default is Prompt me, but because this attribute is added only if it doesn’t already exist on the driver filter, you can select Always add it to not see the pop-up window. You can also never add the attribute. However, the DirXML-EntitlementRef attribute is added only if it doesn’t already exist in the driver filter. If the attribute already exists, the options have no effect.

Import/Deploy

The Import/Deploy preferences window contains three tabs: Behaviors, Prompts, and Trace. The following tables describe their options.

“Behaviors”
“Prompts”
“Trace”

Behaviors

There are multiple sections in the Behaviors tab.

Table 21-25 Preferences: Novell > Identity Manager > Behaviors (Import Settings)

Setting | Description
Perform prompt checking when running a driver configuration file | Displays the “Do you wish to perform all mandatory and required prompt checking when running this Driver configuration file?” prompt. If you select Yes to the prompt, you must then enter information in required fields while configuring the driver. If you select No, you temporarily disable this setting and can skip required fields.
Include application schema when importing drivers | Imports the eDirectory application schema when you select this option. You might not want to import all the associated data. The default is Off. See Section 12.5.3, “Importing a Schema,” on page 331.

Table 21-26 Preferences: Novell > Identity Manager > Behaviors (Deploy Settings)

Setting | Description
Replace driver set/server associations when deploying a driver set | If you want driver set and server associations replaced when deploying, select this option. The default is Off.
Always deploy both drivers of an eDir-to-eDir connection | With this option selected, you are prompted to deploy both sides of the connection.
With both drivers deployed, Deploy is integrated with the creation of eDir-to-eDir certificates, if the certificates are created in Designer. Deploy adheres to the settings set in Preferences > Designer for IDM > Configuration > eDir-to-eDir. The default is On. This is the recommended setting.
Restart running drivers after deploying the driver | Restarts the driver after it is deployed. The default is On.

Table 21-27 Preferences: Novell > Identity Manager > Behaviors (Summary Dialog)

Setting | Description
Show the summary dialog prior to performing an import | Allows you to view what’s being imported in a summary screen. The default is On.
Show the summary dialog prior to performing a deployment | Allows you to view what’s being deployed in a summary screen. The default is On.
Filter passwords out of summary and compare dialogs | Select this box if you want to filter passwords out of summary and compare dialog boxes.

Table 21-28 Preferences: Novell > Identity Manager > Behaviors (Export Settings)

Setting | Description
Copy cross driver policy references into exported configuration files | Selected by default, this option saves you the trouble of manually inputting cross-driver policy references.

Prompts

Table 21-29 Preferences: Novell > Identity Manager > Prompts Tab Settings

Setting | Description
Show dialog to export cross driver policy references to configuration files | Selected by default. If you do not want to see a dialog box about these references, deselect the option.
Show a warning dialog when overwriting a driver set/server association | Warns that the driver set being deployed has a different server association than the server that you are about to deploy to. The association in the deployed driver set overwrites the existing server association.
Show the dialog box to deploy both drivers of an eDir-to-eDir connection | This is the default, and it is also the recommended setting.
With this option selected, you are prompted to deploy both sides of the connection.

Setting: Show the dialog box to restart drivers after a deployment
Description: Selected by default. If you do not want to see a dialog box about these references, deselect the option.

Trace

Table 21-30 Preferences: Novell > Identity Manager > Trace Tab Settings

Setting: Trace import and deploy event information
Description: Deselected by default. If you need to troubleshoot an import or a deploy, select this option, then open the Trace view to inspect the import or deploy.

Setting: Generate debug messages for the Driver configuration prompt dialog box
Description: Deselected by default. If you need to generate debug messages, select this option.

Setting: Show verbose debug messages
Description: Deselected by default. If you need to generate verbose debug messages, select this option.

Setting: Time import and deploy operations
Description: Deselected by default. If you need to time how long it takes to import or deploy an object, select this option.

Modeler

The Modeler preferences window contains seven tabs: Behaviors, Display, Guidance, Layouts, Pages, Prompts, and Themes. The following tables describe their options.

Additionally, the following preferences categories appear as Modeler sub-pages:

“Dataflow Page”
“Palette Page”

Table 21-31 Preferences: Novell > Identity Manager > Modeler > Behaviors Tab Settings

Setting: Auto-create servers when connecting a driver to a different driver set
Description: Automatically creates a server for a driver set when you connect a driver to a different driver set.

Setting: Launch the driver Properties dialog box
Description: Launches the driver’s Properties page.

Setting: Show the driver’s Policy Flow view
Description: Displays the driver’s Policy Flow diagram in the Outline view.

Table 21-32 Preferences: Novell > Identity Manager > Modeler > Display Tab Settings

Setting: Show labels by Applications and Identity Vaults (Architect mode)
Description: Shows labels below applications (in both modes) and above Identity Vaults (Architect mode only).

Setting: Show driver icons in Developer mode
Description: Displays a driver icon on the line that represents a driver in the Modeler.

Setting: Show password icons in Developer mode
Description: Displays a password sync icon below a driver in the Modeler.

Setting: Auto-expand Identity Vaults to fit contents
Description: Causes Identity Vaults to expand to accommodate objects that you place in them.

Setting: Auto-shrink Identity Vaults to fit contents
Description: Causes Identity Vaults to shrink when you remove objects from them.

Setting: Auto-size Identity Vaults to fit their titles
Description: Enables vaults to expand horizontally, to accommodate long titles. Otherwise, the titles concatenate after approximately 20 characters.

Setting: Grid Width
Description: Increases or decreases cells in the Modeler’s grid. To access the grid, select the Modeler, then click View > Grid.

Table 21-33 Preferences: Novell > Identity Manager > Modeler > Guidance Tab Settings

Setting: If an Identity Vault doesn’t already exist, one will be created when you drop the application
Description: Creates an Identity Vault when you drag or drop an application from the palette into the Modeler.

Setting: eDir-to-eDir connection tip, when you’ve connected the same eDir app to two driver sets
Description: Prompts you to connect a line directly between the end driver sets when you set up an eDir-to-eDir relationship.

Setting: Setting dataflows in architect mode will default all policy and schema settings
Description: Sets policy and schema settings to defaults when you set data flows in architect mode. To edit the settings, use the Developer mode.

Setting: Saving Dataflow to disk will first force a project save
Description: Requires you to save a project before you can save a dataflow to disk.

Table 21-34 Preferences: Novell > Identity Manager > Modeler > Layouts Tab Settings

Setting: Default Layout for Applications on Import
Description: Specifies the default layout for application objects when you import a project into Designer.
To arrange an existing project in a particular layout:

1 In the Modeler, right-click a driver set.
2 Select Arrange Applications.
3 Select a layout.

Table 21-35 Preferences: Novell > Identity Manager > Modeler > Pages Tab Settings

Setting: Check the additional Modeler pages you want visible
Description: Determines whether the Architect, Dataflow, and Table pages display as tabs at the bottom of the Modeler. The Developer mode is always enabled.

Table 21-36 Preferences: Novell > Identity Manager > Modeler > Prompts Tab Settings

Setting: Show the Driver Config Wizard at connection time
Description: Launches the Driver Configuration Wizard when you drag or drop an application in the Modeler.

Setting: Confirm when a driver is being deleted
Description: Provides a Yes/No prompt for you to choose whether you want to delete the driver and its policies.

Table 21-37 Preferences: Novell > Identity Manager > Modeler > Themes Tab Settings

Setting: Developer
Description: Specifies the theme for Developer mode. Themes define the colors used for background, text, line, domain group background, and domain group title in the Modeler.

Setting: Architect
Description: Specifies the theme for Architect mode. Themes define the colors used for background, text, line, domain group background, and domain group title in the Modeler.

Dataflow Page

Specifies the number of columns per page that the Dataflow editor saves in the HTML reports. To view or use the Dataflow editor, select the Dataflow tab in the Modeler.

Figure 21-5 The Dataflow Tab

Palette Page

The Palette page includes the following settings:

Table 21-38 Preferences: Novell > Identity Manager > Modeler > Palette

Setting: Arrange applications in folders
Description: Displays folders (for example, Database) in the palette and places applications in appropriate folders.

Setting: Arrange applications in an alphabetical list
Description: Places all applications into one folder in the palette, and lists the applications alphabetically.
Policy Builder

The Policy Builder preferences page includes the following settings:

Additionally, the following preferences categories appear as Policy Builder sub-pages:

“Policy Description”

Table 21-39 Preferences: Novell > Identity Manager > Policy Builder

Setting: Localize actions, conditions and tokens
Description: Translates the names of policy actions, conditions and tokens into the selected Designer language. When this option is not selected, policy actions, conditions and tokens display in English.

Setting: Include project name in title
Description: Includes project name in the title.

Setting: Expand all rules when the Policy Builder is loaded
Description: Automatically expands rules in the Rules pane when you open the Policy Builder.

Setting: Show version/author/last changed information
Description: Adds additional fields in the Rule Inline editor (available when you double-click a rule). Designer adds the information from these fields to the policy.

Policy Description

The Policy Description preferences page includes the following settings:

Table 21-40 Preferences: Novell > Identity Manager > Policy Builder > Policy Description

Setting: Expand the Policy Description field
Description: Automatically expands the Policy Description field. You can hide the field by selecting the check box.

Setting: Number of rows of text to display
Description: Determines how many rows to display in the Policy Description field. The default is 10.

Setting: Policy Description position on the page
Description: Places the Policy Description field above or below the Rules pane.

Simulation

The Simulation preferences page includes the following settings:

Table 21-41 Preferences: Novell > Identity Manager > Simulation

Setting: Directories: Java Extensions
Description: Enables you to simulate policies that contain references to external Java extensions. Specify the .jar file or the directory where the .jar file is located to add it to the class path. You can specify multiple Java extensions.
Setting: Referenced Directories
Description: A reference directory table and a new configuration option to specify the current working directory have been added in the Simulation preferences page. You can add directories through this table when they need to be included in the Simulator's classpath. The configuration or reference files in the directory are available at runtime while simulating the policy.

Setting: Options: Clear the policy simulation log file prior to performing a simulation
Description: Automatically clears the log file. If you don’t enable this setting, Designer displays a Clear Log icon that you can use. If you do many simulations in succession, you might want to disable this option. The log file then captures and displays the events of all the tests, until you click Clear Log.

Setting: Options: Show the information prompt when a query is generated
Description: Displays a prompt when the Simulator generates a query. It simulates what the engine would do when a query is required to process the policy.

Setting: Options: Notify user when converting the Input Document schema
Description: Notifies a user when the Policy Simulator must convert the Application schema to the ID Vault schema, or vice versa. This is typically necessary when changing the input document’s simulation point.

iManager

The iManager preferences page includes the following settings:

Table 21-42 Preferences: Novell > Identity Manager > iManager

Setting: iManager URL
Description: The IP address and port for the iManager server.

Setting: Show Novell iManager Information Dialog
Description: Prompts you for the URL to the iManager server after you select Tools > iManager. If the URL is missing or incorrect, iManager is unable to launch.

21.4.3 Package Manager

The following options allow you to manage packages in Designer. You access the preferences page through Windows > Preferences > Novell > Package Manager.
“Auto Imports”
“Custom Shims”
“License Defaults”
“Locations Defaults”
“Online Updates”
“Package Based Policies”
“Vendor Information”

Auto Imports

This setting allows you to change how Designer imports package updates into the package catalog. When there are updates to packages that have not been imported into the package catalog, select how you want Designer to handle these updates.

Table 21-43 Preferences: Novell > Package Manager > Auto Imports

Setting: Do not import packages when a project opens
Description: Designer does not prompt you to import updated packages into the package catalog. If there are package updates that need to be imported, you must manually import these packages before they can be installed. For more information, see Section 6.2.4, “Importing Packages into the Package Catalog,” on page 155.

Setting: Prompts to import packages when a project opens
Description: If there are package updates, every time you open the project, you are prompted to import the package updates into the package catalog.

Setting: Automatically import packages when a project opens
Description: If there are package updates, every time you open the project, Designer automatically imports the package updates into the package catalog.

Custom Shims

Allows a developer to specify information about a custom driver shim. The information is used as a template so that a developer does not need to specify this information repeatedly when creating a package.

Table 21-44 Preferences: Novell > Package Manager > Custom Shims

Setting: Display Name
Description: Displays the driver name and version in the driver manifest. This name can change with each release of the driver.

Setting: Shim ID
Description: Associates the driver with the shim file in the driver manifest. This ID never changes.

Setting: Driver Palette ID
Description: This ID associates the driver shim with certain types of drivers. This allows you to group packages together.
For example, if your driver palette ID associates your custom driver with the JDBC driver, your packages are available for installation if the customer has a JDBC base package installed.

To add a custom shim:

1 Click the Add shim type icon.
2 Specify the display name for the driver shim.
3 Specify the shim ID for the driver shim.
4 Specify the driver palette ID for the drivers you want this custom shim to be associated with.
5 Click Apply.

License Defaults

If you have a license for packages you are developing, you can specify that information in this preference page, so that each time you create a new package you don’t need to specify that information again.

To add a license:

1 Click Browse, then browse to and select your license file.
2 Click Apply.

Locations Defaults

This option allows you to specify your package development directories so that you don’t need to specify this information each time you create a new package.

Table 21-45 Preferences: Novell > Identity Manager > Package Manager > Location Defaults

Setting: Build Directory
Description: This directory is where you build packages.

Setting: Import Directory
Description: This directory contains all imported packages.

Setting: Localization Directory
Description: This directory contains all of the packages that are localized.

Setting: Publish Directory
Description: This directory contains all packages ready to publish.

Online Updates

The following settings configure how packages are updated online:

Table 21-46 Preferences: Novell > Package Manager > Online Updates

Setting: Do not check for updates
Description: Designer does not automatically check for updates. With this option selected, you need to manually check for updates by clicking Help > Check for Package Updates in Designer’s toolbar.

Setting: Prompt to check for updates on startup
Description: Designer prompts you to check for package updates when it starts.

Setting: Automatically check for updates on startup
Description: Designer checks for any package updates when it starts.
NOTE: This option fails if a custom site requires authentication and the authentication information has not been added in Designer. You add the authentication information into Window > Preferences > General Settings > Network Connections. For more information, see Section 21.2.6, “Network Connections,” on page 559.

Setting: Notify me when no updates are available
Description: If there are no package updates, Designer returns a message stating that no updates are available.

Setting: Package Update URLs
Description: Lists the URLs where Designer checks for package updates. Partners can add their own URLs for custom packages. For more information, see Section 7.16, “Releasing and Publishing Packages,” on page 201.

Setting: Add URL
Description: Allows you to add the vendor’s name and URL for publishing custom packages. For more information, see Section 7.16, “Releasing and Publishing Packages,” on page 201.

Setting: Edit URL
Description: Allows you to edit the vendor’s name and URL for publishing custom packages.

Setting: Delete URL
Description: Deletes the selected URL from the list of URLs.

Setting: Restore Defaults
Description: Restores all settings to their default values.

To add a URL:

1 Click the Add URL icon.
2 Specify the vendor of the package and the URL where packages are available for download.
3 Click OK.

Package Based Policies

When a user modifies a policy object that belongs to a package, Designer marks the object as being customized. You can configure Designer to warn users that this occurs when they modify a package-based policy object. This setting is enabled by default.

To configure how Designer displays a warning when a user opens a policy that belongs to a package:

1 In the Preferences window in Designer, expand Novell > Package Manager and click Package Based Policies.
2 If you want to disable the warning, select Do not prompt for policy customization on opening package based policies.
3 If you want to enable the warning, select Prompt for policy customization on opening package based policies.
4 Click OK.
Vendor Information

Allows you to specify your vendor information for your packages in one location, instead of specifying the information each time you create a package. For more information, see Section 7.8, “Creating Feature Packages,” on page 191.

Table 21-47 Preferences: Novell > Package Manager > Vendor Defaults

Setting: Vendor > Name
Description: Specify the vendor name. If this is for internal consumption, specify the name of your company.

Setting: Vendor > Address
Description: Specify the address for the vendor or your company.

Setting: Vendor > URL
Description: Specify the URL of the vendor or your company.

Setting: Vendor > eMail
Description: Specify an e-mail for the vendor or your company.

Setting: Contact > Name
Description: If there is a specific contact person for this package, specify the name.

Setting: Contact > eMail
Description: If there is a specific e-mail address for the contact person, specify it in this field.

21.4.4 Provisioning

You can customize some Provisioning view behaviors by setting preferences. You access the preferences page through Windows > Preferences > Novell > Provisioning. The following table explains the settings on the Provisioning preferences main page.

Table 21-48 General Preferences

Setting: Prompt for deletion of User Application Configuration
Description: When this option is selected and you delete a User Application from the Modeler, Designer asks whether to delete the provisioning objects on disk as part of the delete operation. By default, the provisioning objects are left on disk, even if the User Application is deleted.

Setting: Set delete from Identity Vault as default for all “Confirm Delete” dialogs
Description: When you delete an object in the Provisioning view or the directory abstraction layer editor, you are prompted to confirm the deletion. This preference determines whether the check box labeled Delete object in Identity Vault on deploy in the confirmation dialog box is selected by default. Selecting this preference means the default is to delete the Identity Vault object.
The local object is always deleted.

Setting: Show Provisioning View when new User Application is created or imported
Description: Select this option if you want Designer to launch the Provisioning view when you create a new User Application driver or import an existing User Application driver.

Setting: Show Tooltips in Provisioning view
Description: Select this option to enable (the default) tooltips in the Provisioning view.

Setting: Show Categories in Provisioning view
Description: Select this option so Designer displays provisioning request definitions organized by category. You specify the category in the Overview panel. Categories are defined in the Provisioning Category list defined in the directory abstraction layer.

Setting: Show all localized e-mail templates
Description: Select this option so Designer displays all localized e-mail templates as selectable options in the E-Mail notification tab. The Java language code is appended to the name of the e-mail template. For example, cn=Provisioning Notification Activity_es, cn=Default Notification Collection,cn=security indicates this is the Spanish language version of this template. When you select a localized template, that language is used regardless of the user’s default language. When you select the default template (the template without a locale code), the e-mail is in the user’s default language (if the default is a supported language).

Setting: Validate display names for supported locales
Description: Select this option if Designer should validate display names. It ensures uniqueness of the display name within a locale, and that a display name is supplied (not blank) for each locale. Applies to display names defined by using the directory abstraction layer editor, provisioning request editor, or provisioning teams editor.

Setting: Prompt before performing query on Role Entitlement
Description: When this option is selected, and you click Run query in the Identity Vault, Designer informs you that the query can take a long time to execute. It prompts to run the query or not.
If this option is not selected, Designer runs the query and does not prompt you.

Setting: Identity Vault Connection Timeout (in milliseconds)
Description: The amount of time (in milliseconds) for Designer to connect to the Identity Vault. When it is set too low, you might encounter an error when setting Trustee Rights on a provisioning request definition or when trying to access the Identity Vault through the ECMA expression builder.

The following sections explain the additional preferences settings for provisioning:

“Import/Deploy Preferences”
“Migration Preferences”
“Novell Integration Manager”
“Validation Mask Preferences”
“Workflows Preferences”

Import/Deploy Preferences

Table 21-49 Import/Deploy Preferences

Setting: Import > Delete local object on import when object has been deleted in Identity Vault
Description: Select this option for Designer to delete local objects if the corresponding Identity Vault objects were deleted. This ensures that the Identity Vault and local files are in sync. Deselect this option if you want to leave the local files alone.

Setting: Import > Prompt whether to overwrite runtime configuration on import from file
Description: Select this option if you are importing the driver from a test environment and want to deploy to a production environment. The User Application driver runtime relies on objects stored in the driver that you are not able to access in Designer. If you deploy a driver that does not contain these objects, it does not work properly. Deselect this option if you are importing the driver, modifying it, and deploying it back to the same driver set because the driver already has the runtime configuration objects.

Setting: Deploy > Allow deployment of objects with validation errors
Description: Select this option if you want to deploy objects that fail validation checks.
At deployment, Designer validates the definitions being deployed following the validation rules outlined in “Validating Provisioning Objects” in the User Application: Design Guide. Deselect this option to prevent deployment of definitions that fail validation.

WARNING: Deploying objects that fail validation can result in errors in the User Application runtime.

Migration Preferences

Table 21-50 Migration Preferences

Setting: Show warning about Identity Vault schema changes
Description: When you select Migrate, Designer displays a dialog box warning you that schema changes (needed to support new features) must be made before you can deploy the migrated driver. If the updates have not been made, cancel the migration until they are complete. If you don't want to see this warning when you select Migrate, deselect this option.

Setting: Always deploy (undeployed) User Application Driver
Description: Applies to User Application drivers that have not been deployed to the Identity Vault (for example, User Application drivers imported from a driver configuration file). When you migrate an undeployed User Application driver, Designer prompts you to deploy the driver. Select the Always deploy (un-deployed) User Application driver option if you always want Designer to deploy the User Application driver, and do not want the dialog box displayed.

Setting: Show warning that editors will be closed
Description: When you select the Migrate command, Designer warns you that all editors will be closed. Select this option if you don’t want this warning displayed each time you choose the Migrate command.

Novell Integration Manager

The Novell Integration Manager is used by the User Application workflow engine to provide Integration Activity support.

Validation Mask Preferences

Table 21-51 Validation Mask Preferences

Setting: Validation Mask Table
Description: Use this to define the validation masks available to form controls.
Validation masks are regular expressions and must follow regular expression syntax. Designer provides a default set of validation masks. If the validation masks are not displayed in the form controls property sheets, enable them by clicking Restore Defaults, then clicking Apply.

Workflows Preferences

Table 21-52 Workflow Preferences

Setting: Form Templates
Description: Use this dialog box to remove or preview existing form templates.

Setting: Diagram Preferences
Description:
Show Activity Id: Select this preference when you want the Workflow tab of the provisioning request definition editor to display the Activity IDs for each activity in the flow. Activity IDs are used by the ECMA expression builder and are written to the User Application’s error logs.
Show Flow Path Types: Select this preference when you want the Workflow tab of the provisioning request definition editor to display the Flow Path Types for each activity in the flow. Flow Path Types are used by the ECMA expression builder and are written to the User Application’s error logs.

21.5 Validation

The Validation setting is an Eclipse setting that allows you to validate your project. For more details, see the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).

Table 21-53 Preferences: Validation

Setting: Allow projects to override these preference settings
Description: Allows your project to override these preferences settings.

Setting: Suspend all validators
Description: Allows you to suspend all validation actions that are performed on your project.

Setting: Save all modified resources automatically prior to validating
Description: Saves any modified resource prior to running a validation. This option is not selected by default.

Setting: Show a confirmation dialog when performing manual validations
Description: Allows you to display a confirmation dialog when performing a manual validation.

Setting: Selecting validators
Description: The following validators run when a validation is performed. By default all validators are selected.
DTD Validator
HTML Syntax Validator
ModuleCoreValidator
XML Validator

Setting: Restore Defaults
Description: Restores all of the settings back to the default values.

21.6 Web

The Web preference lets you specify how Designer should handle the editing and creation of CSS and HTML files.

Section 21.6.1, “CSS Files”
Section 21.6.2, “HTML Files”

21.6.1 CSS Files

The CSS Files preferences allow you to specify how Eclipse displays and manages CSS files. This is an Eclipse option; for more details, see the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).

Table 21-54 Preferences: Web > CSS Files > Editor

Setting: Formatting: Line width
Description: Specifies the number of characters in a line.

Setting: Formatting: Insert line break between properties
Description: Specifies whether the editor should insert a line between the CSS properties.

Setting: Formatting: Disable wrapping in style attribute of HTML
Description: Specifies whether the HTML editor (used in the email notification template editor) should allow wrapping of the value of a style attribute.

Setting: Formatting: Indent using tabs or spaces
Description: Specifies how the first line of text indents.

Setting: Formatting: Indentation size
Description: Specifies the size of the indent.

Setting: Formatting: Capitalization style
Description: Specifies the default case for identifiers, property names, and property values.

“Syntax Coloring”
“Template”

Syntax Coloring

Table 21-55 Preferences: Web > CSS Files > Editor > Syntax Coloring Settings

Setting: Syntax Element
Description: Choose the content type for which you want to define a style.

Setting: Foreground/Background/Bold/Italic/Strikethrough/Underline
Description: Specifies the syntax highlighting and formatting for individual CSS elements.

Setting: Sample Text
Description: Displays sample CSS with the selected syntax coloring options.

Template

Eclipse allows you to use a template file for the initial content of your cascading style sheets (CSS).
The CSS files are used to format the content in the Eclipse program. You can either create a new CSS file or import an existing CSS file through this page to use as a template. For more information, see the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).

21.6.2 HTML Files

The HTML Files preferences allow you to specify how Designer displays and manages HTML files and content. This is an Eclipse option; for more details, see the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).

Table 21-56 Preferences: Web > HTML Files

Preference: Creating or saving files: Line Delimiter
Description: Choices are:
Windows
Unix
Mac
No translation

Preference: Creating files: Add this suffix
Description: Specifies the file suffix the editor should add when creating a new file. The default is html.

Preference: Creating files: Encoding
Description: Specifies the editor’s encoding for new files.

Preference: Loading files
Description: Choose the encoding for files opened in the editor. Click Use workbench encoding to accept the default UTF-8, or select one from the list.

“Editor”
“Validation”

Editor

Table 21-57 Preferences: Web > HTML Files > Editor

Setting: Formatting: Line Width
Description: Specifies the number of characters for each line.

Setting: Formatting: Split multiple attributes each on a new line
Description: Specifies what the editor should do with multiple attributes.

Setting: Formatting: Align final bracket in multi-line element tags
Description: Specifies what the editor should do with final brackets.

Setting: Formatting: Clear all blank lines
Description: Specifies what the editor should do with blank lines.

Setting: Formatting: Indent using tabs or spaces; Indentation size
Description: Specifies whether the indent should be using tabs or spaces, and also specifies the indentation size.

Setting: Content assist: Automatically make suggestions
Description: Specifies whether to do automatic code completion.

Setting: Content assist: Prompt when these characters are inserted
Description: Specifies the characters that initiate the content assist.

Setting: Preferred markup: Tag Names/Attribute Names
Description: Specifies if the editor’s suggestions should be in uppercase or lowercase.

“HTML Styles”
“HTML Templates”
“Typing”

HTML Styles

Table 21-58 Preferences: Web > HTML Files > Syntax Coloring

Setting: Syntax Element
Description: Choose the content type for which you want to define a style.

Setting: Foreground/Background/Bold/Italic/Strikethrough/Underline
Description: Specifies the syntax highlighting and formatting for individual CSS elements.

Setting: Sample Text
Description: Displays sample CSS with the selected syntax coloring options.

HTML Templates

Table 21-59 Preferences: Web > HTML Files > Templates Settings

Setting: Templates
Description: The templates are used in the code completion in the source editor. Use this preference to add, remove or edit templates.

Typing

Table 21-60 Preferences: Web > HTML Files > Typing

Setting: Automatically close: Comments
Description: The HTML editor automatically closes any comments added to the HTML file.

Setting: Automatically close: End tags
Description: The HTML editor automatically closes any end tags in the HTML file.

Setting: Automatically remove: End tags
Description: The HTML editor automatically removes any end tags when creating empty self-closing tags.

Validation

Allows you to define how the HTML editor validates the HTML markup. You can set each validation to a warning, error, or to ignore the problem. You can set these options for the following items:

Elements
Attributes
Document Type
Comments
CDATA Sections
Processing Instructions
Entity References
Text Regions

21.7 XML

The XML preferences let you specify how Designer should handle editing and creation of an XML catalog and XML files. This is an Eclipse option; for more details, see the Eclipse documentation (http://help.eclipse.org/helios/index.jsp).
Section 21.7.1, “XML Catalog”
Section 21.7.2, “XML Files”

21.7.1 XML Catalog

The XML Catalog preferences allow you to manage the WST XML catalog implementation. You can add, edit, or delete user-specified catalogs. You cannot use this preference to manage the plug-in specified entries. The XML editor uses the WST XML catalog implementation to resolve XML schema and DTD references for associating URLs, system, and public identifiers with URLs.

Figure 21-6 Preferences: XML > XML Catalog

To add a user-specified entry:

1 Click Add.
2 Fill in the fields as follows:

Field: Location
Description: Specify a location on disk or a URL of the schema or DTD. Use the Search icon to search Designer’s workspace or the file system.

Field: Key Type
Description: Specify the key type. Values are public identifiers for DTDs or URIs for XML schemas.

Field: Key
Description: Specify a unique key.

Field: Specify alternative web address
Description: Optionally, specify an alternative Web address for locating the schema or DTD.

3 Click OK to save.

21.7.2 XML Files

You can set the following general XML File preferences:

Table 21-61 Preferences: XML > XML Files

Setting: Creating files: Add this suffix
Description: Add a suffix to the file. The default is XML.

Setting: Creating files: Encoding
Description: Select the encoding used by the user.

Setting: Creating files: IANA
Description: The IANA name is used in the encoding statement of the XML file.

Setting: Validating files: Indicate when no grammar is specified
Description: Specifies whether to display a warning when no grammar (such as XML Schema or DTD) is associated with the XML document.

Setting: Validating files: Process XML Inclusions
Description: If the XML file contains inclusions (snippets from an HTML file used to create the dynamic HTML page), process these inclusions.
Editor

Table 21-62 Preferences: XML > XML Files > Editor

Category: Formatting
Line width
    Specifies the number of characters in a line. The default is 72.
Split multiple attributes each on a new line
    Specifies how attributes are formatted (whether to show each attribute on a separate line).
Align final bracket in multi-line element
    Allows you to align the final bracket “>” tags in multi-line element tags.
Preserve whitespace in tags with PCDATA content
    Specifies whether to preserve any white spaces that are in tags containing PCDATA content.
Clear all blank lines
    Specifies whether blank lines are removed when formatting.
Indent using tabs or spaces; Indentation size
    Specifies whether to use tabs or spaces as indentation and indentation size.

Category: Content Assist
Automatically make suggestions
    Specifies whether to do automatic code completion.
Prompt when these characters are inserted
    The list of characters that initiate code completion.
Suggestion strategy
    Specifies whether to use Lax or Strict grammar when making suggestions.

Category: Grammar constraints
Use inferred grammar in absence of DTD/Schema
    Specifies whether to display code completion suggestions based on existing content of the XML document.

“Syntax Coloring”
“XML Templates”
“Typing”

Syntax Coloring

The XML syntax coloring lets you specify the syntax highlighting (foreground and background color) and the text formatting for individual XML constructs.

Table 21-63 Preferences: XML > XML Files > Syntax Coloring Settings

Setting
    Description
Syntax Element
    Choose the content type for which you want to define a style.
Foreground/Background/Bold/Italic/Strikethrough/Underline
    Specifies the syntax highlighting and formatting for individual CSS elements.
Sample Text
    Displays sample CSS with the selected syntax coloring options.

XML Templates

Use the XML Templates preference page to define XML templates.
The templates are used in the code completion in the XML Source editor. For example, selecting the XSL Processing Instruction template in the code completion inserts <?xml-stylesheet type="text/xsl" href="?"> in the source editor and places the cursor in the href value.

Typing

Table 21-64 Preferences: XML > XML Files > Typing Settings

Settings
    Descriptions
Automatically close: Comments
    The HTML editor automatically closes any comments added to the HTML file.
Automatically close: End tags
    The HTML editor automatically closes any end tags in the HTML file.
Automatically remove: End tags
    The HTML editor automatically removes any end tags when creating empty self-closing tags.

22 Troubleshooting Designer

Section 22.1, “Running the Project Checker”
Section 22.2, “Viewing the Error Log”
Section 22.3, “Turning on Trace Messages”
Section 22.4, “Checking Loaded Plug-Ins”
Section 22.5, “Deploying Identity Manager Objects”
Section 22.6, “Display Issues”
Section 22.7, “Freeing Heap Memory”
Section 22.8, “Project Files Are Not Encrypted”
Section 22.9, “Users Cannot Import and Check In Multiple Instances of the Same Package Under Version Control”
Section 22.10, “Drivers Not Associated with Base Packages After Live Import”
Section 22.11, “Error Messages and Solutions”
Section 22.12, “Reporting Bugs and Giving Feedback”

22.1 Running the Project Checker

Designer provides a Project Checker tool to check your project. The project can be checked at any time, but you should run the Project Checker before deploying your project. The Project Checker checks for proper design, contexts, server associations, policies, missing user data, and dependency problems that would cause the deployment of the project into the Identity Vault to fail.
It only checks the objects in Designer; it does not check the current objects in the Identity Vault. To learn more about the Project Checker, see Section 18.5, “Checking Your Projects,” on page 477.

22.2 Viewing the Error Log

If something isn’t working, messages written to the error log might help you. The log is named .log. It is a hidden file. To view the error log, you can use menus or browse the file system.

Section 22.2.1, “Browsing the File System”
Section 22.2.2, “Using Menus”
Section 22.2.3, “Event Details”
Section 22.2.4, “Customizing Filter Settings”

22.2.1 Browsing the File System

1 Browse to your Designer workspace.
  In Windows, the log file is typically in subfolders in the /eclipse/workspace/.metadata directory.
  In Linux, the log file is typically in the Home directory, in the /eclipse/workspace/.metadata directory.
2 Open the log file.

22.2.2 Using Menus

1 Select Window > Show View > Other > PDE Runtime > Error Log.
2 Click OK.

If you view the log through the application, a list of messages displays.

Figure 22-1 The Error Log

For a description of the icons located in the upper right corner of the Error Log view, see “Error Log View” in Understanding Designer for Identity Manager.

The following options are available when you right-click inside the Error Log view:

Table 22-1 Right-Click Options in the Error Log View

Operation
    Description
Copy
    Enables you to copy event details to the clipboard.
Clear Log Viewer
    Clears all the entries in the Error Log viewer.
Delete Log
    Deletes all items in the Error Log.
Open Log
    Opens an error log entry.
Restore Log
    Enables you to restore log entries that have been previously cleared.
Export Log
    Enables you to export the Error Log to a location on the file system.
Import Log
    Enables you to import a file from the file system to the Error Log.
Event Details
    Opens the Event Details window.
To sort messages in the Error Log view, click the appropriate header bar.

22.2.3 Event Details

To view event details, double-click an error log message or right-click an error log message, then click Event Details.

The following options are available in the Event Details window:

Table 22-2 Event Details Window

Operation
    Description
Date
    Displays the date and time the error occurred.
Severity
    States the severity of the error.
Message
    Displays the message of the error.
View Details of Previous Event
    Up and down arrows that enable you to scroll through the event details of each event in the error log.
Copy
    Enables you to copy event details to the clipboard.
Exception Stack Trace
    Displays Exception Stack Trace (if available).
Session Data
    Provides relevant session data.

22.2.4 Customizing Filter Settings

To access the Log Filters window:

1 On the Error Log view toolbar, click the Menu icon.
2 Click Filters.

The following options are available in the Log Filters window:

Table 22-3 Log Filters Window

Operation
    Description
Event Types
    Set what type of information you want displayed in the error log. The error log can be configured to display any combination of Information, Warnings, and Errors.
Limit Visible Events
    Set a limit on how many events you want displayed in the error log at one time.
Show Events Logged During:
    Specify whether to show events logged during all sessions, or your most recent session.

22.3 Turning on Trace Messages

You might want to send trace messages to the error log so that the messages are captured in a file. You can then easily e-mail the trace message to Novell Support or others.

Programmers sometimes place hidden messages in their code so that if you are having problems, you can turn on the trace functionality and get additional insight.
Even if you don’t understand the hidden messages, they can help Novell Support diagnose the problem.

To get trace messages:

1 Click Window > Preferences to display the Preferences dialog box.
2 Click Novell > Designer > Trace.
3 Select Enable tracing, then select the options that you want to include or show.
4 Select the plug-ins that you want to trace, then click OK.

To view the results of traces:

1 Select Window > Show View > Trace.
2 View data in the Trace view.
3 You can also turn on trace options from the Trace view by clicking the Preferences icon in the Trace view.

The following options are available when you right-click inside the Trace view:

Table 22-4 Right-Click Options in the Trace View

Option
    Function
Undo
    Undo a previously executed action.
Cut, Copy and Paste
    Cut, copy and paste items in the Trace view by selecting the item, then clicking the desired action.
Delete
    Delete items in the Trace view.
Select All
    Simultaneously select all trace messages in the Trace view.

An icon toolbar is located in the upper right corner of the Trace view. For information on the icons in this toolbar, see “Trace View” in Understanding Designer for Identity Manager.

22.4 Checking Loaded Plug-Ins

A problem can occur if a plug-in fails to load. To see which plug-ins are loaded:

1 Select Window > Show View > Other.
2 Open the PDE Runtime folder.
3 Click Plug-in Registry > OK.
  The Plug-in Registry page lists the Designer plug-ins, which have a green triangle in the plug-in icon.
4 Use the Home icon to bring you to the top of the plug-in list.
5 Select a plug-in, then use the right-arrow icon to drill into the plug-in and use the left arrow icon to return.
6 Use the Refresh icon to refresh the Plug-In Registry view.
7 Use the Plug-In Registry view toolbar to select Show Active Plug-Ins Only.
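The error log from Section 22.2 is a plain-text Eclipse log, so it can be triaged outside Designer before a copy is exported or e-mailed. The following Python code is an added example, not part of the Novell guide: it parses the standard Eclipse !SESSION/!ENTRY/!MESSAGE/!STACK layout and applies the same three filters as the Log Filters window in Section 22.2.4 (event types, event limit, most recent session). The plug-in IDs and log lines are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Severity numbers Eclipse writes after the plug-in ID on an !ENTRY line.
SEVERITY = {0: "OK", 1: "INFO", 2: "WARNING", 4: "ERROR", 8: "CANCEL"}

# !ENTRY <plug-in id> <severity> <code> <date> <time>
ENTRY_RE = re.compile(r"^!ENTRY\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+\s+\S+)")


@dataclass
class LogEntry:
    session: int            # 1-based number of the !SESSION block it belongs to
    plugin: str
    severity: str
    code: int
    timestamp: str
    message: str = ""
    stack: list = field(default_factory=list)


def parse_log(text):
    """Parse the contents of an Eclipse .log file into LogEntry objects."""
    entries, session = [], 0
    current, section = None, None
    for line in text.splitlines():
        if line.startswith("!SESSION"):
            session += 1
            current, section = None, None
        elif line.startswith("!ENTRY"):
            m = ENTRY_RE.match(line)
            current, section = None, None
            if m:
                sev = SEVERITY.get(int(m.group(2)), m.group(2))
                current = LogEntry(session, m.group(1), sev,
                                   int(m.group(3)), m.group(4))
                entries.append(current)
        elif line.startswith("!SUBENTRY"):
            section = "skip"        # nested status: keep the parent, skip the child
        elif current is None or section == "skip":
            continue                # session header lines or skipped child details
        elif line.startswith("!MESSAGE"):
            current.message = line[len("!MESSAGE"):].strip()
            section = "message"
        elif line.startswith("!STACK"):
            section = "stack"
        elif line.strip():
            if section == "stack":
                current.stack.append(line.strip())
            elif section == "message":
                current.message += "\n" + line.strip()
    return entries


def filter_entries(entries, severities=("ERROR", "WARNING", "INFO"),
                   limit=50, most_recent_session_only=False):
    """Event Types, Limit Visible Events and Show Events Logged During, on the file.

    "Most recent session" here means the last session that logged an entry.
    A limit of None or 0 means no limit.
    """
    if most_recent_session_only and entries:
        last = max(e.session for e in entries)
        entries = [e for e in entries if e.session == last]
    picked = [e for e in entries if e.severity in severities]
    return picked[-limit:] if limit else picked


def errors_by_plugin(entries):
    """Count ERROR entries per plug-in, to see which plug-in to trace next."""
    return dict(Counter(e.plugin for e in entries if e.severity == "ERROR"))


# Constructed sample log; plug-in IDs and messages are invented for the example.
SAMPLE_LOG = """\
!SESSION 2013-11-04 09:02:11.120 -----------------------------------------------
eclipse.buildId=unknown
java.version=1.6.0_31

!ENTRY com.example.designer.model 2 0 2013-11-04 09:05:40.002
!MESSAGE Constructed sample: driver set has no server association
!SESSION 2013-11-05 14:20:00.500 -----------------------------------------------
eclipse.buildId=unknown

!ENTRY com.example.designer.deploy 4 0 2013-11-05 14:22:31.877
!MESSAGE Constructed sample: deployment failed
!STACK 0
java.io.IOException: constructed sample stack line
\tat com.example.designer.deploy.Deployer.run(Deployer.java:42)

!ENTRY com.example.designer.deploy 1 0 2013-11-05 14:22:32.010
!MESSAGE Constructed sample: deploy finished with errors
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in filter_entries(parsed, severities=("ERROR", "WARNING"),
                            most_recent_session_only=True):
        print(e.timestamp, e.severity, e.plugin, e.message)
    print(errors_by_plugin(parsed))
```

To run it against a real workspace, read the .log file from the .metadata directory and pass its text to parse_log.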
22.5 Deploying Identity Manager Objects

When you see an error message in Designer, the message corresponds to the place where Designer could not complete the task, and indicates the best place to start troubleshooting. This section discusses the common problems you face when deploying Identity Manager objects into an eDirectory tree. To see error messages and possible solutions, see Section 22.11, “Error Messages and Solutions,” on page 609.

22.5.1 Deployment Considerations

Ensure that the Metadirectory server meets the system requirements necessary to run Identity Manager. See the Overview chapter in the Identity Manager 4.0.2 Integrated Installation Guide for requirements.

Ensure that the Metadirectory server you are deploying to has Identity Manager installed and holds a real copy of the objects to which you want to synchronize. The server running eDirectory must have a Master Read-Write or a Filtered Read-Write replica.

Ensure that the Java software installed on the server is running correctly, because Identity Manager is dependent on Java. If Java is corrupted, you might be able to deploy to a Metadirectory server but not run the Identity Manager drivers.

To deploy an Identity Manager-based project or an object in a project, you must have access to the eDirectory tree that is associated with the Identity Vault you are designing. Select the Identity Vault you want to deploy, then look in the Properties view below the Project/Outline view.

Figure 22-2 The Properties View

In the Properties view, ensure that the Identity Vault’s Name, Host Address, User DN, Password, Deploy Context’s Distinguished Name (DN), and Metadirectory information is complete and accurate. (You can click the Browse icon to find the Deploy Context’s DN on an existing tree if the other information is accurate and Designer can attach to the eDirectory tree.)
You need this information to deploy anything, even a policy, into an existing eDirectory tree running the Metadirectory engine.

Use the Deploy feature only after you have thoroughly tested the rules and policies that make up your drivers. To test a policy, use the Policy Simulator (right-click a policy and select Simulate, then click Start to see the simulation results of the policy that is being tested). For policy design, see the Policy Builder Help topics within the Designer utility.

You can use the Import feature to import a driver, a channel, or a policy. You can then modify the object or objects, run the Policy Simulator to ensure that the object is working correctly, then deploy the object back into the test tree for further analysis. You can also run the Compare feature to see the differences between your modified driver and the driver that is currently running on an Identity Vault server.

In the Outline view in the Project Group view, right-click the driver object in question (you can also double-click the driver object). Use the Properties window to make most changes to drivers. Properties are unique to each driver.

A simple driver problem is specifying the incorrect context (Distinguished DN) for an eDirectory tree. For example, the context of a user object in eDirectory is shown with the slash notation (for example, Blanston\Sales\Users) on the Properties of the Identity Manager driver or when you import the driver. However, different drivers can use formats other than the slash notation. For example, Active Directory and LDAP drivers use comma-delimited format (OU=Users,OU=Sales,O=Blanston). See the driver guides for further details on the drivers you are deploying.

22.5.2 An Example Deployment Error

When you deploy an Identity Vault for the first time, there are several common sources for errors, from incorrectly typing information to not completing the driver set templates.
Figure 22-3 Default Server Container Message

Right-click the Identity Vault in the Modeler view, select Properties > Server List, then click the Edit icon to edit the server information.

Figure 22-4 Correcting a Server Name Problem

22.6 Display Issues

The following sections include display issues users may encounter when using Designer.

22.6.1 No F1 Help in Maximized Editors

Context-sensitive help is available when you press F1. However, if you maximize an editor (for example, the Modeler), help topics do not display when you press F1. To view the help, minimize the editor.

22.6.2 Running Designer with 120 DPI Fonts in Windows

120 DPI is too large for text in standard Windows XP decorations. Adjust the display settings:

1 In the Control Panel, select Display > Appearance > Effects.
2 In Use the following method to smooth edges of screen fonts, toggle Standard to ClearType.
  If you have a display that needs 120+ DPI fonts, you need ClearType. In addition to the obvious anti-aliasing aspects, ClearType provides better weight to the fonts. Without ClearType, the fonts are too thin and light, decreasing readability.
3 Click OK, then click Advanced.
4 In the Item field, reduce the Icon, Menu, Message Box, Selected Items, and ToolTip sizes.
5 Reduce the title bars and related controls to a preferred size.
6 Fix the icon spacing and scroll bar width.
7 Make sure that the display is set at a high resolution.
  This helps eliminate most of the display-related issues on an HD monitor.

22.6.3 Display Issues on Linux

“GNOME”
“KDE”

GNOME

If you encounter display issues in GNOME:

1 Select the Applications menu.
2 Click Preferences > Font, then decrease the size of the application font.
3 You can also adjust the thematic elements to your liking. Keep in mind that GTK thematic elements can cause performance issues with Designer.
If Designer is running slowly, especially when you use pull-down menus and other widgets, you might try changing to a simplified GTK theme. Normally, this process fixes display issues.

KDE

Because Eclipse (Designer) is a GTK application, you should use GTK themes instead of qt-based themes. First, you need to prepare to use the themes.

You must remove the gtk-qt-engine package. This can be done through YaST or by using the instructions given in “Running Designer on Linux with gtk-qt-engine,” in the Novell Identity Manager Designer 4.0.2 Readme (http://www.novell.com/documentation/idm402/readme/data/designer402_readme.html).

You need to have the following packages installed on your Linux system. If you installed the GNOME subsystem, you already have these packages installed:

gtk-engines
gtk2-engines
control-center2 > Gnome Control Center
gtk2-themes > or the themes you downloaded, and all the related dependencies
gnome-themes is only needed if you are going to use Gnome Control Center to set your theme

After you have completed the prerequisites, do one of the following:

Set your GTK theme and font settings from the KDE SUSE menu. Select Utilities > Desktop > Gnome Control Center. You can set this control center application to automatically run each time KDE is started. The following command accomplishes this:

    ln -s /opt/gnome/lib/control-center-2.0/gnome-settings-daemon /home/user/.kde/Autostart

For user, use your username.

Create a GTK control file (usually named .gtkrc-2.0) in your user home directory or the directory where your system is configured to look for GTK2_RC_FILES. Entering set |grep gtk shows how this environment variable is configured and the files it requires. You can use any font and GTK theme that you prefer.
For example:

    include "/opt/gnome/share/themes/Xfce-stellar/gtk-2.0/gtkrc"
    style "user-font"
    {
        font_name="Sans Serif 6"
    }
    widget_class "*" style "user-font"
    gtk-theme-name="Xfce-stellar"
    gtk-font-name="Sans Serif 6"

22.6.4 Copying, Pasting, and Dragging in the Navigator View Don't Update Version Control

Copying and pasting or dragging and dropping operations in the Navigator View do not handle files properly if the files are under version control. The workaround is to perform these operations from the Project view.

22.7 Freeing Heap Memory

A status field at the bottom of Designer displays heap memory used and heap memory available for an application or other item in Designer.

Figure 22-5 The Heap Memory Display

The information varies, depending on which item (for example, an application) you click in the Modeler, Outline view, or other editors.

To free unused heap memory at any time, click the Run Garbage Collector icon.

Figure 22-6 The Run Garbage Collector Icon

22.8 Project Files Are Not Encrypted

Passwords are obfuscated. However, if you have other sensitive data in your project file, it is not encrypted in any way, and you must take care to safeguard your information.

22.9 Users Cannot Import and Check In Multiple Instances of the Same Package Under Version Control

In an environment where you use Designer with Subversion for version control, if a user creates a new driver, imports the required driver packages into the Designer project, and checks the driver and driver packages into Subversion, and then another user tries to create a new driver that imports a package already installed with the first driver, Designer returns the following error:

    Unable to check in package 'PackageName' (Version). A package with that version is already under version control.

A single user should install and check in a particular package or set of packages.
After the first user installs and checks in a package, other users can then use that package and check in their changes.

If you encounter the error message above, you must revert the Package Catalog in Subversion and then manually re-import the new packages to resolve the issue.

For more information about best practices for managing packages with Subversion, see “Managing Packages Best Practices” on page 544.

22.10 Drivers Not Associated with Base Packages After Live Import

If you upgrade to Designer 4.0.2 and perform a live import of a package-based Identity Vault configuration, the Properties page of one or more drivers may not display the base package for that particular driver. This indicates that the driver is not associated with its base package.

To configure Designer correctly, you must manually associate the appropriate base package with the driver:

1 In Designer, navigate to the Modeler view.
2 Right-click the imported driver and select Driver > Properties.
3 In the Properties window, click Packages.
4 Click the plus icon.
5 In the Select Packages window, select the appropriate base package for the driver.
  NOTE: To determine the appropriate base package for a driver if the Select Packages window displays multiple versions of the same base package, you can refer to the pre-upgrade Designer workspace for the correct version number. If your previous Designer workspace is unavailable, select the earliest version available for the version of Identity Manager with which the driver was installed. You should then upgrade to the latest version of the base package.
6 Select Associate base package without complete install and click OK.
7 Repeat Step 2 through Step 6 for each imported driver.

For information about the base packages installed with Designer 4.0 and 4.0.1, see Table 22-5.
Table 22-5 Base Packages Installed in Designer

Base Package Name | Base Package Short Name | Released Versions
Data Collection Service | NOVLIDMDCSB | 1.0.0, 1.0.4
Driver for Active Directory | NOVLADBASE | 1.0.0, 1.0.1, 1.0.3
Driver for Avaya PBX | NOVLAVYAB | 1.0.0
Driver for Blackboard | OBNDBKBDBASE | 1.0.0
Driver for Delimited Text | NOVLDTXTBASE | 1.0.0
Driver for eDirectory | NOVLEDIRBASE | 1.0.0
Driver for Google Apps | NOVLGGLEBASE | 1.0.0, 1.0.1
Driver for GroupWise | NOVLRSERVB | 1.0.0, 1.0.1, 1.0.2
Driver for JMS | NOVLJMSBASE | 1.0.0
Driver for LDAP | NOVLLDAPBASE | 1.0.0
Driver for Lotus Notes | NOVLNOTEBASE | 1.0.0, 1.0.1
Driver for PeopleSoft | NOVLPSFTB | 1.0.0
Driver for RSA | TRVRRSABASE | 1.0.1
Driver for SalesForce.com | NOVLSFBASE | 1.0.0
Driver for SAP Business Logic | NOVLSAPBLB | 1.0.0, 1.0.1
Driver for SAP HR | NOVLSAPHRIB | 1.0.1, 1.0.2
Driver for SAP Portal | NOVLPORTB | 1.0.0, 1.0.1
Driver for SAP User (JCo3) | NOVLSAPUBASE | 1.0.0, 1.0.1, 1.0.2
Driver for Sentinel | NOVLSENTB | 1.0.0
Driver for SharePoint | NOVLSPNTBASE | 1.0.0, 1.0.1, 1.0.2, 1.0.3
Driver for SOAP | NOVLSOAPBASE | 1.0.0
Driver for SunGard Banner | NOVLBNNRBASE | 1.0.0
Driver for Work Order | NOVLWOBASE | 1.0.0
Entitlements Service Driver | NOVLRBEBASE | 1.0.0, 1.0.1
ID Provider Driver | NOVLIDPROVB | 1.0.0
Loopback Driver | NOVLLBACKB | 1.0.0
Managed System Gateway | NOVLIDMMSGWB | 1.0.1
Null Service Driver | NOVLNULLBASE | 1.0.0
Role Service Driver | NOVLRSERVB | 1.0.0, 1.0.1
User Application 4.0 Driver | NOVLUABASE | 1.0.1, 1.0.2
User Application 4.0.1 Driver | NOVLUABASE | 1.0.5

22.11 Error Messages and Solutions

When you see an error message in Designer, the error message corresponds to the place where Designer could not complete the task and indicates the best place to start troubleshooting. This section discusses the error messages you might see when deploying Identity Manager objects into an eDirectory tree, followed by their cause and possible solutions.
Section 22.11.1, “Identity Vault Configuration Errors”
Section 22.11.2, “Driver Configuration Errors”
Section 22.11.3, “Internal Designer Errors”
Section 22.11.4, “eDirectory Access Errors”
Section 22.11.5, “eDirectory Object/Attribute Creation Errors”
Section 22.11.6, “Warnings”

22.11.1 Identity Vault Configuration Errors

Cannot connect to host [Identity Vault Host]; verify the address is correct and that the server is running.
Possible Cause: The address listed in the Identity Vault properties is incorrect or the server is not running.
Solution: Verify that the server address is correct and that the server is up and running.

[User] could not be authenticated to [Identity Vault Host]. Cannot proceed.
Possible Cause: The username or password listed in the Identity Vault properties is incorrect.
Solution: Verify the username specified in the Identity Vault properties and reenter the user’s password.

22.11.2 Driver Configuration Errors

The driver configuration file [Driver Config File] is not a valid XML document: [Error Message].
Cause: The Driver Configuration file being imported from the file system does not contain a valid XML document.
Solution: Fix the Driver Configuration file format.

The XML contained the file named [Driver Config File] is not a driver configuration file. The file cannot be imported.
Cause: The Driver Configuration file being imported from the file system is a valid XML document but is not a valid driver configuration file.
Solution: Import a driver configuration file.

The following 'XML DOM Exception' was thrown. [ExceptionInfo]
Cause: The Driver Configuration XML document is incorrectly formatted. This is probably an internal error because driver configuration files are dynamically generated by Designer for deployment.
Solution: Turn on trace for Designer.
To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Attempt to deploy again, then send the trace file to Novell Support.

The following 'Number Format Exception' was thrown. [ExceptionInfo]
Cause: An integer value in the driver configuration file being deployed is invalid. All integer fields in Designer should validate the content when it is set.
Solution: Turn on trace for Designer. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again and analyze the generated driver configuration file to see if all integer attribute values are correct. Identify the incorrect parameter in Designer, correct the setting, and redeploy.

The specified driver configuration file does not contain a valid driver configuration.
Cause: Designer attempted to process a dynamically generated driver configuration file with an invalid format.
Solution: Turn on XML tracing for the Import/Deploy plug-in. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again, then send the trace to Novell Support. Otherwise, edit and correct the configuration file being imported.

Tree population is not supported from a Driver Set configuration. Tree population components will be ignored.
Cause: The driver configuration file being processed has a <ds-object> element under a <driverset-configuration> element, which is not permitted.
Solution: If this is a dynamically generated configuration file, contact Novell Support; otherwise, move the <ds-object> element under a <driver-configuration> element.
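Several messages in this section come down to structural checks that can be run on a driver configuration file before it is imported from disk. The following Python code is an added example, not Designer's own validation: it tests well-formedness, looks for a <driver-configuration> element, and flags any <ds-object> whose nearest enclosing configuration element is <driverset-configuration>. That reading of "under" is an assumption, and the sample documents are constructed from the element names this section mentions; real files contain more.

```python
import xml.etree.ElementTree as ET

# The two configuration elements named in this section's messages.
CONFIG_TAGS = ("driver-configuration", "driverset-configuration")


def local_name(tag):
    """Drop a '{namespace}' prefix if the parser attached one."""
    return tag.rsplit("}", 1)[-1]


def _walk(elem, enclosing, path, findings):
    """Depth-first walk that remembers the nearest enclosing configuration element."""
    name = local_name(elem.tag)
    here = f"{path}/{name}"
    if name in CONFIG_TAGS:
        enclosing = name
    if name == "ds-object" and enclosing == "driverset-configuration":
        findings.append(("ds-object-under-driverset", here))
    for child in elem:
        _walk(child, enclosing, here, findings)


def check_driver_config(xml_text):
    """Return (finding, detail) tuples; an empty list means no check fired."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Corresponds to "... is not a valid XML document: [Error Message]."
        return [("invalid-xml", str(exc))]

    findings = []
    names = {local_name(e.tag) for e in root.iter()}
    if "driver-configuration" not in names:
        # Well-formed XML, but nothing in it is a driver configuration.
        findings.append(("no-driver-configuration", local_name(root.tag)))
    # Corresponds to "Tree population is not supported from a Driver Set
    # configuration."
    _walk(root, None, "", findings)
    return findings


# Constructed sample documents (hypothetical content).
BROKEN = "<driver-configuration><ds-object></driver-configuration>"
NOT_CONFIG = "<project><policy/></project>"
MISPLACED = "<driverset-configuration><ds-object/></driverset-configuration>"
GOOD = "<driver-configuration><ds-object/></driver-configuration>"
NESTED = ("<driverset-configuration><driver-configuration><ds-object/>"
          "</driver-configuration></driverset-configuration>")

if __name__ == "__main__":
    samples = {"BROKEN": BROKEN, "NOT_CONFIG": NOT_CONFIG,
               "MISPLACED": MISPLACED, "GOOD": GOOD, "NESTED": NESTED}
    for label, doc in samples.items():
        print(label, check_driver_config(doc) or "ok")
```

A clean result only means these structural checks passed; it does not replace the Project Checker or a test deployment.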
The following Driver Set based global variables could not be resolved: [Global Variable List] These variables exist in both the source and target Driver Sets. The two definitions, however, have different types.
Cause: The driver configuration file being processed has global variable definitions that could not be resolved.
Solution: If this is a dynamically generated configuration file, contact Novell Support. If it is a driver configuration file on disk, check the global variable definitions.

The driver configuration file being processed does not contain a valid driver configuration.
Cause: The driver configuration file being processed does not contain a <driver-configuration> element.
Solution: If this is a dynamically created configuration file, turn on XML tracing for the Import/Deploy plug-in. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again, then send the trace to Novell Support. Otherwise, edit and correct the configuration file that is being imported.

The specified driver configuration file was only intended to be imported from a ConsoleOne command line.
Cause: The driver configuration file being processed is not a valid document.

22.11.3 Internal Designer Errors

An internal error has occurred in the Designer Data Model: The policy named [Policy Name] does not know its container.
Cause: The policy being deployed is not contained in a Channel or Driver object. This is an abnormal error, indicating that the Designer model has become corrupted.
Solution: Contact Novell Support.

22.11.4 eDirectory Access Errors

The following 'Component Creation Exception' occurred while trying to access eDirectory. [Exception Info]
Cause: A value contained in the driver configuration file being deployed could not be successfully created in eDirectory.
This is probably an internal error because driver configuration files are dynamically generated by Designer for deployment. However, if the Driver in Designer was created by importing a driver configuration file from the file system and that configuration file contained a Tree Population Segment, a value within a <ds-object> element might be invalid.
Solution: Turn on trace for Designer. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces. Deploy again and analyze the generated driver configuration file to see if any <ds-object> elements exist. If they do, verify that all attribute values are correct. If no <ds-object> elements exist or if all values seem to be correct, contact Novell Support.

The following 'IO Exception' occurred while trying to access eDirectory. [ExecptionInfo]
Cause: This is a Java exception indicating that Designer could not perform the requested input or output operation.
Solution: Contact Novell Support.

DSAccessException: [ExceptionInfo]
Cause: Designer could not connect to the target deployment server.
Solution: Verify that the server information specified in the Identity Vault properties page is correct and that the eDirectory server is up and running.

The following 'Namespace Exception' occurred while trying to access eDirectory. ({0})
Cause: This is a namespace exception indicating that there is a problem with the eDirectory schema, such as a missing attribute or class.
Solution: Verify that the eDirectory schema being imported from or deployed to is correct. If the driver being deployed contains Tree Population segments, verify that the objects being created are valid for the target eDirectory schema.

An exception occurred during the deployment. Cannot perform the operation.
Cause: An unknown exception was encountered.
Solution: Contact Novell Support.

The following 'Snapin Exception' occurred while trying to access eDirectory.
[ExceptionInfo]
Cause: Snap-in exceptions can be thrown in certain methods to report exceptions or errors during import/deploy. Subclasses of a snap-in exception include:
  NotAContainerException: There was a call to get the children of an eDirectory object that is not a container.
  ObjectNotFoundException: The object being resolved cannot be found in eDirectory.
  SPIException: Unable to connect to the eDirectory tree.
Solution: The exception might include the name of the object that caused the exception. Verify that the eDirectory tree being imported or deployed to is up and running and that it has Identity Manager installed.

The following exception occurred but was not handled. ({0})
Cause: An unexpected error occurred while resolving an object in eDirectory.
Solution: Contact Novell Support.

22.11.5 eDirectory Object/Attribute Creation Errors

The driver could not be created.
Cause: Designer attempted to create a driver in eDirectory, but the process failed.
Solution: Verify that the target eDirectory server has Identity Manager installed.

A [ObjectClass] object named [ObjectName] could not be created.
Cause: Designer attempted to create a Publisher, Subscriber, or Policy object in eDirectory, but the process failed.
Solution: Verify that the target eDirectory server has Identity Manager installed.

The driver password could not be saved.
Cause: Designer attempted to set the Driver password in eDirectory, but the request failed.
Solution: Verify that the target eDirectory server has Identity Manager installed.

The password named ''{0}'' could not be saved.
Cause: Designer attempted to set a named password in eDirectory, but the request failed.
Solution: Turn on stack tracing for the Import/Deploy plug-in to get details of the exception. To do this, select Window > Preferences > Designer for IDM Trace > Enable Tracing. In the Trace window, select the check box for Include Stack Traces.

The value for the attribute named [Attribute Name] could not be stored on the object named [Object name].
Cause: Designer attempted to add an attribute to an object in eDirectory, but the request failed. The error message should contain information about the attribute and object.
Solution: Verify that the attribute and value are valid for the given eDirectory object type.

The value for the attribute named ''{0}'' could not be updated using the XSLT on the object named ''{1}''.
Cause: Unable to export shim configuration information.
Solution: Contact Novell Support.

An exception was thrown updating the value of the [Attribute Name] attribute on the [Item Type] object named [Object Name]. [Exception Info]
Cause: Unable to deploy the Identity Manager object and attributes to eDirectory. The error message should contain details of the exception.
Solution: Contact Novell Support.

A [Object Class] object could not be created. The name is missing.
Cause: An eDirectory object could not be created for the given object class because a name was not provided.
Solution: Contact Novell Support.

The policy named [Policy Name] contains a cycle in its next transformation list.
Cause: This is a warning message generated when Designer encounters a circular loop in the policy chain.
Solution: Remove the policy loop by correcting the next policy in the Policy Set view.

The policies named [Policy name] contain cycles in their next transformation lists.
Cause: This is a warning message generated when Designer encounters a circular loop in the policy chain.
Solution: Remove the policy loop by correcting the next policy in the Policy Set view.

Driver [Driver name] could not be restarted for the deployed changes to be in effect.
Cause: Designer was unable to restart a driver after a deployment.
Solution: Turn on DSTrace screen in eDirectory to identify the error preventing the driver from starting.

Driver '[Driver Name]' is disabled and could not be restarted for the deployed changes to be in effect.
Cause: Designer was unable to restart a driver after a deployment because its Driver Start option is set to Disabled.
Solution: Change the Driver Start option to Manual or Auto-start under the driver properties and then deploy the driver.

Driver '[Driver Name]' could not be stopped for the deployed changes to be in effect.
Cause: Designer was unable to stop a running driver after a deployment.
Solution: Turn on DSTrace screen in eDirectory to identify the error preventing the driver from stopping.

An invalid request to set up security on an exported driver was made, no Driver objects were provided. The request cannot be processed.
Cause: The code to set up the security equivalence for a deployed driver was passed an invalid parameter.
Solution: Contact Novell Support.

22.11.6 Warnings

The version of Identity Manager running on the server named '[Server Name]' does not support all the features of Designer. Although you can import a configuration from that server, changes may not work if the configuration is deployed back to it.
Cause: An import or deploy action was made to an eDirectory server running an unsupported version.
Solution: The server must be upgraded for deployments.

An internal error has occurred. The parameters passed into the importer were invalid.
Cause: The code that performs the import was passed an invalid parameter.
Solution: Contact Novell Support.

The '[Attribute Name]' attribute of '[Object Name]' refers to a policy that does not exist or cannot be accessed.
Cause: The driver configuration file being processed contains a DN attribute that cannot be resolved in eDirectory.
Solution: Verify or correct the DN attribute value on the specified object in eDirectory.

An external reference to '[Object Name]' was not handled.
Cause: The driver configuration file being processed contains a DN attribute that cannot be resolved in eDirectory.
Solution: Contact Novell Support.

The XML for the policy named '[Object Name]' contained in the [Policy Type] named '[Policy Name]' does not contain valid XML for a policy. '[Root Node]' is not recognized as the root node for policy XML. The policy is being ignored.
Cause: The policy being imported does not contain a valid XML document.
Solution: Correct the content of the policy in eDirectory.

A [Item Type] can only be imported into a [Item Type].
A [Item Type] can only be imported into a [Item Type] or [Item Type].
Cause: An attempt was made to import an Identity Manager object into an invalid parent object. For example, policies might not be imported into a Driver Set. The code should prevent this from happening, but this error identifies scenarios that were not caught.
Solution: Contact Novell Support.

An unhandled import request was encountered in DeployImporter_Import method [Object DN].
Cause: An attempt was made to import an unknown object or attribute from eDirectory. The code should prevent this from happening, but this error identifies scenarios that were not caught.
Solution: Contact Novell Support.

Could not access the driver configuration file named '[File Name]'.
Cause: Designer could not open or parse the given driver configuration file.
Solution: Contact Novell Support.

The driver filter could not be read from the driver named '[Driver Name]'.
Cause: Designer could not import the Driver filter.
Solution: Turn on the DSTrace in eDirectory to determine the error, then contact Novell Support.

An error was encountered processing the driver configuration file. The variable named [Variable Name] is defined more than once.
Cause: The driver configuration file has a variable that is being defined multiple times.
Solution: If you are importing a driver configuration file from a file, edit the file and remove multiple declarations for the specified variable. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. The declaration of the Node variable named [Variable Name] is invalid. The [Attribute name] attribute is missing.
Cause: The driver configuration file being processed has an invalid variable declaration.
Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and correct the variable declaration. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Flexible prompting requires a 'use-when-value' when a 'use-when-var' is specified.
Cause: The driver configuration file being processed has an error.
Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and add a use-when-value for the specified use-when-var. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support.
To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Flexible prompting requires a 'use-when-var' when a 'use-when-value' is specified.
Cause: The driver configuration file being processed has an error.
Solution: If you are importing a driver configuration file from a file, edit the file and add a use-when-var for the specified use-when-value. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

The variable named [Variable Name] has been referred to but not defined in the driver configuration file being processed.
Cause: The driver configuration file has a variable that is being referenced but has not been defined.
Solution: If you are importing a driver configuration file from a file, edit the driver configuration file and add a declaration for the specified variable. If this is a dynamically generated configuration file (import/deploy to eDirectory), turn on XML tracing for import/deploy to get a trace of the generated configuration file, then contact Novell Support. To turn on trace for Designer, select Window > Preferences > Identity Manager > Application > Trace > Enable Tracing. In the Trace window, select the check box for Include XML Processor Traces.

An error was encountered processing the driver configuration file. Built-in variables cannot be used as a flexible prompting control variable.
The reference to the variable named '[Variable Name]' is invalid.
Cause: The driver configuration file being processed contains an invalid reference to a variable.
Solution: If this is a dynamically created configuration file generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file for the variable specified.

An error was encountered processing the driver configuration file. There was a noncheckbox reference to the checkbox variable named '[Check Box Variable name]'.
Cause: The driver configuration file being processed contains an invalid reference to a check box variable.
Solution: If this is a dynamically created configuration file that is generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file for the check box variable specified.

An error was encountered processing the driver configuration file. An unhandled import prompt was encountered.
Cause: The driver configuration file being processed contains an invalid prompt type.
Solution: If this is a dynamically created configuration file that is generated during an import/deploy action, contact Novell Support. If this is a driver configuration file being imported from disk, edit and correct the configuration file.

The eDirectory tree corresponding to the Identity Vault named '[Identity Vault Name]' cannot be accessed. Directory browsing cannot be performed.
Cause: Designer attempted to access eDirectory through an eDirectory browse icon in the Driver Configuration Wizard, but the connection could not be created.
Solution: Cancel out of the Driver Configuration Wizard, set up the connection parameters in Identity Vault, and run the Driver Configuration Wizard again.

The partition could not be created on the ''{0}'' object. The problem may be that it has not replicated to the master yet.
You can try creating the partition manually later.
Cause: Designer attempted to create a partition when deploying a driver set and the partition operation failed.
Solution: Turn on the eDirectory tracing options for partitioning to determine why the eDirectory partitioning operation failed.

The Driver Set was created but did not replicate to all the servers in the replica ring. The deployment cannot proceed.
Cause: Designer cannot deploy per-server attributes until the driver set has replicated to the eDirectory server.
Solution: Turn on the eDirectory tracing options for replication and determine why eDirectory replication is not occurring.

There are no servers associated with the Driver Set named ''{0}''. There must be at least one server associated with any Driver Set being deployed or the Driver Set containing any objects being deployed.
Cause: Designer cannot deploy an Identity Vault or driver set with an empty server list.
Solution: Edit the properties of the Identity Vault and the driver set to add a server to the server lists.

The Identity Vault name '[Identity Vault Name]' does not contain any Driver Set objects to deploy.
Cause: You cannot deploy an Identity Vault that does not contain at least one driver set.
Solution: Add a driver set to the Identity Vault.

'[User Name]' could not be authenticated to '[Host Name]'. Cannot proceed.
Cause: Designer could not authenticate to the eDirectory tree.
Solution: Verify that the hostname, user, and password for the Identity Vault are correct in the Identity Vault properties.

The Identity Vault named '[Identity Vault Name]' does not contain the eDirectory tree to access. Cannot proceed.
Cause: The Identity Vault does not contain a host address or DNS name for authentication.
Solution: Specify the host address or DNS name for the Identity Vault in the Properties view or Properties page.

Deploy_Util_NoIdentityVault=The {2} named ''{1}'' is not contained in an {0}. Cannot proceed.

The Identity Vault named '[Identity Vault name]' does not contain the DN of the user to authenticate to the target eDirectory tree with. Cannot proceed.
Cause: The Identity Vault does not contain a user for authentication.
Solution: Specify the user for the Identity Vault in the Properties view or Properties page.

The server list on the parent Driver Set for the following eDirectory Driver is empty. We were unable to import the connected eDirectory Driver:
Cause: Designer uses the per-server Shim Auth Server attribute of an eDirectory driver to identify the tree and connected eDirectory driver to import. Because the server list is empty, the connected eDirectory driver cannot be imported.
Solution: Fix the server list on the driver set for the eDirectory driver and the Drivers Shim Auth Server attribute in eDirectory, or import the connected eDirectory driver separately.

The Shim Auth Server parameter for the eDirectory Driver '[Driver Name]' on server '[Server Name]' is empty. We were unable to import the connected eDirectory Driver.
Cause: Designer uses the Shim Auth Server parameter of an eDirectory driver to identify the tree and connected eDirectory driver to import. If this parameter is empty, the connected eDirectory driver cannot be imported.
Solution: Fix the Shim Auth Server parameter on the eDirectory driver or import the connected eDirectory driver separately.

Unable to save Driver Configuration to file '[File Name]'.
Cause: Designer was unable to save an exported driver configuration file.
Solution: Try to save the file to a different directory or filename.

Unable to clear contents of Driver Configuration file '[File Name]'.
Cause: Designer was unable to clear the contents of a driver configuration file that is being overwritten.
Solution: Delete the configuration file being overwritten.

Setting up the Security Equals and Excluded objects may only be performed on a Driver object.
Cause: An invalid object was selected in the Modeler or Outline view.
Solution: Select a single Driver object to set up security equivalences or excluded users.

The selected Driver ''{0}'' has not been deployed or cannot be found in the eDirectory ''{1}''.
Cause: Designer cannot resolve to the Driver object in eDirectory to set up the security equivalences or excluded user list.
Solution: Deploy the driver to eDirectory before setting up the security equivalences or excluded users.

The eDirectory tree corresponding to the Identity Vault named '[Tree Name]' cannot be accessed. Setting up the Driver Security Equivalence/Excluded Users cannot be performed.
Cause: Designer cannot connect or authenticate to the eDirectory tree to set up a driver's security equivalences or excluded user list.
Solution: Verify that the eDirectory parameters specified on the Identity Vault are correct and that the eDirectory server is running.

The Identity Vault named '[Identity Vault Name]' has no deployment DN specified. It is not deployable.
Cause: A deployment context is not specified on the Identity Vault or driver set being deployed.
Solution: Add a deploy DN (context) to the properties of the Identity Vault or Driver Set object in Designer.

22.12 Reporting Bugs and Giving Feedback

Gathering bugs and getting your ideas are keys to improving the performance of Designer and making Designer a tool of choice for you. To send us your feedback, select Help > Report a Bug or Feedback. We encourage you to try it!

1 Select Help > Report a Bug or Give Feedback.
2 Log in to Bugzilla.
  If you don’t have an account, you can easily create one.
3 Select the component in the product that you are reporting on.
  The Designer 4.0.2 product is preselected. If you don’t know which component you are reporting on, select your best guess (for example, Modeler).
4 In the Summary field, summarize the problem or your request for an enhancement.
5 In the Description field, describe the bug or enhancement.
  If you are reporting a bug, provide clear steps on how to reproduce the problem.

A Modeler Operations

Modeler operations are available when you right-click inside the Modeler. The list of operations depends upon whether you right-click the Modeler space or one of the objects.

  Section A.1, “Modeler Space Operations”
  Section A.2, “Identity Vault Operations”
  Section A.3, “Driver Set Operations”
  Section A.4, “Driver Operations”
  Section A.5, “Application Operations”
  Section A.6, “Submenus”
  Section A.7, “Keyboard Support”

A.1 Modeler Space Operations

The following figure illustrates Modeler options that are available when you right-click empty Modeler space.

Figure A-1 Modeler-Space Operations

Table A-1 Modeler-Space Operations

Right-Click Operation | Description
Undo | Returns an item to its previous status.
New > Application | Selects an application from a list and places the application to the Modeler.
New > Domain Group | Places a Domain Group in the Modeler.
New > Identity Vault | Launches a dialog box that specifies a server and creates an Identity Vault.
Straighten Connections | Straightens lines for selected items. For example, you can straighten a line to a driver, all lines in a driver set, everything in a Domain Group, or an entire project. If a line is not within a few degrees of being horizontal or vertical, this option is dimmed.
Distribute | Evenly distributes applications vertically or horizontally. Press Ctrl, select the items that you want to distribute, then select a pattern.
Align | Aligns applications according to a pattern that you select. Press Ctrl, select the items, then select a pattern (for example, Align Bottom).
Document Selection | Launches the Document Generation Wizard, which documents your project.
Live > Import | Imports an Identity Vault.

A.2 Identity Vault Operations

The following figure illustrates Modeler operations that are available when you right-click an Identity Vault.

Figure A-2 Identity Vault Operations

Table A-2 Identity Vault Operations

Operation | Description
Undo | Returns an item to its previous status.
New > Driver Set | Adds a Driver Set object to an Identity Vault.
New > Library | Launches the New Library Wizard.
New > Server | Launches the Add Server Wizard.
Straighten Connections | Straightens lines for selected items. For example, you can straighten a line to a driver, all lines in a driver set, everything in a Domain Group, or an entire project. If a line is not within a few degrees of being horizontal or vertical, this option is dimmed.
Select Connected Applications | Selects all applications that are connected to the driver set or Identity Vault. This is convenient if you have several applications connected to a driver set. You can quickly move them all or delete them all without browsing to and selecting each one.
Distribute | Evenly distributes applications vertically or horizontally. Press Ctrl, select the items that you want to distribute, then select a pattern.
Align | Aligns applications according to a pattern that you select. Press Ctrl, select the items, then select a pattern (for example, Align Bottom). See Table A-6 on page 637.
Change to eDirectory Tree | Changes an Identity Vault to an eDirectory tree. In Architect mode, this option displays a tree instead of a vault. This is just for diagramming purposes; there is no functional difference.
Change to Identity Vault/Metadirectory | Changes an eDirectory tree into an Identity Vault. In Developer mode, this option displays a vault instead of a tree.
This is just for diagramming purposes; there is no functional difference.
Add to Group | Creates a Domain Group, and adds the selected items to it. The selected items are removed from any group to which they were previously associated.
Manage Vault Schema | Launches the Schema Manage tool, from which you can manipulate schema settings for the selected Identity Vault or directory.
Document Selection | Launches the Document Generation Wizard, which documents the selected Identity Vault.
Import Schema from File | Enables you to browse to a file and import a schema into a .sch or .ldif file.
Import from Configuration File | Allows you to browse to and import a driver configuration file.
Export to File > Configuration | Exports the Identity Vault to a .xml file. iManager can consume this format, and Designer can re-import it. For more information, see Section 16.10, “Exporting to a File,” on page 448.
Export to File > Schema | Exports the schema to a .sch or .ldif file.
E-mail Templates > E-Mail Server Properties | Configures an e-mail server to send e-mail notifications. Edits templates used to notify users concerning password events. For more information, see Section 11.5, “Configuring the E-Mail Server,” on page 287.
E-Mail Templates > Edit Templates | Launches the E-mail Templates dialog box, from which you can edit the e-mail templates associated with the selected Identity Vault. For more information, see Chapter 11, “Setting Up E-Mail Notification Templates,” on page 277.
E-Mail Templates > Update Templates | Adds localized templates to the Default Notification Collection.
Live > Import | Enables you to connect to a server, browse to and select objects, and import the objects into the Identity Vault.
Live > Deploy | Prepares a deployment summary and then deploys selected objects and attributes.
Live > Compare | Compares selected Identity Vaults. Enables you to reconcile or update Identity Vaults. See Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
Live > Schema > Import | Imports the schema from an existing Identity Vault.
Live > Schema > Deploy | Deploys the modified or imported schema.
Live > iManager | Enables you to connect to a server and launch iManager.
Live > Manage Directory | Launches the eDirectory Object Manager, which allows you to view, and edit attributes for, the selected Identity Vault. For more information, see Section 18.6, “Managing Directory Objects,” on page 483.
Live > Status for All Drivers | Lists drivers that are stopped or running.
Live > Start All Drivers | Starts all drivers associated with the selected object.
Live > Stop All Drivers | Stops all drivers associated with the selected object.
Live > Restart All Drivers | Restarts all drivers associated with the selected object.
Delete | Deletes the Identity Vault.
Properties | Displays the Identity Vault’s properties pages.

A.3 Driver Set Operations

The following figure illustrates Modeler operations that are available when you right-click a driver set.

Figure A-3 Driver Set Operations

Table A-3 Driver Set Operations

Operation | Description
New > Driver | Launches the Driver Configuration Wizard to add a driver to the driver set.
New > Job | Launches the Job Scheduler Wizard to create a job.
New > Library | Launches the New Library Wizard.
New > Role-Based Entitlement Policies | Creates an Entitlement policy that is a dynamic group with additional features added to grant entitlements on connected systems.
New > DS Object | Creates a DS object that is part of packages. A DS object contains information that creates eDirectory objects in the Identity Vault.
New > Global Configuration | Creates a Resource object that stores global configuration values that can be applied in a package.
Copy > Driver Set Settings | Enables you to browse to a driver set and copy its settings.
A pasted copy overwrites data in the target driver set.
Copy > Global Configuration Values | Enables you to copy Global Configuration Values (GCVs) from one driver set to one or more other driver sets. This option enables you to configure GCVs in one place and then apply GCV settings to selected targets.
Straighten Connections | Straightens all lines in the driver set. If a line is not within a few degrees of being horizontal or vertical, this option is dimmed.
Select Connected Applications | Selects all applications that are connected to the driver set. You can quickly move or delete the applications without browsing to and selecting each one.
Arrange Applications | Arranges application icons around their associated driver set icon. A check mark indicates the current layout for the driver set. After the layout is set, any applications that you connect are automatically snapped into that layout. For more information, see Table A-7 on page 638.
Distribute | Evenly distributes applications vertically or horizontally. Press Ctrl, select the items that you want to distribute, then select a pattern.
Align | Aligns applications according to a pattern that you select. Press Ctrl, select the items, then select a pattern (for example, Align Bottom). See Table A-6 on page 637.
Document Selection | Launches the Document Generation Wizard, which documents the selected driver set.
Import from Configuration File | Reads in exports made from iManager or Designer. For more information, see Section 12.4, “Importing a Driver Configuration File,” on page 318.
Export to Configuration File | Exports the driver set to a .xml file. iManager can consume this format, and Designer can re-import it. For more information, see Section 16.10, “Exporting to a File,” on page 448.
Live > Import | Enables you to connect to a server, browse to and select objects, and import the objects into the driver set.
Live > Deploy | Prepares a deployment summary and then deploys selected objects and attributes.
Live > Compare | Compares selected driver sets. Enables you to reconcile or update driver sets. See Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
Live > Driver Set Configuration > Import Attributes | Imports attributes from an existing driver set.
Live > Driver Set Configuration > Deploy Attributes | Deploys the modified or imported attributes.
Live > Driver Set Configuration > Compare Attributes | Compares attributes in Designer to the connected Metadirectory server.
Live > Status > for All Drivers | Lists drivers that are stopped or running.
Live > Start All Drivers | Starts all drivers associated with the selected object.
Live > Stop All Drivers | Stops all drivers associated with the selected object.
Live > Restart All Drivers | Restarts all drivers associated with the selected object.
Delete | Deletes the driver set.
Properties | Enables you to configure Identity Vaults, driver sets, drivers, and applications.

A.4 Driver Operations

The following figure illustrates Modeler operations that are available when you right-click a driver.

Figure A-4 Driver Operations

Table A-4 Driver Operations

Operation | Description
Undo | Returns an item to its previous status.
New > Credential Application | Creates a new Application object, which stores static single sign-on parameters for a specific application. For more information, see Novell Credential Provisioning for Identity Manager 4.0.2.
New > Credential Repository | Creates a new Repository object, which stores static configuration information for an authentication credential repository such as either Novell SecretStore or Novell SecureLogin. For more information, see the overview section in the Novell Credential Provisioning for Identity Manager 4.0.2.
New > DirXMLScript | Launches the Policy Builder, creates a policy, and creates a new DirXML Script. DirXML Script is the primary method of implementing policies in the Novell Identity Manager Metadirectory engine.
New > ECMAScript | Creates an ECMAScript object and opens the ECMAScript editor.
New > Entitlement | Launches the Entitlement Wizard and adds an entitlement to the selected driver. For more information, see Chapter 14, “Using Entitlements,” on page 381.
New > Job | Launches the Job Scheduler Wizard to create a job.
New > Mapping Table | Creates a Mapping Table object. A policy uses a Mapping Table object to map one set of values to another set of corresponding values.
New > Resource | Creates a Resource object. Resource objects (for example, generic, ECMAScript, mapping table, application, or repository resources) store information that drivers use. The information can be arbitrary data in any format (for example, XML or text).
New > DS Object | Creates a DS object that is part of packages. A DS object contains information that creates eDirectory objects in the Identity Vault.
New > Global Configuration | Creates a Resource object that stores global configuration values that can be applied in a package.
New > Schema Map | Creates a schema map policy and launches the Schema Map editor. A schema map policy maps class names and attribute names between the Identity Vault namespace and the application namespace. The schema map policy is applied in both directions.
New > XSLT | Creates an XSLT policy. XSLT is a standard language for transforming XML documents. You can use the XSLT option to implement policies as XSLT style sheets.
New > From Copy | Creates a policy by copying from an existing object.
Copy > Settings | Copies data from the selected driver to a target driver. A pasted copy overwrites data in the target driver.
Copy > Server-Specific Settings | Copies data from the selected server to a target server. A pasted copy overwrites data in the target server.
Mark/Unmark as Firewall | Enables you to mark where a driver is communicating through a firewall. Used in Developer mode. If driver icons are turned off, the firewall icon doesn't appear.
Straighten Connection | Straightens a driver connection line. If a line is not within a few degrees of being horizontal or vertical, this option is dimmed.
Show Dataflow View | Displays the flow of information between the application and the driver in the Developer view. Launches the Dataflow view. For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Dataflow | Displays the dataflow between the application and driver set. Appears only when dataflow view is activated.
DirXML Script Tracing | Turns on or off the tracing of rules, conditions, condition groups, actions, and tokens at the driver level.
Show Policy Sets | Launches the Policy Set and Policy Flow views. For more information, see “Policy Set View” in Understanding Designer for Identity Manager.
Simulate | Runs the Simulate Policy Transformation program against the selected driver.
Run Configuration Wizard | Guides you through creating a driver. After you fill in the wizard’s forms, Designer automatically generates policies that configure the driver to function as described in the forms.
Edit Entitlements | Enables you to select an entitlement that is associated with the driver and edit the entitlement’s settings. For more information, see Chapter 14, “Using Entitlements,” on page 381.
Password Synchronization | Configures and displays the flow of password synchronization. For more information, see Section 9.7, “Integrating Passwords,” on page 272.
Manage Application Schema | Enables you to manage a copy of the managed system’s schema.
You can make changes to a copy of the application schema so that you can test the Identity Manager drivers in Designer. See Section 8.7, “Managing a Copy of an Application Schema,” on page 233.
Document Selection: Launches the Document Generation Wizard, which documents the selected driver.
Export to Configuration File: Exports the driver to a .xml file. iManager can consume this format, and Designer can re-import it. For more information, see Section 16.10, “Exporting to a File,” on page 448.
Import From Configuration File: Imports an exported .xml driver file.
Live > Import: Enables you to connect to a server, browse to and select a driver, and import the objects into the driver.
Live > Deploy: Prepares a deployment summary and then deploys selected objects and attributes.
Live > Compare: Compares selected drivers. Enables you to reconcile or update drivers. See Section 16.7, “Using the Compare Feature When Deploying,” on page 435.
Live > Driver Configuration > Import Attributes: Imports attributes from an existing driver.
Live > Driver Configuration > Deploy Attributes: Deploys the modified or imported attributes.
Live > Driver Configuration > Compare Attributes: Allows you to compare the attributes of a policy to the attributes that are already deployed.
Live > Refresh Application Schema: Specifies the server on an eDirectory tree where the schema is refreshed after an application’s schema changes. See Section 8.7.2, “Refreshing the Application Schema,” on page 235.
Live > Status for All Drivers: Reports whether the driver is stopped or running.
Live > Start Driver: Starts the driver.
Live > Stop Driver: Stops the driver.
Live > Set Driver Trace Level: Specifies how much information to display in a trace level log from the driver. Settings go from 0-5.
Live > Restart Driver: Restarts the drivers.
Live > Set Up Driver Security: Launches the Driver Security Equals/Exclusions dialog box.
Enables you to configure the selected driver’s security equivalences and to exclude selected users from administrative roles. If you select multiple drivers, this dialog box lets you add, modify, and remove common security equivalences and exclusions of the selected drivers.
Delete: Deletes the selected driver and its policies.
Properties: Launches the driver’s property pages. Enables you to configure the driver.

A.5 Application Operations
The following figure illustrates Modeler operations that are available when you right-click an application.
Figure A-5 Application Operations
Table A-5 Application Operations
Undo Change Location: Returns an item to its previous status.
Disconnect eDir-to-eDir: (Viewable when you select an eDir-to-eDir application.) Separates the eDir-to-eDir application into two eDirectory drivers.
Straighten Connection: Straightens a driver connection line. If a line is not within a few degrees of being horizontal or vertical, this option is dimmed.
Distribute: Evenly distributes applications vertically or horizontally. Press Ctrl, select the items that you want to distribute, then select a pattern.
Align: Aligns the selected objects horizontally and vertically. For more information, see Table A-6 on page 637.
Change to eDirectory Tree: (Viewable when you select an eDirectory application.) Runs the Driver Configuration Wizard to install an eDir-to-eDir driver. Places a tree icon in the Identity Vault.
Change to Identity Vault/MetaDirectory: (Viewable when you select an eDirectory application.) Runs the Driver Configuration Wizard to install an eDir-to-eDir driver. Places a vault icon in the Identity Vault.
Show/Hide Subsystems: Lets you model an application’s or operating system’s subsystems. For example, if you have a Linux system, you can open it and drop MySQL inside as a subapplication that runs on Linux.
This is for diagramming purposes only, but can be convenient for accurately capturing the structure of the enterprise systems around which you are building the identity solution.
Add to Group: Creates a Domain Group, and adds the selected items to it. The selected items are removed from any group that they were previously associated with.
Show Dataflow View: Displays the flow of information between the application and the driver in the Developer view. Launches the Dataflow view and lists Dataflow on the menu. For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Remote Control Desktop: Launches a remote control session for the selected application. The host server must have an existing VNC server running.
Manage Application Schema: Enables you to manage a copy of the managed system’s schema. You can make changes to a copy of the application schema so that you can test the Identity Manager drivers in Designer. See Section 8.7, “Managing a Copy of an Application Schema,” on page 233.
Document Selection: Launches the Document Generation Wizard, which documents the application.
Driver > DirXML Script Tracing: Turns on or off the tracing of rules, conditions, condition groups, actions, and tokens at the driver level.
Driver > Show Policy Sets: Launches the Policy Set and Policy Flow views. For more information, see “Policy Set View” in Understanding Designer for Identity Manager.
Driver > Simulate: Runs the Simulate Policy Transformation program against the selected driver.
Driver > Run Configuration Wizard: Guides you through creating a driver. After you fill in the wizard’s forms, Designer automatically generates policies that configure the driver to function as described in the forms.
Driver > Password Synchronization: Configures and displays the flow of password synchronization. For more information, see Section 9.7, “Integrating Passwords,” on page 272.
Driver > Document Selection: Launches the Document Generation Wizard, which documents the driver.
Driver > Export to Configuration File: Exports the driver to a .xml file. iManager can consume this format, and Designer can re-import it. For more information, see Section 16.10, “Exporting to a File,” on page 448.
Driver > Import from Configuration File: Allows you to browse to and import a driver configuration file.
Driver > Import: Enables you to connect to a server, browse to and select a driver, and import the objects into the driver.
Driver > Deploy: Prepares a deployment summary and then deploys selected objects and attributes.
Driver > Compare: Allows you to compare the information structure in Designer on an object, to the object that is deployed or running on an eDirectory server.
Driver > Driver Configuration > Import Attributes: Imports attributes from an existing driver.
Driver > Driver Configuration > Deploy Attributes: Deploys the modified or imported attributes.
Driver > Driver Configuration > Compare Attributes: Allows you to compare the attributes of a policy to the attributes that are already deployed.
Driver > Status for All Drivers: Reports whether the drivers are stopped or running.
Driver > Start Driver: Starts the driver.
Driver > Stop Driver: Stops the driver.
Driver > Set Driver Trace Level: Allows you to specify how much information you want to see in a trace level log from the driver. Settings go from 0-5.
Driver > Restart Driver: Restarts the drivers.
Driver > Set Up Driver Security: Launches the Driver Security Equals/Exclusions dialog box. Enables you to configure the selected driver’s security equivalences and to exclude selected users from administrative roles. If you select multiple drivers, this dialog box lets you add, modify, and remove common security equivalences and exclusions of the selected drivers.
Driver > Properties: Launches the driver’s property pages. Enables you to configure the driver.
Delete: Deletes the application and driver.
Properties: Enables you to configure Identity Vaults, driver sets, drivers, and applications.

A.6 Submenus
Table A-6 Align Submenu
Align Top: Aligns the top edge of the selected objects.
Align Bottom: Aligns the bottom edge of the selected objects.
Align Left: Aligns the left edge of the selected objects.
Align Right: Aligns the right edge of the selected objects.
Align Center: Horizontally aligns the centers of the selected objects.
Align Middle: Vertically aligns the middles of the selected objects.

Table A-7 Arrange Applications Submenu
Arrangement Off: Disables a previously selected auto-arrangement method.
Box: Arranges application icons in a square around the driver set.
Circle: Arranges application icons in a circle around the driver set.
Half Circle: Arranges application icons in a semicircle around the driver set.
Star: Arranges application icons in a star around the driver set.
Fan Out - Bottom: Arranges application icons in a fan shape below the driver set.
Fan Out - Left: Arranges application icons in a fan shape to the left of the driver set.
Fan Out - Right: Arranges application icons in a fan shape to the right of the driver set.
Fan Out - Top: Arranges application icons in a fan shape above the driver set.
Expand/Contract: Expands or contracts the layout of the application icons. Selecting this option opens a dialog box from which you drag the slide in the Factor field to change the layout.

Table A-8 Dataflow Submenu
Publish: Specifies that the Publisher channel is synchronized for the selected objects (unidirectional sync from selected objects). For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Subscribe: Specifies that the Subscriber channel is synchronized on the selected objects (unidirectional sync to selected objects). For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Sync: Specifies that both the Publisher and Subscriber channel are synchronized for the selected objects (bidirectional sync). For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Ignore from: Specifies that the selected objects ignore Subscriber channel synchronization. For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Ignore to: Specifies that the selected objects ignore both Publisher and Subscriber channel synchronization. For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.
Ignore both directions: Specifies that the selected objects ignore Publisher channel synchronization. For more information, see Chapter 9, “Managing the Flow of Data,” on page 241.

Table A-9 Distribute Operations Submenu
Horizontal: Evenly spaces the selected objects horizontally.
Vertical: Evenly spaces the selected objects vertically.

A.7 Keyboard Support
The following table describes common keyboard shortcuts available in the Modeler.
Table A-10 Shortcut Keys
/: Navigates to the item's next connection.
\: Navigates to the item's previous connection.
Delete: Deletes the selected item or line.
Left-arrow: Navigates left.
Right-arrow: Navigates right.
Up-arrow: Navigates up.
Down-arrow: Navigates down.
<Alt>+Down-arrow: Navigates into a subgroup.
<Alt>+Up-arrow: Navigates out of a subgroup.
<Ctrl> + =: Zooms in.
<Ctrl> + -: Zooms out.
<Ctrl> + A: Selects all objects in the current project.
<Ctrl> + C: Copies the selected objects to the Clipboard.
<Ctrl> + F: Opens the Find dialog box for searching the project.
<Ctrl> + V: Pastes the Clipboard contents to the selected location.

B Document Generator Core Support Templates
This is reference information to help you customize the Document Generator feature.
Section B.1, “dgSection.xsl”
Section B.2, “dgFormat.xsl”
Section B.3, “idmConfig.xsl”
Section B.4, “idmUtil.xsl”

B.1 dgSection.xsl
match “/”: Main template that invokes all sub-templates. Users can override this template to create their own template behavior; however, you should override the Section.Content, Section.Body, or Section.Main.
Section.Sequence: Main template that invokes all sub-templates. Users can override this template to create their own template behavior; however, you should override the Section.Content, Section.Body, or Section.Main.
Section.Main: This section includes Section.Content and Section.Children.
Section.Content: This section includes Section.Title and Section.Body.
Section.Body: The body content of the section.
Section.ShowStyleAttrib: Describes the default way to display attributes when no utes template is defined.
    Parameters:
    border - border used for tables. The default value is 0.5pt solid black.
Section.Children: Inserts the child sections that are passed as a parameter into this template.
Section.PageLayout: Formats the page layout, including paper size, headers, page numbering, and so forth. The Section.Main template is called to insert the document into this layout.
Section.staticContent: Formats the page layout, including paper size, headers, page numbering, and so forth. The Section.Main template is called to insert the document into this layout.
Section.Title: Creates a title block containing the appropriate title text and link.
Section.TitleText: Gets the text to be displayed for this section.

B.2 dgFormat.xsl
Format.Title: This template handles all of the details involved in formatting a title block.
    Parameters:
    text - Text to display.
    id - id for linking to this title (such as from the table of contents).
    font - Font size to use.
    image - Image to show as a bullet. The auto value tries to determine an image based on the current element.
Format.FigureTitle: This template handles all of the details involved in formatting a figure title block.
    Parameters:
    title - Title text.
    description - Description text.
Format.OutputTextArea: Formats parameter information returned from a text area control that can contain HTML tags. If there is no HTML prefix, line breaks are inserted.
    Parameters:
    value - Value of the textarea to output.
Format.EnabledStatus: Shows the enabled image if the value is True. The disabled image shows only when the showDisabled parameter is set to True.
    Parameters:
    value - Enabled, True/False.
    showDisabled - Set to True if the disabled image should show when the value is False. The default value is False.
Format.Chechbox: Shows a check box image if the value is True, or an empty check box image otherwise.
    Parameters:
    value - Checked, True/False.
    default - Default value if “”, False, or some other value other than True exists. The default value is False.
Format.PropertyRow: Shows a table property row with two columns, one for the name and one for the value.
    Parameters:
    propertyName - The property name.
    propertyValue - The property value.
    border - Border used for the table. The default value is 0.5pt solid black.
    disable-output-escaping - Disables output escaping on the output value, so you can pass escaped FO content. The default value is False.
    showEmpty - Show empty values. The default value is False.
Format.ContextRow: Shows a contextual row with related attribute. Use this inside a table.
    Parameters:
    text - Text to display.
    level - Level or indent. The default value is 1.
    href - HREF value to link to another portion of the document.
    image - Image to show as a bullet. The auto value tries to determine an image based on the current element.
    show-page-ref - Show page reference; True/False. The default value is True.
Format.ShowBulletImage: Show a bullet image.
    Parameters:
    image - Image to show as a bullet. The auto value tries to determine an image based on the current element.
Format.XMLFigure: This template takes care of all the details involved in formatting a figure that shows XML content.
    Parameters:
    title - Title text.
    description - Description text.
    xml - XML data to show in the figure in text. You can also use a "." to get the current node and children.
    simple-format - If True, this shows the XML without text selecting. This can also be preferred if name space attributes need to be included or if the XML is not well-formed. The default value is False.
match "node()" mode "xml-to-text": XML-to-text formatting function.
    Parameters: attr-name-color, attr-value-color
match "@*" mode "xml-to-text": XML-to-text formatting function.
    Parameters: attr-name-color, attr-value-color
match "text()" mode "xml-to-text": XML-to-text formatting function.
match "comment()" mode "xml-to-text": XML-to-text formatting function.
    Parameters: comment-color
Format.ImageFigure: Formats a figure that shows an image for its content.
    Parameters:
    title - Title text.
    description - Description text.
Format.PageBreak: Inserts a page break.
Format.BasicLink: Creates a basic link to the given HREF using the given text. If the href parameter is empty, it only outputs the text value.
    Parameters:
    text - Link text
    href - Link HREF
Format.BasicLinkToReferencedItem: Creates a basic link to the XSI referenced item. This uses the @guid attribute to build the link. If no @guid is available, only the text label is rendered.
    Parameters:
    xsiHref - XSI value of referenced node.
Format.Uppercase: Used to convert a string to uppercase text.
    Parameters:
    value - The value you want to convert to uppercase.
Format.SmartSpace: Used to convert a string to smart-spaced text.
    Parameters:
    value - The value you want to smart-space.
Format.OutputDebugParameters: Outputs the debug parameters for a section when the DEBUG_PARAMS attribute is enabled.
Format.Debug: Outputs the specified text in a debug format when the DEBUG attribute is enabled.
    Parameters:
    text - Debug text.

B.3 idmConfig.xsl
match "*" mode "xmlFigure": Build an XML Figure for any policy type.
    Parameters: title, description, alwaysShowPolicyXmlSource
match "xsl:stylesheet|xsl:transform": Filter.
    Parameters: title, description
match "attr-name-map": Attribute mapping.
match "policy": Policy matching.
    Parameters: title, description, alwaysShowPolicyXmlSource
opConcat
opDelim
match "@*" mode "DirXMLScript"
match "*" mode "DirXMLScript"
match "arg-actions" mode "DirXMLScript"
match "arg-dn" mode "DirXMLScript"
match "arg-value" mode "DirXMLScript"
match "token-text" mode "DirXMLScript"
getLabel: Utility method used to get policy related text labels.
    Parameters:
    name - The name of the label.
match "actions"

B.4 idmUtil.xsl
IdmUtil.ItemPropertyTable: Shows a table of values for the current Item. Depending on the item, it might filter attributes.
    Parameters:
    title - Title text.
    description - Description text.
    showEmpty - Show empty values. The default value is False.
IdmUtil.StartOptionPropertyRow: Shows the appropriate icon and text for the startup option on the current Item.
(0 = Disabled, 1 = Manual, 2 = Auto)
    Parameters: propertyName, propertyValue, border
IdmUtil.ItemNumbering: Gets the current item numbering in context to the Designer source (such as "2.4.5.2."). This template helps centralize what should be counted in the numbering process because several places reuse this information.
IdmUtil.ItemText: Based on the XSI type, returns text for the type, followed by a colon and the name value (for example, Identity Vault: my vault 1)
IdmUtil.ItemType: Returns text representing the type of the current Item (such as Identity Vault, Domain, or Driver Set)
IdmUtil.PolicySetPropertyRow: Builds a property row with a list of the policies based on the next policy value.
    Parameters:
    policy - Root policy of the policy set, passed by attribute name (such as mappingPolicy).
    label - Label for the displayed value.
    emptyLabel - Text to show if the value is empty. The default value is (none defined).
IdmUtil.PolicySetLinks: Returns a list of policy set links, called recursively.
    Parameters:
    xsiRootPolicyHref - Root policy of the policy set.
IdmUtil.ConfigValuesTable: Shows a Config Value table for the given XML.
    Parameters:
    title - Title text.
    description - Description text.
    xml - XML value to use to create the table.
    border - Border used for the table. The default value is 0.5pt solid black.
    emptyLabel - Text to show if the value is empty. The default value is (none defined).
IdmUtil.FilterTable: Shows a Filter table for the given XML.
    Parameters:
    title - Title text.
    description - Description text.
    xml - XML value to use to create the table.
    emptyLabel - Text to show if the value is empty. The default value is (none defined).
IdmUtil.showSyncIcon: Show an Identity Manager sync icon based on input type and sub-type.
    Parameters:
    type - Type is pub, sub.
    sub-type - Sub-type is "", sync, ignore, notify, reset.
IdmUtil.ValueOfReferencedItem: Returns the value of the node given the XSI expression. When extracting the name of an item, you should use the Format.BasicLinkToReferencedItem method so that the text is created as a link inside the document.
    Parameters:
    xsiHref - XSI value of referenced node.
    suffix - Suffix to append before selecting (the default is the current node). The default value is "."
IdmUtil.ItemCustomIconFileName: Get the custom icon filename for the given GUID.
    Parameters:
    guid - The item's GUID
IdmUtil.ShowIManagerIcon: This method is for backwards compatibility. Use IdmUtil.ShowIcon instead.
IdmUtil.ShowIcon: Shows the icon for the current Item. This first checks the cusomIconURI for a referenced image, then builds to a generic path based on the type attribute (for Drivers and Applications).
    Parameters:
    image-width - The image width to use. The default value is 49px.

C Adding Applications and Drivers to the Palette
The following graphic illustrates Designer’s palette. The Directory group is expanded to illustrate applications in that group.
Figure C-1 Designer’s Palette
You can add a group, application, driver, or driver configuration to the palette. To do so, you must modify or create almost all the file types discussed in Section C.1, “Definition Folders and Files,” on page 651. You must also exactly follow each step as explained in Section C.2, “Adding to the Palette,” on page 658.
Section C.1, “Definition Folders and Files”
Section C.2, “Adding to the Palette”
Section C.3, “Protecting Your Customized Files”

C.1 Definition Folders and Files
The palette definition is stored in the com.novell.designer.idm plug-in’s defs folder.
Figure C-2 The defs Folder
The following sections provide information about subfolders and files:
Section C.1.1, “Driver Configuration and Localization Files”
Section C.1.2, “Palette Folders and Files”
Section C.1.3, “The Notification Templates Folder”
Section C.1.4, “The Themes Folder”

C.1.1 Driver Configuration and Localization Files
The com.novell.designer.idm/defs/driver_configs folder contains all the driver configuration files and their localization (.xlf) files. These files contain Identity Manager policies. You can import them by using iManager or Designer.
The overlay_configs folder contains the driver overlay files.
Figure C-3 The overlay_configs Folder
The ids_transform subdirectory should be left alone.

C.1.2 Palette Folders and Files
The com.novell.designer.idm/defs/model_items folder contains all the items that make up the palette:
Figure C-4 The model_items Folder
The following table lists the .xml and .dtd files found in this folder. The .dtd files contain the XML Document Type Definition for the different palette definition files.
Table C-1 Files in the model_items Folder
Categories.dtd: Defines a category
Categories.xml: Contains all the categories that the palette can consume. Because adding or removing categories breaks existing code or has no impact at all, this file should be left alone.
Driver.dtd: Elements that make up a driver (for example, configuration files, primary and secondary applications, icons, and capabilities)
ItemDef.dtd: Defines applications and design elements
Palette.dtd: Defines the palette's name and its groups
The model_items folder also contains several subfolders:
“Definition Files for Applications”
“Design Elements”
“The Drivers Folder”

Definition Files for Applications
The Applications folder contains definition files for all applications that are available in the palette.
Figure C-5 The Applications Folder
The application definition files are grouped into folders that match the groups defined in the Main.xml palette definition file in the Palettes folder. The palette arranges applications in these same groups in Designer.
Figure C-6 The Palettes Folder
The Applications/Directory folder contains XML files, icons, and localization variables in properties files.
“XML Files”
“The Icons Folder”
“Localization Files”

XML Files
The defs/model_items/Applications/Directory folder contains .xml files. These files are the application definitions.
Figure C-7 XML Files in the Directory Folder
As the following figure illustrates, the definition files reference icons and localization variables:
Figure C-8 The AD.xml File

The Icons Folder
The defs/model_items/Applications/Directory/icons folder contains icons in PNG format (.png).
Figure C-9 The icons Folder
The Modeler (not the palette) uses these icons. The palette uses the small icons in the small subdirectory. The .png files are referenced from the application definition files. The icons are 44x55 pixels in size and use transparency to display well in the Modeler.
The small folder contains smaller GIF versions of the icons in the parent directory.
Figure C-10 The small folder
These icons are actually shown in the palette. The icons are 20x16 pixels in size and use transparency to display well in the palette.

Localization Files
The defs/model_items/Applications/Directory/props folder contains localization variables that are defined in .properties files.
Figure C-11 The props Folder
The application definition files reference localized strings in the .properties files. In the following figure, Name can be referenced through %Name, illustrated in Figure C-8 on page 655.
Figure C-12 A .properties File

Design Elements
The defs/model_items/DesignElements folder mirrors the Applications folder, but contains design elements instead of applications. Design elements are like unknown applications to Designer. Design elements can be connected to and from anything, but Designer does not do anything with them. They have only a generic properties page, and no logic exists around them. They are basically just icons.

The Drivers Folder
The defs/model_items/Drivers folder contains the driver definition files (not the driver configuration files that contain Identity Manager policies and can be imported by using iManager or Designer).
Figure C-13 The Drivers Folder
The icons and props folders serve the same purpose as explained in “The Icons Folder” on page 656 and “Localization Files” on page 656.

C.1.3 The Notification Templates Folder
The defs/notification_templates folder contains the default e-mail notification templates that ship with Designer.

C.1.4 The Themes Folder
The defs/themes folder contains the Modeler theme definition files that ship with Designer.

C.2 Adding to the Palette
The need to extend the default palette usually arises when additional driver configuration files need to be hooked up to existing applications or to new applications or drivers.
Adding to the palette is a delicate process that succeeds only if you follow the steps exactly, one at a time. Each step needs to be adapted to your situation.
Section C.2.1, “Copying Configuration Files”
Section C.2.2, “Creating the Group”
Section C.2.3, “Adding a Key_Value Pair”
Section C.2.4, “Creating a Driver Definition”
Section C.2.5, “Creating the Application”
Section C.2.6, “Hooking Up the Custom Application”

C.2.1 Copying Configuration Files
1 Copy the new driver configuration file into the driver_configs folder so that the configuration file is accessible (but not yet hooked up) from Designer. In this example, the new driver configuration file is CustomDriver-IDM3_5_0-V1.xml.
Figure C-14 An Example New Driver Configuration File
2 Copy into the driver_configs folder all corresponding .xlf files that belong to CustomDriver-IDM3_5_0-V1.xml.
3 Continue with Section C.2.2, “Creating the Group,” on page 659 to connect the driver configuration file with the palette.

C.2.2 Creating the Group
Before you place the new application Custom Application into the new Custom Applications group, you must first create the group.
1 Decide on the name of the new application that you want to create and the group that you want the new application to go into. For this example, the following names are used:
    New application: Custom Application
    New group: Custom Applications
2 Add a group element to the defs/model_items/Palettes/Main.xml file. Give the group element an ID attribute with an intuitive and unique value (for example, CustomApplications). Set the value of the element to %CustomApplications to make it localizable.
3 Save the file.
4 Continue to Section C.2.3, “Adding a Key_Value Pair,” on page 660.

C.2.3 Adding a Key_Value Pair
1 Open defs/model_items/Palettes/props/Main.properties.
This is the properties file for the Main.xml file that you edited in Step 2 on page 659.
2 Add a key/value pair (for example, CustomApplications = Custom Applications).
3 Save the file.
4 If you want to localize the group name into other languages, copy the properties file and rename it to Main_language_code.properties. For an example of supported languages and their codes, view the .xlf files in the defs/driver_configs folder.
5 View the new group as an empty group in the palette by starting the copy of Designer that you are manipulating.
6 Continue with Section C.2.4, “Creating a Driver Definition,” on page 661.

C.2.4 Creating a Driver Definition
1 Create a driver configuration file CustomApplication.xml in the defs/model_items/Drivers folder. The new configuration file must follow the Driver.dtd specifications in the folder that you just created. The easiest way to do this is to copy an existing driver definition file, rename the file, then modify it.
2 Edit the configuration file.
    2a Provide an intuitive and unique type (for example, CustomApplication-Driver).
    2b Set the primaryApp value to CustomApplication.
    2c Set the secondaryApp value to GenericApp.
    2d Specify the app-dn-format that your application supports.
    2e Leave the icons as they are. They are not driver-specific.
    2f Specify the shims that your application supports.
    2g Specify the driver configuration file to use for this driver. Specify only the filename, without the versioning information. (For example, if your driver configuration file is named CustomDriver-IDM3_5_0-v1.xml, you refer to it as Custom.xml.) Because Designer 2.0 M5 and later releases hide or display the user interface and features based on the version of the engine that you are working on, driver configuration filenames are important.
     You need to store the version information in the configuration filename, according to a well-defined format:

         base name[-type]-idm engine version-configuration file version.xml

     Examples:

         ActiveDirectory-Mirror-IDM3_0_1-V9.xml
         ActiveDirectory-Flat-IDM3_5-V3.xml
         SAP-HR-IDM2_0_2-V2.xml
         SAP-User-IDM3_0_1-V1.xml
         SAP-User-IDM3_0_1-V2.xml

     In the example filenames, the IDM element identifies the engine version. The IDM elements to date are the following:

         IDM2_0
         IDM2_0_1
         IDM2_0_2
         IDM3_0
         IDM3_0_1
         IDM3_5
         IDM3_6
         IDM4_0

     The V element in the example filenames specifies the version of this particular configuration file. It is a number that is incremented with each release of a new configuration file version. The following are examples:

         V1
         V9
         V11

     No requirement exists for a more complex numbering schema.
3 Modify the props/CustomApplication.properties localization file.
  You might need to create this file. If so, the quickest way is to copy, rename, and edit the file.
4 Continue with Section C.2.5, “Creating the Application,” on page 665.

C.2.5 Creating the Application

The next step is to create the Custom Application application and place it in the new Custom Applications group.

1 Create a folder in the defs/model_items/Applications directory.
  Name the folder the same name as the group ID. In this example, the name is CustomApplications, as specified in Step 2 on page 659.
2 Create icons, icons/small, and props folders in the CustomApplications folder.
3 Create icons for the application.
  You can copy existing icons and modify them so the transparency is correct. In this example, modify the existing Generic Application icons.
  3a Copy defs/model_items/Applications/Tool/icons/generic_app.png to defs/model_items/Applications/CustomApplications/icons. Rename the file as customapplication.png.
  3b Copy defs/model_items/Applications/Tool/icons/small/generic_app.gif to defs/model_items/Applications/CustomApplications/icons/small. Rename the file as customapplication.gif.
4 Create an application definition file (.xml) in the defs/model_items/Applications/CustomApplications folder.
  The definition file follows the ItemDef.dtd specifications. (See Table C-1 on page 653.) The easiest way to create the file is to copy an existing application definition file (for example, GenericApp.xml), rename the file, then modify it.
  The application definition file and the .properties file created in Step 5 need to have the same name as the type. In this example, the files are named CustomApplication.xml and CustomApplication.properties.
  4a Make sure that the type attribute of the item-def element is set to an intuitive and unique name (for example, CustomApplication).
  4b Leave the category attribute as Application and set the group attribute to the group ID, which is CustomApplication.
     Reference the icons as you named them and do the same for the supported drivers. In this example, the Delimited Text Driver (Text-Driver) is added as an alternative to the Custom Application Driver (CustomApplication-Driver).
     If the application can be connected to by using LDAP or VNC, leave these supported protocols in. Otherwise, remove them. Usually, every application runs on a host OS that supports either one or both of the protocols. Having these protocols registered enables certain functionality in Designer for that application.
5 Modify the props/CustomApplication.properties localization file in the same way you modified the group.
  An easy way is to copy defs/model_items/Applications/Tool/props/GenericApp.properties to defs/model_items/Applications/CustomApplications/props. Rename the file to CustomApplication.properties, then modify and save the file.
6 Copy the .gif icon file into the com.novell.designer.core/icons/iManager directory.
  This icon is used in iManager after the driver is deployed into the Identity Vault.
7 Continue with Section C.2.6, “Hooking Up the Custom Application,” on page 669.

C.2.6 Hooking Up the Custom Application

1 Run Designer.
  The new Custom Application appears in the new Custom Applications group in the palette. If you drag and drop the application to the Modeler workspace, the Driver Configuration Wizard prompts you to import the following:
    - The new Custom Driver configuration file
    - All the Delimited Text driver configurations as specified in the application definition file
2 For full functionality in Designer, hook up your custom application to the Generic Application (GenericApp):
  2a Open the application definition file defs/model_items/Applications/Tool/GenericApp.xml.
  2b Add the new driver CustomApplication-Driver to the list of supported drivers.

If you now drag and drop a Generic Application from the Tools group, your new custom driver appears as a selectable option in the Driver Configuration Wizard.

C.3 Protecting Your Customized Files

The files that you created are customized files. If you upgrade Designer, you lose part of the customization in these files. Therefore, before upgrading, you need to save these customized files into a protected directory. After the upgrade, copy or re-create the files.

D Moving Data from Older Projects

Projects created in Designer 3.0 M2 are not compatible with Designer 3.0 and later.
Because there is no project converter from Milestone 2, you can use the procedures in this section to re-create Milestone 2 projects and ensure that data in projects moves over as smoothly as possible. These steps apply any time you want to manually import a project.

There are three methods for re-creating old projects:

Section D.1, “Importing Data from a Live System”
Section D.2, “Exporting Data from the Old Project to Configuration Files”
Section D.3, “Manually Configuring Information That Is Not Imported”

D.1 Importing Data from a Live System

If the Designer project is deployed to an Identity Vault, you can import a project from the Identity Vault by selecting the desired driver sets. This imports the project as it exists in the Identity Vault. This is the safest way to restore the project data; however, it does not restore passwords.

D.2 Exporting Data from the Old Project to Configuration Files

If you do not have the project deployed, you can export or import configuration files by using the following procedure:

First, perform the following steps in the non-compatible version of Designer.

1 Edit the Designer preferences by selecting Windows > Preferences.
2 Select Designer for IDM > Import/Deploy.
3 Select the Export tab and verify that the check box for Copy cross-driver policy references into exported configuration files is not checked.
4 Export all libraries that are not contained by a driver set. They are exported to a file.
5 Export driver sets (if you are prompted to copy linked policies, select no). They are exported to a file.

After you finish the above procedure, do the following in Designer 4.0.2:

1 Create a new project.
2 Create Identity Vaults to match a previous project.
3 Provide Identity Vault credentials.
4 Create servers to match a previous project.
5 Delete the default driver set from the Identity Vault.
6 Import the library configurations into the appropriate Identity Vault.
7 Import the driver set configurations into the appropriate Identity Vault.

D.2.1 If Multiple Servers Are Associated with a Driver Set

During the export process, the Designer 3.0 M2 version prompts you to select which server to use. Repeat the export for each server, naming the export files something like DriverSet-ServerX. This process exports the server-specific information to the configuration file. For example, if you have two servers named Stage1 and Stage2, you would perform two exports and have two export files: DriverSet-Stage1 and DriverSet-Stage2.

After you import the driver set configuration from the first server, perform the following steps:

1 Edit the properties of the driver set and add the second server to the driver set’s server list.
2 Run the import again by right-clicking the Identity Vault and selecting Import from Configuration File.
3 Select the configuration file created for the other server.
4 You are asked which server to use for the import; select the appropriate server for the configuration being imported.
5 Finish the import.
6 Repeat Step 2 through Step 5 for each server configuration that you have exported from the older Designer system.

D.2.2 Customized E-Mail Templates

If you have customized e-mail templates, you need to export them from the Designer 3.0 M2 release and import them into Designer 4.0.2.

First, perform the following steps in the non-compatible version of Designer (3.0 M2):

1 Right-click the customized template and select Save As.
2 Provide a name and location for the template.
3 Click OK.

After you finish the above procedure, do the following in Designer 4.0.2:

1 Right-click the Default Notification Collection in the Outline view and select Import template from file.
2 Select the exported template file.
3 Click OK.

D.3 Manually Configuring Information That Is Not Imported

After importing from the Identity Vault or from configuration files, there is information that is not migrated from the Designer 3.0 M2 project. This includes:

- Identity Vault credentials
- Server objects
- Design elements
- Administrator information
- Model layout
- Environment information
- Custom application icons
- Project properties
- Remote load documentation
- Any custom files added to the Documents or Toolbox folders
- VNC and LDAP connectivity information on applications

If you imported from configuration files, you were prompted for password information during the import process. If you imported from an Identity Vault, you need to manually enter the following information:

- Driver passwords: The driver shim password is prompted for during import.
- Shim Auth (Application) passwords: The shim authentication password is prompted for during import.
- Remote Loader passwords: The remote loader password is prompted for during import.
- Named Password values: The named password is prompted for during import.

You can copy and paste some informational data (text) from old projects to new projects:

1 Open the old project in the non-compatible version of Designer.
2 Open the new project in Designer 3.0 or later, then copy and paste informational data from the old project into the new project.
  For example, you can copy and paste administrator and environment information in this manner. However, you cannot copy and paste objects.

E Version Control with Subversion and Identity Manager Designer

This appendix is intended for people using Identity Manager Designer and Subversion. Identity Manager Designer includes complete documentation covering how to use version control.
This appendix section gives more background on Subversion and indicates why you should make certain decisions. The Designer documentation tells you which protocols are supported. This appendix tells you why you should choose one over the others. For more detailed information about using Designer with Subversion, see “Version Control” on page 509.

There are many books available on administering a Subversion server and working with Subversion. We recommend Version Control With Subversion. It is available without charge at O’Reilly Media (http://svnbook.red-bean.com). Many topics in the book are touched upon in this paper, and this paper references specific sections of the book.

Section E.1, “Understanding Subversion”
Section E.2, “Administering Your Subversion Server”
Section E.3, “Taking Full Advantage of Version Control”
Section E.4, “Glossary”

E.1 Understanding Subversion

Subversion is a version control system. Version control systems let you manage and create multiple revisions of your project and documents. They also allow you to share those revisions among a team of people.

Section E.1.1, “How Revisions Work In Subversion”
Section E.1.2, “Understanding Atomic Commits”
Section E.1.3, “Where Subversion Stores the Project Data”
Section E.1.4, “Moving an Existing Project”

E.1.1 How Revisions Work In Subversion

Revisions are at the heart of the Subversion functionality. A revision is a number that marks a specific set of changes made to a set of files. A single revision number can cover changes made to multiple files, but all of those files must be in the same repository.

Subversion uses a single revision number for the entire repository. This revision number is incremented every time any change is made to the Subversion server.
For example, if you import a project at revision 100 and then create an Identity Vault and commit (revision 101), create a driver and commit (revision 102), and create a policy and commit, you are at revision 103. If you have multiple projects in the same repository, every change made to any project increments the revision number for the whole server.

Although revision numbers are created for the entire server, different objects in your project can have different revision numbers. For example, suppose you start with revision 100 and create a policy and commit it; then create a mapping table resource and commit that version. The project will be at revision 100, the policy will be at revision 101, and the mapping table resource will be at revision 102.

You can see the current revision of a specific object by using the Revision History or Properties page. The Revision History page indicates the specific object revision with a yellow arrow. In this example, the yellow arrow points to revision 100 for the project even though you see revision 101 and 102.

Subversion is meant to work in a team environment. In a team environment, there could be someone else editing the project at the same time as you. Let's look at an example:

- Alice imports a project at revision 100 to her local workspace.
- Bob imports the same project, also at revision 100, to his local workspace.
- Alice adds a new policy and commits, which creates revision 101.
- Bob adds a different new policy and commits, which creates revision 102.

At this point Alice’s project is at revision 100, her policy is at revision 101, and the latest revision on the server is revision 102. If Alice wants to see Bob’s policy, she needs to update her project so she has revision 102.

Figure E-1 Viewing Changes Through the Revision History

Revisions are a useful way to track the versions of your project.
Revisions can help you get projects back from the history and make sure that two users have the same version of a project loaded.

E.1.2 Understanding Atomic Commits

Atomic commits are a major feature of Subversion. An atomic commit treats the commit operation as a single event that either completely succeeds or fails gracefully. That means all of your changes are committed to the server or none of them are.

For example, Alice and Bob are working together on a project. Alice makes changes to multiple policies and entitlements that are all interdependent. While Alice is in the process of committing this change, her network connection goes down. Before Alice can connect to the server again, Bob does an update. Subversion ensures that Bob does not get a partial update from Alice. Because Alice had a problem during her commit, Subversion makes sure that none of the files are changed on the server. Alice can then perform the commit after her network connection is restored.

Atomic commits are a very powerful tool and an excellent way to avoid broken projects. Atomic commits are always available within Identity Manager Designer and Subversion. You don't need to do anything special to enable them.

E.1.3 Where Subversion Stores the Project Data

When you commit a project to Subversion, the project is stored in the Subversion repository. The Subversion repository is based on an internal database that Subversion uses to store files. Subversion stores a separate file containing the specific changes made in each revision, using the revision number as the filename. These files are combined to maintain the concatenation of all of the changes made in your repository and the history of those changes. These files are iterative in nature and contain only the changes made for that specific revision. You can access these files in the db/revs directory of your Subversion repository.
Beyond that one requirement, there are no firm rules about setting up your projects. Here are some guidelines:

- It is a good practice to place a project in a directory of the same name. For example, a project called project1 would go into a folder such as trunk/projects/project1.
- Most repositories have a “sandbox” area. Users new to version control can experiment in this area without worrying about corrupting existing projects.
- It is a good practice to organize groups of projects. You can group projects by user, team, or company. The key is that having a large number of projects at the same level can be difficult to navigate.

E.1.4 Moving an Existing Project

Identity Manager Designer does not provide support for moving a committed project from one place on your Subversion server to another. However, you can do this with the Subversion command line:

1 Make sure the whole team commits all of their local changes.
2 Have all team members delete their local projects.
3 Use the Subversion move command to move the project location.
4 Have each team member import the project from the new location.

The Subversion move command is very simple. You just specify the current location of the project and the new location you want to move it to. For example, if your project is located at trunk/project1 and you want to move it to trunk/myprojects/project1, use the following command:

    svn mv -m "<your comment for the move>" http://myserver/trunk/project1 http://myserver/trunk/myprojects/project1

Subversion moves the project to the new location and maintains all of the files and history.

E.2 Administering Your Subversion Server

Larger companies most likely have a Subversion server administrator. Smaller companies might require you to install the Subversion server yourself. You can also choose to install Subversion on your own machine for easy backups.
Either way, it is a good idea to know how the server should be configured and administered.

Section E.2.1, “Server Specifications”
Section E.2.2, “Network Protocols”
Section E.2.3, “Authentication Schemes”
Section E.2.4, “Using Client Certificates”
Section E.2.5, “Configuring Subversion with Apache HTTP”
Section E.2.6, “Proxy Server Configuration”
Section E.2.7, “Subversion Server Backup”

E.2.1 Server Specifications

The platform where you run Identity Manager Designer and the platform where you run the Subversion server are completely independent. Identity Manager Designer includes a Subversion client and is supported on any platform where Identity Manager Designer is supported. Subversion provides official builds for the following platforms:

- Red Hat Linux
- Debian GNU/Linux
- FreeBSD
- OpenBSD
- NetBSD
- Solaris
- Mac OS X
- Windows NT, 2000, XP, and 2003
- HP-UX
- AIX
- IBM i5/OS (OS/400)

Subversion also works very well on SUSE Linux. Although Novell strongly encourages you to run on SUSE Linux, the Subversion server works well on all of the platforms. The platform you choose might depend on the IT organization you are working with, existing infrastructure, or just personal preference.

Subversion is a lightweight product and doesn't require a very powerful machine. The specific requirements depend on many factors, such as the number of users, the number of projects, and the other software running on that system. There is a discussion thread with some specific recommendations you can find at the Apache Subversion Mailing Lists (http://subversion.apache.org/mailing-lists.html).

E.2.2 Network Protocols

Subversion supports direct file access, and the SVN, HTTP, HTTPS, and SVN+SSH network protocols. These protocols define how Designer communicates with the Subversion server.
The server must be configured to support a set of specific protocols. You specify the protocol you are using in the first part of the URL you use to connect to your version control server.

The protocol that you are using is transparent while you use Designer. Everything works basically the same, no matter which protocol you use. However, the choice of protocol has significant impact on the network traffic, security, and speed of your interactions with Subversion. Choosing the protocol is an important decision.

“Direct File Access”
“SVN”
“HTTP”
“HTTPS”
“SVN+SSH”
“Protocol Comparison”

Direct File Access

Direct file access is not actually a network protocol. You can simply point Designer at a repository on your hard drive and access it directly. This is the easiest option to set up because it doesn’t even require the Subversion server to be running. The version control import dialog box has an option to browse for your local repository location. This is a good option for single users, experimenting with version control, and giving demonstrations.

The main drawback of direct file access is that it doesn’t support network access for multiple users. Direct file access is not a network protocol; your repository cannot be accessed by other people. As a result, it does not provide good support for authentication schemes. This makes direct file access a poor choice for team environments.

You specify this protocol by connecting to your server with a URL that looks like this:

    C:\subversion\myrepository

or

    /home/<my username>/subversion/myrepository

SVN

SVN is a Subversion-specific protocol. This is the protocol that is used when you run the Subversion server without the Apache HTTP Server. Just follow the Subversion server setup instructions in the Identity Manager Designer documentation and you are using this protocol.
The SVN protocol supports networking and works well with small teams. It supports password file authentication as well as path-based authentication.

The SVN protocol does not support any type of encryption. This means that all information sent between Identity Manager Designer and the Subversion server is in clear text and could potentially be seen by a third party.

Another concern with the SVN protocol is accessibility through firewalls. SVN is a specialized protocol and most firewalls need specific configuration to support it. Many firewall administrators are wary of changing their configuration. You should check with all organizations involved before choosing this option. If you do need to configure a firewall to allow the SVN protocol, you must allow connections on TCP port 3690. In addition, the SVN protocol is not supported by most proxy servers.

The SVN protocol is a good choice for small teams where everyone works together in the same company. It is fast and easy to configure.

You specify this protocol by connecting to your server with a URL that looks like this:

    svn://mysubversionserver/myrepository

or

    svn://localhost

HTTP

Subversion supports the use of HTTP by using a protocol called WebDAV. WebDAV allows Designer to access Subversion by using the same protocols that Web browsers use to access the Internet. The Subversion server also requires the Apache HTTP server to support the HTTP protocol. This requires a little more server configuration, but it isn’t too difficult. Using the Apache HTTP server also allows many more authentication options.

The main advantage of HTTP is that it works with existing firewalls and proxy servers. This makes HTTP a good choice when working with multiple companies, or working inside corporate networks.

HTTP does not support encryption between the Subversion server and Identity Manager Designer. If you need to protect your data, then you should choose a different protocol.
You specify this protocol by connecting to your server with a URL that looks like this:

    http://subversion.mycompany.com/myrepository

HTTPS

HTTPS works very similarly to HTTP, with the addition of data encryption between the Subversion server and Identity Manager Designer. HTTPS uses the SSL (Secure Socket Layer) encryption protocol to make sure that third parties cannot read the communications between Identity Manager Designer and the Subversion server. HTTPS is slightly slower, but in practice the difference is negligible. HTTPS is a good choice for corporate environments concerned about securing their data. HTTPS is the protocol Novell developers use when working on the Identity Manager Designer source code.

The main drawback to HTTPS is that it can be difficult to configure. SSL requires a signing certificate that is granted by a certificate authority like Verisign.com. These certificates must be purchased, and applying for and installing them can be time-consuming. However, most server administrators are familiar with this process and should be able to guide you through it.

You specify this protocol by connecting to your server with a URL that looks like this:

    https://subversion.mycompany.com/myrepository

SVN+SSH

SSH (Secure Shell Protocol) is most popular on UNIX. Windows does not support SSH without additional software, and the configuration can be very difficult. SSH security is based on public key encryption using X.509 certificates. SSH is a good choice for UNIX environments looking for additional security.

SSH requires a change to firewalls because it is not allowed on most corporate configurations. SSH uses TCP and UDP over port 22.
You specify this protocol by connecting to your server with a URL that looks like this:

    svn+ssh://subversion.mycompany.com/myrepository

Protocol Comparison

Table E-1 Protocol Comparison

| Protocol | Pros | Cons | Port |
|---|---|---|---|
| Direct File Access | Really easy to set up, great for single developers. | Doesn’t support team environments. | None |
| SVN | Easy setup and good network support. | Doesn’t support encryption, doesn’t support complex authentication, and has trouble with firewalls. | TCP 3690 |
| HTTP | Good network support, works well with firewalls, and supports complex authentication. | Requires the Apache HTTP server and is not a good choice for running the Subversion server locally. | TCP 80 |
| HTTPS | Good network support with good security options. A good choice for larger corporations. | Requires the Apache HTTP server, a certificate from a third party, and more complicated server configuration. | TCP 443 |
| SVN+SSH | Good security in UNIX environments. | Doesn’t support Windows well and can be difficult to configure. | TCP/UDP 22 |

E.2.3 Authentication Schemes

In addition to deciding which protocols to use, it is important to look at authentication schemes. An authentication scheme defines the way users identify themselves to your Subversion server. This has significant impact on security as well as user management. Authentication schemes can be just a list of usernames and passwords in a flat file, or a multiple-server environment requiring special certificates for each client.

“Specifying a Realm”
“User Management”
“Specifying Project-Level Access”

Specifying a Realm

Subversion makes use of realms in order to simplify user management. A realm is a string that identifies how your server authenticates its users. This string does not need to be unique to your server. Specifying the same realm in multiple servers indicates that the same username and password can be used in any server using that realm.
The realm your server is using shows up when a user is prompted for authentication information in Identity Manager Designer.

Figure E-2 Providing Authentication for the Realm

By default, Subversion generates a unique ID for your realm, such as:

    de409a8-8985-4647-ad92-44aef6788420

You can change the realm for your server in the svnserve.conf file located in your repository’s conf directory. If you are using Subversion in conjunction with the Apache HTTP server, you need to use the Apache HTTP server configuration to specify your realm. More information about configuring this information can be found at the Apache Core Features page (http://httpd.apache.org/docs/2.2/mod/core.html#authname).

User Management

Whether you are just a single user or part of a large team, you need to manage the users who are allowed to access your Subversion server.

“Flat Password File”
“Apache HTTP Authentication”
“Apache HTTP Authentication with Third-Party Modules”

Flat Password File

The easiest way to manage user access is with a password file. This file specifies a list of users and their passwords. The file looks like this:

    [users]
    alice = alicepassword
    bob = bobpassword
    carol = carolpassword
    dave = davepassword

This option is easy to configure and works well for small teams where security is not a major concern. However, in environments with larger teams, the management of this file quickly becomes unfeasible. In addition, this system is only as secure as the computer it is running on. If someone gains access to your Subversion server, they have access to this password file and every user’s password.

Apache HTTP Authentication

If you configure Subversion to run with the Apache HTTP server, you can take advantage of the Apache HTTP server authentication. This mechanism also works with a flat file, but is much more flexible than the Subversion mechanism.
This mechanism can manage users and groups, deny access by IP address, and much more. You can find information about this feature at Apache’s Authentication, Authorization and Access Control for Apache HTTP Server page (http://httpd.apache.org/docs/2.0/howto/auth.html).

Apache HTTP Authentication with Third-Party Modules

Apache includes a large variety of third-party authentication modules. These modules support authentication to Windows NT domain controllers, UNIX password systems, Novell eDirectory, and many more. Novell uses a module to authenticate against an eDirectory server for its internal Subversion servers. As of this writing, there are 76 Apache HTTP modules dealing with authentication.

Creating a more complex authentication scheme might seem like a daunting task, but it can pay off in the long run. A good authentication mechanism can be mostly self-sustaining and gives users the opportunity to manage their own accounts. Combining advanced authentication with SSL or SSH provides ample security for a Subversion environment.

Specifying Project-Level Access

There are times when specifying access on a per-server basis is not sufficient. In those cases, you can use project-level access controls. There is support for this in Subversion as well as in the Apache HTTP server.

When you configure this option by using the Subversion server, you can create an authorization DB file. The following sample file grants Alice the rights to read and write everything, Bob the right to read everything, Carol the right to read and write project 1 while only reading project 2, and Dave only the rights to read and write project 2.

    [/]
    alice = rw
    bob = r

    [/Project 1]
    carol = rw

    [/Project 2]
    carol = r
    dave = rw

You must specify the location of this file by using the authz-db value in the svnserve.conf file in your Subversion repository conf directory.
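
The sample authorization file above can be checked mechanically before it is deployed. The following Python sketch is an added example, not part of this guide or of Subversion itself: it models only per-user entries and parent-path inheritance (groups, aliases, and * entries are not handled), and all function names are hypothetical.

```python
import configparser

# The sample authorization file from the guide, embedded so the example runs offline.
SAMPLE_AUTHZ = """\
[/]
alice = rw
bob = r

[/Project 1]
carol = rw

[/Project 2]
carol = r
dave = rw
"""


def normalize(path):
    """Return a canonical repository path; reject '.' and '..' segments."""
    parts = [p for p in path.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative path segment in %r" % path)
    return "/" + "/".join(parts)


def load_authz(text):
    """Parse authz text into {path: {user: access}} for path sections only."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep user names case-sensitive
    parser.read_string(text)
    rules = {}
    for section in parser.sections():
        if not section.startswith("/"):
            continue  # [groups], [aliases], [repo:/path] are outside this model
        rules[normalize(section)] = {
            user: value.strip() for user, value in parser.items(section)
        }
    return rules


def effective_access(rules, user, path):
    """Return 'rw', 'r' or '' (no access) for user at path.

    Assumed model: the closest section (the path itself, then each parent
    up to the root) that names the user decides; no entry anywhere = denied.
    """
    current = normalize(path)
    while True:
        entries = rules.get(current, {})
        if user in entries:
            return entries[user]
        if current == "/":
            return ""
        current = current.rsplit("/", 1)[0] or "/"


def writers(rules, path):
    """List every user who ends up with write access at path."""
    users = {u for entries in rules.values() for u in entries}
    return sorted(u for u in users if "w" in effective_access(rules, u, path))


if __name__ == "__main__":
    rules = load_authz(SAMPLE_AUTHZ)
    for path in ("/", "/Project 1", "/Project 2/policies"):
        for user in ("alice", "bob", "carol", "dave"):
            access = effective_access(rules, user, path) or "-"
            print("%-20s %-6s %s" % (path, user, access))
        print("%-20s writers: %s" % (path, ", ".join(writers(rules, path))))
```

In this model Carol and Dave have no entry under [/], so they have no access outside their project sections, which is the least-privilege result the sample file describes.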
For more information about configuring this option with the Apache HTTP server, consult the documentation for the mod_auth and mod_access packages.

E.2.4 Using Client Certificates

Most security schemes in Subversion use a username and password to provide authentication. This is security based on something you know (your password). If you are especially concerned about security, you can use SSL client certificates. This is based on something you know (your password) and something you have (the certificate).

You can use client certificates with Identity Manager Designer and Subversion, but you must use the Apache HTTP Server. You will need to configure the Apache HTTP server to accept the client certificates. Apache can be configured to use client certificates by using the mod_ldap package. More information about that package can be found at the Apache Module mod_ldap page (http://httpd.apache.org/docs/2.2/mod/mod_ldap.html).

If your Subversion server is configured to use client certificates, you are prompted to provide a certificate in Identity Manager Designer. If you already have a Web browser configured to provide the client certificate, you can export the certificate for use with Identity Manager Designer. Tell your browser to export the client certificate and specify the PKCS#12 format. You can then browse and select this certificate when you are prompted by Identity Manager Designer.

Figure E-3 Authenticating to Version Control

E.2.5 Configuring Subversion with Apache HTTP

The Subversion server is a set of libraries. These libraries are accessible with the custom SVN protocol by using the svnserve program. They are also accessible with the HTTP and HTTPS protocols by using the mod_dav_svn module for Apache HTTP server. This is a module that knows
You can find information about installing and configuring mod_dav_svn at mod_dav_svn Configuration Directives (http://svnbook.red-bean.com/en/1.1/re58.html).

The standalone Subversion server is lightweight, easy to configure, and very stable. However, the Subversion server does not support HTTP, HTTPS, and advanced user authentication as well as other key features. The Subversion server is also not meant for large projects with many users. If you need any of the more advanced features, or if you need to support a large user base, you should use the Apache HTTP server. Both the Apache HTTP server and the Subversion server are free software.

E.2.6 Proxy Server Configuration

A proxy server is an application that takes requests and sends them on to other servers. Proxy servers are often used by companies to monitor and filter access to the Internet. Many large companies require all Internet access to be routed through the proxy server. If you are trying to access a Subversion server that is outside of such a network, you must configure the proxy settings in Identity Manager Designer.

In the main Designer menu, go to Window and then select Preferences. In the Preferences page, select General > Network Connections. This preference page allows you to configure the proxy server settings for Identity Manager Designer. Select the Manual proxy configuration option and supply the proxy settings specified by your network administrator.

Figure E-4 Setting Proxy Server Settings

Most proxy servers support only the HTTP and HTTPS protocols. Some proxy servers support the SVN+SSH protocol and almost none support the SVN protocol.

NOTE: If you use a proxy server, errors can occur occasionally when the proxy server fails to forward a packet. When errors occur, retry the operation. If you continue to have problems, verify that the proxy server is working correctly.
E.2.7 Subversion Server Backup

When you are using version control, the Subversion server acts as a backup mechanism for all your project data. It is vital that you back up the Subversion server frequently. If you do not back up the Subversion repository and your server has a hardware failure, you lose your project data. Daily backups are essential for active servers.

Subversion provides two tools to help create backups without interruptions of services: dump and hotcopy. The dump command takes your entire repository and sends the contents to standard out. You can also specify revisions to start and stop at. The hotcopy command creates a copy of your Subversion repository, including the database and all other configuration information. You use the output from either of these commands to restore your Subversion repository during disaster recovery.

For more information about the dump and hotcopy commands, including examples, see svnadmin dump (http://svnbook.red-bean.com/en/1.1/re31.html) and svnadmin hotcopy (http://svnbook.red-bean.com/en/1.0/re33.html).

E.3 Taking Full Advantage of Version Control

Using version control to simply commit, update, and share projects can be very useful, but there is additional functionality that can be helpful in many of your projects. Version control can change the way you work. It can enable a truly team-oriented development methodology.

Section E.3.1, “When to Commit and When to Update”
Section E.3.2, “Comments”
Section E.3.3, “Creating and Using Tags”
Section E.3.4, “Subversion Keyword Substitution”

E.3.1 When to Commit and When to Update

Version control is a tool for sharing and backing up your project. You should take full advantage of it. That means committing often and updating frequently. You should learn to be comfortable with committing.
The project doesn’t need to be perfect; just make sure you won't impede your teammates. You should also update frequently to get your teammates' changes. This ensures that you are working with an up-to-date project, and your changes can work with the changes your teammates are making.

You also resolve conflicts in a better way. The earlier you can resolve a conflict, the easier it is to resolve that conflict. For example, if two individuals are editing the same policy and they work separately for a week, the two versions of the policy will be very different. This makes it very likely that there are conflicts and very likely that those conflicts are difficult to resolve. If those two users update frequently, they can avoid most of the conflicts and make them much easier to resolve.

E.3.2 Comments

Whenever you commit a change to the version control server, you are prompted for a comment. Comments are your chance to describe the change for yourself and for your teammates. Comments can explain why you did something and what you were thinking when you did it.

Good comments should take the form of sentences. They should describe what you did and why you did it. A well-written comment should give you a good idea of what has changed, but it does not need to describe every change in detail.

Good Comments

Created a new project for work on the new Active Directory drivers for Unilateral Widgets Incorporated.

Added a new AD driver to connect to the second directory and moved policy1 to a library so we can access it from the new driver.

Changed the second rule in policy1 to avoid the potential for an infinite loop when handling more than three users.
Bad Comments

Comments should not be too brief:

Added new policy
New project
Undid Joe’s change

Comments should also not be too specific:

Changed the condition of policy add password rule operation-data to be the following:
<and>
  <if-operation op="equal">add</if-operation>
  <if-password op="available"/>
  <if-xpath op="not-true">operation-data</if-xpath>
</and>

E.3.3 Creating and Using Tags

A tag is a readable name given to a specific revision. For example, you could tag revision 100 as Release 1.0. Tagging is most useful for identifying significant revisions. If you certify that you are ready to send a project to a customer, that is probably a good time to create a tag. You can then access that tag later if you need to roll back a change.

The combination of tagging and the Get from History feature gives you a powerful tool to manage releases and deployments.

E.3.4 Subversion Keyword Substitution

You can use Subversion keyword substitution to give you more information on selected objects. For example, you can use the Description area to track the revision number, the date and time an object was last submitted to Subversion, and who submitted the last revision in the d