Convert Driver Entitlements to New RBPM 3.7 Resource Model

Authors: Volker Scheuber and John DaSilva

Roles Based Provisioning Module 3.7 introduced a new Resource model. To leverage this model you need to convert any existing drivers that use entitlements so they can be used with resources.

A resource is any digital entity such as a user account, computer, or database that a business user needs to be able to access. The User Application provides a convenient way for end users to request the resources they need. In addition, it provides tools that administrators can use to define resources. Each resource is mapped to an entitlement.

If your driver has already been converted (for example the Active Directory driver) you can just upgrade to the new configuration that was shipped with Designer 3.5. If it has not, for example because it is a driver you implemented on your own with entitlements, you need to follow the steps in this cool solution.

Although you will only be preparing the driver for use with Resources, you will really be preparing your driver for future enhancements to Identity Manager and tools that will be provided. It may seem that you are doing more work than is necessary, but you are setting yourself up for the future, so that you will not need to perform these tasks later.

The policy file required for this cool solution can be found here.

You will complete the following:

1.0 Add Policy to Create Resource Configuration Object
     1.1 Add Policy to Library
     1.2 Link Policy to Input Transformation of Driver
2.0 Create GCVs to Control Driver Configuration
3.0 Create Mapping Table(s) for Localization
4.0 Deploy and Start (Restart) the Driver

1.0 Add Policy to Create Resource Configuration Object

The new resource model is driven by a new configuration object that contains information from the driver configuration for the entitlements and, in the future, other configuration options. This configuration object is built on the fly every time a driver is started, by a policy that checks the driver configuration and builds a new object based on the latest options set by the administrator.

This feature allows the driver to be configured by an administrator without having to go in and change policies. For simple, generic types of entitlements, the policy can be placed in a library in the driver set and linked to from the driver. In this way you can use the same policy in several drivers. When the policy needs to be specialized for a particular driver, it can be copied into that driver.

You will complete the following:

1.1 Add Policy to Library

The first step is to add the policy to a Library object on the driver set.

Do the following:

  1. On the bottom Quick Launch taskbar select the Designer icon to start the Designer for Identity Manager.

  2. In the Outline view (on the left) select outline and then Library in the DriverSet, see Figure 1.

    Figure 1 Library in Outline view

  3. Create a new policy called lib-RMAP-InitEntitlementConfigurationResource-itp, then in the Policy editor change to the XML Source tab at the bottom.

  4. Open the file lib-RMAP-InitEntitlementConfigurationResource-itp.xml with a text editor.

  5. Select all the text in the file and copy it.

  6. Paste the code you just copied from the text editor into the XML Source of the policy you created in Designer, see Figure 2.

    Figure 2 Policy as XML in Policy Editor

  7. Select the Policy Builder tab at the bottom of the Policy Editor.

  8. Close the text editor; you will no longer need the file.

  9. Save the policy in Designer and close it.

  10. Deploy the Library object.

  11. Continue with the next section.

1.2 Link Policy to Input Transformation of Driver

Now that you have your policy you need to link it into the Input Transformation of the Publisher channel of the driver. This policy should be the first policy in the Policy set; it is designed to execute only once, when the driver starts.

Do the following:

  1. In the Outline view select the driver you are updating, then change the view to the Fishbone view.

  2. Select the Input icon, then in the Policy Set editor at the bottom use the add icon to add a policy.

  3. Select Link a Policy then select Next to continue.

  4. Browse for the policy you created in the Library in Add Policy to Library.

  5. Select Finish to complete the link to the policy.

  6. Do not deploy the driver yet; you still need to set up the configuration.

  7. Continue with the next exercise section.

2.0 Create GCVs to Control Driver Configuration

In this section you will create Global Configuration Variables (GCVs) on the driver. These GCVs are used to drive the policy in its task of creating the resource configuration. In this way an administrator can change whether a driver is used for resources by simply changing the variable value and restarting the driver.

It is good practice to use GCVs to control the functions of your policies or to provide any information needed by the driver, for example where groups and users are to be placed in the identity vault. The newer driver configurations shipped by Novell leverage this technique to make it easier to implement drivers in Identity Manager deployments.

Do the following:

  1. In the Designer in the Developer editor (blue background) double-click on the channel (the line between the driver icon and the IDVAULT icon) to open the driver configuration properties.

  2. Select the GCVs in the left navigation.

  3. Select the Add button and do the following steps; use Figure 3 as a guide.

    a. Name is drv.rolemapping.enable

      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.

    b. Display name is Enable Role Mapping

    c. Description is:

      If you turn role mapping on then this driver will be visible to the role mapping administrator.

    d. Type is enumeration; add two values with the following properties.

      i. Display name of Yes and value of true, OK to save.

      ii. Display name of No and value of false, OK to save.

    e. The completed dialog for the first GCV.

      Figure 3 Role mapping GCV defined

    f. Select Finish to save the GCV.

  4. Now you need to define, under this GCV, one to enable the specific entitlement. You can control the overall mapping and then decide that it only be used for certain entitlements.

    a. The Name of the GCV is drv.rolemapping.EntitlementName

      NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.

      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.

    b. Go ahead and enter the remaining fields; the Type will be the same as in Step 3.d.

  5. Now you need to add one for the Resource Mapping; do the following steps and use Figure 3 as a guide.

    a. Name is drv.resourcemapping.enable

      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.

    b. Display name is Enable Resource Mapping

    c. Description is:

      If you turn resource mapping on then this driver will be visible to the role mapping administrator.

    d. The Type will be the same as in Step 3.d.

    e. The completed dialog for the third GCV.

      Figure 4 Resource mapping GCV defined

  6. Now you need to define, under this GCV, one to enable the specific entitlement. You can control the overall mapping and then decide that it only be used for certain entitlements.

    a. The Name of the GCV is drv.resourcemapping.EntitlementName

      NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.

      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.

    b. Go ahead and enter the remaining fields; the Type will be the same as in Step 3.d.

  7. You should now have 4 GCVs defined, as in Figure 5.

    Figure 5 All GCVs defined

  8. Select Apply to save your changes.

  9. Continue with the next exercise section.

3.0 Create Mapping Table(s) for Localization

The information about resource mapping can be displayed by another tool. To provide text in different languages, we need to supply the names of our entitlements in a Mapping Table on the driver. You would create a mapping table for each language that you want to support.

The name of the mapping table must be in the following format, where the last characters (in this example EN for English) identify the language being used. Note that the name contains a zero (0), not an o.

L10N_EN

In this section you will only define one mapping table for the English language.

Do the following:

  1. In the Outline view select the driver, then from the right-mouse context menu select New->Mapping Table to create the mapping table object.

  2. The table name is L10N_EN, with a 0 (zero) not an o.

  3. Add 2 columns to the table, the first one called key and the second called value.

  4. Add one row where the key (column 1) is entEntitlementNameDisplayName. This is the entitlement name and would be the same for every language mapping table. Add one entry for each entitlement. See Figure 6.

    NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.

  5. The value (column 2) is Group; this is the language-specific name for the entitlement, see Figure 6.

  6. The completed mapping table.

    Figure 6 Mapping table with one row defined

  7. Save and close the editor.

  8. Continue with the next exercise section.

4.0 Deploy and Start (Restart) the Driver

Now that you have completed the configuration of your driver you are ready to deploy and start the driver to have the resource configuration created.

Do the following:

  1. Close any open editors and make sure all your changes are saved.

  2. Deploy your driver.

  3. When prompted to restart the driver, say yes.

  4. To see the changes made to your driver configuration by the new policy, use Compare, see Figure 7.

    Figure 7 Driver Compare menu option.

  5. The results of the compare should show one difference, a new object called Entitlement Configuration (see Figure 8). You can reconcile it to your driver, but you really don't need to because it will be recreated every time you start the driver.

    Figure 8 Entitlement Configuration created

  6. If the Entitlement Configuration object was not created, the reason could be:

    • The policy was not linked or deployed in the library.

    • The GCVs were not created correctly; there must be 2 that match your entitlement name.

    • You do not have a mapping table created with the proper name and proper column names.

    If that is the case, go back and troubleshoot your driver configuration.

  7. Congratulations, you have updated your driver for use with the new resource model!
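
The causes listed above for a missing Entitlement Configuration object can be checked before deploying. The following is an added example, not part of the original article or of the policy file; the dict layout, the entitlement name Group and the uppercase language suffix are assumptions made for illustration.

```python
import re

# Constructed sample: the dict layout and the entitlement name "Group" are
# assumptions for this example, not a Designer or Identity Manager export format.
SAMPLE = {
    "policy_linked": True,
    "entitlements": ["Group"],
    "gcvs": {"drv.rolemapping.enable": "true", "drv.rolemapping.Group": "true",
             "drv.resourcemapping.enable": "true", "drv.resourcemapping.group": "true"},
    "mapping_tables": {"L1ON_EN": {"columns": ["key", "value"],
                                   "rows": [["entGroupDisplayName", "Group"]]}},
}
PREFIXES = ("drv.rolemapping.", "drv.resourcemapping.")
TABLE_NAME = re.compile(r"^L10N_[A-Z]+$")  # digit zero; uppercase suffix is an assumption

def check_driver(cfg):
    """List the misconfigurations from section 4.0 that block the Entitlement Configuration."""
    problems = []
    gcvs, ents = cfg.get("gcvs", {}), cfg.get("entitlements", [])
    if not cfg.get("policy_linked"):
        problems.append("policy not linked to the Input Transformation")
    for prefix in PREFIXES:
        for name in [prefix + "enable"] + [prefix + e for e in ents]:
            if name in gcvs:
                if gcvs[name] not in ("true", "false"):
                    problems.append(f"GCV {name}: value must be true or false")
                continue
            # GCV names are case-sensitive, so report near misses explicitly
            near = [g for g in gcvs if g.lower() == name.lower()]
            problems.append(f"GCV {name} has wrong case: {near[0]}" if near
                            else f"missing GCV {name}")
    problems += [f"entitlement name contains a space: {e!r}" for e in ents if " " in e]
    tables = cfg.get("mapping_tables", {})
    if not tables:
        problems.append("no localization mapping table")
    for tname, table in tables.items():
        if not TABLE_NAME.match(tname):
            hint = " (letter O instead of zero?)" if tname.upper().startswith("L1ON") else ""
            problems.append(f"bad mapping table name {tname}{hint}")
        if table.get("columns") != ["key", "value"]:
            problems.append(f"{tname}: columns must be named key and value")
        keys = {row[0] for row in table.get("rows", [])}
        problems += [f"{tname}: no row for ent{e}DisplayName"
                     for e in ents if f"ent{e}DisplayName" not in keys]
    return problems

if __name__ == "__main__":
    for problem in check_driver(SAMPLE):
        print(problem)
```

The constructed sample contains two of the mistakes the article warns about: a GCV typed with the wrong case and a mapping table named with the letter O instead of a zero.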

Anonymous
  • Novell support remoted in yesterday to look at my setup. The support person pointed me to a configuration setting on the 'Configure Roles and Resources Settings' page of the UA. There is a setting on that page for the interval refresh (of the code map table I'm guessing) which was set to 1400 minutes (by default I believe). There is also a button beside the refresh status field to perform an instantaneous refresh. When we clicked that button the database was refreshed with the latest query result. Thank you for your assistance.
  • The localization Map tables are not used with the current version, this will be used in the future with IDM 4 with the RMA tool.
  • The mapping table used for internationalization is not used by the user app. I created 3 mapping tables (L10N_EN, L10N_NL and L10N_FR). The policy generates the xml with 3 different display labels. So far so good.
    When, in the user app, I want to select an entitlement or I view a resource with an entitlement, this internationalized value is not displayed. Instead, the (non-internationalizable) display name of the entitlement itself is used.

    Stefaan
  • I asked about the User App driver, is it in the same tree? I will assume so.

    The next step would be look at the User Application logs.

    Probably would be best to work with support. Or post this on the forums with your log file.

    Have you restarted the User Application, since this started?
  • Yes, the eDir driver on the id vault is on the same server and driverset as the roles&resource driver. Of course, its counterpart is on a separate tree, which is the application that I'm attempting to query. Correct, I can view and select the entitlement on the eDir driver in the id vault, but when I attempt to assign the entitlement value there are no items in the list (i.e. group names from the target container). The query does work through Designer, so it's not a connection problem. Please note, the department I work for have a support agreement with Novell, so if we can confirm that this is a bug and not user error :) I can then escalate it. Thanks.