Introduction

In this, part 3 of 4, the Subscriber Command Transform, Filter, Schema Mapping are covered.

• IDM Driver Walkthrough: GroupWise (Part 1 of 4)

• IDM Driver Walkthrough: GroupWise (Part 2 of 4)

• IDM Driver Walkthrough: GroupWise (Part 3 of 4)

• IDM Driver Walkthrough: GroupWise (Part 4 of 4)

Subscriber Command Transform

Policy Set: sub-ctp-EntitlementsImpl

Rule: DL Entitlement: add or remove DL memberships

Rule: Account Entitlement: Enable or Disable account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = disable) to disable the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements in to events to implement the entitlement. The mailbox will be enabled or disabled based on the user's entitlement to it.

Rule: Account Entitlement: Expire or Unexpire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = expire) to expire the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements in to events to implement the entitlement. The mailbox will be expired or unexpired based on the user's entitlement to it.

Rule: Account Entitlement: Enable/Unexpire or Disable/Expire account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = dispire) to disable and expire the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements in to events to implement the entitlement. The mailbox will be expired and disabled or unexpired and enabled based on the user's entitlement to it.

Rule: Account Entitlement remove: Delete account

Purpose: If the driver has been configured (driver.gw.ent.account.remove = delete) to remove the GroupWise mailbox when the associated User object is deleted, and if the user's entitlement to a GroupWise mailbox (gwAccount) is changing, then this rule transforms the change in entitlements in to events to implement the entitlement. The mailbox will be deleted because the user is no longer entitlement to it.

Policy Set: sub-ctp-Audit-TagEvent

Rule: User gwAccount Entitlement change (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is an Add or Modify, and to see if the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain data

• accountAction - why this object is being processed

• sourceDN - the DN of the object

• assocation - the association value for this object

• guid - the eDirectory GUID of the object

• objectClass - User

This data is then forwarded to the configured audit platform agent.

Rule: User gwAccount Entitlement change (Disable Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Expire/Unexpire or Enable/Disable the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is an Add or Modify, and to see if the gwAccount entitlement is what is changing (the reason that this User is being added or modified). If all of these conditions are true, then several Operation Properties are added to the current event. These contain data

• accountAction - why this object is being processed

• sourceDN - the DN of the object

• assocation - the association value for this object

• guid - the eDirectory GUID of the object

• objectClass - User

This data is then forwarded to the configured audit platform agent.

Rule: User gwAccount Entitlement remove (Delete Option)

Purpose: This rule checks two Global Configuration Values (drv.entitlement.GWAccount and driver.gw.ent.account.remove) to see if it should activate. This rule is used to handle the GroupWise driver being configured to Create or Delete the GW mailbox when the entitlement is changed. It then also checks to see if the object being processed is a User, if the event is an Delete, and to see if the gwAccount entitlement is what is changing (the reason that this User is being deleted from GroupWise). If all of these conditions are true, then several Operation Properties are added to the current event. These contain data

• accountAction - why this object is being processed

• sourceDN - the DN of the object

• assocation - the association value for this object

• guid - the eDirectory GUID of the object

• objectClass - User

This data is then forwarded to the configured audit platform agent.

Policy Set: sub-ctp-TransformDistributionPassword

Rule: Convert add nspmDistributionPassword attribute to a modify-password operation

Purpose: This is one of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in an <add> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Convert modify nspmDistributionPassword attribute to a modify-password operation

Purpose: This is the second of the standard Universal Password password synchronization policies. It transforms the nspmDistributionPassword in an <modify> document to a <modify-password> event, if the driver has been configured for password synchronization (password subscribe).

Rule: Block empty modify operations

Purpose: The third of three standard Universal Password rules. If nothing remains of the <modify> document, this rule strips it. So if all that changed in the original modify is the password value, the modify-password event replaces it, otherwise, other changes in the document will be processed because the document is non-empty.

Filter

This is a standard Filter, containing the object classes and attributes that this driver is going to process on the Subscriber and Publisher channels. By default, User, GroupWise External Entity, GroupWise Distribution List, GroupWise Post Office, GroupWise Resource, Group, and Organizational Unit objects will be processed. Configuration, via Global Configuration Values, is used to control what this driver actually does.

Schema Mapping

smp-DefaultSchemaMap

This is a standard IDM schema map, containing eDirectory and GroupWise object and attribute values.

Policy Set: smp-ExtendedSchemaMap

Rule: Strip nspmDistributionPassword

Purpose: This rule unconditionally removes nspmDistributionPassword from all documents. Normally this is done in the Command Transform by one of the standard Universal Password password synchronization rules.

Rule: GW 6.5 from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes then that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from eDirectory (ie: on the Subscriber) via local variable fromNDS (equal to 'true'). Then, if the object being processed is a User, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 6.5 from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If not, it assumes then that the driver is working with a GroupWise 6.5 or newer system. It then checks to see if the event being processed is coming from GroupWise (ie: on the Publisher) via local variable fromNDS (equal to 'false'). Then, if the object being processed is a User, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from eDir

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from eDirectory (ie: on the Subscriber) via local variable fromNDS (equal to 'true'). Then, if the object being processed is a User or External Entity, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.

Rule: GW 5.5/6.0 from GW

Purpose: This rule checks to see if the driver is configured to work with a GroupWise 5.50 or a GroupWise 6.00 system. If so, it then checks to see if the event being processed is coming from GroupWise (ie: on the Publisher) via local variable fromNDS (equal to 'false'). Then, if the object being processed is a User or External Entity, it fiddles with some attribute names to map eDirectory to GroupWise. This would normally be done by the schema map, but it appears that some of the GroupWise attribute names have changed between versions, so this bit of policy handles the conditional mapping needed to have one driver preconfig work with multiple versions of GroupWise.