Novell's GroupWise is an interesting product. It integrates with eDirectory, or at least appears to on the surface, but under the hood it actually maintains its own database of Users (Mailboxes), Groups (Distribution Lists), and other objects. Its management interface (ConsoleOne GroupWise Snap Ins) combines updates to the eDirectory object with updates to the GroupWise databases, making the integration appear seamless. In order to fully manage GroupWise from Identity Manager, the GroupWise driver must also update both eDirectory and GroupWise. To the GroupWise administrator, it appears that everything is done the same way it always has been. Internally, the GroupWise driver gives us policy-based access to almost every facet of GroupWise administration.
As with all Identity Manager drivers, the default configuration described here is just a starting point. Your system may require customizations, especially in the Subscriber Creation and Subscriber Placement rules. The Event Transform may also require customization, depending on how (or if) you want the driver to be scoped.
In this, part 1 of 4, the Policy Sets of the Subscriber Channel Event Transform are covered. See also parts 2 (Subscriber Add Processor), 3 (Subscriber Command Transform, Filter, Schema Mapping), and 4 (Input and Output Transforms, Publisher Channel) for more.
Rule: Check Source Location
Purpose: This rule uses the Global Configuration Value idv.dit.data.users to Scope the driver. Only objects in the "Active Users" container will be processed by this driver.
Rule: Reject Group if not configured for Group synchronization
Purpose: Another Scoping rule, this one checks to see if the object being processed is a Group. If so, it checks, using Global Configuration Value driver.gw.Groups, to see if the driver has been configured to synchronize Group objects to GroupWise. If not, then the event is dropped via a veto().
Rule: Reject GroupWise Distribution List if not configured for GroupWise Distribution List synchronization
Purpose: Another Scoping rule, this one checks to see if the object being processed is a GroupWise Distribution List. If so, it checks, using Global Configuration Value driver.driver.gw.DistributionLists, to see if the driver has been configured to synchronize Distribution List objects to GroupWise. If not, then the event is dropped via a veto().
Rule: Reject GroupWise External Entity if not configured for GroupWise External Entity synchronization
Purpose: Another Scoping rule, this one uses Global Configuration Value driver.gw.syncExternalEntity to accept or reject GroupWise External Entity objects.
Rule: Reject eDirectory Organizational Unit if not configured for GroupWise External Post Office Synchronization
Purpose: Another Scoping rule, this time looking at the Global Configuration Value driver.gw.syncOUtoGWPO and either accepting or rejecting Organizational Unit objects.
Rule: Add identification to <sync> command
Purpose: When a Sync event is being processed, either from an initial migration or during a driver resync, this rule tacks an operation-data element carrying a "from-sync=true" value onto the current event so that the event can later be identified. This will be used on the Subscriber Create Rule, in the sub-cp-DefaultCreatePolicies policy set.
Rule: Remove GroupWise External Entity from all Dist Lists
Purpose: When a GroupWise External Entity object is deleted or disabled, an event is crafted to clear the Distribution List memberships for the External Entity, depending on the Global Configuration Values (driver.gw.RemoveDLonGWExternalEntityDisable, driver.gw.GWExternalEntityDelete, driver.gw.RemoveDLonGWExternalEntityExpire, driver.gw.GWExternalEntityDisable) that configure the driver's behaviour.
Rule: Disable GroupWise External Entity on eDirectory GroupWise External Entity Delete
Purpose: If a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to "disable", then the associated object in GroupWise will be disabled. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.
Rule: Expire GroupWise External Entity on eDirectory GroupWise External Entity Delete
Purpose: If a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to "expire", then the associated object in GroupWise will be expired. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.
Rule: Disable and Expire GroupWise External Entity on eDirectory GroupWise External Entity Delete
Purpose: A combination of the previous two rules, if a GroupWise External Entity is deleted in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDelete being set to "dispire", then the associated object in GroupWise will be disabled and expired. The Modify that is submitted to the driver shim will also be tagged with information that this Modify was created from a Delete event. The original Delete event is then blocked by a veto() to keep the External Entity from being removed from the GroupWise system.
Rule: Expire GroupWise External Entity on eDirectory GroupWise External Entity Disable
Purpose: When a GroupWise External Entity is disabled (Login Disabled is set to True) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to "expire", then the associated object in GroupWise will be expired.
Rule: Unexpire GroupWise External Entity on eDirectory GroupWise External Entity Enable
Purpose: The converse of the previous rule, when a GroupWise External Entity is enabled (Login Disabled is set to False) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to "expire", then the associated object in GroupWise will have its expiration removed.
Rule: Disable and Expire GroupWise External Entity on eDirectory GroupWise External Entity Disable
Purpose: When a GroupWise External Entity is disabled (Login Disabled is set to True) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to "dispire", then the associated object in GroupWise will be disabled and expired.
Rule: Enable and Unexpire GroupWise External Entity on eDirectory GroupWise External Entity Enable
Purpose: When a GroupWise External Entity is enabled (Login Disabled is set to False) in eDirectory, based on the Global Configuration Value driver.gw.GWExternalEntityDisable being set to "dispire", then the associated object in GroupWise will be enabled and its expiration will be removed.
Rule: Rename GroupWise External Entity Login Expiration Time Attribute
Purpose: When a GroupWise External Entity is expired in eDirectory, this rule modifies the event to use the GroupWise attribute name instead of the eDirectory name.
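An added sketch, not the policy shipped with the driver, of how the Check Source Location, Reject Group, and Add identification to <sync> command rules described above could be written in DirXML Script. The Global Configuration Value names come from the text; the "true" value tested for driver.gw.Groups is an assumption. The scoping rules come first, so an out-of-scope event is vetoed before it is tagged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not the policy shipped with the GroupWise driver. -->
<policy>
  <rule>
    <description>Check Source Location</description>
    <conditions>
      <and>
        <!-- ~name~ expands the GCV; here it holds the "Active Users" container DN -->
        <if-src-dn op="not-in-subtree">~idv.dit.data.users~</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- Out-of-scope objects never reach the rest of the Subscriber channel -->
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Reject Group if not configured for Group synchronization</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">Group</if-class-name>
        <!-- Assumption: the GCV holds "true" when Group synchronization is enabled -->
        <if-global-variable mode="nocase" name="driver.gw.Groups" op="not-equal">true</if-global-variable>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Add identification to sync command</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">sync</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Stored on the event's operation-data; later policies read it as an operation property -->
      <do-set-op-property name="from-sync">
        <arg-string>
          <token-text xml:space="preserve">true</token-text>
        </arg-string>
      </do-set-op-property>
    </actions>
  </rule>
</policy>
```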