More on what's new in IDM 4

Recently Novell shipped Identity Manager 4.0 Advanced Edition. This is a great new release of Novell Identity Manager and has lots of fun new features.

The high level list of new stuff looks like a small list, but much of the functionality will have really powerful repercussions on how IDM is used in the future.

There are some high level things like two new drivers (well, 4 actually, since two more are needed for the Reporting service) for SharePoint and Salesforce.com. The Role Mapping Administrator tool is very useful and something that should be really interesting as it develops. The Reporting service will be a great help as well.

Of course there is a new and updated Designer, now at version 4. I started using Designer 4 on a new project I was working on (actually using IDM 3.6.1, since they are not yet licensed for IDM 4) and tried adding a feature that was not supported on an IDM 3.6.1 engine. A pop-up box came up (which was a nice warning) with a link to some documentation on new features within IDM 4. You can find the HTML files in your Designer install (assuming you installed it to c:\Program Files\Novell\Designer) at:

file:///C:/Program Files/Novell/Designer4/plugins/com.novell.idm.doc_4.0.0.201009290717/html/app/appversions.html

What I found quite interesting though was this page:

file:///C:/Program Files/Novell/Designer4/plugins/com.novell.idm.doc_4.0.0.201009290717/html/app/appvkeydiffs.html

This lists the main new features added in the different IDM versions, starting with IDM 3.5, through 3.6 and on to 4.0. I found it quite useful, as I often forget when a feature was added. This is most painful when I have to go back to IDM 3.0 installs and do work. It was so painful that I wrote up a set of workarounds for some of the pain points I often encountered working in IDM 3 after using IDM 3.5 and higher, in this article:
Working in IDM 3.0.1 after using 3.5.1

I thought that the table of changed items was sufficiently interesting that it would be worth an article on the topic and take a trip down memory lane, which I did in this series of articles:

As a reminder, here is the listing of features from Designer's view.

IDM 3.5 new features:

  • New object types were added:
    • ECMAScript Objects
    • Jobs
    • Mapping Table Resource Objects
    • Resource Libraries
  • New Policy Linking capabilities, where a policy can be in multiple lists
  • Many new DirXML Script actions, conditions, tokens, and verbs
  • Ability for DirXML Script to nest conditions
  • Driver-scoped local variables in DirXML Script that let you refer to variables outside of the policy

IDM 3.6 new features:

  • Support for 64-bit operating systems
  • New installation program
  • New driver configuration files
  • Driver health monitoring
  • New ID Provider driver
  • Reciprocal Attribute Mapping
  • Additional DirXML Script elements
  • Nested group support
  • User Application

IDM 4 new features:

  • Integrated installer
  • Packages
    • Installation
    • Management
  • New Resource Objects
    • Global configuration resource objects
    • Package prompt resource objects
    • DS resource objects
  • SharePoint driver
  • Salesforce.com driver
  • Identity Reporting Module

As I was working through these, I realized that these changes are mostly focused on the Designer side of the house, that is, things that are reflected in Designer.

However there is much more to the Identity Manager 4.0 release than Designer sees.

I had started reading through the IDM 4 documentation, and left a whole string of comments via the web link, and then I noticed this link, for What's New in IDM 4.

What’s New

Identity Manager 4.0 includes several new features and enhancements:

Section 10.1, Identity Reporting Module
Section 10.2, New Drivers
Section 10.3, Support for XDAS Auditing Included
Section 10.4, Packages Replace Driver Configuration Files
Section 10.5, Role Mapping Administrator
Section 10.6, Analyzer
Section 10.7, Integrated Installer

I see that several items missed in the Designer view are represented here. So let's talk about those new features.

The two primary things that are new in this list are Analyzer and the Role Mapping Administrator.

Analyzer was available before, but alas, only if you were licensed for the Compliance Management Platform (CMP). CMP was a great idea, not just for bundling the great components in the Identity and Access Management Suite along with the Security Identity and Event Management components (Novell Identity Manager 3.6.1, Roles Based Provisioning Module 3.7, Novell Access Manager 3.1, and Sentinel 6), but also for providing configurations to try and make it easier in a fresh install to get it all up, running, and working together. They had a cool model of an identity lifecycle and a driver specifically designed to monitor the stages of that lifecycle, called the State Machine. It has a bunch of neat ideas in it, and there is a lot to be learned from it. It is on my list of drivers to dissect and discuss, but too many other things keep grabbing my attention away from it.

Many interesting things came out of this effort, even if it was not the most widely licensed product. For example, the SAP driver configurations saw a lot of work for the CMP project, as you can read about in my series on the SAP HR and Business Logic drivers from that product:

As it turns out, the SAP HR driver in the CMP is a huge improvement over the shipping configuration, but even then it is not quite complete, and at Brainshare 2010 the author of that configuration showed his version 2.0, which was way cooler and had even neater tricks and approaches in it. I hope we see that released at some point. That reminds me, I need to go look at the SAP HR driver configuration in IDM 4 and see what changes were made from earlier ones.

In fact the Role Mapping Administrator itself came out of some of the extensive SAP work Novell did when they switched their internal systems from Siebel to SAP. As they started to do the migration they realized there were a lot of pain points that their products could solve, and in solving them, those solutions became products.

Anyway, about the only way you could get Analyzer in the past was with a CMP license. Which was a great bonus if you had a CMP license. But for the rest of us, it remained elusively out of reach. There was a demo license code, but it kept expiring (Darn them to sock heck!), which made it really hard to use; I guess they wanted us to buy it or something. It is now included as part of the license for IDM 4 Advanced Edition, which is great.

Analyzer is an Eclipse-based application much like Designer is, and shares many features with Designer. It is meant to be used before, during, and after a roll out of an IDM project. Originally it was an additional plugin for Designer, but with Designer 3.5 and Analyzer 1.1 they released both as RCP applications, which is an Eclipse stand-alone install. This means you end up duplicating the base Eclipse content on your drive, but disk is cheap, right?

An interesting issue that can come up when rolling out an IDM solution is: how clean is your data? Well, if you are connecting to an HR system, I am confident the HR folk will proclaim their data to be the cleanest, most accurate in the company, and that may well be true, but it is not an accurate assessment of the absolute cleanliness of their data. In other words, we often find that the HR folk are confident their data is great; after all, everyone is getting paid, right (unless you are the stapler guy in Office Space)? But in reality we often find all sorts of silly data issues. My favorite was at a university I used to work at in Toronto, where we used to discuss the (home grown) Identity Management system while ice skating at lunch, and one of our "I wonder" questions discovered that there were 300 users whose last name started with the letter 'space'. Oops.

On a more common note, you might be asking, do we have unique user names? Well, we want to map CN in eDirectory to sAMAccountName in Active Directory, and Active Directory requires that sAMAccountName be unique within each domain. You might think you have unique names in your system, but honestly, how do you know? Well, you could LDIF out all the CN values, convert it to a CSV file (or use Apache Directory Studio, the LDAP browser, which can save an LDAP query result as CSV or XLS) and then write a uniqueness test in Excel after importing the data.
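The Excel approach works, but the same checks are a few lines of script, which is closer to what Analyzer does with its built-in validations. The following is an added example (not code from the article or from Novell Analyzer) that runs over a constructed CSV export of eDirectory users and asks three questions the text raises: are the CN values unique the way Active Directory will judge them (sAMAccountName comparisons are case-insensitive, so `jsmith` and `JSmith` collide), does any value carry leading or trailing whitespace (the "last name starts with space" problem), and does any CN exceed the 20-character sAMAccountName limit for user accounts. The column names and sample rows are assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: roughly what an LDIF-to-CSV export of eDirectory users looks like.
# Note the case-only duplicate, the leading space in one surname, and the long CN.
SAMPLE_CSV = """cn,sn,givenName
jsmith,Smith,John
JSmith,Smith,Jane
alee, Lee,Amy
averyveryverylongaccountname1,Long,Name
bjones,Jones,Bob
"""

def load_rows(text):
    """Parse CSV text into a list of dicts; csv keeps whitespace as-is, which is what we want."""
    return list(csv.DictReader(io.StringIO(text)))

def find_duplicates(rows, attr="cn"):
    """Group values of attr case-insensitively, the way AD compares sAMAccountName.
    Returns {folded_value: [original values...]} for every group with more than one member."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[attr].strip().casefold()].append(row[attr])
    return {key: values for key, values in groups.items() if len(values) > 1}

def find_whitespace_issues(rows, attr):
    """Values of attr that have leading or trailing whitespace (invisible in most GUIs)."""
    return [row[attr] for row in rows if row[attr] != row[attr].strip()]

def find_too_long(rows, attr="cn", limit=20):
    """Values of attr longer than the AD user sAMAccountName limit of 20 characters."""
    return [row[attr] for row in rows if len(row[attr].strip()) > limit]

def report(text):
    """Run all three checks over a CSV export and return the findings in one dict."""
    rows = load_rows(text)
    return {
        "duplicates": find_duplicates(rows),
        "whitespace_sn": find_whitespace_issues(rows, "sn"),
        "too_long": find_too_long(rows),
    }

if __name__ == "__main__":
    for check, findings in report(SAMPLE_CSV).items():
        print(f"{check}: {findings}")
```

Run against the sample it reports the `jsmith`/`JSmith` collision, the surname ` Lee`, and the over-long CN. Against a real export, replace `SAMPLE_CSV` with the file contents and run the checks on every attribute you intend to use as a matching key, not just CN.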

Well, Analyzer goes one better, since you might also want to look into your SAP system, which does not support LDAP queries, or maybe your Lotus Domino system, and so on. Analyzer can use the existing driver infrastructure, via a second Remote Loader instance, to communicate with the connected systems, in much the same way Identity Manager communicates with connected systems.

This means it has better insight into the data in the target system. Even better, it can read CSV files to import sample data.

Once you have the data in Analyzer you can test it for uniqueness, which is actually a requirement, since some of the later work requires a sufficiently high level of uniqueness to make sense.

You can examine your data from multiple sources and compare them for uniqueness, which is very powerful, since this can be quite tricky in a home grown application. What is better, if you identify bad data that you want to change, you can change it in Analyzer and have Analyzer fix up the data in the source system.

It supports Regular Expressions and scripting languages (ECMA, Ruby, and Python) to process the data found and correct it as needed. This means you can script all sorts of complicated fixes, without a lot of extra effort.

You can use these scripting tools to validate the data. For example, you might have dates stored in a free-form text field in one system, and the owners of it will swear up and down that their data formats are 100% consistent, all the time. Great; if you could trust them, you could write a simple Convert Time function to manage it in your drivers. But do you really believe them? Well, maybe. They probably mean it, but do they even know? Again, you could export all the data into Excel and try to figure it out. But Analyzer has a stack of built-in validations for just these sorts of common questions, so you can quickly answer the question. Trust but verify.

This can be applied to pretty much any data in the system. You can examine it, validate it, call out the errors, and then fix them as needed.

Put this all together and you have a truly powerful tool.

Now the reality is, this is most useful before the Identity Management solution is deployed, in order to verify and then scrub your data. But you can use it after the fact as well, in order to check that the things you expected are happening as you expect.

Perhaps you have concerns about synchronizing a particular attribute. Well, you could import the data from the various systems and verify that they are consistent.
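The two ideas above, validating a free-form date field before you write a Convert Time rule for it, and comparing one attribute across systems after the fact, fit together as one pipeline: normalize each source's value first, then compare. The following is an added example (not from the article or from Analyzer) over constructed exports of a hire-date attribute from an HR system and from the Identity Vault; the user names, values and the set of accepted date formats are assumptions. A value is accepted only if it matches one of the known patterns and also parses as a real date, so a plausible-looking `2010-13-01` is flagged rather than silently passed, and anything in an unknown format shows up as a mismatch instead of being guessed at.

```python
import re
from datetime import date, datetime

# Constructed samples: the same hire-date attribute as exported from two systems.
# The HR side is the free-form field the owners "swear" is consistent.
HR_EXPORT = {
    "jsmith": "2010-03-15",
    "bjones": "15/03/2010",
    "alee": "March 15 2010",   # not in any accepted format
    "cdoe": "2010-03-16",      # parses, but disagrees with the vault
}
VAULT_EXPORT = {
    "jsmith": "20100315",
    "bjones": "20100315",
    "alee": "20100315",
    "cdoe": "20100317",
}

# Accepted formats, as (quick regex screen, strptime format). Assumed for the example;
# note dd/mm vs mm/dd is ambiguous, so decide it once here rather than per value.
KNOWN_FORMATS = [
    (re.compile(r"^\d{4}-\d{2}-\d{2}$"), "%Y-%m-%d"),
    (re.compile(r"^\d{2}/\d{2}/\d{4}$"), "%d/%m/%Y"),
    (re.compile(r"^\d{8}$"), "%Y%m%d"),
]

def parse_date(value):
    """Return a date if value matches a known pattern AND is a real calendar date, else None."""
    for pattern, fmt in KNOWN_FORMATS:
        if pattern.match(value):
            try:
                return datetime.strptime(value, fmt).date()
            except ValueError:
                return None  # right shape, impossible date (month 13, Feb 30, ...)
    return None

def validate(export):
    """Map user -> offending raw value for every entry that does not pass parse_date."""
    return {user: raw for user, raw in export.items() if parse_date(raw) is None}

def compare(source_a, source_b):
    """Users whose normalized dates differ, fail to parse, or are missing on one side.
    Returns {user: (raw value in a, raw value in b)} so the finding is actionable."""
    mismatches = {}
    for user in sorted(set(source_a) | set(source_b)):
        a = parse_date(source_a.get(user, ""))
        b = parse_date(source_b.get(user, ""))
        if a is None or b is None or a != b:
            mismatches[user] = (source_a.get(user), source_b.get(user))
    return mismatches

if __name__ == "__main__":
    print("HR values that do not validate:", validate(HR_EXPORT))
    print("Attribute mismatches HR vs vault:", compare(HR_EXPORT, VAULT_EXPORT))
```

On the sample, `validate` flags only `alee`, and `compare` reports `alee` (unparseable on the HR side) and `cdoe` (both sides valid, values differ); `bjones` passes because `15/03/2010` and `20100315` normalize to the same date. That last case is the point of normalizing before comparing: a raw string comparison would have reported every user as a mismatch.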

It is actually easier to show you how useful Analyzer is with real data than it is to explain it. It is one of those funny products that way. If you get a chance, try it out; it can be useful to examine your current production data, just to be sure it is all as you expect. It is on the Windows or Linux DVDs that are available as ISO files from Novell. This link worked at the time of writing, to get to the download page:

You would need to get a license code from your Customer Center page.

The other major new feature is the Role Mapping Administrator. This is a web-based application that is authenticated via the User Application. The rights to use it are themselves assigned via a Role from the Roles Based Provisioning Module. (As is the Role to allow Reporting in the new Identity Reporting Module.) You need rights as both a Roles Administrator and a Resource Administrator, since this tool really manages the intersection of these two spaces. That is, you use the Role Mapping Administrator (RMA) tool to pull in and manage Resources, and then build up Roles, which are made out of a collection of Resources (and other Roles). Thus you must have the User Application and the Roles and Resource driver working to be able to use this tool.

This was available specifically for access into SAP systems in the CMP project. With IDM 4 Advanced Edition it has become one of the shipping products.

One of the key changes needed is the use of Resources, instead of Entitlements. However, Resources invariably map one to one to Entitlements. (Actually I am not sure you can do it any other way than a one to one mapping). The purpose of Resources is to give a human friendly name on top of the Entitlement. As a friend (Hey Mike W) said, Resources are for people, Entitlements are for computers.

The RMA tool gives you three columns of information. In the center, you have the Resources making up the Role you are currently working on.

In the column on the left you have the list of Roles you have access to in the Identity Vault. (The Access Control model enforced via the User Application allows a Role (the Resource Administrator (or Manager) and/or Role Administrator (or Manager)) to have a scope as well, such that you could be a Resource Manager for a set of Resources, or for all the Resources. The same is true for Roles. Thus you might only have rights to a subset of the available Roles.)

You start by selecting a Role from the Identity Vault, which brings its current state into the middle column, showing you the things that make up the Role. I say things, since there are a couple of things other than Resources that can be added (Composite Roles and Profiles being the examples I am thinking of).

Then in the far right column, you select at the top which driver you are referring to. This might be an Active Directory driver, or perhaps an SAP driver. Once you select a driver, you are shown a list of available Resources in that system. Now you can simply drag the Resource of interest into the center column.

As you can imagine, this can make building up Roles much easier. With the help of Aveksa's Access Governance Suite, which can try to suggest common patterns of roles for you, you can take a fairly complex environment and try to bring it under more control.

I think these various pieces that are new in Identity Manager 4 are going to need a lot more discussion and thought, as they bring all sorts of interesting and fun possibilities to the mix.
