Not only does my knee still work, but I can still snowboard too. We went to Rabbit Hill on Sunday the day after I got back from Brainshare, and again yesterday. Rabbit Hill closes for the season this weekend so we had to get our last few runs in.
Yesterday was very warm, and the snow was melting fast. The wax on my snowboard didn’t like the snow, resulting in progressively less sliding ability all day, and a buildup of gross slimy dirt on the base of the board. Jenn’s board did that too, but not as bad. Apparently, the factory wax is better for warm weather than the wax Scott Currie put on my new board when I bought it from him. I have to figure out how to get the crud off before we go to Marmot Basin for our (probably) last boarding outing of the season.
TUT361 IDM 3 and Provisioning – Beyond the Out-Of-The-Box Templates.
This is very disjointed because it is just a brain-dump written during the presentation and not edited at all.
The workflow pieces are similar to the transformation rules in DirXML. They are documents defined in XML and attached as attributes to entities in the eDirectory driver object for the workflow driver (the user application driver).
There are lots of templates in the IDM manager for creating workflows, that have predefined XML files. These can be used in wizards in iManager or in the Eclipse Designer tool. The iManager piece is the default tool, and it can be used to fill out the standard templates. If you want to go beyond the templates you need to dig into the XML or use Designer.
You can manually edit the documents by grabbing them inside iManager and getting them into EMACS (insert your xml editor here). Then you are kind of back into the DirXML (Identity Manager 1) world. Woohoo. That’s where I spent some time when we implemented our identity management stuff.
You can extend the schema with custom attributes, and use them in custom workflows, putting data widgets on the forms on the user application to access them. You can also show any data that is available in the directory abstraction layer namespace. These attributes are shown inside the iManager tool. The schema used in the workspace is all in the namespace of the directory abstraction layer of the user application, not the namespace of eDirectory.
There is a function in the xml called flowdata, which allows you to pass your custom data along with the workflow, through the steps.
One limit of the tools is that the iManager interface is only able to generate Entitlement-type workflows, because that’s all the templates do. For other types of workflows, you have to do custom workflows.
The workflow XML allows you to insert custom controls into the form elements to manage attributes in the directory, including any custom attributes you may have added to the schema.
Some of the tools shown in this demo were just released this week and are available on Cool Solutions.
In the xml, the Process element is the root of the process definition xml document. It is localizable. Form elements are the request and approval form data elements. They can contain data fields, display-labels, props (properties) and controls. Control types determine the display type of the data on the form. They consist of a whole bunch of visual types like text, linebreak, staticlist, datepicker, textarea, etc., depending what you want to display and what data you need to collect for your workflow. Each control can have an Editable property which can be true or false. There is also the ability to use a regular expression as a property that validates data input on the forms. The DN Display element shows data from the directory abstraction layer, and a True False element is just a boolean selector element.
Data-item elements define which data-item elements are available in the workflow. You can hard-set them, or use flowdata.get functions or other functions, to obtain them from the workflow process. You have to define a data-item in order to pass data from one phase of the workflow process to the next.
All processes have one or more start activities. Attributes of start activities are an “audit” attribute, which can be off or on and forces auditing, and a timeout attribute that expires the workflow. Elements of the start activities are Notify, for email notifications, with all the settings you need to alert your auditor or process participants.
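As an added example (not from the session and not Novell’s code): a small Python linter for the kind of workflow document described above, checking the points a reviewer would want before deploying one: auditing on, a timeout set, every editable form control validated by a regex, and every flowdata.get() reference backed by a defined data-item. The element and attribute names (Process, Form, control, data-item, start-activity, Notify, Editable, validate) are modelled on these notes and are an assumption, not Novell’s actual schema.

```python
# Lint a workflow-definition XML for the points the notes above raise: auditing
# on, a timeout set, editable controls validated by a regex, and every
# flowdata.get() reference backed by a defined data-item. Element and attribute
# names are an assumption modelled on the notes, not Novell's real schema.
import re
import xml.etree.ElementTree as ET

# Constructed sample document with deliberate problems (not from the page).
SAMPLE_XML = """<Process name="grant-file-share">
  <data-item name="requester" value="flowdata.get('requester')"/>
  <Form name="request">
    <control type="text" name="share-name" Editable="true"
             validate="^[A-Za-z0-9_-]{1,32}$"/>
    <control type="textarea" name="justification" Editable="true"/>
    <control type="DNDisplay" name="approver" Editable="false"
             value="flowdata.get('approver')"/>
  </Form>
  <start-activity audit="off">
    <Notify to="auditor@example.invalid"/>
  </start-activity>
</Process>"""
FLOWDATA_REF = re.compile(r"flowdata\.get\('([^']+)'\)")


def lint_workflow(xml_text):
    """Return a list of findings; an empty list means the document passes."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {d.get("name") for d in root.iter("data-item")}
    # A flowdata.get('x') with no matching data-item never reaches the next phase.
    for elem in root.iter():
        for value in elem.attrib.values():
            for ref in FLOWDATA_REF.findall(value):
                if ref not in defined:
                    findings.append("undefined data-item: " + ref)
    # Editable controls accept user input, so each one needs a validation regex.
    for ctl in root.iter("control"):
        if ctl.get("Editable", "false").lower() != "true":
            continue
        if ctl.get("validate") is None:
            findings.append("unvalidated editable control: " + ctl.get("name"))
    for start in root.iter("start-activity"):
        if start.get("audit", "off").lower() != "on":
            findings.append("auditing is off")
        if start.get("timeout") is None:
            findings.append("no timeout set")
    return findings
```

Running lint_workflow(SAMPLE_XML) reports the undefined approver data-item, the unvalidated justification field, auditing off and the missing timeout.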
It really seems that what you would do is do a lot of your work in Designer, in the gui tool, and then when you get to tweaking, you would do that in a text editor.
I gotta get this working in Engineering.
I just talked to my Mom, and apparently Dad’s doing well today after his quadruple bypass yesterday. He ate breakfast, and was sitting up and acting alert this morning. I also just found out they changed the power supply out in his pacemaker to boot. Anyways, the mood has lightened all around our family today.
We did find out, however, that we’re going to have to go through all this again next week as Jenn’s dad Klaus goes in for a bypass on next Wednesday. It never rains.
I took notes at some sessions that were not super-technical rather than live-blogging. I also ran out of power a couple of times and couldn’t blog in the sessions so I did dead-tree blogging instead. I’ll be adding some more postings for ones I haven’t covered yet as I get time.
Stuff I haven’t posted yet includes:
- Canadian Brainshare Reception
- GroupWise 7 Overview and Futures
- OES Server Overview and Futures
- What’s New With Novell Enterprise Linux Desktop 10 very cool
- Counting Crows Concert
- Identity Manager 3 – Configuring the User Application
- E-mail Archiving Solutions
and later today
- Advanced ZENworks Linux Management
As you can see, I have a lot of writing to do. I have some time Friday afternoon, so I’ll catch up then.
IO163: Novell Identity Manager Overview and Futures
Key concept is that there is a main Identity Vault for Identity Manager. It doesn’t have to be authoritative for everything, but it contains the whole identity for individuals, aggregated from whatever sources throughout your systems that are authoritative for each piece.
An example is if you have your HR system to be authoritative for most user attributes, but other places are authoritative for filesystem access, and maybe the email system is authoritative for email addresses. This is an example of “Role Based User Provisioning”, where an initial resource creation in one system kicks off an automated provisioning process that creates accounts on servers, desktops, mail systems and enterprise applications.
The corollary of this is “Role Based De-Provisioning”, which means a single event should be able to kick off a workflow that ensures that access is quickly and completely revoked for departing staff members. We need work in this area, as we have been managing it with paper workflow, and it could be faster if we automated some of it.
IDM 3 was released in 12/2005, and in addition to having much improved configuration tools and tasks and an expanded list of datastore connector drivers, they have included some very amazing workflow tools that incorporate dynamic provisioning workflows for all kinds of identity requirements. It also incorporates a lot of features that enable identity regulatory compliance for organizations that have strong regulatory requirements.
Auditing is a key functionality. People who are responsible for resources are able to see exactly who has been given access to what.
We should look at IDM3 to auto-deploy Linux accounts on our gazillion Linux servers. Alternatively, get LDAP LUM integration working.
A new security feature is the ability to have encrypted attributes end-to-end. That includes encrypted data stored right inside the identity vault. Passwords, secrets etc. can be stored inside eDirectory in encrypted form for the use of IDM.
The presenter went through the workflow features again. This is pretty cool technology that we could really leverage. It occurs to me that you need strongly documented policies for corporate work processes if you want to implement this kind of workflow stuff. Detailed documentation would need to be developed and approved with all the stakeholders prior to implementation. Once the documentation is produced, in general there is no actual programming required for most basic workflow operations.
The system also includes functionality of eguide, but also integrated with the workflow engine, plus email, instant messaging integration, and other advanced features.
Oops, out of laptop power. Switching to dead-tree blogging. Should be updated later.
TUT273: Novell IDM 3 – Configuring the Workflow Based Provisioning System
This is part of the user application that runs as a J2EE war file on JBoss. It uses database tables to contain its data, and it supports the embedded MySQL database that comes with it, or SQL Server or Oracle.
The user app includes search, list, org chart portlets, password self service, lightweight user admin, workflow, personalization and portal provisioning portlets. There is an eclipse plugin available on novell forge to manage this.
The main focus of the presentation was demonstrating a lot of the workflow features, but not a lot about setting up workflows. They described the functionalities of IDM3 workflow, including user requesting a provision, and then the whole approval process in the web application.
Then they went into iManager and went through the tasks of configuring a workflow. This is done using an IDM driver for the user application / workflow, that was very similar to any other IDM driver. It should be possible to use this in conjunction with a driver that can talk to SQL Server, to provide automatic provisioning of users from Deltek Vision, with approval and input from network administrators, and that kind of stuff. The iManager tools were very gui-ish and have the ability to let you set up groups for approval, so that anyone in the group can approve a given request for access, and you can set up additional data entry, like setting properties on the provisioning request in-process. You can make requests time-out, or escalate up the chain of command, or fancy stuff like that. It requires a lot of configuration of your actual identity store data, like manager hierarchy and stuff like that if you want it to work.
All in all, it looks like we could implement the hire/fire/cleanup of users with this much more easily than in a custom application.
We need to try it out in Engineering like Ed suggested.