[. . . ]

AUTHORIZED DOCUMENTATION
Identity Manager 3.6.1 Staging Best Practices Guide
Novell® Identity Manager™ 3.6.1
June 24, 2010
www.novell.com
novdocx (en) 16 April 2010

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

[. . . ]

Search identities and Membership Filter on Dynamic groups and RBE policies.

Groups: Ensure that the static and dynamic group objects are created before deploying them. The following objects must be included in the list:
  - Groups that are used in any policies.

Password Policies

Indices

Custom Objects: Ensure that the policies are created before deploying them. The following objects must be included in the list:
  - All custom objects that are Security Equivalences objects for any of the drivers.
  - Custom objects that are used in GCVs.

Designer 3.5 and later lets you import the objects listed in the table above in LDIF format and then deploy them along with the other objects being deployed.

NOTE: These objects are not modeled as drivers or driver sets in Designer. You modify them by editing the LDIF file in Designer that contains them. For more information, refer to Enabling Staging of Projects (http://www.novell.com/documentation/designer35/admin_guide/data/staging_projects.html) in the Designer 3.5 Administration Guide (http://www.novell.com/documentation/designer35/index.html).

2.5 Rights

  Section 2.5.1, "Driver Equivalences," on page 14
  Section 2.5.2, "Roles Based Entitlements Policies," on page 14
  Section 2.5.3, "Jobs," on page 15

2.5.1 Driver Equivalences

A driver requires rights to the objects in the Identity Vault in order to perform tasks on them; these rights are granted through Security Equivalences. For example, an Oracle™ database driver has a policy that creates a user in a container of the Identity Vault every time a user is created in the database. If the driver does not have sufficient permissions on that container, the create operation fails. The driver therefore needs rights equivalent to those of the users or objects that already have permissions on the container. Evaluate all policies carefully to determine which permissions each driver must be given.

Designer 3.5 and later can store the Security Equivalences and Exclude Administrative Roles of the drivers in the project and can assign them to the drivers. Before moving to another staging environment, make sure you know the Security Equivalences and Exclude Administrative Roles associated with each driver, and ensure that these objects are imported as LDIF objects and moved along with the other objects so that they can be assigned in the next stage after deployment. If the Security Equivalences objects and the Exclude Administrative Roles objects are stored as LDIF objects, Designer ensures that they are created in the next stage before they are assigned.

2.5.2 Roles Based Entitlements Policies

Roles Based Entitlements policies are used by the Entitlements Service driver, which grants entitlements to users and revokes entitlements from them. An entitlement policy contains the following:

Membership: The list of users assigned to the policy. A user can be dynamically assigned to a policy when he or she meets the criteria for the policy, or can be statically (manually) assigned to the policy. Users assigned to the policy receive all of the entitlements associated with the policy. If a user is removed from the policy, he or she loses all entitlements associated with the policy.

You can assign any Identity Vault objects for which you want the entitlement policy to be a trustee. Each member of the policy becomes a trustee of the objects you add. There are several reasons why you might want to make the policy a trustee of an object:

  - One of the policy's entitlements requires the policy's members to have rights to an object.
  - You want to use the policy to assign users as trustees of an object even though rights to the object are not required for an entitlement.

[. . . ]

Right-click eDir2eDir, then click Live > Create eDir-to-eDir Certificates.

Java Environment Parameters: The Java* environment parameters enable you to configure the Java Virtual Machine™ (JVM) on the Metadirectory server associated with the driver set. You might need to change the Java classpath options if the .jar files your Metadirectory server looks for reside at a different location in the new stage. To change the location, go to DriverSet Properties Page > Java > ClassPath Additions and provide the correct classpaths.

[. . . ]
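The staging table and Section 2.5.1 above both require that the LDIF-staged objects (groups used in policies, the Security Equivalences and Exclude Administrative Roles objects, custom objects used in GCVs) exist in the next stage before anything is assigned to them. The following Python script is an added example, not part of this guide and not Novell or Designer code, of a pre-deployment consistency check: it parses the staged LDIF export with a minimal parser and reports every DN that the driver configuration references, or that a staged group lists as a member, which is neither defined in the export nor known to already exist in the target stage. The LDIF text, the o=example tree, REQUIRED_DNS and EXISTING_IN_TARGET are constructed placeholders; the real lists would come from the project's driver properties and from the target Identity Vault.

```python
"""Pre-deployment check for LDIF-staged objects (added example, not Novell/Designer code)."""
import base64
import re
from typing import Dict, Iterable, List, Set


def normalize_dn(dn: str) -> str:
    """Comparison key for a DN: case-insensitive, whitespace around ',' and '=' ignored."""
    return ",".join(re.sub(r"\s*=\s*", "=", part.strip()).lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF parser returning {normalized dn: {attribute (lower-case): [values]}}.

    Handles '#' comment lines, folded continuation lines (leading space) and
    base64 values written as 'attr:: <base64>'. Values are kept as exported.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    dn = None

    def flush() -> None:
        nonlocal current, dn
        if dn is not None:
            entries[dn] = current
        current, dn = {}, None

    for line in unfolded:
        if not line.strip():                     # blank line ends an entry
            flush()
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            flush()
            dn = normalize_dn(value)
        else:
            current.setdefault(attr, []).append(value)
    flush()
    return entries


def find_missing_references(ldif_text: str, required_dns: Iterable[str],
                            existing_in_target: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Report DNs the deployment depends on that exist neither in the LDIF nor in the target.

    required_dns: DNs the driver configuration references (Security Equivalences,
                  Exclude Administrative Roles, groups named in policies or GCVs).
    existing_in_target: DNs already present in the next stage (e.g. exported from it).
    Returns {"required": [...], "group_members": ["<group dn> -> <member dn>", ...]}.
    """
    entries = parse_ldif(ldif_text)
    known: Set[str] = set(entries) | {normalize_dn(d) for d in existing_in_target}

    missing_required = sorted({normalize_dn(d) for d in required_dns} - known)

    # A staged group whose members do not exist yet cannot be deployed cleanly.
    missing_members: List[str] = []
    for dn, attrs in entries.items():
        for attr in ("member", "uniquemember"):
            for member in attrs.get(attr, []):
                if normalize_dn(member) not in known:
                    missing_members.append(f"{dn} -> {normalize_dn(member)}")
    return {"required": missing_required, "group_members": sorted(missing_members)}


# Constructed sample export of the objects to be staged (placeholder tree o=example).
SAMPLE_LDIF = """\
# staged objects: a custom Security Equivalence object and two groups used by policies
dn: cn=IDMDriverRights,ou=services,o=example
objectClass: top
objectClass: organizationalRole
cn: IDMDriverRights
description: Custom object assigned as Security Equivalence to the drivers

dn: cn=HR-Managers,ou=groups,o=example
objectClass: top
objectClass: groupOfNames
cn: HR-Managers
member: cn=IDMDriverRights,ou=services,o=example
member: cn=jdoe,ou=users,o=example

dn: cn=Contractors,ou=groups,o=example
objectClass: top
objectClass: groupOfNames
cn: Contractors
description:: Q29udHJhY3RvciBwb29s
member: cn=IDMDriverRights,ou=services,o=example
"""

# Constructed placeholders: what the driver configuration references, and what
# the target stage already contains.
REQUIRED_DNS = [
    "cn=IDMDriverRights,ou=services,o=example",   # Security Equivalence for the drivers
    "cn=HR-Managers,ou=groups,o=example",         # group used in a policy
    "cn=Finance-Approvers,ou=groups,o=example",   # group used in a GCV, missing from the export
]
EXISTING_IN_TARGET = ["ou=users,o=example"]

if __name__ == "__main__":
    report = find_missing_references(SAMPLE_LDIF, REQUIRED_DNS, EXISTING_IN_TARGET)
    for kind, items in report.items():
        print(f"{kind}: {len(items)} missing")
        for item in items:
            print("  ", item)
```

Run it against the real LDIF file that Designer stages and a DN list built from each driver's Security Equivalences and Exclude Administrative Roles properties; any DN it reports under "required" will be rejected when Designer tries to assign it after deployment, and any entry under "group_members" points to an object (here a user) that must be created in the target stage, or listed in EXISTING_IN_TARGET, before the group is deployed.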