Introduction to Novell Nsure Identity Manager 2 (formerly DirXML)
Deven Macdonald, Product Manager, dmacdonald@novell.com

Contents
• DirXML Today
• New Features in Nsure Identity Manager 2
• Upgrading to Identity Manager 2

© March 16, 2016 Novell Inc.

DirXML 1.x Foundational Features
Features that define where we are today…

Feature: Benefit
• Bi-directional, real-time connection: Does not impose an unnatural process
• Distributed authority: Overcomes deployment politics
• Automated provisioning & approval request: Controlled, automatic distribution of resources
• Robust/flexible policy definition: Compatible with existing business processes
• Cross-platform freedom: Maps to real-life heterogeneous environments
• Scalable, fault-tolerant architecture: Highly reliable and robust
• Extensive connectivity: Relevant
• Ability to create custom connectors: Extensible to unique environments

Primary Enhancements in Novell Nsure Identity Manager 2
(The product name is now Novell Nsure Identity Manager 2.)

Feature: Benefit
• Policy Builder: Greatly simplified configuration; expanded effective delivery force
• Role-based administration: Administration leverage
• Password management: Comprehensive, automatic password policy enforcement; empowered users
• White pages & self-service: Expanded self-service
• Logging, monitoring & auditing: Non-repudiative security

Policy Builder - New Policy Development Model
Nsure Identity Manager 2 Policy Builder
• A simple, browser-based, point & click way to create and modify policies
  – Policy: a collection of rules
  – Rule: a set of actions, and the conditions under which those actions are executed
• Reduces dependence on XSLT to accomplish common tasks
  – Design goal: 80%+ of policy definition within Policy Builder
  – Achieved: 100% in most cases
• Use Policy Builder to define:
  – Creation policies
  – Default naming policies
  – Placement policies
  – Initial password policies
  – Schema mapping policies
  – Event transformation policies
  – And so on…

Policy Builder screenshot (New Policy Development Model)

New Policy Development Model: Bottom Line, What's Changed?
Rule and Policy definitions
In DirXML 1.1a, the policies used in a driver configuration were called Rule objects and Stylesheet objects. In Identity Manager 2, each part of the driver configuration is a Policy object, and these policies contain individual rules. The Policy Builder helps you set up twenty-five of the most common rules using the new DirXML Script (IDM Script), with NO XSLT.

New Policy Development Model: The Details
What are Rules, What are Policies?
In DirXML 1.x, the term rule described a set of rules, the individual rules in this set, and the conditions and actions within the individual rules, depending on the context. This overlap caused confusion.
In Identity Manager 2, policy replaces the previous usage of rule when describing the high-level transformation that is occurring. You define a policy set consisting of one or more policies, where each policy contains one or more rules. The term rule describes only an individual set of conditions and actions.

New Policy Development Model
Policies are now created in one of two ways:
1. New way: Using the Policy Builder to generate DirXML Script. (Existing non-XSLT rules are converted to DirXML Script automatically upon import.)
2. Old way: Using XSLT stylesheets.

A Matching Rule Using XSLT (screenshot)
Policy Builder Takes a Whack (screenshot)
The Resulting DirXML Script (screenshot)

Role-based Entitlements
Provides resource entitlements to users based on their membership in a role.
• Role membership is determined dynamically or statically
  – Dynamic memberships can be defined by combinations of attributes
  – Uses inclusion and/or exclusion to define membership
• Sample entitlements:
  – Accounts on connected systems
  – Inclusion in a NOS group
  – Inclusion in an email distribution list
• Entitlements are re-calculated and provisioned when users are added or changed

Entitlement Policy screenshot

Role-based Entitlements
Entitlements on connected systems are defined by the Identity Manager (IDM) developer who creates the driver configuration. They can be anything that the driver supports. The driver configurations that ship with IDM 2 can be used out-of-the-box with connected systems, but they show only a sample of what an IDM developer could do when defining entitlements.
Because Role-Based Entitlements functionality is based on IDM, you must have IDM drivers installed and configured properly in order to administer connected systems.

Which Drivers Support RBE?
The driver configurations included with Identity Manager 2 support Role-Based Entitlements for the following connected systems:
• Active Directory
• Exchange
• GroupWise
• LDAP
• Notes
• NIS
• NT Domain

Who Should Use Role-Based Entitlements
Role-Based Entitlements is an alternative way to administer Identity Manager. Consider the following:
1. Choose RBE if you prefer a more centralized model of IDM administration.
2. The Role-Based Entitlement model fits an environment where one or a few administrators have authority to control which entitlements are given to groups of users.
3. RBE is a good fit for a small or mid-sized business that can centralize authority for administering business policies. It gives you a big-picture view.
However, you must decide between using custom IDM policies and using Role-Based Entitlements.
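To make the Role-Based Entitlements model concrete, the following Python is an added example (not Novell's code and not how the IDM engine is implemented): an entitlement policy with static inclusion/exclusion lists and a dynamic membership expressed as a combination of attribute values, mapped to entitlements on connected systems, plus the recalculation that runs when a user is added or changed and yields what to provision and what to revoke. The class names, the attribute names, the policies and the users are all constructed for the illustration.

```python
"""Role-Based Entitlement recalculation (added example, not Novell's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    """Something a driver can grant on a connected system."""
    system: str        # connected system the driver provisions to, e.g. "AD"
    kind: str          # "account", "group" (NOS group) or "dl" (e-mail distribution list)
    target: str = ""   # group or list name; empty for an account


@dataclass
class EntitlementPolicy:
    """Static and/or dynamic membership mapped to a set of entitlements (constructed model)."""
    name: str
    grants: frozenset                               # entitlements every member receives
    dynamic: dict = field(default_factory=dict)     # attribute -> allowed values; all must match
    include: frozenset = frozenset()                # DNs that are members regardless of attributes
    exclude: frozenset = frozenset()                # DNs that are never members of this policy

    def is_member(self, user):
        dn = user["dn"]
        if dn in self.exclude:          # exclusion overrides both static and dynamic membership
            return False
        if dn in self.include:          # static inclusion
            return True
        if not self.dynamic:            # static-only policy
            return False
        return all(user.get(attr) in allowed for attr, allowed in self.dynamic.items())


def entitlements_for(user, policies):
    """Union of the grants of every policy the user is a member of."""
    granted = set()
    for policy in policies:
        if policy.is_member(user):
            granted |= policy.grants
    return granted


def recalculate(user, policies, held):
    """Run when a user is added or changed: returns (to_provision, to_revoke)
    relative to the entitlements the user currently holds."""
    wanted = entitlements_for(user, policies)
    return wanted - held, held - wanted


# Constructed sample entitlements and policies
AD_ACCOUNT = Entitlement("AD", "account")
GW_ACCOUNT = Entitlement("GroupWise", "account")
ENG_GROUP = Entitlement("AD", "group", "Eng-Users")
ENG_DL = Entitlement("GroupWise", "dl", "eng-all")

POLICIES = [
    EntitlementPolicy(
        "Employees", frozenset({AD_ACCOUNT, GW_ACCOUNT}),
        dynamic={"employeeType": {"employee"}},
        include=frozenset({"cn=vendor1,ou=Contractors,o=acme"}),
        exclude=frozenset({"cn=svc-build,ou=Engineering,o=acme"}),
    ),
    EntitlementPolicy(
        "Engineering", frozenset({ENG_GROUP, ENG_DL}),
        dynamic={"OU": {"Engineering"}, "Title": {"Engineer", "Senior Engineer"}},
    ),
]


def demo():
    """A new hire is provisioned, then her Title changes and the delta is recomputed."""
    alice = {"dn": "cn=alice,ou=Engineering,o=acme", "OU": "Engineering",
             "Title": "Engineer", "employeeType": "employee"}
    held = entitlements_for(alice, POLICIES)      # add event: everything she qualifies for
    alice["Title"] = "Manager"                     # modify event on a membership attribute
    provision, revoke = recalculate(alice, POLICIES, held)
    return held, provision, revoke


if __name__ == "__main__":
    for label, ents in zip(("held", "provision", "revoke"), demo()):
        print(label, sorted(f"{e.system}:{e.kind}:{e.target}" for e in ents))
```

The point worth noticing is that a single attribute change (Title) silently revokes the group and list membership while the accounts survive, because those come from a different policy; and that an exclusion is per policy, so the excluded service account still qualifies for the Engineering grants. This is exactly why the deck warns against mixing custom IDM policies and RBE on one connected system: two independent sources of truth for the same entitlement produce conflicting deltas.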
You should not use both methods for provisioning user entitlements on the same connected system.

Password Management
A suite of password-related security functions:
• System-wide password policy
  – Establish a password policy that will be used for and enforced on connected systems
• Password self-service
  – Empower users to help themselves with forgotten passwords, password resets and changing passwords
• Password distribution
  – Specify the connected systems that will receive the organization's common password, as defined in the password policy
• Bi-directional password synchronization
  – Manage the native password management activities in connected systems, ensuring consistency

Password Management: Password Policy
• Administrators specify the required properties of an acceptable password for systems throughout the enterprise
• Examples of password policy controls:
  – Minimum/maximum number of characters
  – Minimum number of upper-case characters
  – Minimum number of numerals
  – Password re-use forbidden
  – Password exclusion lists
  – And so on…
• Conformance is checked before the password is allowed to be set in the Nsure Identity Manager 2 identity vault

Password Management: Password Self-Service
• Administrators configure self-service policies
  – Challenge/Response options
  – Challenge/Response success actions, for example:
    – Email hint
    – Reset to last good password
    – Display hint on the page
    – Allow users to change their password
• Users configure their own hints and/or answers to challenge questions
  – A hint is not allowed to contain the password

Password Management: Password Distribution
• User sets a new common password using the self-service password interface
• New password is checked against the password policy
• New password is set on the user object within the Nsure Identity Manager 2 identity vault
• Password is distributed to associated user objects on connected systems
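The following Python is an added example, not Novell's code and not the engine's implementation, that ties the password slides together: the listed policy controls (length bounds, minimum upper-case characters, minimum numerals, no re-use, exclusion list), the self-service rule that a hint may not contain the password, the self-service flow on this slide (check, set in the vault, distribute to subscribed systems), and the bi-directional sync flow described on the following slides, where a password captured from a participating system that fails policy is reset there to the last good password and a failure notice is sent. The policy values, the system names and the `Vault` model are constructed for the illustration; the per-system dictionary only records which password each connected system currently holds.

```python
"""Password policy enforcement, distribution and bi-directional sync (added example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Controls from the slide; the default values are constructed for the example."""
    min_length: int = 8
    max_length: int = 64
    min_upper: int = 1
    min_digits: int = 1
    history_depth: int = 5                      # how many previous passwords may not be re-used
    exclusions: frozenset = frozenset()         # passwords that are never acceptable


def _digest(password):
    # History is kept as digests so old passwords are not held in clear (example choice).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check(policy, password, history):
    """Return the list of violated controls; an empty list means the password conforms."""
    violations = []
    if not policy.min_length <= len(password) <= policy.max_length:
        violations.append("length")
    if sum(c.isupper() for c in password) < policy.min_upper:
        violations.append("upper")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        violations.append("digits")
    if password.lower() in {e.lower() for e in policy.exclusions}:
        violations.append("excluded")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if _digest(password) in recent:
        violations.append("reuse")
    return violations


def hint_allowed(hint, password):
    """Self-service rule: the hint may not contain the password (compared case-insensitively here)."""
    return password.lower() not in hint.lower()


@dataclass
class Vault:
    """The identity vault plus the connected systems subscribed to the password attribute."""
    policy: PasswordPolicy
    subscribers: frozenset
    current: str = ""                                   # last good password on the user object
    history: list = field(default_factory=list)         # digests, oldest first
    on_system: dict = field(default_factory=dict)       # what each connected system currently holds
    notices: list = field(default_factory=list)         # failure e-mails that would be sent

    def _commit(self, password):
        """Set the password on the vault object and distribute it to every subscriber."""
        self.history.append(_digest(password))
        self.current = password
        for system in self.subscribers:
            self.on_system[system] = password

    def self_service_change(self, password):
        """Self-service flow: check against policy, set in the vault, distribute."""
        violations = check(self.policy, password, self.history)
        if not violations:
            self._commit(password)
        return violations

    def native_change(self, system, password):
        """Bi-directional sync: a change captured on a participating system.
        On failure that system is reset to the last good password and a notice is
        queued; on success the vault and all subscribers follow."""
        violations = check(self.policy, password, self.history)
        if violations:
            self.on_system[system] = self.current
            self.notices.append(f"{system}: password change rejected ({', '.join(violations)})")
            return violations
        self._commit(password)
        return []


def new_vault():
    """Vault with a constructed policy and an initial password already distributed."""
    policy = PasswordPolicy(exclusions=frozenset({"Password1", "Welcome1"}))
    vault = Vault(policy, frozenset({"AD", "NT", "NIS", "eDirectory", "GroupWise"}))
    vault._commit("Initial9A")
    return vault


if __name__ == "__main__":
    v = new_vault()
    print("self-service:", v.self_service_change("Spring2004!"))
    print("native on AD:", v.native_change("AD", "password"), v.on_system["AD"], v.notices)
```

The design choice that matters for security is that the policy check sits on the vault side in both flows, so a connected system with a weaker native policy cannot become the path by which a non-conforming password reaches every other system; the reset to the last good password is what keeps the participating system consistent with the vault after a rejection.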
Connected Systems
• eDirectory
• Legacy NDS
• Active Directory/Exchange 2000
• Windows NT Domains
• Network Information Service (NIS)
  – Linux
  – Solaris
  – other UNIX (HP-UX, AIX)
• GroupWise
• Lotus Notes
• SunOne
• SAP User Management
• Relational databases
  – Oracle
  – DB2
  – Sybase

Password Management: Bi-directional Password Synchronization
• Users can perform password management functions through native password interfaces
  – Windows NT (NT Domains)
  – Windows 2000 (Active Directory)
  – Windows 2003 (remotely, Active Directory)
  – eDirectory (all platforms)
  – NIS (Unix, Linux)
• Nsure Identity Manager 2 detects the change and checks it against policy
• If successful, the password is distributed throughout the connected systems
• If unsuccessful
  – Failure notice sent via email
  – Password is reset to the last good password

Password Scenario: Using the self-service portal to change a password
1. The self-service gadget is used to enter a new password (Identity Manager 2 Web Server).
2. The password is checked for conformance to policies (Identity Manager 2 Web Server).
3. The password is set on the user object in the Identity Vault (Identity Manager 2 Server with associated Identity Vault).
4. The password is distributed to associated user objects on connected systems that support subscription to the password attribute.

Password Scenario: Bi-directional password sync
1. User sets a password on a participating system.
2. The password is captured and sent securely to the Identity Manager 2 Server.
3. Does it conform to the policy?
   – No: a failure notice is sent via email, and the password on the participating system is reset to the last "good" password.
   – Yes: the password is set on the user object in the Identity Vault, then distributed to associated user objects on connected systems that support subscription to the password attribute.
Participating Systems
• Active Directory
• NT Domains
• NIS (Unix)
• eDirectory

Primary Enhancement: White Pages & Self-Service
eGuide
• Look up information on objects in eDirectory and/or other LDAP repositories
• Anonymous mode or Authenticated mode
• Allows users to maintain their own information
• Integrated Organizational Chart view
• Supports digital photos, etc.

Primary Enhancement: Nsure Audit Integration
Novell's official logging & auditing framework
• Centralized log for all systems throughout the enterprise
  – SQL, flat file or SYSLOG
  – Standard for all Novell applications
  – Open to 3rd-party integration
• Nsure Identity Manager 2 logs all identity management activity
• Includes reporting and notification capabilities
• Optional upgrades
  – Non-repudiative log
  – Real-time monitor

Upgrading to Nsure Identity Manager 2: Upgrade Overview
• New version is backward compatible
  – Drivers can be a mix of old/new
  – XSLT configuration does not change
• Automatic conversion of XML rules and filters to the new format
• Drivers are updated separately from the engine
  – Continue administration of previous versions with the existing iManager

Upgrading to Nsure Identity Manager 2: Upgrade Consists of…
Laying down new code:
• eDirectory (optional)
• DirXML engine
• iManager
• iManager plug-ins
• Drivers
Converting into the new format:
• XML rules (now all policy gates can be done via XML, not just create, placement and matching)
• Filters (all in one object; filter for notify vs. sync, merge authority)

Upgrading to Nsure Identity Manager 2: Upgrade Process
Install on top of the existing eDir/DirXML
• Following the process will automatically shut down eDir, install the new DirXML engine, and restart eDir.
• If existing drivers are set for automatic startup, they will start up as well.
Install the new iManager and new plug-ins.
Open the driver configuration in iManager
• This will automatically convert XML-based policies (create, placement, matching), and will convert filters to the new format.

More Information
For more information about Nsure Identity Manager please visit:
https://innerweb.novell.com/identitymanager
We will be continually adding information to this site for your use, so please check it regularly.

Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.