Previous      Contents     Next
Sun Java[TM] System Identity Manager 7.1 Update 1 Release Notes

Documentation Additions and Corrections

This section contains new and corrected information that was required after the Identity Manager 7.1 documentation set was published. This information is organized as follows:

Identity Manager Installation
Identity Manager Upgrade
Identity Manager Administration Guide
Identity Manager Resources Reference
Identity Manager Technical Deployment Overview
Identity Manager Workflows, Forms, and Views
Identity Manager Deployment Tools
Identity Manager Tuning, Troubleshooting, and Error Messages
Identity Manager Service Provider Edition Deployment
Using helpTool

---

Identity Manager Installation

This section provides new information and documentation corrections related to Sun Java^™ System Identity Manager Installation.

The following information should be added to the Note provided in the “Set Up a Java Virtual Machine and Java Compiler” section found in Chapter 1, Before You Install. (ID-17131)

You can run Identity Manager 7.1 and later on BEA WebLogic application servers with all WebLogic-supported 1.4.2 and 1.5 JVMs.

The Exchange 5.5 resource adapter is not supported. Ignore any references to this adapter.
The installation steps in Chapter 6, “Installing Identity Manager for Sun ONE Application Server 7” and Chapter 7, “Installing Identity Manager for Sun Java System Application Server” have been revised because you must edit the server.policy file after installing the Identity Manager software or Identity Manager will not run. Consequently, you must perform the installation steps in the following order (ID-16600):
Step 1: Install the Sun ONE Application Server Software
Step 2: Install the Identity Manager Software
Step 3: Edit the server.policy File
Step 4. Deploy Identity Manager into Sun ONE Application Server
Step 5. Install the Sun Identity Manager Gateway
Specific version numbers should be removed from the “Supported Software and Environments” section in Chapter 1, “Before You Install” and the following note will be added: (ID-16687)

Note	Because software product developers frequently ship new versions, updates, and fixes to their software, the software and environment versions supported by Identity Manager changes often. Review the “Supported Software and Environments” section of the Identity Manager Release Notes before proceeding with installation.

---

Identity Manager Upgrade

This section provides new information and documentation corrections for Sun Java^™ System Identity Manager Upgrade.

Before upgrading, it is important to back up both the directory where Identity Manager is installed and the database that Identity Manager is using. You can use third-party back up software or a back up utility supplied with your system to back up the Identity Manager file system. To back up your database, refer to the database documentation for recommended back up procedures. (ID-2810)

When you are ready to create your backups, you must first shutdown (or idle) Identity Manager. Then, use your backup utilities to back up your database and the file system where you installed Identity Manager.

The AD Active Sync resource has been deprecated and replaced by the AD resource. Perform the following steps to migrate to the AD Active Sync to newer releases: (ID-11363)
Export the existing AD Active Sync resource object to an xml file (either from the command line or debug pages).
Delete the existing resource (this will not affect Identity Manager users or resource account users)
Create a new AD resource that is Active Sync.
Export this new resource object to an XML file.
Edit this file and change the value of the id attribute and the value of the name attribute to match the values from the OLD resource object saved in step 1. These attributes are in the <Resource id='idnumber' name='AD' ...> tag.
Save the changes to the file.
Import the modified object back into Identity Manager using either the Configure->Import Exchange File page or the command line.
Updated the Other Custom Repository Objects section to include instructions for using Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in a deployment. (ID-14840)

Other Custom Repository Objects

Record the names of any other custom repository objects that you created or updated. You might have to export these objects from your current installation and then re-import them to the newer version of Identity Manager after upgrading.

Admin group
Admin role
Configuration
Policy
Provisioning task
Remedy configuration
Resource form
Resource form
Role
Rule
Task definition
Task template
User form

You can use Identity Manager’s SnapShot feature to create a baseline or “snap shot” of the customized repository objects in your deployment, which can be very useful when you are planning an upgrade.

SnapShot copies the following, specific object types from your system for comparison:

AdminGroup
AdminRole
Configuration
EmailTemplate
Policy
ProvisionTask
RemedyConfig
ResourceAction
Resourceform
Role
Rule
TaskDefinition
TaskTemplate
UserForm

You can then compare two snapshots to determine what changes have been made to certain system objects before and after upgrade.

Note	This feature is not intended for detailed, on-going XML diffs — it is only a minimal tool for “first-pass” comparisons.

To create a snapshot:

From the Identity Manager Debug page ( ), click the SnapShot button to view the SnapShot Management page.

Figure 1  SnapShot Management Page



Type a name for the snapshot in the Create text box, and then click the Create button.

When Identity Manager adds the snapshot, the snapshot’s name displays in the Compare menu list and to the right of the Export label.

To compare two snapshots:

Select the snapshots from each of the two Compare menus ( ).

Figure 2  SnapShot Management Page



Click the Compare button.
If there are no object changes, then the page indicates that no differences were found.
If object changes were found, then the page displays the object type and name, and whether an object is different, absent, or present.

For example, if an object is present in baseline_1, but is not present in baseline_2, then the baseline_1 column indicates Present and the baseline_2 column indicates Absent.

You can export a snapshot in XML format. Click the snapshot name to export the snapshot file.

To delete a snapshot, select the snapshot from the Delete menu, and then clicking the Delete button.

Added the following paragraph to the Modified JSPs section to include information about using the inventory -m command to identify modified JSPs in a deployment: (ID-14840)

You can use the inventory -m command (described on the previous page) to identify any JSP modifications made in your deployment.

If you are upgrading from a 6.x install to version 7.0 or 7.1, and you want to start using the new Identity Manager end-user pages, you must manually change the system configuration ui.web.user.showMenu to true for the horizontal navigation bar to display. (ID-14901)
If you are upgrading from 6.0 or 7.0 to version 7.1, and using LocalFiles, you must export all of your data before upgrading and then re-import the data after doing a clean installation of 7.1. (ID-15366)
Upgrading from 6.0 or 7.0 to version 7.1 requires a database schema upgrade. (ID-15392)
If you are upgrading from 6.0 to 7.1, you must use the upgradeto71.* script appropriate to the type of RDBMS you are using.
If you are upgrading from 7.0 to 7.1, you must use the upgradeto71from70.* script appropriate to the type of RDBMS you are using.
During the upgrade process, Identity Manager analyzes all roles on the system and then updates any missing subroles and super roles links using the RoleUpdater class. (ID-15734)

To check and upgrade roles outside of the upgrade process, import the new RoleUpdater configuration object that is provided in sample/forms/RoleUpdater.xml. For example:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
   <ImportCommand class='com.waveset.session.RoleUpdater' >
      <Map>
         <MapEntry key='verbose' value='true' />
         <MapEntry key='noupdate' value='false' />
         <MapEntry key='nofixsubrolelinks' value='false' />
   v</Map>
   </ImportCommand>
</Waveset>

Where:

verbose: Provides verbose output when updating roles. Specify false to enable a silent update of roles.
noupdate: Determines whether the roles are updated. Specify false to get a report that only lists which roles will be updated.
nofixsubrolelinks: Determines whether super roles are updated with missing subrole links. This value is set to false by default and links will be repaired.

If you have a space in the path to the Identity Manager installation directory, you must specify the WSHOME environment variable without double quotes ("), as shown in the following example (ID-15470):

Note	Do not use trailing slashes (\) when specifying the path, even if the path contains no spaces.

set WSHOME=c:\Program Files\Apache Group\Tomcat 5.5\idm

or

set WSHOME=c:\Progra~1\Apache~1\Tomcat~1\idm

The following path will not work:

set WSHOME="c:\Program Files\Apache Group\Tomcat 5.5\idm"

---

Identity Manager Administration Guide

This section provides new information and documentation corrections for Sun Java^™ System Identity Manager Administration.

Chapter 2, Getting Started with Identity Manager

The section titled, Forgotten User ID describes how to use the Forgot Your User ID? button on the Log In to Identity Manager page to retrieve a forgotten user ID. However, when upgrading from previous Identity Manager versions to version 7.1 Update 1, the Forgot Your User ID? feature is disabled by default. (ID-16715)

To enable this feature, you must modify the following attributes in the System Configuration object:

ui.web.user.disableForgotUserId = false

ui.web.admin.disableForgotUserId = false

Chapter 3, User and Account Management

In the section titled Disable Users (User Actions, Organization Actions), the note has been amended.:

Note	If an assigned resource does not have native support for account disabling, but does support password changes, then Identity Manager can be configured to disable user accounts on that resource through the assignment of new, randomly generated passwords. This configuration requires that you enable the resource Disable and Password account features by using the Identity System Parameters page in the Resource Wizard. See Chapter 4, Configuration, for more information.

In the section titled Enable Users (User Actions, Organization Actions), the note has been added:

Note	If an assigned resource does not have native support for account enabling, but does support password changes, then Identity Manager can be configured to enable user accounts on that resource through password resets. This configuration requires that you enable the resource Enable and Password account features by using the Identity System Parameters page in the Resource Wizard. See Chapter 4, Configuration, for more information.

In the section title User Authentication, a description of the authentication question policies has been added.

The authentication question policy determines what happens when a user clicks on the Forgot Password button on the login page or when accessing the Change My Answers page. The following table describes each option:

Table 2  Authentication Question Policy options  

Option	Description
Round Robin	Identity Manager selects the next question from the list of configured questions and assigns this question to the user. The first user is assigned the first question in the list of authentication questions, and the second user is assigned the second question. This pattern continues until the number of questions is exceeded. At that point, questions are assigned to users in sequential order. For example, if there are 10 questions, the 11th and 21st users are assigned the first question. The selected question is the only one that is displayed. If you want the user to answer a different question every time, use the Random policy and set the number of questions to 1. This option does not allow users to define their own authentication questions.
Random	This option allows the administrator to specify how many questions the user must answer. Identity Manager randomly selects and displays the specified number of questions from the list of questions defined in the policy as well as those the user has defined. The user must answer all questions displayed.
Any	Identity Manager displays all policy-defined and user-defined questions. You must specify how many questions the user must answer.
All	The user must answer all policy-defined and user-defined questions.

Chapter 5, Administration

In the section titled “Delegating Work Items,” the following note has been added.

Note	After setting up delegation, any work items created during the effective delegation period are added to your list and the delegate’s list. If you end delegation, then the delegated work items are recovered; this may result in duplicate work items. When you approve or reject one, then the duplicate is automatically removed from your list.

In the section titled “Managing Work Items,” the following information has been added.

           Delegations to Deleted Users

If you have delegated a work item to a user who is later deleted from Identity Manager, then the deleted user is indicated in the Current Delegations list in parentheses. If you subsequently edit or create a delegation that includes the deleted user, then the action fails. Additionally, any user create or update work items that are delegated to a deleted user will fail.

You can recover work items that are delegated to a deleted user by ending the delegation.

In the table titled Identity Manager Capabilities Descriptions, the End User Administrator capability has been added. Any user assigned this capability can view and modify the rights to object types specified in the End User capability, as well as the contents of the end User Controlled Organizations rule. By default, this capability is assigned to Configurator.
In the section titled “Scope of Control,” the following information should be added: (17187)

Identity Manager allows you to control which users are within an end user’s scope of control.

You can use the EndUserControlledOrganizations rule to define whatever logic is necessary to ensure the right set of users are available for delegating, based on your organizational needs.

If you want the scoped list of users to be the same for administrators, whether they are logged into the Administrator interface or the End User interface, you must change the EndUserControlledOrganizations rule as follows:

Modify the rule to first check whether the authenticating user is an administrator, and then configure the following:

If the user is not an administrator, return the set of organizations that should be controlled by an end user, such as the user’s own organization (for example, waveset.organization).
If the user is an administrator, do not return any organizations so the user only controls organizations that are assigned because that user is an administrator.

For example:

<Rule protectedFromDelete='true' authType='EndUserControlledOrganizationsRule' id='#ID#End User Controlled Organizations' name='End User Controlled Organizations'> <Comments> If the user logging in is not an Idm administrator, then return the organization that they are a member of. Otherwise, return null. </Comments> <cond> <and> <isnull><ref>waveset.adminRoles</ref></isnull> <isnull><ref>waveset.capabilities</ref></isnull> <isnull><ref>waveset.controlledOrganizations</ref></isnull> </and> <ref>waveset.organization</ref> </cond> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/> </MemberObjectGroups> </Rule>

The following information should be added to the “Understanding and Managing Capabilities” section. (ID-14630, 15614)

Identity Manager provides a built-in ObjectGroup/organization called End User that, initially, has no member objects. The End User ObjectGroup/organization is implicitly assigned to all users, and enables them to view several types of objects, including tasks, rules, roles, and resources.

Previously, when users logged into the End User interface, they were automatically granted rights to object types specified in the EndUser capability (such as AdminRole, EndUserConfig, and EndUserTask). Now when users log in to the End User interface, Identity Manager also automatically gives them control of the new EndUser ObjectGroup. In addition, Identity Manager evaluates a new, built-in End User Controlled Organizations rule. Any ObjectGroup/organization names returned by this rule will also be automatically controlled by the user logging into the End User interface.

The authenticating user's view is the input argument to the End User Controlled Organization rule. Identity Manager expects the rule to return one (a string) or more (a list) organizations which the user logging into the End User interface will control. A new End User Administrator capability was added that enables users to manage these new objects. Users who are assigned the End User Administrator capability can view and modify rights to object types specified in the EndUser capability and to the contents of the End User Controlled Organization rule.

The End User Administrator capability is assigned to Configurator by default. Any changes made to the list or to organizations returned by the evaluation of the End User Controlled Organization rule will not be reflected dynamically for logged in users. These users must log out and then log in again to see the changes.

If the End User Controlled Organization rule returns an invalid organization (for example, the organization that does not exist in Identity Manager), the problem will be logged in the System Log. You can correct the problem by logging into the Administrator user interface and fixing the rule.

The End User ObjectGroup/organization is a member of Top and cannot have child organizations. This ObjectGroup/organization is not displayed in the tree table on the Accounts tab of the Administrator user interface. However, when editing objects (such as Roles, AdminRoles, Resources, Policy, Tasks, and so forth), you can make any object available to the End User ObjectGroup/organization from the Administrator user interface.

Use this new best practice method (instead of using End User Tasks, End User Resources, System Configuration:EndUserAccess, and End User authTypes) to give end users access to Identity Manager configuration objects such as Roles, Resources, Tasks, and so forth. Although the End User Tasks, End User Resources, System Configuration:EndUserAccess, and End User authTypes methods will continue to be supported for backward compatibility.

Chapter 8, Task Templates

The following information should be added to this chapter, in the Configuring the Audit Tab section: (ID-16797)

The Audited Attribute Report can report attribute-level changes to Identity Manager users and accounts. However, standard audit logging does not generate enough audit log data to support a full query expression.

Standard audit logging does write the changed attributes to the acctAttrChanges field in the audit log, but the changed attributes are written in a way that the report query can only match records based on the changed attribute’s name. The report query cannot accurately match the attribute's value.

You can configure this report to match records containing changes to the attribute lastname, by specifying the following parameters:

Attribute Name = 'acctAttrChanges'

Condition = 'contains'

Value = 'lastname'

Note	Using Condition='contains' is necessary because of the way data is stored in the acctAttrChanges field. This field is not multi-valued. Essentially, it is a data structure that contains the before/after values of all changed attributes in the form attrname=value. Consequently, the preceding settings allow the report query to match any instances of lastname=xxx.

It is also possible to capture only those audit records that have a specific attribute with a specific value, but some additional configuration is required. Use the following instructions:

Open and log in to the Identity Manager Administrator interface:

http://server-name:port/idm

Select the Server Tasks tab.
Select the Configure Tasks tab.
Click the Update User Template task (for example).
Select the Audit tab.

You should see Audit Controls for the selected task, which performs auditing when a user update occurs.

Select the Audit entire workflow box to activate the workflow auditing feature.
Click the Add Attribute button (located in the Audit Attributes section) to select the attributes you want to record for reporting purposes.
When the Select an attribute menu displays in the Audit Attributes table, select an attribute from the list. (For example: Select user.global.email from the drop-down menu).
Click Save.
You must now enable the configuration as follows:
Select Server Tasks > Configure Tasks.
Click the Update User Template’s Enable button.
Do not change the default value in the Select Process Types list.

Performing this step actually causes the workflow engine to emit the necessary logging information.

Click Save again.

The workflow can now provide audit records that are suitable for matching both the attribute name and the value. Although turning on this level of auditing provides much more information, be aware that there is a significant performance cost and your workflows will run slower.

Chapter 11, Identity Auditing

The following information has been added to this chapter:

Continuous Compliance

The information in this section currently states that any provisioning operations performed on a user will cause user- and organization-assigned policies to be evaluated. This information should be corrected to read as follows: (ID-17416)

Continuous compliance means that an audit policy is applied to all provisioning operations, such that an account cannot be modified in a way that does not comply with current policy.

You enable continuous compliance by assigning an audit policy to an organization, a user, or both. Any provisioning operations performed on a user will cause the user-assigned policies to be evaluated. Any resulting policy failure will interrupt the provisioning operation.

Resolving Auditor Capabilities Limitations

By default, capabilities needed to perform auditing tasks are contained in the Top organization (object group). As a result, only those administrators who control Top can assign these capabilities to other administrators.

You can resolve this limitation by adding the capabilities to another organization. Identity Manager provides two utilities, located in the sample/scripts directory, to assist with this task.

Run the following command to list all capabilities (AdminGroups) and their associated organizations (object groups):

beanshell objectGroupUpdate.bsh -type AdminGroup -action list -csv

This command captures the output to a comma-separated value (CSV) file.

Edit the CSV file to adjust the capabilities organizational locations as desired.
Run this command to update Identity Manager.

beanshell objectGroupUpdate.bsh -data CSVFileName -action add -groups NewObjectGroup

Adding Rules

Added the following Note to this section (ID-16604, 16831):

Note	Identity Manager does not support the control of rule nesting. In addition, using the Audit Policy Wizard to create policies with Boolean expression nesting can produce unpredictable results. For complex Rule expressions, use an XML editor to create a separate XPRESS rule that references all of the rules you want to use.

Create the Rule Expression

Changed the Note in this section to read as follows (ID-16604, 16831):

Note	Identity Manager does not support the control of rule nesting. In addition, using the Audit Policy Wizard to create policies with Boolean expression nesting can produce unpredictable results. For complex Rule expressions, use an XML editor to create a separate XPRESS rule that references all of the rules you want to use.

Chapter 13, Service Provider Administrator

The section titled “Configure Synchronization” should state the default synchronization interval for Service Provider synchronization tasks defaults to 1 minute.

All Chapters

The release date noted in the chapter footers should be 7.1 not 7.0. (ID-16968)

---

Identity Manager Resources Reference

This section contains new information and documentation corrections for the Sun Java^™ System Identity Manager Resources Reference:

General

The Exchange 5.5 resource adapter is not supported. Ignore any references to this adapter.

Active Directory

The following information should be added to the Active Directory resource adapter documentation.

Specifying a Domain for Pass-Through Authentication

In a default configuration, pass-through authentication is accomplished by sending the user ID and password only. These two attributes are configured in the AuthnProperties element in the resource object’s XML as w2k_user and w2k_password. Without a domain specification, the gateway searches all known domains and tries to authenticate the user in the domain that contains the user.

In a trusted multi-domain environment, there can be two possible situations:

All domains contain a synchronized user/password combination
The user/password combination is domain dependent.

When the user/password combination is synchronized, configure your Active Directory resources so that they are common resources. See Identity Manager Administration for more information about setting up common resources.

If the user/password combination is domain-dependent, and if users can be expected to know the domain information, you can allow users to enter the domain information on the login screen. This option can be used in combination with common resources.

To allow the user to enter the domain on the login page, add the following property to the <AuthnProperties> element in the resource object's XML:

<AuthnProperty name='w2k_domain' displayName='Domain:' formFieldType='text' dataSource='user' doNotMap='true'/>

In an environment with multiple trusted domains and Active Directory forests, the authentication can fail using any of these configurations because the Global Catalog does not contain cross-forest information. If a user supplies a wrong password, it could also lead to account lockout in the user’s domain if the number of domains is greater than the lockout threshold.

User management across forests is only possible when multiple gateways, one for each forest, are deployed. In this case, you can configure the adapters to use a predefined domain for authentication per adapter without requiring the user to specify a domain. To accomplish this, add the following authentication property to the <AuthnProperties> element in the resource object’s XML:

<AuthnProperty name='w2k_domain' dataSource='resource attribute' value='MyDomainName'/>

Replace MyDomainName with the domain that will authenticate users.

Login failures will occur in domains if the user exists in the domain and the password is not synchronized.

It is not possible to use multiple data sources for the domain information in one Login Module Group.

Correction

In the Active Directory documentation, the “Managing ACL Lists” procedure of this guide contains the following step: (ID-16476)

3. Edit the user in Identity Manager and on the Edit User form.

Replace this sentence with the following:

3. Edit the user in Identity Manager on the Edit User form.

Database Table

In the Database Table adapter documentation, the example for the Last Fetched Predicate is invalid. It should be defined as follows:

lastMod > '$(lastmod)'

Flat File Active Sync

The Flat File Active Sync adapter discusses setting the sources.hosts property in the Waveset.properties file. This configuration should now be accomplished using synchronization policy.

Gateway Adapters

The Domino Gateway, Active Directory, Novell NetWare and other gateway adapters allow you to use the RA_HANGTIMEOUT resource attribute to specify a timeout value, in seconds. This attribute controls how long before a request to the gateway times out and is considered hung.

You must manually add this attribute to the Resource object as follows:

<ResourceAttribute name='Hang Timeout' displayName='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT' type='int' description='com.waveset.adapter.RAMessages:RESATTR_HANGTIMEOUT_HELP' value='NewValue'>
</ResourceAttribute>

The default value for this attribute is 0, indicating that Identity Manager will not check for a hung connection.

Mainframe Adapters

A step is missing in the Identity Manager Installation Notes section for the ACF2, Natural, RACF, RACF-LDAP, Scripted Host, and Top Secret adapters. Add the following step after step 3.

4. When the Attachmate libraries are installed into a WebSphere Application Server, add the property com.wrq.profile.dir=LibraryDirectory to the WebSphere/AppServer/configuration/config.ini file.

This allows the Attachmate code to find the licensing file.

Microsoft SQL Server

The following information should be added to the Usage Notes section:

Windows authentication mode for the SQL Server resource adapter can only be configured on the Microsoft SQL Server adapter if the Identity Manager server is running on a Windows machine that is included in the same Windows security/authentication framework as the SQL Server server instance.

The JDBC driver supports the use of Type 2 integrated authentication on Windows operating systems through the integratedSecurity connection string property. To use integrated authentication, copy the sqljdbc_auth.dll file to a directory on the Windows system path on the computer where the JDBC driver is installed.

The sqljdbc_auth.dll files are installed in the following location:

InstallationDirectory\sqljdbc_Version\Language\auth\

On a 32-bit processor, use the sqljdbc_auth.dll file in the x86 folder. On a 64-bit processor, use the sqljdbc_auth.dll file in the x64 folder.

For more information, see:

http://msdn2.microsoft.com/en-us/library/ms378428.aspx

NetWare

The NDS adapter has improved support for GroupWise:
The adapter can now manage post offices in secondary domains.
GroupWise users can subscribe to any known distribution list.
A post office can be deleted without specifying a “delete pattern”.
The NetWare adapter documentation incorrectly states that the Login Script, NRD:Registry Data, and NRD:Registry Index attributes are unsupported. These attributes are supported. (ID-16813)

Oracle

In the Oracle adapter documentation, the description for the oracleTempTSQuota account attribute should be as follows: (ID-12843)

The maximum amount of temporary tablespace the user can allocate. If the attribute appears in the schema map, the quota is always set on the temporary tablespace. If the attribute is removed from the schema map, no quota will be set on the temporary tablespace. The attribute must be removed for adapters that communicate with Oracle 10gR2 resources.

Oracle ERP

The Oracle ERP adapter now has an npw_number account attribute to support contingent workers. (ID-16507)

Resource User Attribute	Data Type	Description
npw_number	string	Contingent worker number. It represents an npw_number from the per_people_f table. When you enter a value on create, the adapter tries to lookup a user record in the per_people_f table, retrieve the person_id into the create API, and insert the person_id into the fnd_user table's employee_id column. If no npw_number is entered on create, no linking is attempted. If you enter an npw_number on create and that number is not found, then the adapter throws an exception. The adapter will try to return the npw_number on a getUser, if npw_number is in the adapter schema. Note: The employee_number attribute and npw_number attribute are mutually exclusive. If both are entered on create, employee_number takes precedence.

The Oracle ERP adapter supports Oracle E-Business Suite (EBS) version 12. It is no longer necessary to edit or comment out sections the OracleERPUserForm, depending on version of ERP installed as described in the Identity Manager Resources Reference. (16705, 16713)

The FormRef attribute now supports the following properties:

RESOURCE_NAME — Specifies the ERP resource name
VERSION - Specifies the version of the ERP resource. Allowed values are 11.5.9, 11.5.10, 12.
RESP_DESCR_COL_EXISTS — Defines whether the description column exists in the fnd_user_resp_groups_direct table. This property is required if Version is 11.5.10 or 12. Allows values are TRUE and FALSE.

These properties should be entered on wherever the user form is being referenced from. For example, the Tabbed User Form may need to be modified in a manner similar to the following to support Release 12.

<FormRef name='Oracle ERP User Form'>
   <Property name='RESOURCE_NAME' value='Oracle ERP R12'/>
   <Property name='VERSION' value='12'/>
   <Property name='RESP_DESCR_COL_EXISTS' value='TRUE'/>
</FormRef>

Remedy

You must place multiple Remedy API libraries in the directory where the Gateway is installed. These libraries can be found on the Remedy server.

Table 3  Remedy API Libraries

Remedy 4.x and 5.x	Remedy 6.3	Remedy 7.0
arapiXX.dll arrpcXX.dll arutlXX.dll where XX matches the version of Remedy. For example, arapi45.dll on Remedy 4.5.	arapi63.dll arrpc63.dll arutl63.dll icudt20.dll icuin20.dll icuuc20.dll	arapi70.dll arrpc70.dll arutl70.dll icudt32.dll icuin32.dll icuuc32.dll

SAP

General Notes

The note in step 1 in the Identity Manager Installation Notes procedure is unclear. The wording should be

Note	Make sure that the JCo toolkit you download matches the bit version of Java your application server runs on. For example, JCo is available in only in the 64-bit version on the Solaris x86 platform. Therefore, your application server must be running the 64-bit version on the Solaris x86 platform.

Renaming Accounts

The SAP adapter now supports renaming accounts. The adapter performs this function by copying an existing account to a new account and deleting the original. SAP discourages renaming accounts, but provides the option in the user management application (Transaction SU01 from the SAP GUI). Therefore, Identity Manager also supports the option. Be aware that SAP may not support the rename feature in future releases.

The SAP GUI uses a different method to perform the rename because it has access to non-public APIs and to the SAP kernel. The following steps provide a high-level description of how the adapter performs the rename operation:

Get the user information for the existing user.
Save the ALIAS attribute, if one exists.
Create the new user.
Set the Activity Groups on the new user. (If in CUA mode, get the old user's Activity Groups)
Set the Profiles on the new user. (If in CUA mode, get the old user's Profiles.)
Get the old user's Personalization Data.
Set the new user's Personalization Data.
Delete the old user.
Set the Alias on the new user if one was set on the old user.

If an error occurs during steps 1-3, the operation fails immediately. If an error occurs during steps 4-7, the new user is deleted and the whole operation fails. (If the new user cannot be deleted, a warning is placed into the WavesetResult). If an error occurs during steps 8-9, a warning is added to the WavesetResult, but the operation succeeds.

The Rename operation requires that a new password be set on the new user. This is most easily accomplished by customizing the Rename User Task to invoke the Change User Password Task.

Sun Java System Access Manager

The procedure described in the “Policy Agent” section in the Sun Java System Access Manager documentation is outdated. Use the following procedure instead.
From the Identity Manager Administrator Interface menu bar, select Security.
Click the Login tab.
Click the Manage Login Module Groups button, located at the bottom of the page.
Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.
In the Assign Login Module select box, select Sun Access Manager Login Module or Sun Access Manager Realm Login Module.
When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
Specify Sun Access Manager Login Module as the first resource in the module group, and then click Save.
A step is missing in the procedure listed under the heading “Sun Java System Access Manager Realm Resource Adapter. After you have copied the amclientsdk.jar file to the InstallDir/WEB-INF/lib directory (step 4), you must restart Identity Manager’s application server.
References to Policy Agent 2.1 should be changed to Policy Agent 2.2.

Sun Java System Access Manager Realm

The Identity Manager Resources Reference contains outdated links. Use the following links instead:

Policy agent downloads: http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Policy agent documentation: http://docs.sun.com/app/docs/coll/1322.1

In the Installation Notes section, the procedure for configuring the Sun Java System Access Manager Realm Resource Adapter has been updated as follows:

Follow the instructions provided in the Sun Java^™ System Access Manager 7 2005Q4 Developer's Guide to build the client SDK from the Sun Access Manager installation.
Extract the AMConfig.properties and amclientsdk.jar files from the war file that is produced.
Put a copy of the AMConfig.properties in the following directory:

InstallDir/WEB-INF/classes

Place a copy of amclientsdk.jar in the following directory:

InstallDir/WEB-INF/lib

Add the amclientsdk.jar file to the server class path.
Restart the Identity Manager application server.
After copying the files, you must add the Sun Java System Access Manager Realm resource to the Identity Manager resources list. Add the following value in the Custom Resources section of the Configure Managed Resources page.

com.waveset.adapter.SunAccessManagerRealmResourceAdapter

The procedure described in the “Policy Agent” section is outdated. Use the following procedure instead.

From the Identity Manager Administrator Interface menu bar, select Security.
Click the Login tab.
Click the Manage Login Module Groups button, located at the bottom of the page.
Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.
In the Assign Login Module select box, select Sun Access Manager Login Module or Sun Access Manager Realm Login Module.
When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
Specify Sun Access Manager Realm Login Module as the first resource in the module group, and then click Save.

UNIX Adapters

The documentation for the AIX, HPUX, Solaris, and Linux adapters previously stated that if you are using sudo, the NOPASSWORD option must be specified for each command the adapter uses. This is incorrect.

Synchronizing LDAP Passwords

Identity Manager now supports LDAP password synchronization Directory Server 5.2 SP5 and later. The Configure Password Synchronization page contains a new field, Directory Server version, which allows you to specify whether your Directory Server instance is 5.2 P4 or earlier, or 5.2 P5 or later.

Note the following documentation changes:

In the procedure “Step 2: Enable Password Synchronization Features”, a new numbered step should be added between steps 6 and 7 that states you must select an option from the Directory Server version pull-down menu.
The section titled “Installing the Password Capture Plugin” should be re-titled to “Installing and Configuring the Password Capture Plugin.” The first sentence in the first note in that section should end with “then the plugin must be installed and configured on each master replica.”

Step 2 in this section should begin “For Directory Server version 5.2 P4 or earlier only, place the plugin binary (idm-plugin.so) on the host where the Directory Server is running.”

The following paragraph and note should be added to the end of the “Installing and Configuring the Password Capture Plugin” section:

After the Password Capture plugin is enabled, clients must have the MODIFY right to both the userPassword and the idmpasswd attribute to make password changes. Adjust the access control information settings in your directory tree accordingly. This is usually necessary if administrators other than the directory manager have the ability to update the password of other users.

Note	Directory Server must be restarted whenever you make changes to the plugin configuration.

---

Identity Manager Technical Deployment Overview

This section contains new information and documentation corrections for Sun Java^™ System Identity Manager Technical Deployment Overview:

You can use CSS to set column widths in the User list and Resource list tables to a fixed pixel or percentage value. To do so, add the following style classes (commented out by default) to customStyle.css. You can then edit the values to meet the user's requirements.

th#UserListTreeContent_Col0 {
  width: 1px;
}

th#UserListTreeContent_Col1 {
  width: 1px;
}

th#UserListTreeContent_Col2 {
  width: 50%;
}

th#UserListTreeContent_Col3 {
  width: 50%;
}

th#ResourceListTreeContent_Col0 {
  width: 1px;
}

th#ResourceListTreeContent_Col1 {
  width: 1px;
}

th#ResourceListTreeContent_Col2 {
  width: 33%;
}

th#ResourceListTreeContent_Col3 {
  width: 33%;
}

th#ResourceListTreeContent_Col4 {
  width: 33%;
}

You can also resize table columns by clicking and dragging the right border of the column header. If you mouse over the right border of the column header, the cursor will change to a horizontal resize arrow. Left-click and drag the cursor will resize the column. (Resizing ends when you release the mouse button.)

Customers who want to use custom JavaScript functions specifically in the end user navigation bar (tabs) must reference that form using endUserNavigation. For example, document.forms['endUserNavigation'].elements. (ID-13769)
The System Configuration object now contains the security.delegation.historyLength attribute, which controls the number of previous delegations that are recorded.
The Access Review Dashboard and Access Review Detail Report both show instances of reviews that are recorded in the audit logs. Without database maintenance, the audit logs are never trimmed, and the list of reviews grows. Identity Manager provides the ability to limit the reviews shown to a certain age range. To change this limit, you must customize compliance/dashboard.jsp (for the dashboard) and sample/auditortasks.xml (for the Details report). (The default is to show only reviews that are less than 2 years old.)

To restrict the reviews included in the Access Review Dashboard, customize compliance/dashboard.jsp as follows:

Open compliance/dashboard.jsp in either the Identity Manager IDE or editor of your choice:
Change the line: form.setOption("maxAge", "2y"); to form.setOption("maxAge", "6M"); to limit the list to reviews run in the last 6 months. The qualifiers are:
m - minute
h - hour
d - day
w - week
M - month
y - year

To show all reviews that still exist in the audit logs, comment out this line.

To restrict the reviews included in the Access Review Detail Report,

Open sample/auditortasks.xml in either the IDE or editor of your choice.
Change the following line as indicated:

<s>maxAge</s>
  <s>2y</s>

to

<s>maxAge</s>
  <s>6M</s>

to limit reviews to the last 6 months. The same qualifiers as above apply.

Each Periodic Access Review includes a set of UserEntitlement records that were created when the review was run. These records, which accumulate over time, provide valuable historical information about accounts. However, to conserve database space, consider deleting some records. You can delete a record by executing Server Task > Run Task > Delete Access Review. Deleting a review adds new audit log entries that indicate the review is deleted, and deletes all UserEntitlement records associated with the review, which conserves database space.

In the section “Changing Background Image on the Login Page”, the third line of code should read:

url(../images/other/login-backimage2.jpg)

Code Example 5-5 contains information that should appear in Code Example 5-4.
Code Example 5-4 should be as follows:

Code Example 5-4  Customizing Navigation Tabs  

/* LEVEL 1 TABS */ .TabLvl1Div {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#333366;   padding:6px 10px 0px; } a.TabLvl1Lnk:link, a.TabLvl1Lnk:visited {   display:block;   padding:4px 10px 3px;   font: bold 0.95em sans-serif;   color:#FFF;   text-decoration:none;   text-align:center; } table.TabLvl1Tbl td {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left top;   background-color:#666699;   border:solid 1px #aba1b5; } table.TabLvl1Tbl td.TabLvl1TblSelTd {   background-color:#9999CC;   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   border-bottom:none; } /* LEVEL 2 TABS */ .TabLvl2Div {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#9999CC;   padding:6px 0px 0px 10px } a.TabLvl2Lnk:link, a.TabLvl2Lnk:visited{   display:block;   padding:3px 6px 2px;   font: 0.8em sans-serif;   color:#333;   text-decoration:none;   text-align:center; } table.TabLvl2Tbl div.TabLvl2SelTxt {   display:block;   padding:3px 6px 2px;   font: 0.8em sans-serif;   color:#333;   font-weight:normal;   text-align:center; } table.TabLvl2Tbl td {   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left top;   background-color:#CCCCFF;   border:solid 1px #aba1b5; } table.TabLvl2Tbl td.TabLvl2TblSelTd {   border-bottom:none;   background-image:url(../images/other/dot.gif);   background-repeat:repeat-x;   background-position:left bottom;   background-color:#FFF;   border-left:solid 1px #aba1b5;   border-right:solid 1px #aba1b5;   border-top:solid 1px #aba1b5;

Code Example 5.5 should be as follows:

Code Example 5-5  Changing Tab Panel Tabs

table.Tab2TblNew td {background-image:url(../images/other/dot.gif);background-repeat:repeat-x;background-positi on:left top;background-color:#CCCCFF;border:solid 1px #8f989f} table.Tab2TblNew td.Tab2TblSelTd {border-bottom:none;background-image:url(../images/other/dot.gif);background-repeat:repeat- x;background-position:left bottom;background-color:#FFF;border-left:solid 1px #8f989f;border-right:solid 1px #8f989f;border-top:solid 1px #8f989f}

In the Identity Manager End User Interface, the horizontal navigation bar is driven by the End User Navigation UserForm in enduser.xml. (ID-12415)

userHeader.jsp, which is included in all the end user pages, includes another JSP named menuStart.jsp. This JSP accesses two system configuration objects:

ui.web.user.showMenu - Toggles the display of the navigation menu on/off (default: true)
ui.web.user.menuLayout - Determines whether the menu is rendered as horizontal navigation bar with tabs (the default: horizontal) or a vertical tree menu (vertical)

The CSS style classes that determine how the menu is rendered are in style.css.

Identity Manager now calls the Lighthouse account the Identity Manager account. You can override this name change through the use of a custom catalog. (ID-14918) See Enabling Internationalization in Identity Manager Technical Deployment Overview for information on custom catalogs.

The following catalog entries control the display of the product name:

PRODUCT_NAME=Identity Manager

LIGHTHOUSE_DISPLAY_NAME=[PRODUCT_NAME]

LIGHTHOUSE_TYPE_DISPLAY_NAME=[PRODUCT_NAME]

LIGHTHOUSE_DEFAULT_POLICY=Default [PRODUCT_NAME] Account Policy

Identity Manager now provides a new configuration object (WorkItemTypes configuration object) that specifies all supported work item type names, extensions, and display names. (ID-15468) This configuration object is defined in sample/workItemTypes.xml, which is imported by init.xml and update.xml.

The extends attribute allows for a hierarchy of work item types (workItem Types). When Identity Manager creates a work item, it delegates the work item to the specified users if its workItem type is:

the type delegated
one of the subordinate workItem types of the type being delegated.

workItem Type	Description	Display Name
Approval	extends WorkItem	Approval
OrganizationApproval	extends Approval	Organization Approval
ResourceApproval	extends Approval	Resource Approval
RoleApproval	extends Approval	Role Approval
Attestation	WorkItem	Access Review Attestation
review	WorkItem	Remediation
accessReviewRemediation	WorkItem	Access

The code sample included in the section titled “Changing Masthead Appearance” incorrectly lists the first line as “MstDiv”. This line should read “.MstDiv”. (ID-16072)
The section titled Customizing the Browser bar has been revised as follows: (ID-16073)

You can now replace the product name string in the browser title bar with a localizable string of your choice.

Import the following XML file:

Code Example 1  XML to Import

<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE Configuration PUBLIC 'waveset.dtd' 'waveset.dtd'> <Configuration name='AltMsgCatalog'> <Extension> <CustomCatalog id='AltMsgCatalog' enabled='true'> <MessageSet language='en' country='US'> <Msg id='UI_BROWSER_TITLE_PROD_NAME_OVERRIDE'>Override Name</Msg>     </MessageSet> </CustomCatalog> </Configuration> </Extension>

Using the Identity Manager IDE, load the System Configuration object for editing. Add a new top-level attribute:

Name = customMessageCatalog

Type = string

Value = AltMsgCatalog

Open the ui.web Generic Object and look for the browserTitleProdNameOverride attribute. Set this value to true.
Save this change to the System Configuration object, and restart your application server.
By default, Identity Manager’s anonymous enrollment processing generates values for accountId and emailAddress by using user-supplied first (firstName) and last names (lastName) as well as employeeId. (ID-16131)

Because anonymous enrollment processing can result in the inclusion of non-ASCII characters in email addresses and account IDs, international users should modify EndUserRuleLibrary rules so that Identity Manager maintains ASCII account IDs and email addresses during anonymous enrollment processing.

To maintain account ID and email address values in ASCII during anonymous enrollment processing, follow these two steps:

Edit the following three rules within the EndUserRuleLibrary as indicated below:

Edit this rule	To make this change...
getAccountId	To use employeeId only (and remove firstName and lastName)
getEmailAddress	To use employeeId only (remove firstName, lastName, and ".")
verifyFirstname	To change length check from 2 to 1 to allow for single character Asian first names

Edit the End User Anon Enrollment Completion form to remove the firstName and lastName arguments from calls to the getAccountId and getEmailAddress rules.
The discussion of how to customize the login pages in Chapter 5 “Private Labeling of Identity Manager” should include the following information about message keys. (ID-16702)

JSP or Identity Manager Component	Interface Affected	Message Key
Login Page TITLE	Administrator and User	UI_LOGIN_TITLE_TO_RESOURCE UI_LOGIN_CHALLENGE
Login Page SUBTITLE	Administrator and User	Select a key depending on the login mode: Forgot Password, Forgot User ID, Login Challenge. UI_LOGIN_WELCOME3 UI_LOGIN_WELCOME4 UI_LOGIN_WELCOME5 UI_LOGIN_WELCOME6 UI_LOGIN_CHALLENGE_INFO
staticLogout.jsp and user/staticUserLogout.jsp	Administrator and User	UI_LOGIN_TITLE
continueLogin.jsp	Administrator	UI_LOGIN_IN_PROGRESS_TITLE UI_LOGIN_WELCOME

The following keys are no longer used:

UI_LOGIN_TITLE_LONG
UI_LOGIN_WELCOME2.

---

Identity Manager Workflows, Forms, and Views

This section contains new information and documentation corrections for Sun Java^™ System Identity Manager Workflows, Forms, and Views.

You can turn off policy checking in your user form by adding the following field to the form: (ID-13346)

<Field name='viewOptions.CallViewValidators'>   <Display class='Hidden'/>     <Expansion>         <s>false</s>     </Expansion> </Field>

This field overrides the value in the OP_CALL_VIEW_VALIDATORS field of modify.jsp.

The Identity Manager User Interface pages include a second XPRESS form that implements the navigation bar. As a result, the rendered page contains two <FORM> tags, each with a different name attribute:

<form name="endUserNavigation"> and <form name="mainform">

To avoid potential confusion between these two <FORM> elements, make sure you use the name attribute as follows to distinguish which <FORM> you are referencing: document.mainform or document.endUserNavigation.

Chapter 1, Identity Manager Workflow

Identity Manager provides the following new sample Access Review workflow in /sample/workflows. (ID-15393)

Test Auto Attestation

Use to test new Review Determination rules without creating Attestation work items. This workflow does not create any work items, and simply terminates shortly after it starts. It leaves all User Entitlement objects in the same state that they were created in by the access scan. Use the Terminate and Delete options to clean up the results from access scans run with this workflow.

You can import this stub workflow as needed. (Identity Manager does not import it automatically.)