
An Introduction to Novell Nsure Secure Identity Management (SIM)


01 May 2003


Excerpted from the "Secure Identity Management Overview" Course from DeveloperNet University

http://developer.novell.com/education

This AppNote provides an introduction to Novell Nsure, Novell's family of Secure Identity Management (SIM) solutions. It provides an overview of Nsure and its solution components, describes the use of Novell Nsure Resources to build a workable employee provisioning scenario, and recommends a phased approach to the deployment of such a system in your organization.

This AppNote is excerpted from a DeveloperNet University (DNU) online course entitled, "Secure Identity Management Overview." If you are interested in learning more by taking this course and others offered through DNU, visit http://developer.novell.com/education.


Topics

Nsure, secure identity management (SIM), employee provisioning, network security

Products

Novell Nsure

Audience

network administrators, designers, developers

Level

beginning

Prerequisite Skills

familiarity with network security concepts

Operating System

n/a

Tools

none

Sample Code

no

Introduction

Novell recently introduced four new business units called Nterprise, Nsure, exteNd, and Ngage. (If you would like more information on these solution areas, see http://www.novell.com/solutions). This AppNote focuses on Nsure, whose focus is secure identity management, or "SIM" for short.

SIM addresses a key business problem that CIOs face today: how do you cost-effectively deliver real-time, role-based resources to your distributed workforce, partners, and customers from any location, wired or wireless, while keeping your systems safe? Developing solutions with Novell Nsure gives your organization the flexibility and agility it needs to keep pace with a dynamic, service-oriented system environment.

Novell provides several Nsure solution components which are aimed at fulfilling the mission of SIM. They are described briefly below:

  • eDirectory is the directory service that stores identities and policies and underpins the other Nsure components. It lets you build and maintain secure, highly customized e-business relationships while leveraging your existing technology.

  • DirXML is a bidirectional data sharing service that leverages eDirectory to distribute new and updated information across directories, databases, and critical applications on the network and across firewalls to partner systems.

  • iChain provides identity-based Web security services that control access to application and network resources across technical and organizational boundaries.

  • Nsure UDDI Server provides visibility of Web Services for enterprise developers and contains Web Service description metadata published by departments or groups within the organization.

  • Novell Nsure Resources is a platform-independent, packaged solution that helps you automate the process of granting or revoking employee access to business resources. Once installed, tested, and customized, this solution dramatically reduces administrative costs, tightens security, and increases user productivity.

  • SecureLogin is a directory-integrated authentication solution that delivers reliable, single sign-on access across your multi-platform network.

  • Novell Account Management is a powerful, directory-enabled solution that you can use to manage your mixed-platform network as a unified whole.

  • Novell Modular Authentication Service (NMAS) Enterprise Edition provides a single point of administration for managing, grading, and deploying biometric and non-biometric authentication methods across your enterprise.

  • Secure Access Suite includes access and security products that simplify, secure, and accelerate user-identity management and extend those capabilities to applications, platforms, databases, and network resources.

  • BorderManager is a directory-integrated access and security solution that enables you to control, accelerate, and monitor your users' Internet activities.

In addition to these products, SIM leverages industry standards and technologies, including the following:

  • Lightweight Directory Access Protocol (LDAP) enjoys broad industry acceptance as the protocol for deploying directory-based applications and solutions.

  • Extensible Markup Language (XML) is a universal syntax for describing and structuring data. XML can be used to define unlimited languages for specific industries and applications.

Nsure Overview

Novell Nsure is all about getting the right information to the right people. Every decision you make about giving people access to your business, and every effort you make to deliver services or content to people, is based on identity. You can't deliver resources to people or effectively control access to those resources unless you know who they are, how they relate to your business, and what they need from you.

Novell Nsure places a robust identity and access management foundation at the heart of your IT infrastructure. This foundation unifies identity information and policies across all the different systems in your organization. It safeguards your resources from intruders. And it allows you to present your customers, partners, and employees with a dynamic combination of information, resources, and processes, all based on their relationship with your business.

With Nsure, you can give new employees fast, automatic access to everything they need to be totally productive on their first day. You can grant people inside and outside of your organization safe, controlled access to your corporate resources, and build more productive, personalized relationships with everyone who matters to your business. You can allow customers and partners to create and change their own profiles and preferences. And you can develop password management solutions that allow people to access all the information they need, across many different systems, using a single username and password.

Novell Nsure delivers all these capabilities without disrupting your existing systems or forcing you to change the way you do business. Every Nsure component is designed to plug into and work flawlessly with the technology you already have in place.

This flexible, modular approach means you can add new capabilities that match your business requirements and meet your most pressing identity management needs. But no matter where you start, you'll always be creating a flexible, secure foundation that makes it easy to add new capabilities later.

Novell Nsure solutions can combine a number of Novell and partner technologies and services to address the business challenges that your organization is facing.

Putting Nsure Together for Your Company

Managing user identity information on information technology (IT) systems consumes substantial staff time and costs a lot of money. Whenever a new employee is hired, or when a current employee changes jobs or terminates employment, the IT staff has to grant, modify, or revoke that person's access privileges to IT resources. This task usually involves entering, modifying, or deleting user information separately in multiple systems: e-mail systems, business applications, databases, directories, and more. That takes time. Yet, time is of the essence because delays in adding accounts for new employees cause productivity lags, while delays in deleting accounts of terminated employees can create serious security issues. Moreover, delays can result in inconsistent, obsolete, and even inaccurate information.

What's required is a user identity management solution that minimizes the delays by automating the processes of managing user identities and controlling access to resources across the network. Such a solution should automatically grant, modify or revoke access to IT resources immediately, whenever employees are added, change job status or terminate their employment. The solution should also automatically propagate any changes in user information made anywhere in the network to all other systems that share that information, ensuring accuracy and consistency across all systems.

Deploying such a system is not a trivial task. It involves interfacing with many disparate systems, from human resources (HR) and messaging systems to account and directory systems. It requires ensuring that a change made in any one system is immediately propagated to all other affected systems. For example, if an employee promotion is entered into the HR system, the user identity management system should not only propagate the new job level information but also modify the user's access privileges accordingly in messaging systems, network directories, account systems, and all other affected systems.

Deploying an identity management solution requires obtaining the buy-in of different departments, many of which want to maintain their autonomy and authority. That's why the solution should maintain authoritative data sources. The HR system, for example, may be the authoritative source for all employee additions, modifications, and deletions, while the e-mail system is the authoritative source for all e-mail addresses. That means employee additions, modifications, and deletions can be made only in the HR system, and e-mail addresses can be created and changed only in the e-mail system.

Novell Nsure Resources

Novell Nsure Resources provides an effective first step in the deployment of just such an identity management solution. Nsure Resources is a preconfigured packaging of Novell DirXML technology intended for organizations that want to implement an identity management infrastructure. With Nsure Resources, an organization can quickly create a laboratory system that can be used to demonstrate and study user identity management concepts.

The Nsure Resources package includes preconfigured DirXML drivers that tie together popular HR, messaging, account, and directory systems to provide basic employee provisioning functionality as well as synchronization of user identity information across the systems.

Three major characteristics distinguish Novell Nsure Resources from other user identity management systems:

  • Standards based. Nsure Resources is based on Extensible Markup Language (XML), which facilitates data sharing with other systems.

  • Attribute level distributed authority. Nsure Resources permits the organization to maintain authoritative data sources for user identity information in different systems. For example, most additions and modifications to employee information must be initiated in the HR system. E-mail address additions and modifications must be initiated in the messaging system. Employees can modify some personal information such as cell phone and home phone numbers.

  • Real-time bidirectional information sharing. Nsure Resources propagates, in real time, changes made to user identity data in one system to all other systems that share that data. When an employee e-mail address is changed in the messaging system, for example, the address is immediately changed in the HR system and account systems or directories.

Architecture Overview

Nsure Resources consists of the following major infrastructure components:

  • Workforce Tree. A tree created in Novell eDirectory that can be installed on a Novell NetWare, Windows NT/2000, Linux, or Solaris server.

  • Novell DirXML Engine. Installed on the same server as the Workforce Tree.

  • Novell DirXML Drivers. Installed on the HR client system, messaging system, and account and directory systems included in the lab setup.

  • Novell DirXML Remote Loader Service. Installed on the HR client system, messaging system, and account and directory services machines included in the lab setup.

Other components include:

  • Novell iManager installed on the Web server

  • Novell eGuide installed on the Web server

Figure 1 shows how these components of Novell Nsure Resources are deployed in a typical setup.

Figure 1: The deployment of Nsure Resources components in a typical setup.

Nsure Resources Components

The Nsure Resources components are described individually in the following sections.

Workforce Tree. The Workforce Tree, created in Novell eDirectory, is the heart of the system. It is also the reference point for Novell iManager and Novell eGuide. The Workforce Tree is created during installation and setup of Nsure Resources. Nsure Resources maintains a user identity repository in the Workforce Tree that can be used by all participating systems. All other systems included in the laboratory environment either publish information to or receive information from the Workforce Tree via the DirXML Engine.

The Workforce Tree is built on a flat structure consisting primarily of two containers, a Services container and a Users container. Both containers are created during installation and setup. The Services container contains a DirXML Driver object that is also created during Nsure Resources setup. The Users container contains an Active container that represents users whose accounts are active, and an Inactive container that represents users whose accounts have been disabled.

DirXML Engine. The DirXML engine is the data-sharing service that controls the synchronization of information between Novell eDirectory and the connected applications according to the policies specified in the DirXML driver configurations. By extension, the DirXML engine also controls the synchronization of information between the connected applications, with Novell eDirectory acting as a hub between these applications. The DirXML engine and DirXML drivers share data bi-directionally over two channels: a Publisher Channel that carries changes from the connected application into the Workforce Tree, and a Subscriber Channel that carries changes from the Workforce Tree out to the connected application.

DirXML Drivers. Nsure Resources includes DirXML drivers for popular HR systems, messaging systems, and directories and account systems. Nsure Resources also includes prebuilt configuration files for the drivers that specify a set of default policies and processes for data sharing and provisioning through each driver's Publisher Channel and Subscriber Channel. The drivers communicate with the DirXML Engine installed on the Workforce Tree through the DirXML Remote Loader Service.

DirXML Remote Loader Service. The DirXML Remote Loader Service enables communication between the DirXML Engine running on one computer and a DirXML driver running on another computer on which the DirXML Remote Loader Service is installed. In the Nsure Resources laboratory configuration, the DirXML Engine and Workforce Tree run on the same server. The HR, messaging, directory, and account services applications and their respective DirXML drivers and DirXML Remote Loader Service run on other servers.

Novell iManager. Novell iManager is a browser-based tool for managing Novell eDirectory. Novell Nsure Resources includes a set of DirXML tasks for iManager that are used to set up and manage all aspects of Nsure Resources.

Novell eGuide. Novell eGuide is a Web application that enables users to conduct browser-based searches for user information, including e-mail addresses, fax numbers, telephone numbers, and names, from the Workforce Tree. Users can also use Novell eGuide to update the details of their own accounts depending on which user identity attributes have been configured to permit user update.

System Environment

The Nsure Resources environment can include:

  • One HR system, either PeopleSoft or SAP

  • One messaging system, either Microsoft Exchange, Lotus Notes, or Novell GroupWise

  • One or more account systems and directories, including Windows NT, Microsoft Active Directory, and Novell eDirectory

Nsure Resources includes a set of preconfigured DirXML drivers for each of these systems to facilitate setup. To develop the configurations, Novell engineers examined the configurations of a number of customers who had already successfully implemented provisioning systems. Using this information, they configured the drivers to create a sample environment that ties together the HR, messaging, and account and directory systems to provide basic employee provisioning functionality as well as synchronization of user identity information across the systems.

Nsure Resources automates the propagation of data additions and modifications from the authoritative identity information sources to the other systems in the environment. All systems included in the laboratory environment either publish identity data to or receive data from the Workforce Tree repository via the DirXML Engine. DirXML brokers the exchange of data held in the Workforce Tree through preconfigured rules and style sheets that support the default business policies and processes.

Default Configuration

The HR system is the default authoritative source for most identity information. As a result, the HR system drives most data exchanges, that is, most of the identity data is created or modified in the HR system and is published to the Workforce Tree repository where other systems can subscribe to it.

For some identity data, systems other than the HR system are the default authoritative sources. E-mail address attribute changes, for example, are generated and owned by the messaging system, and some data, such as the home phone and pager number attribute, may be updated by the users themselves through Novell eGuide. The data that is created or modified in these other systems is also published to the Workforce Tree where it can be consumed by other applications.

The Nsure Resources default configuration includes a basic provisioning process in which Nsure Resources automatically creates, modifies, and disables user accounts in all required systems immediately, in response to a single action in the HR system. Data modification in the HR system sets processes in motion that trigger the automatic creation or modification of the digital identity of an individual in all appropriate systems in the lab environment. The processes that are initiated, the tasks that are performed in each process and the order in which the processes are performed are specified by the preconfigured design of Nsure Resources.

Employee Provisioning Example

The following example illustrates the default automatic employee provisioning process for a specific setup that includes PeopleSoft, NT, and Exchange 5.5. (Setups that use the other supported HR, messaging, and account and directory systems could also be created and would operate in a similar manner.)

  1. When an employee is hired, an HR specialist enters the new employee data in the PeopleSoft system.

  2. The PeopleSoft system records this event in its transaction table.

  3. The PeopleSoft DirXML driver's Publisher Channel periodically accesses the transaction table by way of Component Interface (CI) objects, which are part of the PeopleSoft Service Agent (PSA). (The PSA is a collection of software processes and components that run on the PeopleSoft database server and define which PeopleSoft data is made available for synchronization with the Workforce Tree, and how. The PSA is included with Nsure Resources and installed along with the PeopleSoft DirXML driver.)

  4. Based on the information it finds in the transaction table, the PeopleSoft DirXML driver publishes the new data to the Workforce Tree as follows:

    1. It constructs an XML document and passes it to the DirXML engine for processing.

    2. It derives additional data from the PeopleSoft database, such as the employee's manager and direct reports, and adds it to the user object's attributes to be published in the Workforce Tree.

  5. To process the newly received XML document, the DirXML Engine consults the Matching and Create rules as well as other defined policies associated with the PeopleSoft DirXML driver's Publisher Channel.

    1. The Matching rule determines whether this user already exists in the Workforce Tree.

    2. The Create rule dictates the attributes for which the engine needs information before it can create a User object, and specifies the naming policy the engine should use to name this User object. Other defined policies provide guidelines for transforming data or object names between PeopleSoft and the eDirectory Workforce Tree.

    3. The Placement rule dictates that this new User object be placed in the Active container within the Users container.

  6. The DirXML Engine notifies the NT Domain DirXML driver of the addition via that driver's Subscriber Channel. In response, the NT Domain DirXML Driver creates an NT Domain account.

  7. When the NT account is created, the NT Domain DirXML Driver updates the Preferred Name attribute for the user in the Workforce Tree with the NT Account Name via its Publisher Channel.

  8. This update triggers the Exchange DirXML driver to initiate the creation of an e-mail account in Exchange.

  9. Exchange creates an e-mail account and e-mail ID.

  10. The Exchange DirXML driver then publishes the e-mail ID back to the Workforce Tree.

  11. The PeopleSoft DirXML driver subscribes to the Workforce Tree attribute for e-mail and updates this field in the PeopleSoft database.

Data Synchronization Examples

The following examples illustrate how Novell Nsure Resources synchronizes user identity information.

First is the case of an e-mail address change:

  1. The administrator changes a user's e-mail address in Exchange.

  2. The Exchange DirXML driver publishes the new e-mail address back to the Workforce Tree.

  3. The PeopleSoft DirXML driver subscribes to the Workforce Tree attribute for e-mail address and updates this field in the PeopleSoft database.

The second is the case of an employee-initiated change:

  1. Using Novell eGuide, an employee changes her home telephone number in the Workforce Tree.

  2. The PeopleSoft DirXML driver subscribes to the Workforce Tree attribute for home telephone number and updates this field in the PeopleSoft database.

Novell DirXML: The Heart of It All

Novell DirXML provides the foundation for Novell Nsure Resources. DirXML is Novell's data-sharing software that enables bidirectional real-time information exchange between network applications, directories, and databases. DirXML leverages the XML standard to enable integration among multiple systems.

Nsure Resources includes a set of configuration files containing default policies that can be imported into the Nsure Resources environment. These include DirXML drivers for the popular HR systems, messaging systems, account systems, and directories listed below:

  • PeopleSoft (PeopleTools 7.5x and 8.1x)

  • SAP HR 4.6c or later

  • Microsoft Exchange 5.5

  • Active Directory with Exchange 2000

  • Novell GroupWise versions 5.5, 6.0, and 6.1

  • Lotus Notes R5

  • Novell eDirectory 8.62 and 8.7

  • Microsoft Active Directory

  • Microsoft Windows NT 4

The Driver objects representing these preconfigured DirXML drivers store additional objects that represent DirXML Rules and Filters that together comprise the business logic underlying the Nsure Resources default policies and processes for managing user identities. The rules are written in either XML or XSLT (Extensible Stylesheet Language Transformations) format.

Novell DirXML consults the Filters and Rules objects associated with a DirXML driver's Publisher Channel and Subscriber Channel to determine such things as which modified user information is allowed to synchronize across which systems, how and when to create and disable user accounts, and how to format information to suit the system receiving the information.

Filters dictate what information can pass between the Workforce Tree and the other systems over a DirXML driver's Publisher or Subscriber Channel. Filters are used to establish which systems are the authoritative sources for various identity data attributes. For example, default filters on the PeopleSoft (or SAP) DirXML driver's Publisher Channel ensure that changes to most user account attributes (including Last Name, First Name, Middle Name, Manager, and Address) flow only from PeopleSoft (or SAP) to the Workforce Tree. This establishes the HR application as the authoritative source for most user identity information. Filters on the PeopleSoft (or SAP) DirXML driver's Subscriber Channel allow information for other attributes (far fewer) to flow from the Workforce Tree to PeopleSoft (or SAP).

Nsure Resources also permits shared authoritative sources. For example, an employee's home telephone number may be added or modified in either the HR system or in the Workforce Tree using eGuide.
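The data synchronization examples above and the description of channel filters both come down to one mechanism: each driver's Publisher filter decides which attributes that system may write into the Workforce Tree, and each driver's Subscriber filter decides which attributes it is allowed to receive. The following Python model is an added example, not DirXML code or any Novell configuration file. It reproduces the page's default authority split for a PeopleSoft / NT / Exchange lab and then shows what happens when a non-authoritative system (here, Exchange) tries to change a surname. eGuide is modelled as a publish-only driver, which is a simplification (in the product it writes to the tree directly); the attribute names, the user ID jbrown and the example.com address are assumptions.

```python
"""Model of attribute-level distributed authority enforced by channel filters.

Constructed example (not DirXML's own code): each connected system is a
Driver with a Publisher filter (attributes it may write into the Workforce
Tree) and a Subscriber filter (attributes it may receive from the tree).
A change accepted on one driver's Publisher Channel is fanned out to every
other driver whose Subscriber filter lists that attribute.
"""
from dataclasses import dataclass, field


@dataclass
class Driver:
    name: str
    publish: frozenset      # attributes this system is authoritative for
    subscribe: frozenset    # attributes this system is allowed to receive
    store: dict = field(default_factory=dict)   # the connected system's own copy


class WorkforceTree:
    def __init__(self, drivers):
        self.users = {}                              # cn -> attributes
        self.drivers = {d.name: d for d in drivers}
        self.dropped = []                            # (driver, attr) vetoed by a filter

    def publish(self, driver_name, cn, changes):
        """Apply changes arriving on driver_name's Publisher Channel.

        Returns {subscriber driver: [attributes delivered]} so the caller can
        see exactly which systems the hub fanned the change out to.
        """
        src = self.drivers[driver_name]
        accepted = {}
        for attr, value in changes.items():
            if attr in src.publish:
                accepted[attr] = value
            else:
                self.dropped.append((driver_name, attr))   # not authoritative: vetoed
        if not accepted:
            return {}
        self.users.setdefault(cn, {}).update(accepted)
        src.store.setdefault(cn, {}).update(accepted)
        delivered = {}
        for name, drv in self.drivers.items():
            if name == driver_name:
                continue
            out = {a: v for a, v in accepted.items() if a in drv.subscribe}
            if out:                                   # Subscriber filter lets it through
                drv.store.setdefault(cn, {}).update(out)
                delivered[name] = sorted(out)
        return delivered


def build_default_lab():
    """Filters approximating the page's defaults: HR owns names and org data,
    Exchange owns the e-mail address, the user (via eGuide) and HR share the
    home phone number. Exact attribute names are assumed."""
    hr = Driver("PeopleSoft",
                publish=frozenset({"Given Name", "Surname", "Manager", "Department", "Title", "Home Phone"}),
                subscribe=frozenset({"Internet EMail Address", "Home Phone"}))
    mail = Driver("Exchange",
                  publish=frozenset({"Internet EMail Address"}),
                  subscribe=frozenset({"Given Name", "Surname", "Department"}))
    nt = Driver("NT Domain", publish=frozenset(), subscribe=frozenset({"Given Name", "Surname"}))
    eguide = Driver("eGuide", publish=frozenset({"Home Phone", "Cell Phone", "Pager"}), subscribe=frozenset())
    return WorkforceTree([hr, mail, nt, eguide])


def run_scenarios():
    """Constructed events: a hire from HR, an e-mail address from Exchange,
    a self-service phone change, and an unauthorised rename from Exchange."""
    tree = build_default_lab()
    results = {
        "hire": tree.publish("PeopleSoft", "jbrown", {"Given Name": "John", "Surname": "Brown", "Department": "Sales"}),
        "email": tree.publish("Exchange", "jbrown", {"Internet EMail Address": "jbrown@example.com"}),
        "phone": tree.publish("eGuide", "jbrown", {"Home Phone": "555-0100"}),
        # An Exchange administrator (or a compromised Exchange driver) trying to rename the user:
        "rogue": tree.publish("Exchange", "jbrown", {"Surname": "Mallory"}),
    }
    return tree, results


if __name__ == "__main__":
    tree, results = run_scenarios()
    for event, fanout in results.items():
        print(f"{event}: delivered to {fanout}")
    print("vetoed:", tree.dropped)
```

The security-relevant point is the rogue case: the filter on the Exchange driver's Publisher Channel is what stops a messaging administrator, or a compromised messaging server, from overwriting HR-owned identity data in every other connected system. When you tune the default filters for your own environment, widen a Publisher filter only for attributes the system is genuinely authoritative for.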

Rules may include:

  • Schema-mapping rules that map eDirectory object classes and attributes to the object classes and attributes of other systems

  • Matching rules that specify criteria for identifying matches between specific objects in eDirectory and other systems.

  • Create rules that specify requirements that must be met before a new object can be created.

  • Placement rules that define the criteria for placing new objects in the target application.

  • Event Transform rules that define how the DirXML Engine is to transform particular events before passing the information along to receiving systems. For example, a rule might dictate that the DirXML Engine convert a "move to the Inactive container" event in the Workforce Tree to a "disable" event in Active Directory.

  • Data Transform rules that define how the DirXML engine must transform particular data elements before passing the data along to receiving systems. For example, a rule might specify that a birth date in the format month, day, year (for example 062173) in Novell eDirectory should be converted to the format day, month, year (210673) before passing it to a system that uses the latter format.

Default Policies

Novell Nsure Resources actions are governed by its default policies for managing user identity information. The logic is stored in the Filters and Rules objects contained in the DirXML driver objects which use Novell eDirectory as their policy repository. Specific policies vary depending on which systems are used.

In general, Nsure Resources default policies are configured as listed below.

Authoritative Sources. The PeopleSoft or SAP HR system is the authoritative source for most user identity information, including employee name, department, location, and title. Adding users or modifying a user's job status must be done in the HR system.

The Lotus Notes, Microsoft Exchange, or Novell GroupWise messaging system is the authoritative source for messaging-related information such as e-mail addresses and post office domains. When the messaging system creates an e-mail account for a new user, the messaging system DirXML driver immediately publishes the relevant information to the Workforce Tree where other systems can subscribe to it.

The Workforce Tree is a shared authoritative source for cell phone, home phone, and pager numbers, sharing authority with the HR system. Consequently, these attributes can be updated either within the HR system or by users through Novell eGuide.

User Object Names. A User object name is created by concatenating the first letter of the person's first name with that person's last name. John Brown's User object name, for example, would be jbrown. If another jbrown user object already exists, the new John Brown would be named jbrown1. This policy is defined in one of the HR DirXML driver's Create Rules.

Passwords. Each User object is assigned an initial password according to the password policy defined in the HR system DirXML driver's Create Style Sheet. The default policy sets the password, in each system in which a user is created, to the individual's surname. This default is acceptable only in the laboratory environment: a surname is public and trivially guessable, so the policy must be replaced before the system moves toward production.

Placement. By default, Novell Nsure Resources creates new User objects in the Active container in the Workforce Tree. Also by default, Nsure Resources places User objects in the Inactive container to represent users whose accounts have been disabled.

E-Mail Addresses. The messaging system creates the e-mail address. As a result, Novell Nsure Resources does not specify the rules for its creation. Nsure Resources does map the e-mail address created by the messaging system into the Internet e-mail address attribute in the Workforce Tree.

E-Mail Distribution Lists. The HR DirXML driver's Event Transform rule adds a new employee to the appropriate group object, manager or employee, depending on whether the individual is designated as a manager or employee from within the HR system. The Messaging DirXML driver also uses this information to assign the new employee to the appropriate e-mail distribution lists within the messaging system.

Terminated Employees' Accounts. Novell Nsure Resources inactivates terminated employee accounts in the Workforce Tree rather than deleting them entirely. When an employee's record in the HR system is terminated or inactivated, Nsure Resources moves the User object representing that employee from the Active container to the Inactive container in the Workforce Tree. Nsure Resources then triggers the disabling of corresponding accounts in the other affected systems such as Exchange, GroupWise, and Active Directory. Nsure Resources also removes the user from any previously assigned groups.

Data Update. Whenever data is updated in an authoritative system, Novell Nsure Resources immediately propagates the update to the other systems that have been configured to subscribe to that piece of information.
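The rule types listed under "Novell DirXML: The Heart of It All" and the default policies above (User Object Names, Passwords, Placement, E-Mail Distribution Lists, Terminated Employees' Accounts) describe one provisioning pipeline, the same one that step 5 of the employee provisioning example walks through. The following Python model is an added example, not DirXML code or any Novell rule file, and real DirXML rules are XML or XSLT rather than Python. It runs HR add events through Matching, Create and Placement rules, and an HR termination through an Event Transform that becomes a move to the Inactive container, a disable in each connected account system and removal from groups. The container DNs, the workforceID attribute used for matching, the connected-system names, the continuation of the naming policy past jbrown1 (jbrown2, jbrown3, ...) and the random-password replacement for the surname default are all assumptions.

```python
"""Model of the Nsure Resources default provisioning rules (added example).

Constructed scenario: HR 'add' events go through Matching -> Create ->
Placement; an HR termination goes through an Event Transform that moves the
user to Inactive, disables every connected account and empties its groups.
"""
import secrets
import string

ACTIVE = "ou=Active,ou=Users,o=Workforce"        # container DNs are assumed
INACTIVE = "ou=Inactive,ou=Users,o=Workforce"
REQUIRED = ("workforceID", "Given Name", "Surname")   # Create rule requirements (assumed)
SYSTEMS = ("NT Domain", "Exchange")                    # subscribers to User adds


class WorkforceTree:
    def __init__(self, password_policy):
        self.password_policy = password_policy
        self.users = {}                                   # cn -> attributes
        self.accounts = {s: {} for s in SYSTEMS}          # system -> cn -> account state

    def match(self, event):
        """Matching rule: associate on the HR key only, never on the name, so a
        same-named hire is not merged into an existing user's accounts."""
        for cn, attrs in self.users.items():
            if attrs["workforceID"] == event["workforceID"]:
                return cn
        return None

    def name_for(self, given, surname):
        """Create rule naming policy: first initial + surname; on collision the
        page appends 1, continuing with 2, 3, ... is an assumed generalization."""
        base = (given[0] + surname).lower()
        cn, n = base, 1
        while cn in self.users:
            cn = f"{base}{n}"
            n += 1
        return cn

    def hr_add(self, event):
        """Publisher-channel add from HR: Matching -> Create -> Placement."""
        cn = self.match(event)
        if cn is not None:                                # already exists: treat as modify
            self.users[cn].update({k: v for k, v in event.items() if k != "workforceID"})
            return "modify", cn
        missing = [a for a in REQUIRED if not event.get(a)]
        if missing:                                       # Create rule vetoes the add
            return "veto", missing
        cn = self.name_for(event["Given Name"], event["Surname"])
        group = "managers" if event.get("isManager") else "employees"
        self.users[cn] = dict(event, container=ACTIVE, groups=[group])   # Placement rule
        password = self.password_policy(event)
        for system in self.accounts.values():             # fan out over Subscriber Channels
            system[cn] = {"disabled": False, "password": password, "groups": [group]}
        return "add", cn

    def hr_terminate(self, event):
        """Event Transform: HR termination -> move to Inactive, disable, ungroup."""
        cn = self.match(event)
        if cn is None:
            return "unknown", None
        user = self.users[cn]
        user["container"] = INACTIVE
        user["groups"] = []
        for system in self.accounts.values():
            if cn in system:
                system[cn]["disabled"] = True
                system[cn]["groups"] = []
        return "disable", cn


def surname_password(event):
    """The page's default Create Style Sheet policy: initial password = surname. Lab only."""
    return event["Surname"]


def random_initial_password(event, length=16):
    """Assumed hardened replacement: a per-user random initial password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_demo(password_policy=surname_password):
    """Constructed HR events: two same-named hires, a modify, an incomplete
    record, then a termination. Returns the tree and the engine's decisions."""
    tree = WorkforceTree(password_policy)
    log = [
        tree.hr_add({"workforceID": "1001", "Given Name": "John", "Surname": "Brown"}),
        tree.hr_add({"workforceID": "1002", "Given Name": "Jane", "Surname": "Brown", "isManager": True}),
        tree.hr_add({"workforceID": "1001", "Given Name": "John", "Surname": "Brown", "Title": "Lead"}),
        tree.hr_add({"workforceID": "1003", "Given Name": "Ann"}),
        tree.hr_terminate({"workforceID": "1001"}),
    ]
    return tree, log


if __name__ == "__main__":
    tree, log = provision_demo()
    for decision in log:
        print(decision)
    print("jbrown:", tree.users["jbrown"]["container"], tree.accounts["NT Domain"]["jbrown"])
```

Two design choices matter for security. Matching on the HR key rather than the name is what keeps Jane Brown (jbrown1) from being silently associated with John Brown's existing accounts. And termination is an Event Transform that disables and ungroups in every connected system rather than deleting in the tree, which preserves the audit trail while closing the access that the page identifies as the serious risk of delayed deprovisioning.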

Setting Up the Lab Environment

The Nsure Resources laboratory environment can include the following systems:

  • One PeopleSoft or SAP HR application

  • One GroupWise, Lotus Notes, or Exchange messaging application

  • Any combination of account systems and directories, including eDirectory, Active Directory, or NT 4

Figure 2 illustrates a typical laboratory environment.

Figure 2: A typical laboratory environment.

The installation process varies somewhat depending on which systems are included in the laboratory environment. In general, setting up the laboratory environment involves the following steps:

  1. Install the HR application, messaging application, and account systems and directories or make the necessary preparations to access such systems in a development environment. When installing these systems, certain specific information must be gathered about these applications. This information is used later when setting up the DirXML drivers. The DirXML drivers use this information to access the applications.

  2. Install Novell eDirectory and create the Workforce Tree on a separate server.

  3. Install the DirXML Engine on the same server as the Workforce Tree.

  4. Install Novell iManager and Novell eGuide on a Web server.

  5. Install the DirXML plug-ins and preconfigured DirXML drivers on the Web server.

  6. Install the DirXML Remote Loader service and install the driver shims to the HR system, messaging system, and account systems and directories that are included in the laboratory setup.

  7. Import the preconfigured driver configuration files into the Workforce Tree to deploy the default Nsure Resources configuration. During this step, the Import Drivers task prompts for the system information gathered earlier.

  8. Install and run a sample project on the HR system for PeopleSoft, or configure ALE (Application Link Enabling) for an SAP HR system.

From the Laboratory to Production

To get the most from Nsure Resources, Novell recommends taking a phased approach to its deployment and its transition from a laboratory system to a full production secure identity management solution. Novell consultants and Novell partners are available to provide expert assistance for any or all of the phases.

The recommended phases are discussed individually in the remainder of this section.

Determine How Novell Nsure Resources Fits

Once the organization has successfully implemented the Novell Nsure Resources in a laboratory environment, Novell recommends consulting with an Nsure Resources expert (Novell consultant or Novell Consulting Systems Integration partner) to help in determining how Nsure Resources can best be employed in the organization's business and technology environments. (Novell is in the process of extending Nsure Resources support to a variety of disparate systems, applications, and platforms.)

Conduct a Formal Kick-off Meeting

Conduct a kick-off meeting to engage all impacted departments, decision makers, managers, and executives and bring them into alignment for implementing Novell Nsure Resources. This is a critical step: everyone in the company must be completely aligned before continuing. Obtain signatures from representatives of each affected organization, department, or system. A signature page helps reduce potential problems in the event of changes in management or systems.

Assess Requirements

Assess business requirements to identify policies, processes and technical requirements, then map the Novell Nsure Resources functionality to these business needs. The assessment process may include the following tasks:

  • Define the organization's business requirements

  • Analyze the organization's business processes

  • Create a data flow diagram

Once the requirements have been determined, evaluate the readiness of the technical environment to support the rollout to the production environment and determine what is required to bring the staff up to speed. Based on these findings, establish the scope and create a project plan for implementation. Be sure to include any prerequisite activities.

Prepare a Design Plan

When designing the Novell Nsure Resources environment, consider such issues as account systems, authoritative sources, messaging systems, and licensing and activation issues. It may help to include various test scenarios in the design plan to test for desired outcomes for both data and events.

Documenting the design of the planned deployment gives the organization a clear picture of the business processes, the requirements for implementing provisioning to support these processes, and ownership of the common data to be synchronized across the system. Signatures on all documents by representatives from all affected systems are helpful during this phase: they help ensure that all parties have had a chance to review the design and have committed to the deployment.

Build and Test a Real-World Production Pilot

A proof of concept is performed during this phase. The pilot environment enables the organization to test the production candidate with minimum impact on the production environment. The organization can test the business procedures outlined in the requirements assessment and design plan, and can correct any problems identified during testing. The design document should be updated to reflect any changes made during final system testing.

The experience gained through the production pilot may indicate that the requirements assessment document and the design plan need refinement. This may necessitate extra time and effort to update the impacted documents and processes. By employing an iterative process, however, the organization can improve efficiencies and realize additional economies.

Deploy the Nsure Resources Solution

Roll out the identity management system to the entire enterprise or to a particular segment of the enterprise. Documentation that was developed and fine-tuned during the production pilot laboratory phase may be useful in this step.

Conclusion

Novell Nsure solutions take secure identity management to a whole new level. Combining award-winning products, customer-driven services and committed business partnerships, Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people: securely, efficiently and, best of all, affordably.

For more information on Nsure secure identity management solutions and supporting technologies, see the following resources:

  • Novell Nsure Web site: http://www.novell.com/solutions/nsure

  • Novell Nsure Resources Deployment Guide: http://www.novell.com/documentation/lg/eprov10

  • DirXML Drivers Documentation: http://www.novell.com/documentation/lg/dirxmldrivers/index.html

  • Novell DirXML 1.1a Administration Guide: http://www.novell.com/documentation/lg/dirxml11a

  • eDirectory 8.7 Documentation: http://www.novell.com/documentation/lg/edir87

* Originally published in Novell AppNotes


Disclaimer

The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.

© Copyright Micro Focus or one of its affiliates