
Provisioning Access to Network Assets - Get a Jump Start With Novell Nsure Resources


Linda Kennard

01 Nov 2002


Today a new receptionist, on an apparent caffeine high, blasts you with way too much cheer as you make your way through the door. You don't know why this receptionist replaced the last one, who sat bored at the front desk for only five gum-filled days. You know only that the termination and new hire will cost you and others in the IT department time and, consequently, cost your company money.

Admittedly, adding and disabling user accounts on multiple systems for a single fire and subsequent hire doesn't consume that much time or money, but these minutes and cents add up over a year. The minutes and cents add up even more quickly when you factor in the time and money spent moving and changing user identity information on multiple systems. Think about it: How much time do you and your IT coworkers spend setting up accounts for new hires and moving, adding, changing, or tearing down existing accounts?

Specific answers to this question naturally vary between companies. In one estimate, however, Novell suggests that in a company of 3,000 employees, each of ten IT workers over the course of one year probably spends 40 percent of his or her time managing user-identity information. This time estimate equates to a projected annual cost of U.S. $399,360.

If you've given this topic an ounce of thought, you don't need this estimate or any other estimate to draw this conclusion: A system that automates the processes of creating, modifying, and deleting user-identity information could save your company a lot of money. After all, such a system requires you to enter and manage user identity information only once in one system, rather than several times in several systems. Equally (if not more) important, such a system decreases the amount of time it takes to provide or provision access to network resources and thus increases productivity. Hence, this type of system is commonly called an employee provisioning system.

Burton Group analyst Kevin Kampman confirms your suspicions that provisioning systems provide "legitimate opportunities for return on investment [ROI] in the short term." (Burton Group is an IT research, consulting, and advisory firm. For more information, visit http://www.burtongroup.com/.) In fact, Kampman says, short-term benefits are only the most tangible benefits of provisioning systems, which offer arguably more significant long-term benefits. (For more information, see "In the Long Run.")

If provisioning systems offer quantifiable short-term ROIs (not to mention less quantifiable but equally real long-term benefits), why hasn't your company implemented one? Novell believes that at least one reason you haven't started setting up a provisioning system is that you just don't know where to start. Enter Novell Nsure Resources, one of several products in Novell's secure identity management (SIM) solution.

Released in October, Nsure Resources shows you where and how to start. Nsure Resources jump-starts the process of implementing a system that enables you to quickly provision access to the resources users need to be productive. This system is hereafter called a provisioning system.

THE QUICK PATH TO PROOF OF CONCEPT

Nsure Resources provides you with a generic design for a provisioning system that is based on an equally generic set of business policies. You can get this simple infrastructure up and running in a lab within only a few short days. In fact, enabling you to set up and test a generic provisioning system quickly and easily in a lab is Nsure Resources' reason for being.

To develop Nsure Resources, Novell compiled information from customers who had already implemented provisioning systems. Based on this information, Novell tailored key DirXML 1.1a components to represent what amounts to the common denominator among these companies' varied configurations. (For more information about DirXML, see "The DirXML Basics.")

The heart and soul of Nsure Resources, DirXML is Novell's data-sharing software that enables bidirectional real-time exchange of information between network applications, directories, and databases. (For an interesting tidbit about DirXML, see "Did You Know?") As the name suggests, DirXML, and consequently Nsure Resources, is based on eXtensible Markup Language (XML) and eXtensible Style Sheet Language Transformation (XSLT). As is typical of Novell software, DirXML and Nsure Resources run on several different platforms, including Windows 2000 and NT, Solaris, Linux, and NetWare.

To offer you this ready-made, common-denominator starting point, Novell engineers created configuration files for you to import into a set of DirXML drivers. (For information about other DirXML drivers that Nsure Resources does not include, see "The Other DirXML Drivers.")

With these files, Nsure Resources offers preconfigured DirXML drivers for the following human resource, messaging, and account systems:

  • PeopleSoft (PeopleTools 7.5x and 8.1x)

  • SAP HR 4.6c or above

  • Microsoft Exchange 5.5

  • Microsoft Exchange 2000

  • Novell GroupWise versions 5.5, 6.0, and 6.1

  • Lotus Notes R5

  • Novell eDirectory 8.62 and 8.7

  • Microsoft Active Directory

  • Microsoft NT 4

For your initial Nsure Resources setup, you choose a set of drivers for only a few of these systems. Specifically, Nsure Resources enables you to choose drivers for the following number of systems:

  • One human resource application (either PeopleSoft or SAP)

  • One messaging application (either GroupWise, Lotus Notes, or Exchange)

  • One or all three of the account and NOS directories (eDirectory, Active Directory, or NT 4)

After you set up Nsure Resources in your lab, you can observe what this product enables by default: the automatic creation, modification, and deletion of user accounts instantly, with a single action, across the systems you include in your setup. The order in which these events occur on these systems, the types of events that occur on each system, and the way these events occur are all based on Nsure Resources' preconfigured design.

The bottom line is that within only days, you can set up Nsure Resources in your lab and begin immediately to observe and test a generic provisioning system. This system can then serve as the launch pad to a customized system suitable for your live network.

THE READER'S DIGEST GUIDE TO GETTING NSURE RESOURCES GOING

Getting Nsure Resources going in the lab is relatively simple, and when you've done so, the configuration you create will resemble the configuration shown in Figure 1. Detailed instructions for getting Nsure Resources to this point are beyond the scope of this article. (For detailed instructions, see the Nsure Resources deployment guide, which will be made available on the Nsure Resources home page at www.novell.com/products/nsureresources.) However, a general discussion of the installation steps will help you get the gist of what setting up Nsure Resources entails:

Figure 1

  1. Install and make available the human resource, messaging, and account systems you will include in your lab setup.

  2. Install eDirectory, and create a provisioning tree.

  3. Install DirXML components.

  4. Install Novell iManager and Novell eGuide.

  5. Import the preconfigured drivers for the systems you want to include in your Nsure Resources setup.

Setting Up Application Systems

Before you install Nsure Resources, you need to set up and configure the systems you plan to include in your lab setup. As Figure 1 shows, your initial setup may include the following:

  • PeopleSoft or SAP

  • Lotus Notes, Exchange, or GroupWise

  • eDirectory and/or Active Directory and/or NT4

As part of this process, Nsure Resources documentation asks you to gather certain information about these applications. (Ultimately, DirXML drivers use this information to access the applications.) For example, the documentation asks you to note the user ID, password, and IP address that the Nsure Resources driver can use to access an application.

Later in the Nsure Resources setup process (when you import the driver configuration files), a wizard prompts you to enter this information.

Creating a Provisioning Tree

Before you install Nsure Resources, you also need to install eDirectory 8.6.2 or above (on a Windows 2000 or NT, Solaris, Linux, or NetWare server) and create a provisioning tree, which Novell calls the Workforce Tree.

As Figure 1 shows, the Workforce Tree is the conceptual hub of your Nsure Resources setup. This Workforce Tree acts as a central data repository (something you commonly find in DirXML environments). All of the other systems you include in your Nsure Resources configuration either publish information to or receive information from the Workforce Tree (via the DirXML engine) over their preconfigured drivers' Publisher Channel or Subscriber Channel, respectively.

The Workforce Tree has a flat structure and includes little more than containers for users and provisioning services. (See Figure 2.) For example, a Services container (created automatically) stores DirXML Driver objects, among other things, within an Nsure Resources container.

Figure 2

The Users container (created automatically during the driver import process) contains Active and Inactive containers. By default, Nsure Resources creates new User objects in the Active container. In the Inactive User container and also by default, Nsure Resources places User objects that represent users whose accounts have been disabled.

Install DirXML Components

On the server running the Workforce Tree, you need to install the DirXML engine. The DirXML engine brokers the exchange of data between the Workforce Tree and the human resource, messaging, and account systems that you include in your Nsure Resources setup.

After the Workforce Tree is equipped with the DirXML engine, you begin the process of enabling your human resource, messaging, and account systems to publish information to or to receive information from this tree. Among other steps, this process involves installing and configuring the DirXML Remote Loader Service on the human resource, messaging, and account system servers that you configure to participate in the Nsure Resources setup.

First introduced in DirXML 1.1, the DirXML Remote Loader Service is software that enables communications between the DirXML engine and a DirXML driver running on another computer. Before Novell introduced the DirXML Remote Loader Service, you had to run the DirXML engine, your company's eDirectory tree, your client application (for example, the PeopleSoft client), and the application's DirXML driver on the same server. As you can see in Figure 1, with the Remote Loader Service, you can run the DirXML engine and eDirectory tree on one server, and you can run the application and its DirXML driver on another server.

Install Novell eGuide and iManager

To complete the process of installing Nsure Resources' prerequisite software, you need to install Novell eGuide and Novell iManager on a web server.

Novell eGuide is a white-pages application that enables users to conduct browser-based searches for the e-mail addresses, fax numbers, telephone numbers, and names of other users in your company. (For more information about eGuide, consult Novell online documentation, which you can download from www.novell.com/documentation/lg/eguide21.) Users can also use Novell eGuide to update the details of their own identity information, an ability you enable via Novell iManager.

Novell iManager is Novell's new management interface that enables you to use a browser and, in some cases, a handheld device to manage your company's eDirectory tree. For example, using Novell iManager, you can manage your Workforce Tree over wired and wireless connections to an intranet, an extranet, or the Internet.

Perhaps more exciting, Novell iManager enables role-based (or delegated) administration. As a result, you can farm out specific sets of administrative tasks--in this case, tasks related to user identity management--to particular users. These users, in turn, can access the Workforce Tree to complete these tasks, and they don't need a thorough understanding of the directory to do so.

Most important in this context, DirXML 1.1a plug-ins for Novell iManager enable you to remotely manage all aspects of your DirXML system, or, in this case, your Nsure Resources system. (The DirXML 1.1a plug-ins are included with Nsure Resources.) For example, using Novell iManager, you can find and view Nsure Resources' preconfigured DirXML drivers and can add, activate, and delete DirXML drivers.

You install the Novell eGuide and Novell iManager program files on a web server. If you don't already have a web server, the installation program for these applications enables you to install either Apache 1.3.20 or Tomcat 3.2.3. (For more information about these web server platforms, see http://httpd.apache.org and http://jakarta.apache.org.)

The Install Wizards

After you install Nsure Resources' prerequisite software, you will need to set up Nsure Resources. To do so, you launch Novell iManager, authenticate to the Workforce Tree, and select one of Nsure Resources' installation wizards from DirXML Management. (See Figure 3.)

Figure 3

For example, the Install Drivers wizard enables you to import preconfigured DirXML drivers for one human resource application, one messaging application, and one to all three of the available account or NOS directories. Click to select the drivers you want to import. (See Figure 3.)

The Driver objects that represent these preconfigured drivers store other objects. These other objects represent rules and filters that together comprise the business logic underlying Nsure Resources' default policies and processes for managing user identities.

As a DirXML-based product, Nsure Resources applies rules to the information it receives to process this information. These rules are in either XML or XSLT format and define processes for a number of things. For example, schema-mapping rules map eDirectory object classes and attributes to other systems' object classes and attributes. Matching rules identify matches between specific objects in eDirectory and other systems. Other rules define the creation and placement processes.

As its DirXML core requires, Nsure Resources also includes rules that define how the DirXML engine must transform particular events or data before passing the information along to the receiving system. For example, a transformation rule might dictate that the DirXML engine should convert a "move to the Inactive container" event in the Workforce Tree to a "disable" event in Active Directory. Another transformation rule might specify that a birth date written according to month, day, year (for example, 060873) in eDirectory should be converted to a day, month, year format (that is, 080673) before passing it to another system that uses the latter format.

Filters are XML documents that dictate what information can pass between the Workforce Tree and the other systems over a driver's Publisher or Subscriber Channel. Using filters, you can control which systems are the authoritative sources for various user account attributes. For example, filters on the PeopleSoft Publisher Channel ensure that changes to most user account attributes (including Last Name, First Name, Middle Name, Manager, and Address) flow from PeopleSoft to the Workforce Tree.

Filters on the Subscriber Channel allow information for far fewer attributes to travel from the Workforce Tree to PeopleSoft or SAP, ensuring that the human resource application remains the authoritative source for most user identity information. However, the Subscriber Channel filters do allow information for some attributes to flow in this direction, including information for cellular phone, pager, and home phone attributes. (For more information about the attributes that Nsure Resources preconfigured drivers receive, see "Attributes to Success.")

DirXML consults the rules and filters objects associated with a driver's Publisher Channel or its Subscriber Channel to determine such things as how to create and disable user accounts, which modified user information to synchronize across which systems in your Nsure Resources setup, and how to format information to suit the system receiving the information.

After you select drivers for the systems you want to include in your Nsure Resources lab setup, another installation wizard (not yet definitively named when this article was written) prompts you to enter information about these applications. For example, for each application, you enter the IP address and port number as well as the user ID and password that Nsure Resources should use to access this application. The wizard then uses this information to finish configuring each of the drivers.

That, in the proverbial nutshell, is the gist of the Nsure Resources setup process.

POLICIES IN ACTION

After you set up Nsure Resources, you can begin immediately to test your lab setup to ensure that it is working properly and to observe what Nsure Resources can do by default. What Nsure Resources does is governed by its default policies for managing user-identity information--the logic for which is stored in the rules and filters objects contained in the Driver objects. Specific policies vary, depending on which systems you're using. In general terms, however, Nsure Resources default policies include the following:

  • The human resource system (that is, either PeopleSoft or SAP) is the authoritative source for most user identity information, including employee name, department, location, and title. This means, among other things, that when a new user is entered into the human resource system, DirXML will instantly create new user accounts across the other systems in the Nsure Resources setup, including the Workforce Tree and the messaging system.

  • The messaging system (that is, Lotus Notes, Exchange, or GroupWise) is the authoritative source for messaging-related information, such as e-mail address and post office domains. This means, among other things, that when the messaging system creates an e-mail account for a new user, DirXML instantly distributes relevant information to the other systems in the Nsure Resources setup, including the Workforce Tree and the human resource system.

  • The Workforce Tree is an additional authoritative source for users' cell phone, home phone, and pager numbers, which users update using Novell eGuide.

  • Nsure Resources' naming policy joins the first initial of a user's first name to the user's surname. (For example, Linda Kennard becomes lkennard.) If this concatenated name already exists, Nsure Resources appends a number (1, 2, and so on) to the end of the name. (For example, a second lkennard becomes lkennard1.)

  • Nsure Resources' policy for dealing with terminated employees' accounts in the Workforce Tree is to inactivate these accounts, rather than delete them. That is, when an employee is terminated and, as a result, this employee's account is disabled in the human resource system, Nsure Resources moves the User object representing this employee in the Workforce Tree from the Active container to the Inactive container. When an account is disabled (in the human resource system) and moved to the Inactive container in the Workforce Tree, Nsure Resources disables corresponding accounts in the other systems (such as GroupWise and Active Directory) that are tied to your identity-management system.

As you can guess, these policies represent only a small sampling of the default policies governing Nsure Resources processes for managing user-identity information. This sampling, however, should give you an idea of the types of policies underlying Nsure Resources' processes for creating and inactivating user accounts as well as synchronizing modified information within these accounts.

To give you a better idea of how these default policies play out when Nsure Resources is in action, suppose that you have successfully installed and configured Nsure Resources in your lab. Further suppose that in this lab setup, you included the following systems: PeopleSoft, Exchange 5.5, eDirectory (the Workforce Tree), and Active Directory. This example assumes that you have prepared all of these systems for participation in your Nsure Resources setup according to Novell's documentation for Nsure Resources.

Creating New Accounts

When you enter a new username, such as Linda Kennard, in PeopleSoft, the PeopleSoft system records this event in a transaction table. The PeopleSoft driver's Publisher Channel periodically accesses this transaction table by way of Component Interface (CI) objects, which are part of Novell's PeopleSoft Service Agent (PSA).

The PSA you install and extract when you install the preconfigured PeopleSoft driver is a collection of software processes and components that run on your PeopleSoft database server. The PSA defines what data and how data will be available from PeopleSoft for synchronization with your eDirectory Workforce Tree.

Based on the information found in the transaction table, the PeopleSoft driver then constructs an XML document and passes this document to the DirXML engine for processing.

To process this new XML document, the DirXML engine consults the rules associated with the PeopleSoft driver's Publisher Channel. For example, the DirXML engine consults the driver's Matching rules to ensure that this user does not already exist in the Workforce Tree.

The DirXML engine also consults the Create rule, which dictates, among other things, the attributes the engine needs information about before it can create a User object. The Create rule also dictates the naming policy the DirXML engine should use to name this User object.

In addition, the DirXML engine consults the Placement rule, which ensures that this new User object is placed in the Active container within the Users container. In the end, a new lkennard User object is created.

Updating Account Information

The creation of the lkennard object in the Workforce Tree triggers the creation of new user accounts in Active Directory and Exchange. DirXML uses processes similar to the process outlined above to create these accounts, applying the rules and filters associated with the Subscriber Channels for these systems' drivers.

When the Exchange driver creates a new account lkennard, Exchange creates an e-mail address for this user. The Exchange event system passes news of this transaction to the Exchange driver's Publisher Channel.

The Exchange driver's Publisher Channel creates an XML document based on this information and passes this document to the DirXML engine. The DirXML engine then uses the preconfigured rules, filters, and transformations on the Exchange driver's Publisher Channel to update lkennard's e-mail address in the Workforce Tree.

When lkennard's e-mail address is updated in the Workforce Tree, the PeopleSoft and Active Directory drivers' Subscriber Channels take note of this event, create XML documents, and pass the documents to the DirXML engine. The DirXML engine, again using the rules and filters associated with these drivers' Subscriber Channels, pushes information regarding lkennard's e-mail address through to PeopleSoft and Active Directory.

Inactivate or Disable Accounts

If you disable the lkennard record in PeopleSoft, DirXML uses a process similar to the process it uses to create a user account. The difference, of course, is that the rules associated with a disabled PeopleSoft account would trigger processes that would result in DirXML moving the lkennard User object in the Workforce Tree from the Users Active container to the Inactive container.

Moving the lkennard User object from the Active to the Inactive container triggers processes that result in DirXML disabling accounts for Linda Kennard in Exchange and Active Directory.
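The rules, filters, and default policies described above, and the create, update, and inactivate walkthrough just given, can be modelled in a few dozen lines. The following is an added illustration, not Novell's code and not the real DirXML document format: events are plain dictionaries, the Workforce Tree is two dictionaries standing in for the Active and Inactive containers, and the filter contents, the WorkforceID matching rule, and the downstream system list are assumptions chosen to mirror the article.

```python
"""Toy model of the default Nsure Resources provisioning policies.

Constructed example, not Novell's code and not the DirXML XML/XSLT format:
events are dicts and the Workforce Tree is two dicts (Active, Inactive).
"""
from dataclasses import dataclass, field

# Publisher Channel filter of the HR (PeopleSoft/SAP) driver: HR is the
# authoritative source for these attributes, so only they may enter the tree.
# (Assumed attribute set, modelled on the article's description.)
HR_PUBLISHER_FILTER = {"WorkforceID", "Given Name", "Surname", "Title",
                       "Manager", "Address", "Birth Date"}
# Subscriber Channel filter of the HR driver: only the self-service attributes
# that users maintain through eGuide flow back from the tree into HR.
HR_SUBSCRIBER_FILTER = {"Mobile", "Pager", "Home Phone"}
# Systems whose drivers subscribe to Workforce Tree events in the lab setup.
SUBSCRIBERS = ("Active Directory", "Exchange")


@dataclass
class WorkforceTree:
    active: dict = field(default_factory=dict)    # cn -> attributes
    inactive: dict = field(default_factory=dict)  # cn -> attributes


def apply_filter(attrs, allowed):
    """A channel filter passes only the listed attributes; the rest are dropped."""
    return {name: value for name, value in attrs.items() if name in allowed}


def transform_date(mmddyy):
    """Transformation rule from the article: MMDDYY -> DDMMYY (060873 -> 080673)."""
    if len(mmddyy) != 6 or not mmddyy.isdigit():
        raise ValueError(f"expected six digits MMDDYY, got {mmddyy!r}")
    return mmddyy[2:4] + mmddyy[0:2] + mmddyy[4:6]


def naming_policy(tree, given, surname):
    """Create rule naming: first initial + surname, then 1, 2, ... on collision."""
    base = (given[0] + surname).replace(" ", "").lower()
    taken = set(tree.active) | set(tree.inactive)
    if base not in taken:
        return base
    n = 1
    while f"{base}{n}" in taken:
        n += 1
    return f"{base}{n}"


def find_match(tree, workforce_id):
    """Matching rule (assumed): an existing User object with the same WorkforceID."""
    if workforce_id is None:
        return None
    for container in (tree.active, tree.inactive):
        for cn, attrs in container.items():
            if attrs.get("WorkforceID") == workforce_id:
                return cn
    return None


def publish_hr_add(tree, hr_event):
    """Process an HR 'add' on the Publisher Channel. Returns (cn, downstream events)."""
    attrs = apply_filter(hr_event, HR_PUBLISHER_FILTER)
    if "Birth Date" in attrs:
        attrs["Birth Date"] = transform_date(attrs["Birth Date"])
    cn = find_match(tree, attrs.get("WorkforceID"))
    if cn is not None:                       # match found: merge, do not create
        tree_attrs = tree.active.get(cn) or tree.inactive[cn]
        tree_attrs.update(attrs)
        return cn, [(s, "modify", cn) for s in SUBSCRIBERS]
    if not {"Given Name", "Surname"} <= attrs.keys():
        return None, []                      # create rule veto: required attribute missing
    cn = naming_policy(tree, attrs["Given Name"], attrs["Surname"])
    tree.active[cn] = attrs                  # placement rule: Users\Active
    return cn, [(s, "add", cn) for s in SUBSCRIBERS]


def publish_hr_disable(tree, workforce_id):
    """Terminated in HR: move the object to Inactive (not delete), disable downstream."""
    cn = find_match(tree, workforce_id)
    if cn is None or cn not in tree.active:
        return None, []
    tree.inactive[cn] = tree.active.pop(cn)
    # Transformation rule: "move to Inactive" becomes "disable" in each subscriber.
    return cn, [(s, "disable", cn) for s in SUBSCRIBERS]


def subscribe_hr(tree_change):
    """Attributes a tree modify (e.g. an eGuide self-service edit) pushes into HR."""
    return apply_filter(tree_change, HR_SUBSCRIBER_FILTER)


if __name__ == "__main__":
    tree = WorkforceTree()
    hire = {"WorkforceID": "1001", "Given Name": "Linda", "Surname": "Kennard",
            "Birth Date": "060873", "Salary": "not for the tree"}   # constructed
    print(publish_hr_add(tree, hire))                 # ('lkennard', [...add...])
    print(publish_hr_add(tree, {"WorkforceID": "1002", "Given Name": "Lars",
                                "Surname": "Kennard"}))  # ('lkennard1', ...)
    print(subscribe_hr({"Mobile": "555-0100", "Title": "CEO"}))   # only Mobile
    print(publish_hr_disable(tree, "1001"))           # ('lkennard', [...disable...])
```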

WHAT NEXT?

This is what Nsure Resources is really all about: providing you with everything you need out of the box to get a generic provisioning system running in your lab very quickly, so you can begin immediately to test its default configurations. After testing the default configuration for Nsure Resources, you can begin to take steps toward implementing a customized provisioning system on your live network.

Of these steps--the steps that will take you out of the lab to your live network--Nsure Resources marks the beginning and can serve as a prototype for the provisioning system you deploy on your live system. These steps require, among other things, a thorough understanding of your company's business processes, expertise in XML and XSLT, and a great deal of additional testing. (For basic information on the types of work required to customize Nsure Resources, bring it out of the lab, and set it up on your live network, see "Novell Nsure Resources: The Road From Lab to Live.")

As one of several products in Novell's SIM solution, Nsure Resources marks the beginning of the road to implementing a system for securely managing user identity information. The beginning Nsure Resources offers comes in the form of an example system that automatically provisions access to network resources.

In effect, the example that Nsure Resources provides is similar to the first problem on a math sheet that's been done for you: Although you still have to solve the problems that haven't been done, you can study the example of the completed problem to gain a sense of how to approach solving the remaining problems. Similarly, when you see Nsure Resources' preconfigured design for a provisioning system in action, you will be better able to determine how you want to customize this system to automate your company's processes for managing user identity information.

The bottom line is that Nsure Resources, out of the box, provides a generic provisioning system that jump-starts the process of implementing a customized provisioning system.

Linda Kennard works for Niche Associates, which is located in Sandy, Utah.

Attributes to Success

The following tables identify the User object attributes that Novell Nsure Resources' preconfigured drivers receive from and publish to the Workforce Tree by default. Drivers receive information from the Workforce Tree via their Subscriber Channel and publish information to the Workforce Tree over their Publisher Channel.

LOTUS NOTES


Subscriber Channel Attributes
Publisher Channel Attributes

CN (common name)

Preferred Name

Description

Surname

Given Name

Initials

Title

SA (Street Address)

Postal Code

OU (Organizational Unit)

Telephone Number

Generational Qualifier

NSCP: employeeNumber

L (Location)

Facsimile Telephone Number

MICROSOFT ACTIVE DIRECTORY


Subscriber Channel Attributes
Subscriber Channel Attributes Derived From Style Sheets

CN

Manager

Internet E-mail Address

Full Name

Description

Login Disabled

Surname

Given Name

Initials

WorkforceID

MICROSOFT ACTIVE DIRECTORY WITH EXCHANGE 2000


Subscriber Channel Attributes
Subscriber Channel Attributes Derived From Style Sheets
Publisher Channel Attributes

CN

Manager

Mail

Description

Full Name

Surname

Login Disabled

Given Name

Initials

WorkforceID

Title

SA

Physical Delivery Office Name

S (State)

Postal Code

OU

Telephone Number

Mobile

Pager

Home Phone

MICROSOFT EXCHANGE 5.5


Subscriber Channel Attributes
Publisher Channel Attributes

CN

Internet E-mail Address

Description

Surname

Given Name

IS Manager

Title

Mailstop

SA

Physical Delivery Office Name

S

Postal Code

OU

Telephone Number

Preferred Name

MICROSOFT NT DOMAIN


Subscriber Channel Attributes
Subscriber Channel Attributes Derived From Style Sheets
Publisher Channel Attributes

CN

Login Disabled

Preferred Name

Description

Full Name

NOVELL EDIRECTORY


Subscriber Channel User Attributes
Subscriber Channel User Attributes Derived From Style Sheets

CN

DN (distinguished name)

Internet E-mail Address

Manager

Description

Direct Reports

Surname

Login Disabled

Given Name

Initials

WorkforceID

ManagerWorkforceID

IS Manager

Title

Mailstop

SA

Physical Delivery Office Name

S

Postal Code

OU

Telephone Number

Full Name

Employee Status

Mobile

Pager

Home Phone

NOVELL GROUPWISE


Subscriber Channel Attributes
Publisher Channel Attributes
Publisher Channel GroupWise Post Office Attributes
Publisher Channel GroupWise Resources Attributes
Publisher Channel GroupWise Distribution Attributes

CN

Surname

Member

NGW: Owner

Member

Given Name

NGW: Object ID

NGW: Blind Copy Member

Surname

NGW:Account ID

NGW: Carbon Copy Member

Title

NGW: Gateway Access

OU

NGW: Mailbox Expiration Time

Telephone Number

NGW: File ID

Facsimile Telephone Number

NGW: GroupWise ID

Description

NGW: Visibility

Company

E-mail Address

Initials

Internet E-mail Address

Generational Qualifier

NGW: Post Office

Personal Title

Login Disabled

Login Expiration Time

NGW: GroupWise ID

PEOPLESOFT


Subscriber Channel Attributes
Publisher Channel Attributes
Publisher Channel Attributes Derived From Style Sheets

User ID

User ID

Full Name

User DN

Last Name

E-mail ID

First Name

Description

Middle Name

Cellular Phone

Assoc ID

Pager

Manager ID

Home Phone

Manager

Job Code Descr

Mail Drop

Address

City

State

Postal

Department Descr

Business Phone

Empl Status

Cellular Phone

Pager

Home Phone

SAP


Subscriber Channel Attributes
Publisher Channel Attributes
Publisher Channel Attributes Derived From Style Sheets
Publisher Channel Group Attributes Derived From Style Sheets

PO105:USRID:MAIL:78:30

Surname

CN

Member

Description

Given Name

Manager WorkforceID

PO105:USRID:CELL:78:30

Initials

Manager

PO105:USRID:PAGR:78:30

WorkforceID

Direct Reports

POOO6:TELNR:1:195:14

Title

IS Manager

SA

Full Name

Physical Delivery Office Name

Login Disabled

S

Group Membership

Postal Code

OU

Telephone Number

Employee Status

Mobile

Pager

Home Phone

The DirXML Basics

DirXML 1.1a is the foundation for Novell Nsure Resources, a system that helps to automatically provision access to network resources. Consequently, understanding the DirXML basics will help you better understand Nsure Resources. (For more information about DirXML, see the following Novell Connection articles: "Too Many Directories? Synch 'Em With DirXML," May 2000, pp. 8-14; "Check Out That DirXML Engine," May 2000, pp. 16-19; "DirXML 1.1: Synching With Style," Oct. 2001, pp. 40-41. You can download these articles from www.ncmag.com/past.)

DirXML uses the following products and components:

  • Novell eDirectory 8.7. DirXML 1.1a uses Novell eDirectory 8.7 as a central repository for directory-based information, such as user-identity and DirXML configuration information.

  • DirXML Drivers. DirXML drivers are application-specific and consist of three main components:

    An Application's Application Program Interface (API). The application API component enables the driver to communicate with and make changes in an application.

    An Application Shim. The application shim uses the application API to push information (via the DirXML engine) in two ways: from the application to eDirectory over a driver's Publisher Channel or from eDirectory to the application over a driver's Subscriber Channel.

    Driver Parameters and Policies. A driver includes a collection of eXtensible Markup Language (XML) and eXtensible Style Sheet Language Transformation (XSLT) documents comprised of rules, filters, and other parameters that together determine the scope and nature of information exchanges between an application and eDirectory. These rules and filters are stored as objects within Driver objects in your eDirectory tree and are associated with a driver's Publisher Channel, Subscriber Channel, or both channels. (Data transformations describe how data are transformed from one representation to another. For example, a data transformation can describe how a date that is represented as 11-11-02 is transformed so that it is represented as November 11, 2002. Data transformations are described in XSLT style sheets.)

  • DirXML Engine. The DirXML engine processes outbound information from eDirectory (bound for another application) and inbound information from another application (bound for eDirectory). The DirXML engine subscribes to the eDirectory event system. When changes occur in eDirectory, the DirXML engine uses XML to create a DOM that describes these changes. The DirXML engine then processes these changes according to the rules and filters associated with drivers' Subscriber Channels. The DirXML engine hands these changes to the DirXML drivers, which push the information through to their respective applications. After receiving application changes from a DirXML driver, the DirXML engine processes these changes according to the rules and filters associated with this driver's Publisher Channel. The DirXML engine then pushes these changes to eDirectory.

  • DirXML Remote Loader Service. The DirXML Remote Loader Service is agent software that enables the DirXML engine to communicate with a DirXML application API and shim running on a remote computer. That is, the Remote Loader enables you to run an application's API and the application shim component of a DirXML driver on one computer and to run the DirXML engine and eDirectory on another computer.
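As an added illustration of the Subscriber Channel flow described above (the engine builds a DOM of the eDirectory change, applies the channel's filter and rules, and only then hands the result to the driver shim), here is a small Python model of that pipeline, including the 11-11-02 date transformation from the parameters note. It is not DirXML code and is not from the article: the nds/input/add/add-attr event layout only loosely follows DirXML's XML event documents, the filter contents and the hireDate attribute are constructed assumptions, and the transformation is written in Python rather than XSLT.

```python
"""Added example: a toy model of a DirXML Subscriber Channel.  An eDirectory
change event is filtered, then transformed, before a shim would see it."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample event (not from the article).  The nds/input/add/add-attr
# layout only loosely follows DirXML's XML event documents and is an assumption.
SAMPLE_EVENT = """<nds dtdversion="1.0">
  <input>
    <add class-name="User" src-dn="\\TREE\\corp\\users\\jsmith" event-id="1">
      <add-attr attr-name="Surname"><value>Smith</value></add-attr>
      <add-attr attr-name="Given Name"><value>Jane</value></add-attr>
      <add-attr attr-name="Telephone Number"><value>555-0100</value></add-attr>
      <add-attr attr-name="hireDate"><value>11-11-02</value></add-attr>
    </add>
    <add class-name="Printer" src-dn="\\TREE\\corp\\prn1" event-id="2">
      <add-attr attr-name="CN"><value>prn1</value></add-attr>
    </add>
  </input>
</nds>"""

# Hypothetical Subscriber Channel filter: the classes and attributes that may
# leave eDirectory for this application.  Anything not listed never leaves the
# directory, so the filter is the driver's least-privilege boundary.
SUBSCRIBER_FILTER = {
    "User": {"Surname", "Given Name", "hireDate"},
}
# Attributes the transformation rewrites (assumed custom attribute name).
DATE_ATTRIBUTES = {"hireDate"}


def apply_filter(root, flt):
    """Remove events whose class is not in the filter, and any attribute
    not listed for its class.  Mutates and returns the DOM."""
    inp = root.find("input")
    for event in list(inp):
        allowed = flt.get(event.get("class-name"))
        if allowed is None:
            inp.remove(event)
            continue
        for attr in list(event.findall("add-attr")):
            if attr.get("attr-name") not in allowed:
                event.remove(attr)
    return root


def transform_date(value):
    """Rewrite MM-DD-YY as 'Month D, YYYY', the article's 11-11-02 example.
    Two-digit years use strptime's pivot (00-68 -> 20xx), an assumption."""
    d = datetime.strptime(value, "%m-%d-%y")
    return f"{d:%B} {d.day}, {d.year}"


def transform_dates(root, attr_names):
    """Apply transform_date to every listed attribute that survived the filter."""
    for attr in root.iter("add-attr"):
        if attr.get("attr-name") in attr_names:
            value = attr.find("value")
            value.text = transform_date(value.text)
    return root


def process_subscriber_event(xml_text):
    """Filter, then transform, an event document.  Returns what the application
    shim would receive: a list of (class, src-dn, {attribute: value})."""
    root = ET.fromstring(xml_text)
    apply_filter(root, SUBSCRIBER_FILTER)
    transform_dates(root, DATE_ATTRIBUTES)
    delivered = []
    for event in root.find("input"):
        attrs = {a.get("attr-name"): a.find("value").text
                 for a in event.findall("add-attr")}
        delivered.append((event.get("class-name"), event.get("src-dn"), attrs))
    return delivered


if __name__ == "__main__":
    for cls, dn, attrs in process_subscriber_event(SAMPLE_EVENT):
        print(cls, dn, attrs)
```

Running the model delivers only the User event, with the Telephone Number attribute dropped and hireDate rewritten as November 11, 2002; the Printer event never leaves the directory. The filter is the part worth reviewing as carefully as an ACL: every attribute it lists is replicated into a system you do not administer from eDirectory, and an over-broad filter is a quiet data leak rather than a visible failure.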

Did You Know?

DirXML is the only metadirectory product currently in Gartner's Metadirectory Service Market Magic Quadrant. The Metadirectory Service Market Magic Quadrant is a measure of several factors that determine a metadirectory product's viability in the marketplace. (See "2H02 Metadirectory Service Market Magic Quadrant," Gartner Research Note, Markets, Aug. 19, 2002. This Research Note is available at www.gartner.com/reprints/novell/109261.html.)

In the Long Run

Although they are the easiest to quantify, short-term benefits are not the only benefits of a system that provisions access to network resources. Over the long term, such systems, which are commonly called employee provisioning systems, save companies money by improving security. Such systems simplify the process of preventing former employees from accessing network resources and thus minimize the risk that these employees' accounts will not be deleted, or will not be deleted quickly enough, to prevent security breaches.

Few companies realize how vulnerable they are in this respect, Burton Group analyst Kevin Kampman says. (Burton Group is an IT research, consulting, and advisory firm. For more information, visit www.burtongroup.com.) Kampman adds that calculating the amount of money companies potentially save by improving security in this area is difficult at best because security threats are intangible by nature. Nevertheless, Kampman believes that improving security with a provisioning system "represents as significant a return on investment over time" as short-term gains afforded by such a system.
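To make the deprovisioning risk above concrete, here is an added Python reconciliation check, not from the article or from Novell, that compares an authoritative HR feed against the account lists of downstream systems and reports accounts of terminated employees that are still enabled, together with accounts that no HR record owns. The HR and account data are constructed samples, and the record layouts are assumptions; the point is the kind of control a provisioning system automates, or that you can run periodically to see how long stale accounts survive.

```python
"""Added example: reconcile downstream account lists against the HR source
to find accounts that deprovisioning should already have disabled."""
from datetime import date

# Constructed sample data (not from the article).  The HR feed is the
# authoritative source; each downstream system lists (login, enabled).
HR_RECORDS = [
    {"emp_id": "1001", "login": "jsmith", "status": "active", "terminated": None},
    {"emp_id": "1002", "login": "bjones", "status": "terminated", "terminated": date(2002, 10, 20)},
    {"emp_id": "1003", "login": "rlee", "status": "terminated", "terminated": date(2002, 10, 30)},
]
SYSTEM_ACCOUNTS = {
    "eDirectory": [("jsmith", True), ("bjones", True), ("rlee", False)],
    "GroupWise": [("jsmith", True), ("bjones", True), ("tbrown", True)],
}
# Reporting date for the sample run (constructed).
AS_OF = date(2002, 11, 1)


def reconcile(hr_records, system_accounts, today):
    """Return one finding per problem account.

    kind "stale-enabled": HR says terminated but the account is still enabled;
                          lag_days counts days since the termination date.
    kind "orphan":        no HR record owns the login at all.
    Active staff, and disabled accounts of terminated staff, are not reported.
    """
    by_login = {rec["login"]: rec for rec in hr_records}
    findings = []
    for system, accounts in system_accounts.items():
        for login, enabled in accounts:
            rec = by_login.get(login)
            if rec is None:
                findings.append({"system": system, "login": login,
                                 "kind": "orphan", "lag_days": None})
            elif rec["status"] == "terminated" and enabled:
                findings.append({"system": system, "login": login,
                                 "kind": "stale-enabled",
                                 "lag_days": (today - rec["terminated"]).days})
    # Longest-overdue first so the report leads with the biggest exposure.
    findings.sort(key=lambda f: (-(f["lag_days"] or 0), f["system"], f["login"]))
    return findings


def max_lag_days(findings):
    """Worst deprovisioning delay in the report, or 0 when nothing is stale."""
    return max((f["lag_days"] for f in findings if f["lag_days"] is not None),
               default=0)


if __name__ == "__main__":
    report = reconcile(HR_RECORDS, SYSTEM_ACCOUNTS, AS_OF)
    for f in report:
        print(f"{f['system']:<11} {f['login']:<8} {f['kind']:<14} lag={f['lag_days']}")
    print("worst lag (days):", max_lag_days(report))
```

On the sample data the report lists bjones as still enabled in both systems twelve days after termination and flags tbrown in GroupWise as an account with no HR owner; rlee is not reported because the account was disabled. The worst-lag figure is the number to track over time, since it is the window during which a former employee's credentials still work.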

DirXML 1.1a Drivers

Nsure Resources includes several preconfigured Novell DirXML 1.1a components, including configuration files for DirXML drivers for popular human resource, messaging, and account and NOS systems. Following is a summary of DirXML drivers for which Nsure Resources does not provide configuration files. (For more information, visit www.novell.com/products/edirectory/dirxml/drivers. For DirXML 1.1a pricing, visit www.novell.com/products/edirectory/dirxml/pricing.html.)

  • DirXML Driver for Active Directory. You can configure this DirXML driver to synchronize information contained in Active Directory lists with information in Novell eDirectory User and Group objects. The application-specific Application Program Interface (API) and application-specific shim components of this DirXML driver run on NetWare 5 with Support Pack 4 or above and Windows 2000. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/activedir/pricing.html.)

    Note: DirXML drivers have three components: an application-specific API, an application-specific shim, and eXtensible Markup Language (XML) and eXtensible Style Sheet Language Transformation (XSLT) documents that comprise the rules, filters, and data transformations on drivers' Subscriber and Publisher Channels. You import these XML and XSLT documents into eDirectory 8.7, which runs on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT.

  • DirXML Driver 1.1a for Delimited Text 1.0. Using this DirXML driver, you can synchronize data between eDirectory and applications that are capable of exporting data to a file. By default, this driver supports data exchanges via both its Subscriber and Publisher Channels. You can configure the Subscriber Channel to receive information from text files and push this information to eDirectory. Conversely, you can configure the Publisher Channel to push information from eDirectory to a text file.

    By default, the DirXML Driver for Delimited Text supports two file formats: Comma Separated Value (CSV) and XML. However, you can create XSLT documents that can use data from any delimited file format. This DirXML driver runs on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/delimited/pricing.html.)

  • DirXML Driver for Exchange. You can configure this DirXML driver to synchronize information between eDirectory User and Group objects and Microsoft Exchange 5.5 mailboxes and distribution lists. Application-specific components of this DirXML driver run on any platform upon which eDirectory runs. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/exchange/pricing.html.)

  • DirXML Driver for LDAP. You configure this DirXML driver to synchronize information between eDirectory and one of the following Lightweight Directory Access Protocol (LDAP)-compliant directories: Sun Open Net Environment Directory (Sun ONE), IBM SecureWay Directory, Innosoft Directory Services, and Critical Path InJoin Directory. This DirXML driver runs on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/ldap/pricing.html.)

  • DirXML Driver for eDirectory. You configure this driver to synchronize information between two eDirectory trees running version 8.62 or above. (The DirXML Driver for eDirectory must be running on both trees.) This driver supports NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/nds/pricing.html.)

  • DirXML Driver for GroupWise. You can configure this DirXML driver to synchronize information between eDirectory and the GroupWise domain database. You can also configure this DirXML driver to automatically create, update, and disable user accounts in GroupWise. The DirXML Driver for GroupWise supports GroupWise 5.5, GroupWise 5.5 Enhancement Pack, and GroupWise 6. Application-specific components of this DirXML driver run on Windows XP, 2000 Professional Edition, and NT with Service Pack 5. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/groupwise/pricing.html.)

  • DirXML Driver for Lotus Notes. You can configure this DirXML driver to synchronize information in eDirectory with information in any version of the Lotus Notes R5 database. You can also configure this DirXML driver to create registered users in the Notes Address Book. This DirXML driver runs on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/notes/pricing.html.)

  • DirXML Driver for NT Domains. You can configure this DirXML driver to synchronize information in eDirectory 8.7 with Windows domain User and Group objects. The application-specific components of this DirXML driver run only on Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/nt/pricing.html.)

  • DirXML Driver 1.6 for JDBC. You can configure this DirXML driver to synchronize information between eDirectory and the following Java Database Connectivity (JDBC)-accessible relational databases: DB2 Universal Database (UDB) 7.x, Informix Dynamic Server 9.x, Sybase Adaptive Server 12.x, Microsoft SQL Server 7.x, and Oracle 8.x.

    This DirXML driver supports JDBC 1.0 character, numeric, and time data types. Application-specific components of the DirXML Driver for JDBC run on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, and Windows NT. (For information about pricing, visit www.novell.com/products/edirectory/dirxml/drivers/jdbc/pricing.html.)

  • DirXML Driver for PeopleSoft. You configure this DirXML driver to synchronize information in the PeopleSoft database with User and Group information in eDirectory. Application-specific components of this DirXML driver run on NetWare 5 with Support Pack 4 and above, AIX, Linux, Solaris, Windows 2000, and Windows NT. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/peoplesoft36/pricing.html.)

  • DirXML Driver for SAP HR. You configure this DirXML driver to synchronize information in the SAP HR database with User and Group information in eDirectory. Application-specific components of this DirXML driver run on the same platforms on which eDirectory runs. (For pricing information, visit www.novell.com/products/edirectory/dirxml/drivers/saphr/pricing.html.)

  • DirXML Driver 1.0 for IBM MQ Series. You configure this driver to synchronize information between business processes that are integrated using IBM MQ Series and eDirectory, thereby directory-enabling these processes. The DirXML Driver for IBM MQ Series application-specific components run on NetWare 6, IBM AIX, AS/400, HP-UX 10.20, HP-UX 11, Linux for Intel, Linux for S/390, Solaris, Windows 2000, and Windows NT.

You can also develop custom DirXML drivers using DirXML Driver Kits for Linux, NetWare and NT, and Solaris. (You can download these DirXML Driver Kits from http://developer.novell.com/ndk/downloadaz.htm.)

A Helping Hand

The following integration and consulting companies can help you plan, create, and set up Novell Secure Identity Management (SIM) solutions for your company. (For more information about SIM solutions, visit www.novell.com/news/leadstories/2002/oct16.) Some of the companies listed are international companies, and others are national or regional companies. The international companies are listed first.


COMPANY | URL | LOCATIONS
Bearing Point | http://www.bearingpoint.com/ | international
Cap Gemini Ernst & Young (CGE&Y) | http://www.cgey.com/ | international
Computer Sciences Corp. (CSC) | http://www.csc.com/ | international
Deloitte & Touche | www.deloitte.com/vs | international
PricewaterhouseCoopers | http://www.pwcglobal.com/ | international

COMPANY | URL | LOCATIONS
Advanced Communication Services | http://www.acswa.com/ | Washington
Alphanumeric | http://www.alphanumeric.com/ | North America
CenterLogic | http://www.centerlogic.com/ | Oregon
Compuquip Technologies | http://www.compuquip.com/ | Florida
DataTechnique Inc. | http://www.datatechnique.com/ | Kansas, Missouri
DSI Consulting Inc. | http://www.dsi-consulting.com/ | Pennsylvania, Virginia, Georgia, Oklahoma, Rhode Island, North Carolina, California
Goliath Networks | http://www.goliath.com/ | Wisconsin (will travel anywhere)
The Harding Group Inc. | http://www.harding-group.com/ | Texas
Data Integrity Inc. | http://www.dataintegritybr.com/ | Pennsylvania, New Jersey, Delaware, Connecticut
IT Systems & Consulting | http://www.itsgny.com/ | New York
Jaguar Computer Systems Inc. | http://www.jaguar.net/ | California
DynTek | http://www.dyntek.com/ | California, Louisiana, New York, Texas, Massachusetts, Michigan, Virginia, Florida
Entré Network Consulting Services | http://www.entrelaf.com/ | Louisiana
Integrated Network Systems LLC | http://www.integsys.com/ | Louisiana
Sparkhound | http://www.sparkhound.com/ | Louisiana
Maintech | http://www.maintech.com/ | New Jersey, California
Network Business Systems | http://www.nbsys.com/ | Alaska
Networks Inc. | http://www.netwinc.com/ | Hawaii
Novacoast Inc. | http://www.novacoast.com/ | California
Gracon Services Inc. | http://www.gracon.com/ | Michigan
AimNet Solutions | http://www.aimnetsolutions.com/ | Connecticut, Massachusetts, New York, and Florida
Netivity Solutions | http://www.netivitysolutions.com/ | Massachusetts
Info Services Group | http://www.goisg.com/ | Michigan
Attronica Computers Inc. | http://www.attronica.com/ | Virginia, Maryland
RDA Enterprises Inc. | http://www.rdanet.com/ | New York, California, Florida, Bucharest
Strategic Network Consulting | http://www.snc.net/ | Texas
SoftDev Inc. | http://www.softdev.org/ | Florida
Stratasys Group LLC | http://www.stratasys.net/ | Florida
Technology Integration Group | http://www.tig.com/ | California
The Wiring Company | http://www.thewiringco.com/ | North America, Europe, Japan, Australasia
G+H Netzwerk Design GmbH | http://www.netzwerk-design.de/ | Offenbach, Germany
Carpe Diem GmbH | http://www.carpediem.de/ | Wiesbaden, Germany
Vivex GmbH | http://www.vivex.de/ | Berlin, Germany
CSS | http://www.css.nl/ | Netherlands
Avantage | http://www.avantage.nl/ | Netherlands
AAC Cosmos | http://www.aacgroep.nl/ | Netherlands
Valtech | http://www.valtech.fr/ | France
Martinsson Informationssystem | http://www.martinsson.se/ | Sweden
Pulsen Integration AB | http://www.pulsen.se/ | Sweden
Dimension NetAssist | http://www.netassist.se/ | Sweden

* Originally published in Novell Connection Magazine

