
Novell Nsure Resources - The Road From Lab to Live


Linda Kennard

01 Nov 2002


As explained in the article titled "Provisioning Access to Network Assets: Get a Jump Start With Novell Nsure Resources," Novell Nsure Resources enables you to set up in your lab a generic system that provisions access to network resources. Such a system, commonly called an employee provisioning system, automates the processes of creating, modifying, and deleting user identity information across multiple systems.

One of several products in Novell's secure identity management (SIM) solution, Nsure Resources' generic employee provisioning system is based on preconfigured DirXML 1.1a components. These components include DirXML drivers for several popular human resource, messaging, and account and NOS directories, namely the following:

  • PeopleSoft (PeopleTools 7.5x and 8.1x)

  • SAP HR 4.6c or above

  • Microsoft Exchange 5.5

  • Active Directory with Exchange 2000

  • Novell GroupWise 5.5, 6.0, and 6.1

  • Lotus Notes R5

  • Novell eDirectory 8.62 and 8.7

  • Microsoft Active Directory

  • Microsoft NT 4

The generic Nsure Resources system you set up in your lab automates the creation, modification, and deletion of user account information across the systems you include in your Nsure Resources setup. Nsure Resources enables you to choose the following number and types of systems in your lab configuration:

  • One human resource system (PeopleSoft or SAP)

  • One messaging system (GroupWise, Exchange, or Lotus Notes)

  • One to three account and NOS directories (eDirectory, Active Directory, and Windows NT 4)

The drivers for these systems include, among other things, preconfigured rules and filters that enforce Nsure Resources' generic policies. These rules and filters are represented in eXtensible Markup Language (XML) and eXtensible Stylesheet Language Transformations (XSLT) documents. DirXML consults these documents to broker the exchange of information between the systems in your Nsure Resources setup. The rules and filters in these documents control the order in which events occur on your systems, the types of events that occur on each system, and the way these events occur.

You can have this generic provisioning system up and running in your lab within only days. Nsure Resources thus acts as a sort of catalyst to launch your company's efforts to implement a live provisioning system.

PHASING TO LIVE

Of course, transforming the generic provisioning system you create using Nsure Resources into a customized version of this system ideally suited for your live network can be a difficult process. Among other things, this process requires a thorough understanding of your company's business policies and the expertise to translate these policies into XML and XSLT documents.

Getting your generic system out of the lab and on to your live network requires the following phases:

  • Phase 1. Analyze your company's rules and processes associated with managing the user accounts Nsure Resources will provision

  • Phase 2. Customize the default configurations for Nsure Resources to automate the processes you pinpoint during Phase 1 and then test your customized system

  • Phase 3. Install Nsure Resources on your live network and import your customized drivers

Of course, as Jack Mullins, Novell provisioning solution line manager, points out, summarizing the phases involved in getting a provisioning system out of the lab and onto your live network risks understating the potential difficulty of these phases. To be fair, details regarding the work involved in completing these phases require more explanation than I can offer here in the space of a few pages.

However, I can at least provide you with a general picture of what these phases involve. In the process, I can also show you one example (admittedly a simple one) of how to modify one of Nsure Resources' generic XML documents to reflect a different policy. (This article requires a baseline understanding of Nsure Resources and assumes that you have read "Provisioning Access to Network Assets: Get a Jump Start With Novell Nsure Resources.")

WHAT'S YOUR ANALYSIS?

To begin the work of moving an employee provisioning system from the lab to a live network environment, you need a thorough understanding of your company's business policies for managing user-identity information. In all likelihood, most of Nsure Resources' default policies will not match exactly the policies in place at your company. For example, what's your company's policy for dealing with the accounts of terminated employees? Which systems in your company are considered the authoritative sources for what information? (For information on Nsure Resources' default policies, see the "Policies in Action" section in the article "Provisioning Access to Network Assets: Get a Jump Start With Novell Nsure Resources.")

These examples are admittedly simple. In fact, the policies underlying user-identity management can be very complex (particularly in large organizations). Consequently, analyzing your company's business policies can be among the most difficult phases involved in customizing a generic system based on Nsure Resources. For example, if you're in the healthcare industry, you face the Herculean task of understanding the policies and processes currently in place to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Because performing an in-depth analysis of existing policies can be complex and time-consuming, your company may benefit from outside expertise to complete this phase. Employing the aid of a Novell value added reseller (VAR), systems integrator, or consulting organization can decrease the amount of time it takes to analyze your company's existing policies. This, in turn, decreases the amount of time it takes to launch an Nsure Resources provisioning system on your live network and begin reaping a return on the investment.

A VAR, systems integrator, or consulting organization also can help your company identify inefficiencies in and problems with existing policies and processes. Your company thus can avoid automating these problem policies and processes.

In addition, a VAR, systems integrator, or consulting organization can help your company develop a long-term strategy for provisioning more policies and processes using the DirXML infrastructure upon which Nsure Resources is based. (For information about systems integrators and consulting companies that can help you set up an employee provisioning system, see "A Helping Hand." For a list of third-party companies that have products that support Novell Secure Identity Management solutions, see "Working Together.")

HAVE IT YOUR WAY

After you have a clear understanding of your company's business policies, you can begin the next phase: Customizing Nsure Resources to reflect and automate your company's policies.

A very early part of this customization phase is to add drivers to your initial lab setup to better mirror your live network. That is, in the initial configuration of Nsure Resources, you select one human resource system, one messaging system, and one to three account systems. However, you are not restricted to this handful of systems. You can later add drivers and even multiple instances of drivers to meet your business needs.

For example, perhaps you have more than one human resource system, each of which is the authoritative source for the data it maintains. Perhaps you have more than one messaging system and assign particular groups of users to these different systems. One group may use Lotus Notes while another group uses GroupWise. You may give some network users only a Windows NT 4 account and give other users both a Windows NT 4 account and an Active Directory account.

Whatever your specific case, Nsure Resources provides a starting point to enable you to get a sample provisioning system running quickly in your lab. The big effort is revamping this sample system to match your network environment.

The configuration phase, like the analysis phase, is time-consuming. Taking what you have working in your lab and making it work in your live environment is not as simple as moving what you've got. You might have a complex infrastructure in your network environment that simply does not match the simple configuration in your lab. For example, you might have multiple messaging systems, or you might have to move from the single-server environment in your lab to a multiple-server environment on your live network.

Whether or not your lab configuration closely matches your live configuration, customizing Nsure Resources at the very least puts you face-to-face with the task of translating your company's policies into XML and XSLT documents. Doing so requires expertise in XML and XSLT. If you do not have such expertise in-house, you will need the assistance of a Novell VAR, systems integrator, or consulting organization.

Even if you do have in-house XML and XSLT experts, seeking the aid of these outside specialists might still save you time (and money). For example, members of the Novell Consulting team regularly customize DirXML drivers and, consequently, know the process quite well. Mullins says that members of the Novell Consulting team typically require only days to complete a job. Depending on your level of expertise, this same job could take weeks to months.

At any rate and at the very least, as part of this phase, you customize Nsure Resources' preconfigured drivers to reflect your company's business policies. To give you an idea of how you customize Nsure Resources' drivers, consider the following example.

Suppose you work for a multinational company that has two GroupWise post offices: one post office for employees working in the U.S. and a second post office for employees working in Europe. Further suppose that in your Workforce Tree, you have created two User containers: US_Users and Europe_Users.

In Nsure Resources, the default Placement rule associated with the GroupWise driver's Subscriber Channel places all GroupWise users in the same post office. However, the Placement rule can be modified to base post office placement on an attribute value or the eDirectory User container.

In this case, you decide to modify the default Placement rule to determine post office placement based on the user's container. As you can guess, you want this rule to use this logic: If the user is in the US_Users container, place this user in the US GroupWise post office; if the user is in the Europe_Users container, place this user in the Europe GroupWise post office.

To modify the Placement rule to match your company's placement policy, you decide to use iManager, which you launch to browse for the GroupWise driver's Subscriber object. When you locate the Subscriber object (located in the GroupWise Driver object), you select this object's Placement Rule and click Edit XML.

iManager then displays the XML document that makes up the Placement rule on the GroupWise driver's Subscriber Channel. (See Figure 1.) You modify this XML document, changing the default Placement rule to match your company's GroupWise post office placement policy. (Novell's user documentation for DirXML 1.1a drivers includes detailed information about modifying rules and filters. For example, see "Novell DirXML Driver for GroupWise" at www.novell.com/documentation/lg/dirxml11.)

Figure 1
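The following Placement rule expresses the two-container policy described above. It is an added illustration, not the rule shipped with the GroupWise driver or the document shown in Figure 1; it uses the DirXML 1.x placement-rule XML format, and the tree name (WORKFORCE) and the GroupWise domain and post office paths are placeholders to be replaced with the DNs from your own tree.

```xml
<!-- Added example: Subscriber Channel Placement rule for the GroupWise
     driver that chooses the post office by eDirectory container.
     WORKFORCE, US_Domain\US_PO and EU_Domain\EU_PO are placeholders. -->
<placement-rules src-dn-format="slash" dest-dn-format="slash">

  <!-- Users created under US_Users go to the U.S. post office -->
  <placement-rule>
    <match-class class-name="User"/>
    <match-path prefix="\WORKFORCE\US_Users"/>
    <placement>\WORKFORCE\GW\US_Domain\US_PO\<copy-name/></placement>
  </placement-rule>

  <!-- Users created under Europe_Users go to the Europe post office -->
  <placement-rule>
    <match-class class-name="User"/>
    <match-path prefix="\WORKFORCE\Europe_Users"/>
    <placement>\WORKFORCE\GW\EU_Domain\EU_PO\<copy-name/></placement>
  </placement-rule>

  <!-- A User created in any other container matches neither rule, so
       the driver has no destination for it and the GroupWise account is
       not created. If your policy wants a default post office instead,
       add a third rule here with a <match-class> but no <match-path>.
       Check the GroupWise driver documentation cited above for the exact
       destination-DN form the driver expects in <placement>. -->

</placement-rules>
```

Test this in the lab by creating one user in each container and one outside both, and confirm in the driver's status log that only the first two were placed.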

During this customization phase, you test your system as it evolves. Predicting how long the customization and testing-to-perfection phase will last is nearly impossible. You test until you're certain that the system is perfect and ready for your live environment.

ALL SYSTEMS GO

After you have vested the time and effort required to reach this point, you are ready to begin the final phase in the process of transforming a generic provisioning system suitable for a lab into a customized system suitable for your live network. The final phase is to install Nsure Resources on your company's live network.

You install Nsure Resources on your live network by repeating part of the installation procedure you followed to install Nsure Resources in your lab: You install eDirectory and create a provisioning tree, install DirXML components, install Novell iManager and Novell eGuide, and import your customized drivers. As you did during the lab installation, you use web-based wizards in iManager to import your drivers. This time, however, you use the wizards to export the drivers from your customized Nsure Resources environment and import them into your production environment.

Using ConsoleOne or Novell iManager, you then activate these drivers. You activate and license each driver separately within 90 days of installation. (For more information, see "Activating Your DirXML Product" in the DirXML Administration Guide. You can find this document at www.novell.com/documentation.)

When Nsure Resources is running on your live network, you'll want to check out additional tools, such as the Reporting and Notification tool, that help keep your provisioning system running smoothly. (For more information, see "Reporting and Notification.")

IS IT WORTH THE TIME AND EFFORT?

With Nsure Resources, Novell provides you with a generic employee provisioning system that you can have running in your lab within only days. This generic system can thus jump-start the long process of implementing a customized version of such a system on your live network.

That said, customizing and reconfiguring your generic Nsure Resources lab setup to prepare it for your production network can take a considerable amount of time and effort. Is it worth it? Burton Group analyst Kevin Kampman thinks so. Kampman, like other analysts, believes that a significant number of companies will implement an employee provisioning system sooner or later because the rewards of doing so far outweigh the risks. What do you think?

Linda Kennard works for Niche Associates, which is located in Sandy, Utah.

Novell Connection, November 2002, pp. 20-25

Reporting and Notification

Suppose your company has used Nsure Resources to implement a system that automatically provisions access to network resources. This system, commonly called an employee provisioning system, has taken over the manual task of creating, updating, and disabling user accounts in your company's critical applications, directories, and databases. This employee provisioning system saves your company both time and money.

Naturally, your company has a vested interest in keeping this system operating smoothly. One step toward doing so is to ensure that you know immediately when certain crucial events--such as fatal errors--occur.

Fortunately, Nsure Resources takes advantage of a new Novell eDirectory service that can notify you when such events occur: the Reporting and Notification Service (RNS) 1.00. The RNS is also available with DirXML 1.1a, the latest version of DirXML and the version upon which Nsure Resources is based.

Using plug-ins for Novell iManager, you can configure RNS to notify you when any or all of the following events occur within your company's DirXML (or, in this case, Nsure Resources) system: fatal errors, errors, warnings, retries, and successes.

The RNS also records information about where these events occur and which eDirectory objects are affected by these events. (DirXML uses eDirectory as a central repository for user and DirXML information.) For example, RNS may record that an error occurred on a particular driver's Subscriber or Publisher Channel.

The RNS is the latest in a continuous line of improvements to DirXML status and error tracking, which started with DirXML 1.0. DirXML 1.0 sends log information to the DSTRACE screen and records it in the DIRXML.LOG or DSTRACE.LOG files.

DirXML 1.1 supports the DirXML 1.0 method for status and error tracking but also supports another method: DirXML 1.1 records event notifications in attributes on the DirXML Driver Set objects as well as the Publisher and Subscriber objects associated with a DirXML Driver object. You can use ConsoleOne to view the Status Log for the Driver Set, Publisher, or Subscriber objects.

DirXML 1.1a continues to support the two aforementioned methods but now takes advantage of the RNS method as well. The RNS enables you to record notification information in eXtensible Markup Language (XML) documents that RNS can send to you in a number of formats, including the following: a log file, an e-mail message, an LDAP directory entry, and a directory services event.

You can read the log files directly, or you can configure third-party reporting tools to process the information in the log files. For example, you can configure Crystal Decisions Crystal Reports to use information in an XML file to generate formatted reports. (For detailed information about how to configure Crystal Reports to use an RNS XML file, see "DirXML and the Reporting & Notification Service (RNS)," Novell AppNotes, Aug. 2002. You can download this article from http://developer.novell.com/research. For more information about Crystal Reports, visit http://www.crystaldecisions.com/.)

Working Together

In today's world, companies can never be too rich or too secure. Forget about being thin. Whatever your company does, whatever software you add to the network, you must ensure that only legitimate users access the network. After those users have access to the network, you must ensure that they can easily access the resources they need--but only those resources.

Novell's Secure Identity Management (SIM) solutions can help you secure your network and enable your company's users to access the resources they need. The following Novell partners provide products that support Novell's SIM solutions:

  • PeopleSoft: http://www.peoplesoft.com/

  • SAP: http://www.sap.com/

  • Siebel Systems Inc.: http://www.siebel.com/

  • Tibco Software Inc.: http://www.tibco.com/

  • Yahoo! Inc.: http://www.yahoo.com/

  • Hewlett-Packard: http://www.hp.com/

  • IBM: http://www.ibm.com/

  • Bea Systems Inc.: http://www.bea.com/

  • NetVision Inc.: http://www.netvision.com/

  • Metastorm Inc.: http://www.metastorm.com/

  • Protocom Development Systems: http://www.serversystems.com/

  • RF Ideas Inc.: http://www.pcprox.com/

  • ActivCard: http://www.activcard.com/

  • Arcot Systems Inc.: http://www.arcot.com/

  • BioID: http://www.bioid.com/

  • Biometric Access Corp.: http://www.biometricaccess.com/

  • BioPassword: http://www.biopassword.com/

  • Identix: http://www.identix.com/

  • Saflink Corp.: http://www.saflink.com/

  • SecuGen Biometric Solutions: http://www.secugen.com/

  • Secure Computing: http://www.securecomputing.com/

  • VASCO: http://www.vasco.com/

  • Veridicom Inc.: http://www.veridicom.com/

  • VisionSphere Technologies: http://www.visionspheretech.com/

* Originally published in Novell Connection Magazine
