This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Refer to our Web site (www.quest.com) for regional and international office information.
Patents
This product includes patent pending technology.
Trademarks
Quest, Quest Software, the Quest Software logo, ActiveRoles, Data Governance, Password Manager,
Quest One Identity Manager, Quick Connect and Webthority are trademarks and registered trademarks
of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest
Software’s trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks
and registered trademarks are property of their respective owners.
.NET logging library 1.0: Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. BSD 4.4 License.
Boost 1.34.1: Boost Software License - Version 1.0 - August 17th, 2003. Boost 1.0 License.
Dojo Toolkit 1.8.3: Copyright. All Rights Reserved. BSD Simple License.
Google APIs Auth Client Library 1.6.0.1: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.
Google APIs Auth MVC Extensions 1.6.0: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.
Google APIs Client Library for .NET 1.6.0 (Beta): Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.
Google Open Sans 1.0: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.
zlib 1.2.3: Copyright © 1995-2005 Jean-loup Gailly and Mark Adler. zlib 1.2.3 License.
zlib portable 1.9.2: Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler. zlib 1.2.7 License.
CONTENTS
CHAPTER 1  ABOUT THIS GUIDE  9
  QUEST ONE IDENTITY MANAGER®  10
  INTENDED AUDIENCE  10
  IDENTITY MANAGER DOCUMENTATION  10
CHAPTER 2  WORKING WITH JOB QUEUE INFO  11
  INTRODUCTION  12
  DESIGN OF THE USER INTERFACE  12
    TITLE BAR  12
    STATUS BAR  12
    MENU BAR  13
      CONTEXT MENUS  14
    TOOLBAR  15
    UPDATING THE VIEWS  15
    FILTERING THE VIEWS  15
    COLUMN CONFIGURATION  16
    CUSTOMIZING THE PROGRAM SETTINGS  17
    CHANGING THE PASSWORD FOR THE LOGGED IN USER  18
  JOB QUEUE VIEW  19
    REACTIVATING PROCESS STEPS  20
  JOB SERVER VIEW  21
  PROCESS HISTORY VIEW  21
  BASE OBJECT VIEW  23
  PROCESSES VIEW  23
  PROCESS STEP VIEW  25
  PARAMETER VIEW  26
    OUT PARAMETER VIEW  27
  PROGRESS VIEW  28
  DETERMINING THE STATE OF THE SERVER  28
  DBQUEUE VIEW  29
  STOPPING THE SYSTEM (EMERGENCY STOP)  31
CHAPTER 3  HANDLING PROCESSES IN THE IDENTITY MANAGER  33
  INTRODUCTION  34
  WORKING WITH THE PROCESS EDITOR  34
    MENU BAR AND TOOLBAR EXTENSIONS  35
    PROCESS EDITOR VIEWS  38
      FUNCTIONS IN THE PROCESS DOCUMENT  38
      FUNCTIONS FOR PROCESSES AND PROCESS STEPS IN THE EDIT VIEW  39
      FUNCTIONS IN THE PARAMETER AND EVENTS EDIT VIEW  39
      FUNCTIONS IN THE PROCESS VALIDITY CHECK VIEW  40
      FUNCTIONS IN COMPILER ERRORS VIEW  41
      FUNCTIONS IN THE SOURCE CODE VIEW  41
1 About this Guide
• Quest® One Identity Manager
• Intended Audience
• Identity Manager Documentation
Quest One Identity Manager
This guide describes the functionality of the Identity Manager that you can use to control Process Orchestration. You will discover how to define, edit, simulate and automate processes. You are provided with a summary of all the process components that can be used as process functions. The way you can configure the Identity Manager to monitor running processing and to recognize errors during process handling is also described. The Identity Manager helps you by providing detailed information about the status of process handling and with different views of the processing sequence.
Intended Audience
This guide is intended for system administrators, consultants, analysts, and any other IT professionals using the product.
This guide describes the default user functionality of the Identity Manager. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.
2 Working With Job Queue Info
• Introduction
• Design of the User Interface
• Job Queue View
• Job Server View
• Process History View
• Base Object View
• Processes View
• Process Step View
• Parameter View
• Progress View
• Determining the State of the Server
• DBQueue View
• Stopping the System (Emergency Stop)
Introduction
The Job Queue Info tool supports control of the current state of services running in an Identity Manager network. It gives a detailed and comprehensive overview of the requests in the “job queue” and the different requests that Identity Manager Service handles on the servers. This tool makes working with processes easier, delivers live status information and makes it faster to search for and recognize errors.
The graphical user interface can be controlled by mouse and key combinations. We recommend a minimum screen resolution of 1280 x 1024 pixels with at least 16 bit color in order to optimize the graphics display.
Design of the User Interface
The Job Queue Info graphical interface contains a title bar, a status bar, a menu bar, a toolbar and input panes. Within the input area there are different views representing the information.
Title Bar
The title bar shows the program icon, the name of the program and the connected databases using the notation <user>@<database server>\<database(description)>.
Status Bar
The status bar displays the database connections in the notation <server>\<database (description)>
and the system user connection. The system status is also displayed. Database activity such as loading
or saving objects is shown using symbols in the status bar.
Menu Bar
The menu bar contains several menus. The <Database> and <Help> menus are always shown. The <View> and <Filter> menus are only shown when a database is connected.
MENU ITEM MEANING
Settings...: Opens a dialog window for configuring the default program settings.
Filter > Define filter: The WHERE clause wizard is opened to assist in defining a filter.
Help > Emergency stop: Displays a dialog from which the system can be stopped.
Context Menus
Some elements of the input area have separate context menus. You open the context menus using the
key combination <shift+F10>, the context menu key or the right mouse button. The content of the
menu is dependent on the current view.
Toolbar
The toolbar is always shown. The icons are activated or deactivated depending on which views are displayed.
Toolbar
ICON MEANING
Delete filter.
Filtering the Views
and reloaded at program startup. Use the WHERE Clause Wizard to define filter conditions. You start the wizard by selecting the menu item <Filter>\<Define filter>. The menu item <Filter>\<Delete filter> deletes the filter condition again.
Enter the condition to limit the number of results. The condition is defined as a valid WHERE clause for the database query. The condition relates to the selected database table, which is filled in when the wizard is started.
Creating a Filter
Use the <Next> button to move to the preview. All entries are shown that correspond to this condition. If you use the <Next> button to reconfirm, the condition is displayed in SQL syntax. Use the <Back> button to return to the last view. Use the <Finished> button to accept the configuration or <Abort> to cancel the settings. In both of these cases the dialog box is closed.
Column Configuration
You can specify which columns should be displayed for each of the views, <Job queue>, <Job history>,
<Process history> and <Base objects>. To do this, select a node in the hierarchical tree and use the
context menu item <Configure columns> to open the column configuration dialog window.
Select the columns you want to display by moving through the list and accepting with the arrow but-
tons, and then change the order in which they are displayed. Select <OK> to accept the configuration
settings, select <Cancel> to abort the configuration. In both cases the dialog window is closed.
Column Configuration
The width of the columns can be varied in the views <Job queue>, <Job history>, <Process history>
and <Base objects>. The following user interaction has been implemented:
• The column is adjusted to the optimal size by double-clicking on the column sizing bar.
• All columns are optimized in size by double-clicking on the column sizing bar whilst holding
down the <Shift> key.
Customizing the Program Settings
• Language
Specify the program language. The changes come into effect after the program has been restarted. This sets the language globally for all Identity Manager programs and therefore the change does not have to be made separately for each program. Refer to Languages for Displaying and Maintaining Data on page 258 in the Configuration Guide for more information.
• Result limit
Specify a limit for the number of process or process step entries to be loaded and displayed.
• Server state
Enter the HTTP port for requesting the state of the job server that Identity Manager Service is working on. The default value is port 1880. You can also specify the timeout limit for state requests. This input is in seconds. Job servers that do not respond within this time limit are considered to be not available.
• Process history
You can use this setting to restrict the process history to displaying only processes that have failed. The setting does not affect how the process history is recorded, only how it is displayed.
The settings are applied with the <OK> button. The <Cancel> button aborts the changes. In both cases the window is closed.
Job Queue View
If a process node is opened, all the processes are shown with start times. The complete process is displayed with its hierarchy under such a process node. Each process step contains its success and failure branches as sub elements. The process information can be regularly updated by selecting the context menu item <Monitor process>.
ICON MEANING
Processes are grouped by name. The number of processes executed is displayed.
In order to improve the overview, the execution progress of a process step is mirrored in the color of the text.
COLOR MEANING PROGRESS STATE
Red: The process step being dealt with cannot be processed. Progress state: Frozen, Over limit or unknown. You can reactivate process steps with a progress state of “Frozen” or “Over limit” and therefore present them again for processing.
Reactivating Process Steps
To reactivate a process
• Select the process and select Restart process from the context menu.
All process steps are reprocessed when you restart a process. Therefore, all process steps handled up to the point the error occurred are processed a second time. This may result in data inconsistencies in certain circumstances.
Sometimes a rerun of the failed process step is not desired. This may be the case when the action to be carried out by the process has already been carried out manually, for example, an expected directory has been added by hand. Conversely, it may be necessary to rerun the process even though the error has not been fixed, for example to roll back steps that have already been processed.
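The difference between restarting a whole process and reactivating a single process step, and the data inconsistency the paragraph above warns about, can be seen in the following Python model. It is an added example and not code from the Quest guide or from the Identity Manager product; the process, its step names and the in-memory environment the steps act on are constructed for the demo.

```python
"""Toy model of restarting a process versus reactivating one process step.

Added example, not code from the Quest guide or from Identity Manager. It
reproduces the two behaviours the guide describes: restarting a process
reprocesses every step, so steps handled before the error run a second
time, whereas reactivating a step re-presents only a step whose progress
state is "Frozen" or "Over limit". The process, its steps and the
in-memory environment they act on are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, List

PENDING, PROCESSED, FROZEN, OVERLIMIT = "Pending", "Processed", "Frozen", "Over limit"
REACTIVATABLE = {FROZEN, OVERLIMIT}


@dataclass
class Step:
    name: str
    action: Callable[[dict], None]   # raises to model a failed process step
    state: str = PENDING
    runs: int = 0                    # how often the step's action was executed


@dataclass
class Process:
    name: str
    steps: List[Step]
    env: dict = field(default_factory=dict)   # constructed stand-in for the target system


def run_pending(proc: Process) -> bool:
    """Handle steps in order, skipping already processed ones; the first
    failing step becomes Frozen and processing stops. Returns True if all done."""
    for step in proc.steps:
        if step.state == PROCESSED:
            continue
        step.runs += 1
        try:
            step.action(proc.env)
            step.state = PROCESSED
        except Exception:
            step.state = FROZEN
            return False
    return True


def reactivatable(proc: Process) -> List[str]:
    """Steps the guide allows to be reactivated (Frozen or Over limit)."""
    return [s.name for s in proc.steps if s.state in REACTIVATABLE]


def restart_process(proc: Process) -> bool:
    """Restart process: every step is handled again, including the ones
    that already succeeded."""
    for step in proc.steps:
        step.state = PENDING
    return run_pending(proc)


def reactivate_step(proc: Process, name: str) -> bool:
    """Reactivate a single Frozen/Over limit step; earlier steps stay processed."""
    step = next(s for s in proc.steps if s.name == name)
    if step.state not in REACTIVATABLE:
        raise ValueError(f"{name} is {step.state}; only Frozen/Over limit steps can be reactivated")
    step.state = PENDING
    return run_pending(proc)


def make_process() -> Process:
    """Constructed sample: add a home directory, then set permissions on it.
    The directory step is deliberately not idempotent, and the ACL step
    fails until the environment is marked as fixed."""
    def add_directory(env: dict) -> None:
        env.setdefault("dirs", []).append("/srv/home/jdoe")

    def set_acl(env: dict) -> None:
        if not env.get("acl_backend_fixed"):
            raise RuntimeError("ACL backend unavailable")
        env["acl"] = "rwx------"

    return Process("Create home directory",
                   [Step("AddDirectory", add_directory), Step("SetAcl", set_acl)])


def restart_scenario() -> Process:
    """Fail on SetAcl, fix the cause, then restart the whole process."""
    proc = make_process()
    run_pending(proc)
    proc.env["acl_backend_fixed"] = True
    restart_process(proc)
    return proc


def reactivate_scenario() -> Process:
    """Fail on SetAcl, fix the cause, then reactivate only that step."""
    proc = make_process()
    run_pending(proc)
    proc.env["acl_backend_fixed"] = True
    reactivate_step(proc, "SetAcl")
    return proc


if __name__ == "__main__":
    for label, proc in (("restart", restart_scenario()), ("reactivate", reactivate_scenario())):
        runs = {s.name: s.runs for s in proc.steps}
        print(f"{label:10} runs={runs} dirs={proc.env['dirs']}")
```

After the restart the directory step has run twice and the constructed environment holds the directory entry twice; after reactivation it holds it once. Making every step idempotent (checking whether the directory already exists before creating it) is what removes the inconsistency risk of a full restart; where a step cannot be made idempotent, reactivating only the failed step is the safer choice.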
Job Server View
ICON MEANING
Displays the job server whose process function is currently executing. The number of different processes per job server is shown.
Displays the executing process function. The number of executed process steps per process function is shown.
Customizing the Program Settings on page 17. If you select a failed process step, the entire error message is shown in a tooltip.
ICON MEANING
The step being dealt with here is a follow-on step in a success branch. The executed process function and the state of the process step are shown.
The step being dealt with here is a follow-on step in a fail branch. The executed process function and the state of the process step are shown.
In order to improve the overview, the execution progress of a process step is mirrored in the color of the text.
Processes View
This view gives an overview of how process steps are linked within a process. In this way, the execution
sequence of individual process steps for large processes can be monitored better.
After selecting a process in the job queue view or the job server view, the process steps of the selected process are displayed in the <Process> view.
View of a Process
The process step and its properties are displayed through a special control element. The progress state and the name of the process step are shown in the header of the control element. The progress state of the process step is further clarified by the use of a color icon. All other entries represent the parameters for this process step. You can hide or show the parameter list by clicking on the icon in the header of the control element.
Each entry in the control element has a tooltip. The process step tooltip contains the name of the executing queue, the progress state as well as the start time of the process step. The parameter tooltip shows the parameter name and the value of the parameter.
ICON MEANING
Shows the progress state of the process step. Each progress state is labeled in color.
COLOR MEANING PROGRESS STATE
Red: The process step being dealt with cannot be processed. Progress state: Frozen, Over limit or unknown. You can reactivate process steps with a progress state of “Frozen” or “Over limit” and therefore present them again for processing.
You can copy the currently selected data in the view into the clipboard with the key combination <ctrl + C>. The data format is:
Parameter View
After selecting a process step in the job queue or job server view, the passing parameters of the selected process step with name and value are displayed in the <Parameter> view. If the selected node does not represent a process step, the parameter view is cleared.
You can copy the currently selected data in the view into the clipboard with the key combination <ctrl +
C>. The data format is:
Out Parameter View
Job Queue Info cannot determine technically when or for which process step this parameter applies. Therefore, out parameters are added to a parameter list for a process step (marked in blue).
You cannot see the parameters in the <Process step> view under <ParamIN> because this view shows the data structure of each process step at compile time and the out parameters are created within the context of the process.
The time at which the process is loaded into Job Queue Info is important. If a parameter is overwritten several times, only the state at the time of the data query is displayed.
Example:
If the process in Job Queue Info is loaded before step 2 is processed, the value “X=1” is shown for the out parameter in Job Queue Info. If the process is loaded after step 2 has been processed, the out parameter shows the value “X=2”.
You can find more detailed information about each process step and how the parameters are filled in the Identity Manager Service log file.
Progress View
In the progress view, the number of entries in the job queue is queried. The current value is represented as a number and inserted into a bar graph at the same time. The process step progress state is shown in different colors. The display is updated every 5 seconds.
Progress View
COLOR MEANING
Black Number of process steps that are not ready for processing. False
Determining the State of the Server
the Designer in the category <Base data>\<Schedules>. For more information, read Setting Up and Configuring Schedules on page 254 in the Configuration Guide.
You can request the state of all the job servers available in the database with the <F5> key. To obtain the state of an individual server, select <Refresh state> in the context menu. The maximum timeout for requests and the HTTP port are specified in the program settings. For more information, see Customizing the Program Settings on page 17.
If the server responds, the system time, the Identity Manager Service version and the Identity Manager Service account name are determined and displayed. The software update status as well as the current version of the software is also displayed.
Use the context menu item <Open in browser> to display the different Identity Manager Service services by querying the Identity Manager Service HTTP server.
Use the context menu item <Stop processing> if you need to temporarily stop the job server from processing the queue; use <Start processing> to continue processing the queue.
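The state request described here and in the program settings (HTTP port, default 1880, and a timeout in seconds after which a job server counts as not available) can be reproduced outside the tool, for example from a monitoring host. The following Python script is an added example and not part of the Quest guide or of Identity Manager Service; the request path /status, the reply text and the server names are assumptions constructed for the demo, and the demo probe stands in for the network so the script runs offline.

```python
"""Poll job servers over HTTP and classify them as available or not.

Added example, not code from the Quest guide or from Identity Manager
Service. It follows the behaviour the guide describes: each job server is
asked for its state on a configurable HTTP port (default 1880) with a
timeout in seconds, and a server that does not answer within that time is
treated as not available. The request path "/status" and the reply text
are assumptions; the server names in the demo are constructed.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

DEFAULT_PORT = 1880          # default HTTP port named in the program settings
DEFAULT_TIMEOUT_S = 5.0      # state request timeout, configured in seconds

Probe = Callable[[str, float], str]   # (url, timeout) -> reply body, raises on failure


@dataclass
class ServerState:
    name: str
    available: bool
    detail: str      # reply body when available, failure reason otherwise


def http_probe(url: str, timeout: float) -> str:
    """Default probe: a single HTTP GET that gives up after `timeout` seconds."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read(4096).decode("utf-8", errors="replace").strip()


def query_server(name: str, port: int = DEFAULT_PORT,
                 timeout: float = DEFAULT_TIMEOUT_S,
                 probe: Probe = http_probe) -> ServerState:
    """Ask one job server for its state; any failure within the timeout
    window makes the server 'not available', as the guide specifies."""
    url = f"http://{name}:{port}/status"   # assumed path, not documented on the page
    try:
        body = probe(url, timeout)
    except (socket.timeout, TimeoutError):
        return ServerState(name, False, "timeout")
    except (urllib.error.URLError, OSError) as exc:
        # URLError wraps connection refusals and DNS failures; report the class name
        return ServerState(name, False, type(exc).__name__)
    return ServerState(name, True, body)


def query_all(names: Iterable[str], port: int = DEFAULT_PORT,
              timeout: float = DEFAULT_TIMEOUT_S,
              probe: Probe = http_probe) -> Dict[str, ServerState]:
    """Equivalent of pressing <F5>: refresh the state of every job server."""
    return {n: query_server(n, port, timeout, probe) for n in names}


def unavailable(states: Dict[str, ServerState]) -> List[str]:
    """Names of servers that should be flagged as not available, sorted."""
    return sorted(n for n, s in states.items() if not s.available)


def demo_probe(url: str, timeout: float) -> str:
    """Constructed stand-in for the network so the example runs offline:
    one healthy server, one that hangs past the timeout, one that refuses."""
    if "jobsrv-ok" in url:
        return "Identity Manager Service; time=2013-05-06T10:00:00; account=svc_imjob"
    if "jobsrv-slow" in url:
        raise socket.timeout(f"no reply within {timeout}s")
    raise urllib.error.URLError(ConnectionRefusedError("connection refused"))


if __name__ == "__main__":
    for state in query_all(["jobsrv-ok", "jobsrv-slow", "jobsrv-down"],
                           probe=demo_probe).values():
        flag = "available" if state.available else "NOT AVAILABLE"
        print(f"{state.name:12} {flag:14} {state.detail}")
```

Replacing demo_probe with the default http_probe turns this into a real poll. Because the state reply reports the service version and the service account name, as the guide notes, the HTTP port should only be reachable from administration and monitoring hosts.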
DBQueue View
When data which is relevant for inheritance is changed within Identity Manager, for example, modifications to assignments or changes in particular system data, such as system user interface changes, the resulting data needs to be recalculated. The requests are queued in the DBQueue and processed by the DBScheduler.
The <DBQueue> view displays the requests in the table “DialogDBQueue” that are waiting to be processed by the DBScheduler. The number, sort order and name of the queued requests are displayed. The display is updated in a fixed time interval of 2 seconds.
DBQueue View
The DBScheduler is executed at regular intervals by a database schedule “VID_DBScheduler”. You can also start the request computation manually if necessary, provided you have the required administrative permission. By clicking the icon in the program’s status bar you can open a dialog window which shows the status of the SQL Server Agent, the status of the DBScheduler and information about pending tasks in the DBQueue.
The SQL Server and DBScheduler status information is shown on the <Processing state> tab. You can start the DBScheduler server-side over the SQL Server Agent (<Start agent> button) or directly using the logged on user’s connection (<Start immediately> button). The <Pending tasks> tab shows the currently pending tasks in the DBQueue. These are processed the next time the DBScheduler runs. The newest entries in the system log are displayed on the <Journal> tab (see also Recording Message in System Journal on page 85). Close the dialog window with the <Close> button.
Stopping the System (Emergency Stop)
If you have the necessary administration permissions, you can stop and start the system using the menu item <Emergency Stop> in the <Help> menu.
The DBScheduler can be stopped by selecting the <DBScheduler> button. From this point on no new computations are carried out in the database. After the problem has been fixed, the DBScheduler can be started again using the same button.
You can stop the collection of process steps for all Identity Manager Services with the <Identity Manager Services> button. Process steps that have already been collected are still processed but no new process steps are sent to the services. After the problem has been fixed, the services can be started again using the same button.
The following icons are displayed in the status bar of all administration tools to inform the user that the DBScheduler and services have been stopped.
3 Handling Processes in the Identity Manager
• Introduction
• Working with the Process Editor
• Defining Processes
• Executing Processes Automatically
• Process Components
Introduction
The principle of Identity Manager allows actions and workflows to be assigned to specific events. For example, the steps that need to be executed in order to add a user account to the database can be described in the form of a workflow. In this case, each action is represented by a process step and workflows are transformed into processes by linking the process steps together.
Menu Bar and Toolbar Extensions
MENU MENU ITEM MEANING KEY COMBINATION
Process step New Adds a new process step into the process document.
The editor has its own toolbar that you can show or hide by using the context menu. The view selection determines which icons are disabled or enabled.
Toolbar
ICON MEANING
Deletes a process.
Exports a process.
Imports a process.
Searches for a process step and imports it into the process document.
Deletes the process step from the list but retains it in the clipboard.
Process Editor Views
• Process document
• Edit view for processes and process steps
• Edit view for events and parameters
• Process validity check view
• Compiler error messages
• Source code view
• Simulation view
Functions in the Process Document
The process document contains special control elements that allow a process to be displayed and edited with its process steps. A separate document is opened for each process. Read Working with the Process Document on page 42 for more details about handling a process document.
Functions for Processes and Process Steps in the Edit View
In this edit view you can change the properties of processes and process steps. The process or process step properties that are shown depend on which elements are selected in the process document. There is a default context menu available for the input fields.
Functions in the Parameter and Events Edit View
This edit view enables you to alter the event properties for a process or the parameters for a process step. Either parameters or events are shown depending on which element is selected in the process document. You can directly edit the entry with a simple mouse click.
The view has its own toolbar. The functions relate to either parameters or events depending on the selection.
Functions in the Process Validity Check View
The result of the validity check is displayed in this view and is retained until the next validity check. By clicking on an error message in the view, the corresponding process or process step is displayed in the process document.
Functions in the Compiler Errors View
Errors that occur when a process is compiled are displayed in this view. By clicking on an error message in the view, the corresponding process or process step is displayed in the process document.
Functions in the Source Code View
The source code is displayed if errors occur during compilation. This view is only for displaying the source code; it cannot be edited here. When you double-click on a message in the compiler errors view, it jumps to the corresponding row in the source code view.
When you change to the simulation view, a wizard is started that tests how a process is generated. The functionality of this wizard is described in more detail in Simulating Process Generation on page 65.
When you enter a “$” character in an input field that is expecting a VB.Net expression, an input list is opened. This displays all the properties for the current object. A tooltip with a more detailed description of the property is also shown. If you select a FK column, you can navigate to the columns of the associated table with the arrow keys. Exit the selection on the target column with <Enter> or by double-clicking with the mouse. Now the complete dollar notation for your selection is displayed. Use <Esc> or exit the input field to close the list without accepting any data.
ICON MEANING
Primary key.
Left arrow, right arrow: Swaps from FK to parent object or back to the child object respectively.
Working with the Process Document
New: Creates a new process step element for editing a process step.
Use connectors to link the elements to each other. Activate the connection points with the mouse. Once a connection is selected, the mouse cursor changes to an arrow shape. Hold down the mouse button and pull the connector from one connection point to the next. To delete a connection, select a connection end-point and confirm the deletion request that appears. The connection to the control element is deleted.
Arranging a Process
You can change the layout position of control elements in the process document using the mouse. Each element has a tooltip. The contents of these tooltips are made up of the name, the process or process step description, and the process function description.
Double-click on the process or process step element to open the respective edit view, where you can make your changes.
The processes and process step entries are not created in the Identity Manager database until the com-
plete process is saved over the change log in Designer. After this, other users can use the
Process Editor to make changes to the process. However, it cannot be generated yet. The process has
to be compiled before it can be generated. The layout positions of the processes and process steps are
also saved in the Identity Manager database, along with their contents.
Defining Processes
Processes are edited and displayed in the category <Process Orchestration> in Designer. Apart from the default processes supplied by us and customer specific processes, you also get an overview of the process components with their process tasks and parameters. You can also set up process plans that are available for triggering processes on a cyclical basis.
A process step is an instruction to carry out a particular action by a vi* process component. A process generator (Jobgenerator) is responsible for converting script templates in processes and process steps into a concrete process in the ’Job queue’. Decision logic monitors the execution of the process steps and determines how processing should continue depending on the results of the executed process components. So-called process tasks are used to perform single elementary tasks at system level, for example, adding a directory. A process component consists of one or more process tasks and its parameters. Process components are defined in the tables “Jobcomponent”, “Jobtask” and “Jobparameter” along with their process tasks and parameters. These definitions are maintained by us in the database migration and cannot be edited.
The following illustration shows a chain of process steps with which you can add an employee, set up an Active Directory user account for him or her and finally add a mailbox.
You can reproduce this sequence in a process. However, you can also define entry points for other processes. The result of entering at point ‘process 1’ is the addition of an employee with an Active Directory account with a mailbox. Joining at entry point ‘process 2’ only results in the addition of an Active Directory user account with a mailbox.
Editing Processes
In order to create a custom process you can:
All the default processes that are supplied by us are labeled with the strings “VI_” or “VID_”. These processes can only be minimally changed and are updated by migration. Label your custom processes with your customer prefix.
Use the Process Editor to edit and create processes. To edit an existing process select it in the category <Process Orchestration> in Designer. Start the Process Editor by selecting the task <Edit process ‘XY’>. To create a new process start the Process Editor by running the task <Create new Process>. Use the process edit view to enter data for the process.
• Process name
The name of a process has to be unique. All the default processes that are supplied by us are labeled with the prefix “VI_” or “VID_”. Label your custom processes with the appropriate customer prefix.
• Base object
Select the base object (table) from the list. The process is based on the results from this object.
• Description/Comment
Enter an additional description and information for the process.
• Recording process information
Process information allows you to monitor all the processes that are executed in Identity Manager. Read Setting Up Process Information for Process Handling on page 276 about setting up process information for a process.
• Process UID
Shows the process UID. This cannot be edited.
When a process is being handled, the generating pre-script is executed first and then the generating condition is evaluated.
The pre-script is executed before the other scripts. For example, you can define global variables in the pre-script that can be used later within processes and process steps for generating conditions, server selection scripts or parameters.
• Generating condition
You can define a condition in VB.Net syntax that is used to determine whether it is necessary to generate the process. If a generating condition is given, the process is only generated if the condition is fulfilled. The standard syntax is described in Using Scripts on page 310 in the Configuration Guide. Example scripts are in the SDK.
• Do not generate
Use this option to decide whether the process should be generated. If the option is set, the process is not generated and cannot be compiled.
If the option <Do not generate> is set for this process, it remains in the ’set’ state during migration and is not reset.
Local process variables are in local memory when a process is generated. They are used to determine
values within a pre-script on a one-off basis, which can then be used within the process and its process
steps, for example, in generating conditions, server selection scripts or in parameters.
It is recommended to set local process variables only in the pre-script and to access them
read-only on further use.
Pre-script syntax:
values("Name") = "value"
Value = values("Name")
You can find further examples in Pre-scripts for using in Processes and Process Steps on page 315 in
the Configuration Guide.
You can use additional global variables provided by the connection object to control process generation. These variables are valid as long as the connection exists. All custom variables defined for the connection object can be used in addition to predefined variables. You can define custom global variables through scripts, methods or the Customizer and use them in processes.
During process handling the pre-script for generation is executed first and then the generating condition is evaluated. It is also recommended that you evaluate global variables used in the generating condition in the pre-script. This can prevent unnecessary data access.
If you defined a custom connection variable, it should be removed again afterwards. Otherwise, it stays there when the connection is subsequently used and may lead to incorrect processes being generated.
Example
The process should only be generated for a full synchronization. The connection variable “FullSync” is used for this. This variable is set by all synchronizers and has the values “True” or “False”. The variable is available for all processes generated during full synchronization.
The variable “FullSync” is evaluated in the generating pre-script and in the generating condition. This means it is already determined in the pre-script whether the process must be generated or not.
Generating pre-script:
If CBool(Connection.Variables("FULLSYNC")) Then
values("name1") = "value1"
values("name2") = "value2"
values("name3") = "value3"
End If
Generating condition:
Value = CBool(Connection.Variables("FULLSYNC"))
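The generation order above (pre-script first, then the generating condition) and the connection-variable leak the note above warns about, modelled in stand-alone Python as an added example; this is not Identity Manager code, and the process names, the CUST_SKIPMAIL variable and the helper functions are constructed.

```python
"""Model of process generation with connection variables and local process variables.

Added example, not Identity Manager's own code. It follows the order the guide
gives: the generating pre-script runs first and fills the local `values`
collection, then the generating condition is evaluated. Connection variables
such as FULLSYNC live on the connection object and outlive a single generation,
so a custom connection variable that is not removed again can change what the
next process generated on the same connection does. Process names and the
CUST_SKIPMAIL variable are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Connection:
    """Stands in for the connection object; its variables persist between generations."""
    variables: Dict[str, str] = field(default_factory=dict)


Script = Callable[[Connection, Dict[str, str]], None]
Condition = Callable[[Connection, Dict[str, str]], bool]


@dataclass
class ProcessDefinition:
    name: str
    pre_script: Script
    condition: Condition
    do_not_generate: bool = False


def cbool(text: str) -> bool:
    """Approximates VB.Net CBool for the string values 'True' and 'False'."""
    return str(text).strip().lower() in ("true", "-1", "1")


def generate(proc: ProcessDefinition, conn: Connection) -> Tuple[bool, Dict[str, str]]:
    """One generation run: returns (process generated?, local process variables)."""
    if proc.do_not_generate:
        return False, {}
    values: Dict[str, str] = {}
    proc.pre_script(conn, values)                # 1. pre-script fills local values
    return proc.condition(conn, values), values  # 2. generating condition decides


# The guide's FullSync example: read FULLSYNC once, decide in the pre-script.
def fullsync_pre(conn: Connection, values: Dict[str, str]) -> None:
    if cbool(conn.variables.get("FULLSYNC", "False")):
        values["name1"] = "value1"
        values["name2"] = "value2"


def fullsync_cond(conn: Connection, values: Dict[str, str]) -> bool:
    return cbool(conn.variables.get("FULLSYNC", "False"))


FULLSYNC_PROCESS = ProcessDefinition("CUST_FullSyncOnly", fullsync_pre, fullsync_cond)


# A pre-script that sets a custom connection variable and never removes it.
def leaky_pre(conn: Connection, values: Dict[str, str]) -> None:
    conn.variables["CUST_SKIPMAIL"] = "True"


# The corrected form: copy what is needed into local values, then remove it again.
def tidy_pre(conn: Connection, values: Dict[str, str]) -> None:
    conn.variables["CUST_SKIPMAIL"] = "True"
    values["skipmail"] = conn.variables["CUST_SKIPMAIL"]
    del conn.variables["CUST_SKIPMAIL"]


def always(conn: Connection, values: Dict[str, str]) -> bool:
    return True


LEAKY_PROCESS = ProcessDefinition("CUST_Leaky", leaky_pre, always)
TIDY_PROCESS = ProcessDefinition("CUST_Tidy", tidy_pre, always)


# A later process on the same connection whose condition must not see CUST_SKIPMAIL.
def mail_cond(conn: Connection, values: Dict[str, str]) -> bool:
    return not cbool(conn.variables.get("CUST_SKIPMAIL", "False"))


MAIL_PROCESS = ProcessDefinition("CUST_SendMail", lambda conn, values: None, mail_cond)


def mail_generated_after(first: ProcessDefinition, conn: Connection) -> bool:
    """Generate `first`, then MAIL_PROCESS on the same connection; report the latter's result."""
    generate(first, conn)
    generated, _ = generate(MAIL_PROCESS, conn)
    return generated
```

With the leaky pre-script the mail process is silently skipped on the reused connection; with the tidy one it is generated as intended.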
In order to prevent bulk changes you can specify how long each process can remain in the Job queue. Use the values <Threshold (warning)> and <Threshold (disable)> to do this. You can use the database script “SDK_SetLimitationCount_in_Jobchain” to initially fill the process data. You can find this script in the SDK.
If the warning threshold is exceeded, a message is sent by email to a specified recipient. Prerequisites for using the notification system are an SMTP host set up for sending mail and activation of the configuration parameter for mail notification.
If the disable threshold is exceeded, the affected processes are given the status “Overlimit” in the Job queue. These processes are no longer collected by Identity Manager Service for processing and remain in the Job queue. You can reactivate the process steps with “Overlimit” status in the program “Job Queue Info”. Refer to Reactivating Process Steps on page 20 for details.
Predefined Events
EVENT COMMENT
Insert Event created when an object is created. Available for all objects.
Update Event created when an object is changed. Available for all objects.
Delete Event created when an object is deleted. Available for all objects.
Execute Event created by DBScheduler when the execution time of a delayed operation is reached.
Other events are provided by the Customizer. These events are described in the Customizer documentation. You can define other custom events to trigger processes. For example, custom events can be triggered with a database schedule to handle processes on a specific time schedule.
Editing Events
Use the Process Editor to create and edit events. Select a process in the Process Editor and select the
process element in the process document. All the events that are defined for the process are shown in
the event edit view.
You can edit an event directly by clicking on it with the mouse once. Use the toolbar in the edit view to add events. Open the dialog window for editing the data using the icon on the toolbar. Accept the changes with the <OK> button or discard them with the <Cancel> button. In both cases the dialog window is closed.
Setting up Events
• Event name
• Base object
The base object is already predefined in the process definition and cannot be changed.
• Sort order
If several processes refer to the same base object event, you can specify the order for generating the processes.
• Process information
You can store a formatting rule for the process information to record events in the process tracking (see Setting Up Process Information for Process Handling on page 276).
Use the Process Editor to create and edit process steps. To edit an existing process step, open the process in the Process Editor and select the process step element in the process document. Use the menu item <Process step\New> to create a new process step in the edit view. Enter the data for the process step in the process step edit view.
You can specify the following general properties for a process step:
You need to specify which server should handle the process step in each individual case. You can define a server mask or write a script to select the execution server. The selection of the server should always end with a unique result. The selection script is evaluated first to determine the server. If a server cannot be determined in this way then the server mask is evaluated. The first server that is found is used for executing the process step.
The usual server roles are defined in the server mask, e.g. PDC or Master SQL Server. Use the server mask if you can determine the server uniquely with it.
Domain controller Domain controller (target system Active Directory). Servers that are not labeled as domain controller are considered to be member servers.
SAM synchronization server Server for synchronization with a Windows NT environment, where a PDC is implicitly assumed as synchronization server. Make sure that there is only one SAM synchronization server per domain.
Home server Home servers are available once a user account is added.
Master SQL Server The Master SQL Server is already entered into the database during initial migration.
Inventory server Query and result files for automatic hardware and software inventory are stored on this server.
SMTP Host Identity Manager Service can send emails via this server. Prerequisite for sending mail with Identity Manager Service is that the SMTP host is configured.
Identity Manager Service installed This option is set for the server whose queue will be processed. This does not necessarily mean that Identity Manager Service is running on this physical server. The option is not automatically removed, which means that you can reset this option if the server’s queue is no longer active.
NTFRS base Server This is the source server for Windows NT File Replication (NTFRS). Only one server of this type can be defined per domain.
Lotus Notes Gateway Server Gateway server synchronizing Identity Manager with the Lotus Notes environment.
Profile server Profile servers are available to the user for setting up profile directories.
UNS generic server Server for generic UNS synchronization with a target system.
If it is not possible to decide which server should be used, based on the server mask (e.g. if several mail servers exist), you can use a server script to determine it in more detail. The standard script syntax is described in Using Scripts on page 310.
To determine a server with a selection script you can use VB.Net statements that:
Alternatively, you can enter the queue that the process step should process in the selection script. Every Identity Manager Service has a unique queue identifier within the overall network. Process steps are requested by the Job queue using these exact queue names.
DIRECT:<Queue>
Example:
Value = "DIRECT:\Server01"
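The script-then-mask selection order described above, modelled in stand-alone Python as an added example (not Identity Manager code; the server inventory, queue names, role labels and selection scripts are constructed). It also includes the check a practitioner wants before relying on a mask alone: whether the mask identifies exactly one server.

```python
"""Model of execution-server selection for a process step.

Added example, not Identity Manager's own code. It models the order given in
the guide: the server selection script is evaluated first; if it yields no
server, the server mask is evaluated and the first matching server is used.
A script may also name a queue directly in the DIRECT:<Queue> form. Server
records, queue names and role labels below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

DIRECT_PREFIX = "DIRECT:"


@dataclass(frozen=True)
class Server:
    name: str
    queue: str          # unique queue identifier of the Identity Manager Service on it
    roles: Set[str]     # roles set in the server mask, e.g. "Domain controller"


@dataclass
class ProcessStep:
    name: str
    server_mask: Set[str]   # every role in the mask must be set on the server
    selection_script: Optional[Callable[[Dict[str, str]], Optional[str]]] = None


class SelectionError(Exception):
    """The selection did not end with a usable server."""


def select_queue(step: ProcessStep, servers: List[Server], obj: Dict[str, str]) -> str:
    """Return the queue the step is requested on, following script-then-mask order."""
    # 1. Selection script first. It may return a server name or DIRECT:<Queue>.
    if step.selection_script is not None:
        value = step.selection_script(obj)
        if value:
            if value.startswith(DIRECT_PREFIX):
                return value[len(DIRECT_PREFIX):]
            for srv in servers:
                if srv.name == value:
                    return srv.queue
            raise SelectionError(f"{step.name}: script named unknown server {value!r}")
    # 2. Server mask: the first server carrying all roles of the mask is used.
    candidates = [s for s in servers if step.server_mask <= s.roles]
    if not candidates:
        raise SelectionError(f"{step.name}: no server matches mask {sorted(step.server_mask)}")
    return candidates[0].queue


def mask_is_unique(step: ProcessStep, servers: List[Server]) -> bool:
    """Validity check: True when the mask alone identifies exactly one server."""
    return sum(1 for s in servers if step.server_mask <= s.roles) == 1


# Constructed server inventory.
SERVERS = [
    Server("DC01", r"\DC01", {"Domain controller"}),
    Server("MAIL01", r"\MAIL01", {"SMTP Host"}),
    Server("MAIL02", r"\MAIL02", {"SMTP Host"}),
    Server("SQL01", r"\SQL01", {"Master SQL Server"}),
]

# The mask alone is enough here: only one Master SQL Server exists.
SQL_STEP = ProcessStep("RunSQL", {"Master SQL Server"})


# Two SMTP hosts make the mask ambiguous, so a script picks one from object data
# and falls back to the mask (first match) for everything else.
def pick_mail_server(obj: Dict[str, str]) -> Optional[str]:
    return "MAIL02" if obj.get("Ident_Domain") == "emea" else None


MAIL_STEP = ProcessStep("SendMail", {"SMTP Host"}, pick_mail_server)

# A script that addresses a queue directly, as in Value = "DIRECT:\Server01".
DIRECT_STEP = ProcessStep("CopyProfile", set(), lambda obj: r"DIRECT:\Server01")
```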
If a specific condition is not fulfilled at a particular point in the process step, Identity Manager Service can repeat the process step. By enabling the option <Wait mode on errors> the process step is executed again depending on the data in the fields <Latency (min)> and <Retries>.
Label process steps that are only required for branching the process with the option <Split processing>. An example could be a process step that checks for the existence of a directory. The next process step to be processed is either the step on success or the step on error (without generating an error message) depending on the return value.
Use the option <Ignore errors> to specify whether an error during process step handling should be ignored. In this case the following process step is still carried out despite the previous step not being correctly processed.
If the process step is labeled with the option <Stop on error> and an error occurs while handling the process step, the process step remains in the Job queue and is given the status “Frozen”. In this case, no more process steps are collected by Identity Manager Service for processing and they remain in the Job queue. You can reactivate the process steps with “Frozen” status in the program “Job Queue Info”. Refer to Reactivating Process Steps on page 20 for details.
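The four step options above, worked through in a stand-alone Python model added here (not Identity Manager code; the step chains, the directory check and the flaky copy action are constructed): it shows which step runs next for each option and when a step ends up “Frozen”.

```python
"""Model of how a process step's result is handled by the options described above.

Added example, not Identity Manager's own code. It models <Wait mode on errors>
with <Latency (min)> and <Retries>, <Split processing>, <Ignore errors> and
<Stop on error> (the step stays in the Job queue as "Frozen" and nothing
further is collected). Step chains and actions below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Step:
    name: str
    action: Callable[[], bool]           # True = success, False = error
    on_success: Optional["Step"] = None
    on_error: Optional["Step"] = None
    split_processing: bool = False
    ignore_errors: bool = False
    stop_on_error: bool = False
    wait_mode_on_errors: bool = False
    latency_min: int = 0
    retries: int = 0


@dataclass
class Outcome:
    executed: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)   # steps that raised an error
    frozen: Optional[str] = None                      # step left with status "Frozen"
    waited_min: int = 0                               # total latency spent in wait mode


def run_chain(step: Optional[Step]) -> Outcome:
    out = Outcome()
    while step is not None:
        ok = step.action()
        attempts = 0
        # Wait mode: repeat the step after the latency, at most <Retries> times.
        while not ok and step.wait_mode_on_errors and attempts < step.retries:
            out.waited_min += step.latency_min
            attempts += 1
            ok = step.action()
        out.executed.append(step.name)
        if ok:
            step = step.on_success
            continue
        if step.split_processing:
            # Branching step: take the error branch without raising an error.
            step = step.on_error
            continue
        out.errors.append(step.name)
        if step.stop_on_error:
            # The step stays in the Job queue as "Frozen"; nothing further is collected.
            out.frozen = step.name
            break
        step = step.on_success if step.ignore_errors else step.on_error
    return out


def flaky(fail_times: int) -> Callable[[], bool]:
    """Constructed action that fails `fail_times` times and then succeeds."""
    state = {"left": fail_times}

    def action() -> bool:
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True
    return action


def scenario_dir_check(dir_exists: bool) -> Outcome:
    """Split-processing step: create the directory only when the check fails."""
    add_mailbox = Step("AddMailbox", lambda: True)
    make_dir = Step("CreateDir", lambda: True, on_success=add_mailbox)
    check = Step("CheckDir", lambda: dir_exists, on_success=add_mailbox,
                 on_error=make_dir, split_processing=True)
    return run_chain(check)


def scenario_wait_mode(failures: int) -> Outcome:
    """Wait mode with latency 5 min and 2 retries; freezes if the retries run out."""
    done = Step("Done", lambda: True)
    copy = Step("CopyFile", flaky(failures), on_success=done, wait_mode_on_errors=True,
                latency_min=5, retries=2, stop_on_error=True)
    return run_chain(copy)


def scenario_ignore_vs_stop(ignore: bool) -> Outcome:
    """A failing step with either <Ignore errors> or <Stop on error> set."""
    done = Step("Done", lambda: True)
    fail = Step("DeleteTemp", lambda: False, on_success=done,
                ignore_errors=ignore, stop_on_error=not ignore)
    return run_chain(fail)
```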
the Master SQL server event log. Prerequisites for using the notification system are an SMTP host set up for sending mail and activation of the configuration parameter for mail notification.
If the option <Log errors to journal> is set, error messages from process handling are recorded in the system log. Error messages from process handling can be recorded in the process history. Read Recording Messages in the Process History on page 84 and Identity Manager Service Logging on page 85 for more information.
You have the possibility to send a message when a process step has succeeded or when it has failed. A prerequisite for using the notification system is to set up an SMTP host for mail delivery and to set the configuration parameters. In order to configure process step notification, enable the options <Notification (success)> and <Notification (error)> in the edit view. After this, two new tabs appear for inputting the message information.
You need to enter all the input in VB.Net syntax. Standard script syntax is described in Using Scripts on
page 310. The syntax required for creating language dependent data is explained in Using #LD
Notation on page 318.
Messages are only sent during processing if all the data is entered for a case (failure, success)!
The process “VID_SendMail” (table “DialogDatabase”) is used to send email messages from process handling. This process uses the database procedure “vid_InsertForSendMail”. To customize this process, create a copy of the process and customize the copy.
You can make use of the following configuration parameters when you configure mail notification.
TargetSystem\ADS\DefaultAddress Default mail address for messages for actions in the Active Directory.
TargetSystem\LDAP\DefaultAddress Default mail address for messages for actions in the LDAP.
TargetSystem\Notes\DefaultAddress Default mail address for messages for actions in the Notes.
TargetSystem\SAPR3\DefaultAddress Default mail address for messages for actions in the SAP R/3.
TargetSystem\EBS\DefaultAddress Default mail address for messages for actions in the EBS.
Compulsory parameters are immediately entered into the process step when the process task is selected. Then, you need to enter any optional parameters individually. When a parameter is added, the value template is copied from the parameter template. Templates for parameter values are mostly predefined, for example, procedures that evaluate object UIDs and note them accordingly.
You edit process step parameters in the Process Editor. Open the process in the Process Editor and select the process element in the process document. All the parameters required for the process step are defined in the parameter edit view.
Select the process step in the process document and make the parameter assignment in the edit view. You can directly edit these by simply clicking once. Use the button on the toolbar to open a dialog for editing the data. Accept the changes with the <OK> button or discard the changes with <Cancel>. In both cases the dialog is closed.
Configuring a Parameter
• Parameter name
The name of a parameter should not be changed. Exceptions to the rule are the special process component parameters “HandleObjectComponent” and “LDAPADSIComponent”. Furthermore, the parameter extensions for the target system specific process components have to be renamed. Refer to Additional Steps for Target System Extension Synchronization on page 396.
• Hidden
Use this option to specify whether the parameter should be shown in the Identity Manager
Service log file and in the program “Job Queue Info”. Values for hidden parameters are shown
as <HIDDEN>. Only “viadmin” system users have access permission to see these parameters
in Job Queue Info.
• Encrypted
Use this option to specify whether the parameter is encrypted before being passed. If the option is already set in the parameter template, the parameter should also be encrypted when it is passed. Read Encrypting Database Information on page 77 about encryption.
• Value template
When a parameter is added, the value template is copied from the parameter template. Define
value templates in VB.Net syntax. The standard script syntax is described in Using Scripts on
page 310. You can reset the default values with the <Sample> button in the parameter edit
dialog.
The syntax is described in detail in Using Scripts on page 310. The following statements can be used for
allocating values:
• Empty
• Object columns or columns of a related object
Syntax:
Value = $<column name>:<data type>$
Value = ${FK(<foreign key column>).}<column name>:<data type>$
Example:
Value = $Lastname$
Value = $PasswordNeverExpires:bool$
Value = $FK(Ident_Domain).Description$
• Parameter from the optional parameter collection
Syntax:
Value = $PC(<parameter name>)$
Example:
Value = $PC(SRCUID_Application)$
• OUT parameter
Parameters of type OUT and INOUT are parameters in a process component that can output a value. This value is available to all following process steps and can be used to set IN parameters.
When you use OUT parameters you need to take care that these contain data at runtime. Otherwise the literal text “&OUT(<parameter name>)&” is passed on when the value is processed, which means that the variable is not replaced.
Syntax:
Value = "&OUT(<parameter name>)&"
Example:
Value = "&OUT(FileSize)&"
• Global variables that are set by the setup program
Syntax:
Value = Variables("<variable name>")
Example:
Value = Variables("GENPROCID")
Value = Connection.Variables("FULLSYNC")
• Process or process step variables created locally by a pre-script
Syntax:
Value = values("Name")
Example:
Value = Values("FirstHomeServer")
• From configuration parameter requests:
The full path for the configuration parameter always has to be entered.
Syntax:
Value = Connection.GetConfigParm("<full path>")
Example:
Value = Connection.GetConfigParm("TargetSystem\ADS\RestoreMode")
• VB.Net
Enter any VB.Net statement.
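The $...$ and &OUT(...)& placeholder forms listed above, resolved by a stand-alone Python model added here (not Identity Manager's own resolver; the sample account row, the domain lookup table, the parameter collection and the OUT values are constructed). It applies the :<data type> suffix, follows FK() references, reads the parameter collection, and leaves an &OUT()& marker unreplaced when the OUT parameter carries no value, as the note on OUT parameters describes.

```python
"""Resolver for the $...$ and &OUT(...)& placeholders used in parameter value templates.

Added example, not Identity Manager's own code: a stand-alone model of the
placeholder forms $Column$, $Column:type$, $FK(col).Column$, $PC(name)$ and
&OUT(name)& so the substitution rules can be tried on constructed data.
The object row, foreign-key link, parameter names and values are constructed.
"""
import re
from typing import Any, Dict, Optional

# Matches $Lastname$, $PasswordNeverExpires:bool$, $FK(Ident_Domain).Description$, $PC(SRCUID_Application)$
_DOLLAR = re.compile(
    r"\$(?:FK\((?P<fk>[A-Za-z0-9_]+)\)\.)?"
    r"(?:PC\((?P<pc>[A-Za-z0-9_]+)\)|(?P<col>[A-Za-z0-9_]+))"
    r"(?::(?P<type>[A-Za-z]+))?\$"
)
# Matches &OUT(FileSize)&
_OUT = re.compile(r"&OUT\((?P<name>[A-Za-z0-9_]+)\)&")


def _convert(raw: Any, type_name: Optional[str]) -> Any:
    """Apply the ':<data type>' suffix; without a suffix the raw value is returned."""
    if type_name is None:
        return raw
    t = type_name.lower()
    if t == "bool":
        return str(raw).strip().lower() in ("true", "1", "-1")
    if t == "int":
        return int(raw)
    return raw


class TemplateContext:
    def __init__(self, obj: Dict[str, Any], tables: Dict[str, Dict[str, Dict[str, Any]]],
                 fk_table: Dict[str, str], params: Dict[str, Any], out_params: Dict[str, Any]):
        self.obj = obj                # columns of the base object
        self.tables = tables          # table name -> primary key -> row
        self.fk_table = fk_table      # foreign key column -> referenced table
        self.params = params          # optional parameter collection for $PC()$
        self.out_params = out_params  # OUT/INOUT values from earlier process steps

    def _row(self, fk: Optional[str]) -> Dict[str, Any]:
        """The base object itself, or the related object behind a foreign key column."""
        if fk is None:
            return self.obj
        return self.tables[self.fk_table[fk]][self.obj[fk]]

    def _value(self, m: "re.Match") -> Any:
        if m.group("pc") is not None:
            return self.params[m.group("pc")]
        return _convert(self._row(m.group("fk"))[m.group("col")], m.group("type"))

    def _out(self, m: "re.Match") -> str:
        # An OUT parameter with no value at runtime is left as the literal marker.
        value = self.out_params.get(m.group("name"))
        return m.group(0) if value is None else str(value)

    def resolve(self, template: str) -> str:
        """Substitute every placeholder inside a string template."""
        text = _DOLLAR.sub(lambda m: str(self._value(m)), template)
        return _OUT.sub(self._out, text)


def resolve_value(template: str, ctx: TemplateContext) -> Any:
    """A template that is exactly one $...$ placeholder keeps its typed value; otherwise a string."""
    m = _DOLLAR.fullmatch(template)
    if m is not None:
        return ctx._value(m)
    return ctx.resolve(template)


# Constructed sample data: an account row with a link to its domain.
SAMPLE_CTX = TemplateContext(
    obj={"Lastname": "Doe", "PasswordNeverExpires": "True", "Ident_Domain": "corp.example"},
    tables={"ADSDomain": {"corp.example": {"Description": "Corporate domain"}}},
    fk_table={"Ident_Domain": "ADSDomain"},
    params={"SRCUID_Application": "APP-0001"},
    out_params={"FileSize": 4096, "Checksum": None},
)
```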
Enter a search string and use the search options to specify which objects should be searched for. The given objects are searched for internally by a WHERE clause. If several objects are found they are appended, internally, with a ’Join’ condition.
Start the search process using the appropriate toolbar icon. The process steps that are found are displayed in the result list. Select the process steps you want from the list and import them into the process document with the appropriate icon in the toolbar or by double clicking in the process document. Finally, link the process step into the process.
fields with different values are highlighted with an icon in the process step edit view. The value in the input field is copied to the selected process steps when the changes have been saved.
Copying a Process
You can create a copy of a process with a new name. Start the copy wizard from the menu item <Process>\<Copy...> in the Process Editor. Use the <Next> button to move onto the next stage, and the <Back> button to return to the previous step. The <Cancel> button discards any changes and closes the wizard.
The wizard start up screen displays the name of the process to be copied. The next step is to name the new process and set the copy options. The following options are available:
If you have set the copy option <Rename process steps> you can rename each process step in the next mask. You can change these by clicking on the new process name.
The next dialog window displays all the actions that are going to be executed by the copying process. Select the <Start> button to start the copy process. During the process the action that is currently being executed is displayed in a status bar.
Comparing Processes
In order to determine the differences between two processes, open the dialog window for comparing processes with the menu item <Process>\<Compare process...> in the Process Editor. Select the two processes, <Process A> and <Process B>, to be compared. Use the button next to the selection lists to start the comparison. Differences in the processes are highlighted in the output text.
To start an import from an XML file in the database, select the menu item <Process>\<Import> or select the category <Process Orchestration> and the task <Import processes>.
To test generating a process, load the process in the Process Editor and start the simulation from the menu item <Process>\<View>\<Simulation view> or from the entry <Start new simulation> in the Editor’s toolbar. This starts a wizard. The wizard takes you through each step in the simulation process. Use <Next> to move onto the next step and <Back> to return to the previous step. The <Cancel> button discards all changes and closes the wizard.
Selecting Events
ICON MEANING
Default event.
Custom event.
Specify for which object the event should be simulated in the next step.
Processes that are generated with parameter collections need defined parameters and passing values
(for example “SourceDir” copying profiles). No parameter collection is used for processes generated for
the default events (insert, update, delete).
Specify which preprocessor conditions should be taken into account when a process is being generated.
In the next step, start the generation simulation from the <Finished> button. The simulation process can take some time. The assemblies generated are saved locally on the workstation on which the simulation is executed. A simulation does not, therefore, have any effect on other users.
When a process is being simulated the <Do not generate> option is taken into account. After the simulation is complete the generated processes are shown in the process document.
The process steps are shown in color depending on the generation result.
Double-click on a successfully generated process step to show the properties and parameters with concrete values in the edit window.
After the simulation is complete you can look at the process generator log.
You can swap between the edit view and the simulation view using the menu <Processes>\<View> in
order to make any further changes. Every simulation process is entered into the simulation item on the
toolbar so that you can repeat the simulation without having to set it up again.
The result of the validity check is shown in the <Validity check> view and is retained until a new validity check is run. If you double-click on an error message, you jump to the corresponding entry in the process document which you can edit.
ICON MEANING
No error found.
Error
Warning, information
Compiling a Process
Once you have created, imported or made changes to a process, you need to compile it. The process
cannot be generated until it has been compiled.
Compiling takes place for each base object, that means that all processes are translated that belong to a base object. The assemblies generated are saved locally on the executing workstation. During translation, the source is checked for errors. Therefore, this process can take some time.
There are two methods for compiling a process in the Process Editor:
• Local compilation
Use this method to compile a process for testing.
• Compilation enters the assemblies in the main database.
If the process has been test compiled, use this method to add the assemblies that are generated into the main database after compiling the process. Once the changes have been integrated the altered processes are immediately available in the system. Start the compilation with the menu item <Process>\<Compile and save in the DB>.
Load the process in the Process Editor and start the compiler process. Start local compiling from the
menu item <Process>\<Compile>. To start compiling with assembly transfer to the main database, use
the menu item <Process>\<Compile and save in the DB>.
Error messages are displayed in the <Compiler error> window. If you double-click on an error message, you jump to the corresponding entry in the process document which you can then edit.
If errors occur during compilation, the source code is displayed. This view is only for viewing the source
code. It cannot be edited here. When you double-click on a message in the window <Compiler error>,
you jump to the corresponding row in the source code view.
If several users are editing a base object of a process at the same time it is possible that error messages are sent to other users. However, these cannot be changed by such users.
The following items are added to the menu bar once the editor has started.
Start process plan now The selected process plan is executed immediately. Sets up a process to execute the process plan in the Identity Manager database.
Show captions Toggles the list view between the technical identifiers and the captions in the user’s login language.
The editor has its own toolbar that you can show or hide by using the context menu. The icons are disabled or enabled depending on which view is selected.
Toolbar
Editor Views
The editor has several views for displaying and editing schedules:
The editor list view displays all the process plans, the time they were last executed and the next planned execution time. Use the context menu <Select columns...> to open the dialog window for column configuration. Specify which properties should be shown additionally in the list and the order they should be shown in. You can also specify the width of the columns and the text alignment.
ICON MEANING
The process plan was not executed. This state can occur if the task could not be executed to plan or if the schedule was re-enabled and the time had not been reached for the initial run.
Edit process Opens the editor for the process which is executed by the process plan.
Execute The selected process plan is executed immediately. A process for executing it is queued in the Identity Manager database.
Select columns... A dialog window is opened for selecting the columns displayed in the list.
Navigation Other editors that you can apply to the selected item are shown.
You can edit the properties for a process plan in the edit view. There is a default context menu available
for the input fields.
Edit View
• Name
Process plan name. Use the button next to the input field to enter a translation for multilingual
usage.
• Base object (table)
Select the base object (table names) to which the process plan is going to be applied.
• Event
Select the event which is going to be executed. All base object events are listed for new process
plans. You can find more information about this in Events for Process Generation, page 50 ff.
• Activation schedule
Select the schedule that contains the execution time for the process plan. Use the <Add> button next to the menu to create a new schedule.
For more information see Setting Up and Configuring Schedules on page 254 in the
Configuration Guide.
• Max. execution time (hours)
Enter the number of hours after which the process plan should automatically quit.
• Description
Enter a detailed description of the process plan.
• Condition
Here you have the option to specify the base object query further. The input must satisfy the
“Where clause” syntax for database queries.
• Parameter
List of parameters that are set when the process is generated from this process plan.
Example:
Cyclical synchronization of an Active Directory environment with the Identity Manager database is started by the process plan “AD Synchronization (configuration: Load AD target system)” for the Active Directory domains. The synchronization configuration “Load AD target system” is to be applied. The plan is set up as follows:
Event FULLSYNC_ADS
You can execute the process plan immediately from the context menu item <Execute> or the
menu item <Process plan>\<Start process plan now>. The process is queued in the
Identity Manager database.
You can see which process is triggered from the context item <Edit process>.
Process Components
Process components and their process tasks form a framework that all process steps can be based on. The tables “Jobcomponent”, “JobTask” and “Jobparameter” define the complete range of Identity Manager’s own process components and process tasks with the associated parameters. The information available for the process components is added through migration and cannot be edited.
You can get a complete overview of the process components and their process tasks and parameters in the report <Process components> in the category <Documentation>\<System configuration Reports>.
COMPONENT DESCRIPTION
DelayComponent This process component controls the start time of the following process steps.
HandleObjectComponent This process component runs default and custom events for database objects. Each assigned default process is generated as in the front-ends (i.e. Manager). The component also makes it possible to initiate so-called CustomEvents for triggering object related generation of a special process.
ReportComponent This process component can create reports and export them in various file formats (e.g. report.pdf).
SQLComponent This process component runs SQL queries and can be used to determine the number of data records and the existence of data records.
SubversionComponent This process component runs Subversion operations. The program “SharpSVN”, version 1.5, is required as a prerequisite for using the process component (download from: http://sharpsvn.open.collab.net/servlets/ProjectProcess?pageID=3794).
All process components with their process tasks and parameters are displayed in the category <Process
Orchestration>\<Process components> in Designer.
• Assembly name
• Component class
• Description of component functionality
• Max. instances
This value defines the maximum number of instances of this process component that can run on a Job server.
The value is only used if the maximum number of instances of a process function is set to “0”. Otherwise, the value applies that is set for the process function.
• System component
Use this property to specify if the process component belongs to the system data model or the
application data model.
• Defined by Quest
This input is provided by us and cannot be changed. Process component definitions are overwritten by migration and cannot be edited apart from a few special properties. This property is not set for custom process components.
• Edit status
The edit status is used for creating custom configuration packages.
Process tasks are used to carry out single basic jobs at system level, for example, adding directories.
One or more process tasks and their parameters are grouped into process components. The following
properties are displayed for a process task.
• Execution type
The execution type specifies whether the process component for the process task should be executed by Identity Manager Service (internal) or in its own process (external).
• Last step in the partial process tree
This input specifies whether a process task generally marks the end of a partial process tree.
• Operating system class
This input specifies the operating system that the process task can be run on. Permitted values
are “Win32”, “Linux” and “ALL” where the value “ALL” specifies that this process function can
be run on any operating system.
• Edit status
The edit status is used for creating custom configuration packages.
When a process is created, the parameter templates for the process task are copied and entered in the process step. This means you can give different parameter values to every process step that this process task uses. The original is not changed. The following properties are shown for a parameter:
• Parameter name
• Process function affiliation
• Parameter description
• Parameter type
Permitted values are IN, OUT and INOUT.
Parameters of type OUT and INOUT are parameters in a process component that can output a value. This value is available to all following process steps and can be used to set IN parameters.
• Label parameter as mandatory or optional parameter
• Value template
When a parameter is added to a process step, the value template is taken from the parameter
template. Define the value template in VB.Net syntax. The general script syntax is described
in Using Scripts on page 310.
• Hidden
This option specifies whether the parameter is shown in the Identity Manager Service log file and in the program “Job Queue Info”. Values for hidden parameters are shown as <HIDDEN>. Only the system user “viadmin” has permission to see this parameter in Job Queue Info.
• Encrypted
This option specifies whether the parameter is encrypted when it is passed.
4 Process Debugging
• Introduction
• Recording Messages in the Process History
• Recording Messages in the System Journal
• Identity Manager Service Logging
• Process Generation Logging
• Database Query Logging
• Object Action Logging
• Logging DBScheduler Tasks
Introduction
Identity Manager offers several possibilities for tracking down errors during the processing of process steps. These include:
The program “Job Queue Info” supports monitoring of the current state of services running on an Identity Manager network. It provides a detailed and clear overview of the tasks in the Jobqueue and the different Identity Manager Service queries to the servers. This program makes it easier to work with processes, supplies status information at run-time and allows errors to be quickly recognized and debugged. You will find a description of the program in the manual “Job Queue Info” and under Working With Job Queue Info on page 11.
Recording Messages in the Process History
Messages about process steps that have been processed are controlled using the configuration parameter “Common\ProcessState\JobHistory”.
If the configuration parameter is set, the process steps that have been processed are recorded in the table “JobHistory”. The value of the configuration parameter specifies the range of messages to be recorded.
VALUE MEANING
ALL All process steps that are processed are recorded in the process history.
ERROR Only failed process steps are recorded in the process history.
The process history can be analyzed with the help of the “Job Queue Info” program.
Data records in the process history are exported from the Identity Manager database at regular intervals. There are several methods available to do this. You can read more in Archiving Procedure Setup on page 294.
Recording Messages in the System Journal
The system journal is used to store information, warning and error messages from different components of Identity Manager, for example, DBScheduler, Database Transporter or Identity Manager Service. Actions in the program “Job Queue Info”, such as reactivating process steps, are also written to the system journal.
Process steps have to be labeled with the option <Log error to journal> in order to record errors in process handling in the system journal. For more information read How to Handle Errors during Process Step Handling on page 55.
The system journal is shown in the error log view of the program “Identity Manager”. Read more in Displaying the Error and System Logs on page 175. System messages that are recorded during processing by the DBScheduler can also be viewed in the administration tools (see DBScheduler Computational Tasks Data on page 58).
The entries in the system journal are deleted regularly from the Identity Manager database. All entries that are older than the maximum storage period (configuration parameter “Common\Journal\LifeTime”) are deleted. This is done by the scheduled task “Delete journal”, which you configure and start with the Schedule Editor.
Identity Manager Service Logging
In order to create the Identity Manager Service log file there is a module “FileLogwriter” that needs to be customized in the Identity Manager Service configuration file. All the parameters and settings are described in The Log Writer Module on page 70.
The name of the log file is given using this module (parameter “OutputFile”). You need to ensure that the directory given for the file exists. If the file cannot be created, no error message can be written to it. In this case the error messages appear in the event log under Windows or in /var/log/messages under Linux.
Furthermore, the amount of information written to the log file is specified using this module. Only warnings and fatal errors are logged by default. By setting the message type (parameter “LogSeverity”), however, you can extend the range of messages that are logged.
Message Types
TYPE MEANING
Info All messages are written to the log file. The log file quickly becomes large and cumbersome.
Warning Only warnings and fatal errors appear in the log file (default).
Serious Only fatal errors are written to the log file (exceptions).
The parameter “LogLifeTime” specifies the maximum age of a log file. If the log file has reached the maximum age, the file is renamed (e.g. “JobService.log_20040819-083554”) and a new log file is created.
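The LogSeverity and LogLifeTime behaviour described above, modelled in Python as an added example (not Quest code and not the Identity Manager Service implementation): a severity threshold, rotation with the documented rename pattern, and the <HIDDEN> masking of parameters flagged Hidden in the previous chapter. The d.hh:mm:ss lifetime format is taken from the loglifetime value in the sample Jobservice.cfg later in this manual; the parameter names and timestamps in the sample run are constructed.

```python
"""Added Python model (not the Identity Manager Service code) of the FileLogWriter
behaviour described above: LogSeverity filtering, LogLifeTime rotation with the
documented rename pattern, and <HIDDEN> masking of parameters flagged Hidden."""
from datetime import datetime, timedelta

# Message types in ascending severity. A configured LogSeverity admits its own
# type and everything more severe, so Warning = warnings and fatal errors.
SEVERITY_RANK = {"Info": 0, "Warning": 1, "Serious": 2}
HIDDEN_MARKER = "<HIDDEN>"


def parse_lifetime(value):
    """Parse a .NET TimeSpan string in d.hh:mm:ss form (e.g. "0.01:00:00" is one
    hour, as in the sample Jobservice.cfg later in this manual); hh:mm:ss also works."""
    days = 0
    if "." in value:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_logged(configured_severity, message_severity):
    """True if a message of the given type passes the configured LogSeverity."""
    return SEVERITY_RANK[message_severity] >= SEVERITY_RANK[configured_severity]


def rotated_name(output_file, when):
    """Name of a log file that reached its maximum age,
    e.g. JobService.log -> JobService.log_20040819-083554."""
    return "%s_%s" % (output_file, when.strftime("%Y%m%d-%H%M%S"))


def format_parameters(parameters, hidden):
    """Render process step parameters as DebugMode would log them: the value of
    every parameter whose name is in `hidden` is replaced by <HIDDEN>."""
    return ", ".join("%s=%s" % (name, HIDDEN_MARKER if name in hidden else value)
                     for name, value in parameters.items())


class FileLogWriter:
    """In-memory stand-in for the module: `files` maps file name -> list of lines."""

    def __init__(self, output_file="JobService.log", log_severity="Warning",
                 log_lifetime="0.01:00:00", created=None):
        if log_severity not in SEVERITY_RANK:
            raise ValueError("LogSeverity must be Info, Warning or Serious")
        self.output_file = output_file
        self.log_severity = log_severity
        self.lifetime = parse_lifetime(log_lifetime)
        self.created = created or datetime.now()
        self.files = {output_file: []}

    def write(self, severity, text, now):
        """Rotate first if the current file has reached LogLifeTime, then append
        the message if its type passes the filter. Returns True if it was written."""
        if now - self.created >= self.lifetime:
            self.files[rotated_name(self.output_file, now)] = self.files.pop(self.output_file)
            self.files[self.output_file] = []
            self.created = now
        if not is_logged(self.log_severity, severity):
            return False
        self.files[self.output_file].append(
            "%s %s %s" % (now.strftime("%Y-%m-%d %H:%M:%S"), severity, text))
        return True


if __name__ == "__main__":
    t0 = datetime(2004, 8, 19, 7, 30, 0)
    writer = FileLogWriter(created=t0)            # default: Warning, one hour lifetime
    writer.write("Info", "job started", t0)       # filtered out by LogSeverity
    writer.write("Warning", "retrying step", t0 + timedelta(minutes=5))
    # Constructed process step parameters; "Password" is marked Hidden.
    params = format_parameters({"Server": "dc01", "Password": "s3cret"}, hidden={"Password"})
    # One hour later the file is renamed with the documented timestamp suffix.
    writer.write("Serious", "step failed: " + params, t0 + timedelta(hours=1, minutes=5, seconds=54))
    for name, lines in writer.files.items():
        print(name, lines)
```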
http://<servername>:1880/log
The messages to be displayed on the web page can be filtered interactively. There is a selection list on the top edge of the page for this. Of course, only text contained in the log file can be displayed in this case. If, for example, the message type is set to “Warning”, no “Info” messages can be shown even if the appropriate filter is chosen.
If you want to retain the color information to send by mail, you need to save the complete web page.
The HTTPStatusPlugin provides the Identity Manager Service with further services in addition to displaying the log file.
The result can also be verified using the following command line call:
• DebugMode
• ComponentDebugMode
The Identity Manager Service writes more detailed data into the log file if the parameter “DebugMode” is set, e.g. all parameters that are passed to a component as well as the processing results together with OUT parameters.
Individual Identity Manager Service process components can output additional process data to the Identity Manager Service log file. To do this, set the parameter “ComponentDebugMode” in the configuration module. You should only use “ComponentDebugMode” for localizing errors, because its effect on performance means that it is not recommended for normal use.
This behavior can, however, cause further errors in the case of certain objects. For example, when a local group is added to an Active Directory system, only the name, the DistinguishedName and the option “IsGlobal” are set after the third property. The option “IsLocal” is not set until the next three properties are passed, but by then the object cannot be edited anymore because an Active Directory group cannot be redefined. This means that the group is neither global nor local when the first “commit” is made, which causes it to be rejected by the Active Directory system. This results in an error when a local group is added to an Active Directory synchronization server, and the group is deleted from the database.
Synchronizer tasks are written to a separate log file. Specify the storage location of the log file in the <tracebehaviour> section of the StdioProcessor.exe/StdioProcessor32.exe configuration files.
<tracebehaviour>
<add key="file" value="NSProviderTrace.log" />
</tracebehaviour>
If a value is given in the configuration file, the log file name is formatted as follows:
NSProviderTrace.Log.<date>
If debug mode is enabled for this component, external processes are also logged with StdioProcessor.exe/StdioProcessor32.exe (StdioProcessor_<ProcessID>.log). You will find this log file in the Identity Manager Service log directory. The log files are kept for a maximum of 10 days.
Individual process components have process functions with parameters that supply extended return values. The entire output of the parameter is written to the Identity Manager Service log file when an error occurs.
Messages are marked in color in the log file depending on the message type (MsgSeverity).
RaiseMessage:
The output is consolidated with other messages and logged at the end of processing the process step.
Syntax:
Example:
AppData.Instance.RaiseMessage
This output is written immediately during processing, regardless of when the process step ends.
Syntax:
Example:
You can find further scripting examples for outputting to the Identity Manager Service log file in the
SDK.
The VB.Net functions “Msgbox” and “Inputbox” are not permitted on servers. Use the functions
“VID_Write2Log”, “RaiseMessage” or “AppData.Instance.RaiseMessage”.
To record Identity Manager Service messages in the server's event log, the module “EventLogLogWriter” has to be modified in the Identity Manager Service configuration file. All the parameters and settings are described in EventLogLogWriter on page 70. Recording is done in the event log's application log.
Enter the name of the event log where the messages should appear in the EventLog parameter. The messages are written to the application log if the default value “Application” is used.
The amount of information in the messages is specified through the module. By default, only warnings
and serious errors are logged. This can be changed, however, by setting parameter “LogSeverity”.
Message Types
TYPE MEANING
Info All messages are written to the log. The log quickly becomes too large and confusing.
Warning Only warnings and serious exceptions appear in the log (default).
Process handling errors can also be written to a server's event log. To do this, use the process component “LogComponent”.
Process Generation Logging
Jobservice.cfg:
<configuration>
  ...
  <category name="connectionbehaviour">
    <value name="jobgenlogdir">%Temp%\jobgenlog</value>
  </category>
  ...
</configuration>
viNetworkService.exe.config:
<configuration>
  <configSections>
    ...
    <section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  ...
  <connectionbehaviour>
    <add key="jobgenlogdir" value="C:\TEMP\jobgenlog" />
  </connectionbehaviour>
  ...
</configuration>
Database Query Logging
Jobservice.cfg:
<configuration>
  ...
  <category name="connectionbehaviour">
    <value name="sqllogdir">%Temp%\sqllogdir</value>
  </category>
  ...
</configuration>
viNetworkService.exe.config:
<configuration>
  <configSections>
    ...
    <section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  ...
  <connectionbehaviour>
    <add key="sqllogdir" value="C:\TEMP\sqllog" />
  </connectionbehaviour>
  ...
</configuration>
Object Action Logging
The Identity Manager Service configuration file is adapted to fit the Job Service Configuration (see The Connection Module on page 72).
Jobservice.cfg:
<configuration>
  ...
  <category name="connectionbehaviour">
    <value name="objectlogdir">%Temp%\objectlog</value>
  </category>
  ...
</configuration>
viNetworkService.exe.config:
<configuration>
  <configSections>
    ...
    <section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  ...
  <connectionbehaviour>
    <add key="objectlogdir" value="C:\TEMP\objectlog" />
  </connectionbehaviour>
  ...
</configuration>
Use the parameter “Regular expression for stack trace positions (ObjectDumpStackExpression)” to
specify a regular expression. If the current row in the object log matches the regular expression, the
stack trace is written in the object log.
<connectionbehaviour>
...
<add key="ObjectDumpStackExpression" value="Lastname" />
</connectionbehaviour>
If the current row contains the value “Lastname”, the stack trace is also copied to the log.
Logging DBScheduler Tasks
The Identity Manager Service DBSchedulerWatchDogPlugin can be used to check if a database schedule is still active. This plugin checks, at regular intervals, whether the database schedule for the DBScheduler is enabled and starts it if necessary. The plugin should only be enabled on one Job server in the network, and we recommend running it on the database server. For information about plugins read DBSchedulerWatchDogPlugin on page 75 in the Getting Started Guide.
Information, warning and error messages are logged to the system journal. System messages that are logged during scheduling tasks can also be seen in the administration tools (see DBScheduler Computational Tasks Data on page 58).
5 Identity Manager Files
• Identity Manager Service Configuration Files
• Identity Manager Service Log File
• HTTPLogPlugins Log File
• Jobservice.cfg
• viNetworkService.exe.config
Jobservice.cfg
Jobservice.cfg is a configuration file in Quest's own simpler format. The advantage of this file is that reloading is supported during runtime. The text is case sensitive. There is a configuration section in the file for each of the different Identity Manager Service modules.
The root in the XML file is always called “configuration”. In “category”, one Identity Manager Service module is defined with its values. At the moment the program only supports the section type “System.Configuration.NameValueSectionHandler”.
Both the section and the name of the value must be written in “lower case”.
<configuration>
  <category name="serviceconfiguration">
    <value name="jobprovider">VI.JobService.MSSqlJobProvider,jobservice</value>
    <value name="HttpPort">1180</value>
    <value name="logwriter">VI.JobService.FileLogWriter,jobservice</value>
  </category>
</configuration>
Example:
  </category>
  <category name="filelogwriter">
    <value name="loglifetime">0.01:00:00</value>
    <value name="logseverity">Info</value>
  </category>
  <category name="dispatcher" />
  <category name="jobdestinations">
    <value name="queuex">VI.JobService.JobServiceDestination,jobservice</value>
  </category>
  <category name="queuex">
    <value name="queue">\%COMPUTERNAME%</value>
  </category>
  <category name="plugins">
    <value name="httpstatusplugin">VI.JobService.HttpStatusPlugin,jobservice</value>
  </category>
</configuration>
viNetworkService.exe.config
The viNetworkService.exe.config is the default configuration file for .NET executables and has the format that .NET specifies. The text is case sensitive. There is a configuration section in the file for each of the different Identity Manager Service modules.
The root in the XML file is always called “configuration”. All other sections of the configuration file and their types are defined in “configSections”, which is always present in the file. At the moment the program only supports the section type “System.Configuration.NameValueSectionHandler”.
<configuration>
  <configSections>
    <section name="sectionname" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <sectionname>
    ...
  </sectionname>
</configuration>
<configuration>
  <configSections>
    <section name="serviceconfiguration" type="System.Configuration.NameValueSectionHandler" />
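An added example (not Quest's code) that reads both configuration file formats described above into one structure, checks the lower-case rule for Jobservice.cfg and the configSections declaration for viNetworkService.exe.config, and flags the settings from the Process Debugging chapter that turn on verbose logging or write generated processes, SQL statements and object data to disk. The two sample files are constructed, and the section in which “debugmode” appears is an assumption, since the manual does not say which module holds that parameter.

```python
"""Added example (not Quest code): parse the two Identity Manager Service
configuration formats into {section: {key: value}} and flag debug settings."""
import xml.etree.ElementTree as ET

NVSH = "System.Configuration.NameValueSectionHandler"

# Settings from the Process Debugging chapter that write parameter values,
# generated processes, SQL statements or object data to the log or to disk.
DEBUG_KEYS = {
    "debugmode": "DebugMode logs all component parameters, including OUT values",
    "componentdebugmode": "ComponentDebugMode adds component trace data and costs performance",
    "jobgenlogdir": "process generation logging writes generated processes to disk",
    "sqllogdir": "database query logging writes SQL statements to disk",
    "objectlogdir": "object action logging writes object data to disk",
    "objectdumpstackexpression": "stack traces are copied into the object log",
}

# Constructed sample files; the section that holds debugmode is an assumption.
JOBSERVICE_CFG = r"""<configuration>
  <category name="serviceconfiguration">
    <value name="HttpPort">1880</value>
  </category>
  <category name="filelogwriter">
    <value name="logseverity">Info</value>
    <value name="debugmode">true</value>
  </category>
  <category name="connectionbehaviour">
    <value name="sqllogdir">%Temp%\sqllogdir</value>
  </category>
</configuration>"""

DOTNET_CFG = r"""<configuration>
  <configSections>
    <section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
  </configSections>
  <connectionbehaviour>
    <add key="objectlogdir" value="C:\TEMP\objectlog" />
    <add key="ObjectDumpStackExpression" value="Lastname" />
  </connectionbehaviour>
</configuration>"""


def parse_jobservice_cfg(text):
    """Jobservice.cfg: <configuration><category name=..><value name=..>v</value>."""
    root = ET.fromstring(text)
    return {cat.get("name", ""): {val.get("name", ""): (val.text or "").strip()
                                  for val in cat.findall("value")}
            for cat in root.findall("category")}


def jobservice_name_violations(sections):
    """Category and value names must be lower case; return those that are not."""
    bad = []
    for section, values in sections.items():
        if section != section.lower():
            bad.append(section)
        bad.extend("%s/%s" % (section, key) for key in values if key != key.lower())
    return bad


def parse_dotnet_config(text):
    """viNetworkService.exe.config: each section is declared in <configSections>
    with the NameValueSectionHandler type and holds <add key= value=/> entries."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError("root element must be <configuration>")
    config_sections = root.find("configSections")
    if config_sections is None:
        raise ValueError("<configSections> is missing")
    declared = {s.get("name"): s.get("type", "") for s in config_sections.findall("section")}
    sections = {}
    for child in root:
        if child.tag == "configSections":
            continue
        section_type = declared.get(child.tag)
        if section_type is None:
            raise ValueError("section <%s> is not declared in configSections" % child.tag)
        if not section_type.replace(" ", "").startswith(NVSH):
            raise ValueError("unsupported section type for <%s>: %s" % (child.tag, section_type))
        sections[child.tag] = {a.get("key", ""): a.get("value", "") for a in child.findall("add")}
    return sections


def audit_debug_settings(sections):
    """Return (section, key, value, reason) for each debug setting that is switched
    on. Keys are compared case-insensitively: the .NET file is case sensitive and
    the manual spells the same key differently in different places."""
    findings = []
    for section, values in sections.items():
        for key, value in values.items():
            v = value.strip()
            reason = DEBUG_KEYS.get(key.lower())
            if reason and v and v.lower() not in ("false", "0"):
                findings.append((section, key, v, reason))
            elif key.lower() == "logseverity" and v.lower() == "info":
                findings.append((section, key, v, "LogSeverity=Info writes every message"))
    return findings
```

Run `audit_debug_settings(parse_jobservice_cfg(JOBSERVICE_CFG))` against a copy of a production file to list every setting that should be off outside an error-localization session.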
Message Types
TYPE MEANING
Info All messages are written to the log file. The log file quickly becomes large and confusing.
Warning Only warnings and fatal errors appear in the log file (default).
Serious Only fatal errors are written to the log file (exceptions).
It is possible to view the log file using a browser. The prerequisite is that the HTTPStatusPlugin is configured. This plugin adds several services to the Identity Manager Service HTTP server.
The log file can be displayed in the browser. It is called up by entering the appropriate URL:
http://<servername>:1880/log
You can reach the server using HTTPS once SSL support has been configured.
The messages displayed on the web page can be filtered interactively. There is a selection box on the top edge of the page for this. Of course, only text that is in the log file can be displayed. For example, if the message type is set to “Warning”, no “Info” messages can be displayed even if the corresponding filter is chosen.
The maximum age of a log file is configured with the parameter “LogLifeTime”. If a log file has reached its maximum age, the file is renamed (e.g. “JobService.log_20040819-083554”) and a new log file is created.
The HTTPStatusPlugin makes other services, apart from calling the log file, available for
Identity Manager Service. Calling syntax for the services:
http://<servername>:1880/Assemblies
http://<servername>:1880/Cache
http://<servername>:1880/Comp
http://<servername>:1880/Statistics
http://<servername>:1880/Status
http://<servername>:1880/PerfCounter
Input example:
INPUT MEANING
OK Status code
GLOSSARY
This glossary contains definitions taken from Microsoft publications.
A
ABAP
Advanced Business Application Programming. Programming language from the company SAP AG.
Active Directory
LDAP based directory server from Microsoft, introduced with Windows 2000.
Additional List
All user accounts that are added to a dynamic group in addition to the group selection criteria.
Additional lists can be maintained in the target systems Lotus Notes and LDAP.
AdminP Request
Administration process in Lotus Notes used to handle various internal tasks. All AdminP tasks and their
results are added to the Admin4 database. This database can be synchronized with the
Identity Manager database.
Analyzer
AP Customer
Application
User software.
Application Group
SAP technology for integrating and running distributed applications on different SAP systems.
Refer to your SAP system documentation for further details.
Application Role
Identity Manager application roles are preset, customizable, functional roles used to specify entitlements to Identity Manager functions resulting from Identity Manager user tasks from within company structures. Application roles take administration and approval processes into account.
Approval Process
Process for requesting products for a customer in the IT Shop. The approval process is set up with approval policies that can contain several approval levels. There can be several approval steps defined in an approval level. A different group of approvers can be specified for each approval step.
Approver
The approver is an employee who grants or denies approval in a request procedure (renewal or cancellation).
Approval Policy
Specifies which approval workflow should be used in the IT Shop for an attestation case or a request
(renewal or cancellation).
Approval Procedure
Finds the attestor for the current attestation case or the approver for the current request (renewal or
cancellation) in the IT Shop.
AP Supplier
AR Party
Employee listed in the table “AR.HZ_PARTIES” of an Oracle E-Business Suite. Employee data can be imported from the Oracle E-Business Suite into the Identity Manager database and linked to EBS user accounts.
Assignment
Part of the synchronization that makes the connection between the target system schema and the database schema if the synchronization objects should be mapped as a many-to-many relation. Mapping target system objects to assignment tables is defined by assignments. In addition, synchronization behavior for the synchronization configuration is specified with assignments.
Assignment Request
Requests for company resources, or for employees for roles. You can request assignments for departments, cost centers, locations or business roles through the Web Portal. They are then authorized by the approval process.
Assignment Table
Tables used to define relations between two tables. Objects in both tables are assigned to each other in a many-to-many relation. Assignment tables are, for example, PersonInDepartment or ADSAccountInADSGroup.
Attestation
A method for authorizing data or internal rules. Attestation functionality in Identity Manager is used by
managers or others in authority to certify the correctness of editing permissions, entitlements, requests
or exception approvals on a regular or manual basis.
Attestation Instance
Objects that are created as soon as attestation is automatically or manually started. When attestation is triggered, Identity Manager creates an attestation case for each attestation object. Attestation data is saved in the attestation instance. This includes the attestation object, status (open, approved, denied), date of attestation, and the attestor.
Attestor
The person that will carry out the attestation. Attestors either approve or deny data presented in an attestation instance.
Auditing
The term <Auditing> or <Audit> describes how an aspect (audit object) of a company is assessed. An audit is normally oriented around special auditing tasks and helps quality assurance. An audit is specifically an instrument for the systematic, independent and documented examination and objective evaluation of quality-related activities against planned requirements and targets (auditing criteria). To successfully complete an audit, certain features must be available and specific requirements must be fulfilled. (Source: sicherheitswiki.org).
Authentication Module
Authentication modules are used to define how users log in to Identity Manager tools. Users can log in, for example, as employees with their Active Directory user account or directly as system users.
The authentication module determines which system user is directly or indirectly assigned to the logged
in user. This assigns user permissions for the user interface elements of the administration tool that has
been started and for the database objects.
Authentication Object
An object used by a SharePoint user to log into a SharePoint site. SharePoint takes authentication objects from the system environment in which the SharePoint environment is integrated. The Identity Manager can create references to the following authentication objects: Active Directory user accounts and groups, LDAP user accounts and groups.
Authorization Definition
Group of transactions and authorization objects in Identity Manager to be tested by an SAP function.
Authorization Editor
Authorization Field
An object in an SAP system. The smallest unit that can be granted authorizations. To do this, authorization fields are given fixed values (activities or data). Up to 10 authorization fields are grouped as one authorization and are only valid in this grouping.
Authorization Object
An object in an SAP system that makes the definition of authorizations possible. Authorization objects
are made up of up to 10 authorization fields connected with an AND link.
B
Base Object
Link to the authentication object with which a SharePoint user logs into a SharePoint site.
BI analysis Authorization
Authorizations that an SAP user uses to analyze BI data in an SAP system across clients.
BI User Account
User account used for mapping the properties of an SAP user account with BI analysis authorizations in the Identity Manager. BI analysis authorizations can be assigned through BI user accounts across clients to all SAP user accounts within an SAP system.
C
Cancellation Workflow
Approval workflow that determines the approver when a requested product is canceled.
Cart
Used to collect products in the IT Shop. Customers can add as many carts as they want. A cart is deleted as soon as its request has been carried out.
Cart Item
A product assigned to a shopping cart. Cart items show the requestor and intended recipient for each
product.
Central User Administration
Function in SAP for administrating SAP user accounts in a central system rather than maintaining all clients separately. SAP clients in different SAP systems are grouped together in a system network. SAP user accounts for these SAP clients are maintained in a central system and the data is distributed to client systems. Therefore, users that own permissions in different SAP clients do not have to be individually maintained. SAP roles and SAP profiles are administrated in client systems but can only be assigned to SAP user accounts in the central system. Refer to your SAP system documentation for more details.
Company Policy
Object that maps the policy in a company in relation to Identity and Access Management in the Identity Manager. Policy violations can be found and approved in retrospect. Attestations and risk assessments can be executed through company policies.
Company Resource
Umbrella term for all objects that are assigned to employees or roles or that can be requested through
the IT Shop. Company resources include: applications, system entitlements, resources, target system
groups, and system roles.
Configuration Parameter
Parameter for configuring the basic settings for Identity Manager system administration.
Preprocessor-relevant configuration parameters are configuration parameters connected to a preprocessor condition. If a preprocessor-relevant configuration parameter changes, the database must be recompiled.
Configuration Wizard
Crypto Configuration
CUA
CUA Status
Labels an SAP client for use as central system or client system in the central user administration. Clients that should be excluded from the Central User Administration are labeled with the CUA status “None”.
Customer
A company employee entitled to request items from the IT Shop. An employee becomes a customer
when assigned to a shop.
Customers form an IT Shop solution by combining shelves, products, shops and shopping centers.
D
Database Compiler
Program for compiling the Identity Manager database after changes have been made.
Database Schema
A logical description of data saved in a database. The schema not only defines names for individual data
items, their size, and other characteristics, but also identifies the relation between the data. The
Identity Manager data model differentiates between reference data and meta data. Reference data is
described by the application data model, the meta data by the interface data model.
Database Transporter
Program for exporting objects and custom changes from an Identity Manager database to an
Identity Manager database.
Data Import
DBQueue
DBScheduler
The DBScheduler is used to calculate processing tasks from the DBQueue. The DBScheduler is made up of a combination of stored procedures and triggers.
The DBScheduler also controls recurring tasks on a cyclical basis, such as daily maintenance tasks for
calculating statistics or indexing the database.
Delegation
Special assignment request form. In this case, an employee passes any number of role assignments to another employee for a limited period of time. Delegations can be authorized using an approval procedure.
Designer
Discontinue Inheritance
The property “Discontinue inheritance” indicates that the option “End of inheritance” is set in a role’s
master data.
Distribution Model
Relationships between logical systems are defined in the SAP distribution model. Among other things, it is used by Application Link Enabling to control data distribution. Refer to your SAP system documentation for more details.
DNS
The Domain Name System (DNS) is a distributed database that manages namespaces in the internet.
Selected productive Notes server with a good network connection to the gateway server.
When actions are performed against the productive address book and the mailbox files, the gateway
server communicates with the central Domino server.
Dynamic Group
Target system group that user accounts are added to based on strict selection criteria. Dynamic groups
can be added in the target systems Active Directory, Lotus Notes and LDAP.
DHCP
Standard for the administration of dynamic settings and addresses in a network. DHCP makes it possible to dynamically assign an IP address and other configuration parameters to computers in a network with the help of a DHCP server.
E
Edit Permissions
Groups Identity Manager user permissions for database objects, menu items, forms and methods together.
Identifies the company task for planning the use of existing company resources in the most efficient
way for daily operations.
EBS Entitlement
A combination of EBS security group and EBS responsibility mapped in the Identity Manager. EBS responsibilities are assigned to EBS user accounts in the Identity Manager through EBS entitlements.
EBS System
Synchronization base object for objects in an Oracle E-Business Suite. A separate EBS system is set up for each Oracle E-Business Suite mapped in the Identity Manager database. Synchronization for the Oracle E-Business Suite is configured in the EBS system.
Employee Assignment
User accounts can be automatically linked to employees in the Identity Manager database. Search criteria for this can be defined separately for each target system. They are used if the target system-specific configuration parameters “PersonAutoDefault” and “PersonAutoFullsync” are set.
Exception Approver
A person who can approve rule exceptions. Exception approvers are only those employees that are assigned to at least one compliance rule as exception approver with the application role <Identity & Access Governance>\<Identity Audit>\<Exception approver>.
Excluded Attribute
An Oracle E-Business Suite object that is explicitly excluded from assignment to an EBS responsibility.
Excluded List
All user accounts that are excluded from a dynamic group. Excluded lists can be maintained in the target systems Lotus Notes and LDAP.
F
Function (Risk index)
Functions define the method used to calculate risk indexes. Data sources, the objects involved, the calculation type and the table column of the calculation target object are specified.
Function Instance
Function definition that is given values for a specific application. A specific SAP client to be used in the SAP function is given in the function instance, and variables allocated to authorization fields are given fixed values. Function instances can only be set up for active SAP functions.
Function Element
A general term for transactions, authorization objects and authorization fields that are displayed in an
authorization definition as a tree structure in the Authorization Editor.
G
Gateway Server
A server in the Identity Manager environment that executes all the tasks in Lotus Notes triggered by the Identity Manager. The gateway server cannot be a productive Notes server. It requires access to the Notes server in the productive environment. The Identity Manager Service is installed on the gateway server with the Lotus Notes synchronization components and the Notes database “viAgentsDB.nsf” available.
Business Role
Business roles represent customized functions in Identity Manager. You can use them to model approval workflows, assignments or approval procedures according to the needs of your organization structure. All business roles are specified by your company.
H
HistoryDB
HistoryDB Manager
Administration tool for displaying and editing all the information in the HistoryDB archiving system.
HistoryDB Service
System service on the servers. The HistoryDB Service imports log entries into the HistoryDB archiving
system.
Hotfix
A hotfix contains corrections to the default configuration of the main installed version but no new functionality.
HR Person
Employee listed in the table “HR.PER_ALL_PEOPLE_F” of an Oracle E-Business Suite. Employee data
can be imported from the Oracle E-Business Suite into the Identity Manager database and linked to EBS
user accounts.
I
Identity Manager (1)
Main administration tool for managing employees, user accounts and permissions within an
Identity Manager network.
ID Restore
A method in the Identity Manager for restoring user ID files in Lotus Notes. This method can be used if
restoring user ID files from an ID vault has not been implemented.
IT Shop
Program component for providing employees with company resources using a defined approval procedure. IT Shop solutions are set up in the Identity Manager and can then be used in the Web Portal.
IT Shop Structure
Role classes are used to group the components of an IT Shop solution, for example, shopping center,
shop, shelf, customer.
J
Job Queue Info
Program for monitoring the current state of the services running in an Identity Manager network.
Job Destination
Identity Manager Service component. The Job destination handles the process steps and returns the result back to the Job provider.
Job Provider
Identity Manager Service component. A Job provider delivers process steps to the Job destination and
evaluates the results.
Job Queue
Job Server
L
Language Editor
License Meter
LDAP
Network protocol that permits queries and modifications to a directory service’s information (a hierarchical database distributed on a network).
List Editor
Lock Group
Notes groups with the group type “only negative list” for which the access type “Not access server” on
a Notes server is defined.
Lotus Notes
M
Manage Level
The user account manage level determines the range of properties inherited by the user account from
the employee. The Identity Manager supplies configurations for the manage levels “Unmanaged” and
“Full managed”. You can define other manage levels.
Unmanaged: User accounts obtain a link to the employee but do not inherit any other properties from them.
Full managed: User accounts obtain a link to the employee and inherit defined properties from them.
Manager
Main administration tool for displaying and editing all the information in an Identity Manager network.
Mapping
Maps target system objects and their properties to database objects and their properties.
Mapping is used to synchronize data between the Identity Manager and target systems.
Mapping File
Contains extended rules for mapping properties between database and target system. The mapping file has an XML structure. A mapping file can be created and extended with internal mapping rules for process components. Alternatively, a new mapping file can be created that only contains extensions. If another extended mapping rule exists as a mapping file, it is added to the process component’s internal mapping rule and the resulting rule is used to map the property.
Mitigating Control
A control to be carried out so that, for example, a compliance rule is not violated. Mitigating controls reduce the risk by a fixed value (significance reduction).
Mitigating controls are independent of Identity Manager functions. For example, the risk that is connected with a rule violation can be reduced by regular manual checking of prohibited authorizations.
N
NetBIOS
Network Basic Input Output System, a programming interface developed by IBM to make communication between two network programs possible. NetBIOS allows 16 characters for a NetBIOS name. Microsoft limited NetBIOS names to 15 characters because the 16th character is used as a NetBIOS suffix.
Notes Domain
A Notes domain in the Identity Manager corresponds to the mapping of a visible area in Lotus Notes, for
example, a productive Lotus Notes environment. It is possible to manage several productive Lotus
Notes environments in parallel using this construct because it is handled more stringently in the
Identity Manager.
O
Object Definition
Object definitions create a view for database objects that can be differentiated by their properties and
therefore allow an additional control function.
Object Editor
Basic editor in the Designer for displaying and editing all objects.
Object type
Element in the synchronization that creates the connection between target system schema and database schema. Object types define the mapping from target system objects to database objects. Apart from this, the synchronization behavior of a synchronization configuration is specified by the object types.
Organization
The company structures department, cost center, and location are called organizations in
Identity Manager.
Org Level
An object in an SAP system that defines fixed values for authorization fields. Org levels are, for example, custom accounting codes, functional areas or account types.
P
Patch
Software update.
Permission Level
Object used to group SharePoint permissions together. Permission levels that are linked to a concrete
SharePoint site are mapped as SharePoint roles in the Identity Manager.
Permissions Editor
Designer editor used to grant table and column permissions to permissions groups and system users.
Permissions Group
Different edit permissions for Identity Manager functions are grouped together in permissions groups.
Permissions groups are assigned to system users. In this way, users of Identity Manager tools obtain
edit permissions to Identity Manager functions.
Certain permissions groups are components of the Identity Manager installation. Other permissions
groups can be custom defined in the Designer.
Plugin
Preprocessor Condition
Process
Stringing together process steps into a sensible order. The process has the task of mapping live processes.
Process Editor
Process Function
Process Parameter
Process Plan
A process plan covers the basic configuration for automatically executing a process.
Process Step
Process Component
Product
Company resource that is assigned to an IT Shop shelf and therefore can be requested. Products form an IT Shop solution by combining shelves, customers, shops and shopping centers. Only company resources that are assigned to a service item and labeled with the option <IT Shop> can be added as products to the IT Shop.
Provider Client
The provider client is a completely configured Identity Manager customer environment with a database, Identity Manager Service, and possibly Identity Manager front-ends. The provider client actively administers a network. In addition to the usual Identity Manager environment, the provider client can process its own Identity Manager Service requests that are executed on the provider master.
Provider Master
The provider master is a completely configured Identity Manager provider environment with a database, Identity Manager Service and possibly Identity Manager front-ends. The provider master does not necessarily administer its own network but does, however, contain additional information about the provider clients in its administration. The provider master keeps a queue for provider clients’ requests.
Provider Mode
Provider mode is a model that stores and changes information in a central Identity Manager environment. The information is transferred into mainly independent Identity Manager environments and takes effect there.
R
Release Key
The release key is used by system users to change objects defined by Quest Software. The release key
is only issued for a limited period of time and has to be specially requested.
Renewal Workflow
Approval workflow that finds the approver if a requested product needs to be renewed.
Replication Info
Request Template
Template for a cart containing items often requested together. Public request templates are available to
all Identity Manager users the moment they are shared. Non-public request templates can only be used
by the request template owner.
Resource
Resource Type
Objects that are used to sort resources corresponding to usage. Processing steps for resource types can
be defined and run when a resource is successfully assigned to an employee.
Risk Index
Security risk for the company when a company resource is assigned to an employee or a compliance rule, company policy or attestation policy is violated. The risk index can be given for all company resources, SAP functions, attestation policies, company policies and compliance rules. The risk index for an employee is calculated from the risk indexes for directly and indirectly assigned company resources. It is given as a value in the range 0 (no risk) to 1 (problem).
Role
The term “role” is an umbrella term for the company structures departments, cost centers, locations, and business roles. Roles in Identity Manager are all objects through which employees can be assigned company resources. Therefore, IT Shop structures are also roles in the Identity Manager sense of the word. Examples of roles include: “Development”, location “Prague”, product “FrameMaker - German - 9.0”.
Role Assignment
Role (SharePoint)
SharePoint permission level that is linked to a concrete SharePoint site. SharePoint roles are used to
pass on permissions from concrete sites to SharePoint user accounts.
Role Classes
Objects that group together similar roles. Role classes are defined in Identity Manager to differentiate
between various company structures. Role classes regulate inheritance behavior in these company
structures. Furthermore, they specify which company resource assignments are possible through a role
in a role class.
Examples of role classes are: “departments”, “location” or “IT Shop structure”. Define custom role
classes in order to create business roles.
Role Definition
Role Type
Company-specific criteria for allocating roles. Role types are mainly used to regulate inheritance of approval policies within an IT Shop structure. To do this, you define role types that you assign to the approval policies and IT Shop rules. In addition, you can use role types to structure business roles or shops in the IT Shop by criteria.
Root Site
Main site for a SharePoint site collection. There is exactly one root site for each SharePoint site collection, which builds the top layer of the site hierarchy. All other sites are below the root site.
Permission levels are defined for the root site and can be used as SharePoint roles for child sites in the site collection.
S
SAP Authorization
Authorization permissions that SAP user accounts obtain on the basis of the SAP roles assigned to them
in the SAP system.
SAM Database
Security Accounts Manager – secure account administration under Windows. Administration of user accounts and encoded passwords is done in the SAM database.
SAP Function
An object in Identity Manager that can be used to test which SAP authorizations an SAP user account in
an SAP client has effectively.
SAP Menu
Element for guiding users through the SAP GUI. Authorizations are linked to fixed menu items in the SAP system using authorization objects. Authorization objects can be linked into authorization definitions through the choice of SAP menu in the Identity Manager Authorization Editor.
SAP R/3
Schedule
Schedules control cyclical execution of processes, calculation tasks and different scheduled tasks. You
define the time of execution and the interval between tasks. The time of execution can be given in local
or UTC time. A schedule can run several tasks.
Schema Extension
Program for extending the Identity Manager database schema with custom tables and columns.
Schema Editor
Editor in the Designer for customizing database schema table and column definitions.
Search criteria
User accounts can be automatically linked to employees in the Identity Manager database. Search criteria for this can be defined separately in each target system mapping. They are used if the target system specific configuration parameters “PersonAutoDefault” and “PersonAutoFullsync” are set.
Security attribute
An Oracle E-Business Suite object that was explicitly assigned to an EBS responsibility or an EBS user account.
Server Permissions
Access list that specifies which Notes user accounts and Notes groups have access to a Notes server, and for what reasons.
Server Restrictions
Access list that specifies which agents Notes user accounts and Notes groups can run on a Notes server.
Service Catalog
Displays all requestable service items grouped by service category. Service items for products that are
assigned to IT Shop shelves are displayed in the service catalog.
Service Category
Grouping criteria for service items. A product’s service item must be assigned to a service category in order to select the product from the service catalog.
Service Item
These are objects necessary to book company resources internally. Service items must be assigned to company resources so that they can be requested and booked internally as products in the IT Shop. A service item contains an exact product definition, assignment to a cost center, and price information.
Service Pack
A service pack contains minor extensions to the functionality and includes all hotfix changes since the last major version.
SPML
Service Provisioning Markup Language is an XML-based description language that is used as an exchange format for user and resource information between provisioning systems. The standardization of SPML has been driven by the OASIS consortium (Organization for the Advancement of Structured Information Standards, www.oasis-open.org), which includes some well-known software companies. The latest version (2.0) was released in April 2006.
Shelf
An IT Shop structure that is part of a shop and can be assigned products. Shelves form part of a hierarchical IT Shop solution along with customers, shops, shopping centers, and products.
Shelf Template
Template that you can use to automatically generate shelves in the IT Shop and fill them with company resources. You can use shelf templates when you want to set up shelves in several shops with identical products. Identity Manager differentiates between global shelf templates, special shelf templates and shopping center templates.
Shop
Shopping Cart
See Cart.
Shopping Center
IT Shop structure for grouping shops together. Shopping centers form part of a hierarchical IT Shop solution along with customers, shops, shelves, and products.
Shopping Center Template
Template that you can use to replicate a shelf from a special shelf template in all the shops in a shopping center. To do this, the shopping center template must be assigned to at least one special shelf template.
Security ID (SID)
A security identifier (SID) is a unique value of variable length which is used to identify a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify general users or groups. Their values remain fixed across every operating system.
Significance reduction
A value by which the risk index of a compliance rule, SAP function, attestation policy or company policy is reduced when a mitigating control is assigned to it. The risk index (reduced) is calculated from the risk index and the significance reduction.
Software Loader
Program for loading new or changed files into the Identity Manager database. These files can then be distributed in the Identity Manager network through automatic software updating.
Special Shelf Template
Template that you can use to automatically generate shelves in selected shops in the IT Shop. A special shelf template can be assigned company resources, such as products and approval policies. The shops in which the shelf template should be replicated are selected individually.
Synchronization Configuration
Settings that define data synchronization between a target system and the Identity Manager. The synchronization configuration contains the object types and assignments that should be synchronized, and a schedule for synchronization. This specifies the synchronization behavior of each object type/assignment.
Synchronization Status
Flag that is set on synchronization objects during synchronization. Use the synchronization status to determine whether the object was marked as added, updated, published or deleted by synchronization. You can post-process synchronization objects depending on the status.
System Role
A system role is a resource in which any number of company resources can be grouped together. System roles are used to simplify assignment of different company resources. If a system role is assigned to an employee, the employee receives all the company resources that are assigned to the system role. These might be system permissions, applications or non-IT Shop resources.
System roles can be assigned directly to employees, requested through the IT Shop or inherited through roles.
System User
A predefined user that contains several entitlements to Identity Manager functions. The system user obtains these entitlements through its permissions group assignments. A system user is assigned to the user during the administration tool login procedure. Entitlements for the Identity Manager functions are passed on to the user from this system user.
Certain system users are included in the Identity Manager installation. Further system users can be defined in the Designer.
An authentication module for logging onto Identity Manager tools. See Authentication Module.
System User ID
The user ID that a user enters to log onto an Identity Manager tool.
The system user ID is independent of the selected authentication module. It can be a login name for an
Active Directory domain or a system user, for example, a central user account.
T
Target System
A system in which employees under Identity Manager administration have access to network resources.
Example: Active Directory, SAP R/3, Lotus Notes
Administration unit in a target system for user accounts, user groups, and computer accounts.
Example: Active Directory domain, SAP R/3 client, Lotus Notes domain.
Target System Type
Target system types are used in the Unified Namespace to differentiate between data from several target systems. Each object that is mapped in the Unified Namespace has a target system type. The following target system types are provided by default in the Identity Manager: ADS, LDAP, NOTES, SAPR3. Other target system types can be custom defined.
Template
Rule for mapping object properties. Templates can be used within an object as well as across objects.
Text Comparison
A procedure in SAP that mirrors names of roles and profiles from a CUA client system in the central system. The roles and profiles in the central system are only made known when the text comparison has been run at least once. Then they can be assigned to user accounts.
Roles and profiles from client systems cannot be synchronized with Identity Manager until the text comparison has been run in SAP. Refer to your SAP system documentation for more details.
Transaction
U
UID
The UID is an artificial primary key created by the operating system as soon as the object is inserted in
the database. The UID is a unique value that does not alter even when changes are made to the object
properties. An object is labeled with a UID and can be uniquely referenced with it.
Unified Namespace
Unified Namespace (UNS) is a virtual target system for mapping various target systems along with their containers, user accounts, target system groups, and associated memberships. The data for all target systems connected to Identity Manager is mapped in the Unified Namespace. This allows other core Identity Manager functions, such as compliance testing, attestation or IT Shop, to be used across target systems. The target systems Active Directory, Lotus Notes, SAP R/3, and LDAP can be mapped in the same way as your own applications, for example, a telephone system.
User
The person that uses a tool to gain an advantage (a benefit such as time and/or cost reduction).
User Account
Access entitlement to a restricted access IT system. Normally users must authenticate themselves with
a user name and password when logging in.
User Account Resource
User account resources are special resources used to automatically create and manage user accounts in the connected target system. If an employee is assigned a user account resource, the Identity Manager creates a user account in the target system to which the user account resource is assigned. The default manage level for a user account resource specifies which employee properties should be inherited by the user account.
Object that is used to provide a SharePoint user with permissions to SharePoint sites.
User Policy
Object that is used to provide a SharePoint user with general permissions to all sites in a SharePoint
web application.
User Interface Editor
UTC
V
Variable Set
A group of all variables and their values that can be used in the authorization definition of an SAP function. Variable sets are used to set up function instances for one and the same function definition.
Version Update
A version update means significant additions to functionality and requires a completely new installation.
VIAgentsDB.nsf
A database containing the agents for accessing the productive Lotus Notes address pool and creating ID files. This database is part of the Identity Manager installation package for Lotus Notes components. It needs to be reassigned after installation.
VINotes.INI
Copy of the file “Notes.INI” that is created when the Lotus Notes client is configured. The file “VINotes.INI” contains the configuration data that the Identity Manager Service requires for logging onto Lotus Notes.
W
Web Designer
Web Installer
Program for simplifying installation and configuration of web-based applications that are created with the Web Designer.
Web Portal
Web-based application that provides various workflows. In the Web Portal, you can edit your own employee master data, edit staff data, request company resources in the IT Shop, delegate your own roles, and edit approvals, attestations, and rule violations.
WINS
The Windows Internet Name Service (WINS) is a software service developed by Microsoft that dynamically maps computer names (NetBIOS names) to IP addresses.
Workflow Editor
An editor that you can use to create workflows for attestation instances or approval processes. In the Workflow Editor, approval levels and steps of an approval workflow are inserted using a special graphical control. Approval levels can be arranged in any way and connected to each other.
Contact Quest
World Headquarters
5 Polaris Way
USA
Please refer to our Web site for regional and international office information.
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at http://support.quest.com/pdfs/Global Support Guide.pdf.