
Process Orchestration Guide


Quest One Identity Manager

© 2013 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
email: legal@quest.com

Refer to our Web site (www.quest.com) for regional and international office information.

Patents
This product includes patent pending technology.

Trademarks
Quest, Quest Software, the Quest Software logo, ActiveRoles, Data Governance, Password Manager,
Quest One Identity Manager, Quick Connect and Webthority are trademarks and registered trademarks
of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest
Software’s trademarks, please see http://www.quest.com/legal/trademarks.aspx. Other trademarks
and registered trademarks are property of their respective owners.

Third Party Contributions


Quest One Identity Manager contains some third party components (listed below). Copies of their licenses may be found at http://www.quest.com/legal/third-party-licenses.aspx.

COMPONENT: LICENSE OR ACKNOWLEDGEMENT

.Less 1.3.1: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

.NET logging library 1.0: Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. BSD 4.4 License.

Boost 1.34.1: Boost Software License - Version 1.0 - August 17th, 2003. Boost 1.0 License.

cherrypy 3.1.1: Copyright © 2002-2008, CherryPy Team (team@cherrypy.org). All rights reserved. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. BSD 4.4 License.

Dojo Toolkit 1.8.3: Copyright. All Rights Reserved. BSD Simple License.

Google APIs Auth Client Library 1.6.0.1: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Google APIs Auth MVC Extensions 1.6.0: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Google APIs Client Library for .NET 1.6.0 (Beta): Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Google Open Sans 1.0: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Google.Apis.Admin.Directory.directory_v1 Client Li 1.6.0.21: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

jcrop 0.9.9: Copyright ©. MIT License.

JQuery 1.7.1: Copyright ©. MIT License.

JQuery UI 1.8.20: Copyright ©. MIT License.

Log4Net 1.2.11: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Log4Net 2.0.3: Apache License Version 2.0, January 2004 (http://www.apache.org/licenses). Apache 2.0 License.

Mono.Security 2.0.3600.1: Copyright ©. MIT License.

Newtonsoft.Json.dll 5.0.8: Copyright ©. MIT License.

Novell.Directory.LDAP 2.1.9.0: Copyright ©. MIT License.

pyodbc 2.1.3: Copyright ©. MIT License.

Python 2.5.2: Python 2.5 license 2.5. Copyright 2001-2006 Python Software Foundation. All rights reserved. Copyright 1995-2001 Corporation for National Research Initiatives. All rights reserved. Copyright 1991-1995 Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved.

SharpZipLib 0.85.4.369: SharpZipLib License.

spin.js 1.2.2: Copyright ©. MIT License.

SQLAlchemy 0.5.0: Copyright ©. MIT License.

Windows Installer XML toolset (aka WIX) 3.6.3303.0: Microsoft Reciprocal License (MS-RL).

zlib 1.2.3: Copyright © 1995-2005 Jean-loup Gailly and Mark Adler. zlib 1.2.3 License.

zlib portable 1.9.2: Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler. zlib 1.2.7 License.

ZLib.NET 1.0.3: Copyright © 2006, ComponentAce (http://www.componentace.com). All rights reserved. ZLib.NET 1.0.3 License.

Quest One Identity Manager - Process Orchestration Guide


Updated - December 2013
Software Version - 6.1.2

CONTENTS

CHAPTER 1
ABOUT THIS GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
QUEST ONE IDENTITY MANAGER® . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
INTENDED AUDIENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
IDENTITY MANAGER DOCUMENTATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
CHAPTER 2
WORKING WITH JOB QUEUE INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
DESIGN OF THE USER INTERFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
TITLE BAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
STATUS BAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
MENU BAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
CONTEXT MENUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
TOOLBAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
UPDATING THE VIEWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
FILTERING THE VIEWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
COLUMN CONFIGURATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CUSTOMIZING THE PROGRAM SETTINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
CHANGING THE PASSWORD FOR THE LOGGED IN USER. . . . . . . . . . . . . . . . . . . . . . . 18
JOB QUEUE VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
REACTIVATING PROCESS STEPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
JOB SERVER VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
PROCESS HISTORY VIEW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
BASE OBJECT VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
PROCESSES VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
PROCESS STEP VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
PARAMETER VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
OUT PARAMETER VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
PROGRESS VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
DETERMINING THE STATE OF THE SERVER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
DBQUEUE VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
STOPPING THE SYSTEM (EMERGENCY STOP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
CHAPTER 3
HANDLING PROCESSES IN THE IDENTITY MANAGER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
WORKING WITH THE PROCESS EDITOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
MENU BAR AND TOOLBAR EXTENSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
PROCESS EDITOR VIEWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
FUNCTIONS IN THE PROCESS DOCUMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
FUNCTIONS FOR PROCESSES AND PROCESS STEPS IN THE EDIT VIEW. . . . . . . . . . . . 39
FUNCTIONS IN THE PARAMETER AND EVENTS EDIT VIEW . . . . . . . . . . . . . . . . . . . . 39
FUNCTIONS IN THE PROCESS VALIDITY CHECK VIEW . . . . . . . . . . . . . . . . . . . . . . 40
FUNCTIONS IN COMPILER ERRORS VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
FUNCTIONS IN THE SOURCE CODE VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

FUNCTIONS IN THE SIMULATION VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


SUPPORT FOR DOLLAR NOTATION INPUT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
WORKING WITH THE PROCESS DOCUMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
SUPPORT FOR INPUTTING VALUES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
DEFINING PROCESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
BASICS FOR DEFINING PROCESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
EDITING PROCESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
GENERAL PROCESS PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
DATA FOR GENERATING A PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
NOTIFICATION DURING PROCESS HANDLING . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
EVENTS FOR PROCESS GENERATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
EDITING EVENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
EDITING PROCESS STEPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
GENERAL PROCESS STEP PROPERTIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
DATA FOR GENERATING A PROCESS STEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
SPECIFYING THE EXECUTION SERVER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
HOW TO HANDLE ERRORS DURING PROCESS STEP HANDLING . . . . . . . . . . . . . . . . 55
NOTIFICATION DURING PROCESS STEP HANDLING . . . . . . . . . . . . . . . . . . . . . . . 56
PROCESS STEP PARAMETERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
EDITING PROCESS STEP PARAMETERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
ALLOCATING PARAMETER VALUES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
IMPORTING PROCESS STEPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
SEARCHING FOR A PROCESS STEP WITHIN A PROCESS . . . . . . . . . . . . . . . . . . . . . . . 62
MULTIPLE PROCESS STEP EDITING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
COPYING A PROCESS STEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
COPYING A PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
COMPARING PROCESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
EXPORTING AND IMPORTING PROCESSES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
SIMULATING PROCESS GENERATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
PROCESS VALIDITY CHECK. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
COMPILING A PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
EXECUTING PROCESSES AUTOMATICALLY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
WORKING WITH THE PROCESS PLAN EDITOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
MENU BAR AND TOOLBAR EXTENSIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
EDITOR VIEWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
FUNCTIONS IN THE LIST VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
FUNCTIONS IN THE EDIT VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
CREATING A PROCESS PLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
PROCESS COMPONENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
CHAPTER 4
PROCESS DEBUGGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
RECORDING MESSAGES IN THE PROCESS HISTORY . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
RECORDING MESSAGE IN SYSTEM JOURNAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
IDENTITY MANAGER SERVICE LOGGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

CONFIGURING THE IDENTITY MANAGER SERVICE LOG FILE . . . . . . . . . . . . . . . . . . . . 85


DISPLAYING THE LOG FILE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
IDENTITY MANAGER SERVICE EXTENDED DEBUGGING . . . . . . . . . . . . . . . . . . . . . . . 87
OUTPUT OF EXTENDED RETURN VALUES FROM INDIVIDUAL PROCESS COMPONENTS . . . . . . 89
OUTPUTTING CUSTOM MESSAGES IN THE IDENTITY MANAGER SERVICE LOG FILE . . . . . . . 89
DISPLAYING MESSAGES IN THE RESULTS VIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
PROCESS GENERATION LOGGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
DATABASE QUERY LOGGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
OBJECT ACTION LOGGING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
LOGGING DBSCHEDULER TASKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
CHAPTER 5
IDENTITY MANAGER FILES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
IDENTITY MANAGER SERVICE CONFIGURATION FILES . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
JOBSERVICE.CFG. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
VINETWORKSERVICE.EXE.CONFIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
IDENTITY MANAGER SERVICE LOG FILE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
HTTPLOGPLUGINS LOG FILE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
GLOSSARY ............................................................................................................. 101
INDEX .................................................................................................................. 121

CONTACT QUEST . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127


ABOUT QUEST SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
CONTACTING QUEST SOFTWARE, INC.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
CONTACTING QUEST SUPPORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

1 About this Guide
• Quest® One Identity Manager
• Intended Audience
• Identity Manager Documentation

Quest® One Identity Manager


Quest One Identity Manager streamlines the process of managing user identities, access privileges and
security enterprise wide. It empowers identity and access management to be driven by business needs,
not IT capabilities. Quest One Identity Manager is based on an automation-optimized architecture that
addresses major identity and access management challenges at a fraction of the complexity, time, or
expense of “traditional” solutions.

Intended Audience
This guide describes the functionality of the Identity Manager that you can use to control Process Orchestration. You will discover how to define, edit, simulate and automate processes. You are provided with a summary of all the process components that can be used as process functions. The guide also describes how to configure the Identity Manager to monitor running processes and to recognize errors during process handling. The Identity Manager helps you by providing detailed information about the status of process handling and with different views of the processing sequence.

This guide is intended for system administrators, consultants, analysts, and any other IT professionals
using the product.

This guide describes the default user functionality of the Identity Manager. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Identity Manager Documentation


Identity Manager documentation includes the following manuals. They can be found on the installation
media in the directory ...\Quest One Identity Manager\Documentation.

• Getting Started Guide
This guide provides Identity Manager installation instructions and product walkthroughs.
• Identity Management Guide
This guide provides Identity Manager in-depth administration information.
• Process Orchestration Guide
This guide provides information about designing and implementing process automation with
the Identity Manager.
• Configuration Guide
This guide provides information about configuring and customizing the Identity Manager.
• IT Shop Guide
This guide provides in-depth administration information on managing the IT Shop.
• Web Portal User Guide
This guide provides in-depth information about Web Portal handling.
• Web Portal Installation Guide
This guide provides Web Portal installation instructions.
• Web Designer Reference Guide
This guide provides information about configuring and customizing the Web Portal.
• Identity Manager Web Installation Guide
This guide provides Identity Manager Web installation instructions.

2 Working With Job Queue Info
• Introduction
• Design of the User Interface
• Job Queue View
• Job Server View
• Process History View
• Base Object View
• Processes View
• Process Step View
• Parameter View
• Progress View
• Determining the State of the Server
• DBQueue View
• Stopping the System (Emergency Stop)

Introduction
The Job Queue Info tool supports control of the current state of services running in an Identity Manager network. It provides a detailed and comprehensive overview of the requests in the “job queue” and of the different requests that the Identity Manager Service has on the servers. This tool makes working with processes easier, delivers live status information and makes it faster to search for and recognize errors.

Design of the User Interface


How to log onto this tool is described in Logging into Identity Manager Administration Tools as a System
User on page 113 in the Getting Started Guide.

The graphical user interface can be controlled by mouse and key combinations. We recommend a minimum screen resolution of 1280 x 1024 pixels with at least 16 bit color in order to optimize the graphics display.

The Job Queue Info graphical interface contains a title bar, a status bar, a menu bar, a toolbar and input panes. Within the input area there are different views representing the information.

Title Bar
The title bar shows the program icon, the name of the program and connected databases using the notation <user>@<database server>\<database(description)>.

Title bar with program name and database

Status Bar
The status bar displays the database connections in the notation <server>\<database (description)>
and the system user connection. The system status is also displayed. Database activity such as loading
or saving objects is shown using symbols in the status bar.

Extended Tool Status Bar

Icons in the Status Bar

ICON MEANING

System user without release key to perform actions.

System user with release key to perform actions.

DBScheduler processing was stopped because the database has to be compiled.

The DBScheduler has been stopped.

The server service has been stopped.

The database is connected.

Database status and display of DBScheduler computation requests.

Menu Bar
The menu bar contains several menus. The <Database> and <Help> menus are always shown. The <View> and <Filter> menus are only shown when a database is connected.

Menu Bar with Menu Commands

Default Key Combination in the Menu Bar

KEY COMBINATION ACTION

Alt + letter with underscore: Select menu or menu item.

Up arrow, down arrow: Move between menu items.

Enter: Select a menu item.

Esc: Cancel menu.

13
Quest One Identity Manager

Job Queue Info - Meaning of the Menu Commands

MENU / MENU ITEM: MEANING

Database / New connection: Creates a new database connection.

Database / Close connection: Closes the current database connection.

Database / Change password...: Changes the password for the current user.

Database / Settings...: Opens a dialog window for configuring the default program settings.

Database / Exit: Exits the program.

Filter / Define filter: Opens the WHERE clause wizard to assist in defining a filter.

Filter / Delete filter: Deletes the filter.

View / Job queue: Hide or show job queue view.

View / Job server: Hide or show job server view.

View / Process history: Hide or show process history view.

View / Base object: Hide or show base object view.

View / Process: Hide or show process view.

View / Process step: Hide or show process step view.

View / Parameter: Hide or show parameter view.

View / Progress: Hide or show progress view.

View / Server state: Hide or show server state view.

View / DBQueue: Hide or show DBQueue view.

View / Default layout: Restores the user interface default layout.

Help / Emergency stop: Displays a dialog from which the system can be stopped.

Help / Job Queue Info help: Opens the program help.

Help / Info: Displays the program version number.

Context Menus

Some elements of the input area have separate context menus. You open the context menus using the
key combination <shift+F10>, the context menu key or the right mouse button. The content of the
menu is dependent on the current view.

Default Key Combinations for the Context Menu

KEY COMBINATION ACTION

Shift + F10 or context key Opens the context menu.

Up arrow, down arrow Move around within the context menu.

Enter Select context menu item.

Esc Cancel context menu.


Toolbar
The toolbar is always shown. The icons are activated or deactivated depending on which views are displayed.

Toolbar

Meaning of Toolbar Items

ICON MEANING

Create new database connection.

Close current database connection.

Hide or show job queue view.

Hide or show job server view.

Hide or show process history view.

Hide or show process view.

Hide or show process step view.

Hide or show parameter view.

Open WHERE clause wizard to set up a filter.

Delete filter.

Updating the Views


To update the views press <F5>. If the view focus is on a base object, the whole display is updated and the hierarchy tree is closed. This update also refreshes the contents of the other views.
The views can only ever display a snapshot of the queue because the contents of the job queue are continually changing. Therefore, when a node is opened or the view is updated, the necessary information may have already been deleted from the job queue. If this is the case, the corresponding entry in the hierarchical display is deleted or the corresponding element is not shown.

Filtering the Views


By defining filter conditions you can further limit the entries that are displayed in the views <Job queue>, <Job server> and <Process history>. The filter conditions are saved when the program is exited and reloaded at program startup. Use the WHERE Clause Wizard to define filter conditions. You start the wizard by selecting the menu item <Filter>\<Define filter>. The menu item <Filter>\<Delete filter> deletes the filter condition again.

Enter the condition to limit the number of results. The condition is defined as a valid WHERE clause for the database query. The condition relates to the selected database table, which is filled in when the wizard is started.

Creating a Filter

Use the <Next> button to move to the preview. All entries are shown that correspond to this condition.
If you use the <Next> button to reconfirm, the condition is displayed in SQL syntax. Use the <Back>
button to return to the last view. Use the <Finished> button to accept the configuration or <Abort> to
cancel the settings. In both of these cases the dialog box is closed.

Column Configuration
You can specify which columns should be displayed for each of the views, <Job queue>, <Job history>,
<Process history> and <Base objects>. To do this, select a node in the hierarchical tree and use the
context menu item <Configure columns> to open the column configuration dialog window.


Select the columns you want to display by moving through the list and accepting with the arrow buttons, and then change the order in which they are displayed. Select <OK> to accept the configuration settings, select <Cancel> to abort the configuration. In both cases the dialog window is closed.

Column Configuration

The width of the columns can be varied in the views <Job queue>, <Job history>, <Process history>
and <Base objects>. The following user interaction has been implemented:

• The column is adjusted to the optimal size by double-clicking on the column sizing bar.
• All columns are optimized in size by double-clicking on the column sizing bar whilst holding
down the <Shift> key.

Customizing the Program Settings


You can make the following changes to the program settings via the menu <Database>\<Settings...>:

• Language
Specify the program language. The changes come into effect after the program has been restarted. This sets the language globally for all Identity Manager programs and therefore the change does not have to be made separately for each program. Refer to Languages for Displaying and Maintaining Data on page 258 in the Configuration Guide for more information.
• Result limit
Specify a limit for the number of process or process step entries to be loaded and displayed.
• Server state
Enter the HTTP port for requesting the state of the job server that Identity Manager Service is working on. The default value is port 1880. You can also specify the timeout limit for state requests. This input is in seconds. Job servers that do not respond within this time limit are considered to be not available.
• Process history
You can use this setting to restrict the process history to displaying only processes that have failed. The setting does not affect how the process history is recorded, only how it is displayed.


The settings are applied with the <OK> button. The <Cancel> button aborts the changes. In both
cases the window is closed.
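The <Server state> setting above describes a simple availability model: an HTTP port (default 1880) and a timeout in seconds, with any job server that does not answer in time treated as not available. The script below, an added example that is not part of this guide or of the Identity Manager product, implements that model as a stand-alone poller that an operator could run against a list of job servers. The request path ("/") and the plain-text reply are assumptions, because the guide does not document the endpoint format; the host names are constructed.

```python
"""Poll job-server state endpoints the way Job Queue Info's <Server state>
setting describes: an HTTP port (default 1880) and a timeout in seconds.
A server that does not answer within the timeout is reported as
"not available". Added example; not Quest code. The request path "/" and
the plain-text reply are assumptions not taken from the guide."""
import urllib.request

DEFAULT_PORT = 1880       # default port named in the program settings
DEFAULT_TIMEOUT_S = 5     # assumed value; the guide only says it is in seconds


def fetch_state(host, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT_S):
    """GET http://host:port/ and return the body, or raise OSError on failure.
    urllib's URLError and socket.timeout are both OSError subclasses."""
    url = "http://%s:%d/" % (host, port)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_servers(hosts, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT_S,
                  fetch=fetch_state):
    """Classify each job server as available / not available.
    `fetch` is injectable so the classification can be exercised offline."""
    results = {}
    for host in hosts:
        try:
            body = fetch(host, port, timeout)
            results[host] = ("available", body.strip())
        except OSError as exc:          # timeout, refused, DNS failure, HTTP error
            results[host] = ("not available", str(exc))
    return results


def unavailable(results):
    """Hosts that Job Queue Info would flag as not available, sorted."""
    return sorted(h for h, (state, _) in results.items() if state != "available")


if __name__ == "__main__":
    # Constructed host names; replace with your own job servers.
    sample_hosts = ["jobsrv1.example", "jobsrv2.example"]
    for host, (state, detail) in check_servers(sample_hosts).items():
        print("%-20s %-14s %s" % (host, state, detail))
```

Because `fetch` is a parameter, the classification logic can be tested without a network, and a real deployment can swap in an authenticated client if the state endpoint requires one.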

Configuring the Program Settings

Changing the Password for the Logged In User


You can change the password for the user that is currently logged in using the menu item <Database>\<Change password...>. Enter the old password, the new password and repeat the new password. Accept the changes with <OK>.

Dialog Window for Changing a User Password


Job Queue View


The <Job queue> view shows the contents of the job queue grouped in processes. In the first level of
the hierarchy, all the processes are shown with a process count.

Job Queue View

If a process node is opened, all the processes are shown with start times. The complete process is displayed with its hierarchy under such a process node. Each process step contains its success and failure branches as sub elements. The process information can be regularly updated by selecting the context menu item <Monitor process>.

Job Queue View - Meaning of Icons

ICON MEANING

Processes are grouped by name. The number of processes to be executed is displayed.

A start time for each process is displayed.

This process step is dealt with in the case of success.

This process step is dealt with in the case of failure.


In order to improve the overview, the execution progress of a process step is mirrored in the color of
the text.

Job Queue Display - Meaning of the Colors

COLOR / MEANING / PROGRESS STATE

Orange: This process step is being processed. (Processing)

Yellow: This process step is loaded for processing. (Loaded)

Green: This process step is ready for processing. (True)

Blue: This process step has already been processed. (Finished)

Black: This process step is not ready for processing. (False)

Red: The process step being dealt with cannot be processed. You can reactivate process steps with a progress state of “Frozen” and “Over limit” and therefore present them again for processing. (Frozen/Overlimit/unknown)

Reactivating Process Steps


The maximum number of times a process can appear in the job queue can be limited in order to prevent mass modifications. When the limit is exceeded the process steps are set to the state “Overlimit” and can no longer be collected for processing.
Critical process steps that have failed are set to “Frozen”. Once the error has been corrected, you can present these process steps for processing again.

To reactivate process steps

• Select the process step, then select Reactivate process step from the context menu.
Use <SHIFT + SELECT> or <CTRL + SELECT> to multi-select process steps and reactivate them.

To reactivate a process
• Select the process and select Restart process from the context menu.

All process steps are reprocessed when you restart a process. Therefore, all process steps handled up to the point the error occurred are processed a second time. This may result in data inconsistencies in certain circumstances.

Sometimes a rerun of the failed process step is not desired. This may occur when the action to be carried
out by the process has already been carried out manually, for example, an expected directory has been
added by hand. Conversely, it may be necessary to rerun the process even though the error has not been
fixed, for example for a rollback of already processed steps.

To execute the next process step

• Select the failed process step and select End with success or End with error from the context menu.
  Use <SHIFT + SELECT> or <CTRL + SELECT> to multi-select process steps and continue with execution.
  The entries are only visible if a subsequent error/success step exists and the process step is
  “Frozen”.

20
Working With Job Queue Info

Job Server View


The <Job server> view shows the job queue context in the order of executing servers. At the first
hierarchy level, all job servers are displayed, with their counts of the different processes that exist in
the job queue for the job server. If a job server node is opened, the process functions are listed and the
number of process steps per process function is shown. The process steps are listed by start time under
the process function node.

Job Server View

Job Server View - Meaning of the Icons

ICON MEANING

Displays the job server whose process function is currently executing. The number of different
processes per job server is shown.

Displays the executing process function. The number of executed process steps per process function
is shown.

Shows the start time of the process step.

Process History View


The <Process history> view displays the contents of the “JobHistory” table. The course of the process
execution is displayed by sorted processes. In the program settings, you can limit the number of
processes to be displayed in the process history to only those that have failed. For more information, see
Customizing the Program Settings on page 17. If you select a failed process step, the entire error
message is shown in a tooltip.

Process History View

Process History View - Meaning of the Icons

ICON MEANING

Processes are grouped by name. A count of the processes is shown.

The start time of each process is shown.

The step being dealt with here is a follow-on step in a success branch. The executed process function
and the state of the process step are shown.

The step being dealt with here is a follow-on step in a fail branch. The executed process function and
the state of the process step are shown.

In order to improve the overview, the execution progress of a process step is mirrored in the color of
the text.

Process History View - Meaning of the Colors

COLOR MEANING

Black This process step has been processed without error.

Red An error occurred processing this process step.


Base Object View


The process history entries and the current job queue entries are summarized in this view for the object
being processed. If an error occurs during processing which stops process handling (execution state
“Frozen” or “Overlimit”), you can use this view to analyze the processing flow up until this point. The
functions described in Job Queue View on page 19 and Process History View on page 21 are available to
you for further processing. Once all processes have been successfully handled for this object the error
messages are removed from the view.

Base Object Error Handling View

Processes View
This view gives an overview of how process steps are linked within a process. In this way, the execution
sequence of individual process steps for large processes can be monitored better.


After selecting a process in the job queue view or the job server view, the process steps of the selected
process are displayed in the <Process> view.

View of a Process

The process step and its properties are displayed through a special control element. The progress state
and the name of the process step are shown in the header of the control element. The progress state of
the process step is further clarified by the use of a color icon. All other entries represent the parameters
for this process step. You can hide or show the parameter list by clicking on the icon in the header of
the control element.

Each entry in the control element has a tooltip. The process step tooltip contains the name of the
executing queue, the progress state as well as the start time of the process step. The parameter tooltip
shows the parameter name and the value of the parameter.

Displaying the Process Steps in a Process - Meaning of the Icons

ICON MEANING

Shows the progress state of the process step. Each progress state is labeled in color.

Show process step parameters

Hide process step parameters

Displaying the Process Steps in a Process - Meaning of the Colors

COLOR    MEANING                                                          PROGRESS STATE

Orange   This process step is being processed.                            Processing
Yellow   This process step is loaded for processing.                      Loaded
Green    This process step is ready for processing.                       True
Blue     This process step has already been processed.                    Finished
Black    This process step is not ready for processing.                   False
Red      The process step being dealt with cannot be processed. You can   Frozen/Overlimit/unknown
         reactivate process steps with a progress state of “Frozen” and
         “Over limit” and therefore present them again for processing.

Process Step View


In this view detailed information is displayed for each process step. The view shows the data structure
for a process step at compilation time. After selecting a process step in the job queue or job server
view, specific information from the job queue and the separate parameters of the process step with
concrete values are displayed in the <Process step> view.

Process Step View

Process Step View - Meaning of the Icons

ICON MEANING

Selection of a process step and its parameters.

Displays a column from the “Jobqueue” table and the value.

Displays a process step parameter and the value.

You can copy the currently selected data in the view into the clipboard with the key combination
<ctrl + C>. The data format is:

Column name = value

Parameter View
After selecting a process step in the job queue or job server view, the passing parameters of the
selected process step with name and value are displayed in the <Parameter> view. If the selected node
does not represent a process step, the parameter view is cleared.

Process Step Parameter View

You can copy the currently selected data in the view into the clipboard with the key combination
<ctrl + C>. The data format is:

Column name = value


Out Parameter View


Parameters of type “OUT” or “INOUT” are parameters that can be used by process components to output
a value. This value is then available to subsequent process steps in the process and can be used as a
value for IN parameters.

Job Queue Info cannot determine technically when or for which process step this parameter applies.
Therefore, out parameters are added to a parameter list for a process step (marked in blue).

You cannot see the parameters in the <Process step> view under <ParamIN> because this view shows
the data structure of each process step at compiler time and the out parameters are created within the
context of the process.

The time at which the process is loaded into Job Queue Info is important. If a parameter is overwritten
several times, only the state at the time of data query is displayed.

Example:

Step 1 Out parameter: X=1

Step 2 In parameter: X=1

Value changes: X=2

Out parameter: X=2

Step 3 In parameter: X=2

If the process in Job Queue Info is loaded before step 2 is processed, the value “X=1” is shown for the
out parameter in Job Queue Info. If the process is loaded after step 2 has been processed, the out
parameter shows the value “X=2”.

You can find more detailed information about each process step and how the parameters are filled, in
the Identity Manager Service log file.


Progress View
In the progress view, the number of entries in the job queue is queried. The current value is shown as
a number and at the same time inserted into a bar graph. The process step progress states are shown in
different colors. The display is updated every 5 seconds.

Progress View

Progress View - Meaning of the Colors

COLOR    MEANING                                                      PROGRESS STATE

Black    Number of process steps that are not ready for processing.   False
Green    Number of process steps ready for processing.                True
Yellow   Number of process steps loaded for processing.               Loaded
Blue     Number of process steps that have completed processing.      Finished
Red      Number of process steps with an unknown progress state.      Frozen/Overlimit/unknown

Determining the State of the Server


The <Server state> view supplies a quick overview of the availability of all the job servers in the
network. Job Queue Info also uses the Identity Manager Service configuration of each Job server saved in
the database to provide more exact status query results. This is particularly necessary if the HTTP
server port has been set individually or a Job server processes several queues. To do this, load the Job
server Identity Manager Service configuration into the database using the schedule “Get configuration
file from the Job server and write in the Job server configuration”. Configure and enable this schedule in
the Designer in the category <Base data>\<Schedules>. For more information, read Setting Up and
Configuring Schedules on page 254 in the Configuration Guide.

Request Server State

You can request the state of all the job servers available in the database with <F5>. To obtain the
state of an individual server select <Refresh state> in the context menu. The maximum timeout for
requests and the HTTP port are specified in the program settings. For more information, see Customizing
the Program Settings on page 17.

If the server responds, the system time, the Identity Manager Service version and the Identity Manager
Service account name are determined and displayed. The software update status as well as the current
version of the software is also displayed.

Use the context menu item <Open in browser> to display the different Identity Manager Service services
by querying the Identity Manager Service HTTP server.

Use the context menu item <Stop processing> if you need to temporarily stop the Job server from
processing the queue; use <Start processing> to continue processing the queue.

DBQueue View
When data, which is relevant for inheritance, is changed within Identity Manager, for example,
modifications to assignments or changes in particular system data, i.e. system user interface changes,
the resulting data needs to be recalculated. The requests are queued in the DBQueue and processed by
the DBScheduler.


The <DBQueue> view displays the requests in the table “DialogDBQueue” that are waiting to be
processed by the DBScheduler. The number, sort order and name of the queued requests are displayed.
The display is updated in a fixed time interval of 2 seconds.

DBQueue View

The DBScheduler is executed in regular intervals by a database schedule “VID_DBScheduler”. You can
also manually start the request computation if necessary, when you have the required administrative
permission. By selecting the icon in the program’s status bar you can open a dialog window which shows
the status of the SQL Server Agent, the status of the DBScheduler and information about pending tasks
in the DBQueue.

Advanced DBScheduler Information

The SQL Server and the DBScheduler status information is shown on the <Processing state> tab. You
can start the DBScheduler server-sided over the SQL Server Agent (<Start agent> button) or directly
using the logged on user’s connection (<Start immediately> button). The <Pending tasks> tab shows
the currently pending tasks in the DBQueue. These are processed the next time the DBScheduler runs.
The newest entries in the system log are displayed on the <Journal> tab (see also Recording Message
in System Journal on page 85). Close the dialog window with the <Close> button.

Stopping the System (Emergency Stop)


In certain circumstances, situations can occur in the system that require processing by
Identity Manager Service and processing of tasks by the DBScheduler to be stopped. Changes in
Identity Manager can, for example, sometimes cause the system to become overloaded by making
mass entries in the job queue or the DBQueue. To analyze this situation and to take the necessary
steps to solve the problem where necessary, the system can be stopped in Job Queue Info and started
again once the problem has been fixed.


If you have the necessary administration permissions, you can stop and start the system using the
menu item <Emergency Stop> in the <Help> menu.

Stopping and Starting the System

The DBScheduler can be stopped by selecting the <DBScheduler> button. From this point on no new
computations are carried out in the database. After the problem has been fixed, the DBScheduler can be
started again using the same button.

You can stop collection of process steps for all Identity Manager Services with the button
<Identity Manager Services>. Process steps that have already been collected are still processed but no
new process steps are sent to the services. After the problem has been fixed, the services can be started
again using the same button.

The following icons are displayed in the status bar of all administration tools to inform the user that the
DBScheduler and services have been stopped.

Special Icon in the Status Bar for System Stop

ICON MEANING

DBScheduler has been stopped.

The server services have been stopped.

3 Handling Processes in the Identity Manager

• Introduction
• Working with the Process Editor
• Defining Processes
• Executing Processes Automatically
• Process Components

Introduction
The principle of Identity Manager allows actions and workflows to be assigned to specific events. For
example, the steps that need to be executed in order to add a user account to the database can be
described in the form of a workflow. In this case, each action is represented by a process step and
workflows are transformed into processes by linking the process steps together.

Working with the Process Editor


The Process Editor is the program that you use to define and edit processes. This editor is started from
the program “Designer” and opened in the program’s document edit view. The standard functionality of
the “Designer” is described in the chapter “Working with the Designer” on page 29. At this point, we
shall only go into the functionality of this editor.

Designer’s User Interface and the Process Editor


Menu Bar and Toolbar Extensions


The following items are added to the menu bar once the editor has started.

Meaning of Menu Bar Items

MENU           MENU ITEM                       MEANING                                                            KEY COMBINATION

Process        New                             Creates a new process.                                             Ctrl + N
               Delete                          Deletes the selected process after requesting confirmation.
               Rearrange                       Rearranges the process within the process document.
               Error checking                  Carries out a validity check on the process. Error messages are
                                               outputted to the <Process error> view.
               Compile                         Compiles the selected process on a test basis. Error messages
                                               are outputted to the <Compiler error> view.
               Compare processes...            Opens a dialog window for comparing processes.
               Compile and save to database    Compiles the selected process and saves the assembly in the
                                               database. Error messages are outputted to the <Compiler error>
                                               view.
               Export...                       Exports the selected process as an XML file.
               Import...                       Imports the selected process into the database from an XML file.
               Copy...                         Starts a copy wizard for a process.
               View                            Swaps between views.
               View/Edit view                  Default view for editing processes.
               View/Simulation view            Starts the process simulation wizard.
               View/Source code view           Only shown when compiler errors have occurred.
               View/Process generator log      Shows the process generation log after simulation.

Process step   New                             Adds a new process step into the process document.
               Delete                          Deletes the selected process step from the process document.
               Import                          Imports a process step from anywhere in the database into a
                                               process document.
               Search                          Searches for a process step within the selected process.           Ctrl + F
               Copy                            Copies the selected process step into the clipboard.
               Cut                             Copies the selected process step into the clipboard and deletes
                                               it from the process document.
               Paste                           Inserts the selected process step from the clipboard into the
                                               process document.

View           Process errors                  Shows/hides view <Process errors>.
               Compiler errors                 Shows/hides view <Compiler errors>.
               Parameters/Events               Shows/hides view <Parameter/Events>.
               Properties                      Shows/hides the edit view.

Help           Process editing help            Opens help window on this theme.
               Help for Process Editor         Opens help window for the editor.

The editor has its own toolbar that you can show or hide by using the context menu. The view selection
determines which icons are disabled or enabled.

Toolbar

Meaning of the Toolbar Items

ICON MEANING

Creates a new process

Deletes a process

Executes a validity check for this process.

Rearranges the process.

Compiles the process.

Compiles the process and saves the assemblies.

Exports a process.

Imports a process.

Inserts a new process step.

Deletes a process step.

Searches for a process step and imports it into the process document.

Copies the process into the clipboard.

Deletes the process step from the list but retains it in the clipboard.

Inserts a process step from the clipboard.

Shows/hides edit view.

Shows/hides simulation view.

Shows/hides source code view.

Shows process generation log (after simulation).

Zooms in on view in incremental steps.

Sets zoom factor.

Zooms out on view in incremental steps.

Shows/hides edit view.

Shows/hides compiler errors.

Shows/hides process errors.


Process Editor Views


The Process Editor has several views for displaying and editing processes and process steps:

• Process document
• Edit view for processes and process steps
• Edit view for events and parameters
• Process validity check view
• Compiler error messages
• Source code view
• Simulation view

Functions in the Process Document

The process document contains special control elements that allow a process to be displayed and edited
with its process steps. A separate document is opened for each process. Read Working with the Process
Document on page 42 for more details about handling a process document.

Process Document with a Process


Functions for Processes and Process Steps in the Edit View

In this edit view you can change the properties of processes and process steps. The process or process
step properties that are shown depend on which elements are selected in the process document. There
is a default context menu available for the input fields.

Process Edit View

Functions in the Parameter and Events Edit View

This edit view enables you to alter the event properties for a process or the parameters for a process
step. Either parameters or events are shown depending on which element is selected in the process
document. You can directly edit the entry with a simple mouse click.

Event Edit View


Parameter Edit View

The view has its own toolbar. The functions relate to either parameters or events depending on the
selection.

Meaning of Toolbar Items

ICON MEANING

Creates a new event or parameter.

Deletes an event or parameter.

Opens the dialog window for editing the event or parameter.

Functions in the Process Validity Check View

The result of the validity check is displayed in this view and is retained until the next validity check. By
clicking on an error message in the view, the corresponding process or process step is displayed in the
process document.

Process Validity Check View


Functions in Compiler Errors View

Errors that occur when a process is compiled are displayed in this view. By clicking on an error message
in the view, the corresponding process or process step is displayed in the process document.

Compiler Errors View

Functions in the Source Code View

The source code is displayed if errors occur during compilation. This view is only for displaying the
source code. It cannot be edited here. When you double-click on a message in the compiler errors view,
it jumps to the corresponding row in the source code view.

Functions in the Simulation View

When you change to the simulation view, a wizard is started that tests how a process is generated. The
functionality of this wizard is described in more detail in Simulating Process Generation on page 65.

Support for Dollar Notation Input

When you enter a “$” character in an input field that is expecting a VB.Net expression, an input list is
opened. This displays all the properties for the current object. A tooltip with a more detailed description
of the property is also shown. If you select a FK column you can navigate to the columns of the
associated table with the arrow keys. Exit the selection on the target column with <Enter> or by
double-clicking with the mouse. Now the complete dollar notation for your selection is displayed. Use
<Esc> or exit the input field to close the list without accepting any data.

Help List for Dollar Notation


Meaning of the Symbols used in the Help List.

ICON MEANING

Property of current object.

Primary key.

Foreign key (FK).

Help List Functions

KEY COMBINATION ACTION

Down arrow Opens the help list.

Down arrow, up arrow Swaps to next or previous entry respectively.

Left arrow, right arrow Swaps from FK to parent object or back to the child object respectively.

Enter Accepts the value in dollar notation.

Working with the Process Document


The process document contains special control elements that allow a process to be displayed and edited
with its process steps. When a new process is added, an initial process document with one process ele-
ment is created. You can add process step elements using the context menu in the process document.

Process Document Context Menu Items

CONTEXT MENU ITEM MEANING

New Creates a new process step element for editing a process step.

Delete Deletes the selected process step.

Copy Copies the selected process step into the clipboard.

Paste Inserts the process step stored in the clipboard.

Properties Shows the common object properties of the selected entry.

Use connectors to link the elements to each other. Activate the connection points with the mouse. Once
a connection is selected, the mouse cursor changes to an arrow shape. Hold down the mouse button and
pull the connector from one connection point to the next. To delete a connection, select a connection
end-point and confirm the deletion request that appears. The connection to the control element is
deleted.

Arranging a Process

You can change the layout position of control elements in the process document using the mouse. Each
element has a tooltip. The contents of these tooltips are made up of the name, the process or process
step description and the process function description.

Double-click on the process or process step element to open the respective edit view, where you can
make your changes.

The processes and process step entries are not created in the Identity Manager database until the
complete process is saved over the change log in Designer. After this, other users can use the
Process Editor to make changes to the process. However, it cannot be generated yet. The process has
to be compiled before it can be generated. The layout positions of the processes and process steps are
also saved in the Identity Manager database, along with their contents.

Support for Inputting Values


A special input field is used if data needs to be entered in VB.Net syntax. Several functions are provided
to do this that make it easier to enter script code. For more information read Support for Scripting on
page 72 in the Configuration Guide.

Defining Processes
Processes are edited and displayed in the category <Process Orchestration> in Designer. Apart from
the default processes supplied by us and customer specific processes, you also get an overview of the
process components with their process tasks and parameters. You can set up process plans that are
available for triggering processes on a cyclical basis as well.

Process Orchestration Overview

Basics for Defining Processes


Identity Manager uses so-called process steps to represent company workflows. You can group these
into processes using the successor/predecessor relation.

A process step is an instruction to carry out a particular action by a vi* process component. A process
generator (Jobgenerator) is responsible for converting script templates in processes and process steps
into a concrete process in the ’Job queue’. Decision logic monitors the execution of the process steps
and determines how processing should continue depending on the results of the executed process
components. So-called process tasks are used to perform single elementary tasks at system level, for
example, adding a directory. A process component consists of one or more process tasks and its
parameters. Process components are defined in the tables “Jobcomponent”, “Jobtask” and “Jobparameter”
along with their process tasks and parameters. These definitions are maintained by us in the database
migration and cannot be edited.


The following illustration shows a chain of process steps with which you can add an employee, set up an
Active Directory user account for him or her and finally add a mailbox.

Creating a Single Process by Linking Process Steps

You can reproduce this sequence in a process. However, you can also define entry points for other
processes. The result of entering at point ‘process 1’ is the addition of an employee with an Active
Directory account with a mailbox. Joining at entry point ‘process 2’ only results in the addition of an
Active Directory user account with a mailbox.
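As an added illustration that is not Quest code, the following Python model ties the chain above to the decision logic (success and error branches) and to the Job Queue Info actions described under Reactivating Process Steps on page 20, including the Overlimit guard; the step names, the CUST_ prefix and the SetQuota step are constructed.

```python
# Constructed model of the process handling described in this guide (not Quest code).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Progress states as labelled in the Job Queue Info colour tables
FALSE, READY, LOADED, PROCESSING, FINISHED, FROZEN, OVERLIMIT = (
    "False", "True", "Loaded", "Processing", "Finished", "Frozen", "Overlimit")


@dataclass
class Step:
    """A process step: one instruction carried out by a process component."""
    name: str
    action: Callable[[], bool]        # stands in for the component; True = success
    on_success: Optional[str] = None  # follow-on step in the success branch
    on_error: Optional[str] = None    # follow-on step in the error branch
    state: str = FALSE


@dataclass
class Process:
    """Steps grouped by the successor/predecessor relation, with an entry point."""
    name: str
    steps: Dict[str, Step]
    entry: str
    executed: List[str] = field(default_factory=list)  # every execution, in order

    def _continue_from(self, name: Optional[str]) -> None:
        # Decision logic: execute a step, then branch on the component's result.
        while name is not None:
            step = self.steps[name]
            step.state = LOADED        # collected by the Identity Manager Service
            step.state = PROCESSING
            self.executed.append(name)
            ok = step.action()
            step.state = FINISHED
            name = step.on_success if ok else step.on_error
            if not ok and name is None:
                step.state = FROZEN    # failure with no error branch stops processing
                return

    def run(self) -> None:
        for s in self.steps.values():
            s.state = FALSE
        self.steps[self.entry].state = READY
        self._continue_from(self.entry)

    def frozen_steps(self) -> List[str]:
        return [n for n, s in self.steps.items() if s.state == FROZEN]

    def reactivate(self, name: str) -> None:
        """'Reactivate process step': a Frozen/Overlimit step is processed again."""
        if self.steps[name].state not in (FROZEN, OVERLIMIT):
            raise ValueError(f"{name} is not Frozen or Overlimit")
        self._continue_from(name)

    def can_end_with(self, name: str, success: bool) -> bool:
        """'End with success/error' is offered only for a Frozen step with that branch."""
        step = self.steps[name]
        branch = step.on_success if success else step.on_error
        return step.state == FROZEN and branch is not None

    def end_with(self, name: str, success: bool) -> None:
        """Skip the failed step (e.g. its work was done by hand) and take the branch."""
        if not self.can_end_with(name, success):
            raise ValueError("entry not available for this step")
        step = self.steps[name]
        step.state = FINISHED
        self._continue_from(step.on_success if success else step.on_error)

    def restart(self) -> None:
        """'Restart process': all steps run again, including those handled before
        the error, which is why the guide warns about data inconsistencies."""
        self.run()


def mark_overlimit(queue: List[Process], limit: int) -> List[str]:
    """Mass-modification guard: once a process name appears in the job queue more
    than `limit` times, its steps are set to Overlimit and are no longer collected."""
    counts: Dict[str, int] = {}
    hit: List[str] = []
    for proc in queue:
        counts[proc.name] = counts.get(proc.name, 0) + 1
        if counts[proc.name] > limit:
            for s in proc.steps.values():
                s.state = OVERLIMIT
            hit.append(proc.name)
    return hit


def build_example(mailbox_ok: bool) -> Process:
    """The guide's chain: add employee -> AD user account -> mailbox. The step
    names, the CUST_ prefix and the trailing SetQuota step are constructed."""
    return Process("CUST_AddEmployee", {
        "AddEmployee":   Step("AddEmployee",   lambda: True,       on_success="AddADSAccount"),
        "AddADSAccount": Step("AddADSAccount", lambda: True,       on_success="AddMailbox"),
        "AddMailbox":    Step("AddMailbox",    lambda: mailbox_ok, on_success="SetQuota"),
        "SetQuota":      Step("SetQuota",      lambda: True),
    }, entry="AddEmployee")
```

Running `build_example(False).run()` leaves AddMailbox Frozen with SetQuota still "False"; `end_with("AddMailbox", True)` then continues without re-running the mailbox step, whereas `restart()` executes AddEmployee a second time.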

Editing Processes
In order to create a custom process you can:

• Create a new process
• Copy an existing process and alter it.
  Read Copying a Process on page 63 for more details.

All the default processes that are supplied by us are labeled with the strings “VI_” or “VID_”. These
processes can only be minimally changed and are updated by migration. Label your custom processes
with your customer prefix.

Use the Process Editor to edit and create processes. To edit an existing process select it in the category
<Process Orchestration> in Designer. Start the Process Editor by selecting the task <Edit process
‘XY’>. To create a new process start the Process Editor by running the task <Create new Process>. Use
the process edit view to enter data for the process.

Properties for a Process

General Process Properties

You can define the following data for a process:

• Process name
  The name of a process has to be unique. All the default processes that are supplied by us are
  labeled with the prefix “VI_” or “VID_”. Label your custom processes with the appropriate
  customer prefix.
• Base object
Select the base object (table) from the list. The process is based on the results from this object.
• Description/Comment
Enter an additional description and information for the process.
• Recording process information
Process information allows us to monitor all the processes that are executed in
Identity Manager. Read Setting Up Process Information for Process Handling on page 276
about setting up process information for a process.
• Process UID
Shows the process UID. This cannot be edited.

Data for Generating a Process

When a process is being handled, the generating pre-script is executed first and then the
generating condition is evaluated.

• Pre-script for generating
  The pre-script is executed before the other scripts. For example, you can define global variables
  in the pre-script that can be used later within processes and process steps for generating
  conditions, server selection scripts or parameters.
• Generating condition
You can define a condition in VB.Net syntax that is used to determine whether it is necessary
to generate the process. If a generating condition is given, the process is only generated if the
condition is fulfilled. The standard syntax is described in Using Scripts on page 310 in the
Configuration Guide. Example scripts are in the SDK.
• Do not generate
Use this option to decide whether the process should be generated. If the option is set, the
process is not generated and cannot be compiled.

If the option <Do not generate> is set for this process, it remains in the ’set’ state during
migration and is not reset.

• Preprocessor condition/Deactivated by preprocessor
  You can define a preprocessor condition for conditional compilation. This makes the process
  available only when the preprocessor condition is fulfilled. If a process is not available due to
  a preprocessor condition, the Database Compiler sets the option <Deactivated by
  preprocessor>. For more information about preprocessor functionality, see Using Preprocessor
  Conditions on page 302.

How to Use Local Process Variables and Global Variables

Local process variables are in local memory when a process is generated. They are used to determine
values within a pre-script on a one-off basis, which can then be used within the process and its process
steps, for example, in generating conditions, server selection scripts or in parameters.

It is recommended to set local process variables only in the pre-script and to access them
read-only on further use.

Pre-script syntax:

values("Name") = "value"

Usage in the following process and process step code sections:

Value = values("Name")

You can find further examples in Pre-scripts for using in Processes and Process Steps on page 315 in
the Configuration Guide.

You can use additional global variables provided by the connection object to control process generation.
These variables are valid as long as the connection exists. All custom variables defined for the
connection object can be used in addition to predefined variables. You can define custom global
variables through scripts, methods or the Customizer and use them in processes.

Global variables should only be used read-only in processes.


During process handling the pre-script for generation is executed first and then the generating
condition is evaluated. It is also recommended you evaluate global variables used in the gener-
ating condition in the pre-script. This can prevent unnecessary data access.

If you defined a custom connection variable, it should be removed again afterwards. Otherwise,
it stays there when the connection is subsequently used and may lead to incorrect processes
being generated.

Example

The process should only be generated for a full synchronization. The connection variable “FullSync” is
used for this. This variable is set by all synchronizers and has the values “True” or “False”. The variable
is available for all processes generated during full synchronization.

The variable “FullSync” is evaluated in the generating pre-script and again in the generating condition. This
means it is already determined in the pre-script whether the process must be generated or not.

Generating pre-script:

If CBool(Connection.Variables("FULLSYNC")) Then
values("name1") = "value1"
values("name2") = "value2"
values("name3") = "value3"
End If

Generating condition:

Value = CBool(Connection.Variables("FULLSYNC"))

48
Handling Processes in the Identity Manager

Notification During Process Handling


Configuration Parameters for Mail Notification

CONFIGURATION PARAMETER / MEANING

Common\MailNotification
    Notification data.
Common\MailNotification\DefaultAddress
    Default email address (recipient) for sending notifications.
Common\MailNotification\DefaultCulture
    Default language culture that emails are sent in if a language culture cannot be determined for a recipient.
Common\MailNotification\DefaultLanguage
    Default language for sending notifications.
Common\MailNotification\DefaultSender
    Default email address (sender) for sending notifications.
Common\MailNotification\NotifyAboutWaitingJobs
    Specifies whether a message should be sent if process steps have a particular execution state in the Job queue.
Common\MailNotification\SMTPAccount
    Name of the user account for authentication on the SMTP server.
Common\MailNotification\SMTPDomain
    Domain of the user account for authentication on the SMTP server.
Common\MailNotification\SMTPPassword
    Password of the user account for authentication on the SMTP server.
Common\MailNotification\SMTPPort
    SMTP service port on the SMTP server (default: 25).
Common\MailNotification\SMTPRelay
    SMTP server for sending notifications.
Common\MailNotification\SMTPUseDefaultCredentials
    Specifies whether the Identity Manager Service credentials (configuration parameter set) or the login data stored under "Common\MailNotification\SMTPDomain", "Common\MailNotification\SMTPAccount" and "Common\MailNotification\SMTPPassword" are used for authentication on the SMTP server.

In order to prevent bulk changes you can specify how long each process can remain in the Job queue.
Use the values <Threshold (warning)> and <Threshold (disable)> to do this. You can use the database
script “SDK_SetLimitationCount_in_Jobchain” to initially fill the process data. You can find this script in
the SDK.

If the warning threshold is exceeded, a message is sent by email to a specified recipient. The prerequisites
for using the notification system are an SMTP host set up for sending mail and the activated configuration
parameter for mail notification.

If the disable threshold is exceeded, the affected processes are given the status “Overlimit” in the Job
queue. These processes are no longer collected by Identity Manager Service for processing and remain
in the Job queue. You can reactivate process steps with the status “Overlimit” in the program
“Job Queue Info”. Refer to Reactivating Process Steps on page 20 for details.

If the configuration parameter “Common\MailNotification\NotifyAboutWaitingJobs” is set, an additional
email is sent when processes are labeled with the status “Overlimit” and a corresponding entry is made
in the Master SQL server event log.


Events for Process Generation


Events are defined to assign processes to objects. Processes cannot be generated until a link has been
created between object, event and process. The following predefined events are available. These are
described in the following table.

Predefined Events

EVENT COMMENT

Insert Event created when an object is created. Available for all objects.

Update Event created when an object is changed. Available for all objects.

Delete Event created when an object is deleted. Available for all objects.

Execute Event created by the DBScheduler when the execution time of a delayed operation is
reached.

Other events are provided by the Customizer. These events are described in the Customizer documen-
tation. You can define other custom events to trigger processes. For example, custom events can be
triggered with a database schedule to handle processes on a specific time schedule.

Editing Events

Use the Process Editor to create and edit events. Select a process in the Process Editor and select the
process element in the process document. All the events that are defined for the process are shown in
the event edit view.

Editing Events for Process Generation

You can edit an event directly by clicking on it once. Use the toolbar in the edit view to add events.
Open the dialog window for editing the data with the icon on the toolbar. Accept the changes with the
<OK> button or discard them with the <Cancel> button. In both cases the dialog window is closed.

Setting up Events

Enter the following data for an event:

• Event name
• Base object
The base object is already predefined in the process definition and cannot be changed.
• Sort order
If several processes refer to the same base object event, you can specify the order for gener-
ating the processes.
• Process information
You can store a formatting rule for the process information to record events in the process
tracking (see Setting Up Process Information for Process Handling on page 276).

Editing Process Steps


To add process steps within a process with the Process Editor you can:

• Create a new process step
• Import a new process step
More details in Importing Process Steps on page 61.
• Copy an existing process step and alter it
More details in Copying a Process Step on page 63.

Use the Process Editor to create and edit process steps. To edit an existing process step, open the pro-
cess in the Process Editor and select the process step element in the process document. Use the menu
item <Process step\New> to create a new process step in the edit view. Enter the data for the process
step in the process step edit view.

Process Step Edit Properties

General Process Step Properties

You can specify the following general properties for a process step:

• Process step name
• Process task
The process components and their process tasks are displayed in the selection list. When you
select a process task you define which action is executed by the process step. The process task
parameter templates are copied to the process step as parameters. This means that every pro-
cess step that uses this process task can pass other parameter values. The original is not
changed.
• Description
Enter a description of the tasks for this process step.
• Priority
The priority specifies the precedence in the Job queue for adding and processing the process
step. The value ranges from 1 to 15.
• Enable process information
Process information enables monitoring of all processes in Identity Manager. Read Setting Up
Process Information for Process Handling on page 276 about setting up process information for
process steps.
• Success and error notification
You can configure messages that notify on success or failure of the process step. Read How to
Handle Errors during Process Step Handling on page 55 for more details.


Data for Generating a Process Step


• Pre-script for generating
The pre-script is executed before the other scripts. For example, you can set local process
variables in the pre-script that are used later within the process step in the generating condition,
the server selection script or the parameter value templates.
• Generating condition
You can define a condition in VB.Net syntax that determines whether the process step needs to
be generated. If a generating condition is given, the process step is only generated if the
condition is fulfilled. The standard syntax is described in Using Scripts on page 310 in the
Configuration Guide. Example scripts are in the SDK.
• Preprocessor condition/Deactivated by preprocessor
You can define a preprocessor condition for conditional compilation. This makes the process
step available only when the preprocessor condition is fulfilled. If a process step is not available
due to a preprocessor condition, the Database Compiler sets the option <Deactivated by
preprocessor>. For more information about preprocessor functionality, see Using Preprocessor
Conditions on page 302.

Specifying the Execution Server

You need to specify which server should handle the process step in each individual case. You can define
a server mask or write a script to select the execution server. The selection of the server should always
end with a unique result. The selection script is evaluated first to determine the server. If a server can-
not be determined in this way then the server mask is evaluated. The first server that is found is used
for executing the process step.

Selecting the Server with a Server Mask

The usual server roles, e.g. domain controller or Master SQL Server, are defined in the server mask. Use
the server mask if it determines the server uniquely.

Permitted Server Roles

SERVER ROLE / REMARK

Domain controller
    Domain controller (target system Active Directory). Servers that are not labeled as domain controller are considered to be member servers.
Primary domain controller
    Only for the Windows NT target system.
Application server
    Server that functions as an application server.
SAM synchronization server
    Server for synchronization with a Windows NT environment, where a PDC is implicitly assumed as synchronization server. Make sure that there is only one SAM synchronization server per domain.
Home server
    Home servers are available once a user account is added.
Print server
    Server is implemented as a print server.
Master SQL Server
    The Master SQL Server is already entered into the database during initial migration.
Inventory server
    Query and result files for automatic hardware and software inventory are stored on this server.
Boot server
    The boot structure is stored on this server.
PXE server
    Server functions as a PXE server.
SMTP host
    Identity Manager Service can send emails via this server. Prerequisite for sending mail with Identity Manager Service is that the SMTP host is configured.
Identity Manager Service installed
    This option is set for the server whose queue will be processed. This does not necessarily mean that Identity Manager Service is running on this physical server. The option is not removed automatically, so reset it yourself if the server's queue is no longer active.
NTFRS base server
    This is the source server for Windows NT File Replication (NTFRS). Only one server of this type can be defined per domain.
Exchange server
    Server for synchronization with a Microsoft Exchange environment.
Lotus Notes gateway server
    Gateway server synchronizing Identity Manager with the Lotus Notes environment.
Profile server
    Profile servers are available to users for setting up profile directories.
Default report server
    Server on which reports are generated.
UNS generic server
    Server for generic UNS synchronization with a target system.

Selecting the Server with a Selection Script

If it is not possible to decide which server should be used, based on the server mask (e.g. if several
mail servers exist), you can use a server script to determine it in more detail. The standard script syn-
tax is described in Using Scripts on page 310.

To determine a server with a selection script you can use VB.Net statements that:

• return a string with the UID (!) of the Job server
• return a string with a WHERE clause for a database query. The selection has to supply a string
that starts with “WHERE” and contains a logical condition. The WHERE clause is applied to the
“Jobserver” table.
Example:
"where is10 = 1 and is01=0"

Alternatively, you can name in the selection script the queue that should process the process step. Ev-
ery Identity Manager Service has a queue identifier that is unique within the overall network. Identity
Manager Service requests process steps from the Job queue using exactly this queue name.

Syntax for direct queue input:

DIRECT:<Queue>

Example:

Value = "DIRECT:\Server01"


How to Handle Errors during Process Step Handling



If a specific condition is not fulfilled at a particular point in the process step, Identity Manager Service
can repeat the process step. By enabling the option <Wait mode on errors> the process step is exe-
cuted again depending on the data in the fields <Latency (min)> and <Retries>.

Label process steps that are only required for branching the process with the option
<Split processing>. An example could be a process step that checks for the existence of a directory. The
next process step to be processed is either the step on success or the step on error (without generating
an error message) depending on the return value.

Use the option <Ignore errors> to specify whether an error during process step handling should be ig-
nored. In this case the following process step is still carried out despite the previous step not being cor-
rectly processed.

If the process step is labeled with the option <Stop on error> and an error occurs while handling the
process step, the process step remains in the Job queue and is given the status “Frozen”. In this case,
no more process steps are collected by Identity Manager Service for processing and they remain in the
Job queue. You can reactivate the process steps with “Frozen” status in the program “Job Queue Info”.
Refer to Reactivating Process Steps on page 20 for details.

If the configuration parameter “Common\MailNotification\NotifyAboutWaitingJobs” is set, an additional
email is sent when processes are labeled with the status “Frozen” and a corresponding entry is made in
the Master SQL server event log. The prerequisites for using the notification system are an SMTP host
set up for sending mail and the activated configuration parameter for mail notification.

If the option <Log errors to journal> is set, error messages from process handling are recorded in the
system log. Error messages from process handling can be recorded in the process history. Read
Recording Messages in the Process History on page 84 and Identity Manager Service Logging on page 85
for more information.

Notification during Process Step Handling

You can send a message when a process step has succeeded or when it has failed. A prerequisite for
using the notification system is an SMTP host set up for mail delivery and the configuration parameters
for mail notification set. To configure process step notification, enable the options
<Notification (success)> and <Notification (error)> in the edit view. After this, two new tabs appear for
entering the message information.

Setting up Notifications for Process Step Handling

The following data is necessary for sending messages:

• Message recipient email address
• Message sender email address
• Reference
• The message itself


You need to enter all the input in VB.Net syntax. Standard script syntax is described in Using Scripts on
page 310. The syntax required for creating language dependent data is explained in Using #LD
Notation on page 318.

Messages are only sent during processing if all the data is entered for a case (failure, success)!

The process “VID_SendMail” (table “DialogDatabase”) is used to send email messages from process
handling. This process calls the database procedure “vid_InsertForSendMail”. To customize this
process, create a copy of the process and modify the copy.

The database procedure “vid_InsertForSendMail” provides the parameter “pcAdditionalMessage”
for sending error messages by email which have been logged by the Identity Manager Service.
To access this functionality, use the variable [AdditionalMessage] when you set up your failure
notification message.
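The four notification slots of a failure notification, filled in as an added example (this is not code from the guide or from Quest): each slot is a VB.Net expression that assigns Value, as the guide requires, and all four must be filled or no message is sent. The subject and body texts and the use of the column Lastname of the base object are assumptions; the configuration parameters, Variables("GENPROCID") and the [AdditionalMessage] placeholder are the ones the guide documents.

```vbnet
' Added example, not from the guide: the four input slots of a failure
' notification for a process step. Every slot must be filled, otherwise
' no message is sent.

' Recipient: the configured default address. GetConfigParm always needs
' the full configuration parameter path.
Value = Connection.GetConfigParm("Common\MailNotification\DefaultAddress")

' Sender: the configured default sender.
Value = Connection.GetConfigParm("Common\MailNotification\DefaultSender")

' Reference (subject): include the ID of the generated process so that the
' mail can be matched with the entry shown in Job Queue Info.
' (Subject text is an assumption.)
Value = "Process step failed, GenProcID " & Variables("GENPROCID")

' Message: [AdditionalMessage] is replaced with the error text logged by
' Identity Manager Service (parameter pcAdditionalMessage of
' vid_InsertForSendMail). Do not copy values of parameters you have marked
' Hidden into this text. Column Lastname of the base object is an assumption.
Value = "The process step for " & $Lastname$ & " failed." & vbCrLf & _
        "Error reported by Identity Manager Service:" & vbCrLf & _
        "[AdditionalMessage]"
```

If a notification is also configured for success, the same four slots are filled on the <Notification (success)> tab; there [AdditionalMessage] carries no error text, so leave it out of that message.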

When you configure mail notification you can use the configuration parameters under
“Common\MailNotification” (see the table under Notification During Process Handling above) and the
following target system specific default addresses.


Configuration Parameters for Mail Notification

CONFIGURATION PARAMETER / MEANING

TargetSystem\ADS\DefaultAddress
    Default mail address for messages about actions in Active Directory.
TargetSystem\ADS\Exchange2000\DefaultAddress
    Default mail address for messages about actions in Microsoft Exchange.
TargetSystem\LDAP\DefaultAddress
    Default mail address for messages about actions in LDAP.
TargetSystem\Notes\DefaultAddress
    Default mail address for messages about actions in Lotus Notes.
TargetSystem\SAPR3\DefaultAddress
    Default mail address for messages about actions in SAP R/3.
TargetSystem\EBS\DefaultAddress
    Default mail address for messages about actions in EBS.

Process Step Parameters


When you select a process task you specify which action will be executed by the process step. The pro-
cess task parameter templates are copied and passed on to the process step as parameters. This
means that you can pass different parameter values to each process step that uses this process task.
The original is not altered.

Compulsory parameters are immediately entered into the process step when the process task is se-
lected. Then, you need to enter any optional parameters individually. When a parameter is added, the
value template is copied from the parameter template. Templates for parameter values are mostly pre-
defined, for example, procedures that evaluate object UIDs and note them accordingly.

Editing Process Step Parameters

You edit process step parameters in the Process Editor. Open the process in the Process Editor and se-
lect the process step element in the process document. All the parameters required for the process step
are defined in the parameter edit view.

Assigning Parameters to a Process step

Meaning of the Icons

ICON MEANING

Compulsory process task parameter.

Optional process task parameter which is assigned to the process step.

Optional process task parameter which is not assigned to the process step.

Select the process step in the process document and make the parameter assignment in the edit view.
You can edit the parameters directly by clicking once. Use the button on the toolbar to open a dialog for
editing the data. Accept the changes with the <OK> button or discard the changes with <Cancel>. In
both cases the dialog is closed.

Configuring a Parameter

You can alter the following parameter properties:

• Parameter name
The name of a parameter should not be changed. Exceptions to the rule are the special process
component parameters “HandleObjectComponent” and “LDAPADSIComponent”. Furthermore,
the parameter extensions for the target system specific process components have to be re-
named. Refer to Additional Steps for Target System Extension Synchronization on page 396.
• Hidden
Use this option to specify whether the parameter should be shown in the Identity Manager
Service log file and in the program “Job Queue Info”. Values for hidden parameters are shown
as <HIDDEN>. Only “viadmin” system users have access permission to see these parameters
in Job Queue Info.
• Encrypted
Use this option to specify whether the parameter is encrypted before being passed. If the op-
tion is already set in the parameter template, the parameter should also be encrypted when it
is passed. Read Encrypting Database Information on page 77 about encryption.
• Value template
When a parameter is added, the value template is copied from the parameter template. Define
value templates in VB.Net syntax. The standard script syntax is described in Using Scripts on
page 310. You can reset the default values with the <Sample> button in the parameter edit
dialog.


Allocating Parameter Values

The syntax is described in detail in Using Scripts on page 310. The following statements can be used for
allocating values:

• Empty
• Object columns or columns of a related object
Syntax:
Value = $<column name>:<data type>$
Value = ${FK(<foreign key column>).}<column name>:<data type>$
Example:
Value = $Lastname$
Value = $PasswordNeverExpires:bool$
Value = $FK(Ident_Domain).Description$
• Parameter from the optional parameter collection
Syntax:
Value = $PC(<parameter name>)$
Example:
Value = $PC(SRCUID_Application)$
• OUT parameter
Parameters of type OUT and INOUT are parameters of a process component that can output a
value. This value is available to all following process steps and can be used to set IN parame-
ters.
When you use OUT parameters you need to make sure that they contain data at runtime. Oth-
erwise the literal text “&OUT(<parameter name>)&” is passed on when the text is processed,
i.e. the placeholder is not replaced.
Syntax:
Value = "&OUT(<parameter name>)&"
Example:
Value = "&OUT(FileSize)&"
• Global variables that are set by the setup program
Syntax:
Value = Variables("<variable name>")
Example:
Value = Variables("GENPROCID")
Value = Connection.Variables("FULLSYNC")
• Process or process step variables created locally by a pre-script
Syntax:
Value = values("Name")
Example:
Value = Values("FirstHomeServer")
• From configuration parameter requests:
The full path of the configuration parameter always has to be entered.
Syntax:
Value = Connection.GetConfigParm("<full path>")
Example:
Value = Connection.GetConfigParm("TargetSystem\ADS\RestoreMode")
• VB.Net
Enter any VB.Net statement.
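The following added example (not code from the guide or from Quest) puts the pieces from How to Use Local Process Variables and Global Variables, Selecting the Server with a Selection Script and the list above together for one process step: a pre-script that evaluates global state once, a generating condition and a server selection script that only read the local variables, and the value templates of the step's parameters. Assumed for illustration: the configuration parameters under "Custom\Profiles\...", the parameter names TargetDir, ExpectedSize and ArchivePassword, the local variable names, and a base object that has the column Lastname and the foreign key Ident_Domain used in the guide's own examples. The WHERE clause reuses the guide's example literally; its column names must match your Jobserver table.

```vbnet
' Added example, not from the guide: the script slots of one process step that
' archives a profile directory. Only syntax the guide documents is used:
' values(), Connection.Variables(), Connection.GetConfigParm(), $column$,
' $PC()$, &OUT()& and DIRECT:. Names marked "assumed" do not exist in the guide.

' ---- Pre-script for generating (runs before the generating condition) ----
' Evaluate global state exactly once and keep the results in local process
' variables; every later slot only reads them.
Dim isFullSync As Boolean = CBool(Connection.Variables("FULLSYNC"))
values("IsFullSync") = isFullSync
' Assumed custom configuration parameters; the full path is mandatory.
values("ArchiveQueue") = Connection.GetConfigParm("Custom\Profiles\ArchiveQueue")
values("ArchiveRoot") = Connection.GetConfigParm("Custom\Profiles\ArchiveRoot")

' ---- Generating condition ----
' Do not archive during a full synchronization. The decision was already
' made in the pre-script; no further data access is needed here.
Value = Not CBool(values("IsFullSync"))

' ---- Server selection script ----
' The selection must end in exactly one server. Prefer direct queue input
' from the (assumed) configuration parameter; if none is configured, fall
' back to a WHERE clause on the Jobserver table (the guide's example clause;
' the column names must match your Jobserver table).
If CStr(values("ArchiveQueue")) <> "" Then
    Value = "DIRECT:" & CStr(values("ArchiveQueue"))
Else
    Value = "where is10 = 1 and is01=0"
End If

' ---- Parameter value templates (one template per parameter) ----
' SourceDir (IN): taken from the parameter collection the event was raised with.
Value = $PC(SourceDir)$

' TargetDir (IN, assumed name): local variable from the pre-script plus
' columns of the base object and of the related domain object.
Value = CStr(values("ArchiveRoot")) & "\" & $FK(Ident_Domain).Description$ & "\" & $Lastname$

' ExpectedSize (IN, assumed name): filled from the OUT parameter FileSize of
' a previous step. If that step set no value, the literal text
' "&OUT(FileSize)&" is passed unchanged, so the receiving component must
' treat a non-numeric value as "unknown" instead of failing on it.
Value = "&OUT(FileSize)&"

' ArchivePassword (IN, assumed name): read the secret from a configuration
' parameter instead of writing it into the template, and set the parameter
' options Hidden and Encrypted in the Process Editor so that the value is
' shown as <HIDDEN> in the service log and in Job Queue Info and is
' encrypted before it is passed.
Value = Connection.GetConfigParm("Custom\Profiles\ArchivePassword")
```

Each commented section above is the content of one script slot in the process step edit view; they are shown together here only to make the data flow visible. Run the simulation (Simulating Process Generation below) to check that the generating condition and the server selection resolve to the expected result before compiling.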


Importing Process Steps


You can use the import function to search for process steps inside the database and import them. Open
the edit view in the Process Editor with the menu item <Process step>\<Import> and specify the
search criteria.

Searching and Importing Process Steps

Meaning of the Toolbar Items

ICON MEANING

Searches for a process step.

Copies a process step.

Specify the search options.

Enter a search string and use the search options to specify which objects should be searched for. The
given objects are searched for internally by a WHERE clause. If several objects are found they are ap-
pended, internally, with a ’Join’ condition.

Transparent Objects and Properties

SEARCH IN OBJECTS / PROPERTIES TO BE SEARCHED

Process
    Name
Process step
    Name, description, generating condition, server selection script
Parameter
    Name, value
Process component
    Component class, component assembly
Process task
    Name
Parameter template
    Name, value template

Start the search process using the appropriate toolbar icon. The process steps that are found are dis-
played in the result list. Select the process steps you want from the list and import them into the pro-
cess document with the appropriate icon in the toolbar or by double clicking in the process document.
Finally, link the process step into the process.

Searching for a Process Step within a Process


Use <Ctrl + F> to open the search dialog to find an entry within a process. Start the search with the
<Search> button. To continue searching, select <F3>. Use <Cancel> to end the search and close the
dialog window.

The string is searched for in the processes and process steps.

Objects and Properties to be Searched

SEARCH IN OBJECTS PROPERTIES TO BE SEARCHED

Process Name

Process step Name, description, generating condition, server selection script

Multiple Process Step Editing


It is possible to edit more than one process step in a process at the same time in the Process Editor.
Select the process steps you want in the process document using <Ctrl + select>. Input fields with
different values are highlighted with an icon in the process step edit view. The value in an input field is
copied to all selected process steps when the changes are saved.

Process Step Multi-editing

Copying a Process Step


Copy the process step into the clipboard with the context menu item <Copy> or <Ctrl + C>. Use the
context menu item <Paste> or <Ctrl + V> to insert it into a process from the clipboard. The process
step is given a new UID and all its parameters are copied. Then link the process step into the process.
To copy several process steps, mark them with <Ctrl> and select.

Copying a Process
You can create a copy of a process with a new name. Start the copy wizard from the menu item <Pro-
cess>\<Copy...> in the Process Editor. Use the <Next> button to move onto the next stage, and the
<Back> button to return to the previous step. The <Cancel> button discards any changes and closes
the wizard.

The wizard start-up screen displays the name of the process to be copied. The next step is to name the
new process and set the copy options. The following options are available:

• Rename process steps
If you set this option you can rename each of the process steps individually in the wizard.
• Copy events
Enable this option if you want the events that are assigned to this process to be copied as well.
• Disable source process
This option specifies whether the source process should be disabled after copying. If you set
this option the source process is set to “do not generate”.
• Disable copied process
Use this option to specify whether the copied process should be disabled after copying. If you
enable this option the copy is set to “do not generate”.

Specifying the Copy Options

If you have set the copy option <Rename process steps> you can rename each process step in the
next dialog. You change a name by clicking on the new process step name.

Renaming Process Steps

The next dialog window displays all the actions that are going to be executed by the copying process.
Select the <Start> button to start the copy process. During the process the action that is currently be-
ing executed is displayed in a status bar.


Comparing Processes
In order to determine the differences between two processes, open the dialog window for comparing
processes with the menu item <Process>\<Compare process...> in the Process Editor. Select the two
processes, <Process A> and <Process B>, to be compared. Use the button next to the selection lists to
start the comparison. Differences between the processes are highlighted in the output text.

Comparing Processes

Exporting and Importing Processes


Exporting and importing processes is implemented through XML files. In order to export a process to an
XML file, open the process in the Process Editor and start the export from the menu item <Pro-
cess>\<Export>.

To start an import from an XML file in the database, select the menu item <Process>\<Import> or se-
lect the category <Process Orchestration> and the task <Import processes>.

Simulating Process Generation


You can use the simulation of process generation to test whether the selected process can be generated
successfully and whether the syntax for passing the parameters is correct. Processes can thus be
corrected without much effort if required.

To test generating a process, load the process in the Process Editor and start the simulation from the
menu item <Process>\<View>\<Simulation view> or from the entry <Start new simulation> in the
Editor’s toolbar. This starts a wizard. The wizard takes you through each step in the simulation process.
Use <Next> to move onto the next step and <Back> to return to the previous step. The <Cancel> but-
ton discards all changes and closes the wizard.


Select the event for which you want to generate a process.

Selecting Events

Meaning of Icons Used for Simulated Events

ICON MEANING

Default event.

Custom event.

Specify for which object the event should be simulated in the next step.

Selecting the Object


If necessary, the object properties can still be changed.

Customizing the Object Properties

Processes that are generated with a parameter collection require the parameters and the values to be
passed to be defined (for example “SourceDir” when copying profiles). No parameter collection is used
for processes generated for the default events (insert, update, delete).

Example for Adding Parameters to a Parameter Collection


Specify which preprocessor conditions should be taken into account when a process is being generated.

Specifying Preprocessor Conditions

In the next step, start the generation simulation with the <Finished> button. The simulation process
can take some time. The assemblies generated are saved locally on the workstation on which the
simulation is executed. A simulation does not, therefore, have any effect on other users.

When a process is being simulated the <Do not generate> option is taken into account. After the
simulation is complete the generated processes are shown in the process document.

Process Simulation Data


The process steps are shown in color depending on the generation result.

Simulation Color Code

COLOR   MEANING

gray    Process step not generated.

blue    Process step successfully generated.

Double-click on a successfully generated process step to show the properties and parameters with
concrete values in the edit window.

Process Step Simulation Data

After the simulation is complete you can look at the process generator log.

Process Generator Log

You can swap between the edit view and the simulation view using the menu <Process>\<View> in
order to make any further changes. Every simulation process is entered into the simulation item on the
toolbar so that you can repeat the simulation without having to set it up again.

Toolbar item for Repeating a Simulation


Process Validity Check

Before you compile a process you should run a validity check on the processes and process steps. Load
the process in the Process Editor and start the validity check from the menu item <Process>\<Error
checking>.

The result of the validity check is shown in the <Validity check> view and is retained until a new validity
check is run. If you double-click on an error message, you jump to the corresponding entry in the
process document which you can edit.

Validity Check View

Symbols used in the Validity Check

ICON MEANING

No error found.

Error

Warning, information

Possible Reasons for Process Failure

ERROR CATEGORY   POSSIBLE CAUSE

Error            The process does not have a name.
                 No base object given.
                 The given generating condition does not correspond to the required notation
                 (value =).

Warning          The process does not have a base process step.
                 The process has no event.

Information      Option <Do not generate> is set.


Possible Reasons for Process Step Failure

ERROR CATEGORY   POSSIBLE CAUSE

Error            The process step does not have a name.
                 No process task assigned.
                 The given generating condition does not correspond to the required notation
                 (value =).
                 No execution server specified (server selection script or server mask).
                 Process step name not unique.
                 Process step has no parameters.
                 The given parameter value does not correspond to the required notation
                 (value =).

Warning          Process step not linked into the process.

Compiling a Process

Once you have created, imported or made changes to a process, you need to compile it. The process
cannot be generated until it has been compiled.

Compiling is done per base object, that is, all processes that belong to a base object are translated
together. The assemblies generated are saved locally on the executing workstation. During translation,
the source is checked for errors. Therefore, this process can take some time.

There are two methods for compiling a process in the Process Editor:

• Local compilation
Use this method to compile a process for testing.
• Compilation with transfer of the assemblies to the main database
Once the process has been test compiled, use this method to add the generated assemblies to the
main database after compiling the process. As soon as the changes have been integrated, the
altered processes are immediately available in the system. Start the compilation with the menu
item <Process>\<Compile and save in the DB>.

Load the process in the Process Editor and start the compiler process. Start local compiling from the
menu item <Process>\<Compile>. To start compiling with assembly transfer to the main database, use
the menu item <Process>\<Compile and save in the DB>.

Error messages are displayed in the <Compiler error> window. If you double-click on an error
message, you jump to the corresponding entry in the process document which you can then edit.

Compiler Error View

If errors occur during compilation, the source code is displayed. This view is only for viewing the source
code; it cannot be edited here. When you double-click on a message in the window <Compiler error>,
you jump to the corresponding row in the source code view.


If several users are editing a base object of a process at the same time, it is possible that error
messages are sent to other users. However, these cannot be corrected by those users.

Executing Processes Automatically

Process plans are set up to execute processes cyclically, for example, to put into effect regular
synchronization with a target system environment. Process plans are connected to schedules and can
therefore be executed at regular intervals.

The following steps are necessary to execute processes automatically:

• Creating a process plan
A process plan includes the basic configuration for automatically executing a process.
• Setting up and configuring a schedule
A schedule includes the configuration of execution times for executing processes regularly.
There are already schedules defined in the default Identity Manager installation. These have to
be configured to suit customer requirements. For more information see Setting Up and
Configuring Schedules on page 254 in the Configuration Guide.

Working with the Process Plan Editor

A separate editor is provided for creating process plans. The editor is started from the program
“Designer” in the category <Process Orchestration>\<Process automation>. The general handling of the
Designer is described in the chapter “Working with the Designer” on page 29. At this point, we shall only
go into the additional functionality of this editor.

Designer Interface with the Editor


Menu Bar and Toolbar Extensions

The following items are added to the menu bar once the editor has started.

Meaning of Menu Bar Items

MENU           MENU ITEM               MEANING

Process plan   New                     Creates a new process plan.

               Delete                  Deletes the selected process plan after confirmation.

               Start process plan now  The selected process plan is executed immediately. Sets up a
                                       process to execute the process plan in the Identity Manager
                                       database.

               Show captions           Toggles the list view between the technical identifiers and
                                       captions in the user’s login language.

               Refresh                 Updates the list view.

View           Properties              Shows/hides the edit view.

Help           Help for Process        Opens the editor help.
               automation

The editor has its own toolbar that you can show or hide by using the context menu. The icons are
disabled or enabled depending on which view is selected.

Toolbar

Meaning of Toolbar Items

ICON MEANING

Updates the list view.

Creates a new schedule task.

Deletes the process plan.

Toggles between technical identifiers or captions in the user’s login language.

Executes the process plan.

Editor Views

The editor has several views for displaying and editing schedules:

• View with list of all the process plans
• Edit view


Functions in the List View

The editor list view displays all the process plans, the time they were last executed and the next
planned execution time. Use the context menu <Select columns...> to open the dialog window for
column configuration. Specify which properties should be shown additionally in the list and the order
they should be shown in. You can also specify the width of the columns and the text alignment.

Editor’s List View

Meaning of the List View Icons

ICON MEANING

The process plan schedule is not enabled.

The process plan was executed according to plan.

The process plan was not executed. This state can occur if the task could not be executed
to plan or if the schedule was reenabled and the time had not been reached for the initial
run.

Entries in Context Menu

CONTEXT MENU ITEMS    MEANING

Add process plan      Adds a new schedule.

Delete process plan   Deletes the selected schedule.

Edit process plan     Edits the selected schedule.

Edit process          Opens the editor for the process which is executed by the process plan.

Execute               The selected process plan is executed immediately. A process for executing
                      it is queued in the Identity Manager database.

Select columns...     A dialog window is opened for selecting the columns displayed in the list.

Navigation            Other editors that you can apply to the selected item are shown.


Functions in the Edit View

You can edit the properties for a process plan in the edit view. There is a default context menu available
for the input fields.

Edit View

Creating a Process Plan

A process plan covers the basic configuration for automatic execution of a process. Create and edit
process plans in the Designer in the category <Process Orchestration>\<Process automation>. To set up
a new process plan start the editor with the <Edit process plan> task.

Edit Process Plan


Enter the following data for a process plan:

• Name
Process plan name. Use the button next to the input field to enter a translation for multilingual
usage.
• Base object (table)
Select the base object (table name) to which the process plan is going to be applied.
• Event
Select the event which is going to be executed. All base object events are listed for new process
plans. You can find more information about this in Events for Process Generation, page 50 ff.
• Activation schedule
Select the schedule that contains the execution time for the process plan. Use the <Add> but-
ton next to the menu to create a new schedule.
For more information see Setting Up and Configuring Schedules on page 254 in the
Configuration Guide.
• Max. execution time (hours)
Enter the number of hours after which the process plan should automatically quit.
• Description
Enter a detailed description of the process plan.
• Condition
Here you have the option to specify the base object query further. The input must satisfy the
“Where clause” syntax for database queries.
• Parameter
List of parameters that are set when the process is generated from this process plan.

Example:

Cyclical synchronization of an Active Directory environment with the Identity Manager database is
started by the process plan “Active Directory Synchronization (configuration: Load AD target system)”,
but only for domains that are Active Directory domains. The synchronization configuration “Load AD
target system” is to be applied. The plan is set up as follows:

Name          Active Directory Synchronization (configuration: Load AD target system)

Base object   Domain

Event         FULLSYNC_ADS

Condition     Ident_Domaintype = 'ADS'

Parameter     ConfigName = Load AD target system

You can execute the process plan immediately from the context menu item <Execute> or the menu
item <Process plan>\<Start process plan now>. The process is queued in the Identity Manager
database. You can see which process is triggered from the context menu item <Edit process>.

Process Components

Process components and their process tasks form a framework that all process steps can be based on.
The tables “Jobcomponent”, “JobTask” and “Jobparameter” define the complete range of
Identity Manager’s own process components and process tasks with the associated parameters. The
information available for the process components is added through migration and cannot be edited.


You can get a complete overview of the process components and their process functions and parameters
in the report <Process components> in the category <Documentation>\<System configuration Reports>.

The following table contains short descriptions of the process components.

Short Descriptions of Process Components

COMPONENT                 DESCRIPTION

ADSComponent              This process component runs the comparison between the
                          Active Directory target system and the database.

CommandComponent          This process component runs any command.

DelayComponent            This process component controls the start time of the
                          following process steps.

Ex2010Component           This process component runs the comparison between
                          Microsoft Exchange 2010 and the database.

Ex2K7Component            This process component runs the comparison between
                          Microsoft Exchange 2007 and the database.

Ex2KComponent             This process component runs the comparison between
                          Microsoft Exchange 2003 and the database.

FileComponent             This process component creates, deletes, copies and modifies
                          files and directories and also their access permissions. The
                          program “RSync” is required as a prerequisite for using the
                          process component under Linux (download from:
                          http://www.itefix.no/i2/index.php or
                          http://sourceforge.net/project/showfiles.php?group_id=69227&package_id=68081).
                          The program “XCacls” is required as a prerequisite for setting
                          permissions. You can find this in your server installation
                          resource kit.

FtpComponent              This process component can transfer files by FTP.

HandleObjectComponent     This process component runs default and custom events for
                          database objects. Each assigned default process is generated
                          as in the front-ends (i.e. Manager). The component also
                          makes it possible to initiate so called CustomEvents for
                          triggering object related generation of a special process.

JobService                This process component maps the Job service built-in tasks.

LDAPADSIComponent         This process component runs the comparison between an
                          LDAP store and the database.

LogComponent              This process component is used to log messages, for
                          example, in the result log.

MailComponent             This process component can send emails.

NotesComponent            This process component runs the comparison between Lotus
                          Notes and the database.

ObjectTransferComponent   This process component is used to transfer object changes
                          between databases.

ORAF12Component           This process component runs the comparison between Oracle
                          E-Business Suite and the database.

PowerShellComponent       This process component is used to start Windows PowerShell.
                          Version 2.0 of Windows PowerShell must be installed.

QCAComponent              This process component runs the comparison between
                          Quick Connect and the database.

ReportComponent           This process component can create reports and export them
                          in various file formats (e.g. report.pdf).

SAPComponent              This process component runs the comparison between
                          SAP R⁄3 and the database.

ScriptComponent           This process component runs scripts from the assemblies.

SPSComponent              This component runs the comparison between SharePoint
                          and the database.

SQLComponent              This process component runs SQL queries and can be used to
                          determine the number of data records and the existence of
                          data records.

SubversionComponent       This process component runs Subversion operations. The
                          program “SharpSVN”, version 1.5, is required as a prerequisite
                          for using the process component (download from:
                          http://sharpsvn.open.collab.net/servlets/ProjectProcess?pageID=3794).

WakeOnLanComponent        This process component sends a wake-on-LAN packet to a
                          defined IP address or a specific IP range.

ZipComponent              This process component creates or unpacks ZIP files.


All process components with their process tasks and parameters are displayed in the category <Process
Orchestration>\<Process components> in Designer.

Displaying Process Components

The following properties are displayed for a process component:

• Assembly name
• Component class
• Description of component functionality
• Max. instances
This value defines the maximum number of instances of this process component that can run on a
Job server.
The value is only used if the maximum number of instances of a process function is set to “0”.
Otherwise, the value set for the process function applies.

Meaning of Value

VALUE         MEANING

-1            All instances of this process component are handled in sequence.

0             All instances of this process component can be handled simultaneously.

1 or larger   Exact number of instances of a process task to be handled simultaneously.

• Current version of the process component


• System component
Use this property to specify if the process component belongs to the system data model or the
application data model.
• Defined by Quest
This input is provided by us and cannot be changed. Process component definitions are over-
written by migration and cannot be edited apart from a few special properties. This property is
not set for custom process components.
• Edit status
The edit status is used for creating custom configuration packages.

Process tasks are used to carry out single basic jobs at system level, for example, adding directories.
One or more process tasks and their parameters are grouped into process components. The following
properties are displayed for a process task:

• Process task name
• Process component affiliation
• Process task description
• Max. instances
This value specifies the maximum number of instances that can be run by Identity Manager
Service in parallel per process task.

Meaning of Value

VALUE         MEANING

-1            All instances of this process component are handled in sequence.

0             All instances of this process component can be handled simultaneously.

1 or larger   Exact number of instances of a process task to be handled simultaneously.

• Execution type
The execution type specifies whether the process component for the process task should be
executed by Identity Manager Service itself (internal) or in its own process (external).
• Last step in the partial process tree
This input specifies whether a process task generally marks the end of a partial process tree.
• Operating system class
This input specifies the operating system that the process task can be run on. Permitted values
are “Win32”, “Linux” and “ALL”, where the value “ALL” specifies that this process function can
be run on any operating system.
• Edit status
The edit status is used for creating custom configuration packages.

When a process is created, the parameter templates for the process task are copied and entered in the
process step. This means you can give different parameter values to every process step that this pro-
cess task uses. The original is not changed. The following properties are shown for a parameter:

• Parameter name
• Process function affiliation
• Parameter description
• Parameter type
Permitted values are IN, OUT and INOUT.


Parameters of type OUT and INOUT are parameters in a process component that can output a
value. This value is available to all following process steps and can be used to set IN parame-
ters.
• Label parameter as mandatory or optional parameter
• Value template
When a parameter is added to a process step, the value template is taken from the parameter
template. Define the value template in VB.Net syntax. The general script syntax is described
in Using Scripts on page 310.
• Hidden
This option specifies whether the parameter is shown in the Identity Manager Service log file
and in the program “Job Queue Info”. Values for hidden parameters are shown as <HIDDEN>.
Only the system user “viadmin” has access permission to see this parameter in Job Queue Info.
• Encrypted
This option specifies whether the parameter is encrypted when it is passed.

4
Process Debugging
• Introduction
• Recording Messages in the Process History
• Recording Message in System Journal
• Identity Manager Service Logging
• Process Generation Logging
• Database Query Logging
• Object Action Logging
• Logging DBScheduler Tasks

Introduction

Identity Manager offers several possibilities for narrowing down errors during the processing of process
steps. These include:

• Recording messages in the process history
• Recording messages in the system journal
• Outputting messages in the Identity Manager Service log file
• Outputting messages to the event log
• Logging process generation
• Logging database queries
• Logging object actions

The program “Job Queue Info” supports monitoring the current state of services running on an
Identity Manager network. It provides a detailed and clear overview of the tasks in the Jobqueue and
of the different Identity Manager Service queries to the servers. This program makes it easier to work
with processes, supplies status information during run-time and allows errors to be quickly recognized
and debugged. You will find a description of the program in the manual “Job Queue Info”. You can find a
description of the program under Working With Job Queue Info on page 11.

Recording Messages in the Process History


Configuration Parameter for Recording Messages in the Process History

CONFIGURATION PARAMETER          EFFECT WHEN SET

Common\ProcessState\JobHistory   Records entries in the table “JobHistory“

Messages about process steps that have been processed are controlled using the configuration
parameter “Common\ProcessState\JobHistory”.

If the configuration parameter is set, the process steps that have been processed are recorded in the
table “JobHistory”. The value of the configuration parameter specifies the range of messages to be
recorded.

Permitted Values for the Configuration Parameter “Common\ProcessState\JobHistory“

VALUE   MEANING

NO      No messages are recorded in the process history.

ALL     All process steps that are processed are recorded in the process history.

ERROR   Only failed process steps are recorded in the process history.

The process history can be analyzed with the help of the “Job Queue Info” program.

Data records in the process history are exported from the Identity Manager database at regular inter-
vals. There are several methods available to do this. You can read more in Archiving Procedure
Setup on page 294.


Recording Messages in the System Journal

Configuration Parameters for Recording to the System Journal

CONFIGURATION PARAMETER     MEANING

Common\Journal              General parameter for configuring the system journal.

Common\Journal\LifeTime     This configuration parameter specifies the maximum storage
                            period (in days) for an entry in the system journal in the
                            database. Entries older than this are deleted.

Common\Journal\LoginAudit   Logs successful Identity Manager logins.

The system journal is used to store information, warning and error messages from different
components of Identity Manager, for example, DBScheduler, Database Transporter or Identity Manager
Service. Actions in the program “Job Queue Info”, such as reactivating process steps, are also written
to the system journal.

Process steps have to be labeled with the option <Log error to journal> in order to record errors in
process handling to the system journal. For more information read How to Handle Errors during Process
Step Handling on page 55.

The system journal is shown in the error log view of the program “Identity Manager”. Read more in
Displaying the Error and System Logs on page 175. System messages that are recorded during
processing by the DBScheduler can also be viewed in the administration tools (see DBScheduler
Computational Tasks Data on page 58).

The entries in the system journal are deleted regularly from the Identity Manager database. All entries
that are older than the maximum storage period (configuration parameter “Common\Journal\LifeTime”)
are deleted. To do this use the scheduled task “Delete journal”, which you configure and start with the
Schedule Editor.

Identity Manager Service Logging

Success and error messages from process handling are written to the Identity Manager Service log file.
Messages can also be written to a server’s event log. A severity level can be configured for output to
this log file.

Configuring the Identity Manager Service Log File

There is a more detailed description of the Identity Manager Service configuration using the
Job Service Configuration program in Identity Manager Service Configuration Files on page 55. At this
point we shall only go into the settings relevant for debugging.

In order to create the Identity Manager Service log file, the module “FileLogwriter” needs to be
customized in the Identity Manager Service configuration file. All the parameters and settings are
described in The Log Writer Module on page 70.

The name of the log file is given using this program (parameter “OutputFile”). You need to ensure that
the given directory for the file exists. If the file cannot be created, no error message can be written to
it. In this case the error messages appear in the event log under Windows or in /var/log/messages
under Linux.


Furthermore, the content of the log file is specified using this module. Only warnings and fatal errors
are logged by default. By setting the type of messages (parameter “LogSeverity”), however, you can
extend the range of messages that are logged.

Message Types

SEVERITY LEVEL DESCRIPTION

Info All messages are written to the log file. The log file quickly becomes large and
cumbersome.

Warning Only warnings and fatal errors appear in the log file (default).

Serious Only fatal errors are written to the log file (exceptions).

The parameter “LogLifeTime” specifies the maximum age of a log file. If the log file has reached the
maximum age, the file is renamed (e.g. “JobService.log_20040819-083554”) and a new log file is cre-
ated.

Displaying the Log File

The log file may be displayed over a browser front-end. The prerequisite is the configuration of the
HTTPStatusPlugin. This plugin adds several services to the Identity Manager Service HTTP server. Read
HTTPStatusPlugin on page 74 in the Getting Started Guide on configuring the plugin.

The log file is called up from the appropriate URL:

http://<servername>:1880/log

Identity Manager Service Log File

The messages to be displayed on the web page can be filtered interactively. There is a selection list at
the top edge of the page for this. Of course, only text contained in the log file can be displayed in this
case. If, for example, the message type is set to “Warning”, no “Info” messages can be shown even if
the appropriate filter is chosen.


The log output is color coded to make it easier to identify.

Log File Color Code

COLOR MEANING

Green Processing successful.

Yellow Warnings occurred during processing.

Red Fatal errors occurred during processing.

If you want to retain the color information to send by mail, you need to save the complete web page.

Besides the log file, the HTTPStatusPlugin provides other services for Identity Manager Service.

HTTPStatusPlugin Available Services

CALLING SYNTAX                       DESCRIPTION

http://servername:1880/Assemblies    Displays the loaded assemblies with version.

http://servername:1880/Cache         Displays cache information.

http://servername:1880/Comp          Displays executed process components with version.

http://servername:1880/Log           Displays the log file.

http://servername:1880/Statistics    Displays the system information.

http://servername:1880/Status        Displays status information and the Identity Manager Service
                                     configuration.

http://servername:1880/PerfCounter   List of currently available performance counters.

The URL reservation (URL ACL) for the port used by the HTTP server and the user account of the
service can be set up with the following command line call:

Windows Server 2003:

httpcfg set urlacl /u http://*:<Port>/ -a D:(A;;GX;;;<user SID>)

Windows Server 2008/Windows Server 2008 (R2)/Windows Server 2012:

netsh http add urlacl url=http://*:<Port number>/ user=<domain>\<user name>

The result can also be verified using the following command line call:

Windows Server 2003:

httpcfg query urlacl

Windows Server 2008/Windows Server 2008 (R2)/Windows Server 2012:

netsh http show urlacl
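The reservation can also be checked from PowerShell rather than by reading the netsh output by eye. The script below is an added example and is not part of the Quest guide: it parses the text that "netsh http show urlacl" prints on Windows Server 2008 and later (the Reserved URL / User / Listen / Delegate / SDDL layout), looks up the reservation for the HTTP server's port, and reports whether it is missing, granted to a broad principal such as Everyone, granted to some other account, or correctly limited to the service account. The port 1880 is the default used in this guide; the account name CONTOSO\svc-jobservice and the sample netsh output embedded at the end are constructed for the demonstration and must be replaced with your own values.

```powershell
# Added example, not from the Quest guide: check the HTTP.sys URL reservation
# used by the Identity Manager Service HTTP server from PowerShell.
# Assumptions: port 1880 (the default in the guide); the account name
# CONTOSO\svc-jobservice and the sample netsh output below are constructed.

function Get-UrlAclReservation {
    # Parses the text output of "netsh http show urlacl" (Windows Server 2008
    # and later) into one object per reserved URL with its users and SDDL.
    param([string[]]$NetshOutput = (netsh http show urlacl))

    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }                      # emit the previous entry
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @(); Sddl = $null }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
        elseif ($current -and $line -match '^\s*SDDL:\s*(\S+)') {
            $current.Sddl = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Test-JobServiceUrlAcl {
    # Reports Missing / TooBroad / WrongUser / Ok for the reservation on $Port.
    param(
        [int]$Port = 1880,
        [string]$ServiceAccount = 'CONTOSO\svc-jobservice',   # constructed sample
        [string[]]$NetshOutput = (netsh http show urlacl)
    )
    # The guide uses the "*" wildcard host; netsh also accepts "+".
    $wanted = @("http://*:$Port/", "http://+:$Port/")
    $res = Get-UrlAclReservation -NetshOutput $NetshOutput |
           Where-Object { $wanted -contains $_.Url }

    if (-not $res) {
        return [pscustomobject]@{ Port = $Port; Status = 'Missing'
            Detail = "no reservation; add one with: netsh http add urlacl url=http://*:$Port/ user=$ServiceAccount" }
    }
    # A reservation for a broad principal lets any local process bind the port.
    $broad = @($res.Users | Where-Object { $_ -match 'Everyone|Authenticated Users|BUILTIN\\Users' })
    if ($broad.Count -gt 0) {
        return [pscustomobject]@{ Port = $Port; Status = 'TooBroad'; Detail = "reserved for $($broad -join ', ')" }
    }
    if ($res.Users -notcontains $ServiceAccount) {
        return [pscustomobject]@{ Port = $Port; Status = 'WrongUser'
            Detail = "reserved for $($res.Users -join ', '), not $ServiceAccount" }
    }
    return [pscustomobject]@{ Port = $Port; Status = 'Ok'; Detail = "reserved for $ServiceAccount (SDDL $($res.Sddl))" }
}

# Constructed sample output so the check can be tried offline.
$sampleNetsh = @'
URL Reservations:
-----------------

    Reserved URL            : http://*:1880/
        User: CONTOSO\svc-jobservice
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111-2222-3333-1105)

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)
'@ -split "`r?`n"

Test-JobServiceUrlAcl -NetshOutput $sampleNetsh            # Status: Ok
Test-JobServiceUrlAcl -Port 80 -NetshOutput $sampleNetsh   # Status: Missing (only a sub-path of port 80 is reserved)
# Against the live machine, omit -NetshOutput:  Test-JobServiceUrlAcl -ServiceAccount 'DOMAIN\svc-name'
```

The reason to check the principal and not only the existence of the reservation is that HTTP.sys decides who may listen on a URL from this ACL. Reserving the port for Everyone or Authenticated Users makes the add command succeed just as well, but then any process on the server can register the same URL and serve its own pages under the Identity Manager Service status address; a reservation for the service account alone is the least-privilege form.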

Identity Manager Service Extended Debugging

There are two parameters available in the Identity Manager Service configuration module that you can
use to extend debugging functionality:

• DebugMode
• ComponentDebugMode

Identity Manager Service writes more detailed data into the log file if the parameter “DebugMode” is
set, e.g. all parameters that are passed to a component as well as the processing results together with
OUT parameters.

Individual Identity Manager Service process components can output additional process data to the
Identity Manager Service log file. To do this you set the parameter “ComponentDebugMode” in the
configuration module. You should only use “ComponentDebugMode” for locating errors, because the
effect on performance means that it is not recommended for normal use.

If a synchronizer is working in “ComponentDebugMode” it sends a “commit” to the target system after
every third property. This behavior is used during synchronization to locate syntax errors in any object
property.

This behavior can, however, cause further errors in the case of certain objects. For example, when a
local group is added to an Active Directory system, only the name, the DistinguishedName and the
option “IsGlobal” are set after the third property. The option “IsLocal” is not set until the next three
properties are passed, but by then the object can no longer be edited because an Active Directory group
cannot be redefined. This means that the group is neither global nor local when the first “commit” is
made, which causes it to be rejected by the Active Directory system. This results in an error when a
local group is added to an Active Directory synchronization server, and the group is deleted from the
database.

Synchronizer tasks are written to a separate log file. Specify the storage location of the log file in the
<tracebehaviour> section of the StdioProcessor.exe/StdioProcessor32.exe configuration files.

Excerpt from the configuration file:

<tracebehaviour>
<add key="file" value="NSProviderTrace.log" />
</tracebehaviour>

If a value is given in the configuration file, the log file name is formatted as follows:

<value from config file>.<date>

If no value is given, the log file name is formatted as follows:

NSProviderTrace.Log.<date>

If debug mode is enabled for this component, external processes are also logged with
StdioProcessor.exe/StdioProcessor32.exe (StdioProcessor_<ProcessID>.log). You will find this log file in
the Identity Manager Service log directory. The log files are kept for a maximum of 10 days.


Output of Extended Return Values from Individual Process Components

Configuration Parameter for Outputting Extended Return Values

CONFIGURATION PARAMETER            EFFECT WHEN ACTIVE

Common\Jobservice\DoReturnOutput   The entire output of the parameter is written to the
                                   Identity Manager Service log file when an error occurs in
                                   the case of process functions that supply an extended
                                   return value.

Individual process components have process functions with parameters that supply extended return
values. The entire output of the parameter is written to the Identity Manager Service log file when an
error occurs.

The configuration parameter “Common\Jobservice\DoReturnOutput” controls the behavior of this error
logging. For example, when a command or program is executed using the process component
“CommandComponent”, the output text of the command or program can be returned.

Outputting Custom Messages in the Identity Manager


Service Log File
You can use the script engine methods “RaiseMessage” and “AppData.Instance.RaiseMessage” from
within process steps to write output messages to the Identity Manager Service log file. Use the process
component “ScriptComponent” to run the script.

Messages are marked in color in the log file depending on the message type (MsgSeverity).

Example Output of Messages to an Identity Manager Service Log File

RaiseMessage:

The output is consolidated with other messages and logged at the end of processing the process step.

Syntax:

RaiseMessage (MsgSeverity, "string")

Example:

RaiseMessage (MsgSeverity.Warning, "Example warning message")
RaiseMessage (MsgSeverity.Info, "Example Info message")
RaiseMessage (MsgSeverity.Serious, "Example error message")

AppData.Instance.RaiseMessage:

This output is written immediately during processing, without waiting for the end of the process
step.


Syntax:

AppData.Instance.RaiseMessage (MsgSeverity, "string")

Example:

AppData.Instance.RaiseMessage (MsgSeverity.Warning, "Example warning message")
AppData.Instance.RaiseMessage (MsgSeverity.Info, "Example Info message")
AppData.Instance.RaiseMessage (MsgSeverity.Serious, "Example error marked message")

You can find further scripting examples for outputting to the Identity Manager Service log file in the
SDK.

The VB.Net functions “Msgbox” and “Inputbox” are not permitted on servers. Use the functions
“VID_Write2Log”, “RaiseMessage” or “AppData.Instance.RaiseMessage”.

Displaying Messages in the Results View


Compiling an Identity Manager Database on page 337 describes in more detail how to configure
Identity Manager Service with the program Job Service Configuration. At this point we shall only dis-
cuss the settings relevant for error capture.

To record Identity Manager Service messages in the server’s results view, the module
“EventLogLogWriter” has to be modified in the Identity Manager Service configuration file. All the
parameters and settings are described in EventLogLogWriter on page 70. Recording is done in the
results view application log.

Enter the name of the result log where the messages should appear in the EventLog parameter. The
messages are written to the application log if the default value “Application” is used.

The amount of information in the messages is specified through the module. By default, only warnings
and serious errors are logged. This can be changed, however, by setting parameter “LogSeverity”.

Message Types

SEVERITY LEVEL   DESCRIPTION

Info             All messages are written to the log file. The log quickly becomes too large and
                 confusing!

Warning          Only warnings and serious exceptions appear in the log (default).

Serious          Only serious exceptions are written to the log.

Process handling errors can also be written to a server’s result log. To do this, use the process
component “LogComponent”.


Process Generation Logging


You need to enter a value in the “JobGenLogDir” parameter of the configuration section
“ConnectionBehaviour” in order to activate process generation logging. This can either take place in the
program configuration file or in the registry under Windows. The given directory has to exist.
The Identity Manager Service configuration file is adapted to fit the Job Service Configuration (see The
Connection Module on page 72).

Example: Identity Manager Service Jobservice.cfg entry

<configuration>
...
<category name="connectionbehaviour">
<value name="jobgenlogdir">%Temp%\jobgenlog</value>
</category>
...
</configuration>

Example: Configuration file entry for an application

<configuration>
<configSections>
...
<section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
</configSections>
...
<connectionbehaviour>
<add key="jobgenlogdir" value="C:\TEMP\jobgenlog" />
</connectionbehaviour>
...
</configuration>

Example: Manager entry using a registry file (*.reg).

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Quest Software\Identity Manager\Manager\ConnectionBehaviour]
"JobGenLogDir"="c:\\temp\\JobGenLog"

Database Query Logging


Database query logging can be activated for all programs that work with the VI.DB.DLL. You need to
enter the directory for the SQL log in the parameter “SQLLogDir” in the “ConnectionBehaviour”
configuration section. This can either take place in the program configuration file or in the registry
under Windows. The given directory has to exist. The Identity Manager Service configuration file is
adapted to fit the Job Service Configuration (see The Connection Module on page 72).

Example: Identity Manager Service Jobservice.cfg entry

<configuration>
...
<category name="connectionbehaviour">
<value name="sqllogdir">%Temp%\sqllogdir</value>
</category>
...
</configuration>

Example: Configuration file entry for an application

<configuration>
<configSections>
...
<section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
</configSections>
...
<connectionbehaviour>
<add key="sqllogdir" value="C:\TEMP\sqllog" />
</connectionbehaviour>
...
</configuration>

Example: Manager entry using a registry file (*.reg).

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Quest Software\Identity Manager\Manager\ConnectionBehaviour]
"SQLLogDir"="c:\\temp\\Sqllog"

Object Action Logging


Object action logging can be activated for all programs that work with the VI.DB.DLL. You need to
enter a directory for the object log in the parameter “ObjectLogDir” in the “ConnectionBehaviour”
configuration section. This can either take place in the program configuration file or in the registry
under Windows. The given directory has to exist.

The Identity Manager Service configuration file is adapted to fit the Job Service Configuration (see The
Connection Module on page 72).

Example: Identity Manager Service Jobservice.cfg entry

<configuration>
...
<category name="connectionbehaviour">
<value name="objectlogdir">%Temp%\objectlog</value>
</category>
...

</configuration>

Example: Configuration file entry for an application

<configuration>
<configSections>
...
<section name="connectionbehaviour" type="System.Configuration.NameValueSectionHandler" />
</configSections>
...
<connectionbehaviour>
<add key="objectlogdir" value="C:\TEMP\objectlog" />
</connectionbehaviour>
...
</configuration>

Example: Manager entry using a registry file (*.reg).

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Quest Software\Identity Manager\Manager\ConnectionBehaviour]
"ObjectLogDir"="c:\\temp\\ObjectLog"

Use the parameter “Regular expression for stack trace positions (ObjectDumpStackExpression)” to
specify a regular expression. If the current row in the object log matches the regular expression, the
stack trace is written in the object log.

Example expression: “Lastname”

<connectionbehaviour>
...
<add key="ObjectDumpStackExpression" value="Lastname" />
</connectionbehaviour>

If the current row contains the value “Lastname”, the stack trace is also copied to the log.

Logging DBScheduler Tasks


The DBScheduler is called by the database schedule “vid_DBScheduler”. You can change the calling
cycle of the DBScheduler in SQL Server Management Studio under <SQL Server Agent>\<Tasks> if
necessary. The DBScheduler can be started manually in certain Identity Manager administration tools
with the relevant access permissions if required (see DBScheduler Computational Tasks Data on page 58).

The Identity Manager Service DBSchedulerWatchDogPlugin can be used to check if a database schedule
is still active. This plugin checks, at regular intervals, whether the database schedule for the
DBScheduler is enabled and starts it if necessary. The plugin should only be enabled on one Job server
in the network and we recommend running it on the database server. For information about plugins
read DBSchedulerWatchDogPlugin on page 75 in the Getting Started Guide.


Information, warning and error messages are logged to the system journal. System messages that are
logged during scheduling tasks can also be seen in the administration tools (see DBScheduler
Computational Tasks Data on page 58).

5
Identity Manager Files
• Identity Manager Service Configuration Files
• Identity Manager Service Log File
• HTTPLogPlugins Log File

Identity Manager Service Configuration Files


Identity Manager Service is configured using a configuration file. The configuration file has to be in the
same directory as the viNetworkService.exe. Two types of configuration file are supported:

• Jobservice.cfg
• viNetworkService.exe.config

Jobservice.cfg
Jobservice.cfg is a configuration file in Quest’s own simpler format. The advantage of this file is that
reloading is supported during runtime. The text is case sensitive. There is a configuration section in the
file for each of the different Identity Manager Service modules.

The root in the XML file is always called “configuration”. In “category”, one configuration file module is
defined with its values. At the moment the program only supports the section type
“System.Configuration.NameValueSectionHandler”.

Both the section and the name of the value must be written in “lower case”.

<configuration>
<category name="serviceconfiguration">
<value name="jobprovider">VI.JobService.MSSqlJobProvider,jobservice</value>
<value name="HttpPort">1180</value>
<value name="logwriter">VI.JobService.FileLogWriter,jobservice</value>
</category>
</configuration>

Example for a simple configuration with:

• direct connection to a Microsoft SQL Server
• only one job destination (JobProcessor)
• HTTPStatusPlugIn to check status using HTTP

<configuration>
<category name="serviceconfiguration">
<value name="jobprovider">VI.JobService.MSSqlJobProvider,jobservice</value>
<value name="logwriter">VI.JobService.FileLogWriter,jobservice</value>
</category>
<category name="sqlprovider">
<value name="connectstring">User ID=sa;initial Catalog=<Database>;Data Source=<SQL-Server>;Password=<Password></value>
</category>
<category name="filelogwriter">
<value name="loglifetime">0.01:00:00</value>
<value name="logseverity">Info</value>
</category>
<category name="dispatcher" />
<category name="jobdestinations">
<value name="queuex">VI.JobService.JobServiceDestination,jobservice</value>
</category>
<category name="queuex">
<value name="queue">\%COMPUTERNAME%</value>
</category>
<category name="plugins">
<value name="httpstatusplugin">VI.JobService.HttpStatusPlugin,jobservice</value>
</category>
</configuration>

viNetworkService.exe.config
The viNetworkService.exe.config is the default configuration file for .NET exes and has the specified for-
mat. The text is case sensitive. There is a configuration section in the file for each of the different
Identity Manager Service modules.

The root in the XML file is always called “configuration”. All other sections of the configuration file and
its type are defined in “configSections”, which is always in the file. At the moment the program only
supports the section type “System.Configuration.NameValueSectionHandler”.

<configuration>
<configSections>
<section name="sectionname" type="System.Configuration.NameValueSectionHandler" />
</configSections>
<sectionname>
...
</sectionname>
</configuration>

Example for a simple configuration with:

• direct connection to a Microsoft SQL Server
• only one JobProcessor
• HTTPStatusPlugIn to check status using HTTP

<configuration>
<configSections>
<section name="serviceconfiguration" type="System.Configuration.NameValueSectionHandler" />
<section name="sqlprovider" type="System.Configuration.NameValueSectionHandler" />
<section name="filelogwriter" type="System.Configuration.NameValueSectionHandler" />
<section name="dispatcher" type="System.Configuration.NameValueSectionHandler" />
<section name="jobdestinations" type="System.Configuration.NameValueSectionHandler" />
<section name="queuex" type="System.Configuration.NameValueSectionHandler" />
<section name="plugins" type="System.Configuration.NameValueSectionHandler" />
<section name="httpstatusplugin" type="System.Configuration.NameValueSectionHandler" />
</configSections>
<serviceconfiguration>
<add key="jobprovider" value="VI.JobService.MSSqlJobProvider,jobservice" />
<add key="logwriter" value="VI.JobService.FileLogWriter,jobservice" />
</serviceconfiguration>
<sqlprovider>
<add key="ConnectString" value="User ID=sa;initial Catalog=<Database>;Data Source=<SQL-Server>;Password=<Password>" />
</sqlprovider>
<filelogwriter>
<add key="LogLifeTime" value="0.01:00:00" />
<add key="LogSeverity" value="Info" />
</filelogwriter>
<dispatcher />
<jobdestinations>
<add key="QueueX" value="VI.JobService.JobServiceDestination,jobservice" />
</jobdestinations>
<queuex>
<add key="queue" value="\%COMPUTERNAME%" />
</queuex>
<plugins>
<add key="httpstatusplugin" value="VI.JobService.HttpStatusPlugin,jobservice" />
</plugins>
</configuration>
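As an added illustration (not code from the Identity Manager product or from this guide), the following Python script parses both configuration layouts described above, reports category and value names that break the Jobservice.cfg lower-case rule, and converts a Jobservice.cfg into the viNetworkService.exe.config layout. The embedded sample is constructed for this example from the entries shown above; its connection string carries placeholder values instead of real server names or credentials, and the parser accepts only the section type this page names, System.Configuration.NameValueSectionHandler.

```python
"""Added example: parse and convert Identity Manager Service configuration files.

Covers the two layouts described above: Jobservice.cfg (category/value) and
viNetworkService.exe.config (configSections + add key/value). Not product code.
"""
import xml.etree.ElementTree as ET

# The only section handler type the service supports according to the guide.
NV_HANDLER = "System.Configuration.NameValueSectionHandler"

# Constructed sample in Jobservice.cfg layout, modelled on the entries shown above.
# Connection string values are placeholders, not real hosts or credentials.
# "LogSeverity" is deliberately mixed case to exercise the lower-case check.
SAMPLE_JOBSERVICE_CFG = """\
<configuration>
  <category name="serviceconfiguration">
    <value name="jobprovider">VI.JobService.MSSqlJobProvider,jobservice</value>
    <value name="logwriter">VI.JobService.FileLogWriter,jobservice</value>
  </category>
  <category name="sqlprovider">
    <value name="connectstring">User ID=sa;Initial Catalog=DB_PLACEHOLDER;Data Source=SERVER_PLACEHOLDER;Password=PASSWORD_PLACEHOLDER</value>
  </category>
  <category name="filelogwriter">
    <value name="loglifetime">0.01:00:00</value>
    <value name="LogSeverity">Info</value>
  </category>
  <category name="dispatcher" />
  <category name="jobdestinations">
    <value name="queuex">VI.JobService.JobServiceDestination,jobservice</value>
  </category>
  <category name="queuex">
    <value name="queue">\\%COMPUTERNAME%</value>
  </category>
  <category name="plugins">
    <value name="httpstatusplugin">VI.JobService.HttpStatusPlugin,jobservice</value>
  </category>
</configuration>
"""


def parse_jobservice_cfg(text):
    """Parse the Jobservice.cfg layout into {category: {value name: value}}."""
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError("root element must be <configuration>")
    cfg = {}
    for category in root.findall("category"):
        name = category.get("name")
        if not name:
            raise ValueError("<category> without a name attribute")
        cfg[name] = {}
        for value in category.findall("value"):
            key = value.get("name")
            if not key:
                raise ValueError(f"<value> without a name in category {name!r}")
            cfg[name][key] = (value.text or "").strip()
    return cfg


def parse_exe_config(text):
    """Parse the viNetworkService.exe.config layout into the same dict shape.

    Sections must be declared in <configSections> with the NameValueSectionHandler
    type. A declared section whose element is absent is treated as empty.
    """
    root = ET.fromstring(text)
    if root.tag != "configuration":
        raise ValueError("root element must be <configuration>")
    declared = root.find("configSections")
    if declared is None:
        raise ValueError("<configSections> is mandatory in this layout")
    cfg = {}
    for section in declared.findall("section"):
        name = section.get("name")
        handler = section.get("type", "").split(",")[0].strip()
        if not name:
            raise ValueError("<section> without a name attribute")
        if handler != NV_HANDLER:
            raise ValueError(f"unsupported section type for {name!r}: {handler}")
        body = root.find(name)
        adds = body.findall("add") if body is not None else []
        cfg[name] = {add.get("key"): add.get("value", "") for add in adds}
    return cfg


def names_not_lowercase(cfg):
    """List category and value names that break the Jobservice.cfg lower-case rule."""
    offenders = [name for name in cfg if name != name.lower()]
    for name, values in cfg.items():
        offenders += [f"{name}/{key}" for key in values if key != key.lower()]
    return offenders


def to_exe_config(cfg):
    """Render a parsed configuration in the viNetworkService.exe.config layout."""
    root = ET.Element("configuration")
    sections = ET.SubElement(root, "configSections")
    for name in cfg:
        ET.SubElement(sections, "section", name=name, type=NV_HANDLER)
    for name, values in cfg.items():
        body = ET.SubElement(root, name)
        for key, value in values.items():
            ET.SubElement(body, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    parsed = parse_jobservice_cfg(SAMPLE_JOBSERVICE_CFG)
    for offender in names_not_lowercase(parsed):
        print(f"not lower case: {offender}")
    print(to_exe_config(parsed))
```

Running the script prints the one offending name and the converted file. The same lower-case check would also flag the `HttpPort` value name in the short Jobservice.cfg example above, which is worth keeping in mind when a reloaded Jobservice.cfg appears to ignore a setting.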

Identity Manager Service Log File


The LogWriter logs all the tasks for Identity Manager Service components with success and error
messages. The message volume depends on the message type configured (parameter “LogSeverity”).

Message Types

WARNING LEVEL   DESCRIPTION

Info            All messages are written to the log file. The log file quickly becomes large and
                confusing.

Warning         Only warnings and fatal errors appear in the log file (default).

Serious         Only fatal errors (exceptions) are written to the log file.

It is possible to view the log file using a browser. The prerequisite is that the HTTPStatusPlugin is
configured. This plugin adds several services to the Identity Manager Service HTTP server.

The log file can be displayed in the browser. It is called up by entering the appropriate URL:

http://<servername>:1880/log

You can reach the server using HTTPS once SSL support has been configured.

The messages displayed on the web page can be filtered interactively. There is a selection box at the
top edge of the page for this. Of course, only text that is in the log file can be displayed. For example,
if the message type is set to “Warning”, choosing the “Info” filter displays nothing, because no “Info”
messages were written to the file.

The maximum age of a log file is configured using the parameter “LogLifeTime”. If a log file has
reached its maximum age, the file is renamed (e.g. “JobService.log_20040819-083554”) and a new log
file is created.

The HTTPStatusPlugin makes other services, apart from calling the log file, available for
Identity Manager Service. Calling syntax for the services:

http://<servername>:1880/Assemblies
http://<servername>:1880/Cache
http://<servername>:1880/Comp
http://<servername>:1880/Statistics
http://<servername>:1880/Status
http://<servername>:1880/PerfCounter

HTTPLogPlugins Log File


The HTTPLogPlugin writes a log file of the Identity Manager Service HTTP requests. The file is written
in Apache HTTP Server Combined Log Format.

Input example:

172.19.2.18 - - [03/Feb/2005:14:55:48 +0100] "GET /resources/JobService.css HTTP/1.x" OK - "http://vidrn005:1880/status/LogWriter/Config" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"

Meaning of each Entry

INPUT                                            MEANING

172.19.2.18                                      IP address of the client making the request

-                                                Client user name using IDENT protocol (RFC 1413)

-                                                Client user name conforming to HTTP authentication

[03/Feb/2005:14:55:48 +0100]                     Time that the request is processed on the server

"GET /resources/JobService.css HTTP/1.x"         Request

OK                                               Status code

-                                                Size of data sent back to the browser

"http://vidrn005:1880/status/LogWriter/Config"   URL from which the page was accessed (referer)

"Mozilla/5.0 (Windows; U; Windows NT 5.1;        Browser name (user agent)
de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"
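As an added example (not part of the guide or of the HTTPLogPlugin itself), this Python parser reads the Combined Log Format lines the plugin writes and splits them into the fields listed in the table above. The first sample line is the entry shown above; the second line and the deliberately malformed third line are constructed for the example. Lines that do not match the format are reported by line number rather than silently dropped, since the referer and user-agent fields are supplied by the client and cannot be assumed to be well-formed.

```python
"""Added example: parse the Combined Log Format lines written by the HTTPLogPlugin.

Not part of the plugin; field names follow the table above.
"""
import re
from datetime import datetime

# One regular expression for the Apache Combined Log Format. The referer and
# user-agent fields are optional so that plain Common Log Format lines also parse.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" '
    r'(?P<status>\S+) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Sample input. Line 1 is the entry shown above; lines 2 and 3 are constructed,
# line 3 deliberately malformed to show how rejected lines are reported.
SAMPLE_LOG = """\
172.19.2.18 - - [03/Feb/2005:14:55:48 +0100] "GET /resources/JobService.css HTTP/1.x" OK - "http://vidrn005:1880/status/LogWriter/Config" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.5) Gecko/20041108 Firefox/1.0"
172.19.2.18 - admin [03/Feb/2005:14:56:02 +0100] "GET /log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def _dash_to_none(field):
    """The format writes "-" for an absent value."""
    return None if field in (None, "-") else field


def parse_combined_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    match = COMBINED_RE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    try:
        # e.g. 03/Feb/2005:14:55:48 +0100 -> timezone-aware datetime
        when = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
        size = None if fields["size"] == "-" else int(fields["size"])
    except ValueError:
        return None
    parts = fields["request"].split(" ")
    return {
        "host": fields["host"],
        "ident": _dash_to_none(fields["ident"]),
        "user": _dash_to_none(fields["user"]),
        "time": when,
        "request": fields["request"],
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else "",
        "protocol": parts[2] if len(parts) > 2 else "",
        # Identity Manager writes "OK" here rather than a numeric code, so keep a string.
        "status": fields["status"],
        "size": size,
        "referer": _dash_to_none(fields["referer"]),
        "agent": _dash_to_none(fields["agent"]),
    }


def parse_log(text):
    """Parse all lines; return (entries, rejected_line_numbers)."""
    entries, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        entry = parse_combined_line(line)
        if entry is None:
            rejected.append(number)
        else:
            entries.append(entry)
    return entries, rejected


def requests_by_path(entries):
    """Count requests per path, e.g. to see which status services are polled most."""
    counts = {}
    for entry in entries:
        counts[entry["path"]] = counts.get(entry["path"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for entry in parsed:
        print(entry["time"].isoformat(), entry["host"], entry["method"], entry["path"], entry["status"])
    print("rejected lines:", bad)
    print(requests_by_path(parsed))
```

The status field is kept as a string because, as the table above shows, the plugin writes “OK” rather than a numeric HTTP status code; a parser that assumed an integer would reject every line.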

GLOSSARY
This glossary contains definitions taken from Microsoft publications.

A
ABAP

Advanced Business Application Programming. Programming language from the company SAP AG.

Active Directory (AD)

LDAP based directory server from Microsoft, introduced with Windows 2000.

Active Directory Service

Directory service implementation from Microsoft.

Additional List

All user accounts that are added to a dynamic group in addition to the group selection criteria.
Additional lists can be maintained in the target systems Lotus Notes and LDAP.

AdminP Request

Administration process in Lotus Notes used to handle various internal tasks. All AdminP tasks and their
results are added to the Admin4 database. This database can be synchronized with the
Identity Manager database.

Analyzer

A program for analyzing data correlation in the database.

AP Customer

Employee listed as customer in the table “AP.AP_SUPPLIER_CONTACTS” of an Oracle E-Business Suite.
Employee data can be imported from the Oracle E-Business Suite into the Identity Manager database
and linked to EBS user accounts.

Application

User software.

Application Group

A global group for assigning applications to user accounts.

Application Link Enabling (ALE)

SAP technology for integrating and running distributed applications on different SAP systems.
Refer to your SAP system documentation for further details.

Application Role

Identity Manager application roles are preset, customizable, functional roles used to specify entitle-
ments to Identity Manager functions resulting from Identity Manager user tasks from within company
structures. Application roles take administration and approval processes into account.

Approval Process

Process for requesting products for a customer in the IT Shop. The approval process is set up with ap-
proval policies that can contain several approval levels. There can be several approval steps defined in
an approval level. A different group of approvers can be specified for each approval step.

Approver

The approver is an employee who grants or denies approval in a request procedure (renewal or cancel-
lation).

Approval Policy

Specifies which approval workflow should be used in the IT Shop for an attestation case or a request
(renewal or cancellation).

Approval Procedure

Finds the attestor for the current attestation case or the approver for the current request (renewal or
cancellation) in the IT Shop.

AP Supplier

Employee listed as supplier in the table “AP.AP_SUPPLIER_CONTACTS” of an Oracle E-Business Suite.
Employee data can be imported from the Oracle E-Business Suite into the Identity Manager database
and linked to EBS user accounts.

AR Party

Employee listed in the table “AR.HZ_PARTIES” of an Oracle E-Business Suite. Employee data can be im-
ported from the Oracle E-Business Suite into the Identity Manager database and linked to EBS user ac-
counts.

Assignment

Part in the synchronization that makes the connection between the target system schema and the data-
base schema if the synchronization objects should be mapped as many-to-many relation. Mapping tar-
get system objects to assignment tables is defined by assignments. In addition, synchronization behav-
ior for synchronization configuration is specified with assignments.

Assignment Request

Requests for company resources, employees for roles. You can request assignments for departments,
cost centers, locations or business roles through the Web Portal. Then they are authorized by the ap-
proval process.

Assignment Table

Tables, used to define relations between two tables. Objects in both tables are assigned to each other
in a many-to-many relation. Assignment tables are, for example, PersonInDepartment or ADSAccountI-
nADSGroup.

Attestation

A method for authorizing data or internal rules. Attestation functionality in Identity Manager is used by
managers or others in authority to certify the correctness of editing permissions, entitlements, requests
or exception approvals on a regular or manual basis.

Attestation Instance

Objects that are created as soon as attestation is automatically or manually started. When attestation
is triggered, Identity Manager creates an attestation case for each attestation object. Attestation data
is saved in the attestation instance. This includes the attestation object, status (open, approved, de-
nied), date of attestation, and the attestor.

Attestor

The person that will carry out the attestation. Attestors either approve or deny data presented in an at-
testation instance.

Auditing

The term <Auditing> or <Audit> describes how an aspect (audit object) of a company is assessed. An
audit is normally oriented around specific auditing tasks and supports quality assurance. An audit is
specifically an instrument for the systematic, independent and documented examination of quality
related activities and their evaluation against planned requirements and targets (auditing criteria). To
successfully complete an audit, certain features must be available and specific requirements must be
fulfilled. (Source: sicherheitswiki.org).

Authentication Module

Authentication modules are used to define how users log in to Identity Manager tools. Users can log
in, for example, as employees with their Active Directory user account or directly as system users.
The authentication module determines which system user is directly or indirectly assigned to the
logged-in user. This assigns user permissions for the user interface elements of the administration tool
that has been started and for the database objects.

Authentication Object

An object used by a SharePoint user to log into a SharePoint site. SharePoint takes authentication ob-
jects from the system environment in which the SharePoint environment is integrated. The
Identity Manager can create references to the following authentication objects: Active Directory user
accounts and groups, LDAP user accounts and groups.

Authorization Definition

Group of transactions and authorization objects in Identity Manager to be tested by an SAP function.

Authorization Editor

Tool for editing the authorization definition for an SAP function.

Authorization Field

An object in an SAP system. The smallest unit to which authorizations can be granted. To do this,
authorization fields are given fixed values (activities or data). Up to 10 authorization fields are grouped
as one authorization and are only valid in this grouping.

Authorization Object

An object in an SAP system that makes the definition of authorizations possible. Authorization objects
are made up of up to 10 authorization fields connected with an AND link.

B
Base Object

Link to the authentication object with which a SharePoint user logs into a SharePoint site.

BI analysis Authorization

Authorizations that an SAP user uses to analyze BI data in an SAP system across clients.

BI User Account

User account used for mapping the properties of an SAP user account with BI analysis authorizations in
the Identity Manager. BI analysis authorizations can be assigned through BI user accounts across cli-
ents to all SAP user accounts within an SAP system.

C
Cancellation Workflow

Approval workflow that determines the approver when a requested product is canceled.

Cart

Used to collect products in the IT Shop. Customers can add as many carts as they want. A cart is
deleted as soon as its request has been carried out.

Cart Item

A product assigned to a shopping cart. Cart items show the requestor and intended recipient for each
product.

Central User Administration (CUA)

Function in SAP for administrating SAP user accounts in a central system rather than maintaining all
clients separately. SAP clients in different SAP systems are grouped together in a system network. SAP
user accounts for these SAP clients are maintained in a central system and the data is distributed to
client systems. Therefore, users that own permissions in different SAP clients do not have to be
individually maintained. SAP roles and SAP profiles are administrated in client systems but can only be
assigned to SAP user accounts in the central system. Refer to your SAP system documentation for more
details.

Company Policy

Object that maps the policy in a company in relation to Identity and Access Management in the
Identity Manager. Policy violations can be found and approved in retrospect. Attestations and risk as-
sessments can be executed through company policies.

Company Resource

Umbrella term for all objects that are assigned to employees or roles or that can be requested through
the IT Shop. Company resources include: applications, system entitlements, resources, target system
groups, and system roles.

Configuration Parameter

Parameter for configuring the basic settings for Identity Manager system administration.
Preprocessor-relevant configuration parameters are configuration parameters connected to a prepro-
cessor condition. If a preprocessor-relevant configuration parameter changes, the database must be re-
compiled.

Configuration Parameter Editor

An editor in the Designer for customizing configuration parameters.

Configuration Wizard

Program for installing and migrating an Identity Manager database.

Crypto Configuration

A program for encrypting the database contents of an Identity Manager database.

CUA

See Central User Administration (CUA).

CUA Status

Labels an SAP client for use as central system or client system in the central user administration. Cli-
ents that should be excluded from the Central User Administration are labeled with the CUA status
“None”.

Customer

A company employee entitled to request items from the IT Shop. An employee becomes a customer
when assigned to a shop.
Customers form an IT Shop solution by combining shelves, products, shops and shopping centers.

D
Database Compiler

Program for compiling the Identity Manager database after changes have been made.

Database Schema

A logical description of data saved in a database. The schema not only defines names for individual data
items, their size, and other characteristics, but also identifies the relation between the data. The
Identity Manager data model differentiates between reference data and meta data. Reference data is
described by the application data model, the meta data by the interface data model.

Database Transporter

Program for exporting objects and custom changes from an Identity Manager database to an
Identity Manager database.

Data Definition Language (DDL)

A language for defining database structures.

Data Import

Program for importing data into an Identity Manager database.

DBQueue

Task list where triggered processing tasks are queued.

DBScheduler

The DBScheduler is used to calculate processing tasks from the DBQueue. The DBScheduler is made up
of a combination of stored procedures and triggers.
The DBScheduler also controls recurring tasks on a cyclical basis, such as daily maintenance tasks for
calculating statistics or indexing the database.

Delegation

Special assignment request form. In this case, an employee passes any number of role assignments to
another employee for a limited period of time. Delegations can be authorized using an approval proce-
dure.

Designer

Main configuration interface for Identity Manager.

Discontinue Inheritance

The property “Discontinue inheritance” indicates that the option “End of inheritance” is set in a role’s
master data.

Distribution Model

Relationships between logical systems are defined in the SAP distribution model. It is used by Applica-
tion Link Enabling to control data distribution amongst others. Refer to your SAP system documentation
for more details.

Domain Name System (DNS)

The Domain Name System (DNS) is a distributed database that manages namespaces in the internet.

Domino Server, Central

Selected productive Notes server with a good network connection to the gateway server.
When actions are performed against the productive address book and the mailbox files, the gateway
server communicates with the central Domino server.

Dynamic Group

Target system group that user accounts are added to based on strict selection criteria. Dynamic groups
can be added in the target systems Active Directory, Lotus Notes and LDAP.

Dynamic Host Configuration Protocol (DHCP)

Standard for administration of dynamic settings and addresses in a network. DHCP makes it possible to
dynamically assign an IP address with the help of a DHCP server and other configuration parameters on
computers in a network.

E
Edit Permissions

Groups Identity Manager user permissions for database objects, menu items, forms and methods to-
gether.

Enterprise Resource Planning (ERP)

Identifies the company task for planning the use of existing company resources in the most efficient
way for daily operations.

EBS Entitlement

A combination of EBS security group and EBS responsibility mapped in the Identity Manager. EBS re-
sponsibilities are assigned to EBS user accounts in the Identity Manager through EBS entitlements.

EBS System

Synchronization base object for objects in an Oracle E-Business Suite. A separate EBS system is set up
for each Oracle E-Business Suite mapped in the Identity Manager database. Synchronization for the
Oracle E-Business Suite is configured in the EBS system.

Employee Assignment

User accounts can be automatically linked to employees in the Identity Manager database. Search
criteria for this can be defined separately for each target system. They are used if the target
system-specific configuration parameters “PersonAutoDefault” and “PersonAutoFullsync” are set.

Exception Approver

A person who can approve rule exceptions. Exception approvers are only those employees that are as-
signed to at least one compliance rule as exception approver with the application role <Identity & Ac-
cess Governance>\<Identity Audit>\<Exception approver>.

Excluded Attribute

An Oracle E-Business Suite object that is explicitly excluded from assignment to an EBS responsibility.

Excluded List

All user accounts that are excluded from a dynamic group. Excluded lists can be maintained in the tar-
get systems Lotus Notes and LDAP.

F
Function (Risk index)

Functions define the method used to calculate risk indexes. Data sources, the objects involved, calcula-
tion type and the table column of the calculation target object are specified.

Function Instance

Function definition that is given values for a specific application. A specific SAP client to be used in the
SAP function is given in the function instance, and variable allocated to authorization fields are given
fixed values. Function instances can only be set up for active SAP functions.

Function Element

A general term for transactions, authorization objects and authorization fields that are displayed in an
authorization definition as a tree structure in the Authorization Editor.

G
Gateway Server

A server in the Identity Manager environment that executes all the tasks in Lotus Notes triggered by
the Identity Manager. The gateway server cannot be a productive Notes server. It requires access to
the Notes server in the productive environment. The Identity Manager Service is installed on the
gateway server with the Lotus Notes synchronization components and the Notes database
“viAgentsDB.nsf” available.

Business Role

Business roles represent customized functions in Identity Manager. You can use them to model
approval workflows, assignments or approval procedures according to the needs of your organization
structure. All business roles are specified by your company.

Global Shelf Template

Template that is used to automatically generate shelves in all IT Shop shops.
A global shelf can be assigned company resources (as products) and approval policies.

H
HistoryDB

Archiving system for data changes.

HistoryDB Manager

Administration tool for displaying and editing all the information in the HistoryDB archiving system.

HistoryDB Service

System service on the servers. The HistoryDB Service imports log entries into the HistoryDB archiving
system.

Hotfix

A hotfix contains corrections to the default configuration of the main installed version but no new func-
tionality.

HR Person

Employee listed in the table “HR.PER_ALL_PEOPLE_F” of an Oracle E-Business Suite. Employee data
can be imported from the Oracle E-Business Suite into the Identity Manager database and linked to EBS
user accounts.

Hypertext Transfer Protocol (HTTP)

Protocol for transferring data.

I
Identity Manager (1)

Product for provisioning IT and other company resources.

Identity Manager (2)

Main administration tool for managing employees, user accounts and permissions within an
Identity Manager network.

Identity Manager Service

A system service on the servers. The Identity Manager Service handles processing.

ID Restore

A method in the Identity Manager for restoring user ID files in Lotus Notes. This method can be used if
restoring user ID files from an ID vault has not been implemented.

IT Shop

Program component for providing employees with company resources using a defined approval procedure.
IT Shop solutions are set up in the Identity Manager and can then be used in the Web Portal.

IT Shop Structure

Role classes are used to group the components of an IT Shop solution, for example, shopping center,
shop, shelf, customer.

J
Job Queue Info

Program for monitoring the current state of the services running in an Identity Manager network.

Job Destination

Identity Manager Service component. The Job destination handles the process steps and returns the result
to the Job provider.

Job Provider

Identity Manager Service component. A Job provider delivers process steps to the Job destination and
evaluates the results.

Job Queue

Central storage for process component generated actions to be executed.

Job Server

Server with Identity Manager Service installed, running elementary tasks.

Job Server Editor

Designer for editing Job server properties.

Job Service Configuration

Program for configuring Identity Manager Service.

Job Service Updater

Program for updating Identity Manager Service on Job servers.

L
Language Editor

Designer Editor for translating text captions.

License Meter

Program for quantifying licenses in the Identity Manager database.

Lightweight Directory Access Protocol (LDAP)

Network protocol that permits queries and modifications to a directory service's information (a hierarchical
database distributed across a network).

List Editor

Basic editor in the Designer for displaying and editing lists.

Lock Group

Notes group with the group type “only negative list” for which the access type “Not access server” is
defined on a Notes server.

Lotus Notes

Document-oriented distributed database system that is closely integrated with email.

M
Manage Level

The user account manage level determines the range of properties inherited by the user account from
the employee. The Identity Manager supplies configurations for the manage levels “Unmanaged” and
“Full managed”. You can define other manage levels.

Unmanaged: User accounts obtain a link to the employee but do not inherit any other properties from
them.

Full managed: User accounts obtain a link to the employee and inherit defined properties from them.

Manager

Main administration tool for displaying and editing all the information in an Identity Manager network.

Mapping

Maps target system objects and their properties to database objects and their properties.
Mapping is used to synchronize data between the Identity Manager and target systems.

Mapping File

Contains extended rules for mapping properties between database and target system. The mapping file
has an XML structure. A mapping file can be created and extended with internal mapping rules for process
components. Alternatively, a new mapping file can be created that only contains extensions. If another
extended mapping rule exists as a mapping file, it is added to the process component's internal
mapping rule and the resulting rule is used to map the property.

Mitigating Control

A control to be carried out so that, for example, a compliance rule is not violated. Mitigating controls
reduce the risk by a fixed value (significance reduction).
Mitigating controls are independent of Identity Manager functions. For example, the risk that is con-
nected with a rule violation can be reduced by regular manual checking of prohibited authorizations.

N
NetBIOS

Network Basic Input Output System, a programming interface developed by IBM to make communication
between two network programs possible. NetBIOS allows 16 characters for a NetBIOS name. Microsoft
limited NetBIOS names to 15 characters because the 16th character is used as a NetBIOS suffix.

Notes Domain

A Notes domain in the Identity Manager corresponds to the mapping of a visible area in Lotus Notes, for
example, a productive Lotus Notes environment. Several productive Lotus Notes environments can be
managed in parallel using this construct because it is handled more strictly in the Identity Manager.

O
Object Definition

Object definitions create a view for database objects that can be differentiated by their properties and
therefore allow an additional control function.

Object Editor

Basic editor in the Designer for displaying and editing all objects.

Object type

Element in the synchronization that creates the connection between target system schema and database
schema. Object types define the mapping from target system objects to database objects. In addition,
the synchronization behavior of a synchronization configuration is specified by the object types.

Oracle E-Business Suite

Product of the company Oracle.

Organization

The company structures department, cost center, and location are called organizations in
Identity Manager.

Org Level

An object in an SAP system that defines fixed values for authorization fields. Org levels are, for exam-
ple, custom accounting codes, functional areas or account types.

P
Patch

Software update.

Permission Level

Object used to group SharePoint permissions together. Permission levels that are linked to a concrete
SharePoint site are mapped as SharePoint roles in the Identity Manager.

Permissions Editor

Designer editor used to grant table and column permissions to permissions groups and system users.

Permissions Group

Different edit permissions for Identity Manager functions are grouped together in permissions groups.
Permissions groups are assigned to system users. In this way, users of Identity Manager tools obtain
edit permissions to Identity Manager functions.
Certain permissions groups are components of the Identity Manager installation. Other permissions
groups can be custom defined in the Designer.

Plugin

Additional software module.

Preprocessor Condition

Condition for posing restrictions on program code during compilation.

Conditional compilation allows parts of the program code to be included and excludes other parts.
Preprocessor conditions are defined through configuration parameters and their options.

Process

A sequence of process steps strung together in a sensible order. The task of a process is to map live
processes.

Process Editor

Editor in the Designer for handling process steps and processes.

Process Function

Task executed by a process.

Process Parameter

Parameter permitted for a single process component task.

Process Plan

A process plan covers the basic configuration for automatically executing a process.

Process Step

Separate parts of a process. A process step represents one work procedure.

Process Component

Elementary component available for use in process steps.

Product

Company resource that is assigned to an IT Shop shelf and therefore can be requested. Products form
an IT Shop solution by combining shelves, customers, shops and shopping centers. Only company re-
sources that are assigned to a service item and labeled with the option <IT Shop> can be added as
products to the IT Shop.

Provider Client

The provider client is a completely configured Identity Manager customer environment with a database,
Identity Manager Service, and possibly Identity Manager front-ends. The provider client actively admin-
isters a network. In addition to the usual Identity Manager environment, the provider client can process
its own Identity Manager Service requests that are executed on the provider master.

Provider Master

The provider master is a completely configured Identity Manager provider environment with a database,
Identity Manager Service and possibly Identity Manager front-ends. The provider master does not
necessarily administer its own network but does, however, contain additional information about the provider
clients in its administration. The provider master keeps a queue for provider clients' requests.

Provider Mode

Provider mode is a model that stores and changes information in a central Identity Manager environment.
The information is transferred into largely independent Identity Manager environments and takes
effect there.

R
Release Key

The release key is used by system users to change objects defined by Quest Software. The release key
is only issued for a limited period of time and has to be specially requested.

Renewal Workflow

Approval workflow that finds the approver if a requested product needs to be renewed.

Replication Info

Program for monitoring replication of software profiles.

Request Template

Template for a cart containing items often requested together. Public request templates are available to
all Identity Manager users the moment they are shared. Non-public request templates can only be used
by the request template owner.

Resource

An existing item for solving a particular task.

Resource Type

Objects that are used to sort resources corresponding to usage. Processing steps for resource types can
be defined and run when a resource is successfully assigned to an employee.

Risk Index

Security risk for the company when a company resource is assigned to an employee or a compliance
rule, company policy or attestation policy is violated. The risk index can be given for all company re-
sources, SAP functions, attestation policies, company policies and compliance rules. The risk index for
an employee is calculated from the risk indexes for directly and indirectly assigned company resources.
It is given as a value in the range 0 (no risk) to 1 (problem).

Role

The term “role” is an umbrella term for the company structures departments, cost centers, locations,
and business roles. Roles in Identity Manager are all objects through which employees can be assigned
company resources. Therefore, IT Shop structures are also roles in the Identity Manager sense of the
word. Examples of roles include: “Development”, location “Prague”, product “FrameMaker - German -
9.0”.

Role Assignment

SharePoint user account or group assignment to a SharePoint role.

Role (SharePoint)

SharePoint permission level that is linked to a concrete SharePoint site. SharePoint roles are used to
pass on permissions from concrete sites to SharePoint user accounts.

Role Classes

Objects that group together similar roles. Role classes are defined in Identity Manager to differentiate
between various company structures. Role classes regulate inheritance behavior in these company
structures. Furthermore, they specify which company resource assignments are possible through a role
in a role class.

Examples of role classes are: “departments”, “location” or “IT Shop structure”. Define custom role
classes in order to create business roles.

Role Definition

A SharePoint permissions assignment to a SharePoint permission level.

Role Type

Company-specific criteria for allocating roles. Role types are mainly used to regulate inheritance of ap-
proval policies within an IT Shop structure. To do this, you define role types that you assign to the ap-
proval policies and IT Shop rules. In addition, you can use role types to structure business roles or
shops in the IT Shop by criteria.

Root Site

Main site for a SharePoint site collection. There is exactly one root site for each SharePoint site collec-
tion that builds the top layer of the site hierarchy. All other sites are below the root site.
Permission levels are defined for the root site and can be used as SharePoint roles for child sites in the
site collection.

S
SAP Authorization

Authorization permissions that SAP user accounts obtain on the basis of the SAP roles assigned to them
in the SAP system.

SAM Database

Security Accounts Manager – secure account administration under Windows. User accounts and encrypted
passwords are administered in the SAM database.

SAP Function

An object in Identity Manager that can be used to test which SAP authorizations an SAP user account in
an SAP client effectively has.

SAP Function Category

An object for grouping SAP functions.

SAP Menu

Element for guiding users through the SAP GUI. Authorizations are linked to fixed menu items in the
SAP system using authorization objects. Authorization objects can be linked into authorization defini-
tions through the choice of SAP menu in the Identity Manager Authorization Editor.

SAP R/3

Product from the company SAP AG.

Schedule

Schedules control cyclical execution of processes, calculation tasks and different scheduled tasks. You
define the time of execution and the interval between tasks. The time of execution can be given in local
or UTC time. A schedule can run several tasks.

Schema Extension

Program for extending the Identity Manager database schema with custom tables and columns.

Schema Editor

Editor in the Designer for customizing database schema table and column definitions.

Search criteria

User accounts can be automatically linked to employees in the Identity Manager database. Search cri-
teria for this can be defined separately in each target system mapping. They are used if the target sys-
tem specific configuration parameters “PersonAutoDefault” and “PersonAutoFullsync” are set.

Secure Sockets Layer (SSL)

Transfer protocol that enables encrypted communication.

Security attribute

An Oracle E-Business Suite object that was explicitly assigned to an EBS responsibility or an EBS user
account.

Server Permissions

Access list that specifies which Notes user accounts and Notes groups have access to a Notes server, and
for what purposes.

Server Restrictions

Access list that specifies which agents Notes user accounts and Notes groups can run on a Notes server.

Service Catalog

Displays all requestable service items grouped by service category. Service items for products that are
assigned to IT Shop shelves are displayed in the service catalog.

Service Category

Grouping criteria for service items. A product's service item must be assigned to a service category in
order to select the product from the service catalog.

Service Item

These are objects necessary to book company resources internally. Service items must be assigned to
company resources so that they can be requested and booked internally as products in the IT Shop. A
service item contains an exact product definition, an assignment to a cost center, and price information.

Service Pack

A service pack contains minor extensions to the functionality and includes all changes since the last
major version that were already delivered in hotfixes.

Service Provisioning Markup Language (SPML)

Service Provisioning Markup Language is an XML-based description language that is used as an ex-
change format for user and resource information between provisioning systems. The standardization of
SPML has been driven by the OASIS consortium (Organization for the Advancement of Structured Infor-
mation Standards, www.oasis-open.org) which includes some well-known software companies. The lat-
est version (2.0) was released in April 2006.

Shelf

An IT Shop structure that is part of a shop and can be assigned products. Shelves form part of a hierar-
chical IT Shop solution along with customers, shops, shopping centers, and products.

Shelf Template

Template that you can use to automatically generate shelves in the IT Shop and fill them with company
resources. You can use shelf templates when you want to set up shelves in several shops with identical
products. Identity Manager differentiates between global shelf templates, special shelf templates and
shopping center templates.

Shop

An IT Shop structure that is assigned shelves and customers.

Shops form a hierarchical IT Shop solution along with customers, shelves, shopping centers and
products. Each shop contains shelves that the shop's customers can request items from.

Shopping Cart

See Cart.

Shopping Center

IT Shop structure for grouping shops together. Shopping centers form a hierarchical IT Shop solution
along with customers, shops, shelves, and products.

Shopping Center Template

Template that you can use to replicate a shelf from a special shelf template in all the shops in a
shopping center. To do this, the shopping center template must be assigned to at least one special shelf
template.

Security ID (SID)

A security identifier (SID) is a unique value of variable length, which is used to identify a security
principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that
identify generic users or groups. Their values remain fixed across all Windows operating systems.

Significance reduction

A value by which the risk index of a compliance rule, SAP function, attestation policy or company policy
is reduced when a mitigating control is assigned to it. The reduced risk index is calculated from the risk
index and the significance reduction.

Software Loader

Program for loading new or changed files into the Identity Manager database. These files can then be
distributed in the Identity Manager network through automatic software updating.

Special Shelf Template

Template that you can use to automatically generate shelves in selected shops in the IT Shop.
A special shelf template can be assigned company resources, such as products, and approval policies.
The shops in which the shelf template should be replicated are selected individually.

Synchronization Configuration

Settings that define data synchronization between a target system and the Identity Manager. Synchro-
nization configuration contains the object types and assignments that should be synchronized, and a
schedule for synchronization. This specifies the synchronization behavior of each object type/assign-
ment.

Synchronization Status

Flag that is set on synchronization objects during synchronization. Use the synchronization status to
determine whether the object was marked as added, updated, published or deleted by synchronization.
Synchronization objects can be post-processed depending on their status.

System Role

A system role is a resource in which any number of company resources can be grouped together.
System roles are used to simplify assignment of different company resources. If a system role is
assigned to an employee, the employee receives all the company resources that are assigned to the
system role. These might be system permissions, applications or non-IT Shop resources.
System roles can be assigned directly to employees, requested through the IT Shop or inherited
through roles.

System User (1)

A predefined user that contains several entitlements to Identity Manager functions. The system user
obtains these entitlements through its permissions group assignments. A system user is assigned to a
user during the administration tool login procedure. Entitlements for the Identity Manager functions are
passed on to the user from this system user.
Certain system users are included in the Identity Manager installation. Further system users can be
defined in the Designer.

System User (2)

An authentication module for logging onto Identity Manager tools. See Authentication Module.

System User ID

The user ID that a user enters to log onto an Identity Manager tool.
The system user ID is independent of the selected authentication module. It can be a login name for an
Active Directory domain or a system user, for example, a central user account.

T
Target System

A system in which employees under Identity Manager administration have access to network resources.
Examples: Active Directory, SAP R/3, Lotus Notes.

Target System Area

Administration unit in a target system for user accounts, user groups, and computer accounts.
Examples: Active Directory domain, SAP R/3 client, Lotus Notes domain.

Target System Type

Target system types are used in the Unified Namespace to differentiate between data from several tar-
get systems. Each object that is mapped in the Unified Namespace has a target system type. The fol-
lowing target system types are provided by default in the Identity Manager: ADS, LDAP, NOTES,
SAPR3.
Other target system types can be custom defined.

Template

Rule for mapping object properties. Templates can be used within an object as well as across objects.

Text Comparison

A procedure in SAP that mirrors names of roles and profiles from a CUA client system in the central
system. The roles and profiles in the central system are only made known when the text comparison has
been run at least once. Then they can be assigned to user accounts.
Roles and profiles from client systems cannot be synchronized with Identity Manager until the text
comparison has been run in SAP.
Refer to your SAP system documentation for more details.

Transaction

An object in an SAP system that starts an ABAP program.

U
UID

The UID is an artificial primary key created by the operating system as soon as the object is inserted in
the database. The UID is a unique value that does not change even when changes are made to the object
properties. An object is labeled with a UID and can be uniquely referenced with it.

Unified Namespace (UNS)

Unified Namespace (UNS) is a virtual target system for mapping various target systems along with
their containers, user accounts, target system groups, and associated memberships. The data for all
target systems connected to Identity Manager is mapped in the Unified Namespace. This allows other
core Identity Manager functions, such as compliance testing, attestation or IT Shop, to be used across
target systems. The target systems Active Directory, Lotus Notes, SAP R/3, and LDAP can be mapped,
as can your own applications, for example, a telephone system.

User

The person that uses a tool to gain an advantage (a benefit such as time and/or cost reduction).

User Account

Access entitlement to a restricted access IT system. Normally users must authenticate themselves with
a user name and password when logging in.

User Account Resource

User account resources are special resources used to automatically create and manage user accounts in
the connected target system. If an employee is assigned a user account resource, the Identity Manager
creates a user account in the target system to which the user account resource is assigned. The default
manage level for a user account resource specifies which employee properties should be inherited by the
user account.

User Account (SharePoint)

Object that is used to provide a SharePoint user with permissions to SharePoint sites.

User Policy

Object that is used to provide a SharePoint user with general permissions to all sites in a SharePoint
web application.

User & Permissions Group Editor

Designer editor for editing permissions groups and system users.

User Interface Editor

Designer editor for editing the administration tools' user interface.

UTC

Universal Time Coordinated.

V
Variable Set

A group of all variables and their values that can be used in the authorization definition of an SAP func-
tion. Variable sets are used to set up function instances for one and the same function definition.

Version Update

A version update means significant additions to functionality and requires a completely new installation.

VIAgentsDB.nsf

A database containing the agents for accessing the productive Lotus Notes address pool and for creating
ID files. This database is part of the Identity Manager installation package for Lotus Notes components.
It needs to be reassigned after installation.

VINotes.INI

Copy of the file “Notes.INI” that is created when the Lotus Notes client is configured.
The file “VINotes.INI” contains the configuration data that the Identity Manager Service requires for
logging onto Lotus Notes.

W
Web Designer

Program for configuring and extending web-based applications.

Web Installer

Program for simplifying installation and configuration of web-based applications that are created with
the Web Designer.

Web Portal

Web-based application that provides various workflows. In the Web Portal, you can edit your own em-
ployee master data, edit staff data, request company resources in the IT Shop, delegate your own
roles, edit approvals, attestations, and rule violations.

Windows Internet Name Service (WINS)

The Windows Internet Name Service (WINS) is a software service developed by Microsoft that
dynamically maps computer names (NetBIOS names) to IP addresses.

Workflow Editor

An editor that you can use to create workflows for attestation instances or approval processes.
In the Workflow Editor, approval levels and steps from an approval workflow are inserted using a spe-
cial graphical control. Approval levels can be arranged in any way and connected to each other.

119
Quest One Identity Manager

120
INDEX

Symbols C
#LD notation 56 Cancellation workflow 104
Cart 104
A
Cart item 104
Active Directory (AD) 101
Central user administration 104
Active Directory Service 101
Combined Log Format 99
Additional list 101
Company policy 104
Admin4 database
Company resource 104
see AdminP request
Compile
AdminP request 101
error message 71
Analyzer 101
Configuration parameter 104
Application 101
Configuration Parameter Editor 104
Application group 101
Configuration Wizard 104
Application Link Enabling 101
ConnectionBehavior
Application role 101
JobGenLogDir 91
Approval policy 102
ObjectLogDir 92
Approval procedure 102
SQLLogDir 91
Approval process 101
Crypto Configuration 104
Approver 102
CUA
Assignment 102
see Central User Administration
Assignment request 102
CUA status 105
Assignment table 102
Customer 105
Attestation 102
Attestation instance 102 D
attestor 103 Data Definition Language 105
Audit 103 Data Importer 105
Auditing 103 Database Compiler 105
Authentication module 103 Database Installer 104
system user 117 Database query
Authentication object 103 logging 91
Authorization definition Database schema 105
see SAP function > Authorization definition Database Transporter 105
Authorization editor DBQueue
see SAP function > Authorization editor view 29
Authorization field DBScheduler 105
see SAP function > Authorization definition > start 29
Authorization field stop 31
Authorization object System log 29
see SAP function > Authorization object Default manage level 106
B see manage level
Base object 103 Delegation 105
BI analysis authorization 103 Designer 105
BI user account 104 Distribution model 106
Business role 107 Dollar notation 41

121
Quest One Identity Manager

Domain Name System 106 Hotfix 108


Domino Server, central 106 HTTPLogPlugin
Dynamic group 106 log file 99
Dynamic Host Configuration Protocol 106 Hypertext Transfer Protocol (HTTP) 108

E I
EBS ID restore 108
AP customer 101 Identity Manager 108
AP supplier 102 application role 101
AR party 102 Identity Manager Service 108
HR Person 108 ComponentDebugMode 87
EBS entitlement 106 configuration file 96, 97
EBS system 106 DebugMode 87
Edit permissions 106 HTTP server 86
Edit process plan 72 log file 85, 87, 99
Emergency stop 31 display 86
Employee assignment 106 NSComponent.log 87
Enterprise Resource Planning 106 NSProviderTrace.log 87
Event result display 90
edit 50 services 86
EventLogLogWriter StdioProcessor.log 87
LogSeverity 90 stop 31
Exception approver 107 Input help
Excluded attribute dollar notation 41
Oracle E-Business Suite 107 IT Shop 108
Excluded list 107 IT Shop structure 108
Item 112
F
FileLogWriter J
OutputFile 85 Job 19
Function Job destination 109
see Risk index > Function Job provider 109
Function element Job queue 109
see SAP function > authorization definition > progress 28
Function element view 19
Function instance Job Queue Info 11
see SAP function > Function instance column configuration 16
G filter 15
Gateway server 107 language 17
program settings 17
H
updating 15
Handling processes 33
Job server 109
HistoryDB 107
status 28
HistoryDB Manager 108
view 21
HistoryDB Service 108

122
Index

Job Server Editor 109 P


Job Service Updater 109 Patch 111
JobGenLogDir 91 Permissions Editor 111
Jobqueue Permissions group 111
error handling 23 Plugin 111
JobQueueInfo 108 Preprocessor condition 112
Jobservice.cfg 96 Process 112
compare 65
L
compile 71
Language Editor 109
copy 63
License Meter 109
editing 43
Lightweight Directory Access Protocol (LDAP)
109 error check 70
List Editor 109 event 50
Lock group 109 export 65
Logwriter generating condition 46
LogLifeTime 85, 99 import 65
LogSeverity 85, 99 monitor 19
Lotus Notes 109 notification 49
overlimit 49
M
pre-script 46
Manage level 110
simulation 65
Manager 110
threshold 49
Mapping 110
validity check 70
Mapping file 110
Process automation 72
Mitigating control 110
Process component 76, 112
N ADSComponent 77
NetBIOS 110 CommandComponent 77
Notes ComponentDebugMode 87
user ID file DelayComponent 77
restore 108 Ex2010Component 77
Notes domain 110 Ex2K7Component 77
Ex2KComponent 77
O
FileComponent 77
Object action
FtpComponent 77
logging 92
HandleObjectComponent 77
Object definition 111
JobService 77
Object Editor 111
LDAPADSIComponent 77
Object type 111
LogComponent 77
ObjectLogDir 92
MailComponent 77
Oracle E-Business Suite 111
NotesComponent 77
Org level
ObjectTransferComponent 77
see SAP function > org level
ReportComponent 78
Organization 111
return value 89

123
Quest One Identity Manager

SAPComponent 78 notification 55, 56


ScriptComponent 78 parameter 26, 58
SQLComponent 78 pre-script 53
SubversionComponent 78 progress state 19
WakeOnLanComponent 78 reactivate 20
ZipComponent 78 server 53
Process Editor 34, 112 view 25
compiler error 41 process task 76
layout position 42 Provider client 112
process document 38, 42 Provider master 112
process element 42 Provider mode 112
process errors 40
R
process step element 42
Release key 113
simulation view 41
Renewal workflow 113
source code view 41, 71
Replication Info 113
Process function 112
Request template 113
Process generation
Resource 113
logging 91
Resource type 113
Process handling
Risk index 113
error handling 23
function 107
Process history
Role
error handling 23
business role 107
record 84
organization 111
view 21
user defined 113
Process parameter 112
Role class 113
Process plan 112
Role type 114
base object 75
Root-Site 114
condition 75
event 75 S

parameter 75 SAM database 114

schedule 75 SAP

set up 75 distribution model 106

process plan 72 SAP authorization 114

Process step 112 SAP BI analysis authorization 103

copy 63 SAP BI user account 104

edit 51 SAP function 114

error handling 55 authorization definition 103

execution state 19 authorization field 103

find 62 function element 107

frozen 55 Authorization Editor 103

generating condition 53 authorization object 103

import 61 function instance 107

multi-edit 62 org level 111

124
Index

    SAP menu 114
    transaction 118
    variable set 119
SAP function category 114
SAP menu
    see SAP function > SAP menu
SAP R/3 114
Schedule 114
Schema Editor 115
Schema Extension 114
Search criteria
    employee assignment 115
Secure Sockets Layer (SSL) 115
Security attribute
    Oracle E-Business Suite 115
Security ID 116
Server
    specify 53
Server permissions 115
Server restrictions 115
Server status
    view 28
Service catalog 115
Service category 115
Service item 115
Service Pack 115
Service Provisioning Markup Language 115
SharePoint permission level 111
    role definition 114
SharePoint role 113
    role assignment 113
SharePoint user account 118
SharePoint user policy 118
Shelf 115
Shelf template 116
    global 107
    shopping center template 116
    special 116
Shop 116
Shopping cart
    see Cart
Shopping center 116
Significance reduction 116
Software Loader 116
SQLLogDir 91
Synchronization configuration 116
Synchronization status 117
System
    stop 31
System journal
    recording 85
System log
    show 29
System role 117
System user 117
    authentication module 117
System user ID
    definition 117

T
Target system 117
Target system type 117
Target system zone 117
Template 117
Text comparison 118
Time zone 119
Transaction
    see SAP function > Transaction

U
UID 118
Unified Namespace 118
Unified namespace
    target system type 117
UNS 118
User account
    manage level 110
User account resource 118
User Interface Editor 119
Users and Permissions Group Editor 118
UTC 119

V
Variable set
    see SAP function > Variable set
Version update 119
VIAgentsDB.nsf 119
viNetworkService.exe.config 97
VINotes.INI 119

W
Web Designer 119
Web Portal 119
Windows Internet Name Service 119
Workflow Editor 119

Contact Quest
• About Quest Software
• Contacting Quest Software, Inc.
• Contacting Quest Support
About Quest Software

Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com.

Contacting Quest Software, Inc.

Email:    info@quest.com
Mail:     Quest Software, Inc.
          World Headquarters
          5 Polaris Way
          Aliso Viejo, CA 92656
          USA
Web site: www.quest.com

Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal at http://support.quest.com/.

From SupportLink, you can do the following:

• Quickly find thousands of solutions (Knowledgebase articles/documents).
• Download patches and upgrades.
• Seek help from a Support engineer.
• Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at http://support.quest.com/pdfs/Global Support Guide.pdf.