Getting Started

In the file install_path\basic.input.tcl, enter the relevant passwords (default value dirx) in the DIR_PW and DEMODOMAIN_PW fields.

In install_path\data\schema\dirx, run the script Setup.bat

Check the file trace.txt to make sure that everything ran correctly. You should see three occurrences of the exit code 0.

Log in to DirX Identity Manager’s data view (if not already logged in) and select Data View → Connectivity.

Right-click the data o=My-Company tree, then select Server…​. (Ensure that you do not perform this and the following steps for the DirXmetahub tree!)

The "Server" properties window opens. Modify the server profile with these parameters:*
Name*: Sample-TS
Default User DN: cn=domainadmin,cn=My-Company
Base DN: o=sample-ts
Click OK.

Now the node Sample-TS o=sample-ts is displayed instead data o=My-Company tree. That is the data o=My-Company tree has been re-configured to Sample-TS.

Enter the URL http://localhost:8080/webCenter-My-Company in an Internet browser to start the DirX Identity Web Center. (The Web Center may take a little time to start up the first time you use it because it runs some preparation tasks. This is also true for each Web page you visit for the first time. Subsequent visits to the same page are much faster.)

Click Register. (Note that we describe the Web Center handling in English. You can use the Language menu in the upper right-hand corner to switch to German.) This action automatically starts the DirX Identity workflow that handles user self-registration requests for My-Company’s customers. We will show how to monitor this workflow’s progress later on in this sequence.

First, we must adjust the Folder path to point to the Mercato Aurum part of My-Company’s Users directory tree. This is the location in My-Company’s identity store (user tree) at which Nico’s identity (user entry) is to be created. Click to the right of Folder. Navigate to the Customers node, and then select Mercato Aurum.

In the fields displayed in the dialog:

Leave Title empty.

Enter Farfello in Last Name. Click the TAB key to move to the next field.

Enter Nico in First Name. Click the TAB key.

Select Mercato Aurum Rome in Location. Click the TAB key.

Enter +39 6 2345 8793 in Phone. Click the TAB key.

Enter nico.farfello@mercato-aurum.it in Email.

Click Save. Web Center then displays the password selection dialog.

Enter 1!dirX in Password.

Enter 1!dirX again in Repeat password.

Click Save. Web Center then displays the services selection dialog.

Click Search to the right of Search for. Web Center shows the services available to My-Company’s customers. You can see that Customer Newsletter, Hardware Beta Programs, and Software Beta Programs are now displayed in Available roles.

Clicking a line toggles the checkbox to the left of a line. Click the Hardware Beta Programs and Customer Newsletter. Note that Hardware Beta Programs requires approval. This means that someone in My-Company must approve the request for this service. We will talk about this process later on in this sequence.

Click the down arrow at the bottom of the dialog to select the services.

Click Save to save your selections. Web Center next displays a data confirmation dialog.

Click Accept to approve the information you have provided and proceed with the registration process.

After a few seconds, Web Center displays its Log in page and a message indicating that the registration request has been accepted.

Since we have no more to do in this step, click OK to close this window and terminate the Web Center browser.

Start the Web Center by entering the URL http://localhost:8080/webCenter-My-Company in your Internet browser.

Enter Klarmann Bruno in Name and the password dirx. (Remember that all persons in the sample domain are set up to have the same password.)

Click Log in (or press RETURN) to log in.

Follow the steps described in "Approving the User Creation Request".

Open your mail client. You should have three email messages that inform you about user creation approval requests: one for Briner Ruben, one for Klarmann Bruno, and one for Ratnam Dilip.

View one of these emails and then click the link that starts the browser and displays the login page of the Web Center.

Enter the full name of the approver you selected in Name.

Enter the password dirx and click Log in.

Follow the steps described in "Approving the User Creation Request".

Select Work List → Task list. Web Center displays Nico Farfello’s data in the "Approve Self-Registration" dialog.

Click on the task for Nico Farfello.

Enter N. Farfello is an employee of Mercato Aurum in Reason. (It’s good practice to provide a reason for your decision, especially if you reject a request.)

Click Accept to grant the request.

Select Users → Select user.

Since Nico is an employee of Mercato Aurum, his user entry should be located in the Mercato Aurum part of the My-Company directory tree. Click to the right of Search base, then select Mercato Aurum under Customers from the tree view.

Enter F in Search for and then click Search.

An entry appears for Nico. Click it. If Nico is not yet visible, wait a short time until and try again. The reason is that the workflow task is not yet completed.

Click Roles. You can see four entries:

Two for the services that Nico has requested (indicated by Manual in the last column Mode): one for the customer newsletter, and one for the hardware beta program service.

Additionally two roles were assigned by rules: a silver customer and a platinum customer role. The first comes from the rule that all users of type Customer get the silver customer status, the second was assigned due to the fact that all users of Mercato Aurum are treated as platinum customers (excellence bonus program).

Click on the Download all tabs button () from the button group placed left to the Roles button to see all tabs.

Look at the State column for the four roles. The state for Customer Newsletter, Silver Customer and Platinum Customer is ENABLED, which means that Nico has successfully obtained this service. The state for Hardware Beta Programs is ADD, which means there is more to do before Nico can gain access to this service.

Select Users → Show subscription status. Per default, you can see a running workflow for the hardware beta programs.

Click on the Download all tabs button () left to the Running Workflows button to see all tabs.

You can still see the running hardware beta programs workflow but additionally the already completed self-registration workflow that has the state Succeeded.

Click the running workflow entry Farfello Nico –> Hardware Beta Programs. In Running Workflows, you can see that the current activity is Approval by Sales Manager, with Briner Ruben listed as a Participant. This means that Mr. Briner must approve Nico’s request for the Hardware Beta Programs service. We’ll talk more about this in the next section.

There is nothing more to do, so click Logout.

In Provisioning → Workflows, go to Monitor → My-Company → Approval → Approve Customer Self Services and look for a folder with today’s date.
If My-Company is not displayed it is necessary to refresh your data: Click Monitor and the refresh button .

Select the Farfello Nico → Hardware Beta Programs workflow - this workflow is handling the approval of the hardware beta programs service.

In the General tab, you’ll see the workflow’s graphical representation. The activity "Approval by Sales Manager" is highlighted in grey, which means it is currently being processed.

Switch to the Web Center again. Enter Briner Ruben in Name and dirx in Password (Note that all users in the sample domain have the same password.) Click Log in (or press RETURN) to log in.

Click on the Approval by Sales Manager Task for Nico Farfello in the My Tasks section of the home page or select this task when performing the Work List → Task list operation. Web Center displays an approval dialog.

Enter All open issues clarified. All necessary tasks done. in Reason. (It’s good protocol to provide a reason for your decision, especially if you reject a request.)

Click Accept to grant the request.

Note that Task list is now empty.

Since we have no more to do in this step, click Logout to exit from Briner’s user account.

Switch to the Web Center again (or start it by entering the URL http://localhost:8080/WebCenter-My-Company in your Internet browser.)

Enter Farfello Nico in Name and the password 1!dirX.

Click Log in (or press RETURN) to log in.

Follow the steps described in "Viewing the New User".

Open your mail client. You should have an email message for Nico Farfello that informs you that your registration request was successful. View this email and then click the link that starts the browser and displays the Log in page.

Enter Farfello Nico as Name.

Enter the password 1!dirX and then click Log in.

Follow the steps described in "Viewing the New User".

Click on Self Service → Display summary to view her user summary.

Web Center displays a summary of Nico’s user information.You can see the user data that we entered for Nico during the self-registration process.

Click Roles to see the roles that have been assigned to Nico.You see that she has Customer Newsletter and Hardware Beta Programs roles in ENABLED state, which correspond to the services she requested.She also has two more roles that were assigned automatically by rules.This information was also shown in the home page after log in, where you can click on more… in that section to display this page.

Click Permissions to see the permissions that have been assigned to Nico. Customer Newsletter, Hardware Beta Programs, Platin Customers and Silver Customers permissions are listed.The state is INHERITED because in the My-Company domain, all permissions except for signature level permissions are inherited from the assigned roles.

Click Groups to see the groups that have been assigned to Nico.You see Customer Newsletter, Hardware Beta Programs, Platin Customers and Silver Customers groups.You can read more about My-Company’s role, permission and group relationships - called its privilege structure - in the chapter "About the My-Company Sample Domain".

Note the Target Systems column - it identifies the systems to which these groups belong; in this case, it is the Extranet Portal target system, which is My-Company’s extranet application for its customers and suppliers.You can read more about My-Company’s target systems in the chapter "About the My-Company Sample Domain".

Click Accounts to see the accounts that DirX Identity has automatically created for Nico.You see one account for Nico in the Extranet Portal target system that was automatically created by DirX Identity.

There is no more to do in this step, so click Logout.

Click Auffret Jean-Marc to view the details about this person in the General tab.

On the Location tab, you can see that he is located in Barcelona, Spain.

On the Organization tab, you can see that he works for Professional Services.

On the General tab, you can see in the Description field that he handles the Southern Europe area. His employee number is 7836 and he is an Internal employee.

On the Operational tab, you can see that he is in the ENABLED state, which means he is an active user.

On the Relationships tab you can see that his manager is Lionel Bellanger. Click to the right of this entry to display this person’s information.

Click the Location tab to check for Country and Location.

Clich the General tab to check for Employee Type.

Click the Relationships tab for Manager.

Click the Organization tab for Organizational Unit.

Click Blander Dyan to see that he works in Chicago and is responsible for Northern USA / Canada.

Click the Communication and the Location tabs to view his communications-related user attributes like e-mail and phone.

Click the Assigned Roles tab to view the roles that are assigned to this user. In the Assigned by column, you can see that the first role has been assigned automatically by a provisioning rule (rule), that the second role is inherited from a business object (BO) and that the third role has been assigned by hand (manual). Because Dyan is an internal employee he has received the role Internal Employee by rule. We will analyze the content of this role later on in this quick start. The My-Company administrators have determined that the tools required for members of the Sales and Professional Services departments are the same. Consequently, the role Sales Tasks has been automatically assigned via inheritance from the organizational unit business object to all members of Professional Services. This assignment is not correct and you will see in a later exercise how to change it. Additionally, Dyan works as a trainer, and thus has the role Trainer assigned to him by hand.

Click the Assigned Permissions tab to view the permissions assigned to Dyan Blander. Signature Level 1 is assigned to all internal employees. In My-Company, only three signature levels exist. All other permissions are inherited from the assigned roles.

Click the Assigned Groups tab to view the groups assigned to this user. The Target Systems column shows the target systems to which these groups belong. Click the column header to sort the target system column. You can see that most groups belong to the Windows Domain USA target system but that the user also has access to the Intranet, Extranet and SAP R3 target systems. The Signatures target system is a virtual target system - there is no physical connected system behind it, because signatures in My-Company are pure paper processes. Due to this fact, synchronization to this connected system is not necessary, which results for this group assignment in an immediate ENABLED state. The Intranet and Extranet target systems are 'real' target systems (modeled as LDAP trees in this sample scenario). All other groups are in state ADD which means that the target system synchronization has not yet been performed. The reason is that these connected systems do not exist in this sample scenario.

Click the Accounts tab to view the corresponding accounts in the target systems that DirX Identity has created automatically for this user. Note that the Signature target system does not have an account.

In Provisioning → Workflows click Monitor → My-Company → Approval → 4-Eye Approval. You will see a folder with today’s date. This folder contains the created workflow. Open it.

Click Teacher Mark → Trainer. The General tab displays the workflow’s structure.

In the structure view, you see two parallel steps: Approval by User Manager and Approval by Privilege Manager. In the My-Company sample domain, both a user’s manager and the manager of the privilege must approve a role assignment. Right-click Approval by User Manager, and then select Open.

Click the Status Information tab. In Participants, you see the name Bellanger Lionel. Mr. Bellanger is Mark Teacher’s manager, and so he must approve the role assignment.

Click Close. Manager returns you to the workflow structure view.

Right-click Approval by Privilege Managers to open it, and then click the Status Information tab. In Participants, you can see that Costello Marcella, who owns the Trainer role, must approve its assignment to Mark. Click Close to return to the structure view.

The plus sign icon indicates that both people must make a decision to approve the privilege assignment; if one person denies it, the privilege will not be assigned.

Start the Web Center by entering the URL http://localhost:8080/webCenter-My-Company in your Internet browser (or switch back to it if you left it running).

Enter Bellanger Lionel in Name and the password dirx.

Click Log in.

Select Work List → Task list and click the task in the list. The approve assignment dialog appears (Approval by User Manager). You can also click directly on Approval by User Manager for Teacher Mark in the My Tasks section of the home page.

Click the task in the list. The approve assignment dialog appears (Approval by User Manager).

Enter Trainer for Asia in Reason (remember that it’s good practice to give a reason for your decision, especially when you reject a request)

Click Accept. The work list is now empty.

Select Users → Select user, enter T in Search for, and then click Search to return a list of users whose last names begin with "T". You can also enter T in the user quick search bar and press RETURN.

Select Teacher Mark from the list. Web Center displays a user summary for Mark.

Click Roles. You can see three roles:

Contractor - this role was assigned by rule.

Sales Tasks - this role is inherited from the organizational unit business object.

Trainer - this role is in state ADD which means it is still in approval.

Select Users → Show subscription status to see details about the approval workflow that is running for the Trainer assignment. You can see that the workflow’s state is Running.

Click the line to view more details of this workflow.

In the section Running activities you can see the pending approval activity for Marcella Costello.

The section Finished activities shows the completed approval from Lionel Bellanger.

There is nothing more to do, so click Logout.

Go to the folder with today’s date in Provisioning → Workflows → Monitor → My-Company → Approval → 4-Eye Approval and click Teacher Mark – Trainer workflow again.

Click the refresh button if necessary. You can see that the approval activity for Mr. Bellanger is now green, indicating success.

Start a new Internet browser instance and enter http://localhost:40000/admin. The Web server prompts for an administrative account and a password. Enter admin in User Name and wE3!dirx in Password.

Open Java Server → Workflow definitions → Request workflows → My-Company → Approval. Here you see, for example, the definitions for approval workflows that are loaded and active in the Java-based Server.

Click Workflow instances → Request workflows. click on Search. You can see the Teacher Mark → Trainer workflow in the state RUNNING as well as the creation workflow for Mark Teacher, which has already completed (it is in the state SUCCEEDED). Click on the workflow to open the details.

That’s all we’ll use the Web Admin for now, so you can close the browser window to exit the program.

Switch to the Web Center again. Enter Costello Marcella in Name and the password dirx and then click on Approval by Privilege Managers for Teacher Mark in her My Task section or use Work List → Task list and click the entry in the list. The approve assignment dialog appears.

Enter New Trainer for Asia in Reason.

Click Accept.

There is nothing more to do, so click Logout.

In an Internet browser, enter the URL http://localhost:8080/webCenter-My-Company to start the Web Center.

Enter Briner Ruben in Name and the password dirx. (Remember that all persons in the sample domain have the same password.) Ruben Briner is the project manager of the project MoreCustomers. Thus, he is the person who must assign Mark to his project.

Click Log in (or press RETURN) to log in.

Enter T in the user’s quick search bar and press RETURN to return a list of users whose last names begin with "T".

Position the cursor over the Teacher Mark line and select Assign privileges from the context menu.

Enter P in Search for, and then click Search to return a list of roles whose names begin with "P".

Select the Project Member role in the upper pane and then click the down-arrow button between the two panes. Ensure that you do not block popups in your browser.

The Parameters window opens. It shows that the Project Member role requires the parameter Project to be set. Click the Project field and select the MoreCustomers role parameter from the drop-down list. Click Confirm.

Now the new role is visible in the lower pane. Click Save to store this result.

There is nothing more to do, so click Logout.

Click Provisioning → Users and open My-Company → Professional Services (click the refresh button if it’s not visible). Click Teacher Mark and then the tab Assigned Roles.

Mark is now a project member of the MoreCustomers project. This parameter is visible in the column Role Parameters. Alternatively, you can click at the end of the row. A window opens where you can view all parameters of the assignment of the user Mark Teacher to the role Project Member. The role parameter Project (MoreCustomers) is visible in the Role Parameters tab.

The role parameter is displayed as cn: cn=MoreCustomers. This is an example of a role parameter that is derived from an object structure.

Click the Source Scheduled scenario. You can see icons for all pre-configured connected directories and blue lines in between that represent the pre-configured workflows. Almost all lines start from the central connected directory Identity Store. Most lines have arrows at both ends, some have an arrow at only one end. The arrows give hints about the direction in which the synchronization flows.

Now click the line between HR-ODBC and Identity Store with the left mouse button. The line becomes dark blue and the arrows turn to red.

Right-click the line between HR-ODBC and Identity Store. You can see the menu options New and Assign, which allow you to create or assign new synchronization workflows, and a list of synchronization workflows: Ident2ODBC, ODBC2Ident and ODBC_Ident. The last workflow is a nested workflow that simply runs other two workflows. The ODBC2Ident and Ident2ODBC workflows are not nested. As you can see, a workflow line can contain any number of workflows.

Right-click the line between the HR-ODBC and Identity Store connected directories.

Select ODBC2Ident → Show structure.

Click Close to exit the structure view.

In DirX Identity Manager’s Connectivity view, click Expert View

Open Workflows → Default → Target Scheduled → ADS → ADS2Ident_Validation.

Right-click ADS2Ident_Validation and select Report. A dialog opens.

Select Workflows as a report template and check Output to viewer.

Click Run report. After some time, the report result is displayed. The report shows all the parameters that are set for this workflow and its related objects and illustrates the workflow’s control and data flow. You can see that this workflow consists of four activities. The first activity reads account data from the ADS connected directory and stores it into an intermediate file (Data). This file is read by the meta controller (the DirX Identity agent that synchronizes LDAP- and file-based connected directories), which compares this information with the content of the ADS target system in the Identity Store. The third and fourth activities perform the same sequence for groups.

An Identity Store icon that represents the My-Company identity store. This icon is shown twice to enable a workflow line in between. Right-click the workflow line and verify that ConsistencyCheck, PolicyExecution and PrivilegeResolution workflows are available for selection.

Connected directories for audit trail database and report files and their corresponding workflows (right-click the workflow lines to see these workflows).

Connected directories for each target system that exists in the My-Company organization (Extranet Portal through Windows US). The connected workflow lines here contain validation and synchronization workflows.

We can integrate the new identity source into the existing My-Company Main scenario

We can create another scenario that contains only the identity creation connected directories and workflows available in My-Company Main.

In Connectivity, click Global View

Right-click the My-Company folder in the middle pane, and then select New → Scenario. Enter NewCompany into Name, enter Additional scenario for My-Company in Description, check Use Grid and enter 10 into Grid-X and Grid-Y. Click OK.

We forgot to set the background image correctly. Select NewCompany in the middle pane and right-click in an empty area of the right pane, and then select Properties. The Work area properties dialog appears.

In the Work area properties dialog, open the file browser and select a picture file to use as the scenario map background (any large picture in JPEG or GIF format is sufficient). This action loads the picture as the background image. You can for example use some of the sample picture files from the install_path\GUI\images folder.

Click OK to close the Work area properties dialog.

Create a copy, which creates a copy of the original connected directory that can then be individually configured.

Assign the existing instance, which creates a link to the original connected directory. If you then configure this link, you will change the original.

Right-click in an empty area of the right pane, and then select New Connected Directory. This action displays a crossbar cursor in the pane.

Move the crossbar cursor to the location in the pane at which you want to position the new connected directory, and then click the left mouse button. This action creates a connected directory icon for the new connected directory with the default name (new).

Right-click and then select Assign. The dialog Select connected directory opens.

There are two Identity Store entries in the list. Select the one from the folder My-Company/Main/Identity Store and click OK.

Right-click in an empty area of the right pane, and then select New Connected Directory. This action displays a crossbar cursor in the pane.

Move the crossbar cursor to the location in the pane at which you want to position the new connected directory, and then click the left mouse button. This action creates a connected directory icon for the new connected directory with the default name (new).

The Configure Connected Directory wizard

The Configure Workflow wizard

Click Next to move to the next dialog.

Click Previous to move to the previous dialog.

Click Finish when you reach the last wizard step to save your configuration changes and exit the wizard.

Click Cancel to exit the wizard.

Click Help to get help on the current wizard dialog.

Select a template for New-HR

Supply general information about New-HR, including its name

Check the attribute configuration

Check the bind parameters

Set operational attributes

Name the connected directory

In the NewCompany scenario (Connectivity → Global View → My-Company → NewCompany), right-click New-HR, then select Open.

The Microsoft Access tool opens and asks for the password. Note that the viewer does not use the bind profile. This example shows that DirX Identity can be used as a central user interface to view and control the content of connected directories.

Open the EMPL table and view its content. This is the table from which the data is extracted.

Note that the table contains a column DepartmentNo.

Close the application.

Click ODBC2Ident in the list of workflow types. This action selects the workflow template for importing data from an ODBC database to your identity store.

Click Next.

Enter NewHR2Ident into Name.

Add a description like Workflow to maintain identities from New-HR to Description.

Click Next.

Click EmployeeID on the right side and then click . The red field is removed from the right pane.

Click EMPL.PersonalNr on the left side and then click . The field EMPL.PersonalNr is displayed on the right side as the last field.

Perform the same procedure for the rest of the attributes. Exchange GivenName with EMPL.FirstName, Surname with EMPL.LastName, Country with EMPL.Land (the German term for country).

Click EMPL.DepartmentNo on the left side and then click .

The Role and Type attributes do not have corresponding attributes on the left side. Simply remove them. Click Role, hold down the CTRL key and click Type. Both attributes are now selected. Click to remove them. Now there are no more red attributes displayed.

Click Next.

Click dxrOULink on the left side and then click . The field dxrOULink is displayed on the right side as the last field.

Click dxrOrganizationLink on the left side and then click . The field dxrOrganizationLink is displayed on the right side as the last field.

Click Next.

Define how the attributes you have selected for synchronization will be mapped from the source connected directory to the target connected directory

Define the mapping functions that will be used to carry out the mapping for each individual attribute set

Click into the field file.GivenName. Select file.EMPL.FirstName from the drop-down list in that field.

Perform the same procedure for these fields: file.Surname to file.EMPL.LastName, file.EmployeeID to file.EMPL.PersonalNr and file.Country to file.EMPL.Land.

Scroll down to exchange the file.Surname and file.GivenName attributes that are arguments of the lStringCompose function.

Click the file.Role field. Click to delete the entire column.

Click the file.Type field. Replace its content with "Internal" (do not forget to enter the quotes into the text field!). This value means that the field ldap.employeeType is filled with the constant "Internal" because all the identities coming from New-HR are treated as internal employees.

Scroll up and down the mapping list to make sure that no red attributes remain You will find file.Country again. Replace it with file.EMPL.Land.

Locate the line that composes the cn (see the Output column). This is an example of a predefined mapping function lStringCompose. It combines the two attributes LastName and FirstName from the file and separates them with a blank. If one of these attributes is empty, it does not add the blank. The value is then stored in a variable 'cn' to be used in the next function.

The function lDNcreate creates the distinguished name of the entry. It is composed of the previously calculated cn and the ou and o parts and the base_obj (the constant part of the dn, in this case cn=Users,cn=My-Company). If in the Output column you see inconsistent.DDN in red, change it to ldap.DDN.

Next we want to create a link to the organizational unit business object Product Testing. Use also the lDNcreate function and build the ldap.dxrOULink attribute:
It consists of the elements "ou", file.EMPL.Department, "o=My-Company,cn=Companies,cn=BusinessObjects,cn=My-Company".
This should create a link like: "ou=Product Testing,o=My-Company,cn=Companies,cn=BusinessObjects,cn=My-Company".

We also want to create a link to the organization business object. All these users are employees of My-Company. Use the "=" function to store the constant value "o=My-Company,cn=Companies,cn=BusinessObjects,cn=My-Company" in the ldap.dxrOrganizationLink attribute. Don’t forget to enter the values, including the quotes!

Click Next to proceed to the next step.

The workflow template uses the table HR. Our New-HR database uses the table EMPL. Set this value in From.

Replace GivenName, Surname with FirstName, LastName. This action sets the parameters used for the delta handling index (hash file) when using delta mode (which we are not using at the moment).

Click Next.

Do not change these settings and click Next.

Do not change these settings and click Next.

Click Next to use the current set of properties.

Click Next to use the current set of properties.

Click Next to use the current set of properties.

Click Next to use the defined tracing parameters.

Because you entered the name earlier, leave everything as it is.

Click Finish to save the configuration information for this new workflow and exit the wizard.

Open the tree Users → My-Company → Product Testing. There should be 6 user entries and one user facet entry. Our new workflow will add 9 new user entries.

Click the workflow line between the two connected directory icons to select it.

Right-click on the line, select NewHR2Ident, and then select Run. This action starts the workflow and opens a separate status dialog window. The status dialog displays a series of status messages and a status bar that shows the progress of the NewHR2Ident run. You could abort the workflow run with Abort Workflow. However, we want to wait until the blue progress bar reaches the end, which indicates that the workflow has run successfully. (When the workflow run is not successful, the color of the progress bar changes to red and the bar stops).*
Note:* You can click Details in the status dialog to display the changing status messages in a sub-window, but this information isn’t relevant to this part of the quick start.

Click the Structure tab in the running workflow’s open status window. Two icons for the two activities of the workflow are displayed. The icons change color during the workflow run from yellow (not yet started) to blue (running). After the run, the icons should either be green (the workflow run was successful) or red (the run was not successful). When the icon is light red, it indicates that minor problems occurred (warning). Perhaps some entries could not be processed correctly but most of the workflow ran correctly.

Click the Structure tab in the open status window from the NewHR2Ident workflow run if you haven’t done so already.

Double-click the second activity ODBC2Ident_metaCP. A new dialog opens and shows the status information from this activity. Its name is ODBC2Ident_metaCP 20120620141822Z (the time stamp value shown here might differ from yours).

Click Connectivity → Monitor View.

Open the folders My-Company → NewCompany → Source Scheduled → ODBC → NewHR2Ident, which contains all the status entries that result from runs of this workflow.

Double-click the NewHR2Ident status entry in the tree with the relevant date and time. The status entries for the activities that comprise this workflow are shown in the tree and at the top of the right-hand pane, while the properties of the workflow status entry are shown in the lower part of the window. You can move the horizontal separator bar up to enlarge the lower window and view its entire content.

Look at the start and end times and the result closed.completed.ok. If an error occurs during the run, the status will be closed.completed.error, and if warnings are detected, the status will be closed.completed.warning.

Click the activity status entry under the workflow status entry in the tree or in the list at the top of the right-hand pane to display its properties. This is the information we already checked from the run window.

Click the workflow status entry again and then the Statistics tab. It contains the same information as the metacp activity status entry. Workflow entries collect the statistics information from all contained activities even if these activities represent nested workflows.

Click Expert View.

Click Configuration in the tree in the middle pane. This action displays a global configuration dialog that shows general parameters for DirX Identity.

Click the Status Tracker tab.

Look at Status Life Time. It is set to one month (720 hours).

Click Edit.

Enter a two-month value in Status Life Time (1440 hours).

Click Save to store the information permanently in your configuration database.

Open the tree Users → My-Company → Product Testing.

There should be 17 entries now including the user facet (click the refresh button if they’re not visible). Our new workflow added 9 additional entries.

Click the entry Bader Hans and then the tab General (if not yet selected).

Check that the attributes Name, Last Name, First Name, Title, Employee Type and Employee Number are set correctly as well as the Master (NEWHR) and Identifier (NHH8753) attributes.

The Location tab shows the Country attribute.

The Organization tab shows the Organizational Unit attribute which represents the link to the related business object. Click the link button to view this object. View the title, the description and the Department Number attribute. Close the Window. The user attribute Department Number in the Organization tab is set to the same value. This shows that users can inherit attributes from business objects.

The Operational tab shows that the entry is in the ENABLED state. In our mapping for the workflow we have set the dxrState attribute to NEW. The change to the ENABLED state was performed by the EventBasedUserResolution workflow that was triggered by the meta controller and that ran in background. If you are fast enough you can see the NEW state for some time during the import operation.

Click the Assigned Roles tab.

All imported users have two roles assigned: Internal Employee and Test Tasks.

View the Assigned Permissions tab.

Besides the Signature Level 1 permission that was assigned by a rule, all other permissions are inherited from roles.

Click the Assigned Groups tab and then sort the Target System column.

The users have group memberships in the Intranet Portal, MVS, Signatures and Windows Domain Europe target systems. Only the memberships of the Intranet Portal and Signatures target systems are in state ENABLED.

Now click the Accounts tab.

You can see that the users have only accounts in the Intranet Portal, MVS and Windows Domain Europe target systems. The Signatures target system does not need an account. It is a virtual target system where the user is directly a member of the related groups.

View the Assigned Roles tab again.

You can see from the Assigned by column that the Internal Employee role was assigned by rule. So let’s check the available rules.

Open Policies → Rules. Under this folder all rules are located as there are provisioning rules, consistency rules and validation rules. In our case we look for provisioning rules.

Open the Role based scenario under My-Company and then the Corporate folder. Here you can find the Internal Employees rule.

It assigns all users that have the employeeType set to "Internal" the Internal Employee role.

View the Assigned Roles tab again.

You can see from the Assigned by column that the Test Tasks role was inherited from a business object (BO).

Open Provisioning → Business Objects → Companies → My-Company → Product Testing.

Click the References tab.You will see the Test Tasks role that is assigned to this organizational unit.

In Input arguments, click file.EMPL.EntryDate, then click to create a new empty mapping line above it. Select file.EMPL.Comment in Input arguments, lStringEscape in Mapping function (it escapes some special characters if present) and ldap.description in Output.

In Input arguments, click "dxrUser" then click to create a new empty mapping line.

In Mapping function, select lDNcreate.

In Input arguments, add these fields, using to create additional lines in the column:

In Output, select ldap.manager.

Click Finish to close the workflow wizard.

Select Data View → Connectivity.

Click the o=sample-ts node (Base DN: o=sample-ts).

Log in with the user DN cn=DomainAdmin,cn=My-Company (simple bind).

In the File menu, select Import.

Select the file newLDAPts.ldif from the path install_path\data\extension.

Select Add entry only, then click OK.

Select the Provisioning view and then Target Systems.

Right-click the top-level node and select New → Target system.

The new target system wizard opens. Click Next to continue.

Select Connectivity → Global View and check to see if the connected directory New-LDAP exists in the My-Company scenario map. Move it to your preferred location.

Right-click the workflow line between the Identity Store and the New-LDAP connected directory. Note that the context menu contains a synchronization, a set password and a validation workflow.

Select Ident_LDAP_Realtime → Configure.

Set the Is Active flag.

Click Finish.

Select Provisioning → Target Systems.

Right-click the New-LDAP target system, then select Connectivity → Workflows → Validate_LDAP_Realtime → Run Workflow. The validation workflow runs in initial mode and imports the accounts and groups.

In Provisioning → Target Systems → New-LDAP, open the accounts and groups folders. You can see the 9 accounts and the two groups (click the refresh button if they’re not visible).

Click Bader Hans. You can see on the Operational tab that this account is in the state IMPORTED and in the connected system state ENABLED, which means that the account is active (not disabled) and it is currently controlled from the target system (IMPORTED).

The LDAP tab shows the employee number in Employee number and the distinguished name in the connected system in PrimaryKey.

In the Member of tab you can see that this account is a member of the Software Tests group. Assignment State is IMPORTED, too and it is marked as a direct assignment, which means that this membership is controlled by the target system.

Check the other accounts and their settings.

In Provisioning → Target Systems → New-LDAP → accounts, open the unassigned query folder. The unassigned accounts are shown here.

In Provisioning → Target Systems → New-LDAP → groups, click Firmware Tests and Software Tests. You can see on the Operational tab that both groups are in state ENABLED and in connected system state ENABLED.

The LDAP tab shows again the distinguished name from the connected system in PrimaryKey.

The Permissions tab is still empty because there is no permission that controls the memberships in this group.

The Members tab shows the members of these groups (four in Firmware Tests, five in Software Tests), all in the state IMPORTED.

All other tabs are empty and of no meaning at the moment.

Select Policies → Rules → Default → Consistency.

Right-click the Rules node and select New → Rule Container. In the pop-up dialog, set the name to New-LDAP.

Right-click assocAccount2User and copy it to the New-LDAP rule container folder (use the Copy Object method).

Edit assocAccount2User in the New-LDAP rule container and check Is active in the General tab.

In the Parameter Values area, click in the Value field of the joinFilter line, then right-click and select Edit Filter. The LDAP filter editor starts. Click the > button and use Delete row to delete the third and fourth rows. Change the second row to employeenumber equals $(subject.employeenumber). Click OK.

In the Filter tab, set Search base to TargetSystems → New-LDAP → accounts. Click Save.

Select Provisioning → Target Systems.

Right-click the top-level object Target Systems, then select Connectivity → New Workflow. The workflow configuration wizard starts.

Select the PolicyExecution workflow from the folder My-Company/Main/Identity Store.

Click Next twice to skip the Define Direction step.

In the General Information step, set Name to AssociateAccounts and the Description to Associate accounts to users in New-LDAP.

Click Next twice to skip the Policy Agent Parameters step.

In the Rule Search Parameters step, change Base Object to cn=New-LDAP,cn=Rules,cn=Policies,cn=My-Company and set Search Filter to (objectClass=dxrConsistencyRule).

Click Next several times until you reach the end, and then click Finish.

Click Provisioning view Target Systems.

Right-click Target Systems in the tree pane and select Connectivity → Workflows → AssociateAccounts → Remove.

Click Provisioning view Target Systems.

Right-click on New-LDAP below Target Systems and select Connectivity → Assign Workflow and select AssociateAccounts from the list.

Click Provisioning view Target Systems.

Right-click on New-LDAP below Target Systems and select Connectivity → Workflows → AssociateAccounts → Run Workflow. The workflow runs and ends without error.

In the workflow’s structure window, click the PolicyExecution activity and then the Trace tab. Open the trace file.

It shows cn=assocAccount2User, …​ | consistency | 1, which indicates that one account cannot be assigned to a user.

Close the three open windows.

In the Target Systems tree, click New-LDAP → accounts → unassigned again (click the refresh button if necessary). The folder contains only the entry for Konrad Derksen. Notice that the User link is not set for this account; all the other accounts have their User links set after the join operation. This is because there is no user Konrad Derksen in the New-HR database and thus in the Identity Store.

Try to join them with different join filters.

For accounts that remain unassigned after this step, determine whether each account is still valid:

If the account is still valid but there is no user in the Identity Store (for example, because it’s an administrative account), you can mark it as 'Managed only in target system'. We recommend that you keep the number of such accounts as small as possible.

If the account is no longer valid, then it may be an obsolete account, which is definitely a security risk. You should remove it from the system.

Right-click the account for Konrad Derksen and select Delete.

DirX Identity notifies that the account is set to be deleted. Check the state (DELETED) and the deletion date. You can see that the account will be deleted in about 1 month, which is the default setting in the Domain Configuration view. Select the top-level object and then the Timing tab. The maximum time after which an object is deleted is set to 30 days.

Check the group Firmware Tests. The membership of Konrad Derksen is set to DELETED.

Select Privileges → Permissions → Corporate Permissions → Department Specific.

Click Test Tasks and then Edit.

In Assigned Groups, search for Name begins with s. Click the Software Tests group of the New-LDAP target system and use to assign it to this permission.

Click Save.

Click Target Systems and then New-LDAP → Accounts. You can see 15 new accounts (the ones with the number as a suffix) in addition to the 9 that already exist. The existing accounts are now in the state ENABLED and in the connected system state ENABLED. The new accounts are in state ENABLED and in the connected system state NONE, which will switch to ENABLED after a while.

Click Groups → Software Tests and check that there are 5 members in the state ENABLED and 19 members in the state ADD, which will switch to ENABLED after a while.

Click the Privileges view and then select Permissions → Corporate Permissions → Department Specific.

Right-click Department Specific and select New → Permission.

Set Name to Firmware Tests and enter a description for the permission. Select the Assigned Groups tab and assign the Firmware Tests group from the New-LDAP target system. Click OK.

Click Provisioning → Privileges and then Roles → Corporate Roles → Department Specific.

Right-click Department Specific and select New → Role.

Set Name to Firmware Tests and enter a description for the role.

Fill the other fields as appropriate. It’s a good idea to specify an owner of the role in the event that you want to control its assignment with a request workflow (which we do not require at the moment).

Select the Assigned Permissions tab and assign the Firmware Tests permission. Click OK.

Click the Users view and then select Users (top-level node) → My-Company → Product Testing.

Assign the new Firmware Tests role to the users Binder, Dyson and Karrer.

Click the Target Systems view and then New-LDAP → Groups → Firmware Tests. Note that there are three persons in the state IMPORTED.

You can define a role and permission for the Software Tests group, too, and assign the role by hand.

You can define another attribute - for example, testDetail - for the test users that specifies their tasks in more detail, then define a provisioning rule that assigns the Software Tests role automatically.

Click the Target Systems view and then New-LDAP.

Run the synchronization workflow via Connectivity → Workflows → Ident_LDAP_Realtime → Run Workflow.

Seven additional accounts have been automatically created. There’s a total of 24 accounts: 8 accounts from New-Company and 16 new ones (including one functional user account). Note that the account for Konrad Derksen is still in the state DELETED. The new account names were created according to the naming rule for the name property that is defined by default for LDAP-type directories. Check Domain Configuration → My-Company → TargetSystems → LDAP → Object Descriptions → TSAccount.xml. Scroll down to the line that begins with <property name="cn" … to view the naming rule. As you can see, the rule defines a hierarchy of naming specifications according to the available properties at the user object. The first one that is fulfilled is taken.
Note: the naming rules in this file are default rules. If you want to define your own rules, you should not change this file due to the fact that it is overwritten with each upgrade of DirX Identity. Use the file Target Systems → New-LDAP → configuration → object descriptions → tsaccount.xml instead.

The Software Tests group contains 24 members that are completely controlled by DirX Identity.

The Firmware Tests group contains 3 members as before, but they are now controlled by DirX Identity. The previous member Konrad Derksen is no longer there.

Add a new account into the connected system: use the data view and create an inetOrgPerson in the tree ou=accounts,ou=new-ldap,o=sample-ts. Set the name (cn) to Zeller Andreas, set sn to Zeller and givenName to Andreas and set employeeNumber to 6543.

Use the data view to add this new account to the Firmware Tests group. Add a link to the member attribute.

Remove Horst Binder from the Firmware Test group but do not delete the account.

Right-click the New-LDAP target system and select Connectivity → Workflows → Validate_LDAP_Realtime → Run Workflow.

Click accounts → errors to view the error query folder for accounts. No errors are reported.

Click accounts → todos to view the ToDos query folder for accounts. It lists the Derksen Konrad entry that is already in the DELETED state. No action is required, because a consistency workflow will automatically remove the entry when its deletion date arrives.

Notice that Andreas Zeller is listed. The ToDo field tells you that this account was created in the target system and not by DirX Identity.

Click the unassigned query folder. It lists Zeller Andreas as an unassigned account.

Click the errors query folder for groups. No errors are reported.

Click the todo membership query folder for groups. It lists the Firmware Tests group. Click it.

Click the Members tab of the group. You can see the IMPORTED state for the membership of Zeller Andreas. Note that the membership for Binder Horst is in the ADD state, which means that DirX Identity will create this membership the next time the synchronization workflow runs.

Let’s delete the account for Zeller Andreas. Right-click it and select Delete.

The account for Zeller Andreas in the connected system is deleted.(This behavior might be different for other types of connected systems.Here, the LDAP connected system cannot handle disabled accounts.)

In DirX Identity’s target system the account is still available but in the DELETED state.The ToDo folder shows the accounts in the DELETED state.They will be removed in about a month if they are not reused by then.

The group membership in the connected system for Zeller Andreas no longer exists.The membership for Binder Horst has been re-created.

In DirX Identity’s target system the group membership for Zeller Andreas is removed, too.All other memberships are in the ENABLED state.There are no ToDos visible in the group area.

Log in to DirX Identity Manager and select the Connectivity view.

Click Expert View, and then open Connectivity Configuration Data → Configuration → Resource Families. You will see the folder Default that contains all the default resource families provided with DirX Identity. (You can read more about resource families in the DirX Identity Connectivity Administration Guide.)

Create a new folder named My-Company to hold the resource families to be created for the My-Company domain.

Create a new resource family in the My-Company folder. Enter New-LDAP in Name and provide a description of the resource family.

Open Connectivity Configuration Data → Configuration → DirX Identity Servers → Java Servers → My-Company.

Click the My-Company-S1-*machine server with your machine name and click *Edit.

Select the Resource Families tab and select New-LDAP from the Available resources. Add this to the Selected resource families by clicking the button. By default, a number of two threads is added to the Java server for the selected resource family. You may change this number in the column Thread number. Click Save.

Start a Web browser and enter this URL for the DirX Identity Web Admin:*
http://your host:40000/admin*

Enter admin for the account and wE3!dirx for the password.

The initial screen shows that the server is running. Click Java Server. You will see the number of processors, the memory used and other parameters.

Click Expand all. Click Worker containers. Now you can see all worker threads that run within this server.

Check that two threads are waiting for New-LDAP password change tasks.

Close the browser window to exit the program.

In DirX Identity Manager → Provisioning → Target Systems, open each target system, and then click the Advanced tab. You will note that Disable Password Sync is set for all target systems except the New-LDAP, Intranet Portal, Extranet Portal, and DirXmetaRole target systems.

In the Connectivity view, verify that all password sync workflows are active. You must activate the last workflow SetPassword in LDAP:

Connectivity Configuration Data → Workflows → My-Company → Main → Password Synchronization → UserPasswordEventManager

Connectivity Configuration Data → Workflows → My-Company → Main → Target Realtime → Extranet Portal → SetPassword in Extranet

Connectivity Configuration Data → Workflows → My-Company → Main → Target Realtime → Intranet Portal → SetPassword in Intranet

Connectivity Configuration Data → Workflows → My-Company → Main → Target Realtime → LDAP → SetPassword in LDAP

Start the Web browser and enter the URL http://*your_host:8080/webCenter-My-Company*

Enter Duplan Frederic as the name and dirx as the password.

Select Self Service → Change password.

Enter the old password dirx and a new password myPwd5% twice. Click Save.

Start a Web browser and enter the URL for DirX Identity Web Admin:
http://*your host:40000/admin*

Enter admin for the account and wE3!dirx as password.