Use Cases

When working with user facets, the DirX Identity maintenance workflows need to be configured in a special way: The user facet must be processed first. The corresponding user may inherit privileges from the user facet, which may flag this user with "To Be Analyzed" (TBA). In a second step, these users need to be resolved. This chapter describes how to configure these workflows. The first section describes the configuration steps for the Tcl-based workflows. The second section describes the steps for the Java-based consistency workflow.

Configuring the Tcl-based Maintenance Workflows

This section describes the steps to set up and run the following use cases for maintaining user facets with the Tcl-based maintenance workflows:

  • Consistency checking for user facets

  • Privilege resolution for user facets

  • Policy execution for user facets

  • Maintenance of the entire database

Configuring Consistency Checking for User Facets

The Consistency Check workflow performs the following operations:

  1. Checks the consistency of target system groups and accounts.

  2. Checks the consistency of start and end dates and the state of the user or user facet.

  3. Checks the consistency of start and end dates of assignments.

  4. Performs privilege resolution for those users flagged with TBA (dxrTBA=true).

If the workflow finds inconsistencies in step 2 or 3, it flags the corresponding user with dxrTBA=true. It resolves these inconsistencies in step 4. For user facets, privilege resolution does not take place; the corresponding user is simply flagged with dxrTBA=true. Because step 4 may flag additional users with dxrTBA=true in this way, we need to use two workflows: the first workflow handles the user facets and flags the corresponding users in step 4. The second workflow performs the privilege resolution step for the previously flagged users.

Workflow 1: ConsistencyCheckForUserFacets

To configure the first workflow ConsistencyCheckForUserFacets:

  • Log in to DirX Identity Manager and select the Connectivity view. You can use the Global View or the Expert View to perform the rest of these steps.

  • Run the Workflow Configuration wizard (option Configure in the context menu) and select the Consistency Check workflow as a template.

  • In the Set Consistency Check Parameters step, set the subject filter to user facets with dxrTBA=true:

    [Figure: Configure a Workflow]

The filter is applied for step 4. Only user facets are handled here. Changes of the user facet state or assignment lead to flagging the corresponding user with dxrTBA=true.

Workflow 2: PrivilegeResolutionNotFacet

To configure the second workflow PrivilegeResolutionNotFacet:

  • Log in to DirX Identity Manager and select the Connectivity view.

  • Run the Workflow Configuration wizard (option Configure in the context menu) and select the Consistency Check workflow as a template.

  • In the Set Privilege Resolution Parameters step, set the subject filter to handle users and disallow any handling of user facets, since we’ve already done this in workflow 1:

    [Figure: Configure a Workflow]

  • In the Connectivity > Expert View > Jobs tree, select the job PrivilegeResolution2 and open it for editing.

  • Select the Service Agent Parameters tab. In this tab:

      ◦ Set Request Type to User Resolution, which resolves just the given users.

      ◦ Check Suppress Change Events to prevent change events from being initiated for user changes.

    [Figure: Configure a Workflow]

  • Create a nested workflow that contains workflow 1 and workflow 2. See the DirX Identity Tutorial follow-on exercise "Creating a Nested Workflow" for an example.

  • Create a schedule for this nested workflow which runs our Workflow 1 first and then runs Workflow 2. Go to Connectivity > Expert View > Schedules > Default to see some example schedules. Click Help to get information about how to set the schedule configuration object’s time controls and the rules for creating schedules.

Configuring Privilege Resolution for User Facets

Configuring privilege resolution for user facets is analogous to configuring for consistency checking:

  • Configure Workflow 1 with the subject filter: (&(objectClass=dxrUserFacet)(dxrTBA=true)).

  • Configure Workflow 2 with the subject filter: (&(objectClass=dxrUser)(!(objectClass=dxrUserFacet))(dxrTBA=true)).

  • For Workflow 1, set Request Type to Resolution.

  • For Workflow 2, set Request Type to User Resolution.

  • Create a nested workflow that runs Workflow 1 first and then Workflow 2.

Configuring Policy Execution for User Facets

If rules for user facets should be applied, we recommend using the following configuration:

Workflow 1: Policy Agent

  • In the Connectivity > Expert View > Jobs tree, select the job PolicyExecution2 and open it for editing.

  • In the Policy Agent Parameters tab, configure the Provisioning Mode to Assign privilege only.


Workflow 2: Privilege Resolution for User Facets

  • Configure the subject filter: (&(objectClass=dxrUserFacet)(dxrTBA=true)).

  • Configure Request Type to User Resolution.

Workflow 3: Privilege Resolution for other User Types

  • Configure the subject filter: (&(objectClass=dxrUser)(!(objectClass=dxrUserFacet))(dxrTBA=true)).

  • Configure Request Type to User Resolution.

We recommend building a nested workflow that runs workflow 1 > workflow 2 > workflow 3 in the given sequence.

Maintaining the Entire Database

To maintain the entire database, use the workflow structure described in the previous sections of this use case, omitting (dxrTBA=true) in the subject filters. This process resolves all the users in the database, not just the ones with dxrTBA=true.

Configuring the Java-based Consistency Workflows

This section describes how to integrate consistency for user facets into the Java-based maintenance workflows. The only affected workflow in this case is the Check Consistency workflow.

Configuring Check Consistency

The Check Consistency workflow performs some checks on the entries that match the selection criteria. In particular, it applies consistency rules.

Unlike the Tcl-based Consistency Check workflow, the Java-based Check Consistency workflow does not check start and end dates of users and assignments or perform privilege resolution. These tasks are performed by the Mark Affected Users and User Resolution workflows.

As a result, you only need to duplicate the Check Consistency workflow: the first instance needs to handle user facets, while the second instance handles the other user types. The non-user object types (roles, permissions, groups, accounts) can be processed in either of the two workflows.

Let’s assume here that the first workflow handles only the user facets and the second workflow handles all other users and object types.

To create a Check Consistency workflow for user facets only:

  • In Identity Manager’s Connectivity view group, open the Global View. Select the workflow line between the two Identity stores, and then select New from the context menu. Select the CheckConsistency workflow from the presented template list.

  • In the wizard step on Consistency Check Attributes, change the user filter so that it matches only user facet objects: (&(objectClass=dxrUserFacet))

  • Disable the flags for check roles and permissions and check accounts and groups.

  • Enable the flag for applying consistency rules.

Change the existing Check Consistency workflow to include users, but not user facets:

  • In the Global View of Identity Manager’s Connectivity view group, select the CheckConsistency workflow and then run the configuration wizard.

  • In the wizard step on Consistency Check Attributes, change the user filter so that it excludes user facet objects: (&(objectClass=dxrUser)(!(objectClass=dxrUserFacet)))

Now define schedules for both workflows so that the user facet workflow runs before the other one.
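The following Python script is an added example and is not part of the DirX Identity documentation or product. It evaluates the subject filters quoted in this chapter (the Tcl-based consistency check and privilege resolution pair, and the two Java-based Check Consistency filters) against a few constructed directory entries, and simulates the two-pass run to show why the user facet workflow has to be scheduled before the user workflow: a user that a facet flags with dxrTBA=true is only picked up in the same run if the user pass comes second. The entries, the link from a facet to its user (a hypothetical `owner` attribute) and the behaviour of the two passes are assumptions made for the example; only the filter strings come from the page.

```python
"""Added example (not DirX Identity code): evaluate the chapter's subject filters
against constructed entries and check the ordering of the two workflow passes.

Assumptions (not from the page): entries are plain dicts, a facet points at its
user through a hypothetical 'owner' attribute, and the simulated passes model
only the dxrTBA flagging described in the text.
"""
import re

# Filters as given on the page (the Tcl pair keeps the stray blank the page
# shows; the parser tolerates whitespace between sub-filters).
FACET_FILTER = "(&(objectClass=dxrUserFacet)(dxrTBA=true))"
USER_FILTER = "(&(objectClass=dxrUser)(!(objectClass=dxrUserFacet)) (dxrTBA=true))"
JAVA_FILTERS = ["(&(objectClass=dxrUserFacet))",
                "(&(objectClass=dxrUser)(!(objectClass=dxrUserFacet)))"]


# --- minimal LDAP filter evaluator (RFC 4515 subset: &, |, !, equality) -----
def parse_filter(text):
    """Parse one filter; return (node, unparsed rest). Raises on bad syntax."""
    text = text.strip()
    if not text.startswith("(") or len(text) < 2:
        raise ValueError("filter must start with '(': %r" % text)
    body = text[1:]
    if body[0] in "&|!":
        op, rest, children = body[0], body[1:].lstrip(), []
        while rest.startswith("("):
            child, rest = parse_filter(rest)
            children.append(child)
            rest = rest.lstrip()
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter near %r" % rest)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), rest[1:]
    m = re.match(r"([A-Za-z][A-Za-z0-9-]*)=([^)]*)\)", body)
    if not m:
        raise ValueError("unsupported filter item: %r" % body)
    return ("=", m.group(1), m.group(2)), body[m.end():]


def matches(node, entry):
    """Evaluate a parsed filter against a dict entry (values: str or list)."""
    op = node[0]
    if op == "=":
        values = entry.get(node[1], [])
        values = values if isinstance(values, list) else [values]
        return any(v.lower() == node[2].lower() for v in values)
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)          # op == "!"


def ldap_filter(text):
    """Compile a filter string into a predicate over entries."""
    node, rest = parse_filter(text)
    if rest.strip():
        raise ValueError("trailing text after filter: %r" % rest)
    return lambda entry: matches(node, entry)


# --- constructed sample directory -------------------------------------------
def sample_directory():
    # A user facet also carries objectClass dxrUser, which is why the second
    # filter must exclude facets explicitly. 'owner' is a hypothetical link.
    return {
        "cn=alice": {"objectClass": ["dxrUser"], "dxrTBA": "false"},
        "cn=alice-facet": {"objectClass": ["dxrUser", "dxrUserFacet"],
                           "dxrTBA": "true", "owner": "cn=alice"},
        "cn=bob": {"objectClass": ["dxrUser"], "dxrTBA": "true"},
        "cn=carol": {"objectClass": ["dxrUser"], "dxrTBA": "false"},
        "cn=sales": {"objectClass": ["groupOfNames"]},   # non-user entry
    }


# --- simulated workflow passes ----------------------------------------------
def run_facet_pass(directory):
    """Workflow 1: a flagged facet is handled and its user is flagged TBA."""
    pick = ldap_filter(FACET_FILTER)
    for entry in list(directory.values()):
        if pick(entry):
            entry["dxrTBA"] = "false"
            directory[entry["owner"]]["dxrTBA"] = "true"


def run_user_pass(directory):
    """Workflow 2: resolve privileges for flagged non-facet users."""
    pick = ldap_filter(USER_FILTER)
    resolved = [dn for dn, e in directory.items() if pick(e)]
    for dn in resolved:
        directory[dn]["dxrTBA"] = "false"
    return sorted(resolved)


def pending_after(order):
    """Run the passes in the given order; return users still flagged TBA."""
    directory = sample_directory()
    passes = {"facets": run_facet_pass, "users": run_user_pass}
    for name in order:
        passes[name](directory)
    return sorted(dn for dn, e in directory.items() if e.get("dxrTBA") == "true")


def partition_report(directory, filters):
    """For each dxrUser-class entry, count the filters it matches: 1 everywhere
    means the filters partition the users; 0 is a gap, 2 is an overlap."""
    picks = [ldap_filter(f) for f in filters]
    is_user = ldap_filter("(objectClass=dxrUser)")
    return {dn: sum(p(e) for p in picks)
            for dn, e in directory.items() if is_user(e)}


if __name__ == "__main__":
    print("facets first, still pending:", pending_after(["facets", "users"]))
    print("users first, still pending: ", pending_after(["users", "facets"]))
    print("Java filters per user:", partition_report(sample_directory(), JAVA_FILTERS))
```

Running it shows that with the facet pass scheduled first nothing remains flagged, whereas with the user pass first `cn=alice` stays at dxrTBA=true until the next scheduled run. The `partition_report` check is a quick way to confirm, before scheduling the two Java-based Check Consistency workflows, that every user-class entry is matched by exactly one of their filters.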