Secure Identity Management Overview Course
March 2003
DeveloperNet University Course

Novell DirXML

Novell DirXML provides the foundation for Novell Nsure Resources. DirXML is Novell's data-sharing software that enables bi-directional real-time information exchange between network applications, directories and databases. DirXML leverages the XML standard to enable integration among multiple systems.

Nsure Resources includes a set of configuration files containing default policies that can be imported into the Nsure Resources environment. These include DirXML drivers for the popular HR systems, messaging systems, account systems, and directories listed below:

  • PeopleSoft (PeopleTools 7.5x and 8.1x)

  • SAP HR 4.6c or later

  • Microsoft Exchange 5.5

  • Active Directory with Exchange 2000

  • Novell GroupWise versions 5.5, 6.0, and 6.1

  • Lotus Notes R5

  • Novell eDirectory 8.62 and 8.7

  • Microsoft Active Directory

  • Microsoft NT 4

The Driver objects representing these preconfigured DirXML drivers store additional objects that represent DirXML Rules and Filters that together comprise the business logic underlying the Nsure Resources default policies and processes for managing user identities. The rules are written in either XML or XSLT (Extensible Stylesheet Language Transformations) format.

Novell DirXML consults the Filters and Rules objects associated with a DirXML driver's Publisher Channel and Subscriber Channel to determine such things as which modified user information is allowed to synchronize across which systems, how and when to create and disable user accounts, and how to format information to suit the system receiving the information.

Filters dictate what information can pass between the Workforce Tree and the other systems over a DirXML driver's Publisher or Subscriber Channel. Filters are used to establish which systems are the authoritative sources for various identity data attributes. For example, default filters on the PeopleSoft (or SAP) DirXML driver's Publisher Channel ensure that changes to most user account attributes (including Last Name, First Name, Middle Name, Manager, and Address) flow only from PeopleSoft (or SAP) to the Workforce Tree. This establishes the HR application as the authoritative source for most user identity information. Filters on the PeopleSoft (or SAP) DirXML driver's Subscriber Channel allow information for other attributes (far fewer) to flow from the Workforce Tree to PeopleSoft (or SAP).

Nsure Resources also permits shared authoritative sources. For example, an employee's home telephone number may be added or modified in either the HR system or in the Workforce Tree using eGuide.

Rules may include:

  • Schema-mapping rules that map eDirectory object classes and attributes to the object classes and attributes of other systems.

  • Matching rules that specify criteria for identifying matches between specific objects in eDirectory and other systems.

  • Create rules that specify requirements that must be met before a new object can be created.

  • Placement rules that define the criteria for placing new objects in the target application.

  • Event Transform rules that define how the DirXML Engine is to transform particular events before passing the information along to receiving systems. For example, a rule might dictate that the DirXML Engine convert a "move to the Inactive container" event in the Workforce Tree to a "disable" event in Active Directory.

  • Data Transform rules that define how the DirXML Engine must transform particular data elements before passing the data along to receiving systems. For example, a rule might specify that a birth date in the format month, day, year (for example, 062173) in Novell eDirectory should be converted to the format day, month, year (210673) before passing it to a system that uses the latter format.
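The Filter, Schema-Mapping and Data Transform rules above, modelled in Python as an added example that is not Novell's code: the HR field names, the phone transform and the choice of HR as the DDMMYY system are constructed assumptions, and the birth-date rule is the one the text describes.

```python
"""Simplified DirXML-style Filter, Schema-Mapping and Data Transform rules.
Added example, not Novell's code: attribute names, HR field names and the
phone transform are constructed. The real engine applies XML/XSLT rules to
XDS event documents; here an event is a plain dict of changed attributes."""
import re
from datetime import datetime

# Filter on the HR driver.  Publisher channel = HR -> Workforce Tree, where HR is
# authoritative for names, manager and address.  Subscriber channel = Workforce
# Tree -> HR carries far fewer attributes: only the shared phone numbers.
PUBLISHER_FILTER = {"Surname", "Given Name", "Initials", "manager", "SA",
                    "birthDate", "homePhone", "mobile", "pager"}
SUBSCRIBER_FILTER = {"homePhone", "mobile", "pager"}

# Schema-Mapping rule: eDirectory attribute -> HR application field (constructed).
SCHEMA_MAP = {
    "Surname": "LAST_NAME", "Given Name": "FIRST_NAME", "Initials": "MIDDLE_NAME",
    "manager": "SUPERVISOR", "SA": "STREET_ADDR", "birthDate": "BIRTH_DT",
    "homePhone": "HOME_PHONE", "mobile": "CELL_PHONE", "pager": "PAGER",
}
HR_TO_EDIR = {hr: edir for edir, hr in SCHEMA_MAP.items()}

def reformat_date(value, src="%m%d%y", dst="%d%m%y"):
    """Data Transform from the text: eDirectory MMDDYY (062173) -> DDMMYY (210673)."""
    return datetime.strptime(value, src).strftime(dst)

def digits_only(value):
    """Constructed phone transform: HR keeps bare digits, the tree formatted text."""
    return re.sub(r"\D", "", value)

# Data Transform rules keyed by eDirectory attribute, one table per channel; the
# hypothetical HR system is the DDMMYY system, so publishing reverses the date rule.
SUBSCRIBER_TRANSFORMS = {a: digits_only for a in SUBSCRIBER_FILTER}
PUBLISHER_TRANSFORMS = {"birthDate": lambda v: reformat_date(v, "%d%m%y", "%m%d%y")}

def apply_filter(changes, allowed):
    """Drop every attribute the channel's filter does not allow through."""
    return {a: v for a, v in changes.items() if a in allowed}

def subscribe(tree_changes):
    """Workforce Tree -> HR: filter, transform values, then map to HR field names."""
    kept = apply_filter(tree_changes, SUBSCRIBER_FILTER)
    kept = {a: SUBSCRIBER_TRANSFORMS.get(a, lambda v: v)(v) for a, v in kept.items()}
    return {SCHEMA_MAP[a]: v for a, v in kept.items()}

def publish(hr_changes):
    """HR -> Workforce Tree: map field names back, transform, then filter."""
    edir = {HR_TO_EDIR[f]: v for f, v in hr_changes.items() if f in HR_TO_EDIR}
    edir = {a: PUBLISHER_TRANSFORMS.get(a, lambda v: v)(v) for a, v in edir.items()}
    return apply_filter(edir, PUBLISHER_FILTER)
```

Note that a Surname change entering from the Workforce Tree side is silently dropped by the subscriber filter, which is exactly how the filter enforces HR as the authoritative source.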

Default Policies

Novell Nsure Resources actions are governed by its default policies for managing user identity information. The logic is stored in the Filters and Rules objects contained in the DirXML Driver objects, which use Novell eDirectory as their policy repository. Specific policies vary depending on which systems are used.

In general, Nsure Resources default policies are configured as listed below.

Authoritative Sources.  The PeopleSoft or SAP HR system is the authoritative source for most user identity information, including employee name, department, location, and title. Adding users or modifying a user's job status must be done in the HR system.

The Lotus Notes, Exchange or Novell GroupWise messaging system is the authoritative source for messaging-related information such as e-mail addresses and post office domains. When the messaging system creates an e-mail account for a new user, the messaging system DirXML driver immediately publishes the relevant information to the Workforce Tree where other systems can subscribe to it.

The Workforce Tree is a shared authoritative source for cell phone, home phone, and pager numbers, sharing authority with the HR system. Consequently, these attributes can be updated either within the HR system or by users through Novell eGuide.

User Object Names.  A User object name is created by concatenating the first letter of the person's first name with that person's last name. John Brown's User object name, for example, would be jbrown. If another jbrown User object already exists, the new John Brown would be named jbrown1. This policy is defined in one of the HR DirXML driver's Create Rules.

Passwords.  Each User object is assigned an initial password according to the password policy defined in the HR system DirXML driver's Create Style Sheet. The default password policy sets the password, in each system in which a user is created, to the individual's surname.

Placement.  By default, Novell Nsure Resources creates new User objects in the Active container in the Workforce Tree. Also by default, Nsure Resources places User objects in the Inactive User container to represent users whose accounts have been disabled.

E-Mail Addresses.  The messaging system creates the e-mail address. As a result, Novell Nsure Resources does not specify the rules for its creation. Nsure Resources does map the e-mail address created by the messaging system into the Internet e-mail address attribute in the Workforce Tree.

E-Mail Distribution Lists.  The HR DirXML driver's Event Transform rule adds a new employee to the appropriate group object (manager or employee), depending on whether the individual is designated as a manager or an employee within the HR system. The Messaging DirXML driver also uses this information to assign the new employee to the appropriate e-mail distribution lists within the messaging system.

Terminated Employees' Accounts.  Novell Nsure Resources inactivates terminated employee accounts in the Workforce Tree rather than deleting them entirely. When an employee's record in the HR system is terminated or inactivated, Nsure Resources moves the User object representing that employee from the Active container to the Inactive container in the Workforce Tree. Nsure Resources then triggers the disabling of corresponding accounts in the other affected systems such as Exchange, GroupWise and Active Directory. Nsure Resources also removes the user from any previously assigned groups.

Data Update.  Whenever data is updated in an authoritative system, Novell Nsure Resources immediately propagates the update to the other systems that have been configured to subscribe to that piece of information.
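The default policies listed above (User object naming, placement, initial password, group assignment and termination handling), carried through in Python as an added example that is not Novell's code. The container names, the manager/employee groups and the systems that get disabled come from the text; the DN strings, record layout, event shape and continuing the counter past jbrown1 are assumptions.

```python
"""Model of the Nsure Resources default policies described above.
Added example, not Novell's code.  Container names, the manager/employee
groups and the disabled systems come from the text; the DN strings, record
layout, event shape and counting past jbrown1 are assumptions."""
from dataclasses import dataclass, field

ACTIVE = "ou=Active,o=Workforce"        # constructed DNs for the two containers
INACTIVE = "ou=Inactive,o=Workforce"
SUBSCRIBERS = ("Exchange", "GroupWise", "Active Directory")

@dataclass
class WorkforceTree:
    users: dict = field(default_factory=dict)    # User object name -> record
    groups: dict = field(default_factory=lambda: {"manager": set(), "employee": set()})

    def create_rule_name(self, first, last):
        """Create Rule: first initial + surname (jbrown); on collision jbrown1, then 2, ..."""
        base = (first[0] + last).lower()
        name, n = base, 0
        while name in self.users:
            n += 1
            name = f"{base}{n}"
        return name

    def add_employee(self, first, last, is_manager=False):
        """HR add event: name, placement in Active, initial password, group membership."""
        cn = self.create_rule_name(first, last)
        self.users[cn] = {
            "container": ACTIVE,           # Placement rule default
            # Documented Create Style Sheet default: password = surname.  A value
            # anyone in the company can look up is a weak initial secret.
            "initial_password": last,
        }
        # Event Transform: the HR manager flag selects the group, which the
        # messaging driver in turn uses for e-mail distribution lists.
        self.groups["manager" if is_manager else "employee"].add(cn)
        return cn

    def terminate(self, cn):
        """HR termination: keep the User object, move it Active -> Inactive, drop its
        groups, and emit one disable event per subscribing system."""
        self.users[cn]["container"] = INACTIVE
        for members in self.groups.values():
            members.discard(cn)
        return [{"system": s, "event": "disable", "user": cn} for s in SUBSCRIBERS]
```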
