The Identity Manager Fan-Out driver maintains objects in eDirectory with configuration information for the core driver and platforms as well as users and groups of users available to the platforms. These are stored in the ASAM System container.
You maintain configuration information by using the Web interface. Do not use any other method of changing objects in the ASAM System container unless advised by support personnel.
A writable replica of the partition holding the ASAM System container must reside on the LDAP host server used by a core driver.
The core driver processes perform an LDAP Bind as the ASAM Master User to gain access to eDirectory. The ASAM Master User object is created during installation.
The ASAM Master User must have Supervisor rights to the container in eDirectory that holds the users and groups that can be added to the Census. This is known as the User and Group Subtree. These rights are granted during installation.
To use the AS Client API to access objects outside of the User and Group Subtree, you must grant additional rights to the ASAM Master User.
You must grant the ASAM Master User Browse object rights and Compare property rights to any object that is accessed through the AS Client API.
You must grant the ASAM Master User Read property rights to any object whose Security Equals list or Group Membership list, or other attribute value is accessed through the AS Client API.
Configuration information for Identity Manager Fan-Out driver components is stored in objects that correspond to them.
Audit Services object
Certificate Services object
Event Journal Services object
Object Services object
Web Services object
Event Subsystem objects
Authentication Services objects
UID/GID Set objects
Platform Set objects
Platform objects
Identity Manager Fan-Out driver program component configuration objects list each of their host server network addresses. Before accepting a communication connection from another component, driver components verify that the connection originates from a network address listed in the corresponding configuration object.
Based on your specifications, Object Services maintains a Census of users and groups of users for use with target platforms. Users in the Census are represented by Enterprise User (eUser) objects. Groups of users in the Census are represented by Enterprise Group (eGroup) objects.
Object Services uses events from the Event Subsystem to maintain the Census. Object services of the primary core driver also periodically trawls eDirectory for information to ensure the validity of the Census.
Authentication Services uses eUser objects in the Census to locate the corresponding User objects in eDirectory for password verification and other functions. For information about associating eUsers and eGroups from the Census with sets of platforms for provisioning purposes, see Platform Set Objects.
You use the Web interface to specify Census Search objects that identify the users and groups that are to be included in the Census.
Search objects can get Enterprise Users from
Specifically identified User objects
Group object membership
Organizational Role object occupant lists
Objects in containers (and subcontainers, to whatever depth you set)
Search objects can get Enterprise Groups from
Specifically identified Group objects
Group objects in containers (and subcontainers, to whatever depth you set)
Identity Manager entitlements
Dynamic groups use an LDAP search filter to define a set of rules that, when matched by eDirectory User objects, define the members of the group. Membership in the group is evaluated dynamically by eDirectory. There is no actual list of members for a dynamic group like there is for a static group.
Events involving users who are already in the Census that affect their membership in a dynamic group that is a Search object are seen by the Event Subsystem as they happen. This is because the core driver interrogates Search objects to discover if an event involving a given User object is of interest.
Events involving users not already in the Census and events involving the LDAP search filter of a dynamic group that is a Search object are not seen by the Event Subsystem. This is because there is nothing to drive the LDAP search. Such changes are not detected until the next Trawl is run.
Because Enterprise User objects and Enterprise Group objects share the same name space, their names must be unique. If a duplicate name is found based on your Census Search objects, the resulting Enterprise User or Enterprise Group object is placed in the Exceptions container rather than being made available in the Census. You can use the Web interface to review naming exceptions.
Enterprise User (eUser) objects reside in the Census container. An eUser object represents a single User object, or an Alias object that references a User object, in eDirectory.
An eUser object includes a reference to the User object or Alias object that it represents in eDirectory. The User object referenced by an Alias object is provisioned to platforms, not the Alias object itself.
Enterprise Group (eGroup) objects reside in the Census container. An eGroup object represents a group of users, and is based on a Group object, or an Alias object that references a Group object, in eDirectory. Enterprise Group objects must be based on static Group objects. Dynamic Group objects are not provisioned.
An eGroup object includes a reference to the Group object or Alias object that it represents in eDirectory. The Group object referenced by an Alias object is provisioned to platforms, not the Alias object itself.
Enterprise Group objects in the Census contain a list of the eUser objects that are represented in the corresponding Group object in eDirectory (but not any users that are not present in the Census).
You can choose to have Enterprise User and Enterprise Group objects whose corresponding User or Group object is deleted from eDirectory or is no longer covered by a Census Search object remain in the Census in an inactive state. Because Enterprise User objects relate to User objects in eDirectory through a globally unique identifier, this prevents another person from receiving access to resources as an unintended result of the reuse of the user name. Inactive users cannot authenticate through Authentication Services.
You can use the Web interface to specify a Delete Pending Duration. During this interval, eUser and eGroup objects whose corresponding User and Group objects have either been deleted from eDirectory or are no longer covered by a Search object are not deleted from target platforms. The results of a Delete User or Delete Group Receiver script can be difficult to reverse. Delete Pending Duration provides a grace period to allow recovery from a disastrous mistake affecting many users.
The Delete User Pending or Delete Group Pending Receiver script is called when a delete event becomes pending for a user or group. The Delete User or Delete Group script is not called until the Delete Pending Duration expires.
A Platform object represents a specific target platform that runs Platform Services.
Platform Set objects provide the relationship between Search objects and Platform objects. You can use Platform Sets to group together multiple platforms that share the same user and group population.
The following example illustrates how you can fan out your user and group population to platforms that are grouped into Platform Sets.
Table 2-2 Platform Set Example