3.2 Creating ID Policies

An ID Policy container is a repository for ID policies and is used in conjunction with the ID Provider driver. An ID policy allows the ID Provider driver to generate unique IDs. When the ID Provider driver receives an ID request from a client, it generates an ID based on the ID policy specified in the request and passes it to the client.

By default, three sample ID policies are created when the driver is imported. You can use these policies or create your own. The default policies are:

To create an ID policy:

  1. In Designer, right-click the ID Policy container in the Outline tab, then click New > ID Policy.

    The ID Policy container is created when the ID Provider driver is created. The ID Policy container can only reside under the ID Provider driver.

  2. Specify the name for the ID policy, then click OK.

  3. Double-click the ID policy to access the properties page.

  4. Use the information in Table 3-4 to create your ID policy, then click OK to save the information.

Table 3-4 The ID Policy’s General Settings

| Field | Description |
| --- | --- |
| Policy Name | The name of the ID policy. |
| Policy’s Last ID | The last ID number that was used by this ID policy. If you have deployed this ID policy, use the Connect icon to update this field to the last ID number that was stored in the Identity Vault for this ID policy. NOTE: Only the ID Provider driver can update the last value stored in the Identity Vault. |
| Constraints | |
| Minimum/Maximum | Numbers must be between 0 and 2147483647. If you have a fixed system that can only handle eight digits, set the Maximum to 99999999. |
| Exclude/Include | Allows you to include or exclude a set of numbers that you type in. Numbers can be typed in a comma-delimited list, and you can use ranges, such as 10,100,1000,5000-10000,1099. |
| Prefix | Allows you to give a prefix to the IDs that are generated using this ID policy. If you create multiple ID policies, a prefix is useful to see which ID policies are being used. An example is WFID, for workforce IDs. |
| Fill: Yes/No | If you choose Yes, the ID is filled with leading zeros (0) up to the maximum length. This helps keep generated IDs at the same length. If you select No, no padding is applied and the ID lengths grow over time. |
| Access Control | Access control restricts access to the ID server with an ACL containing the names of all clients that are allowed to retrieve an ID. |
| Enabled | Check this box if you want to enable access control lists. |
| ACL | Type in the access control lists you want to use. Access control must be enabled before you can type in ACLs. Access control lists (ACLs) are defined per ID policy in the ID Provider driver. The lists ensure that only an ID Client that identifies itself with a name included in the ACL can get IDs from the ID policy. An ACL is a comma-delimited list of ID Client names. |

The client name is the fourth parameter of the getNextID() function. When ACLs are enabled, the client name passed in a call to getNextID() must match one of the entries in the ACL.

  • If the client name matches one of the entries in the ACL, the next ID is returned.

  • If the client name does not match any of the entries in the ACL, the request for a new ID is denied and -1 is returned.
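The constraints in Table 3-4 and the ACL check described above, modelled in Python as an added example; this is not the ID Provider driver's code. The names IDPolicy, next_id() and parse_ranges() are hypothetical, and sequential numbering, exact-match name comparison, padding to the digit count of Maximum and the error on exhaustion are assumptions; only the Exclude list is modelled, not Include.

```python
from dataclasses import dataclass

MAX_ID = 2147483647   # largest value Table 3-4 allows
DENIED = -1           # value returned when the ACL check fails

def parse_ranges(spec):
    """Parse a comma-delimited list with ranges, e.g. '10,100,5000-10000'."""
    ranges = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= MAX_ID:
            raise ValueError(f"invalid entry: {item!r}")
        ranges.append((lo, hi))
    return ranges

@dataclass
class IDPolicy:  # hypothetical model of the Table 3-4 fields
    last_id: int = 0
    minimum: int = 0
    maximum: int = MAX_ID
    exclude: str = ""
    prefix: str = ""
    fill: bool = False
    acl_enabled: bool = False
    acl: str = ""

    def next_id(self, client_name):
        # ACL check: the caller supplies the name; exact match is assumed.
        if self.acl_enabled:
            allowed = {n.strip() for n in self.acl.split(",") if n.strip()}
            if client_name not in allowed:
                return DENIED
        excluded = parse_ranges(self.exclude)
        candidate = max(self.last_id + 1, self.minimum)  # assumed: sequential
        moved = True
        while moved:  # jump past every excluded range the candidate falls in
            moved = False
            for lo, hi in excluded:
                if lo <= candidate <= hi:
                    candidate, moved = hi + 1, True
        if candidate > self.maximum:
            raise OverflowError("policy exhausted")  # assumed behaviour
        self.last_id = candidate
        digits = str(candidate)
        if self.fill:  # assumed: pad to the digit count of Maximum
            digits = digits.zfill(len(str(self.maximum)))
        return self.prefix + digits
```

A denied request leaves last_id unchanged in this model, so a client outside the ACL does not consume numbers from the policy.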