5.12 ID Vault Support

Notes ID Vault is a new Notes ID recovery and management feature introduced in Lotus Notes and Domino 8.5. It allows copies of Notes user IDs to be uploaded to an Identity Vault application on a Domino server. The Identity Manager driver for Lotus Notes now supports the Notes Identity Vault feature.

By default, the pre-config file provides the inactive-IDVault-delete-flag, delete-user-from-IDVault-support, and IDVault-database subscription options. These options let you use a single Notes ID Vault database. To use multiple ID Vault databases, additional GCVs and corresponding policies are required, as shown in the example below.

NOTE: Ensure that the Notes driver user has Manager-level access in the ACL of each ID Vault database it must read or update.

Example:

Assume that an organization has three different organizational units (OU): Sales, Engineering, and Marketing, where the Sales OU uses the sales.nsf ID Vault database, the Engineering OU uses the eng.nsf ID Vault database, and the Marketing OU uses the marketing.nsf ID Vault database.

Use iManager or Designer to add the following GCVs:

<definition display-name="Sales organization ID Vault DB Name" name="account.idVault.salesIDVaultDB" type="string">
  <description>Enter the Sales organization Id Vault database name.</description>
  <value>sales.nsf</value>
</definition>

<definition display-name="Marketing organization ID Vault DB Name" name="account.idVault.markIDVaultDB" type="string">
  <description>Enter the Marketing organization Id Vault database name.</description>
  <value>marketing.nsf</value>
</definition>

<definition display-name="Engineering organization ID Vault DB Name" name="account.idVault.engIDVaultDB" type="string">
  <description>Enter the Engineering organization ID Vault database name.</description>
  <value>eng.nsf</value>
</definition>

Use iManager or Designer to add the following policy to the Subscriber Command Transformation Policies:

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>setting the Sales idVault Names</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.SalesName~</if-src-dn>
        <!-- only set the attribute when the GCV holds a database name -->
        <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/>
      </and>
    </conditions>
    <actions>
      <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
        <arg-string>
          <token-global-variable name="account.idVault.salesIDVaultDB"/>
        </arg-string>
      </do-set-xml-attr>
    </actions>
  </rule>

  <rule>
    <description>setting the Marketing idVault Names</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.MktgName~</if-src-dn>
        <!-- same empty-GCV guard as the Sales and Engineering rules -->
        <if-global-variable name="account.idVault.markIDVaultDB" op="not-equal"/>
      </and>
    </conditions>
    <actions>
      <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
        <arg-string>
          <token-global-variable name="account.idVault.markIDVaultDB"/>
        </arg-string>
      </do-set-xml-attr>
    </actions>
  </rule>

  <rule>
    <description>setting the Engineering idVault Names</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-src-dn op="in-subtree" xml:space="preserve">\~dirxml.auto.treename~\~account.src-loc.EngName~</if-src-dn>
        <if-global-variable name="account.idVault.engIDVaultDB" op="not-equal"/>
      </and>
    </conditions>
    <actions>
      <do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
        <arg-string>
          <token-global-variable name="account.idVault.engIDVaultDB"/>
        </arg-string>
      </do-set-xml-attr>
    </actions>
  </rule>
</policy>
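A rule that sets IDVault-database from a GCV that is undefined or left empty routes the delete to no vault at all, so it is worth checking the GCV definitions and the policy together before deploying. The following script is an added example, not part of the driver or its documentation; the GCV and policy fragments it parses are constructed samples (the Marketing rule is deliberately left without the if-global-variable guard and with an empty GCV value) and the check logic is a hypothetical pre-deployment lint, not a driver feature.

```python
import xml.etree.ElementTree as ET

# Constructed sample GCVs: the Marketing value is left empty on purpose.
GCVS_XML = """<definitions>
<definition name="account.idVault.salesIDVaultDB" type="string"><value>sales.nsf</value></definition>
<definition name="account.idVault.markIDVaultDB" type="string"><value></value></definition>
</definitions>"""

# Constructed sample policy: Sales is guarded, Marketing is not.
POLICY_XML = """<policy>
<rule><description>Sales</description>
 <conditions><and><if-operation op="equal">delete</if-operation>
  <if-global-variable name="account.idVault.salesIDVaultDB" op="not-equal"/></and></conditions>
 <actions><do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
  <arg-string><token-global-variable name="account.idVault.salesIDVaultDB"/></arg-string>
 </do-set-xml-attr></actions></rule>
<rule><description>Marketing</description>
 <conditions><and><if-operation op="equal">delete</if-operation></and></conditions>
 <actions><do-set-xml-attr expression="../delete[@class-name='User']" name="IDVault-database">
  <arg-string><token-global-variable name="account.idVault.markIDVaultDB"/></arg-string>
 </do-set-xml-attr></actions></rule>
</policy>"""


def load_gcvs(xml_text):
    """Map GCV name -> value, with None for a missing or empty <value>."""
    gcvs = {}
    for d in ET.fromstring(xml_text).iter("definition"):
        v = d.find("value")
        text = (v.text or "").strip() if v is not None else ""
        gcvs[d.get("name")] = text or None
    return gcvs


def check_policy(policy_xml, gcvs):
    """Return (rule description, problem) pairs for IDVault-database actions."""
    problems = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        desc = rule.findtext("description", default="<no description>")
        # GCVs this rule guards with <if-global-variable op="not-equal"/> (empty = "").
        guarded = {g.get("name") for g in rule.iter("if-global-variable")
                   if g.get("op") == "not-equal" and not (g.text or "").strip()}
        for action in rule.iter("do-set-xml-attr"):
            if action.get("name") != "IDVault-database":
                continue
            for tok in action.iter("token-global-variable"):
                gcv = tok.get("name")
                if gcv not in gcvs:
                    problems.append((desc, f"GCV {gcv} is not defined"))
                elif gcvs[gcv] is None:
                    problems.append((desc, f"GCV {gcv} has an empty value"))
                if gcv not in guarded:
                    problems.append((desc, f"no empty-GCV guard for {gcv}"))
    return problems
```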