Summary
This PhenixID Solution Document (PSD) is written for Identity Manager 4.8.
This PSD describes how to store forms, searches and policies in the file system instead of in the LDAP directory. One big advantage is that you do not need to extend the LDAP directory schema.
System Requirements
- PhenixID Server installed
Instruction
In earlier versions of Identity Manager (before 4.6) you were more or less forced to store forms, searches and policies in your directory, which required extending the directory schema. In version 4.6 and later you can still do that, but you also have the option to store everything in the file system.
In this example I will use two IM roles with some forms and searches to explain how it works. An IM role in this example is an Active Directory group. Adjust the example below to match your environment if you use something other than Windows as file system or Active Directory as LDAP directory.
The two pictures below are referenced by the numbered callouts (1 to 6) in the following sections.
Important! If you change any form or search, you must restart “PhenixID Identity Manager” before the change takes effect.
Overview
In DSEditor.properties (callout 1) you put the policies for how the web application should behave. Policies in this file are inherited and used by all roles. This is also the file where you enable reading information from file only, and not from the directory (see the next section).
In the NEIDMgmt folder you must create a folder called role (callout 2).
In the role folder you create one folder per role. The name of a role folder does not matter technically, but it should reflect the role; one of the role folders in my example is called “identityauditor” (callout 3). In each role folder you must create a folder called form (callout 4) and one called search (callout 5). The form and search folders contain the forms and searches for that specific role.
Every role folder must have a DSEditor.properties (callout 6). When a user logs on, the settings from this file are used. Settings from the web application's DSEditor.properties (callout 1) are only read during startup of the web application. This means that when a user logs in, only one policy file is read for that user.
Enable reading from file only
This section explains the settings you need to add to the web application's DSEditor.properties (callout 1) file.
Open DSEditor.properties and go to the end of the file.
Add the following lines:
#
# Settings when reading policies, forms and searches from file instead of from directory
#
# Settings for role selector
NordicEdge_USE_ROLESELECTION=true
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.FileBasedRoleSelector
USE_DEFAULT_ROLE_MANAGEMENT=false
#
# Make sure no policy is read from directory
LOAD_POLICY_FROM_FILE_ONLY=true
#
# What attribute is used to map users to a role
GROUPMEMBER_ATTRIBUTE=memberOf
#
# Load predefined search from file
PREDEFINED_SEARCH.LOAD_FROM_FILE=true
#
# No self service is allowed. See PSD1033 on how to add self service
AUTO_LOAD_TAB_DIRECTORY=NONE
#
Explanation of DSEditor.properties for a role
In the DSEditor.properties (callout 6) file for an IM role (in my example, identityauditor) there are some minimum policies you need to add.
#
# Settings for the Identity Auditor role. This role is created for an Active Directory environment
#
# Name of the role. This will be displayed in the role selector
#
ROLE_NAME=Identity Auditor
#
# Group in Active Directory that will be associated with this role.
MEMBER=CN=PhenixID_IdentityAuditor_Role,OU=Roles,OU=PhenixID,DC=phenixid,DC=local
#
# Enable this role
ENABLED=TRUE
#
# BaseDn for this role
BASEDN=DC=phenixid,DC=local
#
Explanation of some of the settings:
ROLE_NAME – The name displayed in the role selector when a user logs in
MEMBER – The distinguished name of the group this role is linked to; a user must be a member of this group (via the GROUPMEMBER_ATTRIBUTE, memberOf in this example) to get the role
ENABLED – Whether this role is enabled; a disabled role is not offered even to members of the group
BASEDN – The place in the directory where this role starts, i.e. the search base the role works within
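The folder layout and the role file above can be checked mechanically before restarting the web application. The script below is an added example and not PhenixID code: it builds the described layout (NEIDMgmt/DSEditor.properties plus NEIDMgmt/role/<role>/{form,search,DSEditor.properties}) in a temporary directory with constructed sample content, verifies that the settings this document requires are present, and resolves which roles a constructed user would be offered based on the memberOf values. The second role (servicedesk, with a made-up group DN) is hypothetical and deliberately disabled to show that ENABLED is honoured. How PhenixID's FileBasedRoleSelector actually compares group DNs is not documented on this page; the case-insensitive comparison and the minimal .properties parser are this example's own assumptions.

```python
"""Validate a file-based PhenixID IM role layout and resolve a user's roles.

Added example, not PhenixID code. Matching semantics (case-insensitive DN
comparison) and the .properties parser are assumptions of this example.
"""
import os
import tempfile

# Settings the document says must be in the web application's DSEditor.properties.
REQUIRED_WEBAPP = {
    "NordicEdge_USE_ROLESELECTION": "true",
    "ROLESELECTOR_CLASS": "se.nordicedge.rolemanagement.FileBasedRoleSelector",
    "USE_DEFAULT_ROLE_MANAGEMENT": "false",
    "LOAD_POLICY_FROM_FILE_ONLY": "true",
    "GROUPMEMBER_ATTRIBUTE": "memberOf",
    "PREDEFINED_SEARCH.LOAD_FROM_FILE": "true",
}
# Minimum keys the document lists for a role's DSEditor.properties.
REQUIRED_ROLE = ("ROLE_NAME", "MEMBER", "ENABLED", "BASEDN")


def parse_properties(path):
    """Minimal Java .properties reader: key=value lines, '#' comment lines ignored."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Assumption: DNs compare case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def validate_layout(neidmgmt):
    """Return a list of problems; an empty list means the layout matches the document."""
    problems = []
    webapp = parse_properties(os.path.join(neidmgmt, "DSEditor.properties"))
    for key, expected in REQUIRED_WEBAPP.items():
        if webapp.get(key, "").lower() != expected.lower():
            problems.append(f"webapp: {key} should be {expected}, got {webapp.get(key)!r}")
    role_root = os.path.join(neidmgmt, "role")
    if not os.path.isdir(role_root):
        return problems + ["missing 'role' folder"]
    for name in sorted(os.listdir(role_root)):
        role_dir = os.path.join(role_root, name)
        for sub in ("form", "search"):
            if not os.path.isdir(os.path.join(role_dir, sub)):
                problems.append(f"role {name}: missing '{sub}' folder")
        props_path = os.path.join(role_dir, "DSEditor.properties")
        if not os.path.isfile(props_path):
            problems.append(f"role {name}: missing DSEditor.properties")
            continue
        props = parse_properties(props_path)
        problems += [f"role {name}: missing {k}" for k in REQUIRED_ROLE if k not in props]
    return problems


def resolve_roles(neidmgmt, member_of):
    """ROLE_NAMEs whose MEMBER group is among the user's memberOf values and ENABLED=TRUE."""
    groups = {normalize_dn(g) for g in member_of}
    roles = []
    role_root = os.path.join(neidmgmt, "role")
    for name in sorted(os.listdir(role_root)):
        props = parse_properties(os.path.join(role_root, name, "DSEditor.properties"))
        if props.get("ENABLED", "").upper() != "TRUE":
            continue  # a disabled role is never offered, even to group members
        if normalize_dn(props.get("MEMBER", "")) in groups:
            roles.append(props["ROLE_NAME"])
    return roles


def build_sample_layout(base):
    """Constructed sample layout: web app file plus two roles, one disabled (hypothetical)."""
    neid = os.path.join(base, "NEIDMgmt")
    os.makedirs(os.path.join(neid, "role"))
    with open(os.path.join(neid, "DSEditor.properties"), "w", encoding="utf-8") as fh:
        fh.write("# web application settings from the document\n")
        fh.writelines(f"{k}={v}\n" for k, v in REQUIRED_WEBAPP.items())
        fh.write("AUTO_LOAD_TAB_DIRECTORY=NONE\n")
    roles = {
        "identityauditor": ("Identity Auditor", "TRUE",
                            "CN=PhenixID_IdentityAuditor_Role,OU=Roles,OU=PhenixID,DC=phenixid,DC=local"),
        # Hypothetical role and group DN, disabled to show ENABLED is honoured.
        "servicedesk": ("Service Desk", "FALSE",
                        "CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=PhenixID,DC=phenixid,DC=local"),
    }
    for folder, (role_name, enabled, member) in roles.items():
        role_dir = os.path.join(neid, "role", folder)
        os.makedirs(os.path.join(role_dir, "form"))
        os.makedirs(os.path.join(role_dir, "search"))
        with open(os.path.join(role_dir, "DSEditor.properties"), "w", encoding="utf-8") as fh:
            fh.write(f"ROLE_NAME={role_name}\nMEMBER={member}\nENABLED={enabled}\n"
                     "BASEDN=DC=phenixid,DC=local\n")
    return neid


def demo():
    """Build the constructed layout, validate it, resolve roles for one constructed user."""
    with tempfile.TemporaryDirectory() as tmp:
        neid = build_sample_layout(tmp)
        # Constructed memberOf values; the first is deliberately lower-cased.
        member_of = [
            "cn=phenixid_identityauditor_role,ou=roles,ou=phenixid,dc=phenixid,dc=local",
            "CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=PhenixID,DC=phenixid,DC=local",
        ]
        return validate_layout(neid), resolve_roles(neid, member_of)


if __name__ == "__main__":
    print(demo())
```

Run it against your real NEIDMgmt folder by calling validate_layout with that path; a non-empty list tells you what to fix before restarting “PhenixID Identity Manager”. Only roles that both match a group and have ENABLED=TRUE are returned, so the disabled hypothetical role is never offered.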
Move an existing IM structure in LDAP to file system
Move policy
In the directory you can store IM policies on the LDAP root object, an OU, a group or on the user object. When a user logs in the effective policy for that user will be a combination of policies.
When working with policies in the file system there are only two places where you can store them: in the DSEditor.properties for the web application, where they apply to all roles, or in the DSEditor.properties for a specific role.
Best practice: if you have five policies on the root object and three policies on the group object in the directory, put all eight policies in the DSEditor.properties file for that role. Because only that role's policy file is read when the user logs in, nothing from the directory hierarchy is merged in; everything the role needs must be in its own file, or in the web application's file if it should apply to all roles.
Move forms and predefined search
The best way to move all your forms and predefined searches from the directory to the file system is to open each form or predefined search with the IM 4.6 Standalone tab designer and save it in the file system, in the form folder (or the search folder for predefined searches) for that role.
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se