Friday Feb 22, 2008

ADAM and LDAP v3 Compliance

Hey all. Sorry (again) for the lack of blogging, but I have been busy getting ready for new versions of IdM and welcoming our Vaau friends to the good ship Sun.

One question keeps coming up over and over again, and I think we finally have the straight answer on why the Sun IdM LDAP v3 resource adapter (which we suspect is based on the OpenLDAP standard) does not work with Microsoft's LDAP v3 compatible ADAM interface to AD. Logic would make one think that it would. Many customers surmise that instead of buying two adapters, they could buy one LDAP adapter for the directory and then reuse the same adapter to control AD via ADAM ("Gee, it's LDAP v3 compliant, Microsoft tells me so"), thus saving the licensing fee on the AD adapter.

The argument always boiled down to MS claiming they were v3 compliant, so our adapter must be at fault, but nobody ever answered why there was a problem technically. I think we have determined the answer:

First, ADAM is assumed to be an LDAP interface to Active Directory that adheres to RFC 3377, an umbrella RFC that pulls together 8 other RFCs to define the LDAP v3 protocol. This was first published in 1999, with Microsoft releasing ADAM on Windows 2003 several years later. One missing element from the RFC was a clear definition of user objects, so the extension RFC 2798 was created in April 2000 to define InetOrgPerson. The key feature to note here is the inclusion of a 'uid' attribute for user logon, which is not defined in the core RFC schema. As AD uses a form of distinguished name rather than a login ID, it did not concern itself with 'uid'.

Statement: at that time, around 2003, Microsoft could claim ADAM to be v3 compliant because 'uid', which it did not include, was part of an RFC extension and not part of the core LDAP definition in the v3 RFC family.

When the InetOrgPerson RFC was published, ADAM and AD were already too far along in development to include it, so Microsoft put out an "InetOrgPerson" service kit that basically altered the schema of AD to make it compliant. The kit had to be applied to AD, and not everyone did so, because in a mostly Microsoft shop the attributes used by InetOrgPerson were not used by AD in day-to-day operations.

The ADAM interface at that time would be considered LDAP v3 compliant because it handled all bind requests and responses as defined in RFC 3377, and you could extend the schema with the InetOrgPerson toolkit to make the interface compliant with the extension RFC 2798 as well. Interestingly, we would surmise that 'uid' would most likely have been a null field even then, as AD has no use for 'uid' or a login ID.

Now skip forward to the development of the then Waveset, now Sun IdM, LDAP resource adapter. I cannot confirm this (we don't let our code out of the lab), but one would expect us to have used the OpenLDAP project as a code base (or some similar code library that would have been an offshoot of OpenLDAP) somewhere in the 2003/2004 timeframe. That code is kept up to date and included the InetOrgPerson schema as part of the library, as they wished to be totally compliant with LDAP v3 core and all extensions. And we would have designed the adapter to key off of the 'uid' field as one way to determine account uniqueness. It could be used in standard LDAP, but not in ADAM, which was an LDAP front end for AD, which does not use it (at least I don't think it does; I don't have an old Windows 2003 server lying around the cave to test).

Now move forward to 2006, when the LDAP v3 protocol had still not been ratified but had gone through enough changes in the RFC process that the RFCs were updated and reissued. RFC 4510 replaced RFC 3377 as the core umbrella RFC for the LDAP v3 standard. One of the RFCs under it is RFC 4519, LDAP v3 Schema for User Applications. Lo and behold, the 'uid' attribute is no longer in the extension, but in the specification itself.

Statement: upon the release of the 2006 version of the protocol, ADAM would no longer be compliant. I can't be sure whether that includes a site that has applied the InetOrgPerson toolkit, but it does include the core ADAM interface, which seems not to have been updated since its release in 2003.

Anyway, in order to get our future ADAM resource adapter to work, it appears a change to the AD schema is needed to add the missing fields.
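As an added example (not Sun, OpenLDAP or Microsoft code), here is a pre-flight check in Python that does what the adapter argument above implies: parse directory entries and report whether each one carries the 'uid' attribute that an adapter keyed on RFC 2798 / RFC 4519 can use. The LDIF entries, DNs and names are constructed to mimic the three cases discussed (a standard directory entry, a plain ADAM/AD entry, and an AD entry with the InetOrgPerson kit applied but 'uid' left null).

```python
"""Pre-flight schema check for an LDAP v3 resource adapter that keys account
uniqueness on the 'uid' attribute (RFC 2798 inetOrgPerson, later RFC 4519).
Added example, not Sun IdM or Microsoft code; the LDIF entries below are
constructed to mimic a standard directory entry, an ADAM/AD entry, and an
AD entry with the InetOrgPerson kit applied but 'uid' never populated."""

from collections import defaultdict

SAMPLE_LDIF = """\
# standard LDAP v3 directory entry: inetOrgPerson with uid
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com

# AD/ADAM-style entry: logon is sAMAccountName, no uid at all
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com

# AD entry after the InetOrgPerson schema kit: class present, uid never set
dn: CN=John Roe,OU=Users,DC=example,DC=com
objectClass: user
objectClass: inetOrgPerson
cn: John Roe
sAMAccountName: jroe
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    '#' comments, and leading-space continuation lines. Returns a list of
    {attribute: [values]} dicts with attribute names lower-cased, since LDAP
    attribute names are case-insensitive."""
    entries, current, last_attr = [], defaultdict(list), None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(dict(current))
            current, last_attr = defaultdict(list), None
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current[last_attr].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def account_key(entry):
    """The value an adapter keyed on 'uid' would use, or None if absent/empty."""
    values = [v for v in entry.get("uid", []) if v]
    return values[0] if values else None


def check_entry(entry):
    """Classify one entry:
       'ok'                        -> uid present, the adapter can key on it
       'inetorgperson-without-uid' -> schema extended, but uid is a null field
       'no-uid'                    -> AD/ADAM entry; only a logon name exists
    Returns (status, key) where key is the uid, or the AD logon name if known."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    key = account_key(entry)
    if key:
        return "ok", key
    logon = next(iter(entry.get("samaccountname", [])), None)
    if "inetorgperson" in classes:
        return "inetorgperson-without-uid", logon
    return "no-uid", logon


def preflight(ldif_text):
    """Run the check over every entry; returns [(dn, status, key), ...]."""
    return [(e.get("dn", [""])[0],) + check_entry(e) for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    for dn, status, key in preflight(SAMPLE_LDIF):
        print(f"{status:27} {key!s:6} {dn}")
```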

The second reason for it not working is that, in order to do ActiveSync on the ADAM interface, we need access to the LDAP transaction log, which is available from an LDAP directory but not through ADAM (which uses AD via ADSI). We had to do some workarounds to get the desired functionality in the resource adapter.


Tuesday Nov 13, 2007

Another Side Bar - Welcome Vaau

Well, it's official, folks. Sun has reached a definitive agreement to purchase Vaau and its RBACx product line.

One of the things analysts give Oracle credit for is "Vision", though acquiring identity software companies to cobble together a solution (have you seen all the moving parts in Oracle?) and slapping a "Fusion" label on it does not strike me as "visionary" at all. Ask Oracle's John Wookey, who has been replaced as lead on the Fusion project "amid growing worries that the pivotal, complicated initiative may underwhelm customers and investors when it arrives in late 2008". Why customers buy into smoke and mirrors on mission-critical software projects is way beyond me.

So why the crank on Oracle when we should be celebrating the Vaau purchase?  Won't Sun have the same problem?

The good news is no. We have been working closely with Vaau for several years now, since we recognized their advanced position in the RBAC space. Instead of trying to play catch-up, thus consuming valuable IdM resources that were working hard on 7.X audit and reporting features, we partnered with Vaau, letting them do what they do best while we kept strengthening the core platform.

We have had a resource adapter for RBACx, the Vaau product, for well over a year now. RBACx can be fed user information that IdM knows, role-mine new user roles, and feed that back into our product. We have been learning what true RBAC is in this space and have made product plans to incorporate these features in the future, without requiring a "big bang" (wasn't that a big Fusion?) that IT shops and enterprises find difficult to swallow.

So we are not buying a software shop to plug a hole in a large, amorphous, cloudy vision and hoping to deliver something some day; we are finally welcoming in a valued partner we have worked with for quite some time. This is validated by Deloitte's Security & Privacy Services, which has done its due diligence on Vaau and Sun and has committed to delivering its Enterprise Role Lifecycle Management (ERLM) service based on this technology. This will combine provisioning (IdM from Sun), Vaau's role management, and Deloitte's services to create a complete enterprise RBAC solution. This is not a future deliverable. Call Deloitte now and you can get started.

So, welcome to the team, Vaau. Though it's like you have been here all along.




Monday Nov 12, 2007

Sidebar - Deloitte acquires Iditarod

I wanted to take a sidebar from the what's-new series to do a shout-out on the news that Deloitte has acquired Iditarod Systems' Identity Business.

I work closely with both teams on Identity Manager deployments and am excited to hear the news. Both are top-flight design and deployment teams with years of experience and talent.

This is definitely a case where the total is greater than the sum of the two parts. Congratulations to all involved. Celebrate and then get back to work!


Thursday Nov 01, 2007

What's New In IdM 7.1 Cont'd - Forgot User ID

We are all familiar with the "Forgot Password" capabilities of IdM on the End User Interface. This venerated function has been helping struggling users reset their password through a series of security questions and procedures. Flavors of this have been around since the early Waveset days.

But now users will find a "Forgot User ID" button next to it. This will help with the other half of the "I forgot" problem, and it has some unique characteristics.

As an implementor, you can turn this whole feature on or off. If on (the default), the user is taken to a new screen where they can put in a validating email address and one or more user attributes. Of course, you have complete control over which user attributes you want to collect through this screen to aid or screen the user.

Once submitted, Sun IdM attempts to find a matching user (one only) and sends a reset-password message with the user ID to the indicated email address. The possible results of the search are: no users found (the user is notified of invalid information), one user found (positive match: email the account ID and force a password reset), or more than one account returned (the developer's choice on what you want to do here). You can also create a User Correlation Rule to help sift through the possibilities.

Different "login groups" can also be utilized to check more than one authoritative source to try and identify the user account that matches the user logging in. For example, while UserID is used to find the user in a company LDAP directory, you may want to first quiz the email system to see whether the submitted email is valid for the company domain. This might get you more user attributes to help find the exact LDAP account.

Take a good look at the search code behind the new button; it shows a fairly sophisticated searching capability.
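The three search outcomes described above, as an added Python example that is not Sun IdM code: the user store, the company-domain "login group" gate, and the attribute names are constructed assumptions.

```python
"""Outcome logic for a 'Forgot User ID' request as the post describes it:
the requester submits a validating email address plus one or more
attributes, and the search yields no match, one match, or many matches.
Added example, not Sun IdM code; the user store, the company-domain gate
and the attribute names are constructed."""

from enum import Enum


class Outcome(Enum):
    NOT_FOUND = "no match: tell the requester the information is invalid"
    MATCHED = "one match: email the user ID and force a password reset"
    AMBIGUOUS = "many matches: implementor's choice"


# Constructed sample store; in IdM this comes from the authoritative
# resources through their adapters.
USERS = [
    {"accountId": "jdoe", "email": "jdoe@example.com",
     "firstname": "Jane", "lastname": "Doe", "employeeId": "1001"},
    {"accountId": "jdoe2", "email": "jdoe@example.com",
     "firstname": "John", "lastname": "Doe", "employeeId": "1002"},
    {"accountId": "asmith", "email": "asmith@example.com",
     "firstname": "Ann", "lastname": "Smith", "employeeId": "1003"},
]

COMPANY_DOMAINS = {"example.com"}  # constructed "login group" check


def email_in_company_domain(email, domains=COMPANY_DOMAINS):
    """First stage from the post: quiz the mail side before searching the
    directory, so addresses outside the company never reach the search."""
    _, sep, domain = email.strip().lower().rpartition("@")
    return bool(sep) and domain in domains


def correlate(users, email, attrs):
    """Stand-in for a User Correlation Rule: a candidate must match the
    email (case-insensitive) and every non-empty submitted attribute."""
    email = email.strip().lower()
    wanted = {k: v.strip().lower() for k, v in attrs.items() if v and v.strip()}
    return [u for u in users
            if u["email"].lower() == email
            and all(str(u.get(k, "")).lower() == v for k, v in wanted.items())]


def forgot_user_id(users, email, attrs):
    """Returns (outcome, account_id, notify_address). The ID is only ever
    released for exactly one match; the ambiguous case is reported so the
    implementor can decide what to do (here it discloses nothing)."""
    if not email_in_company_domain(email):
        return Outcome.NOT_FOUND, None, None
    hits = correlate(users, email, attrs)
    if len(hits) == 1:
        return Outcome.MATCHED, hits[0]["accountId"], hits[0]["email"]
    if not hits:
        return Outcome.NOT_FOUND, None, None
    return Outcome.AMBIGUOUS, None, None


def requester_message(outcome):
    """Screen text; NOT_FOUND and AMBIGUOUS deliberately read the same so the
    form does not reveal whether an address has accounts behind it."""
    if outcome is Outcome.MATCHED:
        return "Your user ID has been sent to the email address on file."
    return "The information submitted did not match a single account."


if __name__ == "__main__":
    for email, attrs in [("JDoe@Example.com", {"firstname": "Jane"}),
                         ("jdoe@example.com", {"lastname": "Doe"}),
                         ("jdoe@gmail.com", {"firstname": "Jane"})]:
        outcome, account, notify = forgot_user_id(USERS, email, attrs)
        print(outcome.name, account, notify, "|", requester_message(outcome))
```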


Wednesday Oct 31, 2007

What's New In IdM 7.1 Cont'd - Security - New End User Group

One of the new features that adds to the flexibility of setting up roles, organizations, and users is the addition of a new End User Group Object in Sun Java System Identity Manager 7.1.

The purpose of this new group, which is automatically assigned as a member of the TOP organization node, is to give the administrator more flexibility in ensuring basic privileges are given to all users, or at least that rules are tested on each user IdM handles.

Say, for example, all employees get access to an email account and a building security card, and there are two locations they can be assigned to (Campus East or Campus West). Before, the administrator would create two organizations under TOP (Campus A and Campus B) and had to write policies to assign email accounts and security accounts, and assign the right ones to the right organization. If any changes were made, they had to ensure both organizations' rules and policies were corrected for the new change. And what about the new "work from home" policy, where employees get a different security account at either one of the two campuses? Makes for some creative account writing.

Now the administrator can write just one set of rules and policies and assign them to this new End User Group. It is a catch-all group that theoretically every employee account will be tested against after it has been run through all other org-based tests and assignments. Once the employee is placed in their correct organization and the rules and policies are applied to the user account, they are then run through the End User Group for final determination of end user privileges.

This is very similar to the "Default User" account in Windows. When a user logs in, they are given not only their own account privileges, but also additional access based on the "Default User" account. Now a policy (for determining campus security access) can be written once and applied to the End User Organization. The user accounts will be processed according to traditional organization assignments (Campus A, Campus B, and WorkFromHome), and then the end user will run through the End User Group to determine final account privileges.

Now when the end user logs into the end user interface, they will be automatically evaluated against the built-in End User Controlled Organizations rule, which can return one or more organizations the user can control. This centralizes some of the tasks in determining the end user capabilities and should be considered a best practice going forward for assigning Roles, Resources, and Tasks.

To manage this new capability around end user assignments, a new End User Administrator capability has been added to the system and is initially assigned to Configurator. Note that this is assigned during user login, so any change in assigning this capability will not affect users currently logged into the system; they would have to log out and back in to gain the capability.


Tuesday Oct 30, 2007

Identity Manager 7.1 - What's new? - Delegation Work Items

When an approver needs to delegate a work item (provisioning approval, audit remediation, mitigation, attestations, etc.) due to vacation or some other reason, the approver enters IdM and assigns a delegate to handle the approvals for a set period of time. This was a powerful and needed capability. But real-life production deployments found some shortcomings that have been addressed in IdM 7.1.

First is the all-or-nothing approach to delegation. All work items were treated the same, and you could delegate all of them to one or more delegates (thus giving them temporary super powers they may not already have). But real life is more complex than that. A manager going on vacation may want approvals to go to the department supervisor running things while they are gone, but audit-type attestations and remediations to go to the department finance person, just to keep everyone honest.

Now in 7.1, as a developer, you can treat the different work items differently when it comes to delegation. First off, work items come out of the box in the following flavors:
  • Approvals
  • Organizational Approvals
  • Resource Approvals
  • Role Approvals
  • Attestation
  • Review
  • Access Review Remediation
As implementor, you can extend these work items as well within the IDE/BPE editor. Just extend the WorkItemType. Also important: you can create a hierarchy of work item types.

Now when you go into IdM 7.1, instead of delegations there are work items (as there is more than just delegation possible), and the screens let the user filter different work items and delegate them to others. This is a powerful feature that allows the implementor to address a slew of needed capabilities that were not available before (and certainly not in our competitors' products). The ability to classify work items, extend them, and create a hierarchy adds a great deal of flexibility to the Sun IdM product.

One other fix to mention: what if the person delegated to is deleted or disabled? In prior versions, someone would have to go in and either delete or redirect the work items back to the delegator. In the new version, if the target person is deleted or disabled, the delegator will see that the work items they delegated have been returned, with the disabled delegatee's name in parentheses to indicate they can no longer manage the delegation. The delegator can then reassign the work items to someone else.


Wednesday Sep 12, 2007

Identity Manager 7.1 - What's New Part 1 - HOD Replaced with Attachmate Libraries

I promised to get some new features out, so here goes. In no particular order, I will review the new features in Sun Java System Identity Manager 7.1.

One of the most important new features is the updating of all host access resource adapters that previously used the IBM Host On-Demand (HOD) libraries to access IBM-style mainframe security systems. This would be RACF, ACF2, the Scripted Host Adapter, etc.

We had employed the HOD libraries to drive the Sun IdM resource adapters. You would install HOD on the same machine or include the "freely" available habeans.jar (which contains habase.jar, hacp.jar, ha3270.jar, hassl.jar, and hodbase.jar) so the resource adapter would be able to create a session and speak to the host at a level sufficient to manage user accounts.

I put "freely" in quotes because IBM's documentation and licensing agreements encourage you to use these jars within your own application. But true to their heritage, once you use the HOD libraries for free, they try and nail you for licensing fees on the back end in production. This is not a competitor going ouch; I used to be an IBM WebSphere Platinum Partner. Why do you think I have worked for Sun for the last 5 years?

What has been happening, since we have been beating bloated Tivoli Identity Manager, is that the IBM sales team has turned on its own customers and tries to rape and pillage them for using these jar files. Their warped sense of humor had their sales reps interpret the license agreement, which says any account that accesses the mainframe through the jar files needs a license. Since Sun's IdM provisions all accounts into the host, IBM tried to enforce that every account had to purchase a HOD license. This is just plain stupid; only the admin account connected to the mainframe needs a license (read your own software agreement), not every user in the company.

This led to the problem in several accounts where IBM, who lost out to Sun on the IdM software, tried to "impart a license fee" (there are better words for it, but would you really do this to your best customers?) of literally millions of dollars for HOD's use. Often the HOD jars cost more than the entire IdM project. How IBM customers can remain loyal in the face of such bad vendor behavior is a topic for another blog.

Anyway, we have a solution here at Sun. Instead of relying solely on HOD, we have come to an agreement with Attachmate to implement their WRQ libraries as an alternative to IBM's HOD. You will have to license the library through Sun even if you already have an Attachmate license, as we use a slightly modified version of the library for support purposes. Hey, that's the way the corporate suits and lawyers set it up.

Now all Sun IdM host adapters will default to using the Attachmate libraries instead of IBM's HOD, though HOD is still supported (through v9; it seems IBM moved away from the OHIO interface in v10); see, we try not to lock in our customers. You will need to upgrade to Sun IdM 7.1 for full support, but there are no changes to your code, as the changes are done under the resource adapter covers.

If you are interested in more details, contact your local Sun software rep for more information.

IBM. Seems we like your loyal customers better than you do.


Wednesday Sep 05, 2007

Sun Identity Management and Gartner Magic Quadrant

Yeah, yeah, I know. I have not been blogging recently. I have a new role in partner technical enablement and have been busy, busy with them getting everyone moving forward. Now that the kids are back in school and the Great Dane puppy is sleeping through the night (it's a rescue, but it has been like having another baby in the house), things should be settling down. I may even get the canoe down to the lake and finally put it in the water.

But that brings me to this good news: Gartner has Sun as the Leader in Identity Management again. We don't take this lightly. A copy of the report will be available shortly for public consumption. What is particularly pleasing is that the analysts point out one of Sun's strengths is the partner delivery ecosystem we have been able to generate. That's right, one of the strengths of our products is you folks out there who have made the commitment to our Identity Management product line and are executing in the trenches every day.

Which explains why I have been so busy recently with partner technical enablement. We are committed to improving your ability to execute, making the product more powerful yet easier to implement.

So to all Identity Crisis loyalists who spend the long hours working for clients implementing our products, we just wanted to say thank you; you do make a difference for us. We also want to let you know that just because we are in the driver's seat does not mean we are going to relax and enjoy the success. Quite the opposite; we are going to redouble our efforts to move even further ahead in the industry.

Now pat yourself on the back and get back to work! We are!


Monday Jun 25, 2007

New in IdM 7.1: Periodic Access Review Improvements

One of the key improvements in IdM 7.0 was the re-integration of Sun's Identity Auditor back into the core Sun Identity Manager product. The original idea was to fork the core code and offer an auditing product that could look down the same resource adapters to view user account information and check for security audit and separation-of-duty violations. That is the way it works in 6.X.

But fortunately, clearer heads prevailed, and in 7.0 the code fork was removed and the two became one again (and so did the license, saving you money by not having to purchase two products). The reason was simple: provisioning and auditing go hand in hand, yin and yang, Abbott and Costello, etc. With the products split, you only had the ability to do postmortems on problems introduced into your identity infrastructure. Create a security violation and it may be a week before an audit catches it, if it does at all.

What if you could catch it before creating the problem? With 7.X, you can add a policy check to your provisioning workflows to do an on-the-spot audit check before you create a problem you then have to find later. In your workflows you can basically say, "OK, I know how I want to provision this user, but before I do, let me check with the current auditing and security policies and ensure the user's provisioning does not violate any of them." Don't forget, the auditing security policies can change at any time. So this step saves creating a problem you may not detect until you do an audit scan.

The big improvement now in IdM 7.1 is improved attestation, or periodic access review. One of the new burdens for systems managers due to Sarbanes-Oxley is the need to periodically (once a quarter, month, or week) review who has access to your systems and whether they should continue to have it. This PAR requirement has identity management teams scrambling to issue reports to managers to attest that the user accounts are valid and to ensure the systems managers respond in a timely fashion.

But fret no more; Sun's IdM 7.1 has a new PAR subsystem built into it to make PARs almost OOTB. You can set a review task to start on a regular basis to scan all user accounts and send a report to the manager of a resource or organization unit (or to both) to validate the user accounts on their system. There are new reports available to help managers review the user accounts and quickly attest or challenge (or pass on to a delegate) the users' access. There are summary reports that can help auditors see the state of each PAR and determine which managers have not responded yet.

One other feature I will mention in passing, which I will go into in more detail in a future posting, is the ability of an attesting manager to request that a user's account information be refreshed from live data at the time of attestation. This ensures the audit is working on current-state data, not the data at the time of the original scan. More later.


Monday Jun 18, 2007

New in 7.1: Delegation by type

One of the nice features in 7.0 is the ability to delegate your responsibility to someone else. All delegation chains are recorded for a legitimate audit trail, are checked to avoid circular delegation (the buck passes all the way back to you), and are set for a time limit (just for next week while I am on vacation!).

In 7.1, you can now do delegation by type. This is an extension of the work item types and can be extended by your development team to handle any delegation types you want. Out of the box, delegations can now be split along task types.

Examples are best. In 7.0, you could pick Jerome to handle all of your delegations next week while you are on vacation.  In a 7.1 deployment, you could have Jerome handle your approvals, Kathy your account attestations, and Chick, your role request approvals.

The out of the box tasks include:
  1. Approvals
  2. Organization Approvals
  3. Resource Approvals
  4. Role Approvals
  5. Attestation
  6. Review
  7. Access Review Remediation
Delegations can be canceled at any time and can be canceled by type.

There is now a new configuration type, "workItemTypes", which is an extension of either the above tasks (Attestations, Review, etc.) or of the base workItem. This gives your project considerable flexibility to add its own custom tasks and permit their delegation separately from the other types of delegations.

Delegations in 6.0 will be upgraded to the new configurations on an upgrade to 7.1.
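As an added example that is not Sun IdM code, the following Python sketch covers both this post and the Oct 30 Delegation Work Items post: a work item type hierarchy, delegation by type with a time limit, the circular-delegation check, cancel by type, and the return of items to the delegator when the delegate is disabled. The out-of-the-box type names are from the posts; the people, dates and the custom "Emergency Approvals" type are assumptions.

```python
"""Delegation by work item type as the two delegation posts describe it: a
hierarchy of work item types (delegating a parent type covers its children),
a time limit, a circular-delegation check, cancel by type, and return to the
delegator with the disabled delegate's name in parentheses. Added example,
not Sun IdM code; type names come from the posts, the rest is constructed."""

from dataclasses import dataclass
from datetime import date

# child type -> parent type; "WorkItem" is the base everything extends
WORK_ITEM_TYPES = {
    "Approvals": "WorkItem",
    "Organization Approvals": "Approvals",
    "Resource Approvals": "Approvals",
    "Role Approvals": "Approvals",
    "Attestation": "WorkItem",
    "Review": "WorkItem",
    "Access Review Remediation": "WorkItem",
    "Emergency Approvals": "Approvals",  # hypothetical implementor extension
}


def ancestors(work_item_type):
    """The type itself, then its parents up to and including WorkItem."""
    chain = [work_item_type]
    while chain[-1] in WORK_ITEM_TYPES:
        chain.append(WORK_ITEM_TYPES[chain[-1]])
    return chain


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    work_item_type: str
    start: date
    end: date

    def active_on(self, day):
        return self.start <= day <= self.end

    def overlaps(self, other):
        return self.start <= other.end and other.start <= self.end


class DelegationRegistry:
    def __init__(self, disabled_users=()):
        self.delegations = []
        self.disabled = set(disabled_users)  # deleted or disabled accounts

    def add(self, d):
        """Reject a delegation whose chain would pass the buck back to d.delegator."""
        if self._creates_cycle(d):
            raise ValueError(f"circular delegation: {d.delegator} -> {d.delegate}")
        self.delegations.append(d)

    def cancel(self, delegator, work_item_type=None):
        """Cancel all of a delegator's delegations, or only one type of them."""
        self.delegations = [d for d in self.delegations
                            if d.delegator != delegator
                            or (work_item_type is not None and d.work_item_type != work_item_type)]

    def _creates_cycle(self, new):
        # A delegation of type X interacts with one of type Y only when one
        # type is an ancestor of the other and their time windows overlap.
        frontier, seen = [new.delegate], set()
        while frontier:
            person = frontier.pop()
            if person == new.delegator:
                return True
            if person in seen:
                continue
            seen.add(person)
            frontier += [d.delegate for d in self.delegations
                         if d.delegator == person and d.overlaps(new)
                         and (d.work_item_type in ancestors(new.work_item_type)
                              or new.work_item_type in ancestors(d.work_item_type))]
        return False

    def delegate_for(self, holder, work_item_type, day):
        """Most specific active delegation wins: the exact type before its parents."""
        for t in ancestors(work_item_type):
            for d in self.delegations:
                if d.delegator == holder and d.work_item_type == t and d.active_on(day):
                    return d.delegate
        return None

    def resolve(self, owner, work_item_type, day):
        """Follow the chain from the owner; returns (assignee, annotation).
        A disabled delegate sends the item back to the previous holder,
        annotated with the disabled name in parentheses."""
        holder, seen = owner, {owner}
        while True:
            nxt = self.delegate_for(holder, work_item_type, day)
            if nxt is None:
                return holder, ""
            if nxt in self.disabled:
                return holder, f"({nxt})"
            if nxt in seen:  # defensive; add() already rejects cycles
                raise ValueError("circular delegation chain")
            seen.add(nxt)
            holder = nxt
```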


Sun Identity Manager (IdM) 7.1 New Features - Forgot Your User ID

OK, time to start reviewing the new features in Sun Identity Manager version 7.1. I should cover all the major points in the next few blogs.

The first change you can see:

We have added the "Forgot Your Password" functionality to login screens. Clicking on this takes you to the answer-security-questions screen.

The user will have to match a known IdM account. The user ID will be forwarded to the known mail address on file with IdM, and the password will be reset and require a reset on login.

All OOTB. 

Tuesday Jun 05, 2007

Microsoft Identity Lifecycle Manager 2007

I have been doing some more research on where the competition is at and have been asked some questions around Microsoft's offering of MIIS, for which our IdM has a resource adapter. Actually, it's our SQL Server adapter customized for managing the MIIS tables directly.

I decided to catch up on the announcements Microsoft made at the RSA 2007 conference and got a chance to watch the Microsoft clip on the newly announced Microsoft Lifecycle Manager 2007. You will have to watch it through IE, as MS cannot seem to get a clip to stream through Firefox, even into its own Media Player 10.

All I can say is wow, are they far behind. The product lead discusses how the yet-to-be-released MLM will handle user lifecycle identities (like "provisioning" and "deprovisioning" users from multiple directories).

And, hold on to your hats: in the middle of 2008, MLM v2 will be introduced, which will allow "end user complete control of their lives, like password resets". It will even "implement password policy enforcement". Wow, like how cool is that!

Waveset and the subsequent Sun Identity Manager versions (as well as many of our competitors) have had these features for years, some out of the box. Why would anyone wait a year for features that we implemented (not just introduced) nearly 5 years ago?

Microsoft is known not to be at the forefront of technology, but this is way late to the game. And they seem proud of their announcement.

As many of you know, I am normally not into bashing the competition (we let our products speak for themselves), but this was just too entertaining not to share.

Maybe by 2010 they can have version 3 out that will help with compliance auditing, attestations/periodic access reviews, and separation-of-duty review. Oops, we have had that for nearly two years and are on our third iteration.

You must really buy into the MS dogma if you find MLM 2007 exciting and bet your identity infrastructure on its future deliverables.


Monday Jun 04, 2007

Sun Identity Manager Release 7.1

Friday was the official release of IdM 7.1. It will be the basis for the next couple of blogs.

Please download it from

New in this release 7.1:

Periodic Access Review Enhancements
  • Dashboard view
  • Remediation request during PAR
  • Entitlement history
Advanced Auditing Capabilities
  • Policy violation prioritization
  • Audit policy scan scheduling
  • "Test" mode ability for audit policy scans (What-If analysis)
  • Audit Log Publishers (JMX, JMS, and Scripted)
Resource Adapters Additions and Updates
  • Hybrid LDAP/RACF Mainframe Adapter (New)
  • SAP GRC Access Enforcer (Virsa) (New)
  • Lotus Notes 7.0 (updated)
  • PeopleSoft HRMS 9.0 (updated)
  • BMC Remedy Service Desk 7.0 (updated)
  • Novell GroupWise 7.0 (updated)
Other Improvements to:
  • Administrative and End User Interface
  • Identity Manager IDE
  • Role delegations
Bug Fixes and Platform Support Updates


Friday Jun 01, 2007

Like, how lame is that!

Hi all.

I have been busy as anything for the last few months and have kind of dropped out of the blogging habit, but I ran across something today that I thought might entertain a little.

I was doing some research on IBM's TIM versus Sun's Identity Manager (we have replaced TIM implementations on a regular basis).

I was using the IBM public website to review information about the latest on TAM.

In the middle of the page is a link for "Analyst Report: Gartner's Magic Quadrant for User Provisioning for 1H06". After you pass through one screen warning you that the next screen is out of IBM's control, you go to the Gartner site and see a Magic Quadrant report with IBM clearly in the upper right.

But here's the funny thing: it's not the report you think. It's the Magic Quadrant for Security Information and Event Management, 1H06, a category Sun does not have an entry in. If you weren't paying attention, you would think IBM is the leader in Identity Management.

If you look at the real Gartner report, you will see IBM up there. Well behind Sun.

Nice bait and switch. Made my day!

Anyway, hope to blog more now that Sun IdM 7.1 is on the way.


Thursday Jan 18, 2007

Time to Embrace Meta View

Questions keep arising around Sun Identity Manager's MetaViews. I thought a brief attempt at an explanation might help.

As a workflow engine, IdM's raison d'être is to collect and manipulate attributes about users and their accounts throughout the IT infrastructure. FirstName and LastName attributes may be retrieved from the HR system, passed through a rule that manipulates the strings to create a userid (perhaps LastName + the first two letters of the first name), and then pushed down a resource adapter as an attribute. Individual forms can then validate and further manipulate it during this process.

At the end of the project, you end up with an intricate tapestry of workflows and manipulations. Any change to the attribute logic or manipulation means you have to figure out where it is being used and which forms, rules and resources work with it. It gets sticky fast.

MetaViews flip this problem inside out to greatly simplify the building and maintenance of provisioning workflow logic. A "Meta View" of the user is logically created within the workflow as an object, and each attribute is responsible for expressing itself. The meta view attribute knows where to gather its "inbound" user information (from HR, perhaps) and how to manipulate the information (perhaps by running the above-mentioned rule). Then every resource adapter that needs that information just maps to the meta view attribute.

This centralizes all of the information within the workflow in one location. Need to make a change? Only modify the metaview, and all references to that attribute receive the update. Need to change an authoritative resource? In the old method, you would have to find all references to the resource attributes and logic and update them to reflect the shift in source. But in the meta view approach, all you have to do is repoint the attribute to the new resource. All other references stay the same.

It's a new concept, and we realize it will take some time for designers and developers to get used to. In Sun IdM 6.X, the concept was introduced as an option. In IdM 7.X, it is a clear choice and encouraged by the administration screens. Logic would indicate that in 8.X it will continue its move to center stage.

So review the documentation on Meta View and at least get the concepts down. Perhaps build some simple logic using the approach; it will take some getting used to. If you are just starting out on an IdM development project, give a serious look at going the meta view route for the project.
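A small Python sketch of the Meta View idea, added here and not Sun IdM code: each view attribute knows its inbound source or its rule, resources map onto view attributes, and repointing one attribute moves the authoritative source without touching any resource mapping. The feeds, resource mappings and attribute names are constructed; the userid rule is the one mentioned above.

```python
"""Sketch of the MetaView idea from the post: each view attribute knows its
inbound source and how to derive itself, resources map to view attributes,
and an authoritative source is changed by repointing one attribute.
Added example, not Sun IdM code; the HR and contractor feeds, the resource
mappings and the attribute names are constructed. The userid rule is the one
the post mentions (LastName + first two letters of the first name)."""


class MetaViewAttribute:
    """Either sourced from an inbound feed (source, source_attr) or derived
    by a rule that reads attributes already present in the view."""

    def __init__(self, source=None, source_attr=None, rule=None):
        if (rule is None) == (source is None):
            raise ValueError("give exactly one of source/source_attr or rule")
        self.source, self.source_attr, self.rule = source, source_attr, rule

    def evaluate(self, feeds, view):
        if self.rule is not None:
            return self.rule(view)
        return feeds[self.source][self.source_attr]


class MetaView:
    def __init__(self):
        self.attributes = {}  # insertion order is evaluation order

    def define(self, name, **spec):
        self.attributes[name] = MetaViewAttribute(**spec)

    def repoint(self, name, source, source_attr):
        """Change where one attribute is authoritative; nothing else moves."""
        self.attributes[name] = MetaViewAttribute(source=source, source_attr=source_attr)

    def build(self, feeds):
        """Let every attribute express itself, earlier ones first so rules
        can read the attributes they depend on."""
        view = {}
        for name, attr in self.attributes.items():
            view[name] = attr.evaluate(feeds, view)
        return view


def userid_rule(view):
    """Rule from the post: LastName + first two letters of the first name."""
    return (view["lastname"] + view["firstname"][:2]).lower()


def provision(view, resource_mappings):
    """Each resource adapter just maps its own attributes onto view attributes."""
    return {res: {ra: view[va] for ra, va in mapping.items()}
            for res, mapping in resource_mappings.items()}


# constructed inbound feeds and resource mappings
FEEDS = {
    "hr": {"FIRST_NAME": "Jane", "LAST_NAME": "Doe", "EMP_NO": "1001"},
    "contractors": {"givenName": "Jane", "surname": "Doe-Smith", "badge": "C-77"},
}
RESOURCE_MAPPINGS = {
    "ldap": {"uid": "userid", "givenName": "firstname", "sn": "lastname"},
    "email": {"mailbox": "userid", "displayName": "fullname"},
}


def standard_view():
    """The one place attribute sourcing and derivation are defined."""
    mv = MetaView()
    mv.define("firstname", source="hr", source_attr="FIRST_NAME")
    mv.define("lastname", source="hr", source_attr="LAST_NAME")
    mv.define("userid", rule=userid_rule)
    mv.define("fullname", rule=lambda v: f"{v['firstname']} {v['lastname']}")
    return mv


if __name__ == "__main__":
    mv = standard_view()
    print(provision(mv.build(FEEDS), RESOURCE_MAPPINGS))
    mv.repoint("lastname", "contractors", "surname")  # only this line changes
    print(provision(mv.build(FEEDS), RESOURCE_MAPPINGS))
```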

Sean ONeill

