

CA DLP Connector Specific Features

This section details the management features of your connector, including account, group, and least privilege information for your connector.

How to Rename CA DLP Connector User Attributes

CA DLP Connector account management screens use the labels User Attribute 1 – User Attribute 10 by default on the User Attributes 1 and User Attributes 2 tabs in the CA Identity Manager User Console.

If you rename user attributes in your CA DLP environment, we recommend that you also rename the corresponding user attributes in the CA DLP Connector account management screens. Using identical attribute names in your CA DLP environment and the CA DLP Connector account management screens makes administration easier.

For example, if you rename User Attribute 1 to City in your CA DLP environment, you can change the name of User Attribute 1 to City in the CA DLP Connector account management screens. You can change the name of the user attribute by editing the metadata of the CA DLP Connector by using Connector Xpress.

To rename a user attribute in the CA DLP Connector account management screens, do the following:

  1. Edit the metadata of the CA DLP Connector using Connector Xpress as follows:
    1. Create a Connector Xpress project based on the existing CA DLP Connector metadata.
    2. Rename the CA DLP Connector user attribute so that its name matches the corresponding user attribute in your CA DLP environment.

      Important! We recommend that you edit only the Name attribute in the CA DLP Connector metadata. Editing other attributes can make the CA DLP Connector inoperable.

    3. Redeploy the CA DLP Connector metadata to the provisioning server.
  2. Generate the CA DLP account management screens, as follows:
    1. Use the Role Definition Generator to generate the CA_DLP.jar file.

      The CA_DLP.jar file contains the role, task, and screen definitions for the CA DLP account management screens in the CA Identity Manager User Console.

    2. Import the CA_DLP.jar file into the CA Identity Manager User Console.

Example: Edit the metadata of the CA DLP Connector using Connector Xpress

The following example shows you how to rename a CA DLP user attribute on the CA DLP account management screen so that it matches the name of the corresponding attribute in your CA DLP environment. You rename the attribute by using Connector Xpress to edit the CA DLP Connector metadata. This example assumes that you have changed the name of the User 1 Attribute in your CA DLP environment to City.

This example shows you how to change the name of User Attribute 1 to City on the User Attribute 1 tab in the CA Identity Manager User Console.

To edit the metadata of the CA DLP Connector using Connector Xpress

  1. Start Connector Xpress.
  2. If necessary, add and configure the provisioning server that manages the CA DLP Connector.
  3. In the Provisioning Servers tree, navigate to your CA DLP endpoint.
  4. Right-click the CA DLP endpoint, then click Create a Project.

    Connector Xpress creates a project based on the existing CA DLP Connector metadata.

  5. In the Mapping Tree, expand the Classes Node, expand the eTDYNAccount node, then expand the Attributes node.
  6. Click the User Attribute 1 node.

    The Attribute Details dialog appears.

  7. In the Name field, change the name of the attribute to City.
  8. In the Provisioning Servers tree, navigate to your CA DLP endpoint.
  9. Right-click the CA DLP endpoint, then click Deploy Metadata.

    The Deploy Metadata dialog appears.

  10. When prompted, increase the version number of the CA DLP Connector and confirm that you want to deploy the new metadata to the provisioning server.

    Connector Xpress deploys the CA DLP Connector metadata to the provisioning server.

    Next, use the Role Definition Generator to generate the CA DLP account management screens.

Note: For more information about how to add and configure a provisioning server, create a Connector Xpress project, and generate CA Identity Manager User Console account management screens, see the Connector Xpress Guide.

Example: Generate CA DLP account management screens using the Role Definition Generator

This example shows you how to use the Role Definition Generator to generate the CA_DLP.jar file and how to import it into the CA Identity Manager User Console to generate DLP account management screens. This example uses a provisioning server named myProvisioningServer, with administrator login name AdminLogin for a CA DLP endpoint named CA DLP.

This example assumes that you have edited the metadata of the CA DLP Connector using Connector Xpress and renamed User Attribute 1 to City.

Note: For more information about how to use the Role Definition Generator, see How you Generate CA Identity Manager User Console Account Screens in the Connector Xpress Guide.

To generate CA DLP account management screens using the Role Definition Generator

  1. On the computer where you installed CA Identity Manager, stop the CA Identity Manager Server.
  2. Navigate to the following folder:
    <jboss_home>\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\lib 
    
  3. Back up the current CA_DLP.jar file.

    Making a backup of the CA_DLP.jar file allows you to restore the previous version of the CA DLP Connector metadata and revert to the previous version of the CA DLP account management screens, if necessary.

  4. Navigate to one of the following directories according to your operating system:
  5. Open a Command Prompt window or a terminal window according to your operating system, then enter one of the following commands:

    For example:

    RoleDefGenerator.bat -d im -h myProvisioningServer -p myport -u Adminlogin "CA DLP"
    

    When prompted, enter the provisioning server password.

    The Role Definition Generator creates the CA_DLP.jar file and puts it in the following folder by default:

    <identity manager_home>\RoleDefinitionGenerator\bin
    

    Note: For more information about the Role Definition Command, see the Connector Xpress Guide.

  6. Copy the CA_DLP.jar that you generated to the following folder:
    <jboss_home>\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\lib
    
  7. Restart the CA Identity Manager Server.

    CA Identity Manager loads the new role, screen, and task definitions for the CA DLP account management screens.

  8. Start the CA Identity Manager Management Console.
  9. Click Environments, then click the environment that you want to change.

    The Environment Properties page appears.

  10. Click Role and Task Settings, then click Import.

    CA Identity Manager displays the currently installed version of the CA DLP metadata in the Installed Version column. The version of the CA DLP Connector metadata that you deployed to the Provisioning Server in Step 6 appears in the Version column.

  11. In the Name column, select the check box next to CA_DLP, then click Finish.

    CA Identity Manager deploys the role definitions, screens, tasks, and roles for the CA DLP Connector and updates the CA Identity Manager environment you selected.

  12. Click Continue, then click Restart Environment.
  13. Start the CA Identity Manager User Console.
  14. Verify that CA Identity Manager has renamed the User Attribute 1 field to City, as follows:
    1. In the CA Identity Manager User Console, view the CA DLP account of a user.
    2. Click the User Attributes 1 Tab.
    3. Verify that CA Identity Manager has renamed the User Attribute 1 field to City.

How to Create Custom User Categories

CA DLP Connector account management screens display the same user categories used in CA DLP by default. For example, Administrator, Manager, User, Policy Administrator, and Reviewer.

CA DLP supports the addition of new user categories. If you add a user category in your CA DLP environment, we recommend that you also add the new user category to the CA DLP Connector account management screens. Adding user categories to the CA DLP Connector account management screens to match the user categories on your CA DLP endpoint makes administration easier.

For example, if you add a user category named Assistant Manager to your CA DLP environment, you can add a user category attribute named Assistant Manager to the CA DLP Connector account management screens.

You can add the new user category attribute by using Connector Xpress to edit the metadata of the CA DLP Connector.

To create a custom user category on the CA DLP Connector Account tab in the CA Identity Manager User Console account management screens, do the following:

  1. Edit the metadata of the CA DLP Connector using Connector Xpress as follows:
    1. Create a Connector Xpress project based on the existing CA DLP Connector metadata.
    2. In Connector Xpress, add the same User Category attribute that you added to the CA DLP endpoint.
      Important! We recommend that you edit only the DLPUserCategory attribute in the CA DLP Connector metadata. Editing other attributes can make the CA DLP Connector inoperable.

    3. Redeploy the CA DLP Connector metadata to the provisioning server.
  2. Generate the DLP account management screens, as follows:
    1. Use the Role Definition Generator to generate the CA_DLP.jar file.

      The CA_DLP.jar file contains the role, task, and screen definitions for the DLP account management screens in the CA Identity Manager User Console.

    2. Import the CA_DLP.jar file into the CA Identity Manager User Console.

Example: Edit the metadata of the CA DLP Connector using Connector Xpress

The following example shows you how to add a CA DLP user category attribute named Assistant Manager to the CA DLP account management screen. You add the attribute by using Connector Xpress to edit the CA DLP Connector metadata. This example assumes that you have added a user category named Assistant Manager to your CA DLP environment.

This example shows you how to add a user category named Assistant Manager to the Account Management tab in the CA Identity Manager User Console.

To edit the metadata of the CA DLP Connector using Connector Xpress

  1. Start Connector Xpress.
  2. If necessary, add and configure the provisioning server that manages the CA DLP Connector.
  3. In the Provisioning Servers tree, navigate to your CA DLP endpoint.
  4. Right-click the CA DLP endpoint, then click Create a Project.

    Connector Xpress creates a project based on the existing CA DLP Connector metadata.

  5. In the Mapping Tree, click the Custom Types node.

    The Custom Types dialog appears.

  6. Under Enumerated Types, click DLPUserCategory.
  7. In the Values list, click Add, then enter the following:
    Value

    Defines the value of the enumerated type used on the endpoint system.

    Example: Assistant Manager

    Display Name

    (Optional) Defines the name of the enumerated type displayed in the CA Identity Manager User Console.

    Example: Assistant Manager

    Ordinal

    (Optional) Defines the order of the enumerated values.

    Example: 2

  8. In the Provisioning Servers tree, navigate to your CA DLP endpoint.
  9. Right-click the CA DLP endpoint, then click Deploy Metadata.

    The Deploy Metadata dialog appears.

  10. When prompted, increase the version number of the CA DLP Connector and confirm that you want to deploy the new metadata to the provisioning server.

    Connector Xpress deploys the CA DLP Connector metadata to the provisioning server.

    Next, use the Role Definition Generator to generate the CA DLP account management screens.

Note: For more information about how to add and configure a provisioning server, create a Connector Xpress project, and generate CA Identity Manager User Console account management screens, see the Connector Xpress Guide.

Example: Generate CA DLP account management screens using the Role Definition Generator

This example shows you how to use the Role Definition Generator to generate the CA_DLP.jar file and how to import it into the CA Identity Manager User Console to generate DLP account management screens. This example uses a provisioning server named myProvisioningServer, with administrator login name AdminLogin for a CA DLP endpoint named CA DLP.

This example assumes that you have edited the metadata of the CA DLP Connector using Connector Xpress and added a new user category named Assistant Manager to the CA DLP account management screens.

Note: For more information about how to use the Role Definition Generator, see How you Generate CA Identity Manager User Console Account Screens in the Connector Xpress Guide.

To generate DLP account management screens using the Role Definition Generator

  1. On the computer where you installed CA Identity Manager, stop the CA Identity Manager Server.
  2. Navigate to the following folder:
    <jboss_home>\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\lib 
    
  3. Back up the current CA_DLP.jar file.

    Making a backup of the CA_DLP.jar file allows you to restore the previous version of the CA DLP Connector metadata, and revert to the previous version of the DLP account management screens, if necessary.

  4. Navigate to one of the following directories according to your operating system:
  5. Open a Command Prompt window or a terminal window according to your operating system, then enter one of the following commands:

    For example:

    RoleDefGenerator.bat -d im -h myProvisioningServer -p myport -u Adminlogin "CA DLP"
    

    When prompted, enter the provisioning server password.

    The Role Definition Generator creates the CA_DLP.jar file and puts it in the following folder by default:

    <identity manager_home>\RoleDefinitionGenerator\bin
    
  6. Copy the CA_DLP.jar that you generated to the following folder:
    <jboss_home>\server\default\deploy\iam_im.ear\user_console.war\WEB-INF\lib
    
  7. Restart the CA Identity Manager Server.

    CA Identity Manager loads the new role, screen, and task definitions for the CA DLP account management screens.

  8. Start the CA Identity Manager Management Console.
  9. Click Environments, then click the environment that you want to change.

    The Environment Properties page appears.

  10. Click Role and Task Settings, then click Import.

    CA Identity Manager displays the currently installed version of the DLP metadata in the Installed Version column. The version of the CA DLP Connector metadata that you deployed to the provisioning server in Step 6 appears in the Version column.

  11. In the Name column, select the check box next to CA_DLP, then click Finish.

    CA Identity Manager deploys the role definitions, screens, tasks, and roles for the CA DLP Connector and updates the CA Identity Manager environment you selected.

  12. Click Continue, then click Restart Environment.
  13. Start the CA Identity Manager User Console.
  14. Verify that CA Identity Manager has added the user category Assistant Manager to the CA DLP account management screens, as follows:
    1. In the CA Identity Manager User Console, view the CA DLP default template.
    2. Click the Account tab.
    3. Verify that CA Identity Manager has added the new user category Assistant Manager.

Least Privilege Considerations

To manage objects on a CA DLP endpoint using the CA DLP Connector, the administrator account that manages the CA DLP endpoint requires the following minimum permissions and privileges:

In CA DLP, the Administrator user category inherits these privileges by default; however, you can configure other user categories to have these privileges.

Note: For more information, see the CA DLP Deployment Guide.

Account Management

You can use the CA DLP Connector to view, create, modify, or delete an account.

Account Suspension and Unlocking

The CA DLP Connector does not support account suspension and unlocking.

Groups and Hierarchies

CA DLP maintains a user hierarchy in which groups can contain users and other groups. The hierarchy is built up dynamically as users are provisioned to CA DLP, and the groups are typically derived from the attributes of the provisioned users.

The CA DLP Connector does not display the CA DLP group hierarchy. However, you can use the CA DLP Connector to provision a user into a group or groups on the CA DLP endpoint.

The account template associated with a CA DLP endpoint lets you define a rule string that specifies the group hierarchy and the groups you want to provision the user to. The rule string is defined in the Groups field.

When you provision a user with the CA DLP Connector, CA DLP dynamically creates the groups and the group hierarchy based on the rule string specified in the Groups field of the CA Identity Manager account template.

For example, specifying the rule string %COUNTRY%/%UC%/%UB%/%UL% in the Groups field groups users by country, city, building, and location on the CA DLP endpoint.
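The following Python snippet is an added illustration of how a rule string such as %COUNTRY%/%UC%/%UB%/%UL% turns per-user attributes into a group path, and how many such paths merge into one hierarchy. It is not the CA DLP Connector's own code: the substitution rule (each %NAME% token is replaced by the user's attribute value, "/" separates hierarchy levels) and the sample user records are assumptions made for this example. The empty-attribute check is included because a user whose attribute is blank would otherwise be silently placed in a wrongly named group, which is worth catching before provisioning rather than after.

```python
import re

# Assumed token syntax, modelled on the rule string shown on the page.
TOKEN = re.compile(r"%([A-Z0-9_]+)%")

# Constructed sample users; the attribute names match the rule-string tokens.
SAMPLE_USERS = [
    {"COUNTRY": "UK", "UC": "London", "UB": "HQ", "UL": "Floor 3"},
    {"COUNTRY": "UK", "UC": "London", "UB": "HQ", "UL": "Floor 5"},
    {"COUNTRY": "US", "UC": "Boston", "UB": "Lab", "UL": "Annex"},
]


def expand_rule(rule, attrs):
    """Return the group names for one user, top level first.

    Raises KeyError if a token has no (non-blank) attribute value, so the
    caller can reject the user instead of creating a misnamed group.
    """
    def substitute(match):
        name = match.group(1)
        value = (attrs.get(name) or "").strip()
        if not value:
            raise KeyError("attribute %s is empty for this user" % name)
        return value

    return [TOKEN.sub(substitute, level) for level in rule.split("/")]


def group_hierarchy(rule, users):
    """Build a nested dict of groups (group name -> child groups) from all users."""
    root = {}
    for attrs in users:
        node = root
        for group in expand_rule(rule, attrs):
            node = node.setdefault(group, {})
    return root


def leaf_paths(tree, prefix=()):
    """Flatten the hierarchy into '/'-joined paths, one per leaf group."""
    if not tree:
        return ["/".join(prefix)]
    paths = []
    for name, child in tree.items():
        paths.extend(leaf_paths(child, prefix + (name,)))
    return paths


if __name__ == "__main__":
    rule = "%COUNTRY%/%UC%/%UB%/%UL%"
    for path in leaf_paths(group_hierarchy(rule, SAMPLE_USERS)):
        print(path)
```

Running the block prints one path per distinct leaf group; a user with a blank attribute raises KeyError from expand_rule rather than producing a path with an empty level.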

Troubleshooting

Unable to View or Modify CA DLP Accounts with Unicode or UTF-8 Characters in the User Console

Symptom:

I created a CA DLP account with Japanese or other non-English characters. When I try to view the account, I get an error message that starts with Not a valid IAM handle, and then contains unintelligible characters.

Solution:

The account was created in CA Identity Manager, but it is not visible in the User Console. However, it is visible in the Provisioning Manager. To display CA DLP accounts created with non-English characters in the User Console, configure the JBoss server.xml file for UTF-8 encoding for URI.

Note: For information about configuring server.xml file for UTF-8 encoding for URI, see Change JBoss server.xml in the User Console Design Guide.
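The following Python snippet is an added illustration, not part of the page or of CA Identity Manager, of why the URI encoding setting matters for such account names. A browser sends the account handle as percent-encoded UTF-8 bytes; if the server decodes the URI with a single-byte encoding (ISO-8859-1 is assumed here as the default to contrast with), a Japanese name comes back as unintelligible characters, which is the kind of corruption the symptom above describes. The sample account name is constructed.

```python
from urllib.parse import quote, unquote

# Constructed sample account name containing Japanese characters.
ACCOUNT_NAME = "山田太郎"


def encode_handle(name):
    """Percent-encode the name as UTF-8, as a browser does when building a URI."""
    return quote(name, safe="")


def decode_handle(encoded, uri_encoding):
    """Decode a percent-encoded URI component using the server's URI encoding."""
    return unquote(encoded, encoding=uri_encoding, errors="replace")


def roundtrip_ok(name, uri_encoding):
    """True if the name survives the encode/decode cycle under uri_encoding."""
    return decode_handle(encode_handle(name), uri_encoding) == name


def describe(name):
    """Show the decoded handle under a UTF-8 and a single-byte URI encoding."""
    encoded = encode_handle(name)
    return {
        "on_the_wire": encoded,
        "utf-8": decode_handle(encoded, "utf-8"),
        "iso-8859-1": decode_handle(encoded, "iso-8859-1"),
    }


if __name__ == "__main__":
    for key, value in describe(ACCOUNT_NAME).items():
        print("%-12s %s" % (key, value))
```

The decoded value under iso-8859-1 has one character per UTF-8 byte, so it is both longer than the original name and unreadable; only the UTF-8 decoding reproduces the account name the user actually entered.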

Removal of Email Address from a CA DLP Account is Ignored

Symptom:

I am modifying a CA DLP account with more than one email address. When I try to remove one of the email addresses in the CA Identity Manager User Console, the changes are applied, but the email address is not removed.

Solution:

Removal of an email address from a CA DLP account is not supported in the CA Identity Manager User Console.

Note: Attempts to delete an email address from a CA DLP account in the CA Identity Manager User Console are recorded in the logs, and include the reason for preventing the operation.

To remove an email address from a CA DLP account, use the CA DLP administrative tools.

Important! Deleting an email address from a DLP account can impair the event tracking and search capabilities of CA DLP.