Author: gnuhpc
Source: http://www.cnblogs.com/gnuhpc/
The concept of a service was introduced in an earlier document. Here we only need to note the following:
1. A profile is required for each service. The profile describes which adapter is used to communicate with the service, which attributes it supports, the layout of its service form, and the layout of its account form.
2. A service selection policy is an automatic allocation mechanism that defines which services are allocated to users. It can use JavaScript to search for services and decide which one to allocate. As an extension of the provisioning policy, it provides the ability to allocate accounts based on the attributes of a user's personal information. There are two scopes: a single level, or a level together with its subtrees.
A service selection policy must be associated with a provisioning policy, and it provides services to users based on the service type. It is triggered automatically when a user is added (and is covered by the provisioning policy), when a user attribute is modified, or when the service selection policy or the provisioning policy is modified. JavaScript example:
function selectService()
{
    // Read the first value of the person's "title" attribute.
    var title = subject.getProperty("title")[0];
    var serviceInstance = null;
    if ((title != null) && ((title == "lead test engineer") ||
        (title == "engineer manager") || (title == "engineer") ||
        (title == "Software Engineer II")))
    {
        // Look up the target service by name and take the first match.
        serviceInstance = ServiceSearch.searchByFilter(
            "(erservicename=Los Angeles engineering server)", 1)[0];
    }
    // null means no service is selected, so no account is created.
    return serviceInstance;
}
return selectService();
This script checks the title of a user. If the title matches one of the four listed titles, an account is created for the user on the service instance returned by searchByFilter. Otherwise, no account is created.
3. Identity Policy:
Defines how a logon ID is automatically created.
4. Password Policy:
Defines password strength and related rules.
5. Reconciliation:
Compares the local user information with the user information stored on the server. It serves two purposes:
A. Import the permission information into the ITIM database.
B. Monitor users entering ITIM.
Step 1: An administrator initiates reconciliation.
Step 2: TIM sends a reconciliation request to the selected service.
Step 3: The service collects the information and returns it to TIM.
Step 4: TIM compares the returned information with LDAP.
Step 5: TIM tries to find the account owner.
Step 6: If the account owner is found, the account change is determined by the provisioning policy.
Step 7: The account is changed according to the policy enforcement setting.
Policy check supervises accounts created or modified outside of ITIM. It is enabled by default; if you do not care about non-compliance or want to improve efficiency, you can disable this option.
When policy check detects a problem, how the problem is handled is set under "Configure Policy Enforcement Behavior". It can also be set under "Configure Global Policy Enforcement".
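The reconciliation steps and the policy check described above, as an added sketch that is not part of the original post and does not use the ITIM API. The sample data, the uid-based owner match, the `entitledGroups` rule and the enforcement action names ("mark", "suspend", "correct") are all assumptions made for illustration.

```javascript
// Toy model of reconciliation steps 4-7; not the ITIM API. All data is constructed.
const people = [
  { uid: "jdoe", title: "engineer" },
  { uid: "asmith", title: "accountant" },
];
// Accounts already recorded in the identity store (LDAP).
const stored = [{ uid: "jdoe", groups: ["dev"] }];
// Accounts the managed service reports back during reconciliation.
const returned = [
  { uid: "jdoe", groups: ["dev", "admin"] }, // modified outside the identity manager
  { uid: "asmith", groups: ["dev"] },        // created outside, owner not entitled
  { uid: "svc_backup", groups: ["admin"] },  // no matching person
];

// Hypothetical provisioning rule: the groups a person's title entitles them to.
function entitledGroups(person) {
  return person.title === "engineer" ? ["dev"] : [];
}
// Order-independent fingerprint of a group list, used for the comparison.
const key = (groups) => [...groups].sort().join(",");

// enforcement is "mark", "suspend" or "correct" (assumed action names).
function reconcile(returned, stored, people, enforcement, policyCheck = true) {
  const known = new Map(stored.map((a) => [a.uid, a]));
  return returned.map((acct) => {
    const base = { uid: acct.uid, groups: acct.groups };
    // Step 4: compare what the service returned with what is stored.
    const prev = known.get(acct.uid);
    base.change = !prev ? "new"
      : key(prev.groups) === key(acct.groups) ? "unchanged" : "modified";
    // Step 5: look for the owner (assumption: account uid equals person uid).
    const owner = people.find((p) => p.uid === acct.uid);
    if (!owner) return { ...base, status: "orphan" };
    // With policy check disabled the account is recorded without evaluation.
    if (!policyCheck) return { ...base, status: "unchecked" };
    // Step 6: evaluate the account against the owner's entitlements.
    const allowed = entitledGroups(owner);
    const extra = acct.groups.filter((g) => !allowed.includes(g));
    if (extra.length === 0) return { ...base, status: "compliant" };
    // Step 7: apply the configured enforcement behaviour.
    if (enforcement === "correct") {
      const fixed = acct.groups.filter((g) => allowed.includes(g));
      return { ...base, status: "corrected", groups: fixed, removed: extra };
    }
    const status = enforcement === "suspend" ? "suspended" : "marked-noncompliant";
    return { ...base, status, violations: extra };
  });
}

["mark", "correct"].forEach((mode) =>
  console.log(mode, JSON.stringify(reconcile(returned, stored, people, mode))));
```

Running it with policy check disabled (fifth argument `false`) still reports the orphan account, but the two out-of-band changes on owned accounts are recorded without being flagged.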
A reconciliation query performs partial reconciliation, using LDAP or selected attributes, to reduce unnecessary queries and comparisons and improve efficiency.