I am about to write a design for an IDM solution. The solution is going
to be an IDM 4.5 system. It has one AD driver, 2 SOAP drivers and
workflows will be developed to handle creations, changes and closing of
users and also management of department structures, such as creating new
departments in the company or removing one. Also reporting will be

So I guess my question is, do you have any best practices on how to go
about this? How would you implement roles and resources? Would you use
nested groups?

A couple of thoughts:

1. I think I will create a role which gives the AD user account.
2. Another role for the Exchange User entitlement.
3. One SOAP driver is for the customer's intranet and only has sync from
IDM to the intranet. I was thinking about a role that grants the user
rights to be synced to the intranet as well, but I don't know if that is a
good idea; there is no entitlement on that driver, but I guess I could
make one, but is that best practice? A user is only allowed to be synced
to the intranet if the user object has a specific attribute set.
4. I have seen other solutions where group membership in eDir is
granted as a dynamic resource from a null driver. You get the resource,
and the value of the resource is the group object. This gives you
reporting options on group memberships, but again, is that best

In general, do you have any advice on how to design this solution? I
have been on multiple projects and we usually do things the same way,
but maybe there are smarter ways of doing things. Have you guys got any

Thanks in advance,


jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=52336
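As an added illustration (not from the original post) of the attribute gate described in point 3, the following DirXML-Script rule vetoes a User event on the intranet driver's Subscriber channel unless a flag attribute is set. The attribute name `intranetEnabled` is a placeholder; the real attribute, the class name and the policy placement (Subscriber Event Transformation) are assumptions to be adapted to the actual design.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Assumed placement: Subscriber channel, Event Transformation policy
       of the intranet SOAP driver. Only users explicitly flagged for the
       intranet are allowed through; everything else is vetoed, so the
       default is "not synced" (least privilege). -->
  <rule>
    <description>Veto intranet sync unless the user is flagged for it</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <or>
          <!-- placeholder attribute: flag is missing entirely ... -->
          <if-attr name="intranetEnabled" op="not-available"/>
          <!-- ... or present but not set to true -->
          <if-attr name="intranetEnabled" op="not-equal">true</if-attr>
        </or>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text>Intranet sync vetoed for </token-text>
          <token-src-dn/>
          <token-text>: flag attribute not set</token-text>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Because the flag lives on the user object, a change to that attribute should also be in the driver filter so that clearing it later produces an event that can remove or disable the intranet account rather than leaving it orphaned.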