Hi to all,

I'm not so familiar with IDM, so I need hints regarding best practices/approach
to provide some of our customers with a SuperUser with rights
to create further customer users
for their own company / in their own context.

The customer's superuser will connect to a web application, log in, and will
be authenticated and authorized via LDAP against eDirectory. Then they
should be able to create users as needed. This will be audited and the
results will be sent to several people, e.g. the customer's superuser,
our support, maybe the just-created user, and so on.

It would be nice (but may also be realized using LDAP queries and
shell scripts) if the superuser is presented with a view of which users
are inactive for a given time and is able to delete them.

What comes to my mind first, and what in fact we currently do with
IDM3.61, is reading an ASCII file with DTD and creating the user from that.
The file will be generated by a web form.
Auditing and emailing the results is quite simple then.

Now I'm looking at IDM 4 and its drivers and new features. What seems
to be another good approach is role-based-provisioning.
So what will be the best way for me (DTD vs. role-based-provisioning)
and what are the advantages of the latter?
Or are there other drivers/tools which will fit for that?

Criteria should be operator convenience to the superuser, security,
auditing and maybe reporting.



