IBM Notes objects such as user accounts, groups, mail-in databases, servers, policies, and certificates can be administered with One Identity Manager. By defining Notes domains in One Identity Manager, you can manage several productive IBM Notes environments in parallel from a single One Identity Manager database. Notes users, that is, the person documents of the Domino Directory, are managed as user accounts in One Identity Manager.
One Identity Manager provides company employees with the user accounts they need. You can use different mechanisms for linking employees to their Notes user accounts. User accounts can also be managed independently of employees, which is how administrative user accounts are set up.
When a new user is registered (certified), a set of user-specific files is generated that the user needs in order to work with IBM Notes. When you add a user with the IBM Notes connector, the user ID file used for authentication, the mailbox file, and the user's personal address book are created. The user ID file contains the user's private key and certificates, so treat it and its initial password as a credential when you deliver them to the user.
Groups and mail-in databases are managed by One Identity Manager alongside user accounts. Groups grant users the access permissions they need, or they serve as email distribution lists. Users send and receive messages through shared mail-in databases once they have been granted access to them. If you add a mail-in database with One Identity Manager, the required mailbox file is created.
Server documents, certificates, policies, and mailbox file templates are only loaded into the One Identity Manager database so that they can be referenced when you set up user accounts and groups. One Identity Manager access lists can be defined for server documents in order to specify who has access to a server and for what reason.
In One Identity Manager, a Notes domain represents the part of a productive IBM Notes system that is managed. For synchronization, One Identity Manager needs access to the Domino Directory of that IBM Notes environment.
A server is defined in the One Identity Manager environment to execute all administrative tasks affecting the IBM Notes environment. This server is referred to as the gateway server in the rest of this chapter. The gateway server performs the function of the synchronization server; it is not a productive Domino server. An IBM Notes client, the One Identity Manager Service, and the IBM Notes connector are installed on the gateway server.
All IBM Notes connector actions are executed from the gateway server. When actions run in the target system, the gateway server communicates with a Domino server of the productive environment. Select a server with a good network connection to the gateway server. Because the IBM Notes connector needs access to the Domino Directory, a directory server is the preferred choice.
For synchronization, provide an ID file with sufficient administrative permissions for accessing the productive IBM Notes environment. If you want to work with a Certification Authority process (CA process), a certifier ID file must be provided as well. Both files must be available on the gateway server. These ID files and their passwords are administrative credentials: restrict file system access to them on the gateway server to the account under which the One Identity Manager Service runs.
The gateway server executes One Identity Manager Service actions such as certifying users and adding, modifying, and deleting documents in the Domino Directory. It can also create databases on Domino servers, for example mailbox files for users or mail-in databases. The One Identity Manager Service provides an IBM Notes client context through the IBM Domino COM library and runs all functions required for exchanging data with the Domino server in that context: access to Domino objects, running Notes agents, creating administrative processes (AdminP), and error handling.
Figure 1: Communication of the IBM Notes connector with IBM Notes
The objects in IBM Notes are mapped as follows in the One Identity Manager database:
Table 1: Mapping object types from this IBM Notes installation in One Identity Manager
IBM Notes object | One Identity Manager object
Domino server | Notes server
Domino domain | No direct mapping
(none) | Notes domain: properties of Notes objects that assign them to different IBM Notes environments
User | Notes user account
Group | Notes group
Mail-in DB | Notes mail-in database
Notes certificate | Notes certificate
Template | Notes template
Policy | Notes policy
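The gateway server description above says the connector works through an IBM Notes client context built on the Domino COM library and needs a synchronization ID with access to the Domino Directory on the selected Domino server. The following PowerShell script is an added example, not code from One Identity Manager or its documentation. Run on the gateway server, it checks those prerequisites before you configure the connector: that the Notes client's COM class is registered, which ID file notes.ini points at, whether that ID can open names.nsf on the Domino server, what ACL level it has there, and how many person, group and mail-in documents it can see (the object types of Table 1). The server name, the view names of the standard Domino Directory template, and the Editor-or-higher threshold are assumptions of this example.

```powershell
# Check-NotesDirectoryAccess.ps1 -- added example, not code from One Identity Manager.
# Run on the gateway server as the account under which the One Identity Manager Service runs,
# in the PowerShell bitness that matches the Notes client (a 32-bit client needs 32-bit PowerShell).
# Assumptions: an IBM/HCL Notes client is installed (it registers the Lotus.NotesSession COM class
# that the connector uses), notes.ini of this account points at the synchronization ID file, and
# $DominoServer is replaced with the directory server you selected for the connector.

$DominoServer = "CN=Directory01/O=Example"   # placeholder name, assumption for this example

# The synchronization ID password is a credential: prompt for it rather than storing it in the
# script, and keep the plain-text copy only for the Initialize() call.
$secure = Read-Host -AsSecureString "Password of the synchronization ID"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

try {
    $session = New-Object -ComObject Lotus.NotesSession
} catch {
    throw "Lotus.NotesSession COM class is not registered: install the Notes client on this gateway server first."
}
$session.Initialize($password)
Remove-Variable password

# KeyFilename in notes.ini is the ID file the client (and thus the connector) authenticates with.
$idFile = $session.GetEnvironmentString("KeyFilename", $true)
Write-Host "Notes client version : $($session.NotesVersion)"
Write-Host "ID file in use       : $idFile"
Write-Host "Synchronization ID   : $($session.UserName)"

# names.nsf on the selected Domino server is the Domino Directory the connector reads and writes.
$names = $session.GetDatabase($DominoServer, "names.nsf", $false)
if (-not $names.IsOpen) {
    throw "Cannot open names.nsf on $DominoServer with this ID: check the directory ACL and the network path."
}

# CurrentAccessLevel returns the ACL constants 0 (no access) .. 6 (manager). Creating and changing
# documents needs Editor (4) or higher; below that, synchronization can read but not provision.
$level = $names.CurrentAccessLevel
Write-Host "ACL level of this ID : $level (0 = no access, 4 = Editor, 6 = Manager)"
if ($level -lt 4) { Write-Warning "Below Editor: the ID can read the directory but cannot provision objects." }

# Count documents in the standard directory views that hold the object types of Table 1
# (view name -> One Identity Manager object). View names follow the standard Domino Directory template.
$views = [ordered]@{
    "People"                          = "Notes user account"
    "Groups"                          = "Notes group"
    "Mail-In Databases and Resources" = "Notes mail-in database"
}
foreach ($viewName in $views.Keys) {
    $view = $names.GetView($viewName)
    if ($null -eq $view) { Write-Warning "View '$viewName' not found in names.nsf"; continue }
    $count = 0
    $doc = $view.GetFirstDocument()
    while ($null -ne $doc) {
        $count++
        $doc = $view.GetNextDocument($doc)
    }
    "{0,-32} -> {1,-22} {2,6} documents" -f $viewName, $views[$viewName], $count
}
```

If the script opens names.nsf but reports an access level below Editor, the ID can synchronize into One Identity Manager but provisioning back into IBM Notes will fail; fix the ACL of the Domino Directory for that ID before creating the synchronization project.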
The following users are involved in setting up and administering IBM Notes.
Table 2: Users

Target system administrators
Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
- Administer application roles for individual target system types.
- Specify the target system manager.
- Set up other application roles for target system managers if required.
- Specify which application roles for target system managers are mutually exclusive.
- Authorize other employees to be target system administrators.
- Do not assume any administrative tasks within the target system.

Target system managers
Target system managers must be assigned to the Target systems | IBM Notes application role or a child application role.
Users with this application role:
- Assume administrative tasks for the target system.
- Create, change, or delete target system objects such as user accounts or groups.
- Edit password policies for the target system.
- Prepare groups for adding to the IT Shop.
- Can add employees who have an identity other than the primary identity.
- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
- Edit the synchronization's target system types and outstanding objects.
- Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

One Identity Manager administrators
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
- Create and configure password policies as required.

Administrators for the IT Shop
Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:

Administrators for organizations
Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:

Business roles administrators
Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
One Identity Manager supports synchronization with IBM Notes in the following versions:
- IBM Domino Server versions 8, 9, and 10
- HCL Domino Server version 11
- IBM Notes Client version 8.5.3 or 10.0
- HCL Notes Client version 11.0.1
To load IBM Notes objects into the One Identity Manager database for the first time
- In IBM Notes, prepare a user (ID file) with sufficient permissions for synchronization.
- Ensure that the configuration parameter "TargetSystem | NDO" is set; the One Identity Manager components for managing IBM Notes environments are only available when it is.
- Install and configure the gateway server.
- Create a synchronization project with the Synchronization Editor.
- If user accounts in IBM Notes are to be registered by the IBM Notes connector, edit the required certificates in One Identity Manager: enter the path of the certifier's ID file or the name of the CA database.