Quest One Quick Connect

Transcription

1 Quest One Quick Connect Version 5.0 Administrator Guide

2 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, please contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA USA legal@quest.com Refer to our Web site for regional and international office information. TRADEMARKS Quest, Quest Software, the Quest Software logo, Aelita, Akonix, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invertus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vanalyzer, vautomator, vcontrol, vconverter, vessentials, vfoglight, vmigrator, voptimizer Pro, vpackager, vranger, vranger Pro, vreplicator, vspotlight, vtoad, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vessentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Third Party Contributions Quest One Quick Connect contains some third party components (listed below). Copies of their licenses may be found on our website at COMPONENT LICENSE OR ACKNOWLEDGEMENT.NET logging library 1.0 BSD 4.4 Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. Quest One Quick Connect - Administrator Guide Updated - October 14, 2011 Software Version - 5.0

3 CONTENTS ABOUT THIS GUIDE INTENDED AUDIENCE CONVENTIONS ABOUT QUEST SOFTWARE CONTACTING QUEST SOFTWARE CONTACTING QUEST SUPPORT CHAPTER 1 QUICK CONNECT OVERVIEW WHAT IS QUICK CONNECT? WHAT S NEW IN THIS RELEASE FEATURES AND BENEFITS TECHNICAL OVERVIEW QUICK CONNECT SYNC ENGINE CAPTURE AGENT CONNECTORS AND CONNECTED DATA SYSTEMS SYNCHRONIZATION WORKFLOWS AND STEPS CHAPTER 2 DEPLOYING QUICK CONNECT LICENSING STEPS TO INSTALL QUICK CONNECT SYNC ENGINE STEP 1: INSTALL SYNC ENGINE STEP 2: CONFIGURE SYNC ENGINE UPGRADING FROM AN EARLIER VERSION SIDE-BY-SIDE UPGRADE IN-PLACE UPGRADE CHAPTER 3 GETTING STARTED QUICK CONNECT ADMINISTRATION CONSOLE WORKFLOWS TAB SYNC HISTORY TAB CONNECTIONS TAB MAPPING TAB PASSWORD SYNC TAB OVERVIEW OF STEPS TO SYNCHRONIZE IDENTITY DATA CHAPTER 4 CONNECTIONS TO EXTERNAL DATA SYSTEMS ABOUT CONNECTIONS TO EXTERNAL DATA SYSTEMS iii

4 Quest One Quick Connect iv MANAGING CONNECTIONS TO EXTERNAL DATA SYSTEMS MANAGING A CONNECTION TO AN ACTIVE DIRECTORY DOMAIN MANAGING A CONNECTION TO AN AD LDS (ADAM) INSTANCE MANAGING A CONNECTION TO QUEST ACTIVEROLES SERVER MANAGING A CONNECTION TO QUEST ONE IDENTITY MANAGER MANAGING A CONNECTION TO A DELIMITED TEXT FILE MANAGING A CONNECTION TO AN LDAP DIRECTORY SERVICE MANAGING A CONNECTION TO A SQL SERVER DATABASE MANAGING A CONNECTION TO NOVELL EDIRECTORY MANAGING A CONNECTION TO AN OLE DB-COMPLIANT DATA SOURCE MANAGING A CONNECTION TO ORACLE DATABASE MANAGING A CONNECTION TO ORACLE USER ACCOUNTS MANAGING A CONNECTION TO SUN ONE DIRECTORY SERVER MANAGING A CONNECTION TO IBM RACF MANAGING A CONNECTION TO CA ACF MANAGING A CONNECTION TO CA TOP SECRET MANAGING A CONNECTION TO IBM LOTUS DOMINO SERVER MANAGING A CONNECTION TO GOOGLE APPS MANAGING A CONNECTION TO GOOGLE POSTINI SERVICES MANAGING A CONNECTION TO SALESFORCE MANAGING A CONNECTION TO SAP MANAGING A CONNECTION TO PEOPLESOFT RENAMING A CONNECTION DELETING A CONNECTION MODIFYING SYNCHRONIZATION SCOPE FOR A CONNECTION MODIFYING PASSWORD SYNCHRONIZATION SETTINGS FOR A CONNECTION CHAPTER 5 SYNCHRONIZING IDENTITY DATA GETTING STARTED WITH IDENTITY DATA SYNCHRONIZATION MANAGING SYNCHRONIZATION WORKFLOWS CREATING A SYNCHRONIZATION WORKFLOW RUNNING A SYNCHRONIZATION WORKFLOW RENAMING A SYNCHRONIZATION WORKFLOW DELETING A SYNCHRONIZATION WORKFLOW MANAGING STEPS IN A SYNCHRONIZATION WORKFLOW CREATING A PROVISIONING STEP CREATING AN UPDATING STEP CREATING A DEPROVISIONING STEP MODIFYING AN EXISTING STEP CHANGING THE ORDER OF STEPS IN A WORKFLOW

5 Administrator Guide DELETING A STEP SPECIFYING TARGET CONTAINERS FOR A SYNCHRONIZATION STEP CONFIGURING RULES TO GENERATE OBJECT NAMES SYNCHRONIZING GROUP MEMBERSHIPS SYNCHRONIZING MULTIVALUED ATTRIBUTES CONFIGURING ATTRIBUTE TRANSFORMATION RULES CONFIGURING A RULE FOR GENERATING AN ATTRIBUTE VALUE CHAPTER 6 MAPPING OBJECTS ABOUT MAPPING OBJECTS STEPS TO MAP OBJECTS STEP 1: CREATE MAPPING PAIRS STEP 2: CREATE MAPPING RULES STEP 3: RUN MAP OPERATION UNMAPPING OBJECTS CHAPTER 7 AUTOMATED PASSWORD SYNCHRONIZATION ABOUT AUTOMATED PASSWORD SYNCHRONIZATION STEPS TO AUTOMATE PASSWORD SYNCHRONIZATION MANAGING CAPTURE AGENT INSTALLING CAPTURE AGENT MANUALLY USING GROUP POLICY TO INSTALL CAPTURE AGENT UNINSTALLING CAPTURE AGENT MANAGING PASSWORD SYNC RULES CREATING A PASSWORD SYNC RULE DELETING A PASSWORD SYNC RULE MODIFYING SETTINGS OF A PASSWORD SYNC RULE SPECIFYING PASSWORD SYNC PARAMETERS FOR AN LDAP DIRECTORY SERVICE USING AN SQL QUERY TO SPECIFY DATA IN A CONNECTED SYSTEM SCENARIO: USING A QUERY TO SYNCHRONIZE PASSWORDS FOR ALL USERS IN SQL SERVER SCENARIO: USING A QUERY TO SYNCHRONIZE PASSWORDS FOR ALL USERS IN ORACLE DATABASE RUNNING CUSTOM SQL QUERIES AUTOMATICALLY AFTER PASSWORD SYNCHRONIZATION FINE-TUNING AUTOMATED PASSWORD SYNCHRONIZATION CONFIGURING CAPTURE AGENT CONFIGURING QUICK CONNECT SERVICE SPECIFYING A CUSTOM CERTIFICATE FOR ENCRYPTING PASSWORD SYNC TRAFFIC IN WINDOWS SERVER v

6 Quest One Quick Connect RUNNING A POST-SYNC POWERSHELL SCRIPT CHAPTER 8 SYNCHRONIZATION HISTORY ABOUT SYNCHRONIZATION HISTORY VIEWING WORKFLOW HISTORY VIEWING MAPPING HISTORY SEARCHING SYNCHRONIZATION HISTORY CLEANING UP SYNCHRONIZATION HISTORY CHAPTER 9 USING MANAGEMENT SHELL ABOUT MANAGEMENT SHELL INSTALLING AND OPENING MANAGEMENT SHELL INSTALLING THE QUICK CONNECT MANAGEMENT SHELL OPENING THE QUICK CONNECT MANAGEMENT SHELL GETTING HELP CMDLET NAMING CONVENTIONS CHAPTER 10 SCENARIOS OF USE ABOUT SCENARIOS SCENARIO 1: PROVISION USERS FROM A.CSV FILE TO AN ACTIVE DIRECTORY DOMAIN STEP 1: CREATE A NEW WORKFLOW STEP 2: CREATE A PROVISIONING STEP STEP 3: RUN THE CREATED PROVISIONING STEP STEP 4: COMMIT CHANGES TO THE ACTIVE DIRECTORY DOMAIN SCENARIO 2: USE A.CSV FILE TO UPDATE USER ACCOUNTS IN AN ACTIVE DIRECTORY DOMAIN STEP 1: CREATE AN UPDATING STEP STEP 2: RUN THE CREATED UPDATING STEP STEP 3: COMMIT CHANGES TO THE ACTIVE DIRECTORY DOMAIN vi

7 About This Guide Intended Audience Conventions About Quest Software Contacting Quest Software Contacting Quest Support

8 Quest One Quick Connect Intended Audience This document has been prepared to familiarize you with Quest One Quick Connect. This Administrator Guide contains the information required to install and use the product. It is intended for network administrators, consultants, analysts, and any other IT professionals using Quest One Quick Connect. Conventions In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references. ELEMENT Select Bolded text Italic text Bold Italic text Blue text CONVENTION This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons. Interface elements that appear in Quest Software products, such as menus and commands. Used for comments. Used for emphasis. Indicates a cross-reference. When viewed in Adobe Reader, this format can be used as a hyperlink. Used to highlight additional information pertinent to the process being described. Used to provide Best Practice information. A best practice details the recommended course of action for the best result. Used to highlight processes that should be performed with care. + A plus sign between two keystrokes means that you must press them at the same time. A pipe sign between elements means that you must select the elements in that particular sequence. 8

9 Administrator Guide About Quest Software Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to Contacting Quest Software Mail Web site Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA USA Please refer to our Web site for regional and international office information. Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at From SupportLink, you can do the following: Quickly find thousands of solutions (Knowledgebase articles/documents). Download patches and upgrades. Seek help from a Support engineer. Log and update your case, and check its status. View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at Support Guide.pdf. 9

10 Quest One Quick Connect 10

11 1 Quick Connect Overview What Is Quick Connect? What s New in This Release Features and Benefits Technical Overview

12 Quest One Quick Connect What Is Quick Connect? Within the same organization identity information can be stored in many different data systems, such as directories, databases, or formatted dump files. To manage the identity information and keep it in sync in all these data systems, administrators sometimes have to spend a considerable amount of time and effort. On top of that, performing the data synchronization tasks manually is error-prone and can lead to the duplication of information and incompatibility of data formats. With Quest One Quick Connect, you can completely automate the process of identity data synchronization between the data systems used in your enterprise environment. Quick Connect increases the data management efficiency by allowing you to automate the provision, deprovision, and update operations between different data systems. For example, when an employee joins or leaves the organization, the related information in the data systems managed by Quick Connect is automatically updated, thereby reducing your administrative workload and getting the new users up and running faster. The use of scripting capabilities provides a flexible way to automate day-to-day administration tasks and integrate the administration of managed data systems with other business processes. By automating regular synchronization tasks, Quick Connect allows administrators to concentrate on strategic issues, such as planning the directory, increasing enterprise security, and supporting business-critical applications. Quick Connect includes a core module called Quick Connect Sync Engine and a number of connectors that enable the Sync Engine to access external data systems to read and synchronize the identity information they contain. Quick Connect allows you to automate such tasks as: User provisioning User deprovisioning Identity data updating Password synchronization 12

13 Administrator Guide What s New in This Release This release of Quick Connect Sync Engine offers the following major new features: Support for Quest One Identity Manager. This new version of Quick Connect Sync Engine allows you to synchronize identity data between Quest One Identity Manager and other data systems connected to the Sync Engine. Any-to-any synchronization. Now you can synchronize identity data between almost any types of external data systems supported by this version of Quick Connect Sync Engine. The exceptions are delimited text files and OLE DB-compliant data systems: these data systems can only be used as sources for the synchronization operations. Share the same configuration between multiple instances of Sync Engine. With this feature you can share the same configuration settings between several instances of Quick Connect Sync Engine installed in your environment. When starting a new Sync Engine instance for the first time, you can connect it to the existing SQL Server databases where another instance of Quick Connect saves its configuration data. The configuration settings held in the databases are shared between all instances of Sync Engine you connect to them. Redesigned Administration Console. The Quick Connect Administration Console has been redesigned to improve its usability and provide a better user experience. You can benefit from this new feature when managing synchronization workflows, object mapping, connections to external data systems, and password synchronization between an Active Directory domain and other connected systems. Support for Windows PowerShell scripting. This version of Quick Connect Administration Console includes support for Windows PowerShell scripting. For instance, you can use Windows PowerShell scripts to map and unmap objects in connected systems, start data synchronization operations and view their progress, view sync history, and set object passwords. To benefit from this functionality, you need to install Quick Connect Management Shell, a component of Quick Connect that enables Windows PowerShell scripting. Features and Benefits The major features of Quick Connect include: Bidirectional Synchronization Delta Processing Mode Group Memberships Synchronization Windows PowerShell Scripting Attribute Synchronization Rules Distinguished Name Generation Rules Scheduling Capabilities Extensibility 13

14 Quest One Quick Connect Bidirectional Synchronization Bidirectional synchronization allows you to synchronize all changes occurred to identity information between your data systems. Using this type of synchronization, you can proactively prevent potential identity information conflicts between different data sources. The bidirectional synchronization is not supported for the following: Delimited text files PeopleSoft OLE DB-compliant data sources Employee objects in a SAP system These items can only serve as sources for data synchronization operations performed with Quick Connect Sync Engine. Delta Processing Mode Delta processing mode allows you to more quickly synchronize identities by processing only the data that has changed in the source and target connected systems since their last synchronization. Both the full mode and the delta mode provide you with the flexibility of choosing the appropriate method for your synchronization tasks. The delta processing mode is currently supported only for the following types of data systems: Active Directory AD LDS (ADAM) Delimited text file Lotus Domino Server Group Membership Synchronization With Quick Connect you can ensure that group membership information is in sync in all connected data systems. For example, when provisioning a group object from an Active Directory domain to an AD LDS (ADAM) instance, you can configure rules to synchronize the Member attribute from the Active Directory domain to the AD LDS (ADAM) instance. Windows PowerShell Scripting The Management Shell component of Quick Connect is an automation and scripting shell that provides a command-line management interface for synchronizing data between connected systems via the Quick Connect Service. The Management Shell is implemented as a Windows PowerShell snap-in extending the standard Windows PowerShell functionality. The commands provided by the Management Shell conform to the Windows PowerShell standards and are fully compatible with the default command-line tools that come with Windows PowerShell. 14

15 Administrator Guide The Management Shell lets administrators perform attribute or password synchronization operations by using Windows PowerShell scripts. For example, you can compose and run a Windows PowerShell script that assigns values to the target object attributes using values of the source object attributes. For more information, see "Developing PowerShell Scripts for Attributes Synchronization Steps" and "Developing PowerShell Scripts for Passwords Synchronization Steps" in the Quick Connect Software Development Kit (SDK). Attribute Synchronization Rules With Quick Connect, you can create and configure synchronization rules to generate values of target object attributes. These rules support the following types of synchronization: Direct synchronization. Assigns the attribute value of a source object to the target object attribute you specify. Script-based synchronization. Generates the target object attribute value by using a Windows PowerShell script. Rule-based synchronization. Generates the target object attribute value by using specific rules you configure in the Quick Connect Administration Console. Distinguished Name Generation Rules Quick Connect lets you create flexible rules for generating the distinguished names (DNs) of objects being provisioned. These rules allow you to ensure that objects created during provisioning operations are named in full compliance with the naming conventions existing in your organization. Scheduling Capabilities Quick Connect allows you to schedule the execution of specific synchronization operations and automatically perform them on a regular basis to satisfy your company s policy and save your time and effort. Extensibility To access external data systems Quick Connect Sync Engine employs special connectors. A connector enables the Sync Engine to read and synchronize the identity data contained in a particular data system. Out of the box, Quick Connect Sync Engine includes a number of built-in connectors that allow you to connect to the following data systems: Active Directory AD LDS (formerly ADAM) Quest ActiveRoles Server Quest One Identity Manager To connect the Sync Engine to other supported data systems, you need to obtain and install one or more special Quick Connect packages (also known as bundles) providing connectors for the data systems you want to access. For more information on available Quick Connect packages, please visit In case no ready-made connector is available for your data system, you can develop and implement a custom connector. Quick Connect Sync Engine provides a Software Development Kit (SDK) containing documentation and samples for developing and implementing custom connectors. 15

16 Quest One Quick Connect Technical Overview Quick Connect environment comprises Quick Connect Sync Engine, Capture Agents, connected data systems, connectors, connections, and synchronization workflows. The following illustration shows how Quick Connect synchronizes data between connected data systems. Quick Connect Source Connected System Connection to source Quick Connect Sync Engine Connection to target Target Connected System Quick Connect Sync Engine Quick Connect Sync Engine, a core module of Quest One Quick Connect, includes the Quick Connect Service that performs data synchronization operations and the Quick Connect Administration Console that provides a graphical user interface for managing connections to data systems and data synchronization operations. 16

17 Administrator Guide Capture Agent Quest One Capture Agent allows you to synchronize user passwords between Active Directory domains managed by Quick Connect and other connected data systems. The following diagram shows how the Password Synchronization feature of Quick Connect works: Password Synchronization Quick Connect Capture Agent Transfer information about changed user passwords in the source AD domain Password Synchronization Rule Update user password Target Connected System 1 Domain Controller Quick Connect Sync Engine Update user password Target Connected System 2 Quest One Capture Agent tracks changes to user passwords in the source Active Directory domain and provides that information to Quick Connect Sync Engine, which in turn synchronizes the changes with target connected data systems by using the password synchronization rules you specified. To synchronize passwords, you need to install Capture Agent on each domain controller in the Active Directory domain you want to use as a source for the password synchronization operations. Connectors and Connected Data Systems Quick Connect lets you synchronize identity information between a wide variety of external data systems. To synchronize identities, you must connect Quick Connect Sync Engine to your data systems through special connectors. A connector enables the Sync Engine to access a specific data system and read and synchronize the identity data in that system. Out of the box, Quick Connect Sync Engine supports the following data systems: Active Directory AD LDS (formerly ADAM) Quest ActiveRoles Server Quest One Identity Manager You can connect the Sync Engine to other supported data systems only after you install Quick Connect packages providing connectors for those systems. For more information on available Quick Connect packages, please visit 17

18 Quest One Quick Connect In addition to ready-made connectors, you can develop and implement custom connectors for specific data systems. For more information, refer to Quest One Quick Connect Software Development Kit (SDK) supplied with Quick Connect Sync Engine. Synchronization Workflows and Steps A synchronization workflow is a set of synchronization steps (or synchronization operations) that define how to synchronize objects between two connected data systems. A synchronization workflow can comprise one or more synchronization steps. You can use the Quick Connect Administration Console to configure as many synchronization workflows as needed, each performing a specific set of synchronization steps. A synchronization step can be configured to perform one of the following data synchronization operations: Provision. Creates objects in the target connected data systems based on the changes made to specific objects in the source connected system. When creating a new object, Quick Connect assigns initial values to the object attributes based on the attribute population rules you have configured. Update. Changes the attributes of objects in the target connected data systems based on the changes made to specific objects in the source connected system. To define the objects that will participate in the update operation you can use object mapping rules. For more information, see Mapping Objects on page 187. Deprovision. Modifies or removes objects in the target connected data systems after their counterparts have been disconnected from the source connected system. Quick Connect can be configured to remove objects permanently or change them to a specific state. 18

19 2 Deploying Quick Connect Licensing Steps to Install Quick Connect Sync Engine Upgrading from an Earlier Version

20 Quest One Quick Connect Licensing The following Quick Connect components do not require a license: Quick Connect Sync Engine, including these built-in connectors: Active Directory Connector AD LDS (ADAM) Connector Quest ActiveRoles Server Connector Quest One Identity Manager Connector Capture Agent Management Shell However, you must supply an appropriate license file to install and use any of the following Quick Connect packages (also known as bundles): QUICK CONNECT PACKAGE (BUNDLE) Quick Connect for Base Systems Quick Connect for Lotus Notes Quick Connect for Mainframes Quick Connect for Cloud Services (formerly Quick Connect for Online Services) Quick Connect for PeopleSoft Quick Connect for SAP Solutions SUPPORTED DATA SYSTEMS Delimited text file Microsoft SQL Server LDAP directory service OLE DB-compatible data source Sun One Directory Server Oracle Database Oracle user accounts Novell edirectory (formerly Novell Directory Server) Lotus Domino Server CA ACF2 CA Top Secret IBM RACF Google Apps Google Postini Services Salesforce PeopleSoft SAP solutions To obtain a license file for a Quick Connect package, please contact Quest Software. 20

21 Administrator Guide Steps to Install Quick Connect Sync Engine This section provides instructions on how to perform a clean installation of Quick Connect Sync Engine. If you want to upgrade from an earlier version of Sync Engine, see the instructions provided in Upgrading from an Earlier Version on page 22. To install Quick Connect Sync Engine, complete the following steps: Step 1: Install Sync Engine Step 2: Configure Sync Engine Step 1: Install Sync Engine To install Quick Connect Sync Engine 1. Make sure the system where you wish to install Quick Connect Sync Engine meets the system requirements provided in the Quick Connect Sync Engine Release Notes. 2. In a 32-bit edition of Windows, run the file QuickConnectSyncEngine_x86.msi OR In a 64-bit edition of Windows, run the file QuickConnectSyncEngine_x64.msi Both these files are supplied with the Quick Connect Sync Engine installation package. 3. Step through the wizard. 4. On the Custom Setup page, select the features you want to install, and then click Next. The following features are available for installation: Quick Connect Sync Engine (required). Installs Quick Connect Administration Console, Quick Connect Service, and built-in connectors. The Administration Console is a user interface providing access to all functions of Quick Connect. The Quick Connect Service manages data flows between connected data systems. Connectors enable the Sync Engine to access specific data systems to read and synchronize the identity data the systems contain. Configuration Import Wizard (required). Installs a tool that allows you to import Quick Connect Sync Engine configuration settings from a pre-5.0 version of the Sync Engine to the Sync Engine version you are installing. SDK (optional). Installs documentation and samples that help develop custom connectors for external data systems. Administrative Templates (optional). Installs Group Policy administrative templates for deploying Capture Agent and configuring the password synchronization parameters. For more information, see Step 4 (Optional): Configure Capture Agent on page On the Specify Quick Connect Service Account page, specify the name and password of the user account under which you want the Quick Connect Service to run, and then click Next. 6. Click Install and follow the instructions to complete the installation. 21

22 Quest One Quick Connect Step 2: Configure Sync Engine This section provides instructions on how to configure Quick Connect Sync Engine you installed in Step 1: Install Sync Engine. You can configure the Sync Engine using one of these methods: Create new SQL Server databases where the Sync Engine will save its configuration settings. Share the existing configuration settings between two or more instances of Sync Engine. Use configuration settings held in the SQL Server databases that left after the removal of a Sync Engine instance. To configure Quick Connect Sync Engine 1. Start the Quick Connect Administration Console: a) Click Start All Programs Quest Software Quest One Quick Connect. b) Click Quick Connect Administration Console. 2. Follow the steps in the wizard to configure the Sync Engine. Upgrading from an Earlier Version If you have Quick Connect Sync Engine version 4.5 or 4.7 or Quick Connect Sync Engine (Standalone Mode) 4.7 installed in your environment, you can upgrade it to Quick Connect Sync Engine 5.0. You can use one of the following upgrade methods: Side-by-side Upgrade. This method is recommended if you are using the Sync Engine to synchronize passwords in connected data systems. As compared to the in-place upgrade method described below, this method includes more steps but ensures a smoother transition from an earlier version of Sync Engine to version 5.0. The major benefit this method provides is that you can run both the old and new versions of Sync Engine simultaneously for some time to ensure the upgrade was a success. Then, you remove the Sync Engine version from which you upgraded. The downside of this method is that it does not transfer connected system access passwords to the new installation of Sync Engine, so you will have to retype the access passwords after installing the new version of the Quick Connect Administration Console. With this method, you install Quick Connect Sync Engine 5.0 on a computer alongside with the computer running an earlier version of Sync Engine. Then, you import the configuration settings from the earlier Sync Engine version to Quick Connect Sync Engine 5.0. In-place Upgrade. You can use this method if you are not using the Sync Engine to synchronize passwords in your environment. As compared to the side-by-side upgrade method, this method involves less steps and does not require additional hardware: you install Quick Connect Sync Engine 5.0 on the same computer where an earlier version of Sync Engine is installed. Then, you import the configuration settings from the earlier Sync Engine version to Quick Connect Sync Engine 5.0. The in-place method automatically transfers connected system access passwords to the new installation of Sync Engine, so you do not have to retype them in the Quick Connect Administration Console. 22

23 Administrator Guide Regardless of the upgrade method you choose, Quick Connect Sync Engine 5.0 will use the settings configured in the Sync Engine version from which you upgrade. This includes the connected data systems, synchronization scope, synchronization workflows, password synchronization settings and rules, and object mapping rules. Side-by-side Upgrade The side-by-side upgrade method includes the following steps: Step 1: Install Quick Connect Sync Engine 5.0 Step 2: Create New SQL Server Databases Step 3: Import Sync Engine Configuration Settings Step 4: Retype Connected System Access Passwords Step 5: Upgrade Quick Connect Capture Agent Step 6: Uninstall Old Quick Connect Sync Engine Version Step 1: Install Quick Connect Sync Engine 5.0 For instructions on how to install the Sync Engine, see Step 1: Install Sync Engine on page 21. Step 2: Create New SQL Server Databases In this step, you create new SQL Server databases where Quick Connect Sync Engine 5.0 will save its configuration data. To create new SQL Server databases 1. Start the Quick Connect Administration Console: a) Click Start All Programs Quest Software Quest One Quick Connect. b) Click Quick Connect Administration Console. 2. On the wizard page titled Step 1 of 3: Select a configuration method, select Create a new configuration. 3. Follow the steps in the wizard to configure the Sync Engine. 23

24 Quest One Quick Connect Step 3: Import Sync Engine Configuration Settings In this step, you use a special tool supplied with Quick Connect Sync Engine 5.0 to import configuration settings from the SQL Server databases used by the old version of Sync Engine to the SQL Server databases you created in Step 2: Create New SQL Server Databases. Before you proceed with this step, it is recommended that you suspend scheduled workflows and mapping operations in the Quick Connect Sync Engine version from which you are upgrading. You can resume the scheduled workflows and mapping operations after this step is complete. To import Sync Engine configuration settings 1. Start the Quick Connect Configuration Import Wizard: a) On the computer where you installed Quick Connect Sync Engine 5.0, click Start All Programs Quest Software Quest One Quick Connect. b) In the upper right corner of the Quick Connect Administration Console, click Tools Configuration Import Wizard. 2. Select the Quick Connect Sync Engine version whose configuration settings you want to import. Optionally, you can select the Import sync history check box to import the sync history along with the configuration settings. 3. Follow the steps in the wizard to complete the import operation. Step 4: Retype Connected System Access Passwords In this step, you need to retype all data system access passwords in the Administration Console installed with Quick Connect Sync Engine 5.0. This step is required because in case with the side-by-side upgrade method Quick Connect Sync Engine 5.0 cannot decrypt the access passwords that were encrypted by the Sync Engine version from which you are upgrading. To retype access passwords for your connected systems, see the instructions on how to modify connections to data systems provided in Managing Connections to External Data Systems on page 37. Step 5: Upgrade Quick Connect Capture Agent If you are using Quick Connect Sync Engine to synchronize passwords between an Active Directory domain and other connected data systems, upgrade Capture Agent installed on each domain controller in the source Active Directory domain. While you are upgrading Capture Agent, the old agent instances will continue to provide information about changed user passwords to the old Sync Engine version from which you are upgrading. After an agent instance is upgraded, it immediately switches to the Quick Connect Sync Engine 5.0 you installed in Step 1: Install Quick Connect Sync Engine 5.0. This ensures a seamless transfer to the new Sync Engine version: the password synchronization will continue to work in your environment throughout the entire upgrade process. 24

25 Administrator Guide To upgrade Capture Agent 1. In a 32-bit edition of Windows, run the file QuickConnectCaptureAgent_x86.msi. OR In a 64-bit edition of Windows, run the file QuickConnectCaptureAgent_x64.msi. Both these files are supplied in the Quick Connect Sync Engine 5.0 installation package. 2. Step through the wizard to complete the agent upgrade. Step 6: Uninstall Old Quick Connect Sync Engine Version In this step, you uninstall the Quick Connect Sync Engine version from which you upgraded. Before you uninstall the old version of Sync Engine, it is recommended to ensure that Quick Connect Sync Engine 5.0 is functioning properly. To uninstall old Quick Connect Sync Engine version 1. Open the list of installed programs and/or updates: In Windows XP, Windows Server 2003, or Windows Server 2003 R2, open Add or Remove Programs in Control Panel. In a later version of Windows, open Programs and Features in Control Panel. 2. In the list of installed programs and/or updates, select the Quick Connect Sync Engine entry. 3. Remove Quick Connect Sync Engine: In Windows XP, Windows Server 2003, or Windows Server 2003 R2, click Remove. In a later version of Windows, click Uninstall. 25

26 Quest One Quick Connect In-place Upgrade The in-place upgrade method includes the following steps: Step 1: Install Quick Connect Sync Engine 5.0 Step 2: Create New SQL Server Databases Step 3: Import Sync Engine Configuration Settings Step 4: Upgrade Quick Connect Capture Agent on Each DC Step 1: Install Quick Connect Sync Engine 5.0 For instructions on how to install the Sync Engine, see Step 1: Install Sync Engine on page 21. Step 2: Create New SQL Server Databases In this step, you create new SQL Server databases where Quick Connect Sync Engine 5.0 will save its configuration data. To create new SQL Server databases 1. Start the Quick Connect Administration Console: a) Click Start All Programs Quest Software Quest One Quick Connect. b) Click Quick Connect Administration Console. 2. On the wizard page titled Step 1 of 3: Select a configuration method, select Create a new configuration. 3. Follow the steps in the wizard to configure the Sync Engine. Step 3: Import Sync Engine Configuration Settings In this step, you use a special tool supplied with Quick Connect Sync Engine 5.0 to import configuration settings from the SQL Server databases used by the old version of Sync Engine to the SQL Server databases you created in Step 2: Create New SQL Server Databases. To import Sync Engine configuration settings 1. Start the Quick Connect Configuration Import Wizard: a) On the computer where you installed Quick Connect Sync Engine 5.0, click Start All Programs Quest Software Quest One Quick Connect. b) In the upper right corner of the Quick Connect Administration Console, click Tools Configuration Import Wizard. 2. Select the Quick Connect Sync Engine version whose configuration settings you want to import. Optionally, you can select the Import sync history check box to import the sync history along with the configuration settings. 3. Follow the steps in the wizard to complete the import operation. 26

27 Administrator Guide Step 4: Upgrade Quick Connect Capture Agent on Each DC If you are using Quick Connect Sync Engine to synchronize passwords between an Active Directory domain and other connected data systems, upgrade Capture Agent installed on each domain controller in the source Active Directory domain. To upgrade Capture Agent 1. In a 32-bit edition of Windows, run the file QuickConnectCaptureAgent_x86.msi. OR In a 64-bit edition of Windows, run the file QuickConnectCaptureAgent_x64.msi. Both these files are supplied in the Quick Connect Sync Engine 5.0 installation package. 2. Step through the wizard to complete the agent upgrade. 27

28 Quest One Quick Connect 28

29 3 Getting Started Quick Connect Administration Console Overview of Steps to Synchronize Identity Data

30 Quest One Quick Connect Quick Connect Administration Console The Quick Connect Administration Console is a graphical user interface where you can manage connections to external data systems and data synchronization operations between the data systems to which the Sync Engine is connected. The Quick Connect Administration Console is installed as part of the Quick Connect Sync Engine. To start the Quick Connect Administration Console Click Start All Programs Quest Software Quest One Quick Connect, and then click Quick Connect Administration Console. The Quick Connect Administration Console looks similar to the following: 30

31 Administrator Guide In the upper right corner of the console you can use the following menu items: MENU ITEM Tools DESCRIPTION Provides the following commands: Configuration Import Wizard. Starts a wizard that helps you to import configuration settings from a pre-5.0 version of the Quick Connect Sync Engine installed in your environment. Export Configuration Profile. Starts a wizard that helps you to save the configuration profile of the current Quick Connect Sync Engine instance to a file. You can use this file to apply the saved configuration profile to other instances of Quick Connect Sync Engine deployed in your environment. You can only apply the saved configuration profile to Quick Connect Sync Engine version 5.0 or later. Configuration Wizard. Starts a wizard that helps you to change configuration settings of the current Quick Connect Sync Engine instance. About Displays a window where you can view a list of installed Quick Connect packages and connectors, as well as licensing details. The console has the following tabs: Workflows Tab Sync History Tab Connections Tab Mapping Tab Password Sync Tab For more information about the elements you can use on these tabs, see the next subsections. Workflows Tab Allows you to manage data synchronization workflows for connected data systems. A workflow can include a number of synchronization steps, each performing a specific data synchronization operation (provision, deprovision, or update). For more information on synchronization workflows and their steps, see Synchronizing Identity Data on page 167. You can use the following elements on this tab (some of these elements become available only after you create at least one workflow): Add workflow. Creates a new synchronization workflow. <Workflow Name>. Displays the name of a synchronization workflow. You can click the name to view and add, delete, or modify synchronization steps in that workflow. Schedule. Allows you to create a schedule for running the synchronization workflow on which you click this link. Rename. Allows you to rename the synchronization workflow on which you click this link. Delete. Deletes the workflow on which you click this link. 31

32 Quest One Quick Connect Sync History Tab Allows you to view and selectively clean up the synchronization history. This is the history of synchronization workflow runs and object mapping operations. For more information, see Synchronization History on page 213. This tab has the following elements: Clean up now. Allows you to selectively clean up sync history entries. You can specify the age of the entries that you want to clean up. Schedule cleanup. Allows you to schedule a recurring cleanup operation for the sync history. Workflow History. Allows you to view a list of completed workflow runs and the details of objects that participated in a particular workflow run. Mapping History. Allows you to view a list of completed map and unmap operations and the details of objects that participated in those operations. Search. Allows you to search the Quick Connect Sync Engine synchronization history for completed provision, deprovision, update, and sync passwords operations. You can search by a number of criteria, such as the target connected data system and object type on which the operation was performed and the time period during which the operation completed. Connections Tab Allows you to manage connections between Quick Connect Sync Engine and the external data systems you want to use for data synchronization operations. For more information, see Connections to External Data Systems on page 35. You can use the following elements on this tab (some of them become available only after you create at least one connection): Add connection. Allows you to create a new connection to an external data system. <Connection Name>. Displays the name of a connection. You can click the connection name to view and modify settings for the connection. Connection settings. Allows you to view and modify settings for the connection on which you click this link. Synchronization scope. Allows you to view and modify synchronization scope for the connection on which you click this link. Delete connection. Deletes the connection on which you click this link. 32

33 Administrator Guide Mapping Tab Allows you to establish relationships between the objects you want to synchronize in connected data systems. Establishing such relationships is called mapping. This tab provides a list of objects mapped by you and those automatically mapped by the Sync Engine. For more information on mapping objects, see Mapping Objects on page 187. You can use the following elements on this tab (some of them become available only after you create at least one mapping pair): Add mapping pair. Allows you to specify the types of objects in two connected systems between you want to establish a relationship. <Mapping Pair>. Displays the object types specified in the mapping pair. You can click this link to view and change the scope of conditions where objects of specified types will be mapped. To define these conditions, you can use mapping rules. Delete. Deletes the mapping pair on which you click this link. Password Sync Tab Allows you to automate password synchronization operations from a specified Active Directory domain to other connected data systems. You can synchronize passwords by creating password synchronization rules. Optionally, you can type a custom PowerShell script you want to run after the password synchronization for particular connected systems is complete. For more information, see Automated Password Synchronization on page 193. You can use the following elements on this tab (some of them become available only after you create at least one password sync rule): Add password sync rule. Allows you to create a rule for synchronizing passwords from an Active Directory domain to another connected system. Password sync settings. Allows you to specify how many times you want to retry the password synchronization in the event of a failure. Also allows you to type a Windows PowerShell script to generate passwords for the target connected system. For more information, see "Developing PowerShell Scripts for Passwords Synchronization Steps" in the Quick Connect Software Development Kit (SDK). Delete rule. Deletes the password sync rule on which you click this link. 33

34 Quest One Quick Connect Overview of Steps to Synchronize Identity Data On a very high level, you need to complete the following steps to synchronize identity data between two data systems: 1. Connect the Quick Connect Sync Engine to the data systems between which you want to synchronize identity data. For more information, see Connections to External Data Systems on page Specify synchronization scope for the connected data systems. For more information, see Modifying Synchronization Scope for a Connection on page Create a synchronization workflow. For more information, see Creating a Synchronization Workflow on page Create one or more steps in the synchronization workflow, and, if necessary, define synchronization rules for these steps. For more information, see Managing Steps in a Synchronization Workflow on page Run the workflow you created. Running a Synchronization Workflow on page 170. You can also use the Sync Engine to automatically synchronize passwords from a specified Active Directory domain to other connected data systems. For more information, see Automated Password Synchronization on page

35 4 Connections to External Data Systems About Connections to External Data Systems Managing Connections to External Data Systems

36 Quest One Quick Connect About Connections to External Data Systems In order you could synchronize identity data between external data systems, you must connect Quick Connect Sync Engine to these data systems through special connectors. A connector enables the Sync Engine to access specific data system to read and synchronize the identity data in that system according to your settings. Out of the box, the Quick Connect Sync Engine includes a number of built-in connectors. These connectors allow you to access the following data systems right after you install the Sync Engine: Active Directory AD LDS (formerly ADAM) Quest ActiveRoles Server Quest One Identity Manager These built-in connectors do not require any license file. To connect the Sync Engine to other data systems, you need to obtain and install special Quick Connect packages (also known as bundles), each providing connectors for particular data systems. The following table lists the available Quick Connect packages and the data systems each package supports: QUICK CONNECT PACKAGE (BUNDLE) Quick Connect for Base Systems Quick Connect for Lotus Notes Quick Connect for Mainframes Quick Connect for Cloud Services (formerly Quick Connect for Online Services) Quick Connect for PeopleSoft Quick Connect for SAP Solutions SUPPORTED DATA SYSTEMS Delimited text file Microsoft SQL Server LDAP directory service OLE DB-compatible data source Sun One Directory Server Oracle Database Oracle user accounts Novell edirectory (formerly Novell Directory Server) Lotus Domino Server CA ACF2 CA Top Secret IBM RACF Google Apps Google Postini Services Salesforce PeopleSoft SAP solutions Each of the Quick Connect packages listed in the table requires a separate license file you can obtain from Quest Software. To find out more about Quick Connect packages, please visit 36

37 Managing Connections to External Data Systems Administrator Guide This section provides information on how to manage connections to external data systems of specific type. This section covers: Managing a Connection to an Active Directory Domain Managing a Connection to an AD LDS (ADAM) Instance Managing a Connection to Quest ActiveRoles Server Managing a Connection to Quest One Identity Manager Managing a Connection to a Delimited Text File Managing a Connection to an LDAP Directory Service Managing a Connection to a SQL Server Database Managing a Connection to Novell edirectory Managing a Connection to an OLE DB-compliant Data Source Managing a Connection to Oracle Database Managing a Connection to Oracle User Accounts Managing a Connection to Sun One Directory Server Managing a Connection to IBM RACF Managing a Connection to CA ACF2 Managing a Connection to CA Top Secret Managing a Connection to IBM Lotus Domino Server Managing a Connection to Google Apps Managing a Connection to Google Postini Services Managing a Connection to Salesforce Managing a Connection to SAP Managing a Connection to PeopleSoft Renaming a Connection Deleting a Connection Modifying Synchronization Scope for a Connection Modifying Password Synchronization Settings for a Connection 37

38 Quest One Quick Connect Managing a Connection to an Active Directory Domain This section covers: Creating a New Connection to an Active Directory Domain Modifying an Existing Connection to an Active Directory Domain Creating a New Connection to an Active Directory Domain An Active Directory connector is built into the Sync Engine, so you can create a connection to an Active Directory domain right after you install the Sync Engine on your computer. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Active Directory Connector. c) Click Next. 3. In the Domain name text box, type the fully qualified domain name (FQDN) of the Active Directory domain to which you want to connect. 4. Use the Secure Sockets Layer usage list to select one of the following list entries: None. Allows you to connect to the AD domain without using Secure Sockets Layer (SSL). Use. Allows you to connect to the AD domain through SSL. Preferred. Allows you to attempt the connection to the AD domain through SSL first. If this connection attempt fails, the Sync Engine tries to connect without using SSL. 5. Under Access Active Directory using, select one of the following authentication options: Quick Connect Service account. Allows you to access the AD domain in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the AD domain in the security context of the account whose user name and password you specify below this option. When you are finished, you can click Test Connection to verify the specified connection settings. 6. Click Finish to create a connection to the Active Directory domain. 38

39 Administrator Guide Modifying an Existing Connection to an Active Directory Domain To modify an existing connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Active Directory domain connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION Domain name Security Sockets Layer usage Access Active Directory using Test Connection DESCRIPTION Allows you to specify the fully qualified domain name (FQDN) of the Active Directory domain where you want to synchronize data. Provides the following options: None. Allows you to connect to the AD domain without using Secure Sockets Layer (SSL). Use. Allows you to connect to the AD domain through SSL. Preferred. Allows you to attempt the connection to the AD domain through SSL first. If this connection attempt fails, the Sync Engine tries to connect without using SSL. Allows you to specify one of the following authentication options to access the AD domain: Quick Connect Service account. Allows you to access the AD domain in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the AD domain in the security context of the account whose user name and password you specify below this option. Allows you to verify the specified connection settings. 4. Click Save. 39

40 Quest One Quick Connect Managing a Connection to an AD LDS (ADAM) Instance This section covers: Creating a New Connection to an AD LDS (ADAM) Instance Modifying an Existing Connection to an AD LDS (ADAM) Instance Creating a New Connection to an AD LDS (ADAM) Instance An AD LDS (ADAM) connector is built into the Sync Engine, so you can create a connection to an AD LDS (ADAM) instance right after you install the Sync Engine on your computer. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select AD LDS (ADAM) Connector. c) Click Next. 3. In the Server text box, type the fully qualified domain name (FQDN) of the computer on which the AD LDS (ADAM) instance where you want to synchronize data is running. 4. In the Port text box, type the LDAP communication port number used by the AD LDS (ADAM) instance. By default, it is port Under Access AD LDS (ADAM) instance using, select one of the following authentication options: Quick Connect Service account. Allows you to access the target AD LDS (ADAM) instance in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the target AD LDS (ADAM) instance in the security context of the account whose user name and password you specify below this option. Optionally, you can click Advanced to specify advanced AD LDS (ADAM) connection settings. When you are finished, you can click Test Connection to verify the specified connection settings. 6. Click Finish to create a connection to the AD LDS (ADAM) instance. 40

41 Administrator Guide Modifying an Existing Connection to an AD LDS (ADAM) Instance To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing AD LDS (ADAM) instance connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION Server Port Advanced Access AD LDS (ADAM) instance using Test Connection DESCRIPTION Allows you to specify the fully qualified domain name (FQDN) of the computer on which the AD LDS (ADAM) instance where you want to synchronize data is running. Allows you to specify the number of the LDAP communication port used by the AD LDS (ADAM) instance. By default, it is port 389. Allows you to specify advanced AD LDS (ADAM) connection settings. Allows you to specify one of the following authentication options to access the AD LDS (ADAM) instance: Quick Connect Service account. Allows you to access the AD LDS (ADAM) instance in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the AD LDS (ADAM) instance in the security context of the account whose user name and password you specify below this option. Allows you to verify the specified connection settings. 4. Click Save. 41

42 Quest One Quick Connect Managing a Connection to Quest ActiveRoles Server This section covers: Creating a New Connection to Quest ActiveRoles Server Modifying an Existing Connection to Quest ActiveRoles Server Creating a New Connection to Quest ActiveRoles Server An ActiveRoles Server connector is built into the Sync Engine, so you can create a connection to ActiveRoles Server right after you install the Sync Engine on your computer. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Quest ActiveRoles Server Connector. c) Click Next. 3. Under Connect to, select one of the following options to specify the ActiveRoles Server Administration Service to be used by the Quick Connect Sync Engine: Administration Service on the specified computer. Type the name of the computer running the Administration Service you want the Sync Engine to use. Any Administration Service of the same configuration. Specify any Administration Service whose database holds the necessary configuration: type the DNS name of the computer running that Administration Service. If ActiveRoles Server replication is used to synchronize configuration data, this must be any Administration Service whose database server acts as the Publisher for the configuration database. 4. Under Access ActiveRoles Administration Service using, select one of the following authentication options: Quick Connect service account. Allows you to access the Administration Service in the security context of the user account under which the Quick Connect Service is running. Windows account. Allows you to access the Administration Service in the security context of the user account whose user name and password you specify below this option. When you are finished, you can click Test Connection to verify the specified connection settings. 5. Click Finish to create a connection to Quest ActiveRoles Server. 42

43 Administrator Guide Modifying an Existing Connection to Quest ActiveRoles Server To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Quest ActiveRoles Server connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION Connect to DESCRIPTION Allows you to specify the ActiveRoles Server Administration Service to be used by the Quick Connect Sync Engine. You can use one of the following options: Administration Service on the specified computer. Type the name of the computer running the Administration Service you want the Sync Engine to use. Any Administration Service of the same configuration. Specify any Administration Service whose database holds the necessary configuration: type the DNS name of the computer running that Administration Service. If ActiveRoles Server replication is used to synchronize configuration data, this must be any Administration Service whose database server acts as the Publisher for the configuration database. Access ActiveRoles Administration Service using Allows you to specify an authentication option to access the ActiveRoles Administration Service. You can use one of the following options: Quick Connect service account. Allows you to access the Administration Service in the security context of the user account under which the Quick Connect Service is running. Windows account. Allows you to access the Administration Service in the security context of the user account whose user name and password you specify below this option. Test Connection Allows you to verify the specified connection settings. 4. Click Save. 43

44 Quest One Quick Connect Managing a Connection to Quest One Identity Manager This section covers: Creating a New Connection to Quest One Identity Manager Modifying an Existing Connection to Quest One Identity Manager Quest One Identity Manager Connector Configuration Creating a New Connection to Quest One Identity Manager An Identity Manager connector is built into the Sync Engine, so you can create a connection to Identity Manager right after you install the Sync Engine on your computer. To connect to Identity Manager, Quick Connect Sync Engine requires certain Dynamic Link Library (.dll) files supplied with Identity Manager. Before creating a connection to Identity Manager make sure that Quick Connect Sync Engine can access these.dll files. For details, see Step 1: Ensure Sync Engine Can Access Identity Manager. In order Quick Connect Sync Engine could access Identity Manager, both these applications must be installed on the same computer. To create a new connection to Identity Manager, complete these steps: Step 1: Ensure Sync Engine Can Access Identity Manager Step 2: Configure a Connection to Quest One Identity Manager Step 1: Ensure Sync Engine Can Access Identity Manager Make sure that Quick Connect Sync Engine and Identity Manager are installed on the same computer. If Identity Manager is installed to a non-default installation folder, perform the next steps: 1. Use a text editor (such as Notepad) to open the QuestOneIdentityManagerConnectorConfiguration.xml file located in <Quick Connect Sync Engine installation folder>\service\connectors\ OneIdentityManagerConnector\ This is the file where Quest One Identity Manager connector saves its configuration settings. For more information on these settings, see Quest One Identity Manager Connector Configuration on page Create the <PathToOneIdentityManagerDlls> XML element in the file and then type the correct path to the Identity Manager installation folder in that element. Example: <PathToOneIdentityManagerDlls> C:\IdentityManagerInstallationFolder </PathToOneIdentityManagerDlls> 3. Save the changes, and then close the.xml file. 4. Restart Quick Connect Service on the computer where Identity Manager and Sync Engine are installed: a) Open the Services snap-in (to do so, click Start All Programs Administrative Tools Services). b) In the list of local services, right-click Quest Quick Connect Service, and then click Restart. 44

45 Administrator Guide Step 2: Configure a Connection to Quest One Identity Manager 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Quest One Identity Manager Connector. c) Click Next. 3. Specify the following options: OPTION SQL Server Database used by Quest One Identity Manager SQL Server Authentication Quest One Identity Manager Authentication DESCRIPTION Type the fully qualified domain name (FQDN) of the SQL Server that hosts the database where Quest One Identity Manager saves its data. Type the name of the SQL Server database where Quest One Identity Manager saves its data. Select one of the following authentication methods to access the SQL Server that hosts the Quest One Identity Manager database: Use Quick Connect Service account. Allows you to access the SQL Server within the security context of the account under which the Quick Connect Service is running. Use SQL Server authentication. Allows you to specify the user name and password of an account registered on the SQL Server. Specify the user name and password of the account with which you want to access Identity Manager. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to Quest One Identity Manager. 45

46 Quest One Quick Connect Modifying an Existing Connection to Quest One Identity Manager To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Quest One Identity Manager connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the settings as necessary: OPTION SQL Server Database used by Quest One Identity Manager SQL Server Authentication Quest One Identity Manager Authentication Test Connection DESCRIPTION Type the fully qualified domain name (FQDN) of the SQL Server that hosts the database where Quest One Identity Manager saves its data. Type the name of the SQL Server database where Quest One Identity Manager saves its data. Select one of the following authentication methods to access the SQL Server that hosts the Quest One Identity Manager database: Use Quick Connect Service account. Allows you to access the SQL Server within the security context of the account under which the Quick Connect Service is running. Use SQL Server authentication. Allows you to specify the user name and password of an account registered on the SQL Server. Specify the user name and password of the account with which you want to access Identity Manager. Allows you to verify the specified connection settings. 4. Click Save. 46

47 Administrator Guide Quest One Identity Manager Connector Configuration Quest One Identity Manager connector saves its configuration settings in the QuestOneIdentityManagerConnectorConfiguration.xml file located in the folder <Quick Connect Sync Engine installation folder>\service\connectors\oneidentitymanagerconnector You can edit the XML elements in the file to configure the various Quest One Identity Manager connector parameters. The table below describes the XML elements you can edit. XML ELEMENT <PathToOneIdentityManagerDlls> DESCRIPTION Specifies the path to the Quest One Identity Manager.dll files required for the Sync Engine to connect to the Identity Manager. Example: <PathToOneIdentityManagerDlls> C:\IdentityManagerDLLs </PathToOneIdentityManagerDlls> <ExcludeDeletedObjects> Specifies how to treat objects marked as deleted in Identity Manager. This element can take one of the following values: TRUE. Specifies to ignore deleted objects during data synchronization operations. FALSE. Specifies to process deleted objects during data synchronization operations. Example: <ExcludeDeletedObjects> TRUE </ExcludeDeletedObjects> <PasswordAttributes> Specifies the default Identity Manager attribute to be used for storing passwords for objects of a particular type. Specifying the attribute in the Quick Connect Sync Engine GUI overrides the value specified in this XML element. Example: <PasswordAttributes> <PasswordAttributeDefinitions> <PasswordAttributeDefinition objecttype="person" attribute="centralpassword" /> </PasswordAttributeDefinitions> </PasswordAttributes> <ReadFullSync> <CreateFullSync> <ModifyFullSync> <DeleteFullSync> <ObjRefFullSync> <SyncStatusFullSync> Specifies the value of the FullSync variable for the Read operations performed in Identity Manager. Specifies the value of the FullSync variable for the Create operations performed in Identity Manager. Specifies the value of the FullSync variable for the Modify operations performed in Identity Manager. Specifies the value of the FullSync variable for the Delete operations performed in Identity Manager. Specifies the value of the FullSync variable for the Modify Object Reference operations performed in Identity Manager. Specifies the value of the FullSync variable for the Sync Status operations performed in Identity Manager. 47

48 Quest One Quick Connect For more information on the FullSync variable and the values it can take, please see the Quest One Identity Manager documentation. Managing a Connection to a Delimited Text File This section covers: Creating a New Connection to a Delimited Text File Modifying an Existing Connection to a Delimited Text File Creating a New Connection to a Delimited Text File To connect the Sync Engine to a delimited text file, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Delimited Text File Connector. c) Click Next. 3. Use the Delimited text file text box, to specify the delimited text file to which you want to connect. 4. Under Access delimited text file using, select one of the following options: Quick Connect Service account. Allows you to access the delimited text file in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the delimited text file in the security context of the account whose user name and password you specify below this option. When you are finished, you can click Test Connection to verify the specified connection settings. 5. Click Next. 6. Specify the format used in the delimited text file so that the Sync Engine could correctly read the file: a) Use the Delimiter area to specify the delimiter used in the file to which you want to connect. b) If the first line of the target delimited text file contains names of attributes, select the Use first row for attribute names check box. c) Optionally, click Advanced to specify advanced options to access the delimited text file. 7. Click Next. 8. Specify UniqueID attributes. These are the attributes with which you want to uniquely identify each object in the database. Do the following: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 9. Click Finish to create a connection to the delimited text file. 48

49 Administrator Guide Modifying an Existing Connection to a Delimited Text File To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing delimited text file connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION Delimited text file Access delimited text file using DESCRIPTION Allows you to specify the delimited text file to which you want to connect. Allows you to specify an authentication option to access the delimited text file. You can select one of the following options: Quick Connect Service account. Allows you to access the delimited text file in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the delimited text file in the security context of the account whose user name and password you specify below this option. Test Connection Allows you to verify the specified connection settings. 4. Click Save. To specify a delimited text file format 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing delimited text file connection for which you want to modify the file format. 3. Open the Connection Settings tab. 4. Expand Specify delimited text file format and modify settings so that the Sync Engine could correctly read the file. You can use the following options: Delimiter. Allows you to specify a delimiter used in the file. Use first row for attribute names. Allows you to indicate that the first row in the file contains attribute names. Advanced. Allows you to specify advanced file format options, such as file encoding, row delimiter, value delimiter, and text qualifier. 5. Click Save. 49

50 Quest One Quick Connect Managing a Connection to an LDAP Directory Service This section covers: Creating a New Connection to an LDAP Directory Service Modifying an Existing Connection to an LDAP Directory Service Creating a New Connection to an LDAP Directory Service To connect the Sync Engine to an LDAP directory service, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Generic LDAP Connector. c) Click Next. 3. In the Server text box, type the fully qualified domain name (FQDN) of the computer running the LDAP directory service to which you want to connect. 4. In the Port text box, type the number of the LDAP communication port used by the LDAP directory service. 5. Under Access LDAP directory service using, select an authentication option: Quick Connect Service account. Allows you to access the target LDAP directory service in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the target LDAP directory service in the security context of the account whose user name and password you specify below this option. 6. Optionally, click Advanced to specify additional connection options to access the LDAP directory service. When you are finished, you can click Test Connection to verify the specified connection settings. 7. Click Next. 50

51 Administrator Guide 8. Specify the directory partitions that will participate in synchronization. 9. Specify UniqueID attributes. These are the attributes with which you want to uniquely identify each object in the database. Do the following: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 10. Click Finish to create a connection to the LDAP directory service. Modifying an Existing Connection to an LDAP Directory Service You can modify the various setting for an existing LDAP directory service connection, such as LDAP directory service server, communication port, access credentials, directory partitions participating in the synchronization, and attributes used for naming objects in the LDAP directory service. Every object in an LDAP directory service has a naming attribute from which the object name is formed. By default, after you create a connection to an LDAP directory service, the default naming attribute for each object class is uid. Optionally, you can redefine naming attributes as necessary. To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing LDAP directory service connection you want to modify. 3. Expand Specify connection settings and modify the settings as necessary. You can use the following options: OPTION Server Port Access LDAP directory service using DESCRIPTION Allows you to specify the fully qualified domain name (FQDN) of the computer running the LDAP directory service to which you want to connect. Allows you to specify the number of the LDAP communication port used by the LDAP directory service. Allows you to specify an authentication option to access the LDAP directory service. You can select one of the following options: Quick Connect Service account. Allows you to access the target LDAP directory service in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the target LDAP directory service in the security context of the account whose user name and password you specify below this option. Advanced Test Connection Allows you to specify advanced LDAP directory service connection settings. Allows you to verify the specified connection settings. 4. Click Save. 51

52 Quest One Quick Connect To specify directory partitions participating in synchronization 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing LDAP directory service connection whose connection settings you want to modify. 3. Open the Connection Settings tab. 4. Expand Specify directory partitions to specify the partitions that will participate in the synchronization. 5. Click Save. To specify naming attributes for objects 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing LDAP directory service connection where you want to specify naming attributes for objects. 3. Open the Connection Settings tab. 4. Expand Specify naming attributes to specify naming attributes for object classes as necessary. 5. Click Save. Managing a Connection to a SQL Server Database This section covers: Creating a New Connection to a SQL Server Database Modifying an Existing Connection to a SQL Server Database Examples of Queries to Modify SQL Server Data Creating a New Connection to a SQL Server Database To connect the Sync Engine to a SQL Server database, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select SQL Server Connector. c) Click Next. 3. Use the SQL Server list to type or select the name of the SQL Server to which you want to connect. 4. Under Access SQL Server using, select an authentication option: Use Windows authentication. Allows you to access the SQL Server in the security context of the account under which the Quick Connect Service is running. Use SQL Server authentication. Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify below this option. 5. Use the Connect to database text box to specify the name of the SQL Server database to which you want to connect. When you are finished, you can click Test Connection to verify the specified connection settings. 52

53 Administrator Guide 6. Click Next. 7. Specify the data that will participate in the synchronization operations. You can select one of the following options: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way for specifying the data for synchronization. For example, you can use this option to specify multiple database tables. 8. Click Configure Settings to specify how you want to modify data in the SQL Server database during synchronization operations. 9. Click Next. 10. Specify UniqueID attributes. These are the attributes with which you want to uniquely identify each object in the database. Do the following: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 11. Click Finish to create a connection to the SQL server database. Modifying an Existing Connection to a SQL Server Database To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing SQL Server connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION SQL Server DESCRIPTION Allows you to specify the name of the SQL Server where you want to synchronize data. Type the name or select it from the list. To get a list of available SQL Servers, click Refresh. Access SQL Server using Allows you to specify an authentication option to access SQL Server. You can select one of the following options: Quick Connect Service account. Allows you to access the SQL Server in the security context of the account under which the Quick Connect Service is running. Windows account. Allows you to access the SQL Server in the security context of the SQL Server user account whose user name and password you specify below this option. Connect to database Test Connection Allows you to specify the name of the SQL Server database to which you want to connect. Allows you to verify the specified connection settings. 4. Click Save. 53

54 Quest One Quick Connect To specify how to select and modify SQL Server data during synchronization 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing SQL Server connection for which you want to specify the data selection and modification settings. 3. Open the Connection Settings tab. 4. Expand Specify how to select and modify data to change the settings as necessary. You can use the following options: OPTION Specify the SQL Server data that will participate in synchronization Configure settings to modify SQL Server data during synchronization DESCRIPTION You can select one of the following: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query to specify the data for synchronization. Use this option in case you want to specify multiple database tables. You can click Configure Settings to specify how you want to modify data in the SQL Server database during synchronization operations. 5. Click Save. To specify attributes that identify each object in the database (UniqueID attributes) 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing SQL Server connection for which you want to specify the UniqueID attributes. 3. Open the Connection Settings tab. 4. Expand Specify attributes to identify objects, and then specify the UniqueID attributes: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 5. Click Save. 54

55 Administrator Guide Examples of Queries to Modify SQL Server Data This section provides sample SQL queries illustrating how to modify SQL Server data during synchronization operations. In the sample queries, Id refers to an attribute (a column name in an SQL Server table) that uniquely identifies an object in your SQL database. These examples can be used only for configuring connectors to Microsoft SQL Server How to Insert an Object into a Table This sample illustrates how to create a query that inserts an object with specified attributes into the table named SQLConnTest1. DATABASE TABLE STRUCTURE CREATE TABLE [SQLConnTest1]([Id] [bigint] IDENTITY(1,1),[attr1] [nchar](64),[attr2] [nchar](64))) SAMPLE QUERY INSERT into SQLConnTest1(Id) values(@id) How to Create a SQL Server Account This sample illustrates how to create a SQL Server account, and then retrieve the UniqueID attribute for that account. To define the scope where to create the SQL Server account, insert the following query in the Query Editor dialog box: SELECT sid as Id,name as login from sys.server_principals Insert the following SQL query into the Configure SQL Statements dialog box: EXEC SELECT sid as Id from sys.server_principals where name=@login; None of attribute names used in SQL queries can include white-space characters. For example, you cannot use names such as "user password". 55

56 Quest One Quick Connect Managing a Connection to Novell edirectory This section covers: Creating a New Connection to Novell edirectory Modifying an Existing Connection to Novell edirectory Creating a New Connection to Novell edirectory To connect the Sync Engine to Novell edirectory, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Novell Connector. c) Click Next. 3. Use the Server text box to type the fully qualified domain name (FQDN) of the computer running Novell edirectory. 4. Use the Port text box to type the number of the Lightweight Directory Access Protocol (LDAP) communication port used by the Novell edirectory server. 5. Under Access Novell Directory Service using, enter the user name and password with which you want to access Novell edirectory. When you are finished, you can click Test Connection to verify the specified connection settings. 6. Click Finish to create a connection to Novell edirectory. Modifying an Existing Connection to Novell edirectory To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Novell edirectory connection you want to modify. 3. Expand Specify connection settings and modify settings as necessary. You can use the following options: Server. Specify the fully qualified domain name (FQDN) of the computer running Novell edirectory. Port. Specify the number of the Lightweight Directory Access Protocol (LDAP) communication port used by the Novell edirectory server. Access Novell edirectory using. Specify the user name and password with which you want to access the Novell edirectory server. 4. Click Save. 56

57 Administrator Guide Managing a Connection to an OLE DB-compliant Data Source This section covers: Creating a New Connection to an OLE DB-compliant Data Source Modifying an Existing Connection to an OLE DB-compliant Data Source Creating a New Connection to an OLE DB-compliant Data Source To connect the Sync Engine to an OLE DB-compliant relational database, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name text box, type a descriptive name for the connection. b) From the Use the specified connector list, select OLE DB Connector. c) Click Next. 3. Use the Connection string text box to specify the connection parameters to access an OLE DB-compatible relational database. To specify the connection string using a graphical user interface, click Configure. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Next. 5. Select one of the following options to specify the data that will participate in synchronization: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query that provides a more flexible way for specifying the data for synchronization. For example, you can use this option to specify multiple database tables. 6. Click Next. 7. Specify UniqueID attributes. These are the attributes with which you want to uniquely identify each object in the relational database. Do the following: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 8. Click Finish to create a connection to the specified OLE DB-compliant relational database. 57

58 Quest One Quick Connect Modifying an Existing Connection to an OLE DB-compliant Data Source To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing OLE DB-compliant relational database connection you want to modify. 3. Expand Specify connection settings and then use the Connection string text box to modify the connection settings as necessary. When you are finished, you can click Test Connection to verify the specified settings. 4. Click Save. To specify how to select data in the relational database during synchronization 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing OLE DB-compliant relational database connection for which you want to specify the data selection settings. 3. Open the Connection Settings tab. 4. Expand Specify how to select data to change the settings as necessary. You can use the following options: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query to specify the data for synchronization. Use this option in case you want to specify multiple database tables. 5. Click Save. To specify attributes that identify each object in the relational database (UniqueID) 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing OLE DB-compliant relational database connection for which you want to specify the UniqueID attributes. 3. Open the Connection Settings tab. 4. Expand Specify attributes to identify objects, and then specify the UniqueID attributes: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 5. Click Save. 58

59 Administrator Guide Managing a Connection to Oracle Database The Quick Connect Sync Engine supports Oracle Database 8g or later. This section covers: Creating a New Connection to Oracle Database Modifying an Existing Connection to Oracle Database Sample SQL Queries Creating a New Connection to Oracle Database To connect the Sync Engine to Oracle Database, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Oracle Connector. c) Click Next. 3. Specify connection settings to access an Oracle service: a) Use the Oracle service name text box to specify the name of the Oracle service you want to use to access Oracle Database. You can click Refresh to get a list of available Oracle services. b) Under Access Oracle service with, type the user name and password with which you want to access the specified service. When you are finished, you can click Test Connection to verify the specified connection string. 4. Click Next. 5. Select an option to specify the data that will participate in synchronization: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query to specify the data for synchronization. Use this option in case you want to specify multiple database tables. 6. Click Next. 7. Specify UniqueID attributes. These are the attributes with which you want to uniquely identify objects in the database. Do the following: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 8. Click Finish to create a connection to the specified Oracle Database. 59

60 Quest One Quick Connect Modifying an Existing Connection to Oracle Database To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Oracle Database connection you want to modify. 3. Open the Connection Settings tab. 4. Expand Specify connection settings and modify settings as necessary. You can use the following options: OPTION Oracle service name DESCRIPTION Allows you to specify the name of the Oracle service you want to use to access Oracle Database. Type the name or select it from the list. To get a list of available SQL Servers, click Refresh. Access Oracle service with Test Connection Allows you to specify the user name and password with which you want to access the Oracle service. Allows you to verify the specified connection settings. 5. Click Save. To specify how to select and modify Oracle Database data during synchronization 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing Oracle Database connection for which you want to specify the data selection and modification settings. 3. Open the Connection Settings tab. 4. Expand Specify how to select and modify data to change the settings as necessary. You can use the following options: OPTION Specify the Oracle Database data that will participate in synchronization Configure settings to modify Oracle Database data during synchronization DESCRIPTION You can select one of the following: Use data from this table. Allows you to select a database table that includes the data for synchronization. Use an SQL query to specify data. Allows you to compose an SQL query to specify the data for synchronization. Use this option in case you want to specify multiple database tables. For sample SQL queries, see Sample SQL Queries on page 61. You can click Configure Settings to specify how you want to modify data in the Oracle Database during synchronization operations. 5. Click Save. 60

61 Administrator Guide To specify attributes that identify each object in Oracle Database (UniqueID attributes) 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing Oracle Database connection for which you want to specify the UniqueID attributes. 3. Open the Connection Settings tab. 4. Expand Specify attributes to identify objects, and then specify the UniqueID attributes: a) Use the Available attributes list to select the attributes you want to use as UniqueID attributes. To select multiple attributes, hold down CTRL and click to select attributes. b) Click Add-> to move the selected attributes to the UniqueID attributes list. 5. Click Save. Sample SQL Queries The sample queries provided in this section are only applicable if Quick Connect Sync Engine is connected to the target Oracle system through the Oracle Connector. Sample SQL Query 1 This SQL query illustrates how to add a new entry to the table named SQLConnTest1 in the Oracle system to which you want to provision data from some other connected system. In the sample, Id refers to an attribute that uniquely identifies each object in your Oracle system. DATABASE TABLE STRUCTURE CREATE TABLE "SQLConnTest1"("Id" number,"attr1" nchar(64), "attr2" nchar(64)) SAMPLE QUERY Insert into SQLConnTest1(attr1) values(:attr1) returning Id into :Id Sample SQL Query 2 This SQL query illustrates how to create a new user in an Oracle system: call dbms_utility.exec_ddl_statement('create USER ' :USERNAME ' IDENTIFIED BY ' :newpassword) In this query: USERNAME refers to the name of the attribute that uniquely identifies a user in the Oracle system. newpassword refers to the name of the attribute that will store the initial password you want to set for the Oracle user being created. 61

62 Quest One Quick Connect Managing a Connection to Oracle User Accounts You can use Quick Connect Sync Engine to synchronize identity data between user accounts in Oracle Database and other data systems to which the Sync Engine is connected. For example, you can synchronize passwords between Oracle user accounts and user accounts in other connected data systems. To get started with synchronizing Oracle user accounts, you need to connect the Oracle Database system where those accounts reside through the Oracle User Accounts Connector. This section covers: Creating a New Connection to Oracle User Accounts Modifying an Existing Connection to Oracle User Accounts Sample SQL Queries Creating a New Connection to Oracle User Accounts To connect the Sync Engine to the Oracle Database system where you want to synchronize user accounts, you need to obtain and install the Oracle User Accounts Connector. For more information, see About Connections to External Data Systems on page 36. After you install the required connector, complete the steps below to create a new connection to the Oracle Database system. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection being created. b) From the Use the specified connector list, select Oracle User Accounts Connector. c) Click Next. 3. Specify connection settings to access the target Oracle system: a) Use the Oracle service name box to specify the name of the Oracle service through which you want to access the target Oracle system. You can click Refresh to get a list of available Oracle services, and then select a service from the list. b) Under Access Oracle service with, type the user name and password with which you want to access the Oracle service. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to the Oracle system. After you connect the Sync Engine to an Oracle system through Oracle User Accounts Connector, you can specify custom SQL queries you want to automatically run each time after the Sync Engine creates, updates, or deletes a user account in the Oracle system. For more information, see Modifying an Existing Connection to Oracle User Accounts on page

63 Administrator Guide Modifying an Existing Connection to Oracle User Accounts You can modify connection settings for an existing connection to the Oracle Database system where Quick Connect synchronizes user identity data. When modifying the connection settings you can optionally specify one or more custom SQL queries you want to automatically run each time after Quick Connect provisions, updates, or deprovisions a user in the Oracle Database system connected through the Oracle User Accounts Connector. To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Oracle Database connection you want to modify. 3. Open the Connection Settings tab. 4. Expand Specify connection settings, and then modify settings as necessary. You can use the following options: OPTION Oracle service name DESCRIPTION Allows you to specify the name of the Oracle service through which you want to access the target Oracle system. Type the Oracle service name or select it from the list. To get a list of available Oracle services, click Refresh. Access Oracle service with Test Connection Allows you to specify the user name and password with which you want to access the Oracle service. Allows you to verify the specified connection settings. 5. Click Save. 63

64 Quest One Quick Connect To specify custom SQL queries 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the existing Oracle connection for which you want to specify SQL queries. 3. Open the Connection Settings tab. 4. Expand Advanced, and then use the appropriate list to specify your SQL queries: LIST SQL queries to run after user provisioned. Specifies SQL queries you want to run each time Quick Connect Sync Engine creates a user account in the Oracle system. SQL queries to run after user updated. Specifies SQL queries you want to run each time Quick Connect Sync Engine updates a user account in the Oracle system. SQL queries to run after user deprovisioned. Specifies SQL queries you want to run each time Quick Connect Sync Engine deletes a user account in the Oracle system. BUTTONS Below each list, you can use the following buttons: Add. Allows you to add a new SQL query to the list. Edit. Allows you to edit the SQL query you selected in the list. Delete. Deletes the SQL query you selected in the list. SQL queries are run in the order they are listed. If necessary, you can rearrange the SQL queries: select an SQL query in the appropriate list, and then click the up or down arrow button to move the query up or down as necessary. For sample SQL queries, see Sample SQL Queries on page Click Save. Sample SQL Queries The sample queries provided in this section are only applicable if Quick Connect Sync Engine is connected to the target Oracle Database system through the Oracle User Accounts Connector. Sample Query 1 This SQL query illustrates how to call a specific Oracle stored procedure: CALL "<ProcedureName>"('&USERNAME') In this query: ProcedureName specifies the name of the Oracle stored procedure you want to call. USERNAME refers to the name of the attribute that uniquely identifies a user in the target Oracle Database system. Sample Query 2 This SQL query illustrates how to add a new entry to a particular table in the target Oracle Database system: insert into DatabaseTable(ColumnName) values (upper('&username')) In this query: DatabaseTable specifies the name of the table into which the entry will be added. USERNAME refers to the name of the attribute that uniquely identifies a user in the target Oracle Database system. 64

65 Administrator Guide Managing a Connection to Sun One Directory Server This section covers: Creating a New Connection to Sun One Directory Server Modifying an Existing Connection to Sun One Directory Server Creating a New Connection to Sun One Directory Server To connect the Sync Engine to Sun One Directory Server, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Sun One Directory Server Connector. c) Click Next. 3. In the Server text box, type the fully qualified domain name (FQDN) of the computer running Sun One Directory Server. 4. In the Port text box, type the number of the LDAP communication port used by Sun One Directory Server. 5. Under Access Sun One Directory Server with, specify the user name and password with which you want to access the server. You can optionally click Advanced to specify additional connection options. When you are finished, you can click Test Connection to verify the specified connection settings. 6. Click Finish to create a connection to Sun One Directory Server. 65

66 Quest One Quick Connect Modifying an Existing Connection to Sun One Directory Server To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Sun One Directory Server connection you want to modify. 3. Open the Connection Settings tab. 4. Expand Specify connection settings and use the following options to modify the settings: Server. Specify the fully qualified domain name (FQDN) of the computer running Sun One Directory Server. Port. Specify the number of the LDAP communication port used by Sun One Directory Server. Access Sun One Directory Server with. Specify the user name and password with which you want to access the server. Advanced. Allows you to specify additional connection options. Test Connection. Allows you to verify the connection settings you have specified. 5. Click Save. Managing a Connection to IBM RACF This section covers: Creating a New Connection to IBM RACF Modifying an Existing Connection to IBM RACF Creating a New Connection to IBM RACF To create a connection to IBM RACF, complete these steps: Step 1: Ensure Prerequisites Are Met Step 2: Create a Connection to IBM RACF Step 1: Ensure Prerequisites Are Met PREREQUISITE Obtain and install a special connector for IBM RACF. Ensure that Quick Connect for Mainframes (bridge) application (also known as LDAP Bridge) is installed on the mainframe computer that hosts your IBM RACF system. COMMENT For more information, see About Connections to External Data Systems on page 36. The LDAP Bridge is distributed in the Quick Connect for Mainframes package and serves as a gateway that provides Quick Connect Sync Engine with access to IBM RACF. For more information on how to install and configure the LDAP Bridge, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. 66

67 Administrator Guide Step 2: Create a Connection to IBM RACF 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select RACF Connector. c) Click Next. 3. Specify the following options to connect to the LDAP Bridge: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the IBM RACF system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Optionally, you can click Advanced to specify additional connection options. When you are finished, you can click Test Connection to verify the settings you have specified. 4. Click Finish to create a connection to the IBM RACF system through the LDAP Bridge. Consider the following restrictions imposed by IBM RACF: The maximum length of the values you specify for user name (saved in the IBM RACF attribute uid), user password (saved in the IBM RACF attribute racfpassword), and group name (saved in the IBM RACF attribute cn) cannot exceed 8 characters. Values of the attributes that identify objects in IBM RACF cannot include any of these characters:, = + < > # ; \ " SPACE 67

68 Quest One Quick Connect Modifying an Existing Connection to IBM RACF To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing IBM RACF connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the settings: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the IBM RACF system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Advanced. Click to specify additional connection options. Test Connection. Click to verify the connection settings you have specified. 4. Click Save. Managing a Connection to CA ACF2 This section covers: Creating a New Connection to CA ACF2 Modifying an Existing Connection to CA ACF2 Creating a New Connection to CA ACF2 To create a connection to CA ACF2, complete these steps: Step 1: Ensure Prerequisites Are Met Step 2: Create a Connection to CA ACF2 Step 1: Ensure Prerequisites Are Met PREREQUISITE Obtain and install a special connector for CA ACF2. Ensure that Quick Connect for Mainframes (bridge) application (also known as LDAP Bridge) is installed on the mainframe computer that hosts your CA ACF2 system. COMMENT For more information, see About Connections to External Data Systems on page 36. The LDAP Bridge is distributed in the Quick Connect for Mainframes package and serves as a gateway that provides Quick Connect Sync Engine with access to CA ACF2. For more information on how to install and configure the LDAP Bridge, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. 68

69 Administrator Guide Step 2: Create a Connection to CA ACF2 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select ACF2 Connector. c) Click Next. 3. Specify the following options to connect to the LDAP Bridge: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the CA ACF2 system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Optionally, you can click Advanced to specify additional connection options. When you are finished, you can click Test Connection to verify the settings you have specified. 4. Click Finish to create a connection to the CA ACF2 system through the LDAP Bridge. Consider the following restrictions imposed by CA ACF2: The maximum length of the values you specify for user name (saved in the CA ACF2 attribute uid) and user password (saved in the CA ACF2 attribute acf2password) cannot exceed 8 characters. Values of the attributes that identify objects in CA ACF2 cannot include any of these characters:, = + < > # ; \ " SPACE Modifying an Existing Connection to CA ACF2 To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing CA ACF2 connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the settings: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the CA ACF2 system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Advanced. Click to specify additional connection options. Test Connection. Click to verify the connection settings you have specified. 4. Click Save. 69

70 Quest One Quick Connect Managing a Connection to CA Top Secret This section covers: Creating a New Connection to CA Top Secret Modifying an Existing Connection to CA Top Secret Creating a New Connection to CA Top Secret To create a connection to CA Top Secret, complete these steps: Step 1: Ensure Prerequisites Are Met Step 2: Create a Connection to CA Top Secret Step 1: Ensure Prerequisites Are Met PREREQUISITE Obtain and install a special connector for CA Top Secret. Ensure that Quick Connect for Mainframes (bridge) application (also known as LDAP Bridge) is installed on the mainframe computer that hosts your CA Top Secret system. COMMENT For more information, see About Connections to External Data Systems on page 36. The LDAP Bridge is distributed in the Quick Connect for Mainframes package and serves as a gateway that provides Quick Connect Sync Engine with access to CA Top Secret. Step 2: Create a Connection to CA Top Secret 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Top Secret Connector. c) Click Next. For more information on how to install and configure the LDAP Bridge, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. 70

71 Administrator Guide 3. Specify the following options to connect to the LDAP Bridge: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the CA Top Secret system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Optionally, you can click Advanced to specify additional connection options. When you are finished, you can click Test Connection to verify the settings you have specified. 4. Click Finish to create a connection to the CA Top Secret system through the LDAP Bridge. Consider the following restrictions imposed by CA Top Secret: The maximum length of the values you specify for user name (saved in the CA Top Secret attribute uid), user password (saved in the CA Top Secret attribute tsspassword), and group name (saved in the CA Top Secret attribute uid) cannot exceed 8 characters. Values of the attributes that identify objects in CA Top Secret cannot include any of these characters:, = + < > # ; \ " SPACE To create objects in CA Top Secret (for example, when provisioning objects from the managed Active Directory domain to CA Top Secret), you must specify an existing department ID (saved in the CA Top Secret attribute tssdeptacid) for the objects being created. Modifying an Existing Connection to CA Top Secret To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing CA Top Secret connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the settings: Server. Specify the fully qualified domain name (FQDN) of the computer running the LDAP Bridge that provides access to the CA Top Secret system. Port. Specify the number of the LDAP communication port used by the LDAP Bridge. For more information, see the Quick Connect for Mainframes (bridge) PDF document supplied with the Quick Connect for Mainframes package. Access Quest One Quick Connect for Mainframes (bridge) using. Specify the use name and password with which you want to access the LDAP Bridge. Advanced. Click to specify additional connection options. Test Connection. Click to verify the connection settings you have specified. 4. Click Save. 71

72 Quest One Quick Connect Managing a Connection to IBM Lotus Domino Server This section covers: Creating a New Connection to IBM Lotus Domino Server Modifying an Existing Connection to IBM Lotus Domino Server IBM Lotus Domino Server Data Supported out of the Box Considerations for Provisioning Person Objects in Lotus Domino Server Considerations for Moving Person Objects in Lotus Domino Customizing Lotus Domino Server Connector Scenario: Provisioning Users from an Active Directory Domain to Lotus Domino Server If you want to upgrade from an earlier version of Quick Connect for Lotus Notes, please follow the upgrade steps provided in the Release Notes supplied with Quick Connect for Lotus Notes. If you do not follow the upgrade steps, the upgrade may result in the loss of certain settings specified for your existing Lotus Domino Server connections. Creating a New Connection to IBM Lotus Domino Server Before you start creating a new connection to Lotus Domino Server, make sure the following software is installed on the Quick Connect Sync Engine computer: The Quick Connect for Lotus Notes package. For more information, see About Connections to External Data Systems on page 36. An IBM Lotus Notes version supported by Quick Connect. For a list of supported Lotus Notes versions, see the Release Notes supplied with Quick Connect for Lotus Notes. Creating a new connection to IBM Lotus Domino Server includes the following steps: Step 1: Configure IBM Lotus Notes Step 2: Connect Quick Connect Sync Engine to IBM Lotus Domino Server Step 1: Configure IBM Lotus Notes To complete this step, do the following: 1. On the Quick Connect Administration Console computer, start Lotus Notes. 2. Log in to Lotus Notes by specifying the User ID (.id) file (it is also called Notes ID file) that identifies the user account under which you want Quick Connect Sync Engine to access Lotus Domino Server. 3. Connect Lotus Notes to the Lotus Domino Server that hosts the data you want to synchronize with Quick Connect. Then, proceed to Step 2: Connect Quick Connect Sync Engine to IBM Lotus Domino Server. For more information on how to connect Lotus Notes to Lotus Domino Server, see the Lotus Notes documentation. 4. After successfully connecting Lotus Notes to Lotus Domino Server, close Lotus Notes. 72

73 Administrator Guide Step 2: Connect Quick Connect Sync Engine to IBM Lotus Domino Server To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Lotus Domino Connector. c) Click Next. 3. Use the following options to configure connection settings: Server name. Type the hierarchical name of the Lotus Domino Server to which you want to connect. Use the format <LotusDominoServerName>/<CertificateAuthorityName>. User ID file. Specify the User ID file you used in Step 1: Configure IBM Lotus Notes to log on to Lotus Notes. You can either type the full path to the file or click Browse to locate and select the file. Password. Type the password required to open the specified User ID file. Address Book (.nsf) files. Set up a list of the Address Book (.nsf) files you want to participate in the data synchronization operations performed with Quick Connect. If necessary, use the buttons below this list to add or remove.nsf files as necessary. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Next. 5. On the Specify organizational units page, set up a list of the organizational units on the Lotus Domino Server you want to participate in the synchronization operations. Use the following buttons: Add. Allows you to add an organizational unit to the list. Edit. Allows you to modify an item currently selected in the list. Remove. Removes an item currently selected in the list. If you click Add or Edit, complete the following steps to specify an organizational unit you want to participate in the synchronization operations: a) Use the Address Book (.nsf) file list to select the file that includes the organizational unit of your choice. This list only includes the Address Book (.nsf) files you added in step 3 of this procedure. b) Use the Organizational unit list to select the organizational unit you want to participate in the synchronization. This list only includes the organizational units located in the Address Book (.nsf) file you selected. c) Use the Certifier ID file text box to type the full path to the Certifier ID file for the organizational unit you selected or click Browse to locate and select the Certifier ID file. d) Use the Password text box to type the password required to open the specified Certifier ID file. e) When you are finished, click OK. 6. Click Finish. The new Lotus Domino Server connection appears on the Connections tab. 73

74 Quest One Quick Connect Modifying an Existing Connection to IBM Lotus Domino Server You can modify connection settings of an existing IBM Lotus Domino Server connection. Also you can edit the list of organizational units participating in the data synchronization operations. To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Lotus Domino Server connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection: Server name. Type the hierarchical name of the Lotus Domino Server to which you want to connect. Use the format <LotusDominoServerName>/<CertificateAuthorityName>. User ID file. Specify the User ID file you used in Step 1: Configure IBM Lotus Notes to log on to Lotus Notes. You can either type the full path to the file or click Browse to locate and select the file. Password. Type the password required to open the specified User ID file. Address Book (.nsf) files. Set up a list of the Address Book (.nsf) files you want to participate in the data synchronization operations performed with Quick Connect. If necessary, use the buttons below this list to add or remove.nsf files as necessary. Test Connection. Click to verify the connection settings you have specified. 4. Click Save. To edit the list of organizational units for synchronization operations 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Lotus Domino Server connection for which you want to edit the list of organizational units. 3. Expand Specify organizational units, and then set up a list of the organizational units you want to participate in the synchronization operations. Use the following buttons: Add. Allows you to add an organizational unit to the list. Edit. Allows you to modify an item currently selected in the list. Remove. Removes an item currently selected in the list. If you click Add or Edit, complete the following steps to specify an organizational unit you want to participate in the synchronization operations: 74

75 Administrator Guide a) Use the Address Book (.nsf) file list to select the file that includes the organizational unit of your choice. This list only includes the Address Book (.nsf) files added to the Address Book (.nsf) files list in the Specify connection settings area. b) Use the Organizational unit list to select the organizational unit you want to participate in the synchronization. This list only includes the organizational units contained in the Address Book (.nsf) file you selected. c) Use the Certifier ID file text box to type the full path to the Certifier ID file for the organizational unit you selected or click Browse to locate and select that file. d) Use the Password text box to type the password required to open the specified Certifier ID file. e) When you are finished, click OK. 4. Click Save. Deleting a certifier (organizational unit) on Lotus Domino Server does not remove the corresponding certifier (organizational unit) entry from the Organizational units list set up in the Lotus Domino Server connection settings. After you delete a certifier (organizational unit) on Lotus Domino Server, you need to manually remove the corresponding certifier (organizational unit) entry from the Organizational units list. IBM Lotus Domino Server Data Supported out of the Box The next table lists the IBM Lotus Domino Server object types supported by Quick Connect for Lotus Notes out of the box and the operations you can perform on these objects by using Quick Connect. LOTUS DOMINO SERVER OBJECT READ CREATE DELETE UPDATE Person Supported Supported Supported Supported Group Supported Supported Supported Supported Certifier (Organizational Unit) Supported Supported Supported Supported Resource Supported Not supported Not supported Not supported Room Supported Not supported Not supported Not supported Mail-in Database Supported Not supported Not supported Not supported Quick Connect for Lotus Notes provides some special attributes that allow you to perform certain operations on Lotus Domino Server data, such as Read or Update. These attributes only exist in Quick Connect and can be accessed and used through the Quick Connect Administration Console (for example, when you select the source and target attributes that will participate in the synchronization). The next sections list the attributes provided by Quick Connect for Lotus Notes and explain what Lotus Domino Server data you can read and/or update using a particular attribute. These sections also provide information on some native Lotus Notes attributes that may be useful for you to configure data synchronization steps in Quick Connect Administration Console. 75

76 Quest One Quick Connect The next sections are: Attributes Related to a Person Object in Lotus Domino Server Attributes Related to a Certifier Object in Lotus Domino Server Attributes Related to a Group Object in Lotus Domino Server Attributes Related to a Resource Object in Lotus Domino Server Attributes Related to a Room Object in Lotus Domino Server Attributes Related to a Mail-in Database Object in Lotus Domino Server The tables provided in the next sections have the following columns: Attribute Name. Provides the names of Quick Connect attributes and native Lotus Notes attributes as they appear in the Quick Connect Administration Console. The names of attributes provided by Quick Connect have the LN prefix (example: LNCertifierName). The names of native Lotus Notes attributes do not have the LN prefix (example: Comment). Note that this column lists only some of the native Lotus Notes attributes supported by Quick Connect. Syntax. Specifies the syntax accepted by the attribute. Attribute Description. Provides attribute s description. Where appropriate, this column lists the values the attribute can take. Supported Operations in Lotus Domino Server. Lists the operations the attribute allows you to perform on the corresponding data in Lotus Domino Server. 76

77 Administrator Guide Attributes Related to a Person Object in Lotus Domino Server ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION LNAccountIsDisabled Boolean Specifies whether to prohibit or allow access to Lotus Domino Server for the user whose Person object you specify. SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER Read, Write The LNAccoutIsDisabled attribute sets user access to Lotus Domino Server by sending an administration request to update the value of the Check password option on Lotus Domino Server. The LNAccoutIsDisabled attribute can take one of the following values: TRUE. Prohibits access to Lotus Domino Server by setting the value of the Check password attribute on the Lotus Domino Server to Lockout ID. FALSE (default value). Allows access to Lotus Domino Server by setting the value of the Check password option on the Lotus Domino Server to Don t check password. You can only use the LNAccoutIsDisabled attribute if the Lotus Domino Server is configured to check passwords on Notes IDs (the Check passwords on Notes IDs option must be enabled on the Lotus Domino Server). LNCertifierName Single-valued, string Allows you to specify the target Organizational Unit (Certifier) to which you want to provision data. The name you specify in this attribute must match the name of the Organizational Unit (Certifier) that will act as the target container for the provision operation. Write Note: You can only use this attribute to provision data in Lotus Domino Server. 77

78 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNCreat Db Single-valued, string Specifies whether to create a mail database for the Person object. This attribute can take one of the following values: TRUE. Specifies to create the mail database. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE (default value). Specifies not to create the mail database. LNEnforceUniqueShortName Single-valued, Boolean Specifies whether the short name in Lotus Domino Server must be unique. This attribute can take one of the following values: TRUE. Specifies that the short name must be unique. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE (default value). Specifies that it is not obligatory for the short name to be unique. Note: If you set this attribute value to TRUE, you must also set the ShortName attribute value (described later in this table). 78

79 Administrator Guide ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNGroupList Multivalued, string (group name) Allows you to specify Lotus Domino Server groups for a particular Person object. To specify groups, use the distinguished (DN) or abbreviated names of the groups. Read, Write When used for reading data in Lotus Domino Server, this attribute always returns abbreviated names of groups. Example of a distinguished name of a group: CN=GroupOne/OU=Unit/O=corp Example of an abbreviated name of a group: GroupOne/corp Quick Connect validates the specified attribute value when writing the attribute value in Lotus Domino Server. If the specified groups do not exist, Quick Connect returns an error. When provisioning a Person object in Lotus Domino Server, you can use this attribute to specify the Lotus Domino Server groups where you want the Person object to be a member. LNIDExpiration Single-valued, DateTime Allows you to specify an expiration date for the ID files to be created. To specify an expiration date in this attribute, use the DateTime format. Write The default expiration date is 2 years from the current date and time. 79

80 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNIDIsNorthAmerican Single-valued, Boolean Specifies a security type for the ID file to be created. This attribute can take one of the following values: TRUE (default value). Specifies that the ID file has the North American security type. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE. Specifies that the ID file has the International security type. For more information on security types, see the Lotus Domino Server documentation. LNIDType Single-valued, integer Specifies a type for the ID file to be created. This attribute can take one of the following values: 171 (default value). Specifies to create a flat ID file. Write Note: You can only use this attribute to provision data in Lotus Domino Server Specifies to create a hierarchical ID file Creates an ID file of the type to which the corresponding certifier belongs. LNIsRoamingUser Single-valued, Boolean Specifies whether or not the Person is a roaming user. This attribute can take one of the following values: TRUE. Specifies that the Person is a roaming user. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE (default value). Specifies that the Person is not a roaming user. LNMailACLManager Multivalued, reference Specifies a name assigned to the Manager-level access in the mail database ACL. A mail database owner may or may not be a Manager depending on the value set for the LNMailOwnerAccess attribute. Write Note: You can only use this attribute to provision data in Lotus Domino Server. 80

81 Administrator Guide ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNMailCreateFTIndex Single-valued, Boolean Specifies whether to create a full-text index for the mail database. This attribute can take one of the following values: TRUE (default value). Specifies to create the full-text index. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE. Specifies not to create the full-text index. LNMailOwnerAccess Single-valued, integer Specifies an access level for the owner of the mail database. This attribute allows you to set an access level in the Access Control List (ACL) for the mail database. The attribute can take one of the following values: Write Note: You can only use this attribute to provision data in Lotus Domino Server. 0 (default value). Sets the Manager access level for the owner. 1. Sets the Designer access level for the owner. 2. Sets the Editor access level for the owner. LNMailQuotaSizeLimit Single-valued, integer Allows you to specify a size limit for the user's mail database. If this attribute s value is set to 0 (zero), no size limit applies to the mail database. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNMailQuotaWarningThreshold Single-valued, integer Specifies a threshold size (in megabytes) for the user s mail database. When the database size exceeds the specified value, the user receives a warning. The default value of this attribute is 0 (zero): no threshold size applies to the mail database. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNMailReplicaServers Multivalued, reference Specifies a list of servers to which the mail database will replicate. This attribute applies to clustered servers only. Write Note: You can only use this attribute to provision data in Lotus Domino Server. 81

82 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNMailTemplateName Single-valued, string Specifies the name of the mail template file to be used by default for users mail messages. When this attribute s value is empty, a standard mail template file is used. For example, in Release 6 the standard mail template file is MAIL6.NTF. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNNoIDFile Single-valued, Boolean Specifies whether to create a corresponding ID file for the Person object to be registered. This attribute can take one of the following values: TRUE. Specifies not to create a corresponding ID file. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE (default value). Specifies to create a corresponding ID file. LNIDFile Single-valued, string Specifies ID file name. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNMinPasswordStrength Single-valued, integer Specifies a complexity level for the ID file password. This attribute can take one of the following values: 0 (default value). Password is optional. Write Note: You can only use this attribute to provision data in Lotus Domino Server. 1. Password of any length is acceptable. 2 or 3. Very weak password. 4, 5, or 6. Weak password. 7 or 8. Password complexity level recommended for users. 9, 10, 11, or 12. Strong password complexity level recommended for servers and certifiers. 13, 14, 15, or 16. Highest password complexity level recommended for servers and certifiers. 82

83 Administrator Guide ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNRegistrationLog Single-valued, string Specifies whether to enable logging for the ID files creation operations. Logging is not enabled if this attribute s value is empty. When logging is enabled, the log information is written to the CERTLOG.NSF file that is saved in the Domino data directory on the Lotus Domino Server. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNRoamingServer Single-valued, reference Specifies a server for storing user's roaming data. If this attribute s value is empty, the roaming data is stored on user's mail server. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNRoamingSubdir Multivalued, string Specifies a subdirectory for storing user's roaming data. Write Note: You can only use this attribute to provision data in Lotus Domino Server. LNStoreIDInAddressBook Single-valued, Boolean Specifies whether to store User ID in the Domino data directory on Lotus Domino Server. This attribute can take one of the following values: TRUE (default value). Specifies to store User ID in the Domino data directory. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE. Specifies not to store User ID in the Domino data directory. LNStoreIDInMailfile Single-valued, Boolean Specifies whether to store User ID in the user's mail file. This property applies only to Domino Web Access. By setting this attribute to TRUE you allow the Lotus Notes users to read their encrypted mail through Domino Web Access. Write Note: You can only use this attribute to provision data in Lotus Domino Server. This attribute can take one of the following values: TRUE. Specifies to store User ID in the user s mail file. FALSE (default value). Specifies not to store User ID in the user s mail file. 83

84 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNSynchInternetPassword Single-valued, Boolean Specifies whether to automatically synchronize the user's Internet password with the corresponding Lotus Notes ID password. This attribute can take one of the following values: Write Note: You can only use this attribute to provision data in Lotus Domino Server. TRUE. Specifies to automatically synchronize user s Internet password with the corresponding Lotus Notes ID password, so that these two passwords match. FALSE (default value). User s Internet password is not synchronized with the corresponding Lotus Notes ID password. LNUpdateAddressBook Single-valued, Boolean Specifies whether to update the server entry in the Lotus Domino Directory when creating the ID file. This attribute can take one of the following values: Write Note: You can only use this attribute to provision data in Lotus Domino Server. TRUE (default value). Specifies to update the server entry in the Lotus Domino Directory during the ID file creation operations. FALSE. Specifies not to update the server entry in the Lotus Domino Directory during the ID file creation operations. LNUseCertificateAuthority Single-valued, Boolean Specifies whether to use the certificate authority (CA) for registration. This attribute can take one of the following values: TRUE. Specifies to use CA for registration. Write Note: You can only use this attribute to provision data in Lotus Domino Server. FALSE (default value). Specifies not to use CA for registration. 84

85 Administrator Guide ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNUserType Single-valued, integer Allows you to specify what type of client you want to create Specifies to create Mail client Specifies to create Desktop client. Write Note: You can only use this attribute to provision data in Lotus Domino Server. 176 (default value). Specifies to create Full client. For more information on types of clients, see the Lotus Domino Server documentation. Comment Single-valued, string Specifies comment field value in the Lotus Domino Directory record. Read, Write FirstName Single-valued, string Specifies user s first name. Read, Write InternetAddress Single-valued, string Specifies user s address. Read, Write LastName Single-valued, string Specifies user s last name. Read, Write Location Single-valued, string Specifies location field value in the Domino Directory record. Read, Write MailAddress Single-valued, string Specifies forwarding domain for the user's mail file. Read, Write MailDomain Single-valued, string Specifies Lotus Notes domain of the Person's mail address. Read, Write MailFile Single-valued, string Allows you to specify a name for the.nsf file to be created. The maximum.nsf file name length is 8 characters. Read, Write You can only specify a name for the.nsf file if you set the LNCreat Db attribute value to TRUE. If the LNCreat Db attribute value is set to TRUE and you specify no.nsf file name in the MailFile attribute, the following default name is given to the.nsf file being created: mail\ <ShortNameAttributeValue>.nsf MailServer Single-valued, string Specifies user s mail server. Read, Write 85

86 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER MailSystem Single-valued, string Specifies mail system type. Note that this attribute uses different sets of values in different situations. Read, Write When you use the MailSystem attribute to provision data in Lotus Domino Server, the attribute can take one of the following values: 0 (default value). The mail system type is Lotus Notes. 1. The mail system type is POP. 2. The mail system type is IMAP. 3. The mail system type is Domino Web Access. 4. The mail system type is Other Internet. 5. The mail system type is Other. 6. The mail system type is None. When you use the MailSystem attribute to update or read data in Lotus Domino Server, the attribute can take one of the following values: 1. The mail system type is Lotus Notes. 2. The mail system type is cc:mail. 3. The mail system type is Other. 4. The mail system type is X The mail system type is Other Internet. 6. The mail system type is POP or IMAP The mail system type is None. MiddleInitial Single-valued, string Specifies user s middle initials. Read, Write Policy Multivalued, string Specifies the name of an explicit policy. Read, Write 86

87 Administrator Guide ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER RoamCleanPer Single-valued, integer Allows you to specify a time interval (in days) for cleaning up data on the Notes clients that belong to roaming users. Read, Write The default value of this attribute is set to 0 (zero). RoamCleanSetting Single-valued, integer Specifies parameters for cleaning up roaming data on the Notes clients that belong to roaming users. Read, Write This attribute can take one of the following values: 0 (default value). Roaming data is never cleaned up. 1. Roaming data is cleaned up every N days, where N is defined by the RoamCleanPer attribute. 2. Roaming data for a given roaming user is cleaned up each time that roaming user closes Lotus Notes. 3. The roaming user is prompted for roaming data cleanup each time the user closes Lotus Notes. This value also allows the user to clean up roaming data manually or cancel the data cleanup prompting. 87

88 Quest One Quick Connect ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER ShortName Single-valued, string Specifies short name for the Person object. Read, Write This attribute can take one of the following default values: First letter of the FirstName attribute value followed by the value of the LastName attribute. The attribute takes this default value only if the initial attribute population rules in the Quick Connect Administration Console specify values to be assigned to the FirstName and LastName attributes. OR First eight alphanumeric characters of the CN attribute value of the Person object. 88

89 Administrator Guide Attributes Related to a Certifier Object in Lotus Domino Server ATTRIBUTE NAME LNDeleteCertifierIDFile ATTRIBUTE DESCRIPTION Specifies whether to delete the corresponding Certifier ID file. You can only use this attribute when updating a Certifier object or deprovisioning a Certifier object by modifying its attributes. This attribute can take one of the following values: TRUE. Specifies to delete the corresponding Certifier ID file. FALSE (default value). Specifies not to delete the corresponding Certifier ID file. Note: When you use Quick Connect to deprovision a Certifier object by deleting it, Quick Connect deletes both the object and the corresponding Certifier ID file. SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER Write Consider the following when configuring provisioning rules for a Certifier object in the Quick Connect Administration Console: Certifier ID file for a newly-provisioned certifier is always created in the Lotus Domino Server directory that stores the Certifier ID of the parent Certifier object. A newly-provisioned Certifier ID and its parent Certifier ID always have identical password. 89

90 Quest One Quick Connect Attributes Related to a Group Object in Lotus Domino Server ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER GroupType Single-valued, string Specifies a Lotus Domino Server group type. Read, Write This attribute can take one of the following values: 0. Sets the type to Multi-purpose. 1. Sets the type to Mailing list only. 2. Sets the type to Access Control List only. 3. Sets the type to Deny List only. 4. Sets the type to Servers only. LNGroupList Multivalued, string (group name) Allows you to specify Lotus Domino Server groups for a particular Group object. To specify groups, use the distinguished (DN) or abbreviated names of the groups. Read, Write When used for reading data in Lotus Domino Server, this attribute always returns abbreviated names of groups. Example of a distinguished name of a group: CN=GroupOne/OU=Unit/O=corp Example of an abbreviated name of a group: GroupOne/corp Quick Connect validates the specified attribute value when running the synchronization step that writes the attribute value in Lotus Domino Server. If the specified groups do not exist, Quick Connect returns an error. When provisioning a Group object in Lotus Domino Server, you can use this attribute to specify the Lotus Domino Server groups where you want the Group object to be a member. 90

91 Administrator Guide Attributes Related to a Resource Object in Lotus Domino Server ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNGroupList Multivalued, string (group name) Allows you to specify Lotus Domino Server groups where a particular Resource object is a member. To specify groups, use the distinguished (DN) or abbreviated names of the groups. Read When used for reading data in Lotus Domino Server, this attribute always returns abbreviated names of groups. Example of a distinguished name of a group: CN=GroupOne/OU=Unit/O=corp Example of an abbreviated name of a group: GroupOne/corp Attributes Related to a Room Object in Lotus Domino Server ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNGroupList Multivalued, string (group name) Allows you to specify Lotus Domino Server groups where a particular Room object is a member. To specify groups, use the distinguished (DN) or abbreviated names of the groups. Read When used for reading data in Lotus Domino Server, this attribute always returns abbreviated names of groups. Example of a distinguished name of a group: CN=GroupOne/O=corp Example of an abbreviated name of a group: GroupOne/corp 91

92 Quest One Quick Connect Attributes Related to a Mail-in Database Object in Lotus Domino Server ATTRIBUTE NAME SYNTAX ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN LOTUS DOMINO SERVER LNGroupList Multivalued, string (group name) Allows you to specify Lotus Domino Server groups where a particular Main-in Database object is a member. To specify groups, use the distinguished (DN) or abbreviated names of the groups. Read When used for reading data in Lotus Domino Server, this attribute always returns abbreviated names of groups. Example of a distinguished name of a group: CN=GroupOne/OU=Unit/O=corp Example of an abbreviated name of a group: GroupOne/corp 92

93 Administrator Guide Considerations for Provisioning Person Objects in Lotus Domino Server When you provision Person objects in Lotus Domino Server, you must assign a unique value to the FullName attribute of each of the Person objects being created. To generate and assign such value, you need to use the Rules to generate unique object name list provided in the Quick Connect Administration Console. You will be prompted to create rules in this list when creating a new provisioning step. Take into account the following behavior of the Rules to generate unique object name list when provisioning Person objects in Lotus Domino Server: When the Rules to generate unique object name list includes two or more rule entries, Quick Connect uses the uppermost rule in the list to generate a unique FullName attribute value for the Person object being created. If the generated FullName attribute value is not unique, Quick Connect uses the next rule in the list. If none of the rules in the Rules to generate unique object name list can generate a unique FullName attribute value, Quick Connect does not create the Person object. For more information about the Rules to generate unique object name list, see Configuring Rules to Generate Object Names on page 181. By default, the generated unique FullName attribute value is also assigned to the LastName attribute of the Person object being created. To override this behavior and assign the correct value to the LastName attribute, you can use the Initial Attribute Population Rules area in the same provisioning step that creates the object. For a sample scenario on how to provision Person objects in Lotus Domino Server and create rules to generate values for the FullName and LastName attributes, see Scenario: Provisioning Users from an Active Directory Domain to Lotus Domino Server on page 98. For instructions on how to provision data, see Creating a Provisioning Step on page 173. For instructions on how to update data, see Creating an Updating Step on page

94 Quest One Quick Connect Considerations for Moving Person Objects in Lotus Domino You can use an updating or deprovisioning step to move Person objects between Organizational Units (Certifiers) on a Lotus Domino Server. Before you move a Person object, you need to make sure that certain Certifiers are added to the Address Book (.nsf) file located on the Quick Connect Administration Console computer. For the move operation to succeed, make sure that: Lotus Notes is closed on the Quick Connect Administration Console computer. The local Address Book (.nsf) file on the the Quick Connect Administration Console computer includes all the Certifiers that belong to the branch from the organization s root down to the parent of the Certifier that includes the Person object you want to move. See the next diagram for an example. In this diagram, Certifier C-1 holds the Person object you want to move. Thus, you need to add the Root Certifier and Certifier C to the local Address Book (.nsf) file on the Quick Connect Administration Console computer. The next procedure illustrates how to add Certifiers to the local Address Book (.nsf) file by using Lotus Notes version 7. To add Organizational Units (Certifiers) to local Address Book (.nsf) file 1. On the Quick Connect Administration Console computer, start Lotus Notes. 2. Log in to Lotus Notes by specifying the User ID (.id) file that identifies the user account under which Quick Connect accesses Lotus Domino Server. 3. On the Bookmark bar (located on the left side of the Lotus Notes window), click the Databases button, and then click Workspace. 4. Double-click the item that represents Domino Directory on the Lotus Domino Server. 5. In the Domino Directory pane, expand the Configuration node, and then select the Certificates node. 6. In the right pane, expand the Notes Certifiers node and its subnodes to select the item that represents the organization s root Certifier. 7. Click the Copy to Personal Address Book button and wait until the copy operation completes. 8. Perform steps 6 and 7 in this procedure for each Certifier down to the parent of the Certifier that includes the Person object you want to move. 9. Close Lotus Notes. 94

95 Administrator Guide Customizing Lotus Domino Server Connector The Lotus Domino Server Connector configuration information is stored in the following file on the Quick Connect computer: <QuickConnectInstallationFolder>\Service\Connectors\DominoConnector\ConnectorConfig.xml You can modify this file to customize the Lotus Domino Server Connector schema. For more information about the file format, see "Configuration XML File Format" in the Quick Connect SDK. The configuration file contains general information about the connector, such as the connector ID, description, and assembly name. In addition to the general information, this file includes the SelfConfig element that includes several XML child elements specific to the Lotus Domino connector. These child elements are located between the <SelfConfig> and </SelfConfig> elements. The next sections describe the XML elements you can use in the Lotus Domino Server Connector ConnectorConfig.xml file to customize the connector schema. The XML elements described in the next sections must be inserted between the <SelfConfig> and </SelfConfig> elements in the ConnectorConfig.xml file. SchemaExtension Element The <SchemaExtension> element provides definitions for all supported attributes and object classes that extend the connector schema. PARENT ELEMENT SelfConfig CHILD ELEMENTS SchemaAttributeDefinition, SchemaClassDefinition The <SchemaExtension> element has the following attributes: ATTRIBUTE dominoobjectcount DESCRIPTION Specifies the number of the Lotus Domino Server objects of each class (Person, Group, or Certifier) from which the connector reads the schema. When the attribute value is set to -1, the connector reads the schema from all supported Lotus Domino Server objects. Minimum value: 5 95

96 Quest One Quick Connect SchemaAttributeDefinition Element The <SchemaAttributeDefinition> element provides definitions for new attributes that extend the connector schema. Note that one attribute can be assigned to several object classes. PARENT ELEMENT SchemaExtension CHILD ELEMENTS None The <SchemaAttributeDefinition> element has the following attributes: ATTRIBUTE name displayname attributetype issinglevalue DESCRIPTION Specifies the attribute name. Specifies the attribute display name. Specifies the syntax to which the attribute conforms. Possible values: String Boolean Integer LargeInteger DateTime Binary ObjectReference When TRUE, the attribute is single valued. SchemaClassDefinition Element The <SchemaClassDefinition> element provides definitions for Lotus Domino object classes. PARENT ELEMENT SchemaExtension CHILD ELEMENTS Attributes The <SchemaClassDefinition> element has the following attributes: ATTRIBUTE name displayname DESCRIPTION Specifies the class name. The supported Lotus Domino object classes: Person Group Certifier Specifies the class display name. 96

97 Administrator Guide Attributes Element The <Attributes> element defines attributes for the object class defined in the <SchemaClassDefinition> parent element. PARENT ELEMENT SchemaClassDefinition CHILD ELEMENTS Attribute The <Attributes> element has no attributes. Attribute Element The <Attribute> element defines the attribute name to be assigned to the object class defined in the <SchemaClassDefinition> parent element. Note that this attribute must be defined using the <SchemaAttributeDefinition> element. PARENT ELEMENT Attributes CHILD ELEMENTS None The <Attribute> element has no attributes. An Example of Extended Lotus Domino Server Connector Schema To clarify the procedure of the Lotus Domino Server Connector schema extension, consider the following snippet of the ConnectorConfig.xml file that contains only the SelfConfig section. This section extends the connector schema by assigning the NoteID and Form attributes to Lotus Group objects. <SelfConfig> <!-- Causes Quick Connect to read the connector schema only from 6 first objects of each class found in Organizational Units participating in synchronization --> <SchemaExtension dominoobjectscount="6"> <!-- New attributes used to extend the connector schema --> <SchemaAttributeDefinition name="noteid" displayname="noteid" syntax="string" singlevalue="true" /> SchemaAttributeDefinition name="members" displayname="members" attributetype="objectreference" issinglevalued="false" />) <SchemaClassDefinition name="group" displayname="group"> <!-- Assign new attributes to Lotus Groups --> <Attributes> <Attribute>NoteID</Attribute> <Attribute>Members</Attribute> </Attributes> </SchemaClassDefinition> </SchemaExtension> </SelfConfig> 97

98 Quest One Quick Connect Scenario: Provisioning Users from an Active Directory Domain to Lotus Domino Server This scenario illustrates how to provision users from an Active Directory domain to a Lotus Domino Server system. This scenario includes the following steps: Step 1: Configure a Connection to Source Active Directory Domain Step 2: Configure a Connection to Lotus Domino Server Step 3: Create a New Synchronization Workflow Step 4: Configure a Synchronization Step to Provision Users Step 5: Run Your Workflow Step 1: Configure a Connection to Source Active Directory Domain For instructions on how to create a new connection to an Active Directory domain, see Creating a New Connection to an Active Directory Domain on page 38. Step 2: Configure a Connection to Lotus Domino Server For instructions on how to create a new connection to Lotus Domino Server, see Creating a New Connection to IBM Lotus Domino Server on page 72. Step 3: Create a New Synchronization Workflow For instructions on how to create a new synchronization workflow, see Creating a Synchronization Workflow on page 170. Step 4: Configure a Synchronization Step to Provision Users 1. Open the workflow you created in Step 3: Create a New Synchronization Workflow (on the Workflows tab, click the workflow name), and then click the Add synchronization step link. 2. On the Select an action page, click Provision, and then click Next. 3. On the Specify source and criteria page, do the following: a) In the Source connected system option, click the Specify button, then click Select existing connected system, and select the Active Directory domain you connected in Step 1: Configure a Connection to Source Active Directory Domain. Click Finish. b) In the Source object type option, click the Select button, and then select the User object type from the list. Click OK. c) Click Next. 4. On the Specify target page, do the following: a) In the Target connected system option, click the Specify button, then click Select existing connected system, and select the Lotus Domino Server system you connected in Step 2: Configure a Connection to Lotus Domino Server. Click Finish. b) In the Target object type option, click the Select button, and then select the Person object type from the list. Click OK. c) Use the Target container option to specify the target Lotus Domino Server certifier (organizational unit) to which you want to provision users from the Active Directory domain. For more information, see Specifying Target Containers for a Synchronization Step on page

99 Administrator Guide d) Use the Rules to generate unique object name option to specify rules for generating a unique FullName attribute value for each Person object to be created in Lotus Domino Server. Since normally the FullName attribute value is a combination of the first name, initials, and last name of a user, you may want create the following rule: By default, the generated FullName attribute value is also assigned to the LastName attribute of the Person object being created. To override this behavior, you will need to create initial attribute population rules to specify the desired LastName attribute value. For more information, see step 5 later in this procedure. e) Click Next. 99

100 Quest One Quick Connect 5. Use the Initial Attribute Population Rules area to configure a rule that assigns the correct last name to each Person object being created. For example, you can assign the value of the Last Name (sn) attribute in Active Directory to the LastName attribute in Lotus Domino Server: Optionally, you can specify some additional rules. For example, to create a Person object with Lotus Domino Server mailbox whose mail system type is Lotus Notes, create rules to populate values of the following attributes in Lotus Domino Server: MailSystem (set this attribute value to 0), LNCreat DB, MailDomain, and MailFile. For more information about these attributes, see Attributes Related to a Person Object in Lotus Domino Server on page Use the Initial Password area to set an initial password for each Person object to be created in Lotus Domino Server. 7. Click Finish to close the wizard. Step 5: Run Your Workflow For instructions on how to run a workflow, see Running a Synchronization Workflow on page

101 Administrator Guide Managing a Connection to Google Apps This section covers: Creating a New Connection to Google Apps Modifying an Existing Connection to Google Apps Specifying Google Apps Containers Using a PowerShell Script Google Apps Data Supported out of the Box Scenario: Provisioning Containers and Users from an Active Directory Domain to Google Apps Creating a New Connection to Google Apps To connect Quick Connect Sync Engine to Google Apps, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. Once the connector is installed, follow the steps below to create a new connection to the Google Apps system. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Google Apps Connector. c) Click Next. 3. Use the following options to specify the connection settings: Google Apps domain. Type the name of the Google Apps domain to which you want to connect. Access Google Apps domain using. Type the user name and password of the account with which you want to access the target Google Apps domain. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to the specified Google Apps domain. 101

102 Quest One Quick Connect Modifying an Existing Connection to Google Apps To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Google Apps connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection: Google Apps domain. Type the name of the Google Apps domain to which you want to connect. Access Google Apps domain using. Type the user name and password of the account with which you want to access the target Google Apps domain. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. Test Connection. Click to verify the settings you have specified. 4. Click Save. Specifying Google Apps Containers Using a PowerShell Script You can use a custom PowerShell script to specify target Google Apps containers (OUs) to which you want to provision data from the other connected data system. In this case, make sure the script returns the target containers in the following format required by Quick Connect Sync Engine: <GoogleAppsDomain>/<PathToTargetContainer> Example: mydomain.com/ou1/ou1/ou3 where OU3 is the target Google Apps container to which you want to provision data. For more information, see Specifying Target Containers for a Synchronization Step on page 180. Google Apps Data Supported out of the Box The table below lists the Google Apps object types supported by Quick Connect for Cloud Services out of the box and the operations you can perform on these objects in Google Apps. GOOGLE APPS OBJECT READ CREATE DELETE UPDATE User Supported Supported Supported Supported Group Supported Supported Supported Supported Organization Unit Supported Supported Supported Supported For each supported Google Apps object type, Quick Connect for Cloud Services provides special attributes. These attributes allow you to work with certain data in Google Apps. The following sections list these attributes and provide information on the Google Apps data you can work with using a particular attribute: Attributes Related to Google Apps User Attributes Related to Google Apps Group Attributes Related to Google Apps Organization Unit 102

103 Administrator Guide The tables provided in these sections have the following columns: Quick Connect Attribute. Provides the names of the Quick Connect for Cloud Services attributes as they appear in the Quick Connect Administration Console. Attribute Description. Provides additional details about the attribute, such as whether the attribute is single-valued or multivalued, the format in which the attribute accepts data, and other information. Supported Operations in Google Apps. Lists the operations the attribute allows you to perform on the corresponding data in Google Apps. Google Apps Reference. Specifies what Google Apps data you can read and write using the attribute. Where appropriate, the column provides instructions on how to view the Google Apps user interface element that includes the value you can read and write using the corresponding Quick Connect attribute. 103

104 Quest One Quick Connect Attributes Related to Google Apps User QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE Id Single-valued Read User ID in Google Apps. This attribute accepts user ID in the format <GoogleDomain>/ <ObjectType>/ <User > Example: mydomain.com/user/ UserName Single-valued Read, Write User name in Google Apps. To view user name 1. Open the Organization & users page. 2. Use the tree view in the left part of the page to select an appropriate organization unit. 3. In the column, see the part of the address to the left of the at sign For example, in the address the user name is john.doe. GivenName Single-valued Read, Write User s first name. To view user s first name 1. Open the Organization & users page. 2. Use the tree view in the left part of the page to select an appropriate organization unit. 3. See the first name in the Name column. 104

105 Administrator Guide QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE FamilyName Single-valued Read, Write User s last name. To view user s last name 1. Open the Organization & users page. 2. Use the tree view in the left part of the page to select an appropriate organization unit. 3. See the last name in the Name column. ChangePasswordAtNextLogon Single-valued Read, Write Require a change of password in the next sign in check box. To view the check box 1. Open the Organization & users page. 2. Click the name of a user in the Name column. 3. On the User information tab, in the Password area, see the Require a change of password in the next sign in check box. Nicknames Multivalued Read, Write User s nicknames in Google Apps. To view nicknames 1. Open the Organization & users page. 2. Click the name of a user in the Name column. 3. On the User information tab, in the Nicknames area, see the list of nicknames. 105

106 Quest One Quick Connect QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE Groups Multivalued reference Read, Write Google Apps groups of which the user is a member. To view groups 1. Open the Organization & users page. 2. Click the name of a user in the Name column. 3. On the User information tab, in the Groups area, see the list of groups of which the user is a member. Suspended Single-valued Read, Write User s status in Google Apps. Admin Single-valued Read, Write Administrator Privileges check box. To view the check box 1. Open the Organization & users page. 2. Click the name of a user in the Name column. 3. On the Privileges tab, see the Administrator Privileges check box. 106

107 Administrator Guide Attributes Related to Google Apps Group QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE Id Single-valued Read Group ID in Google Apps. This attribute accepts group ID in the format <GoogleDomain>/ <ObjectType>/ <Group > Example: mydomain.com/group/ GroupName Single-valued Read, Write Group name in Google Apps. To view group name 1. Open the Groups page. 2. See the group name in the Name column. Single-valued Read address of the group. Members Multivalued reference Read, Write Group members. Owners Multivalued reference Read, Write Group owners. To view group 1. Open the Groups page. 2. See the address in the address column. Description Single-valued Read, Write Group description. To view group members 1. Open the Groups page. 2. Click the group name in the Name column. 3. On the Members tab, see the list of group members. To view group owners 1. Open the Groups page. 2. Click group name in the Name column. 3. On the Members tab, use the Roles column to identify the group owners. To view group description 1. Open the Groups page. 2. Click group name in the Name column. 3. See group description below the group name at the top of the page. 107

108 Quest One Quick Connect QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE Permissions Single-valued Read, Write A list of users who can send s to the group. Attributes Related to Google Apps Organization Unit QUICK CONNECT ATTRIBUTE ATTRIBUTE DESCRIPTION SUPPORTED OPERATIONS IN GOOGLE APPS GOOGLE APPS REFERENCE Id Single-valued Read Organization unit ID in Google Apps. This attribute accepts organization unit ID in the format <GoogleDomain>/ <ObjectType>/<OUPath> Name Single-valued Read, Write Organization unit name. Scenario: Provisioning Containers and Users from an Active Directory Domain to Google Apps This scenario illustrates how to provision organizational units (OUs) and the users these OUs include from an Active Directory domain to Google Apps. The scenario includes the following steps: 108 Step 1: Configure a Connection to Source Active Directory Domain Step 2: Configure a Connection to Google Apps Step 3: Create a New Synchronization Workflow Step 4: Configure a Step to Provision OUs Step 5: Configure a Step to Provision Users Step 6: Run Your Workflow To view organization unit name 1. Open the Organization & users page. 2. Select an organization unit in the tree view. 3. See the organization unit name at the top of the page. Description Single-valued Read, Write Organization unit description. To view organization unit description 1. Open the Organization & users page. 2. Select an organization unit in the tree view. 3. See the description below the organization unit name at the top of the page.

109 Administrator Guide Step 1: Configure a Connection to Source Active Directory Domain For instructions on how to create a new connection to an Active Directory domain, see Creating a New Connection to an Active Directory Domain on page 38. Step 2: Configure a Connection to Google Apps For instructions on how to create a new connection to Google Apps, see Creating a New Connection to Google Apps on page 101. Step 3: Create a New Synchronization Workflow For instructions on how to create a new synchronization workflow, see Creating a Synchronization Workflow on page 170. Step 4: Configure a Step to Provision OUs 1. Open the workflow you created in Step 3: Create a New Synchronization Workflow (on the Workflows tab, click the workflow name), and then click the Add synchronization step link. 2. On the Select an action page, click Provision, and then click Next. 3. On the Specify source and criteria page, do the following: a) In the Source connected system option, click the Specify button, then click Select existing connected system, and select the Active Directory connection you configured in Step 1: Configure a Connection to Source Active Directory Domain. Click Finish. b) In the Source object type option, click the Select button, and then select the organizationalunit object type from the list. Click OK. c) Click Next. 4. On the Specify target page, do the following: a) In the Target connected system option, click the Specify button, then click Select existing connected system, and select the Google Apps connection you configured in Step 2: Configure a Connection to Google Apps. b) In the Target object type option, click the Select button, and then select the OU object type from the list. Click OK. c) Use the Target container option to specify the target Google Apps containers to which you want to provision organizational units from the Active Directory domain. For more information, see Specifying Target Containers for a Synchronization Step on page 180. If you want to use a PowerShell script to specify target containers in Google Apps, make sure the script returns the target containers in the format required by Quick Connect Sync Engine. For details, see Specifying Google Apps Containers Using a PowerShell Script on page 102. d) In the Rules to generate unique object name option, specify rules for generating names for the OUs to be created in Google Apps. e) Click Next. 5. Optionally, you can use the Initial Attribute Population Rules area on the Specify provisioning rules page to specify additional settings for the OUs to be provisioned. For this purpose, you can use special attributes provided by the Google Apps Connector. For more information about these attributes, see Google Apps Data Supported out of the Box on page Click Finish to close the wizard. 109

110 Quest One Quick Connect Step 5: Configure a Step to Provision Users 1. Open the workflow you created (on the Workflows tab, click the workflow name), and then click the Add synchronization step link. 2. On the Select an action page, click Provision, and then click Next. 3. On the Specify source and criteria page, do the following: a) In the Source connected system option, click the Specify button, then click Select existing connected system, and select the Active Directory domain you connected in Step 1: Configure a Connection to Source Active Directory Domain. Click Finish. b) In the Source object type option, click the Select button, and then select the User object type from the list. Click OK. c) Click Next. 4. On the Specify target page, do the following: a) In the Target connected system option, click the Specify button, then click Select existing connected system, and select the Google Apps system you connected in Step 2: Configure a Connection to Google Apps. b) In the Target object type option, click the Select button, and then select the User object type from the list. Click OK. c) Use the Target container option to specify the target Google Apps containers to which you want to provision organizational units from the Active Directory domain. For more information, see Specifying Target Containers for a Synchronization Step on page 180. If you want to use a PowerShell script to specify target containers in Google Apps, make sure the script returns the target containers in the format required by Quick Connect Sync Engine. For details, see Specifying Google Apps Containers Using a PowerShell Script on page 102. d) In the Rules to generate unique object name option, specify rules for generating user names for the user objects to be created in Google Apps. Make sure that generated user names meet the format <UserName>@<Domain>, where <Domain> is the target Google Apps domain. e) Click Next. 5. Use the Initial Password area on the Specify provisioning rules page to set an initial password for each user to be created in Google Apps. Make sure the password meets the requirements set by Google Apps. Optionally, you can use the following elements to configure additional settings for the users to be provisioned: Initial Attribute Population Rules. Allows you to specify additional settings for the users to be provisioned in Google Apps. For this purpose, you can use special attributes provided by the Google Apps Connector. For more information about these attributes, see Google Apps Data Supported out of the Box on page 102. User Account Options. Provides the User must change password at next logon check box that allows you to force the provisioned users to change their initial passwords at their next logon to Google Apps. This option also provides the Account is disabled check box that allows you to disable the user accounts created in Google Apps in the result of the provision operation. 6. Click Finish to close the wizard. Step 6: Run Your Workflow For instructions on how to run a workflow, see Running a Synchronization Workflow on page

111 Administrator Guide Managing a Connection to Google Postini Services This section covers: Creating a New Connection to Google Postini Services Modifying an Existing Connection to Google Postini Services Google Postini Services Data Supported out of the Box Scenario: Provisioning Users from an Active Directory Domain to Google Postini Services Creating a New Connection to Google Postini Services To connect Quick Connect Sync Engine to Google Postini Services, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. Once the connector is installed, follow the steps below to create a connection to the Google Postini Services system. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Google Postini Services Connector. c) Click Next. 3. Use the following options to specify the connection settings: Postini API key. Specify the Postini API key provided to you by Google. To obtain a Postini API key, submit a request to the Postini Technical Support Team at postinicustomercare@google.com. User name. Type the user name of the account with which you want to access Google Postini Services. The account whose name you specify must have the Modify privilege on User Settings in the Google Postini Services system to which you want to connect. Password. Type the password for the account whose user name you specified. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to the specified Google Apps domain. 111

112 Quest One Quick Connect Modifying an Existing Connection to Google Postini Services To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Google Postini Services connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection: Postini API key. Specify the Postini API key provided to you by Google. To obtain a Postini API key, submit a request to the Postini Technical Support Team at postinicustomercare@google.com. User name. Type the user name of the account with which you want to access Google Postini Services. The account whose name you specify must have the Modify privilege on User Settings in the Google Postini Services system to which you want to connect. Password. Type the password for the account whose user name you specified. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server. Then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. Test Connection. Click to verify the settings you have specified. 4. Click Save. Google Postini Services Data Supported out of the Box The table below lists the Google Postini Services object types supported by Quick Connect for Cloud Services out of the box and the operations you can perform on these objects in Google Postini Services. GOOGLE POSTINI SERVICES OBJECT READ CREATE DELETE UPDATE User Supported Supported Supported Supported Quick Connect for Cloud Services provides special attributes for working with Google Postini Services data. These attributes allow you to read and write certain data in Google Postini Services. The next table lists the Quick Connect attributes and the Google Postini Services data you can work with using a particular attribute. The table has the following columns: Quick Connect Attribute. Provides the names of the Quick Connect for Cloud Services attributes as they appear in the Quick Connect Administration Console. Attribute Description. Provides attribute description. You can use this column to find out what Google Postini Services data you can read and write using a certain attribute provided by Quick Connect for Cloud Services. Supported Operations in Google Postini Services. Lists the operations the attribute allows you to perform on the corresponding data in Google Postini Services. QUICK CONNECT ATTRIBUTE primary_ user_id ATTRIBUTE DESCRIPTION Specifies an existing primary address for the user. Specifies a unique Google Postini Services identifier for the user. SUPPORTED OPERATIONS IN GOOGLE POSTINI SERVICES Read, Write Read 112

113 Administrator Guide QUICK CONNECT ATTRIBUTE org_name wireless_fwd spamfltr_status filter_bulk filter_sexplicit ATTRIBUTE DESCRIPTION Specifies the name of user s organization. Specifies whether wireless forwarding is enabled for the user. The Wireless Forwarding feature provided in Google Postini Services allows you to manage message forwarding to mobile devices. This attribute can take one of the following values: On Off Unavailable Specifies whether spam protection is enabled for the user. This attribute can take one of the following values: On Off Specifies a level for filtering bulk s. This attribute can take one of the following values: Lenient Aggressively lenient Moderate Leniently aggressive Aggressive Specifies a level for filtering sexually explicit s. This attribute can take one of the following values: Off Lenient Moderate Moderately aggressive Aggressive SUPPORTED OPERATIONS IN GOOGLE POSTINI SERVICES Read, Write Read, Write Read, Write Read, Write Read, Write 113

114 Quest One Quick Connect QUICK CONNECT ATTRIBUTE filter_getrich filter_offers filter_racial virus_block ATTRIBUTE DESCRIPTION Specifies a level for filtering s with get-rich-quick offers. This attribute can take one of the following values: Off Lenient Moderate Moderately aggressive Aggressive Specifies a level for filtering s with commercial offers. This attribute can take one of the following values: Off Lenient Moderate Moderately aggressive Aggressive Specifies a level for filtering racially insensitive s. This attribute can take one of the following values: Off Lenient Moderate Moderately aggressive Aggressive Specifies whether blocking of messages containing viruses is enabled for the user. This attribute can take one of the following values: On Off Unavailable SUPPORTED OPERATIONS IN GOOGLE POSTINI SERVICES Read, Write Read, Write Read, Write Read, Write 114

115 Administrator Guide QUICK CONNECT ATTRIBUTE virus_notify approved_senders blocked_senders approved_recipients dly_msg_limit user_aliases notify_ msg_center_access_block ATTRIBUTE DESCRIPTION Specifies how frequently notifications about quarantined viruses will be sent to the user. This attribute can take one of the following values: Immediately One per day Disable notifications NULL The NULL value applies default virus notification setting specified for the organization. Specifies addresses of approved senders for the user. Messages from approved senders bypass the spam filters. Specifies addresses of the senders whose messages to the user will be quarantined regardless of their contents. Specifies addresses of approved recipients for the user. Messages from approved senders bypass the user s spam filters. Specifies the maximum number of messages each user in the organization can receive daily. To allow an unlimited number of messages, set the value of this attribute to NULL. Specifies one or more alternative addresses (aliases) for the user. Specifies an address to which notifications for the user will be delivered. Specifies whether to enable or disable Message Center access for the user. This attribute can take one of the following values: Yes No SUPPORTED OPERATIONS IN GOOGLE POSTINI SERVICES Read, Write Read, Write Read, Write Read, Write Read, Write Read, Write Read, Write Read, Write 115

116 Quest One Quick Connect QUICK CONNECT ATTRIBUTE change_pwd_atlogon ATTRIBUTE DESCRIPTION Specifies whether or not the user must change password at next logon. This attribute can take one of the following values: TRUE FALSE SUPPORTED OPERATIONS IN GOOGLE POSTINI SERVICES Write user_pwd Specifies user s password. Write Scenario: Provisioning Users from an Active Directory Domain to Google Postini Services This scenario illustrates how to configure a synchronization workflow to provision users from an Active Directory domain to Google Postini Services. The scenario includes the following steps: Step 1: Configure a Connection to Source Active Directory Domain Step 2: Configure a Connection to Google Postini Services Step 3: Create a New Synchronization Workflow Step 4: Configure a Synchronization Step Step 5: Run Your Workflow Each of these steps is described in the next sections. Step 1: Configure a Connection to Source Active Directory Domain For instructions on how to create a new connection to an Active Directory domain, see Creating a New Connection to an Active Directory Domain on page 38. Step 2: Configure a Connection to Google Postini Services For instructions on how to create a new connection to Google Postini Services, see Creating a New Connection to Google Postini Services on page 111. Step 3: Create a New Synchronization Workflow For instructions on how to create a new synchronization workflow, see Creating a Synchronization Workflow on page

117 Administrator Guide Step 4: Configure a Synchronization Step 1. Open the workflow you created (on the Workflows tab, click the workflow name), and then click the Add synchronization step link. 2. On the Select an action page, click Provision, and then click Next. 3. On the Specify source and criteria page, do the following: a) Click the Specify button in the Source connected system option, then click Select existing connected system, and select the Active Directory domain you connected in Step 1: Configure a Connection to Source Active Directory Domain. Click Finish. b) Click the Select button in the Source object type option, and then select the User object type from the list. Click OK. c) Click Next. 4. On the Specify target page, do the following: a) Click the Specify button in the Target connected system option, then click Select existing connected system, and select the Google Postini Services system you connected in Step 2: Configure a Connection to Google Postini Services. b) Click the Select button in the Target object type option, and then select the User object type from the list. Click OK. c) Use the button in the Target container option to specify the target container where you want to create user objects. For more information, see Specifying Target Containers for a Synchronization Step on page 180. d) In the Rules to generate unique object name option, specify rules for generating user names for the users being provisioned to Google Postini Services. Make sure that generated user names meet the format <UserName>@<domain>, where <domain> is the domain managed by the target Google Postini Services system. e) Click Next. 5. Optionally, you can use the following elements on the Specify provisioning rules page to configure additional settings for the users being provisioned: Initial Attribute Population Rules. Allows you to use special attributes provided by the Google Postini Services Connector to specify additional settings for the users being provisioned in Google Postini Services. For more information about the attributes you can use attributes, see Google Postini Services Data Supported out of the Box on page 112. Initial Password. Allows you to set an initial password for each user being provisioned. Make sure the password meets the requirements set by Google Postini Services. If you specify initial password in this option, you can optionally force the users to change the password at their next logon. If you do not set this option, a random initial password is generated for each user being provisioned and the users will be forced to change their passwords at their next logon. User Account Options. Provides the User must change password at next logon check box that allows you to force the users to change their initial passwords at their next logon. You can only use this check box if you have specified initial password in the Initial Password option. This option also provides the Account is disabled check box that allows you to disable the user accounts provisioned to Google Postini Services. 6. Click Finish to close the wizard. Step 5: Run Your Workflow For instructions on how to run a workflow, see Running a Synchronization Workflow on page

118 Quest One Quick Connect Managing a Connection to Salesforce This section covers: Creating a New Connection to Salesforce Modifying an Existing Connection to Google Postini Services Salesforce Data Supported out of the Box Scenario: Provisioning Users from an Active Directory Domain to Salesforce Creating a New Connection to Salesforce To connect Quick Connect Sync Engine to Salesforce, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. Once the connector is installed, follow the steps below to create a connection to the Salesforce system. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select Salesforce Connector. c) Click Next. 3. Use the following options to specify the connection settings: Connect to Salesforce Sandbox. Select this check box if you want to connect to your Salesforce testing environment. If you want to connect to production environment, make sure this check box is cleared. For more information about Salesforce Sandbox, see the Salesforce documentation. User name. Type the user name of the account with which you want to access Salesforce. The account must have the System Administrator profile in the target Salesforce system. Password. Type the password of the account with which you want to access Salesforce. Security token. Enter the security token provided to you by Salesforce. For more information on what a security token is and how to obtain it, see the Salesforce documentation. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server, and then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to Salesforce. 118

119 Administrator Guide Modifying an Existing Connection to Salesforce To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing Salesforce connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection: Connect to Salesforce Sandbox. Select this check box if you want to connect to your Salesforce testing environment. If you want to connect to production environment, make sure this check box is cleared. For more information about Salesforce Sandbox, see the Salesforce documentation. User name. Type the user name of the account with which you want to access Salesforce. The account must have the System Administrator profile in the target Salesforce system. Password. Type the password of the account with which you want to access Salesforce. Security token. Enter the security token provided to you by Salesforce. For more information on what a security token is and how to obtain it, see the Salesforce documentation. Use a proxy server for your LAN. Select this check box if your LAN uses a proxy server, and then enter the proxy server address in the Proxy server box. Use credentials for proxy. Select this check box if your proxy server requires authentication. Use the appropriate text boxes to specify the user name and password with which you want to authenticate. Test Connection. Click to verify the settings you have specified. 4. Click Save. Salesforce Data Supported out of the Box Out of the box, Quick Connect for Cloud Services supports all object types in Salesforce. For each supported object, Quick Connect for Cloud Services supports the same operations (such as Read, Create, Delete, or Update) that you can perform on the object in Salesforce. Quick Connect for Cloud Services provides a number of special attributes in the Quick Connect Administration Console. Each of these attributes allows you to work with a particular corresponding Salesforce object field. Each attribute has the same name as the corresponding Salesforce field whose value you can read and write using the attribute. Quick Connect attributes accept the same values and save data in the same format as the corresponding Salesforce fields do. For more information on Salesforce fields, see the Reference Standard Objects section in the Salesforce Web Services API Developer's Guide available online at 119

120 Quest One Quick Connect The following sections list these additional attributes and explain what Salesforce data you can read and update using a particular attribute provided in the Quick Connect Administration Console: Additional Attributes Related to Salesforce User Additional Attributes Related to Salesforce Group The tables provided in these sections have the following columns: Quick Connect Attribute. Provides the name of the Quick Connect for Cloud Services attribute as it appears in the Quick Connect Administration Console. Attribute Description. Provides attribute description. You can use this column to find out what Salesforce data you can read and write using a particular attribute provided by Quick Connect for Cloud Services. Supported Operations in Salesforce. Lists the operations the attribute allows you to perform on the corresponding Salesforce data. 120

121 Administrator Guide Additional Attributes Related to Salesforce User QUICK CONNECT ATTRIBUTE vaprofilename varolename vamanagername vacontactname vamemberof ATTRIBUTE DESCRIPTION Allows you to specify a Salesforce profile. For example, you can use this attribute to assign a Salesforce profile to a user being provisioned to Salesforce. To specify a profile, enter the profile name as it appears in the Salesforce user interface. Examples of vaprofilename values: System Administrator Force.com - Free User For more information on profiles, see the Salesforce documentation. Allows you to specify a Salesforce role. For example, you can use this attribute to assign a Salesforce role to a user being provisioned to Salesforce. To specify a role, enter the role name in the format used in the Salesforce user interface. For more information on roles, see the Salesforce documentation. Allows you to specify a manager for a particular user. To specify a manager, enter the manager name in the format used in the Salesforce user interface. Allows you to specify an associated contact for a particular user. To specify an associated contact, enter the associated contact name in the format used in the Salesforce user interface. Allows you to define group membership for a particular user (this attribute is primarily intended for group membership synchronization). This attribute contains references to the groups where the user is a member. SUPPORTED OPERATIONS IN SALESFORCE Read, Write Read, Write Read, Write Read, Write Read, Write 121

122 Quest One Quick Connect QUICK CONNECT ATTRIBUTE vamemberofname valocale vatimezone va encoding valanguage vadelegatedapproverusername ATTRIBUTE DESCRIPTION Allows you to define group membership for a particular user (for example, when provisioning a user to Salesforce). Specify the names of the Salesforce groups where you want the user to be a member. Allows you to specify a locale for a particular user (for example, when provisioning a user to Salesforce). To specify a locale, enter the locale name in the format used in the Salesforce user interface. Example of a valocale value: Engish (United States) Allows you to specify a time zone for a user (for example, when provisioning a user to Salesforce). To specify a time zone, enter the time zone name in the format used in the Salesforce user interface. Example of a vatimezone value: (GMT+00:00) Greenwich Mean Time (GMT) Allows you to specify outbound encoding to be used for a user (for example, when provisioning a user to Salesforce). Specify encoding in the format used in the Salesforce user interface. Example of a va encoding value: Unicode (UTF-8) Allows you to specify a user interface language for a particular user. The Salesforce user interface and help will be displayed to the user in the language you specify in this attribute. Allows you to specify the name of the user you want to appoint delegated approver. SUPPORTED OPERATIONS IN SALESFORCE Read, Write Read, Write Read, Write Read, Update Read, Write Read, Write 122

123 Administrator Guide QUICK CONNECT ATTRIBUTE vadelegatedapprovergroupname ATTRIBUTE DESCRIPTION Allows you to specify the name of a group all members of which you want to appoint delegated approvers. SUPPORTED OPERATIONS IN SALESFORCE Read, Write Additional Attributes Related to Salesforce Group QUICK CONNECT ATTRIBUTE vamemberof vamemberofname vamember vamembername ATTRIBUTE DESCRIPTION Allows you to define group membership for a group in Salesforce (this attribute is primarily intended for group membership synchronization). The attribute contains references to the groups where a group is a member. Allows you to define group membership for a group. Specify the names of Salesforce groups where you want the group to be a member. Allows you to define members of a group. This attribute contains references to the users and/or groups that are members of a particular group. Allows you to define members of a particular group. Specify the names of users and/or groups you want to be members of the group. SUPPORTED OPERATIONS IN SALESFORCE Read, Write Read, Write Read, Write Read, Write 123

124 Quest One Quick Connect Scenario: Provisioning Users from an Active Directory Domain to Salesforce This scenario illustrates how to configure a synchronization workflow to provision users from an Active Directory domain to Salesforce. The scenario includes the following steps: Step 1: Configure a Connection to Source Active Directory Domain Step 2: Configure a Connection to Salesforce Step 3: Create a New Synchronization Workflow Step 4: Configure a Synchronization Step Step 5: Run Your Workflow Each of these steps is described in the next sections. Step 1: Configure a Connection to Source Active Directory Domain For instructions on how to create a new connection to an Active Directory domain, see Creating a New Connection to an Active Directory Domain on page 38. Step 2: Configure a Connection to Salesforce For instructions on how to create a new connection to Salesforce, see Creating a New Connection to Salesforce on page 118. Step 3: Create a New Synchronization Workflow For instructions on how to create a new synchronization workflow, see Creating a Synchronization Workflow on page 170. Step 4: Configure a Synchronization Step 1. Open the workflow you created (on the Workflows tab, click the workflow name), and then click the Add synchronization step link. 2. On the Select an action page, click Provision, and then click Next. 3. On the Specify source and criteria page, do the following: a) Click the Specify button in the Source connected system option, then click Select existing connected system, and select the Active Directory connection you configured in Step 1: Configure a Connection to Source Active Directory Domain. Click Finish. b) Click the Select button in the Source object type option, and then select the User object type from the list. Click OK. c) Click Next. 4. On the Specify target page, do the following: a) Click the Specify button in the Target connected system option, then click Select existing connected system, and select the Salesforce connection you configured in Step 2: Configure a Connection to Salesforce. b) Click the Select button in the Target object type option, and then select the User object type from the list. Click OK. c) Click Next. 5. On the Specify provisioning rules page, in the Initial Attibute Population Rules option, add rules to populate the following required attributes: 124

125 Administrator Guide Username. Use this attribute to specify a Salesforce user name for the user being provisioned. Make sure the user name you specify meets the format <UserName>@<Domain>, for example jdoe@domain.com. LastName. Use this attribute to specify the last name of the user being provisioned. vaprofilename. Use this attribute to assign a Salesforce profile to the user being provisioned. A profile defines specific permissions a user has in Salesforce. For more information on profiles, see the Salesforce documentation. Alternatively, you can specify a Salesforce profile by using the ProfileId attribute. . Use this attribute to specify an existing valid address for the user being provisioned. Alias. Use this attribute to specify a unique Salesforce alias for the user being provisioned. A Salesforce alias can include up to 8 characters. For more information on alias, see the Salesforce documentation. You must populate these attributes in order to create a new user object in Salesforce. You can populate other attributes at your discretion. These attributes are provided by the Salesforce Connector and allow you to configure particular options in Salesforce. For a complete list of attributes provided by the Salesforce Connector and their descriptions, see Salesforce Data Supported out of the Box on page Click Finish to close the wizard. Step 5: Run Your Workflow For instructions on how to run a workflow, see Running a Synchronization Workflow on page

126 Quest One Quick Connect Managing a Connection to SAP This section covers: Creating a New Connection to SAP Modifying an Existing Connection to SAP Populating Mandatory Attributes of SAP User Objects Assigning SAP Roles to Provisioned Users SAP Data Supported out of the Box Creating a New Connection to SAP To connect Quick Connect Sync Engine to SAP, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. Once the connector is installed, follow the steps below to create a connection to the SAP system. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select SAP Connector. c) Click Next. 3. Use the following options to specify the connection settings: SAP server name. Type the fully qualified domain name (FQDN) or the IP address of the computer hosting the SAP system you want to access. SAP system ID. Type the identifier of the target SAP system you want to access. SAP client ID. Type the SAP client key to specify the SAP client in which you want to work. Language ID. Type the identifier of the language currently in use on the target SAP system. Access SAP system using. Type the user name and password of the user account with which you want to connect to the target SAP system. When you are finished, you can click Test Connection to verify the specified connection settings. 4. Click Finish to create a connection to the specified SAP system. 126

127 Administrator Guide Modifying an Existing Connection to SAP To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing PeopleSoft connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection: SAP server name. Type the fully qualified domain name (FQDN) or the IP address of the computer hosting the SAP system you want to access. SAP system ID. Type the identifier of the target SAP system you want to access. SAP client ID. Type the SAP client key to specify the SAP client in which you want to work. Language ID. Type the identifier of the language currently in use on the target SAP system. Access SAP system using. Type the user name and password of the user account with which you want to connect to the target SAP system. Test Connection. Click to verify the settings you have specified. 4. Click Save. Populating Mandatory Attributes of SAP User Objects When you are creating new SAP User objects (that is, provision users to SAP), make sure that for each of the user objects you populate the following attributes provided by Quick Connect with non-empty values: UserName LastName For more information on these attributes, see Attributes Related to SAP User on page 131. To populate values of those attributes, you can use initial attribute population rules provided by Quick Connect Sync Engine. For example, you can configure these rules to map the samaccountname and sn attributes of the source Active Directory user to the UserName and LastName attributes of the target SAP User, respectively. For more information on how to provision objects, see Creating a Provisioning Step on page

128 Quest One Quick Connect Assigning SAP Roles to Provisioned Users In SAP, a role defines an activity set and all the sources of information and services that an individual SAP user needs in order to achieve a desired business objective. When provisioning user objects to a SAP system, you can configure Quick Connect Sync Engine to automatically assign specified SAP roles to the newly provisioned users. The next example shows how to provision users to a SAP system and then assign the SAP_BC_SRV_USER and SAP_BC_BASIS_MONITORING roles to them: 1. Create a new provisioning step: a) On the Workflows tab, open the workflow to which you want to add a new provisioning step. b) Click Add synchronization step. c) Select Provision, and then click Next. d) Specify source connected system, and then click Next. e) Specify SAP as a target connected system, and then click Next. 2. On the Specify provisioning rules page, expand the Initial Attribute Population Rules area, and then click the down arrow on the leftmost button below the list. 3. From the drop-down list, select Text. 4. In the Constant-based Synchronization dialog box, do the following: a) In the Constant value text box, type SAP_BC_SRV_USER. b) Click Select, and then locate and select the UserRoles attribute. Click OK. c) Click OK to close the Constant-based Synchronization dialog box. 5. In the list, select the rule you have just created. 6. On the rightmost button below the list, click the down arrow. Select Options from the drop-down list. 7. Select Append source values to target attribute values. Click OK. 8. Repeat steps 3-7 for the SAP_BC_BASIS_MONITORING role. 9. Expand the Initial Attribute Population Rules area, and then specify how to populate the UserName and LastName mandatory attributes for the users to be provisioned to SAP. For example, if you are provisioning users from Active Directory, you can do the following: a) Click the down arrow on the leftmost button below the list in the Initial Attribute Population Rules area. b) From the drop-down list, select Attribute. The Direct Synchronization dialog box opens. c) In the Source attribute option, click Select to locate and select the Name (cn) attribute. d) In the Target attribute option, click Select to locate and select the UserName attribute. e) Repeat steps 9a-9d to select Last Name (sn) as the source attribute and LastName as the target attribute. 10. Expand the Initial Password area, and then specify how to generate passwords for the users to be provisioned to SAP. 11. Click Finish to close the wizard. The SAP users provisioned in this synchronization step will be automatically assigned the SAP_BC_SRV_USER and SAP_BC_BASIS_MONITORING roles. 128

129 Administrator Guide SAP Data Supported out of the Box The table below lists the SAP object types supported by Quick Connect for SAP Solutions out of the box and the operations you can perform on each of the object types. SAP OBJECT READ CREATE DELETE UPDATE SAP User Supported Supported Supported Supported HR Employee Supported Not supported Not supported Supported Note: Some limitations apply. For details, see the Supported Operations in SAP column in the table provided in Attributes Related to HR Employee on page 137. SAP Role Note: Out of the box, Quick Connect for SAP Solutions supports composite roles only. Supported Not supported Not supported Supported Note: Some limitations apply. For details, see the Supported Operations in SAP column in the table provided in Attributes Related to SAP Role on page 153. SAP Profile Supported Not supported SAP Asset Supported Not supported Not supported Not supported Supported Note: Some limitations apply. For details, see the Supported Operations in SAP column in the table provided in Attributes Related to SAP Profile on page 153. Supported Note: Some limitations apply. For details, see the Supported Operations in SAP column in the table provided in Attributes Related to SAP Asset on page 153. For each supported SAP object type, Quick Connect for SAP Solutions provides special attributes. These attributes allow you to read and write (if the write operation is supported) the values of certain SAP fields. The attributes provided by Quick Connect for SAP Solutions are listed in the following sections: Attributes Related to SAP User Attributes Related to HR Employee Attributes Related to SAP Role Attributes Related to SAP Profile Attributes Related to SAP Asset 129

130 Quest One Quick Connect The tables provided in these sections have the following columns: Quick Connect Attribute. Provides the names of the Quick Connect for SAP Solutions attributes as they appear in the Quick Connect Administration Console. Single-valued or Multivalued. Specifies whether the attribute is single-valued or multivalued. Supported Operations in SAP. Lists the operations the attribute allows you to perform on the corresponding SAP field. SAP Reference. Specifies what SAP data (SAP field) you can read or write using the attribute. To locate the SAP field whose value you can read or write using a particular Quick Connect for SAP Solutions attribute, in the SAP user interface, open the transaction listed in the SAP Reference column, then open the SAP infotype and subtype if they are specified, and locate the SAP user interface element that represents the SAP field. 130

131 Administrator Guide Attributes Related to SAP User QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE UserName Single-valued Read, Write SAP transaction code: SU01 User text box FirstName Single-valued Read, Write SAP transaction code: SU01 Address tab First name text box LastName Single-valued Read, Write SAP transaction code: SU01 Address tab Last name text box DisplayName Single-valued Read, Write SAP transaction code: SU01 Address tab Format text box BirthName Single-valued Read, Write SAP transaction code: SU01 Address tab Name at Birth text box SecondName Single-valued Read, Write SAP transaction code: SU01 Address tab 2nd family name text box NameSupplement Single-valued Read, Write SAP transaction code: SU01 Address tab Name supplement text box NickName Single-valued Read, Write SAP transaction code: SU01 Address tab Nickname text box MiddleName Single-valued Read, Write SAP transaction code: SU01 Address tab 2nd forename text box NameFormat Single-valued Read, Write SAP transaction code: SU01 Address tab Format name text box NameCountry Single-valued Read, Write SAP transaction code: SU01 Address tab Format country text box Initials Single-valued Read, Write SAP transaction code: SU01 Address tab Initials text box 131

132 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE UserRoles Multivalued Read, Write SAP transaction code: SU01 Note: This attribute accepts names of SAP Roles as values. Roles tab Role Assignments list UserProfiles Multivalued Read, Write SAP transaction code: SU01 Note: This attribute accepts names of SAP Profiles as values. Profiles tab Assigned Authorization Profiles list Password Single-valued Read, Write SAP transaction code: SU01 Change Password for <UserName> dialog box New Password and Repeat Password text boxes Title Single-valued Read, Write SAP transaction code: SU01 Address tab Title text box AcademicTitle Single-valued Read, Write SAP transaction code: SU01 Address tab Academic Title text box AcademicTitle2 Single-valued Read, Write SAP transaction code: SU01 Address tab 2nd Academic Title text box NamePrefix1 Single-valued Read, Write SAP transaction code: SU01 Address tab Name Prefix text box NamePrefix2 Single-valued Read, Write SAP transaction code: SU01 Address tab Name Prefix 2 text box Function Single-valued Read, Write SAP transaction code: SU01 Address tab Function text box Department Single-valued Read, Write SAP transaction code: SU01 Address tab Department text box RoomNumber Single-valued Read, Write SAP transaction code: SU01 Address tab Room Number text box 132

133 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Floor Single-valued Read, Write SAP transaction code: SU01 Address tab Floor text box Building Single-valued Read, Write SAP transaction code: SU01 Address tab Building text box Language Single-valued Read, Write SAP transaction code: SU01 Address tab Language text box Telephone Single-valued Read, Write SAP transaction code: SU01 Address tab Telephone text box TelephoneExtension Single-valued Read, Write SAP transaction code: SU01 Address tab Extension text box next to the Telephone text box Fax Single-valued Read, Write SAP transaction code: SU01 Address tab Fax text box FaxExtension Single-valued Read, Write SAP transaction code: SU01 Address tab Extension text box next to the Fax text box Mail Single-valued Read, Write SAP transaction code: SU01 Address tab text box InHous Single-valued Read, Write SAP transaction code: SU01 Address tab Internal mail text box ShortNameCorrespondence Single-valued Read, Write SAP transaction code: SU01 Address tab Abbreviation text box CommType Single-valued Read, Write SAP transaction code: SU01 Address tab Comm. Meth text box SearchTerm1 Single-valued Read, Write SAP transaction code: SU01 SearchTerm2 Single-valued Read, Write SAP transaction code: SU01 PNAME Single-valued Read, Write SAP transaction code: SU01 SNC tab SNC name text box 133

134 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE GUIFLAG Single-valued Read, Write SAP transaction code: SU01 SNC tab Unsecure communication permitted (user-specific) check box Company Single-valued Read, Write SAP transaction code: SU01 Address tab Company text box Validfrom Single-valued Read, Write SAP transaction code: SU01 Note: This attribute saves date in the format DD.MM.YYYY Logon data tab Valid from text box Validtrough Single-valued Read, Write SAP transaction code: SU01 Note: This attribute saves date in the format DD.MM.YYYY Logon data tab Valid through text box UserGroup Single-valued Read, Write SAP transaction code: SU01 Logon data tab User group text box AccountingNumber Single-valued Read, Write SAP transaction code: SU01 Logon data tab Accounting Number text box TimeZone Single-valued Read, Write SAP transaction code: SU01 Defaults tab Personal Time Zone of the User text box UserTyp Single-valued Read, Write SAP transaction code: SU01 Logon data tab User Type text box LogonLanguage Single-valued Read, Write SAP transaction code: SU01 Defaults tab Logon Language text box CATT Single-valued Read, Write SAP transaction code: SU01 Defaults tab Check Indicator check box 134

135 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Decimalnotation Single-valued Read, Write SAP transaction code: SU01 Defaults tab Decimal Notation text box Dateformat Single-valued Read, Write SAP transaction code: SU01 Defaults tab Date format text box SpoolOutputdevice Single-valued Read, Write SAP transaction code: SU01 Defaults tab OutputDevice text box Printparameter1 Single-valued Read, Write SAP transaction code: SU01 Defaults tab Printparameter2 Single-valued Read, Write SAP transaction code: SU01 Defaults tab Output Immediately check box Printparameter3 Single-valued Read, Write SAP transaction code: SU01 Defaults tab Delete After Output check box Startmenu Single-valued Read, Write SAP transaction code: SU01 Defaults tab Start menu text box CostCenter Single-valued Read, Write SAP transaction code: SU01 Logon data tab Cost center text box UserAlias Single-valued Read, Write SAP transaction code: SU01 Logon data tab Alias text box CUSERTYP Single-valued Read, Write SAP transaction code: SU01 LicenseData tab Contractual User Type text box SpecificVersion Single-valued Read, Write SAP transaction code: SU01 LicenseData tab Assignment to Special Version text box CountrySurcharge Single-valued Read, Write SAP transaction code: SU01 LicenseData tab 135

136 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE SubstituteFrom Single-valued Read, Write SAP transaction code: SU01 LicenseData tab SubstituteUntil Single-valued Read, Write SAP transaction code: SU01 LicenseData tab Licensedata_SysID Single-valued Read, Write SAP transaction code: SU01 LicenseData tab Licensedata_Client Single-valued Read, Write SAP transaction code: SU01 LicenseData tab Bname_ChargableUser Single-valued Read, Write SAP transaction code: SU01 LicenseData tab IsLockedStatus Single-valued Read, Write Not applicable This boolean attribute can take one of the following values: TRUE. Indicates that the SAP user account is locked. FALSE. Indicates that the SAP user account is not locked. 136

137 Administrator Guide Attributes Related to HR Employee QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE PersonalNo Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) Personnel no. text box City Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Postal Code/City text box Country Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Country Key text box NameofCountry Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Country Key text box PostalCode Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Postal Code/City text box NameofState Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Canton/region text box State Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Region text box 137

138 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Street Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) House no. and street text box Coname Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) c/o text box District Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) District text box TelephoneNumber Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Telephone Number text box NameOfAddresstype Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Permanent Residence (1) Address type text box Home_City Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Postal Code/City text box Home_NameofCountry Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Country Key text box 138

139 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Home_Country Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Country Key text box Home_PostalCode Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Postal Code/City text box Home_NameofState Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Canton/region text box Home_State Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Region text box Home_Street Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) House no. and street text box Home_Coname Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) c/o text box Home_District Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) District text box 139

140 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Home_TelephoneNumber Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Telephone Number text box Home_NameOfAddresstype Single-valued Read SAP transaction code: PA30 SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Address type text box PersToDate Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Addresses (0006) SAP subtype: Home Address (3) To text box PersFromDate Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Addresses (0006) SAP subtype: Home Address (3) Start text box FirstName Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) First name text box Initials Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Initials text box LastName Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Last name text box LastName2 Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Birth name text box 140

141 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE DisplayName Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Name text box MiddleName Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Middle name text box SecondName Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Secondacadgrade Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Aristrocratictitle Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Suffix text box LanguageKey Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Language text box Nationality Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Nationality text box KnownAs Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Nickname text box Stateofbirth Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) State text box Countryofbirth Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Ctry o.birth text box 141

142 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Maritalstatus Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Mar. status text box Maritalstatussince Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Since text box Religion Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Religion text box Dateofbirth Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Personal Data (0002) Date of Birth text box Birthplace Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Birthplace text box Numberofchildren Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) No. child. text box Gender Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) Gender text box Idnumber Single-valued Read SAP transaction code: PA30 SAP infotype: Personal Data (0002) SSN text box OrgToDate Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Organizational Assignment (0001) To text box 142

143 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE OrgFromDate Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Organizational Assignment (0001) Start text box Department Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) POSTXT Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Position option, second text box COMP_CODE Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) CoCode text box PERS_AREA Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Pers. area text box P_SUBAREA Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Subarea text box EGROUP Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) EE group text box ESUBGROUP Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) EE subgroup text box 143

144 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE ORG_KEY Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Org. key text box BUS_AREA Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Bus. Area text box LEG_PERSON Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Leg. person text box PAYAREA Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Payr. area text box CONTRACT Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Contract text box COSTCENTER Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Cost Ctr text box ORG_UNIT Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Org Unit text box POSITION Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Position text box 144

145 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE JOB Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Job key text box SUPERVISOR Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Supervisor text box PAYR_ADMIN Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) PayrAdmin text box PERS_ADMIN Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) PersAdmin text box TIME_ADMIN Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Administrator area Time text box ADMINGROUP Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Group text box CO_AREA Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) CoCode text box JOBTXT Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Job key text box 145

146 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE FKBER Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Functional Area ORGTXT Single-valued Read SAP transaction code: PA30 SAP infotype: Organizational Assignment (0001) Unit text box, short text Manager Single-valued Read SAP transaction code: PA30 PrevPerno Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Prev. Personnel No. text box CompanyID Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Company ID text box CarAssetNo Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Asset Number text box TAX_REG Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Car Regulation text box CarValue Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Car Value text box RoomNo Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Room Number text box BuildingNo Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) Building Number text box 146

147 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE LIPLATE_NO Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) License Plate Number text box PHONENO1 Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) In-House Tel. Number option, text box 1 PHONENO2 Single-valued Read SAP transaction code: PA30 SAP infotype: Internal Control (0032) In-House Tel. Number option, text box 2 DATETYPE01 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 1 DATE01 Single-valued Read SAP transaction code: PA30 Note: This attribute saves date in the format DD.MM.YYYY SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 1 NAMEOFDATETYPE01 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 1 DATETYPE02 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 2 DATE02 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 2 NAMEOFDATETYPE02 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 2 147

148 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE DATETYPE03 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 3 DATE03 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 3 NAMEOFDATETYPE03 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 3 DATETYPE04 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 4 DATE04 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 4 NAMEOFDATETYPE04 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 4 DATETYPE05 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 5 DATE05 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 5 148

149 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE NAMEOFDATETYPE05 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 5 DATETYPE06 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 6 DATE06 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 6 NAMEOFDATETYPE06 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 6 DATETYPE07 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 7 DATE07 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 7 NAMEOFDATETYPE07 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 7 DATETYPE08 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 8 149

150 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE DATE08 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 8 NAMEOFDATETYPE08 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 8 DATETYPE09 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 9 DATE09 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 9 NAMEOFDATETYPE09 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 9 DATETYPE10 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 10 DATE10 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 10 NAMEOFDATETYPE10 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type

151 Administrator Guide QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE DATETYPE11 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 11 DATE11 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 11 NAMEOFDATETYPE11 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 11 DATETYPE12 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, Date Type 12 DATE12 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, date related to Date Type 12 NAMEOFDATETYPE12 Single-valued Read SAP transaction code: PA30 SAP infotype: Date Specifications (0041) Date Specifications area, description related to Date Type 12 SY-Uname Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) System User Name text box SAP2 Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: SAP2 (0002) FAX Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: Telefax (0005) 151

152 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Voic Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: Voic (0006) Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: Internet address ( ) (0010) CreditCard Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: Credit card numbers (0011) TelWork Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: First telephone number at work (0020) MAIL Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: MAIL ( ) CELL Multivalued Read, Write SAP transaction code: PA30 SAP infotype: Communication (0105) SAP subtype: CELL (cell phone) EmployeeStatus Single-valued Read SAP transaction code: PA30 SAP infotype: Actions (0000) Employment text box 152

153 Administrator Guide Attributes Related to SAP Role QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Id Multivalued Read SAP transaction code: PFCG Roles area Role text box Description Multivalued Read SAP transaction code: PFCG Roles area Description text box Members Multivalued reference Read, Write SAP transaction code: PFCG User tab User Assignments list Attributes Related to SAP Profile QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Id Multivalued Read SAP role identifier. Members Multivalued reference Read, Write Members of a particular SAP profile. Attributes Related to SAP Asset QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE Id Single-valued Read SAP transaction code: AS02 Asset Single-valued Read SAP transaction code: AS02 Time-dependent tab Asset text box DESCRIPTION Single-valued Read, Write SAP transaction code: AS02 General tab line 1 in the Description text box DESCRIPTION2 Single-valued Read, Write SAP transaction code: AS02 General tab line 2 in the Description text box INVENTARYNUMBER Single-valued Read, Write SAP transaction code: AS02 General tab Inventory number text box QUANTITY Single-valued Read SAP transaction code: AS02 General tab first text box (Quantity) next to the Quantity option 153

154 Quest One Quick Connect QUICK CONNECT ATTRIBUTE SINGLE- VALUED OR MULTIVALUED SUPPORTED OPERATIONS IN SAP SAP REFERENCE BASE_UOM Single-valued Read SAP transaction code: AS02 General tab second text box (Base Unit of Measure) next to the Quantity option CAPIT_DATE Single-valued Read SAP transaction code: AS02 Note: This attribute saves date in the format DD.MM.YYYY General tab Capitalized on text box ASSETCLASS Single-valued Read SAP transaction code: AS02 Time-dependent tab Class text box BUS_AREA Single-valued Read SAP transaction code: AS02 Time-dependent tab Business Area text box COSTCENTER Single-valued Read SAP transaction code: AS02 Time-dependent tab Cost Center text box PLANT Single-valued Read SAP transaction code: AS02 Time-dependent tab Plant text box INTERN_ORD Single-valued Read SAP transaction code: AS02 Time-dependent tab Order Number text box 154

155 Administrator Guide Managing a Connection to PeopleSoft Consider the following: For PeopleSoft, the Sync Engine supports one-way synchronization only: you can only synchronize data from PeopleSoft to other connected systems. The Sync Engine only allows you to synchronize user and employee objects from a PeopleSoft system to other connected systems. This section covers: Creating a New Connection to PeopleSoft Modifying an Existing Connection to PeopleSoft PeopleSoft Connector Configuration Customizing PeopleSoft Connector Examples of a PeopleSoft Connector Schema File Creating a New Connection to PeopleSoft To connect Quick Connect Sync Engine to PeopleSoft, you need to obtain and install a special connector. For more information, see About Connections to External Data Systems on page 36. To create a new connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Add connection, and then do the following: a) In the Connection name box, type a descriptive name for the connection. b) From the Use the specified connector list, select PeopleSoft Connector. c) Click Next. 3. Use the Select the PeopleSoft system database engine list to select the database engine type used by the PeopleSoft system. You can select one of the following options: Oracle. Select this option if the PeopleSoft system stores data about its objects in Oracle Database. Microsoft SQL Server. Select this option if the PeopleSoft system stores data about its objects in Microsoft SQL Server. 4. In the PeopleSoft system database engine server text box, type the fully qualified domain name (FQDN) or IP address of the computer running the PeopleSoft system database engine. 5. If the PeopleSoft system stores its data in Oracle Database, use the Database port number text box to type the number of the communication port on which the PeopleSoft database can be accessed. 6. In the Database name text box, type the name of the PeopleSoft database to which you want to connect. 7. Under Access database engine using, specify the user name and password with which you want to access the PeopleSoft database. When you are finished, you can click Test Connection to verify the specified connection settings. 8. Click Finish to create a connection to the specified PeopleSoft database. 155

156 Quest One Quick Connect Modifying an Existing Connection to PeopleSoft To modify connection settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click Connection settings below the existing PeopleSoft connection you want to modify. 3. Expand Specify connection settings and use the following options to modify the connection settings: Select the PeopleSoft system database engine. Select the database engine in use by the PeopleSoft system. PeopleSoft system database engine server. Type the fully qualified domain name (FQDN) or IP address of the computer running the database engine in use by the PeopleSoft system. Database port number. Type the number of the communication port used by the specified PeopleSoft system database engine. You need to use this option only if you specify Oracle as database engine used by PeopleSoft. Database name. Type the name of the PeopleSoft database to which you want to connect. Access database engine using. Specify the user name and password with which you want to access the PeopleSoft database. Test Connection. Click to verify the settings you have specified. 4. Click Save. 156

157 Administrator Guide PeopleSoft Connector Configuration The PeopleSoft connector stores its configuration settings in several.xml files located in the <Quick Connect installation folder>\service\connectors\peoplesoftconnector folder. Each of these files is described in the next table. FILE ConnectorConfig.xml BaseQueries.xml DESCRIPTION Contains general information about the connector, such as connector ID, description, and assembly name. For more information about the format of this file, see "Configuration XML File Format" in the Quick Connect Software Development Kit (SDK). Defines basic SQL queries with which Quick Connect calculates some single-valued attributes of PeopleSoft objects. Note: It is not recommended to modify this file. Make all your custom changes in the PSSchema.xml file. PSSchema.xml Defines the PeopleSoft connector schema. The connector schema defines supported PeopleSoft object classes, attributes, and display names provided in the Quick Connect Administration Console. This file also specifies SQL queries with which Quick Connect calculates the following categories of PeopleSoft objects attributes: Multivalued attributes Single-valued attributes not defined in the BaseQueries.xml file You can extend the PeopleSoft connector schema by adding new attibutes to the PSSchema.xml file as necessary. For the descriptions of the XML elements in the PSSchema.xml file, see Customizing PeopleSoft Connector on page 158. To add a new attribute to the connector schema 1. Open the PSSchema.xml file in a text editor to choose the PeopleSoft object class for which you want to define a new attribute. 2. Specify the new attribute name, display name, syntax, and type. To do this, use the <PSAttribute> XML element. 3. Specify how to calculate values of the newly-added attribute. To do this, use the <CustomQuery> element and its children. 157

158 Quest One Quick Connect Customizing PeopleSoft Connector This section provides information about the XML elements you can use in the PSSchema.xml file. PSClasses Element The <PSClasses> element provides definitions for all supported PeopleSoft object classes. In this version, only the PeopleSoft User and PeopleSoft Employee object classes are supported. PARENT ELEMENT PSClassSchema CHILD ELEMENTS PSClass The <PSClasses> element has no attributes. PSClass Element The <PSClass> element describes a PeopleSoft object class. PARENT ELEMENT PSClasses CHILD ELEMENTS PSAttributes The <PSClass> element has the following attributes: ATTRIBUTE name displayname DESCRIPTION Specifies the object class name. Possible values: PSUser. Specifies the PeopleSoft User object class. PSEmployee. Specifies the PeopleSoft Employee object class. Specifies the object class display name. This name is used in the application User Interface. PSAttributes Element The <PSAttributes> element describes a collection of all attributes supported for this object class. PARENT ELEMENT PSClass CHILD ELEMENTS PSAttribute The <PSAttributes> element has no attributes. 158

159 Administrator Guide PSAttribute Element The <PSAttribute> element describes the PeopleSoft object attribute. PARENT ELEMENT PSAttributes CHILD ELEMENTS CustomQuery The <PSAttribute> element has the following attributes: ATTRIBUTE name displayname IsSingleValued HasInternalHandler DESCRIPTION Specifies the object attribute name. Specifies the object attribute display name. This name is used on the application User Interface. Optional. Specifies the object attribute type. Possible values: TRUE. single-valued attribute FALSE (default). multi-valued attribute Optional. Specifies whether this object attribute can be processed by the PeopleSoft connector using a special handler. The default value is FALSE. In this release, do not set this attribute or set it to FALSE. AttributeSyntax QueryType AddToWebRequest Specifies the object attribute syntax. Possible values: Integer String DateTime Optional. Specifies the type of a SQL query used to retrieve the object attribute value. Possible values: None (default). the query type is not specified. Base. the query is defined in the BaseQueries.xml file. Custom. the query is defined in the CustomQuery element. Optional. Specifies whether this object attribute can be used in requests to create or modify PeopleSoft objects using CI-Web service. In this release, do not set this attribute or set it to None. 159

160 Quest One Quick Connect CustomQuery Element The <CustomQuery> element describes a set of SQL queries used to calculate the attribute value. PARENT ELEMENT PSAttribute CHILD ELEMENTS Queries The <CustomQuery> element has the following attributes: ATTRIBUTE QueryType KeyColumn DESCRIPTION Specifies the query type. Possible values: Single. Specifies that the PeopleSoft connector sends one request to retrieve the object attribute values for all PeopleSoft objects from the synchronization scope. This query returns two-column SQL table. The names of columns are defined in the KeyColumn and ValueColumn attributes. Individual. Specifies that the PeopleSoft connector sends individual requests to retrieve the object attribute values for each PeopleSoft object from the synchronization scope. This query returns one-column SQL table that contains values of the object attribute. The column name is of no importance. For parametrisation of the individual query, use the following form: [@attrname], where attrname is the name of a PeopleSoft object attribute. Required only for the Single-type queries. Specifies the first column name. Set this attribute to name of the object attribute used as the unique ID. ValueColumn Required only for the Single-type queries. Specifies the second column name. Set this attribute to name of the object attribute that contains values. If the synchronization scope includes a large number of the PeopleSoft objects, the Single-type queries may consume too much memory. The use of Individual-type queries may be a time-consuming operation. 160

161 Administrator Guide Queries Element The <Queries> element describes a set of SQL queries used to calculate the object attribute value. PARENT ELEMENT CustomQuery CHILD ELEMENTS Query The <Queries> element has no attributes. Query Element The <Query> element allows you to specify what type of SQL query you want to use for calculaing the values of PeopleSoft objects. PARENT ELEMENT Queries CHILD ELEMENTS None The <Query> element has the following attributes: ATTRIBUTE NAME DBType ATTRIBUTE DESCRIPTION Optional. Specifies the type of SQL query to be used for calculating values of the PeopleSoft object attributes that participate in the data synchronization. Make sure you specify an SQL query type that is compatible with the database engine in use by the PeopleSoft system. This attribute accepts one of the following values: Any (default). Specifies to use a generic SQL query. When this value is set, PeopleSoft Connector does not support functions specific to a particular type of database engine, be it Oracle or Microsoft SQL Server. Oracle. Specifies to use an Oracle-specific query. MSSQL. Specifies to use a Microsoft SQL Server-specific query. PeopleSoftVersions Not supported in this release. Do not change the current value of this attribute. 161

162 Quest One Quick Connect Examples of a PeopleSoft Connector Schema File This section provides examples of the following: XML File Defining Connector Schema for a PeopleSoft System That Stores Data in Oracle Database XML File Defining Connector Schema for a PeopleSoft System That Stores Data in Microsoft SQL Server XML File Defining Connector Schema for a PeopleSoft System That Stores Data in Oracle Database <PSClassSchema xmlns:xsi=" xmlns:xsd=" SchemaVersion="1.0"> <PSClasses> <PSClass Name="PSEmployee" DisplayName="PeopleSoft Employee"> <PSAttributes> <!-- The PeopleSoft Employee attributes description goes here. --> <! > <!-- Add new attribute "DormitoryAddress" --> <PSAttribute Name="DormitoryAddress" DisplayName="Dormitory Address" IsSingleValued="true" HasInternalHandler="false" AttributeSyntax="String" QueryType="Custom" AddToWebRequest="None"> <CustomQuery KeyColumn="EMPLID" ValueColumn="FULLADDR" QueryType="Single"> <Queries> <Query DBType="Oracle" PeopleSoftVersions="Any"> SELECT DISTINCT EMPLID, (ADDRESS1 ' ' ADDRESS2 ' ' ADDRESS3 ' ' ADDRESS4 ' ' CITY ' ' STATE ' ' POSTAL ' ' COUNTRY) AS FULLADDR FROM ( SELECT EMPLID, EFFDT, EFF_STATUS, ADDRESS_TYPE, COUNTRY, CITY, ADDRESS1,ADDRESS2,ADDRESS3,ADDRESS4, POSTAL, STATE, RANK () OVER ( PARTITION BY EMPLID ORDER BY EFFDT DESC ) RNK FROM PS_ADDRESSES WHERE EFFDT <=SYSDATE AND EFF_STATUS='A' AND ADDRESS_TYPE='DORM' ) WHERE RNK = 1 </Query> </Queries> </CustomQuery> </PSAttribute> </PSAttributes> </PSClass> </PSClasses> </PSClassSchema> 162

163 Administrator Guide XML File Defining Connector Schema for a PeopleSoft System That Stores Data in Microsoft SQL Server <PSClassSchema xmlns:xsi=" xmlns:xsd=" SchemaVersion="1.0"> <PSClasses> <PSClass Name="PSEmployee" DisplayName="PeopleSoft Employee"> <PSAttributes> <!-- The PeopleSoft Employee attributes description goes here. --> <! > <!-- Add new attribute "DormitoryAddress" --> <PSAttribute Name="DormitoryAddress" DisplayName="Dormitory Address" IsSingleValued="true" HasInternalHandler="false" AttributeSyntax="String" QueryType="Custom" AddToWebRequest="None"> <CustomQuery KeyColumn="EMPLID" ValueColumn="FULLADDR" QueryType="Single"> <Queries> <Query DBType="MSSQL" PeopleSoftVersions="Any"> SELECT DISTINCT EMPLID, (ADDRESS1 + ' ' + ADDRESS2 + ' ' + ADDRESS3 + ' ' + ADDRESS4 + ' ' + CITY + ' ' + STATE + ' ' + POSTAL + ' ' + COUNTRY) AS FULLADDR FROM ( SELECT EMPLID, EFFDT, EFF_STATUS, ADDRESS_TYPE, COUNTRY, CITY, ADDRESS1,ADDRESS2,ADDRESS3,ADDRESS4, POSTAL, STATE, RANK () OVER (PARTITION BY EMPLID ORDER BY EFFDT DESC) RNK FROM PS_ADDRESSES WHERE EFFDT <=GETDATE() AND EFF_STATUS='A' AND ADDRESS_TYPE='DORM' ) AS T WHERE RNK = 1 </Query> </Queries> </CustomQuery> </PSAttribute> </PSAttributes> </PSClass> </PSClasses> </PSClassSchema> 163

164 Quest One Quick Connect Renaming a Connection To rename an existing connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the name of the existing connection you want to rename. 3. Open the General tab. 4. Edit the connection name in the Connection name box. 5. Click Save. Deleting a Connection To delete a connection 1. In the Quick Connect Administration Console, open the Connections tab. 2. Locate the connection you want to delete, and then click Delete connection for that connection. 3. When prompted, confirm that you want to delete the connection. Modifying Synchronization Scope for a Connection For each connected data system, you can modify the scope of objects participating in the data synchronization operations. To modify the synchronization scope 1. In the Quick Connect Administration Console, open the Connections tab. 2. Locate the connection for which you want to modify the synchronization scope, and then click Synchronization scope. 3. Use the following options to modify the synchronization scope: Include objects from selected containers only. Select the check boxes next to the containers that hold the objects you want to participate in data synchronization operations. Note that this option may be unavailable for some types of connected data systems, for example, SQL Server or Oracle Database. Objects must meet these conditions. Set up a list of conditions the objects must meet in order to participate in data synchronization operations. 4. When you are finished, click Save. 164

165 Administrator Guide Modifying Password Synchronization Settings for a Connection For each connected data system, you can specify password synchronization settings. These settings allow you to enable or disable password synchronization. Also they allow you to type a custom Windows PowerShell script to be run each time the password synchronization completes for the connected data system. To modify password synchronization settings 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the name of the connection for which you want to modify the password synchronization settings. 3. Open the Password tab, and use the following options to modify the password synchronization settings as necessary: Synchronize and manage passwords. Allows you to enable or disable the password synchronization for this connection. Selecting this check box also allows you to manage passwords in the connected system by using Quest Password Manager. For more information about this product, please visit Run post-sync script. Allows you to specify a Windows PowerShell script you want to run after the password synchronization operation completes for this connection. Select this check box, and then click Script Source to type your script. Synchronize passwords for objects of this type. Allows you to specify an object type that will participate in the password synchronization. Click Select next to this text box, and then specify the object type you want to participate in the password synchronization. This option is only available for some types of connected systems, such as LDAP directory service. Store password in this attribute. Allows you to specify an object attribute for storing object password. Click Select next to this text box, and then specify the object attribute. This option is only available for some types of connected systems, such as LDAP directory service. Configure Query. Allows you to specify your custom SQL query to specify the data you want to participate in the password synchronization. Click Configure, and then specify your custom SQL query. For a sample query, see Using an SQL Query to Specify Data in a Connected System on page 202. This option is only available for some types of connected systems, such as SQL Server and Oracle Database. 4. When you are finished, click Save. 165

166 Quest One Quick Connect 166

167 5 Synchronizing Identity Data Getting Started with Identity Data Synchronization Managing Synchronization Workflows Managing Steps in a Synchronization Workflow

168 Quest One Quick Connect Getting Started with Identity Data Synchronization To synchronize identity data between connected data systems, you can use synchronization workflows and synchronization steps. A synchronization workflow is a set of data synchronization operations called synchronization steps. A workflow can include one or more steps. Each synchronization step defines a synchronization operation to be run between the source and target connected systems. To manage workflows and their steps, you can use the Workflows Tab in the Quick Connect Administration Console. You can configure a synchronization step to perform one of the following operations: Provision. Creates objects in the target connected data system based on the changes made to specific objects in the source connected system. When creating a new object in the target connected system, Quick Connect Sync Engine generates initial values for the object attributes using the attribute population rules you have configured. Update. Modifies object attributes in the target connected data system based on the changes made to specific objects in the source connected system. To specify the objects that will participate in the update operation you can use object mapping rules. For more information, see Mapping Objects on page 187. Deprovision. Modifies or removes objects in the target connected data system after their counterparts have been disconnected from the source connected system. Quick Connect Sync Engine can be configured to remove target objects permanently or change them to a specific state. To specify the objects that will participate in the deprovision operation you can use object mapping rules. For more information, see Mapping Objects on page 187. When configuring a synchronization step you can specify the following: Containers to which you want to provision or move objects in the target data system. Settings to generate names for objects being created or modified in the target data system. Settings to synchronize group memberships in the target data system. Settings to synchronize multivalued attributes in the target data system. Settings to build object attribute values in the target data system based on the object attribute values in the source data system. 168

169 Administrator Guide To synchronize identity data between two data systems, you need to create a synchronization workflow, populate the workflow with synchronization steps, and then run the workflow manually or schedule it. The following illustration shows how Quick Connect synchronizes identity data in connected systems: Identity Data Synchronization Read data in source system Read Data Read data in target system Source Connected System Apply Object Mapping Rules Target Connected System Run Synchronization Step Commit Changes Update data in target system Quick Connect Sync Engine Running a workflow causes the Sync Engine to read data in the source and target data systems according to your settings and prepare a list of changes to be made in the target system. These changes can be committed to the target data system either manually or automatically. Running a workflow manually allows you to review a list of changes before committing them, so you can decide whether or not you want these changes in the target data system. A scheduled workflow always commits changes to the target data system automatically. You can configure as many synchronization workflows as needed, each performing a specific set of synchronization steps. This chapter covers the following: Managing Synchronization Workflows Managing Steps in a Synchronization Workflow 169

170 Quest One Quick Connect Managing Synchronization Workflows This section covers: Creating a Synchronization Workflow Running a Synchronization Workflow Renaming a Synchronization Workflow Deleting a Synchronization Workflow Creating a Synchronization Workflow To create a synchronization workflow 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click Add workflow. 3. Use the Synchronization workflow name text box to type a name for the workflow being created. 4. Click OK. The new workflow appears on the Workflows tab. After you have created a workflow, you need to populate it with one or more synchronization steps. For more information, see Managing Steps in a Synchronization Workflow on page 172. Running a Synchronization Workflow After you have created a synchronization workflow and populated it with one or more steps, you can run the workflow. Before running a workflow, you can select the workflow steps you want to run. A workflow can be run automatically on a recurring schedule or manually. This section covers: Running a Workflow Manually Running a Workflow Automatically on a Recurring Schedule Disabling a Workflow Run Schedule 170

171 Administrator Guide Running a Workflow Manually This method allows you to select specific steps in a workflow and run them. You can also specify how you want to commit the changes to the target data system: automatically or manually. With the manual method you can review a list of changes before committing them to decide whether or not you want these changes in the target system. To run a workflow manually 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow you want to run. 3. Click Run now. You will be prompted to select the workflow steps you want to run. 4. Select the check boxes next to the synchronization steps you want to run. 5. If you want to automatically commit the changes after the workflow run completes, select the Automatically commit changes check box. If you want to review the changes before committing them, leave this check box cleared. 6. Click OK to run the workflow. Running a Workflow Automatically on a Recurring Schedule This method allows you to create a recurring schedule for running specific synchronization steps in a workflow. When scheduling a workflow, you can choose the workflow steps to run, specify how frequently you want to run the steps, and set the date and time when you want the schedule to come into effect. If you have two or more Sync Engine instances installed in your environment, you can also select a Quick Connect Service to be used for running the workflow. A scheduled workflow commits changes to the target data system automatically. To run a workflow automatically on a recurring schedule 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click Schedule below the name of the workflow you want to run on a recurring schedule. 3. In the dialog box that opens, select the Schedule the task to run check box, and then specify the run schedule. 4. If several Sync Engine instances are installed in your environment, under Run the task on, select the computer that hosts the Quick Connect Service you want to use for running the workflow. 5. Expand Workflow Steps, and then select the check boxes next to the workflow steps you want to run on the schedule. 6. Click OK to activate the schedule. Disabling a Workflow Run Schedule To disable a workflow run schedule 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click Schedule below the workflow for which you want to disable the existing run schedule. 3. In the dialog box that opens, clear the Schedule the task to run check box. 4. Click OK to disable the schedule. 171

172 Quest One Quick Connect Renaming a Synchronization Workflow To rename a synchronization workflow 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click Rename below the appropriate workflow. 3. Use the Synchronization workflow name text box to type a new workflow name. 4. Click OK to apply the new workflow name. Deleting a Synchronization Workflow To delete a synchronization workflow 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click Delete below the appropriate workflow. 3. When prompted, confirm that you want to delete the workflow. Managing Steps in a Synchronization Workflow This section covers: Creating a Provisioning Step Creating an Updating Step Creating a Deprovisioning Step Modifying an Existing Step Changing the Order of Steps in a Workflow Deleting a Step 172

173 Administrator Guide Creating a Provisioning Step To create a provisioning step 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to create a provisioning step. If necessary, create a new workflow. For more information, see Creating a Synchronization Workflow on page Click Add synchronization step. 4. Select Provision and then click Next. 5. Specify the provisioning source by using the following options: Source connected system. Allows you to specify a source connected system for the provision operation. Click Specify to select a connected data system or add and select a new data system. Source object type. Allows you to specify the object type you want to use as a source for the provision operation. Click Select to specify an object type. Provisioning Criteria. Allows you to narrow the scope of source data system objects that will participate in the provisioning step. Expand Provisioning Criteria to specify the containers that hold the source objects you want to participate in the step. You can also specify additional conditions for the source objects you want to participate in the provisioning step. 6. Click Next. 7. Specify the provisioning target by using the following options: Target connected system. Allows you to specify a target connected system for the provision operation. Click Specify to select a previously connected system or add and select a new system. Target object type. Allows you to specify the target data system object type to which you want to provision objects from the source data system. Click Select to specify an object type. Target container. Allows you to specify the target data system container to which you want to provision objects from the source data system. For more information, see Specifying Target Containers for a Synchronization Step on page 180. Rules to generate unique object name. Allows you to set up a list of rules to generate a unique name for each object being provisioned in the target data system. For more information, see Configuring Rules to Generate Object Names on page Click Next. 9. Specify rules to provision objects in the target data system. You can use these options: Initial Attribute Population Rules. Expand this element to specify how you want to populate the attributes of provisioned objects in the target connected system. Initial Password. Expand this element to specify an initial password for each provisioned object in the target connected system. User Account Options. Expand this element to specify settings for the user accounts to be created in the target connected system in the result of the provision operation. 10. Click Finish to create the provisioning step. You can modify the settings of an existing synchronization step. For more information, see Modifying an Existing Step on page

174 Quest One Quick Connect Creating an Updating Step To create an updating step 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to create an updating step. If necessary, create a new workflow. For more information, see Creating a Synchronization Workflow on page Click Add synchronization step. 4. Select Update and then click Next. 5. Specify the update source by using the following options: Source connected system. Allows you to specify a source connected system for the update operation. Click Specify to select a connected data system or add and select a new data system. Source object type. Allows you to specify the data system object type you want to use as a source for the update operation. Click Select to specify an object type. Updating Criteria. Allows you to narrow the scope of source data system objects that will participate in the updating step. Expand Updating Criteria to specify the containers that hold the source objects you want to participate in the step. You can also specify additional criteria for selecting source objects. 6. Click Next. 7. Specify the update target by using the following options: Target connected system. Allows you to specify a target connected system for the update operation. Click Specify to select a previously connected system or add and select a new system. Target object type. Allows you to specify what type of objects you want to update in the target data system. Click Select to specify an object type. 8. Click Next. 9. Specify rules to update objects in the target data system. You can use these options: Rules to Modify Object Attributes. Allows you to set up a list of rules to modify specific attributes of objects in the target data system. Rules to Move Objects. Allows you to specify the location where you want to move objects in the result of the update operation. For more information, see Specifying Target Containers for a Synchronization Step on page 180 Rules to Rename Objects. Allows you to set up a list of rules to rename objects in the result of the update operation. For more information, see Configuring Rules to Generate Object Names on page Click Finish to create the updating step. You can modify the settings of an existing synchronization step. For more information, see Modifying an Existing Step on page

175 Administrator Guide Creating a Deprovisioning Step To create a deprovisioning step 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to create a deprovisioning step. If necessary, create a new workflow. For more information, see Creating a Synchronization Workflow on page Click Add synchronization step. 4. Select Deprovision and then click Next. 5. Specify the deprovisioning source and criteria by using the following options: Source connected system. Allows you to specify a source connected system for the deprovision operation. Click Specify to select a connected data system or add and select a new system. Source object type. Allows you to specify the data system object type you want to use as a source for the deprovision operation. Click Select to specify an object type. Deprovision target objects if. Allows you to specify when to trigger the deprovision operation in the target data system. 6. Click Next. 7. Specify the deprovisioning target by using the following options: Target connected system. Allows you to specify a target connected system for the deprovision operation. Click Specify to select a previously connected system or add and select a new connected system. Target object type. Allows you to specify what type of objects you want to deprovision in the target data system. Click Select to specify an object type. 8. Click Next. 9. Specify how you want to deprovision objects in the target data system. You can use one of these options: OPTION Delete target objects Modify target objects DESCRIPTION Deletes target objects when the source connected system objects meet the criteria you have specified earlier in this wizard. Changes target objects using the rules you specify below this option. Rules to Modify Object Attributes. Expand this option to set up a list of rules to modify specific attributes of objects in the target data system. Rules to Move Objects. Expand this option to specify the location where you want to move objects in the result of the update operation. For more information, see Specifying Target Containers for a Synchronization Step on page 180 Rules to Rename Objects. Expand this option to set up a list of rules to rename objects in the result of the update operation. For more information, see Configuring Rules to Generate Object Names on page Click Finish to create the deprovisioning step. You can modify the settings of an existing synchronization step. For more information, see Modifying an Existing Step on page

176 Quest One Quick Connect Modifying an Existing Step To modify an existing step 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to modify a step. 3. Click the name of the step you want to modify. 4. Use the following tabs to modify the step as necessary: General Tab Source Tab Target Tab Provisioning Rules Tab Deprovisioning Rules Tab Updating Rules Tab 5. When you are finished, click Save to apply the changes. General Tab Allows you rename the step, specify a method for processing data in the source and target connected systems, specify the conditions where you want to stop data processing, and type the Windows PowerShell scripts you want to run before the step starts and/or after it completes. This tab has the following elements: Step name. Allows you to rename the step: type a new step name in this text box. Specify how to process data in connected systems. Allows you to select one of the following methods for processing data in the source and target data systems: Process all data. If you select this option, each run of the step will process all data in the specified synchronization scope. Process delta from last run. If you select this option, each run of the step will process only the data that has changed in the specified synchronization scope since the last run. Stop data processing if. Allows you to specify the conditions where you want to stop data processing in the source and target systems. Scripting. Allows you to specify the Windows PowerShell scripts you want to run before the step starts and/or after the step completes. For example, you can develop scripts that add information about the synchronization step to the application log or send a notification message about the synchronization step to an administrator. To specify your script, select the Run pre-sync script and/or Run post-sync script check box, click Script source, and then type your PowerShell script. For information on how to develop the PowerShell scripts, refer to the Quick Connect Software Development Kit (SDK). 176

177 Administrator Guide Source Tab Allows you to view information about the source connected system and object type specified for the synchronization step. You can also view and modify the criteria used to perform the provision, deprovision, or update operation the step performs. For all types of synchronization steps (provisioning, deprovisioning, and updating) this tab provides the following options: Source connected system. Displays the name of the data system that is used as a source for the synchronization step. Source object type. Displays the object type that is used as a source for the synchronization step. For deprovisioning steps, this tab provides the Deprovision target objects if option. It allows you to modify the criteria used for triggering the deprovision operation in the target data system. For provisioning steps, this tab provides the Provisioning Criteria option. It allows you to modify the scope of source data system objects that participate in the provisioning step. Expand Provisioning Criteria to modify the list of containers that hold the source objects you want to participate in the step. Also you can specify additional criteria for selecting source objects. For updating steps, this tab provides the Updating Criteria option. It allows you to modify the scope of source data system objects that participate in the updating step. Expand Updating Criteria to specify the containers that hold the source objects you want to participate in the step. You can also specify additional criteria for selecting source objects. Target Tab Allows you to view information about the target connected system and object type specified for the synchronization step. For provisioning steps, you can use this tab to view and modify the target container to which objects are provisioned and rules to generate unique names for provisioned objects. For all types of synchronization steps (provisioning, deprovisioning, and updating) this tab provides the following elements: Target connected system. Displays the name of the data system that is currently used as a target for the synchronization step. Target object type. Displays the object type that is currently used as a target for the synchronization step. For provisioning steps, this tab provides the following additional elements: Target container. Allows you to specify the target data system container to which you want to provision objects from the source data system. For more information, see Specifying Target Containers for a Synchronization Step on page 180. Rules to generate unique object name. Allows you to set up a list of rules to generate a unique name for each object being provisioned in the target data system. For more information, see Configuring Rules to Generate Object Names on page

178 Quest One Quick Connect Provisioning Rules Tab Allows you to view and modify the rules used for provisioning objects in the target data system. This tab has the following elements: Initial Attribute Population Rules. Expand this element to view and modify the rules for populating the attributes of objects being provisioned in the target connected system. Initial Password. Expand this element to modify how an initial password is generated for each object being provisioned in the target connected system. User Account Options. Expand this element to modify the settings used for creating user accounts in the target connected system in the result of the provision operation. You can use this tab to import and export initial attribute population rules from/to XML files. To export a population rule to a file 1. In the list of configured attribute population rules, select the rule you want to export. 2. Click More, and then click Export. 3. In the Save As dialog box, specify the XML file where to store the rule. To import a population rule from a file 1. Expand Initial Attribute Population Rules, click More, and then click Import. 2. Use the Open dialog box to open the XML file that stores the population rule to import. Deprovisioning Rules Tab Allows you to view and modify the rules used for deprovisioning objects in the target data system. This tab has the following elements: Delete target objects. Deletes target objects when the source connected system objects meet the specified criteria. Modify target objects. Allows you to review and change the rules for modifying objects being deprovisioned in the target data system. Updating Rules Tab Allows you to view and modify the rules used for updating objects in the target data system. This tab has the following elements: Rules to Modify Object Attributes. Allows you to change the list of rules used for modifying object attributes in the target data system. Rules to Move Objects. Allows you to specify the location to which you want to move target objects in the result of the update operation. For more information, see Specifying Target Containers for a Synchronization Step on page 180. Rules to Rename Objects. Allows you to modify the list of rules used to rename target objects. For more information, see Configuring Rules to Generate Object Names on page

179 Administrator Guide Changing the Order of Steps in a Workflow When you run a workflow, its steps are executed in the order they are displayed in the Quick Connect Administration Console. If necessary, you can rearrange the steps in a workflow. To change the order of steps in a workflow 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to change the order of steps. 3. Use the Move up and Move down links to arrange the steps as necessary. Deleting a Step To delete a step 1. In the Quick Connect Administration Console, open the Workflows tab. 2. Click the name of the workflow in which you want to delete a step. 3. Click Delete below the step you want to delete. 4. When prompted, confirm that you want to delete the step. 179

180 Quest One Quick Connect Specifying Target Containers for a Synchronization Step When configuring a provisioning step, you can use the Target container option to specify one or more target containers where you want to create objects. When configuring a deprovisioning or updating step, you can use the Move objects to option to specify the containers to which you want to move the target objects. To specify target containers for a synchronization step 1. If you are configuring a provisioning step, click the down arrow on the button provided next to the Target container option. OR If you are configuring a deprovisioning or updating step, click the down arrow on the button provided next to the Move objects to option. The button looks as follows: 2. Select one of the following: Browse. Allows you to locate and select a single target container where you want to create or move objects. Script. Allows you to compose a PowerShell script that calculates the target container name, such as the container DN. This calculation is based on the target object properties. For example, your script can designate different Organizational Units for users living in different cities (see the scenario Scenario 1: Provision Users from a.csv File to an Active Directory Domain on page 223). For more information about PowerShell scripts, refer to "Developing PowerShell Scripts for Attributes Synchronization Rules" in Quest One Quick Connect Software Development Kit (SDK). Rule. Allows you to configure a set of rules for specifying target containers. For details, see Configuring a Rule for Generating an Attribute Value on page 184. Clear. Allows you to clear the Target container or Move objects to box. 180

181 Administrator Guide Configuring Rules to Generate Object Names When configuring a synchronization step, you can use the Rules to generate unique object name list to specify rules for creating or modifying object names in the target connected system. That list looks similar to the following: To configure rules for generating object names 1. Click the down arrow on the leftmost button provided below the Rules to generate unique object name list: 2. Select one of the following: Attribute. Allows you to select the target object attribute whose value you want to use as the object name. Rule. Allows you to configure a rule for generating target object names. For details, see Configuring a Rule for Generating an Attribute Value on page 184. Script. Allows you to type a PowerShell script for generating target object names. For details, see "Developing PowerShell Scripts for Attributes Synchronization Rules" in Quest One Quick Connect Software Development Kit (SDK). You can copy and paste an existing object name generation rule: 1. In the Rules to generate unique object name list, right-click a rule, and then select Copy from the shortcut menu. 2. In the rules list, right-click an entry, and then select Paste from the shortcut menu. 181

182 Quest One Quick Connect When the Rules to generate unique object name list includes two or more entries, Quick Connect uses the uppermost rule in the list to generate the target object name. If the generated object name is not unique, Quick Connect uses the next rule in the list. For instructions on how to provision data, see Creating a Provisioning Step on page 173. Synchronizing Group Memberships You can use the Quick Connect Sync Engine to synchronize group memberships from a source connected system to a target connected system. For instance, when configuring a synchronization step to provision group objects from an Active Directory domain to AD LDS (ADAM), you can specify rules to synchronize the value of the member attribute in AD LDS (ADAM) with the value of the member attribute in the Active Directory domain. The following procedure illustrates how to accomplish this task. To synchronize the member attribute from Active Directory to AD LDS (ADAM) 1. Follow the steps provided in the Creating a Provisioning Step section until you reach the wizard page named Specify provisioning criteria. 2. Expand the Initial Attribute Population Rules element. 3. Below the list, click the down arrow on the leftmost button, and then click Attribute. 4. Add the member => member pair of attributes to the list. 5. Select the member => member pair in the list, click More, and then click Options. The dialog box that opens allows you to specify how to synchronize object references to the target system objects that are not mapped to their counterparts in the source system (for more information about mapping, see Mapping Objects on page 187). 6. Use the following options to specify how you want to synchronize the member attribute: In the target attribute, keep references to objects that are not mapped. Select this option to ensure that the member attribute of the target group will keep references to objects that are not mapped to their counterparts in the source group. Remove references to objects that are not mapped from the target attribute. Select this option to ensure that the member attribute of the target group will not contain any references to objects that are not mapped to their counterparts in the source group. Ignore object references to the following object classes in the source data system. Allows you to set up a list of source data system object types you do not want to participate in the group memberships synchronization. Ignore object references to the following object classes in the target data system. Allows you to set up a list of target data system object types you do not want to participate in the group memberships synchronization. 7. Click OK, and then follow the steps in the wizard to complete the creation of the provisioning step. 182

183 Administrator Guide Synchronizing Multivalued Attributes When configuring synchronization steps, you can specify rules for synchronizing multivalued attributes. For instance, when configuring a synchronization step to provision user objects from an Active Directory domain to AD LDS (ADAM), you can specify rules to synchronize the value of the othertelephone attribute in AD LDS (ADAM) with the value of the othertelephone attribute in the Active Directory domain. The following procedure illustrates how to accomplish this task. To synchronize the othertelephone attribute from Active Directory to AD LDS (ADAM) 1. Follow the steps provided in the Creating a Provisioning Step section until you reach the wizard page named Specify provisioning criteria. 2. Expand the Initial Attribute Population Rules element. 3. Below the list, click the down arrow on the leftmost button to select Attribute. 4. Add the othertelephone => othertelephone pair of attributes to the list. 5. Select the othertelephone => othertelephone pair in the list, click More, and then click Options. 6. In the dialog box that opens, select one of the following options: Override target attribute values with source values. Replaces the target attribute values with the source attribute values. Append source values to target attribute values. Keeps the target attribute values and appends the source attribute values to them. 7. Click OK, and then follow the steps in the wizard to complete the creation of the provisioning step. Configuring Attribute Transformation Rules The provisioning, deprovisioning, and updating rules configured for a synchronization step may include subrules that transform attribute values by calculating a target attribute value (or values, if the attribute is multivalued). For example, when creating or modifying a synchronization step you can configure attribute transformation rules by using the Initial Attribute Population Rules option: 1. Expand Initial Attribute Population Rules. 2. Click the down arrow on the Attribute button, and then select one of the following: Rule. Allows you to define a Rules-Based transformation rule to build a value to which the target attribute must be equal. After you select this option, click Select to select the target attribute whose value you want to build. Then, click Configure to define a rule for generating the attribute value. For details, see Configuring a Rule for Generating an Attribute Value on page 184. Script. Allows you to define a Script-Based transformation rule by typing a PowerShell script that calculates the target attribute value. For details, refer to "Developing PowerShell Scripts for Attributes Synchronization Rules" in Quest One Quick Connect Software Development Kit (SDK). Text. Allows you to define a Constant-Based transformation rule. With this type of rule you can assign a constant text value to the specified target attribute. Empty. Allows you to assign an empty value to the specified target attribute. For multivalued attributes, this rule allows you to clear all entries stored in a multivalued attribute. You can copy and paste an existing Attribute Transformation rule (such as an Initial Attribute Population Rule or an Updating Rule): 1. In the rules list, right-click the rule you want to copy, and then select Copy from the shortcut menu. 2. In the rules list, right-click the entry where you want to paste the copied rule, and then select Paste from the shortcut menu. 183

184 Quest One Quick Connect Configuring a Rule for Generating an Attribute Value To configure a rule for generating an attribute value you can use the Configure Generation Rule dialog box that looks similar to the following: This dialog box allows you to add new generation rule entries or edit or remove existing entries. To add a new rule entry 1. Click Add. 2. Configure the rule entry as appropriate. For more information, see Configuring Rule Entries on page 185. To remove an existing rule entry From the Rule entries list, select the entry you want to remove, and then click Remove. To edit an existing rule entry 1. From the Rule entries list, select the entry you want to modify, and then click Edit. 2. Configure the rule entry as appropriate. For more information, see Configuring Rule Entries on page

185 Administrator Guide Configuring Rule Entries This section provides instructions on how to configure a rule entry in the Define Entry dialog box that looks similar to the following: To configure a text entry 1. Under Entry type, select Text. 2. In the Text value box, type the value. 3. Click OK. To configure an attribute-based entry 1. Under Entry type, select Attribute. 2. Click Select to select the attribute whose value you want to use, and then click OK. 3. If you want the entry to include the entire value of the attribute, select the All characters option. Otherwise, click the Specified characters option, and then specify the characters to include in the entry. 4. Optionally, click the If value is shorter, add filling characters at the end of entry value option to specify the character that will fill the entry. 5. Optionally, specify Advanced settings. 6. When finished, click OK. 185

186 Quest One Quick Connect 186

187 6 Mapping Objects About Mapping Objects Steps to Map Objects Unmapping Objects

188 Quest One Quick Connect About Mapping Objects Object mapping allows you to establish one-to-one relationships between objects in two connected data systems. By using object mapping, you can determine what objects will participate in data synchronization operations you run between these two data systems. Quick Connect maps objects automatically when running the provisioning steps of a synchronization workflow. In this case, one-to-one relationship is automatically established between source objects and their counterparts created in the target connected system during the provision operation. In some cases, however, you may need to manually map objects. For example, you should configure object mapping before running a synchronization workflow that includes updating or deprovisioning steps. By doing so, you provide Quick Connect Sync Engine with the information on which objects need to be updated or deprovisioned in the target data system. To map objects, you can use mapping pairs and mapping rules. A mapping pair allows you to establish a relationship between a certain object type in one connected system and its counterpart in the other connected system. A mapping rule allows you to define the scope of conditions where the objects belonging to the object types specified in a particular mapping pair will be mapped. For a mapping pair you can create multiple mapping rules, each defining a specific mapping condition. In order your mapping rules take effect, you need to run them. After you run a mapping rule, Quick Connect Sync Engine reads data in the connected data systems for which the rule is configured, and then maps the objects that meet the conditions specified in the mapping rule. The following example shows how a mapping rule works: Object Mapping Mapping rule: map user objects if user s first name in system 1 is the same as user s first name in system 2 First Name Last name John Malcolm Mary Smith Alain Black Connected System 1 Mapped No Match Conflict Quick Connect Sync Engine First Name Last name John Doe Alain Doyle Alain White Connected System 2 In this example, one-to-one relationship is established between the user object John Malcolm in Connected System 1 and the user object John Doe in Connected System 2: the first names of these user objects match, and thus the condition specified in the mapping rule is met. Now, if you configure a synchronization workflow for these systems and populate it with synchronization steps, identity information will be synchronized between these two user objects, since they are mapped. The direction of synchronization depends on which of these two connected data systems will be the synchronization source and which the target. 188

189 Administrator Guide The next sections cover the following: Steps to Map Objects Unmapping Objects Steps to Map Objects To map objects in two connected data systems, complete the following steps: Step 1: Create Mapping Pairs Step 2: Create Mapping Rules Step 3: Run Map Operation Step 1: Create Mapping Pairs In this step, you create mapping pairs that specify the types of objects you want to map in two connected systems. You can create as many mapping pairs as necessary. To create a mapping pair 1. In the Quick Connect Administration Console, open the Mapping tab. 2. Click Add mapping pair. 3. On the Specify source page, do the following: a) Next to Source connected system, click Specify, and then specify one connected system where you want to map objects. b) Next to Connected system object type, click Select, and then select the type of object you want to map. 4. Click Next. 5. On the Specify target page, do the following: a) Next to Target connected system, click Specify, and then specify the other connected system where you want to map objects. b) Next to Connected system object type, click Select, and then select the type of object you want to map. 6. Click Finish to create the mapping pair. The mapping pair appears on the Mapping tab in the Quick Connect Administration Console. You can repeat the above steps to create mapping pairs for as many object types as necessary. 189

190 Quest One Quick Connect Step 2: Create Mapping Rules Once you have created a mapping pair, you can configure mapping rules for that pair. Mapping rules define the conditions where the objects that belong to the object types specified in the mapping pair will be mapped. Quick Connect maps objects only if all mapping rules specified for a mapping pair are met. To add a new mapping rule 1. In the Quick Connect Administration Console, open the Mapping tab. 2. Click the mapping pair for which you want to create mapping rules. 3. Click Add mapping rule. 4. Use the Define Mapping Rule dialog box to define the condition where the objects in the connected systems are to be mapped. To do so, click the down arrow on the button next to each of the two provided options and select one of the following: OPTION Attribute Rule Script DESCRIPTION Allows you to select an attribute in the connected system. Allows you to set up a list of rules to generate a value for the connected system. For details, see Configuring a Rule for Generating an Attribute Value on page 184. Allows you to type a Windows PowerShell script that generates a value for the connected system. For details, see "Developing PowerShell Scripts for Attributes Synchronization Rules" in the Quest One Quick Connect Software Development Kit (SDK). 5. When you are finished, click OK to create the mapping rule. Step 3: Run Map Operation Once you have created mapping rules for a mapping pair, you need to run the map operation in order to apply these rules and map objects that belong to the mapping pair. There are two methods to run the map operation: you can manually run the map operation once or you can create a recurring schedule to automatically run the map operation on a regular basis. The latter method is recommended when you want to use Quick Connect to synchronize passwords from an Active Directory domain to other connected systems. Running mapping rules on a recurring schedule allows you to properly map newly-created Active Directory user objects to their counterparts in the connected systems where you automatically synchronize passwords with the Active Directory domain. If you do not run mapping rules on a regular basis, some passwords may become out of sync because of the changes that inevitably occur to your environment. For example, new user objects are created, some user objects are deleted, but Quick Connect cannot detect these changes and synchronize passwords for the newly-created users before you run the mapping rules. In this scenario, the best way to ensure Quick Connect synchronizes all passwords is to run your mapping rules on a regular basis. You can accomplish this task by creating a recurring schedule for running your mapping rules. 190

191 Administrator Guide To run the map operation once 1. In the Quick Connect Administration Console, open the Mapping tab. 2. Click the mapping pair for which you want to run the map operation. 3. Click Map now and wait for the map operation to complete. After the map operation completes, the Quick Connect Administration Console displays a report that provides information about the objects that participated in the map operation. At this stage, the application does not map the objects. To map them, you need to commit the result of the map operation. You can click the number provided next to an object category name in the report to view the details of objects that belong to that category. 4. Review the report on the objects that participated in the map operation, and then click Commit to map the objects. To automatically run the map operation on a recurring schedule 1. In the Quick Connect Administration Console, open the Mapping tab. 2. Click the mapping pair for which you want to run the map operation on a recurring schedule. 3. Click Schedule mapping. 4. In the Quick Connect Administration Console, open the Sync History tab. 5. Click Schedule cleanup. 6. In the dialog box that opens, select the Schedule the task to run check box, and then specify a schedule for the map operation. It is recommended to schedule the map operation to run once in every 6 hours. 7. If several Quick Connect Sync Engine instances are installed in your environment, under Run the task on, select the computer that hosts the instance you want to use for running the map operation. 8. Click OK to activate the schedule. The results of a scheduled map operation are applied automatically, you do not need to commit the changes. Unmapping Objects You can unmap the objects that were mapped earlier. To unmap objects 1. In the Quick Connect Administration Console, open the Mapping tab. 2. Click the mapping pair that specifies the objects types you want to unmap. 3. Click Unmap now and wait until the unmap operation completes. After the unmap operation completes, the Quick Connect Administration Console displays a report that provides information about the objects that participated in the unmap operation. At this stage, the application does not unmap the objects. To unmap them, you need to commit the result of the unmap operation. You can click the number provided next to an object category name in the report to view the details of objects that belong to that category. 4. Review the report on the objects that participated in the unmap operation, and then click Commit to unmap the objects. 191

192 Quest One Quick Connect 192

193 7 Automated Password Synchronization About Automated Password Synchronization Steps to Automate Password Synchronization Managing Capture Agent Managing Password Sync Rules Specifying Password Sync Parameters for an LDAP Directory Service Using an SQL Query to Specify Data in a Connected System Running Custom SQL Queries Automatically After Password Synchronization Fine-Tuning Automated Password Synchronization

194 Quest One Quick Connect About Automated Password Synchronization If your enterprise environment has multiple data management systems, each having its own password policy and dedicated user authentication mechanism, you may face one or more of the following issues: Because users have to remember multiple passwords, they may have difficulty managing them. Some users may even write down their passwords. As a result, passwords can be easily compromised. Each time users forget one or several of their numerous access passwords, they have to ask administrators for password resets. This increases operational costs and translates into a loss of productivity. There is no way to implement a single password policy for all of the data management systems. This too impacts productivity, as users have to log on to each data management system separately in order to change their passwords. With Quick Connect Sync Engine, you can eliminate these issues and significantly simplify password management in an enterprise environment that includes multiple data management systems. Quick Connect Sync Engine provides a cost-effective and efficient way to synchronize user passwords from an Active Directory domain to other data systems used in your organization. As a result, users can access other data management systems using their Active Directory domain password. Whenever a user password is changed in the source Active Directory domain, this change is immediately and automatically propagated to other data systems, so each user password remains in sync at all times. Quick Connect Sync Engine supports automated password synchronization from an Active Directory domain to the following types of data systems: Another Active Directory domain AD LDS (ADAM) instance Quest One Identity Manager Sun One Directory Server SQL Server Oracle Database Oracle user accounts that use database authentication (that is, the user accounts that are authenticated entirely by Oracle Database). The Sync Engine does not support password synchronization for Oracle user accounts that use external or global authentication in Oracle terms. Novell edirectory (formerly Novell Directory Service) IBM RACF CA ACF2 CA Top Secret SAP Lotus Domino Server To synchronize passwords in Lotus Domino Server, you must install a Password Sync Client on each computer running the Lotus Notes client that connects to the Lotus Domino Server. For more information on how to install the Password Sync Client, see the Password Sync Client Quick Start Guide supplied with the Quick Connect for Lotus Notes package. 194

195 Administrator Guide Google Apps Google Postini Services Salesforce For information on how to enable the automatic password synchronization, see Steps to Automate Password Synchronization on page

196 Quest One Quick Connect Steps to Automate Password Synchronization To automatically synchronize passwords from an Active Directory domain to an external data system, complete these steps: 1. Install Capture Agent on each domain controller in the Active Directory domain you want to be the source for password synchronization operations. Capture Agent tracks changes to the user passwords in the source Active Directory domain and provides this information to the Quick Connect Service (a component of the Quick Connect Sync Engine), which in turn synchronizes passwords in the target connected systems you specify. For more information on how to install Capture Agent, see Managing Capture Agent on page Connect the Quick Connect Sync Engine to the Active Directory domain where you installed Capture Agent in step 1. For more information, see Creating a New Connection to an Active Directory Domain on page 38. Alternatively, you can configure a connection to Quest ActiveRoles Server that manages the source Active Directory domain. For more information, see Managing a Connection to Quest ActiveRoles Server on page Connect the Quick Connect Sync Engine to the data system where you want to synchronize user object passwords with those in the source Active Directory domain. For more information, see the appropriate subsection related to your data system in Managing Connections to External Data Systems on page 37. For some target data systems (such as SQL Server and Oracle Database) you must specify the data you want to participate in the password synchronization. You can do so by configuring an SQL query. For more information, see Using an SQL Query to Specify Data in a Connected System on page 202. If the target data system is an LDAP directory service accessed via the generic LDAP connector, you must specify the target object type for which you want to synchronize passwords and the attribute where you want to store object passwords. For more information, see Specifying Password Sync Parameters for an LDAP Directory Service on page Ensure that user objects in the source Active Directory domain are properly mapped to their counterparts in the target connected system. For more information on how to map objects, see Mapping Objects on page 187. Quick Connect automatically maps objects between the source Active Directory domain and the target connected system if you configure synchronization workflows to manage the provision and deprovision operations between the source AD domain (or Quest ActiveRoles Server that manages that domain) and the target connected system. For more information on synchronization workflows, see Synchronizing Identity Data on page Create a password syncronization rule for the target connected system. For more information, see Creating a Password Sync Rule on page

197 Administrator Guide After you complete the above steps, the Quick Connect Sync Engine starts to automatically track user password changes in the source AD domain and synchronize passwords in the target connected system. If necessary, you can fine-tune the password synchronization settings by completing these optional tasks: Modify the default Capture Agent settings. For more information, see Configuring Capture Agent on page 204. Modify the default Quick Connect Service settings related to password synchronization. For more information, see Configuring Quick Connect Service on page 206. Specify a custom certificate for encrypting the password sync traffic between the Capture Agent and the Quick Connect Service. By default, a built-in certificate is used for this purpose. Alternatively, you can specify a custom certificate. For more information, see Specifying a Custom Certificate for Encrypting Password Sync Traffic in Windows Server 2003 on page 207. Configure the Quick Connect Sync Engine to automatically run your PowerShell script after the password synchronization completes. For more information, see Running a Post-Sync PowerShell Script on page 212. Managing Capture Agent Capture Agent is required to track changes to the user passwords in the Active Directory domain you want to be the authoritative source for password synchronization operations. To synchronize passwords, you must install Capture Agent on each domain controller in the source Active Directory domain. Whenever a password changes in the source Active Directory domain, the agent captures that change and provides the changed password to the Quick Connect Sync Engine. In turn, the Sync Engine uses the provided information to synchronize passwords in the target connected systems according to your settings. This section covers: Installing Capture Agent Manually Using Group Policy to Install Capture Agent Uninstalling Capture Agent 197

198 Quest One Quick Connect Installing Capture Agent Manually You can use this method to manually deploy Capture Agent on each domain controller in the source Active Directory domain. To manually install Capture Agent 1. On a 32-bit domain controller, run the file QuickConnectCaptureAgent_x86.msi. OR On a 64-bit domain controller, run the file QuickConnectCaptureAgent_x64.msi. Both these files are supplied in the Quick Connect Sync Engine installation package. 2. Step through the wizard to complete the agent installation. Using Group Policy to Install Capture Agent You can use this method to automatically deploy Capture Agent on each domain controller in the source Active Directory domain. This method is applicable in the following scenarios only: SUPPORTED SCENARIO Scenario 1: AD domain includes either 32- or 64-bit domain controllers Scenario 2: AD domain includes both 32- and 64-bit domain controllers PREREQUISITES All the domain controllers must be held in a single organizational unit (for example, the built-in Domain Controllers OU). At least one group policy object must be linked to the OU holding the domain controllers (for example, the built-in Default Domain Controllers Policy Group Policy object). The domain controllers must be held in two separate organizational units, each containing domain controllers of the same bitness. At least one group policy object must be linked to each of the two organizational units. The next steps apply to both these scenarios. 198

199 Administrator Guide To install Capture Agent by using Group Policy 1. Save the QuickConnectCaptureAgent_x86.msi and QuickConnectCaptureAgent_x64.msi files supplied in the Quick Connect installation package to a network share accessible from each domain controller in the source Active Directory domain. 2. Depending on your scenario, complete the steps in the table: SCENARIO 1: AD DOMAIN INCLUDES EITHER 32- OR 64-BIT DOMAIN CONTROLLERS 1. Use Group Policy Editor to open the group policy object linked to the OU holding the domain contollers on which you want to install Capture Agent. 2. In the Group Policy Object Editor console tree, do one of the following: - In Windows Server 2003 or Windows Server 2003 R2, expand the Computer Configuration node, and then select Software Settings. - In a later version of Windows Server, expand the Computer Configuration node, then expand Policies, and select Software Settings. 3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package. 4. Use the dialog box to open one of the following files: - QuickConnectCaptureAgent_x86.msi if all your domain controllers are 32-bit. - QuickConnectCaptureAgent_x64.msi if all your domain controllers are 64-bit. 5. In the Deploy Software dialog box, select Assigned, and then click OK. SCENARIO 2: AD DOMAIN INCLUDES BOTH 32- AND 64-BIT DOMAIN CONTROLLERS 1. Use Group Policy Object Editor to open the group policy object linked to the OU holding the 32-bit domain controllers. 2. Do one of the following in the Group Policy Object Editor console tree: - In Windows Server 2003 or Windows Server 2003 R2, expand the Computer Configuration node, and then select Software Settings. - In a later version of Windows Server, expand the Computer Configuration node, then expand Policies, and select Software Settings. 3. In the details pane, click Software Installation, on the Action menu point to New, and then click Package. 4. Use the dialog box to open the QuickConnectCaptureAgent_x86.msi file. 5. In the Deploy Software dialog box, select Assigned, and then click OK. 6. Repeat steps 1-5 for the group policy object linked to the OU holding the 64-bit domain controllers. Use the QuickConnectCaptureAgent_x64.msi file to install Capture Agent on these domain controllers. 3. Run the following command at a command prompt to refresh the Group Policy settings: gpupdate /force 199

200 Quest One Quick Connect Uninstalling Capture Agent To uninstall Capture Agent 1. On the computer where Capture Agent is installed, open the list of installed programs: In Windows Server 2003 or Windows Server 2003 R2, open Add or Remove Programs in Control Panel. In a later version of Windows, open Programs and Features in Control Panel. 2. In the list of installed programs, select Quest One Quick Connect Capture Agent. 3. Uninstall the agent: In Windows Server 2003 or Windows Server 2003 R2, click Remove. In a later version of Windows, click Uninstall. 4. Follow the on-screen instructions to uninstall Capture Agent. Managing Password Sync Rules To synchronize passwords from an Active Directory domain to other connected systems, you need to create and configure a password synchronization rule for each target connected system where you want to sychronize passwords. A password synchronization rule allows you to specify the following: The source Active Directory domain with which you want to synchronize object passwords in a connected system. The source object type for password synchronization operations (typically, this is the user object type in Active Directory). The target connected system where you want to synchronize passwords. The target object type for password synchronization operations. This section covers: Creating a Password Sync Rule Deleting a Password Sync Rule Modifying Settings of a Password Sync Rule 200

201 Administrator Guide Creating a Password Sync Rule To create a password sync rule 1. In the Quick Connect Administration Console, open the Password Sync tab. 2. Click Add password sync rule. 3. Select the source Active Directory domain and object type for password synchronization. 4. Click Next. 5. Select the target connected system and object type for password synchronization. 6. Click the Password Sync Settings button to specify how many times you want the Sync Engine to try to change a password in the connected system. If you want the object passwords in the target system to be different from the user passwors in the source AD domain, you can specify a PowerShell script to transform the passwords for the target connected system. When you are finished, click OK. 7. Click Finish to create the password sync rule. Deleting a Password Sync Rule To delete a password sync rule 1. In the Quick Connect Administration Console, open the Password Sync tab. 2. Locate the rule you want to delete, and then click Delete this rule below the rule. Modifying Settings of a Password Sync Rule You can modify the following settings of an existing password sync rule: Specify how many times you want the Sync Engine to retry the synchronize password operation in case of a password synchronization failure. Specify a PowerShell script to transform a source Active Directory user password into an object password in the target connected system. To modify the settings of a password sync rule 1. In the Quick Connect Administration Console, open the Password Sync tab. 2. Click the Password sync settings link below the appropriate existing password sync rule. 3. Specify the following options: Attempt to synchronize password in the connected system. Use this option to specify how many times you want the Sync Engine to retry the password synchronization operation in the event of a password sync failure. Use the following PowerShell script to transform passwords. Use this text box to type or paste a PowerShell script that will transform source Active Directory user passwords into object passwords in the target connected system. If you do not want to transform passwords, leave this text box blank. For more information and sample scripts, refer to the Quest One Quick Connect Software Development Kit (SDK). 4. When you are finished, click OK. 201

202 Quest One Quick Connect Specifying Password Sync Parameters for an LDAP Directory Service If the target data system were you want to synchronize passwords is an LDAP directory service accessed via the generic LDAP connector, you must specify the following additional parameters: The target object type for which you want to synchronize passwords. The object attribute for storing passwords in the LDAP directory service. To specify the target object type and attribute for storing passwords 1. Click the Connection settings link below the LDAP directory service connection for which you want to specify the target object type and attribute for storing passwords. 2. Open the Password tab. 3. Make sure the Synchronize and manage passwords check box is selected. 4. Specify an object type in the Synchronize passwords for objects of this type option. 5. Specfy an attribute in the Store password in this attribute option. 6. Click Save. Using an SQL Query to Specify Data in a Connected System If the target data system where you want to synchronize passwords is Microsoft SQL Server or an Oracle Database system connected through the Oracle Connector, you must use an SQL query to specify the target system data you want to participate in the password synchronization. To specify the target system data 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the Connection settings link below the SQL Server or Oracle Database connection for which you want to specify the data that will participate in the password synchronization. 3. Open the Password tab. 4. Make sure the Synchronize and manage passwords check box is selected. 5. Click Configure Query, and then type your query in the SQL query text box. 6. When you are finished, click OK. Scenario: Using a Query to Synchronize Passwords for All Users in SQL Server Consider that when configuring a connection to SQL Server you typed the following SQL query to specify the data that will participate in the synchronization: select * from sys.server_principals In this case, you can use the following query to specify data that will participate in the password synchronization: EXEC 202

203 Administrator Guide Scenario: Using a Query to Synchronize Passwords for All Users in Oracle Database Consider that when configuring a connection to Oracle Database you typed the following SQL query to specify the data that will participate in the synchronization: select * from all_users In this case, you can use the following query to specify data that will participate in the password synchronization: call dbms_utility.exec_ddl_statement('alter USER ' :USERNAME ' IDENTIFIED BY ' :newpassword) In this query: USERNAME refers to the name of the attribute that uniquely identifies a user in Oracle Database. newpassword refers to the name of the attribute that will store the initial password you want to set for the user being created. Running Custom SQL Queries Automatically After Password Synchronization When you use Quick Connect to synchronize passwords in an Oracle Database system connected through the Oracle User Accounts Connector, you can configure Quick Connect Sync Engine to automatically run your custom SQL queries each time a user password is synchronized in the Oracle Database system. To automatically run your custom SQL queries 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the Connection settings link below the Oracle Database connection for which you want to run custom SQL queries. 3. Open the Password tab. 4. Make sure the Synchronize and manage passwords check box is selected. 5. Under SQL queries to run after password synchronization, set up a list of the SQL queries you want the Sync Engine to run. You can use the following buttons: Add. Allows you to add a new SQL query to the list. Edit. Allows you to edit the SQL query you selected in the list. Delete. Deletes the SQL query you selected in the list. SQL queries are run in the order they are listed. If necessary, you can rearrange the SQL queries: select an SQL query in the list, and then click the up or down arrow button to move the query up or down as necessary. For sample SQL queries, see Sample SQL Queries on page When you are finished, click Save. 203

204 Quest One Quick Connect Fine-Tuning Automated Password Synchronization This section provides information about the optional tasks related to configuring the automated password synchronization from an Active Directory domain to connected data systems. This section covers: Configuring Capture Agent Configuring Quick Connect Service Specifying a Custom Certificate for Encrypting Password Sync Traffic in Windows Server 2003 Running a Post-Sync PowerShell Script Configuring Capture Agent Capture Agent has a number of parameters whose values you can modify. After you install the agent, each of these parameters has a default value, as described in the following table: PARAMETER DESCRIPTION DEFAULT VALUE Maximum connection point age Set interval between attempts to reconnect to service Set time period for attempts to connect to service Set certificate Determines the period of time (in hours) during which a connection between Capture Agent and Quick Connect Service remains valid. This parameter determines the time interval (in minutes) during which Capture Agent tries to reconnect to Quick Connect Service. Determines the period of time (in days) during which Capture Agent tries to connect to Quick Connect Service to send the information about changed user passwords. During this period Capture Agent stores the user passwords to be synchronized in an encrypted file. Specifies a certificate for encrypting the password sync data transferred between Capture Agent and Quick Connect Service. For more information, see Specifying a Custom Certificate for Encrypting Password Sync Traffic in Windows Server 2003 on page hours 10 minutes 7 days By default, a built-in certificate is used. 204

205 Administrator Guide PARAMETER DESCRIPTION DEFAULT VALUE Connection Point 1 Connection Point 2 Connection Point 3 Connection Point 4 Connection Point 5 Connection Point 6 Connection Point 7 Define the Quick Connect Service instances to which Capture Agent provides information about changed user passwords. If none of these parameters is set, Capture Agent looks for available instances of the Quick Connect Service in the following container: CN=QuickConnect,CN=Quest Software,CN=System,DC=<DomainName> You can modify the default values of these parameters by using Group Policy and the Administrative Template supplied with the Quick Connect Sync Engine. The next steps assume that all the domain controllers where the Capture Agent is installed are held within organizational units. Complete these steps to modify the default Capture Agent settings: Step 1: Create and Link a Group Policy Object Step 2: Add Administrative Template to Group Policy Object Step 3: Use Group Policy Object to Modify Capture Agent Settings Step 1: Create and Link a Group Policy Object Create a new Group Policy object. Link the object to each organizational unit holding the domain controllers on which the Capture Agent is installed. For more information, see the documentation for your version of the Windows operating system. Step 2: Add Administrative Template to Group Policy Object 1. Use Group Policy Object Editor to connect to the Group Policy object you created in step In the Group Policy Object Editor console, expand the Group Policy object, and then do one of the following: In Windows Server 2003 or Windows Server 2003 R2, expand the Computer Configuration node, and then select Administrative Templates. In a later version of Windows Server, expand Computer Configuration, expand Policies, and then select Administrative Templates. 3. On the Action menu, point to All Tasks, and click Add/Remove Templates. The Add/Remove Templates dialog box opens. 4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the Administrative Template (CaptureAgentService.adm file) supplied with the Quick Connect Sync Engine. The CaptureAgentService.adm file is located in <Quick Connect Sync Engine installation folder>\quick Connect Capture Agent\Administrative Templates. 205

206 Quest One Quick Connect Step 3: Use Group Policy Object to Modify Capture Agent Settings 1. In Windows Server 2003 or Windows Server 2003 R2, under Computer Configuration\Administrative Templates\Quick Connect, select Quick Connect Capture Agent Service. OR In a later version of Windows Server, under Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\Quick Connect, select Quick Connect Capture Agent Service. 2. In the details pane, configure the appropriate Group Policy settings. The names of Group Policy settings correspond to the names of the Capture Agent parameters provided in the table in Configuring Capture Agent on page Run the following command at a command prompt for the changes to take effect: gpupdate /force Configuring Quick Connect Service You can modify the default values of the Quick Connect Service parameters related to password synchronization. These parameters and their default values are described in the next table. PARAMETER DESCRIPTION DEFAULT VALUE Set interval between attempts to reset password Set service connection point update period Set certificate The Capture Agent sends information on changes made to Active Directory user passwords to the Quick Connect Service. After receiving this information, the Quick Connect Service tries to reset passwords in the target connected systems you specified. This parameter determines the time interval (in minutes) between attempts to reset passwords in the target connected systems. The Quick Connect Service publishes its connection point in Active Directory. This parameter determines the frequency of updates (in minutes) of the Quick Connect Service connection point. This parameter specifies the thumbprint of the certificate used to encrypt the password sync traffic between Capture Agent and Quick Connect Service. The same certificate must be used for the Capture Agent and the Quick Connect Service. 10 minutes 60 minutes By default, a built-in certificate is used. 206

207 Administrator Guide You can modify the Quick Connect Service parameters using Group Policy and the Administrative Template supplied with the Quick Connect Sync Engine. To modify the Quick Connect Service parameters using Group Policy 1. On the computer running the Quick Connect Service, start Group Policy Object Editor, and then connect to the Local Computer Policy Group Policy object. 2. In the Group Policy Object Editor console, expand the Local Computer Policy node, expand the Computer Configuration node, and select Administrative Templates. 3. On the Action menu, point to All Tasks, and click Add/Remove Templates. 4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the PasswordService.adm file that holds the Administrative Template. By default, the PasswordService.adm file is stored in <Quick Connect installation folder>\quick Connect Capture Agent\Administrative Templates 5. Under Computer Configuration\Administrative Templates\Quick Connect, select Quick Connect Password Service, and then in the details pane, configure the appropriate group policy settings. The names of group policy settings correspond to the names of the Quick Connect Service parameters provided in the table in Configuring Capture Agent on page For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force Specifying a Custom Certificate for Encrypting Password Sync Traffic in Windows Server 2003 By default, Quick Connect uses a built-in certificate to encrypt the password sync traffic between the Capture Agent and the Quick Connect Service. If necessary, you can specify a custom certificate for this purpose. This section describes how to use a custom certificate for encrypting the password synchronization traffic in Windows Server Complete the following steps: Step 1: Obtain and Install a Certificate Step 2: Export Custom Certificate to a File Step 3: Import Certificate into Certificates Store Step 4: Copy Certificate s Thumbprint Step 5: Provide Certificate s Thumbprint to Capture Agent Step 6: Provide Certificate s Thumbprint to Quick Connect Service 207

208 Quest One Quick Connect Step 1: Obtain and Install a Certificate To obtain and install a certificate, you have to make a certificate request. There are two methods to request a certificate in Windows Server 2003: Request certificates using the Certificate Request Wizard. To request certificates from a Windows Server 2003 enterprise certification authority, you can use the Certificate Request Wizard. Request certificates using the Windows Server 2003 Certificate Services Web interface. Each certification authority that is installed on a computer running Windows Server 2003 has a Web interface that allows the users to submit certificate requests. By default, the Web interface is accessible at where servername refers to the name of the computer running Windows Server This document provides steps to request certificates using the Windows Server 2003 Certificate Services Web page. For detailed information about the Certificate Request Wizard, refer to the documentation on Certification Authority. To request a certificate using the Windows 2003 Certificate Services Web interface 1. Use a Web browser to open to where servername refers to the name of the Web server running Windows Server 2003 where the certification authority that you want to access is located. 2. On the Welcome Web page, click Request a certificate. 3. On the Request a Certificate Web page, click advanced certificate request. 4. On the Advanced Certificate Request Web page, click Create and submit a certificate request to this CA. 5. On the Web page that opens, do the following: Select the Store certificate in the local computer certificate store check box. Under Additional Options, select the PKCS10 option, and in the Friendly Name text box, specify a name for your certificate (such as My QC Certificate). Keep default values for all other options. 6. Click Submit. 7. On the Certificate Issued Web page, click Install this certificate. After you install the certificate, it becomes available in the Certificates snap-in, in the Personal/Certificates store. 208

209 Administrator Guide Step 2: Export Custom Certificate to a File In this step, you export the issued certificate to a file. You will need the file to install the certificate on each domain controller running Capture Agent and on each computer running Quick Connect Service. To export the certificate 1. On the computer where you installed the certificate in step 1, open the Certificates - Local Computers snap-in. 2. In the console tree, click the Personal/Certificates store. 3. In the details pane, click the issued certificate you want to export. 4. On the Action menu, point to All Tasks, and then click Export. 5. Step through the wizard. 6. On the Export Private Key page, select Yes, export the private key, and then click Next. This option is available only if the private key is marked as exportable and you have access to the private key. 7. On the Export File Format page, do the following, and then click Next: To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box. To enable strong protection, select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box. 8. On the Password page, use the Password text box to type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next. 9. On the File to Export page, use the File name text box to specify the PKCS #12 file to which you want to export the certificate along with the private key, and click Next. 10. On the Completion page, revise the specified settings and click Finish to create the file and close the wizard. Step 3: Import Certificate into Certificates Store In this step, you import the certificate to the Personal\Certificates certificate store by using the Certificates snap-in. You must complete this step on each domain controller running Capture Agent and on each computer running the Quick Connect Service that will participate in the password synchronization. To import the certificate 1. Open the Certificates - Local Computers snap-in. 2. In the console tree, click the Personal\Certificates logical store. 3. On the Action menu, point to All Tasks and then click Import. 4. Step through the wizard. 5. On the File to Import page, in File name, type the file name containing the certificate to be imported or click Browse and to locate and select the file. When finished, click Next. 6. On the Password page, type the password used to encrypt the private key, and then click Next. 7. On the Certificate Store page, ensure that the Place all certificates in the following store option is selected, and the Certificate store text box displays Personal, and then click Next. 8. On the Completion page, revise the specified settings and click Finish to import the certificate and close the wizard. 209

210 Quest One Quick Connect Step 4: Copy Certificate s Thumbprint In this step, you copy the thumbprint of your custom certificate. In the next steps, you will need to provide the thumbprint to Capture Agent and Quick Connect Service. To copy the thumbprint of your custom certificate 1. Open the Certificates - Local Computer snap-in. 2. In the console tree, click the Personal store to expand it. 3. Click the Certificates store to expand it. 4. In the details pane, double-click the certificate. 5. In the Certificate dialog box, click the Details tab, and scroll through the list of fields to select Thumbprint. 6. Copy the hexadecimal value of Thumbprint to Clipboard. You will need the copied thumbprint value to configure Capture Agent and Quick Connect Service. Step 5: Provide Certificate s Thumbprint to Capture Agent This step assumes that: The same Group Policy object is linked to each OU holding the domain controllers on which the Capture Agent is installed. For more information on how to create and link a Group policy object, see the documentation for your version of Windows. The CaptureAgentService.adm administrative template file is linked to that Group Policy object. For instructions on how to add an administrative template file to a Group Policy object, see Step 2: Add Administrative Template to Group Policy Object on page 205 To provide the thumbprint to Capture Agent 1. On any computer joined to the domain where Capture Agent is installed, open Group Policy Object Editor, and connect to the Group Policy object to which you added the Administrative Template in Step 2: Add Administrative Template to Group Policy Object on page In the Group Policy Object Editor console, expand the Group Policy object, and then expand the Computer Configuration node. 3. Expand the Administrative Templates\Quick Connect node to select Quick Connect Capture Agent Service. 4. In the details pane, double-click Set certificate. 5. In the Certificate Properties dialog box, open the Set certificate properties tab, select the Enabled option, and then paste the certificate s thumbprint (the one you copied in Step 4: Copy Certificate s Thumbprint) in the Thumbprint text box. When finished, click OK. 6. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force 210

211 Administrator Guide Step 6: Provide Certificate s Thumbprint to Quick Connect Service Perform the next steps on each computer running the Quick Connect Service that participates in the password sync operations. To provide the thumbprint to Quick Connect Service 1. On the computer running the Quick Connect Service, start Group Policy Object Editor, and then connect to the Local Computer Policy Group Policy object. 2. In the Group Policy Object Editor console, expand the Local Computer Policy node, expand the Computer Configuration node, and select Administrative Templates. 3. On the Action menu, point to All Tasks, and click Add/Remove Templates. 4. In the Add/Remove Templates dialog box, click Add, and then use the Policy Templates dialog box to open the PasswordService.adm file that holds the Administrative Template. By default, the PasswordService.adm file is stored in <Quick Connect installation folder>\quick Connect Capture Agent\Administrative Templates 5. Under Computer Configuration\Administrative Templates\Quick Connect, select Quick Connect Password Service. 6. In the details pane, double-click Set certificate. 7. In the Certificate Properties dialog box, open the Set certificate properties tab, select the Enabled option, and then paste the certificate s thumbprint (the one you copied in Step 4: Copy Certificate s Thumbprint) in the Thumbprint text box. When finished, click OK. 8. For the changes to take effect, refresh the Group Policy settings by running the following command at a command prompt: gpupdate /force 211

212 Quest One Quick Connect Running a Post-Sync PowerShell Script Optionally, you can configure the Sync Engine to run your custom PowerShell script after the password synchronization operation is complete. To run a post-sync script 1. In the Quick Connect Administration Console, open the Connections tab. 2. Click the Connection properties link below the name of the connected system for which you wish to run a post-sync script. 3. In the Connection Properties dialog box, open the Password tab, select the Run post-sync script check box, and then click Script Source. 4. Type your post-sync PowerShell script, and then click OK. Example of a Post-Sync PowerShell Script #---- Specify the SMTP Server name in your organization ---- $SmtpServer = "smtpservername" $smtp = new-object system.net.mail.smtpclient($smtpserver) $mail = new-object System.Net.Mail.MailMessage # ---- Set the sender mail ---- $mail.from = "yourmail@mydomain.com" # ---- Set the destination mail ---- $mail.to.add("administrator@mydomain.com") # --- Specify the message subject ---- $mail.subject = "Password was changed" # ---- Set the message text ---- $body = "The passwords were synchronized for the following object pair: " $body = $body + $srcobj.name + "->" + $dstobj.name $mail.body = $body # ---- Send mail ---- $smtp.send($mail) Description: After the password synchronization is complete, this script sends a notification message that informs the administrator that an object password has been modified in the target connected system. The message provides the names of the source Active Directory object and its counterpart in the target connected system. For more information on how to develop PowerShell scripts for Quick Connect, refer to the Quest One Quick Connect Software Development Kit (SDK). 212

213 8 Synchronization History About Synchronization History Viewing Workflow History Viewing Mapping History Cleaning up Synchronization History

214 Quest One Quick Connect About Synchronization History Quick Connect Administration Console provides the Synchronization History feature that allows you to view the details of completed synchronization workflow runs, password sync rule runs, and object mapping operations. The synchronization history also helps you troubleshoot synchronization issues by providing information on the errors that were encountered during synchronization workflow runs, password sync rule runs, or object mapping operations. You can also selectively clean up entries from the synchronization history. To access the synchronization history, you can use the Sync History tab in the Quick Connect Administration Console. This chapter covers: Viewing Workflow History Viewing Mapping History Searching Synchronization History Cleaning up Synchronization History Viewing Workflow History You can use the Sync History tab in the Quick Connect Administration Console to view a list of completed synchronization workflow runs. This list provides such information as the names of completed workflows, the dates when each workflow run started and completed, and which Quick Connect Service instance was used to run each workflow. You can click a workflow run entry in the list to view detailed information about the workflow steps that were run, objects that participated in that run, and errors encountered during the run, if any. To view the details of a workflow run 1. In the Quick Connect Administration Console, open the Sync History tab. 2. Click Workflow History. 3. Click the list entry that represents the workflow whose details you want to view. 214

215 Administrator Guide The details provided for each list entry look similar to the following: To view the details about the objects that belong to a certain object category, click the number displayed next to the object category name for the source or target connected system. To view the details about encountered errors, click the link displaying the number of errors. Viewing Mapping History You can use the Sync History tab in the Quick Connect Administration Console to view the detailed information about a particular completed map or unmap operation. The details include such information as attributes of each object that participated in the map or unmap operation. To view the details of a mapped pair of objects 1. In the Quick Connect Administration Console, open the Sync History tab. 2. Click Mapping History. 3. Click the list entry that represents the mapping run whose details you want to view. 215